Setup environment to decode and manipulate Thrift traffic
Once upon a time, we were asked to pentest an API and received… a JAR file with a client certificate for mTLS. Not your typical Swagger + token setup.
A quick look under the hood showed that the API wasn’t REST or SOAP; it was using Apache Thrift with a binary protocol.