I was using an application for OSX called "Charles", which has some of the oddest branding I've seen:
It worked pretty well; I set up a whitelist so that only requests to our API would be allowed through, and I set it up to redirect all requests to that API to a local server I had set up (with the SSL certificate that would allow the request to go through, since they had moved to our SSL endpoints).
So, I wasn't able to sniff the traffic from their app directly (since it was using our own SSL endpoints), so I spun up a local server instead to log the request details and be able to develop this without alerting the author.
How are you with python?
Wouldn’t take much effort to find anything with a header of “content-type: video/mp4” or whatever it is we’re talking about here, and have python stash the response body somewhere. I’ve used this method for saving all kinds of stubborn shit. All the JavaScript trickery in the world isn’t gonna stop this.
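As an added example of the approach described in this comment (not code from the thread), here is a mitmproxy addon that stashes every response body with a matching Content-Type. It assumes only mitmproxy's addon hook API (a `response(self, flow)` method, `flow.response.headers`, `flow.response.content`, `flow.request.pretty_url`); the output directory and media-type prefixes are this example's own choices.

```python
"""
mitmproxy addon that writes every response body with a wanted media type
(video/* and audio/* by default) to disk.

Load it with:   mitmdump -s save_bodies.py
Assumes only the mitmproxy hook API (response(flow), flow.response.headers,
flow.response.content, flow.request.pretty_url). Run without the
stream_large_bodies option, or large bodies are streamed and .content is empty.
"""
import hashlib
import os
import re
from typing import Optional
from urllib.parse import urlparse

OUT_DIR = "captured"                    # assumed output directory
WANTED_PREFIXES = ("video/", "audio/")  # assumed media types to keep


def wanted(content_type: Optional[str]) -> bool:
    """Match on the media type only; parameters such as ';codecs=...' are ignored."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type.startswith(WANTED_PREFIXES)


def output_name(url: str, content_type: str, body: bytes) -> str:
    """host_leaf_digest[.ext]: filesystem-safe, and identical bytes map to one file."""
    parts = urlparse(url)
    leaf = os.path.basename(parts.path) or "index"
    leaf = re.sub(r"[^A-Za-z0-9._-]", "_", leaf)[:80]
    digest = hashlib.sha256(body).hexdigest()[:12]
    ext = ""
    if "." not in leaf:  # no extension in the URL: derive one from the media subtype
        ext = "." + content_type.split(";", 1)[0].split("/")[-1].strip()
    return f"{parts.hostname}_{leaf}_{digest}{ext}"


class SaveBodies:
    def response(self, flow):
        ctype = flow.response.headers.get("content-type")
        if not wanted(ctype) or not flow.response.content:
            return
        if flow.response.status_code == 206:
            return  # a Range response is one slice of the file; reassembly is out of scope here
        os.makedirs(OUT_DIR, exist_ok=True)
        name = output_name(flow.request.pretty_url, ctype, flow.response.content)
        path = os.path.join(OUT_DIR, name)
        if not os.path.exists(path):
            with open(path, "wb") as fh:
                fh.write(flow.response.content)  # .content is already Content-Encoding-decoded
            print(f"saved {path} ({len(flow.response.content)} bytes)")


addons = [SaveBodies()]
```

Players that fetch media with Range requests return 206 slices, so for those you would either reassemble by Content-Range or replay the request without a Range header; the addon above simply skips them rather than writing partial files.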
Automate requests through the proxy with selenium, maybe?
One way I've seen this done is to use Charles, which sets up a proxy on your Mac to intercept and log requests. You can then change your Wifi settings on your iPhone to use the proxy as described here.
It's not a conspiracy to have you buy pro. Is anyone out there proficient with https://www.charlesproxy.com/ ? If you are and can send me the logs from your device while an ad like this is shown, it would go a long way to helping us get these fixed.
Use Fiddler to monitor network traffic of the app. It can also do HTTPS traffic decryption
What a bunch of crap. For folks who are uninitiated, OP has drunk a lot of Apple kool-aid and is just parroting the company's lines.
https://httptoolkit.tech/blog/safari-is-killing-the-web/
Here are some interesting bits.
>More specifically, Safari's approach isn't protecting the web from bloat & evil Google influence, because:
>
>- Most features that Safari hasn't implemented have no hint of security, privacy or performance concerns, and they've been implemented in every other browser already.
>
>- The largest Safari complaint is unrelated to experimental features from the Chrome team: it's the showstopping bugs in implemented features, made worse by Safari's slow release cycle.
>
>- Refusing to engage with the contentious API proposals for real use cases doesn't actually protect the web anyway - it just pushes web developers and users into the arms of Chromium.
I installed Windows 10 Enterprise on a machine earlier today. Even with telemetry set to Full, the lights on my switch don't blink when I double-click on an image in Explorer.
I also set Windows to proxy HTTP/HTTPS to mitmproxy running on another computer, and I get no requests when opening images.
Independently of that, with telemetry fully disabled I still get some disappointing requests to bing.com and live.com when using the operating system. I'm not even logged into a Microsoft account.
So I use Fiddler extensively for work and the way .matt is talking about it makes it sound like he doesn't know what he's talking about either.
>This isn't EGS enumerating processes, this is literally how tools like Procmon and Fiddler work, they have injected themselves into the running process. > ...
>This is how shared libraries work on Windows, and once again in this example he is showing Fiddler which is something he has injected into EGS, nothing here.
Fiddler is an HTTP debugging proxy. It doesn't "inject" itself into running processes at all. All it does is act as a man-in-the-middle proxy server so that it can inspect outgoing HTTP requests. That's it. Web traffic gets routed to it and then you can inspect it using the various views it offers, so you can see requests and responses. It can optionally be configured to debug/inspect HTTPS traffic as well, but you need to install a special root certificate in order to do this, otherwise the data remains encrypted and can't be read. I guess maybe .matt is just trying to simplify this explanation by saying it's being "injected" purposely?
That said, the screenshots being shared do look seriously misleading. If he's using Process Monitor to show that Fiddler is doing something, well sure, it's being used to inspect HTTP traffic from the Epic Launcher, but that's not nefarious behavior, that's exactly what the person running Fiddler wanted to do.
It's only useful for specific situations, but HTTP debugging was a real game changer for me. I use Charles. Before I realised HTTP debugging was a thing, I would have to log the crap out of my HTTP requests to see what was coming back, so I could work out how to parse it. With Charles, you can see exactly what information is being sent to/from the server, which makes it much easier to identify issues.
Similarly useful is Paw. Useful for making & analysing requests & responses (with authentication etc) from your computer rather than having to perform the request in-app.
I think I hurt my left hand.
They can be considered man-in-the-middle. The word attack may have been a bit strong though :D
https://www.charlesproxy.com/documentation/proxying/ssl-proxying/
I love wireshark. Used to use it when it was still Ethereal. GUI could do with some love though.
The sweet spot of this seems to be debugging the SSL configuration of your server. For everything else, I feel there are more convenient ways.
If you're just interested in the communication contents, just open chrome://net-internals/#events
(or the devtools for a high level view). Works without any installation whatsoever, also on the stable versions. For actual debugging on the protocol level, I'd go for mitmproxy, which offers client/server replay etc. (I'm affiliated with the project - Burp, Fiddler, Charles, ZAP, ... would be great alternatives, so it's not about that).
https://httptoolkit.tech/blog/safari-is-killing-the-web/
Safari is bad, and the way Apple handles it is even worse. They treat Safari like they’re some independent team of 5 people working on the browser. 2 updates a year? Come the fuck on dude.
Charles proxy has a nasty habit of not removing the proxy configuration when it's turned off on the Mac. Some apps will retain the proxy settings, but not all apps do. This can cause issues with some VPN configurations. Charles proxy is supposed to automatically remove the proxy settings when you turn it off.
Honestly? vim and grep. A couple of quick greps on an unfamiliar codebase usually give me a good idea of how "smelly" it is security-wise, pull out a list of HTTP routes so I can see what looks interesting, etc.
As far as infosec-specific tools, maybe mitmproxy? It gives you the ability to replay HTTP requests with slight modifications. I think Firefox allows editing a request before resending in its network inspector but it didn't handle multipart encoded forms very well last time I used it. mitmproxy is also nicer because you can also write plugins to do things like automatically strip CSRF tokens out of proxied requests and replay them so you can quickly verify that all endpoints correctly mitigate CSRF.
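The CSRF check this comment describes, written out as an added example (not code from the thread) in the form of a mitmproxy addon. Rather than replaying a copy, this simpler variant strips token-looking headers and form fields from each state-changing request in flight and reports any that the server still accepts; it assumes only mitmproxy's hook API (`request`/`response` methods, `flow.request.headers`, `flow.request.content`, `flow.metadata`), and the list of token name patterns is this example's own heuristic.

```python
"""
mitmproxy addon that strips anti-CSRF tokens from state-changing requests in
flight and reports any the server accepts anyway.

Load it with:   mitmdump -s csrf_check.py
Only the mitmproxy hook API is assumed (request/response methods,
flow.request.headers, flow.request.content, flow.metadata); nothing is imported
from mitmproxy, so the pure helpers below also run on their own.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode

# Header/field names that commonly carry a CSRF token (assumed heuristic list).
TOKEN_NAME_RE = re.compile(r"(csrf|xsrf|anti.?forgery|request.?verification)", re.I)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def is_token_name(name: str) -> bool:
    """True if a header or form-field name looks like an anti-CSRF token."""
    return bool(TOKEN_NAME_RE.search(name))


def strip_form_tokens(body: bytes) -> Tuple[bytes, List[str]]:
    """Drop token-looking fields from an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if not is_token_name(k)]
    removed = [k for k, _ in pairs if is_token_name(k)]
    return urlencode(kept).encode(), removed


class CsrfStripper:
    def request(self, flow):
        req = flow.request
        if req.method.upper() not in STATE_CHANGING:
            return
        removed = []
        # mitmproxy's Headers object is case-insensitive and supports del.
        for name in list(req.headers.keys()):
            if is_token_name(name):
                del req.headers[name]
                removed.append(name)
        ctype = req.headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded") and req.content:
            req.content, removed_fields = strip_form_tokens(req.content)
            removed.extend(removed_fields)
        if removed:
            flow.metadata["csrf_stripped"] = removed  # remembered for the response hook

    def response(self, flow):
        removed = flow.metadata.get("csrf_stripped")
        if removed and flow.response.status_code < 400:
            # A 2xx/3xx here means the endpoint processed the request without its token.
            print(f"[CSRF?] {flow.request.method} {flow.request.pretty_url} "
                  f"accepted without {removed} -> HTTP {flow.response.status_code}")


addons = [CsrfStripper()]
```

Because the token is removed from the live request, the action really is performed without it whenever the server is vulnerable, so run this only against a test account. A non-4xx status is a hint, not proof; some applications answer 200 with an error page, so inspect the flagged responses in the mitmproxy UI.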
Self-signed certs in general provide no security. If your client blindly accepts a self-signed cert, an attacker can trivially MITM the traffic [1] and record/alter any packets in either direction. It's no better than HTTP.
You /can/ securely use your own certs if you control the trusted certificate store on the client. That's generally not the case though.
Look into StartSSL and Let's Encrypt for no-cost certificates.
This is wrong. Check out
https://mitmproxy.org/doc/ssl.html
It allows you to sniff TLS/SSL. You simply need to create a self-signed certificate for the API's domain name, and then add that certificate to Android's certificate chain (a very common/easy process). The app will then trust mitmproxy which decrypts the connection for you in real-time (while proxying onwards to the real server)
Well, if it's a keylogger then it's sending data to the outside, I would just log all traffic for a while and see if I can find something fishy.
For specifically this issue, I would probably use fiddler: https://www.telerik.com/fiddler
But if you have a suspicious process and you want to see what it's doing, you can preview it with https://www.hex-rays.com/products/ida/support/download_freeware.shtml to see if it's storing all keystrokes maybe or something.
Charles... You want Charles... https://www.charlesproxy.com
Follow the documentation for it, specifically follow the SSL proxy set up, and filter for 'pubads' and you should see the corresponding calls for google ads.
Almost certainly. mitmproxy does this. It will generate a new cert that you need to install on your device as trusted.
However, if an app is verifying the certificate itself against a list of known certs they provide, it could fail. Basically HSTS cert pinning. After all, it was designed to prevent MITM attacks.
No, the data is encrypted through TLS and both wireshark and tcpdump don't actively decrypt it.
To decrypt the data, you will need to get Niantic's TLS private key (highly unlikely to ever happen) or mitm the connection at runtime with a certificate you have the private key to. Try mitmproxy, it makes these things easy to do.
/u/larrysalibra, do you know about mitmproxy? It makes intercepting internet traffic (even HTTPS) much easier than sshing your router.
What's interesting to note here is not how much data Tantan is sending back to their servers, but that they're doing it without SSL. If you monitor Tinder traffic, you'll notice largely the same personal details (location, match data, distance, etc.) being transmitted – albeit via HTTPS.
Not sure what your goals are, but if you use the browser based streetview and inspect your network traffic with a program like Fiddler you can see that each scene fetches 20 .jpg's. These images do not have the embedded street names.
You can save the images directly from fiddler and/or probably whip up a script to capture and catalog them as you "drive" streetview.
EDIT: You can also view the raw images fetched by Google Earth with Fiddler.
I prefer Swift when starting a new project since the syntax of Swift is cleaner and has less unnecessary syntax -> less typing -> rapid development ;D
However, in some situations, during development of Proxyman.io, I have to select ObjC when dealing with C and C++ codebases since it's easier to deal with them. The majority of awesome system libraries are written in C; for instance, #include <libproc.h> is a good one to get the pid and manipulate it with high performance.
Well when a flash file is embedded on a website (tested it with Chrome but Firefox and IE are probably affected as well), a referrer is sent.
When a client is opened with flash projector, a referrer is not sent.
> it would be limited and temporary.
I don't know what is meant by limited.
Temporary, yes; hackers may find a workaround if DECA begins to block embedded hacked clients.
>I think it’s not possible.
It's 100% possible to detect embedded hacked clients, like the one found on R***mStock. If you want to test it yourself, Fiddler is a free tool that will log HTTP/HTTPS requests.
Anyways, speaking as a slightly experienced web developer, it would be very easy to write a script that searches through server logs and collects every login made with "059client.swf" in the referrer, and then issue a huge ban wave.
There are a couple ways to do it. First is to use something like Wireshark or mitmproxy to read the network requests the app is making.
Another option is to decompile the apps. This will let them view the source code, which will let them see where it's making network connections
Finally, you can use debugging tools on a physical device to see what's going on.
You can interactively view requests, and create replacement filters on them. You can also pass all options by cli arguments.
It has a kinda funky UI, but you get used to it pretty quick.
Can't vouch for the company, but a Charles proxy is indeed a thing. They presumably want to look at traffic from server x doing job y for program z, to your home. Think of it like a packet sniffer. Thus, I'd not use it on any devices you do sensitive stuff on (though any sensitive stuff should, by default, be encrypted; it's more of a safe-than-sorry thing).
I think mitmdump is the best fit for your use case. Only thing to watch out for is that mitmproxy is a bit of a resource hog, so you might need some port-mirror trickery to avoid introducing performance-related bugs on production.
As that article mentions you will need to install and use a CA cert on your phone with that wifi connection. I found this guide on how to do it but you'll have to work with your tech support in order to figure it out and they'll have to provide the appropriate cert. There's also a magisk module called "Move Certificates" that you may need to use to move user certs to system certs.
Yes it is.
But you should be using Charles Proxy because that's the king of proxying on macOS.
There's a free version, but it quits after 30 minutes, and it's a really useful tool for mobile QA so it's worth buying the full version.
Well, you could analyze the app's network communications on your phone using an interception proxy such as Charles for iOS. But that assumes the app doesn't implement some form of certificate pinning which would prevent you from analyzing the app's network flow. In that case, you could then inject JavaScript to defeat the app's certificate pinning mechanism using Frida. Once you've mastered that, you could start freelancing as a mobile app security practitioner, buy a motorcycle and new phone, and then move out of your parents' house.
There is actually a great tool for this that is very popular among developers. https://www.charlesproxy.com
Charles Proxy lets you intercept and decrypt SSL communication between your device and the internet. There are plenty of examples of people using this app to inspect Instagram traffic.
/u/BishopOfBattle
What version of the Editor are you using?
The team recently fixed an issue in 5.6 where DisableEditorAnalytics was not properly honored. That patch should be available soon.
We still have one bug on EditorAnalytics where it will fetch the RemoteConfig for the Editor. (RemoteConfig is the basis for the Remote Settings feature.) However, that should only affect the Editor, not any builds you create. (Also, if you do not have analytics enabled, then you will just get an empty config file.)
There is another setting to disable HW statistics within builds, which can be found in your Player Settings, under Other Settings -> "Disable HW Statistics".
What is the current state of that option in your Player Settings?
Lastly, how are you verifying that these endpoints are hit? I'm assuming you're using a network traffic analyzer, such as Charles proxy. Are you checking this via the Editor or while running on a device?
Hi
Pretty excited 'bout your efforts to recreate something similar to old omgpop and bring back the community. The old omgpop, towards its demise, was prone to hackers and other cheaters. If those people could do it on omgpop, do you think they can do it on the site you are currently working on? I think the site will be susceptible to attacks and cheats on a heavy basis since all the cheats are out there now and can easily be found on YouTube.
https://www.charlesproxy.com/ and wireshark were used to monitor the packets on the earlier site and manipulate the data. I don't really know much about this.
Just giving you a heads up.
The general idea is pretty simple, but there is some trickery involved in practice (you can see an open source implementation here for example). As you noticed, the proxy has its own root CA. The general idea is that the proxy uses this CA to generate certificates for any sites you access, on the fly (it probably caches the generated certificates, for efficiency). You can read a more detailed explanation about the whole process here -- look for the sections "Explicit HTTPS" and "Transparent HTTPS" depending on whether Chrome is set up to use the proxy ("Explicit HTTPS") or not ("Transparent HTTPS").
Chrome doesn't know the CA used by the proxy, so even though the certificate it receives for "reddit.com" has a valid signature from this CA, it doesn't consider the connection secure. If you really wanted, you could change that by adding that CA to the list of root CAs trusted by Chrome. You'd have to export the root CA to a file and then import it as a trusted CA by going here: chrome://settings/search#ssl
and clicking "Manage Certificates" (this opens the right tool to manage the certificates regardless of the OS Chrome is running). I don't really recommend doing this, though.
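The mechanism this comment describes (and the one mitmproxy and Charles rely on in the comments above about installing the proxy's certificate on a device), as an added example that is not the thread's or mitmproxy's code: a self-signed root CA, a per-hostname leaf certificate minted on first use and cached, and the signature check a client performs against the CA it trusts. It uses the `cryptography` package, which mitmproxy itself depends on; the CA name, key type and validity periods are this example's own choices.

```python
"""
How an intercepting proxy mints certificates: one long-lived root CA that the
client must be told to trust, plus a per-hostname leaf signed by it, generated
on first use and cached. Uses the `cryptography` package (a mitmproxy
dependency); names, key type and validity periods are this example's choices.
"""
import datetime
from typing import Dict, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


def make_root_ca(common_name: str = "Example Proxy Root CA"):
    """Self-signed CA; its certificate is what the user installs on the device."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                                     content_commitment=False, key_encipherment=False,
                                     data_encipherment=False, key_agreement=False,
                                     encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


class LeafCertCache:
    """Mints a server certificate for each hostname on demand and caches it per host."""

    def __init__(self, ca_key, ca_cert: x509.Certificate):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self._cache: Dict[str, Tuple[ec.EllipticCurvePrivateKey, x509.Certificate]] = {}

    def cert_for(self, hostname: str):
        if hostname not in self._cache:
            key = ec.generate_private_key(ec.SECP256R1())
            cert = (
                x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
                .issuer_name(self.ca_cert.subject)
                .public_key(key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(_now() - datetime.timedelta(minutes=5))
                .not_valid_after(_now() + datetime.timedelta(days=397))
                # Modern clients match the hostname against the SAN, not the CN.
                .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
                .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
                .sign(self.ca_key, hashes.SHA256())
            )
            self._cache[hostname] = (key, cert)
        return self._cache[hostname]


def signed_by(leaf: x509.Certificate, ca_cert: x509.Certificate) -> bool:
    """The check a client performs: does the CA's public key verify the leaf's signature?"""
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def san_names(cert: x509.Certificate):
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def pem(cert: x509.Certificate) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    ca_key, ca_cert = make_root_ca()
    cache = LeafCertCache(ca_key, ca_cert)
    _, leaf = cache.cert_for("www.reddit.com")
    print(pem(ca_cert).decode())
    print("leaf SAN:", san_names(leaf), "signed by CA:", signed_by(leaf, ca_cert))
```

The leaf for "www.reddit.com" verifies only against the CA that signed it; a browser that does not have that CA in its trust store runs exactly this check with its own roots and fails, which is why the comment above sees the connection flagged as insecure until the proxy's CA is imported. The CA private key is the whole secret of the setup: anyone holding it can mint a trusted certificate for any site on every device where the CA was installed, so treat it (and the device that trusts it) accordingly.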
Short of traffic monitoring/MITM SSL proxies (mitmproxy for example) to see if proper encryption is used (or if encryption is used at all), you're left with a few choices:
It's a trade-off between security and convenience.
I usually use Fiddler for web-based stuff like this. It basically acts as a transparent proxy and can set itself up as a MITM for TLS traffic so you can see the unencrypted data as it happens (requires temporarily adding the fiddler root to the OS's root trust store).
Their new Fiddler Everywhere version that I've only very briefly touched seems to be missing some key features from the old version they now call Fiddler Classic. In particular, the old version was able to target requests from a specific process rather than just intercepting everything the machine is doing. So you could point it to a particular PowerShell window and not have to wade through things like OS telemetry, Outlook checking mail, Slack, etc.
When you launch the game it opens an unencrypted connection to ping.yoyogames.com on port 443 with a zero length body. I'm pretty sure every Game Maker (2.0?) game does this.
It could send stuff later in the game, I only looked at traffic through to shortly after character creation.
You can easily check for yourself with Fiddler.
This is true. They are trying to address it with a plugin, but it still requires the developers to use it and release a new version, which doesn't appear to be happening in many cases. If you want to see what web requests a game is making, Fiddler can do it; make sure you enable HTTPS capture.
You're right, Android 11 changed the way it manages CA certificates. https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
>The system store is used as the default to verify all certificates - e.g. for your apps' HTTPS connections - and as a normal user it's completely impossible to change the certificates here, and has been for quite some time.
>Until now however, you could install to the user certificate store, which apps could individually opt into trusting, but which they don't trust by default.
>In Android 11, the certificate installer now checks who asked to install the certificate. If it was launched by anybody other than the system's settings application, the certificate install is refused with an obscure alert message: [...]
>In practice, this change means the certificate install API no longer works, opening certificate files no longer works, and it's impossible to initiate a certificate install even from ADB (the Android debugging tool).
>It is still possible to install certificates using the device management API, but only in the special case where your application is a pre-installed OEM app, marked during the device's initial setup as the 'device owner'. If not, you're out of luck.
For macOS users, I heartily recommend Proxyman. It's a native mac app and is under active development. It has features Charles doesn't, such as (JavaScript) scriptable responses.
Here's what you need to do to get started. Pretty sure all major games have SSL pinning enabled. You need to bypass that in order to intercept HTTPS traffic. It's much easier to do it on Android. Well, I mostly work on Android so that's my preference. Can be done on iOS too. A few things you would need to install: BurpSuite, frida, adb tools, apktool, etc. I prefer to use frida to bypass SSL pinning. You'd also need to root your device. Follow the steps here to do this: https://httptoolkit.tech/blog/frida-certificate-pinning/
Once you set up your proxy and bypass SSL pinning, you can see all HTTP traffic from the app.
If they are not encrypting the HTTP body, you're in luck as you'll be able to see that data in Burp. You can start your investigation on that data and see if you can mess with it to bypass application logic in some way. If the HTTP body is encrypted, then this will get tricky. You would have to decompile the application. I like the JEB decompiler, but it's not free and quite expensive. There are other open source decompilers available. Just google for them.
Once you decompile the app, find the code that is being used for encrypting HTTP traffic. Then you would have to write up some frida scripts to hook those methods to dump plaintext data to actually see what's being transmitted. You might be able to mess with the plaintext data in the frida scripts to achieve what you want. Search online on how to do this.
I don't want to go into native JNI code. But it's possible that encryption or any other critical logic is defined in those shared libraries. You can use Ghidra to decompile those.
Now once you're able to dump your plaintext HTTP data that is being transmitted, either just by Burp proxy or using the other methods I mentioned, you need to see if the game server is sharing other players' data with the client app. If that's the case, you might be in luck and maybe cheat the game. Otherwise you'd have to investigate more to see if this is even possible.
It's hard to tell what is going wrong without more details about the type of request which is being made and any specific request headers which are being sent. If you're able to share some code there's a much better chance that someone will be able to help you.
I have found the tool Will it CORS? really helpful for figuring out how I need to configure things in different situations.
The OPTIONS verb is basically a silent request that gets sent first to get a feel from the server about what it's cool with accepting.
It's a lightweight and quick response to determine if the request you ultimately want to send is going to be valid or not, since any request to the server will return on the response headers what content-type it expects, what domains it will respond to, etc. If your request will fail any of those the browser now knows not to waste anyone's time with going through with the full request.
I'm actually fairly certain that the OPTIONS request is made all the time - it's just not visible to you most of the time on most browsers.
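The browser-side decision the two comments above sketch (when a preflight OPTIONS is sent at all, and what in its response lets the real request proceed), written out as an added example that is not from the thread. It is pure Python over header dicts, so you can paste in a request and the OPTIONS response captured in a proxy or devtools and see which rule fails; the safelists follow the Fetch specification, and the header values in the test are constructed.

```python
"""
The browser's CORS decision, reduced to pure functions so a captured request
and its preflight response (copied out of a proxy or devtools) can be
evaluated offline. Header names are matched case-insensitively.
"""
from typing import Dict, List, Tuple

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def _csv(value: str) -> set:
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def unsafe_request_headers(req_headers: Dict[str, str]) -> List[str]:
    """Request header names that are not CORS-safelisted and so force a preflight."""
    unsafe = []
    for name, value in _lower(req_headers).items():
        if name not in SAFELISTED_HEADERS:
            unsafe.append(name)
        elif name == "content-type" and \
                value.split(";", 1)[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
            unsafe.append(name)  # e.g. application/json is not safelisted
    return unsafe


def needs_preflight(method: str, req_headers: Dict[str, str]) -> bool:
    """A 'simple' request skips OPTIONS; anything else is preflighted first."""
    return method.upper() not in SAFE_METHODS or bool(unsafe_request_headers(req_headers))


def origin_allowed(origin: str, resp_headers: Dict[str, str], with_credentials: bool) -> bool:
    resp = _lower(resp_headers)
    acao = resp.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao.strip() == "*":
        return not with_credentials  # the wildcard is rejected on credentialed requests
    if acao.strip() != origin:
        return False
    return (not with_credentials
            or resp.get("access-control-allow-credentials", "").strip().lower() == "true")


def preflight_allows(method: str, req_headers: Dict[str, str], origin: str,
                     preflight_resp: Dict[str, str], with_credentials: bool = False) -> Tuple[bool, str]:
    """Would the browser send the real request after this OPTIONS response?"""
    if not origin_allowed(origin, preflight_resp, with_credentials):
        return False, "origin not allowed"
    resp = _lower(preflight_resp)
    methods = _csv(resp.get("access-control-allow-methods", ""))
    m = method.upper()
    method_wildcard = "*" in methods and not with_credentials
    if m.lower() not in methods and m not in SAFE_METHODS and not method_wildcard:
        return False, f"method {m} not allowed"
    allowed = _csv(resp.get("access-control-allow-headers", ""))
    header_wildcard = "*" in allowed and not with_credentials
    for name in unsafe_request_headers(req_headers):
        # 'Authorization' is never covered by the wildcard, per the Fetch spec.
        if name not in allowed and not (header_wildcard and name != "authorization"):
            return False, f"header {name} not allowed"
    return True, "ok"
```

Note what this check does not do: it says nothing about whether the server will accept the request, only whether the browser will send it and expose the response to the page. A server that answers every OPTIONS with `Access-Control-Allow-Origin: *` has simply handed cross-origin read access to every site, which is the usual CORS misconfiguration to look for when you see that header in a proxy.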
URL: HttpToolkit.tech
Purpose: Landing page for new product
Technologies Used: React, Styled Components, D3, Gatsby.
Feedback Requested: Design, copy, the product itself, anything really
Comments: I'm building a new side project (a tool for HTTP development), and this is the landing page, so I can start to see if people are interested in it.
If you look closely though, it's not just a landing page, but also an MVP for the design of the app itself. On desktop/tablet, the sections below with the details all have the real live JS component the UI will use, as an interactive background element. Good idea?
I'd give Charles proxy a go. Maybe the setup isn't straightforward if you haven't done it before but it's the best tool that I know for sniffing the network requests/responses.
The other tool that I used to use is Stetho.
Apparently you can use something like Charles, but as far as I'm aware there's no specific tools to manage and interpret it for you. I'm not a mobile developer, but my general understanding is that the App Store (unlike Google Play) doesn't allow for the kind of functionality that such an app requires to work.
Shame that the open source tooling isn't working yet.
I appreciate that it's a Motorola tool, but my suggestion for option 3 was to use something like Charles Proxy (https://www.charlesproxy.com) to capture the requests made by the SWF so that you could potentially create an alternative mechanism to replay similar requests for managing the system without needing Flash.
I assume you've reached out to Motorola too?
I would recommend using Charles. Make your phone proxy through your computer & you can cleanly see every HTTP request & its payload. If you notice SSL traffic then you MAY be able to sidestep it by installing the Charles root certificate on the device, but if the app developers enabled certificate pinning then there's nothing you can do without basically hacking the app.
Charles Proxy is an app for capturing HTTP requests. They have a native iOS app, however it's $10. https://apps.apple.com/us/app/charles-proxy/id1134218562
The iOS app simplifies things by a lot. Not sure if the price is worth it for your use case. I already had the app for development purposes so I didn't buy it just for this.
However, if you don't mind more steps, there is a PC/Mac method that runs a proxy server on your computer, and they provide a trial on https://www.charlesproxy.com/
After installing the application, you can use your PC/Mac as a proxy and then you'll be able to sniff HTTP requests from there.
Once you've found the hostname to block, you can use Filza to edit /etc/hosts and block the hostname there by entering 0.0.0.0 domainhere.com.
After that reboot your phone.
I can't speak for Android, but I know for a fact iOS isn't. I work on this stuff professionally.
You can get something like Charles to spoof the SSL on your device and decode all network traffic to and from the device.
You can actually see when Siri data is transmitted. Internet traffic is still dumb, and outside of 'encoded' data (that you still can see the end point and payload), if you spoof the SSL all data your device moves is visible.
I have entire days of logs where all the traffic on my phone is recorded (as part of apps I'm working on) and there's nothing suspicious there, besides random background pushes from things like Instagram where they are sending tracking data and usage stats.
Weird. I would have expected that simply removing it would work too. (One note: sometimes making too many edits to the AS code in FFDec can cause errors in the resulting SWF file. I try to stick with editing the P-code when possible.)
I haven't used that site. I was referring to Charles web proxy which basically monitors web traffic on your computer. This allowed me to show what URLs were being requested when I ran the original SWF file in a browser. It can be very useful for both Flash and other reverse engineering -- add it to your tools list too!
Fixing sitelocking can vary in difficulty quite a lot. I generally search in FFDec for the displayed message ("play this game on xyz.com" or whatever). This usually helps me find where in the code the site check is implemented, and modify it accordingly.
Some big-name games are trickier -- for example, NinjaKiwi games encrypt some critical sitelocking functions with a key that's computed elsewhere in the SWF at runtime. However, by adding trace() (see the output by enabling TraceOutputFile for the player as explained here) and FileReference.save() functions at the right points, you can often break these DRM methods too, given enough work. (I've successfully done this for BTD5, Happy Wheels, and a few others. It's a fun puzzle, in a way.)
That's not true. Look at the changelog and you will see many new features in v4 that v3 does not have.
For example:
That said, v3 is perfectly capable of handling most use cases
If they are external you can monitor the request using something like Charles https://www.charlesproxy.com which you can have running in the background while you preview the SWF. The file paths will appear in the request URL list
The configuration profile in the first screenshot is NOT what gets installed when you download enterprise signed apps. The configuration profile in the first line of the first screenshot is for this extraordinarily useful tool. The second line that has the black line obscuring the company name is what shows up when you install an enterprise app. It is explicitly NOT a configuration profile. It ONLY gives your device permission to run apps signed by that certificate which did not come from the App Store (iOS trusts App Store signed apps by default).
In the first screenshot, look at the second entry under the heading "Enterprise App". This is what shows up if you install enterprise signed applications and does not give MDM access.
Are you using a PC? If that's the case you can find the apps in your music folder. There you have an iTunes folder. In it there should be a Mobile Application folder. My system's language is German and the folder names are still in English, so this should be the same for Spanish systems. You can just check it out without starting anything. That seems to be the hardest part for you because it's not in the guide. However, it seems that iTunes 12.4.3 is only available for a 64-bit system, at least the version you find directly on apple.com. However, you can get this version from Apple which is even older and should work. You can find the old version from Charles here. If you have both tools you should watch the entire video carefully. If you do all the things step by step you can't really mess up anything. The worst that could happen is that it does not work and you wasted a few minutes. If you take this "risk" you should definitely try it.
I've looked at some of the traffic with Charles, but it seems like none of the actual game data runs through it.
I forget how I did it, but I logged out the DNS requests, and I was seeing traffic to sparx.io
which seems to be Kabam's game API server. I seem to recall seeing it was over port 443 which is HTTPS, but I wasn't seeing that domain anywhere in Charles, so I'm not sure how they're making those connections or how to capture that data.
I made requests for read-only API access on their suggestion forum, but obviously that went nowhere.
> WHAT'S WITH THE LOGO?
>The jug is part of the Charles folklore. It once belonged to a man named Charles, but Charles is not named after him.
https://www.charlesproxy.com/documentation/faqs/whats-with-the-logo/
We build an SDK that developers put into their apps. When there are problems, we download their applications and set up a proxy connection on mobile devices we use for testing, and inspect the network traffic of them via our laptops (the proxy) to find out if there are problems with their SDK integration. The SDK communicates to our servers over SSL, so we use a custom certificate installed on the devices, and then we use the Charles app
on the laptop to look at the traffic. (in case you're curious -- https://www.charlesproxy.com/documentation/proxying/ssl-proxying/)
To be clear, our laptop will act as the proxy for a device, so that we can inspect the traffic individually. We don't monitor all traffic of the test devices, nor do we have a need to. It's on an individual basis.
These are not devices that users own; they are test devices that they check out and return. As such, the devices do not proxy to the same IP all the time, whoever checks out the device changes the proxy IP to that of their own laptop for the duration that they use the device.
You can packet-sniff your own computer to watch the game communicate with the server, and begin to reverse-engineer the undocumented API by watching the interaction. Assuming the connection is encrypted (and why wouldn't it be, in this day and age), you'll probably have to run something like mitmproxy to decrypt the connection. If they're using certificate pinning, or connect using something other than HTTPS, you may have to reverse engineer the application directly, reading the strings or stepping through instructions to see what calls it makes. Doable, but complicated and tedious.
Concerning web-based wallets. Why are they so insecure?
In order to allow law enforcement and intelligence agencies to intercept encrypted messages, HTTPS implements a well-known backdoor.
The certificate for a site's public key can be issued by 600+ different certificate authorities, some of which are very shady. Therefore, any attacker on a node in between your device and the website server can intercept the public key and the real certificate and replace them with a fake pair of credentials.
From there on, the Man In The Middle (MITM) can completely decrypt your not-so-secure communications over HTTPS. A large number of attackers, working at various WiFi locations, telecom operators, and backbone operators, will automatically harvest user IDs and passwords from multiple known sites such as, indeed, blockchain.com. They also intercept a massive number of fiat banking logins and passwords, usually with a view to selling them on the darknet.
Therefore, a theft is just a question of time. All that needs to happen is that one node on the route between your computer and the website happens to be compromised.
This type of attack is typically automated with tools such as: https://mitmproxy.org.
A fourteen year old script kiddie can learn how to do that in just a few weeks.
This problem also arises when using websites such as coinbase.com. An exchange that you access through the browser is an accident waiting to happen. It is just a question of time and your money will be gone. You can still use them for small amounts if you make sure not to leave your coins on the exchange's website for extended periods of time.
In other words, never use a web application for secure computing. Websites simply cannot be secured. This is so by design.
I had a blast doing this!
Nice list!
I want to give a shout-out to mitmproxy as an open-source alternative to Charles. It has a command-line interface as well as a web interface. It's also scriptable (in Python).
It's come a long way since I first started using it. It's much simpler to get up and running now.
If on a Xiaomi you can manually install self-signed certificates (or manually insert a CA and then a certificate), and if you can specify a proxy, then reflashing the router is not necessary.
You install mitmproxy on a spare machine; it generates a certificate that you have to install on the system under investigation. Then, on the system under investigation, you specify that the mitmproxy machine is the proxy and that traffic must go through it.
The tool essentially does a tcpdump, but the beauty is that the TLS gets decrypted. In principle, it seems Wireshark can also get inside TLS with some gymnastics, but the setup seemed simpler with mitmproxy. It works: that is how I successfully sniffed the private API of a phone app and was able to write an alternative client.
https://mitmproxy.org/#mitmdump would probably be a good fit. You can programmatically strip out data from HTTP requests using its Python API.
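The two comments above mention that mitmproxy is scriptable in Python and that mitmdump can strip data out of requests. The following addon is an added example, not code from either commenter and not mitmproxy's own code: it logs every flow as one JSON line with credential-bearing request headers redacted, and writes response bodies of selected media types to disk. The header list, the media types and the output directory are assumptions to adjust per target; the hook name `response(self, flow)` and the `flow.request` / `flow.response` attributes are mitmproxy's real addon API.

```python
"""mitmdump addon: redact credentials in the log and stash API response bodies.

Run with:  mitmdump -s stash_api.py
The device under test must point at the mitmproxy host as its proxy and trust
the mitmproxy CA, otherwise HTTPS flows never reach this hook.
Added example; not part of mitmproxy.
"""
import hashlib
import json
import pathlib
import re
import time

# Request headers whose values must never land in a log file (assumption).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
# Response media types worth keeping byte-for-byte (assumption).
STASH_TYPES = ("application/json", "video/mp4", "application/octet-stream")
# Where stashed bodies and the request log go (assumption).
OUT_DIR = pathlib.Path("./stash")


def redact_headers(headers):
    """Return a copy of a header mapping with sensitive values replaced.

    Header names are matched case-insensitively; only the value length is kept so
    that a truncated token is still recognisable as one in the log.
    """
    out = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            out[name] = "<redacted:%d bytes>" % len(value)
        else:
            out[name] = value
    return out


def should_stash(content_type):
    """Decide on the media type alone; parameters such as charset are ignored."""
    if not content_type:
        return False
    media = content_type.split(";", 1)[0].strip().lower()
    return media in STASH_TYPES


def stash_name(host, path, body):
    """Stable file name: host, sanitised path and a short body hash.

    Identical bodies for the same URL map to the same name, so replays of a
    cached asset do not pile up copies on disk.
    """
    safe_path = re.sub(r"[^A-Za-z0-9._-]+", "_", path).strip("_") or "root"
    digest = hashlib.sha256(body).hexdigest()[:12]
    return f"{host}__{safe_path}__{digest}"


class StashApi:
    """mitmproxy addon object; mitmdump calls response() once per completed flow."""

    def __init__(self, out_dir=OUT_DIR):
        self.out_dir = pathlib.Path(out_dir)
        self.log = self.out_dir / "requests.jsonl"

    def response(self, flow):
        req, resp = flow.request, flow.response
        if resp is None:
            return
        self.out_dir.mkdir(parents=True, exist_ok=True)
        entry = {
            "ts": time.time(),
            "method": req.method,
            "url": req.pretty_url,
            "status": resp.status_code,
            # Logged with Authorization / Cookie / API-key values stripped.
            "request_headers": redact_headers(dict(req.headers.items())),
        }
        ctype = resp.headers.get("content-type", "")
        if should_stash(ctype) and resp.content:
            # resp.content is the body with transfer/content encoding removed.
            name = stash_name(req.pretty_host, req.path, resp.content)
            (self.out_dir / name).write_bytes(resp.content)
            entry["stashed_as"] = name
        with self.log.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")


addons = [StashApi()]
```

`requests.jsonl` then holds one line per flow that can be grepped or loaded into a notebook, and the stashed files sit beside it. Redacting at capture time, rather than when the log is shared later, is the point: a proxy log full of bearer tokens is itself a credential store.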
I've used mitmproxy in the past when messing around with malware. It works pretty well.
As /u/0x414142424242 pointed out, OWASP ZAP is basically an open source alternative with similar core functionality. However, I think mitmproxy is also worth a look -- it has a command line and web interface and is very extensible in Python.
> scraping off an app is different to HTML scraping
for sure, yes, but in my experience it can also be much, much easier because it is highly unlikely that your target will send down presentation stuff (i.e. HTML) to the app -- they will send down only the data, which is what you wanted to begin with.
That said, there are different hurdles to overcome when going after app data: authentication is almost surely involved, there could be rate limiting per login, and they are (strangely) able to change the format or data sent down almost arbitrarily, which isn't typically true for web targets.
> I intend to use an extension to run the android app
I'm not certain what that means, but I guess so long as you know and are comfortable with it, then try it out. My experience has been a mixture of man in the middle attacks, and decompilation of the app to learn the URLs and any auth schemes. But, just like going after a web target, almost every job differs.
I don't at all mean to dissuade you from using the app-centric approach, but also be sure to look at any XHRs on their current website, as it may very well be sending down the JSON you want but without all the authentication or other tidbits you may be able to avoid. It can be the best of both worlds: just the data, thankyouverymuch, but without all the energy expended to learn those URLs and responses.
> I agree with you 100%, but even if they manage to get a certificate signed with the private key, they can't read traffic sent to another certificate by tapping the cables. And if they have changed the certificate so that the traffic is encrypted for that certificate, they already have access to the traffic, so touching the cables is pointless.
It's enough to create an intermediate certificate signed with a root key; that way every browser recognizes it. Then generating keys on the fly, signed with that certificate, isn't very complicated; there is even software that makes it very easy.
Because let's be honest: few sites deploy DNSSEC and DANE/TLSA, few people use a resolver that checks their validity, few people check the certificates served by sites, and few people use a VPN.
> What I mean is that this cable is not going to have any impact on the DGSE's intelligence capability
Yes, I agree with that. They must have enough technical means with the famous "black boxes".
charlesproxy/fiddler are both very good, and will address most situations. I personally use mitmproxy in transparent proxy mode, because I have come across some apps that "ignore" a proxy configured on the device client.
https://mitmproxy.org/ http://docs.mitmproxy.org/en/latest/transparent.html?highlight=--host#fully-transparent-mode
If the devs were really focused on preventing a MITM they might leverage cert pinning. Not sure of a way you can snoop that traffic, without doing some http client logging on the server in a lab env.
From what little I read on their site, it looks like they're just an http proxy.
Should be as easy as installing it on any other debian distribution. Get the raspbian flash, and install mitm. The biggest thing you'll have to look out for is dependencies. You may run into several libraries you have to install that aren't called out in the default instructions because normally they're there.
Try the Ubuntu Install Instructions first.
You may be able to use a MITM proxy with these.
https://mitmproxy.org/ for example. (I've never used it. Just came up in a googlesearch)
If they support the older ssl versions, they may redo the ssl protocol for the connection to your browser. They're having to decrypt it anyway.
Using stunnel is also possibly an option. Use one stunnel to unwrap the old SSL protocol, then, if you need it, another to rewrap it (or only connect via an SSH-tunneled proxy, which is the only thing allowed to talk to the stunnel port).
Is the ACL (access control list, a.k.a. IP whitelisting) being done in an access router or in a firewall? Most firewalls are very good at dropping spoofed packets, while a router could be bypassed.
The typical way a MITM app works is that it's not a router, it's a proxy. As a proxy it is able to deal with HTTPS and also provide valid routing info to both ends of the conversation.
It works for me. I just point the settings in the wifi settings to the proxy.
http://puu.sh/hFnKW/8c33317b18.jpg
Did you remember to install the certificate on the phone? https://mitmproxy.org/doc/certinstall/webapp.html
If you want less bloat, more open source and non-missing images in the documentation, you may want to take a look at mitmproxy. Also, you get real Python scripting instead of this weird FiddlerScript thing.
Resource Monitor is part of Windows and has a Network tab. It's not exactly the best, nor does it keep logs, but it might be all you require if you just want to see, at any given moment, what programs are using your network.
I know us programmers like to use Fiddler, but that might be a bit advanced for the average user.
There are 2 ways that sites can identify a browser:
By User Agent
To modify the user agent that's been sent in http headers, you can use a proxy like Fiddler to intercept and change what IE is sending:
https://www.telerik.com/fiddler
By feature set
If the site is detecting that you're using an older browser based on its lack of support for specific features, there's not a lot that you can do.
Instead of altering the game's binaries, a more common approach to debugging an encrypted network protocol is to use a logging proxy with a custom root CA. For HTTPS traffic there are tools like mitmproxy / mitmweb or Fiddler.
Fiddler also supports simulating slower networks, but it may be overkill for your setup. But it's a great testing tool overall, especially if you're doing a lot of web application testing via a browser.
I'd probably load up Fiddler, point it at your PowerShell process, and look at the raw HTTP response from the API when it fails for you (optionally copy it here as well). There might be something funky like double encoding happening where the response is being parsed, but the resulting object is just a single string value that's another embedded JSON string or something like that.
I'll add that if you don't want to use an external solution you can use Fiddler. It creates a local proxy and captures all web traffic. I use it to hack into APIs that are not documented. It has helped me find the quirks between a call that works from Postman/a web browser and what the call from PS ends up looking like.
Yeah, those are probably the best modules for it. You can use your browser's developer tools or a local debugging proxy like fiddler to see what requests you need to send in the first place.
It's not breaking SSL encryption. Basically the company owns and manages the employee computers, so they can preconfigure them to add a trusted root CA that they own. This trusted root CA can basically be used to MITM all SSL traffic.
For example: https://security.stackexchange.com/questions/33976/man-in-the-middle-blue-coat-proxy-ssl-or-what
You can do a little test on your own by downloading and configuring Fiddler. It works similarly. I used to use it to decrypt SSL traffic on mobile devices that I was doing development on. You just have to configure your phone OS to trust the Fiddler cert first.
Edit: Actually not "all" traffic. Clients that use cert pinning can prevent this type of MITM.
The launcher is powered by the FiddlerCore library, which is a proxy that lets you modify HTTP requests. It uses it to intercept and reply to Wii U USB Helper's requests. However, without a trusted SSL certificate, programs will fail to make any HTTPS connections while the launcher is running, which would not be very convenient. You can read more about it here.
This warning is there to make users aware of what they're doing, as this could be easily abused by malware. If you trust the origin of the software, though, there's nothing to worry about.
For anyone running Windows, The Fiddler: https://www.telerik.com/fiddler is one of my favorite interception proxies because it's pretty easy to get started with and due to its jscript engine, scales as you grow. It's also one of the few that allow you to tamper at the protocol level which is pretty handy. One word of advice, however, make sure you understand what you are doing when you decrypt traffic and be wary of allowing remote computers to connect. It's pretty easy to configure it in a way that causes network bridging. As an example if you are running The Fiddler with allow remote computers to connect enabled while on a VPN, you'll bridge the VPN network to whatever network you are on and if that's your home network, that could cause issues if you don't have secured devices on that network like media libraries and whatnot.
If you're not already, you should be using Fiddler to check that your JSON is being formed properly, as well as to investigate the response from the remote host. I've made several Power API functions just by using Fiddler to form the JSON: https://www.telerik.com/fiddler
This is why you should stick to the golden rule of application development: assume your users are either dumb or want to do harm. Design a system with security in mind as your primary concern. Don't expose anything to the public that you're not afraid to expose.
This tactic works well when you're open-sourcing applications. One way of fetching secrets is by downloading the APK. The second is by using tools such as HTTP Toolkit. If you manage to reverse-engineer an API, you'll be able to gain an in-depth understanding of client-server communication.
very much disagree with you, due to all the points from this post.
the internet explorer comparison is drawn because it is installed by default and forced onto users, and yet has fallen behind. that describes Safari perfectly. it is impossible to use another browser on iOS.
Try using the “Charles Proxy” app. It’s basically an external version of what the Chrome network tools is showing anyway.
Fiddler has no integration with VS; it's a standalone application (also, you need to choose the Classic version: https://www.telerik.com/fiddler/fiddler-classic). It checks all incoming/outgoing connections on the PC and can also install a root certificate to decrypt HTTPS traffic.
Chromium is a really great browser and it adopts web standards way faster and more faithfully than Safari.
I do think that the lack of privacy in Chrome is concerning, and the Chromium monopoly is without doubt a problem.
I think this blog post has an interesting take in the issue https://httptoolkit.tech/blog/safari-is-killing-the-web/.
I use Firefox. We still test in FF, Chrome and Edge. I'm not a fan of Chrome's privacy concerns either; it's why I use FF.
We don't bother with Safari though, because it's just riddled with issues. As a company, is that the best policy? Lol, no. If someone calls and complains that something isn't working with Safari we address it then; in the meantime we don't even bother.
I'm too lazy to look up how to link this in reddit, lol, so here, copy and paste, but this article summarizes the issues well.
You shouldn't need to make your own key. HTTP Toolkit can generate the key and do most of the setup for you. Have you seen the guide at https://httptoolkit.tech/docs/guides/android/?
It's even easier if you use a rooted device or an emulator, in which case it's 100% automatic setup. There's a guide to doing that with an emulator here: https://httptoolkit.tech/blog/inspect-any-android-apps-http/
> Reason 1: make things easy to use.
Burgher's solution: a web wallet.
He does not elaborate, however, on the known phenomenon of web wallets getting hacked incessantly.
The reason is otherwise simple.
The browser was specifically designed to leak its secrets to law enforcement. We also know that not only the official mafia makes use of this browser feature but that every other mafia does that too.
Nowadays, we even have user-friendly and automated tools to assist absolutely anybody in duly and extensively hacking browser traffic:
> It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.
When you see a large herd of sheep somewhere, then rest assured that the presence of a pack of wolves will automatically materialize out of the blue and start circling this juicy source of extra proteins.
Mutatis mutandis, when a large number of unsuspecting mimic users will start using their browser-based wallet, that will certainly also draw the attention of hungry predators in search of easy prey. Before you know the successful predators will exclaim:
All your base are belong to us!
So, on the one side, yes to making some things easier.
However, on the other side, no, to making it easier for a new socialist income and wealth redistribution scheme to collect funds from the naive segment of the population to be handed over to the more ruthless one.
2FA is a fledgling workaround for the fact that SSL/TLS (as in "https") does not secure anything at all:
> mitmproxy ... can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.
Is 2FA the solution?
Not necessarily, because the second factor usually also revolves around using (yet another) insecure protocol such as SMS.
Seriously, why use something for protection that simply does not protect?
Can you really solve the problem caused by an insecure protocol by using two insecure protocols (2FA)? And if that does not work, three insecure protocols? Ad nauseam?
The real solution is not to use browser-based client applications and not to use SSL/TLS in any client application at all, be it desktop, web, or mobile.
Nothing is fixed, my friend.
Not even close!
> mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing.
> It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.
Anything that runs in a browser, such as Chrome, is low-hanging fruit. It is just too easy to strip clean.
If you store anything of value in a browser, you are doing something very dumb.
I'm planning to intercept some HTTPS requests from some of my app too but I never find the time to make it. I have read a resource here. Maybe you can attempt those steps, let me know if it works for you.
The thoughtful UI/UX is one of the selling points, I would say. You can pin domains or apps and quick-filter the content, as you've already done in the Finder app.
Regarding the features, Map Local with Editor would be easier to edit the file directly. See the tutorial: https://proxyman.io/blog/2020/02/Change-HTTP-status-codes-for-UI-testing.html
Howdy, this is the Proxyman team talking ✅! Since the official launch of the original version of Proxyman over 1 year ago, Proxyman has been noticed and is being used more frequently as an alternative to other well-known applications. Although it means more pressure (from both bug reports and feature requests), we are also inspired and motivated by the support and encouragement from the community.
Today we proudly introduce a "more-premium" version of Proxyman, with more advanced features including Map Local, Map Remote, Breakpoint, etc., for developers to manipulate HTTP requests/responses on the fly and debug quickly without any distractions. iOS and Android devices are fully supported.
All of these essential features are still promised to be FREEMIUM and we will be continuing to work our ass off to deliver a native, high-performance macOS application, which simplifies HTTPS debugging for everyone.
We’d like to hear feedback, including bug reports, from the community so please do not hesitate to drop us a message at Github, Twitter, Email for more features requests or give us free coffee.
P/S: Feel free to download Proxyman at https://proxyman.io/ and use our code PROXYMAN_REDDIT_ENJOY_DEBUGGING for 20% discount to help your app live a better life 👏
I recommend you guys give Proxyman (https://proxyman.io) a try. I love Proxyman because it's built exclusively as a macOS app, so the UI is super friendly for new guys like me 😂
It's also able to "Pin" my app or domain like Finder, so there is no distraction like Charles (where flooding flows appear).
Must-have tool in my company, since I can debug on my iPhone quickly