Tutorials/MITM/HTTPS API
API Finding strategies
- Check: https://github.com/ubahnverleih/WoBike
- Sniff official app communication with BURPSUITE
- Sniff aggregator app communication with BURPSUITE
- Google public transport open data schemes for a city
- Decompile official app to find api key
- Decompile aggregator apps for api key
SCOUTING API'S WITH 'BURPSUITE'
Most apps are just wrappers to a web browser. Contents are loaded using the same requests a normal browser on your PC would do, like get a list of scooters/devices in your location etc. Nowadays most websites deploy SSL certificate encryption to encode the requests and replies rendering the communication between your app and the server into gibberish when trying to listening to it...To listen to it, you have to put yourself in between the companies server (henceforth:server) and your mobile device (henceforth: client) listening to https POST and GET requests AND decrypt the messages. To decrypt the messages you need SSL CERTIFICATES. If you have the certificate you can decrypt the encrypted information:
LINUX + IOS 12.4.4
Install burpsuite
Configure it for ios
https://portswigger.net/support/configuring-an-ios-device-to-work-with-burp
Install certificate on iOS Device
https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-ios-device
# click certificate link in the top right corner, press allow
# go to settings > profile downloaded > install (top right corner)
# enter your pass code
# press install again
# press install again
# press done
additionally:
# On iOS go to: General -> About -> Certificate Trust Settings and Enable Full Trust for the Portswigger CA root cert that you just installed.
Test if it works by visiting any https site. If you get an error message about insecure pages, regenerate the certificate.
Now open the app of interest, and in Burpsuite Intercept tab click 'forward' to let the
requests trough (or disable interception). The forward button allows you to pause at each request, making it far more convenient to see what is going on in contrary to the avalange of data generated through for example Wireshark. If you wait to long with pressing 'forward' the request might time out.
PROTIP: sniff 'sharing aggregator' apps that show sharing devices of multiple providers. These often use special unexpiring/unlimited API keys ;)
To review your http(s) request journey, just select the 'HTTP history' tab to explore all requests in plain text. This history, as well as the setting are not saved in the free version of Burpsuit, nor can you export this data in bulk.
Copy to CURL
If you have found an interesting HTTP request, let say, to flash a vehicles lights, you can easily copy the command for replay in CURL by right clicking the request in question and selecting the 'Copy as Curl command' from the contextual menu. Note: most commands rely on a personal API key with an additional time- an rate-limited Authorization code.
Troubleshooting (iOS 12.4.4)
If you get TLS error and can't connect to any HTTPS websites you need to reinstall the burpsuite certificate. On iOS open Settings and then select General. Select 'Profile' and delete the Poortswagger Root Certificate. Tap Delete Profile and enter your device password. Tap Delete again to confirm. Now, with burpsuite still running and your iOS device connected to your network and burpsuite proxy, open Safari and naviagte to http://burpsuit and click the tiny 'CA Certificate' link in the top right corner to re-install the certificate.
Mitigation =
Most Apps (lime?) now use Certificate pinning, preventing you to sniff the unencrypted data through the Burpsuite Certificate. There seem to be various rather tedious workarounds, for example: https://github.com/Fuzion24/JustTrustMe/ and https://github.com/ubahnverleih/WoBike/issues/58