Reading iOS app requests via ssl proxy - ios

I'm trying to use Charles/Burp Suite to read request responses sent from an iOS app to a server. The requests are sent via SSL, so I've enabled an SSL proxy and installed a cert on my iPhone. This seems to work fine. However, the request response and post are still unreadable. Note the response headers are readable, just not the actual message.
Is there a way to make the response readable or is this a result of SSL pinning?

1) You have to add the iOS device certificate (which you have done).
2) You need to add locations to the SSL Proxying table.
From the menu: Proxy--->SSL Proxy Settings...--->SSL Proxying
Click Add.
In the Host box, put the site name to translate (use wildcards if needed). Example: *.mysite.com
Leave the Port blank.
Click OK.
Make sure Enable SSL Proxying is checked, and your host filter is also checked.
Click OK.
Restart Charles.

Related

What does Charles or any man in the middle see when we have implemented SSL pinning between client and server?

What does Charles or any man in the middle see when we have implemented SSL pinning between client and server?
I know a bit about what SSL pinning is and how to implement it on the app and server side.
But I am not clear about how a man in the middle views SSL pinning. What kind of requests does the man in the middle see in this case, and why is it not able to get information from the request?
If pinning is properly implemented, the MITM will see the original TLS ClientHello from your device, which likely includes the target hostname, and it will get from the target server the leaf and chain certificates. After the MITM tries to send its newly created certificate to the client, the client should just close the connection, since the certificate is not the expected one; i.e. no actual application data are transferred, only the metadata.

using IIS self signed cert, but form data is still plain text

I'm pretty new to HTTPS. My project is an MVC web application; I've created a self-signed certificate in IIS, set the website's binding to use that certificate and the SSL settings to 'require SSL', and I can browse the website over https (although it's not verified and has a red x on it).
The part that I don't understand is that when I send a request to the server (a POST request), I can still check the network console and see what parameters were passed.
"I can still check the network console"
I assume that you mean the information about the sent and received data within the browser with "network console". Since the browser is creating and encrypting the data, the browser has access to the clear text before encryption and after decryption and thus can show this information.

Scheme relative URL

There are a lot of questions on SO regarding scheme-relative URLs, but I don't understand what will happen in these scenarios:
1) I am on HTTPS and click on href="//example.com/". example.com doesn't have SSL (it's HTTP only), so the browser will try to open HTTPS://example.com/ (because it wants to match the current scheme); if there is no HTTPS scheme there, will it open HTTP://example.com/?
2) Vice versa, going from HTTP to HTTPS, when the target //example.com/ is only HTTPS. Will the browser open HTTPS if the destination target does not have HTTP?
The browser will try to open the URL using the same scheme it's currently on; if it's currently on HTTPS, it will request the URL with HTTPS and vice versa for HTTP. If the target server does not support that scheme, it will simply fail. In case of a server which only supports HTTPS, that usually means that it enforces HTTPS; if you make an HTTP query to that server it often simply redirects to the HTTPS version of the same page. That's entirely up to the server to do though.
If a server only supports HTTP, that usually means that it doesn't have HTTPS at all. In that case an HTTPS request would simply fail and the browser will display an error message along the lines of "couldn't establish a secure connection/couldn't connect to server".
I have found a way to do this, with some inspiration from the answer on how to link to a different port, as I needed to do both. The way is:
<a href="/vnc.html" onclick="event.target.port = 6080; event.target.protocol = 'https:'">VNC connection</a><br />

How can a client app using HTTPS be tested for protection against a MITMA?

I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identity of the server.
How can a tester testing this feature test that it is now secure? How can they, for example, create a MITM situation and check that the client rejects connections, etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies, etc., or is messing around with a wireless router and having detailed knowledge necessary?
This might be an oversimplification for your situation, but the concepts might help.
A web browser extracts the host name from the embedded certificate and compares it with the host name that we're trying to connect to. If validation fails, we usually see a security warning. For example: we can connect to facebook by either typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose the second option, we get a security warning.
Your program must be using an SSL client socket to connect to the HTTPS server. The socket must have the capability to extract the host name from the embedded certificate. Once you get that, compare it with the valid HOST NAME that your program is trying to connect to. If it matches, let the request proceed; if not, abandon that session.
To re-create a MITM, your web server can use a self-signed certificate that can be issued to whatever host name you want, but the IP of the server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and the actual IP, we can probably simulate the MITM situation.
I'm assuming that the digital certificate can't be forged in this case.
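The check the answer describes (compare the host name in the certificate with the host name you meant to reach) is only half of what a tester should exercise, because an intercepting proxy such as Charles issues its own certificate for the correct host name; what distinguishes the proxy's certificate is that it is not the one the app was built to expect. The added example below (mine, not the asker's or answerer's code) shows both checks side by side on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns: RFC 6125-style host name matching against the DNS SANs, then a SHA-256 pin on the certificate bytes. The certificate dict, the DER stand-ins and the pin set are constructed for the example; real code would take the DER bytes from `getpeercert(binary_form=True)`, and the function names `hostname_matches_cert` and `verify_peer` are mine.

```python
import hashlib
from typing import Iterable, Mapping, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a validated cert.
SERVER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
# Constructed stand-ins for DER bytes: the genuine server cert and one forged by a proxy
# for the same host name (real code: getpeercert(binary_form=True)).
GENUINE_DER = b"constructed-der-bytes-of-the-genuine-server-certificate"
PROXY_DER = b"constructed-der-bytes-of-a-certificate-forged-by-a-proxy"
# Pin set shipped inside the app: SHA-256 over the expected certificate (constructed here).
PINNED_SHA256 = {hashlib.sha256(GENUINE_DER).hexdigest()}


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the entire leftmost label, covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False                      # partial wildcards such as f*.example.com are rejected
    h_labels = hostname.split(".")
    # the wildcard must stand for one label, and at least two labels must follow it
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == pattern[2:]


def hostname_matches_cert(cert: Mapping, hostname: str) -> bool:
    """Compare the name the client intended to reach with the DNS names in the certificate."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        # Legacy fallback to the subject CN only when the cert has no SAN at all.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_label_matches(name, hostname) for name in dns_names)


def verify_peer(cert: Mapping, der_cert: bytes, expected_host: str,
                pinned_sha256: Iterable[str]) -> Optional[str]:
    """Return None when the peer is acceptable, otherwise a short reason and the client must abort."""
    if not hostname_matches_cert(cert, expected_host):
        return "hostname mismatch"
    if hashlib.sha256(der_cert).hexdigest() not in set(pinned_sha256):
        return "certificate pin mismatch"
    return None


if __name__ == "__main__":
    cases = [
        ("www.example.com", GENUINE_DER),   # the real server: accepted
        ("www.example.com", PROXY_DER),     # proxy cert with the right name: pin fails
        ("173.252.100.16", GENUINE_DER),    # connecting by IP: no DNS SAN matches
    ]
    for host, der in cases:
        print(host, "->", verify_peer(SERVER_CERT, der, host, PINNED_SHA256) or "accepted")
```

For the tester, the three cases in the block are the test plan: the genuine certificate passes, a proxy certificate for the correct name (the Charles setup from the first question on this page) fails on the pin, and a connection to the bare IP fails on the host name, which is the same situation the answer simulates with a certificate issued for one name served from 127.0.0.1. On iOS the equivalent checks belong in URLSession's authentication-challenge delegate callback, where the app can inspect the server trust before accepting the connection.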

Does iOS send HTTPS requests through the HTTP proxy?

I am trying to write an HTTP proxy server in node.js, and I have successfully managed to route unsecured HTTP connections through it. But when applications (on my iOS device) use HTTPS for APIs and such, it always throws an error, and the attempted HTTPS connection never hits the server. So there are a few explanations of what could possibly be happening:
iOS chooses not to send HTTPS connections over the proxy for security reasons
iOS is looking for an HTTPS connection at the server on a different port, but can't find one
Basically what I am asking is: What does iOS do with HTTPS connections when an HTTP proxy is configured?
Please ask for any details or further questions in the comments. Thanks.
