This blog post comes with an accompanying YouTube video where I showcase a demo application and intercept its requests. Watch it here: https://www.youtube.com/watch?v=lRNnt2g4gFA.
You have a flashy HTTP API and everybody wants to talk to it. Great! But with great power comes great risk. All these fuckers could be sending bullshitty strings to your carefully (or rather, not carefully) crafted service. What’s more, some shady hackers could be waiting, licking their lips and drooling all over, to do nasty stuff, such as modifying in-flight requests!
Granted, my understanding is that tampering like this is not possible with encrypted protocols such as HTTPS. But alas, my security team knows better (I guess).
So, in this post and from painful experience, I am going to show you a very cool tool you can use to intercept and modify requests to your APIs, so that you find the insidious vulnerabilities hiding in there before the security guys do.
The tool in question is Charles.
Installation and setup
It’s pretty freaking easy to set up. First, install it following the instructions here: https://www.charlesproxy.com/documentation/installation/. Then just run it!
Capturing web traffic should work out of the box, but you have to configure the tool to allow for SSL capturing (HTTPS). For that, you can follow these instructions: https://www.charlesproxy.com/documentation/proxying/ssl-proxying/. I also show how to do that in the video linked at the beginning of the post.
You should add each hostname for which you want to enable SSL proxying in the configuration.
Configuring web capturing
The only thing to do here is to configure the Mac OS X proxy settings to allow capturing. You can follow these rather concise instructions to do that: https://www.charlesproxy.com/documentation/getting-started/.
For other platforms, it should work out of the box without further configuration.
Configuring your mobile device for capturing
Now, I was more interested in capturing mobile traffic from the emulator running on my machine. The steps are equally easy, if a little bit more involved.
Actually no, it’s dead simple. Basically, it should work out of the box. The documentation says that if you are not seeing your mobile traffic in Charles, you should make sure that Charles is already running before launching your simulator.
Once that’s done, you should be able to start intercepting requests coming from your emulator.
Intercepting requests (AKA Breakpoints)
You can either set breakpoints at the host level or at the request level. For my use case, I wanted to intercept all requests going to my backend, so I activated breakpoints on the host. In the video I show an example of activating breakpoints for a specific request.
To do this, right click on your host and toggle the “Breakpoints” option. Then make a request: execution should pause and a new window should open in Charles where you can do things like aborting or cancelling the request, allowing it through, or, in our case, modifying it before it is sent.
You can select the option to modify the request and then alter the JSON payload.
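What the backend should do about this, as an added example that is not part of the original post: since any field of the JSON payload can be rewritten at a Charles breakpoint, the server has to treat every field as untrusted. The catalogue, field names and sample bodies below are constructed for illustration; the “tampered” bodies are what the original body might look like after being edited in the breakpoint window.

```python
import json

# Constructed samples: the body the app sends, and two edited versions of it.
ORIGINAL_BODY = '{"item_id": "sku-123", "quantity": 2, "unit_price": 9.99}'
PRICE_TAMPERED = '{"item_id": "sku-123", "quantity": 2, "unit_price": 0.01}'
FIELD_TAMPERED = '{"item_id": "sku-123", "quantity": 2, "unit_price": 9.99, "is_admin": true}'

# Hypothetical server-side catalogue: the only source of truth for prices.
CATALOGUE = {"sku-123": 9.99}
ALLOWED_FIELDS = {"item_id", "quantity", "unit_price"}
MAX_QUANTITY = 100


def parse_order(raw_body: str) -> dict:
    """Validate an order body the way the backend should: treat every field as
    attacker-controlled, because anything can be rewritten at the proxy."""
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    # Unknown keys are rejected outright; an injected "is_admin" is a signal, not noise.
    extra = set(data) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    item_id = data.get("item_id")
    quantity = data.get("quantity")
    if not isinstance(item_id, str) or item_id not in CATALOGUE:
        raise ValueError("unknown item")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    # The price is looked up server-side; the client's unit_price never feeds the total.
    server_price = CATALOGUE[item_id]
    return {
        "item_id": item_id,
        "quantity": quantity,
        "total": round(server_price * quantity, 2),
        "client_price_mismatch": data.get("unit_price") != server_price,
    }


def is_accepted(raw_body: str) -> bool:
    try:
        parse_order(raw_body)
        return True
    except ValueError:
        return False
```

The mismatch flag is what you would log or alert on: a client that sends a price different from the catalogue is either a stale app or somebody sitting at a breakpoint.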
So that’s it. I hope you found these instructions clear enough for you to start getting your feet wet with HTTP capturing. If you have any cool tricks for Charles or another tool of choice, don’t hesitate to share them :)