[DOCKER] Try to tamper with requests from iphone with Burp Suite

Introduction

Use Burp Suite to tamper with requests from iphone I will leave something like a tutorial memo.

It will be an experiment with iphone and pc connected in the same wifi environment.

• This is just an experiment in your own environment.
• Since the file is left on github, you can experiment in the same environment, please do it at your own risk m (_ _) m

Easy procedure summary --Launch flask web application with Docker --Launch proxy with burp suite --Proxy settings on iphone --Try to tamper with

I will do it according to the flow of.

environment

• macOS High Sierra 10.13.6
• Burp Suite Community Edition 2.1.04

Introduction

• burp suite
• docker

Please be prepared to use. I will omit the explanation.

Environment

Since I have posted this experimental web application on github I will bring it.

It will be a suitable web application for flask.

github url https://github.com/yuucu/burp_test

terminal

git clone https://github.com/yuucu/burp_test.git

Web application launch

terminal

cd burp_test
docker-compose up --build

Have your browser access http: // localhost: 5000 and If you can see the bulletin board application (), the launch is successful.

Also check the access from the iphone.

• Access is not possible unless the pc and iphone are in the same network.

Launch another terminal on your pc and check your private IP address with ʻifconfig`.

If you have a mac, you can find a private IP address here as well.

When I try to access with ʻip address: 5000 (port number)` with the browser of iphone You should see the screen below.

We confirmed the launch of the web application. When you exit, you can stop the server with ctrl -c.

Proxy server settings in Burp Suite

Launch Burp.

Click Proxy-> Options.

Select one and click Edit.

Select All interfaces and click Ok.

If you can confirm the following screen by accessing the previous IP address: 8080 The proxy server is running.

iphone proxy settings

Set iphone communication to go through a proxy server.

Tap the info button.

Configure proxy.

Set the private IP address and port number 8080 of the pc.

Save and you're done.

Try to tamper with the request

Make sure the button below is pressed in Burp. When this button is pressed, it is in the mode to stop communication and check the contents with burp.

If you access pc's private IP address: 5000 from your iphone in this state It is as follows in burp of pc. Click Forward as you can pass it through.

If you can access the web application, try sending a message from your iphone.

Check the contents on the burp side. Since you can check the posted content, try rewriting the value.

Click Params

Edit Value.

After editing, send a communication with Forward.

When I check the screen after sending with iphone, You can see that the tampered message is written instead of the message you sent.

in conclusion

I wrote it in a hurry, so please understand that it may be a little difficult to understand. ..

This time, I tried to tamper with the communication from the iphone, but of course the PC communication can be the same.

If you do it maliciously, you can falsify the score of the game and send it. It is possible to falsify and pass the information of others.

Please limit your experiments to your own environment.

• Please do not forget to turn off the proxy configuration of iphone after the experiment.