Use Burp Suite to tamper with requests from iphone I will leave something like a tutorial memo.
It will be an experiment with iphone and pc connected in the same wifi environment.
Easy procedure summary --Launch flask web application with Docker --Launch proxy with burp suite --Proxy settings on iphone --Try to tamper with
I will do it according to the flow of.
Please be prepared to use. I will omit the explanation.
Since I have posted this experimental web application on github I will bring it.
It will be a suitable web application for flask.
github url https://github.com/yuucu/burp_test
terminal
git clone https://github.com/yuucu/burp_test.git
terminal
cd burp_test
docker-compose up --build
Have your browser access http: // localhost: 5000
and
If you can see the bulletin board application (), the launch is successful.
Also check the access from the iphone.
Launch another terminal on your pc and check your private IP address with ʻifconfig`.
If you have a mac, you can find a private IP address here as well.
When I try to access with ʻip address: 5000 (port number)` with the browser of iphone You should see the screen below.
We confirmed the launch of the web application. When you exit, you can stop the server with ctrl -c.
Launch Burp.
Click Proxy-> Options.
Select one and click Edit.
Select All interfaces and click Ok.
If you can confirm the following screen by accessing the previous IP address: 8080 The proxy server is running.
Set iphone communication to go through a proxy server.
Tap the info button.
Configure proxy.
Set the private IP address and port number 8080 of the pc.
Save and you're done.
Make sure the button below is pressed in Burp. When this button is pressed, it is in the mode to stop communication and check the contents with burp.
If you access pc's private IP address: 5000
from your iphone in this state
It is as follows in burp of pc.
Click Forward
as you can pass it through.
If you can access the web application, try sending a message from your iphone.
Check the contents on the burp side. Since you can check the posted content, try rewriting the value.
Click Params
Edit Value
.
After editing, send a communication with Forward
.
When I check the screen after sending with iphone, You can see that the tampered message is written instead of the message you sent.
I wrote it in a hurry, so please understand that it may be a little difficult to understand. ..
This time, I tried to tamper with the communication from the iphone, but of course the PC communication can be the same.
If you do it maliciously, you can falsify the score of the game and send it. It is possible to falsify and pass the information of others.
Please limit your experiments to your own environment.
Recommended Posts