[PYTHON] Try to tamper with requests from iphone with Burp Suite

Introduction

Use Burp Suite to tamper with requests from iphone I will leave something like a tutorial memo.

It will be an experiment with iphone and pc connected in the same wifi environment.

Easy procedure summary --Launch flask web application with Docker --Launch proxy with burp suite --Proxy settings on iphone --Try to tamper with

I will do it according to the flow of.

environment

Introduction

Please be prepared to use. I will omit the explanation.

Environment

Since I have posted this experimental web application on github I will bring it.

It will be a suitable web application for flask.

github url https://github.com/yuucu/burp_test

terminal


git clone https://github.com/yuucu/burp_test.git

Web application launch

terminal


cd burp_test
docker-compose up --build

Have your browser access http: // localhost: 5000 and If you can see the bulletin board application (), the launch is successful.

スクリーンショット 2019-12-31 21.03.18.png

Also check the access from the iphone.

Launch another terminal on your pc and check your private IP address with ʻifconfig`.

If you have a mac, you can find a private IP address here as well.

スクリーンショット 2019-12-31 21.09.44.png

When I try to access with ʻip address: 5000 (port number)` with the browser of iphone You should see the screen below.

写真 2019-12-31 21 17 15.jpg

We confirmed the launch of the web application. When you exit, you can stop the server with ctrl -c.

Proxy server settings in Burp Suite

Launch Burp.

Click Proxy-> Options.

スクリーンショット 2020-01-01 20.18.34.png

Select one and click Edit.

スクリーンショット 2020-01-01 20.20.46.png

Select All interfaces and click Ok.

スクリーンショット 2020-01-01 20.22.15.png

If you can confirm the following screen by accessing the previous IP address: 8080 The proxy server is running.

写真 2020-01-02 1 49 58.jpg

iphone proxy settings

Set iphone communication to go through a proxy server.

Tap the info button.

写真 2020-01-02 2 01 16.jpg

Configure proxy.

写真 2020-01-02 2 01 55.jpg

Set the private IP address and port number 8080 of the pc.

写真 2020-01-02 2 02 18.jpg

Save and you're done.

Try to tamper with the request

Make sure the button below is pressed in Burp. When this button is pressed, it is in the mode to stop communication and check the contents with burp.

スクリーンショット 2020-01-02 2.11.05.png

If you access pc's private IP address: 5000 from your iphone in this state It is as follows in burp of pc. Click Forward as you can pass it through.

スクリーンショット 2020-01-02 1.57.47.png

If you can access the web application, try sending a message from your iphone.

Check the contents on the burp side. Since you can check the posted content, try rewriting the value.

Click Params

スクリーンショット 2020-01-02 2.16.21.png

Edit Value.

スクリーンショット 2020-01-02 2.16.35.png

After editing, send a communication with Forward.

スクリーンショット 2020-01-02 2.16.47.png

When I check the screen after sending with iphone, You can see that the tampered message is written instead of the message you sent.

in conclusion

I wrote it in a hurry, so please understand that it may be a little difficult to understand. ..

This time, I tried to tamper with the communication from the iphone, but of course the PC communication can be the same.

If you do it maliciously, you can falsify the score of the game and send it. It is possible to falsify and pass the information of others.

Please limit your experiments to your own environment.

Recommended Posts

Try to tamper with requests from iphone with Burp Suite
Try to factorial with recursion
Create folders from '01' to '12' with python
Try to operate Facebook with Python
Try to extract a character string from an image with Python3
Try to profile with ONNX Runtime
Try to output audio with M5STACK
From "drawing" to "writing" the configuration diagram: Try drawing the AWS configuration diagram with Diagrams
[Python] Try to recognize characters from images with OpenCV and pyocr
Try logging in to qiita with Python
Convert from PDF to CSV with pdfplumber
Try to predict cherry blossoms with xgboost
Try converting to tidy data with pandas
Quickly try to visualize datasets with pandas
Try calling Python from Ruby with thrift
First YDK to try with Cisco IOS-XE
Try to generate an image with aliasing
Try to beautify with Talking Head Anime from a Single Image [python preparation]
Get users belonging to your organization from Garoon REST API with Python + Requests
WEB scraping with python and try to make a word cloud from reviews
Try to make your own AWS-SDK with bash
Try to solve the fizzbuzz problem with Keras
Try to aggregate doujin music data with pandas
Try to solve the man-machine chart with Python
Try to extract Azure document DB document with pydocumentdb
Try to draw a life curve with python
Try to communicate with EV3 and PC! (MQTT)
How to try the friends-of-friends algorithm with pyfof
Try to make a "cryptanalysis" cipher with Python
Try to automatically generate Python documents with Sphinx
Route guidance to iPhone photography location with Pythonista
Asynchronous processing with Arduino (Asynchronous processing of processing requests from Linux)
Try to make a dihedral group with Python
Back up from QNAP to Linux with rsync
From Python environment construction to virtual environment construction with anaconda
Try to make client FTP fastest with Pythonista
Try to detect fish with python + OpenCV2.4 (unfinished)
Try to create a battle record table with matplotlib from the data of "Schedule-kun"
Perform a Twitter search from Python and try to generate sentences with Markov chains.