Trace HTTPS Web API calls from iPhone App - iphone

I am working with an iPhone application which interacts with a Web API. Since the endpoints are HTTPS, the data communicated between the device and the Web API is supposed to be encrypted.
I need to find every endpoint and the data that is communicated (headers, body content) for each business scenario and for negative-testing flows.
Since the transmitted data is encrypted, I was unable to trace it with Fiddler, which I tried while referring to several online tutorials.
(The reason I need this is that I have been assigned to make an API automation tool to simulate all the testing scenarios (happy path, negative test cases, etc.).)
Is there any better approach I can take to trace these API calls?
Or is there a tool I can try for tracing the Web API calls that are sent and received by the iPhone?
TIA

Managed to get the certificates for the HTTPS endpoints and added them to the Certificate Manager (on a Windows PC). Afterwards, configured the proxy ports with the Fiddler echo service from the mobile device and was able to trace the HTTPS calls.
By installing the certificates, intercepting the HTTPS traffic is possible.

Related

REST API with Single Page Application over HTTPS on Firefox only

I am developing a web service using REST API. This REST API is running on port 6443 for HTTPS. Client is going to be a Single page application running on port 443 for HTTPS on same machine. The problem I am facing is:
When I hit a URL, say https://mymachine.com/new_ui, I get a certificate exception for an invalid certificate because I use a self-signed one, so mymachine.com:443 gets added as a server exception. But requests still don't go to the REST API, as it is running on https://mymachine.com:6443/restservice. If I manually add mymachine.com:6443 as a server exception in Firefox it works, but that will not be the case in production for customers.
Some options that I thought of are:
1. Give another pop-up and ask to add the REST server on port 6443 as an exception too. But this doesn't look proper, as why should an end user accept the cert for the same domain twice? Also, the REST API server port can change.
2. Can we programmatically add an exception for the domain and both the ports in one shot? Of course with the consent of the user.
3. Use a reverse proxy. But then it's going to have a memory footprint on our system. Also it will be time consuming.
Please suggest some options. How do I deal with it? Thank you

Circumventing web security limitations between two sites on the same server

I'm using Eclipse to develop an app that consists of an Angular 2 front end and a Java REST back end.
For the front end, I'm using the Angular CLI plugin, which starts the app by issuing an ng serve command to the CLI. This command sets up an http server on port 4200.
For the back end, I'm using an in-company framework that launches in Jetty within Eclipse in port 8088.
While both these ports are configurable, by nature of the frameworks and plugins in use, they'll always be distinct.
Authentication works via an OAuth2 service that is also deployed to port 8088, as part of the framework. This service sets a cookie which certifies the browser session as authenticated. I have verified that this service works correctly by testing it against a Swagger instance of the REST API (also running in 8088 as part of the same framework).
The problem is that when the browser is aimed at the Angular 2 app on :4200, its internal REST API requests to :8088 aren't carrying the authentication cookie. Presumably, this is because of cross-site protection.
Is there any way for the app or the framework to tell the browser that these two "sites" are actually part of the same system?
Alternatively, if I have to configure the dev browser (Chrome) to work, I can live with that too. However, I've tried the --disable-web-security --user-data-dir recommendation, but the cookie still doesn't show up on the requests.
Lastly, I have Apache installed on the dev machine. If I can set up appropriate vhosts and use it as a proxy so that the browser thinks it's all the same, that would probably work too. It would just be a matter of intercepting all /swagger and /api requests and sending them to :8088, and forwarding all other requests to :4200. However, I've been banging my head against mod_rewrite and mod_proxy and haven't been able to come up with anything that works.
I think what you're looking for is
withCredentials = true
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
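What `withCredentials` needs from the :8088 back end, as an added example that is not part of the original answer: for a credentialed cross-origin request the browser exposes the response only when `Access-Control-Allow-Origin` names the exact requesting origin (not `*`) and `Access-Control-Allow-Credentials` is `true`. The `localhost` hostnames, the `/api/items` path and the function names are assumptions.

```javascript
// Added example. Hostnames are assumed; the ports come from the question.
const APP_ORIGIN = "http://localhost:4200";     // Angular CLI dev server
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);  // back-end allow-list (hypothetical)

// Client side (browser only), as suggested in the answer; the path is hypothetical:
//   const xhr = new XMLHttpRequest();
//   xhr.open("GET", "http://localhost:8088/api/items");
//   xhr.withCredentials = true;   // attach the session cookie cross-origin
//   xhr.send();

// Back-end side: CORS headers to attach to a response for a given Origin header.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return {}; // unknown origin: no CORS grant
  return {
    "Access-Control-Allow-Origin": origin,        // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                             // keep caches from mixing origins
  };
}

// Browser-side rule for a credentialed request: would the page see the response?
function credentialedResponseAllowed(requestOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();        // header names are case-insensitive
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  if (allowOrigin === "*") return { allowed: false, reason: "wildcard with credentials" };
  if (allowOrigin !== requestOrigin) return { allowed: false, reason: "origin mismatch" };
  if (h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials not true" };
  }
  return { allowed: true, reason: "ok" };
}
```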

Fiddler Not capturing web.whatsapp.com

I am creating a screen scraping application which uses web WhatsApp. I want to know how the messages are being posted. I installed Fiddler, enabled HTTPS and tweaked the certificate settings in it. I am unable to get any traffic from web.whatsapp.com, but Fiddler is able to capture requests and responses of other websites (http, https). Please help.

HTTPS for local IP address

I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve its REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward them to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wild-card certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
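The hostname pattern from the question, worked through in both directions as an added example (not code from the original post): the web app turns a gadget's local IP into an origin under the wildcard zone, and the DNS side turns a queried name back into an address. Answering only for RFC 1918 addresses is an assumption made here, as are the function names; `mydomain.com` is the question's sample zone.

```javascript
// Added example; ZONE is the sample zone name used in the question.
const ZONE = "mydomain.com";

// Parse a strict dotted-quad; returns four octets or null.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  // Reject octets above 255 and leading zeros ("01") so each IP has one spelling.
  const ok = octets.every((o, i) => o <= 255 && String(o) === m[i + 1]);
  return ok ? octets : null;
}

// RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
function isPrivate([a, b]) {
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Web-app side: local IP -> HTTPS origin under the wildcard zone, or null.
function originForGadget(ip, zone = ZONE) {
  const octets = parseIPv4(ip);
  if (!octets || !isPrivate(octets)) return null;
  return `https://${octets.join("-")}.${zone}`;
}

// DNS side: query name -> A record value, or null (no answer for this name).
function addressForName(name, zone = ZONE) {
  const host = name.toLowerCase().replace(/\.$/, ""); // DNS names are case-insensitive
  const suffix = "." + zone;
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  if (label.includes(".")) return null; // *.zone certificates cover one label only
  const octets = parseIPv4(label.replace(/-/g, "."));
  // Refuse public addresses so the zone only ever points at private hosts.
  return octets && isPrivate(octets) ? octets.join(".") : null;
}
```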
While this is a pretty old question, it is still nothing that you find out-of-the-box solutions for today.
Just as #Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, that can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On your local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have an HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, a simple solution would be to proxy all the requests to the device through your web server. This way even self-signed certs for the devices won't be a problem. The only problem though is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (Chrome) to send the API request to the IoT device, but then the dependency on the app/plugin will be clumsy.

Consuming a WCF Service with Monotouch via SSL (https) + basicHttpBinding

I'm currently writing an iPhone app which will consume WCF services over a secure connection (SSL/https). I have managed to consume this service while testing locally via http.
Now we want to make sure the service is secure, so we've set up a UAT server with a properly signed certificate to run our tests.
We are using a custom binding, coupled with security mode TransportWithMessageCredentials which requires a username/password in the ClientCredentials property.
Generated the proxy using SISvcUtil.exe
When I try to call this secure service from the iPhone, I get a rather lovely generic error of:
Exception in async operation: System.Net.WebException: There was an error on processing web request: Status code 500(internal server error)
(Here is a pastebin of full exception ).
I've tried implicitly accepting the certificate using:
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, ssl) => true;
but this just returns the same 500 error.
The same code works great on a windows machine but not on the iphone. Has anyone else come across this problem and/or know of a solution to it?
This could be a bug in MonoTouch; it may not have a full implementation of the generated proxy using SISvcUtil.exe. Did you try generating a Mac app and testing it on a Mac?
Does MonoTouch have any documented example with support for a WCF proxy? If they don't have one then it probably may not work; MonoTouch does not provide a .NET runtime, instead it actually compiles everything to a native iOS binary. So if the WCF proxy is not correctly transformed, it will not work.
So it would seem that at the time of writing, Monotouch doesn't support WCF very well (it currently has a barebones implementation).
Due to this, and the need for decent security around our webservice, we've decided to go down a different route: validating the user via username+password over a secure, encrypted SSL connection every time the web service is called. We use Silverlight 3.0 SiSUtil.exe to generate the bindings for the webservice rather than include it as a web reference in the project.
Generally when getting Internal Server errors I've found the cause to be a problem with the HTTP headers being sent in the request. I don't really use WCF on MonoTouch so I'm not sure about the implementation.