How to Hack APIs (responsibly)


Hi!

Today I want to share a security research workflow.

Disclaimer: I am not a security expert. Disclaimer II: Every story and example shown here was produced either:

  1. With prior consent
  2. On my own systems
  3. As part of a VDP (vulnerability disclosure program)

The WHAT

For the next magic trick you’re going to need:

  - A browser
  - A proxy
  - A pair of eyes

Easy, right?

I’m assuming most readers have at least two of the three, but have never made them work together to get insight into how their browser interacts with the internet.

The process is simple: you configure the browser to route everything through a proxy (exact tools follow below), including encrypted traffic, for which the browser must trust the proxy’s certificate. You set the proxy to intercept and hold every request and every response for inspection, and you, the traffic warden, decide whether each one is dropped or forwarded on to the client or the server.

This setup alone gives you a solid understanding of which systems the browser is speaking to, and what reports, metrics, analytics and ads flow in and out during ordinary browser use.

“But what has this got to do with hacking?”

Well, everything!

In 2021 (remember Covid?), I found a vulnerability in one of the airport systems that charged for Covid tests. The “hack” was simple: I captured incoming and outgoing requests from the payment system, only to find that the entity deciding how much the user pays was, well, the user… Yep, the number sent from the client to the backend was what was eventually sent on as the price to pay. I wrote more about it here.

You won’t believe how many systems have this specific bug, even though it is a relatively simple one.

When you start seriously monitoring incoming and outgoing requests to a system, you’ll discover many, many more similar mistakes. A famous one is a JSON field that sets the role of the user interacting with the API; changing it from user to admin is all it takes to tell the system you’re its administrator.

Another one I’ve seen recently is an object returned to the client in which the backend tells the client whether they have to enter credit card details in order to book an appointment; simply catching the request on the fly and changing true to false was all it took to bypass the feature.
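All three stories are the same mistake: the server trusts a value that the client is free to rewrite in the proxy. The following is an added example, not code from the original post; it shows a constructed checkout handler written both ways, with `CATALOGUE`, `SESSIONS` and the tampered request being made-up sample data.

```python
import json

# Constructed sample data: catalogue prices in cents and a server-side session store.
CATALOGUE = {"covid-test-pcr": 12000, "covid-test-antigen": 4500}
SESSIONS = {"sess-1": {"user": "alice", "role": "user", "has_card_on_file": False}}


def vulnerable_checkout(session_id: str, body: str) -> dict:
    """The bug class from the stories: price, role and the card gate all come from the client."""
    req = json.loads(body)
    return {
        "charged_cents": req["price"],                    # client decides the price
        "is_admin": req.get("role") == "admin",           # client decides its role
        "card_required": req.get("requires_card", True),  # client decides the gate
    }


def hardened_checkout(session_id: str, body: str) -> dict:
    """Uses the client request only to identify WHAT is being bought; everything else is server-side."""
    req = json.loads(body)
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("unknown session")
    item = req.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    # Any price/role/requires_card fields the client added are simply ignored.
    return {
        "charged_cents": CATALOGUE[item],                 # price from the catalogue
        "is_admin": session["role"] == "admin",           # role from the session
        "card_required": not session["has_card_on_file"], # gate from server-side state
    }


# A request as it might look after being edited in the proxy (constructed sample).
TAMPERED = json.dumps({"item": "covid-test-pcr", "price": 1,
                       "role": "admin", "requires_card": False})

if __name__ == "__main__":
    print("vulnerable:", vulnerable_checkout("sess-1", TAMPERED))
    print("hardened:  ", hardened_checkout("sess-1", TAMPERED))
```

The hardened version still accepts the same JSON; it just stops reading the fields that should never have been the client's to decide.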


The HOW

Enough stories, let’s see how it’s done:

  1. Any browser with a proxy plugin will do. I run Firefox with FoxyProxy.
  2. The proxy I use is PortSwigger’s Burp. It is an amazing security research tool with a ton of plugins, and additional premium features if you’re into that kind of thing.
  3. To have Firefox trust Burp for HTTPS traffic, download Burp’s certificate and install it in Firefox; here are the instructions to do that.
  4. Then open the Proxy tab in Burp and make sure there are rules for request interception as well as response interception (response interception is not enabled by default).
  5. That’s it. Go back to the Proxy tab and, under Intercept, make sure “Intercept is on”.
  6. Start working against your own API; if you don’t have anything to test on, you may find this repo useful.
  7. Monitor incoming and outgoing traffic. Focus only on the requests that interact with the domain you’re targeting and drop the rest. Look for the numbers you can manipulate and the booleans that can be changed, and see whether you find any gems…

Thank you for reading!

If you found any issues / mistakes, or just want to share feedback or your own stories, feel free to respond to this email!

ESPRESSO FRIDAYS

Every once in a while I send hand picked things I've learned. Kind of like your filter to the tech internet. No spam, I promise!
