Saturday, 7 March 2015

Inspecting HTTP traffic using OWASP Zed Attack Proxy tool



Whether I am developing or debugging a mobile application for Android or iOS that has some networking functionality, I often want to inspect its HTTP traffic. Even in web development there may be a need to intercept and modify HTTP requests.

There are a number of tools available to intercept HTTP/HTTPS traffic. One of the most popular and best documented is probably Fiddler; that is what I used on Windows.
If you are on a Mac, you have to run Fiddler in a virtual machine or use an alternative tool.

This post is about the second option, specifically the OWASP Zed Attack Proxy (ZAP): a free, open source penetration testing tool for finding vulnerabilities in web applications that is easy to install and use.

This tool provides a lot of functionality; here I am only going to cover how to configure and use it as an intercepting proxy on a Mac. I also include the steps to configure Android and iPhone devices so that their HTTP traffic can be intercepted. The ZAP documentation already explains how to configure your web browser’s proxy, so I am not going to repeat that.

ZAP

First, download and install ZAP, then open it. We have to generate the SSL certificate which we are going to install on our mobile device (or in the web browser); this is a root CA certificate that ZAP uses to sign the per-site certificates it presents, so any device that trusts it will accept ZAP's interception of HTTPS.
Go to Tools -> Options -> Dynamic SSL Certificates. Press the “Generate” button and then press “Save” to save the generated cert file to your hard drive.

We also need to set the address and port on which ZAP will accept incoming connections. Go to Tools -> Options -> Local Proxy.
Set the address to the IP address of your Mac (the devices must be able to reach it over the network) and the port to, let’s say, 8080. Note that binding to the Mac's network address makes the proxy reachable by any host on that network, so do this only on a network you trust.

ZAP is configured now.

Android

In order to use an Android device with ZAP, we have to install the generated SSL certificate (see the previous step) on our device. I assume we are going to use Android v.4.x+. (Android 7 and later ignore user-installed CAs for apps targeting API level 24 or higher unless the app's network security configuration opts in, so on newer devices this works out of the box mainly for apps with older targets.)
  • Copy the cert to your device (the Android File Transfer app for Mac can do this).
  • Go to Settings > Security > Install from device storage and select the copied cert (installing the cert requires a password/PIN screen lock to be enabled).

Now enable a proxy for your Wi-Fi connection and enter the same IP address and port on which ZAP is listening (i.e. the values from ZAP’s Local Proxy settings).

iOS

Using an iPhone or iPad requires installing the SSL certificate as well.
  • Install Apple Configurator on your Mac from the App Store and connect your iPhone.
  • In the Apple Configurator app open Prepare/Settings and press Install Profiles.

  • On the Choose or create a profile screen press New… and enter the name of the profile in the General tab.

  • Then go to Certificates and add the generated cert.

  • Press Save, then select the newly created profile and install it on the device by following the wizard.

Then enable a proxy for your Wi-Fi connection, as we did for Android.

Now you should be able to see all of the requests a mobile or web app makes and all of the responses it receives.
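To confirm the setup from the Mac side before trusting the certificate on a phone, here is an added shell example; it is not part of the original post and not ZAP's own tooling. It assumes the certificate saved from the Dynamic SSL Certificates dialog is at the path you pass in (PEM or DER), that ZAP is listening on the host and port from its Local Proxy settings, and that curl and openssl are installed. `show_zap_ca` prints the certificate's subject, issuer, validity, SHA-256 fingerprint and Basic Constraints so you can compare them with what the device displays under its trusted credentials after installation; `check_via_zap` sends one request through the proxy while trusting only the ZAP certificate, which is the right way to test (rather than disabling verification with `curl -k`) because a verified response proves both that the proxy is in the path and that the file you are about to install is the one ZAP actually signs with.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a ZAP intercepting-proxy
# setup from the Mac before trusting the certificate on a phone.
# Assumptions: the cert saved from Tools -> Options -> Dynamic SSL Certificates
# is at the path you pass in (PEM or DER), ZAP listens on the host:port from
# its Local Proxy settings, and curl and openssl are on the PATH.

# Show subject, issuer, validity, SHA-256 fingerprint and Basic Constraints of
# the saved ZAP root certificate. Compare the fingerprint with the one the
# device displays after installation so you know you trusted the right CA.
# Exit status: 0 ok, 2 file missing, 3 file is not an X.509 certificate.
show_zap_ca() {
    cert="$1"
    [ -r "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    # ZAP may have saved the cert as PEM or DER; detect which one parses.
    if openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        inform=PEM
    elif openssl x509 -in "$cert" -inform DER -noout >/dev/null 2>&1; then
        inform=DER
    else
        echo "not an X.509 certificate: $cert" >&2
        return 3
    fi
    openssl x509 -in "$cert" -inform "$inform" -noout \
        -subject -issuer -dates -sha256 -fingerprint
    # A proxy CA must carry CA:TRUE, or the device will not accept the
    # per-site certificates ZAP signs with it.
    openssl x509 -in "$cert" -inform "$inform" -noout -text \
        | grep -A1 'Basic Constraints' \
        || echo "warning: no Basic Constraints extension found" >&2
}

# Send one request through ZAP while trusting ONLY the ZAP root certificate.
# Do not reach for curl -k / --insecure here: a request that verifies against
# the ZAP cert proves both that the proxy is in the path and that the file you
# are about to install on the device is the one ZAP actually signs with.
# Prints the HTTP status and the proxy's CONNECT status; exit status is 2 if
# the cert file is missing, otherwise curl's own exit status (0 on success).
check_via_zap() {
    host="$1"; port="$2"; cert="$3"; url="$4"
    [ -r "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    curl --silent --show-error --max-time 10 \
         --proxy "http://$host:$port" --cacert "$cert" \
         --output /dev/null \
         --write-out 'HTTP %{http_code}, proxy CONNECT %{http_connect}\n' \
         "$url"
}

# Usage: sh zap_check.sh <mac-ip> <port> <path/to/zap_root_ca.cer> <https-url>
if [ "$#" -eq 4 ]; then
    show_zap_ca "$3" && check_via_zap "$1" "$2" "$3" "$4"
fi
```

curl expects the `--cacert` file to be PEM; if ZAP saved the certificate as DER, convert it first with `openssl x509 -inform DER -in zap_root_ca.cer -out zap_root_ca.pem`. A successful run shows the proxy answering the CONNECT with 200 followed by the site's own status code, and the request then appears in ZAP's History tab. A certificate verification error from curl means either that the traffic is not passing through ZAP or that the saved file is not the certificate ZAP is currently using, and the same mismatch is what produces TLS errors on the phone.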

You can also set break points, which let you change requests and responses on the fly.

That's it!

9 comments:

  1. Nice blogs.
    Route Guide Services
    SMS Route Guide ACT Gen7 Or Act Gen10 Or ACT Gen30 Unsub Or Stop Or Deact, Rs.30/30 Days Or Rs 10/10 days Or Rs7/7 days.

  2. Usually I do not read posts on blogs, but I would like to say that this write-up very much forced me to try and do it! Your writing style has surprised me. Great work admin. Keep updating more blogs.
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

  3. You have provided a nice article, thank you very much for this one. And I hope this will be useful for many people.. and I am waiting for your next post, keep on updating these kinds of knowledgeable things...

    Android App Development Company

  4. This article is very much helpful and I hope this will be useful information for those who need it. Keep on updating these kinds of informative things...
    iOS App Development Company

  5. This article is very helpful, thanks.

  6. These ways are very simple and very much useful; as a beginner these helped me a lot, thanks for sharing these kinds of useful and knowledgeable information.
    Fitness SMS
    Fitness Text
    Salon SMS
    Salon Text
    Investor Relation SMS
    Investor Relation Text

  7. Great and nice blog, thanks for sharing.. I just want to say that all the information you have given here is awesome... Thank you very much for this one.
    web design Company
    web development Company
    web design Company in chennai
    web development Company in chennai
    web design Company in India
    web development Company in India

  8. This comment has been removed by the author.

  9. Please check the link below to learn how to intercept an Android app using ZAP:

    https://security-testing1.blogspot.in/2017/08/how-to-intercept-android-app-using-zap.html