Using OWASP ZAP with iOS


Introduction

In this post I’m going to go through how to intercept HTTP and HTTPS traffic from an iOS device using OWASP ZAP. I have found this to be very handy when debugging web and iOS applications from the device. The version of ZAP that I am using is 2.4.3 and iOS is 9.3.

OWASP ZAP

Set up HTTP Proxy

First, open the local proxy settings in ZAP and set the IP address and port that you want ZAP to listen on. The address has to be one the iOS device can reach over the Wi-Fi network, not just localhost.

OWASP ZAP local proxy settings

To route the iOS device's traffic through ZAP, change the HTTP proxy settings of the Wi-Fi network the device is connected to.

iOS HTTP proxy

Select Manual, and enter the IP address and port number that ZAP is listening on.

Intercepting traffic

Now that the proxy is up and running, navigate to a website (example.com) from Safari.

zap iOS example

Over in ZAP you can see the history of your requests.

zap interception

From the Tools menu you can set ZAP to break on requests and to break on responses. This halts the traffic to and from the browser so you can inspect it before letting it continue.

Request

zap request

Response

zap response

Changing Request/Response

Viewing the traffic is nice; manipulating it is even better. With the response held at the break point, change the heading from Example Domain to HACKED domain.

edit response

View the manipulated result on the device.

zap iOS example hacked
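What ZAP's break editor does for you in that step is a body edit plus the framing bookkeeping that keeps the response parseable. The following added example (my own code, not from the original post or from the ZAP project) performs the same edit on a constructed sample response: it replaces the heading, recomputes Content-Length, and, where the server gzip-compressed the body, decompresses before editing and recompresses afterwards. The sample body and headers are constructed, not a capture from example.com.

```python
"""Rewrite the body of a captured HTTP/1.1 response and keep its framing
headers consistent (added example; not code from the original post)."""
import gzip
from typing import List, Optional, Tuple

# Constructed sample body, standing in for the page example.com serves.
SAMPLE_BODY = b"<html><body><h1>Example Domain</h1><p>For use.</p></body></html>"

Header = Tuple[bytes, bytes]


def make_response(body: bytes, content_encoding: Optional[bytes] = None) -> bytes:
    """Build a minimal HTTP/1.1 200 response around `body` (constructed, not a capture)."""
    if content_encoding == b"gzip":
        body = gzip.compress(body)
    head = [b"HTTP/1.1 200 OK", b"Content-Type: text/html; charset=UTF-8"]
    if content_encoding is not None:
        head.append(b"Content-Encoding: " + content_encoding)
    head.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(head) + b"\r\n\r\n" + body


def split_response(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw response into status line, (name, value) headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers: List[Header], name: bytes) -> Optional[bytes]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def decoded_body(raw: bytes) -> bytes:
    """Body as the browser will render it: gunzipped if Content-Encoding says so."""
    _, headers, body = split_response(raw)
    if get_header(headers, b"Content-Encoding") == b"gzip":
        return gzip.decompress(body)
    return body


def rewrite_body(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` in the body and fix Content-Length to match.

    A stale Content-Length is the classic mistake when editing responses by hand:
    too large and the client waits for bytes that never arrive, too small and the
    tail of the page is cut off (or read as the start of the next response).
    """
    status, headers, body = split_response(raw)
    if get_header(headers, b"Transfer-Encoding") is not None:
        raise ValueError("chunked bodies must be de-chunked before editing")
    encoding = get_header(headers, b"Content-Encoding")
    if encoding == b"gzip":
        body = gzip.decompress(body)  # edit the plaintext, not the compressed bytes
    elif encoding is not None:
        raise ValueError("unsupported Content-Encoding: %r" % encoding)
    body = body.replace(old, new)
    if encoding == b"gzip":
        body = gzip.compress(body)  # re-encode so the header still tells the truth
    fixed = []
    for name, value in headers:
        if name.lower() == b"content-length":
            value = str(len(body)).encode()
        fixed.append((name, value))
    head = b"\r\n".join([status] + [n + b": " + v for n, v in fixed])
    return head + b"\r\n\r\n" + body


if __name__ == "__main__":
    original = make_response(SAMPLE_BODY)
    edited = rewrite_body(original, b"Example Domain", b"HACKED domain")
    print(original.decode())
    print("---")
    print(edited.decode())
```

Running the module prints the constructed response before and after the edit; the Content-Length drops from 64 to 63 because the new heading is one byte shorter, which is exactly the header you would otherwise forget to touch.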

Dealing with encrypted traffic

Installing the root CA

To intercept traffic on an encrypted link we must install ZAP's root certificate as a trusted CA on the device. ZAP terminates the TLS connection from the device with a certificate it generates and signs with that CA, and opens its own connection to the real server, so it can decrypt and re-encrypt the traffic as it passes through.

Under the Tools -> Options… menu item we can find the Dynamic SSL Certificates section. From there we can generate and save the certificate to disk.

root CA

I have found the easiest way to transfer the certificate to the iOS device is to email it to an account you have on the device.

email root CA

zap iOS email

To install the certificate, touch the owasp_zap_root_ca.cer file. This will bring up the profile installer.

zap iOS install

Press Install.

zap iOS warning

Press Install.

zap iOS installed

Viewing Encrypted Traffic

Viewing the encrypted traffic is just like viewing the cleartext traffic earlier. This time point your browser at an HTTPS site and then view the request and the response.

Request

view encrypted traffic request

Response

view encrypted traffic response

And Applications

Up until now we have been looking at traffic generated via Safari. You can also look at traffic sent by applications. Below is an example of traffic between the FitBit app and its server.

view encrypted application traffic
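Two checks a practitioner wants around the root CA step and the application section. First, before pressing Install, confirm that the .cer that arrived by email is the one ZAP exported by comparing its SHA-256 fingerprint with the one the device shows in the certificate details. Second, application traffic is only visible through ZAP because the app trusts the device's certificate store; an app that pins its server certificate rejects the ZAP-minted leaf even though the device trusts the ZAP CA, which is the standard mitigation against exactly this kind of interception. The following added example (my own code, not from the original post or from the ZAP or FitBit projects) does both: it fingerprints a .cer file whether it is DER or PEM, and it shows a pinning check that tunnels through an HTTP proxy with CONNECT the way the device does. The proxy address 127.0.0.1:8080 and the pin value in the usage section are placeholders; the bytes used as a certificate in the self-test are constructed and are not a real certificate.

```python
"""Fingerprint the ZAP root CA and show how an app that pins its server certificate
detects a ZAP-in-the-middle (added example; not code from the original post)."""
import base64
import hashlib
import socket
import ssl
from typing import Iterable, Optional, Tuple

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def load_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file that is either raw DER or PEM-armoured."""
    if PEM_BEGIN in data:
        inner = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(inner.split()))
    return data


def to_pem(der: bytes) -> bytes:
    """PEM-armour DER bytes (used to build inputs for the self-test)."""
    return PEM_BEGIN + b"\n" + base64.encodebytes(der) + PEM_END + b"\n"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certificate viewers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_file(path: str) -> str:
    """Fingerprint of an exported CA file such as owasp_zap_root_ca.cer."""
    with open(path, "rb") as f:
        return sha256_fingerprint(load_der(f.read()))


def pin_matches(leaf_der: bytes, pins: Iterable[str]) -> bool:
    """True when the presented certificate is one the app was shipped trusting."""
    wanted = {p.upper() for p in pins}
    return sha256_fingerprint(leaf_der) in wanted


def _connect_via_proxy(proxy: Tuple[str, int], host: str, port: int, timeout: float) -> socket.socket:
    """Open a TCP tunnel through an HTTP proxy with CONNECT, as the device does."""
    sock = socket.create_connection(proxy, timeout=timeout)
    request = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)
    sock.sendall(request.encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    if not reply.startswith((b"HTTP/1.1 200", b"HTTP/1.0 200")):
        sock.close()
        raise ConnectionError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    return sock


def connect_pinned(host: str, pins: Iterable[str], port: int = 443,
                   proxy: Optional[Tuple[str, int]] = None, timeout: float = 5.0) -> str:
    """TLS-connect and refuse the session unless the leaf certificate is pinned.

    The default context checks the chain against the system trust store, so with
    the ZAP root CA installed a ZAP-minted leaf passes that check; the pin
    comparison is what still rejects it.
    """
    ctx = ssl.create_default_context()
    if proxy:
        sock = _connect_via_proxy(proxy, host, port, timeout)
    else:
        sock = socket.create_connection((host, port), timeout=timeout)
    with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        leaf = tls.getpeercert(binary_form=True)
        if not pin_matches(leaf, pins):
            raise ssl.SSLCertVerificationError(
                "pin mismatch for %s, presented %s" % (host, sha256_fingerprint(leaf)))
        return tls.version()


if __name__ == "__main__":
    import sys
    # Usage: python pin_check.py owasp_zap_root_ca.cer [host]
    print("root CA SHA-256:", fingerprint_file(sys.argv[1]))
    if len(sys.argv) > 2:
        # Placeholder pin and proxy address (assumptions, not values from the post):
        # substitute the server's real fingerprint and the address ZAP listens on.
        pins = ["PLACEHOLDER-REAL-SERVER-FINGERPRINT"]
        try:
            print("negotiated", connect_pinned(sys.argv[2], pins, proxy=("127.0.0.1", 8080)))
        except ssl.SSLError as err:
            print("rejected:", err)
```

With ZAP in the path, the fingerprint printed in the rejection message is that of the certificate ZAP generated for the host, not the server's own, which is what a pinning app sees and refuses. Once the testing is done, remove the ZAP profile from the device again: while it is installed, the device trusts anyone holding that CA's private key for every HTTPS site it visits.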
