httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

API of the APP brings up "Attention Required! | Cloudflare" with script #102

Closed ItsMarcoDE closed 2 months ago

ItsMarcoDE commented 2 months ago

Hello,

The APP "portaventura.android" has an interesting problem. When I start the APP without the interception-and-unpinning scripts, the APP works without any issues. However, when I start it with the scripts to access the API, I can see the API requests, but I encounter an error from Cloudflare everywhere: "Attention Required! | Cloudflare - Sorry, you have been blocked."

frida.txt

pimterry commented 2 months ago

This is interesting but unrelated to certificate pinning & these scripts in this repo, which manage client trust for intercepting traffic (so I will close this in a sec).

What's happening here is that the server (not the client) is rejecting your traffic. That's almost certainly because the server is doing TLS fingerprinting (bit of a guide here: https://httptoolkit.com/blog/tls-fingerprinting-node-js/) to recognize that the traffic is coming from software that it's not expecting (i.e. from mitmproxy in this case, not from an Android app).

Different mitm tools often have different TLS fingerprints, which may allow you to work around this, so that's worth investigating. Assuming this is indeed the cause though, this isn't something you can resolve with Frida - it depends completely on the MITM setup that you proxy through.

ItsMarcoDE commented 2 months ago

It is a client-user certificate. I have extracted the "cert.pem" and the "private_der.key" from the APK. If you include these in the request, it will be accepted.

pimterry commented 2 months ago

Ah, ok, that makes sense. Nonetheless, this is the server rejecting your certs, not the client, so it's not related to these scripts.

This is a configuration issue with your proxy setup. You need to configure mitmproxy to send client certs the way you want. I'm not sure how to do that with mitmproxy so you'll need to talk to them if you're not sure. Alternatively you can also use HTTP Toolkit, which definitely does support client certificates for requests like this (and also automatically manages & runs these Frida scripts for you) as part of HTTP Toolkit Pro.

rhysperry111 commented 1 month ago

Is it within the scope of this repo to at least extract client certificates?

Only asking because while it's easy to find the client certificate on some apps, on others... it is very much not easy. Hooking into a low-level function to extract the certificate passed to the SSL library might be easier.

Also seems like it would be a killer feature for HTTP Toolkit Pro if it could automatically load client certificates.

pimterry commented 1 month ago

Is it within the scope of this repo to at least extract client certificates?

That would be neat, but it's a bit complicated from a UX perspective within HTTP Toolkit itself. That said, I totally agree a script like that would be useful. If you're interested in working on that, I'd happily accept a PR for it.

rhysperry111 commented 1 month ago

I spent a few hours over the weekend trying it, but having no experience using frida I was shooting blind and didn't get anything worked out. I think I got close a few times but was never able to get it to actually print out the certificate data (and it didn't help that I wasn't 100% sure the app I was messing with was using client certificates)
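
One way to do the extraction discussed in the last few comments, as an added example that is not part of this repository's scripts: a Frida agent that hooks `javax.net.ssl.KeyManagerFactory.init(KeyStore, char[])`, which is the point where an app hands its client identity (and the key password) to the Java TLS stack, and prints the certificate chain and PKCS#8 private key of every key entry as PEM. The assumptions are mine: the app loads its client certificate through a `KeyStore` passed to `KeyManagerFactory` (OkHttp, HttpsURLConnection and most wrappers end up there); apps that hand the key to a native TLS library directly need a native hook instead, and keys held in the hardware-backed AndroidKeyStore return `null` from `getEncoded()` and cannot be exported this way. The base64/PEM helpers are kept free of Frida APIs so they can be checked outside the agent.

```javascript
'use strict';

// Added example, not part of the repository: dump the client certificate and
// private key an Android app passes to javax.net.ssl, as PEM, via Frida.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Base64-encode an array of byte values. Written by hand because the Frida
// runtime has neither Node's Buffer nor btoa; Java byte[] values arrive as
// signed numbers, so each is masked to 0..255 first.
function base64(bytes) {
    let out = '';
    for (let i = 0; i < bytes.length; i += 3) {
        const b0 = bytes[i] & 0xff;
        const b1 = i + 1 < bytes.length ? bytes[i + 1] & 0xff : 0;
        const b2 = i + 2 < bytes.length ? bytes[i + 2] & 0xff : 0;
        const n = (b0 << 16) | (b1 << 8) | b2;
        out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
        out += i + 1 < bytes.length ? B64[(n >> 6) & 63] : '=';
        out += i + 2 < bytes.length ? B64[n & 63] : '=';
    }
    return out;
}

// Wrap DER bytes as a PEM block with 64-character lines. Label is
// 'CERTIFICATE' or 'PRIVATE KEY' (PKCS#8, which is what Key.getEncoded() returns).
function derToPem(bytes, label) {
    const body = base64(bytes).match(/.{1,64}/g) || [];
    return '-----BEGIN ' + label + '-----\n' +
        body.join('\n') + '\n' +
        '-----END ' + label + '-----\n';
}

// Print every key entry of a loaded KeyStore. `password` is the char[] the app
// passed to KeyManagerFactory.init, which is exactly what getKey() needs.
function dumpKeyStore(keyStore, password) {
    const aliases = keyStore.aliases();
    while (aliases.hasMoreElements()) {
        const alias = aliases.nextElement().toString();
        if (!keyStore.isKeyEntry(alias)) continue;            // trust anchors are not client identities

        console.log('[client-cert] key entry "' + alias + '"');
        const chain = keyStore.getCertificateChain(alias);
        if (chain !== null) {
            for (let i = 0; i < chain.length; i++) {
                console.log(derToPem(chain[i].getEncoded(), 'CERTIFICATE'));
            }
        }
        const key = keyStore.getKey(alias, password);
        const der = key !== null ? key.getEncoded() : null;
        if (der === null) {
            // Hardware-backed (AndroidKeyStore) keys are not exportable.
            console.log('[client-cert] key not exportable, format=' +
                (key !== null ? key.getFormat() : 'n/a'));
        } else {
            console.log(derToPem(der, 'PRIVATE KEY'));
        }
    }
}

// Only the hook itself needs the Frida Java bridge.
if (typeof Java !== 'undefined' && Java.available) {
    Java.perform(function () {
        const KeyManagerFactory = Java.use('javax.net.ssl.KeyManagerFactory');
        KeyManagerFactory.init.overload('java.security.KeyStore', '[C')
            .implementation = function (keyStore, password) {
                if (keyStore !== null) {
                    try {
                        dumpKeyStore(keyStore, password);
                    } catch (e) {
                        console.log('[client-cert] dump failed: ' + e);
                    }
                }
                return this.init.overload('java.security.KeyStore', '[C')
                    .call(this, keyStore, password);
            };
    });
}
```

Load it alongside the unpinning scripts (for example `frida -U -f <package> -l dump-client-cert.js`, with the package name substituted) and trigger the request that needs the client certificate; the PEM blocks appear in Frida's console. Concatenating the key and certificate into one PEM file gives the form mitmproxy's `client_certs` option and HTTP Toolkit's client certificate settings expect. If nothing is printed, the app is not going through `KeyManagerFactory`, which is the hint to move down to the native TLS library.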