Intercepting Firefox OS traffic using a proxy

  • Revision slug: Mozilla/Firefox_OS/Security/Intercepting_traffic_using_a_proxy
  • Revision title: Intercepting Firefox OS traffic using a proxy
  • Revision id: 372299
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment Moved From Mozilla/Firefox_OS/Intercept_Firefox_OS_Traffic_Using_a_Proxy to Mozilla/Firefox_OS/Security/Intercepting_traffic_using_a_proxy

Revision Content

ZAP Proxy & Firefox OS: See and Intercept all outgoing traffic (including HTTPS)

Make sure you have read the first part in the Firefox OS Application Security Series: How to install b2g-desktop and attach a JavaScript debugging shell is explained in Debugging and Security Testing with Firefox OS

Working with apps that are nothing but HTML and JavaScript, interesting parts are being pulled from APIs on the web. So what's could be more interesting than to look which HTTP requests all these apps do. Well, soon you can. This section will show you how to intercept all HTTP traffic with a proxy. We will also whitelist the proxy's SSL certificate so Firefox OS doesn't mind someone intercepting and re-encrypting the HTTPS communication.

First, let's get started with ZAP: ZAP is an intercepting proxy that intercepts and re-encrypts HTTPS traffic for easy debugging. Click on the big blue button on the ZAP homepage to download it. If you choose to use another proxy (I hear Burp Proxy is a common choice) feel free to do so, as our approach should work with both. Now, whichever proxy you use. Let it export its certificate to a file, e.g., owasp_zap_root_ca.cer. You also have to make sure that ZAP does not listen on localhost, but on your public ethernet IP address. This is because b2g-desktop's localhost does not point to your desktop computer, but something within the b2g binary itself. For our example, we will use my IP address, 10.264.1.5.

Accepting certificates is a thing that happens in settings. As we had it earlier, these are stored in profiles. So here's a short primer in Firefox profiles:

Start the Firefox profile manager (-P), and make sure that the firefox to be called does not use any existing firefox sessions (-no-remote):

firefox -P -no-remote

Now create a new profile, called zapped. Go to the certificate settings: Edit, Preferences, Advanced, Encryption, View Certificates, Import. Now select the owasp_zap_root_ca.cer file and tell Firefox that it should trust this CA to identify web sites (this is really only valid for this profile).

Having used Firefox to create a certificate database for us, we can now use this db for our b2g profile. The name of your firefox profile directory is a randomg string that ends with zapped. The location depends on your operating system and can be determined by following this MozillaZine article. We only need the cert8.db file, which is the profile's certificate database. Copy it over to your b2g profile directory b2g/gaia/profile/ and overwrite the existing file.

The next step is setting ZAP as the default proxy for all network communication. The proxy settings are currently not available from the Firefox OS user interface, just like the certificate settings.

So we will append these custom settings to the preferences file, b2g/gaia/profile/prefs.js:

user_pref("network.proxy.backup.ftp", "10.264.1.5");
user_pref("network.proxy.backup.ftp_port", 8080);
user_pref("network.proxy.backup.socks", "10.264.1.5");
user_pref("network.proxy.backup.socks_port", 8080);
user_pref("network.proxy.backup.ssl", "10.264.1.5");
user_pref("network.proxy.backup.ssl_port", 8080);
user_pref("network.proxy.ftp", "10.264.1.5");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.http", "10.264.1.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "10.264.1.5");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "10.264.1.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);

Remember to replace my IP address 10.264.1.5 with yours, and if your proxy does not listen on port 8080, make sure you change it in this file too.

Now we should be good to go. Start b2g again and try some browsing. Things should show in ZAP now!

 

Next Step:

Testing in a Privileged Context: Shipping your own Gaia Apps

 

Revision Source

<h2 id="ZAP_Proxy_.26_Firefox_OS.3A_See_and_Intercept_all_outgoing_traffic_(including_HTTPS)">ZAP Proxy &amp; Firefox OS: See and Intercept all outgoing traffic (including HTTPS)</h2>
<p>Make sure you have read the first part in the Firefox OS Application Security Series: How to install b2g-desktop and attach a JavaScript debugging shell is explained in <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Debugging_and_Security_Testing_with_Firefox_OS" title="https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Debugging_and_Security_Testing_with_Firefox_OS$edit">Debugging and Security Testing with Firefox OS</a></p>
<p>Working with apps that are nothing but HTML and JavaScript, interesting parts are being pulled from APIs on the web. So what's could be more interesting than to look which HTTP requests all these apps do. Well, soon you can. This section will show you how to intercept all HTTP traffic with a proxy. We will also whitelist the proxy's SSL certificate so Firefox OS doesn't mind someone intercepting and re-encrypting the HTTPS communication.</p>
<p>First, let's get started with ZAP: ZAP is an intercepting proxy that intercepts and re-encrypts HTTPS traffic for easy debugging. Click on the big blue button on the <a data-mce-="" href="https://www.owasp.org/index.php/ZAP" title="https://www.owasp.org/index.php/ZAP">ZAP homepage</a> to download it. If you choose to use another proxy (I hear Burp Proxy is a common choice) feel free to do so, as our approach should work with both. Now, whichever proxy you use. Let it export its certificate to a file, e.g., <em>owasp_zap_root_ca.cer</em>. You also have to make sure that ZAP does not listen on localhost, but on your public ethernet IP address. This is because b2g-desktop's localhost does not point to your desktop computer, but something within the b2g binary itself. For our example, we will use my IP address, 10.264.1.5.</p>
<p>Accepting certificates is a thing that happens in settings. As we had it earlier, these are stored in profiles. So here's a short primer in Firefox profiles:</p>
<p>Start the Firefox profile manager (-P), and make sure that the firefox to be called does not use any existing firefox sessions (-no-remote):</p>
<pre>
firefox -P -no-remote</pre>
<p>Now create a new profile, called <em>zapped</em>. Go to the certificate settings: Edit, Preferences, Advanced, Encryption, View Certificates, Import. Now select the <em>owasp_zap_root_ca.cer</em> file and tell Firefox that it should trust this CA to identify web sites (this is really only valid for this profile).</p>
<p>Having used Firefox to create a certificate database for us, we can now use this db for our b2g profile. The name of your firefox profile directory is a randomg string that ends with <em>zapped</em>. The location depends on your operating system and can be determined by following this <a data-mce-="" href="http://kb.mozillazine.org/Profile_folder_-_Firefox#Navigating_to_the_profile_folder" title="http://kb.mozillazine.org/Profile_folder_-_Firefox#Navigating_to_the_profile_folder">MozillaZine article</a>. We only need the <em>cert8.db</em> file, which is the profile's certificate database. Copy it over to your b2g profile directory b2g/gaia/profile/ and overwrite the existing file.</p>
<p>The next step is setting ZAP as the default proxy for all network communication. The proxy settings are currently not available from the Firefox OS user interface, just like the certificate settings.</p>
<p>So we will append these custom settings to the preferences file, b2g/gaia/profile/prefs.js:</p>
<pre>
<code>user_pref("network.proxy.backup.ftp", "10.264.1.5");
user_pref("network.proxy.backup.ftp_port", 8080);
user_pref("network.proxy.backup.socks", "10.264.1.5");
user_pref("network.proxy.backup.socks_port", 8080);
user_pref("network.proxy.backup.ssl", "10.264.1.5");
user_pref("network.proxy.backup.ssl_port", 8080);
user_pref("network.proxy.ftp", "10.264.1.5");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.http", "10.264.1.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "10.264.1.5");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "10.264.1.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);</code>
</pre>
<p>Remember to replace my IP address 10.264.1.5 with yours, and if your proxy does not listen on port 8080, make sure you change it in this file too.</p>
<p>Now we should be good to go. Start b2g again and try some browsing. Things should show in ZAP now!</p>
<p>&nbsp;</p>
<h4>Next Step:</h4>
<p><a href="https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Testing_in_a_Privileged_Context" title="https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Testing_in_a_Privileged_Context">Testing in a Privileged Context: Shipping your own Gaia Apps</a></p>
<p>&nbsp;</p>
Revert to this revision