Intercepting Firefox OS traffic using a proxy

  • Revision slug: Mozilla/Firefox_OS/Security/Intercepting_traffic_using_a_proxy
  • Revision title: Intercepting Firefox OS traffic using a proxy
  • Revision id: 372371
  • Created:
  • Creator: Joshua-S
  • Is current revision? No
  • Comment: Editorial Review

Revision Content

{{PreviousNext("Mozilla/Firefox_OS/Security/Debugging_and_security_testing", "Mozilla/Firefox_OS/Apps/Testing_in_a_privileged_context")}}

Make sure you have read the first part, Debugging and security testing with Firefox OS (/en-US/docs/Mozilla/Firefox_OS/Security/Debugging_and_security_testing), which explains how to install B2G Desktop and attach a JavaScript debugging shell.

Firefox OS apps are nothing but HTML and JavaScript, so much of the interesting work happens in APIs that move data over the network, and it is often useful to see the HTTP requests an app makes. This article shows how to route all of B2G Desktop's HTTP and HTTPS traffic through an intercepting proxy. Because the proxy terminates TLS and re-encrypts the connection with certificates it signs itself, we also add the proxy's root CA certificate to the trust store of the B2G profile, so Firefox OS accepts those certificates instead of refusing the connection. Keep that CA confined to the test profile: anyone holding its private key can impersonate any HTTPS site to a client that trusts it.

Introducing ZAP

First, let's get started with ZAP. ZAP is an intercepting proxy: it terminates the client's HTTPS connection, presents a certificate generated on the fly and signed by its own root CA, and opens a second TLS connection to the real server, so the plaintext is visible in between. Click on the big blue button on the ZAP homepage (https://www.owasp.org/index.php/ZAP) to download it. If you prefer another proxy (Burp Proxy, http://portswigger.net/burp/proxy.html, is a common choice), the approach below works the same way. Whichever proxy you use, export its root CA certificate to a file such as owasp_zap_root_ca.cer. You also have to configure the proxy to listen not on localhost but on the address of your machine's network interface (its LAN address). This is because, inside B2G Desktop, localhost does not refer to your desktop computer but to something within the b2g binary itself. Listening on a LAN-reachable address also means that other hosts on the network can use the proxy, so restrict the port with a host firewall unless you are on an isolated network. For our example we will write the address as 10.264.1.5; this is a placeholder (264 is not a valid octet), so substitute your own address wherever it appears.

Creating a certificate database

Certificate trust decisions are part of the settings, and settings are stored in profiles, so here is a short primer on Firefox profiles.

Start the Firefox profile manager using the -P option on the command line, and pass -no-remote so that Firefox starts a new instance instead of attaching to an already running session.

On Linux, you need to do:

firefox -P -no-remote

On Mac OS X:

/Applications/Firefox.app/Contents/MacOS/firefox -P -no-remote

Now create a new profile called "zapped" and start Firefox with it. Go to the certificate settings: Edit > Preferences > Advanced > Encryption > View Certificates > Import. Select the owasp_zap_root_ca.cer file exported by your proxy and tell Firefox to trust this CA to identify web sites. The trust decision is stored only in this profile's certificate database, which is exactly what we want: your day-to-day profile should never trust an interception CA.

Having used Firefox to create a certificate database for us, we can now use that database for our B2G profile. The name of your Firefox profile directory is a random string that ends with zapped. The location depends on your operating system; see Runtime Directories (/en-US/docs/Runtime_Directories) for details on where to find it. We only need the cert8.db file, which is the profile's NSS certificate and trust database. Copy it into your B2G profile directory, b2g/gaia/profile/, while B2G Desktop is not running.

Note: This overwrites the existing cert8.db in the B2G profile. Keep a copy of the original so you can restore a profile that trusts only the built-in roots when you are done testing.

Setting up B2G

The next step is to make ZAP the proxy for all network communication. Like the certificate settings, the proxy settings are currently not exposed in the Firefox OS user interface, so we append them to the B2G profile's preferences file, b2g/gaia/profile/prefs.js. Do this while B2G Desktop is stopped: Gecko rewrites prefs.js on shutdown, so edits made while it is running are lost. network.proxy.type set to 1 selects manual proxy configuration, and an empty network.proxy.no_proxies_on ensures that no host bypasses the proxy:

user_pref("network.proxy.backup.ftp", "10.264.1.5");
user_pref("network.proxy.backup.ftp_port", 8080);
user_pref("network.proxy.backup.socks", "10.264.1.5");
user_pref("network.proxy.backup.socks_port", 8080);
user_pref("network.proxy.backup.ssl", "10.264.1.5");
user_pref("network.proxy.backup.ssl_port", 8080);
user_pref("network.proxy.ftp", "10.264.1.5");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.http", "10.264.1.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "10.264.1.5");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "10.264.1.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);

Note: Remember to replace the placeholder address 10.264.1.5 with your machine's own address (the placeholder is not a valid IPv4 address, so the file will not work as-is), and if your proxy does not listen on port 8080, change the port in this file as well.

At this point, you should be ready to go. Start B2G Desktop again and try some browsing; requests, including decrypted HTTPS, should appear in ZAP. If HTTPS sites fail to load while plain HTTP works, the copied cert8.db did not take effect; if nothing appears at all, check that the proxy is listening on the address written in prefs.js and not on localhost.
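The two manual steps above (copying cert8.db into the B2G profile and appending the proxy preferences) are easy to get subtly wrong: an invalid or loopback address, a lost backup, or duplicated prefs after a second run. The following script is an added example, not part of the original article or of the Firefox OS project; it automates both steps with those checks. The profile paths, the address and the port are assumptions passed on the command line, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article: automates the two manual
# steps described above, copying the cert8.db that trusts the proxy CA from
# the "zapped" Firefox profile into the B2G Desktop profile (backing up the
# file it overwrites) and appending the manual-proxy prefs to prefs.js.
# Profile paths, address and port are assumptions passed on the command line.
set -u

# True only for a dotted quad whose four octets are all in 0..255, so that a
# typo such as 10.264.1.5 is rejected before it is written to prefs.js.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    return 0
}

# Print the same manual-proxy preferences the article appends by hand, for
# HOST:PORT. network.proxy.type 1 is "manual"; an empty no_proxies_on means
# nothing bypasses the proxy.
proxy_prefs() {
    host=$1
    port=$2
    for proto in ftp socks ssl; do
        printf 'user_pref("network.proxy.backup.%s", "%s");\n' "$proto" "$host"
        printf 'user_pref("network.proxy.backup.%s_port", %s);\n' "$proto" "$port"
    done
    for proto in ftp http socks ssl; do
        printf 'user_pref("network.proxy.%s", "%s");\n' "$proto" "$host"
        printf 'user_pref("network.proxy.%s_port", %s);\n' "$proto" "$port"
    done
    printf 'user_pref("network.proxy.no_proxies_on", "");\n'
    printf 'user_pref("network.proxy.share_proxy_settings", true);\n'
    printf 'user_pref("network.proxy.type", 1);\n'
}

# install_proxy_prefs HOST PORT B2G_PROFILE_DIR FIREFOX_PROFILE_DIR
# Run this with B2G Desktop stopped: Gecko rewrites prefs.js on shutdown and
# would discard edits made while it is running.
install_proxy_prefs() {
    host=$1
    port=$2
    b2g=$3
    ff=$4
    if ! valid_ipv4 "$host"; then
        echo "not a valid IPv4 address: $host" >&2
        return 1
    fi
    # Inside B2G Desktop, localhost is not this machine (see above), so a
    # loopback proxy address can never work.
    case $host in
        127.*) echo "use the LAN address, not loopback: $host" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2
        return 1
    fi
    if [ ! -f "$ff/cert8.db" ]; then
        echo "no cert8.db in $ff" >&2
        return 1
    fi
    if [ ! -d "$b2g" ]; then
        echo "no B2G profile directory: $b2g" >&2
        return 1
    fi
    # Keep the original database so a profile trusting only the built-in
    # roots can be restored when testing is over.
    if [ -f "$b2g/cert8.db" ] && [ ! -f "$b2g/cert8.db.orig" ]; then
        cp -p "$b2g/cert8.db" "$b2g/cert8.db.orig"
    fi
    cp -p "$ff/cert8.db" "$b2g/cert8.db"
    # Append the prefs only once so that re-running does not duplicate them.
    if ! grep -q 'network.proxy.type' "$b2g/prefs.js" 2>/dev/null; then
        proxy_prefs "$host" "$port" >> "$b2g/prefs.js"
    fi
}

# Usage: sh setup-proxy.sh 10.0.1.5 8080 ~/b2g/gaia/profile ~/.mozilla/firefox/abcd1234.zapped
if [ $# -eq 4 ]; then
    install_proxy_prefs "$@"
fi
```

The script deliberately refuses a 127.x address, since that is the failure mode the article warns about, and it validates the address so that a placeholder such as 10.264.1.5 cannot reach prefs.js. If you would rather skip the Firefox GUI step, the same cert8.db can be produced non-interactively with NSS's certutil (not mentioned in the original article): certutil -d dbm:/path/to/profile -A -n "OWASP ZAP Root CA" -t "C,," -i owasp_zap_root_ca.cer, where the dbm: prefix selects the legacy cert8.db format on NSS builds that default to the SQLite store.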

{{PreviousNext("Mozilla/Firefox_OS/Security/Debugging_and_security_testing", "Mozilla/Firefox_OS/Apps/Testing_in_a_privileged_context")}}
