Examining Network Data after bypassing SSL
Purpose: To bypass SSL and capture transmitted data using Burp Suite.
Man-In-The-Middle Attack using Burp Suite.
Check if apps accept self-signed certificates.
The Burp Suite proxy generates and presents to the client a self-signed certificate.
Ensure that the smartphone doesn't have any existing custom proxy certificates stored in its trust store.
If we can intercept the traffic, then the app is vulnerable to eavesdropping and modification via MITM attacks.
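A static complement to the proxy test above, as an added example that is not part of the original page: it goes beyond the dynamic check and scans an app's Java source (for instance decompiled output) for the code patterns that make a client accept a self-signed certificate. The function name, check names and sample classes are assumptions constructed for illustration.

```python
import re

# Heuristic patterns for Java/Android code that makes a client accept any
# certificate, including the self-signed one an intercepting proxy presents.
CHECKS = [
    ("empty checkServerTrusted",  # X509TrustManager that never throws
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?"
                r"\{\s*(?:return\s*;\s*)?\}")),
    ("HostnameVerifier always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("WebView proceeds on SSL error",
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
]
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def scan(java_source):
    """Return the names of the checks that match, in CHECKS order."""
    # Drop comments first so "{ // trust all }" still counts as an empty body.
    # Simplification: a "//" inside a string literal is also cut.
    code = COMMENTS.sub("", java_source)
    return [name for name, pattern in CHECKS if pattern.search(code)]


# Constructed sample: a client that would accept the proxy's certificate.
ACCEPTS_ANY_CERT = """
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept everything
    }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
"""

# Constructed sample: validation is delegated to the platform trust manager.
VALIDATES = """
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platformTm.checkServerTrusted(chain, authType);
    }
}
"""

if __name__ == "__main__":
    for label, src in (("ACCEPTS_ANY_CERT", ACCEPTS_ANY_CERT), ("VALIDATES", VALIDATES)):
        print(label, "->", scan(src) or "no findings")
```

A finding here predicts that the proxy test will succeed in intercepting traffic; no finding does not prove the app validates certificates, so the dynamic check is still needed.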
Demo: In the video above we use the Burp Suite proxy in an attempt to bypass SSL and capture the transmitted data. We configure the smartphone to use the proxy and the proxy to listen to traffic coming from the device.
When this is done the proxy generates and presents to the client a self-signed (fake) certificate. In the above example we can see that we are unable to see/capture any traffic and at some point the application throws an error, rejecting the