This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, October 25 • 10:00am - 10:45am
Reverse Engineering “Secure” HTTP APIs With An SSL Proxy

Sign up or log in to save this to your schedule and see who's attending!

The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs.

In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API.

We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack.

Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information – such as a user’s address book – are being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users’ contacts to its HTTP API.


Alejandro Caceres

Computer Network Operations Engineer, Lunarline Inc.
I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of open source projects related to pen testing and particularly enjoy dealing with unique ways of automating exploitation of web applications.
avatar for Mark Haase

Mark Haase

Sr. Security Software Engineer, Lunarline, Inc.
I've been writing software since I was 13, writing software as a job since Junior year of college, and working professionally as a software engineer since I graduated in financial services and then information security.

Thursday October 25, 2012 10:00am - 10:45am
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

Attendees (44)