zlacker
1. hultne+ (OP) 2023-10-13 20:20:06
This is what I would usually do as well: self-MITM, analyze the traffic, and reverse engineer from there.
replies(1): >>aneutr+Id
2. aneutr+Id 2023-10-13 21:50:41
>>hultne+(OP)
While, if possible, it's the best course of action, the truth is that these days additions like HSTS make it extremely difficult to MITM.

Additionally, MITM-ing and trying things out on a toaster is one thing; doing the same on a $40k machine that can potentially make it impossible to do your commute is another.

This is IMO a prime example where the double-team reverse engineering approach is key to success: one documents the API, the other uses it without having access to the code (whiteroom).

replies(1): >>amelia+iU
3. amelia+iU 2023-10-14 07:02:38
>>aneutr+Id
Nitpick: HSTS doesn't interfere with MITM. You're thinking of certificate pinning.
replies(2): >>aneutr+W01 >>LoganD+yPc
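To make the distinction in this comment concrete, here is an added example (not code from anyone in the thread): a parser for the Strict-Transport-Security header as defined in RFC 6797, plus a small model of how an HSTS-only client and a pinning client decide whether to accept a connection. The header value, the "real" and "proxy" SPKI bytes, and the base64 SHA-256 pin encoding are constructed assumptions for the demo.

```python
import base64
import hashlib
from typing import Optional, Set


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns {} when the header is invalid (max-age is mandatory). Note what is
    absent: HSTS carries no statement about which CA may sign the certificate.
    It only forces HTTPS and removes the "proceed anyway" option on cert errors.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # delta-seconds may be quoted
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else {}


def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a DER SubjectPublicKeyInfo (assumed pin encoding)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def connection_allowed(hsts: dict, scheme: str, chain_valid: bool,
                       presented_spki: bytes, pins: Optional[Set[str]]) -> bool:
    """Model the client decision.

    chain_valid: whether the OS trust store accepted the chain. This is True for
    an interception proxy whose CA the device owner installed, which is exactly
    the case HSTS does not cover. pins=None means the app does no pinning.
    """
    if hsts and scheme != "https":
        return False            # HSTS: plain HTTP is refused (or upgraded)
    if not chain_valid:
        return False            # HSTS: certificate errors cannot be clicked through
    if pins is not None and spki_pin(presented_spki) not in pins:
        return False            # pinning: reject a key the OS nonetheless trusts
    return True
```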
4. aneutr+W01 2023-10-14 08:54:04
>>amelia+iU
You are right, I was thinking of stapling but wrote HSTS. Thanks.
5. LoganD+yPc 2023-10-18 03:17:54
>>amelia+iU
HSTS interferes with MITM when the mobile device in question doesn't allow you to install new certificate authorities (as is slowly becoming the case).