When building a mobile app, several situations call for engineers to monitor the app’s Application Programming Interface (API) traffic, for example to test the app’s performance or to look for vulnerabilities. Burp Suite is software from PortSwigger that lets you monitor an app’s API traffic and manipulate both the requests the app sends and the responses it receives.
Burp Suite must run on the same network as the app. This does not mean that anyone on the network can use Burp Suite to intercept any device’s traffic: the device to be monitored must install the certificate provided by Burp Suite, and its proxy must be configured as described in this guide.
To use Burp for API monitoring, you need a laptop with Burp Suite installed on it (you can download it here, preferably the Community edition) and a device (Android or iOS) on which the app is installed. Make sure that both are on the same network.
Configuring Burp Suite
For the configuration, open Burp Suite and click “Next” until the following interface appears:
Click the “Proxy” tab, then the “Options” tab. Go to the section called “Proxy Listeners” and click the “Add” button. A dialog called “Add a New Proxy Listener” opens and shows a tab labelled “Binding”.
In the box next to “Bind to Port”, type a port number that is currently unused. For “Bind to Address”, choose “Specific Address” and select the laptop’s address on the network you are using. When done, click OK.
After the dialog closes, still in the “Options” tab, scroll down to the section called “Intercept Client Requests”, which is followed by a table of request interception rules. This is where you add rules for the HTTP and HTTPS protocols.
To add the rule for the HTTP protocol, follow these steps:
- Click the “Add” button, and a box called “Add request interception rule” will pop up.
- For Boolean operator, choose “Or”
- For Match Type, choose “Protocol”
- For Match Relationship, choose “Is HTTP”
- Click OK
Follow the same steps to add the rule for the HTTPS protocol, this time selecting “Is HTTPS” for the Match Relationship.
After you have added the two rules, look at the table under “Intercept Client Requests” again. Make sure that only these two rules are ticked and that all other rules are unticked.
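The table described above is easier to reason about as code. The following is an added example, not part of the original post and not PortSwigger’s implementation: it models a rule row (tick box, Boolean operator, match type, relationship) and evaluates ticked rules top to bottom, combining each with the running result using its operator. That left-to-right combination, the `STATIC_EXTENSIONS` pattern and the sample URLs are assumptions made for this illustration; the "File extension" match type is included only to show why a leftover ticked rule, and its position in the table, changes what gets held.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Rule:
    """One row of the "Intercept Client Requests" table."""
    enabled: bool        # the tick box
    operator: str        # "Or" or "And"; ignored for the first ticked rule
    match_type: str      # "Protocol" or "File extension" (a subset of Burp's types)
    relationship: str    # Protocol: "Is HTTP" / "Is HTTPS"; File extension: "Matches" / "Does not match"
    value: str = ""      # regex for File extension rules, unused for Protocol rules


def _rule_matches(rule: Rule, url: str) -> bool:
    """Does this single rule match the request URL?"""
    parsed = urlparse(url)
    if rule.match_type == "Protocol":
        if rule.relationship == "Is HTTP":
            return parsed.scheme == "http"
        if rule.relationship == "Is HTTPS":
            return parsed.scheme == "https"
        raise ValueError(f"unknown Protocol relationship: {rule.relationship!r}")
    if rule.match_type == "File extension":
        last_segment = parsed.path.rsplit("/", 1)[-1]
        ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
        matched = re.search(rule.value, ext) is not None
        if rule.relationship == "Matches":
            return matched
        if rule.relationship == "Does not match":
            return not matched
        raise ValueError(f"unknown File extension relationship: {rule.relationship!r}")
    raise ValueError(f"unsupported match type: {rule.match_type!r}")


def should_intercept(rules, url: str) -> bool:
    """Combine the ticked rules top to bottom with their Boolean operators (assumed semantics)."""
    result = None
    for rule in rules:
        if not rule.enabled:
            continue
        hit = _rule_matches(rule, url)
        if result is None:
            result = hit
        elif rule.operator == "Or":
            result = result or hit
        elif rule.operator == "And":
            result = result and hit
        else:
            raise ValueError(f"unknown operator: {rule.operator!r}")
    return bool(result)  # no ticked rules: nothing is held


# Constructed pattern standing in for a "skip static resources" rule.
STATIC_EXTENSIONS = r"^gif$|^jpg$|^png$|^css$|^js$|^ico$"

# The table as the post describes it: the two protocol rules ticked, everything else unticked.
POST_RULES = [
    Rule(False, "Or", "File extension", "Does not match", STATIC_EXTENSIONS),
    Rule(True, "Or", "Protocol", "Is HTTP"),
    Rule(True, "Or", "Protocol", "Is HTTPS"),
]

# Same rows with the static-resource rule ticked and moved last with "And":
# image fetches now pass through and only the API calls are held.
API_ONLY_RULES = [
    Rule(True, "Or", "Protocol", "Is HTTP"),
    Rule(True, "Or", "Protocol", "Is HTTPS"),
    Rule(True, "And", "File extension", "Does not match", STATIC_EXTENSIONS),
]


def triage(rules, urls):
    """Map each URL to whether Intercept would hold it under the given table."""
    return {url: should_intercept(rules, url) for url in urls}


if __name__ == "__main__":
    # Constructed sample requests, as an app might send while searching for a keyword.
    sample = [
        "https://api.example.com/v1/search?q=kereta+dorong",
        "http://api.example.com/v1/health",
        "https://cdn.example.com/img/banner.png",
    ]
    for name, rules in (("post rules", POST_RULES), ("api-only rules", API_ONLY_RULES)):
        print(name)
        for url, hold in triage(rules, sample).items():
            print(f"  {'HOLD' if hold else 'pass'}  {url}")
```

With the post’s table every request is held, which is what you want while tracing one app’s API. If a pre-existing rule stays ticked, where it sits in the table and which operator it carries decide whether it narrows or widens what is intercepted, which is why the post tells you to untick everything else.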
Installing the certificate on the Android/iOS device
To install the Burp Suite certificate on your device, which allows its traffic to be monitored by Burp Suite, first open the device’s browser and type in the IP address of the laptop where Burp Suite is installed, followed by the port you selected when configuring the listener, in the format [ip]:[port] (example: 192.168.8.100:8888).
After you tap “Go”, a pop-up asks you to confirm that the page may open “Settings”. Select “Allow” and you will be taken to the PortSwigger CA configuration profile. Select “Install” to install the certificate.
Next, set the proxy configuration to manual. Still in the device’s Settings, go to Wi-Fi and tap the “i” (information) button next to the network you are using. Under the HTTP Proxy section, choose “Configure Proxy”, select “Manual”, and enter the laptop’s IP address and the listener port from the previous step. Then tap “Save”.
If you are using iOS, also take the following steps:
- Still in your device’s “Settings” window, click on “General”.
- Select “About”
- Click on “Certificate Trust Settings”
- Activate PortSwigger CA
Note: do not forget to turn trust for the PortSwigger CA off again after you have completed the API testing.
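Before touching the device it helps to confirm from the laptop that the listener is reachable and that the exported CA is the one you expect. The script below is an added example, not part of the original post or of Burp Suite: it parses the `[ip]:[port]` form used above, checks that the port accepts connections, lists the common names in a CA file, and sends one request through the proxy while trusting the Burp CA only for that session rather than installing it system-wide (the same caveat as the note above). The endpoint `192.168.8.100:8888` is the post’s example, `burp_ca.pem` is a placeholder path for the CA exported from the listener, and `https://example.com/` is just a generic test URL.

```python
import socket
import ssl
import urllib.request


def parse_listener(endpoint: str) -> tuple[str, int]:
    """Parse the "[ip]:[port]" form from the post into (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected [ip]:[port], got {endpoint!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return host, port_num


def listener_reachable(endpoint: str, timeout: float = 2.0) -> bool:
    """TCP-connect to the listener; if this fails the device will not reach it either."""
    host, port = parse_listener(endpoint)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def proxied_context(ca_pem_path: str) -> ssl.SSLContext:
    """Trust ONLY the CA in the file for this context; the system trust store is untouched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def ca_subjects(ca_pem_path: str) -> list[str]:
    """Common names of the CAs in the file, to confirm it really is the PortSwigger CA."""
    ctx = proxied_context(ca_pem_path)
    names = []
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def fetch_via_burp(url: str, endpoint: str, ca_pem_path: str, timeout: float = 10.0) -> int:
    """Send one request through the listener (HTTPS via CONNECT); returns the HTTP status."""
    host, port = parse_listener(endpoint)
    proxy = f"http://{host}:{port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=proxied_context(ca_pem_path)),
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    endpoint = sys.argv[1] if len(sys.argv) > 1 else "192.168.8.100:8888"  # example from the post
    ca_file = sys.argv[2] if len(sys.argv) > 2 else "burp_ca.pem"          # placeholder path
    print("listener reachable:", listener_reachable(endpoint))
    print("CA subjects:", ca_subjects(ca_file))
    print("status via proxy:", fetch_via_burp("https://example.com/", endpoint, ca_file))
```

If the request succeeds, the status is the upstream server’s and the exchange shows up in Burp’s HTTP history; a certificate verification error means the CA file does not match the listener, which is the same failure the device will hit after installing the profile.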
Monitoring API and manipulating Requests/Responses
After the certificate is installed on your device, you can start monitoring and manipulating traffic. Go back to Burp Suite, select the “Proxy” tab, then the “Intercept” tab, and make sure that Intercept is on. Once you open the application on the device, its requests are held for interception. The following picture shows a request from the application being manipulated while searching for the keyword kereta dorong on the iPhone.
This is an effective method for testing how an application behaves when the server returns 5xx, 4xx and similar responses; the alternative, asking the backend team to take the server down temporarily, is far more cumbersome. You can experiment with this tutorial and adjust it to your needs.