# Intercepting iOS Network Traffic with Burp Suite

### Prerequisites * **Burp Suite**: You can download Burp Suite from [PortSwigger's website](https://portswigger.net/burp) (Community or Professional Edition) or install via **brew**. * **Jailbroken or Non-Jailbroken iOS Device**: You can use Burp Suite for testing both jailbroken and non-jailbroken iOS devices. * **Wi-Fi Network**: Both your iOS device and the computer running Burp Suite must be connected to the same Wi-Fi network. * **Burp Suite CA Certificate**: To intercept HTTPS traffic, you’ll need to install Burp's Certificate Authority (CA) certificate on your iOS device. *** ## Part 1: Configuring Burp Suite for iOS Traffic Interception ### Step 1: Set Up Burp Suite Proxy 1\. Open Burp Suite and go to the **Proxy** tab.\ 2\. Click **Options** and verify that a listener is running on port **8080** (default setting) or any port of your choice. Ensure that **"All interfaces"** is selected in the Bind to address field. > This allows Burp Suite to listen for traffic coming from any device on the same network.

### Step 1.1: Enable VPN In my case, I will to connect my host windows pc to the VPN "ovpn" and startup the burp in windows, eveything else, i will do into my wsl.

> Note: We can see the ip (10.11.3.2) ### Step 1.2: Set IP iOS device in BurpSuite

### Step 2: Configure iOS Device Proxy Settings You need to configure your iOS device to route its traffic through Burp Suite.\ 1\. On your iOS device, go to **Settings > Wi-Fi**.\ 2\. Tap the **i** icon next to your connected Wi-Fi network.

\ 3\. Scroll down to **HTTP Proxy** and set it to **Manual**.\ 4\. Enter the following details: * **Server**: The IP address of your computer running Burp Suite (you can find it by running **ifconfig** or **ipconfig** on your computer). * **Port**: The port Burp Suite is listening on (default is **8080**).

## Part 2: Installing Burp Suite CA Certificate To intercept HTTPS traffic, Burp Suite needs to act as a "man-in-the-middle" (MITM) proxy, and for that, your iOS device needs to trust Burp's CA certificate.\ \ Follow the manual from Portswigger: for this or execute below steps: #### Step 1: Download the Burp CA Certificate on the iOS Device 1\. On your iOS device, open **Safari** and navigate to: ``` http://burp ``` 2\. This will automatically download the Burp CA certificate (named **cacert.der**).

> Note: All it into us navegator #### Step 2: Install the CA Certificate 1\. After downloading, navigate to **Settings > General > VPN & Device Management** (or **Profiles & Device Management** depending on the iOS version). 2\. You should see the **Burp Suite Professional CA** profile listed. Tap on it and install the certificate. 3\. Go to **Settings > General > About > Certificate Trust Settings**.

Now, or upload the certf previusly download or, in the safary browser search and download again the certf -->

4\. Enable full trust for **Burp Suite Professional CA** by toggling the switch.

For end, we need activated ir in about -> "Cetificate Trust Setings"

## Part 3: Intercepting HTTP/HTTPS Traffic Once the proxy is set up and the CA certificate is installed, Burp Suite will begin intercepting all HTTP and HTTPS traffic from the iOS device. #### Step 1: Enable Interception 1\. In Burp Suite, go to the **Proxy** tab.2. Ensure the **Intercept** button is turned on.3. Open the app you want to test on your iOS device.\ Now, you should see requests from the app appearing in Burp Suite's intercept tab, allowing you to view and manipulate HTTP/HTTPS requests and responses. ## Part 4: Common Burp Suite Tasks #### 1. Testing API Calls and Parameters You can view and manipulate the API requests made by the app to the backend server.\ 1\. Open the **HTTP history** tab under **Proxy** in Burp Suite.2. Find the relevant API requests and inspect the parameters, headers, and data being sent.3. Modify the request (e.g., change parameters or tokens) and forward it to observe how the server responds. #### 2. Replay or Modify Requests Burp Suite allows you to replay captured requests or modify them to test for vulnerabilities.1. Right-click on any request in the HTTP history and select **Send to Repeater**.\ 2\. In the **Repeater** tab, you can manually modify and re-send the request, testing for various vulnerabilities like IDOR (Insecure Direct Object Reference), authentication bypass, or broken access control. #### 3. Intercepting Mobile App Login Requests Intercept login requests from the mobile app to capture or manipulate authentication tokens or credentials. This is especially useful for testing how the app handles login, session management, and authentication mechanisms.1. Log in to the app while Burp is intercepting the traffic.2. In Burp Suite’s HTTP history, search for the login request. Review the data being sent, including credentials, tokens, and session information. ## Part 5: Bypassing SSL Pinning Many iOS apps implement SSL pinning, which prevents interception of HTTPS traffic, even with the CA certificate installed. Here’s how you can bypass SSL pinning: #### Method 1: Using Frida and Objection (for Jailbroken Devices) You can use **Frida** or **Objection** to dynamically bypass SSL pinning in iOS apps. See the [Frida Guide](https://www.mobilehackinglab.com/path-player?courseid=ios-appsec\&unit=66320172d9155074010d39c5) or the [Objection Guide](https://www.mobilehackinglab.com/path-player?courseid=ios-appsec\&unit=66dee992414c21bf3d053855) for more details on how to disable SSL pinning using these tools.\ Once SSL pinning is bypassed, Burp Suite will be able to intercept HTTPS traffic from the app. #### Method 2: Using SSL Kill Switch 2 (for Jailbroken Devices) For jailbroken iOS devices, **SSL Kill Switch 2** is a popular tweak that disables SSL pinning across apps:1. Install **SSL Kill Switch 2** via **Cydia** or **Sileo** on your jailbroken iOS device.2. Once installed, it automatically disables SSL pinning in most apps.\ \ After enabling SSL Kill Switch, restart the app and Burp Suite will intercept the traffic. #### Method 3: Patch the App (Non-Jailbroken Devices) For non-jailbroken devices, you can use reverse engineering techniques to modify the app’s binary and disable SSL pinning directly. This requires tools like **Hopper** or **Ghidra** to analyze and modify the app. ## Part 6: Using Burp Extensions for Mobile App Testing Burp Suite has a marketplace called **BApp Store**, which contains various extensions to enhance your testing experience. Some useful extensions for mobile app testing include: #### 1. MobileAssistant This extension helps in testing mobile applications by providing shortcuts for common tasks such as inspecting **plist files**, checking **iOS keychain data**, and **parsing mobile API requests**.\ To install MobileAssistant:1. Go to the **Extensions** tab in Burp Suite.2. Click **BApp Store**.3. Search for **MobileAssistant** and install it. #### 2. Logger++ Logger++ is a powerful extension for logging and analyzing HTTP/S traffic. It can help you visualize how the mobile app interacts with the backend.\ To install Logger++:1. Go to the **Extensions** tab in Burp Suite.2. Click **BApp Store**.3. Search for **Logger++** and install it. #### 3. JSON Beautifier This extension automatically formats JSON requests and responses to make them more readable.\ To install JSON Beautifier:1. Go to the Extensions tab in Burp Suite.2. Click **BApp Store**.3. Search for **JSON Beautifier** and install it. ## Part 7: Automating Security Tests with Burp Suite Burp Suite offers features for automating certain security tests to help discover vulnerabilities faster. #### 1. Burp Scanner (Professional Edition) Burp Suite’s scanner automatically scans captured traffic for security vulnerabilities, such as SQL Injection, XSS, and insecure communications. To use it:\ 1\. Send the captured request to the **Scanner** by right-clicking and selecting **Send to Scanner**.\ 2\. Burp Suite will run an automated scan and report any vulnerabilities it discovers. #### 2. Intruder The **Intruder** tool allows you to automate attacks like fuzzing, brute force, or parameter tampering.\ \ To use the Intruder:1. Right-click on a request and select **Send to Intruder**.2. Configure the payloads (e.g., usernames or passwords) and run the attack.3. Burp will try all the payloads and report the results. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/mobile-hacking-lab/cipt-ios-penetration-tester/ios-penetration-tester/mobile-hacking-lab-device-setup/intercepting-ios-network-traffic-with-burp-suite.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.