Taking the S out of HTTPS for Reverse Engineering

Posted by

1

I’d like to be able to automatically query my checking account balance (and all my other accounts to, but checking is a good place to start). To my knowledge, my credit union does not provide an API like The Open Bank Project. So I must resort to screen scraping. To start, I’d like to observe my browser logging in. To do so, I’ll use socat.

socat \
  tcp4-listen:1337,fork \
  openssl:subdomain.domain.tld:443,cafile=/etc/ssl/certs/Appropriate_CA.pem

You may need to look closely at the URLs you’re dealing with. I found that my credit union used a different certificate for the account login subdomain than for the home page at the regular domain. With that in place I can navigate to http://127.0.0.1:1337/path/to/login in Firefox and observe the traffic unencrypted in Wireshark. (Apparently I could give Wireshark my private key as well, if it was built against GNU TLS, but I’ve yet to try that approach.)

One thought on “Taking the S out of HTTPS for Reverse Engineering

  1. Pingback: Watching the GETs, PUTs, and OKs | Cov's Libre Life

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s