I have been pen testing a random android app that uses POST method to send data to a remote server using HTTPS.
I have set up a proxy and am able to intercept the traffic, however the POST method appears to be encrypted and "url-encoded" .
What i want to know is .. is there a common encryption standard followed in such a scenario something like the Base64 or would it be so that the application uses a signature encryption mechanism internally which encrypts the data before it is sent through the POST method.
Any guidance would be really appreciated. Thanks in advance !
You can set encoding to whatever you like
UrlEncodedFormEntity(nameAndValuePairsGoHere,"encoding goes here");
Full example, credit: Source
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("id", "12345"));
nameValuePairs.add(new BasicNameValuePair("stringdata", "AndDev is Cool!"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs, "UTF-8"));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
Related
The website has a counter reputation.Im have two links. First link increment reputation counter, second decrement reputation counter. How im can go to the link without opening a browser to increase or decrease the reputation counter.
You will need to post to the link.
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("id", "12345"));
nameValuePairs.add(new BasicNameValuePair("stringdata", "AndDev is Cool!"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
You probably wont need the name value pairs to have anything so you can probably delete everything in between the Add your data and Execute HTTP Post Request comments but you will need to change the path when creating the HttpPost.
Code taken from here
I am working on a HttpClient that posts something to a website. The client looks something like this (based on this link):
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("id", "12345"));
nameValuePairs.add(new BasicNameValuePair("stringdata", "AndDev is Cool!"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
What I want to do now is to create a small proxy service (a VERY simple one) that runs on the same android device and listens for the outgoing HTTP connexions and modifies the POST ( for example change the "id": "12345" into "54321", just for testing purposes), and then pass the HttpRequest to the actual website. How cand I do something like that? I've been googling around but found nothing that could give me an idea how to do it(like a tutorial or something). Can anybody give me an idea of how to do that?
You do not need to write code to achieve this. Instead of writing your own proxy and since you only need it to test you application, you can use the mitmproxy which is a man-in-the-middle proxy (based on your description that is what you want to achieve). Follow this tutorial to set up your PC as the proxy and the device as your client.
http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
I have a backend for my android app, which returns 404 on GET and json on POST. Now, I'm trying to do POST request using this snippet:
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/api/login");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("email", "email#email.com"));
nameValuePairs.add(new BasicNameValuePair("password", "qwerty"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
Server however receives GET request. With curl POST backend returns json as expected. But somehow httpPost sends GET(!) request. What could be the problem? What am I doing wrong?
Ok guys, answered my own question pretty quickly, may be helpful for others.
I replaced hostname with ip address, and it worked!
I have an application which converts a website to mobile format. There is a spinner in the app. So my doubt is, how do i pass these selected values from my spinner to the website to get results?
You need to make a http post request.
http://developer.android.com/reference/org/apache/http/client/HttpClient.html.
NOTE : If you are making network related operation you should use a AsyncTask other wise you will get a NetworkOnMainThreadException (Honeycomb and later).
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("id", "12345"));
nameValuePairs.add(new BasicNameValuePair("stringdata", "AndDev is Cool!"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
Some links with source code available in the links below
http://www.androidhive.info/2011/10/android-making-http-requests/
http://android-er.blogspot.in/2011/09/example-of-httppost-on-android.html
Since you are running the a mobile web application inside a WebView container you can use a well known library like jQuery an its ajax stuff.
I have android app . i should pass the data from android to web server with data security.Can any one suggest me to What are all the data security's can Provide.
You can send the data using HttpPost methos .
This is a simple example for it .
public void postData() {
// Create a new HttpClient and Post Header
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("http://www.yoursite.com/script.php");
try {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("id", "12345"));
nameValuePairs.add(new BasicNameValuePair("stringdata", "AndDev is Cool!"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
// Execute HTTP Post Request
HttpResponse response = httpclient.execute(httppost);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
Use Https , you should buy a SSL for your server first , and then Use https to send data.