# Capture SOAP API Traffic from Purolator App

## Objective
Capture actual HTTP requests sent by app to understand:
1. What headers are really sent (Basic Auth + others?)
2. Are TLS client certificates used?
3. Why external POC fails with AWS error but app works

## Setup

### 1. Start mitmproxy with SOAP endpoint filtering
```powershell
# Terminal 1
mitmproxy -p 8080 --set flow_detail=3 --ssl-insecure
```

### 2. Configure Android to use proxy
```powershell
# Terminal 2
adb shell settings put global http_proxy 192.168.226.1:8080
```

### 3. Install mitmproxy CA certificate on device
```powershell
# Push certificate
adb push ~/.mitmproxy/mitmproxy-ca-cert.cer /sdcard/

# Install via Settings > Security > Install from storage
# OR install directly:
adb shell su -c "cp /sdcard/mitmproxy-ca-cert.cer /system/etc/security/cacerts/"
```

### 4. Start Purolator app with Frida (bypass SSL pinning)
```powershell
# Terminal 3
adb shell am force-stop com.purolator.mobileapp
frida -U -f com.purolator.mobileapp -l ssl_pinning_bypass.js --no-pause
```

### 5. Trigger SOAP API calls in app

**Guest Estimate (uses Account credential)**:
1. Open app (don't log in)
2. Go to "Get a Quote" or "Estimate"
3. Enter shipping details (postal codes, weight)
4. Submit estimate request

**First Tariff Estimate (uses Credit Card credential)**:
1. Create a shipment in app
2. Select payment method
3. Proceed to get tariff estimate

**Corporate Shipping (uses Account credential)**:
1. Log in with corporate account
2. Create shipment
3. Use "Account" payment type

## What to Capture

### HTTP Headers to Document
```
POST /EWS/v2/Estimating/EstimatingService.asmx HTTP/1.1
Host: webservices.purolator.com
Authorization: Basic [credential]
Content-Type: text/xml; charset=utf-8
SOAPAction: http://purolator.com/pws/service/v2/GetQuickEstimate
User-Agent: [mobile app user agent]
X-Amz-Date: [if present]
X-Amz-Security-Token: [if present]
[other headers...]
```

### TLS Details to Check
- Client certificate used? (mitmproxy will show)
- TLS version and cipher suite
- SNI (Server Name Indication)
- ALPN protocols

### Response Analysis
- Does server respond successfully?
- Any error codes?
- Response headers

## Expected Findings

**Hypothesis 1: Client Certificates**
- App uses TLS client certificate
- Server trusts certificate + Basic Auth
- External clients without certificate get AWS error

**Hypothesis 2: Device Fingerprinting**
- Server checks User-Agent, TLS fingerprint
- Known mobile clients → accept Basic Auth
- Unknown clients → require AWS Sig v4

**Hypothesis 3: IP Allow-listing**
- Mobile app IPs are whitelisted
- External IPs require AWS signing

## Alternative: Frida Interception

If mitmproxy fails due to certificate pinning bypass issues:

```javascript
// intercept_soap_requests.js
Java.perform(function() {
    var ServicesBasicAuthInterceptor = Java.use('com.purolator.mobileapp.PurolatorApplication$ServicesBasicAuthInterceptor');
    
    ServicesBasicAuthInterceptor.intercept.implementation = function(chain) {
        var request = chain.request();
        
        console.log("[+] SOAP Request Intercepted");
        console.log("    URL: " + request.url().toString());
        console.log("    Method: " + request.method());
        
        // Log all headers
        var headers = request.headers();
        console.log("    Headers:");
        for (var i = 0; i < headers.size(); i++) {
            console.log("      " + headers.name(i) + ": " + headers.value(i));
        }
        
        // Log body if present
        try {
            var body = request.body();
            if (body) {
                var buffer = Java.use('okio.Buffer').$new();
                body.writeTo(buffer);
                console.log("    Body: " + buffer.readUtf8());
            }
        } catch (e) {}
        
        // Call original
        var response = this.intercept(chain);
        
        console.log("[+] SOAP Response");
        console.log("    Status: " + response.code());
        console.log("    Headers:");
        var respHeaders = response.headers();
        for (var i = 0; i < respHeaders.size(); i++) {
            console.log("      " + respHeaders.name(i) + ": " + respHeaders.value(i));
        }
        
        return response;
    };
});
```

Run with:
```powershell
frida -U -f com.purolator.mobileapp -l intercept_soap_requests.js --no-pause
```

## Analysis

Once captured, document:

1. **Complete HTTP request** (headers + body)
2. **Server response** (success or error)
3. **TLS handshake details**
4. **Any differences** between app request and POC request

This will show:
- ✓ If app truly sends only Basic Auth (or adds AWS headers)
- ✓ If client certificates are used
- ✓ What makes server accept app requests but reject external POC

## Deliverable

Create report:
```
SOAP_TRAFFIC_ANALYSIS.md
├── Captured Request (app)
├── Captured Response (app)
├── POC Request (external)
├── POC Response (403 AWS error)
├── Differences Identified
└── Security Implications
```