# FIX: MITMPROXY TRAFFIC CAPTURE NOT WORKING

## The Problem
The Genymotion emulator doesn't automatically route app traffic through its proxy settings. The proxy settings showed up empty (`:0`), so mitmproxy never saw any traffic.

## The Solution
Use **Frida to force ALL traffic through mitmproxy** on `10.0.2.2:8080` (the host machine as seen from inside the emulator).

New script: `force_proxy_through_mitm.js`
- Hooks HttpURLConnection.openConnection()
- Hooks OkHttp3 client builder
- Forces all traffic to route through 10.0.2.2:8080 (mitmproxy)
- Disables SSL verification for mitmproxy certificate

## ✅ The Correct Workflow (NOW WORKING)

### Terminal 1 - Start mitmproxy
```bash
mitmproxy -p 8080 -w canadapost_traffic.mitm -v
```
Watch this window - you should see traffic appear!

### Terminal 2 - Launch app with Frida (after mitmproxy is running)
```bash
frida -U -f com.canadapost.android -l frida_simple_bypass.js -l force_proxy_through_mitm.js -l extract_live_credentials.js
```

### In the App
1. Wait for login screen (5 seconds)
2. Log in OR skip
3. Go to "Track a Package"
4. Enter any package number
5. **Watch the mitmproxy window** - you should now see:
   - GET requests to canadapost tracking API
   - POST requests to Firebase
   - Authorization headers with Bearer tokens!

## What You'll See in mitmproxy

**Good signs:**
```
21:52:24 HTTPS POST   oauth.canadapost-postescanada.ca /mga/sps/oauth/oauth20/token
21:52:27 HTTPS GET    www.canadapost-postescanada.ca /mgw/trackpackage/json/package?pins=...
21:52:30 HTTPS POST   mobileintegration.1eqh5zpddmks.us-east.codeengine.appdomain.cloud /api/v1/...
```

**Bad signs (traffic is not routing through the proxy):**
- Only seeing Adobe Analytics and Firebase calls
- No Authorization headers
- No POST to oauth or tracking endpoints

## If Still Empty

### Check 1: Is mitmproxy actually running?
On Windows:
```bash
netstat -ano | findstr ":8080"
```
Should show a line ending in `LISTENING` followed by the mitmproxy PID, e.g. `LISTENING 12345` (on Linux/macOS, `ss -ltnp | grep 8080` or `lsof -i :8080` gives the same information)

### Check 2: Is the app actually running?
```bash
adb shell pidof com.canadapost.android
```
Should return a number (PID)

### Check 3: Are the Frida scripts loaded?
Look for output like:
```
[✓] HttpURLConnection proxy forcing enabled
[✓] OkHttp3 proxy forcing enabled
[✓] SSL certificate verification disabled for mitmproxy
```

If you see errors instead, the app might be crashing.

## Next: Extract Credentials

Once you see traffic in mitmproxy with Authorization headers:

### Save and close mitmproxy
Press `Ctrl+C` in the mitmproxy terminal

### Extract all credentials from the captured traffic
```bash
python extract_creds.py canadapost_traffic.mitm
```

This will show:
- **Authorization Bearer tokens** (user session)
- **API endpoints** discovered
- **Firebase tokens**
- **All request/response pairs**

### Decode JWT tokens
```bash
python decode_jwt.py --file canadapost_traffic.mitm --list
```

Shows:
- User ID
- Email
- Token expiration
- All token claims
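The two extraction steps above pull Bearer tokens out of the capture and decode the JWT claims. As an added example (not the page's `extract_creds.py` or `decode_jwt.py`), this script does both on a constructed sample: it finds `Authorization: Bearer` headers in a text export of the capture and reports user id, email, expiry and the full claim set. The token, user and signature are all constructed placeholders; a real capture would be read with mitmproxy's flow reader instead of a string.

```python
import base64
import json
import re
import time

# Matches the Authorization header in exported request text.
BEARER_RE = re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9_.\-]+)", re.IGNORECASE)

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    # Decode header and payload only. The signature is NOT verified: this inspects
    # a token from your own capture; never act on unverified claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def summarize(token, now=None):
    # What the --list output reports: user id, email, expiry and the full claim set.
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    exp = claims.get("exp")
    return {"alg": header.get("alg"), "user_id": claims.get("sub"), "email": claims.get("email"),
            "expires_at": exp, "expired": exp is not None and exp <= now, "claims": claims}

def tokens_from_capture(text):
    # Pull every Bearer token out of raw request headers (a text export of the capture).
    return BEARER_RE.findall(text)

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: realistic structure, fake user, placeholder signature.
DEMO_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "user-0001", "email": "tester@example.com", "iat": 1699996400, "exp": 1700000000}),
    "placeholder-signature",
])
# Constructed sample of one captured request as it appears in a text export.
SAMPLE_CAPTURE = (
    "GET /mgw/trackpackage/json/package?pins=1234567890 HTTP/1.1\r\n"
    "Host: www.canadapost-postescanada.ca\r\n"
    f"Authorization: Bearer {DEMO_TOKEN}\r\n\r\n"
)

if __name__ == "__main__":
    for tok in tokens_from_capture(SAMPLE_CAPTURE):
        print(json.dumps(summarize(tok), indent=2))
```

Pass `now=` explicitly when you want a reproducible expiry check instead of the current clock.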

## The Juice 🍋

Once you capture a Bearer token like `eyJhbGc...`, you can:

1. **Test the tracking API directly**
   ```bash
   python test_apis.py --track 1234567890 --token "eyJhbGc..."
   ```

2. **Enumerate other users** (if user ID is sequential)

3. **Access user data** (shipments, account info, etc.)

4. **Find AWS credentials** (if returned in API responses)

5. **Test for IDOR vulnerabilities** (change user_id in token)

## Troubleshooting

| Issue | Fix |
|-------|-----|
| mitmproxy empty | Check Frida scripts loaded (see "Check 3") |
| App crashes on start | Upgrade frida-server or try older version |
| Only analytics traffic | App hasn't made any API calls yet - try logging in first |
| SSL certificate error | force_proxy_through_mitm.js should disable verification |
| No Authorization header | Need to actually perform login in the app |

## Quick Checklist

- [ ] mitmproxy running on port 8080
- [ ] Frida scripts loaded (see `[✓]` messages)
- [ ] App showing login screen
- [ ] Perform action (login/track) in app
- [ ] See traffic in mitmproxy window
- [ ] Save traffic with Ctrl+C
- [ ] Run extract_creds.py
- [ ] Get Bearer token
- [ ] Use token to test APIs

**You're about to get the bounty!** 🎯

