## How to Trigger SOAP API Calls in Purolator App

The app crashed while fetching an estimate because location services aren't configured. Here are alternative ways to trigger the SOAP calls:

### Option 1: Use Logged-In Account (Best for SOAP)
If you have a Purolator account:

1. **Login to the app** with valid credentials
2. Go to **"Create Shipment"** or **"My Shipments"**
3. Try to **void a shipment** - This triggers:
   - `voidShipment` SOAP call
   - Uses Account credential
4. Or **create a new shipment** - This triggers:
   - `paymentCreateShipment` SOAP call
   - Uses Account or Credit Card credential based on payment type

### Option 2: Fix Location Services (For Guest Estimate)
To make the estimate feature work:

```powershell
# Set location on emulator
adb shell settings put secure location_providers_allowed gps,network
adb emu geo fix -79.3832 43.6532  # Toronto coordinates

# Or use Genymotion's GPS widget in the toolbar
```

Then try:
1. Open app (no login needed)
2. Go to **"Get a Quote"** or **"Quick Estimate"**
3. Enter postal codes manually (don't use location)
4. This should trigger the SOAP estimate call with Account credential

### Option 3: Skip to Tracking API (Already Working)
If SOAP is proving difficult, you already have the **tracking API working** which is the main vulnerability:

- Hardcoded token: `EJdhN2UPqA2ZC0otPdTee5JtzN1yeKHr5S0HpTxJ`
- Already demonstrated information disclosure
- No AWS signing required

### Option 4: Manual SOAP Test with Captured Credentials
Since we know the credentials and usage, you can document:

**What We Know:**
- ✅ Credentials are hardcoded: `ef7475ef70b44f4687158fbbb9ff3f47:|HXY2).6` (Account)
- ✅ Credentials are hardcoded: `000b94d6601f4c96ba75d84433 17a2a9:xyA}FWoD` (Credit Card)
- ✅ Used for: paymentCreateShipment, voidShipment
- ✅ Endpoint: `https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx`
- ✅ Format: Basic Auth header

**Security Impact:**
Even without live traffic capture, the vulnerability is clear:
1. Any attacker can extract these credentials from the APK
2. Credentials are platform-wide (not per-user or per-device)
3. Used for financial operations (create/void shipments)
4. Basic Auth provides no session security

**Recommendation for Report:**
Focus on the **extractability** rather than direct exploitation:
- Credentials ARE in the APK (proven)
- Credentials ARE used for billing operations (code traced)
- External exploitation may be blocked by additional layers (client certs, account validation)
- But credentials are still compromised and should be rotated
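
A pre-release check for this class of finding, as an added example (not code from the app or from these notes): it scans source or decompiled text for the credential shape described above, 32 hex characters, a colon and a short password, both in plaintext and inside base64 string literals. The function name, the 6-16 character password length and every sample value are constructed assumptions.

```python
import base64
import re

# Key-id:password pair in the shape described above: 32 hex chars, a colon,
# then a short printable password (the 6-16 length range is an assumption).
PAIR_RE = re.compile(r'(?<![0-9a-fA-F])([0-9a-fA-F]{32}):([\x21-\x7e]{6,16})')
# Quoted base64 literal long enough to hold such a pair once decoded.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def find_embedded_basic_auth(source: str):
    """Return (line_no, kind, key_id) for each suspected hardcoded credential."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in PAIR_RE.finditer(line):
            findings.append((line_no, "plaintext-pair", m.group(1)))
        for m in B64_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
            except ValueError:  # covers invalid base64 and non-ASCII payloads
                continue
            inner = PAIR_RE.fullmatch(decoded)
            if inner:
                findings.append((line_no, "base64-basic-auth", inner.group(1)))
    return findings


# Constructed sample input: placeholder values, not taken from any real app.
_ENCODED = base64.b64encode(b"fedcba9876543210fedcba9876543210:Ex@mple2").decode()
SAMPLE = "\n".join([
    'public final class ShippingConfig {',
    '    static final String ACCOUNT = "0123456789abcdef0123456789abcdef:Ex@mple1";',
    '    static final String AUTH = "Basic " + "' + _ENCODED + '";',
    '    static final String URL = "https://example.invalid/Shipping.asmx";',
    '}',
])

if __name__ == "__main__":
    for line_no, kind, key_id in find_embedded_basic_auth(SAMPLE):
        print(f"line {line_no}: {kind} (key id {key_id[:6]}...)")
```

Only the key id is reported, so the scan output itself does not reproduce the password in build logs.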

### What to Try Next?

- **A) Try logging in** (if you have credentials) to trigger void/create shipment
- **B) Fix location services** and retry estimate
- **C) Focus on tracking API** which is already proven exploitable
- **D) Document SOAP findings** based on code analysis (already comprehensive)

The bypass is working perfectly - the crash is just a location issue in the estimate feature!
