# TRAFFIC ANALYSIS & CREDENTIAL EXTRACTION GUIDE ## Current Status ✅ App fully functional (license check bypassed) ✅ Frida security bypasses all active ✅ mitmproxy capturing HTTPS traffic ✅ Firefox certificate installed for decryption ## Visible API Endpoints (from mitmproxy) 1. **Firebase Remote Config**: firebaseremoteconfigrealtime.googleapis.com/v1/projects/741680414261 2. **Firebase App Check**: firebaseappcheck.googleapis.com/v1/projects/canada-post-2dce9/apps/... 3. **AWS API Gateway**: q26ff9ws86.execute-api.ca-central-1.amazonaws.com/prod/v1/subscriptions (400 error) 4. **Mobile Integration**: mobileintegration.1eqh5zpddmks.us-east.codeengine.appdomain.cloud/api/v1/... 5. **Adobe Analytics**: sslstats.canadapost.ca/b/ss/canadapostca-android/... 6. **Firebase Logging**: firebaselogging-pa.googleapis.com/v1/firelog/legacy/batchlog 7. **Qualtrics Survey**: zn0xleir6swszany9-canadapostdigital.siteintercept.qualtrics.com ## STEP 1: Enable mitmproxy Traffic Dumping ```bash # Terminal 1 - Start mitmproxy with dumping mitmproxy --mode transparent -w canadapost_traffic.mitm # Or if already running, use this to save the current session # In mitmproxy console, press 'e' then 'e' on a flow, then 'w' to write to file ``` ## STEP 2: Generate User Traffic 1. Keep the app running with Frida bypass 2. **Login with test account** (if you have credentials) 3. **Try tracking a package** (use a valid Canada Post tracking number) - Valid format examples: - Numeric: 1234567890 - With letters: CA123456789 - CP prefix: CP1234567890 4. Navigate through different app features 5. This will generate HTTP/HTTPS requests that mitmproxy will intercept ## STEP 3: Extract Credentials from Traffic ```bash python extract_creds.py canadapost_traffic.mitm ``` This will show you: - **Authorization headers** (Bearer tokens for logged-in user) - **API keys** in headers - **Cookies** with session data - **API endpoints** called by the app - **Firebase tokens** and responses ## STEP 4: Analyze Captured Tokens Look for these in the output: ### Authorization Header Pattern ``` Authorization: Bearer ``` This is the **USER SESSION TOKEN** - save this! ### Firebase App Check Token From response body of firebaseappcheck endpoint: ```json { "token": "", "ttlMillis": "3600000" } ``` This token can be used for Firebase API calls. ### AWS Signature Headers Look for: ``` Authorization: AWS4-HMAC-SHA256 Credential=... X-Amz-Date: ... X-Amz-Signature: ... ``` These indicate AWS API calls that might contain temporary credentials. ## STEP 5: Test APIs with Extracted Credentials ```bash # Test tracking with extracted token python test_apis.py --track 1234567890 --token "" # Test auth endpoints python test_apis.py --auth --token "" # Test mobile integration API python test_apis.py --integration --token "" ``` ## STEP 6: Manual Traffic Inspection If you need to see the full request/response bodies: ```bash # View mitmproxy console with all captured flows mitmproxy -r canadapost_traffic.mitm # Key commands in mitmproxy: # 'q' - view flows list # ENTER - view flow details # 'e' - view request/response tabs # 'r' - replay request # 'w' - write selected flow to file ``` ## What to Look For in the Traffic ### High Priority 1. **User Session Token** (Bearer token after login) - Usually in response from /auth or /login endpoint - Format: `Authorization: Bearer eyJ...` - **THIS IS VALUABLE** - can be used to access user data 2. **Tracking API Endpoint** - Should appear when you track a package - Shows the URL pattern: `/track/{package_id}` - May reveal user ID in URL or request body 3. **AWS Credentials** (if present in responses) - Temporary AWS credentials would be in: - Mobile Integration API responses - AWS API Gateway responses - Format includes `AccessKeyId`, `SecretAccessKey`, `SessionToken` ### Medium Priority 4. **Firebase Project Details** - Already have: `canada-post-2dce9` (project ID) - Already have: `1:741680414261:android:01b8071927083c4626bb7c` (app ID) - API Key: `AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q` 5. **API Rate Limiting** - Look for `X-RateLimit-*` headers - Shows if there are API quotas to work around ### Lower Priority 6. **Analytics/Tracking Data** - Device ID, user analytics - Usually not useful for API access but good for fingerprinting ## Common Response Patterns ### Success Response (200-201) ```json { "data": {...}, "status": "success", "timestamp": "2024-..." } ``` ### Tracking Data Response ```json { "tracking_number": "1234567890", "status": "In Transit", "events": [ { "timestamp": "...", "location": "...", "description": "..." } ] } ``` ### Authentication Response ```json { "token": "eyJ...", "user_id": "...", "expires_in": 3600, "token_type": "Bearer" } ``` ## Next Actions 1. **Run the app** with Frida bypass 2. **Perform user actions** (login, track package, view history) 3. **Wait for mitmproxy** to capture traffic (~30 seconds for app to stabilize) 4. **Save the traffic**: Use mitmproxy console to write to file 5. **Run analysis script**: `python extract_creds.py canadapost_traffic.mitm` 6. **Extract valuable tokens** and save them 7. **Test APIs** with the tokens using `test_apis.py` ## Important Notes - **Do NOT share extracted tokens publicly** - they may contain real user data - **Token expiration** - session tokens typically expire after 1 hour - **Rate limiting** - test APIs responsibly, not thousands of requests - **AWS credentials** are temporary (15-60 minutes) and tied to the session - **Firebase tokens** can be reused until they expire (~1 hour) ## Quick Command Reference ```bash # Start mitmproxy with traffic saving mitmproxy -w canadapost_traffic.mitm # Extract all credentials from captured traffic python extract_creds.py canadapost_traffic.mitm # Test tracking API with extracted token python test_apis.py --track 1234567890 --token "your_token_here" # View traffic in mitmproxy console mitmproxy -r canadapost_traffic.mitm # Get just the API endpoints from traffic grep -o "https://[^\"' ]*" canadapost_traffic.mitm | sort -u ``` ## Expected Findings Based on the code analysis and traffic captured so far, you should find: 1. ✅ **Authorization header** with Bearer token (once user logs in) 2. ✅ **Tracking API endpoint** (GET /track/{number} or similar) 3. ✅ **Mobile Integration API base URL** (already visible: mobileintegration.1eqh5zpddmks.us-east.codeengine.appdomain.cloud) 4. ✅ **AWS API Gateway credentials** or temporary tokens 5. ✅ **Firebase App Check tokens** for Firebase API access 6. ⏳ **User ID / Account ID** (useful for accessing other user's data - if vulnerable) Ready to proceed? Run the app with Frida bypass and start generating traffic!