Burp Suite User Forum

Login to post

Can not intercept Plato app requests

king | Last updated: Oct 21, 2020 06:55PM UTC

Hi, I tried to test plato app many days, without any result. I tried also frida and brida, but still it didn't show any thing. just show a few requests in burp like(restserver...) Please help me why I can not intercept and modify any thing about this app? And how to do that? Regards

Ben, PortSwigger Agent | Last updated: Oct 22, 2020 02:04PM UTC

Hi, Does this app still function when you are attempting to proxy its traffic through Burp or does it (or some elements of it) behave differently or not work at all? Generally speaking (assuming you have configured the connection between your mobile device and Burp), if the app is still functioning but you are not seeing any traffic in Burp then that might suggest one of the following: 1. The app is not communicating via the HTTP/S protocol so Burp is not intercepting any of the traffic. As an example, WhatsApp uses the XMPP protocol for its chat communication, which Burp will not handle. 2. The app (or the internal code/libraries used in the app) has hardcoded endpoints and is not adhering to the proxy settings that you have set for your device. The traffic is not being sent via your configured proxy so you are not seeing it in Burp. In Android you can use something like ProxyDroid to force all traffic to use your proxy settings (through the use of IPtables). If the app (or parts of the app) does not appear to function correctly then that generally suggests that something like Certificate Pinning is being used in order to prevent the type of Man in the Middle attack that Burp is essentially performing. If this is in place then you would be looking at trying to circumvent this using various advanced techniques, the following blog contains some approaches for this: https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/ I am not familiar with this particular app - what does it do?

king | Last updated: Oct 24, 2020 11:50AM UTC

Hi, Yes app completely functoin even intercepting. my settings are ok, I can intercept other apps easily, but can not this. It just shows some other requests like ads, but don't show any request of app. I just saw some things like RestServer and reports that sent to it, but don't know what is it. and also about profile picture, it show a request to (profile2.platocdn.com) without any answer. I tested ssl unpinning with frida, but it doesn't work. It's an app about gaming and chat with frinds. So it means burp can not handle it ?

Ben, PortSwigger Agent | Last updated: Oct 27, 2020 08:42AM UTC

Hi, What requests/responses are you expecting to see? I just ran a quick test via an iOS device and most of the requests i saw were being sent to blob-prod.plato.app. Are you using an Android or iOS device?

king | Last updated: Oct 30, 2020 10:30PM UTC

Hi, 99% requests didn't show ! for example when click on my profile, click on a game, click on settings etc , it doesnt show anything. Yes there is just a few requests to "blob-prod.plato.app" that don't give anything to us. I use android .

Uthman, PortSwigger Agent | Last updated: Nov 02, 2020 02:21PM UTC

Are you using a rooted Android device? Have you followed the instructions to set this up properly? - https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device - https://portswigger.net/support/configuring-an-android-device-to-work-with-burp If you have access to the developers of the application, have you tried asking them to disable certificate pinning for the purpose of your testing?

king | Last updated: Dec 06, 2020 06:30AM UTC

Yes, rooted! Yes, certificate is ok. your answer disapointed me !! It's clear that the developers don't change their app for intercept by me !!

Uthman, PortSwigger Agent | Last updated: Dec 07, 2020 10:34AM UTC

Hi, The endpoints may be hardcoded or there could be some restrictions to prevent SSL unpinning or the use of a proxy. This seems relevant in your case since other apps are proxying fine. Have you checked with the developers of the application?

Chris | Last updated: Sep 15, 2021 11:10AM UTC

Hey, I had the same problem and for me it could be fixed by making the Burp certificate a system certificate. Details (Question with error messages and solution) can be found here: https://security.stackexchange.com/questions/255170/intercepting-app-with-burp-shows-no-requests

Uthman, PortSwigger Agent | Last updated: Sep 15, 2021 11:17AM UTC

Thanks for sharing your findings, Chris! :)

You need to Log in to post a reply. Or register here, for free.