Sniffing HTTPS during development

Fri, 28 January 2022 :: #linux

  1. When programming, a developer sometimes needs to contact a server, use an API, etc.

  2. HTTPS is now a must. Let's Encrypt makes it easy. There are several frameworks for easy HTTPS communication.

  3. Libraries are high-level. They are easy to use, but they do some of the work behind the scenes, which sometimes makes it hard to know what exactly is being sent and how. Sometimes we need to check whether a header is being sent. Sometimes there are bugs in libraries, or non-intuitive uses (e.g. httpclient in esetctl).

  4. Plain HTTP would make this easy: run Wireshark and that's it, the full communication is recorded.

  5. But we're using HTTPS, so we can't simply sniff the TLS traffic.

First option: SSLKEYLOGFILE -- supported per library. curl/libcurl supports it, Java doesn't. In other words it's only a de-facto standard, and support is pretty spotty.
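A shell version of the first option, added here and not part of the original note: record one curl request with tcpdump while libcurl writes its TLS secrets to SSLKEYLOGFILE, then check that the log actually contains secrets (the quickest way to tell whether a client honours the variable) before pointing tshark at the capture. The URL, file names and the tcpdump/tshark invocations are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note. Assumes a curl built against a TLS
# backend that honours SSLKEYLOGFILE (OpenSSL, GnuTLS, NSS), plus tcpdump and
# tshark on the PATH.

# Return 0 if the key log holds at least one usable secret line.
# NSS key-log format: "<LABEL> <client_random, 64 hex> <secret hex>";
# lines starting with '#' are comments.
keylog_has_secrets() {
  grep -Eq '^[A-Z0-9_]+ [0-9a-f]{64} [0-9a-f]+$' "$1"
}

# Count distinct TLS sessions in the log: one client_random per handshake
# (TLS 1.3 writes several lines per session, so deduplicate on column 2).
keylog_sessions() {
  grep -E '^[A-Z0-9_]+ [0-9a-f]{64} ' "$1" | awk '{print $2}' | sort -u | wc -l | tr -d ' '
}

# Capture one HTTPS request and leave a decryptable pcap behind.
# Usage: sniff_https https://api.example.test/v1/ping   (placeholder URL)
sniff_https() {
  url=$1
  export SSLKEYLOGFILE="$PWD/tls-keys.log"
  : > "$SSLKEYLOGFILE"                      # start from an empty log
  host=$(printf '%s' "$url" | sed -E 's#^https://([^/:]+).*#\1#')
  sudo tcpdump -i any -w "$PWD/https.pcap" "host $host and port 443" &
  tcpdump_pid=$!
  sleep 1                                   # let tcpdump attach first
  curl -sS -o /dev/null "$url"
  sudo kill "$tcpdump_pid"; wait "$tcpdump_pid" 2>/dev/null
  if ! keylog_has_secrets "$SSLKEYLOGFILE"; then
    echo "no secrets logged: this client does not honour SSLKEYLOGFILE" >&2
    return 1
  fi
  echo "$(keylog_sessions "$SSLKEYLOGFILE") TLS session(s) logged; decrypt with:"
  echo "tshark -r $PWD/https.pcap -o tls.keylog_file:$SSLKEYLOGFILE -Y http"
}
```

If the log stays empty after the request, the library in use is the problem, not Wireshark; that is the point at which the mitmproxy route becomes the alternative.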

Can BURP sniff SSL?

Second option: mitmproxy