Try   HackMD

用 Postman Proxy 來逆向 HTTPS API

記錄如何透過 Postman 的 HTTP Proxy 設定,來逆向各種 app 的 HTTP API。步驟大致上為:

  1. 導入 Postman 的根憑證到裝置
  2. 打開 Postman 的 HTTP Proxy
  3. 設定裝置的 Proxy 連線
  4. Start Hacking!

附圖說明以 iOS 為例,各裝置應該都差不多。

1. 導入 Postman 的根憑證到裝置

詳見 Postman 的文件,macOS 和 Windows 路徑不一樣,這裡提供 macOS 的:

open ~/Library/Application\ Support/Postman/proxy/

如果是要逆向 iOS 的,要把憑證檔 postman-proxy-ca.crt 丟到裝置上安裝,我是用 Airdrop 直接做,大家可以透過其他的方式,比如 iCloud/Dropbox 等。

安裝後,要在 iOS 上設定一律信任,這邊放圖。

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

2. 打開 Postman 的 HTTP Proxy

把右上角那個很像雷達的按鈕按開,Capture Reqeusts 打開。這裡要記下你電腦的 IP。

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

3. 設定裝置的 Proxy 連線

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Start Hacking!

在 Postman 的 History 就可以看到各種 Request 源源不絕抓進來啦,舒服。

Appendix SSL Pinning

iOS 的話一定要 jailbreak device,所以暫且就先這樣吧

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Last changed by 
Daily Oops!
The team is the content source of my blog. See it live at the link in the profile page.
0
1793

Read more

Safari 其實還不錯用

[!TLDR]我把我的主要瀏覽器換成 Safari 了,想當然一堆魔改

May 3, 2025
2024 好用小物推薦

去年年中,睽違已久的出國玩,結果就被同行友人們傳教了輕量化(他們是輕量化登山露營愛好者 XD)。回來後我也就順勢入坑 onebag,中文或許可以譯做「一包行天下」,這個跟輕量化有點關係的主題。

May 1, 2025
HackMD 相容 Markdown 測試

註:以下的內容取自 HackMD Features 頁,用以比較 markdown-it 渲染成果

Feb 23, 2025
不會關掉的 tmux popup

在長期使用 neovim 之後,我發現 ToggleTerm 對我來說是最泛用靈活的工具。你可以:

Feb 11, 2025
Read more from Daily Oops!
Published on HackMD