Nigel
October 14, 2021, 2:30pm
1
I’m trying to make an identical request as the app is doing, but OB always adds extra stuff which makes the request invalid.
OB2:
URL: https://example.com/v3/mac/account
GET /v3/mac/account HTTP/1.1
Host: example.com
Connection: Close
: method: GET
accept: application/json
content-type: application/x-www-form-urlencoded
accept-language: en-US;q=1.0
user-agent: iOS/API/8c4dacmNmVNllG1E
authorization: Basic [BASE64 USER:PASS]
accept-encoding: gzip;q=1.0, compress;q=0.5
Real Working Request using Charles [HTTP Debugger Proxy]
URL: https://example.com/v3/mac/account
:method: GET
:scheme: https
:path: /v3/mac/account
:authority: connect.example.com
accept: application/json
content-type: application/x-www-form-urlencoded
accept-language: en-US;q=1.0
user-agent: iOS/API/8c4dacmNmVNllG1E
authorization: Basic [BASE64 USER:PASS]
accept-encoding: gzip;q=1.0, compress;q=0.5
I know for a fact that OB2 makes the request invalid because when I repeat the exact same request using Charles, it gives me a correct response.
Ruri
October 14, 2021, 2:42pm
2
Use the TCP block and write the request manually using \r\n as linebreaks, so it will send exactly what you type. It’s the best way to send raw HTTP requests.
Nigel
October 14, 2021, 2:45pm
3
How do I include the URL it’s sending to using TCP while keeping the exact same RAW Headers as seen above?
Or is that the data in Authority and path?
Ruri
October 14, 2021, 2:50pm
4
Here’s an example
BLOCK:TcpConnect
host = "example.com"
port = 80
ENDBLOCK
BLOCK:TcpSendRead
message = "GET / HTTP/1.1\\r\\nHost: example.com\\r\\n\\r\\n"
=> VAR @response
ENDBLOCK
The thing you posted as a screenshot is not the raw request, it’s parsed. You need to find the raw request and send it like I’m doing in the example.
To be precise, the ones like :path: are not proper headers, they are generated by Charles. Please look into how the HTTP protocol works!
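How a strict HTTP/1.1 parser on the receiving side would treat the header lines discussed above, as an added example that is not part of the original thread. The function name `check_http1_head` and both sample requests are constructed for illustration (the samples are based on the dump in the first post), and it assumes the server enforces the RFC 7230 field-name grammar.

```python
import re

# RFC 7230 "token": the only characters allowed in an HTTP/1.1 field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_http1_head(raw: bytes):
    """Return [(line_number, problem)] for the head of a raw HTTP/1.1 request."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        problems.append((1, "malformed request line"))
    seen_host = False
    for number, line in enumerate(lines[1:], start=2):
        name, sep, _value = line.partition(":")
        if not sep:
            problems.append((number, "no colon in header line"))
        elif name == "":
            # e.g. ":path: /x" or ": method: GET": HTTP/2 pseudo-header
            # notation, which has no place in an HTTP/1.1 message.
            problems.append((number, "empty field name (pseudo-header style)"))
        elif not TOKEN.match(name):
            problems.append((number, "invalid character in field name"))
        elif name.lower() == "host":
            seen_host = True
    if not seen_host:
        problems.append((0, "missing Host header"))  # 0 = whole message
    return problems

# Constructed samples based on the request dump in the first post.
SAMPLE_WITH_PSEUDO = (
    b"GET /v3/mac/account HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Connection: Close\r\n"
    b": method: GET\r\n"
    b"accept: application/json\r\n\r\n"
)
SAMPLE_CLEAN = SAMPLE_WITH_PSEUDO.replace(b": method: GET\r\n", b"")

if __name__ == "__main__":
    for label, sample in (("with pseudo-header line", SAMPLE_WITH_PSEUDO),
                          ("clean", SAMPLE_CLEAN)):
        print(label, check_http1_head(sample))
```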
Nigel
October 14, 2021, 3:00pm
5
Thanks for your help Ruri.
It seems like the GET request using HTTP Request works sometimes, so I’ll just make it a ban key.
1 Like
Nigel
October 14, 2021, 7:04pm
6
Is there an HTTP Debugger that shows the real raw request?
1 Like
Burp Suite Community Edition will do it.
3 Likes
Nigel
October 14, 2021, 7:06pm
8
Thanks, I’ll give that one a shot!
EDIT: Yup, fixed my issue.
Thanks a lot @allw0rld67
1 Like