httpbin VS mitmproxy

policyDefinitions: cors: origin: "${CLIENT_URL}" endpoints: - path: "/example" target: url: "https://httpbin.org/bearer" request: headers: Authorization: "Bearer ${API_KEY}" policies: - cors

We proceed to define routes to https://httpbin.org/ to test our setup. Let's call the route to /get:

https://httpbin.org/ is an excellent tool for learning (and testing) the basics. Take a few minutes to explore the endpoints they provide. You can also use different response codes to test your apps error handling, etc

export FABI_PROD="http://httpbin.org/" export FABI_LOCAL="http://0.0.0.0:8000/"

use anyhow; use embedded_svc::http::client::Client; use embedded_svc::wifi::{AuthMethod, ClientConfiguration, Configuration}; use esp_idf_hal::peripherals::Peripherals; use esp_idf_svc::eventloop::EspSystemEventLoop; use esp_idf_svc::http::client::{Configuration as HttpConfig, EspHttpConnection}; use esp_idf_svc::nvs::EspDefaultNvsPartition; use esp_idf_svc::wifi::{BlockingWifi, EspWifi}; fn main() -> anyhow::Result<()> { esp_idf_sys::link_patches(); // Configure Wifi let peripherals = Peripherals::take().unwrap(); let sysloop = EspSystemEventLoop::take()?; let nvs = EspDefaultNvsPartition::take()?; let mut wifi = BlockingWifi::wrap( EspWifi::new(peripherals.modem, sysloop.clone(), Some(nvs))?, sysloop, )?; wifi.set_configuration(&Configuration::Client(ClientConfiguration { ssid: "SSID".into(), bssid: None, auth_method: AuthMethod::None, password: "PASSWORD".into(), channel: None, }))?; // Start Wifi wifi.start()?; // Connect Wifi wifi.connect()?; // Wait until the network interface is up wifi.wait_netif_up()?; // Print Out Wifi Connection Configuration while !wifi.is_connected().unwrap() { // Get and print connection configuration let config = wifi.get_configuration().unwrap(); println!("Waiting for station {:?}", config); } println!("Wifi Connected, Intiatlizing HTTP"); // HTTP Configuration // Create HTTPS Connection Handle let httpconnection = EspHttpConnection::new(&HttpConfig { use_global_ca_store: true, crt_bundle_attach: Some(esp_idf_sys::esp_crt_bundle_attach), ..Default::default() })?; // Create HTTPS Client let mut httpclient = Client::wrap(httpconnection); // HTTP Request Submission // Define URL let url = "https://httpbin.org/get"; // Prepare request let request = httpclient.get(url)?; // Log URL and type of request println!("-> GET {}", url); // Submit Request and Store Response let response = request.submit()?; // HTTP Response Processing let status = response.status(); println!("<- {}", status); match response.header("Content-Length") { Some(data) => { println!("Content-Length: {}", data); } None => { println!("No Content-Length Header"); } } match response.header("Date") { Some(data) => { println!("Date: {}", data); } None => { println!("No Date Header"); } } Ok(()) }

has_domain: whether the matched route references an upstream with a domain, e.g., http://httpbin.org, or not, e.g., 192.168.0.1

This statement gives a false sense of security. You can use a transparent proxy, like mitmproxy, to view HTTPS traffic - https://mitmproxy.org/. https://reedmideke.github.io/networking/2021/01/04/mitmproxy-openwrt.html

You'll need to install mitmproxy and set it up on your computer and iOS. I won't go into too much detail here on how to do this, but there are plenty of guides available. This is a pretty good one: https://nadav.ca/2021/02/26/inspecting-an-iphone-s-https-traffic/

TIL this goes back to 2006, how cool! We nowadays have a much simpler version as a mitmproxy example: https://github.com/mitmproxy/mitmproxy/blob/main/examples/ad.... Although it obviously does not work as well anymore with everything being HTTPS nowadays (unless you trust the cert of course). :)

Perhaps you could have your device use a proxy that can do the HTTPS unwrap for you? https://mitmproxy.org/ maybe?

A great way to test the effectiveness of a pinning implementation is by simulating an MITM attack. Tools like Mitmproxy or Wireshack allow us to create a test environment to monitor, intercept, and proxy network requests for a test host.