Proof-Reading: HTTP Tookit (by @appknox) #2914
Conversation
sk3l10x1ng
changed the title
There was a problem hiding this comment.
@sk3l10x1ng have you tested a Flutter app with HTTPToolkit and can confirm that it works? In the Github repo of HTTPToolkit there are no Frida scripts for android Flutter Apps, but only generic scripts: https://github.com/httptoolkit/frida-interception-and-unpinning/tree/main/android
@sushi2k I've tested Flutter apps with the HTTP toolkit, it's working. |
|
But how does it work? I couldn't find any Frida script to intercept http requests from flutter apps in HTTP toolkit. Just generic Frida scripts, that will not work in the context of Flutter |
HTTP Toolkit offers a functionality known as |
|
@sk3l10x1ng Noted. HTTPToolkit is open-source and there is the free and Pro Version, but in order to redirect the traffic to Burp you cannot use the free version. I installed HTTPToolkit and this option is not available that is described here: https://github.com/OWASP/owasp-mastg/pull/2914/files#diff-8a6213bf4f337a698402ae5a7dd21c272004b8d4c289794dfb52294904c61c2fR98 Can also be seen here in the feature overview of HTTP Toolkit: 
We don't describe functionality in products that you need to pay for. If that's the case for HTTP Toollkit, we need to remove it. Please let me know if I am missing something. |
|
@sushi2k noted. I will make the changes accordingly. |
|
@sushi2k made the requested change. Please review it. Thank you |
|
@sk3l10x1ng I made a few changes to the content. I think we should remove HTTP Toolkit from the technique as the features that we need are paid and we cannot endorse a paid tool in the MASTG. Having said we should add the tool and it's limitations and what a tester can do with open source tools instead. Let me know what you think or any other feedback. Then we can merge |
@sushi2k Noted, this sounds good to me. |
|
The extra space has been removed |
The content has been revised and restructured for #2897