10Oca
Intercepting Android App: Google detects burp proxy and block the request to app
I was recently doing bug bounty on a website and found it also has an app so i tried to pentest on it using burpsuite via MITM and intercepting it through burp proxy
Though my request got blocked by the app and it showed me error even after i configured everything properly via installing the burp ca certificates on system credentials and listening on my wlan0 ip
Request:
POST /m/voice-search/down?pair=600dc045-23f4-41be-b76f-1405fd466c4f HTTP/1.1
Host: www.google.com
Content-Length: 0
Cache-Control: no-cache, no-store
User-Agent: Mozilla/5.0 (Linux; U; Android 10; en-us; Android SDK built for x86 Build/QSR1.190920.001) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 GSA/15.0.14.28.x86
X-Device-Elapsed-Time: 300260168400
Accept-Encoding: gzip, deflate
Connection: close
Response:
HTTP/2 400 Bad Request
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-v9qXhTnWV26mzfmqv0r_eg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/speechs3
Date: Wed, 10 Jan 2024 10:10:32 GMT
Content-Type: text/html; charset=UTF-8
Server: S3 v1.0
Content-Length: 1660
X-Xss-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 400 (Bad Request)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>400.</b> <ins>That’s an error.</ins>
<p>Your client has issued a malformed or illegal request. Did not receive an upstream request with matching pair ID. (Does upstream use chunked Transfer-Encoding?) <ins>That’s all we know.</ins>
Note - The app works fine after i disable burp-proxy also am able to intercept all other apps except for this one.
Can anyone please guide me what might be causing it and what could possible bypass for it be?
attachments:
