First of all, non-malicious fetching. Some requirements in the work involve grasping tripartite data, for students who have not done grasping, it is impossible to start. Therefore, I summarized the grasping situation encountered in the work and sorted out the grasping ideas.

Train of thought

  1. Find the key data interface
  2. Find key interface parameters, input parameters, cookies, etc
  3. Find the source of key interface parameters. Most of them come from the interface response
  4. Repeat 2 and 3 until the interface input data is transparent

tool

Charles

Download the necessary tools from Charles official website, 30 days trial period.

A Chrome or Android phone

It depends on whether the data is captured on the APP side or the Web side.

use

Take an Android phone as an example to demonstrate how to configure Charles.

  1. Deselect to not request on behalf of the computer

  1. Configure the HTTPS certificate. 1 indicates the PC certificate, and 2 indicates the mobile phone certificate. If the interface is not HTTPS, do not configure this parameter. Otherwise, the request response content will be garbled.

Click Install Charles Root Certificate and then next

Then click Install Charles Root Certificate on a Mobile…. There will be a

192.168.31.86:8888:192.168.31.86:8888 Access chls.pro/ SSL again. Connect your phone and computer to the same WiFi and set it up in the WiFi agent. Take Huawei phones for example.

Visit CHLS. Pro/SSL to download the certificate and install it.

All right, the computer will show up. Charles can now grab the phone request.

Attention!! Garbled characters are still displayed after the HTTPS certificate of an earlier version of Android is configured. Use a mobile phone of an earlier version to capture garbled characters.

The sample

Dare not write, have a question private letter. 😂 😂

experience

  1. Not all data of the interface is necessary. Postman or Charles can be used to delete parameters one by one to find required parameters.
  2. Login verification is usually performed in session or cookie and is generally called session-id or XXxID.