Intercepting HTTP requests from Electron apps with Postman

Written by _jschr | Published 2018/03/10
Tech Story Tags: reverse-engineering | proxy | postman | electron | vscode

TLDRvia the TL;DR App

Not all APIs are documented. In a recent project — VSCodeThemes, I set out to scrape the Visual Studio Marketplace without an official API.

Using Chrome’s network inspector and capturing requests made from the VSCode desktop app, I was able reverse engineer the marketplace API.

This post will cover how you can use Postman to intercept HTTP requests from Electron applications with only a few clicks.

Start Postman’s proxy

This first thing you’re going to do is open Postman. If you don’t have it you can download it from here.

Once it’s opened, configuring Postman’s proxy server is as simple as clicking on the Satellite icon.

Click the Satellite icon to configure the proxy server.

Using the defaults will start the proxy server on port 5555 and log all output to history. Click the Connect button to start the proxy server.

Open the Electron app

With the proxy server started, any requests made to it will be logged and allow you to replay them later. The next step is to configure the Electron app to send requests through the proxy.

Since Electron apps are built on top of chromium, we can use a couple command line arguments to redirect HTTP requests made inside the app to the proxy server.

Using VSCode as an example, open the Electron app with:

Open VSCode from Terminal (macOS). Copy the command.

Anything after --args is passed as arguments to the app. We’re going to add two flags to route traffic to the proxy server and enable HTTPS.

The first one, --proxy-server tells chromium to use a custom proxy configuration. Setting this to localhost:5555 will route all requests to the Postman proxy server.

The second argument, --ignore-certificate-errors will temporarily disable certificate checks. Without it, the Electron app will error sending any requests over HTTPS.

Send requests to the proxy

Now that the Electron app is configured to route HTTP requests through our proxy, all we need to do is trigger the relevant API calls.

In this example, we search for extensions to find out which endpoint we need to scrape the Visual Studio Marketplace.

Sending queries from VSCode to Postman Proxy.

Browse Postman history

While making requests, you’ll start to see them appear in Postman’s history tab. This is where you can browse the requests made by the Electron app.

Browsing requests made through Postman requests.

Clicking Send on a request will let you see the full response. Since there’s no documentation, changing parameters and seeing how it affects the response will help you reverse engineer the API.

Conclusion

Intercepting HTTP requests from Electron apps with Postman is really simple to setup. This of course only works for Electron apps. Check out Charles proxy for a full-featured tool to intercept all HTTP traffic from your computer.

Happy hacking!

Published by HackerNoon on 2018/03/10
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy