Intercepting HTTP and HSTS enabled HTTPS / SSL traffic on Chrome/Firefox using Burp Suite

Burp Suite

Burp Suite is a interception and web proxy  tool to performing security testing of web applications to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced security testing techniques and also you can automation, to make your work easy, faster and more effective.

Download and install Burp Suite from here : https://portswigger.net/burp/download.html

 

Intercepting HTTP traffic:

  1. Start Burp Suite,
  2. Goto tab Proxy > Options and make sure proxy is running (default: 127.0.0.1:8080),
  3. In Intercept tab, click Intercept On/Off button to enable and disable interception,
  4. Now start Firefox or Chrome browser,
  5. In Firefox, Goto Preferences > Advanced > Network > Settings, select Manual proxy configuration and give burp proxy running IP address 127.0.0.1 and port 8080, select “Use this proxy for all protocols” option and also remove all content from “No proxy for”.
  6. In Chrome, goto Settings  and Search settings, type “Proxy”. Next Select “Change proxy settings” and give burp proxy running IP address 127.0.0.1 and port 8080,
  7. Now if you start browsing HTTP web site, you can see all request going via Burp Suite and you can intercept and modify the HTTP request on Burp > Proxy tab

Intercepting HTTPS traffic:

 

  1. To Generate the certificate by Burp Suite, Start Burp Suite, open Firefox or Chrome browser, then goto http://127.0.0.1:8080 and select CA Certificate, then save generated certificate,
  2. In Firefox,  Options>Advanced>Certificates>View Certificates>Authorities>Import( the generated certificate)>Edit trust>Select All.
  3. In Chrome, Settings>Advanced Settings>Manage Certificates> Import the Certificate in Intermediate Certificate Authorities, Trusted Root Certification Authorities and Trusted Publishers. Don’t forget to Select All in Advanced Options.
  4. Note: Some websites like Google, Twitter etc sites enabled with HSTS, HSTS has no effect in intercepting HTTPS request. But HSTS does is inform the browser to only make requests over HTTPS, instead of HTTP.
  5. Restart the browser and Burp, now you are able to intercept and modify HTTPS traffic on Burp suite
Please follow and like us:

3 Comments

Leave a Reply

Your email address will not be published.


*