Web security: capturing HTTPS requests with Burp Suite

Source: Internet
Author: User

If you run into a problem, what is the first step?

Go to the official website and read the FAQ and help pages, of course; it is also a chance to practice your English.

https://portswigger.net/burp/help/proxy_options_installingCAcert.html

Note that Burp provides the certificate in DER format; it must first be imported into the browser and then exported from the browser as a CER-format certificate.

Test environment

[+] jdk1.8.0_162
[+] Burp Suite 1.7.26

I. Introduction to Burp

Please see https://portswigger.net/burp/ for yourself.

When you use Burp Suite to intercept HTTPS, the browser warns that your connection is not private or that the connection is not trusted. This is because, by default, Burp can only capture HTTP packets properly; HTTPS involves a certificate, so the traffic cannot be captured properly until that certificate is trusted. To capture HTTPS packets you need to set up a trusted certificate.

II. Configuration

1. Configure the browser proxy (currently supported: IE, Firefox, Chrome, Safari, iPhone, Android)

Take Chrome as an example: Settings ---> Show advanced settings ---> Network ---> Change proxy settings

---> Click LAN settings

---> Enter the proxy settings and click OK.

2. Visit http://burp and download Burp's built-in certificate

---> After the download

The certificate is cacert.der. The .der suffix means the file is encoded differently from a regular .cer certificate file, so it is not a regular .cer file. The following steps make the browser trust the certificate we just downloaded.

3. Import the certificate

Chrome ---> Settings ---> Advanced ---> HTTPS/SSL

---> Click Manage certificates. In every browser, the PortSwiggerCA.crt certificate must be installed into Trusted Root Certification Authorities.

---> Click Import

---> Next

---> Next

---> Next

---> Click Finish

---> Import the cacert.der file from earlier. A certificate named "PortSwigger CA" (Burp's built-in certificate) will then appear in the list; select it and export it.

---> Next

---> Next

---> Next

4. Trust this certificate

Import the PortSwiggerCA.crt file you just created into the certificate authorities and select "Trust websites identified by this CA".

---> Click Import

---> Next

---> Next

---> Next

---> Click OK, then restart, and you are done. Test by visiting https://www.baidu.com/

---> There is another way:

---> Open Burp Suite

---> Select the first option and save the file locally

---> Click Next, then find the saved certificate and import it into Chrome.
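The steps above move one Burp CA certificate between two encodings (binary DER and Base64 text). As an added example that is not part of the original page, the Python below accepts either encoding, checks the DER length field, and shows that both forms give the same SHA-256 fingerprint, which can be compared with the entry shown in the browser's certificate manager. `SAMPLE_DER` is a constructed stand-in rather than Burp's certificate, and all function names are hypothetical.

```python
import base64
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def der_total_length(data: bytes) -> int:
    """Return the full size (header + content) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_der(data: bytes) -> bytes:
    """Accept a DER or Base64 (PEM) certificate file and return the DER bytes."""
    text = data.strip()
    if text.startswith(PEM_HEADER.encode()):
        body = text.decode("ascii").replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
        der = base64.b64decode("".join(body.split()), validate=True)
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("length field does not match file size")
    return der

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as Base64 text, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

def sha256_fingerprint(data: bytes) -> str:
    """Fingerprint is taken over the DER bytes, whatever the file encoding."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in for cacert.der: a valid DER envelope, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    print("DER:", sha256_fingerprint(SAMPLE_DER))
    print("PEM:", sha256_fingerprint(to_pem(SAMPLE_DER).encode()))
```

Recording the fingerprint when the CA is installed makes it possible to identify that exact entry and remove it from the trusted root store once testing is finished.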

III. Capture HTTPS packets

Visit https://www.baidu.com/

Normal access.

IV. Other browser and client settings

The method is similar to "three" above.

Note:

In every browser, the PortSwiggerCA.crt certificate must be installed into Trusted Root Certification Authorities.

For example: Chrome
