Burp Web Proxy

2/14/2022 by admin

The Problem

For newcomers to application penetration testing, a reasonably common question is "How do you proxy HTTPS traffic?"

I’ve heard it frequently from students and from seasoned developers alike. Their instinct is correct, in that we have to do something extra to make that work. While this post won’t go into a deep dive on the technical elements of TLS, let’s take a high-level look at interception of HTTPS traffic. If you have been learning in a lab environment like SamuraiWTF, there’s a reasonable possibility that the target apps have all been served unencrypted (HTTP). For Burp Suite to intercept TLS-encrypted (HTTPS) traffic, it has to decrypt it. The traffic is captured in Burp Suite, then re-encrypted and sent to the browser. The problem with this is that SSL/TLS uses certificates to ensure that the traffic was encrypted by the expected authority. When the secureideas.com website performs its side of the TLS handshake, it sends a certificate that has been issued by a certificate authority (CA). This authority is either trusted directly, or has implicit trust granted by another authority. That chain of trust can continue several levels up, as in the hierarchy pictured below. The Starfield Class 2 CA is widely trusted by default, and that trust is granted to their Services Root CA, which then grants the trust to the Amazon Root CA 1, and so on until we get to the certificate the website is actually serving.

Burp Suite is a popular penetration testing and vulnerability discovery tool used to check web application security. To discover hidden flaws, you can route traffic through a proxy like Burp Suite: as a proxy, it is designed to intercept your web traffic, which is a key part of being able to use Burp to manipulate that traffic as you test a website. It’s not just a click-and-play tool, though; you need to configure Burp and your device to work together. The Proxy tab is where you configure everything that facilitates the basic functionality of Burp Suite, from the proxy listener address itself to the automatic manipulation of web traffic. Generally speaking, you won't mess with the 'Proxy Listeners' section of this tab, as the default address and port of 127.0.0.1:8080 are fine 99% of the time.

Going back to Burp Suite, it doesn’t have the private key associated with the *.secureideas.com certificate. So when you browse to secureideas.com, and Burp decrypts and re-encrypts your traffic, it is sent from Burp to your browser with a root certificate generated by your Burp Suite instance. Since this certificate wasn’t granted by an authority that your computer already trusts, your browser receives it and responds the same way it would if an unauthorized party was intercepting your traffic from a person-in-the-middle position, which looks something like this:

Not only is the browser upset with the situation, but Burp Suite is raising alarms about the problem too. You can see them in the Event log under the Dashboard tab in Burp Suite.

The Solution

This is easy to fix. All we need to do is tell our browser that the Burp CA can be trusted. Because every new installation of Burp generates a different CA, this doesn’t create a risk of somebody else intercepting your traffic surreptitiously with their Burp instance. The actual steps to perform this vary slightly by operating system. For today, we’ll just cover Linux since that’s what I use for all my testing, and it’s applicable to Burp Suite.

Linux

1. Export the Certificate from Burp
2. Add the trust in the browser

These steps are for Chrome, but the process is similar for Firefox.
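The two Linux steps above, written out as an added example (not code from the original post): it downloads the CA certificate through the Burp listener, prints its SHA-256 fingerprint so you can confirm it is the CA your own instance generated, and imports it into Chrome's per-user NSS store with server-auth trust only. Assumptions: the listener is on the default 127.0.0.1:8080, Chrome uses ~/.pki/nssdb, and certutil (libnss3-tools) is installed.

```python
import hashlib
import ssl
import subprocess
import urllib.request
from pathlib import Path

# Assumptions: Burp's proxy listener is on the default 127.0.0.1:8080 and Chrome on Linux reads
# the per-user NSS database in ~/.pki/nssdb (certutil comes from the libnss3-tools package).
BURP_PROXY = "http://127.0.0.1:8080"
CERT_URL = "http://burp/cert"   # Burp answers this address with its CA certificate (DER) when proxied
NSS_DB = Path.home() / ".pki" / "nssdb"

def fetch_burp_ca(proxy=BURP_PROXY, url=CERT_URL):
    # Step 1: export the CA by downloading it through the Burp listener itself.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    with opener.open(url, timeout=5) as resp:
        return resp.read()

def der_to_pem(der_bytes):
    # PEM armour for tools (or browsers) that will not accept raw DER.
    return ssl.DER_cert_to_PEM_cert(der_bytes)

def fingerprint(der_bytes):
    # SHA-256 fingerprint in the colon-separated form Chrome's certificate viewer shows, so you can
    # confirm the CA you are about to trust is the one your own Burp instance generated.
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def certutil_command(der_path, nickname="Burp Suite CA", nss_db=NSS_DB):
    # Step 2: the trust flags "C,," mark the CA as trusted to issue TLS server certificates only,
    # so the trust stays limited to server authentication in this browser profile.
    return ["certutil", "-d", f"sql:{nss_db}", "-A", "-t", "C,,", "-n", nickname, "-i", str(der_path)]

def trust_in_chrome(der_path, **kwargs):
    subprocess.run(certutil_command(der_path, **kwargs), check=True)

if __name__ == "__main__":
    der = fetch_burp_ca()
    out = Path("burp-ca.der")
    out.write_bytes(der)
    print("Burp CA SHA-256:", fingerprint(der))
    trust_in_chrome(out)
    print("Imported into", NSS_DB, "- restart Chrome to pick it up")
```

Compare the printed fingerprint with the one shown in Burp's certificate viewer before trusting it; Firefox keeps its own store, so repeat the import against the profile's cert database there.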

And you’re done. Just like that, you can proxy TLS-encrypted traffic through Burp without any issues. If your TLS issues persist, one thing to check is whether the website is using HTTP Public Key Pinning (HPKP). This is an uncommon security control that has some major drawbacks, but it breaks your ability to do person-in-the-middle interception properly.

As long as your Burp CA remains the same, you won’t have to go through these steps again in that browser (or at all on Mac/Windows, as they use system-level cert trust stores).

WSDL (Web Services Description Language) files are XML-formatted descriptions of the operations of web services between clients and servers. They contain the possible requests along with the parameters an application uses to communicate with a web service. This is great for penetration testers because we can test and manipulate web services all we want using the information from WSDL files. One of the best tools for working with HTTP requests and responses for applications is Burp. The only downside with Burp is that it does not natively support parsing WSDL files into requests that can be sent to a web service. A common workaround has been to use a tool such as Soap-UI and proxy the requests to Burp for further manipulation. I’ve written a plugin for Burp that takes a WSDL request, parses out the operations associated with the targeted web service, and creates SOAP requests which can then be sent to the web service. This plugin builds upon the work done by Tom Bujok and his soap-ws project, which is essentially the WSDL parsing portion of Soap-UI without the UI.

The Wsdler plugin along with all the source is located at the Github repository here: https://github.com/NetSPI/Wsdler.

Wsdler Requirements

  1. Burp 1.5.01 or later
  2. Must be run from the command line

Starting Wsdler

The command to start Burp with the Wsdler plugin is as follows:
java -classpath Wsdler.jar;burp.jar burp.StartBurp

Sample Usage

Here we will intercept the request for a WSDL file belonging to an online store in Burp.

After the request for the WSDL has been intercepted, right click on the request and select Parse WSDL.

A new Wsdler tab will open with the parsed operations for the WSDL, along with the bindings and ports for each of the operations. Operations are synonymous with the requests that the application supports. There are two operations in this WSDL file, OrderItem and CheckStatus. Each of these operations has two bindings; for simplicity’s sake, bindings describe the format and protocol for each of the operations. The bindings for both of the operations are InstantOrderSoap and InstantOrderSoap12. The reason there are two bindings for each of the operations is that the WSDL file supports the creation of both SOAP 1.1 and SOAP 1.2 requests. Finally, the "Port" for each of the operations is essentially just the URL the request will be sent to. The full specification for each of the objects in WSDL files can be read here: http://www.w3.org/TR/wsdl.

Burp Web Proxy

The SOAP requests for the operations will be in the lower part of the Burp window. The parsing functionality will also automatically fill in the data type for each of the parameters in the WSDL operation. In this example, strings are filled in with parts of the Aeneid and integers are filled in with numbers.
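To make the parsing described above concrete, here is an added example (not the Wsdler plugin's code) that walks a constructed WSDL 1.1 document modelled on the store example: it maps each operation to its bindings and port addresses, distinguishes the SOAP 1.1 and 1.2 bindings, fills string and int parameters with placeholder values, and renders a raw HTTP request of the kind you would paste into Repeater or Intruder. The WSDL, the urn:store namespace and the store.example endpoints are all made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/", "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
      "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/"}
ENVELOPE = {"1.1": ("http://schemas.xmlsoap.org/soap/envelope/", "text/xml"),
            "1.2": ("http://www.w3.org/2003/05/soap-envelope", "application/soap+xml")}
FILLER = {"string": "Arma virumque cano", "int": "1"}  # placeholder values per XSD type, as the plugin does

WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
 xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="urn:store" targetNamespace="urn:store">
 <message name="OrderItemIn"><part name="item" type="xsd:string"/><part name="qty" type="xsd:int"/></message>
 <message name="CheckStatusIn"><part name="orderId" type="xsd:int"/></message>
 <portType name="InstantOrderType"><operation name="OrderItem"><input message="tns:OrderItemIn"/></operation>
  <operation name="CheckStatus"><input message="tns:CheckStatusIn"/></operation></portType>
 <binding name="InstantOrderSoap" type="tns:InstantOrderType"><soap:binding transport="http://schemas.xmlsoap.org/soap/http"/></binding>
 <binding name="InstantOrderSoap12" type="tns:InstantOrderType"><soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/></binding>
 <service name="InstantOrder">
  <port name="InstantOrderSoap" binding="tns:InstantOrderSoap"><soap:address location="http://store.example/soap"/></port>
  <port name="InstantOrderSoap12" binding="tns:InstantOrderSoap12"><soap12:address location="http://store.example/soap12"/></port>
 </service></definitions>"""  # constructed sample modelled on the store WSDL in the text, not a real service

def parse_operations(wsdl_text):  # operation -> {ns, input parts, bindings -> (SOAP version, endpoint URL)}
    root = ET.fromstring(wsdl_text)
    messages = {m.get("name"): [(p.get("name"), p.get("type").split(":")[-1]) for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    endpoints = {}  # binding name -> (version, URL); the service's ports carry the addresses
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr, version = port.find("soap:address", NS), "1.1"
        if addr is None:  # no SOAP 1.1 address, so this port belongs to the SOAP 1.2 binding
            addr, version = port.find("soap12:address", NS), "1.2"
        endpoints[port.get("binding").split(":")[-1]] = (version, addr.get("location"))
    ops = {}
    for binding in root.findall("wsdl:binding", NS):
        port_type = root.find(f"wsdl:portType[@name='{binding.get('type').split(':')[-1]}']", NS)
        for op in port_type.findall("wsdl:operation", NS):
            msg = op.find("wsdl:input", NS).get("message").split(":")[-1]
            entry = ops.setdefault(op.get("name"), {"ns": root.get("targetNamespace"), "parts": messages[msg], "bindings": {}})
            entry["bindings"][binding.get("name")] = endpoints[binding.get("name")]
    return ops

def build_soap_request(ops, op_name, binding):  # render one operation as a raw HTTP request for Repeater/Intruder
    op = ops[op_name]
    version, url = op["bindings"][binding]
    env_ns, ctype = ENVELOPE[version]
    params = "".join(f"<{n}>{FILLER.get(t, '?')}</{n}>" for n, t in op["parts"])
    body = (f'<soapenv:Envelope xmlns:soapenv="{env_ns}"><soapenv:Body><{op_name} xmlns="{op["ns"]}">'
            f'{params}</{op_name}></soapenv:Body></soapenv:Envelope>')
    action = f'SOAPAction: "{op["ns"]}/{op_name}"\r\n' if version == "1.1" else ""  # header required by SOAP 1.1 only
    return (f"POST {url} HTTP/1.1\r\nContent-Type: {ctype}; charset=utf-8\r\n"
            f"{action}Content-Length: {len(body)}\r\n\r\n{body}")
```

Running `build_soap_request(parse_operations(WSDL), "OrderItem", "InstantOrderSoap")` yields the SOAP 1.1 request for OrderItem; the SOAP 1.2 binding differs in envelope namespace, Content-Type and the absence of SOAPAction, which is exactly why the plugin shows two bindings per operation.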

The request that Wsdler creates is a standard Burp request, so it can be sent to any other Burp function that accepts requests (intruder, repeater, etc.).

Here the request is sent to intruder for further testing. Because the request is XML, Burp automatically identifies the parameters for intruder to use.

Conclusion

Currently, the plugin only supports WSDL specification 1.1, but there is work on supporting 1.2 / 2.0. Also, I will be adding the option to specify your own strings and integers when the plugin automatically fills in the appropriate data type for each of the parameters in the parsed operations. If there are any bugs or features that you would like to see added, send me an email or create a ticket on Github.
