PortSwigger Web Security Blog
Tuesday, September 10, 2013
The Firefox browser has recently added support for a new way of easily configuring the browser to work with intercepting proxy tools like Burp. To use this, you need to install a Firefox plugin called Plug-n-Hack:
The plugin is currently in beta and also requires the latest beta version of Firefox, but when it is stabilized it will be available on the Firefox Marketplace.
If you have installed the Plug-n-Hack plugin, configuring a clean installation of Firefox to work with Burp is pretty straightforward. First, in your browser, enter the URL to connect directly to your Burp Proxy listener (by default 127.0.0.1:8080):
On the Burp welcome page, follow the Plug-n-Hack link:
Click on the "Configure your browser" button, and accept the warning displayed by the plugin:
If everything worked, you will see a "Configuration succeeded" message:
The configuration will have carried out two tasks. Firstly, it will configure your browser to use Burp as its proxy server, via a proxy auto-configuration file created by Burp:
Secondly, it will install Burp's SSL CA certificate as a trusted root in your browser, to eliminate SSL warnings when intercepting traffic to SSL web sites:
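To show what the first of those two tasks amounts to, here is an added example of a proxy auto-configuration (PAC) script that points a browser at the default Burp listener on 127.0.0.1:8080; it is not the PAC file Burp itself generates, and the loopback bypass list and the `DIRECT_DOMAINS` list are constructed for this example. It also shows the PAC-level alternative to the SSL pass through feature discussed in the next post: a domain listed there goes DIRECT and never reaches Burp at all, whereas a pass through entry still goes through Burp's listener, just without interception.

```javascript
// Added example, not Burp's own PAC file. A PAC file is plain JavaScript:
// the browser calls FindProxyForURL(url, host) for every request and
// uses the returned string to choose a proxy.

var BURP_LISTENER = "PROXY 127.0.0.1:8080";

// Constructed list: loopback hosts that should never be proxied.
var BYPASS_HOSTS = ["localhost", "127.0.0.1"];

// Constructed list: domains sent DIRECT, bypassing the proxy entirely.
// This differs from Burp's SSL pass through list, where traffic still
// flows through the listener (and shows up in the proxy history).
var DIRECT_DOMAINS = [".passthrough.example"];

// Browsers provide dnsDomainIs() in the PAC runtime; it is redefined
// here so the script also runs stand-alone under Node for testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  if (BYPASS_HOSTS.indexOf(host) !== -1) {
    return "DIRECT";
  }

  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }

  // Everything else, HTTP and HTTPS (CONNECT) alike, goes to Burp.
  // Deliberately no "; DIRECT" fallback: with one, a stopped listener
  // would make the browser silently bypass the proxy and traffic would
  // leave the machine uninspected instead of failing visibly.
  return BURP_LISTENER;
}
```

In Firefox the script is loaded via the "Automatic proxy configuration URL" setting, which is the mechanism Burp's generated PAC file uses.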
Hopefully the new Plug-n-Hack support will make life a bit easier next time you are setting up Burp on a new machine.
Monday, September 9, 2013
The latest version of Burp has a new feature: SSL pass through. You can use this feature to specify destination web servers for which Burp Proxy will directly pass through SSL connections:
As an example, suppose you encounter a domain where you are not able to get your client device to negotiate SSL correctly. This should be obvious enough in the client, and Burp will also alert you:
To work around this problem, you can add the problematic server to Burp's SSL pass through list:
Requests to this server will now pass straight through Burp, and your client can connect in the normal way.
The option to automatically add entries to the SSL pass through list on client SSL negotiation failure can be useful if you aren't sure exactly which domains the application is using, and don't want to have to populate the list manually. If you enable this option, any other server with which your client fails to negotiate an SSL connection is automatically added to the list, and Burp will alert you:
It is not recommended to leave automatic addition of pass through servers enabled in general, because if your client happens to encounter a one-off problem that causes it to fail a negotiation, then no further SSL connections to that host will be intercepted until you remove the server from the pass through list.