PortSwigger Web Security Blog

Tuesday, 10 September 2013

Burp support for Firefox Plug-n-Hack

The Firefox browser has recently added support for a new way of easily configuring the browser to work with intercepting proxy tools like Burp. To use this, you need to install a Firefox plugin called Plug-n-Hack:

The plugin is currently in beta and also requires the latest beta version of Firefox; once it has stabilized it will be available on the Firefox Marketplace.

If you have installed the Plug-n-Hack plugin, configuring a clean installation of Firefox to work with Burp is pretty straightforward. First, in your browser, enter the URL to connect directly to your Burp Proxy listener (by default

On the Burp welcome page, follow the Plug-n-Hack link:

Click on the "Configure your browser" button, and accept the warning displayed by the plugin:

If everything worked, you will see a "Configuration succeeded" message:

The configuration carries out two tasks. Firstly, it configures your browser to use Burp as its proxy server, via a proxy auto-configuration (PAC) file created by Burp:

Secondly, it installs Burp's SSL CA certificate as a trusted root in your browser, to eliminate SSL warnings when intercepting traffic to SSL web sites:
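As an added illustration (this is not the PAC file Burp itself generates), a minimal proxy auto-configuration script of the kind the plugin installs, assuming Burp's default listener address of 127.0.0.1:8080:

```javascript
// Added example, not the file Burp generates. A minimal proxy
// auto-configuration (PAC) script: every HTTP and HTTPS request the
// browser makes is sent through the Burp Proxy listener.
// The listener address is an assumption; 127.0.0.1:8080 is Burp's default.
var BURP_LISTENER = "PROXY 127.0.0.1:8080";

// The browser calls this for every request; `host` is available here
// for bypass rules if some hosts should not be intercepted.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme === "http" || scheme === "https") {
    // Deliberately no "; DIRECT" fallback: if Burp is not running, the
    // request fails visibly instead of silently bypassing the proxy and
    // sending test traffic straight to the target.
    return BURP_LISTENER;
  }
  // Anything else (ftp, file, ...) is not intercepted and goes direct.
  return "DIRECT";
}
```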

Hopefully the new Plug-n-Hack support will make life a bit easier next time you are setting up Burp on a new machine.

Wednesday, 20 August 2008

Problem accepting self-signed SSL certificates on FF3

Firefox 3 changes the default handling of invalid SSL certificates, to make it harder for end users to do things they probably don't want to do. If you have used FF3 to access an HTTPS web site via an intercepting proxy such as Burp, you probably know about this behaviour.

The way the feature is documented, FF3 prevents you from accessing an HTTPS site which uses an invalid SSL certificate (such as a self-signed certificate). In order to access the site, you need to explicitly add an exception, which is more cumbersome than simply clicking a "connect anyway" button. When you use an intercepting proxy, your browser receives the proxy's self-signed SSL certificate, and so you cannot connect without creating an exception.

The problem is that, for many users, the feature is not working as documented. When FF3 receives an invalid SSL certificate, many users are just seeing the following error dialog, with no option to add an exception:

You can try to add an exception manually, by going into Options / Advanced / Encryption / View Certificates / Add Exception ...

However, when you click "Get Certificate", you receive the same error dialog as originally, and the "Confirm Security Exception" button is never enabled.

At this point, there is no clue within the product or documentation about how to fix the problem, and I've spoken to several users who have given up and used another browser.

However, you can fix the problem by tweaking FF3's configuration. Somewhat bizarrely, you need to go to about:config and change the network.dns.disableIPv6 option to true:

Having done this, you will now see a completely different error message when FF3 receives a self-signed SSL certificate:

If you follow the "Or you can add an exception ..." link, then everything works as documented, and you can add an exception for the invalid certificate:

I assume that Firefox will fix this usability issue at some point, but in the meantime, if you have had problems accepting invalid certificates, try disabling IPv6 in the FF3 configuration and see if things start working.

Copyright 2014 PortSwigger Ltd. All rights reserved.