How to intercept HSTS enabled HTTP requests using Burp or any other interceptors??


Nandan L G

1 Aug 2016, 01:10:57
to null
Hi All,

Can anyone please help me out in how to intercept HSTS enabled requests in proxy interceptors? I'm unable to intercept requests in Burp/Fiddler as server doesn't allow communication with browser due to certificate errors.

Thanks in advance.

Best Regards,
Nandan

Taher Barodawala

1 Aug 2016, 09:36:07
to null
Posting the errors received would help. Also, what does the alerts section of Burp say?
HSTS enforces that all communication takes place over a secured channel. No reason why you can't fit a proxy in between. Have you tried to add Portswigger CA as a trusted CA? Have you tried with another browser? Is this a mobile app which implements cert pinning?

Abhay Rana

1 Aug 2016, 09:36:07
to null
Hi,

HSTS has no effect on your capability to intercept your request. All HSTS does is inform the browser to only make requests over HTTPS, instead of HTTP.

You will face the same issue if the server is running only on HTTPS, for example. To resolve this, what you need to do is install a root cert from Burp/Fiddler in your browser and have your proxy generate certs on the fly.


--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.
--
--
Nemo

kamal

1 Aug 2016, 09:36:07
to null-...@googlegroups.com

Install the Burp certificate in the browser's trusted certificate list and it should work.


Bharat

2 Aug 2016, 05:56:07
to null-...@googlegroups.com
Well Hit and Try worked for me:
  1. Generate the certificate by Burp.
  2. In Firefox, Options > Advanced > Certificates > View Certificates > Authorities > Import (the generated certificate) > Edit trust > Select All.
  3. In Chrome, Settings > Advanced Settings > Manage Certificates > Import the Certificate in Intermediate Certificate Authorities, Trusted Root Certification Authorities and Trusted Publishers. Don't forget to Select All in Advanced Options.
  4. Restart the browser and Burp.
Worked for me twice.
--
Bharat Razdan
Co-Founder & Author
www.techites.com

Please do not print this email unless it is absolutely necessary. Spread environmental awareness.

Shrivathsa Bhat

4 Aug 2016, 14:06:54
to null-...@googlegroups.com
Close all chrome instances and open chrome using this command. (Use valid path for chrome installation)

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor --ignore-certificate-errors

This will make Chrome ignore all certificate errors (as well as disable the default RXSS check), hence it passes all requests through Burp.

Regards,
Vathsa.

Nandan L G

7 Aug 2016, 16:20:09
to null-...@googlegroups.com

Thank you all


Ap4Ch3

9 Aug 2016, 03:51:03
to null
This seems to work:

In Firefox:

1. Right-click > New Integer (name test.currentTimeOffsetSeconds and value e.g. 11491200 or greater) in about:config.

You may also have to Clear Now the Cache and Active Logins with Time range to clear set to Everything via Tools (Alt + T) > Clear Recent History.


On Monday, 1 August 2016 10:40:57 UTC+5:30, Nandan L G wrote:
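
An added example, not part of any post in this thread: a small model of the HSTS policy lifetime that the replies above rely on (the header only tells the browser to use HTTPS for `max-age` seconds), showing from the site operator's side which `max-age` values are still in force when the browser clock is 11491200 seconds ahead. The parsing rules follow RFC 6797; the sample headers are constructed, and treating the Firefox preference as a plain forward clock shift is an assumption taken from the post.

```python
import re

# RFC 6797 section 6.1 grammar: token [ "=" ( token | quoted-string ) ]
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE = re.compile(r'^(' + _TOKEN + r')(?:\s*=\s*(?:"([^"]*)"|(' + _TOKEN + r')))?$')

def parse_hsts(header):
    """Return {'max_age', 'include_subdomains'} or None when the header
    must be ignored (bad grammar, repeated directive, missing max-age)."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    value = seen.get("max-age")
    if value is None or not re.fullmatch(r"[0-9]+", value):
        return None
    return {"max_age": int(value), "include_subdomains": "includesubdomains" in seen}

def policy_active(noted_at, max_age, browser_clock):
    """A noted host stays HTTPS-only until noted_at + max_age on the browser's clock."""
    return max_age > 0 and browser_clock < noted_at + max_age

def survives_offset(header, offset_seconds, noted_at=0):
    """True if the policy is still enforced with the clock shifted forward."""
    policy = parse_hsts(header)
    if policy is None:
        return False
    return policy_active(noted_at, policy["max_age"], noted_at + offset_seconds)

OFFSET = 11491200  # value quoted in the post above (133 days)

# Constructed sample headers, not captured from any real site
SAMPLES = {
    "short": "max-age=10368000",                      # 120 days
    "long": 'max-age="31536000"; includeSubDomains',  # 1 year, quoted-string form
    "broken": "max-age=31536000; max-age=0",          # duplicate directive: ignored
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, parse_hsts(header), survives_offset(header, OFFSET))
```
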