Friday, December 25, 2015

Basic 4: Proxy intercepting tools - Part 2

Welcome Readers,

Well, we now understand how to configure proxy tools. In this post I will walk through some tricky conditions where you may be confused about why Burp is not intercepting traffic. Let's see them one by one.

Suppose you are a security testing professional and you have been given a web application security assessment. Depending on the situation, the application under test may be internet facing or intranet facing (Note: an intranet is an in-house network). In an organization, subnets are created to share internet access via a single public-facing IP address. To make it simple, read the example below.
Let's say the ABC organization has 3 departments: HR, IT and Finance. Each department has approximately 50-60 employees. To provide internet access to each employee's system, ABC org. bought a leased line from a service provider. ABC org.'s network guy created multiple subnets to provide internet access to everybody, so every system now accesses the internet via the proxy provided by the network guy.
Condition 1: Coming back to testing, the first question that comes to a tester's mind is: how do I intercept internal applications? The answer is simple: we just need to configure Burp the same way we configure it for HTTP applications.
Reason: Intranet applications are developed for internal use, so they are not accessible from the internet.
So we just need to put localhost in the browser and localhost in Burp.
Note: Sometimes you need some system authentication while testing; that can be automated via Burp in Options > Connections > Platform Authentication.
In the Destination host field, put the application's intranet IP.

Condition 2: Suppose the org. has developed an internet-facing application and you have to test it from the internal infrastructure. How will you configure Burp to intercept the internet application?
The answer is simple: "upstream proxy". You just need to put the internet proxy address provided by the org.'s network guy in the upstream proxy section.
Now Burp will use the upstream proxy every time it intercepts the internet-facing application.

The above two conditions apply when you want to intercept an in-house application, whether intranet or internet. But what if you want to test an internet application like www.google.com, www.facebook.com, etc.? Until now we have learnt how to intercept HTTP sites; let's understand how to intercept HTTPS sites.
Follow the steps below:
Step 1: We need to install the Burp certificate in our browser's trusted certificates list. We can do this by loading Burp (configured as for an HTTP app) and then visiting http://burp/.
Step 2: You should see a page with links on top, one of which is "CA Certificate". Clicking this will give you a download of a file named "cacert.der".
Step 3: Let's install it in the browser. For example, in Firefox the certificate can be installed by going to Options->Advanced->View Certificates, then "Import". Note: To install it in Windows, just double-click the file and install it.
That's it, we are all set to intercept HTTPS sites. Please try this and let me know if you get stuck anywhere. Stay tuned for future posts.
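Before trusting the downloaded cacert.der, it helps to confirm that the file really is a single DER object (and not an HTML error page saved because the browser was not going through Burp) and to note its SHA-256 fingerprint so you can compare it with what the browser's certificate viewer shows and remove the right certificate after the assessment. The script below is an added example, not part of the original post; the function names are hypothetical and SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import hashlib
import ssl
import sys

# Constructed placeholder: a syntactically valid outer DER SEQUENCE of 260
# bytes, NOT a real certificate. Used only so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)


def der_total_length(data: bytes) -> int:
    """Length of the outer DER SEQUENCE (header + body), per its own header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: file does not start with a SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("not DER: bad or truncated length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def inspect_ca_download(data: bytes) -> dict:
    """Check the download is one complete DER object; return fingerprint and PEM."""
    if der_total_length(data) != len(data):
        raise ValueError("not DER: declared length does not match file size")
    digest = hashlib.sha256(data).hexdigest().upper()
    return {
        "sha256": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)),
        "pem": ssl.DER_cert_to_PEM_cert(data),   # for tools that expect PEM
    }


if __name__ == "__main__":
    # Usage: python check_cacert.py cacert.der  (falls back to the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    info = inspect_ca_download(raw)
    print("SHA-256 fingerprint:", info["sha256"])
```

This only checks the outer DER framing; it does not parse or validate the certificate fields.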