The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Found 50 posts in 48 threads

Lab : Modifying serialized data types. Bug Decoder?

of the video I get this error: PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 I understand that encoded url = %65%33%4d%36%4f%44%6f%69%64%58%4e%6c%63%6d%35%68%62%57%55%69%4f%33%4d%36%4d%54%4d%36%49%6d%46%6b%62%57%6c%75%61%58%4e%30%63%6d%46%30%62%33%49%69%4f%33%4d%36%4d%54%49%36%49%6d%46%6a%59%32%56%7a%63%

Last updated: Mar 15, 2021 01:48PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Logic error in Intruder module

Accept: application/json, text/javascript, */*; q=0.01 Origin: file:// User-Agent: Mozilla/5.0 (Linux; Android KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: application/json, text/javascript, */*; q=0.01 Origin: file:// User-Agent: Mozilla/5.0 (Linux; Android KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 13, 2021 03:12PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Decoding Gzip/Deflate issues

I'm trying to read the contents of packets sent from an Android device and some packets where Burp can The following is from an Android phone, manufacturer I suspect is collecting/spying on its users with packet: OST /tracker-api/tracker/trackerLog HTTP/1.1 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; U; Android 6.0; en-au; 5044T Build/MRA58K) AppleWebKit/537.36 (KHTML

Last updated: Nov 20, 2017 10:47AM UTC | 1 Agent replies | 0 Community replies | How do I?

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

cookie: session=uh7z8Bd1CaBOY98M1UQs5vtO2syzKWRL cookie: _lab=46% u=1 te: trailers content-type: application/x-www-form-urlencoded

Last updated: Jul 08, 2024 02:17PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

Missed SQL Injection

identify it with as the following: sqlmap identified the following injection point(s) with a total of 46 =0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Nov 23, 2021 08:40AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Android 11

has posted anything along these lines but I have been trying to transparently proxy a mobile app on Android Apparently, in Android 11 this has been further tightened.

Last updated: Jul 14, 2021 02:48PM UTC | 0 Agent replies | 0 Community replies | How do I?

No internet connection error when attempting to connect to Google Play Store.

Which version of Android are you using? Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on If you are using an older version of Android, it may be that this version of Google Play Store does not

Last updated: Jul 20, 2018 07:39AM UTC | 1 Agent replies | 1 Community replies | How do I?

Capturing traffic from my iphone for apps like Facebook, OLA cabs

Which version of Android are you using? Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. https://blog.nviso.be/2018/01/31/using-a-custom-root-ca-with-burp-for-inspecting-android-n-traffic/

Last updated: Mar 14, 2022 10:07AM UTC | 3 Agent replies | 2 Community replies | How do I?

Android Virtual Device

Hi Team, I have created an Android virtual device using Android SDK Manager on my windows 7 system I have installed an android application on that Virtual android device.

Last updated: Dec 26, 2018 11:39AM UTC | 2 Agent replies | 1 Community replies | How do I?

FOR ANDROID VERSION

Hi sir, can your team make Burpsuite for Android version? We Android users will be thankful to you. You don't have pc laptop, if Burpsuite can be released for Android

Last updated: Aug 16, 2021 09:50AM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Android app testing

Hi Team, I hope you are doing well, I need to test the Android mobile application but BurpSuite

Last updated: Jun 27, 2022 09:04AM UTC | 1 Agent replies | 1 Community replies | How do I?

Android Emulator - ERR_SSL_PROTOCOL_ERROR

Pointing my Android Emulator to use the Burp Proxy running on my localhost. I get the following errors in both Chrome and the Android System WebView. This seems to happen much more frequently on the newer Android Emulator images (v25, v26+).

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. Which version of Android is your emulator? If you must use Android Nougat onward then you will need to install a trusted CA at the Android OS level

Last updated: Sep 19, 2018 07:34AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Sniff Android Apps

Hello, do not be tired Excuse me, I had a question, when I want to sniff a program like PayPal or a program with such a level of security with Burp, Paypal says it does not have access to the Internet and I can no longer...

Last updated: Nov 09, 2020 09:12AM UTC | 1 Agent replies | 1 Community replies | How do I?

Android Certificate Issue

Hello, I installed Burp's Certificate on my Android phone to monitor the traffic of an app but now I'm

Last updated: Mar 02, 2022 10:53AM UTC | 1 Agent replies | 0 Community replies | How do I?

Unable to intercept with Android mobile app using Burpsuite

Which version of Android are you using? Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on If you are using an older version of Android, it may be that Instagram does not obey proxy settings.

Last updated: Jul 25, 2018 07:27AM UTC | 2 Agent replies | 1 Community replies | How do I?

SSL error for Android

Getting below error: Kindly support on priority - The client failed to negotiate a TLS connection to : Received fatal alert: certificate_unknown

Last updated: Jun 22, 2022 05:06PM UTC | 2 Agent replies | 1 Community replies | How do I?

Can't connect to android

I have a problem connecting Burp to my android phone.

Last updated: Sep 05, 2023 09:22AM UTC | 1 Agent replies | 0 Community replies | How do I?

not intercepting android traffic

I tried everything specified in Burp documentation but still Burp is not intercepting the Android mobile

Last updated: May 21, 2021 03:17PM UTC | 6 Agent replies | 8 Community replies | How do I?

[Android] Intercept Traffic Issue

ok straight to the point : Device : Android 5 (Already Inject Certificate from burp suite) Burpsuite Cloudflare : 443) ==> 16.16.16.16 (Main Server : 8123) Burpsuite cannot intercept any traffic from android

Last updated: Jan 25, 2019 08:23AM UTC | 2 Agent replies | 1 Community replies | How do I?

Android Requests not intercepted

certificates src="user" /> </trust-anchors> </base-config> </network-security-config> Android versions tested on Android 12 Android 11 Android 13 Android 9 Burp User certificate installed

Last updated: Dec 28, 2023 01:37PM UTC | 2 Agent replies | 1 Community replies | How do I?

Intercept Android version 10

I keep getting the certificate_unknown error for every https request. The app I'm testing doesn't have certificate pinning enabled but I get this same error. What can I do?

Last updated: Mar 24, 2020 09:55AM UTC | 1 Agent replies | 0 Community replies | How do I?

problem cert with android

hello i have problem when install cer in android The client failed to negotiate a TLS connection certificate_unknown i try solved with this article https://blog.ropnop.com/configuring-burp-suite-with-android-nougat

Last updated: Jul 10, 2020 10:14AM UTC | 1 Agent replies | 0 Community replies | How do I?

some android apps not showing up in burp suite

android version: 10 QKQ1.200830.002 sample running application: - chrome app - gmail app not

Last updated: Oct 02, 2023 09:49AM UTC | 2 Agent replies | 3 Community replies | How do I?

error in android app

Hello everyone, I recently installed the burpsuite certificate for android and everything works correctly

Last updated: Jan 02, 2023 11:42AM UTC | 1 Agent replies | 1 Community replies | How do I?

Android Request are not intercepted

As I was testing today on my Android phone, when changing the proxy of wifi (from nothing to my_laptop_ip_address

Last updated: Jun 15, 2021 11:53AM UTC | 2 Agent replies | 1 Community replies | How do I?

Global Proxy on Android Emulator

Hi, is it possible to use Burpsuite as a Global Proxy on a rooted Android Emulator? (possibly AVD in the Android Studio).

Last updated: Sep 01, 2021 08:11AM UTC | 1 Agent replies | 0 Community replies | How do I?

unable to intercept android app

I have installed ca certificate in system trusted in Android 11 via Magisk module still, when I try

Last updated: Aug 12, 2023 05:13AM UTC | 0 Agent replies | 1 Community replies | How do I?

handshake failure: unknown_ca

@Liam I'm using Android 10

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. https://blog.nviso.be/2018/01/31/using-a-custom-root-ca-with-burp-for-inspecting-android-n-traffic/

Last updated: Jan 06, 2020 09:24AM UTC | 5 Agent replies | 5 Community replies | Bug Reports

burpsuite CA site not loaded

android device OS 10.1 samsung

Last updated: Mar 26, 2021 08:22AM UTC | 2 Agent replies | 3 Community replies | How do I?

Burp show android app traffic

I using SSL CertificatePinning and host name verification in my Android app, but Burp show my app traffic (I install CA in Android emulator). Android version is 6.

Last updated: May 18, 2021 02:20PM UTC | 1 Agent replies | 0 Community replies | How do I?

Genymotion android emulator TLS error

I have already installed the cacert into system on my android emulator. when i open any app from, vimeo

Last updated: Aug 01, 2022 09:27AM UTC | 4 Agent replies | 5 Community replies | How do I?

Intercept traffic from Android application

Hello, I have tried to add certificate in system but I didn't succeed because I need to root my phone and I don't want to take this risk (unless the manipulation can be reversed). Any know any other way to do it?

Last updated: Mar 20, 2023 08:29AM UTC | 5 Agent replies | 8 Community replies | How do I?

Intercepting data on Android Device

Hello, Please can someone help me with the following: I am trying to use Burp Suite to see my network traffic on my mobile device however when I connect it I can see the request in the Burp Suite however my phone...

Last updated: Jul 05, 2018 06:58AM UTC | 2 Agent replies | 2 Community replies | How do I?

Intercepting data on Android Device

Earlier on it I was told to check out this article: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat error in x509 Any further help would be much appreciated and to clarify, I have tested this on Android It implies that troubleshooting guide is Android Nougat (7) only too, is this correct?

Last updated: Jul 06, 2018 09:22AM UTC | 2 Agent replies | 1 Community replies | How do I?

Unable to intercept android traffic

I want to intercept the traffic for Android applications but I am unable to do so . I have downloaded the CA Certificate on my android smart phone and I am able to get traffic for the Browser

Last updated: Apr 26, 2022 06:56AM UTC | 4 Agent replies | 6 Community replies | How do I?

Intercepting Android version 8.1 HTTPS Traffic

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on

Last updated: Feb 13, 2021 12:43PM UTC | 5 Agent replies | 8 Community replies | How do I?

Could not intercept mobile application which is hosted behind cloudflare

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. We recommend that you use an older version of Android for your testing. If you must use Android Nougat then you will need to install a trusted CA at the Android OS level on

Last updated: Sep 19, 2018 07:22AM UTC | 3 Agent replies | 3 Community replies | How do I?

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. https://blog.nviso.be/2018/01/31/using-a-custom-root-ca-with-burp-for-inspecting-android-n-traffic/

Last updated: Jun 03, 2020 07:57AM UTC | 2 Agent replies | 2 Community replies | Burp Extensions

Exploiting PHP deserialization with a pre-built gadget chain - getting error

Symfony Version: 4.3.6 PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www/index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Thanks

Last updated: Jun 05, 2021 09:01AM UTC | 1 Agent replies | 2 Community replies | How do I?

HTTP Request Smuggling

responses" is given as "POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded server was given as "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded should be like this: "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 146 x=POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Feb 14, 2022 01:54PM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab Login Not Working

HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jul 10, 2020 08:07AM UTC | 3 Agent replies | 5 Community replies | How do I?

HTTP request smuggling, obfuscating the TE header

POST / HTTP/1.1 Host: my host.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Mar 05, 2021 03:32PM UTC | 1 Agent replies | 2 Community replies | How do I?

Intercept SSL traffic for Android Nougat 7 and above version.

Since Android Nougat, Android no longer trusts user or admin supplied CA certificates. https://blog.nviso.be/2018/01/31/using-a-custom-root-ca-with-burp-for-inspecting-android-n-traffic/

Last updated: Aug 21, 2019 03:13PM UTC | 2 Agent replies | 1 Community replies | How do I?

HTTP request smuggling, basic TE.CL vulnerability

I sent: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 20, 2020 01:02PM UTC | 1 Agent replies | 1 Community replies | How do I?

Unable to intercept SSL traffic for Android 7 & above

Yes, Burp does support SSL interception from Android devices. Since Android Nougat you need to root the device to install the Burp certificate. There's some more information here: - https://blog.ropnop.com/configuring-burp-suite-with-android-nougat

Last updated: Mar 05, 2019 10:59AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: Modifying serialized data types - Debug dumps tokens

p9a5ei0x99qi74vejsq36czp0tn1z3d6, xlbjcoe8ecul6sfmtdrt5cm8qqr6o7hx]) Invalid access token for user carlos in /var/www/index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7

Last updated: Aug 20, 2021 02:26PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

HTTP/1.1 Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded

Last updated: Jan 30, 2020 10:00AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Not possible to disable "Update Content-Length"

HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 105 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2022 02:11PM UTC | 3 Agent replies | 3 Community replies | Bug Reports