Auto-reject client requests for sites with bad certificates

Greg | Last updated: Jun 29, 2017 03:28AM UTC

I'd like to configure Burp Suite to automatically reject requests from the client for sites with bad certificates. This seems really basic, but I haven't found a way to do this. Using badssl.com for testing, Burp Suite lets all of the bad certs right through. Thank you in advance for your help.

PortSwigger Agent | Last updated: Jun 29, 2017 07:12AM UTC

This isn't possible at present. Most pen testers will do a separate phase of testing to investigate the server's SSL certificate and configuration, using a tool like testssl. We do have this on our backlog. We are planning to refactor the networking and SSL code at some point, and we'll incorporate this feature when we do. Rather than reject the request, what we'll probably do is generate a deliberately invalid certificate to return to the browser, so the errors are passed through. Please let us know if you need any further assistance.

Ben, PortSwigger Agent | Last updated: Jun 21, 2022 10:20AM UTC

Hi Greg, we realise it has been quite a while since you asked about this functionality, but we just wanted to let you (and anyone else that might come across this forum post) know that the recent 2022.5.1 release of Burp now allows you to configure Burp to verify upstream TLS certificates.
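To make concrete what "verify upstream TLS certificates" means for a proxy, the following added example (written for this thread, not Burp's own code or testssl's) spins up a local TLS listener with a constructed self-signed certificate, standing in for a badssl.com-style site, and then connects to it three times: once as a strict client with an empty trust store (the certificate must be rejected), once with verification disabled (the behaviour Greg observed, where bad certificates pass straight through), and once with the certificate explicitly trusted. The listener address, the `localhost` name, and the `RunProbes`/`probe` helpers are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Verdicts records how one upstream certificate fares under three client policies.
type Verdicts struct {
	StrictErr error // empty trust store: an untrusted cert must produce an error
	SkipErr   error // InsecureSkipVerify: any cert is accepted (proxy passes it through)
	PinnedErr error // trust store containing the cert: accepted after real verification
}

// selfSignedCert builds a constructed self-signed certificate for "localhost".
// It is not chained to any CA, so a verifying client has no reason to trust it.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// probe dials the upstream with the given client policy; tls.Dial completes the
// handshake, so any certificate verification failure surfaces as its error.
func probe(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunProbes starts the constructed "bad cert" upstream on a loopback port and
// returns the verdict of each client policy against it.
func RunProbes() (Verdicts, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return Verdicts{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Verdicts{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a rejecting client aborts here; ignore
			}(c)
		}
	}()
	addr := ln.Addr().String()

	pinned := x509.NewCertPool()
	pinned.AddCert(leaf)

	return Verdicts{
		StrictErr: probe(addr, &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()}),
		SkipErr:   probe(addr, &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}),
		PinnedErr: probe(addr, &tls.Config{ServerName: "localhost", RootCAs: pinned}),
	}, nil
}

func main() {
	v, err := RunProbes()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict client:", v.StrictErr)
	fmt.Println("skip-verify client:", v.SkipErr)
	fmt.Println("pinned client:", v.PinnedErr)
}
```

The strict probe is the policy a proxy enforces once upstream verification is switched on: the handshake fails with an unknown-authority error and nothing is forwarded to the browser. The skip-verify probe is the pre-2022.5.1 situation, where the proxy terminates TLS itself and the browser never sees the upstream certificate's defects unless, as the 2017 reply suggests, the proxy deliberately returns an invalid certificate of its own.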

