Burp Suite User Forum


certificate pinning issue

András | Last updated: Feb 06, 2018 02:03PM UTC

Hi, We are testing an application which has certificate pinning, but the debug version includes the fingerprint of the Charles server of the dev team. We have received this certificate in PFX format, can import it into Burp and successfully use it to create Burp certificates, which are accepted when testing in a browser. However, the application we are testing still rejects it. How and why is this behavior possible? Thanks, András (PS: Chaining through Charles also did not work, due to the stupidity of Charles: it did not open the SSL connection when using Burp as an upstream proxy; Charles simply forwarded with the CONNECT method.)

PortSwigger Agent | Last updated: Feb 06, 2018 02:39PM UTC

Hi András, Thanks for your message. I have a theory about what's going on. If you used "Import CA certificate" on the Proxy options, Burp will generate a new certificate for each domain, and the fingerprint won't be what your app expects. Instead, you want to use a fixed certificate. Go into Proxy > Options > Proxy Listeners > Edit > Certificate and choose "Use a custom certificate". This should do what you need. Please let us know if you need any further assistance.

Burp User | Last updated: Feb 06, 2018 09:23PM UTC

Hi, Unfortunately that is not the case. Charles Proxy uses this certificate the same way as Burp does: as a CA to generate a new certificate for each host. In any case, I have tried to use it like that, but it did not work. Best regards, András

PortSwigger Agent | Last updated: Feb 07, 2018 09:09AM UTC

Hi András, OK, it was worth a try. To set your expectations, Burp certificate generation is not intended to bypass certificate pinning. We may add features related to this in the future, but for now, expect this to require considerable manual effort. The next step is to compare a certificate generated by Charles Proxy with one generated by Burp. I use openssl to capture and decode certificates. What are the differences? Also, speak to the application team (or disassemble the application): what pinning techniques does it use?

Burp User | Last updated: Feb 07, 2018 03:34PM UTC

Hi, Solved! After reverse engineering it, it turned out the application uses a hardcoded CN check against a wildcard address, with an exact string match. Because Burp generates certs for a specific hostname every time, it failed this check, and because Charles generates wildcard addresses, it managed to pass. Now, by setting the specific wildcard in Burp, we can bypass this check. Thanks for the help. Best regards, András
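The failure mode András found, reproduced as an added example that is not code from this thread, from Burp or from Charles. It uses openssl the way the PortSwigger agent suggested for decoding certificates: a throwaway CA stands in for the dev team's Charles root (constructed here, not the real key), one leaf is issued for a specific host the way a per-host proxy listener would, one is issued with a wildcard CN the way Charles does (and the way Burp does once the listener is set to generate a CA-signed certificate with a specific hostname of `*.example.com`), and an exact-string CN comparison plays the role of the app's hardcoded check. The hostnames `api.example.com` and `*.example.com`, the pin string and all file names are assumptions made for the demo; only `openssl` on PATH is required.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` is on PATH.
# Shows why an exact-string CN pin on "*.example.com" accepts a Charles-style
# wildcard leaf and rejects a Burp-style per-host leaf signed by the same CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for the dev team's Charles root (constructed, not the real key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a leaf certificate with the given subject CN, signed by that CA.
# $1 = CN to put in the subject, $2 = output basename (hypothetical file names)
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Decode the subject CN of a certificate (the kind of openssl comparison the agent suggested).
leaf_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# The app's check as described in the thread: the CN must equal the pinned string
# byte for byte. No wildcard matching, no SAN lookup, no chain validation.
# $1 = certificate file, $2 = pinned CN string. Prints MATCH or MISMATCH.
pinned_cn_check() {
  if [ "$(leaf_cn "$1")" = "$2" ]; then echo MATCH; else echo MISMATCH; fi
}

make_ca
issue_leaf "api.example.com" burp_style     # what a per-host listener mints for api.example.com
issue_leaf "*.example.com"   charles_style  # what Charles mints (and Burp with a fixed wildcard hostname)

PIN='*.example.com'
echo "burp_style    CN=$(leaf_cn "$WORK/burp_style.pem")    -> $(pinned_cn_check "$WORK/burp_style.pem" "$PIN")"
echo "charles_style CN=$(leaf_cn "$WORK/charles_style.pem") -> $(pinned_cn_check "$WORK/charles_style.pem" "$PIN")"
```

Both leaves chain to the same trusted CA, so importing the CA into Burp was never the problem: only the subject string differs, and the check reads nothing else. Running the script prints MISMATCH for the per-host leaf and MATCH for the wildcard leaf, which is exactly the Burp-versus-Charles difference in the thread.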

PortSwigger Agent | Last updated: Feb 07, 2018 03:55PM UTC

Hi András, Glad to hear it! Hope the rest of your test goes well.
