Clear text password box in proxy certificate p12 settings

Ben | Last updated: Apr 25, 2016 05:00PM UTC

Hello, the possibility to use a PKCS#12 keystore in the proxy certificate options saved our bottoms today in a SoapUI/Ready! API environment, so thanks for that first.

[For other poor souls in the same situation: if someone else has to use Burp with SoapUI/Ready! API with client and server certificates and both HTTP/HTTPS services, then try this: if you have a client cert P12 file, try to set it not only in the Burp Options - SSL options but also in the Burp Proxy certificate options (see below). If you are lucky this might work, and it is easier than constructions with changing HTTPS to HTTP in SoapUI and using "force SSL" for the HTTPS services in Burp and localhost hosts file entries for the HTTP services (if you are lucky and they have a hostname and not only an IP...) plus another transparent proxy listener in Burp ... and/or truststore/cacerts hacks (we were particularly unlucky with those).]

However, I identified two small bugs in Proxy - Options - [click on proxy entry] - Edit - Certificate - Use a custom certificate (PKCS#12):

1) The password box is a normal text box which displays the password in clear text instead of a password control.

2) Burp seems to accept incorrect passwords, as it does not seem to check whether the supplied password is correct when clicking OK.

A correct implementation where both bugs do not exist can be found within Burp itself, within the client cert settings (Options - SSL - Client Cert): here you can also set a PKCS#12 keystore file, but the password is masked and Burp checks whether it is correct before accepting the setting.

I propose to implement the same functionality for the PKCS#12 file setting within the Proxy options.

Thanks, best regards
Ben
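As an added example of the check described in bug 2 above (this is not PortSwigger's or Burp's code), the following shell script verifies that a supplied password actually opens a PKCS#12 keystore before the setting is accepted, and reads the password with terminal echo off rather than in clear text. It assumes the openssl command-line tool is on PATH; the keystore it builds is throwaway test data constructed by the script, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not Burp's code): validate a PKCS#12 password before
# accepting it, instead of storing whatever was typed into the dialog.
# Assumes the openssl CLI is available.

# Return 0 if password "$2" opens the PKCS#12 file "$1", non-zero otherwise.
# openssl verifies the keystore MAC with the supplied password and exits
# non-zero ("Mac verify error: invalid password?") when it does not match,
# so a wrong password is rejected here rather than failing later at TLS time.
p12_password_ok() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Prompt for the password with echo disabled (a password control, not a
# plain text box). Prints the password on stdout for the caller.
read_p12_password() {
    printf 'PKCS#12 password: ' >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    printf '%s' "$pw"
}

# Mirror of what the dialog's OK button should do: only "accept" the
# (file, password) pair when the password has been shown to work.
accept_p12_setting() {
    if p12_password_ok "$1" "$2"; then
        echo "accepted: $1"
        return 0
    fi
    echo "rejected: wrong password for $1" >&2
    return 1
}

# Build a throwaway client keystore protected with password "$1"
# (constructed test data). Prints the path of the .p12 file.
make_test_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -name client -out "$dir/client.p12" -passout "pass:$1"
    echo "$dir/client.p12"
}

# Usage: P12=$(make_test_p12 "s3cret") ; accept_p12_setting "$P12" "$(read_p12_password)"
```

The same validation in Java, which is what Burp would do, is simply `KeyStore.getInstance("PKCS12").load(stream, password)`: it throws an `IOException` on a wrong password, so the dialog can catch that and refuse the setting.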

PortSwigger Agent | Last updated: Apr 26, 2016 07:42AM UTC

Thanks for this report. We've created a bugfix ticket to look at these two issues.

Burp User | Last updated: Apr 27, 2016 07:46AM UTC

Hello Dafydd, thank you for your reply, it is an honor being one of the earlier Burp pro users ;) Cheers, Ben

