Burp Suite User Forum

external service interaction -- https

hong | Last updated: May 12, 2017 11:58AM UTC

I noticed Burp supports external service interaction -- DNS, http and SMTP. Do you have any plan to support external service interaction -- https? Recently we found our application is vulnerable (and exploitable) to external service interaction -- https. Thanks

PortSwigger Agent | Last updated: May 15, 2017 09:27AM UTC

Yes, Burp does detect HTTPS-based interactions via Burp Collaborator. They are just labelled as generic HTTP interactions in terms of the issue names/descriptions. If you find a case that Burp doesn't report, please pass on relevant details, thanks.

Burp User | Last updated: May 15, 2017 01:00PM UTC

In my case, it is actually not an "external service interaction" issue. Burp injected this string into the payload:

http://kxl7efljw50trrltrhkok6upngtbh15ssig7.burpcollaborator.net/api/types/loginSessionInfo/instances

I wonder if Burp can inject an https string, such as:

https://kxl7efljw50trrltrhkok6upngtbh15ssig7.burpcollaborator.net/api/types/loginSessionInfo/instances

Our validation agent will reject an http request, but it will process an https request. This will expose a potential problem in our validation agent. Thank you

PortSwigger Agent | Last updated: May 15, 2017 03:17PM UTC

Have you tried setting the scan speed to "thorough"? I think that a default scan at "normal" speed only sends the "http" payload.
