Burp Suite User Forum


How do I know if https requests are failing to be decrypted?

Andrew | Last updated: Dec 23, 2021 05:12AM UTC

I am attempting to mitm an android emulator on my computer with burpsuite. I am able to see https traffic of insecure things like assets, but I see no traffic for data being posted to and from the app, over https. I know the traffic is happening because the app is still functioning, but there is no indication in burpsuite that there are errors. Is this by design?

My question is regarding error logging, but just to add more details: I have generated a certificate, converted it to the proper android format, and added it to the root cert folder (this is a genymotion emulator). Currently I am attempting to use a frida script to disable certificate pinning (assuming that is why I do not see traffic) but I am frustrated that I have no way of telling if burpsuite attempted to handshake ssl with their portswigger cert and failed, or if it's just ignoring https traffic entirely for this app. I should point out that the default web browser has http2 traffic visible in burpsuite, so it does appear to be _able_ to decrypt ssl traffic, there's just no visibility into when it does.

Below are the commands I used to get my cert onto the emulator. My question is more about the burpsuite app UI, but this is possibly still useful to share.

```bash
# Convert DER to PEM
openssl x509 -inform DER -in cacert.der -out cacert.pem

# Get subject_hash_old (or subject_hash if OpenSSL < 1.0)
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

# Rename cacert.pem to <hash>.0
mv cacert.pem 9a5ba575.0

# Remount and copy cert to device
adb root
adb remount
adb push 9a5ba575.0 /sdcard/
adb shell
vbox86p:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
vbox86p:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
vbox86p:/ # reboot
```

Thank you for your help
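The `openssl x509 -subject_hash_old` step in the post above is what produces the `9a5ba575.0` file name Android looks up under `/system/etc/security/cacerts`. As an added example that is not part of this thread, here is a stdlib-only Python version of that computation, run against a constructed sample certificate (hypothetical `CN=Example Proxy CA`, no real key or signature) so it works offline:

```python
# Added example, not code from the thread: compute OpenSSL's "subject_hash_old" for a
# DER certificate, the value Android uses to name a CA file under
# /system/etc/security/cacerts (what `openssl x509 -subject_hash_old` prints above).
import hashlib
import struct

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_name_der(cert_der):
    """Return the DER bytes of the Subject Name, outer SEQUENCE header included."""
    tag, pos, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER certificate"
    tag, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "missing tbsCertificate"
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional EXPLICIT [0] version
        pos = end
    for _ in range(4):                       # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)    # subject ::= Name (SEQUENCE OF RDN)
    assert tag == 0x30, "subject is not a SEQUENCE"
    return cert_der[pos:end]

def subject_hash_old(cert_der):
    """X509_NAME_hash_old: MD5 of the subject DER, first 4 bytes little-endian, 8 hex digits.
    Android expects the CA file to be named <this value>.0"""
    digest = hashlib.md5(subject_name_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def der(tag, body):
    """Encode one DER TLV (short or long length form); used to build the sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

# Constructed sample (no real key or signature): a v3 certificate skeleton with
# issuer = subject = CN=Example Proxy CA; the fields after subject are omitted.
SAMPLE_NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Example Proxy CA"))))
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")               # version v3, serialNumber 1
    + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
    + SAMPLE_NAME                                                     # issuer
    + der(0x30, der(0x17, b"210101000000Z") + der(0x17, b"310101000000Z")) + SAMPLE_NAME))  # validity, subject
```

To check a real CA, read the DER file with `open("cacert.der", "rb").read()` and compare `subject_hash_old(...) + ".0"` with the file name you pushed to the device.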

Andrew | Last updated: Dec 23, 2021 03:06PM UTC

[edit] I may have misinterpreted parts of this tool. If I disable the burpsuite cert on the emulator, using the default web browser will not make any requests past an initial http://google.com request. Enabling the cert again, the full https://google.com page loads and the requests are shown in burpsuite. I think this means that burpsuite doesn't silently error out on decryption, and forces apps to use their specific certificate. Likewise, in the app I am attempting to pen test, I can see https traffic (http2). So I believe that the cert is being used. I think the reason the app functions despite seeing the traffic is that the actual traffic happens inside a websocket, or perhaps over UDP. I am guessing this because I see a few responses that look like websocket connection information (e.g. ip, port, what to do when frames get dropped). I don't, however, see any websocket traffic under "WebSockets history" and I don't see any "Connection: Upgrade" requests. Is it possible there are types of websocket connections that burpsuite cannot capture?

Uthman, PortSwigger Agent | Last updated: Dec 23, 2021 03:52PM UTC

Hi Andrew, Thanks for this post. I'm just reviewing the information and will get back to you with some feedback as soon as possible. Thanks in advance for your patience!

Andrew | Last updated: Dec 23, 2021 08:05PM UTC

Thanks Uthman, I think I can narrow down my confusion to a few questions:

1. Does burpsuite intercept the wss:// protocol (secure websockets)? If so, do I have to do anything special with certs?
2. Does burpsuite hide any http traffic? (I am not filtering anything in the "Http History" tab)
3. Does burpsuite have any way of detecting non-tls traffic (e.g. UDP traffic from WebRTC perhaps)?

Andrew | Last updated: Dec 23, 2021 08:11PM UTC

Following up on #3, I suppose it's possible this app is using http3 (https://blog.cloudflare.com/http3-the-past-present-and-future), which is based on UDP, or MQTT (https://mqtt.org/) like instagram does. I don't believe burpsuite would be able to tell me this.

Uthman, PortSwigger Agent | Last updated: Dec 24, 2021 08:51AM UTC

Hi Andrew,

Thanks for clarifying that. Please see my answers below:

  1. Yes, you can intercept WebSocket messages. The request should show up in the Intercept tab if Burp can handle it (and the proxy has been configured correctly). You can decide whether client-to-server or server-to-client messages are intercepted under Proxy > Options > Intercept WebSockets Messages. There shouldn't be a need to configure additional certs.
Further information in the resources below:
  2. If you have set your Target > Scope and selected the option to hide out-of-scope traffic, or you are using the Filter, then Burp will hide some HTTP traffic.
  3. Burp only handles and logs the HTTP and HTTPS traffic. If you are interested in capturing /ALL/ types of traffic, you will most likely need to use something like Wireshark instead.

I don't believe we currently support HTTP3 but I have registered your interest in a feature request and we will update this thread if/when that gets implemented.

It may be best to email support@portswigger.net with the URL of the site you are testing along with diagnostics (Help > Diagnostics) so that we can investigate this further.
