The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


missing "Unencrypted communications"

Tiago | Last updated: Jul 02, 2017 06:33PM UTC

I perfectly understand the issue "Unencrypted communications", but I'm not sure how deterministically Burp reports this issue. What are the requirements for Burp to report it? I have done a lot of testing and the behaviour is not deterministic. I make an HTTP request in the browser and some sites get an Unencrypted communications issue, others don't. Are there any rules for this, like a response code equal to 20X or no Strict-Transport-Security header?

PortSwigger Agent | Last updated: Jul 03, 2017 09:32AM UTC

The check detects unencrypted traffic that is not a redirect. If you access an HTTP site and it immediately redirects you to the HTTPS site, the issue is not raised. Does this explain the behavior you've observed?

Burp User | Last updated: Jul 10, 2017 01:31PM UTC

Actually I'm not really sure about what is happening because the issue does not include a request/response indicating which request is HTTP, and I'm injecting scan requests through the API, so it might be possible that the scanner sees an HTTP response (maybe a redirect to HTTP). Can't you provide the HTTP request that triggers the vulnerability? I'm doing more tests to understand if there is a bug or it's me missing something. PS: should I receive an email with any reply to my post? I never get emails about my posts.

PortSwigger Agent | Last updated: Jul 10, 2017 01:33PM UTC

Hi Tiago, If you look in Target > site map and find the http version of the site, you can see all the unencrypted communication, and determine if there's anything sensitive. We'll have a think about including this in the issue report. There's a balance to be struck against overloading the report with information. You should get an email with support center updates. Maybe check your spam folder?

PortSwigger Agent | Last updated: Jul 10, 2017 01:41PM UTC

Hi Tiago, Yes, it's a passive check based on responses. It won't trigger without some HTTP traffic. Are you sure there's nothing in site map? Perhaps you've got a filter enabled on that view that is concealing some requests? I sent you that notification email manually. Not sure why you're not getting them as other Gmail users receive them just fine.
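The rule the two PortSwigger replies above describe (a passive, response-based check that flags plaintext HTTP traffic unless it is an immediate redirect to HTTPS) can be modelled in a few lines. This is an added illustration, not Burp's own scanner code; the `Exchange` record, the sample traffic and the treatment of relative or `http://` redirect targets as still unencrypted are assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Exchange:
    """One proxied request/response pair (only the fields the check needs)."""
    url: str                         # request URL; its scheme tells http from https
    status: int                      # response status code
    location: Optional[str] = None   # response Location header, if any


def is_https_redirect(exchange: Exchange) -> bool:
    """True when the response is a 3xx redirect whose Location is an https:// URL.

    A relative or http:// Location leaves the client on plaintext, so it is
    not treated as an exemption (assumption, not a documented Burp rule).
    """
    if not 300 <= exchange.status < 400 or not exchange.location:
        return False
    return urlparse(exchange.location).scheme.lower() == "https"


def unencrypted_communication(exchange: Exchange) -> bool:
    """Model of the passive check: report plaintext HTTP traffic unless the
    response immediately redirects to HTTPS. Status 20x and the presence of
    Strict-Transport-Security play no part in the decision."""
    if urlparse(exchange.url).scheme.lower() != "http":
        return False                 # TLS traffic is never flagged
    return not is_https_redirect(exchange)


def find_unencrypted(exchanges: List[Exchange]) -> List[str]:
    """Return the request URLs the check would report, in order seen."""
    return [e.url for e in exchanges if unencrypted_communication(e)]


# Constructed sample traffic, not captured from any real site.
SAMPLE = [
    Exchange("http://example.test/", 301, "https://example.test/"),        # exempt
    Exchange("http://example.test/login", 200),                          # flagged
    Exchange("http://example.test/old", 302, "http://example.test/new"),  # flagged
    Exchange("http://example.test/rel", 302, "/new"),                    # flagged
    Exchange("https://example.test/", 200),                              # never
]

if __name__ == "__main__":
    for url in find_unencrypted(SAMPLE):
        print("Unencrypted communications:", url)
```

Running this over a site map export shows why an HTTP origin that only ever answers with a redirect to HTTPS produces no issue, while a single plaintext 200 or an HTTP-to-HTTP redirect does.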

Burp User | Last updated: Jul 10, 2017 03:56PM UTC