Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Proxy curl request through Burpsuite

Thomas | Last updated: Feb 15, 2021 01:11PM UTC

Hi, I'm trying to proxy an API call with configured certificate and keyfile though Burpsuite. My original (working) curl command: curl v --key my-key.pem --cert my-cert.crt -H 'Host: my.api.host' "https://my.api.host/my/call/to/an/api" How can I translate this command to be routed through Burpsuite? Tried all sorts of options however the request will either not show in Burpsuite or will trigger an SSL error. Thanks in advance for help, much appreciated!

Uthman, PortSwigger Agent | Last updated: Feb 15, 2021 02:07PM UTC

Hi Thomas, Have you tried the below? curl -v --key my-key.pem --cert my-cert.crt --proxy 127.0.0.1:8080 https://my.api.host/my/call/to/an/api --proxy or -x should allow the traffic to pass through Burp (https://curl.se/docs/manpage.html).

Thomas | Last updated: Feb 15, 2021 06:46PM UTC

Thanks for your feedback! I have already tried that but it produces an SSL error: * TLSv1.3 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate without proxying the curl request through Burp it works just fine. Any Ideas?

Uthman, PortSwigger Agent | Last updated: Feb 16, 2021 08:42AM UTC

What certificate and key are you loading in your --cert and --key parameters? Is that for your API? Is it a client certificate for TLS? It looks like there could be an issue with the cert chain. Can you double-check it here? https://whatsmychaincert.com/ What happens if you remove --cert and --key?

Keith | Last updated: Apr 28, 2023 03:24AM UTC

I encountered the same error: curl: (60) SSL certificate problem: self signed certificate in certificate chain and was able to resolve it by just passing the '--insecure' command line option. I did not specify the --cert or --key option either. I also had to set the HTTPS_PROXY environment variable to "http://127.0.0.1:8080"

Liam, PortSwigger Agent | Last updated: Apr 28, 2023 01:49PM UTC

Thanks for the update, Keith.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.