Burp Suite User Forum


Unable to intercept and edit requests and responses in Android Application.

XOAD | Last updated: Jun 13, 2016 08:11AM UTC

Hello, I am testing an e-commerce application on my Xiaomi Android mobile running 4.4.4. I'm able to see the requests and responses, but before I edit and change them, they reach their destination. i.e. when I try to edit the response from the server, the response reaches the mobile app even before I click on the forward button in Burp. So, the edited changes are not shown in the application. I tried the same thing with websites, but there the request or response reaches the destination only after I click forward. Why is the same thing not happening with mobile apps? Please help me out. ** My app doesn't use any SSL.

Liam, PortSwigger Agent | Last updated: Jun 13, 2016 08:50AM UTC

Hi XOAD, Thanks for your message. Have you ensured that your application is in scope? It could be that you are only intercepting in-scope items. These settings can be configured in Proxy > Options > Intercept Client Requests / Server Responses.

Burp User | Last updated: Jun 13, 2016 10:02AM UTC

Hi Liam, Thanks for your response. If it is not in scope, then it won't be intercepted at all, right? But as I said, I'm able to intercept the responses, but how does the response reach the application even before I click on 'Forward'? That is what I'm not able to understand. Help me out. ** I have included my app in the scope as well. -XOAD

Liam, PortSwigger Agent | Last updated: Jun 13, 2016 10:03AM UTC

Hi XOAD, Just to clarify, when you state "how does the response reach the application even before I click on 'Forward'", by response, do you mean the request from the client? Whether requests and responses are intercepted is dictated by the settings you have configured in the Proxy > Options > Intercept Client Requests / Server Responses settings. If you uncheck the option(s) next to "Relationship: Is in target scope", then all requests and responses should be intercepted. There is a further option in Project options > Connections > Out-of-Scope Requests that prevents Burp from issuing any out-of-scope requests. However, it doesn't sound like this is causing your issue.

Burp User | Last updated: Jun 14, 2016 06:40AM UTC

Hi Liam, Thanks for the explanation again. But sorry, I didn't get my answer. I think I have to be more precise about the question. I have set the proper settings and I'm able to intercept the requests and responses. When a response comes from the server, it is intercepted by Burp (App <-- Burp <-- Server) and only when I allow the response to go to the App (clicking on the forward button) should it reach the app. Am I right here? My problem here is, even before I click the forward button, the response which is intercepted is passed to the application. So, after intercepting I am not able to edit anything and view the changes in the App. The same procedure on a website works fine. Only when I click on the forward button is the response from the server shown in the browser. Why is this not happening with the App? Do I have to change any settings for mobile apps? Hope my question is clear this time. Thanks, XOAD

PortSwigger Agent | Last updated: Jun 14, 2016 07:31AM UTC

If a response is showing as stalled in the Burp Intercept tab, then Burp has not forwarded it on to the client. If you are seeing content reaching the client unexpectedly, then two possible explanations are:

1. There are responses happening that are not being intercepted in Burp due to your interception rules.
2. The client is making some requests outside of the configured proxy, so Burp never sees them and the responses go directly to the client.

Burp User | Last updated: Jun 16, 2016 07:01AM UTC

Hi Stuttard, Thanks for your response. Option 2 is not possible, as I can see all responses in Burp which are coming from the server. Option 1 again no, all my responses are intercepted by Burp, because I can see them clearly in Burp. If the rules are not proper, I won't be able to see them in Burp, right? The issue is, I can see the responses in Burp and they are shown as stalled. But the mobile app and server are receiving all requests and responses normally without me clicking on the 'forward' button. Burp has no control over that. Is there a different configuration for mobile apps from websites? This issue has been killing me for a long time. Please help me out.

PortSwigger Agent | Last updated: Jun 16, 2016 07:53AM UTC

If a response is stalled in Burp, then it definitely does not forward it on until you click the forward button. It sounds like you might need to investigate further on the two explanations I suggested, maybe using a network-level sniffer. Another possible explanation is that the client app is reverting to a cached response when the server is slow to respond (because you have the response stalled).
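The second explanation above (requests the app sends outside the configured proxy) can be checked from the device side. The following is an added example, not code from the thread or from PortSwigger: it parses constructed netstat-style connection lines as seen on an Android device and separates connections to the (assumed) Burp listener from direct connections to ports 80/443 that Burp never saw.

```python
# Added example (not from the thread): split an Android device's TCP connections
# into traffic that went through the Burp listener and traffic that bypassed it.
# The netstat-style lines and the proxy address/port are constructed assumptions.
import re
from collections import Counter

PROXY_HOST = "192.168.1.10"  # assumed Burp listener bound to all interfaces
PROXY_PORT = 8080

# Constructed sample: two connections via the proxy, one direct to port 80,
# one direct TLS connection, and one unrelated local socket.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.1.23:44120     192.168.1.10:8080      ESTABLISHED
tcp        0      0 192.168.1.23:44122     192.168.1.10:8080      ESTABLISHED
tcp        0      0 192.168.1.23:50011     203.0.113.7:80         ESTABLISHED
tcp        0      0 192.168.1.23:50014     203.0.113.9:443        TIME_WAIT
tcp        0      0 127.0.0.1:5037         127.0.0.1:41000        ESTABLISHED
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def classify(netstat_text, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT):
    """Return {'proxied': [...], 'direct': [...]} of (remote_host, port, state).
    A connection to the proxy listener is proxied; any other connection to
    port 80/443 is web traffic Burp never saw (the agent's explanation 2)."""
    result = {"proxied": [], "direct": []}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-TCP line
        _, _, rhost, rport, state = m.groups()
        entry = (rhost, int(rport), state)
        if rhost == proxy_host and int(rport) == proxy_port:
            result["proxied"].append(entry)
        elif int(rport) in (80, 443):
            result["direct"].append(entry)
    return result

def direct_hosts(netstat_text, **kw):
    """Hosts reached outside the proxy, with connection counts, most first."""
    counts = Counter(h for h, _, _ in classify(netstat_text, **kw)["direct"])
    return counts.most_common()

if __name__ == "__main__":
    r = classify(SAMPLE_NETSTAT)
    print(f"{len(r['proxied'])} proxied, {len(r['direct'])} direct")
    for host, n in direct_hosts(SAMPLE_NETSTAT):
        print(f"bypassing proxy: {host} ({n} connection(s))")
```

Any host listed as bypassing the proxy is a candidate for the "responses reach the app without Forward" symptom, since the proxy rules in Burp cannot act on connections it never receives.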

Burp User | Last updated: Jun 16, 2016 11:00AM UTC

It may sound weird, but that's what is happening with my Burp. I even checked with my friends who are into security, and they said it's weird too. I tried clearing the data and cache from the app. Even then, the same thing. The response is not stalled, but I am able to view them in Burp and they reach the app before I click forward. Dunno what to do. I'll check with some other tool and update.

Liam, PortSwigger Agent | Last updated: Jun 16, 2016 11:08AM UTC

Hi Rajat, Have you tried investigating the two explanations suggested above?

1. There are responses happening that are not being intercepted in Burp due to your interception rules.
2. The client is making some requests outside of the configured proxy, so Burp never sees them and the responses go directly to the client.

Burp User | Last updated: Jul 22, 2016 10:10AM UTC

Hey, The same issue is happening here. Is there any solution?

Liam, PortSwigger Agent | Last updated: Jul 25, 2016 10:57AM UTC

Aman, could you tell us a little bit more about your mobile device and OS? Additionally, if you could send screenshots of the HTTP transaction, that may help us diagnose the issue. You can send additional information to support@portswigger.net.

Burp User | Last updated: Jul 26, 2016 07:07AM UTC

This is not a Burp Suite-related bug. The same thing will happen with Charles Proxy or Fiddler, as long as you're using Android devices. Android devices probably bypass their own proxy configuration when an HTTP request doesn't receive any response. I haven't found any specs describing this behaviour, but I can't see any other explanation.

Burp User | Last updated: Mar 21, 2017 08:29AM UTC

I am also facing the same problem while testing an e-commerce mobile application. According to me, the problem is that there are some requests which do not go through the manual proxy settings configured. It may be due to some security reasons that the application wouldn't like the data to go through any proxy. You can use ProxyDroid on Android to capture all the requests coming from the application and it will forward them to Burp Suite. Apart from this, if someone has any other answer, kindly suggest.

Burp User | Last updated: May 22, 2018 11:42AM UTC

My mobile device is configured with Burp Pro and I am able to intercept all kinds of requests from the mobile browser and other apps (cert is installed), but one app which I am testing is communicating with the server and not a single request is being captured in Burp Professional. From the log also I got that it is doing HTTP transactions. Please resolve this...

Burp User | Last updated: May 23, 2018 05:41AM UTC

I am using a Samsung Galaxy Tab 2 (Android 4.1.1), but I can intercept other applications.

Liam, PortSwigger Agent | Last updated: May 23, 2018 07:43AM UTC

It's possible that the native apps are not using the CA certificate that you have installed on the device and which is being used by your browser. Some native apps use their own certificate trust store, and some implement certificate pinning to only trust specific server-side certificates. In this situation, breaking the SSL tunnel is non-trivial and may entail jailbreaking the device or using some other advanced tools.

Usually, we would advise setting up Android with ProxyDroid and FS Cert Installer to push HTTPS app traffic to Burp Suite:

1. Reset Burp Suite.
2. Turn on listen to all interfaces.

Android host:

3. Remove all user certs.
4. Stop task and remove data for ProxyDroid and FS Cert Installer (you can just uninstall/reinstall).
5. Put the phone in airplane mode, then turn on WiFi.
6. In FS Cert, put in the proxy IP and PORT, then click the middle button.
7. Add CA and add it under WiFi Cert in the dropdown.
8. Then click test chain and it should all be green "yes" for www.google.com.
9. For ProxyDroid, just put in the IP and port and also tunnel DNS.
10. Kill or reinstall any apps before you start to make sure they go through the proxy properly.

Please let us know if you need any further assistance.

Burp User | Last updated: May 23, 2018 11:42AM UTC

Thank you for your solution and I will follow these. Here the traffic is HTTP; I got to know from logcat.
