The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Websites with HSTS implemented don't let me access them with Burp Suite (Firefox)

DBS | Last updated: Nov 03, 2023 10:48PM UTC

Hey, I have a problem with websites that have HSTS implemented. I have been looking for the solution for 2 days now, and this is my last hope to get it. I have been trying to access a webpage with Burp Suite and I have the Burp cert installed in my browser. When I try to access a website which uses HSTS it doesn't let me in, and this is the problem:

Not connected: Possible security issue
Firefox has detected a potential security threat and has not continued to (website) because this website requires a secure connection.
What can you do about it?
(website) has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You cannot add an exception to visit this site. The problem is probably with the website, and there is nothing you can do to resolve it. If you are on a corporate network or using antivirus, you can contact the support team for help. You can also report the problem to the website administrator.

The error that appears is this: SEC_ERROR_UNKNOWN_ISSUER

- I have tried getting in with FoxyProxy set to 127.0.0.1:8080 (I have a listener in Burp Suite set to that IP) and I can't.
- I have also tried getting in with the manual proxy option of Firefox (127.0.0.1:8080).
- And the last thing I tried is accessing the website with FoxyProxy and the manual proxy of Firefox, which gives me this error: MOZILLA_PKIX_ERROR_MITM_DETECTED

oliver | Last updated: Nov 06, 2023 05:00AM UTC

It seems like you're encountering issues when trying to access a website that has implemented HTTP Strict Transport Security (HSTS). HSTS is a security feature that enforces secure connections to websites, and it can cause problems when using tools like Burp Suite for testing or debugging. Here are some suggestions to address your problem:

1. Verify Your Burp Suite Configuration: Ensure that Burp Suite is configured correctly, and the proxy listener is running on the specified IP and port (127.0.0.1:8080 in your case). Double-check that your Burp Suite's SSL/TLS settings are correctly configured. You may need to install Burp's CA certificate as a trusted certificate in your browser.
2. Clear Browser Cache: Sometimes, cached HSTS policies can interfere with your testing. Clear your browser's cache and try again.
3. Try Different Browsers: If you are using Firefox, try accessing the site with a different browser like Chrome or Edge. Different browsers may handle HSTS policies differently.
4. Check for Browser Extensions: Browser extensions can sometimes interfere with your testing. Disable any extensions that might be causing issues.
5. Use a Clean Browser Profile: Create a new, clean browser profile to test the website without any extensions or settings that might affect your connection.
6. Avoid HSTS Preloading: Some websites are preloaded with HSTS settings in browsers. Try testing websites that are not on the HSTS preload list.
7. Report the Issue to the Website Administrator: If you believe there's a problem with the website's HSTS configuration, consider contacting the website administrator and explaining your situation. They may be able to provide guidance or temporarily disable HSTS for testing purposes.
8. Check Burp Suite's Compatibility: Make sure you are using a compatible version of Burp Suite with the latest updates. Burp Suite releases updates to address compatibility issues with various security features.
9. Understand the Risks: Be cautious when bypassing HSTS, as it can compromise the security of the connection. Use this approach only for legitimate testing and debugging purposes.
10. Consult Burp Suite Documentation or Support: Review the official Burp Suite documentation and consider seeking support from PortSwigger (the company behind Burp Suite) if you continue to face issues.

Remember that security features like HSTS are in place for a reason, and bypassing them should only be done for legitimate security testing or troubleshooting purposes. Always obtain proper authorization before conducting any security testing on a website. I am also facing the same problem on my site (https://riseapk.net). I applied these 10 steps to my site and the issue was resolved.
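To show why the question's Firefox page offers no "add exception" and why the cached policy mentioned in step 2 matters, here is an added example (not from either post, and not Firefox's or PortSwigger's code) that models how a browser records and applies an HSTS policy under RFC 6797: the header is only stored from an HTTPS response whose certificate validated cleanly, so a response carrying SEC_ERROR_UNKNOWN_ISSUER never changes the policy, and any still-valid policy for the host or an includeSubDomains parent disables the click-through. Header names are assumed lowercased; all hosts and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class HstsPolicy:
    expires_at: float          # absolute time: received_at + max-age
    include_subdomains: bool

def parse_hsts(header: str, received_at: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means 'ignore the header'."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            # duplicate or non-numeric max-age breaks the ABNF: whole header ignored
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:        # max-age is mandatory; unknown directives were skipped
        return None
    return HstsPolicy(received_at + max_age, include_sub)

def store_policy(store: Dict[str, HstsPolicy], headers: Dict[str, str], host: str,
                 scheme: str, cert_error: bool, now: float) -> bool:
    """Update the store from one response; returns True if it changed."""
    if scheme != "https" or cert_error:   # header ignored unless the cert validated cleanly
        return False
    policy = parse_hsts(headers.get("strict-transport-security", ""), now)
    if policy is None:
        return False
    if policy.expires_at <= now:   # max-age=0 tells the browser to forget the host
        store.pop(host, None)
    else:
        store[host] = policy
    return True

def is_known_hsts_host(store: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """Exact host match, or a parent domain whose policy set includeSubDomains."""
    for i in range(host.count(".") + 1):
        policy = store.get(host.split(".", i)[-1])   # host, then each parent domain
        if policy and policy.expires_at > now and (i == 0 or policy.include_subdomains):
            return True
    return False

def can_click_through_cert_error(store: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    return not is_known_hsts_host(store, host, now)   # no "add exception" while covered
```

A policy with a one-year max-age keeps the click-through disabled for that year, so clearing the site data (step 2) or a fresh profile (step 5) is what removes it; fixing the CA trust so the certificate validates cleanly removes the error instead.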

Dominyque, PortSwigger Agent | Last updated: Nov 06, 2023 10:31AM UTC