Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Burp v1.7.17 Pro appears to be dropping HTTPs requests

L | Last updated: Feb 20, 2017 01:40AM UTC

Hi everyone. I am having some issues with Burp Suite v1.7.17 Pro. I can load HTTP sites fine and intercept them with the Burp Proxy, but I am unable to load ANY HTTPs sites, the browser just continues to load waiting. I have installed the Burp CA cert as per the instructions. I have tried in Chrome, Firefox and Curl from the commandline to get this working but no luck. I have reset Burp back to factory settings but this did not resolve the issue. There is no badness showing up in the 'Alerts' section of Burp. I am running Fedora 25. Any advice on how I can further troubleshoot this issue further?

Liam, PortSwigger Agent | Last updated: Feb 20, 2017 10:44AM UTC

Hi L Thanks for your message. Is this happening with all HTTPS sites? Are you able to access https://portswigger.net/?

Burp User | Last updated: Feb 20, 2017 10:51PM UTC

Thanks for your response. No, I am not able to access https://portswigger.net, or any HTTPS site (including https://burp). Some more information if it helps: openjdk version: 1.8.0_121 openjdk runtime env build 1.8.0_121-b14

Liam, PortSwigger Agent | Last updated: Feb 21, 2017 09:51AM UTC

Are you still able to access http://burp? It sounds like your certificate hasn't installed properly. Have you tried removing your certificate and reinstalling it? - https://support.portswigger.net/customer/portal/articles/1783088-Installing_Remove%20CA%20Certificate%20-%20FF.html - https://support.portswigger.net/customer/portal/articles/1783087-Installing_Installing%20CA%20Certificate%20-%20FF.html

Liam, PortSwigger Agent | Last updated: Feb 21, 2017 09:56AM UTC

Have you tried downloading a new certificate from http://burp? It could be that the certificate has been corrupted.

Burp User | Last updated: Feb 21, 2017 12:27PM UTC

Thanks for your response. Yes, I can still access http://burp. I have removed the certificate and re-added it with no luck. I have also just now set the proxy to listen on my local address and connected to it from Windows host using a web browser that I know it works with Burp (and set the certificate correctly) and it still does not load HTTPS sites, only HTTP. This may rule out issues with the web browsers?

Burp User | Last updated: Feb 21, 2017 12:29PM UTC

Sorry by local IP address I mean my the host's internal network IP address.

Liam, PortSwigger Agent | Last updated: Feb 21, 2017 01:21PM UTC

Thanks for the additional information. I'm trying to reproduce your issue. I've just tested Burp v1.7.17 on Windows 7. I've using the installer version of Burp, which comes bundled with Java 1.8.0_112-b15. I'm having no problem with HTTPS sites. Have you tried installing the certificate in IE?

Burp User | Last updated: Feb 21, 2017 11:08PM UTC

Hi, Thanks for the response. Yes I have tried a couple of times now generating and using a new certificate with no luck. Can I provide anymore information that may help out? Cheers.

Burp User | Last updated: Feb 22, 2017 11:23PM UTC

Hi Liam, Thanks for the response. I am currently working from a Fedora 25 machine so I am not able to try in IE. I have also tried to create my own issuing CA and load a cert signed by this CA into Burp with the same result - I can load and intercept HTTP sites fine, just not HTTPS sites.

Burp User | Last updated: Feb 22, 2017 11:30PM UTC

I have just tried now and I am able to use the Repeater and Spider functions of Burp on HTTPS sites, just not the Proxy function.

Liam, PortSwigger Agent | Last updated: Feb 23, 2017 09:18AM UTC

Hi L Can you reset your Proxy settings to default and let us know if this helps. Go to Burp > Project Options > Restore Defaults > Proxy.

Burp User | Last updated: Feb 24, 2017 11:44PM UTC

Hi Liam, Thank-you for the suggestion and working through this with me. This did not seem to resolve the issues. I captured packets using Wireshark on the loop back device and when making a HTTPS request, I could see the browser send a 'Client Hello' but no 'Server Hello' was ever received back. When comparing diagnostic information with a colleague of mine, he came to realise that he was also facing this same bug. He is using the same version of Burp and Java but is running Fedora 24. We have tried older versions of Burp as well but the same issue occurs. When I am back in the office I may attempt to rollback the version of Java to see if this helps. Is there anymore information I can provide you to help to diagnose this further? Cheers, L

Liam, PortSwigger Agent | Last updated: Feb 27, 2017 10:19AM UTC

Hi L I've just tested the certificate installation on Fedora 25 / Firefox and been unable to reproduce the issue. How did you get on when you changed the Java version? Might it be worth updating your version of Fedora?

Burp User | Last updated: Mar 01, 2017 03:11AM UTC

Hi Liam, It seems my last response did not come through. The issue was to do with the version of Java. The one I am currently running is: openjdk version "1.8.0_121" OpenJDK Runtime Environment (build 1.8.0_121-b14) Using the JRE that is packed with the 'Linux installer' version of Burp allows me to browse HTTPS sites once again. The version of Java packaged into the installer is: java version "1.8.0_121" Java(TM) SE Runtime Environment (build 1.8.0_121-b13) Cheers, L

Liam, PortSwigger Agent | Last updated: Mar 01, 2017 10:05AM UTC

Good job resolving your issue.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.