CONNECT request for plaintext resource fails
While testing Metasploit modules during module development, I will often try to pass the HTTP requests Metasploit is making through Burp. However, when Metasploit is interacting with a plaintext resource (no SSL), then proxying through Burp doesn't work. Only proxying data through Burp Suite to an SSL-enabled port will allow me to successfully proxy the data.
I have determined that this is caused by Metasploit sending a CONNECT HTTP request (usually designated for SSL-enabled servers) even for port 80 plaintext HTTP servers. This isn't a bad thing, as the HTTP specification says that a CONNECT request MAY be sent before initiating any more plaintext HTTP requests. It isn't necessary that the server use SSL.
I believe this is a bug in Burp Suite. It seems to assume that CONNECT is intended for SSL, but that isn't necessarily the case, per the HTTP specification. Because of this, proxying plaintext HTTP requests through Burp doesn't work, only SSL-enabled HTTP requests.
Let me know if you have any questions or if this doesn't make sense.
Because of this, proxying plaintext HTTP requests from Metasploit through Burp doesn't work, only SSL-enabled HTTP requests.
Thanks for this report. We agree that supporting this situation would be ideal; however, this is non-trivial to implement in the Proxy request handling logic, and we're inclined not to do it since browsers and other user agents don't behave in this way.
Instead of configuring Metasploit to use Burp as its proxy, have you tried using invisible proxying? This way, Metasploit will send regular non-proxy requests to Burp, and it should handle them correctly.
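The thread turns on three request shapes an intercepting proxy can receive: a CONNECT whose tunnel then carries plaintext HTTP (what the report says Metasploit sends for port 80), a CONNECT whose tunnel carries a TLS handshake (what Burp assumes), and the origin-form request a client sends when the proxy is invisible (the suggested workaround). The following is an added example, not code from the thread, from Burp Suite or from Metasploit: it parses constructed request bytes and decides how a proxy should route each, including peeking at the first bytes after a CONNECT to tell a TLS record from a plaintext request line. Host names, ports and payload bytes are constructed sample values.

```python
"""Classify what a client is asking an intercepting proxy to do.

Added example (not Burp's or Metasploit's code). The request bytes below are
constructed; nothing here touches the network.
"""
import re
from urllib.parse import urlsplit

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
# A TLS record starts with content type 22 (handshake) and major version 3.
TLS_RECORD_HANDSHAKE = b"\x16\x03"


def split_head(data: bytes):
    """Return (request-line match, lower-cased header dict, bytes after the blank line)."""
    m = REQUEST_LINE.match(data)
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return m, headers, rest


def host_port(authority: str, default_port: int):
    """Split 'host:port' (no IPv6 literal support in this example)."""
    host, _, port = authority.rpartition(":")
    if host and port.isdigit():
        return host, int(port)
    return authority, default_port


def classify(data: bytes) -> dict:
    """Decide proxy mode, target and what protocol the forwarded bytes carry."""
    m, headers, rest = split_head(data)
    method, target = m.group(1).decode(), m.group(2).decode()

    if method == "CONNECT":
        # CONNECT only names a host:port; the tunnel may carry anything, so the
        # proxy must look at the first tunnelled bytes rather than assume TLS.
        host, port = host_port(target, 443)
        if rest.startswith(TLS_RECORD_HANDSHAKE):
            inner = "tls"
        elif REQUEST_LINE.match(rest):
            inner = "plaintext-http"
        elif rest == b"":
            inner = "unknown"  # must wait for the first tunnel bytes
        else:
            inner = "other"
        return {"mode": "connect-tunnel", "host": host, "port": port, "inner": inner}

    if target.startswith("http://") or target.startswith("https://"):
        # Absolute-form target: an explicit forward-proxy request.
        u = urlsplit(target)
        default = 443 if u.scheme == "https" else 80
        inner = "tls" if u.scheme == "https" else "plaintext-http"
        return {"mode": "forward-proxy", "host": u.hostname, "port": u.port or default, "inner": inner}

    # Origin-form target: the client does not know about the proxy, so the
    # Host header is the only routing information (invisible proxying).
    host, port = host_port(headers.get("host", ""), 80)
    return {"mode": "invisible-proxy", "host": host, "port": port, "inner": "plaintext-http"}


# Constructed sample traffic (not captured from real tools).
CONNECT_PLAINTEXT = (
    b"CONNECT 203.0.113.10:80 HTTP/1.1\r\nHost: 203.0.113.10:80\r\n\r\n"
    b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
)
CONNECT_TLS = (
    b"CONNECT 203.0.113.10:443 HTTP/1.1\r\nHost: 203.0.113.10:443\r\n\r\n"
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # truncated TLS handshake record
)
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
ABSOLUTE_FORM = b"GET http://203.0.113.10/index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("CONNECT then plaintext", CONNECT_PLAINTEXT),
                          ("CONNECT then TLS", CONNECT_TLS),
                          ("origin-form (invisible)", ORIGIN_FORM),
                          ("absolute-form (forward proxy)", ABSOLUTE_FORM)]:
        print(f"{label:32} -> {classify(sample)}")
```

The `inner == "plaintext-http"` branch under CONNECT is the case the report describes: a proxy that instead hard-wires CONNECT to a TLS handshake will fail on the port-80 tunnel, while the origin-form branch shows why invisible proxying sidesteps the problem entirely, since no CONNECT is ever sent.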