Burp Suite User Forum


missing "Unencrypted communications"

Tiago | Last updated: Jul 02, 2017 06:33PM UTC

I perfectly understand the issue "Unencrypted communications" but I'm not sure how deterministically Burp is reporting this issue. What are the requirements for Burp to report this? I have done a lot of testing and the behaviour is not deterministic. I do an HTTP request in the browser and some sites get an Unencrypted communications issue, others don't. Are there any rules for this, like response code equal to 20X or no Strict-Transport-Security header?

PortSwigger Agent | Last updated: Jul 03, 2017 09:32AM UTC

The check detects unencrypted traffic that is not a redirect. If you access an HTTP site and it immediately redirects you to the HTTPS site, the issue is not raised. Does this explain the behavior you've observed?

Burp User | Last updated: Jul 10, 2017 01:31PM UTC

Actually I'm not really sure about what is happening because the issue does not include a request/response indicating which request is HTTP, and I'm injecting scan requests through the API so it might be possible that the scanner sees an HTTP response (maybe a redirect to HTTP). Can't you provide the HTTP request that triggers the vulnerability? I'm doing more tests to understand if there is a bug or it's me missing something. PS: should I receive an email with any reply to my post? I never get emails about my posts.

PortSwigger Agent | Last updated: Jul 10, 2017 01:33PM UTC

Hi Tiago, if you look in Target > site map and find the http version of the site, you can see all the unencrypted communication, and determine if there's anything sensitive. We'll have a think about including this in the issue report. There's a balance to be struck against overloading the report with information. You should get an email with support center updates. Maybe check your spam folder?

PortSwigger Agent | Last updated: Jul 10, 2017 01:41PM UTC

Hi Tiago, yes, it's a passive check based on responses. It won't trigger without some HTTP traffic. Are you sure there's nothing in site map? Perhaps you've got a filter enabled on that view that is concealing some requests? I sent you that notification email manually. Not sure why you're not getting them, as other Gmail users receive them just fine.

Burp User | Last updated: Jul 10, 2017 03:56PM UTC

I'm logging all requests Burp does in two ways: through processHttpMessage() and through the Logging feature, and I clearly see an Unencrypted Communications issue being reported without any HTTP request being made. Is this a passive check based on responses? This time (and only this time) I got the email, and yes, I've checked the spam folder. Thanks!
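A model of the rule the PortSwigger agent describes above (plaintext HTTP that does not immediately redirect to HTTPS, evaluated only on responses), written as an added example that is not Burp's own code. Hostnames and records are constructed sample data; the check is assumed to treat a relative Location header as keeping the request's plaintext scheme.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Message:
    """One proxied exchange as a response-based passive check sees it."""
    url: str
    status: Optional[int] = None      # None: no response has been received
    location: Optional[str] = None    # Location header of the response, if any


def is_https_redirect(msg: Message) -> bool:
    """True when the response is a 3xx redirect whose target is an HTTPS URL.

    A relative Location (e.g. "/login") carries no scheme, so a plaintext
    request redirected that way stays plaintext and is not exempted.
    """
    if msg.status is None or not 300 <= msg.status < 400 or not msg.location:
        return False
    return urlsplit(msg.location).scheme.lower() == "https"


def unencrypted_communications(messages: List[Message]) -> List[str]:
    """Return the URLs a passive 'Unencrypted communications' check would report.

    Only exchanges with a response are examined; a log of outgoing requests
    alone therefore cannot show why the issue was raised.
    """
    reported = []
    for msg in messages:
        if msg.status is None:                          # passive: needs a response
            continue
        if urlsplit(msg.url).scheme.lower() != "http":  # only plaintext requests
            continue
        if is_https_redirect(msg):                      # immediate upgrade: exempt
            continue
        reported.append(msg.url)
    return reported


# Constructed sample traffic (example.test is a reserved, non-routable name).
SAMPLE = [
    Message("http://example.test/", 301, "https://example.test/"),       # exempt
    Message("http://example.test/login", 200),                            # reported
    Message("http://example.test/old", 302, "http://example.test/new"),   # reported
    Message("http://example.test/rel", 302, "/new"),                      # reported
    Message("https://example.test/account", 200),                         # not plaintext
    Message("http://example.test/pending"),                               # no response
]

if __name__ == "__main__":
    for url in unencrypted_communications(SAMPLE):
        print("Unencrypted communications:", url)
```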
