Burp Suite User Forum


Burp's CA certificate was blocked from server

Relo | Last updated: Jul 19, 2018 05:10PM UTC

I'm having a problem creating an API for my application: https://imgur.com/a/gFxGTZQ

- In the above image I used the same request in Burp Suite and Postman. Postman works and Burp Suite does not.
- When I use Burp Suite to sniff this app on my phone I get the same problem, but when I remove the Burp Suite proxy it works normally.

Previously Burp Suite was working normally, but maybe because I sent too many requests, I thought they had blocked the Burp Suite certificate. How can I bypass it? Have they blocked Burp's CA certificate? Sorry for my bad English. Thanks

Liam, PortSwigger Agent | Last updated: Jul 20, 2018 09:35AM UTC

It seems unlikely that the server could block Burp's certificate. Does the application use Platform Authentication, a Client SSL Certificate or Certificate Pinning?

Burp User | Last updated: Jul 21, 2018 03:21AM UTC

Previously I could still use Burp Suite to sniff requests. They don't use Platform Authentication.

Burp User | Last updated: Jul 21, 2018 11:00AM UTC

Can I create a similar Burp Suite certificate? How do I make it?

Liam, PortSwigger Agent | Last updated: Jul 23, 2018 10:49AM UTC

You can generate your own certificate via the Proxy > Options tab. However, we don't think this is the issue in this case. It may be that the session ID can only be used once. How have you configured Postman to proxy via Burp? Are you able to proxy any traffic from Postman via Burp?

Burp User | Last updated: Jul 25, 2018 05:18PM UTC

You were correct. They don't block the Burp Suite certificate. I'm sure the session ID is not the problem: https://imgur.com/a/bHhV6Rp

I configured Postman to proxy via Burp -> not working
I removed the Burp proxy -> working

I don't know how they can block Burp Suite. How does the Burp Suite proxy work? Does Burp Suite work just like a proxy server? Or does Burp Suite intercept the request and then use a Java request library to fake it?

PortSwigger Agent | Last updated: Jul 27, 2018 01:10PM UTC

Hi Relo,

One other thing to try: in Proxy > Options > Miscellaneous, turn off "Set 'Connection: close' on incoming requests". You may want to fiddle with some other options there also.

I also can't see how they are blocking Burp. Burp works just like a proxy server and uses its own HTTP stack, with Java networking to communicate with the server. You could potentially try putting another proxy in between, such as ZAP or mitmproxy.
