Burp proxy10/23/2023 ![]() In this post, I want to show various techniques for configuring different CLI tools written in different languages to proxy their HTTP(S) traffic through Burp Suite - even if the tools themselves don’t offer easy proxy settings. With this knowledge, I was able to automate certain things that were not possible through their vanilla CLI or the published API docs. In the past, I have even proxied the CLI tools provided by a commercial security tool we used and learned about some undocumented APIs and behaviors that were not in their documentation. I have used these techniques to inspect popular CLI tools like the Azure CLI ( az) and Zeit’s now utility. If a CLI tool is not working as expected and the error messages are unhelpful, the problem can become obvious as soon as you look at the actual HTTP requests and responses it’s making/receiving. A lot of CLI tools for popular services are just making HTTP requests, and being able to inspect and/or modify this traffic is really valuable. However, I often want/need to inspect traffic that comes from other tools besides browsers - most notably command line tools. The general use case for a tool like Burp or mitmproxy is to configure a browser to communicate through it, and there are plenty of write-ups and tutorials on how to configure Firefox, Chrome, etc to talk to Burp Suite and to trust the Burp self-signed Certificate Authority. It can be extremely helpful to look “under the hood” at actual HTTP requests being made to make sense of complex APIs or to test that one of my scripts or tools is working correctly. I actually find myself using Burp more for debugging and learning than for actual pentesting nowadays. Intercepting HTTP proxies such as Burp Suite or mitmproxy are extremely helpful tools - not just for pentesting and security research but also for development, testing and exploring APIs. Trusting the Proxy Certificate at the OS Level.Domain name resolution - This setting determines how often Burp re-performs successful domain name look-ups.Burp waits for the specified interval before determining that the transmission is complete. Open-ended responses - Used where a response that does not contain a Content-Length or Transfer-Encoding HTTP header is being processed.This setting determines how long Burp waits before abandoning a request and recording a timeout. Normal - Used for most network communications.This setting determines how long Burp waits for a response after opening a socket, before deciding that the server is unreachable. Connect - Used when connecting to a server.You can specify the timeout thresholds that Burp uses when performing various network tasks: If you select Override options for this project only, the selected settings only apply to the current project. The Platform authentication settings can apply at both user and project level. ![]() If you select Prompt for credentials on platform authentication failure, then Burp displays an interactive popup whenever it encounters an authentication failure. You can also Edit and Remove credentials from the list if required.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |