Avoiding Common Issues with Burp Suite

This post describes the key points of configuring Burp Suite in a suitable environment so that traffic can be intercepted successfully.

First of all, you have to decide which version of Burp Suite you are going to install (this post covers 1.7.05).

Before running the Jar file you need Java Runtime Environment (JRE) 1.7 installed in the OS (older versions might work but are not recommended).

The Jar file can be executed directly by double clicking it, or you can change to its location in CMD and run the following command:

java -jar Burploader.jar

Here we assume that you are familiar with the basics of configuring Burp Suite with a browser for interception.

Now, there are many issues that users face while intercepting SSL websites in the browser, such as:

  • The client failed to negotiate an SSL connection to [ … ] Received fatal alert: unknown_ca
  • Secure Connection Failed
  • Handshake issues – javax.net.ssl.SSLException: Received fatal alert: handshake_failure
  • Weak ephemeral Diffie-Hellman key – ssl_error_weak_server_ephemeral_dh_key

The above issues can be mitigated with the following solutions:

  1. Use a compatible JRE version (most critical).
  2. Install Burp's CA certificate into the browser (see the Certificate Installation Guide).
  3. Set the browser to use the same proxy as Burp Suite (use localhost in the browser and in the Burp proxy listener).
  4. Configure the SSL Negotiation tab under Project Options properly:
    1. You can check “Allow unsafe SSL negotiations”.
    2. You can check “Automatically select compatible SSL parameters on negotiation failure”.
  5. If you are facing the Diffie-Hellman key issue, open the browser's about:config page and set the following preferences to False:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha
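Steps 1, 3 and 5 above are all things you can check mechanically before starting an intercept session. The script below is an added example (not part of the original post or of Burp Suite) that parses the output of java -version and a Firefox prefs.js file and reports which of those checks fail. It assumes Firefox (the about:config step implies it), the standard Firefox preference names network.proxy.type, network.proxy.http / http_port and network.proxy.ssl / ssl_port, and a Burp listener on 127.0.0.1:8080; the sample java -version output and prefs.js content are constructed for the example.

```python
import re

# Constructed sample of `java -version` output (Java writes it to stderr).
SAMPLE_JAVA_VERSION_OUTPUT = '''java version "1.8.0_292"
Java(TM) SE Runtime Environment (build 1.8.0_292-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.292-b10, mixed mode)
'''

# Constructed sample of a Firefox prefs.js; only non-default prefs appear in this file.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8081);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", true);
'''

# Preferences the post says to set to False for the weak-DH error.
DHE_PREFS = ("security.ssl3.dhe_rsa_aes_128_sha", "security.ssl3.dhe_rsa_aes_256_sha")


def parse_java_major(output):
    """Return the Java major release from `java -version` output.
    Handles the legacy scheme ("1.7.0_80" -> 7) and the modern one ("11.0.2" -> 11)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', output)
    if not m:
        raise ValueError("no java version string found")
    first = int(m.group(1))
    if first == 1 and m.group(2):   # legacy "1.x" numbering
        return int(m.group(2))
    return first


PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of str / bool / int values."""
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw)
    return prefs


def preflight(java_output, prefs_text, listener_host="127.0.0.1", listener_port=8080):
    """Return a list of problems found; an empty list means steps 1, 3 and 5 are satisfied."""
    problems = []

    # Step 1: the post recommends JRE 1.7 for Burp 1.7.05; flag anything newer.
    major = parse_java_major(java_output)
    if major > 7:
        problems.append("JRE is Java %d; the post recommends JRE 1.7 for Burp 1.7.05" % major)

    prefs = parse_prefs(prefs_text)

    # Step 3: browser must use manual proxy settings that match the Burp listener.
    if prefs.get("network.proxy.type") != 1:
        problems.append("browser is not set to manual proxy configuration (network.proxy.type != 1)")
    for scheme in ("http", "ssl"):
        host = prefs.get("network.proxy.%s" % scheme)
        port = prefs.get("network.proxy.%s_port" % scheme)
        if (host, port) != (listener_host, listener_port):
            problems.append("%s proxy is %s:%s but the Burp listener is %s:%d"
                            % (scheme, host, port, listener_host, listener_port))

    # Step 5: the DHE prefs default to true, so a missing entry counts as not applied.
    for pref in DHE_PREFS:
        if prefs.get(pref, True) is not False:
            problems.append("%s is not false (weak-DH workaround not applied)" % pref)

    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_JAVA_VERSION_OUTPUT, SAMPLE_PREFS_JS):
        print("PROBLEM:", problem)
```

To run it against a live setup, feed preflight() the stderr of subprocess.run(["java", "-version"], capture_output=True, text=True) and the contents of prefs.js from the Firefox profile directory (the browser must be closed so the file is up to date). Only the weak-DH check depends on prefs that default to true, which is why a missing entry is treated as a failure there but not elsewhere.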

I hope these solutions improve your experience of using the awesome Burp Suite tool. Please let me know if I can improve any part of this technical write-up or consolidate more solutions for day-to-day issues with Burp.
