Burp Suite can’t directly intercept HTTPS traffic without you explicitly telling your browser to trust its fake certificate.
Let’s get Burp Suite set up to intercept HTTPS traffic. This is crucial for understanding how web applications handle sensitive data over encrypted connections.
First, ensure Burp Suite is running. You’ll find its proxy listener active by default on 127.0.0.1:8080.
Next, we need to configure your browser to use Burp as its proxy. The exact steps vary slightly by browser, but the principle is the same: tell your browser to send all HTTP and HTTPS traffic to Burp’s listener.
For Firefox:
- Go to Settings -> General -> Network Settings (scroll to the bottom).
- Click Settings....
- Select Manual proxy configuration.
- For HTTP Proxy, enter 127.0.0.1 and port 8080.
- Check Use this proxy server for all protocols.
- Click OK.
For Chrome/Edge (and others using system proxy settings): These browsers typically use your operating system’s proxy settings.
- Windows: Settings -> Network & internet -> Proxy. Turn on Use a proxy server and enter 127.0.0.1 for the address and 8080 for the port.
- macOS: System Preferences -> Network -> select your active network interface (e.g., Wi-Fi) -> Advanced... -> Proxies. Check Web Proxy (HTTP) and Secure Web Proxy (HTTPS). Enter 127.0.0.1 for both servers and 8080 for both ports.
Once your browser is configured, try visiting any HTTPS website, like https://example.com. You should see the request appear in Burp Suite’s Proxy -> Intercept tab. If you don’t see anything, make sure the Intercept is on button is active (it should be red).
Now, the critical part for HTTPS: Burp needs to present a fake certificate to your browser, and your browser needs to trust it.
In Burp Suite, go to Proxy -> Options. Under Proxy Listeners, click Import / export CA certificate. Select Export -> DER. Save the certificate as cacert.der (or any name you prefer).
Next, you need to import this certificate into your browser’s trusted root certificate store.
Importing the Certificate:
- Firefox:
  - Go to Settings -> Privacy & Security -> Certificates (scroll to the bottom).
  - Click View Certificates....
  - Go to the Authorities tab.
  - Click Import....
  - Select the cacert.der file you exported from Burp.
  - Check Trust this CA to identify websites.
  - Click OK.
- Chrome/Edge (and others using system trust):
  - Open the certificate file (cacert.der) by double-clicking it.
  - Click Install Certificate....
  - Choose Current User or Local Machine (depending on your needs, usually Current User is fine). Click Next.
  - Select Place all certificates in the following store. Click Browse....
  - Choose Trusted Root Certification Authorities. Click OK.
  - Click Next, then Finish. You might get a security warning; click Yes to install.
After importing the certificate and ensuring your browser is set to use Burp as a proxy, refresh any HTTPS page you had open (or open a new one). You should now see the HTTPS traffic in Burp’s Proxy -> Intercept tab. If you see certificate errors in your browser, it means the certificate wasn’t imported correctly or your browser isn’t trusting it.
If you’re still having trouble, double-check your browser’s proxy settings. Sometimes, manually setting 127.0.0.1:8080 for both HTTP and HTTPS proxies in the browser (even if it says it uses system settings) can resolve issues, especially in environments where system proxy settings might be managed.
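To check both halves of this setup without a browser, here is an added example script (not part of the original page or of Burp Suite). It assumes Burp is listening on 127.0.0.1:8080 and that the exported cacert.der is in the working directory; it opens a CONNECT tunnel through Burp and attempts the TLS handshake twice, once with system trust only (what a browser without the import sees) and once with the Burp CA added.

```python
"""Probe an HTTPS host through Burp and report whether the certificate Burp
presents verifies. Added example; assumes cacert.der is in the CWD."""
import socket
import ssl
from pathlib import Path

PROXY = ("127.0.0.1", 8080)   # Burp's default listener
CA_DER = Path("cacert.der")   # assumed path of the file exported from Burp

def build_connect_request(host: str, port: int) -> bytes:
    """The HTTP CONNECT request a browser sends a proxy to open an HTTPS tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def connect_status(reply: bytes) -> int:
    """Status code from the proxy's answer to CONNECT (200 means the tunnel is open)."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def tls_context(ca_der: bytes, trust_burp: bool) -> ssl.SSLContext:
    """System trust store, optionally extended with the Burp CA (DER bytes).
    trust_burp=False mirrors a browser that has not imported the certificate."""
    ctx = ssl.create_default_context()
    if trust_burp:
        ctx.load_verify_locations(cadata=ca_der)   # cadata accepts DER as bytes
    return ctx

def probe(host: str, trust_burp: bool, port: int = 443) -> str:
    """Tunnel through Burp and say whether the presented certificate verifies."""
    ctx = tls_context(CA_DER.read_bytes(), trust_burp)
    with socket.create_connection(PROXY, timeout=10) as raw:
        raw.sendall(build_connect_request(host, port))
        reply = raw.recv(4096)
        if connect_status(reply) != 200:
            return "proxy refused CONNECT: " + reply.split(b"\r\n", 1)[0].decode()
        try:
            # Handshake with hostname check on; Burp's per-host cert must chain to the CA
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "verified; issuer CN=" + str(issuer.get("commonName"))
        except ssl.SSLCertVerificationError as err:
            return "rejected (what an untrusting browser shows): " + str(err.reason)

if __name__ == "__main__":
    print("system trust only:", probe("example.com", trust_burp=False))
    print("with Burp CA:     ", probe("example.com", trust_burp=True))
```

On Windows, Python's default context also reads the system root store, so the first probe may verify too once the certificate is installed there; Firefox keeps its own store, which is why it needs the separate import above.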
The next hurdle you’ll likely face is dealing with applications that use certificate pinning, where they expect a specific, known certificate and will reject Burp’s generated one.