I am a novice to web pentesting. I have a question. Please suggest.
Say I have an HTTPS URL and I have set all the HTTP requests to be accessed via the Burp proxy configuration. In a generic case, if we are accessing the URL from a client like Firefox, we know that we may hit security exceptions for multiple domains and we need to add a security exception for each of those. Once past the security exceptions, we can access the URL, and the user name and password can be accessed via Burp (by setting intercept to ON).
1) If we are able to access the web app after adding security exceptions for multiple domains, does it mean that the web app has not handled security issues correctly?
2) Also, should the client (like Firefox) or the server on which the web app is running handle such security issues?
What you are talking about affects your web browser and is not indicative of security configurations in the web app you are looking at. Because Burp is proxying the SSL, it needs to respond with a certificate to see the traffic. Otherwise, you would only be tunneling encrypted traffic that you could not intercept and view.
Your browser sees that the certificate is not valid for the site you are trying to visit and presents you with the warning.
You can avoid having to add the security exceptions each time by configuring Burp's CA certificate. Instructions are here: https://portswigger.net/burp/help/proxy_options_installingCAcert.html
Essentially, you will browse to http://burp while configured to go through the Burp proxy. There, you will download the certificate and then follow the linked instructions above to import it into your browser.
Have fun.
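The warning the answer describes can be reproduced with openssl. This is an added example, not from the original post or from PortSwigger: a throwaway "interception CA" stands in for Burp's CA (the CA name and the hostname `target.example` are constructed), it signs a leaf certificate the way the proxy does for each site, and the leaf is verified once against the default trust store (the browser's exception prompt) and once with the CA supplied (what importing Burp's CA achieves). It assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: why the browser warns behind an intercepting proxy, and why
# importing the proxy's CA removes the warning. Uses a throwaway CA, not Burp's.
set -e
WORK="$(mktemp -d)"
HOST="target.example"   # constructed hostname, not a real site

# 1. Interception CA: the role Burp's CA plays. Nothing trusts it by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Interception CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Leaf certificate the proxy would present for $HOST, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null

# Who issued the certificate the "browser" received? Not a public CA.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

# Verification against the default trust store: this is the security exception
# Firefox asks you to add for every domain.
verify_default() {
  if openssl verify "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Verification with the interception CA supplied: the effect of importing
# Burp's CA certificate into the browser.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "issuer:        $(leaf_issuer)"
echo "default store: $(verify_default)"
echo "with CA file:  $(verify_with_ca)"
```

The same two outcomes apply to the real proxy: every site is "untrusted" until the browser has Burp's CA, and the web app never sees any of it.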