
How to configure Burp Suite Community v1.7.36 to capture both http and https traffic on Windows 8?


How to configure Burp Suite Community v1.7.36 to capture both http and https traffic?

Test Environment:

  • OS: Windows 8 Pro
  • Browser: Google Chrome v68.0
  • Burp Proxy: burpsuite_community_windows-x64_v1_7_36.exe

Followed @PortSwigger's amazing video to configure the Browser to work with Burp as follows:

  • Burp Configuration Snapshot:

Proxy_Options

  • The browser configuration includes settings for HTTP, Secure and FTP.

  • Browser Proxy Settings Snapshot:

Proxy_Settings

Now when I manually try to invoke an http-based URL, e.g. http://testng.org/doc/maven, the Proxy properly intercepts the http GET request and I can capture the following:

GET /doc/maven.html HTTP/1.1
Host: testng.org
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://testng.org/doc/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __utmz=37447461.1527604986.1.1.utmccn=(referral)|utmcsr=stackoverflow.com|utmcct=/|utmcmd=referral; __utmc=37447461; __utma=37447461.2068459366.1527604986.1535975911.1535984412.9; __utmb=37447461
Connection: close

But when I try to invoke an https-based URL, e.g. https://www.facebook.com/, I am facing the "Your connection is not private" page.

https_facebook_com

Though the Browser Configuration includes settings for HTTP and Secure, is there any other configuration needed to access https-enabled sites?


Solution

  • @PortSwigger's comment was in the right direction solving the issue.

    To configure Burp Suite Community v1.7.36 to capture both http and https traffic you need to install Burp's certificate in your browser following the documentation.

    Steps

    • Configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting). Then use the links below for help on installing Burp's CA certificate in different browsers:

    • Chrome

      • The Chrome browser picks up the certificate trust store from your host computer. By installing Burp's CA certificate in your computer’s built-in browser (e.g. Internet Explorer on Windows, or Safari on OS X), Chrome will automatically make use of the certificate.

      • You can access your system's certificate trust store at Chrome settings > HTTPS/SSL. Or you can follow the relevant instructions for your built-in browser:

      • Windows: Internet Explorer >> Installing Burp's CA Certificate in Internet Explorer

      • When the Burp CA certificate has been installed for your built-in browser, restart Chrome and you should be able to visit any HTTPS URL via Burp without any security warnings.

    • Internet Explorer

      • With Burp running, visit http://burp in IE and click the "CA Certificate" link to download and save your Burp CA certificate. Take note of where you save the Burp CA certificate.
      • You will be prompted with a message, click “Save”. The file “cacert.der” should now download.
      • You will be prompted with another message, click “Open” and a “Certificate” box will pop up.
      • Click “Install Certificate”.
      • In the “Certificate Import Wizard” dialog box click “Next”.
      • In the Certificate Import Wizard, select "Place all certificates in the following store" and click “Browse”.
      • In the “Select Certificate Store” window select "Trusted Root Certification Authorities" and click “OK”.
      • Complete the wizard by clicking “Next” followed by “Finish”.
      • Click "Yes" on the security warning. Close all dialogs and restart IE (no need to run as administrator).
      • If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings.
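
The Internet Explorer wizard steps above can also be scripted. The following PowerShell is an added example, not part of the original answer or of PortSwigger's documentation: it checks the downloaded cacert.der before trusting it, installs it for the current user only, and takes a -Remove switch to withdraw the trust once testing is finished. The save location in $DerPath and the -Remove switch are assumptions of this example.

```powershell
# Added example: scripted form of the certificate import wizard steps.
# Assumption: cacert.der was saved to the Downloads folder; adjust -DerPath.
param(
    [string]$DerPath = "$env:USERPROFILE\Downloads\cacert.der",
    [switch]$Remove   # hypothetical switch: pass -Remove after testing
)

# "Trusted Root Certification Authorities", scoped to the current user only
$store = 'Cert:\CurrentUser\Root'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DerPath

# Sanity-check the file before trusting it as a root:
# it must be marked as a CA and be self-signed.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $DerPath" }
if ($cert.Subject -ne $cert.Issuer)              { throw "Not self-signed: $($cert.Subject)" }

# Record these so the exact certificate can be identified and removed later.
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

$installed = Join-Path $store $cert.Thumbprint

if ($Remove) {
    # Withdraw the trust when the proxy is no longer in use.
    if (Test-Path $installed) { Remove-Item $installed; "Removed from $store" }
    else                      { "Not present in $store" }
    return
}

if (Test-Path $installed) {
    "Already trusted in $store"
} else {
    # Windows shows the same security warning as the wizard; answer "Yes".
    Import-Certificate -FilePath $DerPath -CertStoreLocation $store | Out-Null
    if (-not (Test-Path $installed)) { throw "Import failed or was declined" }
    "Installed into $store; restart Chrome/IE"
}
```

While the certificate is in the root store, any certificate signed by that CA is accepted by Chrome and IE for this user, so run the script again with -Remove when the testing session is over.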