Burp Suite
Burp Suite is a very useful platform for application security analysis. Burp is written in Java and can be run on most platforms, it includes both a free and commercial version. It includes a proxy server that allows you to configure your browser or mobile application for traffic interception.
In this post we will go through the steps for configuring burp to intercept traffic on a mobile device.
Configure Burp Proxy Listener
Once you open Burp - go to the Proxy tab and the Options. Click on the add button and set the 'Bind to port' to 8080. Then select All interfaces.
Configure Mobile Device/ Emulator
In your Android device or emulator go to 'Settings' and Wi-Fi (ensuring that you are connected).
Next hold down on the network button until you see a menu with either 'Forget network' or 'Modify network'.
When you select 'Modify network' the menu below will open , check the 'Show advanced options' checkbox. Change the Proxy settings to 'Manual' and enter the IP address in the Proxy hostname field of the computer that is running burp. In the 'Proxy port' field enter the port that burp is listening on e.g. 8080.
Intercept Traffic
To test that we can intercept the traffic, open up a mobile application and perform an action. In the screenshot below we are logging into the Insecure Bank app.
Before hitting the Login button go to the 'Proxy Intercept' tab in burp and ensure that intercept is on.
Once you submit the request you should see the traffic in the intercept pane.
Installing Burp CA Certificate
In this example the mobile application is sending traffic over HTTP - if the application is using SSL/TLS the you will have to install the burp CA certificate on the device.
On the emulator open a browser and naviagte to http://burp. Then click on CA Certificate to install.
If you open the file manager you will see the cert under 'Downloads'.
Once you double click on the cert you will be prompted to name it. You can enter any name here and click Ok.
In Settings click on the the 'Security' tab, then and then 'Credential Storage'. You should then see the cert under User
You should now be able to intercept any traffic being transmitted over HTTPS without getting any security warnings..
References: https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device
No comments:
Post a Comment