Task 1
Handling Multiple Proxies
1. How MITM Proxy Works
```
Browser --> Proxy (Burp/ZAP) --> Target Server
```
The proxy intercepts HTTPS like this:
1. The browser sends a CONNECT request for target:443 to the proxy.
2. The proxy opens its own TLS connection to the target and receives the real certificate.
3. The proxy generates a certificate for the requested hostname, signed by its own CA (one per host, cached).
4. The browser accepts that certificate only if the proxy CA is in its trust store; otherwise it shows a certificate warning, or a hard failure on HSTS sites.
5. The proxy now terminates two TLS sessions and sees the plaintext between them, so it can read and modify the traffic.
2. Burp Suite CA Certificate Installation
2.1 Export Certificate
```sh
# Method 1: browser, with the proxy already enabled so that http://burpsuite is answered by Burp
#   Navigate to http://burpsuite → click "CA Certificate" → saves cacert.der
# Method 2: CLI, same endpoint
curl -x http://127.0.0.1:8080 http://burpsuite/cert -o cacert.der
# Method 3: Burp UI: Proxy → Proxy settings (Proxy → Options in older versions)
#   → Import / export CA certificate → Certificate in DER format
# Sanity check before trusting the file: the subject is "PortSwigger CA" and the
# fingerprint must be identical before and after the DER→PEM conversion below
openssl x509 -inform DER -in cacert.der -noout -subject -fingerprint -sha256
```
2.2 System-Wide Installation
Linux
```sh
# Convert DER to PEM
openssl x509 -inform DER -in cacert.der -out burp-ca.pem
# Debian/Ubuntu: update-ca-certificates only picks up *.crt files from this directory
sudo cp burp-ca.pem /usr/local/share/ca-certificates/burp-ca.crt
sudo update-ca-certificates
# Fedora/RHEL
sudo cp burp-ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# Scope: this covers OpenSSL/GnuTLS-based tools (curl, wget, git, ...). Firefox and
# Chrome on Linux keep their own NSS stores, Java tools use the JVM's cacerts, and
# Python requests ships its own certifi bundle (point it at the CA with
# REQUESTS_CA_BUNDLE=/path/to/burp-ca.pem). Remove the file and rerun the update
# command when the engagement ends.
```
macOS
```sh
# Convert and install into the System keychain as a trusted root (asks for an admin password)
openssl x509 -inform DER -in cacert.der -out burp-ca.pem
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain burp-ca.pem
# Safari and Chrome read the keychain; Firefox does not (see 2.3)
```
Windows
Double-click cacert.der → Install Certificate → Local Machine → Place all certificates in the following store → Trusted Root Certification Authorities
Edge and Chrome use the Windows store, so this is enough for them; Firefox does not (see 2.3).
2.3 Browser-Specific Installation
Firefox
Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import → select cacert.der → check "Trust this CA to identify websites"
Firefox keeps its own certificate store on every OS, so the system-wide install in 2.2 is not seen unless security.enterprise_roots.enabled is set to true in about:config.
Chrome
Settings → Privacy and Security → Security → Manage Certificates → Authorities → Import → select cacert.der
On Windows and macOS this dialog manages the OS store, so the system-wide install already covers Chrome. On Linux Chrome uses the NSS database in ~/.pki/nssdb, which is what this dialog writes to.
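To make sections 1 and 2 concrete, here is an added example (my code, not from the course page or from PortSwigger) that uses openssl alone. It plays the proxy by creating a CA and minting a certificate for a hostname, shows that a client accepts that certificate only when the CA is trusted and only for that hostname, then walks the DER export, the PEM conversion and the post-install check against a trust bundle. The CA subject, the hostname target.example and every file name are assumptions for the demo; the bundle file stands in for /etc/ssl/certs/ca-certificates.crt.

```sh
#!/bin/sh
# Added example, not code from the course page or from PortSwigger: reproduces
# with plain openssl what sections 1 and 2 describe. The CA subject, the
# hostname target.example and all file paths are constructed for the demo.
set -eu
WORK="$(mktemp -d)"

# ---- Section 1: what the intercepting proxy does ---------------------------
# The proxy's own CA (stands in for Burp's per-install CA). An explicit config
# is used so the result is a real CA certificate on every OpenSSL version.
make_proxy_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Intercepting CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 3: mint a leaf for the hostname the client asked for, signed by the
# proxy CA. The SAN must carry that hostname or the client rejects it.
issue_leaf() {   # issue_leaf HOST  -> $WORK/HOST.pem
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/ca.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$1" \
        > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Step 4, client side: chain + hostname check against an explicit trust file.
# Exit 0 is what a browser with the proxy CA installed does.
leaf_trusted() {   # leaf_trusted CERT HOST CAFILE
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}
# Same check against the system store only: a browser before the CA install.
leaf_trusted_by_system() {   # leaf_trusted_by_system CERT HOST
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# ---- Section 2: export, convert, check the install --------------------------
# Burp hands its CA out as DER (cacert.der); export ours the same way.
export_der() {
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/cacert.der"
}
# The conversion from the Linux/macOS install steps.
der_to_pem() {   # der_to_pem IN.der OUT.pem
    openssl x509 -inform DER -in "$1" -out "$2"
}
# SHA-256 fingerprint in either encoding; it must not change across conversion.
fingerprint() {   # fingerprint CERT [DER|PEM]
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# After update-ca-certificates / update-ca-trust the CA must validate against
# the system bundle; a self-signed CA verifies only if that exact cert is in it.
ca_in_bundle() {   # ca_in_bundle CA.pem BUNDLE.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ---- Demo ------------------------------------------------------------------
make_proxy_ca
issue_leaf target.example
leaf_trusted "$WORK/target.example.pem" target.example "$WORK/ca.pem" \
    && echo "CA trusted:       leaf for target.example accepted"
leaf_trusted_by_system "$WORK/target.example.pem" target.example \
    || echo "CA not installed: leaf rejected (the browser warning before section 2)"
leaf_trusted "$WORK/target.example.pem" other.example "$WORK/ca.pem" \
    || echo "wrong hostname:   leaf rejected even with the CA trusted"

export_der
der_to_pem "$WORK/cacert.der" "$WORK/burp-ca.pem"
echo "fingerprint (DER): $(fingerprint "$WORK/cacert.der" DER)"
echo "fingerprint (PEM): $(fingerprint "$WORK/burp-ca.pem")"

# Constructed stand-in for the system bundle, before and after the install step.
cp "$WORK/target.example.pem" "$WORK/bundle.pem"
ca_in_bundle "$WORK/burp-ca.pem" "$WORK/bundle.pem" || echo "before install: CA not in bundle"
cat "$WORK/burp-ca.pem" >> "$WORK/bundle.pem"
ca_in_bundle "$WORK/burp-ca.pem" "$WORK/bundle.pem" && echo "after install:  CA in bundle"
```

The two negative cases are the ones worth remembering: the same leaf is rejected when the CA is not in the store and when the requested hostname is not in its SAN, which is exactly why a proxy must mint a certificate per host and why the CA install has to land in the store the client actually consults.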
3. Proxy Configuration
3.1 System-Wide Proxy
Linux
```sh
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080
export no_proxy=localhost,127.0.0.1
# Some tools read only the upper-case names (HTTPS_PROXY, NO_PROXY); curl reads both,
# except that it deliberately ignores upper-case HTTP_PROXY. Export both forms if in doubt.
# Desktop browsers ignore these variables: set the proxy in the browser (or FoxyProxy)
# or in the desktop's network settings.
# Persistent (remove these lines when the engagement ends)
echo 'export http_proxy=http://127.0.0.1:8080' >> ~/.bashrc
echo 'export https_proxy=http://127.0.0.1:8080' >> ~/.bashrc
echo 'export no_proxy=localhost,127.0.0.1' >> ~/.bashrc
```
macOS
```sh
# System Settings → Network → Wi-Fi → Details → Proxies
#   Web Proxy (HTTP):         127.0.0.1:8080
#   Secure Web Proxy (HTTPS): 127.0.0.1:8080
# CLI: the service name must match one from `networksetup -listallnetworkservices`
networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8080
networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8080
# Turn off afterwards with -setwebproxystate "Wi-Fi" off and -setsecurewebproxystate "Wi-Fi" off
```
Windows
Settings → Network & Internet → Proxy → Manual proxy setup → Address: 127.0.0.1, Port: 8080
This is the per-user WinINET setting that browsers and most applications use.
```powershell
# CLI (cmd or PowerShell): sets the WinHTTP proxy used by system services and
# WinHTTP-based software; it does NOT route browsers, which follow the setting above
netsh winhttp set proxy 127.0.0.1:8080
# Undo
netsh winhttp reset proxy
```
3.2 Tool-Specific Proxy
```sh
# curl (-k skips verification; --cacert burp-ca.pem keeps it on and still works through Burp)
curl -x http://127.0.0.1:8080 -k https://target.com
# wget: there is no --proxy=on option; enable with use_proxy and set https_proxy too,
# otherwise HTTPS requests bypass Burp
wget -e use_proxy=yes -e http_proxy=http://127.0.0.1:8080 -e https_proxy=http://127.0.0.1:8080 \
     --no-check-certificate https://target.com
# sqlmap
sqlmap -u "https://target.com/page?id=1" --proxy=http://127.0.0.1:8080
# nuclei
nuclei -u https://target.com -proxy http://127.0.0.1:8080
# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
# nikto
nikto -h https://target.com -useproxy http://127.0.0.1:8080
```
```python
# Python requests: uses its own certifi bundle, not the system store, so verify=False
# (or verify="burp-ca.pem", which keeps verification on) is needed even after section 2
import requests

proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
requests.get("https://target.com", proxies=proxies, verify=False)
```
4. Mobile Device Proxy Configuration
4.1 Android
```sh
# Wi-Fi proxy (Burp's listener must be bound to the LAN interface, not only 127.0.0.1)
Settings → Wi-Fi → long-press the network → Modify network → Advanced
  → Proxy: Manual → Proxy hostname: [Burp machine IP] → Proxy port: 8080

# Install the CA into the user store
Settings → Security → Encryption & credentials → Install from storage (Install a certificate → CA certificate on newer releases) → select burp-ca.pem

# Apps targeting Android 7+ (API 24) trust only the system store by default, so the
# user-store install above helps for browsers and older apps but not for most targets:
# Option 1: root the device and install the CA as a system cert
#           (/system/etc/security/cacerts/<subject_hash_old>.0; on Android 10+ /system
#           is read-only, so use a Magisk module or a tmpfs overlay of that directory)
# Option 2: repackage the APK with a network_security_config.xml that adds
#           <certificates src="user" /> to the trust anchors, then re-sign it
# Option 3: hook the TrustManager / pinning checks at runtime with Frida or Objection
```
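The two file-level chores behind options 1 and 2, as an added example (my code, not from the course page): computing the file name the Android system store expects for the CA, and dropping a network_security_config.xml into an unpacked APK and wiring it into the manifest. The package name com.target.app, the manifest, the unpacked directory and the CA are all constructed; the adb, apktool and apksigner steps are shown but only the offline parts run here.

```sh
#!/bin/sh
# Added example, not code from the course page: the file-level work behind
# options 1 and 2 for Android 7+. com.target.app, the manifest, the unpacked
# directory and the CA are constructed; apktool/adb steps are shown, not run.
set -eu

# Option 1 (rooted device). The system store /system/etc/security/cacerts/
# expects the CA stored as <subject_hash_old>.0.
system_cert_name() {   # system_cert_name burp-ca.pem  -> <8 hex chars>.0
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash_old -in "$1")"
}

# Push it with adb (needs a rooted device). On Android 10+ /system cannot be
# remounted writable; use a Magisk module or shadow the directory with a tmpfs
# (copy the existing certs out, mount -t tmpfs over it, copy them back plus ours).
install_system_cert() {   # install_system_cert burp-ca.pem
    name="$(system_cert_name "$1")"
    cp "$1" "$name"
    adb root && adb remount
    adb push "$name" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$name"
}

# Option 2 (no root). Add a network security config that trusts the user store
# to the APK unpacked with: apktool d target.apk -o "$APK_DIR"
write_network_security_config() {   # write_network_security_config APK_DIR
    mkdir -p "$1/res/xml"
    cat > "$1/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Point <application> at it. If the app already declares a config (often the
# one holding its pin-set), the reference is replaced, which also drops those
# pins. Prints how many references the manifest has afterwards (expect 1).
patch_manifest() {   # patch_manifest APK_DIR
    m="$1/AndroidManifest.xml"
    if grep -q 'android:networkSecurityConfig=' "$m"; then
        sed -i.bak 's#android:networkSecurityConfig="[^"]*"#android:networkSecurityConfig="@xml/network_security_config"#' "$m"
    else
        sed -i.bak 's#<application#<application android:networkSecurityConfig="@xml/network_security_config"#' "$m"
    fi
    grep -c 'android:networkSecurityConfig="@xml/network_security_config"' "$m"
}
# Then rebuild, align, sign and install:
#   apktool b "$APK_DIR" -o patched.apk && zipalign -p 4 patched.apk aligned.apk
#   apksigner sign --ks ~/.android/debug.keystore aligned.apk && adb install aligned.apk

# ---- Demo on a constructed manifest ----------------------------------------
APK_DIR="$(mktemp -d)"
cat > "$APK_DIR/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.target.app">
    <application android:label="Target" android:allowBackup="false">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
EOF
write_network_security_config "$APK_DIR"
echo "config references after patch: $(patch_manifest "$APK_DIR")"
grep -o '<application[^>]*>' "$APK_DIR/AndroidManifest.xml"

# Constructed CA so the option-1 file name can be shown without a Burp install.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Constructed CA\n' > "$APK_DIR/ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$APK_DIR/ca.cnf" \
    -keyout "$APK_DIR/ca.key" -out "$APK_DIR/ca.pem" 2>/dev/null
echo "system store file name: $(system_cert_name "$APK_DIR/ca.pem")"
```

patch_manifest is idempotent, so it can be rerun after apktool decodes a fresh copy; check its output is 1, because a manifest that ends up with no reference means the app keeps ignoring the user store, and one that keeps the app's original reference keeps the app's pins.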
4.2 iOS
```sh
# Wi-Fi proxy
Settings → Wi-Fi → tap (i) on the network → HTTP Proxy → Manual
  Server: [Burp machine IP]   Port: 8080

# Install the CA (in Safari, with the proxy already set so http://burpsuite is answered by Burp)
Browse to http://burpsuite → CA Certificate → Allow (the profile is downloaded)
Settings → General → VPN & Device Management → install the downloaded profile
Settings → General → About → Certificate Trust Settings → enable full trust for the CA
# The last step is mandatory: without it the root is installed but not trusted.
```
5. Dealing with Certificate Pinning
```sh
# Android - Frida (Frida 16+ resumes the spawned app by itself and dropped --no-pause;
# older releases pause the app after spawn unless --no-pause is given)
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause
# Android - Objection (the second line is typed inside the REPL it opens;
# "ios sslpinning disable" is the iOS counterpart)
objection -g com.target.app explore
android sslpinning disable
# iOS - SSL Kill Switch 2 (jailbroken device; install from Cydia/Sileo, enable it in Settings)
# iOS - Frida
frida -U -f com.target.app -l ios_ssl_bypass.js --no-pause
# ssl_pinning_bypass.js / ios_ssl_bypass.js are placeholders for whatever bypass script
# you use (e.g. one from Frida CodeShare). They hook the TLS / TrustManager verification
# routines and force them to report success.
# Install the CA (section 4) first and unpin only what still fails: a bypass hides
# which check rejected you, and some scripts hook only the pin check, not trust evaluation.
```
6. SSL/TLS Handshake Analysis
```sh
# View the certificate details (</dev/null closes the session once the handshake is done)
openssl s_client -connect target.com:443 -servername target.com </dev/null
# Check the chain as the server sends it
openssl s_client -connect target.com:443 -servername target.com -showcerts </dev/null
# Test a specific TLS version (-tls1_3 needs OpenSSL 1.1.1 or later)
openssl s_client -connect target.com:443 -tls1_2 </dev/null
openssl s_client -connect target.com:443 -tls1_3 </dev/null
# Enumerate supported ciphers
nmap --script ssl-enum-ciphers -p 443 target.com
# Comprehensive scans (three independent tools; any one is enough)
testssl.sh target.com
sslscan target.com
sslyze target.com
# Run these directly, not through Burp: via the proxy you are looking at Burp's generated
# certificate and Burp's TLS configuration, not the target's.
```
7. Upstream Proxies and Proxy Chains
```sh
# Burp → upstream proxy (e.g. a corporate egress proxy)
#   Project options → Connections → Upstream Proxy Servers
#   (Settings → Network → Connections → Upstream proxy servers in current Burp)
#   Destination host: *   Proxy host: corporate-proxy.com   Proxy port: 3128
# Burp → Tor: use the SOCKS proxy setting on the same page (127.0.0.1:9050, with
# "Do DNS lookups over SOCKS proxy") and let the client talk to Burp only.

# Proxy chaining with proxychains: for a tool that has no proxy option of its own.
# /etc/proxychains4.conf (or a per-run file passed with -f); with strict_chain the
# proxies are traversed in the listed order, client → first → second → target.
#   strict_chain
#   proxy_dns
#   [ProxyList]
#   http 127.0.0.1 8080      # Burp
# Do not list Tor (socks5 127.0.0.1 9050) before Burp here: the Tor exit would then try
# to reach 127.0.0.1:8080 on its own host. Burp's SOCKS setting above is the right place.
# proxychains works by LD_PRELOAD, so it cannot hook statically linked binaries (most
# Go tools such as nuclei and ffuf); use their own -proxy/-x flags instead.
proxychains4 curl https://target.com      # curl only as a test; it has -x itself
```
8. Common Issues and Troubleshooting
```sh
# Issue: "Connection refused"
# Fix:  Burp must be running and listening on the interface the client uses.
#       Proxy → Proxy settings → Proxy listeners (Proxy → Options in older versions):
#       127.0.0.1 for local tools, the LAN address for phones and other hosts.
#       Binding to all interfaces turns Burp into an open proxy for everyone on the
#       network (and exposes your traffic); prefer the specific interface, or firewall
#       the port to the test device.

# Issue: "Certificate not trusted" / "Your connection is not private"
# Fix:  install the Burp CA in the store the client actually uses: the system store
#       for curl/Chrome/Safari, Firefox's own store, certifi for Python requests, the
#       JVM cacerts for Java tools. HSTS sites show a hard error with no bypass button
#       until the CA is trusted.

# Issue: "TLS handshake failed"
# Fix:  Project options → TLS (Settings → Network → TLS): use a custom protocol and
#       cipher list, or enable all protocols.

# Issue: "Proxy timeout"
# Fix:  raise the timeouts under Project options → Connections → Timeouts
#       (Settings → Network → Connections).

# Issue: "Application works without the proxy but not through it"
# Fix:  check for certificate pinning (section 5), non-HTTP protocols (raw TCP/UDP,
#       QUIC) that Burp cannot proxy, or a client that ignores proxy settings and
#       connects directly. WebSockets are supported but appear in their own history tab.

# Issue: "Mobile app not proxying"
# Fix:  device and Burp machine on the same network; listener bound to that
#       interface; host firewall allowing 8080/tcp; proxy set on the specific Wi-Fi
#       network (mobile proxy settings are per network). Apps that ignore the Wi-Fi
#       proxy need an on-device VPN-based interceptor or a transparent redirect.
```