Published on August 10th, 2012 | by NJ Ouchn
Burp Suite v1.4.12 in the wild with the support of Android SSL Analysis
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
- An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware spider, for crawling content and functionality.
- An advanced web application scanner, for automating the detection of numerous types of vulnerability.
- An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A repeater tool, for manipulating and resending individual requests.
- A sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
This release resolves a problem with proxying SSL connections from Android clients. When Android proxies SSL, it resolves the destination hostname locally, and issues a CONNECT request containing the host’s IP address. In earlier versions, Burp would then generate an SSL certificate with the IP address as its subject name, causing the Android client to show an SSL error, because the subject name on the certificate did not match the original hostname that Android had resolved.
Burp now behaves differently. If a CONNECT request is received containing an IP address, Burp connects to the destination server to obtain its SSL certificate. Burp then generates an SSL certificate with the same subject name (and subject alternative names, if defined) as the server’s actual certificate. Assuming the server is returning a valid certificate for the hostname that Android is requesting, this should remove the SSL errors relating to the mismatched hostname.
(Note that it is still necessary to install Burp’s CA certificate in the Android client, as for other SSL clients.)
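The name selection described above, sketched as an added example (not Burp's code and not part of the original post). The function names, the CONNECT line, the application hostname and the upstream certificate dict are constructed for illustration, and the hostname check is a simplified form of what a TLS client performs.

```python
import ipaddress

# Constructed sample data (not from the original post).
REQUEST = "CONNECT 203.0.113.10:443 HTTP/1.1"   # Android sends the resolved IP
APP_HOST = "api.example.com"                    # hostname the app asked for
UPSTREAM = {  # same layout as ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def connect_target(request_line):
    """Split 'CONNECT host:port HTTP/1.1' into (host, port)."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)          # strip brackets of IPv6 literals

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def names_for_proxy_cert(host, upstream_cert, copy_upstream=True):
    """Names placed in the certificate the proxy generates for this tunnel."""
    if not (copy_upstream and is_ip_literal(host)):
        return [host]                           # subject = CONNECT target
    cn = [v for rdn in upstream_cert.get("subject", ())
          for k, v in rdn if k == "commonName"]
    sans = [v for k, v in upstream_cert.get("subjectAltName", ()) if k == "DNS"]
    return list(dict.fromkeys(cn + sans))       # de-duplicate, keep order

def hostname_matches(hostname, names):
    """Simplified client check: exact name or one left-most wildcard label."""
    hostname = hostname.lower()
    parent = hostname.partition(".")[2]
    return any(n.lower() == hostname or
               (n.startswith("*.") and parent and n[2:].lower() == parent)
               for n in names)

def demo():
    host, _port = connect_target(REQUEST)
    old = names_for_proxy_cert(host, UPSTREAM, copy_upstream=False)
    new = names_for_proxy_cert(host, UPSTREAM)
    return old, new, hostname_matches(APP_HOST, old), hostname_matches(APP_HOST, new)

if __name__ == "__main__":
    print(demo())
```

With `copy_upstream=False` the generated certificate carries only the IP address and the client's hostname check fails; copying the upstream names makes the check pass, provided the proxy's CA certificate is trusted by the client.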
A number of bugs are also fixed:
- Some further causes of deadlock in the new UI.
- A bug in the Scanner, where the “skip all tests” configuration was not properly applied to REST parameters.
- An error saving and restoring state in headless mode, which was introduced in recent versions.
- A bug in the macro item editor UI which prevented the list of items from scrolling properly.