Burp Suite Proxy Not Working Firefox

Burp Suite - setup, configuration and use with the Firefox browser. After each step, check whether you are still having problems, and only continue to the next step if things are not working. In Burp, go to the Proxy tab, and the Intercept sub-tab. If this is showing an intercepted HTTP request, then turn off interception (click on the 'Intercept is on' button to toggle the interception status).

There are a few popular ways to run Burp Suite in a pentesting environment. The simplest approach is to have a dedicated web browser that is used only with Burp.

The downside with Chrome and Safari is that the browser's proxy setting has to be set at the system level on Mac OS X. As a result, all HTTP and HTTPS traffic from the system is routed through Burp: not only traffic from the browser, but also traffic from installed applications.

Proxy configuration in Firefox is set directly in the browser. There is no need to modify system settings.

Multiple Firefox profiles

Firefox allows creating separate profiles that act as containers, keeping sensitive information separated from each other. Each profile stores its own:

  • Cookies
  • Extensions
  • Security certificate settings
  • and more


'Security certificate settings: The cert9.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox.'

Burp requires cacert.der (its CA certificate) to be imported into the browser or the system keychain (not recommended) in order to intercept HTTPS traffic. If an attacker got hold of this certificate and performed a MITM attack on your connection (e.g., when you are using public Wi-Fi), they would get all of your traffic, unencrypted.


That is why storing this certificate in your everyday browser is not a good idea: it opens up a new attack vector. If you are curious about what might happen, read about a similar case from Dell: the eDellRoot issue.

On every new installation, or whenever Burp's configuration is wiped, Burp generates a new CA certificate, served from the 'http://burp/cert' URL. This makes the attack significantly harder for a malicious actor.


Thanks to Firefox and its multiple profiles, we can install cacert.der only in a separate profile and keep the default one without Burp's CA certificate. That allows running two Firefox instances side by side. Furthermore, you can install all of the necessary plugins in Burp's Firefox profile without affecting the default one.


Read more on Firefox profiles.

Configuration

  1. Open Firefox and go to the 'about:profiles' URL
  2. Create a new profile and name it 'Burp'
  3. Click on the 'Launch profile in new browser' button
  4. A new Firefox window should open
  5. Install the FoxyProxy extension if needed
  6. Change the Firefox theme to easily distinguish between the 'default' and 'Burp' profiles

Whenever you want to run the 'Burp' profile, open Firefox and go to 'about:profiles' to launch it. There is also an option to run a profile from the CLI.

Takeaways

  • Do not install cacert.der in your (default) web browser, and especially do not install it directly into the system keychain
  • Always separate your pentesting tools and activities from your day-to-day environment/configuration
  • If possible, run Burp inside a virtual machine or on a remote instance to avoid embarrassing incidents if someone hacks you through the Burp Suite installation. Software is software, and vulnerabilities do happen

Note: These steps are only necessary if you want to use an external browser for manual testing with Burp. If you prefer, you can just use Burp's embedded browser, which is preconfigured to work with Burp Proxy already. To access the embedded browser, go to the 'Proxy' > 'Intercept' tab, and click 'Open Browser'.


Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. To do this, you change your browser's proxy settings to use the proxy host address (by default, 127.0.0.1) and port (by default, 8080) for both HTTP and HTTPS protocols, with no exceptions. This ensures that all HTTP and HTTPS traffic will pass through Burp. The details of how to do this vary by browser and version. Please refer to the relevant section below based on which browser you intend to use with Burp.
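The profile separation and the proxy settings described above can also be pinned in the dedicated profile's user.js, so the 'Burp' profile always starts with the same proxy configuration and the default profile is never touched. This is an added example, not part of the original page or of Burp's documentation; the profile directory and the function names are assumptions, and the listener is assumed to be on the default 127.0.0.1:8080.

```shell
#!/bin/sh
# Added example (not from the original page): proxy prefs for a dedicated
# Firefox profile. The profile path and function names are assumptions.

# write_burp_prefs PROFILE_DIR [HOST] [PORT]
write_burp_prefs() {
    wp_dir=$1; wp_host=${2:-127.0.0.1}; wp_port=${3:-8080}
    # Refuse values that could break out of the user.js string/number literals.
    case $wp_host in ''|*[!A-Za-z0-9.:-]*) return 1 ;; esac
    case $wp_port in ''|*[!0-9]*) return 1 ;; esac
    mkdir -p "$wp_dir" || return 1
    cat > "$wp_dir/user.js" <<EOF
// network.proxy.type 1 = manual proxy configuration
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$wp_host");
user_pref("network.proxy.http_port", $wp_port);
user_pref("network.proxy.ssl", "$wp_host");
user_pref("network.proxy.ssl_port", $wp_port);
// "No exceptions": empty bypass list, and loopback targets are proxied too
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
}

# check_burp_prefs PROFILE_DIR [HOST] [PORT]: returns 0 only if every pref matches
check_burp_prefs() {
    cp_file=$1/user.js; cp_host=${2:-127.0.0.1}; cp_port=${3:-8080}
    [ -f "$cp_file" ] || return 1
    for cp_want in \
        'user_pref("network.proxy.type", 1);' \
        "user_pref(\"network.proxy.http\", \"$cp_host\");" \
        "user_pref(\"network.proxy.http_port\", $cp_port);" \
        "user_pref(\"network.proxy.ssl\", \"$cp_host\");" \
        "user_pref(\"network.proxy.ssl_port\", $cp_port);" \
        'user_pref("network.proxy.no_proxies_on", "");'
    do
        grep -qxF -- "$cp_want" "$cp_file" || return 1
    done
}

# Usage (assumed path):
#   write_burp_prefs "$HOME/burp-profile" && check_burp_prefs "$HOME/burp-profile"
#   firefox -no-remote -profile "$HOME/burp-profile"
```

Firefox reapplies user.js on every start, so a proxy setting changed by hand in this profile is reset at the next launch.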


Check your browser proxy configuration

When you've configured your browser, you need to test that it is working properly by performing the following steps. If anything does not happen in the way described below, there is a problem with your browser configuration. In this case, please refer to the troubleshooting page.

  1. Make sure you have checked that the proxy listener is active and have configured your chosen browser.
  2. With Burp running, open the browser that you configured and go to any HTTP URL (don't use HTTPS for the moment). Your browser should sit waiting for the request to complete, that is, it should look like it is stuck trying to load a page. This is because Burp has intercepted the HTTP request that your browser is trying to send.
  3. In Burp, go to the 'Proxy' tab and open the 'Intercept' sub-tab. Both of these tabs should be highlighted. On the 'Intercept' tab, you should see the intercepted HTTP request in the main panel.
  4. Notice the button that says 'Intercept is on'. If you click it, it will change to 'Intercept is off' and the request will be released from Burp.
  5. Go back to your browser. You should now see the requested page loading as it would during normal browsing.

If everything went as described above, you have finished the mandatory configuration steps for using an external browser with Burp Suite. However, at the moment you will only be able to test web applications that exclusively use HTTP. If you try to access an HTTPS URL using your external browser, you will notice that the connection is blocked. Therefore, we strongly recommend that you perform the final additional step to install Burp's CA certificate so that you can also test applications using HTTPS.