android – Intercepting app with Burp shows no requests

I’m pentesting my first mobile application. I have a rooted Android device and followed the steps here and here to install the certificate to proxy the traffic through Burp on my laptop.

But no requests show up. When I’m opening the app I have the option to either register (trying that throws the error message “User already exists”, which is definitely not the case (triple checked that)) or log in. I tried logging in with an account created on the webpage but the app throws a “User does not exist” error. When setting the proxy settings on the phone to none, both registration and logging in as an existing user work fine.

So my guess is the app is either using certificate pinning or there are some issues with the proxy settings or the certificate.

Burp Suite does not intercept packages from my Firefox

I configured Burp Suite in my virtual Kali Linux on VMware and activated FoxyProxy in Firefox (again in Kali / VMware). However, it does not intercept anything; rather, websites are blocked with the message below. What can I do about it?

Did Not Connect: Potential Security Issue

www.youtube.com is most likely a safe site, but a secure connection could not be established. This issue is caused by PortSwigger CA, which is either software on your computer or your network.

What can you do about it?

www.youtube.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.
If you are on a corporate network, you can contact your IT department.
If you are not familiar with PortSwigger CA, then this could be an attack, and there is nothing you can do to access the site.

burp suite – Needing help intercepting local SSL traffic on a difficult Android app

I’m trying to intercept traffic from an Android app.

I’ve forwarded ports 80, 443, 6699 and 6698 on Kali to a listener port and set up arp-spoofing. I’m using BurpSuite on the same computer to listen and intercept (invisible proxy).

Certificates have been installed properly on both host and device and are working for all traffic except the app I’m interested in.

Using Frida I’ve tried various SSL pinning bypass scripts (the most popular) and none have been successful; Burp continues to report a TLS fatal exception ca_unknown and the app’s function remains restricted.

The app in question is an ISP router companion app; you use it to get live information about the internet connection and can use it to change settings on the router. The traffic is local, using TCP port 6699 but can also use 6698.

Are there any clues I can look for in the apk which may point me towards the SSL methods being employed by the app? I’ve had a look and can see directories for OKHTTP3 and BouncyCastle.

The parts of the app that communicate remotely (cloud API calls) can be intercepted without issue.

Could the problem be something entirely different than SSL pinning given this particular issue is solely based on local communication? My train of thought being, why employ SSL pinning for traffic that’ll only ever be local?

Burp – How to capture local traffic from Android device (i.e traffic that doesn’t use the internet)

I’m trying to intercept traffic between an Android app and a router interface. I’m using a rooted device.

They communicate on port 6699 which I believe is typical for nginx.

I’ve tried setting up Burp to capture the traffic but all it sees is the data the App sends/receives remotely (API calls to the cloud) and nothing it sends/receives locally (API calls to nginx on the router).

It seems like the Burp listener port is only capturing traffic from ports 80 and 443 on the Android device.

How can I set up Burp to capture traffic from port 6699?

Testing a Citrix XenApp application using Burp

I’m attempting to test a Citrix XenApp application by running it on a Windows 10 VM (VirtualBox) guest machine, and proxying the traffic through a Burp Professional proxy on the host only network (the proxy sits on the bare-metal host).

If I connect in this manner, the Windows host starts making a bunch of requests like

 HEAD / HTTP/1.1
 Host: yuhakmeovo
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42
 Accept-Encoding: gzip, deflate
 Connection: close

where the host is any arbitrary 10 character domain. When the proxy doesn’t respond to these requests (or responds improperly; this is a bit outside my ken), Citrix determines that the host isn’t connected, and stops until I bypass the Burp Proxy. This is, unfortunately, a major problem for intercepting traffic and actually testing the application. Is there a common solution?

If I get past this hurdle, I may still stumble on the certificate (https://forum.portswigger.net/thread/interception-of-citrix-netscaler-traffic-66b481ce), but I’m not even out of the gate yet.

burp suite – Evilginx Phishlet with Json response

I am trying to make my own first practice phishlet in Evilginx. However, I face a challenge: when I send my username/password to a webpage, the app responds with several cookies and a JSON string. I do not know where I should put the JSON response, or even whether I should use it in the YAML file or not.
Unfortunately, there is no documentation about it and the project repository is not active.

Here is the response (obtained by Burp)

X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Date: Sat, 22 May 2021 08:32:22 GMT
Set-Cookie: login.offering=null; expires=Sat, 22 May 2020 01:32:22 PDT; path=/; domain=.pseudo.xxx; secure; samesite=none
Set-Cookie: qbn.ticket=V1-71-123; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.tkt=V1-71-123; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.authid=98432910; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.gauthid=98432910; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.agentid=98432910; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.uidp=2d199001fdgfdg44354353909b4; Domain=.pseudo.xxx; Path=/; Secure
Set-Cookie: qbn.parentid=50000003; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.refresh=null; expires=Sat, 22 May 2021 01:32:22 PDT; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Set-Cookie: qbn.ctxid=null; expires=Sat, 22 May 2021 01:32:22 PDT; path=/; domain=.pseudo.xxx; secure; samesite=none; HttpOnly
Connection: close

{
  "iamTicket": {
    "ticket": "V1-71-sfsdfdsf332",
    "userId": "98432910",
    "userIdPseudonym": "fvfdvfd33434",
    "agentId": "4543553435",
    "realmId": null,
    "userContextRealmId": null,
    "authenticationLevel": "0",
    "identityAssuranceLevel": "-1",
    "namespaceId": "1234",
    "role": [],
    "access": null,
    "scoped": false,
    "authTime": "1234",
    "createTime": "12345",
    "sessionId": "123456",
    "identityProvider": null,
    "compliance": [],
    "context": null,
    "mergedIds": null
  },
  "action": "CHALLENGE",
  "riskLevel": "MED",
  "challenge": [
    {
      "primary": false,
      "type": "EMAIL_OTP",
      "value": "blablacbla@blablabla.bla",
      "country": null,
      "tokenFormat": {
        "type": "numeric",
        "minLength": 6,
        "maxLength": 6
      },
      "tokenExpiry": null,
      "generated": false,
      "gracePeriodMillis": null
    },
    {
      "primary": false,
      "type": "CARE",
      "value": null,
      "country": null,
      "tokenFormat": null,
      "tokenExpiry": null,
      "generated": false,
      "gracePeriodMillis": null
    }
  ],
  "longLivedToken": null,
  "authContextId": "",
  "passwordResetRequired": true
}

http – Uploading php webshell using Burp Intruder

I am using Burp Intruder to upload a webshell to different directories.

These 400 responses tell me the requests are bad. I should be getting mostly 403 responses or maybe if I’m lucky the goal would be to get 1 200 response.

What is wrong with the requests I am making? If I make just 1 request with Repeater then I get the proper response which is 403.

burp suite – Broken chunked-encoding

I am doing a proof of concept with Burp Suite. I am sending this request:

POST /solwin-ourquote.html?wmGl=1697941711 HTTP/1.1
Host: somedomain.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 26
Connection: keep-alive

96 GET /404 HTTP/1.1 X: x=1&q=smugging&x= Host: somedomain.com Content-Type: application/x-www-form-urlencoded Content-Length: 100

x= 0

POST /solwin-ourquote.html?wmGl=1697941711 HTTP/1.1 Host: somedomain.com

and I am getting this response:

HTTP/1.1 400 Invalid Request
Connection: close
Content-Length: 23
content-type: text/plain; charset=utf-8

broken chunked-encoding

Could someone kindly help me find out where the problem might be? I have tried to get a solution from other sites and I have not succeeded.