3

My question is regarding HTTPS form submission. One of our websites is using HTTPS; we display the login page to the user via the HTTPS protocol.

When the form is submitted, if we try to intercept the request using a tool called "Burp Suite" before sending it to the server, I see that the form data is not encrypted.

Is this the right behavior? Or is it something like the request is being secured only in transmission over the network?

kalina
user37536

2 Answers

8

Burp is an intercepting proxy, which lets you inspect and modify traffic between your browser and the target application. Burp is actually serving its own certificate so that you can see what's inside the request. Normally you will have accepted a security warning for a certificate issued by PortSwigger; this is the certificate generated by Burp.

If you want to assess your application you should use Wireshark instead and look at the HTTP requests. Those should not be visible to you.

Lucas Kauffman
  • Kauffman, without using any tools like Burp, in the network tab in Chrome inspect element, I see the form data as sent from the user. I am not able to figure out why it is not being encrypted. Do we need to do any encryption? – user37536 Jan 19 '14 at 15:48
  • 4
    @user37536, when you inspect the page from within Chrome, you are inspecting the data before it is written to the network - before it is encrypted. To test that it's encrypted, you should use a separate tool, like tcpdump or Wireshark, that will monitor network traffic while it is on the network, and without the capability to decrypt the traffic. Be careful not to choose a tool that generates certificates or imports certificates, or you might run into the situation with Burp again. – atk Jan 19 '14 at 16:02
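To make atk's distinction concrete, here is an added Go example (not from the question or either answer): it posts a login form to a local self-signed HTTPS server while a wrapper around the client socket records exactly what a passive sniffer such as tcpdump would see. The names postLoginOverTLS and tapConn, and the form values, are my own constructions.

```go
package main

import (
	"bytes"
	"context"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// tapConn is the passive sniffer (tcpdump/Wireshark): it records every byte written to the socket.
type tapConn struct {
	net.Conn
	wire *bytes.Buffer
	mu   *sync.Mutex
}

func (t tapConn) Write(p []byte) (int, error) {
	t.mu.Lock()
	t.wire.Write(p)
	t.mu.Unlock()
	return t.Conn.Write(p)
}

// postLoginOverTLS: did the server see the password after TLS decryption, and is it on the wire?
func postLoginOverTLS(password string) (serverSaw, onWire bool, err error) {
	seen := make(chan bool, 1)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.FormValue("password") == password // application-layer view, after TLS
	}))
	defer srv.Close()
	wire, mu := &bytes.Buffer{}, &sync.Mutex{}
	tr := srv.Client().Transport.(*http.Transport) // already trusts the test certificate
	tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		c, err := (&net.Dialer{}).DialContext(ctx, network, addr)
		return tapConn{Conn: c, wire: wire, mu: mu}, err // Transport checks err first
	}
	form := url.Values{"username": {"alice"}, "password": {password}} // constructed sample
	resp, err := srv.Client().PostForm(srv.URL+"/login", form)
	if err != nil {
		return false, false, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return <-seen, bytes.Contains(wire.Bytes(), []byte(password)), nil // raw socket view
}
```

The server (like Burp or the browser's network tab, which sit on the plaintext side of TLS) sees the password, while the recorded socket bytes contain only the handshake and ciphertext.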
2

Normally when you start the interception, your Burp Suite will provide its own SSL certificate, which would create a "warning" in your browser. Using this, you're talking to Burp before it sends it off to the target site.

On another note, once the user is logged in, you don't switch back to HTTP, do you? (Since you said: "we display the login page to the user via HTTPS protocol")

ndrix
  • Hi m1ke.. We are using HTTPS throughout, after the login also. Leaving Burp Suite, if I see the network tab in Chrome inspect element, I see the form data as sent from the user. I am not able to figure out why it is not being encrypted? – user37536 Jan 19 '14 at 15:12
  • 1
    From the Blackhat talk @ http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf, you can see that a *proxy* (and Burp is acting as your proxy) would present itself to be your target site, with their own CA (hence the warning), so they can decrypt everything. In its own turn, it forwards your requests to the real site as a client. – ndrix Jan 20 '14 at 10:17