Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers

One day, while I was playing with a tool called Debookee (network traffic interception) in the office, I noticed that the tool was intercepting Facebook cookies in plain text.

What is Debookee?

Debookee is able to intercept and monitor the traffic of any device in the same subnet, thanks to a man-in-the-middle attack (MITM). It allows you to capture data from mobile devices on your Mac (iPhone, iPad, Android, BlackBerry…) or from a printer, TV or fridge (Internet of Things!) without the need of a proxy. This interception is done in 1 click and is totally transparent, without network interruption.

Now, getting Facebook cookies in plain text was not the intended behaviour, because Facebook uses SSL to transfer cookies and other data over HTTPS. I then tried other websites to see whether I could get their cookies too, and I noticed that I was able to capture every website's SSL traffic in plain text.

I asked my colleague, and he said that he had configured the Burp proxy in his browser and was surfing Facebook and other websites.

That's weird…

So I took a deep dive to understand the unexpected behaviour, and this is what I found.

When a user uses Burp Suite, they install Burp's CA certificate, which lets Burp intercept all of the browser's SSL traffic and read it in plain text. Once the user sets up the proxy, the browser sends all of its traffic to Burp Suite, where it is decrypted. Now, when I run Debookee, Burp Suite treats Debookee as an upstream proxy, and by design Burp does not enforce SSL certificate validation on the upstream proxy connection, which means Burp sends all the data to me/Debookee in plain text.

[Screenshot: Configuring Burp Proxy in Firefox]
[Screenshot: Configuring Burp Proxy]
[Screenshot: Getting cookies in plain text]
[Video: demonstration, for better understanding]
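To make the upstream behaviour concrete, here is an added example in Go (my own code, not from this post, from Burp Suite or from PortSwigger). It stands up a loopback TLS listener with a self-signed certificate for an assumed host name, www.example.com, playing the role of the certificate an interception tool presents on the path to the real site, and then connects to it twice: once with certificate verification switched off, which is the upstream behaviour the post describes, and once with normal validation. The first client accepts the interposed certificate silently; the second fails with an "unknown authority" error, which is exactly the signal a proxy chain needs in order to notice interception on the upstream path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical site the browser is visiting (an assumption; any name works here).
const targetHost = "www.example.com"

// selfSignedCert builds a certificate for targetHost that no trust store knows.
// It stands in for the certificate an on-path interception tool presents when it
// terminates TLS in place of the real site.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: targetHost},
		DNSNames:     []string{targetHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartInterposer listens on a loopback port with the untrusted certificate and
// returns its address. Each connection is handshaken and closed; the listener
// lives until the process exits.
func StartInterposer() (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// Server side of the handshake; a client that rejects the
				// certificate simply aborts, which is the outcome we want to see.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

// Connect dials addr as if it were targetHost. verify=false accepts whatever
// certificate is shown (the upstream behaviour described in the post);
// verify=true validates the chain against the system trust store.
func Connect(addr string, verify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: targetHost, InsecureSkipVerify: !verify})
	if err != nil {
		return err
	}
	return conn.Close()
}

// IsUntrustedIssuer reports whether err is the x509 "unknown authority" failure
// a validating client raises when it is shown an interposed certificate.
func IsUntrustedIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo runs both clients against the interposer and reports which one accepted it.
func Demo() (acceptedWithoutVerify, acceptedWithVerify bool, verifyErr error, err error) {
	addr, err := StartInterposer()
	if err != nil {
		return false, false, nil, err
	}
	acceptedWithoutVerify = Connect(addr, false) == nil
	verifyErr = Connect(addr, true)
	return acceptedWithoutVerify, verifyErr == nil, verifyErr, nil
}

func main() {
	skip, strict, verifyErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client without verification accepted the interposer: %v\n", skip)
	fmt.Printf("validating client accepted the interposer: %v (%v)\n", strict, verifyErr)
}
```

The two calls to Connect are the whole point: a proxy that forwards upstream with the equivalent of InsecureSkipVerify cannot tell the real site from an interposer on the same network, while a validating client surfaces the unknown-authority error at the moment the interposition begins.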

This means that if an attacker can get onto a pen-testing consultancy's office Wi-Fi, they can probably hack all the pen testers. And what about live hacking events? Most hackers and bug hunters use Burp Suite, which means an attacker could hack all the hackers at a live hacking event. And if the company is sharing the same network as the hackers, then the company's triagers are exposed to the same risk, which means they too risk getting hacked at live hacking events. :))

Isn't it scary?
I reported this issue to PortSwigger, and they replied:

Burp doesn't enforce upstream SSL trust by design, but they will push a feature with an SSL enable toggle option for the upstream proxy.

I hope you guys like it. Hit me up on Twitter if you have any queries.