Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers

Armaan Pathan
Apr 6, 2019 · 3 min read

One day I was playing with Debookee (a network traffic interception tool) in the office, and I noticed that it was capturing Facebook cookies in plain text.

What is Debookee?

Debookee is able to intercept and monitor the traffic of any device in the same subnet, thanks to a man-in-the-middle attack (MITM). It allows you to capture data from mobile devices on your Mac (iPhone, iPad, Android, BlackBerry…) or from a printer, TV or fridge (Internet of Things!) without the need for a proxy. The interception is done in one click and is totally transparent, with no network interruption.

Getting Facebook cookies in plain text was not expected behaviour: Facebook serves everything over HTTPS, so cookies and other data travel inside TLS. I then checked whether I could see other websites' cookies as well, and found that I was able to read all of that machine's HTTPS traffic in plain text.

I asked my colleague, and he said he had configured the Burp proxy in his browser and was browsing Facebook and other websites through it.

That's weird….

So I dug in to understand the unexpected behaviour, and this is what is going on:

When you use Burp Suite you install Burp's CA certificate, so your browser trusts Burp to terminate TLS and Burp sees every request in plain text. Burp then opens its own TLS connection to the real server. By design, Burp does not verify the certificate presented by that upstream end (the same way it would not for an upstream proxy), so when Debookee sits on the path and answers the handshake with its own certificate, Burp accepts it and completes the handshake. Everything Burp forwards, cookies included, is then readable to me/Debookee in plain text.
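To make that failure mode concrete, here is an added example (my own code, not the author's and not Burp's or Debookee's) that models the three parties on loopback in Go: an interceptor that answers the TLS handshake with a forged self-signed certificate for www.facebook.com, a client that verifies the server certificate, and a client with verification switched off, standing in for Burp's default behaviour. The hostname is assumed and the cookie in the request is a constructed demo value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed request with a made-up session cookie; this is the secret that leaks.
const demoRequest = "GET / HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: c_user=1234; xs=SESSION_DEMO\r\n\r\n"

// forgedCert mints a self-signed certificate for host, which is what an on-path
// interceptor presents: it names the right host but nobody the client trusts signed it.
func forgedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startInterceptor plays the on-path attacker: it terminates TLS with the forged
// certificate and returns every plaintext request it manages to read.
func startInterceptor(cert tls.Certificate) (net.Listener, <-chan string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	captured := make(chan string, 8)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			buf := make([]byte, 4096)
			// The handshake runs inside this Read; a verifying client aborts it
			// with a "bad certificate" alert and we never see application data.
			n, _ := conn.Read(buf)
			conn.Close()
			if n > 0 {
				captured <- string(buf[:n])
			}
		}
	}()
	return ln, captured, nil
}

// sendThroughTLS connects to addr expecting www.facebook.com and sends the request.
// skipVerify=true mirrors Burp's default: the upstream certificate is accepted
// whoever signed it.
func sendThroughTLS(addr string, skipVerify bool) error {
	cfg := &tls.Config{ServerName: "www.facebook.com", InsecureSkipVerify: skipVerify}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err // verifying client stops here: x509: certificate signed by unknown authority
	}
	defer conn.Close()
	_, err = conn.Write([]byte(demoRequest))
	return err
}

func main() {
	cert, err := forgedCert("www.facebook.com")
	if err != nil {
		panic(err)
	}
	ln, captured, err := startInterceptor(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("verifying client:", sendThroughTLS(ln.Addr().String(), false))
	fmt.Println("non-verifying client:", sendThroughTLS(ln.Addr().String(), true))
	select {
	case req := <-captured:
		fmt.Printf("interceptor read plaintext:\n%s", req)
	case <-time.After(2 * time.Second):
		fmt.Println("interceptor read nothing")
	}
}
```

Run it with `go run`: the verifying client fails with `x509: certificate signed by unknown authority` and the interceptor sees nothing from it, while the non-verifying client completes the handshake and the interceptor prints the whole request, cookie included. The only difference between the two outcomes is `InsecureSkipVerify`, which is exactly why an interception proxy that does not verify upstream certificates turns into a plaintext feed for anyone on the path. Until Burp gains upstream certificate verification, the practical mitigation is to not route everyday browsing through Burp on a network shared with people you do not trust.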

[Image: Configuring Burp proxy in Firefox]
[Image: Configuring Burp proxy]
[Image: Getting cookies in plain text]
[Video for better understanding]

This means that an attacker who gets onto a pentesting consultancy's office Wi-Fi can probably compromise every pentester on it. And what about live hacking events? Most hackers and bug hunters use Burp Suite, so an attacker on the event network could hack all the hackers. If the company's triagers share the same network as the hackers, they are exposed to the same risk, so live hacking events carry a real risk of getting hacked.

Isn’t it scary?
I reported this issue to PortSwigger and they replied:

Burp doesn't enforce upstream SSL trust by design, but they will push a feature with an SSL-enable toggle option in the upstream proxy settings.

I hope you guys like it. Hit me up on Twitter if you have any queries.
