Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers
One day I was playing with Debookee (a network traffic interception tool) in the office and noticed that it was capturing Facebook cookies in plain text.
What is Debookee?
Debookee is able to intercept and monitor the traffic of any device in the same subnet, thanks to a man-in-the-middle attack (MITM). It allows you to capture data from mobile devices on your Mac (iPhone, iPad, Android, BlackBerry…) or from a printer, TV, fridge (Internet of Things!) without the need for a proxy. This interception is done in one click and is totally transparent, without network interruption.
Getting Facebook cookies in plain text was not expected behaviour: Facebook serves everything over HTTPS, so cookies and all other data are encrypted in transit. I tried other websites and found that I could read all of their TLS traffic in plain text as well.
I asked my colleague, and he said that he had configured Burp Proxy in his browser and was browsing Facebook and other websites through it.
So I dug into the unexpected behaviour and found the following:
When a user runs Burp Suite, they install Burp's CA certificate in the browser, which lets Burp decrypt all of the browser's TLS traffic. Once the browser is pointed at Burp's listener, Burp sees every request in plain text and then opens its own outbound TLS connection to the real site. The catch is that, by design, Burp does not validate the server certificate it receives on that upstream connection (pentesters constantly test hosts with self-signed or otherwise broken certificates). So when Debookee sits in the path and presents its own forged certificate, Burp accepts it without complaint and hands all the decrypted traffic to me/Debookee in plain text.
This means that an attacker who can get onto a pentesting consultancy's office Wi-Fi can potentially compromise every pentester on it. And what about live hacking events? Most hackers and bug hunters use Burp Suite, so an attacker on the event network can intercept all of them. If the company shares the same network as the hackers, its triagers are exposed to exactly the same risk. :)
Isn’t it scary?
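The practical defence on a shared network is to notice the interception itself. The script below is an added example written for this page (not the author's code and not part of Debookee or Burp). It assumes the subnet-level MITM is done by ARP spoofing, which the post does not spell out, and it works over `arp -a`-style ARP cache snapshots; the two snapshots embedded here are constructed, with 192.168.1.77 playing the attacker's host that takes over the gateway's IP.

```python
"""Flag ARP-cache changes that look like a LAN man-in-the-middle.

Added example, not code from the original post, Debookee or Burp.
Assumption: the interception is done by ARP spoofing, so the gateway's
IP suddenly resolves to a different MAC and one MAC starts answering
for several IPs. Input lines follow macOS `arp -a` output, which does
not zero-pad MAC octets; Linux `ip neigh` lines also parse.
"""
import re
from collections import defaultdict

# Matches both "? (192.168.1.1) at 0:11:22:33:44:55 on en0 ..." and
# "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE".
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.IGNORECASE,
)

# Broadcast / IPv4 multicast entries legitimately share MACs; ignore them.
_IGNORED_MAC_PREFIXES = ("ff:ff:ff:ff:ff:ff", "01:00:5e")


def parse_arp_table(text):
    """Return {ip: zero-padded lowercase mac} for one ARP cache snapshot."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        mac = ":".join(p.zfill(2).lower() for p in m.group("mac").split(":"))
        if mac.startswith(_IGNORED_MAC_PREFIXES):
            continue
        table[m.group("ip")] = mac
    return table


def arp_alerts(snapshots, gateway_ip):
    """Compare successive snapshots and return a list of alert strings.

    Two heuristics (both can have benign causes, e.g. a replaced router
    or a host with several IP aliases, so treat hits as "go and look"):
      1. the gateway's MAC changed between snapshots (gateway spoof);
      2. a single MAC answers for more than one IP in one snapshot
         (the attacker claims the gateway plus the victims it poisons).
    """
    alerts = []
    prev = {}
    for i, snap in enumerate(snapshots):
        table = parse_arp_table(snap)
        gw_prev, gw_now = prev.get(gateway_ip), table.get(gateway_ip)
        if gw_prev and gw_now and gw_prev != gw_now:
            alerts.append(
                f"snapshot {i}: gateway {gateway_ip} moved {gw_prev} -> {gw_now}"
            )
        by_mac = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(f"snapshot {i}: {mac} claims {sorted(ips)}")
        prev = table
    return alerts


# Constructed sample data: a clean cache, then the same cache after
# 192.168.1.77 (de:ad:be:ef:00:01) has poisoned the gateway and a victim.
BEFORE = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:1 on en0 ifscope [ethernet]
? (192.168.1.77) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

AFTER = """\
? (192.168.1.1) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]
? (192.168.1.20) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]
? (192.168.1.77) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for alert in arp_alerts([BEFORE, AFTER], "192.168.1.1"):
        print(alert)
```

On a real machine, feed it the output of `arp -a` (or `ip neigh`) taken every few seconds; a gateway MAC that flips while you are in a Burp session is the moment to stop and check what is on the network. Note that this only catches ARP-based interception; a malicious access point or a compromised switch would not show up here, so on an event network the safer habit is to treat Burp's upstream connection as untrusted regardless.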
I reported this issue to PortSwigger and they replied:
Burp doesn't enforce upstream SSL trust by design, but they will push a feature with an SSL-enable toggle option in the upstream proxy settings.
I hope you enjoyed it. Hit me up on Twitter if you have any questions.