Burp proxy opens Android SSL connections

Burp allows users to examine and manipulate HTTP(S) connections

With the release of version 1.5 of the Free Edition of its Burp Suite, PortSwigger has given the security tool suite a fresh new look and taught it to listen to Android devices. The Burp developers say that Android deviates from the SSL standard when establishing encrypted connections but added that this no longer causes problems for the analysis tool as they have implemented a workaround for the non-standard CONNECT requests.

Similar to Moxie Marlinspike's SSLstrip, the proxy tools can now be instructed to convert HTTPS addresses into HTTP server responses. Conversely, Burp now also supports the forced use of HTTPS. Burp 1.5 can remove the secure flag from cookies; this flag tells web browsers that a cookie must not be transmitted via an unencrypted connection. The tool now passes through server responses that are being kept open, for example, in order to continuously stream new data to the client.

Burp's user interface has also been completely overhauled to improve its overall look and usability: according to the developers, all Burp common functions can now be accessed via configurable hotkeys. Highlighting and comments can now be added to items in the proxy. For new and inexperienced users, Burp now includes full help documentation within the software itself.

Burp runs as a Java program under all mainstream desktop operating systems. The commercial Professional Edition offers a larger range of additional features such as an option to track down security holes in web applications. A detailed list of all differences can be found on the developers web site.

(crve)