简体繁体 English

尽管加密，burp-suite 如何拦截 https 请求？

[英]How does burp-suite intercept https requeest inspite of the encryption?

原文 2020-05-10 20:30:18 0 1 ssl/ https/ ssl-certificate/ burp

I was trying to get myself familiarised with basic concepts of https when I came across its encryption, which in a nutshell functions as follows,当我遇到它的加密时，我试图让自己熟悉 https 的基本概念，简而言之，它的功能如下，

Now I have seen QA engineers in my company use this tool called burp-suite to intercept request.现在我看到我公司的 QA 工程师使用这个叫做 burp-suite 的工具来拦截请求。

What I am confused about is even though the data flows through an encrypted channel, how can any interception tool like burp-suite manage to intercept the request.我感到困惑的是，即使数据流经加密通道，任何拦截工具（如 burp-suite）如何设法拦截请求。

Just to try it out I tried to intercept facebook request in burp-suite,只是为了尝试一下，我试图在 burp-suite 中拦截facebook请求，

Here you can clearly see the test email test@gmail.com I used in the intercepted request.这里可以清楚的看到我截取的请求中使用的测试email test@gmail.com 。

Why is this data not encrypted according to https standards?为什么这些数据没有按照 https 标准加密？

Or if it is then how do burp-suite manage to decrypt it?或者如果是，那么burp-suite如何设法解密它？

Thank you.谢谢你。

1 个解决方案

Meta: this isn't really a development or programming question or problem, although Burp is sometimes used for research or debugging. Meta：这不是真正的开发或编程问题或问题，尽管 Burp 有时用于研究或调试。

If you LOOK AT THE DOCUMENTATION on Using Burp Proxy 如果您查看有关使用 Burp Proxy的文档

Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. Burp CA 证书- 由于 Burp 会中断浏览器和服务器之间的 TLS 连接，如果您通过 Burp 代理访问 HTTPS 站点，您的浏览器默认会显示警告消息。 This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker.这是因为浏览器无法识别 Burp 的 TLS 证书，并推断您的流量可能被第三方攻击者拦截。 To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.要通过 TLS 连接有效地使用 Burp，您确实需要在浏览器中安装 Burp 的证书颁发机构主证书，以便它信任 Burp 生成的证书。

and following the link provided right there 并点击那里提供的链接

By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate.默认情况下，当您通过 Burp 浏览 HTTPS 网站时，代理会为每个主机生成一个 TLS 证书，由其自己的证书颁发机构 (CA) 证书签名。 ... ...

Using its own generated cert (and matching key, although the webpage doesn't talk about that because it isn't visible to people) instead of the cert from the real site allows Burp to 'terminate' the TLS session from the client, decrypting and examining the data, and then forwarding that data over a different TLS session to the real site, and vice versa on the response (unless configured to do something different like modify the data).使用它自己生成的证书（和匹配的密钥，尽管网页没有谈论它，因为它对人们不可见）而不是来自真实站点的证书允许 Burp 从客户端“终止”TLS session，解密并检查数据，然后通过不同的 TLS session 将该数据转发到真实站点，反之亦然（除非配置为执行不同的操作，例如修改数据）。

... This CA certificate is generated the first time Burp is run, and stored locally. ...此 CA 证书在 Burp 首次运行时生成，并存储在本地。 To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.要在 HTTPS 网站上最有效地使用 Burp 代理，您需要在浏览器中安装 Burp 的 CA 证书作为受信任的根。

This is followed by a warning about the risks, and a link to instructions to do so.随后是有关风险的警告，以及相关说明的链接。

Having its own CA cert trusted in the browser means that the generated cert is accepted by the browser and everything looks mostly normal to the browser user (or other client).在浏览器中信任自己的 CA 证书意味着生成的证书被浏览器接受，并且对于浏览器用户（或其他客户端）来说，一切看起来都很正常。