Webpage does not load while intercepting with Burp - http

Can someone explain to me why I cannot access a webpage while intercepting with BurpSuite? When turning off the interception everything works fine and I can see the traffic in the HTTP history section. But when turning interception on, the webpages are not loading.
I therefore ask for an explanation to understand this please.

The web page is not loading because Burp has intercepted the request and is awaiting action.
Docs/Tutorial: Intercept HTTP Traffic with Burp Proxy
Step 2: Intercept a request
Using Burp's browser, try to visit https://portswigger.net and observe that the site doesn't load. Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.
The request is held here so that you can study it, and even modify it, before forwarding it to the target server.

Related

Http request automatically becomes https

I'm running an asp.net core web application secured by ssl.
I need to send an ajax request to a local-network device which does not offer https.
So I try to send an ajax http request to a local IP address (e.g. http://192.168.1.30/hello-world) from a https browser window showing my web-app.
The url of the ajax request always gets converted into https://192.168.1.30/hello-world (which does not exist).
Is there any way to avoid this? The device does not offer https and I can't send a local request from an insecure source.
Thank you!

Fiddler doesn't capture request from Insomnia but does capture request from Postman

Just sending a simple POST request to https://httpbin.org/post.
Fiddler captures the request when I send it from Postman, but doesn't when I send it from Insomnia.
Is there some setting I need to enable either in Fiddler or Insomnia?
By default, Fiddler changes the system proxy to point to the port it's listening on, http://localhost:8888. In contrast, Insomnia doesn't use the system proxy, but can be manually configured to use a specified proxy:
Choose Settings -> HTTP Proxy and set http://localhost:8888 (or whatever Fiddler is using).

HTTP on a HTTPS Website

I was just wondering this small little question. I know it is irrelevant to coding, but I just had to know quickly.
If you type in http:// for a https:// will it still take you to the correct place?
That is mostly dependent on the server configuration. The server has to accept the initial HTTP request and be configured to redirect the client to an appropriate HTTPS URL.
That being said, there are some Internet standards related to automating HTTP-to-HTTPS upgrades. HTTP Strict Transport Security and Upgrade Insecure Requests allow an HTTP/S server to tell clients that it wants them to automatically use HTTPS for all subsequent requests. If a client visits an HSTS/UIR-enabled server, it will receive a normal HTTP response with additional HSTS/UIR-related headers. If the client supports HSTS/UIR, it will then know to automatically send all subsequent HTTP requests to that same server using HTTPS, and in the case of UIR also treat any received HTTP URLs as if they were HTTPS URLs.
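The client-side bookkeeping that HSTS implies, as an added example (not part of the original answer; Upgrade Insecure Requests is not covered): it parses a `Strict-Transport-Security` value, stores the policy, and rewrites later `http://` URLs for covered hosts. The names `parse_sts` and `HstsStore` are hypothetical, and the rules applied (header honoured only on HTTPS responses, `max-age=0` deletes, parent policies need `includeSubDomains`) follow RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:                       # a repeated directive invalidates the header
            return None
        seen[name] = value.strip().strip('"')
    if not seen.get("max-age", "").isdecimal():  # max-age is required
        return None
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsStore:
    """Hypothetical in-memory list of known HSTS hosts (illustration only)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}                        # host -> (expiry, include_subdomains)

    def note_response(self, url, sts_header):
        parts, policy = urlsplit(url), parse_sts(sts_header)
        # RFC 6797: the header is ignored on plain-HTTP responses.
        if parts.scheme != "https" or policy is None:
            return
        max_age, subs = policy
        if max_age == 0:                       # max-age=0 deletes the stored policy
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (self.clock() + max_age, subs)

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # A parent domain's policy applies only with includeSubDomains.
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(parts._replace(scheme="https", netloc=parts.hostname + port))
        return url
```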

squid redirector from https to http

Got a problem with squid. I'm using version 3.1 with my own redirector.
My problem is when a client, for example, requests https://twitter.com (with https) but my redirector's logic decides that twitter.com is an invalid page, so I redirect this request to my invalid page. Let's say 302:http://mydomain.com?invalid=twitter.com; at this stage the process will not continue and the browser will say "HTTP gateway failed".
So, my theory is that when a request is https and is redirected to http, squid will not work. Is there any configuration I need to do so that it will work?
Thank you guys..
RFC 2817 isn't very clear about the behavior of CONNECT and redirect. I think that most browsers won't accept a redirect as a reply to the CONNECT method. So, there is no way to do what you want.
It is not a Squid issue; it is a protocol/browser issue.
Well, I think the best way to redirect is when:
- if the request is https, the response should be https
- and if the request is http, the response should be http
that's the best way I can't think at the moment...

Empty HTTP response headers and body

I am able to consistently reproduce this problem where I request a URL from my server and I get back a 200 code but the response headers and response body are empty. If I monitor incoming traffic on my web server I never see the request come in. My web server sits behind a proxy server; if I monitor traffic there, I also do not see the request come in.
Any ideas as to where this empty response might be coming from, or tips as to what situations can result in an empty response like this?
This turned out to be a GET request size limit on our internal firewall proxy server. We were able to reduce the size at which we switch from a GET to a POST request in our code to avoid the limit.
