Burp Suite v1.4.12 : Cracks Android SSL - Hack Reports


Thursday, August 16, 2012

Burp Suite v1.4.12 : Cracks Android SSL




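A new version of Burp Proxy has been released that improves the analysis of encrypted SSL connections on Android phones. This release resolves a problem with proxying SSL connections from Android clients. When Android proxies SSL, it resolves the destination hostname locally and issues a CONNECT request containing the host's IP address. Because the proxy sees only the IP address, a certificate generated for the CONNECT target does not carry the hostname the client expects, which produces hostname-mismatch errors.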

Burp now behaves differently. If a CONNECT request is received containing an IP address, Burp connects to the destination server to obtain its SSL certificate. Burp then generates an SSL certificate with the same subject name (and alternative subject names, if defined) as the server's actual certificate. Assuming the server is returning a valid certificate for the hostname that Android is requesting, this should remove the SSL errors relating to the mismatched hostname.
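The hostname mismatch and its fix can be modelled in a few lines. The following is an added example, not Burp's own code: the function names, the sample CONNECT line, and the certificate names are constructed for illustration, and the name matching is a simplified version of what a TLS client does.

```python
import ipaddress

def parse_connect(request_line):
    """Return (host, port, is_ip) from a 'CONNECT host:port HTTP/1.1' line."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    host = host.strip("[]")  # IPv6 literals arrive bracketed
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, int(port), is_ip

def name_matches(pattern, hostname):
    """Simplified check: exact match, or a single left-most '*' label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def client_accepts(cert_names, hostname):
    """True if any name in the presented certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def proxy_cert_names(request_line, upstream_cert_names):
    """Names placed in the proxy-generated certificate.

    old: built from the CONNECT target only.
    new: for an IP target, copy the names of the server's real certificate.
    """
    host, _port, is_ip = parse_connect(request_line)
    old = [host]
    new = list(upstream_cert_names) if is_ip else [host]
    return old, new

# Constructed sample: the app wants api.example.com, but Android has already
# resolved it, so the proxy only sees an IP address (documentation range).
CONNECT_LINE = "CONNECT 203.0.113.10:443 HTTP/1.1"
UPSTREAM_NAMES = ["www.example.com", "*.example.com"]  # subject + SANs
OLD_NAMES, NEW_NAMES = proxy_cert_names(CONNECT_LINE, UPSTREAM_NAMES)

if __name__ == "__main__":
    print("old:", OLD_NAMES, client_accepts(OLD_NAMES, "api.example.com"))
    print("new:", NEW_NAMES, client_accepts(NEW_NAMES, "api.example.com"))
```

The fix depends on the server's real certificate already covering the requested hostname; if it does not, the client reports the same mismatch it would without the proxy.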

Bug fixes:

    * Some further causes of deadlock in the new UI.
    * A bug in the Scanner, where the "skip all tests" configuration was not properly applied to REST parameters.
    * An error saving and restoring state in headless mode, which was introduced in recent versions.
    * A bug in the macro item editor UI which prevented the list of items from scrolling properly.
