Burp Trusted Root Certificate

When testing HSTS (HTTP Strict Transport Security) sites, the browser will not let you click through a certificate warning, so you need to install Burp's CA certificate as a trusted root before the content will load through the proxy.  A pain in the butt, but worth it.  Notes are here: https://superconfigure.wordpress.com/2013/01/29/pen-testing-hsts-http-strict-transport-security-sites-with-burp/

The key thing is to make sure the PortSwigger CA certificate ends up in your Trusted Root CA store, not just somewhere the browser can see it.  By default, for me, it put the cert in as an intermediate, which didn't work correctly.  I had to export the cert to a file, then import it into the Trusted Root CA store, which then worked correctly!
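Here is the export-then-import step as a script, added as an example and not part of the original post or of Burp itself. It assumes Burp's proxy listener is on 127.0.0.1:8080 (the default), that openssl and curl are on PATH, and that the OS trust-store tools it calls (update-ca-certificates, security, NSS certutil) are available; the sanity check before installing confirms the file really is a self-signed CA certificate, so it cannot be mistaken for an intermediate.

```shell
#!/bin/sh
# Added example (not from the original post): fetch Burp's CA certificate from
# the proxy, install it as a *trusted root* on the current OS, and confirm that
# an HTTPS request through the proxy now validates without -k.
# Assumptions: Burp listener on 127.0.0.1:8080; openssl, curl and the OS
# trust-store tools named below on PATH. Set BURP_INSTALL=1 to run main.

BURP_PROXY="${BURP_PROXY:-127.0.0.1:8080}"

# Burp serves its CA certificate in DER form at /cert on the proxy listener.
fetch_burp_ca() {            # $1 = output path (DER)
    curl -fsS "http://${BURP_PROXY}/cert" -o "$1"
}

# Most Linux trust stores and Firefox's NSS database want PEM, not DER.
der_to_pem() {               # $1 = DER in, $2 = PEM out
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Guard against importing the wrong thing: a root must carry basicConstraints
# CA:TRUE and be self-signed (issuer == subject). Returns 0 only if both hold.
is_root_ca() {               # $1 = PEM cert
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Install into the OS *root* store. Chrome, Edge, Safari and curl read the OS
# store; Firefox keeps its own NSS database (see install_firefox).
install_root_ca() {          # $1 = PEM cert
    case "$(uname -s)" in
        Linux)   # Debian/Ubuntu layout
            sudo install -m 644 "$1" /usr/local/share/ca-certificates/burp-ca.crt
            sudo update-ca-certificates ;;
        Darwin)
            sudo security add-trusted-cert -d -r trustRoot \
                -k /Library/Keychains/System.keychain "$1" ;;
        *)
            # Windows: from an elevated prompt, certutil -addstore -f Root burp-ca.cer
            echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# Firefox: import into the profile's NSS db with trust flags C,, (trusted CA for TLS).
install_firefox() {          # $1 = PEM cert, $2 = Firefox profile directory
    certutil -A -d "sql:$2" -n "PortSwigger CA" -t "C,," -i "$1"
}

# The check that matters: an HSTS site fetched through Burp must validate
# without -k. curl exits 60 if the chain is still not trusted.
verify_via_proxy() {         # $1 = https URL of an HSTS site
    curl -fsS --proxy "http://${BURP_PROXY}" -o /dev/null "$1"
}

main() {
    tmp=$(mktemp -d)
    fetch_burp_ca "$tmp/burp-ca.der"
    der_to_pem "$tmp/burp-ca.der" "$tmp/burp-ca.pem"
    is_root_ca "$tmp/burp-ca.pem" || { echo "not a self-signed CA cert" >&2; exit 1; }
    install_root_ca "$tmp/burp-ca.pem"
    verify_via_proxy "https://github.com/" && echo "Burp CA trusted as root"
}

# Opt-in so that sourcing the file for its functions does not touch the trust store.
case "${BURP_INSTALL:-}" in 1) main "$@" ;; esac
```

Run it as `BURP_INSTALL=1 sh burp-root-ca.sh` with Burp listening; the final curl is the real test of the original post's point, since a cert that only made it into an intermediate store still fails validation through the proxy.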
