Sunday, May 12, 2013

Using Client SSL Certificates with Burp Suite

As of version 1.5.09, released on Tuesday, March 26 2013, Burp has integrated support for PKCS#11 and PKCS#12 client SSL certificates from files, smart cards, and other physical tokens.

Key features include:
  • Ability to configure multiple PKCS#11 and PKCS#12 certificates for use with different hosts (or host wildcard masks).
  • Auto-detection of installed PKCS#11 libraries (currently Windows only).
  • Auto-detection of card slot settings.
  • Support for OS X, Linux and 32-bit Windows (note that Oracle Java does not currently support PKCS#11 on 64-bit Windows).
  • Persistence of configuration across reloads of Burp.

I'll quickly show how to use a hard token with Burp Suite on a Windows virtual machine. The process is very similar on other operating systems or with certificate files.

First, insert your hard token and make sure the operating system recognizes it. Because I am using a Windows virtual machine, it shows up as a Rainbow USB Device.

In Burp, select the 'Options' tab and scroll down to the 'Client SSL Certificates' section and select 'Add'.

Select the certificate type, either File (PKCS#12) or Hardware token/Smart card (PKCS#11). You can also restrict the certificate to a specific destination host (or a host wildcard mask), or leave the host blank to apply it to all hosts. Note that with the host left blank the certificate is offered to any server that requests one, so for anything other than a single-target test it is worth scoping it to the host you are actually testing.

Specify the location of the PKCS#11 library file (the DLL or shared object installed with the token's driver). You can browse to the file yourself, or, on Windows only, let Burp attempt to locate it automatically.

Select which locations Burp should search. Every library file it finds is listed; select the one for your token and click Next. If you are not sure which file is correct, you can always come back and retry with a different one.

Enter the PIN code and click Refresh. Burp unlocks the token and lists the certificates it holds; select the one you want to use and click Next.

Success! Browse to the application and confirm that you actually get the access the certificate is supposed to grant. Remember, if the handshake fails you may need to go back and try a different library file.
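Because Burp loads tokens through Java's own SunPKCS11 provider (which is also why the 64-bit Windows limitation above exists) and files through a PKCS#12 keystore, the same steps can be reproduced outside Burp to work out which library file is the right one. The following is an added example, not code from the original post and not Burp's code: it loads either a PKCS#11 library or a .p12 file, lists the private-key certificates it finds (the list Burp shows after Refresh), and makes one HTTPS request with them. The class name, the argument layout and the default of slotListIndex=0 are assumptions; it assumes Java 7 or 8, the Java of this post's era (on Java 9+ the internal SunPKCS11 class is not accessible and Security.getProvider("SunPKCS11").configure(configFile) is used instead), and, on Windows, a 32-bit JVM for the PKCS#11 path.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.net.URL;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/*
 * ClientCertCheck (hypothetical name): load a client certificate the way Burp
 * does, list what the store contains, then make one HTTPS request with it.
 *
 * Usage:
 *   java ClientCertCheck <library.dll|cert.p12> <PIN-or-password> <https-url> [slotListIndex]
 *
 * Assumes Java 7 or 8: sun.security.pkcs11.SunPKCS11 is an internal class
 * that is used directly here. On Windows of that era this must be a 32-bit JVM.
 */
public class ClientCertCheck {

    // Hardware token: a KeyStore backed by the vendor's PKCS#11 library.
    static KeyStore loadPkcs11(String library, char[] pin, String slotListIndex) throws Exception {
        // SunPKCS11 is configured through a small text file, not an API call.
        File cfg = File.createTempFile("pkcs11-", ".cfg");
        cfg.deleteOnExit();
        try (FileWriter w = new FileWriter(cfg)) {
            w.write("name=ClientCertCheck\n");
            w.write("library=" + library + "\n");
            // Burp auto-detects the slot; 0 is the first slot the library reports.
            w.write("slotListIndex=" + slotListIndex + "\n");
        }
        // A wrong library (or a 64-bit JVM with a 32-bit DLL) throws here.
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg.getAbsolutePath());
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // the PIN is the keystore "password"; a wrong PIN throws here
        return ks;
    }

    // Certificate file: a PKCS#12 keystore.
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print every entry that has a private key: these are the usable client certificates.
    static void listCertificates(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + c.getSubjectX500Principal()
                    + " (expires " + c.getNotAfter() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientCertCheck <library.dll|cert.p12> <PIN> <https-url> [slotListIndex]");
            System.exit(2);
        }
        char[] secret = args[1].toCharArray();
        String lower = args[0].toLowerCase();
        KeyStore ks = (lower.endsWith(".p12") || lower.endsWith(".pfx"))
                ? loadPkcs12(args[0], secret)
                : loadPkcs11(args[0], secret, args.length > 3 ? args[3] : "0");
        listCertificates(ks);

        // Hand the keystore to a KeyManager and make one request with it.
        // The PKCS#11 keystore ignores the key password; PKCS#12 needs it.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, secret);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // default trust store for the server's certificate

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

Run it once per candidate library file: the right one is the one for which the keystore loads and lists your certificate. An exception from the SunPKCS11 constructor or from ks.load means the library or the PIN is wrong, which is the problem the library picker in Burp solves; a TLS handshake failure or a 403 on the request means the server did not accept the certificate, which no amount of swapping library files will fix.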

One thing to note: different user roles in an application often require different tokens. I did have trouble having multiple tokens loaded and quickly switching between them. The fastest way I found was to just add and remove the tokens and certificates one at a time. A slight annoyance when doing role-based testing, but not too bad. Overall this is great functionality for Burp Suite to have.