标签:certificate Python through Burp https requests proxies burpsuit PROXY
Python Requests and Burp Suite
Problem: When I am conducting a pentest, I commonly write python scripts to use the requests module and need to proxy them through Burp. I have been using the "Easy way out," but there are problems with doing this and there is a much more efficient way in handling this.
Easy way out: I can proxy requests through Burp Suite fairly easily by creating a proxies dictionary and assigning that dictionary to the proxies argument. I then have to set the verify argument to False because Burp's certificate is not trusted by the requests library's certificate bundle. Example code:
import requests
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
r = requests.get("https://www.google.com/", proxies=proxies, verify=False)
Problem with easy way out: What happens if you have many calls to the requests library and you don't want to set the proxies and verify arguments for each request. Or possibly you have been given a test harness that utilizes the requests library and you don't want to modify each and every call to the library. I have always searched for this answer and only found that I can export two environment variables HTTP_PROXY and HTTPS_PROXY. However, this does not fix the fact that I have to set the verify argument to False on every single request.
Solution: In addition to the HTTP_PROXY and HTTPS_PROXY environment variables, there is also a REQUESTS_CA_BUNDLE which can be set to specify the location of a certificate. However, the documentation is not very clear about the certificate format required. After some basic troubleshooting, I was able to determine the encoding needed for the REQUESTS_CA_BUNDLE file is PEM.
After you have downloaded your certificate from Burp (either through the browser or directly from the application's GUI), it is DER formatted. In order to convert it to the needed PEM encoded format, run the following command:
openssl x509 -inform der -in certificate.cer -out certificate.pem
You are now ready to export your environment variables and use requests with Burp.
export REQUESTS_CA_BUNDLE="/path/to/pem/encoded/cert"
export HTTP_PROXY="http://127.0.0.1:8080"
export HTTPS_PROXY="http://127.0.0.1:8080"
Now all of your HTTP requests made through the requests library without the proxies argument configured will be routed through Burp. In order to remove these environment variables, run the following commands:
unset REQUESTS_CA_BUNDLE
unset HTTP_PROXY
unset HTTPS_PROXY标签:certificate,Python,through,Burp,https,requests,proxies,burpsuit,PROXY 来源: https://blog.csdn.net/jxz_dz/article/details/120324755
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。