Burp proxy interception doesn't work for localhosted web apps with Firefox
Asked Answered
C

1

6

Although I can and do use the Burp proxy with Firefox for remote web servers without any problem, I can't seem to get it to work on the local network with test web applications I host on my local server.

Burp cannot see traffic from these requests. What am I missing? Some solutions suggested in related questions here did not help me at all.

Crownpiece answered 22/7, 2022 at 10:54 Comment(0)
H
12

TL;DR

To proxy localhost (and related addresses) with newer Firefox versions (>=67), the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.

Details on why Mozilla decided to use specific rules for localhost;

In 2018, Jann Horn reported a major security vulnerability. According to his report, applications that bind a web server to localhost and then use Host Header checks, to prevent DNS rebinding attacks, should be protected from malicious outside traffic, even if the network itself is malicious. Back then, localhost was not treated differently in proxying decisions by Firefox. That meant that an attacker could abuse Web Proxy Auto-Discovery (WPAD) Protocol to gain the ability to serve attacker-controlled content at http://localhost>:*/*. So the attacker could be able to perform same-origin XMLHttpRequest (XHR) to http://localhost>:*/* (e.g. by letting the proxy auto-config (PAC) file specify DIRECT as fallback, if the proxy went down).

In 2019, Mozilla's developers decided to create and "hide" the above mentioned preference in the config page, in order to protect inexperienced users. The fix was finally released with version 67.

Hanford answered 22/7, 2022 at 10:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.