Testing HSTS-protected Sites Using Burp


If you do a lot of web assessments using Burp (or any proxy, really) you might be having issues with HSTS-enabled sites.

The issue is with modern browsers (especially recently) being very strict with who you can and cannot talk to. Basically, before they were just warning you that something could be dangerous, but now they’re simply not allowing you to visit the site at all.

So here are two solutions:

  1. Use a browser that gives 0 f*cks

  2. Install Burp’s CA as a root certificate into your browser

The first just avoids the problem because the browser isn’t looking for, or enforcing, the HSTS check. The second forces the browser to trust Burp.

Related posts: