Thursday, February 6, 2014

Intercepting traffic of Web Applications that have HSTS (HTTP Strict Transport Security) enabled

HTTPS for the web traffic from your browser to the web server is now widely implemented over the web. You will not be surprised if the applications that you get for testing already have a valid SSL certificate and use strong cipher suites (maybe this is not their first pentest, then).

Sometimes you may come across websites that have the HSTS header enabled.

When you try to intercept the traffic using a web proxy, in Firefox 20.x or above you will see the certificate error message without the option to take a security exception, as we usually do.
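Before picking a workaround, it helps to read the policy the server is actually sending, since the header decides how long the browser will refuse a proxy's certificate. The following is an added example, not code from the original post: it parses a Strict-Transport-Security header value according to RFC 6797 and reports weak or missing settings. The host names and response headers are constructed samples standing in for what you would see in the proxy's response view.

```python
"""Inspect Strict-Transport-Security (HSTS) headers on sample responses.

Added example, not from the original post. Applies the RFC 6797 rules so a
tester can report a missing, cleared, short-lived or partial HSTS policy.
"""

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000, the common minimum

# Constructed sample responses: host -> (scheme, response headers).
# The hosts are hypothetical; the header values illustrate common cases.
SAMPLE_RESPONSES = {
    "strong.example":   ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short.example":    ("https", {"Strict-Transport-Security": "max-age=3600"}),
    "disabled.example": ("https", {"strict-transport-security": "max-age=0"}),
    "plain.example":    ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "none.example":     ("https", {"Content-Type": "text/html"}),
}


def parse_hsts(value):
    """Parse an HSTS header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age may be quoted. A missing or
    non-numeric max-age is reported as None, which makes the header invalid.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def find_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def assess_hsts(scheme, headers):
    """Return a list of findings for one response; an empty list means the policy is strong."""
    findings = []
    value = find_header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header: the browser will not pin this host to HTTPS"]
    if scheme != "https":
        # RFC 6797 section 8.1: browsers ignore the header on non-secure transports.
        findings.append("HSTS header sent over plain HTTP is ignored by browsers (RFC 6797 s8.1)")
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        findings.append("max-age directive missing or malformed: the header is invalid and ignored")
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears any stored policy: HSTS is effectively disabled")
        return findings
    if policy["max_age"] < ONE_YEAR_SECONDS:
        findings.append(f"max-age={policy['max_age']} is below one year ({ONE_YEAR_SECONDS})")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    if not policy["preload"]:
        findings.append("preload absent: policy relies on trust-on-first-use, so the first visit is unprotected")
    return findings


def assess_all(responses):
    """Assess every sample response; returns host -> findings."""
    return {host: assess_hsts(scheme, hdrs) for host, (scheme, hdrs) in responses.items()}


if __name__ == "__main__":
    for host, findings in assess_all(SAMPLE_RESPONSES).items():
        print(host, "OK" if not findings else findings)
```

A long max-age is exactly why "just add an exception" fails here: once the browser has cached the policy it keeps enforcing it until the entry expires or is deleted, which is what the "Forget about this site" step later in the post relies on.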

One easy way is to use a browser that does not support HSTS, like IE (grr..) or older versions of Mozilla Firefox.

Some other ways that I explored are listed below:

  1. Install the certificate as a trusted root CA in your browser. The article below shows how to achieve this in Google Chrome:

     Pen-testing HSTS (Http Strict Transport Security) Sites with Burp

     In a very similar way you can install the certificate in your favourite browser, say Firefox.
  2. Alternatively, in Firefox you can follow the steps below to take an exception on the certificate error:
     Go to the history tab (Ctrl+H), search for the URL and right-click on it. In the drop-down menu select "Forget about this site".

     Now refresh the page and you will see that the "I Understand the Risks" option is enabled.


Proceed the usual way to confirm the security exception and continue intercepting the traffic. Happy testing!



