Bypassing BurpSuite "Failed to connect to website:port" issue

By -

Hi readers,
When performing penetration testing, it’s common to run into situations where an application or web portal works perfectly in a browser, but refuses to load once you route traffic through your interception proxy(e.g. Burp suite). Instead of the expected traffic flow, you might be greeted with errors such as:

Error
Failed to Connect to <website:port>


This happens because some applications and servers enforce stricter connection requirements, such as enforcing TLS versions, specific cipher suites, or HTTP/2 negotiation. which the proxy cannot always handle correctly on its own.

The Solution: Proxy Chaining (Upstream Proxy): 

The workaround is to introduce an additional proxy layer that sits between your BurpSuite and the destination server. Your interception proxy connects to this new proxy, which then handles the final connection to the target.

This approach is commonly called proxy chaining or upstream proxying. It ensures that your interception tool can still capture and modify traffic, while the upstream proxy takes care of establishing a compliant connection with the target.

Graphical representation of this architecture:

A Custom Python Proxy

To address this, I built a lightweight Python upstream proxy with the help of AI(no shame in accepting this) that acts as a middleman.

  • It listens locally on a port you define (e.g., default 127.0.0.1:8081).
  • It accepts connections from your BurpSuite proxy.
  • For normal HTTP requests, it forwards them to the target using modern libraries that support HTTP/2 and TLS 1.3.
  • For HTTPS (CONNECT requests), it sets up a raw tunnel, allowing your interception proxy to handle SSL/TLS interception as usual.
Script to download: https://github.com/aamir-rehman/Upstream-Proxy-for-Burp-or-anyother-proxy-
Make sure to install httpx before running the script --> pip install httpx

How to Run

  1. Save the script as bypass_proxy.py.

  2. Start it with: python bypass_proxy.py -p 8081 -v


Once the script is running, Go to 
BurpSuite proxy settings --> Network --> Upstream proxy server --> add the proxy details of this script.

For-example: destination host= *, proxy host=127.0.0.1, proxy port=8081 --> OK --> Make sure the checkbox is on/checked



Thats it, open the browser in which burp proxy is configured, and start browsing the webapp, now you will not see the error which we faced before, you can also see the logs in the script console.

The app started working and burp is capturing the traffic.




Happy hunting.









Comments

Post a Comment

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef...
Read more

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -
Image
  Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options.  However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS. Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings. 1. Using Ping menu (CVE-2024-41308):  it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open. 2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open. Both the vulner...
Read more

ZKBio Time - CSV Injection (CVE-2022-40472)

By -
Image
 Hi all, I am here with new post. Recently I have identified a csv injection vulnerability in one of the web-based time and attendance management software. Below are the details: Software Description: ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface is able to manage timetable, shift and schedule and can easily generate attendance reports. Impacted Version: 8.0.7 (Build: 20220721.14829) and before. CVE ID: CVE-2022-40472 Vulnerability details: Login to ZKBio Time Application In the left Menu click on Messages -> Public Click on ADD new message button Write your Device Serial Number Mention any date/time and duration In Content Field Add your CSV injection payload. As shown below Any user who extract th...
Read more