Configure SSL Passthrough in Burp Suite


Introduction

Burp Suite is a powerful platform for web application security testing. One of its core features is the intercepting proxy, which allows you to inspect and modify traffic between your browser and a web server. However, sometimes you may want to prevent Burp from intercepting traffic to certain hosts. This could be to avoid breaking applications that use certificate pinning, to improve performance by ignoring high-volume traffic from trusted domains, or simply to focus on your target application.

This is where SSL Passthrough comes in. This feature tells Burp Suite to pass encrypted (TLS/SSL) traffic directly to the destination server without attempting to decrypt or intercept it.

In this lab, you will learn how to configure an SSL Passthrough rule in Burp Suite to exclude all Google domains from interception. The lab environment has Burp Suite Community Edition pre-installed and the browser is pre-configured to use the Burp proxy.

In this step, you will launch Burp Suite and navigate to the SSL Passthrough settings. All actions will take place within the VNC desktop environment.

First, launch Burp Suite:

  1. Click on the "Applications" menu in the top-left corner of the screen.
  2. Navigate to Other -> Burp Suite Community Edition.

A dialog box will appear. For this lab, you can just use a temporary project:

  1. Leave Temporary project selected and click Next.
  2. On the next screen, click Use Burp defaults, then click Start Burp.

Once Burp Suite is open, you need to find the SSL Passthrough settings.

  1. Click on the Proxy tab.
  2. Within the Proxy tab, click on the Options sub-tab.
  3. Scroll down the options page until you find the section titled SSL Passthrough. (Newer Burp releases label this section TLS pass through and place it in the Settings dialog under Proxy; the rule itself works the same way.)

You are now in the correct location to add a new rule.

Click 'Add' to Create a New Rule

In this step, you will initiate the process of adding a new SSL Passthrough rule.

The SSL Passthrough section allows you to specify destinations for which Burp will not perform TLS interception. Any requests to these destinations will be passed through directly to the server, and their contents will not be visible in the proxy history.

To begin, locate the Add button within the SSL Passthrough section and click it.

After clicking Add, a new dialog box titled "Add SSL Passthrough rule" will appear. This dialog is where you will specify the details of the host you wish to exclude from interception.

Enter a Hostname that You Do Not Want to Intercept (e.g., *.google.com)

In this step, you will define the specific host or domain to be excluded from interception.

In the "Add SSL Passthrough rule" dialog box that you opened in the previous step, you will see a field labeled Host or IP range. This is where you enter the destination you want to bypass.

You can use wildcards (*) to match all subdomains of a particular domain. This is very useful for large services like Google, which uses many different subdomains (e.g., www.google.com, mail.google.com, apis.google.com).

In the Host or IP range field, type the following value:

*.google.com

After entering the hostname, click the OK button to save the rule. The dialog box will close, and you will see your new rule in the SSL Passthrough list.

Enable the Rule

In this step, you will activate the newly created SSL Passthrough rule.

By default, when you add a new rule, it is created in a disabled state. You must explicitly enable it for it to take effect. You can see your new rule for *.google.com in the list, but the checkbox in the Enabled column is currently unchecked.

To enable the rule, simply click the checkbox in the Enabled column next to the *.google.com entry.

Once the box is checked, the rule is active. Burp Suite will now automatically pass through any TLS traffic destined for any subdomain of google.com without intercepting it.

Browse to the Specified Host and Verify Traffic is Not in Proxy History

In this final step, you will test the SSL Passthrough rule by browsing to a Google domain and observing the proxy history.

First, navigate to the proxy history log in Burp Suite:

  1. Ensure you are still on the Proxy tab.
  2. Click the HTTP history sub-tab. This log shows all traffic that passes through Burp's proxy.

Next, open the web browser in the VNC environment:

  1. Click on the "Applications" menu.
  2. Navigate to Internet -> Firefox.

In the Firefox address bar, type https://www.google.com and press Enter. The Google homepage should load normally.

Now, switch back to Burp Suite and look at the HTTP history tab. You will notice that there are no entries for www.google.com showing the details of the page load (like GET /, GET /some-image.png, etc.). You might see a single entry like CONNECT www.google.com:443, which is the initial connection setup, but the encrypted application data itself has "passed through" without being logged.

To confirm that the proxy is still working for other sites, go back to Firefox and navigate to http://example.com. Now check the HTTP history in Burp again. You will see the full request and response for example.com, proving that your passthrough rule is specific to Google. Note that plain HTTP traffic is never subject to SSL Passthrough, so for a stricter check also visit an HTTPS site that the rule does not match and confirm its decrypted requests still appear in the history.
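The wildcard matching described in the "Host or IP range" step and the history check in this verification step can be modelled in a few lines. The following Python is an added example written for this page, not Burp Suite code and not a PortSwigger API: it assumes a rule's wildcard behaves like a shell glob (an assumption; IP ranges are not modelled), that only TLS connections on port 443 are candidates for passthrough, and that a passed-through connection leaves at most a CONNECT line in the HTTP history. The sample requests are constructed.

```python
"""Model of Burp's SSL Passthrough rule matching and of what the HTTP history
shows once a rule is enabled.  Added illustration, not Burp's own code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PassthroughRule:
    host: str               # wildcard pattern typed into "Host or IP range"
    enabled: bool = False   # new rules start disabled and must be ticked


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive wildcard match; '*' matches any run of characters.

    '*.google.com' matches 'www.google.com' and 'mail.google.com' but not
    'google.com' itself (no dot before the label) and not 'notgoogle.com'.
    Assumption: Burp's wildcard behaves like this glob; IP ranges are not modelled.
    """
    return fnmatchcase(host.lower(), pattern.lower())


def is_passed_through(rules, host: str, tls: bool) -> bool:
    """True when Burp would hand the connection straight to the server.

    Only TLS connections are candidates; plain HTTP is always intercepted,
    and a disabled rule never matches (the 'forgot to tick Enabled' pitfall).
    """
    if not tls:
        return False
    return any(r.enabled and host_matches(r.host, host) for r in rules)


def simulate_history(requests, rules):
    """Model the HTTP history lines produced by a list of browser requests.

    requests: iterable of (method, host, port, path).
    A passed-through TLS connection leaves only the CONNECT tunnel line
    (deduplicated per host); an intercepted one shows the decrypted
    method and full URL.
    """
    shown = []
    for method, host, port, path in requests:
        if is_passed_through(rules, host, port == 443):
            line = f"CONNECT {host}:{port}"
            if line not in shown:
                shown.append(line)
        else:
            scheme = "https" if port == 443 else "http"
            shown.append(f"{method} {scheme}://{host}{path}")
    return shown


def lab_rule(enabled: bool) -> list:
    """The single rule configured in this lab, before or after ticking Enabled."""
    return [PassthroughRule("*.google.com", enabled=enabled)]


# Constructed sample traffic: two Google page loads, one plain-HTTP site and
# one HTTPS site whose name merely ends in 'google.com'.
CONSTRUCTED_REQUESTS = [
    ("GET", "www.google.com", 443, "/"),
    ("GET", "www.google.com", 443, "/images/logo.png"),
    ("GET", "mail.google.com", 443, "/mail/"),
    ("GET", "example.com", 80, "/"),
    ("GET", "notgoogle.com", 443, "/"),
]


if __name__ == "__main__":
    print("Rule added but not enabled:")
    for line in simulate_history(CONSTRUCTED_REQUESTS, lab_rule(False)):
        print("  ", line)
    print("Rule enabled:")
    for line in simulate_history(CONSTRUCTED_REQUESTS, lab_rule(True)):
        print("  ", line)
```

Running the script shows every Google request in full while the rule is still disabled, and only the two CONNECT lines once it is enabled; example.com and notgoogle.com are unaffected in both cases, which is exactly the before/after picture this step asks you to confirm in the HTTP history tab.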

Summary

In this lab, you have successfully configured and tested the SSL Passthrough feature in Burp Suite.

You learned how to:

  • Navigate to the SSL Passthrough settings within Burp Suite's proxy options.
  • Add a new rule to exclude a specific domain, using a wildcard (*.google.com) to cover all its subdomains.
  • Enable the rule to make it active.
  • Verify that the rule is working by observing that traffic to the specified domain is no longer intercepted and logged in the HTTP history, while traffic to other domains remains unaffected.

Mastering this feature will help you create a more efficient and focused workflow during your web application security assessments.