Introduction
Burp Suite is a powerful proxy tool used for web application security testing. It sits between your browser and the target web server, allowing you to intercept, inspect, and modify the traffic passing in both directions.
To inspect HTTPS traffic, which is encrypted, Burp Suite must perform a man-in-the-middle (MitM) attack on your own traffic. It terminates the TLS connection from the server at the proxy and establishes a separate TLS connection with your browser. For your browser to accept this new connection without security warnings, it must trust the certificate presented by Burp Suite.
In this lab, you will learn how to download and install Burp Suite's unique Certificate Authority (CA) certificate into the Firefox browser. This is a fundamental setup step for anyone looking to use Burp Suite for security testing.
Navigate to http://burpsuite in the Configured Browser
In this step, you will start Burp Suite and Firefox, and then navigate to a special Burp Suite URL to access the certificate download page. The lab environment's Firefox is pre-configured to use Burp Suite as its proxy.
First, you need to launch Burp Suite.
- Click on the "Applications" menu at the top-left of the desktop.
- Go to "Other" and select "Burp Suite Community Edition".
- A dialog box will appear. You can leave the default settings ("Temporary project") and click "Next".
- Another dialog box will appear. Click "Start Burp".
Once Burp Suite is running, open the Firefox browser.
- Click on the Firefox icon in the application dock at the bottom of the screen.
With both applications running, open a new tab in Firefox and type the following address into the address bar, then press Enter:
http://burpsuite
You should see the Burp Suite welcome page. This page is served directly from the Burp Suite proxy and is only accessible when your browser is correctly configured to use it.
Download the CA Certificate File
In this step, you will download the Burp CA certificate file from the welcome page you just opened.
On the http://burpsuite page, you will see a link in the top-right corner labeled "CA Certificate".
- Click on the CA Certificate link.
- A file download dialog will appear. Firefox will ask you what to do with the file.
- Ensure the "Save File" option is selected and click "OK".
The browser will download a file named cacert.der. By default, it will be saved to the Downloads directory, which is located at /home/labex/Downloads. We will need this file in the upcoming steps.
Open Firefox Certificate Manager
In this step, you will navigate through the Firefox settings to open the Certificate Manager. This is where Firefox stores all of its trusted certificates.
Follow these instructions carefully within the Firefox browser:
- Click the application menu button (the three horizontal lines) in the top-right corner of the Firefox window.
- From the dropdown menu, select Settings.
- In the Settings tab that opens, click on Privacy & Security in the left-hand navigation pane.
- Scroll all the way down to the bottom of the page until you find the Certificates section.
- Click the View Certificates... button.
This will open the "Certificate Manager" window, which has several tabs like "Your Certificates", "People", "Servers", and "Authorities".
Import the Downloaded Certificate into the 'Authorities' Tab
In this step, you will import the cacert.der file you downloaded earlier. Since this certificate acts as a Certificate Authority (CA), it must be imported into the "Authorities" tab.
In the "Certificate Manager" window that you opened in the previous step:
- Make sure you have selected the Authorities tab.
- Click the Import... button located at the bottom of the window.
- An "Open File" dialog will appear. By default, it may open in the ~/project directory. You need to navigate to the Downloads directory where the certificate was saved. Click on Downloads in the left pane.
- Select the cacert.der file.
- Click the Open button.
After clicking "Open", a new dialog box will appear, asking you to set the trust levels for this certificate. We will configure this in the next step.
Trust the PortSwigger CA for Websites
This is the final and most important step. You must explicitly tell Firefox to trust the imported certificate for identifying websites. This is what allows Burp Suite to intercept HTTPS traffic without causing browser errors.
After you selected the cacert.der file in the previous step, a dialog box titled "Downloading Certificate" will appear. It will ask you to set the trust settings for the "PortSwigger CA".
- In this dialog box, check the box next to Trust this CA to identify websites.
- Leave the other box ("Trust this CA to identify email users") unchecked.
- Click the OK button to save the trust settings.
The certificate is now installed. You should see "PortSwigger" listed as a certificate authority in the "Authorities" tab of the Certificate Manager.
- Click OK to close the Certificate Manager window.
- You can now close the Settings tab in Firefox.
You have successfully installed the Burp CA certificate!
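Before trusting any CA in a browser, it is worth checking what the downloaded file actually contains. The following shell script is an added example, not part of the lab or of Burp Suite: it inspects cacert.der with openssl and provides the command-line equivalent of the import performed above using NSS certutil, whose "C,," trust flags correspond to ticking only "Trust this CA to identify websites". It assumes openssl is installed, the certificate is at the lab's default path, and, for the import helper only, that certutil (libnss3-tools) is available and the Firefox profile lives under ~/.mozilla/firefox.

```shell
#!/bin/sh
# Added example, not part of the lab: inspect the downloaded Burp CA before
# trusting it, and optionally import it with NSS certutil, the command-line
# equivalent of the Certificate Manager steps above.
# Assumptions: openssl is installed; cacert.der is at the lab's default path;
# for import_into_firefox, certutil (libnss3-tools) is installed and the
# Firefox profile lives under ~/.mozilla/firefox (not a snap/flatpak build).

CERT_DER="${1:-$HOME/Downloads/cacert.der}"

# Show what a tester should look at before trusting a CA: who issued it,
# how long it is valid, and its SHA-256 fingerprint for later comparison.
inspect_ca() {
    openssl x509 -inform der -in "$1" -noout \
        -subject -issuer -dates -fingerprint -sha256
}

# Return 0 only if the file parses as a DER certificate, is self-signed
# (issuer equals subject) and carries basicConstraints CA:TRUE, i.e. it is
# a root CA certificate and belongs in the "Authorities" tab.
is_root_ca() {
    subj=$(openssl x509 -inform der -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -inform der -in "$1" -noout -issuer 2>/dev/null) || return 1
    text=$(openssl x509 -inform der -in "$1" -noout -text 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        printf '%s\n' "$text" | grep -q 'CA:TRUE'
}

# Same trust decision as the dialog: "C,," marks the CA trusted for
# identifying websites (SSL) only; the e-mail trust bit stays clear.
import_into_firefox() {
    profile=$(find "$HOME/.mozilla/firefox" -maxdepth 1 -name '*.default*' | head -n 1)
    [ -n "$profile" ] || { echo "no Firefox profile found" >&2; return 1; }
    certutil -A -n "PortSwigger CA" -t "C,," -i "$1" -d "sql:$profile"
}

if [ -f "$CERT_DER" ]; then
    inspect_ca "$CERT_DER"
    if is_root_ca "$CERT_DER"; then
        echo "OK: $CERT_DER is a self-signed CA certificate"
    else
        echo "WARNING: $CERT_DER is not a self-signed CA certificate" >&2
    fi
fi
```

Run import_into_firefox only while Firefox is closed; changes to a profile's certificate database made while the browser is running are not reliably picked up. Because this CA lets whoever holds its private key intercept every HTTPS site the browser visits, keep it in a dedicated testing profile rather than your everyday browser.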
Summary
In this lab, you have completed a critical setup task for using Burp Suite. You successfully launched Burp Suite, used Firefox to download its unique CA certificate, and imported that certificate into the browser's trust store.
By trusting the PortSwigger CA, you have configured Firefox to allow Burp Suite to act as a man-in-the-middle, enabling you to intercept, view, and modify encrypted HTTPS traffic for security testing purposes. This skill is fundamental for anyone working in web application security. Congratulations on completing the lab!
