KB: Installation of a tool to intercept HTTP/HTTPS requests and responses sent between the Jira frontend and a target server (for example the Jira or Appfire backend)

Purpose

This page describes how to install the Burp Suite software in order to intercept and analyze the requests and responses sent between the Jira frontend and target servers such as the Jira backend or the Appfire production servers, using Burp's proxy (which also captures WebSocket traffic).

Runbook:

Download and install

Download the Burp Suite Community Edition using the links below:

https://portswigger.net/burp/releases/professional-community-2022-7-1?requestededition=community&requestedplatform=

Select the macOS Intel or ARM/M1 build, depending on the MacBook you have.

Run the installer and launch Burp Suite.

Setup Proxy Listener:

In Burp, go to the Proxy > Options tab.

In the Proxy listeners panel, you should see an entry for the interface 127.0.0.1:8080 with the Running checkbox selected, indicating that the listener is active and running.

Configure your browser to proxy traffic

Depending on the browser you use, set up the proxy in that external browser. For example, in Firefox:

In Firefox, open the Firefox Menu and select Preferences (called Options on some platforms). Then select the General tab and scroll to the Network Proxy settings. Click the Settings button and select the Manual proxy configuration option.

Next, enter the Burp Proxy listener address (127.0.0.1) in the HTTP Proxy field and its port in the Port field (by default, 8080). Make sure the Use this proxy server for all protocols box is checked.

Install the Burp CA certificate to enable HTTPS interception.

To install Burp's CA certificate on macOS, proceed as follows:

With Burp running, visit http://burpsuite in your browser. You should be taken to a page that says "Welcome to Burp Suite Professional". In the top-right corner of the page, click CA Certificate to download the CA certificate.

Open the Keychain Access application on macOS, go to the Certificates folder, and drag and drop the downloaded certificate into the certificates list.

In Keychain Access, double-click the entry for PortSwigger CA. In the dialog that opens, expand the Trust section and select the option Always trust.

Intercepting a request

Burp Proxy lets you intercept HTTP/HTTPS requests and responses sent between a browser and the target server. This enables you to study how the website behaves.

To turn interception on, go to the Proxy > Intercept tab and click the Intercept is off button so that it toggles to Intercept is on.

Using your browser, try to visit your Jira instance and observe that the site doesn't load. Burp Proxy has intercepted the HTTP request issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.

Click the Forward button several times to send the intercepted request, and any subsequent ones, until the page loads in the browser.


Burp helps you analyze each request and check exactly what the server responds with. The big advantage is that you can stop the traffic at any moment to inspect each request, detect issues, and understand how the website behaves.

Example of using Burp to detect a wrong response from the Jira backend while using Planning Poker.

When using Planning Poker for Jira DC/Server, users may run into an unexpected loop that sends them to the Planning Poker app every time they select a project from the project menu.

Using Burp you can stop the traffic and check the response headers to determine why this happens. The following screenshots show that the server's response has status 302 and redirects to the Location header value provided by the Jira backend:

This shows that the Jira backend changes this Location randomly and sends the user to different views, which the app cannot control.
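The same check can be scripted over responses copied out of Burp's Intercept tab. The following is an added example, not part of this KB page or of the Planning Poker code: it parses raw HTTP responses, resolves 302 Location headers against the request URL, and reports request URLs whose redirect target varies between captures (the symptom described above). The captured responses and paths in it are constructed samples, not real Jira or Planning Poker URLs.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response as copied from Burp's Proxy > Intercept tab."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split(" ", 2)[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"status": status, "headers": headers, "body": body}


def redirect_target(resp: dict, request_url: str):
    """Absolute redirect target for a 3xx response with Location, else None."""
    if resp["status"] in REDIRECT_CODES and "location" in resp["headers"]:
        return urljoin(request_url, resp["headers"]["location"])  # Location may be relative
    return None


def unstable_redirects(captures):
    """captures: list of (request_url, raw_response) in interception order.
    Returns {request_url: [targets...]} for URLs redirected to more than one place."""
    targets = {}
    for url, raw in captures:
        tgt = redirect_target(parse_response(raw), url)
        if tgt is not None:
            targets.setdefault(url, []).append(tgt)
    return {url: tgts for url, tgts in targets.items() if len(set(tgts)) > 1}


# Constructed sample captures; hostnames and paths are hypothetical placeholders.
CAPTURES = [
    ("https://jira.example.com/browse/PROJ",
     "HTTP/1.1 302 Found\r\nLocation: /plugins/servlet/planning-poker\r\nContent-Length: 0\r\n\r\n"),
    ("https://jira.example.com/browse/PROJ",
     "HTTP/1.1 302 Found\r\nLocation: /projects/PROJ/issues\r\nContent-Length: 0\r\n\r\n"),
    ("https://jira.example.com/browse/PROJ",
     "HTTP/1.1 302 Found\r\nLocation: /plugins/servlet/planning-poker\r\nContent-Length: 0\r\n\r\n"),
    ("https://jira.example.com/secure/Dashboard.jspa",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    for url, tgts in unstable_redirects(CAPTURES).items():
        print(f"{url} was redirected to {len(set(tgts))} different targets: {tgts}")
```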

In case of any issues contact @Konrad Szkudlarski.