Master Your Burp Suite: The Ultimate TLS Pass-Through Guide for Flawless Security Testing

Introduction:

In the realm of web application security testing, noise from encrypted traffic to common domains can significantly hinder efficiency. This guide delves into the advanced configuration of Burp Suite’s TLS Pass-Through feature, a critical technique for professional penetration testers and bug bounty hunters to filter out non-essential background traffic, allowing for a focused analysis of the target application.

Learning Objectives:

  • Understand the purpose and function of TLS Pass-Through in Burp Suite.
  • Learn to configure and manage a comprehensive TLS Pass-Through list.
  • Develop the ability to customize pass-through rules for specific testing environments and targets.

You Should Know:

1. The Core TLS Pass-Through Configuration

The foundation of reducing noise begins in the Proxy > Options > TLS Pass-Through settings. The initial rules provided in the source post are essential for bypassing traffic to common Google and Mozilla services.

.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\..*

Step-by-step guide:

This configuration uses regular expressions (regex) to match domain names. When Burp Suite receives an HTTPS connection request to a domain that matches any of these patterns, it does not intercept the TLS handshake. Instead, it acts as a simple TCP tunnel, allowing the client and server to establish an encrypted connection directly. Burp therefore neither decrypts nor logs this traffic, which is typically irrelevant to your security test, and your HTTP history and Target site map stay much cleaner. To implement, navigate to `Proxy > Options`, scroll down to the “TLS Pass-Through” section, click “Add”, and enter each regex pattern.

2. Expanding Your Pass-Through List for Maximum Efficiency

A professional setup extends beyond the basic list. Adding rules for common CDNs, analytics, and social media platforms is crucial.

.*\.cloudflare\.com
.*\.akamaihd\.net
.*\.facebook\.com
.*\.connect\.facebook\.net
.*\.twitter\.com
.*\.twimg\.com
.*\.apple\.com
.*\.apple-dns\.net
.*\.live\.com
.*\.microsoft\.com
.*\.windowsupdate\.com
.*\.doubleclick\.net
.*\.googletagmanager\.com
.*\.googlesyndication\.com
.*\.google-analytics\.com
.*\.hotjar\.com
.*\.jsdelivr\.net
.*\.cloudfront\.net
.*\.amazonaws\.com

Step-by-step guide:

This expanded list targets domains responsible for serving common web resources, analytics scripts, and telemetry data. By adding these, you ensure that traffic related to advertising, user tracking, and third-party libraries does not clutter your workflow. The process is identical: add each regex entry to the TLS Pass-Through list. The leading `.*` is a regex wildcard that matches any subdomain (e.g., www, api, cdn) of the specified base domain; a trailing `.*`, as in the mozilla rule, matches anything after the name.

3. OS and Software Update Telemetry Bypass

Operating systems and installed software frequently phone home for updates and telemetry, creating significant background noise.

.*\.edgesuite\.net
.*\.akamaiedge\.net
.*\.windows\.com
.*\.office\.com
.*\.office365\.com
.*\.adobe\.com
.*\.adobedc\.net
.*\.dropbox\.com
.*\.spotify\.com

Step-by-step guide:

This set of rules is designed to bypass traffic generated by the underlying operating system (Windows, macOS) and common desktop applications like Microsoft Office, Adobe Creative Cloud, and media players. This is particularly important during thick-client application testing or when the testing machine itself is generating network traffic that is unrelated to the web application target. Implementing these rules will prevent your Proxy history from being filled with update checks and usage statistics.

4. Validating Pass-Through Rules with Burp’s Logger

After configuration, it’s vital to verify that the rules are functioning as intended. Burp Suite’s Logger tab is the perfect tool for this.
1. Navigate to the `Logger` tab within Burp Suite.
2. Ensure that all traffic is being captured (check the scope settings).
3. Browse the web normally or let your target application run.
4. Observe the Logger entries. Traffic to domains on your pass-through list should no longer appear as decrypted HTTP/HTTPS requests but may still show as `TCP` tunnel connections in the `Proxy > HTTP history` tab with a note indicating a pass-through.

5. Troubleshooting Intercepted Traffic with In-Scope Items

Sometimes, traffic to a pass-through domain is still intercepted. This is often due to scope settings.

1. Go to `Target > Scope`.
2. Check the “Include in scope” rules. If a pass-through domain is explicitly included in the scope, Burp may prioritize interception over the pass-through rule.
3. To resolve this, either remove the domain from the scope or use a `No Proxy` rule in `Proxy > Options > Proxy Listeners > Edit > Request handling > No Proxy` for that specific IP range or domain, which takes precedence.

6. The Critical Security Trade-Off: Bypassing vs. Inspecting

While TLS Pass-Through cleans noise, it also means you are not inspecting that traffic for potential vulnerabilities.
– Benefit: Cleaner logs, focused testing, improved performance.
– Risk: You might miss a vulnerability in a third-party script (e.g., an XSS in an old version of a jQuery library loaded from a CDN) or a misconfiguration in an API call to a subdomain you have bypassed.
– Mitigation Strategy: For a comprehensive assessment, perform an initial scan without extensive pass-through rules to identify all assets. Then, enable the rules for manual, focused testing. Critical subdomains of the target (e.g., api.target.com, admin.target.com) should never be on the pass-through list.
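
An added example (not from the original post or from Burp itself): a Python check that runs a pass-through list against the hosts found in the initial discovery pass and reports any target asset a rule would leave uninspected. The host names are constructed, and the rules are a subset of the lists above written in `.*\.domain\.tld` form.

```python
import re

# Subset of the pass-through rules discussed on this page.
PASS_THROUGH = [
    r".*\.google\.com",
    r".*\.cloudfront\.net",
    r".*\.amazonaws\.com",
    r".*\.microsoft\.com",
    r".*\.mozilla\..*",
]

# Constructed sample: hosts seen for a hypothetical target during the
# initial pass made without extensive pass-through rules.
TARGET_HOSTS = [
    "www.target.example",
    "api.target.example",
    "login.target.example",
    "target-uploads.s3.amazonaws.com",   # storage bucket owned by the target
    "d1234abcd.cloudfront.net",          # CDN distribution fronting the app
]

def blind_spots(rules, hosts):
    """Return {host: [rule, ...]} for every target host a rule would tunnel.

    re.search() is used instead of fullmatch() so the audit over-reports
    rather than under-reports (assumption: the proxy's exact matching
    semantics are not relied on here).
    """
    compiled = [(rule, re.compile(rule, re.IGNORECASE)) for rule in rules]
    hits = {}
    for host in hosts:
        name = host.rstrip(".")  # tolerate a trailing root dot
        matched = [rule for rule, rx in compiled if rx.search(name)]
        if matched:
            hits[host] = matched
    return hits

def safe_rules(rules, hosts):
    """Rules that match no target host and can stay enabled for this project."""
    risky = {r for matched in blind_spots(rules, hosts).values() for r in matched}
    return [r for r in rules if r not in risky]

if __name__ == "__main__":
    for host, matched in blind_spots(PASS_THROUGH, TARGET_HOSTS).items():
        print(f"NOT INSPECTED: {host} (matched by {', '.join(matched)})")
    print("keep enabled:", safe_rules(PASS_THROUGH, TARGET_HOSTS))
```

Broad cloud-provider rules such as the `amazonaws.com` and `cloudfront.net` entries are the ones most likely to be flagged, because target-owned buckets and distributions live under those domains.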

7. Automating Rule Management for Large-Scale Testing

Managing these lists across multiple projects can be tedious. Burp allows for configuration export and import.
1. To export your current settings, including the TLS Pass-Through list, go to Burp > Project options > Save project options.
2. This saves a JSON file. You can edit this file to manage your pass-through rules in a text editor.
3. To import these settings into a new project, use Burp > Project options > Restore project options.
4. For team collaboration, a standardized project options file with a pre-defined pass-through list can be shared, ensuring consistency across all testers.

What Undercode Say:

  • TLS Pass-Through is a non-negotiable configuration for professional-level testing efficiency, transforming a chaotic stream of data into a targeted workflow.
  • The power of this feature is a double-edged sword; its blind spots must be consciously managed through a phased testing approach to avoid critical oversights.

Analysis:

The technique of TLS Pass-Through, while simple in implementation, represents a mature understanding of the modern web ecosystem. The initial post highlighted a basic but powerful starting point. Our expanded analysis provides the depth required for operational security teams, transforming a “simple trick” into a systematic strategy. The real value lies not just in adding the recommended rules, but in understanding the “why” behind each category of bypassed traffic. This knowledge allows testers to dynamically adapt their pass-through list based on the specific application architecture and testing goals, ensuring that no critical attack surface is left unexamined while maintaining a clean and efficient testing environment.

Prediction:

The increasing reliance on third-party services, CDNs, and cloud platforms will make traffic filtering tools like TLS Pass-Through even more critical. We predict the next evolution will be AI-assisted proxy configuration within security tools, which will automatically suggest and manage pass-through rules by learning from the tester’s behavior and the target application’s traffic patterns, further streamlining the human analyst’s workflow.

Reported By: 0xsojalsec Infosec – Hackers Feeds