hanu · 15mo ago

Credentials in plain text in Burp Suite

I got to know that credentials seen in plain text while using Burp Suite configured with a browser is not a vulnerability. BUT ChatGPT says that Burp Suite should not be able to see them in plain text. Can someone explain?
2 Replies
DirtyJ · 15mo ago
Burp Suite would be able to see stuff even with HTTPS, as it has its own man-in-the-middle-type decryption with its trusted certs. With a little more context as to what you're trying to see, I can give a more specific answer, though.
hanu · 15mo ago
It's a project I'm working on. I vaguely know I shouldn't be reporting plain text credentials (these are the ones for the login page of that app) as a vulnerability, so I did not. I don't know the entire "why" behind it. A colleague (our lead, who's technically dumb) pointed out why I didn't report this. So I just wanted to have a better explanation for not reporting this. I told him basically that Burp Suite's CA cert is added to the browser, so it'd have the same visibility as our browser does. There isn't any better explanation on the internet or even on standard sites like OWASP or PortSwigger. So I thought about reaching out in some community chat. Thanks for the clarification, by the way.
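The mechanism both replies describe (Burp terminates TLS itself, presenting a per-host certificate signed by a CA the browser has been told to trust, so the proxy reads the decrypted request) can be shown end to end in a few dozen lines. The program below is an added example written for this thread, not Burp's own code or anything from PortSwigger: it mints a constructed "proxy CA", signs a leaf certificate for the hypothetical host app.example with it, stands up a TLS listener playing the proxy, and sends a constructed login POST through it twice. When the CA is in the client's trust store (the browser with the Burp CA installed) the proxy reads the credentials in the clear; when the CA is not trusted, the handshake fails with an unknown-authority error and the proxy sees nothing. The host name, CA name and request body are all assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Constructed sample request: what a browser sends to the app's login page.
const constructedLogin = "POST /login HTTP/1.1\r\nHost: app.example\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n" +
	"username=alice&password=hunter2"

// mintCert issues a certificate. With parent == nil it is a self-signed CA;
// otherwise it is a leaf for host signed by parent, the way an intercepting
// proxy signs a fresh per-host certificate with its own CA.
func mintCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host} // hypothetical target host
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// intercept stands up a TLS endpoint playing the proxy and drives one client
// login through it. trustProxyCA models whether the proxy CA has been installed
// in the browser's trust store. It returns whatever plaintext the proxy read.
func intercept(trustProxyCA bool) (string, error) {
	ca, caKey, err := mintCert("Constructed Proxy CA", true, nil, nil)
	if err != nil {
		return "", err
	}
	leaf, leafKey, err := mintCert("app.example", false, ca, caKey)
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	captured := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			captured <- ""
			return
		}
		defer conn.Close()
		// TLS terminates here, at the proxy, so everything read is plaintext.
		data, _ := io.ReadAll(conn)
		captured <- string(data)
	}()

	pool := x509.NewCertPool() // the "browser" trust store
	if trustProxyCA {
		pool.AddCert(ca)
	}
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "app.example", RootCAs: pool})
	if err != nil {
		return "", err // e.g. x509: certificate signed by unknown authority
	}
	fmt.Fprint(client, constructedLogin)
	client.CloseWrite()
	client.Close()
	return <-captured, nil
}

func main() {
	seen, err := intercept(true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("proxy CA trusted -> proxy reads:\n%s\n\n", seen)
	if _, err := intercept(false); err != nil {
		fmt.Printf("proxy CA not trusted -> handshake fails: %v\n", err)
	}
}
```

The point for the report is that the proxy is not breaking TLS; it is one of the two TLS endpoints, exactly as the browser is, because the tester chose to trust its CA. Credentials would only become a finding if they were visible to a party that is not a TLS endpoint, for instance if the login form posted over plain HTTP.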