Using Burp with Containers In Docker

Making Docker Containers Trust Burp Suite’s CA for Testing

When testing applications running inside Docker containers, intercepting traffic with Burp Suite can be challenging because containers don’t automatically trust Burp’s CA certificate. Without trust, HTTPS requests from inside the container will fail with certificate errors.

In this post, I’ll show you how to:

  1. Add Burp Suite’s CA to your host system
  2. Pass the trusted CA to Docker containers
  3. Ensure seamless HTTPS traffic interception for testing

Let’s get started!

Before you dive in, remember: if you can start a shell in the container, and the container has internet access and a package manager, you can install the Burp CA certificate inside the container itself using the same commands shown below for the host.

1. Export Burp Suite’s CA Certificate

First, you need to export Burp’s CA certificate.

  1. Open Burp Suite and go to:
    Proxy → Options → Import / Export CA Certificate

  2. Choose Certificate in DER format and save it as burp.der.

  3. Convert it to PEM format (needed for most Linux distributions):

    openssl x509 -inform DER -in burp.der -out burp.pem -outform PEM
    

Note: You can also download the certificate with the following command: `curl -o burp.der http://127.0.0.1:8080/cacert.der`

2. Add the CA Certificate to Your Host System

Now, we need to add Burp Suite’s CA as a trusted root certificate on the host.

On Ubuntu / Debian

sudo cp burp.pem /usr/local/share/ca-certificates/burp.crt
sudo update-ca-certificates

On Red Hat / Fedora

sudo cp burp.pem /etc/pki/ca-trust/source/anchors/burp.crt
sudo update-ca-trust

On Arch Linux

sudo cp burp.pem /etc/ca-certificates/trust-source/anchors/burp.crt
sudo trust extract-compat

Verify the certificate is installed by checking it against the system trust store:

openssl verify burp.pem

3. Pass the Trusted CA to Docker Containers

By default, containers don’t inherit the host system’s CA trust. You need to explicitly mount the CA directory inside the container.

Run your container with:

docker run --rm -it \
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  my-container

This ensures the container sees the host’s trusted CAs.

Method 2: Copy CA into the Image (Persistent)

If you want to bake the CA into your image:

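  1. Add these lines to your Dockerfile to copy the certificate into the image (the path and update-ca-certificates apply to Debian/Ubuntu-based images):
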
    COPY burp.pem /usr/local/share/ca-certificates/burp.crt
    RUN update-ca-certificates
    
  2. Build and run:
    docker build -t my-container .
    docker run --rm -it my-container
    

4. Verify the Certificate in the Container

Inside the container, check that the system trusts Burp’s CA:

openssl s_client -connect example.com:443 -CApath /etc/ssl/certs

If everything is set up correctly, there should be no certificate warnings. Now, all HTTPS traffic from the container can be intercepted by Burp Suite without SSL/TLS errors!
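
As an added example (not from the original post), the script below checks two things the steps above depend on: that Burp's CA actually ended up in the CA bundle file, and that a mounted /etc/ssl/certs directory is not full of symlinks whose targets are missing in the container. The file name check-ca.sh and the function names are assumptions made for this example, and the bundle path in the usage line is the Debian/Ubuntu one.

```shell
#!/bin/sh
# Added example (not from the original post): trust-store checks that need
# only POSIX sh and awk, so they also run in images without openssl.

# Print one line per certificate in a PEM file: its base64 body with line
# breaks removed, so differences in line wrapping do not affect matching.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CA_PEM BUNDLE
# Exit 0 if the first certificate in CA_PEM is present in BUNDLE, 1 if it
# is absent, 2 if CA_PEM holds no PEM certificate (e.g. it is still DER).
ca_in_bundle() {
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -qxF -- "$want"
}

# dangling_links DIR
# Print how many symlinks in DIR point at files that do not exist here.
# Host /etc/ssl/certs entries on Debian/Ubuntu are symlinks into
# /usr/share/ca-certificates and /usr/local/share/ca-certificates, which a
# container that only mounts /etc/ssl/certs may not have.
dangling_links() {
    n=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage: sh check-ca.sh burp.pem /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
    if ca_in_bundle "$1" "$2"; then echo "OK: $1 is in $2"
    else echo "MISSING: $1 is not in $2"; fi
    echo "dangling symlinks in $(dirname "$2"): $(dangling_links "$(dirname "$2")")"
fi
```

A non-zero dangling count with an "OK" bundle result means tools that read the bundle file will trust Burp, while tools that look certificates up by hash in the directory may not.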

5. Run a non-proxy aware command from container

If you do not have sh/bash or any other shell in the container, which was the case for me, there is an age-old trick you can use: set http_proxy for HTTP URLs and https_proxy for HTTPS URLs. In some cases the capitalization matters, so you should try both HTTPS_PROXY and https_proxy.

So, taking curl as an example, you can run the following command:

sudo docker run -v /etc/ssl/certs:/etc/ssl/certs:ro \
     -e HTTPS_PROXY=http://172.17.0.1:8080 \
     ubuntu:latest curl https://google.com

Note: Inside the container, localhost does not refer to your Docker host, so you will need to add a new proxy listener in Burp Suite that listens on the Docker interface IP address, which by default is 172.17.0.*.

Final Thoughts

This setup is crucial when testing applications inside Docker containers. By ensuring the container trusts Burp Suite’s CA, you can effectively intercept and inspect HTTPS traffic for security testing without workarounds.

Now, you’re all set to analyze traffic from your Dockerized applications! 🚀

Would you like to see this as a video tutorial? Let me know in the comments!


Authored By Amit Agarwal

Amit Agarwal, Linux and Photography are my hobbies. Creative Commons Attribution 4.0 International License.
