login

Burp Suite, the leading toolkit for web application security testing

Burp Proxy Options

This tab contains Burp Proxy settings for Proxy listeners, interception of requests and responses, response modification, match and replace, and miscellaneous options.

Proxy Listeners

A Proxy listener is a local HTTP proxy server that listens for incoming connections from your browser. It allows you to monitor and intercept all requests and responses, and lies at the heart of Burp's user-driven workflow. By default, Burp creates a single listener on port 8080 of the loopback interface. To use this listener, you need to configure your browser to use 127.0.0.1:8080 as its proxy server. This default listener is all that is required for testing virtually all browser-based web applications.

Burp lets you create multiple Proxy listeners, and provides a wealth of configuration options for controlling their behavior. You may occasionally need to use these options when testing unusual applications, or working with some non-browser-based HTTP clients.

Binding

These settings control how Burp binds the Proxy listener to a local network interface:

Request Handling

These settings include options to control whether Burp redirects requests received by this listener:

Note that each of the redirection options can be used individually. So for example, you can redirect all requests to a particular host, while preserving the original port and protocol used in each original request.

Burp's support for invisible proxying allows non-proxy-aware clients to connect directly to the listener. For more details see the invisible proxying help.

Certificate

These settings control the server SSL certificate that is presented to SSL clients. Use of these options can resolve some SSL issues that arise when using an intercepting proxy:

The following options are available:

Interception Options

These settings control which requests and responses are stalled for viewing and editing in the Intercept tab. Separate settings are applied to requests and responses.

The "Intercept" checkbox determines whether any messages are intercepted. If it is checked, then Burp applies the configured rules to each message to determine whether it should be intercepted.

Individual rules can be activated or deactivated with the checkbox on the left of each rule. Rules can be added, edited, removed, or reordered using the buttons.

Rules can be configured on practically any attribute of the message, including domain name, IP address, protocol, HTTP method, URL, file extension, parameters, cookies, header/body content, response code, content type and HTML page title. You can configure rules to only intercept items for URLs that are within the target scope. Regular expressions can be used to define complex matching conditions for each attribute.

Rules are processed in order, and are combined using the Boolean operators AND and OR. These are processed with a simple "left to right" logic in which the scope of each operator is as follows:

(cumulative result of all prior rules) AND/OR (result of current rule)

All active rules are processed on every message, and the result after the final active rule is applied determines whether the message is intercepted or forwarded in the background.

The "Automatically update Content-Length" checkbox controls whether Burp automatically updates the Content-Length header of the message when this has been modified by the user. Using this option is normally essential when the HTTP body has been modified.

Response Modification

These settings are used to perform automatic modification of responses. You can use these options to achieve various tasks by automatically rewriting the HTML in application responses.

The following options may be useful to remove client-side controls over data:

The following options may be useful for disabling client-side logic for testing purposes (note that these features are not designed to be used as a security defense in the manner of NoScript):

The following options may be used to deliver sslstrip-like attacks against a victim user whose traffic is unwittingly being proxied via Burp. You can use these in conjunction with the listener option to force SSL in outgoing requests to effectively strip SSL from the user's connection:

Match and Replace

These settings are used to automatically replace parts of requests and responses passing through the Proxy. For each HTTP message, the enabled match and replace rules are executed in turn, and any applicable replacements are made.

Rules can be defined separately for requests and responses, and for message headers and bodies. Each rule can specify a regex pattern to match, and a literal string to replace it with. 

For message headers, if the match condition matches the entire header and the replacement string is left blank, then the header is deleted. If a blank matching expression is specified, then the replacement string will be added as a new header.

Miscellaneous

These settings control some specific details of Burp Proxy's behavior. The following options are available:

 

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Monday, October 8, 2012

v1.5rc3

This release fixes a bug which was introduced in the v1.5rc2 release, and which caused the active scan checks for XSS to fail to execute in some situations

See all release notes ›

Copyright © 2012 PortSwigger Ltd. All rights reserved.