**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
TLS Passthrough
TLS passthrough allows traffic to pass through Burp Suite without decryption or modification. This approach offers three main advantages:
Enhanced performance: because Burp neither decrypts nor re-encrypts the traffic, passthrough connections carry far less overhead, which significantly boosts performance.
Original TLS fingerprint: servers receive the browser’s original TLS fingerprint rather than Burp’s, which helps to bypass certain anti-bot measures.
Reduced TLS errors: it avoids client-side TLS errors, such as those raised by mobile apps that use TLS certificate pinning and therefore reject Burp’s CA certificate.
For applications that access multiple domains, or that use both HTTP and HTTPS, you can pass the TLS connections to specific problematic hosts straight through while intercepting the rest of the traffic normally.
There are two methods to implement TLS passthrough:
Specify TLS passthrough targets: add specific hosts or IP ranges to the passthrough list.
Apply to out-of-scope items: use TLS passthrough for all out-of-scope items.
Add TLS passthrough targets
To add a new TLS passthrough target, follow these steps:
- Copy the URL of the web server and click “Paste URL” to add it to the list.
Alternatively, you can configure the target manually:
- Click “Add” to open the Add TLS passthrough target dialog.
- Enter the target information:
For Hosts or IP range, you can use a regex or specify an IP range. You may also leave it blank to match any item. For the Port, enter the port number for TLS passthrough or leave it blank to match any item.
- Click on “OK” to add the target to the list.
You can modify or delete targets in the list as necessary. To upload a CSV or text file of targets, click “Load” and choose the file.
To automatically add entries when a client fails a TLS negotiation, select “Automatically add entries on client TLS negotiation failure.” This is useful when the client does not trust Burp’s CA certificate, which causes the TLS negotiation to fail.
Apply TLS passthrough to out-of-scope items
To automatically apply TLS passthrough to out-of-scope items when you set the target scope, follow these steps:
- Navigate to the Target tab, then to the Site map and HTTP history sections, and select the items you wish to include in the target scope.
- Right-click your selection and choose Add to scope. A Proxy history logging window will appear.
- Click Yes to enable TLS passthrough for out-of-scope items.
This action activates the following setting in the Settings > Proxy menu:
TLS passthrough: Apply to out-of-scope items (this can only be enabled while the Proxy history logging option “Don’t send items to Proxy history or live tasks, if out of scope” is active; setting the target scope selects that option as well).
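The two mechanisms above (an explicit target list of host regexes or IP ranges with optional ports, plus the out-of-scope fallback) combine into one decision per CONNECT request. The following is an added example that models that decision in Python; it is not Burp’s own code, and the target entries, hostnames and the `in_scope` callback are constructed stand-ins for Burp’s passthrough list and target scope.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional


def _parse_ip_range(spec: str):
    """Return (first, last) addresses for a CIDR or 'start-end' range, else None (treat as regex)."""
    try:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return (lo, hi) if lo.version == hi.version and lo <= hi else None
        net = ipaddress.ip_network(spec, strict=False)
        return (net[0], net[-1])
    except (ValueError, TypeError):
        return None  # not an IP range, so the entry is interpreted as a host regex


@dataclass
class PassthroughTarget:
    """One entry in the TLS passthrough list (constructed model, not Burp's data structure)."""
    host: str = ""              # regex or IP range; "" (blank) matches any host
    port: Optional[int] = None  # None (blank) matches any port

    def matches(self, host: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        if self.host == "":
            return True
        ip_range = _parse_ip_range(self.host)
        if ip_range is not None:
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                return False  # a hostname never matches an IP-range entry
            lo, hi = ip_range
            return addr.version == lo.version and lo <= addr <= hi
        return re.search(self.host, host) is not None


def should_pass_through(host: str, port: int, targets, apply_to_out_of_scope: bool = False,
                        in_scope: Optional[Callable[[str], bool]] = None) -> bool:
    """True when a CONNECT to host:port should be tunnelled without decryption.

    apply_to_out_of_scope mirrors 'TLS passthrough: Apply to out-of-scope items';
    in_scope stands in for Burp's target scope (hypothetical callback, host -> bool)."""
    if any(t.matches(host, port) for t in targets):
        return True
    return bool(apply_to_out_of_scope and in_scope is not None and not in_scope(host))
```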
Proxy history logging
This setting controls whether Burp Proxy records out-of-scope items in the history or sends them to live tasks once items are added to the target scope. It prevents the build-up of project data for items that are outside the scope.
You have three options:
- Stop logging out-of-scope items.
- Ask me what to do each time.
- Do nothing.
These Proxy history logging settings are user-specific and apply to all Burp installations on your machine.
Default Proxy Interception State
Use this setting to determine whether Burp Proxy interception is enabled by default when you launch Burp. You have three choices:
- Enable interception.
- Disable interception.
- Restore the active setting in the Proxy > Intercept tab when Burp was last closed.
These Default Proxy interception state settings are user-specific and apply to all Burp installations on your machine.
Miscellaneous
These settings control several aspects of Burp Proxy’s behavior:
Use HTTP/1.0 in requests to server: enable this to use HTTP/1.0 for requests to destination servers, which is useful for legacy servers or applications that require this version.
Use HTTP/1.0 in responses to clients: enable this to use HTTP/1.0 for responses. All current browsers support both HTTP/1.0 and 1.1, but using 1.0 can help control browser behavior, such as preventing HTTP pipelining.
Use keep-alive for HTTP/1 if the server supports it: by default, Burp reuses HTTP/1 connections for outgoing requests, which can improve page load times.
Set response header “Connection: close”: enable this to add or update the response Connection header to “close”, which can help prevent HTTP pipelining.
Set connection close on incoming requests: Burp changes the request Connection header to “close”, which helps to prevent HTTP pipelining.
Strip Proxy-* headers in incoming requests: by default, Burp removes Proxy-* headers from incoming requests to prevent information leakage, as browsers sometimes send headers intended for the proxy server. This prevents malicious websites from inducing browsers to include sensitive data in those headers.
Remove unsupported encodings from Accept-Encoding headers in incoming requests: Burp removes encodings it cannot handle from the request’s Accept-Encoding header, reducing the chance that the server uses them. Deselect this if a server needs an unsupported encoding.
Strip Sec-WebSocket-Extensions headers in incoming requests: Burp removes this header to reduce the chance of problematic WebSocket extensions being negotiated. Deselect this if a server requires a specific extension.
Unpack compressed requests: enable this to automatically unpack compressed request bodies, which are common in applications with custom client components. Burp can handle gzip, deflate, and Brotli compression. Note that some applications expect a compressed body and may misbehave if the compression is removed.
Unpack compressed responses: enable this to automatically unpack compressed response bodies. Burp can handle gzip, deflate, and Brotli compression. To stop servers from compressing responses, create a match-and-replace rule that removes the Accept-Encoding header from requests.
Disable web interface at http://burpsuite: this is helpful when you need your listener to accept connections on an unsecured interface and want to restrict access to Burp’s in-browser interface.
Suppress Burp error messages in the browser: enable this to suppress error messages sent to the browser. It is useful for running Burp in stealth mode for man-in-the-middle attacks.
Don’t send items to Proxy history or live tasks: activating this option stops Burp from recording requests in the Proxy history or forwarding them to live tasks, limiting memory and storage overhead. This is useful when you use Burp Proxy only for a specific purpose, such as authenticating to upstream servers or performing match-and-replace operations.
Don’t send items to Proxy history or live tasks, if out of scope: Burp Suite excludes any out-of-scope requests from the Proxy history and does not forward them to live tasks. This helps you avoid accumulating project data for items that are out of scope. This option is selected automatically when you set the target scope, stopping the logging of Proxy history for out-of-scope items.
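The four “incoming request” options above (strip Proxy-* headers, set Connection: close, remove unsupported encodings from Accept-Encoding, strip Sec-WebSocket-Extensions) each rewrite the request before it reaches the server. The following added example, not Burp’s own code, applies those rewrites to a constructed header list so the effect of each toggle can be seen; the set of supported encodings is taken from the text above (gzip, deflate, Brotli).

```python
from typing import List, Tuple

# Content codings the proxy can unpack, per the text above; everything else is "unsupported".
SUPPORTED_ENCODINGS = {"gzip", "deflate", "br"}

Header = Tuple[str, str]


def normalise_incoming_request(headers: List[Header], strip_proxy_headers: bool = True,
                               connection_close: bool = True, filter_accept_encoding: bool = True,
                               strip_ws_extensions: bool = True) -> List[Header]:
    """Apply the 'incoming request' Miscellaneous options to a list of (name, value) headers.

    Returns a new list. Header names are matched case-insensitively; order is otherwise kept.
    The function and its option names are a constructed model of the settings, not Burp's API."""
    out: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if strip_proxy_headers and lname.startswith("proxy-"):
            continue  # e.g. Proxy-Connection: meant for the proxy, must not leak to the server
        if strip_ws_extensions and lname == "sec-websocket-extensions":
            continue  # avoid negotiating problematic WebSocket extensions
        if connection_close and lname == "connection":
            continue  # dropped here and re-added as "Connection: close" below
        if filter_accept_encoding and lname == "accept-encoding":
            # Keep only codings the proxy can unpack; "gzip;q=0.8" style parameters are preserved.
            kept = [c.strip() for c in value.split(",")
                    if c.split(";")[0].strip().lower() in SUPPORTED_ENCODINGS]
            if not kept:
                continue  # nothing usable left, so drop the header entirely
            value = ", ".join(kept)
        out.append((name, value))
    if connection_close:
        out.append(("Connection", "close"))  # one connection per request defeats pipelining
    return out
```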