Burp Suite User Forum

Authentication for Proxy Listener (in a shared network)

Syed | Last updated: Feb 08, 2023 12:05AM UTC

Hi,

Creating this post to add an FR for some sort of authentication for the proxy listener receiving requests in a shared network (on specific/all interfaces). As the documentation states, anyone on the shared network can send traffic on the listener (if allowed to specific/all interfaces). In case I want someone to use the listener and to make sure others don't route their requests through my Burp instance, authentication should be in place. If there's already a feature which helps with this, please share.

Thanks.

Syed | Last updated: Feb 08, 2023 12:24AM UTC

Adding to this^: from what I see, we can utilize the Redirect option and specify the host we want the requests to be forwarded to, instead of allowing everything, but that only supports specifying a single host. I reckon authentication by some means would be the best way of doing this.

Syed | Last updated: Feb 09, 2023 03:16AM UTC

For now though, as a temporary protection, I've used Windows Firewall to restrict connection from a specific IP in the shared network. Hopefully, this FR will be worked on :)

Hannah, PortSwigger Agent | Last updated: Feb 10, 2023 10:36AM UTC

Hi,

You can bind your proxy listener to a specific address and port, and then set up other machines to proxy through your specific IP and port, rather than setting your proxy listener to listen on all interfaces. By default, your proxy listener will only bind to your loopback address.

Syed | Last updated: Feb 23, 2023 03:49AM UTC

Hi Hannah, thanks for your reply. It seems you misunderstood my request. I actually want to expose it to the whole network interface since different machines will be connecting, hence the requirement for authentication for specific hosts to tunnel their traffic through my Listener.

Syed | Last updated: Mar 07, 2023 10:55PM UTC

Awaiting response :)

Hannah, PortSwigger Agent | Last updated: Mar 14, 2023 04:03PM UTC

Hi,

Some alternatives could be to set up a full proxy/firewall in front of Burp, and proxy traffic to that to be forwarded on to Burp. Alternatively, you could create an extension in Burp that will automatically drop requests that don't contain your appropriate authorizations.
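
The first alternative in the reply above (a proxy in front of Burp), as an added example that is not part of the thread and is not PortSwigger code: a small asyncio front end that requires HTTP Basic proxy credentials on each connection before relaying to a Burp listener left bound to loopback. The listen address 0.0.0.0:8888, the Burp address 127.0.0.1:8080 and the sample credentials are assumptions.

```python
import asyncio, base64, hmac

BURP = ("127.0.0.1", 8080)        # assumed: Burp's listener stays on loopback
USERS = {"tester": "change-me"}   # constructed sample credentials
TOKENS = [base64.b64encode(f"{u}:{p}".encode()) for u, p in USERS.items()]
DENY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
        b'Proxy-Authenticate: Basic realm="burp"\r\nContent-Length: 0\r\n\r\n')

def gate(head: bytes):
    """Return head without Proxy-Authorization if it carried valid Basic credentials, else None."""
    ok, kept = False, []
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"proxy-authorization":
            kept.append(line)
            continue
        scheme, _, token = value.strip().partition(b" ")
        # constant-time compare against each configured user:password token
        ok = scheme.lower() == b"basic" and any(
            hmac.compare_digest(token.strip(), t) for t in TOKENS)
    return b"\r\n".join(kept) if ok else None

async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the receiving side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(reader, writer):
    try:  # read the first request head (CONNECT or plain HTTP) from the client
        clean = gate(await reader.readuntil(b"\r\n\r\n"))
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        clean = None
    if clean is None:
        writer.write(DENY)
        writer.close()
        return
    up_r, up_w = await asyncio.open_connection(*BURP)
    up_w.write(clean)  # first head is forwarded with the credential header removed
    await asyncio.gather(pipe(reader, up_w), pipe(up_r, writer), return_exceptions=True)

async def main():
    async with await asyncio.start_server(handle, "0.0.0.0", 8888) as server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Only the first request head on each TCP connection is checked and stripped, so authentication here is per connection. Basic credentials cross the shared network unencrypted, so this complements rather than replaces the firewall restriction mentioned earlier in the thread.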
