The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp being blocked by Cloudflare

pwndumb | Last updated: Feb 09, 2023 11:05PM UTC

Hi. I've tried a lot of things but I can't use Burp to intercept requests on some sites behind Cloudflare. Changing the user agent doesn't work anymore. I've read about this and it seems CF is using something like this https://blog.cloudflare.com/monsters-in-the-middleboxes. Is there a fix for this?

PS: The idea of CF security is the worst thing that a company can do about security. We can't check if a site is vulnerable or not because we can't access the site with appropriate tools to analyze it. There is no dumber idea on the face of the earth.

Ben, PortSwigger Agent | Last updated: Feb 10, 2023 01:37PM UTC

Hi,

Ultimately, this depends on what measures are in place. We have had some luck when changing the User-Agent value (which you have already tried) or using an external browser to proxy the traffic but, realistically, if more advanced methods are in place then these workarounds are unlikely to work.

Unfortunately, if advanced detection methods are in use in your scenario, there is no simple way to get round this in the short term and also no easy fix for us to implement as a long term solution. Our current position is, if we were to try to carry out some work to evade current fingerprinting mechanisms, then it is likely that Cloudflare (and other similar companies) would simply develop new detection methods that we would fall foul of. We would then be, effectively, entering into an 'arms race' with them in order to try and stay one step ahead of them and this would not be a good use of our development time.

pwndumb | Last updated: Feb 10, 2023 09:47PM UTC