The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


CORS problem

Ian | Last updated: Apr 03, 2024 12:01PM UTC

This may be the app I'm testing, but I've updated to the latest version of Burp (2024.2.1.3) and it is breaking CORS on any browser proxied through it. Without Burp I can access the application I'm testing and the browser correctly recognises that the API it needs to call is allowed via the Access-Control-Allow-Origin that is set via the OPTIONS preflight call. As soon as I put vanilla Burp in as a proxy I can still see the preflight calls, and I can still see the Access-Control-Allow-Origin header in the reply, but the browser refuses to accept it. The API call then fails with a CORS error and the app falls to pieces. The browser is also refusing to recognise that a cookie set by the API should be sent as part of the following API requests, again suggesting an Origin confusion. I've tried this with Edge, Chrome, Firefox and Burp bundled Chrome and I get the same problem. With the same browsers, as soon as Burp is removed from the chain, CORS, and therefore the app, works. I finally installed ZAP to make sure it wasn't just my app being proxy-averse, and it works fine. I can intercept and modify, and both the app and ZAP work fine.

Michelle, PortSwigger Agent | Last updated: Apr 03, 2024 01:48PM UTC