Burp Suite User Forum

CORS problem

Ian | Last updated: Apr 03, 2024 12:01PM UTC

This may be the app I'm testing, but I've updated to the latest version of Burp (2024.2.1.3) and it is breaking CORS on any browser proxied through it. Without Burp I can access the application I'm testing and the browser correctly recognises that the API it needs to call is allowed via the Access-Control-Allow-Origin that is set via the OPTIONS preflight call. As soon as I put vanilla Burp in as a proxy I can still see the preflight calls, and I can still see the Access-Control-Allow-Origin header in the reply, but the browser refuses to accept it. The API call then fails with a CORS error and the app falls to pieces. The browser is also refusing to recognise that a cookie set by the API should be sent as part of the following API requests, again suggesting an Origin confusion. I've tried this with Edge, Chrome, Firefox and Burp bundled Chrome and I get the same problem. With the same browsers, as soon as Burp is removed from the chain, CORS, and therefore the app, works. I finally installed ZAP to make sure it wasn't just my app being proxy averse, and it works fine. I can intercept and modify, and both the app and ZAP work fine.

Michelle, PortSwigger Agent | Last updated: Apr 03, 2024 01:48PM UTC

Hi, would you be able to email some screenshots of what you're expecting to see and what you actually see in Burp's Proxy History and Burp's Logger tabs to support@portswigger.net so we can take a closer look into this for you?
