The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Upstream proxy settings not used by scanner

Hans | Last updated: Dec 01, 2020 07:40PM UTC

I'm testing in an environment where all traffic must go through an upstream proxy. When I attempt to run an active scan on an endpoint where the upstream proxy will need to be used, the scan fails because it can't connect to the endpoint. Same issue happens when running something like "Discover Content". I believe it has to do with the scanner using the new embedded browser. For some reason, the use of an embedded browser does not use the configured upstream proxy settings. If I set a spidering profile to not automatically use the embedded browser, it will work and scan the spidered endpoints, but not if it's not spidering the endpoint first. Embedded browser might not be the issue, but it's the only thing I can think of that may be causing the issue.

Uthman, PortSwigger Agent | Last updated: Dec 02, 2020 09:05AM UTC

Hi Hans, what type of authentication is being used on your upstream proxy?

Hans | Last updated: Dec 02, 2020 04:06PM UTC

NTLMv2

Uthman, PortSwigger Agent | Last updated: Dec 02, 2020 04:17PM UTC

Thanks. We have a bug fix in our development backlog to address this. In the meantime, can you try disabling the embedded browser in your scan configuration under Crawling > Miscellaneous? Does the issue persist in an older version of Burp? (e.g. 2020.5.1)

Hans | Last updated: Dec 02, 2020 04:51PM UTC

The issue doesn't persist in older versions where the embedded browser is not used, which is another reason I believe it has something to do with the embedded browser. Unfortunately, disabling the embedded browser has to be done in the crawling scan configuration, but I usually don't crawl on a scan, just scan specific endpoints. It doesn't seem like an embedded browser should have anything to do with a pure scan profile since Burp should just be sending the raw traffic as seen in the proxy/repeater, but it seems like there must be something happening with it since that's the only common thing I can pick out as to why it would be failing.

Uthman, PortSwigger Agent | Last updated: Dec 02, 2020 05:02PM UTC