Burp Suite User Forum


You’ve been blocked for security reasons Cloudflare

Ashhad | Last updated: Jul 06, 2022 11:29AM UTC

When I turn on Burp Suite using the FoxyProxy extension and reload the website, this error is shown: "You’ve been blocked for security reasons. If you believe this is a mistake, please contact the website owner and include the request ID number from this page." I think the website uses Cloudflare. When I turn off the Burp proxy and reload the page, it works fine. This is the first time it has happened; other websites work fine when I turn on the Burp proxy. How do I solve this issue?

Ben, PortSwigger Agent | Last updated: Jul 07, 2022 09:17AM UTC

Hi Ashhad, We are aware that Cloudflare is implementing some measures to fingerprint and detect the use of proxies to intercept HTTPS traffic (there is some information about this here if you are interested - https://blog.cloudflare.com/monsters-in-the-middleboxes). Unfortunately, if this is the case in your scenario, there is no simple way to get round this in the short term and also no easy fix for us to implement as a long term solution. Is this a public facing site that we could take a look at ourselves in order to try and confirm that this is the issue (if you would prefer to share details of this privately, please feel free to send us an email at support@portswigger.net)?

Mopam | Last updated: Oct 17, 2022 10:33AM UTC

I have this problem on both CF and Akamai. I managed to bypass it through an abyss of trial and error (and I'm not even sure how I did it), but please, if you guys can fix it, I'm bumping the thread.

Ben, PortSwigger Agent | Last updated: Oct 18, 2022 09:12AM UTC

Hi Mopam, As alluded to in the earlier message, this is not something that we are looking to address. Our reasoning being that, even if we were able to make changes to circumvent detection, Cloudflare (and others) would quickly catch up and we will end up chasing what is essentially a moving target indefinitely.

EasySolution | Last updated: Nov 10, 2022 06:34PM UTC

I solved this issue. When all proxy settings are OK, just go to the "match and replace section" and select "header request" -> useragent - emulate iOS (iPhone) or Android (whatever). It will work simply fine! Have a nice day. All credit goes to PortSwigger for making such a great tool.

Dan | Last updated: Nov 19, 2022 04:58PM UTC

Hello everyone! The emulate iOS user agent seemed to work for a while, but at some point, that didn't work anymore for me. Any other ideas on how to bypass this? Are there any plans for Burp to handle this problem soon? Zap proxy has this solved, but since the proxy doesn't have HTTP/2 support, that's not a good option either.

Ben, PortSwigger Agent | Last updated: Nov 21, 2022 12:08PM UTC

Hi Dan, This is largely down to what detection methods are being used. There are some occasions where the detection methods are rudimentary and you can simply alter the User-Agent string being used in order to circumvent detection. Unfortunately, as alluded to earlier in this forum thread, there are other methods being employed that are far more sophisticated and are not easily bypassed (the information provided in the following blog post explains this - https://blog.cloudflare.com/monsters-in-the-middleboxes). As also mentioned earlier in this thread, we have no current plans to address this - to reiterate what was mentioned earlier, our reasoning being that, even if we dedicated resources and were able to make changes to circumvent the current detection, Cloudflare (and others) would quickly catch up and we will end up chasing what is essentially a moving target indefinitely. Are you able to share any details of the sites where you do not experience issues when using Zap but have issues when using Burp?
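Added example, not part of the thread and not Cloudflare's or PortSwigger's code: a sketch of the kind of server-side check that compares the browser claimed in the User-Agent header with a hash of the TLS ClientHello, which is why a header change alone does not affect handshake-based detection. The `ja3` helper follows the public JA3 string format; the ClientHello values, the baseline and the family names are constructed for illustration.

```python
import hashlib

# GREASE placeholders (RFC 8701) vary per connection, so JA3 drops them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3(hello):
    """Return (JA3 string, MD5 hex digest) for a parsed ClientHello."""
    fields = [[hello["version"]], hello["ciphers"], hello["extensions"],
              hello["curves"], hello["point_formats"]]
    text = ",".join("-".join(str(v) for v in f if v not in GREASE) for f in fields)
    return text, hashlib.md5(text.encode()).hexdigest()

def ua_family(user_agent):
    """Very coarse browser family taken from the User-Agent header."""
    if "iPhone" in user_agent:
        return "safari-ios"
    if "Firefox/" in user_agent:
        return "firefox"
    if "Chrome/" in user_agent:
        return "chrome"
    return "other"

def classify(user_agent, hello, baseline):
    """Compare the handshake fingerprint with what the claimed browser sends."""
    expected = baseline.get(ua_family(user_agent))
    if not expected:
        return "unknown"
    return "consistent" if ja3(hello)[1] in expected else "mismatch"

# Constructed sample data (not real browser or proxy fingerprints).
CHROME_HELLO = {"version": 771, "ciphers": [0x1A1A, 4865, 4866, 49195],
                "extensions": [0x2A2A, 0, 23, 65281, 10, 11],
                "curves": [0x3A3A, 29, 23, 24], "point_formats": [0]}
IOS_HELLO = {"version": 771, "ciphers": [4865, 4866, 4867, 49196],
             "extensions": [0, 23, 65281, 10, 11, 16],
             "curves": [29, 23, 24, 25], "point_formats": [0]}
PROXY_HELLO = {"version": 771, "ciphers": [4866, 4865, 49199, 49195, 157],
               "extensions": [0, 10, 11, 13], "curves": [23, 24], "point_formats": [0]}
BASELINE = {"chrome": {ja3(CHROME_HELLO)[1]}, "safari-ios": {ja3(IOS_HELLO)[1]}}

CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/106.0.0.0 Safari/537.36"
IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"

if __name__ == "__main__":
    print(classify(CHROME_UA, CHROME_HELLO, BASELINE))  # browser connects directly
    print(classify(CHROME_UA, PROXY_HELLO, BASELINE))   # TLS re-originated by a proxy
    print(classify(IOS_UA, PROXY_HELLO, BASELINE))      # header changed, handshake unchanged
```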
