Burp Suite Options

Comprehensive guide to configuring Burp Suite through Project Options and User Options

Burp Suite provides extensive configuration capabilities through two main options interfaces: Project Options and User Options. These settings allow you to customize Burp's behavior to suit your specific testing needs and preferences.

Overview

Project Options

Project Options control settings specific to the current testing project:

  • Apply to the current project only
  • Saved with project files - Professional Edition
  • Reset when starting a new project
  • Include target-specific configurations
  • Control testing behavior for the current target

User Options

User Options control Burp's general behavior:

  • Apply across all projects
  • Persist between Burp sessions
  • Control UI, display, and general behavior
  • Configure global tool settings
  • Manage user-specific preferences

Community vs. Professional Edition

Options availability differs between editions:

Community Edition:

  • Basic configuration options
  • Limited customization capabilities
  • No project saving functionality
  • Core settings for essential tools

Professional Edition:

  • Full range of configuration options
  • Advanced customization capabilities
  • Project saving and loading
  • Extensive tool-specific settings
  • Advanced scanning and automation options
  • Custom extension configuration

While both editions provide essential configuration options, the Professional edition offers more advanced customization and project management capabilities.

Project Options

Connections

Connection Settings

Configure how Burp handles network connections:

  1. Platform Authentication

    • Configure NTLM, Negotiate, or basic authentication
    • Set up authentication for specific URL prefixes
    • Use system credentials or custom username/password
  2. Upstream Proxy Servers

    • Configure Burp to use another proxy
    • Set up proxy chains
    • Define proxy exclusions
    • Configure authentication for upstream proxies
  3. SOCKS Proxy

    • Route traffic through a SOCKS proxy
    • Configure DNS resolution through SOCKS
    • Set up authentication for SOCKS proxy
  4. Timeouts

    • Configure connection timeout
    • Set response timeout
    • Adjust timeout for specific hosts
  5. Hostname Resolution

    • Override DNS resolution for specific hosts
    • Define custom hostname mappings
    • Useful for testing internal applications

These settings control how Burp connects to target applications and let it cope with proxies, authenticating gateways, and other non-standard network configurations.

TLS Options

Configure TLS/SSL handling:

  1. Client TLS Certificates

    • Configure client certificates for mutual TLS
    • Select certificate from file or Windows store
    • Set up certificates for specific hosts
  2. TLS Protocols

    • Enable/disable specific TLS versions
    • Configure protocol selection behavior
    • Set up protocol preferences
  3. Java SSL Options

    • Configure Java SSL implementation behavior
    • Enable/disable specific cipher suites
    • Set up advanced SSL parameters
  4. Server SSL Certificates

    • Configure how Burp generates SSL certificates
    • Customize certificate details
    • Import custom CA certificate

TLS configuration is crucial for testing secure applications and handling various certificate requirements.

HTTP

HTTP Settings

Configure how Burp handles HTTP requests and responses:

  1. Redirections

    • Control how Burp handles redirections
    • Configure automatic following of redirections
    • Set up interception of redirections
  2. Streaming Responses

    • Configure handling of streaming responses
    • Set up thresholds for response size
    • Control behavior for large responses
  3. Status 100 Responses

    • Configure handling of HTTP 100 Continue
    • Control automatic handling of interim responses
  4. HTTP/2

    • Enable/disable HTTP/2 support
    • Configure HTTP/2 connection settings
    • Control protocol negotiation

These settings allow you to customize how Burp handles various HTTP protocol features and behaviors.

Request Headers

Configure how Burp handles HTTP request headers:

  1. Set Headers

    • Add custom headers to all requests
    • Modify existing headers
    • Set up conditional header rules
  2. Update Content-Length

    • Control automatic updating of Content-Length
    • Configure behavior for modified requests
  3. Match and Replace

    • Set up rules to modify request headers
    • Use regex patterns for matching
    • Configure replacement values
  4. Match and Replace Body

    • Set up rules to modify request bodies
    • Use regex patterns for matching
    • Configure replacement values

These settings allow you to customize HTTP requests for various testing scenarios and handle application-specific requirements.
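Added example, not code from Burp or from this page's author: a minimal Python model of how the Match and Replace and Update Content-Length options transform a request before it leaves Burp. The rule fields mirror the ones Burp's match-and-replace dialog exposes (rule type, match, replace, regex or literal); the convention that a blank match adds a header and a blank replace deletes it follows Burp's documented behaviour for header rules; the sample request, the rule values, the header names and the function names are constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class MatchReplaceRule:
    """One match-and-replace rule, modelled on the fields in Burp's dialog."""
    rule_type: str          # "request_header" or "request_body"
    match: str              # pattern; blank on a header rule means "add this header"
    replace: str            # replacement; blank on a header rule means "delete the header"
    is_regex: bool = True   # False: match and replace are treated as literal strings
    enabled: bool = True


def _substitute(rule, text):
    """Regex rules may use back-references; literal rules must not interpret backslashes."""
    if rule.is_regex:
        return re.sub(rule.match, rule.replace, text)
    return re.sub(re.escape(rule.match), lambda m: rule.replace, text)


def _apply_header_rule(headers, rule):
    """Header rules are evaluated against each header line separately."""
    if not rule.match:                       # blank match: append the header unconditionally
        return headers + [rule.replace]
    pattern = rule.match if rule.is_regex else re.escape(rule.match)
    out = []
    for line in headers:
        if re.search(pattern, line):
            if not rule.replace:             # blank replace: drop the matching header line
                continue
            line = _substitute(rule, line)
        out.append(line)
    return out


def apply_rules(raw_request: str, rules) -> str:
    """Apply the enabled rules in order, then refresh Content-Length to match the final body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.rule_type == "request_header":
            headers = _apply_header_rule(headers, rule)
        elif rule.rule_type == "request_body":
            body = _substitute(rule, body)
    # The "Update Content-Length" option: recompute from the (possibly modified) body bytes
    headers = [f"Content-Length: {len(body.encode())}" if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join([request_line, *headers]) + "\r\n\r\n" + body


# Constructed sample request (not captured traffic)
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Encoding: gzip\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "username=alice&password=x"
)

# Constructed rules: tag assessment traffic so the target's defenders can recognise it,
# drop compression so responses stay readable, and rewrite one body parameter.
RULES = [
    MatchReplaceRule("request_header", r"^User-Agent: .*$", "User-Agent: AssessmentTraffic/1.0"),
    MatchReplaceRule("request_header", "", "X-Assessment-Id: constructed-0001"),
    MatchReplaceRule("request_header", r"^Accept-Encoding:.*$", ""),
    MatchReplaceRule("request_body", "username=alice", "username=alice.test", is_regex=False),
]


def demo() -> str:
    return apply_rules(SAMPLE_REQUEST, RULES)


if __name__ == "__main__":
    print(demo())
```

The Content-Length recomputation is what keeps a body rule from producing a request the server truncates or rejects; if you disable "Update Content-Length" in Burp for a raw-socket test, the same rule set would leave the original value of 25 in place after the body grew to 30 bytes.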

WebSockets

WebSocket Settings

Configure how Burp handles WebSocket connections:

  1. Connections

    • Control WebSocket connection handling
    • Configure connection timeout
    • Set up connection limits
  2. Frame Settings

    • Configure handling of WebSocket frames
    • Control frame size limits
    • Set up frame processing options
  3. Message Modifications

    • Set up rules to modify WebSocket messages
    • Use regex patterns for matching
    • Configure replacement values

WebSocket configuration is important for testing modern web applications that use real-time communication.

Sessions

Session Handling Rules - Professional Edition

Configure automated session handling:

  1. Session Handling Rules

    • Create rules for maintaining sessions
    • Configure scope for each rule
    • Set up rule actions and conditions
  2. Rule Actions

    • Add cookies from session jar
    • Run macro to obtain session tokens
    • Run macro to validate session
    • Extract session tokens from responses
  3. Rule Conditions

    • URL scope conditions
    • Tool scope conditions
    • Parameter conditions
    • Header conditions
  4. Macros

    • Record sequences of requests
    • Configure macro parameters
    • Set up custom parameter extraction
    • Configure macro playback behavior

Session handling rules automate the process of maintaining valid sessions during testing, which is crucial for applications with complex authentication mechanisms.
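Added example, not code from Burp or from this page's author: a Python model of one session handling rule wired to a login macro, so the moving parts described above (rule scope condition, cookie jar, "check session is valid" action, macro that extracts a token from a response and replays it) can be seen end to end. The target application is a constructed in-memory stand-in, the request and response dictionaries are a simplification of real HTTP, and every name, path and token format is an assumption made for the illustration. Credentials are passed in by the caller rather than embedded in the macro, in line with the advice under Security Considerations.

```python
import re
import secrets


# --- constructed stand-in for the target application (not a real server) ---
class FakeApp:
    """GET /login hands out a session cookie and a CSRF token; a correct POST /login
    authenticates that cookie; anything else bounces to /login until then."""

    def __init__(self):
        self.csrf = {}          # session id -> expected CSRF token
        self.logged_in = set()  # session ids that completed login

    def send(self, req):
        cookies = dict(p.strip().split("=", 1)
                       for p in req["headers"].get("Cookie", "").split(";") if "=" in p)
        sid = cookies.get("sess")
        if req["method"] == "GET" and req["path"] == "/login":
            sid, token = secrets.token_hex(4), secrets.token_hex(8)
            self.csrf[sid] = token
            return {"status": 200, "headers": [("Set-Cookie", f"sess={sid}; HttpOnly")],
                    "body": f'<input name="csrf" value="{token}">'}
        if req["method"] == "POST" and req["path"] == "/login":
            form = dict(p.split("=", 1) for p in req["body"].split("&") if "=" in p)
            if sid in self.csrf and form.get("csrf") == self.csrf[sid] and form.get("user") == "alice":
                self.logged_in.add(sid)
                return {"status": 302, "headers": [("Location", "/account")], "body": ""}
            return {"status": 403, "headers": [], "body": "login rejected"}
        if sid in self.logged_in:
            return {"status": 200, "headers": [], "body": f"ok {req['path']}"}
        return {"status": 302, "headers": [("Location", "/login")], "body": ""}

    def expire_sessions(self):
        self.logged_in.clear()


class SessionHandler:
    """One session handling rule: scope condition, cookie jar, validity check, login macro."""

    def __init__(self, send, credentials, scope_prefix="/"):
        self.send = send
        self.credentials = credentials   # supplied by the caller, never hard-coded in the macro
        self.scope_prefix = scope_prefix
        self.jar = {}                    # the cookie jar: cookie name -> value

    def _capture_cookies(self, resp):
        for name, value in resp["headers"]:
            if name.lower() == "set-cookie":
                cookie, val = value.split(";", 1)[0].split("=", 1)
                self.jar[cookie.strip()] = val.strip()

    def _with_cookies(self, req):
        if self.jar:
            req["headers"]["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        return req

    def login_macro(self):
        """Recorded macro: GET /login, extract the CSRF token by regex, POST it back."""
        page = self.send(self._with_cookies({"method": "GET", "path": "/login", "headers": {}, "body": ""}))
        self._capture_cookies(page)
        found = re.search(r'name="csrf" value="([0-9a-f]+)"', page["body"])
        if not found:
            raise RuntimeError("macro failed: CSRF token not found in /login response")
        body = f"user={self.credentials['user']}&csrf={found.group(1)}"
        result = self.send(self._with_cookies({"method": "POST", "path": "/login", "headers": {}, "body": body}))
        self._capture_cookies(result)
        return result["status"] == 302

    @staticmethod
    def session_invalid(resp):
        """The 'check session is valid' action: a bounce to the login page means re-authenticate."""
        return resp["status"] == 302 and ("Location", "/login") in resp["headers"]

    def request(self, req):
        if not req["path"].startswith(self.scope_prefix):   # rule scope condition
            return self.send(req)
        resp = self.send(self._with_cookies(req))
        self._capture_cookies(resp)
        if self.session_invalid(resp):
            if not self.login_macro():
                raise RuntimeError("macro could not obtain a session")
            resp = self.send(self._with_cookies(req))
            self._capture_cookies(resp)
        return resp


def demo():
    """(status of first request, status after the server expired the session, live sessions)."""
    app = FakeApp()
    handler = SessionHandler(app.send, credentials={"user": "alice"}, scope_prefix="/account")
    first = handler.request({"method": "GET", "path": "/account", "headers": {}, "body": ""})
    app.expire_sessions()
    second = handler.request({"method": "GET", "path": "/account", "headers": {}, "body": ""})
    return first["status"], second["status"], len(app.logged_in)


if __name__ == "__main__":
    print(demo())
```

The validity check is deliberately narrow (a 302 to /login); when Burp reports "Authentication Failures" in the Troubleshooting sense, the first thing to confirm is that the rule's check matches what the application actually returns for a dead session, and the second is that the macro's extraction regex still matches the token markup.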

Cookie Jar

Configure Burp's cookie management:

  1. Cookie Jar

    • View and manage stored cookies
    • Configure automatic cookie capture
    • Set up cookie jar scope
  2. Options

    • Enable/disable cookie jar
    • Configure which tools update the cookie jar
    • Set up cookie jar monitoring
  3. Manual Control

    • Add cookies manually
    • Remove specific cookies
    • Clear all cookies

The cookie jar helps maintain sessions across different Burp tools and ensures that requests include the necessary cookies for authenticated testing.

Scanner - Professional Edition

Scanner Settings

Configure Burp Scanner behavior:

  1. Active Scanning Engine

    • Configure scan speed and thoroughness
    • Set up scan optimization options
    • Control scan accuracy and detection rates
  2. Active Scanning Areas

    • Select vulnerability types to check
    • Configure specific test categories
    • Enable/disable individual scan checks
  3. Passive Scanning

    • Configure passive scanning behavior
    • Select passive detection types
    • Control passive scan reporting
  4. Static Code Analysis

    • Configure static analysis settings
    • Select languages and frameworks
    • Control analysis depth and reporting

Scanner settings allow you to customize Burp's vulnerability detection capabilities to suit your testing requirements and target applications.

Scanner Issues

Configure how Burp handles scanner findings:

  1. Issue Activity

    • Configure how issues are reported
    • Set up issue highlighting
    • Control issue tracking behavior
  2. Issue Types

    • Enable/disable specific issue types
    • Configure severity levels
    • Customize issue reporting
  3. False Positives

    • Configure false positive handling
    • Set up automatic suppression rules
    • Control reporting of potential false positives

These settings allow you to customize how Burp reports and manages vulnerability findings to focus on relevant issues and reduce noise.

API Settings

Configure Burp's extension system:

  1. API Keys

    • Manage API keys for Burp extensions
    • Configure API access control
    • Set up API usage limits
  2. REST API

    • Configure REST API settings
    • Set up authentication for API access
    • Control API endpoint behavior
  3. GraphQL API

    • Configure GraphQL API settings
    • Set up schema handling
    • Control GraphQL query processing

API settings allow you to control how Burp interacts with external services and how extensions can access Burp's functionality.

Target Scope

Configure the scope of your testing:

  1. Include in Scope

    • Define URL patterns to include
    • Configure host/path matching
    • Set up protocol restrictions
  2. Exclude from Scope

    • Define URL patterns to exclude
    • Configure exception rules
    • Set up specific exclusions
  3. Scope Control

    • Configure tool behavior for in-scope items
    • Set up out-of-scope handling
    • Control scope enforcement

Target scope settings help focus your testing on authorized targets and prevent accidental testing of out-of-scope systems.
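Added example, not code from Burp or from this page's author: a Python model of advanced-mode scope rules (protocol, host regex, port, path regex) with exclude rules taking precedence over include rules, plus a small validation helper for the "test with specific examples" advice in the Troubleshooting section. Whether Burp applies its host regex with search or full-match semantics is an assumption of this model (search is used here); the rule values, host names and expected results are constructed. It also shows why an unanchored host pattern is a scope bug rather than a convenience.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    """One advanced-mode scope rule: every field that is set must match."""
    protocol: str = "any"   # "any", "http" or "https"
    host: str = ".*"        # regex applied to the host name
    port: str = ""          # regex applied to the port; blank = any port
    path: str = ".*"        # regex applied to the path (Burp's "file" field)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.protocol != "any" and parts.scheme != self.protocol:
            return False
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if self.port and not re.fullmatch(self.port, str(port)):
            return False
        host = parts.hostname or ""
        return bool(re.search(self.host, host) and re.search(self.path, parts.path or "/"))


def in_scope(url: str, includes, excludes) -> bool:
    """An exclude rule that matches wins over any include rule."""
    if any(rule.matches(url) for rule in excludes):
        return False
    return any(rule.matches(url) for rule in includes)


def check_scope(includes, excludes, expectations):
    """Scope validation: return every (url, expected) pair the configuration gets wrong."""
    return [(url, want) for url, want in expectations if in_scope(url, includes, excludes) != want]


# Constructed configuration: two authorised hosts, with logout and any admin host excluded
INCLUDES = [
    ScopeRule(protocol="https", host=r"^app\.example$"),
    ScopeRule(host=r"^api\.example$", port="8443", path=r"^/v1/"),
]
EXCLUDES = [
    ScopeRule(host=r"^app\.example$", path=r"^/logout"),   # keep tools from killing the session
    ScopeRule(host=r"^admin\."),                            # belt-and-braces: never touch admin hosts
]

# Constructed expectations a tester would write down before starting
EXPECTATIONS = [
    ("https://app.example/account", True),
    ("https://app.example/logout", False),          # exclude wins over include
    ("http://app.example/account", False),          # protocol restricted to https
    ("https://app.example.other.test/", False),     # anchored host regex rejects the look-alike
    ("https://api.example:8443/v1/users", True),
    ("https://api.example/v1/users", False),        # port rule: 443 is not 8443
    ("https://api.example:8443/v2/users", False),   # path rule: only /v1/
    ("https://admin.example/", False),
]


def demo():
    """Empty list means every expectation holds for the configured rules."""
    return check_scope(INCLUDES, EXCLUDES, EXPECTATIONS)


def unanchored_pitfall() -> bool:
    """An unanchored host pattern also matches hosts that merely contain the name."""
    return ScopeRule(host=r"app\.example").matches("https://app.example.other.test/")


if __name__ == "__main__":
    print("mismatches:", demo())
    print("unanchored host rule matches look-alike host:", unanchored_pitfall())
```

Running the expectation table after every scope change is cheap, and it catches the two mistakes this section warns about: an include that is broader than the authorisation (the unanchored case) and an exclude that silently blocks an in-scope path.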

Misc Project Options

Configure various project-specific settings:

  1. Logging

    • Configure request/response logging
    • Set up log file location and format
    • Control what information is logged
  2. Proxy History

    • Configure history recording options
    • Set up history filters
    • Control history display and storage
  3. SSL Pass Through

    • Configure SSL bypass for specific hosts
    • Set up exclusion rules
    • Control SSL interception behavior
  4. Scheduled Tasks

    • Configure automated tasks
    • Set up task scheduling
    • Control task execution parameters

These miscellaneous settings provide additional control over various aspects of Burp's behavior for the current project.

User Options

Connections

Connection Settings

Configure global connection behavior:

  1. Upstream Proxy

    • Configure default upstream proxy
    • Set up global proxy settings
    • Define system-wide proxy rules
  2. Timeouts

    • Configure default connection timeouts
    • Set up global timeout behavior
    • Control connection retry settings
  3. Hostname Resolution

    • Configure global DNS settings
    • Set up default resolution behavior
    • Control DNS caching

These settings control how Burp connects to targets across all projects.

Intruder Settings

Configure Burp Intruder behavior:

  1. Request Engine

    • Configure request throttling
    • Set up concurrent request limits
    • Control request timing and delays
  2. Payload Processing

    • Configure payload handling rules
    • Set up encoding and processing options
    • Control payload transformation
  3. Grep Match

    • Configure response matching rules
    • Set up extraction patterns
    • Control match highlighting
  4. Grep Extract

    • Configure data extraction from responses
    • Set up extraction patterns
    • Control extracted data presentation

Intruder settings allow you to customize how Burp performs automated attacks and processes the results for effective testing.

Misc User Options

Configure various user-specific settings:

  1. Hotkeys

    • Configure keyboard shortcuts
    • Customize key bindings for common actions
    • Set up custom hotkey combinations
  2. Proxy Interception

    • Configure default interception behavior
    • Set up interception rules
    • Control interception UI behavior
  3. Automatic Backup

    • Configure project backup settings
    • Set up backup location and frequency
    • Control backup retention policy
  4. Performance

    • Configure memory usage
    • Set up thread allocation
    • Control resource utilization
  5. Burp Collaborator Server

    • Configure Collaborator settings
    • Set up custom Collaborator server
    • Control Collaborator polling behavior

These miscellaneous settings provide additional control over various aspects of Burp's behavior across all projects.

Practical Applications

Optimizing for Different Testing Scenarios

Recommended configurations for different testing types:

  1. Web Application Assessments

    • Configure broad scope for target domain
    • Enable passive scanning
    • Set up session handling for authentication
    • Configure appropriate scan checks
  2. API Testing

    • Configure content type handling for JSON/XML
    • Set up appropriate header management
    • Configure authentication for API endpoints
    • Disable browser rendering
  3. Mobile App Backend Testing

    • Configure upstream proxy for device traffic
    • Set up certificate for mobile device
    • Configure non-standard ports if needed
    • Enable appropriate interception filters
  4. Single-Page Applications

    • Configure WebSocket interception
    • Enable JavaScript analysis
    • Set up appropriate scope for API endpoints
    • Configure session handling for token-based auth
  5. Thick Client Applications

    • Configure non-standard ports
    • Set up hostname resolution if needed
    • Configure TLS options for non-browser clients
    • Enable binary content handling

Tailoring Burp's configuration to specific testing scenarios improves efficiency and effectiveness.

Performance Optimization

Settings to improve Burp's performance:

  1. Memory Management

    • Increase Java heap size
    • Configure response size limits
    • Enable streaming for large responses
    • Limit history size
  2. Scan Optimization

    • Configure concurrent request limits
    • Adjust scan speed settings
    • Select only relevant scan checks
    • Use targeted scanning instead of full crawls
  3. Proxy Performance

    • Configure selective interception
    • Limit response size for interception
    • Use appropriate content type filters
    • Disable unnecessary features
  4. UI Responsiveness

    • Limit displayed history items
    • Use appropriate rendering options
    • Disable real-time scanning if not needed
    • Close unused tool tabs
  5. Resource Allocation - Professional Edition

    • Configure resource pools
    • Prioritize important tasks
    • Schedule resource-intensive tasks appropriately
    • Use task throttling for long-running operations

Proper performance optimization ensures that Burp remains responsive and efficient during complex testing activities.

Best Practices

Configuration Management

Best practices for managing Burp configurations:

  1. Configuration Profiles

    • Create and save configuration profiles for different testing scenarios
    • Document configuration choices and rationale
    • Share configurations with team members
    • Maintain version control for configurations
  2. Project Organization - Professional Edition

    • Use meaningful project names
    • Save projects in organized directory structure
    • Document project-specific configurations
    • Use consistent naming conventions
  3. Configuration Validation

    • Test configurations before full deployment
    • Verify that settings work as expected
    • Check for unintended consequences
    • Validate performance impact
  4. Documentation

    • Document non-standard configurations
    • Record configuration decisions
    • Maintain notes on configuration issues
    • Share lessons learned
  5. Regular Review

    • Periodically review configurations
    • Update settings based on new features
    • Remove obsolete configurations
    • Optimize based on experience

Proper configuration management ensures consistent, efficient, and effective testing across projects and team members.

Security Considerations

Security best practices for Burp configuration:

  1. Scope Control

    • Define precise scope to prevent accidental testing
    • Use specific include/exclude rules
    • Regularly verify scope settings
    • Implement additional safeguards for sensitive targets
  2. Credential Management

    • Secure storage of testing credentials
    • Avoid hardcoding credentials in macros
    • Clear sensitive data when not needed
    • Use project-specific credentials
  3. Data Protection

    • Configure appropriate logging levels
    • Secure storage of project files
    • Encrypt sensitive project data
    • Implement data retention policies
  4. Access Control

    • Secure Burp installation
    • Control access to project files
    • Implement appropriate user permissions
    • Secure collaborative testing environments
  5. Testing Impact

    • Configure appropriate scan throttling
    • Limit potentially disruptive tests
    • Implement safeguards for sensitive functions
    • Monitor testing impact on target systems

Security considerations in Burp configuration help protect both the tester and the target systems.

Troubleshooting

Common Configuration Issues

Solutions to frequently encountered configuration problems:

  1. Connection Problems

    • Check proxy settings
    • Verify TLS configuration
    • Test hostname resolution
    • Check for network restrictions
  2. Performance Issues

    • Review memory allocation
    • Check concurrent request settings
    • Verify response size handling
    • Optimize scan configurations
  3. Authentication Failures

    • Check session handling rules
    • Verify macro functionality
    • Test cookie jar configuration
    • Check for CSRF token handling
  4. Scope Problems

    • Review scope rule order
    • Check for conflicting rules
    • Verify hostname matching
    • Test with specific examples
  5. Tool-Specific Issues

    • Scanner: Check scan configurations
    • Intruder: Verify payload processing
    • Repeater: Check request engine settings
    • Proxy: Verify interception rules

Understanding common configuration issues helps quickly resolve problems and maintain efficient testing workflows.

While many basic options are available in both Community and Professional editions, advanced features like session handling rules, resource pools, and project saving are exclusive to the Professional edition.
