Saturday, November 21, 2009

[V13P] Upstream proxy rules

If I had a beer for every time someone has requested this feature, I'd have been way too wasted to implement it.

Burp already supports upstream web proxies, but only as a global configuration which affects all outgoing traffic. In the new release, Burp allows you to configure rules specifying different proxy settings for different (ranges of) destination hosts.

The following configuration will make Burp talk directly to staging.intranet.corp.com, use an internal proxy server without authentication for everything else on *.intranet.corp.com, and use an authenticated gateway web proxy for everything else, including the public internet:

You can use standard wildcards in the destination host specification. Rules are applied in sequence, and the first rule which matches the web server you are communicating with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections.
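The first-match behaviour described above, sketched as an added example (this is not Burp's code or part of the original post). It assumes "standard wildcards" means `*` and `?` matched case-insensitively; the proxy addresses are placeholders. It also flags rules that can never fire because an earlier, broader rule always wins, which is the ordering mistake that silently sends traffic through the wrong proxy.

```python
import re

DIRECT = None  # no upstream proxy: connect straight to the destination

# Constructed rule list mirroring the three-rule setup described above.
# The proxy host names and ports are placeholders, not values from the post.
RULES = [
    ("staging.intranet.corp.com", DIRECT),
    ("*.intranet.corp.com", "internal-proxy.example:8080"),
    ("*", "gateway-proxy.example:3128"),
]

def _to_regex(pattern, for_shadow_check=False):
    # Assumption: "standard wildcards" means * (any run of characters)
    # and ? (exactly one character), matched case-insensitively.
    one = "[^*]" if for_shadow_check else "."
    parts = [".*" if c == "*" else one if c == "?" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def select_proxy(host, rules):
    """Return the proxy of the first matching rule, or DIRECT if none match."""
    for pattern, proxy in rules:
        if _to_regex(pattern).fullmatch(host):
            return proxy
    return DIRECT

def shadowed_rules(rules):
    """List (earlier, later) pattern pairs where the later rule can never fire.

    Sound but not exhaustive: an earlier pattern that matches the later
    pattern's own text (with ? barred from consuming a *) covers every
    host the later pattern could match.
    """
    found = []
    for i, (later, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if _to_regex(earlier, True).fullmatch(later):
                found.append((earlier, later))
                break
    return found

if __name__ == "__main__":
    for h in ("staging.intranet.corp.com", "wiki.intranet.corp.com", "example.org"):
        print(h, "->", select_proxy(h, RULES) or "direct")
    print("shadowed:", shadowed_rules(list(reversed(RULES))))
```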