Burp Suite, the leading toolkit for web application security testing

Suite Options: Connections

This tab contains settings to control how Burp handles platform authentication, upstream proxy servers, SOCKS proxy, timeouts, hostname resolution, and out-of-scope requests.

Platform Authentication

These settings let you configure Burp to automatically carry out platform authentication to destination web servers. Different authentication types and credentials can be configured for individual hosts.

Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.

The "Prompt for credentials on platform authentication failure" option causes Burp to display an interactive popup whenever an authentication failure is encountered.

Upstream Proxy Servers

These settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server.

You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Rules are applied in sequence, and the first rule that matches the destination web server will be used. If no rule is matched, Burp defaults to direct, non-proxied connections.

You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To send all traffic to a single proxy server, create a rule with * as the destination host. Leave the proxy host blank to connect directly to the specified host.
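The rule semantics described above (ordered rules, first match wins, * and ? wildcards, blank proxy host meaning a direct connection), sketched in Python as an added example. This is not Burp's own code: the function names, the case-insensitive comparison and the sample hosts are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class ProxyRule(NamedTuple):
    destination: str     # destination host pattern; may contain * and ?
    proxy_host: str      # blank means connect directly
    proxy_port: int = 0

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a destination pattern: * = zero or more chars, ? = one non-dot char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    # Assumption: hostnames are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)

def select_route(host: str, rules: List[ProxyRule]) -> Tuple[Optional[int], str]:
    """Return (index of the matching rule, route); rules are tried in order."""
    for index, rule in enumerate(rules):
        if pattern_to_regex(rule.destination).fullmatch(host):
            if not rule.proxy_host:
                return index, "direct"
            return index, f"{rule.proxy_host}:{rule.proxy_port}"
    return None, "direct"   # no rule matched: direct, non-proxied connection

def unreachable_rules(rules: List[ProxyRule]) -> List[int]:
    """Indices of rules listed after a bare * rule, which can never be selected."""
    for index, rule in enumerate(rules):
        if rule.destination == "*":
            return list(range(index + 1, len(rules)))
    return []

# Constructed sample rules (hosts and addresses are placeholders).
SAMPLE_RULES = [
    ProxyRule("*.corp.example", ""),
    ProxyRule("app?.test.example", "10.0.0.8", 3128),
    ProxyRule("*", "proxy.example", 8080),
]

if __name__ == "__main__":
    for host in ("intranet.corp.example", "app1.test.example", "app12.test.example"):
        print(host, "->", select_route(host, SAMPLE_RULES))
```

Because the first matching rule wins, a catch-all * rule belongs last; placed first, it shadows every rule after it, which unreachable_rules reports.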

For each upstream proxy you configure, you can specify an authentication type and credentials if required. Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.


SOCKS Proxy

These settings let you configure Burp to use a SOCKS proxy for all outgoing communications. This setting is applied at the TCP level, and all outbound requests will be sent via this proxy.

If you have configured rules for upstream HTTP proxy servers, then requests to upstream proxies will be sent via the SOCKS proxy configured here.

If the option "Do DNS lookups over SOCKS proxy" is enabled, then all domain names will be resolved by the proxy. No local lookups will be performed.


Timeouts

These settings specify the timeouts to be used for various network tasks. You can specify the following timeouts:

Values are in seconds. If an option is left blank, then Burp will never time out that function.

Hostname Resolution

These settings enable you to specify mappings of hostnames to IP addresses, to override the DNS resolution provided by your computer.

Each hostname resolution rule specifies a hostname, and the IP address that should be associated with that hostname. Rules can be individually enabled or disabled.

This feature can be useful to ensure correct onward forwarding of requests when the hosts file has been modified to perform invisible proxying of traffic from non-proxy-aware thick client components.

Out-of-Scope Requests

This feature can be used to prevent Burp from issuing any out-of-scope requests. It can be useful when you need to guarantee that no requests are made to targets that are not in-scope for your current work. Even if your browser makes requests for out-of-scope items, the outgoing requests will be dropped by Burp.

You can enable this feature for the current Target scope. Alternatively, you can define a custom scope using URL-matching rules.


Copyright © 2014 PortSwigger Ltd. All rights reserved.