Last updated: October 14, 2021
Some of these options can be defined at both the user and project level. For these options, you can configure your normal options at the user level, and then override these if required on a per-project basis.
These settings let you configure Burp to automatically carry out platform authentication to destination web servers. Different authentication types and credentials can be configured for individual hosts. Platform authentication can also be disabled on a per-host basis.
Supported authentication types are: basic, NTLMv1, and NTLMv2. The domain and hostname fields are only used for NTLM authentication.
The "Prompt for credentials on platform authentication failure" option causes Burp to display an interactive popup whenever an authentication failure is encountered.
Upstream proxy servers
These settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server.
You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Rules are applied in sequence, and the first rule that matches the destination web server will be used. If no rule is matched, Burp defaults to direct, non-proxied connections.
You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To send all traffic to a single proxy server, create a rule with * as the destination host. Leave the proxy host blank to connect directly to the specified host.
For each upstream proxy you configure, you can specify an authentication type and credentials if required. Supported authentication types are: basic, NTLMv1, and NTLMv2. The domain and hostname fields are only used for NTLM authentication.
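The rule-matching behaviour described above can be modelled to check a rule list before relying on it. The following is an added example, not Burp's own code. The `Rule` type, the function names and the sample hosts and proxies are constructed for illustration, and case-insensitive matching and `?` matching exactly one character are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    destination: str     # wildcard pattern for the destination host
    proxy_host: str      # blank means "connect directly to the host"
    proxy_port: int = 0


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the wildcard syntax described above into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # zero or more characters, dots included
        elif ch == "?":
            parts.append("[^.]")     # one character, but never a dot (assumed: exactly one)
        else:
            parts.append(re.escape(ch))
    # Assumption: host matching is case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE)


def resolve(host: str, rules: List[Rule]) -> Optional[Tuple[str, int]]:
    """Return (proxy_host, proxy_port) for the first matching rule.

    None means a direct connection: either no rule matched, or the
    first matching rule has a blank proxy host.
    """
    for rule in rules:
        if pattern_to_regex(rule.destination).fullmatch(host):
            return (rule.proxy_host, rule.proxy_port) if rule.proxy_host else None
    return None


def route_table(hosts: List[str], rules: List[Rule]) -> Dict[str, Optional[Tuple[str, int]]]:
    """Map each host to the route it would take, for reviewing rule order."""
    return {h: resolve(h, rules) for h in hosts}


# Constructed sample rules: order matters, the catch-all goes last.
RULES = [
    Rule("*.internal.example", ""),                   # direct, no proxy
    Rule("app?.example.com", "proxy-a.example", 8080),
    Rule("*", "proxy-b.example", 3128),               # everything else
]
```

Moving the `*` rule to the top of the list would send every host, including the ones meant to go direct, through that proxy, because the first matching rule wins.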
These settings let you configure Burp to use a SOCKS proxy for all outgoing communications. This setting is applied at the TCP level, and all outbound requests will be sent via this proxy.
If you have configured rules for upstream HTTP proxy servers, then requests to upstream proxies will be sent via the SOCKS proxy configured here.
If the option "Do DNS lookups over SOCKS proxy" is enabled, then all domain names will be resolved by the proxy. No local lookups will be performed.
These settings specify the timeouts to be used for various network tasks. You can specify the following timeouts:
- Normal - This setting is used for most network communications, and determines how long Burp will wait before abandoning a request and recording that a timeout has occurred.
- Open-ended responses - This setting is only used where a response is being processed which does not contain a Content-Length or Transfer-Encoding HTTP header. In this situation, Burp waits for the specified interval before determining that the transmission has been completed.
- Domain name resolution - This setting determines how often Burp will re-perform successful domain name look-ups. This should be set to a suitably low value if target host addresses are frequently changing.
- Failed domain name resolution - This setting determines how often Burp will reattempt unsuccessful domain name look-ups.
Values are in seconds. If an option is left blank, then Burp will never time out that function.
These settings enable you to specify mappings of hostnames to IP addresses, to override the DNS resolution provided by your computer.
Each hostname resolution rule specifies a hostname, and the IP address that should be associated with that hostname. Rules can be individually enabled or disabled.
This feature can be useful to ensure correct onward forwarding of requests when the hosts file has been modified to perform invisible proxying of traffic from non-proxy-aware thick client components.
This feature can be used to prevent Burp from issuing any out-of-scope requests. It can be useful when you need to guarantee that no requests are made to targets that are not in-scope for your current work. Even if your browser makes requests for out-of-scope items, the outgoing requests will be dropped by Burp.