These settings control the types of redirections that Burp will understand in situations where it is configured to follow redirections.
The following types of redirection can be selected:
- 3xx status code with Location header
- Refresh header
- Meta refresh tag
- Any status code with Location header
Note that Burp's behavior in following redirections to particular targets is determined by settings within each individual Burp tool (for instance, based on Target scope).
These settings let you inform Burp which URLs return "streaming" responses, which do not terminate. Burp will then handle these responses differently than normal responses.
Streaming responses are often used for functions like continuously updating price data in trading applications. Typically, some client-side script code makes a request, and the server keeps the response stream open, pushing further data in real time as it becomes available. Because intercepting proxies use a store-and-forward model, they can break these applications: the Proxy waits indefinitely for the streaming response to finish, and none of it is ever forwarded to the client.
Streaming responses are handled in the following way by individual Burp tools:
- The Proxy will pass these responses straight through to the client as data is received.
- Repeater will update the response panel in real time as data is received.
- Other tools will ignore streaming responses and will close the connection.
For help configuring the list of streaming URLs, refer to the help on URL matching rules.
Two further options are available relating to streaming responses:
- Store streaming responses - This causes Burp to store streaming responses in full. Using this option is necessary if you wish to view the contents of streaming responses within the Proxy history and Repeater response panel. Note that using this option may result in large temporary files.
- Strip chunked encoding metadata in streaming responses - Streaming responses are generally chunked-encoded over HTTP. If this option is selected, Burp will remove the chunked encoding metadata, making the responses more easily readable within Burp. Note that removing this metadata may break the client-side application, depending on how it is implemented.
Note that you can also use the streaming responses support for handling very large responses that are not strictly streaming (such as binary file downloads), in order to bypass the store-and-forward proxy model and improve Burp's performance.
Status 100 responses
These settings control the way Burp handles HTTP responses with status 100. These responses often occur when a POST request is sent to the server, and the server sends an interim response before the request body has been transmitted.
The following settings are available:
- Understand 100 Continue responses - If this option is checked, Burp will skip the interim response and parse the real response headers for information such as the status code and content type.
- Remove 100 Continue headers - If this option is checked, Burp will remove any interim headers from the server's response before this is passed to individual tools.
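To make concrete what "Strip chunked encoding metadata" and "Understand 100 Continue responses" do to a raw response, the following added example (not Burp's own code) parses a constructed HTTP/1.1 response: it skips any leading 1xx interim responses, then removes chunk-size lines, chunk extensions and the terminating zero-length chunk so only the payload remains.

```python
# Added example, not part of Burp Suite: applies the two settings described above
# (skip interim 1xx responses, strip chunked metadata) to a raw HTTP/1.1 response.
import re

def skip_interim(raw: bytes) -> tuple[int, bytes]:
    """Drop leading 1xx interim responses ('Understand 100 Continue responses')."""
    skipped = 0
    while True:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        m = re.match(rb"HTTP/\d(?:\.\d)? (\d{3})", head)
        if not sep or not m or m.group(1)[:1] != b"1":
            return skipped, raw
        skipped += 1
        raw = rest

def dechunk(body: bytes) -> bytes:
    """Remove chunk-size lines, chunk extensions and the zero-length terminator."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # hex size; drop ';ext=...'
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; any trailer headers follow
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def parse_response(raw: bytes) -> dict:
    """Return status, headers and de-chunked body of the real (non-interim) response."""
    skipped, final = skip_interim(raw)
    head, _, body = final.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    return {"interim_skipped": skipped, "status": int(status_line.split()[1]),
            "headers": headers, "body": body}

# Constructed sample: a 100 Continue followed by a chunked 200 with a chunk extension.
SAMPLE = (b"HTTP/1.1 100 Continue\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"5;ext=1\r\nprice\r\n6\r\n=42.10\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(parse_response(SAMPLE))
```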
This setting controls whether Burp attempts to use HTTP/2 for inbound and outbound communication over TLS. It is enabled by default.
As long as this control is enabled, you continue to work with HTTP/1 messages within Burp's tools. However, Burp will convert all outgoing messages from this text-based format to their binary HTTP/2 equivalents, and reverse this process for incoming messages. This allows you to read and edit HTTP/2 messages within Burp in exactly the same way as HTTP/1 messages.
The first request you send will always indicate HTTP/1 in the request line. If Burp successfully establishes HTTP/2 communication with the server, all subsequent messages will indicate this in the request line and status line respectively. For example:
GET / HTTP/1.1
HTTP/2 200 OK
GET /example HTTP/2
HTTP/2 200 OK
Note: We have only implemented the core features of HTTP/2 that are relevant for use with Burp Suite. Additional features, such as server push, are not supported.