Misc user options
Hotkeys
These settings let you configure hotkeys for common actions. Numerous types of actions can be assigned a hotkey, in the following categories:
- Actions specific to an individual HTTP request or response, such as "Send to Repeater".
- Global actions, such as "Switch to Proxy".
- In-editor actions, such as "Cut" and "Undo".
A number of hotkeys are configured by default. Many more actions can be assigned a hotkey, if you use them frequently.
All hotkeys must use the Control key (or the Command key on OSX), and may also use Shift and other available modifiers. Note that on some Windows installations the Ctrl+Alt combination is treated by Windows as equivalent to AltGr, and so may result in typed characters appearing when pressed in text fields.
Automatic project backup
Automatic project backup saves a copy of the Burp project file periodically in the background. The following options are available:
- Whether to perform automatic backup, and how frequently.
- Whether to include in-scope items only.
- Whether to show a progress dialog during backups.
- Whether to delete the backup file on clean shutdown of Burp.
REST API options
The REST API can be used by other tools to integrate with Burp Suite.
Note: The REST API exposes sensitive functionality and data. You should not enable the REST API service on untrusted network interfaces, and you should use separate API keys for each client that you grant access to.
The following options are available:
- The URL on which the service runs. You can select the port number and interface to bind to. You should not bind to non-loopback interfaces when connected to untrusted networks.
- Whether the service is currently running.
- Whether to allow access without an API key. This option is not recommended. It means that anyone with network access to the service endpoint is able to trigger actions within Burp and access its data. This includes CSRF requests from untrusted websites that you browse on the same machine as Burp, so API keys should always be used even when the service is listening only on the loopback interface.
- The API keys for use by clients. You can create separate API keys for different purposes, and selectively enable or disable them. API keys are secrets and should be handled carefully. Note that you can only retrieve the value of an API key at the time that it is created.
Once the service is configured, you can browse the API documentation and interact with the API at [Service URL]/[API key].
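A configuration check that applies the REST API guidance above, as an added example (not part of Burp or its documentation). The input format, function names and finding labels are assumptions made for illustration, and the sample values are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback(host):
    """True only when the bind host is provably a loopback address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not assumed to be loopback


def audit_rest_api(service_url, allow_keyless, keys):
    """Return findings for one REST API configuration.

    service_url   -- URL the service listens on
    allow_keyless -- True if access without an API key is allowed
    keys          -- list of {"name", "enabled", "clients"} dicts
                     (hypothetical inventory of who holds each key)
    """
    findings = []
    host = urlsplit(service_url).hostname or ""
    if not is_loopback(host):
        findings.append("non-loopback-bind")
    # Flagged even on loopback: a website browsed on the same machine
    # can send CSRF requests to a keyless endpoint.
    if allow_keyless:
        findings.append("keyless-access")
    # Each client should have its own key; disabled keys are ignored.
    for key in keys:
        if key["enabled"] and len(key["clients"]) > 1:
            findings.append("shared-key:" + key["name"])
    return findings


if __name__ == "__main__":
    # Constructed sample configurations.
    ci_key = {"name": "ci", "enabled": True, "clients": ["build-server", "laptop"]}
    print(audit_rest_api("http://127.0.0.1:1337", True, []))
    print(audit_rest_api("http://0.0.0.0:1337", False, [ci_key]))
```
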
Proxy interception
This option lets you configure whether Proxy interception should be enabled when Burp is started up. You can choose to always enable interception, always disable interception, or to restore the setting from when Burp was last closed.
Proxy history logging
This option controls whether adding items to Target scope will automatically set the Proxy option to stop sending out-of-scope items to the history or live tasks. Setting Burp to do this is useful to avoid accumulating project data for out-of-scope items.
Temporary files location
These settings let you configure where Burp stores its temporary files.
By default, Burp creates a directory within the temporary file location provided by the platform. You can modify this behavior to use a custom directory - for example, one on a different volume, or one that is not world-readable.
On Mac OS X, you may find that the default temporary file location is sometimes cleared following system hibernation, causing Burp to lose its temporary files. You can resolve this problem by configuring a custom location for Burp to store its temporary files.
Changes to this setting take effect the next time Burp starts up.
Performance feedback
You can help improve Burp by submitting anonymous feedback about Burp's performance.
Feedback only contains technical information about Burp's internal functioning, and does not identify you in any way. If you do report a bug, you can help us diagnose any problems that your instance of Burp has encountered by including your debug ID.
Logging exceptions to a local directory
In some cases, it may not be possible for us to receive data about your performance issues even if you do enable anonymous feedback. For example, if you have a strict security policy, it might block data from being sent to our support team. In this case, we might ask you to temporarily activate the "Log exceptions to a local directory" option and attempt to replicate the issue.
While this option is active, exceptions are logged to a local file in the specified directory. Therefore, if you can replicate the issue, you can manually send a copy of your local log file to our support team to help them identify the problem. The file name is a combination of the current date and your debug ID, which identifies the session in which the exception was raised. Each instance of Burp generates its own log.
The log entries only contain the time of the exception, a brief description, and a stack trace. The stack trace is fully obfuscated, so no personal data can be read from the file.
Note: If you change the directory where the log should be saved, make sure that the user who is replicating the issue has write access for the specified directory. Otherwise, the file will not be generated.
Updates
By default, Burp will automatically download any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. You can also click "More information" to see a summary of the most important changes and access the full release notes.
If you close the notification or select "Not now" from the "More information" dialog, the update will be installed the next time you manually restart Burp.
If you prefer, you can disable auto-updates by deselecting the "Enable auto-updates" checkbox. In this case, you will be informed when an update is available but can choose not to download or install it. Please be aware that, unlike other user options, this setting is applied only to the current installation of Burp. If you use multiple installations, you need to change this setting for each of them.
Note: The auto-update feature is not available if you launch Burp from a JAR file.