Burp Suite, the leading toolkit for web application security testing

Options: Connections

The Connections options control how Burp handles platform authentication, upstream proxy servers, SOCKS proxy, timeouts, hostname resolution, and out-of-scope requests.

Note: Some of these options can be defined at both the user and project level. For these options, you can configure your normal options at the user level, and then override these if required on a per-project basis.

Platform Authentication

These settings let you configure Burp to automatically carry out platform authentication to destination web servers. Different authentication types and credentials can be configured for individual hosts.

Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.

The "Prompt for credentials on platform authentication failure" option causes Burp to display an interactive popup whenever an authentication failure is encountered.

Upstream Proxy Servers

These settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server.

You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Rules are applied in sequence, and the first rule that matches the destination web server will be used. If no rule is matched, Burp defaults to direct, non-proxied connections.

You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To send all traffic to a single proxy server, create a rule with * as the destination host. Leave the proxy host blank to connect directly to the specified host.
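The rule evaluation described above, modelled as an added example (this is not Burp's own code): first matching rule wins, `*` matches zero or more characters, `?` matches one character other than a dot, a blank proxy host means a direct connection, and no match falls back to direct. The names `UpstreamRule` and `resolve`, the hostnames, and case-insensitive matching are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UpstreamRule:
    destination: str      # host pattern; may contain * and ?
    proxy_host: str = ""  # blank means "connect directly"
    proxy_port: int = 0


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the wildcard syntax described on the page into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more characters, dots included
        elif ch == "?":
            parts.append(r"[^.]")   # exactly one character, never a dot
        else:
            parts.append(re.escape(ch))
    # Assumption: hostnames are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


def resolve(rules: List[UpstreamRule], host: str) -> Optional[Tuple[str, int]]:
    """Return (proxy_host, proxy_port), or None for a direct connection."""
    for rule in rules:  # rules are applied in sequence
        if pattern_to_regex(rule.destination).fullmatch(host):
            if not rule.proxy_host:
                return None  # matched a rule with a blank proxy host
            return (rule.proxy_host, rule.proxy_port)
    return None  # no rule matched: direct, non-proxied connection


# Constructed rule table: specific rules first, broader patterns last.
RULES = [
    UpstreamRule("intranet.example.test"),
    UpstreamRule("app?.example.test", "proxy-a.example.test", 8080),
    UpstreamRule("*.example.test", "proxy-b.example.test", 3128),
]

# A catch-all placed first shadows every rule after it.
SHADOWED = [UpstreamRule("*", "proxy-c.example.test", 8888)] + RULES
```

Because evaluation stops at the first match, a `*` rule anywhere but the end of the list silently overrides the more specific rules below it, including any "direct" exceptions.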

For each upstream proxy you configure, you can specify an authentication type and credentials if required. Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.


SOCKS Proxy

These settings let you configure Burp to use a SOCKS proxy for all outgoing communications. This setting is applied at the TCP level, and all outbound requests will be sent via this proxy.

If you have configured rules for upstream HTTP proxy servers, then requests to upstream proxies will be sent via the SOCKS proxy configured here.

If the option "Do DNS lookups over SOCKS proxy" is enabled, then all domain names will be resolved by the proxy. No local lookups will be performed.


Timeouts

These settings specify the timeouts to be used for various network tasks. You can specify the following timeouts:

Values are in seconds. If an option is left blank, then Burp will never time out that function.

Hostname Resolution

These settings enable you to specify mappings of hostnames to IP addresses, to override the DNS resolution provided by your computer.

Each hostname resolution rule specifies a hostname, and the IP address that should be associated with that hostname. Rules can be individually enabled or disabled.

This feature can be useful to ensure correct onward forwarding of requests when the hosts file has been modified to perform invisible proxying of traffic from non-proxy-aware thick client components.

Out-of-Scope Requests

This feature can be used to prevent Burp from issuing any out-of-scope requests. It can be useful when you need to guarantee that no requests are made to targets that are not in-scope for your current work. Even if your browser makes requests for out-of-scope items, the outgoing requests will be dropped by Burp.

You can enable this feature for the current Target scope. Alternatively, you can define a custom scope using URL-matching rules.


Copyright © 2016 PortSwigger Ltd. All rights reserved.