Note: Some of these options can be defined at both the user and project level. For these options, you can configure your normal options at the user level, and then override these if required on a per-project basis.
These settings let you configure Burp to automatically carry out platform authentication to destination web servers. Different authentication types and credentials can be configured for individual hosts.
Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.
The "Prompt for credentials on platform authentication failure" option causes Burp to display an interactive popup whenever an authentication failure is encountered.
These settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server.
You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Rules are applied in sequence, and the first rule that matches the destination web server will be used. If no rule is matched, Burp defaults to direct, non-proxied connections.
You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To send all traffic to a single proxy server, create a rule with * as the destination host. Leave the proxy host blank to connect directly to the specified host.
For each upstream proxy you configure, you can specify an authentication type and credentials if required. Supported authentication types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.
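The rule evaluation described above (first matching rule wins, a blank proxy host means a direct connection, no match means direct), modeled as an added example that is not Burp's own code. The rule tuples and host names are constructed, and treating * as also matching dots and matching case-insensitively are assumptions.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a destination-host pattern using the wildcard rules stated above."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more characters (assumed to include dots)
        elif ch == "?":
            parts.append("[^.]")    # exactly one character, never a dot
        else:
            parts.append(re.escape(ch))
    # Case-insensitive matching is an assumption of this model.
    return re.compile("".join(parts), re.IGNORECASE)

def resolve_upstream(rules, host):
    """Return (proxy_host, proxy_port) for host, or None for a direct connection."""
    for pattern, proxy_host, proxy_port in rules:
        if wildcard_to_regex(pattern).fullmatch(host):
            # First match wins; a blank proxy host means "connect directly".
            return (proxy_host, proxy_port) if proxy_host else None
    return None  # no rule matched: direct, non-proxied connection

# Constructed sample rules: (destination host pattern, proxy host, proxy port).
RULES = [
    ("intranet.example.test", "", 0),                     # direct exception
    ("*.example.test", "proxy-a.example.test", 8080),
    ("app?.partner.test", "proxy-b.example.test", 3128),
    ("*", "proxy-default.example.test", 8080),            # catch-all goes last
]

# Same rules with the catch-all moved first: it shadows every later rule,
# so the direct exception for the intranet host never applies.
MISORDERED = [RULES[3]] + RULES[:3]

if __name__ == "__main__":
    for h in ("intranet.example.test", "api.example.test",
              "app1.partner.test", "app12.partner.test"):
        print(h, "->", resolve_upstream(RULES, h))
    print("misordered:", resolve_upstream(MISORDERED, "intranet.example.test"))
```

Running the same hosts through a reordered rule list before changing the real configuration shows whether an exception rule is being shadowed by a broader one above it.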
These settings let you configure Burp to use a SOCKS proxy for all outgoing communications. This setting is applied at the TCP level, and all outbound requests will be sent via this proxy.
If you have configured rules for upstream HTTP proxy servers, then requests to upstream proxies will be sent via the SOCKS proxy configured here.
If the option "Do DNS lookups over SOCKS proxy" is enabled, then all domain names will be resolved by the proxy. No local lookups will be performed.
These settings specify the timeouts to be used for various network tasks. You can specify the following timeouts:
Values are in seconds. If an option is left blank, then Burp will never time out that function.
These settings enable you to specify mappings of hostnames to IP addresses, to override the DNS resolution provided by your computer.
Each hostname resolution rule specifies a hostname, and the IP address that should be associated with that hostname. Rules can be individually enabled or disabled.
This feature can be useful to ensure correct onward forwarding of requests when the hosts file has been modified to perform invisible proxying of traffic from non-proxy-aware thick client components.
This feature can be used to prevent Burp from issuing any out-of-scope requests. It can be useful when you need to guarantee that no requests are made to targets that are not in-scope for your current work. Even if your browser makes requests for out-of-scope items, the outgoing requests will be dropped by Burp.