TL;DR
Burp Scanner is reporting "Out-of-band resource load (HTTP)". Despite the name, this is not a warning about your browser pulling scripts, fonts or images from third-party domains such as a CDN: it means the target server itself fetched a URL that Burp injected into a request, and then included the fetched content in its own response. That is a server-side request forgery (SSRF) class finding about the application, and no Burp setting makes it go away. This guide explains what the finding means, how to confirm and triage it, and, separately, how to scope Burp so that unrelated third-party traffic stays out of your way. Understand the finding before you suppress anything.
What are Out-of-Band Resource Loads?
Burp's "out-of-band" features are built on Burp Collaborator, a server under Burp's control that records the DNS and HTTP interactions it receives. During an audit, Burp Scanner submits Collaborator URLs in request parameters and in headers such as Referer. If the application's server fetches that URL and the body served by Collaborator turns up in the application's response, Burp reports "Out-of-band resource load (HTTP)". If the server contacted Collaborator but its content did not come back, Burp reports the weaker "External service interaction (DNS)" or "External service interaction (HTTP)" instead. Because the interaction was observed on a server Burp controls rather than inferred from the response, the issue is reported with certain confidence.
An application that fetches user-supplied URLs is not always a bug (link previews, image proxies, webhook testers and import-from-URL features do this by design), but it is risky because:
- Security risks: the server becomes a proxy. An attacker can make it reach loopback and private addresses, cloud metadata endpoints (169.254.169.254) or other services that are not exposed to the internet, and can read whatever comes back. If the fetched content is rendered as HTML or script, it can also be used for content spoofing or cross-site scripting in the application's own origin.
- Privacy concerns: every outbound fetch carries the server's IP address, and often internal headers or credentials, to whatever host the attacker names.
Burp flags the behaviour so that you can decide whether it is an intended feature with adequate restrictions or an SSRF vulnerability.
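The behaviour Burp is describing, as an added example that is not Burp's code and not from the original page: a hypothetical link-preview endpoint that fetches whatever URL the client supplies and reflects the body (this is what produces the "Out-of-band resource load" finding), beside a hardened version that applies the server-side restrictions described in this guide. The hostnames, the fake network table and the helper names are all constructed for the example; the first table entry stands in for the Collaborator server, whose response marker reappearing in the application's response is exactly what Burp looks for.

```python
"""Added example (not Burp's code, not from this page's author): a link-preview
endpoint with the out-of-band resource load behaviour Burp reports, beside a
hardened version. All hosts, URLs and helper names are hypothetical."""
from __future__ import annotations

import ipaddress
from html import escape
from urllib.parse import urlparse

# Constructed stand-in for "the network", so the example runs offline.
# The first entry plays the role of the Burp Collaborator server: the body it
# serves carries a unique marker, and that marker showing up in the app's
# response is what Burp reports as an out-of-band resource load.
FAKE_NETWORK = {
    "http://k3j2x.collab.example/": "<p>oob-marker-7f3a9c</p>",
    "https://news.example.com/story/42": "<h1>Story 42</h1><script>alert(1)</script>",
    "http://169.254.169.254/latest/meta-data/": "ami-id\ninstance-id\niam/",
    "http://intranet.example.internal/admin": "<h1>Admin console</h1>",
}


def fake_fetch(url: str) -> str:
    """Pretend HTTP client: returns the body for a known URL, else empty."""
    return FAKE_NETWORK.get(url, "")


def vulnerable_preview(user_url: str) -> str:
    """Fetches whatever URL the client supplied and reflects the body verbatim.
    A Collaborator URL injected here comes straight back in the response, and
    so does the cloud metadata service or an intranet admin page."""
    return '<div class="preview">' + fake_fetch(user_url) + "</div>"


# --- hardened version -------------------------------------------------------

ALLOWED_HOSTS = {"news.example.com"}  # hypothetical allowlist


class FetchRejected(ValueError):
    """Raised when a user-supplied URL fails validation."""


def is_public_address(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True unless the address is loopback, private, link-local (which covers
    169.254.169.254), multicast, reserved or unspecified. In a real client,
    also call this on the *resolved* address right before connecting, so that
    DNS rebinding cannot swap in an internal address after validation."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(user_url: str) -> str:
    """Allow only http(s) URLs without embedded credentials, on an allowlisted
    host and a default port. Returns the URL unchanged if it passes."""
    parts = urlparse(user_url)
    if parts.scheme not in ("http", "https"):
        raise FetchRejected("scheme not allowed: %r" % parts.scheme)
    # "http://news.example.com@evil.example/" parses with username
    # news.example.com and hostname evil.example; reject userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise FetchRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise FetchRejected("missing host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and not is_public_address(literal):
        raise FetchRejected("internal address: %s" % host)
    if host.lower() not in ALLOWED_HOSTS:
        raise FetchRejected("host not allowlisted: %s" % host)
    if parts.port not in (None, 80, 443):  # raises ValueError on a junk port
        raise FetchRejected("non-standard port: %s" % parts.port)
    return user_url


def hardened_preview(user_url: str) -> str:
    """Same feature with the fetch restricted and the fetched body HTML-escaped,
    so remote content can never be rendered as markup in our page."""
    try:
        url = validate_fetch_url(user_url)
    except ValueError as exc:  # FetchRejected and urlparse's own ValueError
        return '<div class="preview error">%s</div>' % escape(str(exc))
    return '<div class="preview">' + escape(fake_fetch(url)) + "</div>"
```

Feeding `vulnerable_preview` the Collaborator stand-in returns the marker, which is the Scanner's evidence; the same call against the metadata address shows why the finding matters. The hardened version refuses the Collaborator host (not allowlisted), the metadata address (link-local), `file://` URLs, userinfo tricks and odd ports, and escapes what it does fetch. The allowlist makes the literal-IP check redundant here; it is kept because the same range check must be applied to the resolved address when the allowlist is by hostname.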
Step-by-Step Solution
- Understand the finding: the issue detail contains the request Burp sent (with a Collaborator URL in some parameter or header), the part of the application's response where the content served by Collaborator reappeared, and the HTTP interaction that the Collaborator server logged from the target's IP address. "Out of band" refers to that second channel; it says nothing about where your browser loads scripts or fonts from.
- Identify the injection point: note which parameter or header carried the payload (typically something like url=, src=, callback= or a Referer header) and whether Burp had to supply a full URL or just a hostname.
- Reproduce it: send the request to Repeater, replace Burp's payload with a fresh one from the Collaborator tab, send it, then poll Collaborator. A logged HTTP request from the target confirms the server-side fetch; the Collaborator response body appearing in the application's response confirms the resource load. The interaction also shows the fetching component's source IP, User-Agent and any forwarded headers, which tells you which library made the request and whether internal headers or credentials leak.
- Assess the risk: decide whether the fetch is intended and, either way, what it can reach.
- Intended feature: if the endpoint exists to fetch remote content (link previews, image proxies, feed or document importers), find out what restricts it. Try loopback and private addresses, the cloud metadata address 169.254.169.254, other schemes (file://, gopher://), non-standard ports, and hostnames you control that resolve to internal addresses. A restriction that can be bypassed is still a vulnerability.
- Unintended behaviour: if nothing on that endpoint should be fetching URLs (for example the load was triggered by a Referer or Host header), treat it as SSRF and rate it by what the server can reach and what comes back in the response.
- Report it, do not suppress it: the finding describes the target, not your Burp setup. The fix is server-side: accept only http and https, resolve the hostname and validate the address against an allowlist at the moment of connecting (so DNS rebinding cannot swap in an internal address), refuse private and link-local ranges, do not follow redirects blindly, and never reflect the raw fetched body into the page.
- Keep third-party domains out of scope: if what you are actually looking at is third-party traffic (CDNs, fonts, analytics) cluttering Proxy history and the Site map, that is a scope question, not an out-of-band finding. Open Target > Scope (Settings > Project > Scope in recent versions), add the application's hosts under "Include in scope", and add hosts you do not want to see or test under "Exclude from scope". Turn on "Use advanced scope control" to match on protocol, host regex, port and path, for example a host pattern of ^(.*\.)?example\.com$. Then set the Proxy history and Site map filters to show only in-scope items. Do not add the target's own host or the Collaborator domain to the exclude list to silence a Scanner issue.
- Optionally drop out-of-scope requests: the "Out-of-scope requests" setting under Connections ("Drop all out-of-scope requests"; under Project options > Connections in older versions and under Settings > Network > Connections in recent ones) makes Burp refuse to forward anything outside scope. Pages that depend on those resources will break, and the setting affects only your testing browser; it protects none of the application's users.
- Re-check after changes: reload the page and confirm the Proxy history now shows what you expect. Live scanning tasks only audit in-scope traffic, so scope controls what Burp tests, not what it reports about the hosts it does test, and changing scope does not retract an issue that has already been found.
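The scope settings from the steps above, written as a Burp project configuration fragment (Settings > Project > Scope and the out-of-scope request setting). This is an added example, not from the original page: the hosts are hypothetical, and the key names follow the layout of a Burp project-configuration export as I recall it, so export the settings from your own Burp version and compare before loading this, because key names have shifted between releases.

```json
{
  "target": {
    "scope": {
      "advanced_mode": true,
      "include": [
        {
          "enabled": true,
          "protocol": "any",
          "host": "^(.*\\.)?example\\.com$",
          "port": "^(80|443)$",
          "file": "^/.*"
        }
      ],
      "exclude": [
        {
          "enabled": true,
          "protocol": "https",
          "host": "^static\\.example\\.com$",
          "port": "^443$",
          "file": "^/.*"
        }
      ]
    }
  },
  "project_options": {
    "connections": {
      "out_of_scope_requests": {
        "drop_all_out_of_scope": true,
        "scope_option": "suite"
      }
    }
  }
}
```

With this loaded, every host under example.com is in scope except static.example.com, and anything outside scope is dropped rather than forwarded, so a page that depends on static.example.com will render without those assets. The exclude entry only stops Burp from proxying and testing that host; the "Out-of-band resource load" issue on the in-scope application is unaffected by it.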
Important Considerations
- False positives are rare: detection depends on the Collaborator server receiving a request from the target, so the server-side fetch really happened. What needs judgement is the impact, not whether the behaviour exists. What can mislead you is a shared component making the request (a link-unfurling service, a security gateway, a mail or antivirus scanner that follows URLs); the source IP and User-Agent in the Collaborator interaction tell you who fetched.
- Collaborator reachability: if the target sits on a network without internet access, or your environment blocks outbound DNS and HTTP to the public Collaborator server, Burp cannot observe the interaction and out-of-band issues will be missed rather than falsely reported. A private Collaborator server addresses the first case; Burp also keeps polling Collaborator after a scan, so a delayed interaction can still surface later.
- Scope is a testing convenience, not a security control: excluding hosts in Burp changes what you see and what Burp tests; it changes nothing on the target. Keep third-party hosts out of scope so that you do not scan infrastructure you are not authorised to test, and be careful not to drop resources the application needs in order to function, but fix an out-of-band resource load in the application itself.