BurpSuite Anonymity

TL;DR

This guide shows you how to use Burp Suite to route your traffic through Tor or a VPN, hiding your IP address and improving your anonymity when testing web applications.

Setting up Burp Suite for Anonymity

  1. Install Tor Browser: Download and install the Tor Browser from the official website.
  2. Find Tor’s SOCKS Proxy: Open Tor Browser, then go to about:config in the address bar. Search for ‘network.proxy.socks’. Note down the port number (usually 9050).
  3. Configure Burp Suite Proxy Settings:
    • Open Burp Suite Professional.
    • Go to Proxy > Options.
    • Select the ‘Proxy Listeners’ tab.
    • Ensure a listener is running (usually on 127.0.0.1:8080). If not, add one.
    • Go to the ‘Upstream Proxy Servers’ tab.
    • Click ‘Add’.
    • Enter the following details:
      • Host: 127.0.0.1
      • Port: The port number you noted from Tor (e.g., 9050)
      • Protocol: SOCKS5
    • Click ‘OK’.
  4. Configure Your Browser to Use Burp Suite:
    • Set your browser’s proxy settings to use 127.0.0.1 on port 8080 (or the port you configured in Burp). Configure this as an HTTP proxy; do not point the browser directly at the SOCKS proxy.

Using Tor with Burp Suite

Now all your browser traffic will go through Burp Suite and then through the Tor network.

  • Verify Your IP Address: In Burp Suite, use the ‘Repeater’ or ‘Intruder’ to send a request to a website that shows your IP address (e.g., WhatIsMyIP). It should show an IP address associated with Tor.
  • Install Burp Suite CA Certificate: Ensure you’ve installed the Burp Suite CA certificate in your browser to avoid SSL errors when intercepting HTTPS traffic.
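
The IP verification step above can be scripted. The following is an added example, not part of the original guide or of Burp Suite: it compares the reply of check.torproject.org/api/ip fetched directly with the reply fetched through the Burp listener and reports any mismatch with the intended chain. The file name burp-ca.pem, the function names and the sample replies are assumptions made for illustration; pass expect_tor=False when the upstream is a VPN proxy rather than Tor.

```python
import json
import ssl
import sys
import urllib.request

CHECK_URL = "https://check.torproject.org/api/ip"  # replies {"IsTor": bool, "IP": "..."}
BURP_LISTENER = "http://127.0.0.1:8080"            # Burp listener address used in this guide

# Constructed sample replies (documentation-range addresses), used when run without --live.
SAMPLE_DIRECT = '{"IsTor": false, "IP": "203.0.113.7"}'
SAMPLE_PROXIED = '{"IsTor": true, "IP": "198.51.100.20"}'


def fetch_reply(proxy=None, ca_pem=None, timeout=30):
    """Fetch CHECK_URL directly (proxy=None) or through an HTTP proxy such as Burp."""
    # An empty mapping disables proxies picked up from environment variables.
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy} if proxy else {})]
    if ca_pem:  # assumption: Burp's CA certificate exported and converted to PEM
        ctx = ssl.create_default_context(cafile=ca_pem)  # trusts only this CA
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(CHECK_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def assess(direct_json, proxied_json, expect_tor=True):
    """Return a list of problems found; an empty list means the chain looks right."""
    direct, proxied = json.loads(direct_json), json.loads(proxied_json)
    problems = []
    if not proxied.get("IP"):
        problems.append("no exit IP in proxied reply")
    elif proxied["IP"] == direct.get("IP"):
        problems.append("proxied IP equals direct IP: upstream proxy is not being used")
    if expect_tor and not proxied.get("IsTor"):
        problems.append("exit IP is not a known Tor exit")
    return problems


if __name__ == "__main__":
    if "--live" in sys.argv:
        # burp-ca.pem is a hypothetical file name for Burp's CA certificate in PEM form.
        direct = fetch_reply()
        proxied = fetch_reply(proxy=BURP_LISTENER, ca_pem="burp-ca.pem")
    else:
        direct, proxied = SAMPLE_DIRECT, SAMPLE_PROXIED
    issues = assess(direct, proxied)
    print("OK" if not issues else "\n".join(issues))
```

Run without arguments it evaluates the constructed samples; with --live it performs one direct request and one request through the Burp listener.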

Setting up a VPN with Burp Suite

  1. Connect to Your VPN: Connect to your chosen VPN server.
  2. Find Your VPN’s Proxy Settings: Obtain the proxy address and port from your VPN provider (usually in their documentation or settings). This could be a SOCKS5, HTTP, or HTTPS proxy.
  3. Configure Burp Suite Upstream Proxy Server: Follow step 3 from ‘Setting up Burp Suite for Anonymity’, but use the details provided by your VPN instead of Tor’s.

Important Considerations

  • DNS Leaks: Ensure your browser and operating system are not leaking DNS requests outside of the Tor or VPN connection. Use a website like DNSLeakTest to check.
  • WebRTC Leaks: WebRTC can reveal your real IP address even when using a proxy. Disable WebRTC in your browser (search online for instructions specific to your browser).
  • Burp Suite Logging: Be mindful of what Burp Suite logs, as this could contain sensitive information.
  • VPN/Tor Reliability: The anonymity provided by Tor and VPNs is not foolproof. Choose reputable providers and understand their limitations.