Detecting Burp Suite

Hey guys, I’m here to show you a simple little technique, but it’s a tip that may help someone someday. The question is: how do you identify that someone is using a web proxy (Burp)? Well, a friend of mine, aka Jerry, was with me one afternoon and we decided to do a PoC. Maybe a lot of people already know this, but when Burp starts it automatically brings up a “light” web server where you can, for example, download the Burp certificate to import into your browser or device, at the following address: http://burp/. The following image illustrates this interface:

[Image: the welcome page of the light web server that Burp serves at http://burp/]

Well, taking this as a starting point: this little web server also serves Burp’s “favicon.ico”, which you can access at the following URL: http://burp/favicon.ico

[Image: Burp’s favicon served at http://burp/favicon.ico]

According to Google, a favicon.ico is:

“A favicon is a small 16 × 16 pixel icon that appears at the top of a web browser. It serves as branding for your website and a convenient way for visitors to locate your page when they have multiple tabs open. Because of their tiny size, favicons work best as simple images or one-to-three characters of text.”

Because of this behavior, we can find out whether a person (an attacker) is using Burp with a bit of JavaScript, as shown in the following code:

https://incogbyte.github.io/samples/burpdetection.html

The code at the link above has two behaviors. If you (the attacker) open the page with Burp running, the JavaScript checks whether http://burp/favicon.ico is reachable; if it is, the page warns that you are using Burp :). Otherwise, it does nothing. Go ahead and try it yourself.
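The kind of check the linked page performs, written here as an added example rather than the post’s own code. It assumes a browser that exposes the Image API and a `report` callback you supply for the verdict; the favicon URL is the one from the post.

```javascript
// Added example (not the code behind the post's link): try to load the
// favicon of the light web server Burp Suite runs at http://burp/. Requests
// to that host are answered by Burp's own proxy listener, so the image only
// loads when the visitor's browser is proxying through Burp.

const BURP_FAVICON_URL = "http://burp/favicon.ico";

// Try to load `url` as an image and report how the attempt ended.
// `createImage` is () => new Image() in a browser; tests can pass a fake.
function probeFavicon(url, timeoutMs, createImage) {
  return new Promise((resolve) => {
    let settled = false, timer;
    const finish = (status) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve({ status });
    };
    const img = createImage();
    img.onload = () => finish("loaded");
    img.onerror = () => finish("error");
    // An unreachable host can leave the request pending for a long time,
    // so bound the wait instead of never reaching a verdict.
    timer = setTimeout(() => finish("timeout"), timeoutMs);
    img.src = url;
  });
}

// Map a probe outcome to a verdict. Only a successful load is positive
// evidence; a failed request means no Burp proxy answered, and a timeout
// is inconclusive rather than a detection.
function classifyProbe(outcome) {
  switch (outcome.status) {
    case "loaded": return "burp-detected";
    case "error":  return "no-burp-detected";
    default:       return "inconclusive";
  }
}

// Browser entry point: run the probe and hand the verdict to `report`
// (for example a function that POSTs it to your own logging endpoint).
async function detectBurp(report, timeoutMs = 3000) {
  const outcome = await probeFavicon(BURP_FAVICON_URL, timeoutMs, () => new Image());
  const verdict = classifyProbe(outcome);
  report(verdict);
  return verdict;
}

// In a page: detectBurp((v) => console.log("Burp check:", v));
```

On an HTTPS page the browser may block or upgrade the plain http:// image request as mixed content, so an error or timeout is not proof that Burp is absent; only a successful load should be treated as a positive. A host on your own network that happens to be named “burp” would also produce a false positive.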

OBS: You can disable this Burp functionality in the Options; just uncheck the option that runs this service.

That’s it guys, I hope I helped you a little :) It’s a silly trick, but maybe someone didn’t know about it. I will try to bring a few more pentest-related topics in the next posts. :)

/.piece

Written on July 6, 2019