tl;dr

You can see the result here :)

Click here 👀

Hey guys, I’m here to show you a little simple technique, but it’s a tip that maybe someday help someone. The question is how to identify that someone is using web proxy (BURP)? well, a friend of mine aka Jerry was with me one afternoon and we decided to do a PoC, maybe a lot of people already know, but when starting BURP it automatically goes up to a “light” web server where you can for example download the BURP certificate to import into your browser or zipbit at the following address http://burp/ The following image illustrates this interface:

Well, taking this as a starting point, on this little web server we have BURP’s “favicon.ico” too, where you can access it from the following URL http://burp/favicon.ico

according to google favicon.ico is for:

“A favicon is a small 16 × 16 pixel icon that appears at the top of a web browser. It serves as branding for your website and a convenient way for visitors to locate your page when they have multiple tabs open. Because of their tiny size , favicons work best as simple images or one-to-three characters of text.”

Because with this behavior, we can find out if a person(attacker) is using BURP, using a bit of Javascript. As shown in the following code:

<style>
            body {
                font-family: sans-serif;
                color: #FBF5E3;
                background: #002B36;
                margin-left: 3em;
              }
              
              h1 {
                color: goldenrod;
              }
              
              img {
                margin-left: -1em;
                margin-bottom: -2em;
                width: 10%;
              }
    </style>
       <script>
            function arroto() {
                var img1 = document.createElement("img");
                img1.src = "http://burp/favicon.ico";

                img1.onload = function() {
                console.log("[+] Using BURP [+]");
                document.body.append(this);
                alert('[+] Burp Detected [+]');
                };

                img1.onerror = function() {
                    console.log("[+] Not using BURP [+]");
                }
            }
        </script>

<title> Burp Detection </title>
  </head>
  <body>
    <img src onerror="arroto();">
    <h1>Using Burp ?</h1>
    <p>
      Let's see.. 
    </p>
    <footer> By inc0gbyt3 and J3rry </footer>
  </body>
</html>

In the code of the link above we have 2 behaviors in case if you (attacker) access with active burp, javascript will check if favicon.ico is accessible if any, will warn that you are using burp :), otherwise You will not do anything. Go ahead and try it yourself.

OBS: You can disable this burp functionality in Options, just uncheck the option that will take this service