Setting up a Burpsuite Upstream proxy?

ByCyberResearchHub

In web application security testing you sometimes come across web applications which require the use of upstream proxy to function properly. This can be because its an internal application or just has some funny setup which means if you send the requests to burp the application completely breaks.

In this guide, you’ll learn not only how to set up an upstream proxy in Burp Suite, but also why it matters especially if you’re working in enterprise environments or red team engagements.

Understanding Burp Suite

Burp Suite, developed by PortSwigger, is a leading web application security testing tool. It acts as a proxy-based interception tool that lets security professionals intercept, modify, and analyze web traffic between a browser and target applications. Burp offers features like Spider, Intruder, Repeater, and Scanner, making it indispensable for penetration testers and bug bounty hunters alike.

What is an Upstream Proxy?

An upstream proxy refers to an external proxy server to which Burp Suite can forward all the traffic it intercepts. Instead of sending the traffic directly to the destination, Burp sends it first to the upstream proxy. This setup can be beneficial in cases where requests need to be routed through corporate firewalls, anonymized via services like Tor, or logged in centralized locations.

Why Enterprise Apps Break Without It

  • Split-DNS / Internal Zones: The hostname only resolves on internal DNS. A direct Burp connection using public DNS fails. Upstream proxies commonly resolve names on your behalf problem solved.
  • Mandatory Egress Controls: Traffic must exit via a corporate proxy (Zscaler, Blue Coat/Symantec, Netskope, Prisma, etc.). Direct egress from your host/IP is blocked or untrusted.
  • Session & Header Expectations: SWGs/WAFs add or normalize headers (e.g., Forwarded, Via, device posture tags). Apps or edges might implicitly rely on these.
  • SSO / NTLM / Kerberos Context: Some flows expect OS-level authentication or PAC routing. The upstream proxy provides the right challenge/response path.
  • mTLS at the Edge: Client certificates or TLS inspection may be anchored at the proxy. Going around it breaks the handshake.

Why Use a Burpsuite Upstream Proxy?

Centralized Traffic Logging

Using an upstream proxy allows organizations to centralize the logging of all HTTP/S requests for auditing, compliance, or threat analysis purposes.

Anonymous Routing & IP Rotation

Pentesters often use upstream proxies to anonymize their traffic. Proxies like Tor, Privoxy, or commercial VPNs can help rotate IPs and hide the tester’s identity.

Geo-based Testing

By routing your traffic through a geo-located proxy, you can test how applications behave from various countries—a vital need for global applications.

Integration with Security Tools

Some tools or scripts need to be routed through Burp for a full interception and analysis. Configuring them to go through an upstream proxy connected to Burp Suite makes this seamless.

Redirection Through Enterprise Proxies

In corporate environments where internet access is tightly controlled, upstream proxies enable Burp Suite to communicate through internal gateways.

Pre-flight Checklist (Get This Info First)

  • Upstream proxy host:port (e.g., proxy.corp.local:8080), and whether it inspects TLS.
  • Any authentication required (username/password, OS integrated auth, token).
  • Which hosts must go via upstream (e.g., *.corp.local, intranet.example.com, internal APIs).
  • Which hosts should not go via upstream (CDNs, update servers, your own tooling endpoints) to avoid loops and lag.
  • Whether DNS should be resolved by the upstream or locally (usually upstream).
  • Needed headers (e.g., X-Forwarded-For) and whether to preserve or spoof them.
  • Any client certificates required by the target or proxy.
  • Ensure you /etc/hosts files have been updated to resolve the hosts (if internal)

How to Set Up a Burpsuite Upstream Proxy (Step-by-Step)

  1. Open Burp Suite and go to the Project Options tab.
  2. Select Connections, then navigate to Upstream Proxy Servers.
  3. Click Add to define a new upstream proxy.
  4. Input the IP address and port of the proxy server.
  5. Optionally, add hostname-based conditions (e.g., only forward requests to *.internal.com).
  6. If the upstream proxy requires authentication, supply the username/password.
  7. Click OK.

Burp now forwards traffic matching your rules through the defined proxy.

Invisible Proxy + Upstream (For Non-Proxy-Aware Clients)

Testing thick clients, mobile apps, or appliances?

  • Create a Burp proxy listener and enable Invisible proxying.
  • Use NAT/port-redirection (e.g., iptables, pf, or a transparent proxy device) to steer the client’s traffic to Burp.
  • In Burp, configure Upstream proxy rules so that once Burp receives the traffic, it forwards to the enterprise proxy and preserves the production path.

This pattern lets you keep fragile clients happy while still intercepting and modifying flows.

SSL/TLS Handling with Upstream Proxies

When sending HTTPS traffic through an upstream proxy, you must ensure the proxy can handle SSL negotiation. Some proxies may require extra configuration like installing their CA certificates or enabling SSL tunneling (CONNECT method).

Using Burp with Tor

To route traffic through Tor, simply set the upstream proxy to:

  • Address: 127.0.0.1
  • Port: 9050 (SOCKS5 default for Tor)

Make sure Burp is compatible with SOCKS proxies or use a bridge like Proxychains or Privoxy for better compatibility.

Real-World Example: Penetration Test in a Corporate Network

A penetration tester needs to test a web application located in a DMZ zone. Since the network only allows connections through an internal proxy, the tester configures Burp with an upstream proxy pointing to that corporate gateway. This setup ensures compliance and connectivity while still allowing full interception and testing.

Setting up a Burpsuite Upstream Proxy

The key takeaway when setting up a Burpsuite Upstream proxy is understanding the “why” behind it. Whether you’re aiming for anonymity, compliance, or enhanced traffic control, upstream proxies offer versatility and control unmatched in basic setups. Configuring them correctly ensures seamless integration into complex networks while maintaining the power of Burp Suite’s analysis tools.

FAQs

What is the purpose of an upstream proxy in Burp Suite?
It routes intercepted traffic through another proxy server, often used for anonymity, compliance, or routing.

Can Burp Suite work with SOCKS proxies?
Yes, with limitations. Direct support is limited, but tools like Proxychains or Privoxy help bridge the gap.

Is an upstream proxy required for normal Burp operation?
No, it’s optional and used mainly for advanced setups or network constraints.

Can I use multiple upstream proxies?
Burp supports conditional proxying, allowing multiple proxies based on host/domain rules.

How does using an upstream proxy affect performance?
It may introduce slight latency depending on the proxy’s location and load.

What’s the difference between upstream and invisible proxies in Burp?
Upstream proxies forward traffic manually, while invisible proxies capture traffic without browser configuration.

Conclusion

Setting up a Burpsuite Upstream proxy is a game-changing feature for serious web application testers. It empowers professionals to bypass restrictions, maintain anonymity, and integrate seamlessly with enterprise infrastructures. While the setup may seem technical at first, the benefits far outweigh the complexity. With the step-by-step configuration guide and use cases discussed here, you’re well-equipped to take full advantage of this advanced Burp Suite capability.

Similar Posts