Detect burp suite
tl;dr
You can see the result here :)
Hey guys, I’m here to show you a little simple technique, but it’s a tip that maybe someday help someone. The question is how to identify that someone is using web proxy (BURP)? well, a friend of mine aka Jerry was with me one afternoon and we decided to do a PoC, maybe a lot of people already know, but when starting BURP it automatically goes up to a “light” web server where you can for example download the BURP certificate to import into your browser or device at the following address http://burp/ The following image illustrates this interface:
Well, taking this as a starting point, on this little web server we have BURP’s “favicon.ico” too, where you can access it from the following URL http://burp/favicon.ico
according to google favicon.ico is for:
“A favicon is a small 16 × 16 pixel icon that appears at the top of a web browser. It serves as branding for your website and a convenient way for visitors to locate your page when they have multiple tabs open. Because of their tiny size , favicons work best as simple images or one-to-three characters of text.”
Because with this behavior, we can find out if a person(attacker) is using BURP, using a bit of Javascript. As shown in the following code:
<style>
body {
font-family: sans-serif;
color: #FBF5E3;
background: #002B36;
margin-left: 3em;
}
h1 {
color: goldenrod;
}
img {
margin-left: -1em;
margin-bottom: -2em;
width: 10%;
}
</style>
<script>
function arroto() {
var img1 = document.createElement("img");
img1.src = "http://burp/favicon.ico";
img1.onload = function() {
console.log("[+] Using BURP [+]");
document.body.append(this);
alert('[+] Burp Detected [+]');
};
img1.onerror = function() {
console.log("[+] Not using BURP [+]");
}
}
</script>
<title> Burp Detection </title>
</head>
<body>
<img src onerror="arroto();">
<h1>Using Burp ?</h1>
<p>
Let's see..
</p>
<footer> By inc0gbyt3 and J3rry </footer>
</body>
</html>
In the code of the link above we have 2 behaviors in case if you (attacker) access with active burp, javascript will check if favicon.ico is accessible if any, will warn that you are using burp :), otherwise You will not do anything. Go ahead and try it yourself.
OBS: You can disable this burp functionality in Options, just uncheck the option that will take this service