Slow network requests while using Burp / Upstream Proxy in Burp
TL;DR: Website loading time while using Burp is doubled, tripled if using Burp + SOCKS5
Hello everyone, I'd like to ask for more information about a bug I'm currently encountering while using any version of Burp. Perhaps other users can perform tests to confirm whether they have the same issue on their end.
The problem is as follows: when I try to load a website while using Burp in any browser, e.g. https://www.yahoo.com, the loading time is very slow compared to configuring the upstream proxy directly in the browser. For a site like Yahoo, it takes around 28 seconds to fully load the main page while using Burp+Proxy; using Burp without a proxy usually takes ~20 seconds to load; if I configure the proxy directly in the browser, it takes around 9-10 seconds to load. The issue becomes unbearable with sites that are not lightweight, or that have a lot of separate js/css/html resources. For reference, the same site takes about 7 seconds to load on an unproxified, direct connection.
For my tests, I used the Chrome/Firefox Developer Tools. I basically just press F12 to bring up the Developer Tools, go to the Network tab, and check the "Disable cache" box. From there I just perform the tests with and without Burp, using the timeline in DevTools to compare loading times.
I've tried all sorts of configurations / environments to eliminate the issue without any success. Here is a list of things I've attempted to do:
- Setting the default Burp configurations
- Trying other websites and measuring their loading times
- Switching between different versions of Java
- Switching between different versions of Burp
- Trying different Browsers (FF, IE, Chrome)
- Trying it in Windows 7/10/Linux, in various VM/non-VM configurations
- Disabling Master Interception, and most options that replace/intercept traffic in Burp
- Enabling/Disabling 'Invisible Proxying' in Burp
- Manually setting an upstream proxy in the JVM variables, e.g. launching Burp with the following command line: -DsocksProxyHost=my.proxyhost.com -DsocksProxyPort=9001
I even attempted to use similar software (which is also developed in Java), OWASP Zed, and got some interesting results:
- If I don't set up an upstream proxy in OWASP Zed, the loading time is ~10 seconds (very close to native, unproxified browsing). For reference, while using Burp, the same process takes ~20 seconds without a proxy, ~30 seconds with an upstream proxy
- If I set up an upstream proxy in OWASP Zed, the loading time increases to ~25 seconds, which is very similar to the Burp+Proxy scenario
It is very weird that OWASP Zed doesn't seem to add a lot of overhead when not using an upstream proxy. I find it very confusing that Burp alone, without an upstream proxy, is doubling the loading time even when I strip away most of the interception options.
Can someone confirm if they have the same issue as I do? You can use the DevTools as I mentioned above in order to find this out; it shouldn't take more than 5 minutes to perform a few tests. From my testing, it seems that Burp adds a huge overhead while loading a website regardless of whether you are using an upstream proxy or not, whereas in OWASP Zed, this issue only happens when you configure an upstream proxy.
I understand that using Burp with a browser should add some overhead, but this seems excessive in my opinion, especially after considering that OWASP Zed doesn't suffer the same issue (as long as you don't use an upstream proxy with it).
Thank you for your attention. I hope I didn't make a long-winded post to explain such a simple matter, but this issue has been bugging me for quite a while now and I didn't want to miss mentioning all of the things I've tried to resolve the issue.
I know that doing this kinda defeats the purpose of using Burp for content monitoring/manipulation, but I confirmed that this delay is happening during the inspection of HTTP(S) traffic only.
Thanks for this report, Julian. We’ve attempted to reproduce the issue using Firefox 66.0.1 and the latest version of Burp 2.x without any success. Which browser and Burp versions are you using?
What is the purpose of your upstream proxy? Are you working behind a corporate proxy? Is it possible to test this issue on another network?
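Added example, not part of the thread: the DevTools comparison described in the first post can be broken down per request phase by saving each run from the Network tab as a HAR file and diffing the summed timings, which shows whether the extra time sits in connection setup, the TLS handshake, or waiting for the first byte. The sample timings below are constructed for illustration and are not measurements of Burp; the function names are this example's own.

```python
import json

PHASES = ("blocked", "dns", "connect", "ssl", "send", "wait", "receive")

def phase_totals(har):
    """Sum each timing phase (ms) over all entries of a parsed HAR log."""
    totals = dict.fromkeys(PHASES, 0.0)
    for entry in har["log"]["entries"]:
        t = entry.get("timings", {})
        # HAR 1.2 uses -1 (or omits the key) for phases that did not apply,
        # e.g. no connect/ssl time on a reused keep-alive connection.
        vals = {p: max(t.get(p) or 0, 0) for p in PHASES}
        # When "ssl" is present it is already included in "connect";
        # split it out so the TLS handshake is not counted twice.
        vals["connect"] = max(vals["connect"] - vals["ssl"], 0)
        for p in PHASES:
            totals[p] += vals[p]
    return totals

def compare(direct_har, proxied_har):
    """Per-phase overhead in ms (proxied minus direct), largest first."""
    d, p = phase_totals(direct_har), phase_totals(proxied_har)
    return sorted(((ph, p[ph] - d[ph]) for ph in PHASES), key=lambda x: -x[1])

def _har(*timings):
    return {"log": {"entries": [{"timings": t} for t in timings]}}

# Constructed sample captures (two requests each), not real measurements.
DIRECT = _har(
    {"blocked": 2, "dns": 10, "connect": 60, "ssl": 40, "send": 1, "wait": 80, "receive": 20},
    {"blocked": 5, "dns": -1, "connect": -1, "ssl": -1, "send": 1, "wait": 70, "receive": 15},
)
VIA_PROXY = _har(
    {"blocked": 3, "dns": -1, "connect": 150, "ssl": 140, "send": 1, "wait": 200, "receive": 25},
    {"blocked": 90, "dns": -1, "connect": -1, "ssl": -1, "send": 1, "wait": 160, "receive": 15},
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # two HAR files exported from DevTools
        a, b = (json.load(open(p, encoding="utf-8")) for p in sys.argv[1:3])
    else:
        a, b = DIRECT, VIA_PROXY
    for phase, delta in compare(a, b):
        print(f"{phase:8s} {delta:+9.1f} ms")
```

Run it with two HAR paths (direct capture first, proxied capture second) to compare real captures; with no arguments it prints the breakdown for the constructed samples.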