Disable update checks

cybeard Mar 26, 2015 10:39PM UTC

An option to disable update checks on startup would be great. This setting should also disable update checks when upstream proxy server settings are changed. This would be especially useful for Burp users that test in high-secure network environments isolated from the public Internet.


Smeege Security Mar 30, 2015 03:21PM UTC
Agreed. I brought this up just over a year ago in the forum and it never got a reply. For exactly the reason you stated, some people may want to limit traffic in certain network environments, and preventing the automatic update prompt from showing is a good start. Obviously users can still go in and manually update if they choose. I think this would be a fairly simple thing to implement from a development standpoint; you are just doing an initial settings check before displaying the popup.

Dafydd Stuttard Mar 31, 2015 08:06AM UTC Support Center agent

We would prefer to keep the updates check automatic. If you are working on a private network with no Internet access, then the updates check will simply fail silently with no ill effects for the user. If you are on a network that can route to the Internet but for some reason you would like to avoid requests to certain hosts, then we suggest you use an ad hoc workaround, such as a personal firewall rule, or a rule in Burp to use an invalid local port number as upstream web proxy for those hosts. In this situation, you will likely find that lots of your installed software is making noisy requests, so you might need to create suitable rules for all relevant hosts.


cybeard Apr 01, 2015 08:32PM UTC
Failing "silently" from the perspective of the end-user is fine, but not from the Security Ops desk who likes to dispatch helicopters when external access is attempted from sensitive private networks. For run-of-the-mill software, we as security practitioners have come to expect it. One would think security tools could do better. </rant><peace/>

Smeege Security Apr 03, 2015 09:11PM UTC
>"In this situation, you will likely find that lots of your installed software is making noisy requests, so you might need to create suitable rules for all relevant hosts."

A lot of security professionals like myself probably spend a considerable amount of time to test from "clean" virtual machines where they limit as much traffic as possible. Your upstream web proxy idea is clever and not something I had thought of but it still leaves users with the problem of unwanted traffic going over the network. I understand Burp is a popular tool with many requests which can't all be addressed but this seems like such a quick fix.

cybeard your rant was beautiful :)

Dafydd Stuttard Apr 07, 2015 07:57AM UTC Support Center agent

The upstream proxy option can point at 127.0.0.1:XXX (invalid port) so that you don’t see any traffic going over the network.


Martin Jan 31, 2016 05:44PM UTC
1) If you point your upstream proxy to 127.0.0.1, you also can't use the software to do its thing. That's a troll answer.

2) The reason you can't disable automatic updates is the creators WANT the software to phone home.

3) This approach is completely in line with their policy on licensing. They will only write software that has a built-in self-destruct mechanism. So you can probably see why they want to keep track of all clients being used in the wild.


Dafydd Stuttard Feb 01, 2016 08:46AM UTC Support Center agent

You define an upstream proxy rule for the specific host that updates checks are made for, as discussed earlier in the thread.

We want people to know about updates, and the license agreement makes clear that updates checks happen.


rob Jul 15, 2016 12:09AM UTC
I am having trouble with the forced update check as well, particularly when using Burp with an upstream proxy. Why doesn't PortSwigger provide a way to disable this check? Otherwise, it interferes when using an upstream proxy in a highly secure environment. Regardless of the fact that the agreement says that update checks happen, it makes monitoring systems trigger red flags when Burp is used in a professional and highly watched network. When using a paid licence, I do not appreciate telltale phoning home.

Dafydd Stuttard Jul 15, 2016 07:50AM UTC Support Center agent

We prefer to keep the check for updates always on, so that these can be made available as quickly and easily as possible. We understand your perspective, but if you really need to prevent it happening, there are various technical means of doing so, such as a host firewall with an egress filter. Or you can configure your secure monitoring system to ignore (and block) the connection that checks for updates.

