Burp Suite User Forum

Disable update checks

cybeard | Last updated: Mar 26, 2015 10:39PM UTC

An option to disable update checks on startup would be great. This setting should also disable update checks when upstream proxy server settings are changed. This would be especially useful for Burp users that test in highly secure network environments isolated from the public Internet.

PortSwigger Agent | Last updated: Mar 27, 2015 09:27AM UTC

We would prefer to keep the updates check automatic. If you are working on a private network with no Internet access, then the updates check will simply fail silently with no ill effects for the user. If you are on a network that can route to the Internet but for some reason you would like to avoid requests to certain hosts, then we suggest you use an ad hoc workaround, such as a personal firewall rule, or a rule in Burp to use an invalid local port number as upstream web proxy for those hosts. In this situation, you will likely find that lots of your installed software is making noisy requests, so you might need to create suitable rules for all relevant hosts.

Burp User | Last updated: Mar 30, 2015 03:21PM UTC

Agreed. I brought this up just over a year ago in the forum and it never got a reply. For exactly the reason you stated, some people may want to limit traffic in certain network environments, and preventing the automatic update prompt from showing is a good start. Obviously users can still go in and manually update if they choose. I think this would be a fairly simple thing to implement from a development standpoint; you are just doing an initial settings check before displaying the popup.

Burp User | Last updated: Apr 01, 2015 08:32PM UTC

Failing "silently" from the perspective of the end-user is fine, but not from the Security Ops desk who likes to dispatch helicopters when external access is attempted from sensitive private networks. For run-of-the-mill software, we as security practitioners have come to expect it. One would think security tools could do better. </rant><peace/>

Burp User | Last updated: Apr 03, 2015 09:11PM UTC

> "In this situation, you will likely find that lots of your installed software is making noisy requests, so you might need to create suitable rules for all relevant hosts."

A lot of security professionals like myself probably spend a considerable amount of time to test from "clean" virtual machines where they limit as much traffic as possible. Your upstream web proxy idea is clever and not something I had thought of, but it still leaves users with the problem of unwanted traffic going over the network. I understand Burp is a popular tool with many requests which can't all be addressed, but this seems like such a quick fix.

cybeard, your rant was beautiful :)

PortSwigger Agent | Last updated: Apr 07, 2015 07:56AM UTC

The upstream proxy option can point at 127.0.0.1:XXX (invalid port) so that you don't see any traffic going over the network.

Burp User | Last updated: Jan 31, 2016 05:44PM UTC

1) If you point your upstream proxy to 127.0.0.1, you also can't use the software to do its thing. That's a troll answer.

2) The reason you can't disable automatic updates is the creators WANT the software to phone home.

3) This approach is completely in line with their policy on licensing. They will only write software that has a built-in self-destruct mechanism. So you can probably see why they want to keep track of all clients being used in the wild.

PortSwigger Agent | Last updated: Feb 01, 2016 08:44AM UTC

You define an upstream proxy rule for the specific host that updates checks are made for, as discussed earlier in the thread. We want people to know about updates, and the license agreement makes clear that updates checks happen.

PortSwigger Agent | Last updated: Feb 18, 2016 05:22PM UTC

We prefer to keep the check for updates always on, so that these can be made available as quickly and easily as possible. We understand your perspective, but if you really need to prevent it happening, there are various technical means of doing so, such as a host firewall with an egress filter. Or you can configure your secure monitoring system to ignore (and block) the connection that checks for updates.

Burp User | Last updated: Jul 15, 2016 12:09AM UTC

I am having trouble with the forced update check as well, particularly when using Burp with an upstream proxy. Why doesn't PortSwigger provide a way to disable this check? Otherwise, it interferes when using an upstream proxy in a highly secure environment. Regardless of the fact that the agreement says that update checks happen, it makes monitoring systems trigger red flags when Burp is used in a professional and highly watched network. When using a paid licence, I do not appreciate telltale phoning home.
