Proxying BurpSuite through TOR for Anonymity


Hi everyone, Today i am going to demonstrate how to send BurpSuite requests through tor proxy servers.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

First understand the scenario what we are going to do,

In general we set our browser’s proxy to “″ on which tor proxy daemon is running. So our request is directly going through “tor proxy servers” to the destination.
Browser –> Tor Proxy –> Destination

Lets add BurpSuite in-between the Browser and a Tor proxy, to do so we need to specify two interfaces to Burp one will handle requests from the browser to Burp and second will send requests from Burp to tor proxy.

Install tor  and   privoxy

Configure  Privoxy for BurpSuite

open /etc/privoxy/config file and uncomment the following line

#vi  /etc/privoxy/config

listen-address    8118


Screenshot from 2014-08-02 10:30:10

Start both the services tor & privoxy.

#/etc/init.d/tor start

# /etc/init.d/privoxy start
Setting  BurpSuite

First you need to configure your browser to point to Burp for outbound HTTP & HTTPS connection, then you need to set your SOCKS proxy to point to your tor service running on port 9050 by default.

Screenshot from 2014-08-02 10:31:02

Finally configure BurpSuite to point to privoxy.

Select “options tab” in Burp and navigate to ‘upstream proxy server’ click on ‘add’ button. By default privoxy runs on port ‘8118’ so add proxy host and port accordingly.

Screenshot from 2014-08-02 10:33:25
To verify that you are being routed through tor network visit

Screenshot from 2014-08-02 10:42:07


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Didier Stevens

(blog \'DidierStevens)


Red Teamer and Security Addict

Digital Hacker

Digital Hacker


IT Security Research and Services


About assembler and stuff

Astr0baby's not so random thoughts _____ rand() % 100;

ψυχῆς ἰατρεῖον "Hospital of the soul"

Penetration Testing Academy

Education and Advice for Rookies

%d bloggers like this: