About a year ago I wrote about bypassing API rate limiting using IP rotation in Burp Suite. In the article, I showed you how to abuse the Amazon API Gateway to get new IP addresses from within different AWS data centers and use those to proxy your attack traffic during an engagement.
This works. Most of the time. However, some web application firewalls (WAF) have caught on and have started to restrict (or block) IP addresses that come from data centers. Cloudflare is a perfect example; it can be configured to refuse connections from data center IPs.
All is not lost.
There are other ways to evade such security controls by proxying connections through sources they can’t usually block, such as residential and mobile IPs.
Let me show you how.
What are residential proxies?
A residential proxy is an intermediary server that routes your internet traffic through real devices and IP addresses assigned by internet service providers (ISPs) rather than data centers. This setup makes the traffic appear more legitimate, as it mimics that of an actual user’s internet connection.
For API hackers, residential proxies are essential because they reduce the risk of being blocked by target servers that often flag or throttle suspicious IPs, especially those associated with data centers. Using residential proxies with Burp Suite can help you test APIs more effectively, as you can maintain access to restricted endpoints and observe responses under realistic conditions.

Choosing a residential proxy
When choosing a residential proxy provider, consider factors like IP pool size, location coverage, and performance to ensure they meet your testing needs.
A large, diverse IP pool helps you avoid detection by rotating through various addresses, while broad location coverage lets you simulate traffic from different regions, which is often critical for API testing.
Look for providers with high uptime and fast response times, as slow or unreliable proxies can hinder your testing. Consider the provider’s security and privacy policies as well; some may log data, which could expose sensitive information.
Lastly, ensure the provider integrates smoothly with tools like Burp Suite, as ease of integration will streamline your workflow.
A few providers you might want to consider include:
Another set of considerations is pricing plans and usage restrictions. Pricing schemes are all over the board; select one that fits your budget and bills based on your actual usage.
Some of these providers may require you to provide government ID to be able to use their proxies against popular SaaS apps, as well as financial or government institutions. This shouldn’t be a problem if you are doing a legitimate engagement and are authorized to conduct your security testing against the target.
For the rest of this article, I will show you how to set up Burp Suite to work with an upstream residential proxy. I’ll use ProxyScrape for this, but you can use these same instructions from pretty much any of the providers out there.
Setting up your residential proxy
There are a few things to consider when selecting how your residential proxy will function. In ProxyScrape, they make it pretty clear in the proxy setup…

1. Type of proxy
By default, the providers will offer residential proxies. You might find that they also offer mobile proxies. For now we will select a residential proxy, but later I’ll discuss why you MIGHT want to consider a mobile proxy instead.
2. Country of proxy
By default, these providers will randomize the country the traffic appears to originate from. If you want to control which region(s) it comes from, reconfigure this setting.
3. Session Duration
Depending on your needs you may want to use “sticky sessions”. This is a feature that allows you to maintain the same IP address for a set period of time instead of rotating to a new one with every request.
This can be useful in scenarios where consistency is essential, such as logging into an account or making multiple requests that need to appear as if they’re coming from the same user. Sticky sessions provide control over the duration of IP retention, typically lasting several minutes before rotating, allowing for stable sessions without frequent disruptions.
These days, most web apps and APIs don’t rely on this, so it’s better to rotate the IP on each request. But if you find you are having problems with this, adjust the duration as necessary.
Using your residential proxy
Before we look at setting up Burp Suite to use your residential proxy, let’s see it in action using something as simple as curl…

I’ve obviously masked my username and password. But you can see how two requests in a row show as coming from different IPs from around the world.
Now let’s get Burp Suite to use residential proxies.
Setting up Burp Suite to use residential proxies
While you know Burp Suite is an attack proxy itself, did you know you can configure it to use an upstream proxy?
Ya. It can. And it’s pretty simple to set up.
Click on the Proxy tab.
Click the Proxy settings gear to load the Settings dialog.
In the left pane, expand the Network node and select Connections.
Scroll down to the Upstream proxy servers section.

Click the Add button to add a new upstream proxy server.
Fill in the details of your residential proxy provider. For authentication type, most providers will use Basic, which is just a base64-encoded username:password pair.

Click OK to apply the upstream proxy rule.
Considerations during configuration
You will notice that during configuration there was an option to set the “destination host”. We left that blank so Burp Suite would proxy all traffic to the upstream residential proxies. If you only want to proxy specific traffic, you can configure it here.
I don’t want you to do that though. Instead, use Target Scopes in Burp Suite and control it that way.
Here’s why…
We actually configured this upstream proxy as part of the User Settings. This means all future traffic will go through the residential proxy. Even after we close and open Burp again.
This probably isn’t what we want. Not only does this cost more, since all traffic goes through the upstream proxies, it also leaves little flexibility in traffic flow and can result in material billing if you are a consultant who will bill your client for this traffic.

A better way would be to configure it as a Project setting by clicking the Override options for this project only slider and binding it to the project configuration. This way you can set up specific upstream proxies for each client engagement and pass on the costs if you need to when you work within their project file.
Project files are one of the nice benefits of Burp Suite Professional. And this is a good use case for it.
Proxying external tools to residential proxies
With the Burp Suite proxy now configured to redirect its traffic to the upstream residential proxy, we can use any external tools that support proxying.
Let me show you an example of how you could use feroxbuster to complete directory bruteforce enumeration at scale against a target using residential proxies. You just need to pipe it through Burp Suite when the upstream residential proxy is configured.
$ feroxbuster -u http://crapi.apisec.ai --proxy http://localhost:8080 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o dirscan.log

This is extremely effective: each request goes out from a different residential IP address, which masks your efforts and significantly reduces the chance of getting IP banned.
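The flip side of this, from the defender's seat, is that any control keyed only on the source IP sees one request per address and never fires. As an added example (not from the original article), the sliding-window limiter below is run over constructed access-log lines once per candidate key: source IP, session token, and a client fingerprint stand-in (the User-Agent string); the field names and sample values are invented for the demonstration.

```python
"""Rate-limit keys vs rotating source IPs, over constructed access-log lines.

Added example, not from the original article: the same sliding-window
counter is keyed on IP, on session token, and on User-Agent to show
which keys still trip when every request arrives from a different IP.
"""
from collections import defaultdict, deque

# Constructed sample lines: epoch_seconds ip session_token user_agent path
# One client rotates IPs on every request; one ordinary user makes one call.
LOG_LINES = [
    "1700000000 203.0.113.10 tok_a1 tool-ua/1.0 /api/users/1",
    "1700000001 198.51.100.7 tok_a1 tool-ua/1.0 /api/users/2",
    "1700000002 192.0.2.55 tok_a1 tool-ua/1.0 /api/users/3",
    "1700000003 203.0.113.99 tok_a1 tool-ua/1.0 /api/users/4",
    "1700000004 198.51.100.120 tok_a1 tool-ua/1.0 /api/users/5",
    "1700000090 192.0.2.8 tok_b7 Mozilla/5.0 /api/users/1",
]

def parse(lines):
    """Turn each space-separated line into a dict of named fields."""
    fields = ("ts", "ip", "token", "ua", "path")
    events = [dict(zip(fields, line.split())) for line in lines]
    for e in events:
        e["ts"] = int(e["ts"])
    return events

def offenders(events, key, limit, window):
    """Keys that exceed `limit` requests inside any `window`-second span.

    `key` names the field to bucket on. A deque per bucket keeps only the
    timestamps still inside the window (a classic sliding-window limiter).
    """
    recent = defaultdict(deque)
    tripped = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e[key]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] >= window:
            q.popleft()
        if len(q) > limit:
            tripped.add(e[key])
    return sorted(tripped)

def compare(lines, limit=3, window=60):
    """Run the same limiter on three candidate keys and report who trips."""
    events = parse(lines)
    return {k: offenders(events, k, limit, window) for k in ("ip", "token", "ua")}

if __name__ == "__main__":
    print(compare(LOG_LINES))  # {'ip': [], 'token': ['tok_a1'], 'ua': ['tool-ua/1.0']}
```

The per-IP bucket never exceeds one request, while the token and User-Agent buckets collect all five, which is why per-identity or per-fingerprint limits survive IP rotation where per-IP limits do not.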
Advanced Tip #1 – Consider using a mobile proxy
Residential proxies are great. But if you find your target can still block you for some reason, consider using a mobile proxy instead. Most of these providers offer this as an option, but they usually charge a bit more for it. And it may be worth it during some engagements.
You might prefer a mobile proxy over a residential proxy in situations where you need an even higher level of legitimacy and anonymity. Mobile proxies route traffic through real mobile devices on 3G, 4G, or 5G networks, which mobile carriers dynamically assign to users. Because mobile IP addresses are frequently shared by large groups of users and constantly change due to carrier rotation, they’re less likely to be flagged or blacklisted, making them ideal for bypassing stringent IP-based restrictions.

Mobile proxies can be particularly advantageous for API testing if you want to mimic mobile app behavior or test how an API performs with mobile traffic. They’re also helpful for accessing mobile-only content, understanding app-specific behavior, or investigating rate-limiting that may apply differently to mobile networks.
This added realism can make mobile proxies highly effective when testing APIs for mobile applications or assessing how robust your target’s defenses are against mobile-based interactions.
Advanced Tip #2 – Some Countries are better to proxy through than others
Get this. In some countries access to IP addresses is limited, especially for mobile devices. So if you can identify countries with a small number of unique IPs per thousand people, proxies from those countries have a better chance of NOT being blocked by WAFs and API gateways, because blocking them would also harm other legitimate users.
For example, if you look at the data collection ProxyEmpire has for all locations, some countries like Mexico have an average of 224 IPs per 1000 citizens. Iran has 66 IPs per 1000 citizens. And Laos has 8 IPs per 1000 citizens.
This is all thanks to network address translation (NAT) and the need for telco providers and ISPs to reuse public IPv4 addresses across their limited network.

So here’s the secret few will tell you… if a target accepts connections from smaller countries like Mexico, Iran, Turkey, Laos or Cambodia, consider using a mobile proxy from those countries to give you the best chance of evading IP blocking. There is a very good chance their upstream gateways and firewalls have been configured in a way that will always permit access.
(You’re welcome 😈)
Conclusion
Using residential proxies can make a significant difference in evading IP blocking, especially as WAFs and APIs increasingly restrict data center traffic. By following the steps outlined in this article, you now have a roadmap for integrating residential proxies into your Burp Suite setup, giving you flexibility to access restricted endpoints and execute API testing more stealthily.

Remember, the key is to choose a proxy provider that aligns with your testing requirements and to configure Burp Suite for optimal control over traffic flow. When standard residential proxies aren’t enough, consider mobile proxies or proxies from strategically selected countries to heighten your anonymity.
By leveraging these techniques, you’ll stay ahead of evolving defenses, keeping your testing toolkit sharp and effective.
HTH. Hack hard!
One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly.
If you haven’t, subscribe at https://apihacker.blog.