Although I can and do use the Burp proxy with Firefox for remote web servers without any problem, I can't seem to get it to work on the local network with test web applications I host on my local server.
Burp cannot see traffic from these requests. What am I missing? Some solutions suggested in related questions here did not help me at all.
TL;DR

To proxy localhost (and related addresses) with newer Firefox versions (>=67), the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.

Details on why

Mozilla decided to use specific rules for localhost.

In 2018, Jann Horn reported a major security vulnerability. According to his report, applications that bind a web server to localhost and then use Host Header checks, to prevent DNS rebinding attacks, should be protected from malicious outside traffic, even if the network itself is malicious. Back then, localhost was not treated differently in proxying decisions by Firefox. That meant that an attacker could abuse Web Proxy Auto-Discovery (WPAD) Protocol to gain the ability to serve attacker-controlled content at http://localhost:*/*. So the attacker could be able to perform same-origin XMLHttpRequest (XHR) to http://localhost:*/* (e.g. by letting the proxy auto-config (PAC) file specify DIRECT as fallback, if the proxy went down).

In 2019, Mozilla's developers decided to create and "hide" the above mentioned preference in the config page, in order to protect inexperienced users. The fix was finally released with version 67.
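To check a test profile for the settings that keep localhost traffic away from the proxy, the following added example (not part of the original answer) parses user.js/prefs.js text and lists each reason Firefox >= 67 would connect to loopback addresses directly. The sample profile and function names are constructed; the other network.proxy.* preferences are standard Firefox ones not mentioned in the answer.

```python
import re

# user.js / prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
HIJACK_PREF = "network.proxy.allow_hijacking_localhost"  # pref named in the answer


def parse_prefs(text):
    """Return {pref_name: bool | int | str} for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def loopback_proxy_findings(prefs):
    """List the reasons Firefox >= 67 would send localhost traffic direct."""
    findings = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        findings.append("no manual proxy configured in this profile")
    if not prefs.get(HIJACK_PREF, False):  # treated as false when unset
        findings.append(HIJACK_PREF + " is not true")
    exempt = {h.strip().lower()
              for h in prefs.get("network.proxy.no_proxies_on", "").split(",")}
    hit = sorted(exempt & LOOPBACK)
    if hit:
        findings.append("no_proxies_on exempts: " + ", ".join(hit))
    return findings


# Constructed sample profile: Burp listener on 127.0.0.1:8080, hijack pref unset.
SAMPLE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

if __name__ == "__main__":
    for finding in loopback_proxy_findings(parse_prefs(SAMPLE)):
        print("direct:", finding)
```

An empty result means none of these three settings is keeping loopback requests out of the proxy; keep the preference enabled only in a dedicated testing profile, since it removes the protection described above.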