NoPE Proxy: Breaking Out of Burp Suite’s HTTP-Only Prison for Binary Protocol Testing
Hook
Burp Suite dominates web application security testing, yet it’s blind to the TCP/UDP binary protocols that mobile apps, IoT devices, and thick clients actually use to communicate. One extension changes that.
Context
Security researchers face a dilemma when testing modern applications: HTTP-focused tools like Burp Suite excel at web testing but fail completely when mobile apps communicate via Protobuf over TCP, or IoT devices send binary payloads over UDP. The traditional solution requires juggling multiple tools—Wireshark for passive analysis, custom Python scripts for active interception, and certificate management nightmares for SSL/TLS MITM attacks. This workflow fragmentation means losing Burp’s powerful UI and match-replace engine.
NoPE Proxy (Non-HTTP Proxy Extension) solves this by transforming Burp Suite into a universal protocol interceptor. Created by summitt with contributions tracked under Faction Security’s GitHub presence, it adds TCP/UDP interception capabilities directly into Burp’s familiar interface. The extension’s architecture combines three components: a configurable DNS server for traffic redirection, binary protocol listeners that reuse Burp’s CA certificate infrastructure, and a SQLite-backed history system that treats non-HTTP traffic as a first-class citizen. With 1,656 GitHub stars, it’s become a widely adopted tool for security testers who need to stay in the Burp ecosystem while analyzing protocols that weren’t designed for the web.
Technical Insight
NoPE Proxy’s architecture exploits Burp’s extension API to create parallel proxy infrastructure that mirrors HTTP functionality for binary protocols. The DNS server component runs on a configurable network interface and intercepts all DNS queries from test devices. Instead of resolving hostnames to real IP addresses, it redirects traffic to Burp’s listening interfaces, forcing mobile apps and thick clients to connect through your proxy without modifying application code or routing tables.
The Custom Hosts File feature provides granular control over DNS responses. You can configure specific hostnames to resolve to Burp’s IP while allowing others to resolve normally, or send all traffic through by default with exceptions. This is critical when testing mobile apps that validate server certificates against hardcoded hostnames—you need DNS responses to match the Common Name in your intercepted certificates. The extension automatically resolves real IP addresses for hosts not in the custom file unless you check ‘Use DNS Response IP’ to force everything to a single destination.
The Non-HTTP proxy listeners operate as TCP/UDP servers that perform full man-in-the-middle interception. When you configure a listener with a hostname and port (discovered via the DNS History tab or Port Monitor), the extension creates a socket that accepts client connections, then proxies traffic to the real server. For SSL/TLS services, checking the SSL checkbox tells NoPE to export Burp’s CA certificate from the same directory where Burp runs and generate per-host certificates for transparent interception. This reuses your existing mobile device certificate trust configuration—if the device already trusts Burp for HTTPS testing, it appears to trust your binary protocol proxies.
Traffic manipulation happens through two mechanisms: automatic match-replace rules and custom Python scripts. Match-replace rules work on hex bytes or ASCII strings, with directional filters for client-to-server (c2sOnly), server-to-client, or bidirectional replacement. For example, the README demonstrates matching hex pattern 0x74657374 (“test” in hex) and replacing it with 6861636B6565 (“hackee”) using the syntax 0x74657374||6861636B6565||c2sOnly.
For more sophisticated protocols, Python mangling scripts hook into the proxy pipeline. The README shows that scripts must implement a basic structure with a mangle(input, isC2S) function that returns modified input. The README references a Community Nope Scripts repository for real-world implementations. Python code can be used to “reformat requests in history without changing outgoing or incoming requests” (e.g., converting Protobuf to JSON for display). This separation between display formatting and active manipulation allows you to decode binary formats for readability while the actual client and server continue exchanging raw bytes.
All intercepted traffic persists to a SQLite database, making NoPE resilient to Burp crashes and providing long-term audit trails. The README explicitly notes that if “Burp crashes or you close burp without saving the TCP History it will still be automatically loaded when you start Burp.” You can export databases for offline analysis or import captured traffic from other testers, treating binary protocol sessions like HTTP proxy logs.
The TCP/UDP Repeater functionality completes the feature parity with Burp’s HTTP tools. You can select any request from history, modify the payload, and replay it against either the client or server on the currently connected socket stream. The Code Playground feature lets you “create a custom python payload based on the request currently displayed in the repeater,” bridging manual testing and automation scripting.
Gotcha
NoPE Proxy requires manual configuration that assumes you already know which hostnames and ports your application uses. Unlike HTTP proxies that can passively intercept browser traffic through system proxy settings, binary protocol interception demands explicit listener creation. You’ll spend time switching between the DNS History tab to identify hostnames, the Port Monitor to find connection attempts, and the Server Config tab to create listeners—a workflow the README acknowledges by directing users to “switch to the ‘DNS History’ Tab to view the DNS queries and ports that are trying to connect to you.”
The Python mangling capabilities, while powerful, have limited documentation. The README shows only the minimal function signature (def mangle(input, isC2S): return input) and notes that “The ‘input’ variabl” appears to be an incomplete sentence. The Community Nope Scripts repository is referenced for examples, meaning you’re learning through community patterns rather than comprehensive API documentation. The README doesn’t specify available imports, error handling mechanisms, or the complete API surface for Python scripts.
SSL/TLS certificate handling introduces manual steps. The extension requires exporting Burp’s CA certificate to the same folder where Burp runs—the README states “you need to export burp’s CA cert to the same folder that Burp is running out of for the extension to find it and generate certs that will pass certificate verification.” This is a manual step that must be completed before SSL interception works. The README doesn’t detail certificate regeneration behavior, renewal handling, or simultaneous multi-service scenarios. Production mobile apps with certificate pinning will require additional techniques beyond NoPE’s capabilities.
Verdict
Use NoPE Proxy if you’re already embedded in the Burp Suite ecosystem and need to test mobile apps, thick clients, or IoT devices that communicate via TCP/UDP binary protocols. It excels when you want unified tooling across HTTP and non-HTTP testing, need to leverage Burp’s existing CA certificate trust on test devices, or require persistent history that survives crashes during long testing sessions. The familiar match-replace interface and repeater functionality extend naturally to binary protocols. Skip it if you’re testing pure HTTP/HTTPS services (use native Burp instead), need protocol-specific analysis tools with deep packet inspection capabilities, require extensive Python automation with comprehensive API documentation (the README points to community scripts rather than formal docs), or face applications with numerous endpoints where manual listener configuration for each service becomes time-consuming. The 1,656 stars validate its niche: filling Burp’s binary protocol gap without forcing security testers to abandon their primary toolchain.
