This tutorial aims to walk you through the steps necessary to configure Burp Suite to rotate your IP on every request using AWS API Gateway. While there are other ways to accomplish this task, AWS API Gateway is cheaper and more reliable than other IP rotation services.
Why would you want to rotate your IP? IP rotation can be useful in several scenarios, especially when the host implements IP-based rate-limiting.
For instance, when mounting a brute-force attack against a web application login form using Turbo Intruder (https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack), IP rotation allows the attack to continue, even when there is IP-based rate-limiting or lockout.
Another example is when you are attempting to run the Burp Suite Active Scanner, and the target site begins limiting your requests based on your IP address.
By rotating your IP on every request, these issues disappear.
The IP rotation we will configure in this tutorial is based on the Fireprox tool by Black Hills (https://github.com/ustayready/fireprox). We have modified the tool (very) slightly to work better with Burp Suite, but most of the credit goes to the Black Hills team and the individuals they mention in the credit section of their repository (https://github.com/ustayready/fireprox#credit).
By the end of this tutorial, you will be able to make HTTP requests to your target URL in a browser or via Burp Suite, and your IP will rotate transparently in the background on every request.
Let’s dive in!