Burp Collaborator Enhancement Requests
When performing manual testing, it's not possible to detect out-of-band interactions which occur after the Burp Collaborator Client is closed. This means payloads that are fired weeks or months later are not detected (even though the Collaborator server has a record of the interaction).
To address this limitation, please consider making the following enhancements to the Collaborator Client:
- Ability to restore collaborator sessions upon reopening the Collaborator Client.
- Ability to name collaborator sessions
- Ability to find the session ID associated with a subdomain generated by the Collaborator Client
Further, please consider making the following enhancements to the Private Collaborator Server:
- Ability to log all requests received to a file, including the connection details and the session id the request is associated with (if known).
- Perform optional callback to a webhook (or shell script) when an interaction is detected
- Detect and report on TCP interactions (e.g. victim opened TCP connection on port 80, but no data sent )
- Create API call that displays connection details without deleting it from the server (to enable things like OOB scoreboards to monitor campaign activity)
Any or all of these features would greatly enhance Burp's ability to find "super-blind" vulnerabilities via manual testing.
Thank you for your feature requests, I will pass them to our development team for consideration.