Burp Suite User Forum

Burp Collaborator question

Giovanni | Last updated: Oct 01, 2018 09:15AM UTC

Hello,

I hold a licence for Burp PRO and have a question about Burp Collaborator. A few days ago I ran some active scans against an application (some scans were run against a "request support/add ticket" kind of function). The scans completed, and I closed Burp. Now we all know that the active scan engine issues payloads containing Burp Collaborator's hosts.

Today, I started receiving tons of automated emails from this application, as if there was some sort of automated processing of ticket requests which is delayed. Or perhaps an employee of the company ran a tool to go through all the ticket requests. Let's say that there was a vulnerable parameter and that when this automated process or employee <performed X action> (which caused my active scans' requests to be processed) there was an actual SSRF - such as the app's server performed an external interaction with the Burp Collaborator server. Since this occurred days after the scans finished ... I'm assuming I would not be able to see the interaction from the vulnerable server being reported, am I right? Even if I would have manually used the Burp Collaborator client, the UI says that if I close the client all interactions generated from the client's payloads would be lost.

My question is: is there a way (perhaps by using a private Burp Collaborator instance?) that would allow me to retrieve interactions that may have occurred days after the initial request with the payload was sent to the server, without ever losing them? As in my current situation, for all I know, now that my tickets with the SSRF payloads were processed (with X days of delay, which is confirmed by the fact that X days after I received all those emails) there could have been a vulnerable parameter in these functions/parameters but now I would have missed the vulnerability by not being able to keep all interactions generated by the Collaborator in the active scan engine.

Any help is highly appreciated.

Thanks,
Giovanni

Liam, PortSwigger Agent | Last updated: Oct 01, 2018 09:19AM UTC

Hi Giovanni,

Thanks for your message. When you performed your testing, did you save your work in a Burp project file? If so, you should be able to poll for your scanner-generated interactions.

You're correct about the Collaborator client: these interactions would be lost.

Burp User | Last updated: Oct 02, 2018 05:27AM UTC

Thanks for your answer. The scans are finished - 100% complete - and were completed days ago. How do I manually run a "poll request" without using the Collaborator client then?

Liam, PortSwigger Agent | Last updated: Oct 02, 2018 06:54AM UTC

Hi Giovanni,

Burp automatically continues to poll for interactions when you open the project. If your application has interacted with the Collaborator, this would be reported by Burp.

- https://portswigger.net/blog/introducing-burp-collaborator

In general, any Collaborator-related payload that Burp sends to the target application might cause deferred interactions with the Collaborator server. This can happen in two main ways:

- Conventional storage and later processing of input, e.g. stored SQL injection.
- Immediate asynchronous processing, e.g. by a mail spooler.

When Burp polls the Collaborator server to retrieve details of any interactions that were triggered by a given test, it will also receive details of any deferred interactions that have resulted from its earlier tests. Burp can then report the relevant issues to the user retrospectively. Because every Collaborator payload that Burp sends to the target includes a unique, one-time random identifier, when a deferred interaction occurs, Burp can use the identifier to pinpoint exactly where the payload originated, including the original request, the insertion point and the full payload.

Please let us know if you need any further assistance.
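The identifier-based correlation described in the reply above, as a simplified model added here; it is not part of the original post and is not Burp's or PortSwigger's code. The domain `collab.example.net`, the `PayloadRegistry` class and the sample interactions are assumptions constructed for illustration.

```python
import json
import secrets

# Assumed placeholder domain, not a real Collaborator server.
COLLAB_DOMAIN = "collab.example.net"


class PayloadRegistry:
    """Hypothetical model: maps one-time identifiers to the test that sent them."""

    def __init__(self, records=None):
        self.records = dict(records or {})

    def new_payload(self, request, insertion_point):
        # Fresh random identifier per payload, never reused.
        ident = secrets.token_hex(12)
        host = f"{ident}.{COLLAB_DOMAIN}"
        self.records[ident] = {"request": request,
                               "insertion_point": insertion_point,
                               "payload": f"http://{host}/"}
        return host

    def correlate(self, interactions):
        """Match polled interactions back to their originating payloads."""
        findings = []
        for hit in interactions:
            # DNS names are case-insensitive and may carry a trailing dot.
            name = hit["name"].rstrip(".").lower()
            if not name.endswith("." + COLLAB_DOMAIN):
                continue
            # The identifier is the label directly left of the domain.
            ident = name[: -len(COLLAB_DOMAIN) - 1].split(".")[-1]
            origin = self.records.get(ident)
            if origin:  # unknown identifiers are not ours; ignore them
                findings.append({**origin, "type": hit["type"], "seen": hit["seen"]})
        return findings


def demo():
    reg = PayloadRegistry()
    host = reg.new_payload("POST /tickets/add", "subject")
    reg.new_payload("POST /tickets/add", "body")
    saved = json.dumps(reg.records)                # scan done, project saved and closed
    reopened = PayloadRegistry(json.loads(saved))  # project reopened days later
    polled = [  # constructed sample interactions returned by a later poll
        {"name": host.upper() + ".", "type": "DNS", "seen": "day+3"},
        {"name": "deadbeef." + COLLAB_DOMAIN, "type": "DNS", "seen": "day+3"},
    ]
    return reopened.correlate(polled)
```

The registry survives only because it was saved before closing, which is the role the project file plays in the thread; without it a deferred interaction cannot be tied back to a request.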

Burp User | Last updated: Oct 02, 2018 09:05AM UTC

Forgot to mention, of course yes I still have the project file. The problem is the scans are done and I don't believe Burp itself will keep polling automatically data from the Collaborator server since the scans are completed already, which makes me think I have to run "a manual poll", which I can't find unless I use the Collaborator client. But I can't, since the collaborator payloads were sent through the active scanner not by me manually typing the various collaborator payloads in the various requests - in which in any case I would have lost the data since by shutting down burp I would have also closed the client. So, is there a way to ask burp to pull the data from the collaborator after the scans are finished without using the collaborator client? Would having a private collaborator server solve this issue? Thanks in advance

Burp User | Last updated: Oct 03, 2018 04:58PM UTC

Thanks Liam, that was a thorough answer to all my questions. Didn't know or didn't think Burp would keep polling data from the Collaborator server even after scans are done, days before. Thanks again, appreciate the time you took to respond. Have a great day