
Burp Collab TCP stream issue

Pascal Schulz Oct 29, 2019 04:40PM UTC

Hi Burp Team,

I discovered a bug in Burp's collaborator, which confused me for about two days. Don't know if this is intended but to me it's a bug.

What I saw is that if Burp collab receives a single TCP stream with a single HTTP request looking like this:

#######
POST / HTTP/1.1
Content-Type: application/json
Content-Length: 276
Host: collab_subdomain.burpcollaborator.net
Connection: keep-alive

{"random json payload"}

GET /whatever HTTP/1.1
Host: collab_subdomain.burpcollaborator.net
User-Agent: test
####

Burp collab interprets this as two different HTTP requests (meaning that it shows you 2 individual requests in the collab client). Showing two individual HTTP requests made me think that I had encountered an SSRF vuln. However, while monitoring my network with Wireshark, I figured that only the first benign POST request had been sent. The second malign "GET" request actually never caused the target to send an individual request.

Let me know what you think or if you need more information.
Appreciate it,
Pascal



Mike Eaton Oct 30, 2019 12:14PM UTC Support Center agent

Hi Pascal, I saw your post on twitter about this as well, so I just wanted to clarify a couple of things:

- The content length that you have specified in your first request encompasses the JSON payload AND the second GET request that you have provided in your example.
- From your Wireshark interaction, you didn't see two independent requests to Collaborator? You only saw the first one from the POST request?
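As an added example (not code from this thread or from PortSwigger), the following Python compares two ways of reading the single TCP stream Pascal describes: a parser that frames requests by Content-Length, as an HTTP/1.1 server must, and a naive splitter that treats every request line anywhere in the bytes as a new request. The sample stream is constructed here with a Content-Length that covers both the JSON and the embedded GET text, matching Mike's observation.

```python
# Added example: HTTP/1.1 request framing by Content-Length versus naive
# request-line counting. The stream below is constructed for this example.
import re

# Request line at the start of a line; \r? tolerates CRLF line endings.
REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?$", re.M)


def parse_stream(data: bytes) -> list:
    """Split a raw byte stream into requests, honouring Content-Length."""
    requests = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block; a server would wait for more bytes
        lines = data[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = data[body_start:body_start + length]  # body is exactly `length` bytes
        requests.append({"request_line": lines[0], "headers": headers, "body": body})
        pos = body_start + length  # next request (if any) starts after the body
    return requests


def naive_count(data: bytes) -> int:
    """Count request lines wherever they appear, ignoring Content-Length."""
    return len(REQUEST_LINE.findall(data))


# Constructed sample: the JSON, then a blank line, then GET text, all inside
# the POST body because Content-Length is computed over the whole body.
JSON_PART = b'{"random json payload"}'
EMBEDDED_GET = (b"GET /whatever HTTP/1.1\r\n"
                b"Host: collab_subdomain.burpcollaborator.net\r\n"
                b"User-Agent: test\r\n\r\n")
BODY = JSON_PART + b"\r\n\r\n" + EMBEDDED_GET
STREAM = (b"POST / HTTP/1.1\r\n"
          b"Content-Type: application/json\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Host: collab_subdomain.burpcollaborator.net\r\n"
          b"Connection: keep-alive\r\n\r\n" + BODY)

if __name__ == "__main__":
    print("naive request-line count:", naive_count(STREAM))   # 2
    print("framed requests:", len(parse_stream(STREAM)))       # 1
```

The framed parse yields one POST whose body contains the GET text, which is what the server on the wire saw; only the naive count reports two.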


Pascal Schulz Nov 05, 2019 10:26AM UTC
Hi Mike,

yes, both your statements are correct. This is exactly what I saw.

Content-length encompassed both benign JSON and malign additional GET request.
Wireshark recorded only one outgoing HTTP request.

I still got "two HTTP requests" coming in according to what I saw in Collaborator.

Best,
Pascal

Mike Eaton Nov 06, 2019 08:55AM UTC Support Center agent

Pascal, thank you for the clarification.

Would you be able to provide an example request so I can try and replicate your issue?


Pascal Schulz Nov 11, 2019 08:09AM UTC
Hi Mike,

unfortunately not. This happened to me while testing an internal application. The application itself would be publicly reachable, but I cannot set up an account for you.

Is there anything else I could do to help resolve this issue?

Best,
Pascal

Liam Tai-Hogan Nov 12, 2019 01:55PM UTC Support Center agent

Hi Pascal

Thanks for your feedback.

We’ll monitor this behavior and proceed accordingly. We don’t think it is currently causing any issues for users.

If I can be of any further assistance, please let me know.

