
Refine Collaborator Everywhere headers

Dan Williams Oct 29, 2019 05:21PM UTC

Hi

I ran into an assessment where the application used the "Referer:" header for portions of how the application worked. This became more noticeable when using the application's "Back" button feature. In order to use Burp for this assessment I had to disable the "Collaborator Everywhere" extension. I think this extension is awesome and has helped me find many vulnerabilities. It was a shame that I had to disable it.

It would be a nice feature if it was possible to individually enable or disable the headers the "Collaborator Everywhere" extension adds to requests. In this case I would have still been able to use the extension while only having to disable the "Referer:" header.

Thanks


Mike Eaton Oct 30, 2019 01:39PM UTC Support Center agent

Hi Dan, would you be able to clarify your exact requirements for this feature request?

Are you asking for Collaborator Everywhere to have configuration options to disable headers being added, or are you asking for Burp Suite to be able to disable headers being added from that extension?


Dan Williams Oct 30, 2019 02:49PM UTC
Hi Mike

I am asking to have the ability to configure the Collaborator Everywhere extension from adding certain headers. In this case it would be the "Referer:" header.

If you have time please have a look at the "OWASP Mutillidae II" vulnerable application. This is a good example of what I ran into. On almost every page there is a "Back" button that uses the "Referer:" header. The application would not work as expected due to the Collaborator Everywhere extension adding its own "Referer:" header. Rather than moving "Back" within the application, the "Back" button would now connect to the Collaborator server.

I hope this makes sense.

Thanks

Dan
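The behaviour Dan describes is worth seeing concretely, because it is also a finding in its own right: a Back link built from the Referer header goes wherever the client says it came from, so an injected Referer turns the link into a redirect to an external host. The following is an added example written for this page, not code from Mutillidae, Burp or the Collaborator Everywhere extension. It parses a constructed request carrying an injected Referer (the hostname is a placeholder standing in for a Collaborator payload domain), shows the naive Back link the thread describes, and beside it a variant that only honours a Referer pointing back into the application's own origin. `APP_ORIGIN`, `FALLBACK` and the sample request are assumptions chosen for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumed application origin and fallback page for the demo.
APP_ORIGIN = "http://localhost"
FALLBACK = "/mutillidae/index.php"

# Constructed sample request. The Referer hostname is a placeholder that stands in
# for a Collaborator payload domain; it is not a real Collaborator server.
RAW_REQUEST = (
    b"GET /mutillidae/index.php?page=dns-lookup.php HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"referer: http://example-collaborator.invalid/ref\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def header_value(raw_request: bytes, name: str):
    """Return the first value of header `name` from a raw HTTP/1.1 request, or None.

    Header names are case-insensitive, so both sides are lower-cased; the
    request line is skipped and either CRLF or bare LF line endings are accepted.
    """
    head = re.split(rb"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    for line in head.splitlines()[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


def naive_back_link(referer):
    """The pattern the thread describes: the Back link is whatever Referer the
    client sent. Referer is entirely client-controlled, so an injected value
    (here, a Collaborator-style host) becomes the link target."""
    return referer if referer else FALLBACK


def same_origin(url: str, origin: str) -> bool:
    """True only when scheme, host and port of `url` match `origin` exactly.
    Scheme-relative values such as '//evil.invalid/x' have no scheme and fail."""
    try:
        u, o = urlsplit(url), urlsplit(origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    except ValueError:  # malformed port or similar: treat as not ours
        return False


def safe_back_link(referer, origin: str = APP_ORIGIN):
    """Only honour a Referer that points back into this application; otherwise
    send the user to a fixed page instead of an arbitrary external host."""
    if referer and same_origin(referer, origin):
        return referer
    return FALLBACK


if __name__ == "__main__":
    ref = header_value(RAW_REQUEST, "Referer")
    print("injected Referer:", ref)
    print("naive Back link :", naive_back_link(ref))
    print("checked Back link:", safe_back_link(ref))
```

With the constructed request the naive link points at the placeholder Collaborator host, which is exactly why the extension's injected header breaks navigation in Mutillidae; the checked variant falls back to the application's own index page and would keep working with Collaborator Everywhere enabled.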

Mike Eaton Oct 31, 2019 02:04PM UTC Support Center agent

Hi Dan, normally feature requests for extensions should be directed at their respective authors, as BApp extensions are developed and maintained by third parties, not by us.

In this case, the author is our Director of Research James Kettle, so I have just spoken to him and unfortunately he isn’t able to provide this feature, however, he wrote a blog on how to adapt the extension so you can modify it to your requirements: https://portswigger.net/research/adapting-burp-extensions-for-tailored-pentesting


Dan Williams Oct 31, 2019 03:22PM UTC
Hi Mike

Thanks for the update and information. I will have a look at the link you provided and see if it works for me.

Thanks again.

Dan
