Refine Collaborator Everywhere headers
I ran into an assessment where the application used the "Referer:" header for portions of how the application worked. This became more noticeable when using the application's "Back" button feature. In order to use Burp for this assessment I had to disable the "Collaborator Everywhere" extension. I think this extension is awesome and has helped me find many vulnerabilities. It was a shame that I had to disable it.
It would be a nice feature if it was possible to individually enable or disable the headers the "Collaborator Everywhere" extension adds to requests. In this case I would have still been able to use the extension while only having to disable the "Referer:" header.
Hi Dan, would you be able to clarify your exact requirements for this feature request?
Are you asking for Collaborator Everywhere to have configuration options to disable headers being added, or are you asking for Burp Suite to be able to disable headers being added from that extension?
I am asking to have the ability to configure the Collaborator Everywhere extension from adding certain headers. In this case it would be the "Referer:" header.
If you have time please have a look at the "OWASP Mutillidae II" vulnerable application. This is a good example of what I ran into. On almost every page there is a "Back" button that uses the "Referer:" header. The application would not work as expected due to the Collaborator Everywhere extension adding its own "Referer:" header. Rather than moving "Back" within the application, the "Back" button would now connect to the Collaborator server.
I hope this makes sense.
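As an added illustration of the behaviour described in the thread (this is not the Collaborator Everywhere extension's code, nor anything from PortSwigger): a small, Burp-independent model of a canary-injecting extension that rewrites outgoing requests, extended with the per-header on/off switch the request asks for. The set of injected headers, the canary host and the sample request are all assumptions constructed for the example; by default the model overwrites an existing `Referer` with the canary value, which is what sends the application's "Back" button to the Collaborator server, and disabling that one header keeps the application's own `Referer` while the other canaries are still added.

```python
"""Model of per-header configurable canary injection (added example, not the
extension's own code). Header names, canary host and sample request are
constructed assumptions for illustration only."""
from typing import List, Optional, Tuple

# Constructed placeholder for the Collaborator canary host.
CANARY_HOST = "canary-id.example-collaborator.test"

# Assumed set of headers an injecting extension might add, each pointing at
# the canary so that any out-of-band lookup of the value is detected.
INJECTED_HEADERS = {
    "Referer": f"http://{CANARY_HOST}/ref",
    "X-Forwarded-For": CANARY_HOST,
    "X-Wap-Profile": f"http://{CANARY_HOST}/wap.xml",
}
# Lower-cased lookup so matching is case-insensitive, as HTTP header names are.
_INJECTED_LC = {name.lower(): value for name, value in INJECTED_HEADERS.items()}

# Constructed sample request: the application's own Referer drives its
# "Back" button, so this is the value the application needs to see intact.
SAMPLE_REQUEST = (
    "GET /app/login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Referer: http://target.example/app/home\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_request(request_line: str, headers: List[Tuple[str, str]], body: str) -> str:
    """Serialise the parsed parts back into a raw request."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return f"{request_line}\r\n{head}\r\n{body}"


def header_value(raw: str, name: str) -> Optional[str]:
    """Return the first value of a header (case-insensitive), or None."""
    _, headers, _ = parse_request(raw)
    for hname, value in headers:
        if hname.lower() == name.lower():
            return value
    return None


def inject_canaries(raw: str, disabled: frozenset = frozenset()) -> str:
    """Add canary headers to a request, skipping any listed in `disabled`.

    Headers already present in the request are overwritten with the canary
    value (the behaviour that broke the Referer-driven Back button); a header
    in `disabled` is neither overwritten nor added, so the application's own
    value survives.
    """
    request_line, headers, body = parse_request(raw)
    disabled_lc = {name.lower() for name in disabled}
    rewritten: List[Tuple[str, str]] = []
    replaced = set()
    for name, value in headers:
        key = name.lower()
        if key in _INJECTED_LC and key not in disabled_lc:
            rewritten.append((name, _INJECTED_LC[key]))  # overwrite with canary
            replaced.add(key)
        else:
            rewritten.append((name, value))  # keep the application's value
    for name, value in INJECTED_HEADERS.items():
        key = name.lower()
        if key not in replaced and key not in disabled_lc:
            rewritten.append((name, value))  # add canaries not already present
    return build_request(request_line, rewritten, body)


if __name__ == "__main__":
    print(inject_canaries(SAMPLE_REQUEST))
    print(inject_canaries(SAMPLE_REQUEST, disabled=frozenset({"Referer"})))
```

Running the module prints the two variants: the first has the canary in `Referer`, the second keeps `http://target.example/app/home` there while still adding `X-Forwarded-For` and `X-Wap-Profile`. Disabling every name in `INJECTED_HEADERS` returns the request unchanged, which is the equivalent of switching the extension off entirely.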
Hi Dan, normally feature requests for extensions should be directed at their respective authors, as BApp extensions are developed and maintained by third parties, not by us.
In this case, the author is our Director of Research James Kettle, so I have just spoken to him and unfortunately he isn’t able to provide this feature, however, he wrote a blog on how to adapt the extension so you can modify it to your requirements: https://portswigger.net/research/adapting-burp-extensions-for-tailored-pentesting
Thanks for the update and information. I will have a look at the link you provided and see if it works for me.