Burp Suite User Forum

Burp Collaborator client --ask

olek | Last updated: Feb 05, 2021 08:06PM UTC

Hi, I would like to ask about this instruction. I see we receive some response such as kjsfjsdfjsdfjsd.burpcolab.net and the information "received a DNS lookup".
1. But we do not see any information about where the vulnerability is. We see only the IP of the DNS server.
2. We need to decode this payload "kjsfjsdfjsdfjsd.burpcolab.net".
https://portswigger.net/burp/documentation/desktop/tools/collaborator-client

Hannah, PortSwigger Agent | Last updated: Feb 08, 2021 04:50PM UTC

Hi, you can find out more information on the Collaborator here: https://portswigger.net/burp/documentation/collaborator The payload is randomly generated and does not contain any identifiable information. If you received an issue including the DNS interaction, you should have some further information on the requests and responses that have triggered this.

olek | Last updated: Feb 08, 2021 06:47PM UTC

If I understood correctly, this technique does not allow me to get more information (source, links) about the vulnerability of this server. I'm only informed that this DNS is vulnerable to some SQL or XSS or some other issue. Only this. Am I correct?

Hannah, PortSwigger Agent | Last updated: Feb 09, 2021 10:23AM UTC

If you have a found issue associated with the DNS vulnerability, you can use that to verify the vulnerability is present. In the documentation you linked previously (https://portswigger.net/burp/documentation/desktop/tools/collaborator-client), there are screenshots of the issue generated. This includes an advisory, the requests and responses that have triggered the vulnerability, and details on the DNS interaction. All of this information can be used to verify the findings of the Scanner. If you're looking for more information on the vulnerability, beyond what the advisory has told you, have you checked out our Web Security Academy? We have a lot of learning content for different vulnerabilities on there, including practical labs that can help you put in practice the things you have learned. You can find the Academy here: https://portswigger.net/web-security

olek | Last updated: Feb 09, 2021 04:23PM UTC

OK, but if I insert any payloads the server does not work (no leak). Burp shows me only the red color of some vulnerability. Can you give any example of how to ask that server? Do you have some movie? If you do not know, ask your team.

Hannah, PortSwigger Agent | Last updated: Feb 12, 2021 11:50AM UTC

If you tell me the title of the issue I can direct you to some more detailed resources. You may find the following resources helpful:
- https://portswigger.net/burp/documentation/desktop/penetration-testing
- https://portswigger.net/support/using-burp-suite
- https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten

olek | Last updated: Mar 04, 2021 03:00PM UTC

Hi again. This document does not help me understand it. I again get some DNS server "External service interaction (DNS)". How to get some sensitive information? Any payload example?
1. I run Burp Collaborator client, but nothing. I did some asking about /etc/passwd, but nothing.
Any example of how to use this?

Hannah, PortSwigger Agent | Last updated: Mar 09, 2021 01:49PM UTC

Our support service is here to provide technical advice with Burp Suite. Unfortunately, we can't provide specific assistance with fixing individual issues in people's apps or dissecting/explaining scan reports. It looks like that scan issue is associated with SSRF vulnerabilities. You can find our Academy subject on that topic here: https://portswigger.net/web-security/ssrf The Academy has learning materials and interactive labs in order to provide a hands-on experience to learn about different vulnerabilities. You may also find the following forum thread helpful: https://forum.portswigger.net/thread/more-info-on-external-service-interaction-dns-eea8b80e
