Burp Suite User Forum

Login to post

Burp Collaborator HTTP Info Disclosure

Hannes | Last updated: Nov 03, 2020 04:46PM UTC

The collaborator server version is disclosed as HTTP header (X-Collaborator-Version). Is it possible to remove it via config parameters or is this fixed? $ curl -I http://<collaborator server> HTTP/1.1 200 OK Server: Burp Collaborator https://burpcollaborator.net/ X-Collaborator-Version: 4 Content-Type: text/plain Content-Length: 1 Could you make this configurable?

Uthman, PortSwigger Agent | Last updated: Nov 04, 2020 09:05AM UTC

This looks like intended behavior instead of a bug. The server version is returned in the header but this is not currently configurable. It looks like you are using the public collaborator server too. The collaborator version alone does not constitute a bug/information disclosure vulnerability. Our products are tested thoroughly by our security researchers. If you still think this could be a bug, can you please send an email to support@portswigger.net with further details?

You need to Log in to post a reply. Or register here, for free.