Burp Suite User Forum

Burp Infiltrator without DNS lookup

Franz | Last updated: Apr 24, 2017 12:39PM UTC

Dear PortSwigger Team,

Thanks for the brilliant work on Burp Infiltrator. I frequently run Burp Collaborator in internal environments without any outbound Internet connectivity, which means I have to set up Burp Collaborator without DNS interaction support. As you mentioned in Burp Infiltrator's documentation, "The instrumentation hook performs a DNS lookup of the mutated Burp Collaborator domain." As the DNS lookup will always fail in my setup, Burp Infiltrator will unfortunately fail to detect any invocation of unsafe functions with user-supplied input.

Could you please add in a future version of Infiltrator the option to use HTTP(S) requests instead of DNS lookups as an initial check? This would be highly appreciated.

Thanks and kind regards,
Franz

PortSwigger Agent | Last updated: Apr 25, 2017 09:56AM UTC

Thanks for this feedback. It was a design decision in the initial release of Infiltrator to only support DNS-configured Collaborator servers. There is additional work for us to support IP-configured Collaborator servers. If sufficient users ask for this support, then we will look into providing it.

