Burp Suite User Forum

Collaborator DNS Interaction Before Request

Nick | Last updated: Sep 28, 2023 09:41AM UTC

Hi,

I have an issue reported by Burp Scanner in my current test for EL-based SSTI, where a Collaborator domain has been injected, resulting in a DNS lookup. The issue is that the Collaborator interaction is detected about 6 minutes before the request was sent. I've searched the logs and, other than my attempts to validate, there are no other requests with this subdomain. There are 4 such instances of this on different endpoints. 3 are at the exact same time, the other about 2 hours prior.

I've accounted for timezone discrepancies (UTC vs GMT) and confirmed that the system clock on the host was set correctly at the time of the request, via logs and server Date headers. So from what I can work out, either the Collaborator server clock was temporarily running slow, or something has caused a DNS request for the subdomain in the payload before the request which triggered it was sent.

Is it possible that the scanner could have issued a pre-request for a Collaborator subdomain it had lined up to use as a payload?

I can't share specifics just now, but I'll check with my customer and I may be able to share privately if it helps.

Thanks.

Dominyque, PortSwigger Agent | Last updated: Sep 28, 2023 12:13PM UTC

Hi Nick,

It is a bit difficult to get the full picture from the description you have given. Can you please email support@portswigger.net with the issue reported and the requests involved so that we can take a closer look at it? This information will only be shared between you and the tech support team, of course.
