The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Collaborator DNS Interaction Before Request

Nick | Last updated: Sep 28, 2023 09:41AM UTC

Hi, I have an issue reported by Burp Scanner in my current test for EL-based SSTI where a Collaborator domain has been injected resulting in a DNS lookup. The issue is that the Collaborator interaction is detected about 6 minutes before the request was sent. I've searched the logs and other than my attempts to validate there are no other requests with this subdomain. There are 4 such instances of this on different endpoints. 3 are the exact same time, the other about 2 hours prior. I've accounted for timezone discrepancies (UTC vs GMT) and confirmed that the system clock on the host was set correctly at the time of the request, via logs and server Date headers. So from what I can work out, either the Collaborator server clock was temporarily running slow or something has caused a DNS request for the subdomain in the payload before the request which triggered it was sent. Is it possible that the scanner could have issued a pre-request for a Collaborator subdomain it had lined up to use as a payload? I can't share specifics just now, but I'll check with my customer and I may be able to share privately if it helps. Thanks.

Dominyque, PortSwigger Agent | Last updated: Sep 28, 2023 12:13PM UTC