Burp Suite User Forum


Collaborator makes GET request to collaborator payload in User-Agent string

Geoff | Last updated: May 09, 2023 06:05PM UTC

While testing a CRLF based header injection on an application I noticed that collaborator will make GET requests to any *.oastify.com hostname specified in the User-Agent header. For example, given the following request:

    GET / HTTP/1.1
    Host: 4x29d52jpe8ma9u4l4td96otbkhf55tu.oastify.com
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close

Collaborator will report that two DNS queries and one GET request are made to 4x29d52jpe8ma9u4l4td96otbkhf55tu.oastify.com as one would expect, but one GET request is made to rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com, reporting the same source IP address for all GET requests, despite the fact that a request to rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com is not made from my client insofar as I can determine; though if it were, I would expect to see DNS requests reported by collaborator for rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com. Interestingly, this does not work for non-*.oastify.com hosts specified in the User-Agent string.

Michelle, PortSwigger Agent | Last updated: May 11, 2023 09:08AM UTC

Thanks for getting in touch. We'll take a look into this and have a chat with the developers. Depending on the investigations we need to carry out, it may be a couple of days before we have the full details, but I hope to have an update for you by early next week at the latest.

Michelle, PortSwigger Agent | Last updated: May 11, 2023 01:33PM UTC

Hi, We've been doing some checks on this for you, and when you send a request like the one you described, where there are two different collaborator payloads in one request, then the request will be reported for each of the payloads. In your example, if you sent that one request from Repeater to https://4x29d52jpe8ma9u4l4td96otbkhf55tu.oastify.com, there would be DNS and HTTPS interactions reported for 4x29d52jpe8ma9u4l4td96otbkhf55tu.oastify.com. There would also be an HTTPS interaction reported to let you know that rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com had been seen in a request (even if it was not the target of the request). If it was not the target of the request, then no DNS lookup would be required. I hope this helps to explain things. Please let me know if you have any further questions.
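To make the reporting rule from the reply above concrete when reading Collaborator output, here is a small model of it as an added example (not PortSwigger's code): every *.oastify.com payload found anywhere in the request is reported as an HTTP interaction, but only the payload that is the request's Host also gets a DNS interaction. The `report_interactions` function, the `Interaction` record and the payload pattern are assumptions for illustration; the sample request is the one quoted in the original post.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical pattern for Collaborator payload hostnames (assumption: a
# lowercase alphanumeric label directly under oastify.com).
PAYLOAD_RE = re.compile(r"\b([a-z0-9]{16,64}\.oastify\.com)\b")

# Request quoted in the original post (headers trimmed to the ones that matter).
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: 4x29d52jpe8ma9u4l4td96otbkhf55tu.oastify.com
Cache-Control: max-age=0
User-Agent: rrmw7sw6j1294worfrn03tig57b3ztni.oastify.com
Accept-Encoding: gzip, deflate
Connection: close
"""


@dataclass(frozen=True)
class Interaction:
    payload: str
    kind: str      # "dns" or "http"
    target: bool   # True if the payload was the request's Host (the real target)


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header map."""
    lines = raw.strip().splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def report_interactions(raw: str) -> list[Interaction]:
    """Model how the request would show up in the Collaborator client."""
    _, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    # Every payload mentioned anywhere in the request is reported once,
    # in order of first appearance, whether or not it was the target.
    seen: list[str] = []
    for payload in PAYLOAD_RE.findall(raw.lower()):
        if payload not in seen:
            seen.append(payload)
    result: list[Interaction] = []
    for payload in seen:
        is_target = payload == host
        if is_target:
            result.append(Interaction(payload, "dns", True))   # resolved by the client
        result.append(Interaction(payload, "http", is_target))  # seen in the request
    return result
```

A payload that appears with `target=False` and no `dns` entry is one that was merely mentioned in a header, so it is not evidence that the application resolved or connected to it.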
