Burp Suite User Forum

Collaborator "payload" field not correct when using multiple tokens

Mike | Last updated: Nov 06, 2023 04:18PM UTC

Perhaps there is a scenario I'm missing where this is a useful feature, but I suspect it is a bug.

You have two tokens:

- abc.oastify.com
- xyz.oastify.com

You make a request `curl -X POST https://abc.oastify.com -d foo=xyz.oastify.com`

This ends up logging a payload hit for xyz.oastify.com (and abc) in the UI, even though there is no request to xyz, HTTP/DNS or otherwise. You can see in the Host header the request is to abc.

Cheers,
-Mike

Dominyque, PortSwigger Agent | Last updated: Nov 07, 2023 10:20AM UTC

Hi Mike,

Thank you for reporting this. We will investigate on our side and update this thread on our findings after doing so.

Dominyque, PortSwigger Agent | Last updated: Nov 09, 2023 10:29AM UTC

Hi Mike,

Apologies for the wait. We can confirm that this is the intended functionality of the Collaborator. As two payloads are being sent in the request, it will report two interactions.

If you would like any further explanations given your context, can you please email support@portswigger.net with screenshots of the request being sent in Repeater and the result of polling the Collaborator after the request has been sent?

Thank you.
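
A triage helper for the situation discussed in this thread, as an added example that is not part of the original posts and is not PortSwigger's code: given the raw HTTP request recorded for an interaction and the payload hosts you generated, it reports where each payload appears, so a payload that only occurs in the body can be told apart from the one the request was addressed to. The function names, the sample request and its header values are assumptions constructed for illustration.

```python
import re

# Constructed sample: the request a server would receive for the curl
# command in the thread (User-Agent and other header values are made up).
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: abc.oastify.com\r\n"
    b"User-Agent: curl/8.0.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"foo=xyz.oastify.com"
)


def classify_payloads(raw_request, payload_hosts):
    """Return {payload_host: [locations]} for a raw HTTP request.

    Locations are 'request-line', 'host-header', 'other-header' and 'body'.
    An empty list means the payload host does not occur in the request.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    body_text = body.decode("latin-1")

    found = {}
    for host in payload_hosts:
        # Match the host itself or a subdomain of it, but not a longer
        # label that merely ends with the same characters.
        pat = re.compile(r"(?<![a-z0-9-])" + re.escape(host) + r"(?![a-z0-9-])", re.I)
        locations = []
        if pat.search(request_line):
            locations.append("request-line")
        for header in header_lines:
            name, _, value = header.partition(":")
            if pat.search(value):
                kind = "host-header" if name.strip().lower() == "host" else "other-header"
                if kind not in locations:
                    locations.append(kind)
        if pat.search(body_text):
            locations.append("body")
        found[host] = locations
    return found


def addressed_hosts(found):
    """Payload hosts the request was actually sent to (seen in the Host header)."""
    return [h for h, locs in found.items() if "host-header" in locs]
```

Run over the sample, `abc.oastify.com` is reported in the Host header and `xyz.oastify.com` only in the body, which is the distinction Mike describes.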