Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Collaborator reports multiple interactions instead of one

Misha | Last updated: Jul 13, 2023 09:14AM UTC

During an assessment it was noticed that if the payload (request to the Collaborator server) includes more than one Collaborator URL, Burp Collaborator reports one connection (single HTTP request) as multiple based on the number of URLs that finds in the request. Ideally, only real HTTP requests should be shown in the Collaborator interactions list, and not based on how many Collaborator URLs have been found in the request. For example, a request like this: GET /;http://qysg0vak1v1z137ew97pj2fp7gd711pq.collabdomain.tldhttp://qysg0vak1v1z137ew97pj2fp7gd711pq.collabdomain.tld HTTP/1.1 Host: q0rg2vck3v3z339ey99pl2hp9gf730rp.collabdomain.tld Accept: */* Accept-Encoding: gzip, deflate Will yield multiple (2) HTTP entries in the list at an identical timestamp as the request is received. The behavior can be reproduced by browsing to a Collaborator URL like this: http://collabURL1.collabdomain.tld/?http://collabURL1.collabdomain.tld Two HTTP entries will be created, if more URL are concatenated more entries will pop up. Could you please confirm this is a bug? Thank you.

Dominyque, PortSwigger Agent | Last updated: Jul 13, 2023 12:58PM UTC

Hi Misha The intended functionality of the Collaborator is that each request has a unique interaction ID, and it makes no attempt to deduplicate ID's. Therefore, if you do not wish to wish to have the entries displayed as such, we advise that you do not have duplicate ID's in the request.

Misha | Last updated: Jul 19, 2023 07:04AM UTC

Hi Dominyque, Sure but sometimes you cannot control how your payload will be treated by the server (especially in case of SSRF) and you might end up having multiple times the Collaborator ID inside a request, even when you specify the Collaborator ID once in the entry point. It would be useful to have in the interface a discriminator that can tell apart if the interaction came as a single request or there were multiple ones.

Misha | Last updated: Jul 19, 2023 07:19AM UTC

To make you better understand, let's say I have 2 endpoints: One endpoint performs 1 request to the Collaborator URL but specifies the Collaborator URL 3 times inside the request. Burp will visualize this as 3x HTTP type rows. The other endpoint performs 3 requests to the Collaborator URL but inside the request the Collaborator URL is mentioned only once. Burp will also visualize 3x HTTP type rows. The two behaviors are undistinguishable one from the other. In an assessment in a black box model, I have no means to understand the behavior of the server by looking at the interactions on Burp Collaborator only. I have to fire up Wireshark and check the packets.

Dominyque, PortSwigger Agent | Last updated: Jul 19, 2023 09:54AM UTC

Hi Misha Thank you for the further clarification and explanation. I have created a bug ticket for this, and we will monitor this behavior.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.