Burp Suite User Forum

Collaborator servers lack ipv6 support

J | Last updated: Jul 25, 2019 12:29PM UTC

No IPv6 support for any of the collaborator infrastructure:

burpcollaborator1.portswigger.net has address 52.16.21.24
burpcollaborator2.portswigger.net has address 52.16.107.92

Knowing an IPv6 source address for originating traffic is far more useful than a legacy IPv4 address, as it is less likely to be NAT'd behind a shared address and less likely to be discovered via traditional scanning methods.

Liam, PortSwigger Agent | Last updated: Jul 26, 2019 10:09AM UTC

Thanks for your feedback. We've made a note of your request in our development backlog.

J | Last updated: Apr 11, 2024 11:52AM UTC

Almost 5 years later and the public collaborator is still only using legacy IP. A lot of backend infra is IPv6-only now even if the frontend (e.g. a public CDN) is dual stack. With a legacy-only collaborator, things will be missed. Microsoft's internal infrastructure for o365 and other services is IPv6-only, the US federal government has a deadline of 85% IPv6-only by 2025, and providers charge extra for legacy IP, so it's not uncommon for hosts to be v6-only with a dual stack load balancer in front.

Michelle, PortSwigger Agent | Last updated: Apr 11, 2024 01:14PM UTC

Hi,

This isn't a feature many users have been requesting so far, but we are still tracking this.

J | Last updated: Apr 11, 2024 10:27PM UTC

Chicken and egg:

- Users never see IPv6 addresses show up in collaborator responses because it doesn't support it.
- Users never see IPv6 addresses show up in the proxy history (because Java defaults to legacy IP unless you set java.net.preferIPv6Addresses=true).
- Users never set java.net.preferIPv6Addresses=true because it's not the default and they think no-one uses IPv6 or don't even realize such an option exists.
- Users assume that IPv6 is not being used by anyone.
- Users never request IPv6 support because they think it's not being used.
- Users never test for IPv6-specific vulns (e.g. logging fields which aren't big enough).

Meanwhile, active IPv6 usage is over 45% of users and a similar percentage of websites, all the major CDNs enable it by default and most of the largest websites.
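Added example, not part of the original thread or of Burp Suite: a small check for the "logging fields which aren't big enough" case mentioned in the post above, simulating a fixed-width source-address field and reporting which entries are truncated and which distinct clients become indistinguishable. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Widest text forms: dotted-quad IPv4, and IPv6 with an embedded IPv4 tail.
IPV4_TEXT_MAX = len("255.255.255.255")                                # 15
IPV6_TEXT_MAX = len("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")  # 45

# Constructed sample source addresses, as a logger might write them.
SAMPLE_SOURCES = [
    "203.0.113.7",
    "2001:db8::1",
    "2001:db8:1:2:aaaa:bbbb:cccc:1",
    "2001:db8:1:2:aaaa:bbbb:cccc:2",
    "::ffff:203.0.113.7",
]


def audit_field(width, sources):
    """Simulate storing each address in a field of `width` characters."""
    stored = {}
    truncated = []
    for text in sources:
        ipaddress.ip_address(text)  # raises ValueError on a malformed sample
        kept = text[:width]
        if kept != text:
            truncated.append(text)
        stored.setdefault(kept, []).append(text)
    # Distinct addresses that end up as the same stored value.
    collisions = sorted(v for v in stored.values() if len(v) > 1)
    return {"truncated": truncated, "collisions": collisions}


def worst_case_width(sources):
    """Longest text form if the logger writes fully expanded addresses."""
    return max(len(ipaddress.ip_address(s).exploded) for s in sources)


if __name__ == "__main__":
    for width in (IPV4_TEXT_MAX, IPV6_TEXT_MAX):
        result = audit_field(width, SAMPLE_SOURCES)
        print(f"width={width}: truncated={len(result['truncated'])} "
              f"collisions={result['collisions']}")
    print("expanded-form width needed:", worst_case_width(SAMPLE_SOURCES))
```

Short compressed addresses such as 2001:db8::1 fit a 15-character field, so a field-width problem can stay hidden until a longer address is logged.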

Michelle, PortSwigger Agent | Last updated: Apr 12, 2024 07:23AM UTC

Hi,

We are aware of this, and I will pass on your feedback. This will, however, need to be prioritised alongside other work.