The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


DNS request from a graphic

Pete | Last updated: Mar 05, 2021 07:13PM UTC

Our IT department ran a Burp scan and several graphic files (.png) generated the issue: "It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names." The report does not list any mitigation techniques. I'm sure how to deal with this.

Michelle, PortSwigger Agent | Last updated: Mar 08, 2021 11:27AM UTC

The first step is to review the purpose and intended use of the application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If it is intended behavior, you should be aware of the types of attacks that can be performed and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.
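The allowlist approach described in the reply above, as an added example that is not part of the forum thread and not PortSwigger's or the poster's code. It is written in Python rather than the .NET stack the original poster mentions, and the allowed hosts, the blocked address ranges and the stand-in resolver are all constructed for the example. The check only resolves a name after it has passed the allowlist, pins the resolved address so the caller connects to what was checked, and refuses names that resolve into loopback or private ranges, which covers the "block network access to other internal systems" point as well.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (not from the thread): hosts the application is
# permitted to contact server-side, with the ports it may use for each.
ALLOWED_HOSTS = {
    "cdn.example.com": {443},
    "api.example.com": {443},
}

# Address ranges the application server must never reach, even when an
# allowlisted name resolves to one of them (loopback, RFC 1918, link-local).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_blocked_address(ip_text):
    """True if the address falls inside any range the server must not contact."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound(url, resolve):
    """Decide whether the application may fetch `url` server-side.

    Returns (True, pinned_ip) or (False, reason). `resolve` maps a hostname to
    a list of IP strings; it is injected so the check runs without real DNS,
    and so the same resolved address can be handed to the HTTP client.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    host = parts.hostname  # already lowercased; ignores any user@ prefix
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    # Reject before any lookup: an unlisted name must never reach the resolver,
    # otherwise the lookup itself is the arbitrary DNS interaction being reported.
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_HOSTS[host]:
        return False, "port not permitted for host"
    addresses = resolve(host)
    if not addresses:
        return False, "name did not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, "resolves to an internal address"
    # Pin the approved address: the client should connect to this IP rather
    # than resolving the name a second time (avoids a rebinding window).
    return True, addresses[0]


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "api.example.com": ["198.51.100.5"],
    "internal.example.com": ["10.0.0.8"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://cdn.example.com/logo.png",
        "https://cdn.example.com@internal.example.com/logo.png",
        "http://cdn.example.com/logo.png",
        "https://other.example/logo.png",
    ]:
        print(candidate, "->", check_outbound(candidate, fake_resolve))
```

The resolver is passed in deliberately: in production it would wrap the platform's lookup, but the decision logic itself then stays testable, and the pinned address it returns is what the HTTP client should be told to connect to, with the original hostname supplied only for TLS SNI and the Host header.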

Pete | Last updated: Mar 15, 2021 04:52PM UTC

I don't see how a relative link to a .png file can generate "...the ability to trigger arbitrary external service interactions..." The reference is on a .Net Master Page (where most of our graphics are referenced). Can the Community version of Burp generate this? We don't have access, and probably WON'T get access to the Professional or Enterprise versions.

Michelle, PortSwigger Agent | Last updated: Mar 16, 2021 08:57AM UTC