The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.

DNS request from a graphic

Pete | Last updated: Mar 05, 2021 07:13PM UTC

Our IT department ran a Burp scan and several graphic files (.png) generated the issue: "It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names." The report does not list any mitigation techniques. I'm not sure how to deal with this.

Michelle, PortSwigger Agent | Last updated: Mar 08, 2021 11:27AM UTC

The first step is to review the purpose and intended use of the application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If it is intended behavior, you should be aware of the types of attacks that can be performed and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.
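The "whitelist of permitted services and hosts" in the reply above, written out as an added example. This is not code from PortSwigger, from the poster's application, or from the Burp report; it is in Python rather than the poster's .NET because the check itself is language-neutral, and the host list, the URL-shaped input and the recording resolver are all assumptions made for the example. The vulnerable pattern resolves whatever host the caller names; the guarded pattern performs the DNS lookup only after the host has passed the allow-list, and it rejects non-http(s) schemes, raw IP literals, and look-alike hosts such as `cdn.example.com@attacker.example` or `cdn.example.com.attacker.example`.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Set
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts this application is permitted to contact.
# Replace with the real set for your deployment (assumption for the example).
ALLOWED_HOSTS: Set[str] = {"cdn.example.com", "api.example.com"}

Resolver = Callable[[str], str]


def default_resolver(host: str) -> str:
    """Real DNS lookup: the server-side side effect the scanner finding is about."""
    return socket.gethostbyname(host)


class RecordingResolver:
    """Offline stand-in for DNS that records which hosts were looked up."""

    def __init__(self, answer: str = "192.0.2.1") -> None:  # TEST-NET-1, constructed
        self.answer = answer
        self.lookups: List[str] = []

    def __call__(self, host: str) -> str:
        self.lookups.append(host)
        return self.answer


def target_host(url: str) -> Optional[str]:
    """Return the normalised host named by url, or None if it is not plain http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return None
    # urlsplit().hostname already drops userinfo, so "cdn.example.com@attacker.example"
    # yields "attacker.example"; it also lowercases. Strip a trailing root dot.
    return parts.hostname.rstrip(".").lower()


def is_permitted_target(url: str, allowed: Set[str] = ALLOWED_HOSTS) -> bool:
    """True only when url names an allow-listed host; everything else is refused."""
    host = target_host(url)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)  # raw IPv4/IPv6 literal (127.0.0.1, ::1, ...)
        return False                # never allowed, even if one were listed
    except ValueError:
        pass
    return host in allowed          # exact match: no suffix or prefix tricks


def resolve_unvalidated(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Vulnerable pattern: performs a DNS lookup for whatever host the caller supplies."""
    host = target_host(url)
    return resolver(host) if host is not None else None


def resolve_guarded(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Hardened pattern: the DNS lookup happens only after the allow-list check passes."""
    if not is_permitted_target(url):
        return None
    host = target_host(url)
    assert host is not None  # guaranteed by is_permitted_target
    return resolver(host)


if __name__ == "__main__":
    dns = RecordingResolver()
    for candidate in ("http://cdn.example.com/logo.png", "http://attacker.example/x"):
        print(candidate, "->", resolve_guarded(candidate, dns))
    print("hosts actually resolved:", dns.lookups)
```

The same gate belongs in front of any code path that turns attacker-influenced input into a hostname, not only URL fetches; the point of the guarded version is that the resolver is never called for a name that failed the check, so no DNS traffic leaves the server for it.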

Pete | Last updated: Mar 15, 2021 04:52PM UTC

I don't see how a relative link to a .png file can generate "...the ability to trigger arbitrary external service interactions..." The reference is on a .NET Master Page (where most of our graphics are referenced). Can the Community version of Burp generate this? We don't have access, and probably WON'T get access, to the Professional or Enterprise versions.

Michelle, PortSwigger Agent | Last updated: Mar 16, 2021 08:57AM UTC

I'm afraid Burp Collaborator is not an option within the Community version. If your IT department had access to Burp Suite Professional then they can probably assist you and also help you with the investigations for this. If not, we do offer free trials of Burp Suite Professional to businesses, so this might give you an option to investigate further yourself: https://portswigger.net/burp/pro/trial
