Burp Suite User Forum

External Service Interaction False Positive

Nick | Last updated: Mar 19, 2019 06:38PM UTC

While running an active scan against a site while on a VPN, Burp reported an issue for External Service Interaction. However, the service being interacted with is coming from my Public IP on the VPN and not from the site I am testing (like I would expect for SSRF). I reran the scan from a VDI that's not over VPN against the same site and the issue did not show up. Has anyone else ever run into something like this? Thanks!

Liam, PortSwigger Agent | Last updated: Mar 21, 2019 01:58PM UTC

Nick, this could well be a false positive. Are you running any security software on your system that could be causing the interaction? Have you tried using Wireshark to identify where the traffic is coming from? Does the VDI have different software installed?

Burp User | Last updated: Mar 21, 2019 04:27PM UTC

I don't believe there would be any security software on my system that would cause it. I've done other active scans against other sites and would think the issue would show up then, but it doesn't. I did try using Wireshark to see what was going on, but the traffic is encrypted over the VPN, so I couldn't see anything useful. The VDI should be running the same version (1.7.37), but the Windows version. My main computer for testing is a Mac.

PortSwigger Agent | Last updated: Mar 22, 2019 03:57PM UTC

Ok, it sounds like you have ruled out some obvious causes, and further investigation will be difficult due to the VPN encryption. I suggest you try to figure out if there's any security impact from this behavior. If not, I would just ignore it - determining the exact cause of the interaction is not worthwhile. Please let us know if you need any further assistance.

tarcan | Last updated: Mar 25, 2021 02:50PM UTC

I had the same exact problem. What I realized is that when I use an absolute URL in the request line of any request in Repeater, such as "GET http://0kl6nu45qhog.burpcollaborator.net" (instead of a relative path like "/index.html"), a DNS lookup is triggered from my laptop. I am guessing Burp Repeater is honoring the RFC (https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html), but in my opinion it shouldn't raise this as an issue, or at least not with Certain confidence. My $0.02
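
A triage helper for the situation discussed in this thread, added here as an example and not part of any forum post or of Burp itself: it attributes each reported interaction by source address and notes when the request line used an absolute-form target. The function names, the finding dictionary layout, the address ranges and the hostname are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def absolute_form_host(request_line):
    """Return the host when the request-target is an absolute URI, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    return target.hostname if target.scheme in ("http", "https") else None

def interaction_origin(source_ip, tester_nets, target_nets):
    """Attribute one interaction to the tester, the target, or neither."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(n) for n in tester_nets):
        return "tester"
    if any(ip in ipaddress.ip_network(n) for n in target_nets):
        return "target"
    return "unknown"

def triage(finding, tester_nets, target_nets):
    """Summarise whether a reported interaction needs follow-up."""
    origins = {interaction_origin(i["source_ip"], tester_nets, target_nets)
               for i in finding["interactions"]}
    # Any hit from the application's own address space outweighs the rest.
    if "target" in origins:
        return "investigate: target-side interaction"
    if origins == {"tester"}:
        host = absolute_form_host(finding["request_line"])
        why = f" (absolute-form target {host})" if host else ""
        return "likely false positive: client-side interaction" + why
    return "manual review: unattributed source"

# Constructed sample data: documentation address ranges, placeholder hostname.
TESTER_NETS = ["203.0.113.0/24"]   # assumed VPN exit range of the tester
TARGET_NETS = ["198.51.100.0/24"]  # assumed address range of the site in scope
FINDING = {
    "request_line": "GET http://example.burpcollaborator.net/ HTTP/1.1",
    "interactions": [{"type": "DNS", "source_ip": "203.0.113.25"}],
}

if __name__ == "__main__":
    print(triage(FINDING, TESTER_NETS, TARGET_NETS))
```

A DNS interaction is logged with the address of the recursive resolver that sent the query, so an "unattributed" result calls for checking which resolver each side uses rather than dismissing the finding.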
