Burp Suite User Forum

How do I specify which SSL/TLS ciphers Burp Collaborator can use?

Stijn | Last updated: Feb 22, 2016 09:08AM UTC

Dear All,

We're currently running a private instance of Burp Collaborator. As this host is visible to the internet, we include this system in our regular vulnerability scans focused on internet-facing systems. Our most recent scan included possible vulnerabilities on the Collaborator system. Most vulnerabilities relate to the use of unauthenticated, not encrypted or weak cipher suites. One of the vulnerabilities that popped up was the all-known BEAST.

As the context of a Burp Collaborator instance is to receive connections from possibly weak systems or applications, from a wide variety of systems, we cannot have a situation in which the SSL/TLS connection can be considered to be providing insufficient security. We do need the system to be internet facing, as we won't be testing internal applications only.

This leads to my question: How do I specify which SSL/TLS ciphers Burp Collaborator can use? Is there a (e.g. command line) option I can pass to the Burp Collaborator instance, which would tell it what cipher suites it can or cannot use?

Thank you for your reply.

Kind regards,
Stijn

PortSwigger Agent | Last updated: Feb 22, 2016 10:17AM UTC

Thanks for this question.

The capture interface of the Collaborator server is not using SSL as a security mechanism. It is solely using it to enable the Collaborator server to accept incoming requests from client systems that choose to use HTTPS. To maximise the effectiveness of this capture, the Collaborator server deliberately supports the widest range of SSL ciphers and protocols, including weak ones.

The maximum impact of using weak ciphers in this situation will be that a suitably positioned adversary could see the contents of HTTPS interactions with the Collaborator. When a target system makes an HTTPS request to the Collaborator, this will typically be a simple GET request to a URL like https://zewhfiuwehflaiuwhrfliuwhfiluwid.burpcollaborator.net. There is no sensitive information contained within the request or the response. So there is no requirement to prevent anyone from seeing it. The only effect of restricting the supported ciphers would be to prevent some client systems from connecting, and so lose some vulnerabilities.

The sensitive part of the communication with the Collaborator server occurs when Burp Suite Pro polls the Collaborator to retrieve details of any interactions resulting from its scans. For this connection, Burp does properly enforce SSL trust and uses a more secure cipher and protocol.
