Burp Suite User Forum


How to exploit external service interaction in real world applications?

Esperesso | Last updated: Apr 04, 2016 04:03AM UTC

Hi, I found a web application that made a DNS lookup to Burp Collaborator, but I don't know what the direct exploitation scenario is. Should we consider it an SSRF vulnerability? What is the real risk? Thanks

Liam, PortSwigger Agent | Last updated: Apr 04, 2016 10:05AM UTC

Hi Esperesso, thanks for your message. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers. Please let us know if you need any further assistance.
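
A server-side check against the risk described in the reply above, as an added example that is not part of the original thread: before the application fetches a user-supplied URL, it resolves the host and refuses loopback, internal and link-local destinations. The function names, the `.example` hostnames and the constructed resolver table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed sample answers so the example runs offline (not real DNS data).
CONSTRUCTED_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def constructed_resolver(host, port):
    """Offline stand-in: table lookup; IP literals resolve to themselves."""
    return CONSTRUCTED_DNS.get(host, [host])

def system_resolver(host, port):
    """Real lookup via the OS resolver; returns a list of IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def vet_destination(url, resolver=system_resolver):
    """Return (host, port, ip) that is safe to connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username is not None:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(parts.hostname, port)
    if not addresses:
        raise ValueError("host does not resolve")
    for addr in addresses:  # one internal answer is enough to refuse
        if not is_public(addr):
            raise ValueError("%s resolves to non-public %s" % (parts.hostname, addr))
    # Caller should connect to this IP, not re-resolve the name afterwards.
    return parts.hostname, port, addresses[0]

if __name__ == "__main__":
    for url in ("http://public.example/", "http://mixed.example/", "http://[::1]/"):
        try:
            print(url, "->", vet_destination(url, constructed_resolver))
        except ValueError as exc:
            print(url, "-> rejected:", exc)
```
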

Burp User | Last updated: Apr 06, 2016 08:24PM UTC

An outbound DNS connection isn't enough to qualify as an SSRF. A TCP or UDP one would be better. In your setup, maybe a firewall blocks outgoing requests to the ports used by Collaborator. Btw, are you using the public Collaborator instance? Some injection points get better coverage when using a private instance defined by its IP address. I would propose to set up your own Web server and try to inject "YOUR_PUBLIC_IP:80/?"

PortSwigger Agent | Last updated: Apr 07, 2016 04:21AM UTC

This could be because your cookie has expired. I suggest you log in again, using your browser, proxying through Burp. Then in Project options > Sessions > Session handling rules > Use cookies from Burp's cookie jar > Edit > Scope, enable Repeater. To pick up the DNS interaction again you'll need to use the Manual Collaborator Client: https://support.portswigger.net/customer/portal/articles/2945928-using-burp-collaborator-client

Burp User | Last updated: Feb 12, 2019 07:48AM UTC

I tried the external DNS interaction while performing the app VAPT, but in response I'm getting a forbidden response from the Burp Repeater. Can I consider this a false positive in this case? Could someone please help me?
