Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

I got this issue after scanning my website. How do i resolve this issue can you explain me please?

Akash | Last updated: Feb 04, 2022 04:12PM UTC

There are 3 instances of this issue: / /casa /casa Issue background External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences. In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers. Issue remediation You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist. Out-of-Band Application Security Testing (OAST) is highly effective at uncovering high-risk features, to the point where finding the root cause of an interaction can be quite challenging. To find the source of an external service interaction, try to identify whether it is triggered by specific application functionality, or occurs indiscriminately on all requests. If it occurs on all endpoints, a front-end CDN or application firewall may be responsible, or a back-end analytics system parsing server logs. In some cases, interactions may originate from third-party systems; for example, a HTTP request may trigger a poisoned email which passes through a link-scanner on its way to the recipient. Issue detail It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The payload if10ne5ldxtam48w7l4nizdvemkf88w2qqgd61v.burpcollaborator.net was submitted in the HTTP Host header. The application performed a DNS lookup of the specified domain. Request GET /?q3a3mo33ow=1 HTTP/1.1 Host: if10ne5ldxtam48w7l4nizdvemkf88w2qqgd61v.burpcollaborator.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9, text/q3a3mo33ow Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate, q3a3mo33ow Accept-Language: en-US,en-GB,q3a3mo33ow;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 q3a3mo33ow Connection: close Cache-Control: max-age=0 Origin: https://q3a3mo33ow.sit2portal.ahcthost.com Response HTTP/1.1 503 Service Unavailable Content-Type: text/html Cache-Control: no-cache, no-store Connection: close Content-Length: 693 X-Iinfo: 1008-68366182-0 0NNN RT(1643712050916 381) q(0 -1 -1 -1) r(2 -1) <html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv= ...[SNIP]... Collaborator DNS interaction The Collaborator server received a DNS lookup of type CNAME for the domain name if10ne5ldxtam48w7l4nizdvemkf88w2qqgd61v.burpcollaborator.net. The lookup was received from IP address 52.16.107.92 at 2022-Feb-01 10:40:51 UTC.

Uthman, PortSwigger Agent | Last updated: Feb 07, 2022 09:33AM UTC

Hi Akash,

We do not offer a consulting service, unfortunately, so you will need to liaise with your internal development and/or information security teams to understand the issue better and perform the necessary remediation steps.

Have you tried manually replicating this using the Collaborator Client?

It's also worth noting that the forum is public so it may not be ideal to share information related to a specific scan issue here (since it includes IP addresses, collaborator URLs, and the site/application URL).

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.