Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Issue with Burp Collaborator

Mudit | Last updated: May 05, 2016 09:11AM UTC

Hi, We have a licensed version of Burp suite running and the license is issued to Cisco Systems India Pvt Ltd. We have been running Burp suite on our application and wanted to report an issue that we have been observing. Burp suite reported an issue "External Service Interaction(DNS)". Following response was reported as part of Collaborator response: "The Collaborator server received a DNS lookup of type A for the domain name bgvl6vznavuan2tr3ghrc2hosfy5myaqxhl6.burpcollaborator.net. The lookup was received from IP address x.x.x.x at 2016-May-05 07:10:44 UTC. " While Burp suite reported this, we have been trying to simulate a similar condition manually but could not. In packet capture, there were no outgoing traffic to the said collaborator input or any specified DNS address. Similarly while the Burp suite was running and the issue reported, the packet capture did not reveal any outgoing traffic for that domain specified in collaborator query. Is this an issue ? Please let us know.

PortSwigger Agent | Last updated: May 05, 2016 09:24AM UTC

For this issue to be reported, the following events must have taken place: 1. Burp sent a payload to the target system containing the Collaborator domain name (including the random prefix). 2. The Collaborator server received a DNS looking from somewhere for that domain name. Regarding 1, if you capture all Burp's requests (e.g. using an upstream proxy instance or the Custom Logger extension in the BApp Store) you will see the payload in question being sent to the target. Regarding 2, either the target system or some other system that processes user-supplied data has performed a regular DNS lookup for the supplied domain name. The lookup will have been made to the usual DNS server that is used, typically your ISP's server. It wont (necessarily) have been made TO the Collaborator's IP address or FROM the IP address shown in Burp's issue detail, due to the distributed nature of DNS. To see the lookup happening you will need to monitor all DNS traffic coming from the target system and all other relevant systems that might process user input. For example, this will include databases, mail servers, and anything else that user-supplied data might reach. Hope that helps.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.