The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Use Collaborator server for CSRF POCs?

Seth | Last updated: Sep 17, 2015 12:10AM UTC

Currently, my favorite way to generate the "meat" for a CSRF demo is to use the Burp CSRF engagement tool. However, after I run the test locally with the Burp tool, if I am dealing with XHR and CORS, I always move the POC to a "real" web server that will cause my browser to generate a pre-flight request. Depending on the engagement, I use a public web server or just a VM in bridged mode. Now that we have the Collaborator, I was thinking that it would be really nice to have an option to "Send CSRF POC to Collaborator", since that already meets all of the requirements to 100% verify CSRF (and cause a pre-flight request). Thoughts?
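The post above turns on a detail of the CORS rules: an XHR or fetch PoC that sends JSON (or any non-form content type) makes the browser issue an OPTIONS pre-flight first, while a plain form POST is a "simple request" and is delivered with no pre-flight at all. The following is an added example, written here for this thread and not code from the forum or from PortSwigger, that models both halves from the server's side: which cross-origin requests a browser pre-flights, and how a server should decide on a state-changing request so that neither kind of PoC succeeds. The origins `https://api.example` and `https://app.example`, the allowlist, and the sample requests are constructed for illustration.

```python
"""
Added example (not from the forum thread or from PortSwigger): a defender-side
model of CORS pre-flight behaviour and of an Origin check for state-changing
requests. All origins and sample requests below are constructed.
"""

# CORS "simple request" rules: these methods and Content-Type values are
# sent by the browser without a pre-flight OPTIONS request.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Request headers a script may set without triggering a pre-flight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Headers the browser itself attaches; they never cause a pre-flight.
BROWSER_SET_HEADERS = {"origin", "cookie", "host", "referer", "user-agent",
                       "accept-encoding", "connection", "content-length"}

SELF_ORIGIN = "https://api.example"                 # constructed: this server
ALLOWED_ORIGINS = {SELF_ORIGIN, "https://app.example"}  # constructed allowlist
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def needs_preflight(method, headers):
    """True if a browser would send an OPTIONS pre-flight before this
    cross-origin request. A <form> POST with a form encoding goes straight
    to the server; an XHR POST with application/json or a custom header
    is pre-flighted first."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    ctype = _header(headers, "Content-Type")
    if ctype is not None:
        if ctype.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return True
    author_headers = {k.lower() for k in headers} - BROWSER_SET_HEADERS
    return bool(author_headers - SAFELISTED_HEADERS)


def handle_request(method, headers):
    """Server-side decision for one request: returns (status, response headers).

    - OPTIONS pre-flight: acknowledge only allowlisted origins; never answer
      with '*' when credentials are involved.
    - State-changing request whose Origin is not allowlisted: reject before any
      handler runs. This is the check that stops a simple form POST, which
      arrives with no pre-flight at all. This example also rejects a
      state-changing request that carries no Origin header; a real deployment
      would pair this with a CSRF token or SameSite cookies rather than rely
      on Origin alone.
    """
    method = method.upper()
    origin = _header(headers, "Origin")
    if method == "OPTIONS":
        if origin in ALLOWED_ORIGINS:
            return 204, {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
                "Access-Control-Allow-Headers": "Content-Type",
                "Vary": "Origin",
            }
        return 403, {}
    if method in STATE_CHANGING and origin not in ALLOWED_ORIGINS:
        return 403, {}
    response_headers = {}
    if origin in ALLOWED_ORIGINS and origin != SELF_ORIGIN:
        response_headers = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return 200, response_headers


if __name__ == "__main__":
    # Constructed sample traffic: a form POST and a JSON POST from an origin
    # that is not on the allowlist, then a JSON POST from an allowed one.
    cases = [
        ("POST", {"Origin": "https://other.example",
                  "Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"Origin": "https://other.example",
                  "Content-Type": "application/json"}),
        ("OPTIONS", {"Origin": "https://other.example"}),
        ("OPTIONS", {"Origin": "https://app.example"}),
        ("POST", {"Origin": "https://app.example",
                  "Content-Type": "application/json"}),
    ]
    for m, h in cases:
        print(m, h.get("Origin"), "preflight=%s" % needs_preflight(m, h),
              "->", handle_request(m, h)[0])
```

The point the thread is making falls out of the two functions: `needs_preflight` is False for the form-encoded POST, so a PoC served from `file://` or from a local page never exercises the pre-flight path and only a hosted origin shows whether the JSON variant gets through; `handle_request` shows that the pre-flight is not the CSRF defence, because the form POST never triggers one and is stopped only by the Origin check on the actual request.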

PortSwigger Agent | Last updated: Sep 17, 2015 03:32PM UTC

Thanks for this request, which is a great idea. Later in the Burp Collaborator roadmap, we do plan to support serving of arbitrary responses from the Collaborator server. This will be primarily aimed at delivering out-of-band payloads into target applications where an external HTTP interaction can be triggered. When this feature is implemented, we will also be able to use it for serving CSRF PoC responses, in the way you describe. (For various reasons, it is likely that this feature will only be available if you have deployed a private Collaborator server, because we don't want the public server being used as a vehicle for delivering arbitrary attacks against third parties.)

Burp User | Last updated: Sep 17, 2015 08:18PM UTC

Good distinction! We deployed a private collaborator server and I already forgot that there is a public option. I'll look forward to seeing it rolled out. Keep up the great work over there!

Burp User | Last updated: Sep 21, 2015 06:46PM UTC

Second this

João | Last updated: May 08, 2024 05:40PM UTC

5 years in the future and I'm in a situation where a feature like that would save me A LOT of time. Burp team, give a thought to this feature.

João | Last updated: May 08, 2024 05:41PM UTC

I mean, 9 years*

Michelle, PortSwigger Agent | Last updated: May 09, 2024 09:39AM UTC