Burp Suite User Forum


Use/Parse Collaborator responses in Session Handling Rules and/or Macros

Misha | Last updated: Jan 17, 2023 04:33PM UTC

Hello, it would be useful to be able to parse the responses received in Collaborator and use them in the Session Handling Rules interface and/or in the Macros. The use case would be to be able to automate logins that require the user to enter a 2FA code/token sent via email or even SMS (depending on the provider interface). A Burp user could use a Collaborator URL as an SMTP interface, and when a new response is received, trigger a rule to parse the response, gather the code and inject it into a request to complete the login. The Collaborator response could be filtered based on the Collaborator ID (or a part of it) and the response type (HTTP, DNS, SMTP, etc.). Currently, side solutions like using Hackvertor and a custom script to connect to IMAP are used. I found a similar feature request, but I'm not entirely sure it is the same: https://forum.portswigger.net/thread/use-collaborator-in-manual-testing-e16822aa

Thanks
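The workflow the request describes (filter Collaborator interactions by ID and type, parse the SMTP message, pull out the one-time code, hand it to the next login request) can be sketched outside Burp. The script below is an added example, not code from this thread or from PortSwigger, and it does not use the real Collaborator API: the interaction records, their field names (`id`, `type`, `payload`), the `.oastify.example` IDs and the email contents are all constructed for illustration.

```python
"""Constructed example (not Burp's own code or Collaborator API): filter
Collaborator-style interaction records by ID prefix and interaction type,
then pull a one-time code out of the SMTP message body so it can be placed
into the follow-up login request."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional
from urllib.parse import urlencode

# Assumed record shape: {"id": <interaction id>, "type": "DNS"|"HTTP"|"SMTP",
# "payload": <raw interaction data>}.  All sample values are constructed.
SAMPLE_INTERACTIONS = [
    {"id": "abc123xyz.oastify.example", "type": "DNS", "payload": ""},
    {"id": "abc123xyz.oastify.example", "type": "HTTP",
     "payload": "GET /probe HTTP/1.1\r\nHost: abc123xyz.oastify.example\r\n\r\n"},
    {"id": "abc123xyz.oastify.example", "type": "SMTP",
     "payload": ("From: noreply@app.example\r\n"
                 "To: tester@abc123xyz.oastify.example\r\n"
                 "Subject: Your verification code\r\n"
                 "Content-Type: text/plain; charset=utf-8\r\n"
                 "\r\n"
                 "Your login code is 482913. It expires in 10 minutes.\r\n")},
    {"id": "zzz999.oastify.example", "type": "SMTP",
     "payload": "Subject: unrelated\r\n\r\nNo code in this one.\r\n"},
]

# Anchor on the word "code" so stray digits (expiry minutes, years) are skipped.
CODE_RE = re.compile(r"code\D{0,30}?(\d{4,8})\b", re.IGNORECASE)


def select_interactions(interactions, id_prefix: str, itype: str) -> list:
    """Keep only interactions of the requested type whose ID starts with id_prefix."""
    return [i for i in interactions
            if i["type"] == itype and i["id"].startswith(id_prefix)]


def text_body(raw_message: str) -> str:
    """Return the decoded text/plain body of an RFC 5322 message (empty if none)."""
    msg: Message = message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def extract_code(raw_message: str) -> Optional[str]:
    """Pull the one-time code out of an SMTP interaction, or None if absent."""
    m = CODE_RE.search(text_body(raw_message))
    return m.group(1) if m else None


def latest_code(interactions, id_prefix: str) -> Optional[str]:
    """Take the newest SMTP interaction for this Collaborator ID and extract its code.
    Records are assumed to be in arrival order, so the last match is the newest."""
    for record in reversed(select_interactions(interactions, id_prefix, "SMTP")):
        code = extract_code(record["payload"])
        if code:
            return code
    return None


def otp_form_body(code: str, field: str = "otp") -> str:
    """Build the URL-encoded form body a macro would substitute into the 2FA step."""
    return urlencode({field: code})


if __name__ == "__main__":
    code = latest_code(SAMPLE_INTERACTIONS, "abc123xyz")
    print("extracted code:", code)
    print("request body:", otp_form_body(code) if code else "(no code found)")
```

Filtering on the ID prefix first is what keeps one test's email from being picked up by another session sharing the same Collaborator server, and anchoring the regex on the word "code" avoids grabbing the expiry time or other digits in the message.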

Liam, PortSwigger Agent | Last updated: Jan 18, 2023 10:51AM UTC

Thanks for your message, Misha. This is something we have briefly discussed. We concluded that there would be some security concerns to work around. I'll raise your request with our product manager and let you know if we have an update.

Misha | Last updated: Jan 18, 2023 12:50PM UTC

Thanks Liam for your reply and for updating me. What are the security concerns raised? Thanks.

Liam, PortSwigger Agent | Last updated: Jan 19, 2023 07:59AM UTC

We would be opening potentially unsafe URLs using the public collaborator server. Please let us know if you need any further assistance.

Misha | Last updated: Jan 19, 2023 10:38AM UTC

This feature could be restricted to private collaborators and/or to Pro versions (like in this case https://forum.portswigger.net/thread/use-collaborator-server-for-csrf-pocs-41a61fdc).

Liam, PortSwigger Agent | Last updated: Jan 20, 2023 07:56AM UTC

Hi Misha, your point about private collaborators was also noted. I'll get back to you when I hear more.

Liam, PortSwigger Agent | Last updated: May 23, 2023 02:22PM UTC

Sorry for the delayed response; this isn't something we can commit to currently.

We'll continue to monitor user requests for this feature.
