Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Wrong lookup IP address in External service interaction (DNS)

Anil | Last updated: Mar 17, 2021 02:35PM UTC

Hi, We had recently performed Burp Suite Scan on our application and the External service interaction (DNS) was reported with Severity: High and Confidence: Certain. However in the Collaborator DNS interaction the IP, from which the lookup was done is not present in our network. "The Collaborator server received a DNS lookup of type A for the domain name hrcrjxaob33ooedf37r0xjxl2c86wwkpjd90zoo.burpcollaborator.net. The lookup was received from IP address 210.xx.xx.xx at xxxxx UTC." Report generated by Burp Suite web vulnerability scanner v2020.9.2 Would this be a false positive issue ?

Anil | Last updated: Mar 17, 2021 03:07PM UTC

Found some possible explanation from https://forum.portswigger.net/thread/issue-with-burp-collaborator-ac8e3545 For this issue to be reported, the following events must have taken place: 1. Burp sent a payload to the target system containing the Collaborator domain name (including the random prefix). 2. The Collaborator server received a DNS looking from somewhere for that domain name.

Uthman, PortSwigger Agent | Last updated: Mar 17, 2021 03:23PM UTC

Thanks for the feedback. This issue would warrant further investigation since the collaborator has triggered a DNS interaction. You can use the Request/Response pair to replicate the issue.

Anil | Last updated: Jun 02, 2021 09:27AM UTC

Hi, I tried to replicate the issue manually, but couldn't succeed. I sent the request which had the issue to Repeater and created a new host name from Collaborator Client, and used it in the request, even after 30 mins no interaction was reported at the Collaborator side. The request used in Repeater was this, but it didn't trigger and interaction. GET / HTTP/1.1 Host: xxxx.burpcollaborator.net Pragma: no-cache Cache-Control: no-cache, no-transform Connection: close As per the report the request has this characteristics. "The payload xxxx.burpcollaborator.net was submitted in the SSL SNI value and the HTTP Host header." Could you help me construct this request?

Uthman, PortSwigger Agent | Last updated: Jun 02, 2021 11:16AM UTC

Are you using the instructions in the documentation below in your attempt to replicate the issue? - https://portswigger.net/burp/documentation/desktop/tools/collaborator-client

Anil | Last updated: Jun 07, 2021 10:30AM UTC

Yes, i have followed those steps. In the document the newly generated Collaborator payload was used in View State of ASP page. In my case i am using the payload in the host name of request, but it didn't trigger an interaction. Do i need to add the payload in any other part of request, in order to satisfy the condition "The payload xxxx.burpcollaborator.net was submitted in the SSL SNI value and the HTTP Host header." How do i submit the payload in the SSL SNI value?

Uthman, PortSwigger Agent | Last updated: Jun 07, 2021 11:02AM UTC

Apologies for the confusion but one of our developers has just noted that you cannot manually insert payloads into the SNI extension within Burp. You could try using curl or some of the steps described in a different forum post here: - https://forum.portswigger.net/thread/more-info-on-external-service-interaction-dns-eea8b80e - https://www.claudiokuenzler.com/blog/693/curious-case-of-curl-ssl-tls-sni-http-host-header

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.