Mastering Burp Collaborator: Detecting Out-of-Band Vulnerabilities with Precision
CRUD5th-273- (@crud5th-273-)

Publish Date: Mar 30

Not all vulnerabilities return visible errors or flags.

Some are silent — only visible through their out-of-band behavior.

Burp Collaborator is a powerful tool designed to detect such vulnerabilities by monitoring for DNS, HTTP, and SMTP interactions from the target system.

This guide walks through practical use cases and methodology.


1. What is Burp Collaborator?

Burp Collaborator is an external interaction service that listens for connections initiated by a vulnerable application.

It allows you to detect:

  • SSRF (Server-Side Request Forgery)
  • Blind XSS
  • Blind SQLi (via LOAD_FILE() or xp_dirtree)
  • Command injection (e.g., curl, wget)
  • XML External Entity (XXE) exploits

2. Setting Up Collaborator

If you're using Burp Suite Pro, Collaborator is built-in.

Go to:

Burp → Project Options → Misc → Burp Collaborator client

Choose:

  • Use Burp Collaborator's default server (public)
  • Or self-host your own Collaborator instance for stealth/internal testing

3. Generate Collaborator Payload

Open:

Burp → Burp Collaborator client → Copy to clipboard

You’ll receive a payload like:

abc123def456.burpcollaborator.net

Inject this into suspect input points:

GET /profile?avatar=http://abc123def456.burpcollaborator.net HTTP/1.1

Or:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://abc123def456.burpcollaborator.net"> ]>
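The avatar parameter above is a classic SSRF input point: the server fetches whatever URL the user supplies, which is exactly why a Collaborator hostname placed there produces a callback. As an added example (not code from the original post), here is the server-side check that closes that hole: an allowlist of fetchable hosts, an https-only scheme rule, rejection of embedded credentials, and a resolve-then-verify step that refuses hosts mapping to private or otherwise non-public addresses. The allowlisted hosts and the resolver results are constructed; the resolver is passed in so the check runs offline and so the caller can pin the verified IP for the real fetch.

```python
"""Added example (not from the original post): validating a user-supplied
avatar URL before the server fetches it. Hosts and resolver data are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only origins the avatar fetcher may contact.
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}
ALLOWED_SCHEMES = {"https"}


def _is_public_ip(ip_text):
    """True only for globally routable unicast addresses (rejects RFC 1918,
    loopback, link-local, documentation ranges, multicast, etc.)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_avatar_url(url, resolve):
    """Return (ok, reason) for a candidate avatar URL.

    `resolve(host)` returns the list of IP strings the host maps to. It is
    injected so the check can run offline and so the caller can connect to
    the verified IP instead of re-resolving (which would allow a DNS rebind
    between check and fetch)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in ALLOWED_HOSTS:
        # Collaborator hosts, internal names and raw IPs all fail here.
        return False, f"host {host!r} not in allowlist"
    ips = resolve(host)
    if not ips:
        return False, "host did not resolve"
    for ip in ips:
        if not _is_public_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver: images.example.com deliberately points inside.
    fake_dns = {"cdn.example.com": ["93.184.216.34"],
                "images.example.com": ["10.0.0.5"]}
    lookup = lambda h: fake_dns.get(h, [])
    for candidate in ("https://cdn.example.com/a.png",
                      "http://abc123def456.burpcollaborator.net",
                      "https://images.example.com/a.png"):
        print(candidate, "->", validate_avatar_url(candidate, lookup))
```

The allowlist does the heavy lifting; the IP check is a second layer for the case where an allowlisted name is later pointed at an internal address.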

4. Monitor Interactions

After sending the payload, check the Collaborator Client:

  • DNS interaction: server attempted name resolution
  • HTTP interaction: server actually requested the resource
  • SMTP interaction: possible email-based vector

Each entry shows a timestamp, the interaction type, and the source IP that contacted Collaborator, confirming that the target made an outbound connection.
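The three interaction types are only useful if you can tie each callback back to the input that caused it, which means using a distinct Collaborator token per injection point and then reading the interaction list by token. As an added example (not code from the original post), the script below does that correlation over a constructed interaction log: it extracts the token from the queried hostname (targets often prepend their own labels, so the token is the label directly left of the Collaborator domain), groups interactions per token, turns the set of types into a verdict (DNS only versus DNS plus HTTP versus SMTP), and flags tokens that belong to none of your payloads. The log format, tokens, injection-point names and IPs are all constructed; the real client shows the same fields in its table.

```python
"""Added example (not from the original post): attributing Collaborator
interactions to the injection point that triggered them. Log format,
tokens, IPs and injection-point labels are constructed."""
from collections import defaultdict

COLLAB_DOMAIN = "burpcollaborator.net"

# One token per injection point so every callback maps to exactly one input.
# Tokens are constructed; the real client issues random ones.
PAYLOADS = {
    "abc123def456": "GET /profile?avatar=",
    "f00d00cafe11": "POST /import (XML body, XXE entity)",
    "beef0badc0de": "Contact form: email field",
}

# Constructed log: "<timestamp> <TYPE> <queried or requested host> <source ip>"
INTERACTIONS = """\
2025-03-30T10:01:02Z DNS abc123def456.burpcollaborator.net 192.0.2.7
2025-03-30T10:01:02Z HTTP abc123def456.burpcollaborator.net 192.0.2.7
2025-03-30T10:01:09Z DNS x7.f00d00cafe11.burpcollaborator.net 192.0.2.7
2025-03-30T10:02:40Z SMTP beef0badc0de.burpcollaborator.net 192.0.2.20
2025-03-30T10:03:11Z DNS deadbeef0000.burpcollaborator.net 198.51.100.9
"""


def token_from_host(host, domain=COLLAB_DOMAIN):
    """Return the payload token: the label directly left of the Collaborator
    domain. Targets may prepend labels (x7.<token>.<domain>), so take the
    last label of the prefix, not the first. None if the host is unrelated."""
    host = host.lower().rstrip(".")
    suffix = "." + domain
    if not host.endswith(suffix):
        return None
    prefix = host[: -len(suffix)]
    return prefix.rsplit(".", 1)[-1] if prefix else None


def parse_interactions(text):
    """Parse the constructed four-column log into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, itype, host, src = parts
        records.append({"time": ts, "type": itype.upper(), "host": host, "src": src})
    return records


def classify(types):
    """Turn the set of interaction types seen for one token into a verdict."""
    if "HTTP" in types:
        return "outbound HTTP confirmed (full SSRF/XXE fetch)"
    if "SMTP" in types:
        return "mail delivery attempted (email injection vector)"
    if "DNS" in types:
        return "DNS only: hostname resolved but no HTTP (egress filtered or resolver-only)"
    return "no interaction"


def correlate(payloads, text):
    """Map each injection point to its interactions and verdict, and list
    tokens that were seen but belong to none of our payloads."""
    seen = defaultdict(lambda: {"types": set(), "sources": set(), "times": []})
    for rec in parse_interactions(text):
        token = token_from_host(rec["host"])
        if token is None:
            continue
        seen[token]["types"].add(rec["type"])
        seen[token]["sources"].add(rec["src"])
        seen[token]["times"].append(rec["time"])
    report = {}
    for token, point in payloads.items():
        entry = seen.get(token, {"types": set(), "sources": set(), "times": []})
        report[point] = {
            "token": token,
            "types": sorted(entry["types"]),
            "sources": sorted(entry["sources"]),
            "first_seen": min(entry["times"]) if entry["times"] else None,
            "verdict": classify(entry["types"]),
        }
    unattributed = sorted(t for t in seen if t not in payloads)
    return report, unattributed


if __name__ == "__main__":
    report, unknown = correlate(PAYLOADS, INTERACTIONS)
    for point, info in report.items():
        print(f"{point}: {info['verdict']} types={info['types']} from={info['sources']}")
    print("unattributed tokens:", unknown)
```

A DNS-only result is worth keeping rather than discarding: it proves the target parsed and resolved your value even when an egress filter stopped the HTTP request, and the unattributed list is how you notice callbacks from a concurrent scan or another tester sharing the same Collaborator server.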


5. Automation with Active Scans

Burp's Active Scanner integrates Collaborator automatically.

Make sure:

Scanner → Scan Configuration → Issue Definitions → Use Collaborator

This allows detection of:

  • Blind command injection
  • Time-delay SQLi (via DNS)
  • Misconfigured email injection

6. Self-Hosting Burp Collaborator (Advanced)

To host your own private instance:

git clone https://github.com/PortSwigger/burp-collaborator
cd burp-collaborator
./build.sh

Advantages:

  • Avoid detection by security appliances
  • Monitor internal-only systems
  • Full control over DNS/HTTP logs

Final Notes

Burp Collaborator isn't about payloads — it's about listening.

It excels where reflection-based testing fails: when the application talks back asymmetrically.

In future posts:

  • Practical SSRF chaining with Collaborator
  • Blind XSS + DOM-based data exfiltration
  • Automating OAST payloads in CI pipelines

Observe the unseen. Exploit the quiet. Own the blind surface.
