Burp Collaborator client is a tool for making use of Burp Collaborator during manual testing. You can use the Collaborator client to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.
To run Burp Collaborator client, go to the Burp menu and select Burp Collaborator client.
The following functions are available:
Please take note of the following when using the Burp Collaborator client:
We periodically add new domain names for the public Collaborator server to reduce the chance of WAF blacklisting resulting in false negatives. By default, the Burp Collaborator client always uses the newest public Collaborator domain that was available when your current version of Burp Suite Professional was released. At the moment, this will either be burpcollaborator.net or oastify.com.
To ensure that you experience the full benefits of Burp Collaborator, please make sure that the machine running the Burp Collaborator client can access both of these domains on ports 80 and 443.
In some situations, it isn't possible to trigger any noticeable effect in the application's response, either in its contents or in the time taken to receive it. In this situation, it is possible to detect vulnerabilities by causing the database to make an out-of-band network connection to the tester's server. Burp Scanner uses this technique via the Burp Collaborator feature.
The following steps demonstrate the process of using the Collaborator client to manually verify a vulnerability based on a Collaborator interaction.
In our example, Burp Scanner has sent a payload that injects a SQL query that calls the SQL Server's xp_dirtree stored procedure with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
We can use the Collaborator client to verify this finding.
In our example, we've identified the Collaborator payload in the request and sent the request to the Repeater.
We'll need to replace the payload with a payload generated by the Collaborator client.
There is no cross-talk of payloads or interactions between separate client windows, or between the Collaborator client and Burp Scanner. Hence, if you close a client window, or use a payload generated by the Scanner, there is no way to retrieve any further interactions resulting from its payloads.
Use the Copy to clipboard function to copy your payload.
You can generate a specified number of Collaborator payloads and copy these to the clipboard. You can use these in manual testing, for example using Burp Intruder or Repeater.
Paste the Collaborator client payload into the appropriate place and forward the request.
Use the Poll now function to retrieve details of any network interactions resulting from your payload.
In this example, the Collaborator server received a DNS lookup, confirming that the injected SQL query was executed.
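The DNS lookup in the final step is also what a defender sees from the other side: a resolver on the tested network receives a query for the payload's subdomain under a Collaborator domain. The following is an added example, not PortSwigger's code, that scans constructed resolver log lines (a hypothetical `timestamp client qname qtype` format is assumed) for lookups under the two public Collaborator domains named above and groups them by client and payload label, so that an out-of-band callback from an injected query can be spotted and attributed to the host that issued it.

```python
import re
from collections import defaultdict

# Public Collaborator domains named in the text above.
COLLABORATOR_DOMAINS = ("burpcollaborator.net", "oastify.com")

# Constructed sample resolver log lines; the format (timestamp, client IP,
# query name, query type) is a hypothetical one chosen for this example.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 www.example.com A
2024-05-01T10:00:04Z 10.0.5.42 abc123xyz.oastify.com A
2024-05-01T10:00:05Z 10.0.5.42 abc123xyz.oastify.com AAAA
2024-05-01T10:00:09Z 10.0.7.9 k9q2w.burpcollaborator.net A
2024-05-01T10:00:12Z 10.0.5.20 mail.example.com MX
2024-05-01T10:00:15Z 10.0.5.42 notoastify.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def collaborator_label(qname):
    """Return the label directly beneath a Collaborator domain (assumed to be the
    payload identifier), or None if qname is not under a Collaborator domain.
    A suffix match with a leading dot avoids false hits such as notoastify.com."""
    name = qname.rstrip(".").lower()
    for domain in COLLABORATOR_DOMAINS:
        if name.endswith("." + domain):
            return name[: -len(domain) - 1].split(".")[-1]
    return None


def find_oast_callbacks(log_text):
    """Count Collaborator lookups per (client IP, payload label).
    Repeated A/AAAA queries for the same payload are folded into one entry."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, qname, _qtype = m.groups()
        label = collaborator_label(qname)
        if label is not None:
            hits[(client, label)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, label), count in find_oast_callbacks(SAMPLE_DNS_LOG).items():
        print(f"{client} resolved Collaborator payload {label!r} ({count} queries)")
```

The payload label can be matched against the payloads your own testers generated with the Collaborator client; a label nobody recognises is worth an incident ticket.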