1. Support Center
  2. Documentation
  3. Burp Collaborator

Burp Collaborator

This section contains information about What Burp Collaborator is, How Burp Collaborator works, Security of data processed by Burp Collaborator, and Options for using Burp Collaborator.

What is Burp Collaborator?

Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities. For example:

When Burp Collaborator is being used, Burp sends payloads to the application being audited that are designed to cause interactions with the Collaborator server when certain vulnerabilities or behaviors occur. Burp periodically polls the Collaborator server to determine whether any of its payloads have triggered interactions:

Burp Collaborator

Burp Collaborator is used by Burp Scanner and the manual Burp Collaborator client, and can also be used by the Burp Extender API.

How Burp Collaborator works

Burp Collaborator runs as a single server that provides custom implementations of various network services:

Below are some examples of issues that can be detected via Burp Collaborator.

Detecting external service interaction

A typical external service interaction issue can be detected as follows:

Detecting external service interaction

Detecting out-of-band resource load

Out-of-band resource load happens when an application can be induced to load content from an arbitrary external source, and include it in its own response. Burp Suite can detect this issue by inducing the Collaborator server to return specific data in its responses to the external interactions, and analyzing the application's in-band response for that same data:

Detecting out-of-band resource load

Detecting blind SQL injection

Burp can submit injection-based payloads designed to trigger an external interaction when the injection is successful, enabling the detection of completely blind injection vulnerabilities. The following example uses an Oracle-specific API to trigger an interaction when we successfully inject into a SQL statement:

Detecting blind SQL injection

Detecting blind cross-site scripting

The Collaborator server can notify Burp of deferred interactions that occur asynchronously following submission of the relevant in-band payload to the target. This enables the detection of various stored vulnerabilities, such as second-order SQL injection and blind XSS. In the example below, Burp Suite submits a stored XSS payload designed to trigger a Collaborator interaction if it is ever rendered to a user. Later, an admin user views the payload, and their browser performs the interaction. Later still, Burp Suite polls the Collaborator server, receives details of the interaction, and reports the stored XSS vulnerability:

Detecting blind cross-site scripting

Security of Collaborator data

Users may have legitimate concerns about the security of data that is processed by the Collaborator server, and the feature has been designed with a strong emphasis on the security of this data.

What data does the Collaborator server store?

In most cases, when a vulnerability is found, the Collaborator server will not receive enough information to identify the vulnerability. It does not see the HTTP request that was sent from Burp to the target application. In a typical case, it will record that an interaction was received from somewhere, including a random identifier that was generated by Burp. Occasionally, the Collaborator server will receive some application-specific data: for example, the contents of an email generated through a user registration form.

How is retrieval of Collaborator data controlled?

The Collaborator functionality is designed so that only the instance of Burp that generated a given payload is able to retrieve the details of any interactions that result from that payload. This requirement is implemented as follows:

Further to this mechanism, the following precautions are also implemented in the Collaborator server to protect against unauthorized access to its data:

Options for using Burp Collaborator

Burp users can choose between the following three options for using Burp Collaborator:

Note: The functionality of Burp Collaborator gives rise to issues that require careful consideration by users. Users should ensure that they fully understand the functionality and the alternative methods of utilization of Burp Collaborator, and have considered the consequences of utilization for themselves and their organization.

Within Burp Suite Professional, you can configure these settings within the Burp Collaborator server options.