
Collaborator settings

  • Last updated: November 25, 2022

  • Read time: 3 Minutes

Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, such as external service interaction and out-of-band XSS.

Note

For more details about how Burp Collaborator works, see Burp Collaborator.

The Burp Collaborator server settings enable you to choose which Collaborator server you want to use:

  • Use the default Collaborator server - Select this setting to use a public, shared Collaborator server provided by PortSwigger. PortSwigger makes no warranty about the availability or performance of this server. If the public Collaborator server suffers from any service outage or degradation, then Collaborator-related functionality within Burp may be affected.
  • Don't use Burp Collaborator - Select this setting to disable all of Burp's Collaborator-related capabilities.
  • Use a private Collaborator server - Select this setting to use your own instance of the Collaborator server. For more information on this process, see Deploying a private Collaborator server.

Note

We periodically add new domain names for the public Collaborator server to reduce the chance of false negatives as a result of WAF blacklisting. By default, the Burp Collaborator client and Burp Scanner always use the newest public Collaborator domain that was available when your current version of Burp Suite Professional or Burp Scanner was released. At the moment, this will either be *.burpcollaborator.net or *.oastify.com.

To ensure that you experience the full benefits of Burp Collaborator, please make sure that the machine running Burp Scanner or the Burp Collaborator client can access both of these domains on ports 80 and 443.

In addition, the target application must be able to access *.burpcollaborator.net and *.oastify.com on ports 80 and 443.

If you choose to use a private Collaborator server then you need to configure its location. You can provide the following information:

  • Server location - This is the domain name or IP address of your server. If you specify an IP address then any Collaborator-related functionality that relies on DNS resolution will not be available. For more details, see Burp Collaborator.
  • Polling location (optional) - You can specify the location in which your private Collaborator server answers polling requests. Collaborator servers can be configured to receive interactions and answer polling requests on different network interfaces, if required. You can specify the polling location by hostname or IP address, with an optional port number separated by a colon. For example, 10.20.30.40:8008.

Note

If you have configured your Collaborator server to use non-standard ports, then you must specify those ports here.

For more information on configuring non-standard ports, see Running on non-standard ports.

The following options are also available:

  • Poll over unencrypted HTTP - By default, Burp polls the Collaborator server over HTTPS, and enforces TLS trust to prevent man-in-the-middle attacks. If your instance of Burp is unable to poll directly over HTTPS (for example, due to your network configuration), you can opt to poll over unencrypted HTTP.
  • Run health check - Select this setting to perform a quick health check of your configured Collaborator server. Burp verifies whether it is possible to interact with the server using various network services, and whether it can retrieve the details of these interactions via polling. Based on these tests, you can determine whether Burp is likely to be able to make use of the Collaborator's features.
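A pre-flight check for these settings, written here as an added example rather than PortSwigger's own code: it applies the rules stated above for the Server location (an IP address means DNS-based functionality is unavailable), splits a Polling location into host and optional port, and probes both public Collaborator domains on ports 80 and 443 before you run the built-in health check. Probing the apex domains, rejecting bare IPv6 literals as ambiguous, and the injectable `connect` parameter are assumptions made for this example.

```python
"""Pre-flight checks for Burp Collaborator settings (added example, not PortSwigger code)."""
import ipaddress
import socket

# From the page: the client machine must reach *.burpcollaborator.net and
# *.oastify.com on ports 80 and 443. Probing the apex names is an assumption.
PUBLIC_DOMAINS = ("burpcollaborator.net", "oastify.com")
REQUIRED_PORTS = (80, 443)


def classify_server_location(value):
    """Return (is_ip, dns_features_available) for a 'Server location' value."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return True, False   # IP address: DNS-reliant Collaborator features unavailable
    except ValueError:
        return False, True   # hostname: DNS resolution works, full functionality


def parse_polling_location(value):
    """Split 'host[:port]' into (host, port); port is None when omitted.

    The page specifies an optional port separated by a colon, so a bare IPv6
    literal is ambiguous; we reject it rather than guess (assumption).
    """
    value = value.strip()
    if value.count(":") > 1:
        raise ValueError("ambiguous polling location (IPv6 literal?): %r" % value)
    host, sep, port = value.partition(":")
    if not host:
        raise ValueError("empty host in polling location")
    if not sep:
        return host, None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port in polling location: %r" % port)
    return host, int(port)


def check_public_reachability(connect=socket.create_connection, timeout=5.0):
    """TCP-connect to both public domains on 80 and 443; returns {(host, port): bool}.

    `connect` is injectable so the check can run offline in a test.
    """
    results = {}
    for domain in PUBLIC_DOMAINS:
        for port in REQUIRED_PORTS:
            try:
                connect((domain, port), timeout).close()
                results[(domain, port)] = True
            except OSError:
                results[(domain, port)] = False
    return results
```

Any `False` entry from `check_public_reachability` points at an egress filter on the client side, which the Collaborator health check would also report as a failure to retrieve interactions.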

The Burp Collaborator server settings are project settings. They apply to the current project only.
