Last updated: October 20, 2023
Read time: 3 Minutes
You can manually use Burp Collaborator to induce your target application to interact with the external Collaborator server, and then identify that the interaction has occurred. This enables you to search for invisible vulnerabilities, which don't otherwise send a noticeably different response to a successful test attack.
Automated Burp Collaborator functionality is used by Burp Scanner and some BApps in both Burp Suite Enterprise and Burp Suite Professional. For more information, see the Burp Collaborator documentation for both Burp Suite Professional and Burp Suite Enterprise. This documentation also covers:
The general process for manual use of Burp Collaborator is:
- Generate Collaborator payloads, which are subdomains of the Collaborator server's domain.
- Insert the payloads into a request and send the request to the target application.
- Poll the Collaborator server, to see whether the application uses the injected payload to interact with any network services.
You can directly insert Collaborator payloads into any request that is open in Burp Repeater. Right-click on the request and select Insert Collaborator payload.
You can automatically insert Collaborator payloads into a Burp Intruder attack. For more information, see Payload types - Collaborator payloads.
You can also generate multiple payloads at once in the Collaborator tab:
- Enter the number of Collaborator payloads that you want to generate in the Payloads to generate field.
- To include the full Collaborator server address in your payloads, select Include Collaborator server location. If this is not selected, only the Collaborator ID is included in your payloads.
- Click Copy to clipboard to copy the specified number of payloads.
- To access the payloads, paste them into a document.
When you send the payloads in a request, the application may perform a DNS lookup on the payload subdomain. It may then initiate another network connection, such as a HTTP or SMTP request. The interactions are received by the Collaborator server: they may indicate that the application is vulnerable.
We periodically add new domain names for the public Collaborator server to reduce the chance of WAF blacklisting, which results in false negatives. By default, Burp Collaborator uses the domain in use when your version of Burp Suite Professional was released.
Currently, the domains in use are
*.oastify.com. Make sure that your machine and target application can access both these domains on ports 80 and 443.
You can view whether any interactions were received by the Collaborator server in the Collaborator tab. Burp automatically polls the Collaborator server for results every 60 seconds. To poll manually, click the Poll now button.
Results are displayed in the table:
- To sort the table's contents, click any column header.
- You can add comments and highlights to results. Right-click any result and select Comment or Highlight.
You can track interactions from different payloads in separate tables. To do this, generate Collaborator payloads in different result tabs. Each tab only displays the results of payloads that it generated. All tabs share the same polling schedule, so the load on the server doesn't increase.
If you insert Collaborator payloads into a request with Burp Intruder, the results are only shown in the attack results window. You won't be able to view the results in the Collaborator tab. Save the attack to view the results in the future.
Was this article helpful?
An error occurred, please try again.