In some situations, it isn't possible to trigger any noticeable effect in the application's response, either in its contents or in the time taken to receive it. In this situation, it is possible to detect vulnerabilities by causing the database to make an out-of-band network connection to the tester's server. Burp Scanner uses this technique via the Burp Collaborator feature.
Burp Collaborator client is a tool for making use of Burp Collaborator during manual testing. You can use the Collaborator client to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.
This article will demonstrate the process of using the Collaborator Client to manually verify a vulnerabilty based on a collaborator interaction.
In our example, Burp Scanner has sent a payload that injects a SQL query that calls the SQL Server's xp_dirtree stored procedure with a UNC file path that references a URL on an external domain.
The application interected with that domain, indicating that the injected SQL query was executed.
We can use the Collaborator Client to verify this finding.
In our example, we've identified the Collaborator payload in the request and sent the reqest to the Repeater.
We'll need to replace the payload with a payload generated by the Collaborator Client.
There is no cross-talk of payloads or interactions between separate client windows or Burp Collaborator. Hence, if you close a client window, or use a payload generated by the Scanner, there is no way to retrieve any further interactions resulting from its payloads.
To run Burp Collaborator client, go to the Burp menu and select "Burp Collaborator client".
Use the "Copy to clipboard" function to copy your payload.
Note: You can generate a specified number of Collaborator payloads and copy these to the clipboard. You can use these in manual testing, for example using Burp Intruder or Repeater.
Paste the Collaborator Client payload in to the appropriate place and forward the request.
Use the "Poll now" function to retrieve details of any network interactions resulting from your payload.
In this example the Collaborator server recieved a DNS lookup, confirming that the injected SQL query was executed