Mastering Burp Collaborator: Detecting Out-of-Band Vulnerabilities with Precision

Not all vulnerabilities return visible errors or flags.
Some are silent — only visible through their out-of-band behavior.
Burp Collaborator is a powerful tool designed to detect such vulnerabilities by monitoring for DNS, HTTP, and SMTP interactions from the target system.
This guide walks through practical use cases and methodology.
1. What is Burp Collaborator?
Burp Collaborator is an external interaction service that listens for connections initiated by a vulnerable application.
It allows you to detect:
- SSRF (Server-Side Request Forgery)
- Blind XSS
- Blind SQLi (via LOAD_FILE() or xp_dirtree)
- Command injection (e.g., curl, wget)
- XML External Entity (XXE) exploits
2. Setting Up Collaborator
If you're using Burp Suite Pro, Collaborator is built in.
Go to:
Burp → Project Options → Misc → Burp Collaborator client
Choose:
- Use Burp Collaborator's default server (public)
- Or self-host your own Collaborator instance for stealth/internal testing
3. Generate Collaborator Payload
Open:
Burp → Burp Collaborator client → Copy to clipboard
You’ll receive a payload like:
abc123def456.burpcollaborator.net
Inject this into suspect input points:
GET /profile?avatar=http://abc123def456.burpcollaborator.net HTTP/1.1
Or:
]>
4. Monitor Interactions
After sending the payload, check the Collaborator Client:
- DNS interaction: server attempted name resolution
- HTTP interaction: server actually requested the resource
- SMTP interaction: possible email-based vector
Each interaction is listed with its timestamp, source IP, and type, confirming that the target made an external connection.
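From the defender's side, the same DNS and HTTP interactions show up in egress logs. The following is an added example (not part of the original post or of Burp) that scans constructed resolver and proxy log lines for hosts under the public Collaborator domain and separates clients that only resolved the name from those that also fetched it; the log formats and IP addresses are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Public Collaborator suffix shown on this page; extend with others you track.
OAST_SUFFIXES = (".burpcollaborator.net",)

# Constructed sample logs (not real traffic). Assumed formats:
#   resolver: "<ts> <client_ip> query <qname> <qtype>"
#   proxy:    "<ts> <client_ip> <method> <url>"
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.4.17 query abc123def456.burpcollaborator.net A
2024-05-01T10:00:02Z 10.0.4.17 query cdn.example.com A
2024-05-01T10:03:40Z 10.0.9.30 query zz9.abc123def456.burpcollaborator.net A
2024-05-01T10:05:00Z 10.0.9.31 query notburpcollaborator.net A
"""
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.4.17 GET http://abc123def456.burpcollaborator.net/
2024-05-01T10:00:05Z 10.0.4.17 GET http://cdn.example.com/logo.png
"""

def is_oast_host(host):
    # Match on a dot-prefixed suffix so look-alike names do not trigger.
    host = host.lower().rstrip(".")
    return any(host.endswith(s) for s in OAST_SUFFIXES)

def find_oast_interactions(dns_log, proxy_log):
    """Return {client_ip: {"DNS", "HTTP"}} for lookups/fetches of OAST hosts."""
    seen = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "query" and is_oast_host(parts[3]):
            seen[parts[1]].add("DNS")
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and is_oast_host(urlsplit(parts[3]).hostname or ""):
            seen[parts[1]].add("HTTP")
    return dict(seen)

def triage(interactions):
    """HTTP: the host requested the resource. DNS alone: it only resolved the name."""
    return {ip: "fetched" if "HTTP" in kinds else "resolved-only"
            for ip, kinds in interactions.items()}

if __name__ == "__main__":
    print(triage(find_oast_interactions(DNS_LOG, PROXY_LOG)))
```

Suffix matching only covers the public server; a self-hosted instance on its own domain needs other signals.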
5. Automation with Active Scans
Burp's Active Scanner integrates Collaborator automatically.
Make sure:
Scanner → Scan Configuration → Issue Definitions → Use Collaborator
This allows detection of:
- Blind command injection
- Time-delay SQLi (via DNS)
- Misconfigured email injection
6. Self-Hosting Burp Collaborator (Advanced)
To host your own private instance:
git clone https://github.com/PortSwigger/burp-collaborator
cd burp-collaborator
./build.sh
Advantages:
- Avoid detection by security appliances
- Monitor internal-only systems
- Full control over DNS/HTTP logs
Final Notes
Burp Collaborator isn't about payloads — it's about listening.
It excels where reflection-based testing fails: when the application talks back asymmetrically.
In future posts:
- Practical SSRF chaining with Collaborator
- Blind XSS + DOM-based data exfiltration
- Automating OAST payloads in CI pipelines
Observe the unseen. Exploit the quiet. Own the blind surface.