Today I will show you a new Burp Suite plugin, Handy Collaborator, that the colleague of mine Gianluca and I wrote in order to make it possible to use Burp Suite Collaborator also during manual testing.
Burp Suite Collaborator is an external server added to Burp Suite in order to discover out-of-band vulnerabilities and issues that can be found only from external service interaction. It is a great tool and increases the power of Burp Suite Scanner a lot. But this tool is not useful only during automatic testing. It can be great also during manual testing!
Some examples of use cases in which this tool can be great are:
- You can’t use automatic scanner (test on critical web application)
- You want to reproduce a Collaborator issue discovered by the Active Scanner
- You want to test an issue discoverable with external service interaction with the payload encoded in Base64 (o something more strange). Burp Suite automatic scanner will not find the issue (because it does not encode correctly the payload) but it is easily discoverable with manual testing and Handy Collaborator!
- You simply need an external server for your manual tests!
- And so on!
Burp Suite offers a client to manually use Collaborator, but it slows down a lot the manual testing, because you need to switch tab, manually generate a new payload for every test and manually execute polling. With Handy Collaborator, all is done transparently in background and every interaction is added as a new issue!
The Handy Collaborator plugin is very simple to use. After downloading and loading it, two new entries will appear in the contextual menu of Burp Suite’s editable tabs:
By clicking the first one (“Insert collaborator payload”) a Collaborator payload is inserted into the selected point (it works both if you click a point or if you select a portion of the request):
By clicking the second entry (“Insert collaborator insertion point”) a custom insertion point (Intruder like) will be inserted in the request. Each time you will execute the request the insertion point will be automatically replaced with a newly generated Collaborator payload. You can also add more than one custom insertion point and a different Collaborator payload will be inserted in each point:
The plugin starts a thread that will poll the Collaborator server every 3 seconds. If an interaction is found, it is reported as a Burp Suite issue:
Currently, due to limitations in Burp Suite API, it is not possible to retrieve details on Collaborator interactions related to the payloads generated with this extension after unloading the extension or closing Burp Suite. The reason is that it is not possible to save the Collaborator context. An issue has been opened in Burp Suite Support Center on February 2017 and maybe this feature will be added in future (fingers crossed).
And that’s all. You can download the plugin from the “Release” tab of the GitHub repository: