In April of 2015, Portswigger released Burp Collaborator, a tool focused on testing for out-of-band web app vulnerabilities. Almost a year later, it is still either largely unused or not understood. This talk covers the basics of how Burp Collaborator works, the vulnerabilities it can help discover, how they can be exploited, and the requirements to set up a private Burp Collaborator server.
3. DEFINITION
burp col·lab·o·ra·tor
/bərp kəˈlabəˌrādər/
noun
1. A person who works jointly with others to synergize the production of a noise made by air released from the stomach through the mouth.
2. Portswigger's wicked tool for out-of-band and external service interaction vulnerability detection.
5. WHAT DOES THAT EVEN MEAN?
• Burp Collaborator runs three services that respond to any request:
  • HTTP
  • HTTPS
  • DNS
• The Burp Scanner injects payloads that have the potential to force the target application or a downstream system to query the Burp Collaborator server.
6. MMMM KAAAYYYY… SO WHAT?
• As of Burp Pro v1.6.36, this allows Burp Collaborator to detect three vulnerabilities that it previously could not:
  • External service interaction (DNS)
  • External service interaction (HTTP)
  • Out-of-band resource load (HTTP)
7. EXTERNAL SERVICE INTERACTION (DNS)
• Severity: High
• Indicates the attack forced the application or another backend system to attempt to interact with an external service.
• If this is the only Collaborator issue identified, it can mean egress filters prevent other service interactions.
8. EXTERNAL SERVICE INTERACTION (HTTP)
• Severity: High
• Indicates the application interacted with your Collaborator server over HTTP or HTTPS.
• Means the application can be used to attack other applications or services:
  • Third parties
  • Internal systems
  • Loopback address and services
9. OUT-OF-BAND RESOURCE LOAD (HTTP)
• Severity: High
• Indicates the application can be forced to retrieve content from an arbitrary location and incorporate it into the application's responses.
• Similar to remote file inclusion.
• Can be used as a two-way attack proxy to attack other systems.
• Limited only by the attacker's creativity (XSS, SQL injection, command injection, DDoS, etc.).
18. THE FULL POTENTIAL
• Out-of-band XSS
• "Super-blind" injections
• Stored blind injections
• Deferred interactions
• Other network services: SMTP, NTLM, SSH
19. OUT OF BAND XSS
• Detected by the out-of-band resource load check.
• Think remote file inclusion, but with a script.
• So it's not necessarily stored, it's not reflected, and it's not DOM-based.
• Other client-side issues could include HTTP response header injection and open redirection.
20. “SUPER BLIND” INJECTION
• Injection attacks where there is no way to detect success in the application's response, whether by content, timing, or the like.
• Typically a back-end system that takes action on the payload via:
  • SQL injection
  • Command injection
  • XXE injection
21. OUT OF BAND INJECTION
• Similar to the “super blind” injection, but in the application itself instead of a backend system.
• Depending on how the application processes the response, it could be vulnerable to any input-based vulnerability:
  • Server-side code execution
  • SQL injection
  • Command injection
  • XSS
  • etc.
22. DEFERRED INTERACTION
• Stored versions of the previously mentioned attacks.
• Able to link an entry point and a retrieval point within the application.
• There is the potential that the injection is stored in a part of the application the tester doesn't have access to, or in a different application altogether.
• Conceptually, think about Deral Heiland's XSS attack against Aruba WIDS by setting his SSID to <script>alert(XSS)</script>
  • HTTP://FOOFUS.NET/~PERCX/PAPERS/PRACTICAL_EXPLOITATION_SSID.PPTX
23. TESTING AFTER DNS INTERACTION
• If Collaborator detects a DNS interaction but not the other two, use egress busting techniques.
• Use Intruder to inject payloads while iterating port numbers.
• If you have command injection on a *nix box, use netcat:
  • /bin/nc -zv bc.funsec.net 1-65535 2>&1
  • for ((i=1; i<65535; i++)); do echo >/dev/tcp/localhost/$i && echo "$i open"; done 2>/dev/null
• Command injection on Windows:
  • PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
  • C:\> for /L %i in (1,1,1024) do @((echo open 10.1.1.14 %i)&(echo quit)) | ftp 2>&1 | find "host" && @echo %i is open
24. TESTING WITH HTTP(S) INTERACTION
• Try Metasploit service authentication captures.
• Server-side request forgery.
25. TESTING OUT OF BAND RESOURCE LOADS
• BeEF
• Metasploit Browser Autopwn
• Localhost services
26. MIA: MANUAL TOOLS
• Portswigger's announcement mentions a Collaborator client and Intruder integration that would allow you to customize responses from the server, but nothing more has been said.
29. OTHER ROADMAP ITEMS
• Out-of-band versions of all input-based scan checks.
• Detection of various "super-blind" vulnerabilities.
• Checks for stored versions of all relevant vulnerabilities.
• Handling of deferred interactions and retrospective reporting of resulting issues.
• Support for other network service protocols, and associated test payloads.
• Manual testing tools.
30. WHAT DATA DOES THE SERVER STORE?
• It does have:
  • Source IP of the system initiating the interaction
  • The unique string used to identify the request that resulted in the interaction
  • Any application-specific data included in the request
• It does not have:
  • The original request made by the Burp Scanner to the target application
32. SECURITY OF DATA
• Each instance of Burp Suite generates a secure random secret.
• Each Collaborator payload has a random identifier derived from a cryptographic hash of the secret.
• The secret is only ever communicated from Burp to the Collaborator server during polling.
• The server takes the secret, calculates the hash, and looks for corresponding payloads.
34. WHAT DOES COLLABORATOR DO WITH THE DATA?
• Details of interactions are stored in ephemeral process memory only.
• No data of any kind is recorded in persistent form, for example in a database or log file.
• Details of interactions are typically retrieved by Burp shortly after they occur, and are then discarded by the server.
• Old interactions that have not been retrieved are discarded after a fixed interval. (How long?)
• There is no administrative function for viewing interaction details, only the retrieval mechanism already described.
• The Collaborator server does not by design receive any data that could be used to identify any individual Burp user (such as an account name or license key).
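To make slides 30, 32 and 34 concrete, here is an added toy model (my own code, not Portswigger's implementation) of how a Collaborator server can tie payloads to a per-instance secret, hand interactions back only to a poll carrying that secret, and discard them afterwards. The domain bc.funsec.net is the talk's; the 3600-second retention window, the nonce-plus-hash label layout and the classify helper (which also applies the slide 7 "DNS only means egress filtering" inference) are assumptions.

```python
import hashlib
import secrets
DOMAIN = "bc.funsec.net"  # the talk's private Collaborator domain

def client_id(secret: str) -> str:
    # Derived from a cryptographic hash of the per-instance secret (slide 32).
    return hashlib.sha256(secret.encode()).hexdigest()[:24]

def new_payload(secret: str) -> str:
    # Unique per payload: an 8-hex-char nonce plus the hash-derived id, as a host under DOMAIN.
    return f"{secrets.token_hex(4)}{client_id(secret)}.{DOMAIN}"

class CollaboratorModel:
    TTL = 3600  # assumed retention window; the slides ask "how long?" and do not say

    def __init__(self):
        self.pending = {}  # client_id -> [interaction]; process memory only (slide 34)

    def record(self, host: str, kind: str, src_ip: str, now: float) -> bool:
        # Called by the toy DNS/HTTP listener; names outside DOMAIN are ignored.
        host = host.lower().rstrip(".")
        if not host.endswith("." + DOMAIN):
            return False
        label = host[:-len(DOMAIN) - 1].split(".")[-1]  # label directly under DOMAIN
        self.pending.setdefault(label[8:], []).append(  # key on the id after the nonce
            {"payload": label, "kind": kind, "src_ip": src_ip, "time": now})
        return True

    def expire(self, now: float) -> None:
        # Unretrieved interactions are dropped after a fixed interval.
        fresh = {c: [i for i in v if now - i["time"] < self.TTL] for c, v in self.pending.items()}
        self.pending = {c: v for c, v in fresh.items() if v}

    def poll(self, secret: str, now: float) -> list:
        # Burp sends the secret; the server hashes it, returns the matches and discards them.
        self.expire(now)
        return self.pending.pop(client_id(secret), [])

def classify(interactions: list) -> list:
    # Map what the server saw to the issues of slides 6 to 9. An out-of-band resource load
    # cannot be judged here: the server never sees the target's response (slide 30).
    kinds = {i["kind"] for i in interactions}
    issues = []
    if "dns" in kinds:
        issues.append("External service interaction (DNS)")
    if "http" in kinds:
        issues.append("External service interaction (HTTP)")
    if kinds == {"dns"}:
        issues.append("Only DNS seen: egress filtering may block other protocols (slide 7)")
    return issues
```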
37. SYSTEM REQUIREMENTS
• Can run on a single-core cloud instance with only 512MB of RAM.
• Requires a wildcard certificate for HTTPS interactions and secure polling.
• Configure based on the expected volume of usage:
  • Small number of expected users:
    sudo java -Xms10m -Xmx200m -XX:GCTimeRatio=19 -jar burp.jar --collaborator-server
  • Larger number of users:
    sudo java -Xmx3g -Xms3g -jar burp.jar --collaborator-server
39. DNS CONFIGURATION
• You need an NS record that eventually leads to your Collaborator server.
• I created 2 records:
  • NS = ns1.bc.funsec.net
  • A = bc.funsec.net
40. DNS CONFIGURATION
• I own funsec.net, and created the subdomain bc.funsec.net strictly for Burp Collaborator.
• Collaborator responds with the same IP no matter what the query.
41. CONFIG FILE
• Looks for a collaborator.conf file in the same directory you ran the tool from.
• Other paths can be specified with this argument:
  • --collaborator-config=myconfig.config
42. CONFIG FILE – OTHER OPTIONS
• The metrics path is used as a secret key, so make it good. The one shown on the slide is the example from Portswigger's site, so NEVER use it.
50. REFERENCES
• https://portswigger.net/burp/help/collaborator_deploying.html
• Server-side request forgery: http://sethsec.blogspot.com/2015/12/exploiting-server-side-request-forgery.html
• Native CLI port scanning: http://blog.commandlinekungfu.com/2010/04/episode-89-lets-scan-us-some-ports.html
• Super blind XSS: HTTP://FOOFUS.NET/~PERCX/PAPERS/PRACTICAL_EXPLOITATION_SSID.PPTX
• DNS Made Easy Videos. (2012, February 27). DNS Explained. Retrieved February 2, 2016, from HTTPS://WWW.YOUTUBE.COM/WATCH?V=72SNZCTFFTA&INDEX=1&LIST=LLG7ONF1ZVQSYEKD9M4BR5-G
Editor's Notes
Burp Suite polls the collaborator server by accessing “polling.bc.funsec.net”