Professional

Burp Collaborator

• Last updated: January 24, 2025

• Read time: 4 Minutes

You can manually use Burp Collaborator to induce your target application to interact with the external Collaborator server, and then identify that the interaction has occurred. This enables you to search for invisible vulnerabilities, which don't otherwise send a noticeably different response to a successful test attack.

The general process for manual use of Burp Collaborator is:

1. Generate Collaborator payloads, which are subdomains of the Collaborator server's domain.
2. Insert the payloads into a request and send the request to the target application.
3. Poll the Collaborator server, to see whether the application uses the injected payload to interact with any network services.

Generating payloads

You can directly insert Collaborator payloads into any request that is open in Burp Repeater. Right-click on the request and select Insert Collaborator payload.

You can automatically insert Collaborator payloads into a Burp Intruder attack. For more information, see Payload types - Collaborator payloads.

You can also generate multiple payloads at once in the Collaborator tab:

1. Enter the number of Collaborator payloads that you want to generate in the Payloads to generate field.
2. To include the full Collaborator server address in your payloads, select Include Collaborator server location. If this is not selected, only the Collaborator ID is included in your payloads.
3. Click Copy to clipboard to copy the specified number of payloads.
4. To access the payloads, paste them into a document.

When you send the payloads in a request, the application may perform a DNS lookup on the payload subdomain. It may then initiate another network connection, such as a HTTP or SMTP request. The interactions are received by the Collaborator server: they may indicate that the application is vulnerable.

Viewing results

You can view whether any interactions were received by the Collaborator server in the Collaborator tab. Burp automatically polls the Collaborator server for results every 60 seconds. To poll manually, click the Poll now button. The number of unread interactions is displayed on the Collaborator tab label, making it easy for you to see interaction counts at a glance.

Results are displayed in the table. You can perform the following actions to analyze the results:

• Filter the table - To filter the table by network protocol, click the HTTP, DNS, and SMTP buttons.
• Search the table - Click Search and enter an expression.
• Annotate interactions - Right-click any interaction and select Comment or Highlight.
• Mark interactions as read - Select the desired interactions then right-click and select Mark as read.

You can also customize and sort the table contents. For more information, see Customizing Burp's tables.

You can track interactions from different payloads in separate tables. To do this, generate Collaborator payloads in different result tabs. Each tab only displays the results of payloads that it generated. All tabs share the same polling schedule, so the load on the server doesn't increase.

Exporting results

You can export Collaborator interactions as a CSV file to easily share them with others or include them in your reports.

To export all interactions:

1. Right-click the table then select Export as CSV.

2. If necessary, choose a directory.

3. Enter a filename and click Save.

To export specific interactions:

1. Select the interactions that you want to export.

2. Right-click and select Export as CSV.

3. If necessary, choose a directory.

4. Enter a filename and click Save.

When exporting entries in CSV format, Burp represents data as follows:

• Date times are formatted as: yyyy-MMM-dd HH:mm:ss.SSS.

• DNS queries and HTTP interactions (including requests and responses) are represented as Base64 encoded strings.