Friday, October 21, 2016


This release adds a new Burp Collaborator client for use in manual testing, some new APIs for using Burp Collaborator capabilities within Burp extensions, and a new Burp extension that demonstrates usage of the APIs.

Burp Collaborator client is a tool for making use of Burp Collaborator during manual testing. You can use the Collaborator client to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.

To run Burp Collaborator client, go to the Burp menu and select "Burp Collaborator client".

The following functions are available:
  • You can generate a specified number of Collaborator payloads and copy these to the clipboard. You can use these in manual testing, for example using Burp Intruder or Repeater.
  • You can choose whether the generated payloads include the full Collaborator server location, or only the unique interaction ID.
  • You can poll the Collaborator server to retrieve details of any network interactions resulting from your payloads, either at a regular interval or on demand.

Some new APIs have been added for using Burp Collaborator capabilities within Burp extensions. There is a new method on IBurpExtenderCallbacks:

IBurpCollaboratorClientContext createBurpCollaboratorClientContext();

This creates an IBurpCollaboratorClientContext object that can be used to generate Burp Collaborator payloads and poll the Collaborator server for any network interactions that result from using those payloads.

To demonstrate usage of the new APIs, we have today released to the BApp Store a new extension that can detect the HTTPoxy vulnerability via Burp Collaborator.

The source code to the HTTPoxy Scanner extension is available here.
MD5: df736dbf78bb7fcc26d58f1fa814217a
SHA256: 4d44459c04421c934f0c8e60618e255bd913213ab88021d9eee6f651949bc389

MD5: adad04d39abf937bc7c3fb6f29f28297
SHA256: 629b0c6748b115daa8dc2f31db8c7809485fc6565b82b3b08b1fa6b64bd106ad

MD5: 96a2c68f76cdbe557cada92cf6363359
SHA256: 3df6b8da0a30489368cb9c532185020f4a72ec14f824f8a86072c4ff4c9d4b53

MD5: 1278ef18097e93702371972a5dffc1d8
SHA256: af405f2c2caeff869da58bcdd27b76ad1544b16a6fcbed0f39bfe42173fa3b41

MD5: 2ab5e0e558974ed4f631e6c3c20d2a55
SHA256: 27db96f7bdb6fdb477d77add896f562fb21f819fae7a3144b49aeca3e4c51ab8