Burp Collaborator can be used to detect a wide range of out-of-band vulnerabilities. Some common use cases are described below:
Burp Collaborator can induce and detect a typical external service interaction as follows:
You can detect some types of service vulnerabilities by analyzing the details of the service interaction with a collaborating instance of that service. For example, mail header injection can be detected in this way.
The ability to induce an external service interaction doesn't always indicate a vulnerability. You need to determine whether this is intended behavior. For more information about external service interaction vulnerabilities, see the External service interaction issues in Vulnerabilities detected by Burp Scanner.
This is when an application can be induced to load content from an external source and include it in its own response.
To detect this vulnerability, the Collaborator server returns specific data in its responses to the application's interactions. Burp then analyzes the application's in-band response for the data.
For more information, see the Out-of-band resource load issue in Vulnerabilities detected by Burp Scanner.
This is when an application is vulnerable to SQL injection, but its HTTP responses don't contain the results of the relevant SQL query or the details of any database errors.
To detect this vulnerability, Burp sends injection-based payloads that trigger an external interaction when the injection is successful.
The following example uses an Oracle-specific API to trigger an interaction when injected into a SQL statement.
For more information, see the Web Security Academy documentation on Blind SQL injection.
The Collaborator server can notify Burp of deferred interactions that occur asynchronously when the relevant in-band payload is submitted to the target. This enables the detection of various stored vulnerabilities, such as second-order SQL injection and blind XSS.
In the example below:
