Hannah-PortSwigger
commented
1 year ago Hi
As of v2023.5 of Burp, you are able to create Collaborator payloads so that any resulting interactions appear in the Collaborator tab. This would allow the user to view the resulting Collaborator interaction.
You can find this [here](https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/collaborator/Collaborator.html#defaultPayloadGenerator()).
Just to clarify, the feature request you are looking for is for Burp to handle the polling and raising of an issue when an extension-generated Collaborator interaction is registered?
floyd-fuh
As an extension developer the main purpose of using the Collaborator is probably during Active Scan checks. In most cases the requirement is very simple: If there is an interaction with the collaborator URL at one point, display a certain AuditIssue.
Currently, if I want to implement this behavior, I need to create a Thread that polls the collaborator server for new interactions and displays the AuditIssue if there was an interaction. As an extension designer I now need to decide: how long/often I do this polling, if there is a point where I created too many payloads and I should discard old ones, I need to make sure the Collaborator Context is loaded correctly again when Burp is restartet, etc.
It would be really nice to have an API that just takes a CollaboratorClient, a list of payloads and the corresponding AuditIssue and then Burp would take care of it. The user could then e.g. delete certain CollaboratorClients, meaning Burp wouldn't need to poll any longer. Burp could even show a UI in the Collaborator tab for which payloads there is an issue in the background connected (which would give really cool insight into extensions by the way). It would also allow the user to chose when to cleanup etc.
To be honest I think checking for interactions for a payload is very interesting in the 10 minutes after it was sent (e.g. check every 20 seconds). Afterwards it is still interesting (maybe there is a background job on the server or a manual process where the user interacts and triggers the XSS?) but it is probably enough to check for interactions only every half an hour or so. This optimisation then could be left to the user as a setting in Burp, etc.