Hosting a private Burp Collaborator on a custom domain can be very handy. However, it currently has some limitations, one of them being the hard-coded index page.
It would be useful to be able to customize the web page. For example, the default page could instruct viewers how to contact the collaborator owner. Another example would be serving any additional payload files from the same domain.
There are hackish ways to achieve this, but not all of them work as intended, so let's take a look at how not to do it and how to actually do it.

The Burp Suite Collaborator is a valuable tool for penetration testers and bug bounty hunters. It basically gives you unique subdomains and logs all interactions (DNS, HTTP(S), SMTP) towards the subdomain. This can be used, for example, to detect SSRF vulnerabilities and exfiltrate data.
Burp Suite Professional provides a collaborator service under the domain burpcollaborator.net, and using it is usually fine. However, on rare occasions it can be blacklisted, blocked or otherwise unreachable from the target. Luckily, the Burp Collaborator can also be self-hosted and set to use a whole custom domain.

Hackday (not to be confused with ‘hackathon’ events) is a live event where a group or groups of hackers perform security testing on some target (i.e. hack the target). Usually the target is a web application or, for example, some IoT device. The event may last from one day to a few days. It is common for the organizer to pay bounties for the security vulnerabilities reported by the participants. Organizers can coax hackers to participate with some amazing swag, bounties or other prizes that can be won in the event. The bigger the prizes, the more hackers will want to join and the more experienced hackers will participate.

The usual flow of the event is: registration of participants, an informational meetup for all, hacking and reporting of vulnerabilities, an end meetup and some networking at the end.

This document aims to guide organizers in creating an amazing hacking event so that everyone participating will have an amazing time! The organizer will get the target tested for vulnerabilities and will get good PR from the event.

This open letter is intended to reach the people who make decisions about information security at universities, universities of applied sciences, upper secondary schools and vocational schools. Team ROT is offering one Finnish school a free technical security test.

This is a writeup for the Disobey 2018 hacker ticket puzzle. There were 50 “hacker” tickets available and the puzzle was open for about a month. It was a bit tougher this time than it was in previous years.