tryhackme – RP: Burp Suite

罗尔斯


Contents

  1. Prerequisites
  2. Introduction
  3. Installation
  4. Gettin' [CA]ertified
  5. Feature Overview
  6. Engaging Dark Mode
  7. Proxy
  8. Target Definition
  9. Puttin' it on Repeat[er]
  10. Help! There's an Intruder!
  11. As it turns out, machines are better at math than us.
  12. Decoder and Comparer
  13. Installing some Mods [Extender]
  14. But wait, there's more!
  15. Extra Credit
  16. Conclusion

Prerequisites

Before attempting this room, I highly recommend checking out NinjaJc01's "Web Fundamentals" room. If you're familiar with basic web request structure and SQL injection, you're all set!


Introduction

Today we'll be attempting to complete the Burp Suite room in the Red Primer series. If you want to try it, the link can be found here: https://tryhackme.com/room/rpburpsuite

Burp Suite is a framework of web application penetration testing tools and is widely regarded as the de facto tool to use when performing web application testing. Throughout this room, we'll cover the basics of installing and using this tool along with each of its major components. Reference links to the relevant documentation for each section are provided at the bottom of most tasks throughout the room.


Installation

Before we dive into the amazing tool that is Burp Suite, we first have to install it. Luckily for us, if you're doing this room on Kali Linux, Burp Suite is already installed. Since the room can also be completed entirely on Windows, we'll briefly cover how to obtain Burp Suite (Community Edition) for any system, as it's fairly painless. You can also deploy your own browser-based machine, which has Burp Suite pre-installed!

#1

If you want to install Burp Suite (commonly just called Burp) from scratch, you'll first need to visit this link: https://portswigger.net/burp/communitydownload

#2

Once on the PortSwigger download page, go ahead and download the version appropriate for your operating system.

#3

Burp Suite requires the Java JRE to run. Download and install Java here: https://www.java.com/en/download/

Once everything is set up, move on to our next task: Gettin' [CA]ertified!


Gettin' [CA]ertified

Before we can start using our newly installed (or pre-installed) Burp Suite, we have to fix the certificate warning. We need to install the CA certificate because Burp Suite acts as a proxy between your browser and the Internet: it is what allows the Burp Suite application to read and send HTTPS data.

Unless we install Burp's CA certificate, we'll get a certificate warning.

A quick note: for this lab I'll be using Firefox and FoxyProxy (found here). I'm using Firefox in this case because it's a bit easier to work with when using Burp Suite.

#1

First, let's go ahead and launch Burp. We can do this on Kali via the icon on the left. In the image below, it's the 7th icon from the top on the left. If your Kali desktop doesn't look like the screenshot below, click 'Applications' and type Burp Suite. Click the Burp Suite icon that appears.

Launching Burp!

#2

Once Burp launches, the following screen will appear:

Once it pops up, click 'Temporary project' and then 'Next'.

*Now, you may have noticed that 'New project on disk' and 'Open existing project' are greyed out. As noted at the top of that window, saving projects is a feature associated with Burp Suite Professional, since saving and returning to multi-day web application tests is common.

#3

Next, we'll be prompted to choose which configuration we want to use. For now, select 'Use Burp defaults'.

This option is included because it's very useful for creating custom configuration profiles for the proxy or other settings, especially depending on how your network is configured and/or whether you're launching Burp Suite remotely via something like X11 forwarding.

#4

Finally, let's start Burp! Click 'Start Burp' now!

#5

You'll now be greeted with a screen similar to the following:

Now that Burp Suite is running, the proxy service is launched with it by default. To make full use of this proxy, we have to install the CA certificate that ships with Burp Suite (otherwise we won't be able to load anything over SSL). To do this, launch Firefox now!

  • You can do this part with your browser of choice; however, I’ll be using Firefox for this room. The latest Burp Suite update also comes with a built-in browser, which lets you skip installing the CA certificate.

#6

Now that we’ve started Burp, let’s add an extension to our web browser to allow us to easily route our traffic through it! For this room, we’ll be using ‘FoxyProxy Standard’ on Firefox.


Navigate to the following link to install FoxyProxy Standard: Link

Go ahead and install this now!

#7

Next, click on FoxyProxy among your extensions.


After that, click on ‘Options’.


After that, click ‘Add’ in the top left.


Enter in the following settings and then click ‘Save’


Finally, click on the FoxyProxy extension icon again and select ‘Burp’.


In the image above Burp isn’t selected. Make sure it is in yours!

Next, we'll move on to adding Burp's certificate!

#8

Using Firefox, navigate to the following address: http://localhost:8080

#9

You'll be greeted with the following website:

Click 'CA Certificate' in the top-right to download and save the CA certificate.

#10

Now that we've downloaded the CA certificate, move over to the settings menu in Firefox. Search for 'certificates' in the search bar.

Click 'View Certificates'.

#11

Next, in the 'Authorities' tab, click 'Import'.

#12

Navigate to where you saved the CA certificate we downloaded earlier. Once you've selected it, click 'OK'.

#13

Finally, select the following two options shown in this picture:

Once that's done, select 'OK'. Congratulations, we've now installed the Burp Suite CA certificate!


功能概述

Now that we’ve set up Burp, let’s take a look at everything it has to offer. Web application pentesting can be a messy affair but Burp has something for every step of the way.


Tools by Ana Miminoshvili on Dribbble

Throughout this room, we’ll be taking a look at these components of Burp Suite. Here’s a quick overview of each section covered:

  • Proxy — What allows us to funnel traffic through Burp Suite for further analysis
  • Target — How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
  • Intruder — Incredibly powerful tool for everything from field fuzzing to credential stuffing and more
  • Repeater — Allows us to ‘repeat’ requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned Intruder
  • Sequencer — Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies
  • Decoder — As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
  • Comparer — Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
  • Extender — Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
  • Scanner — Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.

#1

Which tool in Burp Suite can we use to perform a ‘diff’ on responses and other pieces of data?

comparer

#2

What tool could we use to analyze randomness in different pieces of data such as password reset tokens?

sequencer

#3

Which tool can we use to set the scope of our project?

target

#4

While only available in the premium versions of Burp Suite, which tool can we use to automatically identify different vulnerabilities in the application we are examining?

scanner

#5

Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form, which tool allows us to do just that?

decoder

#6

Which tool allows us to redirect our web traffic into Burp for further examination?

proxy

#7

Simple in concept but powerful in execution, which tool allows us to reissue requests?

repeater

#8

With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing?

intruder

#9

Last but not least, which tool allows us to modify Burp Suite by adding extensions?

extender

Engaging Dark Mode

Working on a project late at night? Fear no more! In this task we'll cover how to enable dark mode in Burp Suite!

Working Hard by Uran on Dribbble

This task is optional! If you'd like to skip it, just click 'Completed' on the questions. This section is purely to improve 'quality of life' while using Burp Suite throughout the room. You can see dark mode in task eight, question three.

#1

Once Burp Suite is launched, let's first navigate to the 'User options' tab.

#2

Next, click the 'Display' sub-tab.

#3

Now, click the 'Look and feel' dropdown. Select 'Darcula'.

#4

Finally, close and restart Burp Suite for the dark theme (or whichever theme you chose) to take effect.


Proxy

Generally speaking, a proxy server by definition allows us to relay our traffic through an alternative route to the Internet. There are many reasons for doing this, ranging from educational filtering (as in schools, where restricted content usually has to be blocked) to accessing content that would otherwise be unavailable due to region locks or bans. When using a proxy for web application testing, however, we gain fine-grained visibility into, and control over, traffic in-line. Throughout this task we'll explore the main components of the Burp proxy, including Intercept, the request history, and the various configuration options available to us.

Basic diagram of relaying communication through a proxy: Wikipedia, Proxy server

In task three of Gettin' [CA]ertified, we configured our network traffic to route through our Burp Suite instance. By default, Burp will be set to 'intercept' our traffic. This means a few things:

1. Requests will, by default, require our authorization before they are sent.

2. We can modify our requests in-line, similar to what we'd see in a man-in-the-middle attack, and then send them on.

3. We can also drop requests we don't want to send. This is useful for seeing the request attempted after clicking a button or performing other actions on the website.

4. Last but not least, we can send these requests to other tools such as Repeater and Intruder for modification and manipulation in order to induce vulnerabilities.

Burp Suite reference documentation for Proxy: Link

#1

Deploy the VM attached to this task!

To complete this task you'll need to be connected to the TryHackMe network via OpenVPN. If you're using the browser-based machine, this isn't necessary (but make sure you're accessing the machine and using Burp from within the browser-based machine).

#2

By default, the Burp Suite proxy listens on only one interface. What is it? Use the format IP:PORT

127.0.0.1:8080

#3

In Burp Suite, navigate to the Intercept sub-tab of the Proxy section. Enable Intercept.

#4

Return to your web browser and navigate to the web application hosted on the VM we deployed just a bit ago. Note that the page appears to be continuously loading. Change back to Burp Suite, we now have a request that’s waiting in our intercept tab. Take a look at the actions, which shortcut allows us to forward the request to Repeater?

ctrl-R

#5

How about if we wanted to forward our request to Intruder?

ctrl-i

#6

Burp Suite saves the history of requests sent through the proxy along with their varying details. This can be especially useful when we need to have proof of our actions throughout a penetration test or we want to modify and resend a request we sent a while back. What is the name of the first section wherein general web requests (GET/POST) are saved?

http history

#7

Defined in RFC 6455 as a low-latency communication protocol that doesn’t require HTTP encapsulation, what is the name of the second section of our saved history in Burp Suite? These are commonly used in collaborative applications which require real-time updates (Google Docs is an excellent example here).

websocket history

#8

Before we move on to exploring our target definition, let’s take a look at some of the advanced customization we can utilize in the Burp proxy. Move over to the Options section of the Proxy tab and scroll down to Intercept Client Requests. Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our only AND rule. What is its match type?

URL

#9

How about its ‘Relationship’? In this situation, enabling this match rule can be incredibly useful following target definition, as we can effectively leave Intercept on permanently (unless we need to navigate without Intercept), since it won’t disturb sites which are outside of our scope, something which is particularly nice if we need to Google something in the same browser.

is in target scope

Target Definition

Perhaps the most important feature in Burp Suite, we’ll now be turning our focus to the Target tab!


Lock on Target by Alexei Vella on Dribbble

The Target tab in Burp allows us to perform arguably some of the most important parts of a web application penetration test: defining our scope, viewing a site map, and specifying our issue definitions (although this is more useful within report generation and scanning).

When starting a web application test you’ll very likely be provided a few things:

- The application URL (hopefully for dev/test and not prod)
- A list of the different user roles within the application
- Various test accounts and associated credentials for those accounts
- A list of pieces/forms in the application which are out-of-scope for testing and should be avoided

From this information, we can now start to build our scope within Burp, something which is incredibly important in the case we are planning on performing any automated testing. Typically this is done in a tiered approach wherein we work our way up from the lowest privileged account (this includes unauthenticated access), browsing the site as a normal user would. Browsing like this to discover the full extent of the site is commonly referenced as the ‘happy path’. Following the creation of a site map via browsing the happy path, we can go through and start removing various items from the scope. These items typically fit one of these criteria:

- The item (page, form, etc) has been designated as out of scope in the provided documentation from the client
- Automated exploitation of the item (especially in a credentialed manner) would cause a huge mess (like sending hundreds of password reset emails — If you’ve done a web app professionally you’ve probably done this at one point)
- Automated exploitation of the item (especially in a credentialed manner) would lead to damaging and potentially crashing the web app

Once we’ve removed any restricted or otherwise potentially dangerous items from our scope, we can move onto other areas of testing with the various tools within Burp Suite.
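To make the include/exclude logic above concrete, here is a small scope matcher written in Python as an added example; it is not Burp's own code, and it uses a simplified normalised-prefix model rather than Burp's full protocol/host/port/file pattern rules. The host `juice-shop.example` and the excluded reset-password path are constructed placeholders, not values from the room. This is also the check the proxy's "is in target scope" intercept rule relies on: anything that fails it is left alone.

```python
from urllib.parse import urlsplit

# Added example of Burp-style scope rules, not Burp's own matching code.
# Host and paths below are constructed placeholders.
INCLUDE = ["http://juice-shop.example/"]
EXCLUDE = [
    # Hypothetical endpoint: automated attacks here would fire password-reset
    # emails, the "huge mess" case described above.
    "http://juice-shop.example/rest/user/reset-password",
]


def normalize(url):
    """Lower-case scheme and host, make the default port explicit,
    drop query string and fragment, so prefixes compare consistently."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    path = parts.path or "/"
    return f"{scheme}://{host}:{port}{path}"


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """In scope = matches an include prefix and no exclude prefix (exclude wins)."""
    target = normalize(url)
    included = any(target.startswith(normalize(p)) for p in include)
    excluded = any(target.startswith(normalize(p)) for p in exclude)
    return included and not excluded


def filter_history(urls, include=INCLUDE, exclude=EXCLUDE):
    """What the site map keeps once 'Add to scope' limits it to in-scope items."""
    return [u for u in urls if in_scope(u, include, exclude)]


if __name__ == "__main__":
    # Constructed proxy-history entries.
    history = [
        "http://juice-shop.example/#/login",
        "http://juice-shop.example/rest/products/search?q=apple",
        "http://juice-shop.example/rest/user/reset-password?token=abc",
        "https://www.google.com/search?q=burp+suite",
    ]
    for url in history:
        print(f"{'IN ' if in_scope(url) else 'OUT'}  {url}")
```

Note that the scheme and port are part of the match: with only the `http://` include rule, the same host over `https://` is out of scope, which is the same surprise Burp users hit when an application redirects to TLS after they defined scope on the plain-HTTP URL.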

Burp Suite reference documentation for Target: Link


#1

Before leaving the Proxy tab, switch Intercept to disabled. We’ll still see the pages we navigate to in our history and the target tab, just having Intercept constantly stopping our requests for this next bit will get old fast.

#2

Navigate to the Target tab in Burp. In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop). Find our target site in this list and right-click on it. Select ‘Add to scope’.

#3

Clicking ‘Add to scope’ will trigger a pop-up. This will stop Burp from sending out-of-scope items to our site map.

#4

Select ‘Yes’ to close the popup.

#5

Browse the rest of the application to build out our page structure in the Target tab. Once you've visited most of the site's pages, return to Burp Suite and expand the various levels of the application's directories. What do we call this representation of the collective web application?

site map

#6

What is the term for browsing the application as a normal user prior to further examination?

happy path

#7

One last thing before moving on. In the Target tab, you may have noticed the Issue definitions sub-tab. Click into it now.

#8

The issue definitions found here are how Burp Suite defines issues in its reports. When starting out, these issue definitions are particularly useful for understanding and categorizing the various findings we may have. Which poisoning issue occurs when an application input behind a caching process is not included in the cache key?

web cache poisoning

Puttin' it on Repeat[er]

As the name suggests, Repeater allows us to repeat requests that have already been made. These requests can be reissued as-is or with modifications. Compared to Intruder, Repeater is typically used for experimentation or more finely tuned exploitation where automation may not be needed. We'll be examining Repeater with the goal of finding a proof of concept that Juice Shop is vulnerable to SQL injection.

Record Player by Briton Baker on Dribbble

Burp Suite reference documentation for Repeater: Link


#1

First, navigate to the login page by clicking 'Account' (depending on the version of Juice Shop, this may be 'Login') in the top-right of Juice Shop.

#2

Try logging in with invalid credentials. What error does the failed login produce?

Invalid email or password

#3

But wait, didn't we want to send that request to Repeater? Even though we didn't send it to Repeater via Intercept originally, we can still find the request in our history. Switch to the HTTP history sub-tab of Proxy. Browse through the requests until you find our failed login attempt. Right-click this request and send it to Repeater, then send it to Intruder as well!

#4

Now that we've sent the request to Repeater, let's try adjusting the request so that we send a single quote (') as both the email and the password. What error does this request produce?

SQLITE_ERROR

#5

Now that we’ve leveraged Repeater to gain proof of concept that Juice Shop’s login is vulnerable to SQLi, let’s try something a little more mischievous and attempt to leave a devastating zero-star review. First, click on the drawer button in the top-left of the application. If this isn’t present for you, just skip to the next question.

图片发布

图片发布

#6

Next, click on ‘Customer Feedback’ (depending on the version of Juice Shop this also might be along the top of the page next to ‘Login’ under ‘Contact Us’)

图片发布

图片发布

#7

With the Burp proxy on, submit feedback. Once this is done, find the POST request in your HTTP history in Burp and send it to Repeater.

#8

What field do we have to modify in order to submit a zero-star review?

rating

#9

Submit a zero-star review and complete this challenge in Juice Shop!


Help! There’s an Intruder!

Intruder is arguably the most powerful tool in Burp Suite; it can be used for everything from fuzzing to brute-forcing. One of Intruder's core purposes: automation.

While Repeater is best for experimentation or one-off testing, Intruder is made for repeated testing once a proof of concept has been established. Per the Burp Suite documentation, some common uses are as follows:

- Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing
- Harvesting useful data from user profiles or other pages of interest by repeating our requests
- Fuzzing to detect vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal

Coat by Chill Desk on Dribbble

To accomplish these various use cases, Intruder has four different attack types:

1. Sniper - The most popular attack type, this cycles through our selected positions, putting the next available payload (an item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).

2. Battering Ram - Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position at once. Think about how a battering ram makes contact with a large surface using a single surface, hence the name of this attack type.

3. Pitchfork - The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through both payload sets simultaneously. For example, if we selected two positions (say a username field and a password field), we can provide a username and a password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equal to the smallest payload set provided.

4. Cluster Bomb - The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide. For example, if we selected two positions (say a username field and a password field), we can provide a username and a password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equal to usernames x passwords. Do note, this can take quite a while if you're using Burp Community Edition.
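As an added illustration (my own code, not Burp's), the four attack types implemented as Python generators over §-marked positions, the notation Intruder uses in the Positions tab; the wordlists and the request template are constructed. Running it shows the request counts the descriptions above imply: positions × payloads for Sniper, one request per payload for Battering Ram, the shortest set for Pitchfork, and the full product for Cluster Bomb.

```python
from itertools import product

# Intruder-style payload generation, written as an added example (not Burp's code).
# A template marks payload positions between § characters, the way Intruder does:
#   'email=§test@x.example§&password=§test§'
# The text between each pair of markers is that position's base value.


def parse_positions(template):
    """Split a §-marked template into literal chunks and the base values."""
    chunks = template.split("§")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced § markers")
    base = tuple(chunks[1::2])  # every odd chunk is a marked position
    return chunks, base


def render(chunks, values):
    """Write one payload value into each position and rebuild the request body."""
    out = list(chunks)
    out[1::2] = list(values)  # must supply exactly one value per position
    return "".join(out)


def sniper(base, sets):
    """One payload set; each position is attacked in turn, the others keep their base value."""
    for pos in range(len(base)):
        for payload in sets[0]:
            request = list(base)
            request[pos] = payload
            yield tuple(request)


def battering_ram(base, sets):
    """One payload set; the same payload goes into every position at once."""
    for payload in sets[0]:
        yield tuple(payload for _ in base)


def pitchfork(base, sets):
    """One set per position, stepped in parallel; stops at the shortest set."""
    yield from zip(*sets)


def cluster_bomb(base, sets):
    """One set per position; every combination is tried (Cartesian product)."""
    yield from product(*sets)


ATTACKS = {
    "sniper": sniper,
    "battering ram": battering_ram,
    "pitchfork": pitchfork,
    "cluster bomb": cluster_bomb,
}


def generate(attack, template, sets):
    """Return the full list of request bodies an attack type would send."""
    chunks, base = parse_positions(template)
    return [render(chunks, values) for values in ATTACKS[attack](base, sets)]


if __name__ == "__main__":
    # Constructed wordlists: three usernames, two passwords.
    users = ["alice", "bob", "carol"]
    passwords = ["x", "y"]
    template = "email=§test@x.example§&password=§test§"
    for name in ATTACKS:
        sets = [users] if name in ("sniper", "battering ram") else [users, passwords]
        bodies = generate(name, template, sets)
        print(f"{name:14s} {len(bodies):2d} requests, first: {bodies[0]}")
```

The count difference is the practical reason the room warns about Cluster Bomb on Community Edition: with realistic lists (hundreds of usernames, thousands of passwords) the product runs into the millions of requests, each rate-limited, while Pitchfork only ever sends as many as the shorter list.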

Intruder attack type selection

For our purposes, we'll be returning to the SQL injection vulnerability we discovered earlier using Repeater.

For some additional practice on using Intruder, check out the older Learn Burp Suite room here on TryHackMe.

Burp Suite reference documentation for Intruder: Link


#1

Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?

sniper

#2

How about the attack type which allows us to use one payload set in every single position we’ve selected simultaneously?

battering ram

#3

Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?

cluster bomb

#4

Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?

sniper

#5

Download the wordlist attached to this room, this is a shortened version of the fuzzdb SQLi platform detection list.

#6

Return to the Intruder in Burp. In our previous task, we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in the Intruder tab with this request now and verify that ‘Sniper’ is selected as our attack type.


#7

Burp attempts to automatically highlight possible fields of interest for Intruder, however, it doesn’t have it quite right for what we’ll be looking at in this instance. Hit ‘Clear’ on the right-hand side to clear all selected fields.


#8

Next, let’s highlight the email field between the double quotes (“). This will be whatever you entered in the email field for our previous failed login attempt.


#9

Now, click 'Add' to select our email field as the position for our payloads.

#10

Next, let's switch to the Payloads sub-tab of Intruder. Once there, click 'Load' and select the wordlist you downloaded earlier in question 5, attached to this task.

#11

Almost there! Scroll down and uncheck 'URL-encode these characters'. We don't want the characters sent in our payloads to be encoded, as otherwise they won't be recognized by SQL.

#12

Finally, click 'Start attack'. What is the first payload that returns a 200 status code (indicating we've successfully bypassed authentication)?

a' or 1 = 1--
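The single-quote test from the Repeater task and the `a' or 1 = 1--` payload found by this Intruder run both work for the same reason: the login builds its SQL by string concatenation. The following Python/sqlite3 snippet is an added example (not Juice Shop's code) that reproduces that pattern and places the parameterised version beside it. The users table and the `admin@example.test` account are constructed. Hashing the password before it reaches the query is an assumption made so the demo behaves like the room's observations: a quote in the password field never reaches the SQL parser, the one in the email field does.

```python
import hashlib
import sqlite3

# Added example, not Juice Shop's code: a login that builds SQL by string
# concatenation beside its parameterised replacement. Table contents are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    # Unsalted MD5 is used only so the demo mirrors the observed behaviour; it is
    # not a recommendation for password storage.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin@example.test", hashlib.md5(b"hunter2").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Interpolates the email straight into SQL. The password is hashed first, so a
    quote in it never reaches the parser; a quote in the email breaks the statement."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{pw_hash}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "SQLITE_ERROR"  # what the room sees for a lone single quote
    return "ok" if row else "invalid"


def login_safe(conn, email, password):
    """Same query with bound parameters: user input is data, never SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    row = conn.execute(sql, (email, pw_hash)).fetchone()
    return "ok" if row else "invalid"


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("admin@example.test", "hunter2"),  # real credentials
        ("'", "'"),                          # the Repeater probe
        ("a' or 1 = 1--", "x"),              # the payload Intruder found
    ]
    for email, pw in attempts:
        print(f"{email!r:18} vulnerable={login_vulnerable(db, email, pw):12} "
              f"safe={login_safe(db, email, pw)}")
```

Two things worth noticing from the output: the `--` comment is what turns the tautology into an authentication bypass by discarding the password check entirely, and the parameterised query returns a plain "invalid" for both probes, so there is no SQLITE_ERROR to find and no 200 to sort by in Intruder's results.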

As it turns out, machines are better at math than us.

While not as commonly used in a practical setting, Sequencer represents a core tool in a proper web application penetration test. Per the Burp documentation, Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable. Some items commonly analyzed include:

- Session tokens
- Anti-CSRF (Cross-Site Request Forgery) tokens
- Password reset tokens (sent with password resets and, in theory, uniquely tying a user to their password reset request)

We'll take a quick look at how to use Sequencer to examine the session cookies issued by Juice Shop.
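The idea behind the "effective entropy in bits" figure Sequencer reports can be shown with a much simpler estimator. The Python below is an added example, not PortSwigger's implementation: it measures, for a sample of equal-length tokens, how spread out the symbol at each character position is and sums those per-position Shannon entropies. Both token schemes are constructed: a zero-padded hex counter dressed up as a 128-bit token, and tokens from the `secrets` module.

```python
import math
import secrets
from collections import Counter

# Simplified, position-wise entropy estimate: an added example of the idea behind
# Sequencer's character-level analysis, not PortSwigger's code. Sequencer also
# runs bit-level and FIPS-style tests; this only measures how spread out the
# symbols at each character position are across the captured sample.


def position_entropy(tokens, pos):
    """Shannon entropy (bits) of the symbol observed at one character position."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def estimate_entropy_bits(tokens):
    """Sum of per-position entropies. Tokens must share a length; Sequencer
    normalises them first, this example simply requires it."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return sum(position_entropy(tokens, p) for p in range(length))


def sequential_tokens(n):
    """Constructed weak scheme: a zero-padded hex counter posing as a 128-bit token."""
    return [f"{i:032x}" for i in range(n)]


def random_tokens(n):
    """Constructed strong scheme: 16 random bytes per token, from the secrets module."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    sample = 10_000  # the room pauses the live capture at roughly this many
    for name, toks in (("counter", sequential_tokens(sample)),
                       ("secrets", random_tokens(sample))):
        bits = estimate_entropy_bits(toks)
        print(f"{name}: ~{bits:.1f} bits of the {4 * len(toks[0])} the length suggests")
```

The counter scores only about 13.5 bits out of the 128 its length advertises, because 28 of its 32 hex digits never change in a 10,000-token sample. Note the caveat, which also applies to Sequencer: a per-position estimate ignores correlation between consecutive tokens, so those 13.5 bits still overstate a counter that is completely predictable once a single value is known. Treat the figure as one signal about token quality, not a verdict.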

SEO-Friendly Progressive Web Apps with Angular Universal by Maxime Bourgeois on Dribbble

Burp Suite reference documentation for Sequencer: Link


#1

Switch over to the HTTP history sub-tab of Proxy.

#2

We’re going to dig for a response which issues a cookie. Parse through the various responses we’ve received from Juice Shop until you find one that includes a ‘Set-Cookie’ header.

#3

Once you’ve found a request response that issues a cookie, right-click on the request and select ‘Send to Sequencer’.

#4

Change over to Sequencer and select ‘Start live capture’.

#5

Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit ‘Pause’ and then ‘Analyze now’

#6

Parse through the results. What is the effective estimated entropy measured in?

bits

#7

To find the usable bits of entropy, we often have to make some adjustments to obtain a normalized dataset. What items are transformed in this process?

tokens

#8

Read through the rest of the token analysis results.


Decoder and Comparer

While Decoder and Comparer are secondary tools in Burp Suite, understanding and utilizing them is still essential to becoming a proficient web application tester.

As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding. We can chain these transforms together, and Decoder will automatically spawn an additional layer each time we select a decoder, encoder, or hash. Ultimately, this tool functions very similarly to CyberChef, albeit with slightly less functionality.

Encryption by Muriel on Dribbble

Similarly, Comparer, as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.

Per the Burp documentation, some common uses for Comparer are as follows:

- When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in responses. This is also sometimes useful for when enumerating password recovery forms or another similar recovery/account access mechanism.

- When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.

- When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behaviour. This may reveal possible access control issues in the application wherein lower privileged users can access pages they really shouldn’t be able to.

- When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.

*These examples are taken nearly in their entirety from the Burp docs simply to provide a broader set of examples to consider when using Comparer.
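The first use listed above, spotting username enumeration in two failed-login responses, is easy to reproduce outside Burp. The Python below is an added example (not Comparer's code) that diffs two constructed responses the way Comparer's "words" and "bytes" views do, using `difflib`, and reports the two observations a tester compares and a defender should eliminate: a different body and a different length. The responses are invented for this example, not captured from Juice Shop.

```python
import difflib
import re

# Constructed responses for a failed login with a known and an unknown username.
# They are invented for this added example, not captured from Juice Shop.
RESP_KNOWN_USER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 16\r\n"
    "\r\n"
    "Invalid password"
)
RESP_UNKNOWN_USER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "Invalid email or password"
)


def words(text):
    """Tokenise like Comparer's 'words' view: runs of word characters, or a single
    punctuation character, each as one unit."""
    return re.findall(r"\w+|[^\w\s]", text)


def changed_blocks(seq_a, seq_b):
    """Every non-equal region from difflib as (op, removed, added) triples.
    autojunk is disabled so long, repetitive HTTP bodies are not heuristically skipped."""
    sm = difflib.SequenceMatcher(None, seq_a, seq_b, autojunk=False)
    return [(op, seq_a[i1:i2], seq_b[j1:j2])
            for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]


def diff_words(a, b):
    """Word-level comparison: data examined as-is, not broken into bytes."""
    return changed_blocks(words(a), words(b))


def diff_bytes(a, b):
    """Byte-level comparison: the other metric Comparer offers."""
    return changed_blocks(a.encode(), b.encode())


def enumeration_signal(resp_a, resp_b):
    """Compare the bodies of two failed-login responses. Any True value here means
    the application tells a known username apart from an unknown one."""
    body_a = resp_a.split("\r\n\r\n", 1)[1]
    body_b = resp_b.split("\r\n\r\n", 1)[1]
    return {
        "length_differs": len(body_a) != len(body_b),
        "body_differs": body_a != body_b,
        "word_changes": diff_words(body_a, body_b),
    }


if __name__ == "__main__":
    for op, removed, added in diff_words(RESP_KNOWN_USER, RESP_UNKNOWN_USER):
        print(f"{op:8} {removed!r} -> {added!r}")
    print(enumeration_signal(RESP_KNOWN_USER, RESP_UNKNOWN_USER))
```

Run as-is, the word diff flags both the `Content-Length` change and the inserted `email or`, which is exactly the pair of clues Comparer would surface. The fix on the application side is to return the same message and the same length for both failures; `enumeration_signal` then reports nothing, as the second assertion set in the test shows when a response is compared with itself.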


JavaScript Arrays in Depth by Maxime Bourgeois on Dribbble

Burp Suite reference documentation for Decoder and Comparer


#1

Let’s first take a look at decoder by revisiting an old friend. Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request:


#2

Copy the first line of that request and paste it into Decoder. Next, select ‘Decode as …’ URL

#3

What character does the %20 in the request we copied into Decoder decode as?

space

#4

Similar to CyberChef, Decoder also has a ‘Magic’ mode where it will automatically attempt to decode the input it is provided. What is this mode called?

smart decode

#5

What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues.

site maps

#6

Comparer can perform a diff against two different metrics, which one allows us to examine the data loaded in as-is rather than breaking it down into bytes?

words

Installing some Mods [Extender]

Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more! Here are some of the most popular extensions I suggest checking out (not all of these are free but I suggest looking into them all the same):

  • Logger++ — Adds enhanced logging to all requests and responses from all Burp Suite tools, enable this one before you need it 😉
  • Request Smuggler — A relatively new extension, this allows you to attempt to smuggle requests to backend servers. See this talk by James Kettle for more details: Link
  • Autorize — Useful for authentication testing in web app tests. These tests typically revolve around navigating to restricted pages or issuing restricted GET requests with the session cookies of low-privileged users
  • Burp Teams Server — Allows for collaboration on a Burp project amongst team members. Project details are shared in a chatroom-like format
  • Retire.js — Adds scanner checks for outdated JavaScript libraries that contain vulnerabilities, this is a premium extension
  • J2EEScan — Adds scanner test coverage for J2EE (java platform for web development) applications, this is a premium extension
  • Request Timer — Captures response times for requests made by all Burp tools, useful for discovering timing attack vectors

Contributing by Matt Scribner on Dribbble

A prerequisite for many of the extensions offered for Burp, we’ll walk through the installation of Jython, the Java implementation of Python.


Burp Suite reference documentation for Extender: Link

Article on some of the top extensions for Burp Suite: Link


#1

To start, let’s go ahead and switch over to the Options sub-tab of the Extender tab.

#2

Scroll down until you reach the ‘Python Environment’ section. Note, Burp requires the standalone edition of Jython.

#3

Download the standalone version of Jython from here: Link — I suggest saving this or moving it to your Documents folder

#4

Return to Burp and click 'Select file' under the Python Environment sub-section for Jython Standalone. Navigate to where you just downloaded this file and select it.

#5

Burp is now ready to install extensions. Switch over to the BApp Store sub-tab of Extender and browse the various extensions offered.

#6

Which extension allows us to also add bookmarks for various requests?

bookmarks

But wait, there's more!

Before wrapping up, let's take a quick look at two features offered by Burp Suite Professional: Burp Suite Scanner and Collaborator Client!

Engagement by Todd Zlab on Dribbble

The Burp Suite Scanner is arguably the most powerful feature of Burp Suite, allowing us to passively and actively scan and crawl the website we're testing for vulnerabilities. In the task-based model of Burp 2.0, we can launch these scans (scanner and spider) from the dashboard and let them run in the background while we continue examining the web application. In this case, I've run an unauthenticated scan against Juice Shop and attached it to this task. These reports can provide a starting point for further enumeration and exploitation via the other tools in Burp Suite.

Preview of the report attached to this task, generated by Burp Professional

Burp Collaborator Client is typically used in manual testing, allowing us to gain insight into issues that might not otherwise produce any results. Often during a test we'll encounter items that may well be vulnerable but yield no positive indicator, whether because of the web app's timing/slowness or because of a lack of any reaction. With Burp Collaborator, however, we can generate out-of-band alerts by producing payloads that call back to a server which returns the results to Burp Suite.

Burp Suite reference documentation for Scanner and Collaborator Client

#1

Download the report attached to this task. What is the only critical issue?

Cross-origin resource sharing: arbitrary origin trusted

#2

How many 'Certain' low-severity issues did Burp find?

12

Extra Credit

Want to learn more? You're in luck! PortSwigger, the makers of Burp Suite, have a (mostly) free online Web Security Academy! This online training is great for learning more about web development techniques and putting your newly minted Burp skills to the test! Almost all of this training is free, the only exception being a few labs that require Burp Suite Professional.

You can find the PortSwigger Web Security Academy training here: https://portswigger.net/web-security

Beyond PortSwigger's training, SANS also offers excellent web application penetration testing courses. Some of these include SANS SEC 542 and SEC 642. Note that these courses are paid and can be quite expensive. That being said, they are incredibly high quality and well worth checking out.

Last but not least, you can continue learning with OWASP Juice Shop in its own room on TryHackMe! Link

#1

Check out the links provided and keep learning!


Conclusion

Dig deeper into how to intercept and modify data sent to external sites. We've learned how to check for certain vulnerabilities through input modification, and how to submit various payloads to websites.

This article was posted by admin of 泓源视野, which holds the copyright. The content reflects the author's personal views and does not imply endorsement by 泓源视野. Please credit the source when reposting.