BS architecture brute force guess
There is usually a web page for the crack between the browser and the client.
Generally, it is to guess high-privilege users in web applications, such as the content management system account of the website. For the brute force guessing of B / S, we use Burp Suit mirror form blasting.
Operating procedures
generally
Fill in the account password text box, capture the packet, and send it to the tester.
Select the attack type,
clear the variables
, select the dictionary mode in the payload option (simple list), upload it,
start the attack, and find the one whose return value is different from other data
Several understanding BurpSuit Intruder attack, burp use before I wrote some, the connection is more comprehensive, more in-depth
https://www.cnblogs.com/Kevin-1967/p/7762661.html
API interface brute force guess
API interface brute force guessing reference https://xz.aliyun.com/t/6330
(The reason why the vulnerability appears API interface can be accessed without authentication)
A /api/
similar endpoint format was found when capturing packets , but it was not possible to determine which API port was used to log in. At this time, a dictionary can be used to burst
7KBscan. Many of them are used for this kind of bursting dictionary
关于返回值:
404不存在
405数据包类型不对
转换post 或Get
Observe the response message, there are firstneme, emile and other information that can be used by us. After the change is added to the post packet part, it is equivalent to directly creating an account through the interface, and this account is likely to have administrator rights and can be bypassed. Pass all front-end account requirements