Preface
The xray passive scanner is the scanner I feel works best during my own bug-hunting process. In this post I share some of the things I pay attention to when using xray.
Official GitHub: https://github.com/chaitin/xray
Official documentation: https://xray.cool/
Use of xray+burp
Common use configuration
- Configure the browser to use burp as its proxy (certificate installation and so on omitted)
- Install the Chrome plugin SwitchyOmega
- Start xray (run this from the directory that contains the xray binary):
    .\xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output result.html
- Configure burp's upstream proxy so that traffic is forwarded to xray (127.0.0.1:7777 in the command above)
- Done
Advanced use
- Use a whitelist. Things like gov sites go without saying; add a whitelist in both SwitchyOmega and xray, and set both of them, to prevent mis-operation. Mis-operation without authorization, no need to say what the consequences might be~
- Where is it best to be careful with xray, or even not to use it at all? For example, if a weak password has got you into an admin backend, or in places such as forum posting, it is best not to use it. First, the crawler makes no distinction about sensitivity and may perform unintended operations, such as causing devastating damage in an admin backend; second, in posting areas and similar places the crawler may fire off hundreds of posts in an instant, which has a negative impact on the community being tested. It is better to quietly mark the test and keep it within a single post. You need to judge this yourself; remember that the first principle of penetration testing is to protect the interests of the tested target!
- Set xray's exit proxy and request frequency. Setting the frequency is naturally to avoid having your IP blocked for accessing too fast; setting the exit proxy is mainly to keep the test moving, because it is normal for xray's IP to get blocked (one reason is the access frequency, the other is that a WAF may detect the large number of sensitive words). So we let xray go out through a proxy, to make sure this machine's IP will not be blocked.
  One more thing: for very small sites, the concurrency should also be reduced, to avoid taking the site down.
- burp plug-in. Project address: passive-scan-client
  Instructions for use: burp plug-in series 1, passive-scan-client
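The whitelist, request-frequency and exit-proxy points above can be turned into a small scope guard. The script below is an added example and is not code from the original post or from the xray project. It assumes the config.yaml keys `http.proxy`, `http.max_qps`, `http.max_conns_per_host` and `mitm.restriction.hostname_allowed` as the author of this example remembers them from xray's generated config.yaml (check them against the file your xray version writes on first run); the hostnames, the proxy address and the sample proxy-history file are constructed placeholders. `in_scope` and `out_of_scope_hosts` mirror the allow-list so that hosts seen in burp's proxy history can be audited against the authorised scope, and `write_xray_config` emits the matching xray settings with a low request rate and per-host concurrency for small sites.

```shell
#!/bin/sh
# Added example (not from the original post or the xray project): keep a
# passive-scan session inside an authorised scope and limit its rate.
#
# Assumptions: the config keys below are reproduced from xray's config.yaml
# as remembered by the author of this example; verify them against your
# version. All hostnames and the proxy address are constructed placeholders.

# in_scope HOST PATTERN... : succeed (return 0) if HOST matches at least one
# glob pattern, e.g. 'target.example.com' or '*.target.example.com'.
in_scope() {
    host=$1
    shift
    for pat in "$@"; do
        # $pat is deliberately unquoted: case performs glob matching on it
        case "$host" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# out_of_scope_hosts FILE PATTERN... : print every distinct host in FILE (one
# hostname per line, e.g. exported from burp's proxy history) that is NOT
# covered by the allow-list. An empty result means the session stayed in scope.
out_of_scope_hosts() {
    file=$1
    shift
    sort -u "$file" | while IFS= read -r h; do
        [ -n "$h" ] || continue
        in_scope "$h" "$@" || printf '%s\n' "$h"
    done
}

# write_xray_config OUT PROXY QPS PATTERN... : write a config.yaml fragment
# that whitelists PATTERN..., caps requests per second at QPS, keeps per-host
# concurrency low (for small sites) and sends requests out through PROXY.
write_xray_config() {
    out=$1
    proxy=$2
    qps=$3
    shift 3
    {
        printf 'http:\n'
        printf '  proxy: "%s"\n' "$proxy"
        printf '  max_qps: %s\n' "$qps"
        printf '  max_conns_per_host: 5\n'
        printf 'mitm:\n'
        printf '  restriction:\n'
        printf '    hostname_allowed:\n'
        for pat in "$@"; do
            printf '      - "%s"\n' "$pat"
        done
    } > "$out"
}

# Demo with constructed data: run as `sh scope_guard.sh demo`.
if [ "${1:-}" = demo ]; then
    hosts=$(mktemp)
    printf 'api.target.example.com\nwww.gov.example\ncdn.thirdparty.example\n' > "$hosts"
    echo "hosts outside the authorised scope:"
    out_of_scope_hosts "$hosts" 'target.example.com' '*.target.example.com'
    write_xray_config ./config.yaml 'socks5://127.0.0.1:1080' 5 \
        'target.example.com' '*.target.example.com'
    echo "wrote ./config.yaml"
    rm -f "$hosts"
fi
```

Run the scope audit against the host list before pointing burp at xray and again after the session; any host it prints is one the whitelist would not have protected, which is exactly the mis-operation the post warns about.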
Understanding of automation
Using the crawlergo dynamic crawler plus xray passive scanning is now a very popular automation idea. As the saying goes, you sit at home and the vulnerabilities fall from the sky, but the facts are not so wonderful. A few points from my own understanding:
- First, if you don't give it cookies, the crawler can only reach a limited set of interfaces, and can access even fewer of them. With such a limited set of interfaces it is harder for xray to find vulnerabilities.
- If you do give it cookies, what is the difference between this kind of test and awvs after you assign it cookies? It comes back to the same sentence: the crawler is not controllable (if you developed it for a specific site, that is another matter). With cookies, what happens if it touches a sensitive operation?
- The advantage of passive scanning is: I found a request, I'm too lazy to manually test it for vulnerabilities such as XSS and the various injections, so I write an automated script to run it. The premise of all this is that you control that request. Once it is uncontrollable, it is no different from an ordinary scanner; the difference is nothing more than the PoCs and the crawler.
- Don't cause a lot of trouble in order to discover vulnerabilities; you must control the risks!
That is all!