Information Security: Introduction to Burpsuite, a Packet Capture Tool

Introduction to burpsuite

As a widely used tool for web penetration testing, Burp Suite has nine commonly used modules: proxy, target, intruder, comparer, repeater, decoder, extender, sqlmap and csrf. They are introduced one by one below.

1.1 proxy

The proxy module is the core function of Burp Suite. Acting as a man-in-the-middle between the browser and the target application, it lets you intercept, view and modify the raw data flowing in both directions. There are four sub-modules under Proxy: Intercept, HTTP history, WebSockets history and Options.

1.1.1 Sub-module 1: intercept

Name / Function
forward: forwards the currently intercepted packet on to its destination.
drop: discards the currently intercepted packet.
intercept is on / off: toggles interception. When it is off, all requests pass through untouched; when it is on, every request is held for inspection.
action: sends the intercepted packet to another module.
Below these are four views, raw, params, headers and hex, which show the same packet from different angles for analysis.

1.1.2 Submodule 2: http history

Logs every request that passed through the proxy server.

1.1.3 Submodule 3: options

This section is mainly used to configure the proxy listeners, request and response handling, response interception, match and replace, SSL and so on.

Name / Feature
Proxy Listeners: the local HTTP proxy server that listens for incoming connections from your browser. It lets you monitor and intercept all requests and responses and is at the heart of the Burp Proxy workflow. By default Burp listens on 127.0.0.1, port 8080. Listeners can be added, edited and deleted.
Intercept Client Requests: configures the interception rules, that is, the matching rules that decide which requests are held. When "Intercept requests based on the following rules" is selected, Burp applies the rules in the list to decide whether to intercept or forward each request. For example, sometimes you only want to capture requests for PHP scripts.

1.2 target

1.2.1 sitemap

Name / Function
add to scope / spider this host: adds the URL to the crawler scope for detailed crawling.
actively scan this host: active scan; payloads are actively sent.
passively scan this host: passive scan; existing traffic is analysed.
delete host / copy URLs in this host / copy links in this host: batch operations on the sitemap, such as deleting the selected sites or copying their URLs or links.

1.3 intruder

Intruder can perform many tasks; the appropriate attack type depends on the application, for example directory traversal, fuzzing for XSS and SQLi, and brute forcing.

1.3.1 positions

Attack type / Function
sniper: attacks the marked variables one at a time, loading the dictionary into each variable in turn: first variable 1, then variable 2, and so on.
battering ram: attacks several variables at the same time; the variables share one dictionary and all receive the same value.
pitchfork: each variable has its own dictionary (unlike the two types above, which use a single dictionary).
cluster bomb: combination attack; each variable has its own dictionary and every combination is tried (note the order in which the variables are added). For example, if the dictionary of variable 1 contains user1, user2 and the dictionary of variable 2 contains password1, password2, there are four results: {user1, password1}, {user1, password2}, {user2, password1}, {user2, password2}.
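
The four attack types differ only in how the payload lists are combined across the marked positions. The following Python is an added illustration (not Burp's code); the position names, base values and dictionaries are constructed examples, with the cluster bomb dictionaries taken from the text above.

```python
from itertools import product

# Constructed example (not from Burp): two marked positions and their base values.
BASE = {"username": "admin", "password": "secret"}
# Per-position dictionaries, as in the cluster bomb example in the text.
DICTS = {"username": ["user1", "user2"], "password": ["password1", "password2"]}

def sniper(base, payloads):
    """One position at a time; all other positions keep their base value."""
    requests = []
    for pos in base:                      # positions in the order they were added
        for payload in payloads:
            req = dict(base)
            req[pos] = payload
            requests.append(req)
    return requests

def battering_ram(base, payloads):
    """The same payload is placed into every position at once (one dictionary)."""
    return [{pos: payload for pos in base} for payload in payloads]

def pitchfork(base, dicts):
    """Each position has its own list; the lists advance in step (shortest list wins)."""
    lists = [dicts[pos] for pos in base]
    return [dict(zip(base, combo)) for combo in zip(*lists)]

def cluster_bomb(base, dicts):
    """Every combination of every list: the Cartesian product, in position order."""
    lists = [dicts[pos] for pos in base]
    return [dict(zip(base, combo)) for combo in product(*lists)]

if __name__ == "__main__":
    print("sniper:", sniper(BASE, ["x", "y"]))
    print("cluster bomb:", cluster_bomb(BASE, DICTS))
```

Request counts follow directly: sniper sends positions x payloads, battering ram and pitchfork send one request per payload (row), cluster bomb sends the product of the list sizes.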

Name / Role
add: adds a variable.
clear: clears the variables.
auto: automatically marks all variables.


1.3.2 intruder

Payload type / Function
simple list: a simple dictionary.
runtime file: reads payloads from a file at run time.
custom iterator: a custom iterator.
character substitution: character replacement.
recursive grep: recursive search.
illegal unicode: illegal characters.
character blocks: character blocks.
numbers: number combinations.
dates: date combinations.
brute forcer: brute-force cracking.
null payloads: empty payloads.
username generator: username generation.
copy other payload: copies another payload set.
Payload processing / Function
add prefix: adds a text prefix.
add suffix: adds a text suffix.
match/replace: replaces any part of the payload that matches a specified regular expression with a literal text string.
substring: selects a string of length "length" starting at position "from"; for example "password" with from 1, length 2 gives "as".
reverse substring: selects in reverse order, starting at position "from" counted from the end, a string of length "length"; for example "password" with from 1, length 2 gives "or".
modify case: offers all uppercase, all lowercase and partial uppercase, i.e. converts the string to all uppercase, all lowercase or partially uppercase.
encode: encodes the string with a chosen encoding scheme and uses the encoded result as the payload.
hash: hashes the string.
add raw payload: appends the original payload to the string, for example "user" becomes "useruser".
skip if matches regex: drops strings that contain the configured pattern; for example, with "ss" configured, "user" is kept and "password" is dropped.
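
The processing rules are applied in order to every payload, and a "skip if matches regex" hit removes the payload from the run. The Python below is an added re-implementation for illustration (not Burp's own code); only URL and Base64 are shown for the encode rule, and the sample payloads are the ones from the text.

```python
import base64
import hashlib
import re
from urllib.parse import quote

def add_prefix(s, prefix):
    return prefix + s
def add_suffix(s, suffix):
    return s + suffix
def match_replace(s, pattern, replacement):
    return re.sub(pattern, replacement, s)
def substring(s, start, length):
    # "password", from 1, length 2 -> "as"
    return s[start:start + length]
def reverse_substring(s, start, length):
    # start is counted from the end: "password", from 1, length 2 -> "or"
    end = len(s) - start
    return s[max(end - length, 0):end]
def modify_case(s, mode):
    return s.upper() if mode == "upper" else s.lower()
def encode(s, scheme):
    # URL and Base64 shown here; Burp offers further schemes
    if scheme == "url":
        return quote(s, safe="")
    return base64.b64encode(s.encode()).decode()
def hash_payload(s, algorithm):
    return hashlib.new(algorithm, s.encode()).hexdigest()
def add_raw_payload(s, original):
    return s + original                              # "user" -> "useruser"
def skip_if_matches(s, pattern):
    return None if re.search(pattern, s) else s       # None = drop payload

def run_rules(payloads, rules):
    """Apply (function, *args) rules in order; a None result drops the payload."""
    results = []
    for original in payloads:
        p = original
        for fn, *args in rules:
            # add raw payload needs the untouched original, not an argument
            p = fn(p, original) if fn is add_raw_payload else fn(p, *args)
            if p is None:
                break
        if p is not None:
            results.append(p)
    return results

if __name__ == "__main__":
    rules = [(skip_if_matches, "ss"), (add_suffix, "123"), (encode, "base64")]
    print(run_rules(["user", "password"], rules))    # "password" is skipped
```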


1.3.3 options

Request Engine / Role
Number of threads: controls the number of concurrent attack requests.
Number of retries on network failure: how many times a request is retried after a network failure.
Pause before retry: the wait before a retry. When retrying failed requests, Burp waits the specified time (in milliseconds) before trying again.
Throttle between requests: the wait between requests. Burp can wait a specified delay (in milliseconds) before each request. This option is useful to avoid overloading the application, or to be more stealthy.
Start time: lets you configure the attack to start immediately, after a specified delay, or in a paused state.
grep-match / Role
Match type: whether the specified expression is a simple string or a regular expression.
Case sensitive match: whether the expression is matched case-sensitively.
Exclude HTTP headers: whether the HTTP response headers are excluded from the check.
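
The three grep-match options change what counts as a hit, and "Exclude HTTP headers" in particular decides whether a string such as a cookie name in the headers is reported. The Python below is an added illustration of that logic (not Burp's code); the two responses are constructed samples, not captures from any real application.

```python
import re

# Constructed sample responses (not captured from any real application).
RESPONSES = {
    "failed": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Set-Cookie: session=abc\r\n\r\n<p>Invalid username or password</p>"),
    "success": ("HTTP/1.1 302 Found\r\nLocation: /home\r\n"
                "Set-Cookie: session=def\r\n\r\n"),
}

def grep_match(response, expression, match_type="simple",
               case_sensitive=False, exclude_headers=False):
    """Return True if the expression occurs in the response, honouring the options."""
    haystack = response
    if exclude_headers:
        # headers end at the first blank line; tolerate bare \n as well as \r\n
        parts = re.split(r"\r?\n\r?\n", response, maxsplit=1)
        haystack = parts[1] if len(parts) == 2 else ""
    if match_type == "simple":
        pattern = re.escape(expression)      # literal string, not a regex
    elif match_type == "regex":
        pattern = expression
    else:
        raise ValueError(f"unknown match type: {match_type}")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, haystack, flags) is not None

def flag_responses(responses, expression, **options):
    """Label each named response with whether the grep expression matched."""
    return {name: grep_match(body, expression, **options)
            for name, body in responses.items()}

if __name__ == "__main__":
    print(flag_responses(RESPONSES, "Invalid"))
    print(flag_responses(RESPONSES, "session=", exclude_headers=True))
```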


1.4 repeater

Repeater is a simple tool for manually manipulating and sending individual HTTP requests and analysing the application's responses. You can send a request from anywhere in Burp to Repeater, modify it and send it.

Repeater option / Function
update content-length: automatically updates the Content-Length header.
Unpack gzip / deflate: decompresses compressed content.
Follow redirections: redirect handling; choose one of four modes: never, on-site only, in-scope only, always.
Process cookies in redirections: whether cookies are processed when following redirects.
View: mainly controls the overall layout of the Repeater panel.


1.5 decoder

A simple tool for converting raw data into various encodings and hashes. It can intelligently recognise several encoding formats using heuristics.

The supported encodings and decodings are: URL, HTML, Base64, ASCII code, Hex (hexadecimal), octal, binary and GZIP.

1.6 compare

Burp Comparer provides a visual diff within Burp Suite for comparing and analysing the differences between two pieces of data. Typical scenarios are:

1. While enumerating usernames, comparing the server's responses for a successful and a failed login.

2. When running an Intruder attack, quickly analysing the differences between two server responses.

3. When testing for blind SQL injection, comparing two response messages to judge how the response depends on the injected condition.

1.7 extender

Burp supports third-party extensions, so users can write their own custom plug-ins or install extensions from the BApp Store. Extensions can customise Burp's behaviour in a number of ways, such as modifying HTTP requests and responses, customising the UI, adding custom scanner checks, and accessing key runtime information, including the proxy history, target sitemaps and Scanner issues.

Origin blog.csdn.net/m8330466/article/details/131725118