The environment to build a .burpsuit
Burp Suite can be said Web security tool Swiss Army knife, I intend to write a few Blog at an angle of a small white to learn Burp Suite (referred to as BP), will detail about the usage, explain what each part of the function, Remarks by the main figure to illustrate what each button function. What is wrong with hope passing through the bigwigs noted that since the basic usage is to say it is a basis for comparison, various big brother big God can bypass friends ha ha.
Note: xxx must be greater than 100, otherwise it will start to be burpsuit will flash back 2 download cracked version of pasting code based on the process on it. HTTP: //www.vuln.cn/8847 there download the next connection test can refer to this link : HTTPS: //pan.baidu.com/s/1PqcBQhrnOZHEz4eWyNg6HA extraction code: 2n5q
The basic use of two .burpsuit
1.proxy module
1. The main interface
2. Proxy configurations:
Configuration section can see, BP default listening port 8080, you can add, modify operations:
Can be added, modified listening proxy
page, click Request handling configuration process for the request:
这里解释一下不可见代理:
许多程序并没有像大部分浏览器那样有能让客户选择开启代理的功能,这时如果想要开启代理要使用Invisible proxy,要利用DNS欺骗,如客户端要访问www.A.com,首先要通过DNS欺骗,将BP的IP地址解析为www.A.com,因此客户端会把所有的流量发送给BP,再由BP实现代理,由于请求包中请求的IP换成了BP的IP,因此对要访问的www.A.com要设置对应的IP。这是在Projects options/Connections/Host Resolution中配置(这里实在Projects options模块中配置哟):
如果要访问多个域名,可以生成多个网卡,之后在新建的每个网卡上进行侦听。
接着说Proxy Listeners下面的证书部分,点击Import/export CA certificate。
对HTTPS流量访问的时候,需要伪造证书,通过自签名的证书实现加密流量的截断,解密后进行分析修改再重新加密发给真实服务器。添加证书后不会再在访问HTTPS时报证书错误。
通常为导入公钥证书
使用了BP作为代理时(设置了ip和端口),另一种方式得到证书:
在开启代理后访问:127.0.0.1:8080,点击CA Certificate,进行保存CA证书:
在浏览器设置代理:
然后访问我们设置的代理和ip:127.0.0.1:8080
把上面获得证书后在浏览器中导入。