Some experience using Burp Suite

Background: I recently finished a penetration test of a system. Last night a colleague re-tested it, and when I went over his results I found a vulnerability I had missed.
When I asked him about it, it turned out he had found it with Burp's scanner: he scanned the parameters of a single request, and Burp reported a reflected XSS vulnerability.
Reproducing it by hand, it showed up again. The vulnerability is actually very simple: the website's error message contains the user's input.
The main reason my earlier test did not find it is that I rarely test with Burp's scanner, and when I do I generally scan the entire domain rather than a single request.
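The vulnerability described above, reduced to its essentials, as an added example that is not code from the original post. The handler names and the sample request values are constructed for illustration: one error renderer echoes the raw input (the pattern the post describes), the other HTML-encodes it before it reaches the page body, and a small check mirrors what a per-request scan verifies, namely whether a probe value comes back with its markup characters intact.

```python
"""Reflected XSS in an error message that echoes user input, beside the fix.

Added example, not code from the original post. Handler names and sample
request values are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, urlencode


def render_error_vulnerable(user_input: str) -> str:
    # Pattern from the post: the error page includes the raw request value.
    return f"<p>Error: record '{user_input}' was not found.</p>"


def render_error_fixed(user_input: str) -> str:
    # HTML-encode anything that originated in the request before it is placed
    # in the page body; the browser then renders it as text, never as markup.
    return f"<p>Error: record '{html.escape(user_input, quote=True)}' was not found.</p>"


def handle_lookup(query_string: str, safe: bool = True) -> str:
    """Minimal request handler: reads ?id=... and renders the error page."""
    params = parse_qs(query_string, keep_blank_values=True)  # percent-decodes values
    record_id = params.get("id", [""])[0]
    renderer = render_error_fixed if safe else render_error_vulnerable
    return renderer(record_id)


def is_reflected_unencoded(page: str, marker: str) -> bool:
    """Defender-side check: does the marker appear in the response body with its
    markup characters intact (i.e. not HTML-encoded)?"""
    return marker in page and html.escape(marker, quote=True) not in page


if __name__ == "__main__":
    probe = "<b>probe</b>"  # constructed, harmless marker containing markup characters
    qs = urlencode({"id": probe})  # 'id=%3Cb%3Eprobe%3C%2Fb%3E', as a browser would send it
    print(is_reflected_unencoded(handle_lookup(qs, safe=False), probe))  # True: unencoded reflection
    print(is_reflected_unencoded(handle_lookup(qs, safe=True), probe))   # False: encoded on output
```

The check is the same one a scanner applies per request: submit a distinctive value in a parameter and look for it in the response body unencoded. Scanning the parameters of the request that produces the error page is what surfaces this class of bug; a crawl of the whole domain that never exercises that parameter will not.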

Lessons learned: if you are going to use a scanner during a penetration test, scanning the whole domain with Burp is basically useless; it only turns up some simple information.
Instead, scan individual requests and analyze them; the hit rate is much higher. In general, only the parameters of the request need to be scanned.

By the way, some other experiences of using Burp Suite

1. First, Burp comes with a small tool for CSRF, which most people probably already know about, but CSRF findings are really of little value.
Also, distinguish front-end CSRF vulnerabilities from back-end ones: in terms of impact and exploitation difficulty, front-end CSRF vulnerabilities are usually rated much higher than back-end ones.

2. When digging for vulnerabilities or for unauthorized access, focus on testing the parameters submitted in the request; Burp can help analyze the target during that analysis.

3. When a request replayed in Burp returns a 304 redirect, Burp can be set to follow the redirect.

4. When hunting for XSS vulnerabilities, search the responses for set-cookie and check whether HttpOnly is set on every cookie field.
Also be aware that sometimes the server does not check all of the cookie fields.
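The cookie check from tip 4, automated, as an added example that is not code from the original post. The sample response below is constructed; the script walks every Set-Cookie header in a raw HTTP response and reports cookies that lack HttpOnly (which a script could read) and, as an extra check beyond the tip, Secure.

```python
"""Audit Set-Cookie headers for missing HttpOnly (and Secure) attributes.

Added example, not code from the original post; the sample response is constructed.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and a set of
    lower-cased attribute names (Path, HttpOnly, Secure, ...)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def audit_cookies(raw_response: str) -> List[Dict[str, object]]:
    """Return one finding per cookie that lacks HttpOnly or Secure."""
    head = raw_response.split("\r\n\r\n", 1)[0]  # headers only, drop the body
    findings: List[Dict[str, object]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        field, value = line.split(":", 1)
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = [a for a in ("httponly", "secure") if a not in cookie["attrs"]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing})
    return findings


# Constructed sample: one cookie fully flagged, one with no flags, one missing HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: token=xyz; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        print(f"{finding['name']}: missing {', '.join(finding['missing'])}")
```

On the sample it reports `prefs` (missing httponly, secure) and `token` (missing httponly). Run against responses saved from the proxy history, it answers the tip's question for every cookie at once instead of one search at a time; a session cookie without HttpOnly is what turns a reflected XSS from a nuisance into session theft, so that is the finding to raise first.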


Origin: www.cnblogs.com/bingogo/p/11585704.html