Burp Suite in Detail

Reprinted from: http://www.nxadmin.com/tools/689.html

This article was translated from a foreign website by Adema; please respect the translator's work and indicate the source when reposting.

Burp Suite is one of the best tools for web application testing, and its various functions help us perform many different tasks: intercepting and modifying requests, scanning web applications for vulnerabilities, brute-forcing login forms, and running various checks on the randomness of session tokens. This article is a complete walkthrough of Burp Suite, focusing on the following features.

1. Proxy - Burp Suite comes with a proxy that runs on port 8080 by default. Using this proxy, we can intercept and modify the packets sent from the client to the web application.

2. Spider - Burp Suite's spider function crawls the links and content of a web application. It automatically submits login forms (using user-defined input), so the spider can crawl and scan every link on the site; these links are then scanned in detail to find vulnerabilities in the web application.

3. Scanner - used to scan web applications for vulnerabilities; the testing process may produce some false positives. It is important to remember that automated scanner results can never be 100% accurate.

4. Intruder - this function can be used for a variety of purposes, such as exploiting vulnerabilities, fuzzing web applications, and brute-force guessing.

5. Repeater - this function is used to modify the same request, send it as many times as the situation requires, and analyze the responses.

6. Sequencer - this function is mainly used to check the randomness of the session tokens issued by the web application, performing various tests on them.

7. Decoder - this function can be used to decode data back to its original form, or to encode and encrypt data.

8. Comparer - this function is used to compare any two requests, two responses, or data in any other form.

1) Proxy

The proxy function lets us intercept and modify requests. In order to intercept a request and manipulate it, we must configure our browser to use Burp Suite as its proxy.


Once your browser is set up, open Burp Suite, go to the Intercept tab under Proxy, and make sure that "intercept is on".


Open the Alerts tab and you can see that the proxy is running on port 8080. We can modify this configuration under Proxy -> Options.


Open the Options tab under Proxy.


Here we can edit the port the proxy listens on, or even add a new proxy listener. Burp also has options for presenting certificates to SSL-protected websites. By default, Burp creates a self-signed certificate immediately after installation. When the "generate CA-signed per-host certificates" option is selected, Burp generates a certificate for the specific host we are connecting to, signed by its own CA. The only thing we care about here is that when a user connects to an SSL-protected site, this reduces the number of warnings the browser shows.

If we do not select the "listen on loopback interface only" option, Burp Proxy can be used as a proxy by other systems on the network. This means that any computer on the same network can use Burp Proxy as its proxy and relay its traffic through it.

The "support invisible proxying for non-proxy-aware clients" option is for clients that do not know they are using a proxy. This means the proxy settings are not configured in the browser but, for example, in the hosts file. In this case, unlike with the browser's own proxy option, Burp needs to know that it is receiving traffic from a non-proxy-aware client. The "redirect to host" and "redirect to port" options redirect the client to the host and port we set there.
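
The difference between a proxy-aware and a non-proxy-aware client is visible in the request itself: a browser configured with a proxy puts the absolute URL in the request line, while a client that does not know about the proxy sends only the path, so the listener must take the destination from the Host header. The following is an added example (not Burp's code) that shows how a listener would derive the forwarding target in both cases and apply "redirect to host/port" overrides; the request lines and the host name dvwa.local are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic): one from a proxy-aware
# browser, one from a client that does not know it is talking to a proxy.
PROXY_AWARE = "GET http://dvwa.local/login.php HTTP/1.1\r\nHost: dvwa.local\r\n\r\n"
NON_PROXY_AWARE = "GET /login.php HTTP/1.1\r\nHost: dvwa.local:8080\r\n\r\n"

def parse_target(raw, redirect_host=None, redirect_port=None):
    """Return (mode, host, port, path) that a proxy listener would forward to.

    Proxy-aware clients send the absolute URL in the request line, so the
    destination is read from there. Non-proxy-aware clients send only the
    path (origin-form), so the destination has to come from the Host header,
    which is what "invisible proxying" relies on. redirect_host/redirect_port,
    when given, override the destination like Burp's "redirect to host/port".
    """
    request_line, _, rest = raw.partition("\r\n")
    _method, target, _version = request_line.split(" ")
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = parts.path or "/"
        mode = "proxy-aware"
    else:
        m = re.search(r"^Host:\s*([^\r\n:]+)(?::(\d+))?", rest, re.M | re.I)
        if not m:
            # Without a Host header an invisible proxy cannot know where to send it.
            raise ValueError("origin-form request without Host header")
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else 80
        path = target
        mode = "invisible"
    if redirect_host:
        host = redirect_host
    if redirect_port:
        port = redirect_port
    return mode, host, port, path

if __name__ == "__main__":
    print(parse_target(PROXY_AWARE))
    print(parse_target(NON_PROXY_AWARE, redirect_host="10.0.0.5", redirect_port=443))
```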


Similarly, we can intercept requests and responses according to rules we specify.

There is an option here to modify the HTML pages received in responses. We can unhide hidden form fields, remove JavaScript, and so on. There is also an option to replace a specific pattern it finds with a custom string; for this we need to specify a regular expression. Burp parses the request or response looking for that pattern and replaces it with the custom string.
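
As an added illustration of these response-modification options (example code, not Burp's own implementation), the functions below apply the same three transformations to a constructed HTML body: unhiding hidden form fields, removing inline JavaScript, and a user-supplied regex match-and-replace. The form, field names and script content are constructed sample data.

```python
import re

# Constructed sample response body (not taken from DVWA or any real site).
SAMPLE_HTML = """<html><body>
<form action="/login.php" method="post">
<input type="text" name="username">
<input type="hidden" name="user_token" value="abc123">
<input type="hidden" name="Login" value="1">
<script>document.forms[0].onsubmit = function () { return validate(); };</script>
</form></body></html>"""

def unhide_form_fields(html):
    """Turn every hidden input into a visible text input so the tester can
    see and edit it in the browser (the "unhide hidden form fields" option)."""
    return re.sub(r'type\s*=\s*"hidden"', 'type="text"', html, flags=re.I)

def remove_javascript(html):
    """Strip inline <script> blocks, including multi-line ones
    (the "remove all JavaScript" option)."""
    return re.sub(r"<script\b[^>]*>.*?</script>", "", html, flags=re.I | re.S)

def match_and_replace(html, pattern, replacement):
    """User-defined regex match/replace over the body. The pattern is used
    as given, so an invalid regex raises re.error instead of silently
    passing the body through unchanged."""
    return re.sub(pattern, replacement, html)

def rewrite_response(html, rules=()):
    """Apply the built-in rewrites, then each (pattern, replacement) rule."""
    body = remove_javascript(unhide_form_fields(html))
    for pattern, replacement in rules:
        body = match_and_replace(body, pattern, replacement)
    return body

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_HTML, [(r'value="1"', 'value="0"')]))
```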

2) Spider

Burp Spider is used to map the web application. It automatically crawls the application's links and submits every login form it finds, so that the whole application can be analyzed in detail. These links are passed to Burp Scanner for detailed scanning. In this case we will use DVWA (Damn Vulnerable Web Application). Simply open DVWA in your browser, make sure "intercept is on" in Burp Suite, and once Burp has intercepted the request, right-click the intercepted request and choose "Send to Spider".

Next a warning pops up asking us to "add item to scope". Click "Yes". A scope is then defined for the target we are testing.

In the Target -> Site map tab we can see that a URL has been added to the scope. We can also see that some other targets have already been added to the target list. Burp automatically picks up the target pages we browse through the proxy. We can add any item to our scope by right-clicking it and choosing "add item to scope".

In the Scope tab we can see that the DVWA application has been added to the scope.

Next go to the Spider tab and click "options"; here we can set the various options used when Burp crawls the application. We can have Burp check for the robots.txt file ("check for the robots.txt"), in which case it will try to crawl the directories that the site administrator does not allow search engines to index. Another important option is "passively spider as you browse". Basically, Burp Spider can run in passive or active mode; selecting this option asks Burp Spider to keep track of new content and links to scan as we browse the application through Burp Proxy.

Another important option is "application login". Whenever Burp Spider encounters a login form while crawling, it can automatically submit the credentials we provide. We can also set admin/password as the credentials; once set, they are used as the DVWA credentials. Burp Spider can then submit those credentials automatically and keep crawling in the hope of finding more new information. You can also change the number of threads under the "thread" item.

To start crawling the web application, right-click the target to expand it, then right-click the expanded dvwa item and choose "Spider this branch".

This starts Burp Spider; under the Spider control tab we can see the requests being made, and we can also define a custom scope for Burp Spider.

Once the run completes, we see many new URLs under the dvwa branch; these give us a lot of information about the web application. We can then send these links to Burp Scanner for vulnerability scanning. Burp Scanner is only available in the Professional edition.

3) Intruder

Burp Intruder can be used for exploiting vulnerabilities, fuzzing, brute-force guessing and so on. In this case we will use Burp Suite's Intruder to perform a brute-force attack against DVWA. Browse to DVWA, click "Brute Force", enter any username and password, make sure "intercept is on" in Burp Suite, then click Login.

The login request is intercepted by Burp Suite; right-click it and choose "send to intruder".

This sends the request to the Intruder function. Go to the Intruder tab and configure Burp Suite to launch the brute-force attack. Under the Target tab we can see that the target to attack has already been set.

Go to the Positions tab, where we can see the request we previously sent to Intruder. Some important information is highlighted in a different colour. This is basically Burp Suite's guess at which parts of the request will change during the brute-force attack. In this case only the username and password change, so we need to configure Burp accordingly.


Click the "clear" button on the right to remove all the highlighted information. Next we need to configure Burp to use only the username and password as parameters in this attack. Select the username in this request (in this example the username is "infosecinstitute") and click "Add". Add the password from the request in the same way. After this, the username and password become the first and second parameters. Once you are done, the output should look like the figure below:

Next we need to set the attack type. The default attack type is "Sniper"; in this example we will use "Cluster Bomb". There are four attack types: sniper, battering ram, pitchfork and cluster bomb. In the figure below we see that our attack type is "Cluster Bomb".

Go to the Payloads tab, make sure the value of "payload set" is 1, and click "load" to load a file containing usernames. In this example we use a very small file for demonstration. After loading, the usernames from the file appear as shown below.

Likewise set "payload set" to 2 and click "load" to load a password dictionary file.

Go to the "options" tab and make sure that "store requests" and "store responses" under Results are selected.

Click "Intruder" in the top left to start the attack; a window pops up containing all the requests we built.

How do we determine which login request succeeded? A successful request produces a different response from the unsuccessful ones. In this case we see that the response length for username "admin" and password "password" differs from the other requests.

Based on the differing response, click "request". If we click the "response" option, we see the text "welcome the password protected area admin" in the response, which means the username/password used in this request is correct.


Intruder is one of Burp Suite's most powerful functions; we should study its use carefully.
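
Seen from the server side, a Cluster Bomb run like the one above leaves a very recognisable trace: a burst of POSTs to the login page from one address, almost all answered with the same failure page, and the one successful attempt standing out by its different response length. The following is an added example (not part of the original walkthrough) of detection logic that finds that pattern in Combined Log Format lines; the log lines, addresses, the path /login.php and the response sizes are all constructed sample data.

```python
import re
from collections import defaultdict

# Combined Log Format, e.g.
# 10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 4721
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

def _line(ip, sec, status, size, path="/login.php"):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" {status} {size}'

# Constructed sample log: 12 login POSTs from one address, exactly one of which
# got a page of a different size (the "welcome" page), plus a second address
# that only tried twice and then fetched an unrelated page.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.7", i, 200, 4721) for i in range(11)]
    + [_line("10.0.0.7", 11, 200, 4810)]
    + [_line("10.0.0.9", 20, 200, 4721), _line("10.0.0.9", 21, 200, 4810)]
    + [_line("10.0.0.9", 22, 200, 1200, path="/index.php")]
)

def detect_login_bursts(log_text, login_path="/login.php", threshold=10):
    """Group login POSTs by client address, flag addresses at or above the
    attempt threshold, and report the responses whose size deviates from the
    most common (failed-login) size: those are the attempts to check first."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        attempts[m["ip"]].append((int(m["status"]), int(m["size"])))
    findings = {}
    for ip, results in attempts.items():
        if len(results) < threshold:
            continue
        sizes = [size for _, size in results]
        baseline = max(set(sizes), key=sizes.count)
        findings[ip] = {
            "attempts": len(results),
            "baseline_size": baseline,
            "outliers": [r for r in results if r[1] != baseline],
        }
    return findings

if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

The same response-length leak that lets Intruder spot the valid pair is what makes the successful attempt visible in the logs; returning identically sized pages for success and failure, and rate-limiting the login endpoint, removes both signals.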

4) Repeater

With Burp Repeater we can manually modify a request, send it, and analyze the response that comes back. We can send requests to Burp Repeater from various places, such as Intruder, Proxy and so on. To send a request to Repeater, just right-click it and choose "send to Repeater".

Open the Repeater tab; you will see the request, and also three tabs named 1, 2 and 3.

We can also see the request in Params, Headers, Hex and Raw formats, and we can modify any of them before sending the request.

Just change username=admin and password=password under the Params tab and click Go; this sends the request.

We can analyze the returned response in the Response section.


Several parts of the functionality are not translated; because of my limited English skills and work experience, many professional terms may not be translated accurately. The original URL is pasted below so you can read it for comparison.


Original Address: http://resources.infosecinstitute.com/burp-suite-walkthrough/

Origin: www.cnblogs.com/liujizhou/p/11688044.html