Network security self-study: Burp Suite tool installation and configuration, Proxy basic usage

2020/12/31 19:55:17 entertainment 1724

I. Burp Suite tool installation and configuration


1. Burp Suite

Burp Suite is an integrated platform for security testing of, and attacks on, web applications. It seamlessly integrates various security tools to support the entire testing process, from initial mapping and analysis of the application's attack surface to the discovery and exploitation of security vulnerabilities.

Burp Suite provides many interfaces between these tools to speed up the process of attacking applications. All tools share a common framework for handling HTTP messages, persistence, authentication, proxies, logging, and alerts. Burp Suite combines advanced manual techniques with advanced automation to make your work faster, more effective and more interesting.

Burp Suite is written in Java, so you need to install the JDK environment before using it. I will not specifically explain how to install the JDK here. The author downloaded a version from CSDN and it runs normally.

Official download address: https://portswigger.net/burp

2. Installation process

Installation is very simple: just keep clicking "Next" to install.

After the installation succeeds, run Burp Suite as shown below and click "Next" -> "Start Burp" to display the main interface.

3. Functional modules

Burp Suite covers almost the entire security testing process, from initial information gathering on the target application to vulnerability scanning and exploitation. The tight integration of its modules makes the security testing process more efficient. The main modules are as follows:

  • Target: displays the target's directory structure.
  • Proxy: the proxy Burp Suite sets up to capture data packets. This HTTP/S intercepting proxy sits between the browser and the target application, allowing you to intercept, view, and modify the raw traffic in both directions.
  • Spider: crawls the links and content of a web application.
  • Scanner: an advanced tool that automatically finds security vulnerabilities in web applications. It is mainly used to scan for common web vulnerabilities, but there may be false positives.
  • Intruder: a highly configurable tool for automating customized attacks and brute-force guessing against web applications, such as enumerating identifiers, collecting useful data, and detecting common vulnerabilities using fuzzing.
  • Repeater: replays a data packet (manually triggering an individual HTTP request) so that you can analyze the server's response and judge the effect of modifying parameters.
  • Sequencer: checks the randomness of session tokens issued by a web application, analyzing the randomness of session tokens and other important data items that are meant to be unpredictable.
  • Decoder: encodes and decodes data, including URL, HTML, base64, etc.
  • Comparer: compares any two requests, responses or other pieces of data, usually related requests and responses, to obtain a visual "difference" between the two.
  • Extender: loads Burp Suite extensions, so that you can extend Burp Suite's functions with your own or third-party code.
  • Options: settings for Burp Suite, such as font, encoding, etc.
  • Alerts: stores error information, used to troubleshoot errors.

4. Configure proxy

(1) Add the FoxyProxy add-on.

Search for "foxyproxy" under "Settings" -> "Add-ons", then add and install the add-on, as shown in the figure below.

Click Add to install. After it is added successfully, you can turn the FoxyProxy function on or off, as shown in the figure below.

(2) Set the Firefox local proxy. In "Network", set the HTTP proxy to 127.0.0.1 and the port number to 9090.

(3) Then set up the Burp Suite proxy: add a proxy listener on 127.0.0.1 with port number 9090, and enable it.

(4) Use the Firefox browser to open the website to obtain web page related information.


II. Burp Suite tool: Target


This function is mainly used to browse the contents and elements of the website. Here a school management system is used as an example, and the contents of the website are shown as follows.

The information obtained includes Host, request method, URL, parameters, status code, title, Comment, Time, etc., and you can set a comment on the corresponding URL. For example, the author adds the comment "login page".

The lower right part can display Request and Response information, including Raw, Headers, Hex, HTML, etc., as shown in the figure below.

Click the upper left part of the Site map to select what is displayed: HTML, CSS, images, etc.; status codes 2xx, 3xx, 4xx, 5xx; show and hide settings, and so on. This lets you narrow the displayed items down to what you need by request type, request status, MIME type, search keyword, file suffix, listening port, etc.

For example, if the author sets it to display only pages with a 2xx status code, the result is as shown in the figure below.

At the same time, you can customize the background color for different items to represent different functions or types. If you think that a certain data packet is more important, you can set the current data packet to an eye-catching color to indicate its importance.

Right-click the link to achieve more functions, such as Spider, Scope, etc.

Scope mainly cooperates with Site map to do some filtering functions, as shown in the figure.


III. Burp Suite tool: Proxy


Proxy mainly includes four tabs: Intercept, HTTP history, WebSockets history, and Options.

Reference articles:

  • BurpSuite basic tutorial, part 8: other operations (capturing HTTPS traffic & using filters)
  • BurpSuite basic tutorial: Proxy module
  • Web security - BurpSuite in practice (part 1)
  • Blog Park (cnblogs): introduction to using Burp Suite
  • "Web service security offensive and defensive combat Guide", by Chen Xiaoguang and others

1. Intercept module

This module is mainly used to control the captured data packets, used to display and modify the HTTP request and response content, and can quickly send intercepted HTTP requests to other modules for processing.

For example, with "Intercept is on" enabled, enter the user name and password in the Firefox browser and click login; you can then see the user name and password intercepted by Burp Suite.

  • Raw: displays the data packet.
  • Params: shows the request parameters, including the URL query string and cookies; double-click a value to modify it.
  • Headers: displays the obtained data packet in the form of names and values.
  • Hex: allows the binary data of the data packet to be edited, which is very useful for 00 truncation.

The intercepted information is as follows, where the password is an MD5 hash.

    POST /cas/login HTTP/1.1
    Host: xxxxx.edu.cn
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    Accept: text/html,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Referer: http://xxxxx.edu.cn/cas/login
    Cookie: key_dcp_cas=nyfjdGZGmmYYdbN1fv2G349LydwzRhnrbGLqj4LMpRGd1YL3Qstl!-94055740
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 221

    %xxxFcp%3Axservice=http .jsp&serviceName=null&loginErrCnt=0&username=20190804&password=e10adc3949ba59abbe56e057f20f883e&replace-pwd=...


Using an online decryption service, you can see that the password is "123456"; of course, this is a wrong user name and password.

username=20190804 password=e10adc3949ba59abbe56e057f20f883e

2. HTTP history module

This module records all requests that pass through the proxy server, even when Intercept is off. The recorded fields include Host (host), Method (request method), URL (request address), Params (parameters), Edited (edited), Status (status), Length (response length in bytes), MIME type (response MIME type), Extension (file extension of the address), Title (page title), Comment (comment), SSL, IP (destination IP address), Cookies, Time (request time), and Listener port (listening port).

When we select a request, we can view its request packet information as well as its response packet information.

Double-click a data packet to open the details, and switch to other data packets through the Previous/next function. At the same time, the data packet can also be sent to other functional modules.

3. WebSockets history module

This module is used to record WebSockets data packets. WebSocket is the most powerful communication feature in HTML5: it defines a full-duplex communication channel that needs only a single socket on the Web for communication, which reduces unnecessary network traffic and network latency.

4. Options module

This module is mainly used to configure proxy listeners, request and response interception, response modification, match and replace, SSL, etc.

(1) Set proxy

A proxy listener is a local HTTP proxy server that listens for incoming connections from your browser. It allows you to monitor and intercept all requests and responses, and is at the heart of Burp Proxy's workflow. By default, Burp listens on address 127.0.0.1 and port 8080.

(2) Configure interception rules

This sets the matching rules for interception. When "Intercept requests based on the following rules" is selected, Burp Suite intercepts or forwards requests according to the rules configured in the list. Note: if the check box is unchecked, packets are not intercepted even if Intercept is on.

As shown in the figure below, create a rule: only intercept data packets matching DVWA in the request header. In actual use, we may need to create more and more complex rules to find the desired packet.

(3) Configure the response interception rules (Intercept Server Responses)

This intercepts the response so that the return value in the response can be modified.

(4) Response Modification

This is used to modify responses automatically. You can use these options to automatically modify matching content in HTML responses. For example, to reveal and highlight hidden parts, check "Unhide hidden form fields" (show form fields whose type is hidden in the HTML) and "Prominently highlight unhidden fields" (highlight the revealed fields). An example is as follows:

"Remove JavaScript form validation" deletes JavaScript form validation. Some sites validate form content through JavaScript, such as string length, file suffix, string format, etc.; with this option enabled, the validation JavaScript is removed. For more detailed knowledge, readers are recommended to read the blog:

https://www.jianshu.com/p/73e1b0a974cc


IV. Burp Suite tool brute-force example


Take a certain URL as an example to perform a simple brute-force test. Note that it is an HTTP login request.

The first step is to intercept the request with Burp Suite and find the request parameters to tamper with:

TextBoxUserName=15200000000

TextBoxPwd=111111

In the second step, right-click in the interface and select "Send to Intruder" (Ctrl+I) in the pop-up menu. The request data is then sent to the Intruder module, and the Intruder tab turns red.

In the third step, use the Intruder module in the Burp Suite tool to configure the cracking parameters, run the cracking task and successfully crack the user name and password.

(1) Select the Positions option in the Intruder module, and click the "Clear" button to clear the special symbols "§" before and after the relevant default parameters.

(2) Use the mouse to select the password parameter value in the request data (the password value to be brute-forced), and click the "Add §" button to mark the position:

TextBoxPwd=§111111§

(3) Select the Payloads option, click "Load items from file", select the brute-force password file in the pop-up dialog box and click the "Open" button to import the password list.

(4) Click the "Start attack" button to start the crack test.

(5) In the pop-up "Intruder attack" window, you can judge whether the cracking succeeded from the response length (Length). The password hidden here is "013579", which has the largest Length and is the final password. Note that the greater the Length, the greater the password match.

You can also determine whether it succeeded by looking at the response content or the status information.

Response information for a wrong password:

Response information for the correct password:

(6) Try to log in with the cracked password.

(7) If the password is MD5 hashed, as on the website tested in Part III above, the following setting is required: click "Add" in "Payload Processing" and add an MD5 hash step.

The attack then looks as shown in the figure below, matching against the hashed values.

Personal suggestions for preventing brute-force cracking, with reference to Chen Xiaoguang's web attack and defense book, which I also recommend everyone read:

  • Add a verification code to the login. Each time a login fails, the verification code is replaced.
  • Configure a login failure limit policy: if the same user fails to log in more than 4 times within 5 minutes, that user is prohibited from logging in to the system for 2 hours.
  • When conditions permit, add a verification code received by SMS on a mobile phone or by email, so that two-factor authentication serves as an anti-brute-force mechanism.
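
The login failure limit policy from the list above, implemented as an added example (not code from the original article): a sliding-window counter that locks an account for 2 hours after more than 4 failures within 5 minutes. The class and function names are hypothetical, timestamps are passed in as plain seconds, and the sample attempt list is constructed.

```python
from collections import defaultdict, deque

# Thresholds taken from the policy in the list above.
MAX_FAILURES = 4                 # "more than 4 times": the 5th failure locks
WINDOW_SECONDS = 5 * 60          # "within 5 minutes"
LOCKOUT_SECONDS = 2 * 60 * 60    # locked for 2 hours


class LoginThrottle:
    """Per-user failure counter with a sliding window (hypothetical helper)."""

    def __init__(self):
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lock expired: start from a clean slate
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, password_ok, now):
        """Return "ok", "failed" or "locked" for one login attempt at time `now`."""
        if self.is_locked(user, now):
            return "locked"                  # rejected even if the password is right
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:   # drop failures older than 5 minutes
            recent.popleft()
        if len(recent) > MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def replay(attempts):
    """Feed (user, password_ok, timestamp) tuples through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.record_attempt(u, ok, t) for u, ok, t in attempts]


# Constructed sample: one guess per second against the account from the request
# above, where the sixth guess happens to be the right password.
GUESSING_RUN = [("15200000000", False, t) for t in range(5)] + [("15200000000", True, 5)]

if __name__ == "__main__":
    print(replay(GUESSING_RUN))
```

Because anyone who knows a user name can trigger a per-account lock, this measure is normally combined with the other two items in the list rather than used alone.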

Supplementary knowledge: during system login, the usual process is that the user name and password are first sent to the server; the server hashes the submitted password with a hash algorithm and compares it with the hashed value stored in the database. If they are the same, the password submitted by the user is judged to be correct.

However, in some website systems the password is hashed in the front-end browser client, then transmitted to the server and compared with the hashed value in the database. If they are the same, the password submitted by the user is judged to be correct. This process is not very good: it reveals the password hashing method, causing security risks.
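
An added example (not from the original article) contrasting the two login flows described above, using the MD5 value from the intercepted request. The account names and the PBKDF2 work factor are assumptions, and the hardened flow presumes the login form is served over HTTPS, because the password itself is sent to the server.

```python
import hashlib
import hmac
import os

# Value of the password parameter in the intercepted request shown earlier.
CAPTURED_MD5 = "e10adc3949ba59abbe56e057f20f883e"
PBKDF2_ITERATIONS = 600_000   # assumption: work factor chosen for this example


def browser_md5(password):
    """Weak flow: the browser sends an unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_server_login(submitted_hash, stored_hash):
    """Weak flow: the server only compares the received value with the stored one,
    so the hash is the credential and replaying it needs no password."""
    return hmac.compare_digest(submitted_hash, stored_hash)


def make_record(password):
    """Hardened flow: the server derives a salted, slow hash and stores (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def server_login(password, record):
    """Hardened flow: recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed accounts: two users who both chose the password from the capture.
    weak_db = {"alice": browser_md5("123456"), "bob": browser_md5("123456")}
    strong_db = {"alice": make_record("123456"), "bob": make_record("123456")}
    return {
        # Unsalted MD5: same password gives the same stored value as the capture,
        "weak_values_identical": weak_db["alice"] == weak_db["bob"] == CAPTURED_MD5,
        # and the captured value alone is accepted as a login.
        "weak_replay_accepted": weak_server_login(CAPTURED_MD5, weak_db["alice"]),
        # Per-user salt: same password gives different stored records.
        "strong_values_identical": strong_db["alice"] == strong_db["bob"],
        "strong_password_accepted": server_login("123456", strong_db["alice"]),
        # To the hardened server the captured MD5 string is just a wrong password.
        "strong_replay_accepted": server_login(CAPTURED_MD5, strong_db["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```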


V. Security certificate installation for Firefox HTTPS access


To visit HTTPS websites through the proxy, we need to download the Burp Suite certificate and import it into the browser. The basic process is as follows:

The first step is to configure the browser proxy.

In the second step, enter http://burp in the address bar and press Enter to download the certificate. Note that the certificate here cannot be zero bytes, or you can find a cracked version.

The third step is to import the certificate into the browser. In Firefox, choose -> Advanced -> Certificate -> View Certificate -> Certificate Authority.

The fourth step is to import the certificate and trust the certificate.

As shown in the figure below:

The fifth step is to find an HTTPS website to test. But the author tested Baidu to no avail, and the intercepted website was not right, speechless~

Reference:

https://blog.csdn.net/zyw_anquan/article/details/47904495


VI. The end of this article

In fact, network security is quite interesting, especially after a problem is finally solved. Every article stands on the shoulders of countless experts. As a beginner in network security, I deeply feel that I have too much to learn. Fortunately, I have a fairly good attitude, and I am taking one step forward every day. I hope this basic article is helpful to you. If there are errors or shortcomings, please forgive me. I will share more articles on network security in the future. It is difficult to start from scratch, but Xiuzhang will go all the way. Come on.
