• All about Using Burp Suite


    1、how  to use burpsuite

       I can't thank them enough for allowing us to test web application ,making sure they are secure against threats . if you ues it another way ,all duty afford yousleves.

       this version is 2.0.04  before load running ,you should  function the key burp-loader-keygen-jas502n,because  the  authentic burpsuite not cheap , besids ,burp offers many options for only 350USD per year . we can use burp  differentiate the real vulnerabilities from the false ones.

    2、if you use the perburpSuite ,you can you commands : java -jar -Xmx2G /[path ]/[burp.jar]    fireStart

    3、Visualizing the application structure using Burp Suite 

         The Burpsuite offers the following function :

           Visualize ,  Scope 、 Search the web hindder contents 、 lists  comments 、scripts 、analyze 、report 

    4、we can se the burp Proxy it as a man-in-the-middle between your browser and destination wen servers ,it let you intercept,inspect and modify the raw trafficc passing in the bouth directions. 

    take notes: if you  penetration with the https website you should install Burp's CA cerficate .an follow

    5、Crawling the web application using Burp Splider

           ususlly speaking Spider the website there is therr ways :

            the first: Manually crawing by use the Intruder tool ; the second  Automatically Crawing by use Spider ; finally  use the Discover Content tool

    if you want a manual  as follow (the aims is to find intersting directions )

     

     

     besides it , another way automated crawing and finding hidden spots,but ,you should be careful ,and it can cause the site to malfunction

      

    6、looking for the web vulnerablities using the Scanner,you can use the repeater to make sure that there's not a false positive

    finally it's time to generate a report ,back the Target tab select the aim target host and selece issue,report the issue.

    7、replaying web  requests using the repeater tab

      I usually  check the parameter ,changing the parameter values (for example, testing input-based vulnerabilities )

    8、Fuzzing web requesting using the Intruder tab

        Brup inttruder use for automation  and it can enumerate 、fuzz、and harvest data form the target web application . when i started using Burp ,the first thing that I lerned was to burp—force login credentials .

         so let see the Intreder attack types:

         Sniper ------> you can use it for only one payload ,you can use for fuzzing direction names.fuzzing the query string value,fuzzing the product name in the url

         Battering Ram --------> this uses a single payload ,it alows sb palce the same payload into all defined position

        Cluster bomb-------> this ones can use multiple payloads foe each position (maximum is 20 )

       Pitchfork---------> this attack is used when an attack requries different ,but related, input to be inserted in multiple places in the request

    9、installing third-party apps using Burp Extender

          as this section  if  you use the proBurpSuite  you can install third-party apps

         but  before you install ,you need configure a library  an follow,(Some of these libraries need to be turned over )

  • 相关阅读:
    文件管理系统(JQuery插件+Ajax)
    十大Ajax框架
    WSS3.0开发你还在为写CAML痛苦吗?
    vue获取微博授权的URL
    微博三方登录原理
    阿里云短信服务
    JWT原理和COOKIE原理
    django数据库的ORM操作
    celery原理与组件
    生成微博授权URL
  • 原文地址:https://www.cnblogs.com/xinxianquan/p/10193271.html
Copyright © 2020-2023  润新知