|
target在渗透攻防中的利用 可以用来收集目标站点的更多资产 可以探测一些自动加载的接口、内容等,有的内容并不能被访问者直接看见,通过抓包的方式就可以一目了然。 
1栏中是流量信息,其中包含着你所请求的流量 2栏中是对1栏中内容的一个展开目录 3栏中是重要信息,其中包含一些漏洞信息(不过基本没什么用)灰色和蓝色代表正常,红色代表有问题 4栏中是对3栏中内容的详细介绍 5栏和6栏中是请求数据包和应答数据包的内容 
Site map过滤器使用 只显示符合Scope规则配置的请求:点击Site map上方的过滤器,勾选Show only in-scope items并保存 
从所有的URL中筛选带有参数的网址,以便于实现代码层面的攻击,如SQL注入等:勾选Show only parameterized requests 
通过关键字搜索过滤,如以下搜索login 
scope 功能模块详解Target Scope中作用域的定义比较宽泛,通常来说,当我们对某个产品进行渗透测试时,可以通过域名或者主机名去限制拦截内容,这里域名或主机名就是我们说的作用域;如果我们想限制得更细一点,比如,你只想拦截login目录下的所有请求,这时我们也可以在此设置,此时作用域就是目录。总体来说,Target Scope主要使用于下面几种场景中: 限制Site map和Proxy 历史中的显示结果告诉Burp Proxy 拦截哪些请求告诉Burp Spider抓取哪些内容告诉Burp Scanner自动扫描哪些作用域的安全漏洞在Burp Intruder和Burp Repeater 中指定URL简单来说,通过Target Scope 我们能方便地控制Burp 的拦截范围、操作对象,减少无效的噪音。 在Target Scope的设置中,主要包含两部分功能:包含规则和去除规则。在包含规则中的,则认为需要拦截处理,会显示在Site map中;而在去除规则里的,则不会被拦截,也不会显示在Site map里 
Incude in scope 定义范围内规则exclude from scope 定义排除范围内规则渗透测试过程中,可以通过域名或者主机名去限制拦截内容,如果想细粒度化,比如只想拦截login目录下的所有请求,此时的作用域就是目录场景:1、限制站点地图和proxy历史中的显示结果2、告诉Burp proxy 拦截哪些请求3、burp spider抓取哪些内容4、burp scanner自动扫描哪些作用域的安全漏洞5、在burp Intruder和Burp Repeater中指定URL 在Target Scope的设置中,主要包含两部分功能:包含规则和去除规则。在包含规则中的,则认为需要拦截处理,会显示在Site map中;而在去除规则里的,则不会被拦截,也不会显示在Site map里。 
需注意,要勾选使用高级配置Use advanced scope control,此时才可从协议、域名/IP、端口、文件名4个维度去配置规则。 实战案例一:只想查看某个网站的信息。 在Site map中,选择该网站,右键Add to scope;这时,会自动将该网站转换成正则表达式添加进Scope的包含规则里 
点击Site map上方的过滤器,勾选Show only in-scope items并保存,这是Site map就只会显示选择的网站了 
四、Issue definitions漏洞列表,即列出了BurpSuite可以扫描到的漏洞详情。 
sQL injectionsQL注入sQL injection (second order)sQL注入(二阶)ASP.NET tracing enabledASP.NET跟踪已启用File path traversal文件路径遍历XML external entity injectionLDAP injectionXML外部实体注入LDAP注入XPath injectionXPath注入XML injectionXML注入ASP.NET debugging enabledASP.NET调试已启用HTTP PUT method is enabledHTTP PUT方法已启用Out-of-band resource load带外资源负载(HTTP)File path manipulation(HTTP)文件路径操作PHP code injection代码注入Server-side JavaScript code injection服务器端JavaScript代码注入Perl code injectionPerl代码注入Ruby code injectionRuby代码注入Python code injectionPython代码注入Expression Language injection表达式语言注入Unidentified code injection未识别代码注入Server-side template injection服务器端模板注入sSl injectionsSl注入Cross-site scripting (stored)跨站点脚本(已存储)HTTP request smugglingHTTP请求走私Web cache poisoningWeb缓存中毒HTTP response header injectionHTTP响应标头注入Cross-site scripting (reflected)跨站点脚本(反映)Client-side template injection客户端模板注入Cross-site scripting (DOM-based)跨站点脚本(基于DOM)Cross-site scripting (reflected DOM-based)跨站点脚本(基于DOM)Cross-site scripting (stored DOM-based)跨站点脚本(基于存储的DOM)JavaScript injection (DOM-based)JavaScript注入(基于DOM)JavaScript injection (reflected DOM-based)JavaScript注入(基于DOM的反射)JavaScript injection (stored DOM-based)JavaScript注入(基于存储的DOM)Path-relative style sheet import路径相关样式表导入Client-side sQL injection (DOM-based)客户端sQL注入(基于DOM)Client-side sQL injection (reflected DOM-based)客户端sQL注入(基于DOM的反射)Client-side SQL injection (stored DOM-based)客户端SQL注入(基于存储的DOM)WebSocket URL poisoning (DOM-based)WebSocket URL中毒(基于DOM)WebSocket URL poisoning (reflected DOM-based)WebSocket URL中毒(基于DOM)WebSocket URL poisoning (stored DOM-based)WebSocket URL中毒(基于存储的DOM)Local file path manipulation (DOM-based)本地文件路径操作(基于DOM)Local file path manipulation (reflected DOM-based)本地文件路径操作(基于DOM的反射)Local file path manipulation (stored DOM-based)本地文件路径操作(基于存储的DOM)Client-side XPath injection (DOM-based)客户端XPath注入(基于DOM)Client-side XPath injection (reflected DOM-based)客户端XPath注入(基于DOM的反射)Client-side XPath injection (stored DOM-based)客户端XPath注入(基于存储的DOM)Client-side JSON injection (DOM-based)客户端JSON注入(基于DOM)Client-side JSON injection (reflected DOM-based)客户端JSON注入(基于DOM的反射)Client-side JSON injection (stored DOM-based)客户端JSON注入(基于存储的DOM)Flash cross-domain policy闪存跨域策略Silverlight cross-domain policySilverlight跨域策略Cross-origin resource sharing跨源资源共享Cross-origin resource sharing: arbitrary origin trusted跨源资源共享:任意源受信任Cross-origin resource sharing: unencrypted origin trusted跨源资源共享:未加密的源受信任Cross-origin resource sharing: all subdomains trusted跨源资源共享:所有子域均受信任Cross-site request forgery跨站请求伪造SMTP header injectionSMTP标头注入Cleartext submission of password明文提交密码External service interaction (DNS)外部服务交互(DNS)External service interaction (HTTP)外部服务交互(HTTP)External service interaction (SMTP)外部服务交互(SMTP)Referer-dependent response取决于裁判的反应Spoofable client lP address假脱机客户端IP地址User agent-dependent response依赖于用户代理的响应Password returned in later response在稍后的响应中返回密码Password submitted using GET method使用GET方法提交的密码Password returned in URL query stringURL查询字符串中返回的密码sQL statement in request parameter请求参数中的sQL语句Cross-domain POST跨域POSTASP.NET ViewState without MAC enabled未启用MAC的ASP.NET ViewStateXML entity expansionXML实体扩展Long redirection response长重定向响应Serialized object in HTTP messageHTTP消息中的序列化对象Duplicate cookies set重复cookie集lnput returned in response (stored)响应中返回的输入(已存储)lnput returned in response (reflected)响应中返回的输入(反映)Suspicious input transformation (reflected)可疑输入转换(反映)Suspicious input transformation (stored)可疑输入转换(已存储)Request URL override请求URL覆盖Vulnerable JavaScript dependency易受攻击的JavaScript依赖项Open redirection (reflected)打开重定向(反射)Open redirection (stored)打开重定向(已存储)Open redirection (DOM-based)开放重定向(基于DOM)Open redirection (reflected DOM-based)开放重定向(基于DOM的反射)Open redirection (stored DOM-based)开放重定向(基于存储的DOM)TLS cookie without secure flag set未设置安全标志的TLS cookieCookie scoped to parent domainCookie作用域为父域Cross-domain Referer leakage跨域引用泄漏Cross-domain script include跨域脚本包括Cookie without HttpOnly flag set未设置HttpOnly标志的CookieSession token in URLURL中的会话令牌Password field with autocomplete enabled启用自动完成的密码字段Password value set in cookiecookie中设置的密码值File upload functionality文件上载功能Frameable response (potential Clickjacking)可框架响应(潜在点击劫持)Browser cross-site scripting filter disabled浏览器跨站点脚本筛选器已禁用HTTP TRACE method is enabledHTTP TRACE方法已启用Cookie manipulation (DOM-based)Cookie操作(基于DOM)Cookie manipulation (reflected DOM-based)Cookie操作(基于DOM的反映)Cookie manipulation (stored DOM-based)Cookie操作(基于存储的DOM)Ajax request header manipulation (DOM-based)Ajax请求头操作(基于DOM)Ajax request header manipulation (reflected DOM-based)Ajax请求头操作(反映基于DOM)Ajax request header manipulation (stored DOM-based)Ajax请求头操作(基于存储的DOM)Denial of service (DOM-based)拒绝服务(基于DOM)Denial of service (reflected DOM-based)拒绝服务(基于DOM的反射)Denial of service (stored DOM-based)拒绝服务(基于存储的DOM)HTML5 web message manipulation (DOM-based)HTML5 web消息操作(基于DOM)HTML5 web message manipulation (reflected DOM-based)HTML5 web消息操作(基于DOM的反射)HTML5 web message manipulation (stored DOM-based)HTML5 web消息操作(基于存储的DOM)HTML5 storage manipulation (DOM-based)HTML5存储操作(基于DOM)HTML5 storage manipulation (reflected DOM-based)HTML5存储操作(基于DOM)HTML5 storage manipulation (stored DOM-based)HTML5存储操作(基于存储DOM)Link manipulation (DOM-based)链接操作(基于DOM)Link manipulation (reflected DOM-based)链接操作(基于DOM的反映)Link manipulation (stored DOM-based)链接操作(基于存储的DOM)Link manipulation (reflected)链接操作(反映)Link manipulation (stored)链接操作(已存储)Document domain manipulation (DOM-based)文档域操作(基于DOM)Document domain manipulation (reflected DOM-based)文档域操作(基于DOM的反映)Document domain manipulation (stored DOM-based)文档域操作(基于存储的DOM)DOM data manipulation (DOM-based)DOM数据操作(基于DOM)DOM data manipulation (reflected DOM-based)DOM数据操作(基于DOM的反射)DOM data manipulation (stored DOM-based)DOM数据操作(基于存储的DOM)csS injection (reflected)csS注入(反射)css injection (stored)css注入(已存储)Client-side HTTP parameter pollution (reflected)客户端HTTP参数污染(反映)Client-side HTTP parameter pollution (stored)客户端HTTP参数污染(已存储)Form action hijacking (reflected)表单动作劫持(反映)Form action hijacking (stored)表单动作劫持(已存储)Database connection string数据库连接字符串disclosedSource code disclosure泄露源代码泄露Backup file备份文件Directory listing目录列表Email addresses disclosed披露的电子邮件地址Private lP addresses disclosed公开的私有IP地址Social security numbers disclosed披露的社会保障号码Credit card numbers disclosed信用卡号已披露Private key disclosed私钥已公开Robots.txt file机器人。txt文件Cacheable HTTPs response可缓存HTTPs响应Base64-encoded data in parameter参数中的Base64编码Multiple content types specified数据指定了多个内容类型HTML does not specify charsetHTML未指定字符集HTML uses unrecognized charsetHTML使用了无法识别的字符集Unencrypted communications未加密通信Strict transport security not enforcedMixed content未实施严格的传输安全混合内容Extension generated issue扩展生成的问题Content type incorrectly stated内容类型不正确Content type is not specified未指定内容类型TLS certificateTLS证书对网站进行被动扫描:在Site map中,右键网站,点击Passively scan this host 被动扫描时,BurpSuite不会重新发送新的请求,只是对已经存在的请求和应答进行分析 
对某个数据包进行被动扫描:右键URL,点击Do passive scan 
导出扫描报告:在Site map中右键网站:Issue—>Report issues for this host 
|