Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...

Avatar for no1zy no1zy
March 11, 2019
5
1.7k

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Burp Suite Japan LT Carnivalでの発表資料

Avatar for no1zy

no1zy

March 11, 2019
Tweet

More Decks by no1zy

See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
Avatar for no1zy no1zy
14
4.8k

Featured

See All Featured
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
130
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
150
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.7k
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
200
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
The Impact of AI in SEO - AI Overviews June 2024 Edition
Avatar for Aleyda Solis aleyda
5
750
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.1k
My Coaching Mixtape
Avatar for mlcsv mlcsv
0
63
New Earth Scene 8
Avatar for Sydney Stone popppiees
1
1.7k

Transcript

  1. Burp SuiteͷศརͳػೳͰ όάό΢ϯςΟ No1zy

  2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • ৽ถόάϋϯλʔ • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ

    612ສԁ

  3. όάϋϯλʔ͸Burp Suite͕େ޷͖ The 2019 Hacker Report

  4. Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

  5. ঺հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze

    target શͯPro൛ͷΈͰར༻Ͱ͖Δ

  6. 1. Burp Collaborator client

  7. Burp Collaborator client • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •

    DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

  8. ࢖͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ

  9. ࢖͍ํ 2. Copy to clipboardΛΫϦοΫ

  10. ࢖͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ઀ଓςετ

  11. ࢖͍ํ • ϦΫΤετΛ֬ೝ͢Δ

  12. SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ

  13. SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

  14. http://127.0.0.1:22 SSRF Payload

  15. SSRFͷςετྫ Ϩεϙϯε

  16. http://127.0.0.1:4444 SSRF Payload

  17. SSRFͷςετྫ Ϩεϙϯε

  18. ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

  19. None

  20. 2. Find Script

  21. Find Script • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

  22. ࢖͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s

  23. ࢖͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

  24. ࢖͍ํ • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

  25. APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ

  26. JSParser

  27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ

  28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only

    ʹνΣοΫ͠ js ͱೖྗ

  29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 3. ΞΠςϜΛશબ୒͢Δ

  30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 4. Copy URLsΛΫϦοΫ

  31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ෇͚ 2. JSParseΛΫϦοΫ

  32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬཰Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ

  33. 3. Analyze target

  34. Analyze target • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

  35. ࢖͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ

  36. ࢖͍ํ ղੳ݁ՌΛ֬ೝ͢Δ

  37. Happy Hunting!