Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...
Search
no1zy
March 11, 2019
5
1.7k
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
Burp Suite Japan LT Carnivalでの発表資料
no1zy
March 11, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
no1zy
14
4.8k
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
53
9k
Facilitating Awesome Meetings
lara
56
6.6k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
A Tale of Four Properties
chriscoyier
160
23k
Thoughts on Productivity
jonyablonski
70
4.9k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
620
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
GitHub's CSS Performance
jonrohan
1032
470k
Transcript
Burp SuiteͷศརͳػೳͰ όάόϯςΟ No1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • ৽ถόάϋϯλʔ • ڈͷ֫ಘใۚ૯ֹ
612ສԁ
όάϋϯλʔBurp Suite͕େ͖ The 2019 Hacker Report
Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ
հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze
target શͯPro൛ͷΈͰར༻Ͱ͖Δ
1. Burp Collaborator client
Burp Collaborator client • ֎෦ͷͪड͚αʔόʔͱͯ͠ͷׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •
DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ
͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ
͍ํ 2. Copy to clipboardΛΫϦοΫ
͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ଓςετ
͍ํ • ϦΫΤετΛ֬ೝ͢Δ
SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ
SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢ΔػೳɺSSRF͕Մೳͳ߹͕͋Δ
http://127.0.0.1:22 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
http://127.0.0.1:4444 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ
None
2. Find Script
Find Script • JavaScriptϑΝΠϧΛऩू͢ΔతͰ༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹཱͯΔ͜ͱ͕Ͱ͖Δ
͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s
͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ
͍ํ • Export scriptsͰϑΝΠϧʹநग़Ͱ͖Δ
APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ
JSParser
1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only
ʹνΣοΫ͠ js ͱೖྗ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 3. ΞΠςϜΛશબ͢Δ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 4. Copy URLsΛΫϦοΫ
2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ͚ 2. JSParseΛΫϦοΫ
৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ
3. Analyze target
Analyze target • Ͳͷύϥϝʔλ͕Կճ༻͞Ε͍ͯΔ͔Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ߹͕͋Δ
͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ
͍ํ ղੳ݁ՌΛ֬ೝ͢Δ
Happy Hunting!