Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

no1zy
March 11, 2019
5
1.5k

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Burp Suite Japan LT Carnivalでの発表資料

no1zy

March 11, 2019
Tweet

More Decks by no1zy

See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
no1zy
14
4.4k

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
23
1.8k
Large-scale JavaScript Application Architecture
addyosmani
500
110k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
What's new in Ruby 2.0
geeforr
336
30k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
A better future with KSS
kneath
230
16k
Debugging Ruby Performance
tmm1
68
11k
Building Adaptive Systems
keathley
29
1.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Typedesign – Prime Four
hannesfritz
34
1.6k

Transcript

  1. Burp SuiteͷศརͳػೳͰ
    όάό΢ϯςΟ
    No1zy

    View Slide

  2. ࣗݾ঺հ
    • twitter: @no1zy_sec
    • ৘ใܥઐ໳ֶੜ
    • ৽ถόάϋϯλʔ
    • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ 612ສԁ

    View Slide

  3. όάϋϯλʔ͸Burp Suite͕େ޷͖
    The 2019 Hacker Report

    View Slide

  4. Կ͕ศརʁ
    • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ
    • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

    View Slide

  5. ঺հ͢Δศརػೳ
    1. Burp Collaborator client
    2. Find Script
    3. Analyze target
    શͯPro൛ͷΈͰར༻Ͱ͖Δ

    View Slide

  6. 1. Burp Collaborator client

    View Slide

  7. Burp Collaborator client
    • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ
    ػೳ
    • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢
    Δͱ͖ʹ༗ޮ
    • DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

    View Slide

  8. ࢖͍ํ
    1. Burp > Burp Collaborator clientΛΫϦοΫ

    View Slide

  9. ࢖͍ํ
    2. Copy to clipboardΛΫϦοΫ

    View Slide

  10. ࢖͍ํ
    $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net
    ઀ଓςετ

    View Slide

  11. ࢖͍ํ
    • ϦΫΤετΛ֬ೝ͢Δ

    View Slide

  12. SSRFͷςετྫ
    GitLabͷϦϙδτϦΠϯϙʔτػೳ

    View Slide

  13. SSRFͷςετྫ
    ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕
    ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

    View Slide

  14. http://127.0.0.1:22
    SSRF Payload

    View Slide

  15. SSRFͷςετྫ
    Ϩεϙϯε

    View Slide

  16. http://127.0.0.1:4444
    SSRF Payload

    View Slide

  17. SSRFͷςετྫ
    Ϩεϙϯε

    View Slide

  18. ΤϥʔϝοηʔδͷࠩҟΛ
    ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

    View Slide

  19. View Slide

  20. 2. Find Script

    View Slide

  21. Find Script
    • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ
    • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ
    ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ
    ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

    View Slide

  22. ࢖͍ํ
    1. Engagement tools > Find scriptsΛΫϦοΫ
    ͏s

    View Slide

  23. ࢖͍ํ
    • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

    View Slide

  24. ࢖͍ํ
    • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

    View Slide

  25. APIΤϯυϙΠϯτͷಛఆ
    1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू
    2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ
    ΠϯτΛಛఆ͢Δ

    View Slide

  26. JSParser

    View Slide

  27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू
    1. Find ScriptͰURLΛϦετ͢Δ
    2. Copy selected URLsΛΫϦοΫ

    View Slide

  28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ
    1. Proxy > History > ϑΟϧλʔઃఆΛ։͘
    2. Show only ʹνΣοΫ͠ js ͱೖྗ

    View Slide

  29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ
    3. ΞΠςϜΛશબ୒͢Δ

    View Slide

  30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ
    4. Copy URLsΛΫϦοΫ

    View Slide

  31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ
    1. ίϐʔͨ͠URLΛషΓ෇͚
    2. JSParseΛΫϦοΫ

    View Slide

  32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ
    Ͱ͖Δ֬཰Λ্͛Δ
    2. APIΤϯυϙΠϯτΛಛఆ͢Δ

    View Slide

  33. 3. Analyze target

    View Slide

  34. Analyze target
    • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ
    Ͱ͖Δ
    • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ
    Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

    View Slide

  35. ࢖͍ํ
    1. Engagement tools > Analyze target ΛΫϦοΫ

    View Slide

  36. ࢖͍ํ
    ղੳ݁ՌΛ֬ೝ͢Δ

    View Slide

  37. Happy Hunting!

    View Slide