Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Transcript

1. Burp SuiteͷศརͳػೳͰ όάό΢ϯςΟ No1zy

2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • ৽ถόάϋϯλʔ • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ

   612ສԁ

3. όάϋϯλʔ͸Burp Suite͕େ޷͖ The 2019 Hacker Report

4. Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

5. ঺հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze

   target શͯPro൛ͷΈͰར༻Ͱ͖Δ

6. 1. Burp Collaborator client

7. Burp Collaborator client • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •

   DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

8. ࢖͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ

9. ࢖͍ํ 2. Copy to clipboardΛΫϦοΫ

10. ࢖͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ઀ଓςετ

11. ࢖͍ํ • ϦΫΤετΛ֬ೝ͢Δ

12. SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ

13. SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

14. http://127.0.0.1:22 SSRF Payload

15. SSRFͷςετྫ Ϩεϙϯε

16. http://127.0.0.1:4444 SSRF Payload

17. SSRFͷςετྫ Ϩεϙϯε

18. ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

19. None

20. 2. Find Script

21. Find Script • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

22. ࢖͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s

23. ࢖͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

24. ࢖͍ํ • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

25. APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ

26. JSParser

27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ

28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only

    ʹνΣοΫ͠ js ͱೖྗ

29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 3. ΞΠςϜΛશબ୒͢Δ

30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 4. Copy URLsΛΫϦοΫ

31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ෇͚ 2. JSParseΛΫϦοΫ

32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬཰Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ

33. 3. Analyze target

34. Analyze target • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

35. ࢖͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ

36. ࢖͍ํ ղੳ݁ՌΛ֬ೝ͢Δ

37. Happy Hunting!