Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...
Search
no1zy
March 11, 2019
5
1.7k
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
Burp Suite Japan LT Carnivalでの発表資料
no1zy
March 11, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
no1zy
14
4.7k
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
Designing for Performance
lara
609
69k
We Have a Design System, Now What?
morganepeng
53
7.7k
Music & Morning Musume
bryan
46
6.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
How to Think Like a Performance Engineer
csswizardry
24
1.7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
BBQ
matthewcrist
89
9.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Six Lessons from altMBA
skipperchong
28
3.8k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
Transcript
Burp SuiteͷศརͳػೳͰ όάόϯςΟ No1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • ৽ถόάϋϯλʔ • ڈͷ֫ಘใۚ૯ֹ
612ສԁ
όάϋϯλʔBurp Suite͕େ͖ The 2019 Hacker Report
Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ
հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze
target શͯPro൛ͷΈͰར༻Ͱ͖Δ
1. Burp Collaborator client
Burp Collaborator client • ֎෦ͷͪड͚αʔόʔͱͯ͠ͷׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •
DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ
͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ
͍ํ 2. Copy to clipboardΛΫϦοΫ
͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ଓςετ
͍ํ • ϦΫΤετΛ֬ೝ͢Δ
SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ
SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢ΔػೳɺSSRF͕Մೳͳ߹͕͋Δ
http://127.0.0.1:22 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
http://127.0.0.1:4444 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ
None
2. Find Script
Find Script • JavaScriptϑΝΠϧΛऩू͢ΔతͰ༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹཱͯΔ͜ͱ͕Ͱ͖Δ
͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s
͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ
͍ํ • Export scriptsͰϑΝΠϧʹநग़Ͱ͖Δ
APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ
JSParser
1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only
ʹνΣοΫ͠ js ͱೖྗ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 3. ΞΠςϜΛશબ͢Δ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 4. Copy URLsΛΫϦοΫ
2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ͚ 2. JSParseΛΫϦοΫ
৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ
3. Analyze target
Analyze target • Ͳͷύϥϝʔλ͕Կճ༻͞Ε͍ͯΔ͔Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ߹͕͋Δ
͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ
͍ํ ղੳ݁ՌΛ֬ೝ͢Δ
Happy Hunting!