Bug Bounty Hunting with Burp Suite's Useful Features / Burp Suite's useful function

no1zy
March 11, 2019

Slides presented at the Burp Suite Japan LT Carnival

Transcript

  1. Bug Bounty Hunting with Burp Suite's Useful Features
     No1zy

  2. About me
     • twitter: @no1zy_sec
     • Student at an IT vocational school
     • Novice bug hunter
     • Total bounties earned last year: 6.12 million yen

  3. Bug hunters love Burp Suite
     The 2019 Hacker Report

  4. What makes it useful?
     • It has a rich set of the features needed for web penetration testing
     • The features available in the Pro edition are powerful

  5. Useful features covered in this talk
     1. Burp Collaborator client
     2. Find Script
     3. Analyze target
     All three are available only in the Pro edition

  6. 1. Burp Collaborator client

  7. Burp Collaborator client
     • Acts as an external server that listens for interactions coming from the target
     • Effective for discovering attacks that trigger out-of-band communication
     • Supports DNS, HTTP/HTTPS and SMTP/SMTPS

  8. How to use
     1. Click Burp > Burp Collaborator client

  9. How to use
     2. Click Copy to clipboard

  10. How to use
     $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net
     Connectivity test

  11. How to use
     • Confirm that the request shows up in the Collaborator client's interaction list

  12. SSRF test example
     GitLab's repository import feature

  13. SSRF test example
     A feature that makes the server issue a request to fetch content may be vulnerable to SSRF

  14. http://127.0.0.1:22
     SSRF payload

  15. SSRF test example
     Response (screenshot)

  16. http://127.0.0.1:4444
     SSRF payload

  17. SSRF test example
     Response (screenshot)

  18. The difference between the error messages makes a port scan possible
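As an added example that is not from the slides (and is neither GitLab's nor PortSwigger's code), the following script is a loopback stand-in for what the Collaborator client gives you, together with the two checks walked through above: a callback test carrying a unique token, and the port scan built from error-message differences. `import_from_url` is a hypothetical vulnerable fetcher standing in for the import feature; the listener, the port numbers and the messages are all constructed here. A real Collaborator server also records DNS-only and SMTP interactions, which this stand-in cannot.

```python
# Added example (not from the slides, not GitLab's or PortSwigger's code).
# A loopback stand-in for Burp Collaborator plus the two checks the deck shows:
# 1) does a feature make an out-of-band request to a URL we hand it?
# 2) can differing error messages be turned into a port scan of 127.0.0.1?
import secrets
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Proxy-free opener so the requests really go to the loopback target,
# even when HTTP_PROXY is set in the environment.
NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class CallbackHandler(BaseHTTPRequestHandler):
    """Records each request path, like the Collaborator client's interaction list."""
    hits = []

    def do_GET(self):
        type(self).hits.append(self.path)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *_):
        pass  # keep the listener quiet


def start_listener():
    """Start the callback listener on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """Bind and release a loopback port so we know it is closed right now."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def import_from_url(url, timeout=2.0):
    """Hypothetical 'import repository from URL' feature with no SSRF filtering.
    Returns the message a user would see; note that it leaks *why* the fetch failed."""
    try:
        with NO_PROXY.open(url, timeout=timeout) as resp:
            return f"import started (HTTP {resp.status})"
    except urllib.error.HTTPError as e:
        return f"import failed: HTTP {e.code}"
    except urllib.error.URLError as e:
        # str(e.reason) is OS-specific; the exception type is stable across platforms
        return f"import failed: {type(e.reason).__name__}"
    except Exception as e:  # e.g. TimeoutError, http.client.BadStatusLine
        return f"import failed: {type(e).__name__}"


def oob_check(feature, listener_port):
    """Collaborator-style test: give the feature a URL carrying a unique token and
    see whether the listener receives it. True means the server fetched our URL."""
    token = secrets.token_hex(8)
    CallbackHandler.hits.clear()
    feature(f"http://127.0.0.1:{listener_port}/{token}")
    return any(token in path for path in CallbackHandler.hits)


def port_scan_via_errors(feature, host, ports, baseline_port):
    """Slides 14-18: compare each port's message with the one for a port known to
    be closed; a port that answers differently is reachable from the server."""
    baseline = feature(f"http://{host}:{baseline_port}/")
    results = {}
    for port in ports:
        msg = feature(f"http://{host}:{port}/")
        results[port] = ("open" if msg != baseline else "closed", msg)
    return results


if __name__ == "__main__":
    server, listener = start_listener()
    print("out-of-band callback received:", oob_check(import_from_url, listener))
    probe = closed_port()
    scan = port_scan_via_errors(import_from_url, "127.0.0.1", [listener, probe], closed_port())
    for port, (state, msg) in scan.items():
        print(f"127.0.0.1:{port} -> {state:6} ({msg})")
    server.shutdown()
```

The token plays the role of the unique Collaborator subdomain: it is what lets you tie an interaction back to the exact request that caused it. Against a real target, compare whole responses and response times rather than just one string, because a filtered port usually differs from a closed one by a timeout, not by a message.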

  20. 2. Find Script

  21. Find Script
     • Used to collect the target's JavaScript files
     • Helps with discovering API endpoints, sensitive information such as API keys, and code that could turn into a vulnerability

  22. How to use
     1. Click Engagement tools > Find scripts

  23. How to use
     • The JavaScript files are listed

  24. How to use
     • Export scripts can also write them out to files

  25. Identifying API endpoints
     1. Collect the URLs where JavaScript code lives
     2. Identify the API endpoints with a tool such as JSParser

  26. JSParser

  27. 1. Collect the URLs where JavaScript code lives
     1. List the URLs with Find Script
     2. Click Copy selected URLs

  28. The History filter can be used instead
     1. Open Proxy > History > filter settings
     2. Tick Show only and enter js

  29. The History filter can be used instead
     3. Select all items

  30. The History filter can be used instead
     4. Click Copy URLs

  31. 2. Identify the API endpoints
     1. Paste the copied URLs
     2. Click JSParse

  32. 2. Identify the API endpoints
     Identifying new resources raises the odds of finding a vulnerability
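As an added example that is not from the slides and not JSParser's own code, the script below spells out the kind of extraction JSParser and LinkFinder-style tools perform on the URLs you copy out of Find Script or the js-filtered proxy history: quoted strings that look like paths or URLs are resolved against the script's own URL, and a couple of credential patterns are checked. The script source, the `app.example.com` URLs and the pattern names are constructed for the example; the AKIA... value is AWS's documented example access key, not a real credential.

```python
# Added example (not from the slides, not JSParser's code): the extraction
# JSParser/LinkFinder perform, written out so the heuristic is visible.
import re
from urllib.parse import urljoin

# Constructed sample of a bundled front-end script. The AKIA... value is AWS's
# documented example key, not a real credential.
SAMPLE_JS = r"""
const API = "https://api.example.com";
fetch(API + "/v1/users/me", {headers: {"X-Api-Key": "AKIAIOSFODNN7EXAMPLE"}});
axios.get('/api/v2/orders?status=open');
$.ajax({url: "/internal/admin/export.php", method: "POST"});
const cdn = "//cdn.example.com/assets/app.js";
const cfg = '../config/settings.json';
"""

# A quoted string that is an absolute or protocol-relative URL, or a path
# starting with /, ./ or ../ : the heuristic LinkFinder-style tools rely on.
ENDPOINT_RE = re.compile(r"""["']((?:https?:)?//[^"'\s]+|\.{0,2}/[\w./?=&%-]+)["']""")

# Hypothetical, deliberately small set of credential patterns.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)api[_-]?key["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
}


def find_endpoints(js_source, script_url):
    """Absolute URLs referenced by the script, resolved against the script's own URL."""
    found = {urljoin(script_url, m.group(1)) for m in ENDPOINT_RE.finditer(js_source)}
    return sorted(found)


def find_secrets(js_source):
    """(pattern name, value) pairs for anything that looks like a hard-coded credential."""
    hits = set()
    for name, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(js_source):
            hits.add((name, m.group(m.lastindex or 0)))
    return sorted(hits)


def triage(js_by_url):
    """Run both extractors over {script_url: source} and merge the results, as you
    would over the list copied from Find Script or the js-filtered proxy history."""
    endpoints, secrets = set(), set()
    for url, src in js_by_url.items():
        endpoints.update(find_endpoints(src, url))
        secrets.update(find_secrets(src))
    return sorted(endpoints), sorted(secrets)


if __name__ == "__main__":
    eps, secs = triage({"https://app.example.com/static/app.js": SAMPLE_JS})
    print("\n".join(eps))
    for name, value in secs:
        print(f"possible {name}: {value}")
```

Resolving against the script URL matters: a relative `../config/settings.json` inside `/static/app.js` points at `/config/settings.json`, and a protocol-relative `//cdn.example.com/...` is a different host that may or may not be in scope. Treat every hit as a lead to verify by hand, not as a finding.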

  33. 3. Analyze target

  34. Analyze target
     • Lets you see which parameters are used, and how many times
     • Can be effective when spreading a found vulnerability to other endpoints, or when hunting for vulnerabilities parameter by parameter

  35. How to use
     1. Click Engagement tools > Analyze target

  36. How to use
     Review the analysis results
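As an added example that is not from the slides and not Burp's own code, here is the tally Analyze target produces, redone over a constructed proxy history so that the pivoting idea from the slide is explicit: parameters accepted by several paths are the first thing to retest once one of them turns out to be vulnerable. The history entries, hostnames and parameter names are made up for the example.

```python
# Added example (not from the slides, not Burp's own code): what Analyze target
# tallies, redone over a constructed proxy history so the pivoting idea is explicit.
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed history entries: (method, url, body). Not captured from a real target.
HISTORY = [
    ("GET",  "https://app.example.com/search?q=burp&page=1", ""),
    ("GET",  "https://app.example.com/search?q=ssrf&page=2&sort=date", ""),
    ("POST", "https://app.example.com/profile", "user_id=42&redirect=/home"),
    ("GET",  "https://app.example.com/export?user_id=42&format=csv", ""),
    ("POST", "https://app.example.com/login", "username=a&password=b&redirect=/"),
    ("GET",  "https://cdn.example.com/app.js", ""),
]


def request_params(method, url, body):
    """Parameter names in the query string and, for POST, in the form body."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if method == "POST" and body:
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return names


def analyze_target(history, scope_host=None):
    """Return (usage count per parameter, parameter -> sorted list of paths).
    scope_host restricts the tally to one host, like selecting one site-map branch."""
    counts, where = Counter(), defaultdict(set)
    for method, url, body in history:
        parts = urlsplit(url)
        if scope_host and parts.hostname != scope_host:
            continue
        for name in request_params(method, url, body):
            counts[name] += 1
            where[name].add(parts.path)
    return counts, {k: sorted(v) for k, v in where.items()}


def pivot_candidates(where):
    """Parameters accepted by more than one path: once one is found vulnerable on a
    path, the same name on the other paths is the first place to retest."""
    return {name: paths for name, paths in where.items() if len(paths) > 1}


if __name__ == "__main__":
    counts, where = analyze_target(HISTORY, scope_host="app.example.com")
    for name, n in counts.most_common():
        print(f"{name:10} {n:2}  {', '.join(where[name])}")
    print("pivot candidates:", pivot_candidates(where))
```

In this sample `redirect` is accepted by both `/login` and `/profile`, so an open redirect found on one is worth checking on the other; `user_id` on `/export` and `/profile` is the same story for IDOR. Cookies and JSON bodies are not parsed here, so extend `request_params` before relying on it for an API-heavy target.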

  37. Happy Hunting!