Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...

Avatar for no1zy no1zy
March 11, 2019
5
1.7k

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Burp Suite Japan LT Carnivalでの発表資料

Avatar for no1zy

no1zy

March 11, 2019
Tweet

More Decks by no1zy

See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
Avatar for no1zy no1zy
14
4.8k

Featured

See All Featured
BBQ
Avatar for Matthew Crist matthewcrist
89
9.8k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
352
21k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
9.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
6k
Side Projects
Avatar for Sacha Greif sachag
455
43k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
358
30k
It's Worth the Effort
Avatar for 3n 3n
187
28k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.1k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k
Visualization
Avatar for Eitan Lees eitanlees
148
16k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.5k

Transcript

  1. Burp SuiteͷศརͳػೳͰ όάό΢ϯςΟ No1zy

  2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • ৽ถόάϋϯλʔ • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ

    612ສԁ

  3. όάϋϯλʔ͸Burp Suite͕େ޷͖ The 2019 Hacker Report

  4. Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

  5. ঺հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze

    target શͯPro൛ͷΈͰར༻Ͱ͖Δ

  6. 1. Burp Collaborator client

  7. Burp Collaborator client • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •

    DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

  8. ࢖͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ

  9. ࢖͍ํ 2. Copy to clipboardΛΫϦοΫ

  10. ࢖͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ઀ଓςετ

  11. ࢖͍ํ • ϦΫΤετΛ֬ೝ͢Δ

  12. SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ

  13. SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

  14. http://127.0.0.1:22 SSRF Payload

  15. SSRFͷςετྫ Ϩεϙϯε

  16. http://127.0.0.1:4444 SSRF Payload

  17. SSRFͷςετྫ Ϩεϙϯε

  18. ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

  19. None

  20. 2. Find Script

  21. Find Script • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

  22. ࢖͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s

  23. ࢖͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

  24. ࢖͍ํ • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

  25. APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ

  26. JSParser

  27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ

  28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only

    ʹνΣοΫ͠ js ͱೖྗ

  29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 3. ΞΠςϜΛશબ୒͢Δ

  30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 4. Copy URLsΛΫϦοΫ

  31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ෇͚ 2. JSParseΛΫϦοΫ

  32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬཰Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ

  33. 3. Analyze target

  34. Analyze target • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

  35. ࢖͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ

  36. ࢖͍ํ ղੳ݁ՌΛ֬ೝ͢Δ

  37. Happy Hunting!