A cheat sheet for PortSwigger's Burp Suite web application security testing platform.

GLOBAL HOTKEYS:

Send to Repeater                            Ctrl+R
Send to Intruder                            Ctrl+I
Forward intercepted Proxy message           Ctrl+F
Toggle Proxy interception                   Ctrl+T
Switch to Target                            Ctrl+Shift+T
Switch to Proxy                             Ctrl+Shift+P
Switch to Scanner                           Ctrl+Shift+S
Switch to Intruder                          Ctrl+Shift+I
Switch to Repeater                          Ctrl+Shift+R
Switch to Suite options                     Ctrl+Shift+O
Switch to Alerts tab                        Ctrl+Shift+A
Go to previous tab                          Ctrl+Minus
Go to next tab                              Ctrl+Equals

EDITOR HOTKEYS:

Cut                                         Ctrl+X
Copy                                        Ctrl+C
Paste                                       Ctrl+V
Undo                                        Ctrl+Z
Redo                                        Ctrl+Y
Select all                                  Ctrl+A
Search                                      Ctrl+S
Go to previous search match                 Ctrl+Comma
Go to next search match                     Ctrl+Period
URL-decode                                  Ctrl+Shift+U
URL-encode key characters                   Ctrl+U
HTML-decode                                 Ctrl+Shift+H
HTML-encode key characters                  Ctrl+H
Base64-decode                               Ctrl+Shift+B
Base64-encode                               Ctrl+B
Backspace word                              Ctrl+Backspace
Delete word                                 Ctrl+Delete
Delete line                                 Ctrl+D
Go to previous word                         Ctrl+Left
Go to previous word (extend selection)      Ctrl+Shift+Left
Go to next word                             Ctrl+Right
Go to next word (extend selection)          Ctrl+Shift+Right
Go to previous paragraph                    Ctrl+Up
Go to previous paragraph (extend selection) Ctrl+Shift+Up
Go to next paragraph                        Ctrl+Down
Go to next paragraph (extend selection)     Ctrl+Shift+Down
Go to start of document                     Ctrl+Home
Go to start of document (extend selection)  Ctrl+Shift+Home
Go to end of document                       Ctrl+End
Go to end of document (extend selection)    Ctrl+Shift+End

BASIC PASSIVE AND ACTIVE CHECKS:

Burp Suite Spider with intelligent form submission
Manual crawl of the site through the Burp proxy, submitting INJECTX canary payloads so that reflections can be tracked later
Burp Suite passive scan
Burp engagement tools > Search > <form|<input|url=|path=|load=|INJECTX|Found|<!--|Exception|Query|ORA|SQL|error|Location|crowdshield|xerosecurity|username|password|document\.|location\.|eval\(|exec\(|\?wsdl|\.wsdl
Burp engagement tools > Find comments
Burp engagement tools > Find scripts
Burp engagement tools > Find references
Burp engagement tools > Analyze target
Burp engagement tools > Discover content
Burp Intruder > file/directory brute force
Burp Intruder > HTTP methods, user agents, etc.
Enumerate all software technologies, HTTP methods, and potential attack vectors
Understand what the site does, what types of data are stored or valuable, and which functions are worth attacking
ENUMERATION:
OPERATING SYSTEM
WEB SERVER
DATABASE SERVERS
PROGRAMMING LANGUAGES
PLUGINS/VERSIONS
OPEN PORTS
USERNAMES
SERVICES
WEB SPIDERING
GOOGLE HACKING
VECTORS:
INPUT FORMS
GET/POST PARAMS
URI/REST STRUCTURE
COOKIES
HEADERS
SEARCH STRINGS:
Some helpful regex terms to search for passively with Burp Suite or any other web proxy: fname|phone|id|org_name|name|email
QUICK ATTACK STRINGS:
Not a complete list by any means, but when you're manually testing and walking through sites and need a quick copy/paste, this can come in handy...
Company
First Last
username
username@mailinator.com
Password123$
+
google.com
https://google.com
//google.com
.google.com
https://google.com/.injectx/rfi_vuln.txt
https://google.com/.injectx/rfi_vuln.txt?`whoami`
https://google.com/.injectx/rfi_vuln.txt%00.png
https://google.com/.injectx/rfi_vuln.txt%00.html // INJECTX
'>"></INJECTX>(1)
javascript:alert()//
"><img/onload=alert(1)>' --
"></textarea><img/onload=alert(1)>' --
INJECTX'>"><img/src="https://google.com/.injectx/xss_vuln.png"></img>
'>"><iframe/onload=alert(1)></iframe>
INJECTX'>"><ScRiPt>confirm(1)</ScRiPt>
"></textarea><img/onload=alert(1)>' -- // INJECTX <!--
"><img/onload=alert(1)>' -- // INJECTX <!--
INJECTX'"><h1>X<!--
INJECTX"><h1>X
en%0AContent-Length%3A%%0A%0AHTTP%2F1.%%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
%0AContent-Length%3A%%0A%0AHTTP%2F1.%%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
../../../../../../../../../../../etc/passwd%
{{+}}
sleep ; sleep || sleep | sleep & sleep && sleep
admin" or ""=""--
admin' or ''=''--
INJECTX%0a%0d%
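The INJECTX canary in the crawl step and the `'">` breakout strings above only pay off if you can tell, for every reflection the proxy history shows, what HTML context it landed in and whether the breakout characters came back raw or entity-encoded. The following is an added example (not code from the cheat sheet or from Burp) that does that triage over constructed response bodies; the canary name, the probe order `'"><`, and the set of recognised encodings are assumptions of this example, and the "breakout possible" verdict is a heuristic a tester still has to confirm in a browser.

```python
"""Reflection-context triage for INJECTX-style canaries (added example, not
from the original page). Given a response body and the canary that was sent
followed by the probe characters '"><, report where each reflection landed
(text, attribute, script, comment) and which probe characters survived raw,
which decides whether a breakout payload from the list above can work."""
import re

CANARY = "INJECTX"
PROBE = "'\"><"                 # breakout characters appended to the canary (assumed order)
ENCODINGS = {                   # common ways a server neutralises each probe character
    "'": ("&#39;", "&#x27;", "&apos;", "%27", "\\'"),
    '"': ("&quot;", "&#34;", "&#x22;", "%22", '\\"'),
    ">": ("&gt;", "&#62;", "&#x3e;", "%3E"),
    "<": ("&lt;", "&#60;", "&#x3c;", "%3C"),
}

# Constructed responses, one reflection each, as they might come back from a target.
SAMPLES = {
    "text":     "<p>Results for INJECTX'\"><</p>",
    "attr_enc": '<input name="q" value="INJECTX&#39;&quot;&gt;&lt;">',
    "attr_raw": "<a title='INJECTX'\"&gt;&lt;'>x</a>",
    "script":   r'<script>var q = "INJECTX\'\"><";</script>',
    "comment":  "<!-- last query: INJECTX'\"><  -->",
}


def probe_survival(body, pos):
    """Walk the probe characters following a canary: each is raw, encoded or missing."""
    status = {}
    for ch in PROBE:
        if body.startswith(ch, pos):
            status[ch], pos = "raw", pos + 1
            continue
        for enc in ENCODINGS[ch]:
            if body.lower().startswith(enc.lower(), pos):
                status[ch], pos = "encoded", pos + len(enc)
                break
        else:
            status[ch] = "missing"      # stripped: keep scanning at the same offset
    return status


def open_quote(tag_prefix):
    """Quote character currently open inside a tag, or '' for none/unquoted."""
    q = ""
    for ch in tag_prefix:
        if q:
            q = "" if ch == q else q
        elif ch in "\"'":
            q = ch
    return q


def context_of(before):
    """HTML context at the end of `before` (everything preceding the canary)."""
    low = before.lower()
    if before.rfind("<!--") > before.rfind("-->"):
        return "comment"
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def can_break_out(ctx, quote, survived):
    """Heuristic: do the raw survivors let us leave the current context?"""
    raw = {c for c, s in survived.items() if s == "raw"}
    if ctx == "attribute":
        return quote in raw if quote else ">" in raw          # close the value / the tag
    if ctx == "script":
        return bool(raw & {"'", '"'}) or {"<", ">"} <= raw   # end the string or </script>
    return {"<", ">"} <= raw          # text or comment: start a new tag (comments also need -->)


def classify(body, canary=CANARY):
    """One finding per reflection of the canary in `body`."""
    findings = []
    for m in re.finditer(re.escape(canary), body):
        before = body[:m.start()]
        ctx = context_of(before)
        quote = open_quote(before[before.rfind("<"):]) if ctx == "attribute" else ""
        survived = probe_survival(body, m.end())
        findings.append({"offset": m.start(), "context": ctx, "quote": quote,
                         "probe": survived, "breakout": can_break_out(ctx, quote, survived)})
    return findings


def triage(samples=SAMPLES):
    """name -> (context, breakout possible) for each constructed response."""
    return {name: (f["context"], f["breakout"])
            for name, body in samples.items() for f in classify(body)}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:10} {verdict}")
```

In practice you feed `classify()` every response in the proxy history that matches the `INJECTX` search from the engagement-tools step; an attribute reflection whose own quote character is encoded but whose `>` survives is the case this script deliberately scores as no breakout, because closing the tag from inside a quoted value does not leave the value.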
OWASP TESTING CHECKLIST:
Test - weakness looked for, grouped by OWASP Testing Guide v3 category.

Information Gathering (IG):
Spiders, Robots and Crawlers
Search Engine Discovery/Reconnaissance
Identify application entry points
Testing for Web Application Fingerprint
Application Discovery
Analysis of Error Codes

Configuration Management (CM):
SSL/TLS Testing (SSL version, algorithms, key length, digital certificate validity) - SSL weakness
DB Listener Testing - DB listener weakness
Infrastructure Configuration Management Testing - Infrastructure configuration management weakness
Application Configuration Management Testing - Application configuration management weakness
Testing for File Extensions Handling - File extensions handling
Old, backup and unreferenced files - Old, backup and unreferenced files
Infrastructure and Application Admin Interfaces - Access to admin interfaces
Testing for HTTP Methods and XST - HTTP methods enabled, XST permitted, HTTP verb tampering

Authentication (AT):
Credentials transport over an encrypted channel - Credentials not transported over an encrypted channel
Testing for user enumeration - User enumeration
Testing for Guessable (Dictionary) User Account - Guessable user account
Brute Force Testing - Credentials brute forcing
Testing for bypassing authentication schema - Bypassing authentication schema
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak password reset
Testing for Logout and Browser Cache Management - Logout function not properly implemented, browser cache weakness
Testing for CAPTCHA - Weak CAPTCHA implementation
Testing Multiple Factors Authentication - Weak multi-factor authentication
Testing for Race Conditions - Race conditions vulnerability

Session Management (SM):
Testing for Session Management Schema - Bypassing session management schema, weak session token
Testing for Cookies attributes - Cookies set without 'HttpOnly' or 'Secure', and with no time validity
Testing for Session Fixation - Session fixation
Testing for Exposed Session Variables - Exposed sensitive session variables
Testing for CSRF - CSRF

Authorization (AZ):
Testing for Path Traversal - Path traversal
Testing for bypassing authorization schema - Bypassing authorization schema
Testing for Privilege Escalation - Privilege escalation

Business Logic (BL):
Testing for Business Logic - Bypassable business logic

Data Validation (DV):
Testing for Reflected Cross Site Scripting - Reflected XSS
Testing for Stored Cross Site Scripting - Stored XSS
Testing for DOM based Cross Site Scripting - DOM XSS
Testing for Cross Site Flashing - Cross site flashing
SQL Injection
LDAP Injection
ORM Injection
XML Injection
SSI Injection
XPath Injection
IMAP/SMTP Injection
Code Injection
OS Commanding
Buffer overflow
Incubated vulnerability
Testing for HTTP Splitting/Smuggling - HTTP splitting, smuggling

Denial of Service (DS):
Testing for SQL Wildcard Attacks - SQL wildcard vulnerability
Locking Customer Accounts
Testing for DoS Buffer Overflows - Buffer overflows
User Specified Object Allocation
User Input as a Loop Counter
Writing User Provided Data to Disk
Failure to Release Resources
Storing too Much Data in Session

Web Services (WS):
WS Information Gathering
Testing WSDL - WSDL weakness
XML Structural Testing - Weak XML structure
XML content-level Testing - XML content-level weakness
HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST
Naughty SOAP attachments - WS naughty SOAP attachments
Replay Testing - WS replay

AJAX (AJ):
AJAX Vulnerabilities
AJAX Testing - AJAX weakness
LOW SEVERITY:
Low-severity findings that are likely out of scope for most bug bounty programs but still worth recording in a normal web penetration test. Several programs' exclusion lists are merged below, so items are grouped by theme rather than by source.

Information disclosure:
Descriptive error messages (e.g. stack traces, application or server errors)
HTTP error pages or other non-success status code pages
Fingerprinting / banner disclosure on common/public services
Disclosure of known public files or directories (e.g. robots.txt)
Vulnerability reports based only on the reported version numbers of web servers, services, or frameworks
Known vulnerable libraries
Security best practices without accompanying proof-of-concept exploitation
Incorrect charset

Clickjacking and CSRF:
Clickjacking and issues only exploitable through clickjacking
CSRF on forms available to anonymous users (e.g. the contact form) or on other non-sensitive functionality
Logout cross-site request forgery (logout CSRF)
HTML form abuse (denial of service)

Authentication and session management:
Username / email enumeration via login page, forgot password page, or registration error messages (including password reset account enumeration)
Login or forgot password page brute force where account lockout is not enforced
Weak passwords / lack of a password security policy (brute-forceable passwords)
Weak CAPTCHA / CAPTCHA bypass
Presence of application or web browser 'autocomplete' or 'save password' functionality; autocomplete enabled on password fields
Lack of Secure / HttpOnly flags on (non-sensitive) cookies; insecure cookies
Cookie valid after logout; cookie valid after password reset; cookie expiration
Forgot password autologin; autologin token reuse
Session ID or login sent over HTTP; plain HTTP enabled
Lack of a security speedbump when leaving the site
Same Site Scripting

HTTP methods and headers:
OPTIONS / TRACE HTTP methods enabled
Missing HTTP security headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:
Strict-Transport-Security not enabled for HTTPS, or a weak HSTS max-age
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options (content sniffing not disabled)
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Content-Security-Policy-Report-Only
HTTPS mixed content scripts

Cross-domain and third parties:
crossdomain.xml allows all domains
Cross-domain access policy scoped to *.netflix.com
api*.netflix.com listens on port
HTML5 allowed domains / cross-origin policy
Attacks on third-party ad services
Lack of SPF records (email spoofing)

SSL/TLS issues, e.g.:
SSL attacks such as BEAST, BREACH, renegotiation attack
Forward secrecy not enabled
Weak / insecure cipher suites
Vulnerabilities related to SSL/TLS configuration or version

Out of scope by nature:
Denial of service and resource exhaustion attacks; issues related to rate limiting
Physical testing
Issues only present in old browsers / old plugins / end-of-life software:
IE <
Chrome <
Firefox <
Safari <
Opera <
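The header and cookie items above are exactly what a passive scanner check evaluates on every response, and writing the check out makes the rules precise. The following is an added example (not code from the cheat sheet or from Burp) that runs those checks over a constructed response header block. The one-year HSTS threshold is an assumption of this example, X-XSS-Protection is deliberately not checked because current browsers no longer implement that filter, and the sample headers are made up.

```python
"""Passive response-header audit (added example, not from the page or Burp).
Runs the checks behind several of the low-severity items above over a captured
response header block. The one-year HSTS threshold and the sample headers are
constructed for the demo."""
import re

HSTS_MIN_AGE = 31536000          # assumption: one year is the usual minimum max-age

# Constructed response, as it would appear in a proxy history entry.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=86400
Set-Cookie: sid=3f9a1c; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
"""

REQUIRED = ("x-frame-options", "x-content-type-options", "content-security-policy")


def parse_headers(raw):
    """Status line plus [(lowercased name, value), ...]; duplicates are kept
    because Set-Cookie legitimately repeats."""
    lines = [l for l in raw.splitlines() if l.strip()]
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs


def audit_cookie(value):
    """Findings for one Set-Cookie value: missing Secure / HttpOnly / SameSite."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    return [f"cookie {name}: missing {flag}"
            for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def audit_headers(raw):
    """All findings for a raw response header block."""
    _, pairs = parse_headers(raw)
    first = {}
    for name, value in pairs:
        first.setdefault(name, value)         # first value wins for singleton headers
    findings = []
    hsts = first.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"weak HSTS max-age: {hsts}")
    findings += [f"missing {h}" for h in REQUIRED if h not in first]
    if "server" in first and re.search(r"\d", first["server"]):
        findings.append(f"server banner discloses version: {first['server']}")
    for name, value in pairs:
        if name == "set-cookie":
            findings += audit_cookie(value)
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```

Whether a given finding is worth a report line depends on the cookie: a missing HttpOnly on a session cookie matters, on a theme preference it does not, which is why the checker names the cookie rather than emitting one generic "insecure cookies" finding.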

PLUGINS:

jsEncrypter.0.3  # encryption of request data
HackBar.jar
LFI scanner checks.jar  # LFI detection
burp-vulners-scanner-1.2.jar  # comparison against a vulnerability database
burplogger++.jar  # extended logging module
chunked-coding-converter.0.2.1.jar  # WAF bypass
domain_hunter-v1.4.jar  # domain collection
knife-v1.4.jar  # character/encoding conversion
reCAPTCHA-v0.9.jar  # CAPTCHA brute forcing
sqlmap.jar  # sqlmap API
AES-Encrypter
Assassin  # subdomain brute force | lookup of other sites on the same host
AuthMatrix  # authorization bypass (privilege escalation) detection
Blazer  # AMF messages
BurpAMFDSer  # AMF
BurpAuthzPlugin  # AuthMatrix can be used instead
BurpCSJ
BurpDOMXSS
BurpHeartbleedExtension
BurpHistorytoMysql
BurpJDSer-ng
BurpJDSer
BurpMultiDEC
BurpNotesExtension
BurpPassiveXssScan
BurpPatchMe
BurpSentinel
BurpSessionAuth
BurpSmartBuster
BurpWebSphere
Burp_CustomScannerChecks
Burp_saml  # single sign-on
DOMXSSHilight
J2EEScan  # can be replaced by LFI scanner checks
JSON
JavaScriptInjector  # JS injection
MobileMiTM  # man-in-the-middle
POST2JSON
PT-Manager
Refeffer
SAMLRaider
W3af  # firewall type detection
WCF-Binary-SOAP-Plug-In  # WCF
Wsdler
Yara-Scanner  # malicious sample identification
aesburp AES Tool
autoEdit
burp-Curlit
burp-git-bridge
burp-massimpo
burp-msc
burp-protobuf-decoder
burp-radamsa
burp_Gwtscan
burp_JSBeautifier
burp_extension-googlehack
burp_extension_MultiScanner
burp_extension_nmap_parser
burp_extension_payloadparser
burp_wicket_handler
CSRFScanner  # CSRF detection
distribute-damage
faraday
jsEncrypter
scriptgen
sleepy-puppy
xssValidator
xssless
BurpCO2_v1_0_0RC1.jar
BurpFlashCSRFBuilder-0.1.4.jar
BurpKit.jar
BurpMultiProxy.jar
BurpMultiProxy_ListVer.jar
BurpPlugin-full.jar
Burp_MultiProxy.py
GrabTencentExmailContacts.jar
JavaSerialKiller.jar
activeScan++.py
aesburp_fat.jar
burp-image-size.jar
burp-paramalyzer.jar
burp-retire-js-2.jar
burpbuddy-2.0.0.jar
bypasswaf.jar  # WAF bypass
changeu.py
csrf-master.zip
key.bin
parrotng_v0.2.jar
rhinauditor-burp-plugin-1.jar
scriptgen-burp-plugin-3.jar
sentinelburp.xpi
shodanapi.py
sitemap-Import_links.py
threadfix-release-2.jar
update.bat
update.sh
ws.jar

MACROS:

Uses:
1. Verify that the current session is still valid by following a page redirect;
2. Perform a login to obtain a new valid session;
3. Extract a token or other parameter from the previous HTTP response and use it as an input to subsequent requests (e.g. to get past a CSRF token);
4. Before scanning or fuzzing, run some preceding requests so that the scan requests execute normally;
5. After a test request executes, perform follow-up requests (e.g. combined with Intruder, log in with different accounts and cast votes in bulk).
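The first three uses above are one mechanism seen from three angles: a check request, a login macro, and a parameter extracted from one response and injected into the next. The following is an added example (not code from the page or from Burp) that models that mechanism end to end against a constructed local target, so the behaviour of a session handling rule can be seen without a live application. The target app, its paths, its cookie and form names, and the credentials are all assumptions of this example.

```python
"""Offline model of a Burp session-handling macro (added example, not code from
the page or from Burp). A constructed local app issues a per-session CSRF token
on /login and rejects POSTs without it; the client does what the macro does:
check whether the session is valid, log in again if not, and carry the freshly
extracted token into the follow-up request."""
import http.client
import http.server
import re
import secrets
import threading
from urllib.parse import parse_qs, urlencode

SESSIONS = {}                                # sid -> {"csrf": str, "user": str|None}
VALID_CREDS = ("username", "Password123$")   # constructed test credentials


class App(http.server.BaseHTTPRequestHandler):
    """Constructed target: CSRF-protected login form; /account requires a login."""

    def log_message(self, *args): pass       # keep the demo quiet

    def _sid(self):
        m = re.search(r"sid=([0-9a-f]+)", self.headers.get("Cookie", ""))
        return m.group(1) if m and m.group(1) in SESSIONS else None

    def _reply(self, status, body=b"", **hdrs):
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid = self._sid()
        if self.path == "/login":
            if sid is None:                  # new visitor: mint a session and a token
                sid = secrets.token_hex(8)
                SESSIONS[sid] = {"csrf": secrets.token_hex(16), "user": None}
            form = ('<form method="post"><input type="hidden" name="csrf" '
                    f'value="{SESSIONS[sid]["csrf"]}"></form>')
            self._reply(200, form.encode(), Set_Cookie=f"sid={sid}; HttpOnly")
        elif sid and SESSIONS[sid]["user"]:  # /account with a logged-in session
            self._reply(200, b"<h1>Account</h1>")
        else:                                # anything else: bounce to the login page
            self._reply(302, Location="/login")

    def do_POST(self):
        sid = self._sid()
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        if (sid and form.get("csrf") == SESSIONS[sid]["csrf"]
                and (form.get("user"), form.get("pass")) == VALID_CREDS):
            SESSIONS[sid]["user"] = form["user"]
            self._reply(302, Location="/account")
        else:
            self._reply(403)


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def request(port, method, path, cookie=None, body=None):
    """One exchange; redirects are not followed so the status stays visible."""
    headers = {"Cookie": cookie} if cookie else {}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    result = resp.status, dict(resp.getheaders()), resp.read()
    conn.close()
    return result


def session_is_valid(port, cookie):
    """Use 1: a request whose status reveals whether we are still logged in."""
    return request(port, "GET", "/account", cookie)[0] == 200


def login(port):
    """Uses 2 and 3: fetch the form, extract the CSRF token from that response,
    submit the credentials with it. Returns the new session cookie or None."""
    _, hdrs, body = request(port, "GET", "/login")
    cookie = hdrs["Set-Cookie"].split(";")[0]
    token = re.search(rb'name="csrf" value="([0-9a-f]+)"', body).group(1).decode()
    creds = urlencode({"csrf": token, "user": VALID_CREDS[0], "pass": VALID_CREDS[1]})
    return cookie if request(port, "POST", "/login", cookie, creds)[0] == 302 else None


def ensure_session(port, cookie):
    """The session handling rule: run the login macro only when the check fails."""
    if cookie and session_is_valid(port, cookie):
        return cookie
    return login(port)


def expire_session(cookie):
    """Simulate a server-side timeout so the rule has something to repair."""
    SESSIONS.pop(cookie.split("=", 1)[1], None)


if __name__ == "__main__":
    port = start_server()
    cookie = ensure_session(port, None)
    print("logged in:", cookie, session_is_valid(port, cookie))
    expire_session(cookie)
    print("re-established:", ensure_session(port, cookie))
```

The check in `session_is_valid` is the cheap request Burp sends before each scan or Intruder request; `login` is the recorded macro with one parameter (`csrf`) derived from the preceding response rather than replayed verbatim. Replaying the recorded token instead of re-extracting it is the usual reason a macro works once in the recorder and then fails under the scanner.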
