Summary
In this article I will introduce Burp Suite, a tool that supports the process of pentesting web applications. The material is basic and aimed at newbies; pros may skip it (_ _!)
1. Introduction to Burp Suite
Burp Suite is a web application pentesting tool. It is not a ready-made, fully automated tool like Acunetix; instead it supports the tester in specific tasks during the pentest. With a little effort anyone can use Burp Suite to test web applications, and Burp's advanced features help testers further develop their skills and expertise. Burp's interface is also very intuitive and user-friendly.
Burp Suite has many interesting features:
Decoder: decodes and encodes strings in various formats (URL, Base64, HTML, ...).
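The Decoder tab works by chaining encodings and decodings. The script below is an added example, not Burp's own code, that reproduces the URL, Base64 and HTML conversions and shows the point that matters in practice: a value encoded twice (here a constructed cookie value, Base64 then URL-encoded) must be decoded in the reverse order, and a small "smart decode" loop can guess that order layer by layer. The format names and the heuristic in decode_layers are this example's own choices.

```python
"""Encoding and decoding helpers in the spirit of Burp's Decoder tab.

Added example, not Burp's own code. The format names ("url", "base64",
"html") and the sample cookie value are this example's own choices.
"""
import base64
import html
import urllib.parse

# One encoder and one matching decoder per format.
ENCODERS = {
    "url": lambda s: urllib.parse.quote(s, safe=""),   # every reserved char becomes %XX
    "base64": lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
    "html": lambda s: html.escape(s, quote=True),      # & < > " ' become entities
}
DECODERS = {
    "url": urllib.parse.unquote,
    "base64": lambda s: base64.b64decode(s, validate=True).decode("utf-8"),
    "html": html.unescape,
}


def encode_chain(value, formats):
    """Apply the given encodings in order, e.g. ["base64", "url"]."""
    for fmt in formats:
        value = ENCODERS[fmt](value)
    return value


def decode_chain(value, formats):
    """Undo encode_chain: same format list, applied in reverse order.

    Decoding in the wrong order is the classic mistake: base64-decoding a
    URL-encoded string fails on the '%3D' that stands for the '=' padding.
    """
    for fmt in reversed(formats):
        value = DECODERS[fmt](value)
    return value


def decode_layers(value):
    """Peel off encodings by guessing the outermost layer each time.

    Returns (plaintext, formats_removed). The guess is a simple heuristic:
    '%XX' means URL, '&...;' means HTML, and a string that Base64-decodes
    to printable text means Base64. Stops when nothing more can be removed.
    """
    removed = []
    while value:
        if "%" in value and urllib.parse.unquote(value) != value:
            fmt = "url"
        elif "&" in value and html.unescape(value) != value:
            fmt = "html"
        else:
            try:
                decoded = DECODERS["base64"](value)
            except (ValueError, UnicodeDecodeError):
                break
            if not decoded or not decoded.isprintable():
                break
            fmt = "base64"
        value = DECODERS[fmt](value)
        removed.append(fmt)
    return value, removed


if __name__ == "__main__":
    # Constructed sample: a session cookie that was Base64-encoded, then URL-encoded.
    cookie = encode_chain("user:admin", ["base64", "url"])
    print(cookie)                                   # dXNlcjphZG1pbg%3D%3D
    print(decode_chain(cookie, ["base64", "url"]))  # user:admin
    print(decode_layers(cookie))                    # ('user:admin', ['url', 'base64'])
    print(encode_chain('<script>alert("x")</script>', ["html"]))
```

The HTML encoder is the one to reach for when checking how a reflected value should have been neutralised in a response; comparing the encoded form with what the application actually returned is a quick way to spot missing output encoding.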
2. Installation and configuration
Burp Suite is written in Java, so your machine needs Java installed in order to use Burp. Go to http://portswigger.net/burp/download.html to download the latest version of Burp Suite. After downloading, simply run the .JAR file to start.
Burp is designed to be used together with a browser. It works like an HTTP proxy server, and all HTTP(S) traffic passes through Burp. Before starting work with Burp, you need to configure your browser to work with it.
First, check whether the Burp proxy listener is active: open the Proxy tab → Options, find the Proxy Listeners section, and check that the Running checkbox is ticked and the Interface is 127.0.0.1:8080. If the settings differ from this, click the Restore defaults button (on the left of the panel).
Next, configure your browser. You need to change the proxy settings to proxy host 127.0.0.1 and port 8080.
Below I will walk through the configuration for Firefox.
Choose Tools → Options → Advanced → Network → Settings, then set it up as in the following figure:
Once the browser is configured, test it as follows: type any URL into the browser. Go back to the Burp Suite window and open the Proxy → Intercept tab. You will see the content of the HTTP request displayed in the panel.
At this point, when you visit a website that uses HTTPS, you will get a warning from the browser. You need to install the Burp CA certificate as well. Visit http://127.0.0.1:8080/, choose CA Certificate and download the file cacert.der. Then choose Tools → Options → Advanced → Certificates → View Certificates and import the file you just downloaded.
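The two setup steps above (pointing the browser at 127.0.0.1:8080 and importing the Burp CA) make more sense once you see what the browser actually sends to a proxy. The script below is an added example, not Burp's or Firefox's own code: it builds the first message a proxy-configured browser sends for a URL and parses it the way a listener would. For http:// the proxy receives the whole request (absolute URL in the request line), which is why it appears on the Intercept tab as-is; for https:// the browser only asks for a CONNECT tunnel and then starts TLS inside it, so an intercepting proxy has to terminate TLS with a certificate from its own CA, and the browser warns until that CA is trusted. The URLs are constructed.

```python
"""What the browser sends to an HTTP proxy, and how the proxy reads it.

Added example, not Burp's or Firefox's own code; the URLs are constructed.
"""
import urllib.parse


def proxy_first_message(url, method="GET"):
    """Return the bytes a browser sends to its proxy to start `url`.

    http://  -> the request itself with the absolute URL in the request
                line ("absolute-form"), so the proxy sees and can edit it.
    https:// -> "CONNECT host:port", asking for a raw tunnel. The browser
                then starts TLS inside the tunnel; the real request is
                encrypted and invisible unless the proxy terminates TLS.
    """
    u = urllib.parse.urlsplit(url)
    if u.scheme == "http":
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        return (f"{method} http://{u.netloc}{path} HTTP/1.1\r\n"
                f"Host: {u.netloc}\r\n\r\n").encode("ascii")
    if u.scheme == "https":
        port = u.port or 443
        return (f"CONNECT {u.hostname}:{port} HTTP/1.1\r\n"
                f"Host: {u.hostname}:{port}\r\n\r\n").encode("ascii")
    raise ValueError(f"unsupported scheme: {u.scheme!r}")


def parse_proxy_first_message(data):
    """What a listener such as Burp's does with that first message.

    A plain request is parsed and shown on the Intercept tab. A CONNECT
    is answered with a tunnel; Burp then presents a server certificate it
    issues on the fly, signed by its own CA (the cacert.der you import).
    """
    request_line = data.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"kind": "tunnel", "host": host, "port": int(port)}
    return {"kind": "request", "method": method, "url": target}


def needs_proxy_ca(url):
    """True when intercepting this URL needs the proxy's CA in the browser."""
    return urllib.parse.urlsplit(url).scheme == "https"


if __name__ == "__main__":
    for target in ("http://example.com/login?user=alice", "https://example.com/account"):
        msg = proxy_first_message(target)
        print(msg.decode())
        print(parse_proxy_first_message(msg), "needs Burp CA:", needs_proxy_ca(target))
```

The same mechanism is why the CA import should be confined to the testing browser profile: any browser that trusts that CA will accept a TLS session terminated by whoever holds the matching private key, so the Burp CA is not something to install in a day-to-day profile.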
Now you can start working with Burp Suite.
3. Target
The Target tab holds overview information about the web application. It lets you view the site map and adjust the target scope. The scope can be defined by entering the protocol, host/IP and port.
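To make the scope definition concrete, here is an added example (not Burp's own code) of protocol/host/port scope rules with include and exclude lists, applied to a constructed site map. Burp's own host field takes a regular expression; this example uses shell-style wildcards instead, and the rules and URLs are this example's own.

```python
"""Target scope rules in the style of Burp's Target tab.

Added example, not Burp's own code. Burp's host field takes a regular
expression; this example uses shell-style wildcards for the host instead.
The rules and URLs are constructed.
"""
import fnmatch
import urllib.parse
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScopeRule:
    protocol: str        # "http", "https" or "any"
    host: str            # hostname or IP, wildcards allowed, e.g. "*.example.com"
    port: Optional[int]  # None means any port

    def matches(self, url):
        u = urllib.parse.urlsplit(url)
        if self.protocol != "any" and u.scheme != self.protocol:
            return False
        # Fill in the default port so "https://a.example.com/" matches port 443.
        port = u.port or (443 if u.scheme == "https" else 80)
        if self.port is not None and port != self.port:
            return False
        return fnmatch.fnmatchcase((u.hostname or "").lower(), self.host.lower())


def in_scope(url, include, exclude=()):
    """Exclude rules win over include rules, as in Burp's Target scope."""
    if any(rule.matches(url) for rule in exclude):
        return False
    return any(rule.matches(url) for rule in include)


# Constructed scope: the app and its subdomains over HTTPS on 443, minus the CDN host.
INCLUDE = [
    ScopeRule("https", "example.com", 443),
    ScopeRule("https", "*.example.com", 443),
]
EXCLUDE = [ScopeRule("any", "static.example.com", None)]


def filter_site_map(urls, include=INCLUDE, exclude=EXCLUDE):
    """Keep only in-scope URLs, the way the site map filter hides out-of-scope items."""
    return [u for u in urls if in_scope(u, include, exclude)]


SAMPLE_SITE_MAP = [
    "https://app.example.com/login",
    "http://app.example.com/login",        # wrong protocol
    "https://app.example.com:8443/admin",  # wrong port
    "https://static.example.com/app.js",   # excluded host
    "https://example.com/",
    "https://example.com.evil.test/",      # lookalike domain, not a subdomain
]

if __name__ == "__main__":
    for u in filter_site_map(SAMPLE_SITE_MAP):
        print(u)
```

The lookalike entry is there on purpose: a suffix check written as `host.endswith("example.com")` would accept `example.com.evil.test`, which is exactly the kind of host you do not want your tooling to treat as authorised. Tying the rule to protocol and port as well keeps a test from drifting onto a staging port or a plain-HTTP listener that was never agreed.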
4. Proxy
The Proxy tab shows details of the requests passing through Burp Proxy. Here you have the options to Forward or Drop a request, or hand it over to other actions.
6. Extender
You can extend Burp's features by adding extensions. The BApp Store currently offers many useful extensions to choose from.
7. Intruder
Burp Intruder lets you test a web application by sending predefined payloads to the server and then examining the responses. Follow these steps:
Step 1: Select a request and choose Send to Intruder, then switch to the Intruder tab. The highlighted regions show which parts of the request can be brute-forced.
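To show what the highlighted regions in step 1 correspond to, here is an added example, not Burp's own code, that reproduces Intruder's automatic position marking on a constructed request: every parameter value in the query string, the Cookie header and a form-encoded body is wrapped in § markers, and the list of positions is returned. It only marks positions; nothing is sent anywhere.

```python
"""Marking payload positions in a request, as Intruder does on "Send to Intruder".

Added example, not Burp's own code. The sample request is constructed.
"""

MARK = "\u00a7"  # the § character Burp uses around a payload position


def _mark_params(s, location, sep="&"):
    """Wrap every value of a name=value list in markers; collect the positions."""
    parts, found = [], []
    for pair in s.split(sep):
        name, eq, value = pair.partition("=")
        if eq:
            found.append((location, name, value))
            parts.append(f"{name}={MARK}{value}{MARK}")
        else:
            parts.append(pair)  # flag-style parameter without a value: left alone
    return sep.join(parts), found


def mark_payload_positions(raw_request):
    """Return (marked_request, positions) for a raw HTTP/1.1 request string."""
    head, blank, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    positions = []

    # Request line: values in the query string.
    method, target, version = lines[0].split(" ", 2)
    path, qmark, query = target.partition("?")
    if qmark:
        query, found = _mark_params(query, "query")
        positions += found
    lines[0] = f"{method} {path}{qmark}{query} {version}"

    # Headers: cookie values; also remember the content type for the body.
    content_type = ""
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "cookie":
            value, found = _mark_params(value, "cookie", sep="; ")
            positions += found
            lines[i] = f"{name}: {value}"
        elif name.lower() == "content-type":
            content_type = value.lower()

    # Body: only a form-encoded body is split into parameters.
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        body, found = _mark_params(body, "body")
        positions += found

    return "\r\n".join(lines) + blank + body, positions


# Constructed sample request, as it would appear after "Send to Intruder".
SAMPLE = (
    "POST /login?lang=en HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&pass=secret"
)

if __name__ == "__main__":
    marked, positions = mark_payload_positions(SAMPLE)
    print(marked)
    for pos in positions:
        print(pos)
```

Seeing the positions listed this way is also the reminder that a session cookie counts as an input: an application that only validates form fields and trusts everything in the Cookie header has left the other half of the highlighted regions unchecked.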