Scribd Logo
Upload

Welcome to Scribd!

  • Huong Dan Su Dung Phan Mem Burp Suite

    Uploaded by

    letranganh
    210 views13 pages
    Huong Dan Su Dung Phan Mem Burp Suite

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Huong Dan Su Dung Phan Mem Burp Suite

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    210 views13 pages

    Huong Dan Su Dung Phan Mem Burp Suite

    Uploaded by

    letranganh
    Huong Dan Su Dung Phan Mem Burp Suite

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 13

    HNG DN S DNG PHN MM BURP SUITE

    Tm tt
    Trong bi vit ny, mnh s gii thiu v Burp Suite, mt cng c gip h tr qu
    trnh pentest ng dng web. Cc kin thc l c bn, dnh cho newbie, pro min
    tip nh (_ _!)
    1. Gii thiu Burp Suite
    Burp Suite l mt cng c pentest ng dng web. y khng phi l mt cng c
    n sn nh Acunetix, m n ch h tr mt s vic cho tester trong qu trnh
    pentest. Vi mt cht c gng, bt k ai cng c th s dng Burp Suite kim
    th cc ng dng web. Cc tnh nng nng cao ca Burp s gip tester nng cao k
    nng v trnh ca mnh hn na. Ngoi ra, giao din ca Burp cng rt trc
    quan v thn thin.
    Burp Suite c rt nhiu tnh nng th v:

    Interception Proxy: c thit k bt cc request gi ln server.

    Repeater: cho php sa i ni dung request mt cch nhanh chng.

    Intruder: t ng ha vic gi cc payloads ln server.

    Decoder: decode v encode string theo cc format khc nhau (URL, Base64,
    HTML,).

    Comparer: ch ra s khc nhau gia cc requests/responses

    Extender: API m rng chc nng ca Burp Suite. Bn c th download


    cc extensions thng qua Bapp Store.

    Spider & Discover Content: crawl link c trong ng dng web.

    Scanner (ch c trong bn Pro): t ng qut cc l hng trong ng dng


    web (XSS, SQLi, Command Injection, File Inclusion,).

    2. Ci t v cu hnh
    Burp Suite c vit bng ngn ng Java. Do , my tnh ca bn cn c ci
    t Java nu mun s dng Burp. Bn truy cp vo website
    http://portswigger.net/burp/download.html download Burp Suite bn mi nht
    v. Sau khi download, bn ch cn chy file .JAR ny bt u.
    Burp c thit k s dng cng vi trnh duyt. N hot ng ging nh mt
    HTTP proxy server, v tt c HTTP(S) traffic u s i qua Burp. Trc khi tin
    hnh lm vic vi Burp, bn cn cu hnh trnh duyt ca mnh lm vic vi n.
    u tin, bn kim tra xem Burp proxy listener c active hay cha, bng cch
    chn tab Proxy Options tm n phn Proxy Listeners kim tra xem
    checkbox Running c chn hay cha, v Interface l 127.0.0.1:8080. Nu cc
    thng tin khng ng nh trn, hy click vo button Restore defaults (bn tri
    panel).
    Tip theo, bn tin hnh cu hnh trnh duyt ca mnh. Bn cn thay i proxy
    setting vi proxy host l 127.0.0.1, v port 8080.
    Di y ti s hng dn cu hnh FireFox.
    Chn Tools Options Advanced Network Settings, sau thit lp
    nh hnh sau:

    Sau khi cu hnh xong trnh duyt, bn test li nh sau: g vo trnh duyt mt
    URL bt k. Quay tr li ca s Burp Suite, chn tab Proxy Intercept. Bn s
    thy ni dung ca HTTP request hin tr trong panel.
    n y, khi truy cp website c s dng HTTPS, bn s nhn c cnh bo t
    pha trnh duyt. Bn cn ci t thm Burp CA Certificate. Truy cp
    http://127.0.0.1:8080/, chn CA Certificate, download file cacert.der. Bn chn
    Tools Options Advanced Certificates View Certificates, sau
    import file va download v.
    n y, bn c th bt u lm vic cng Burp Suite
    3. Target

    Target l ni cha cc thng tin tng quan v ng dng web. Tab cho php bn
    xem site map v iu chnh phm vi mc tiu. Phm vi c th c xc nh bng
    cch in loi giao thc, host/IP, port.

    4. Proxy
    Tab Proxy hin th chi tit cc request i qua Burp Proxy. Ti y, bn c cc ty
    chn Forward, Drop hay chuyn sang cc action khc.

    Vi vic cu hnh scope v proxy, gi y bn c th duyt ng dng web bng


    cch s dng trnh duyt v Burp. Tab Site map cho bn ci nhn tng quan v ng
    dng web, cu trc th mc, ti nguyn, thc hin cc ty chn khc, bn ch
    cn click chut phi vo URL.

    d dng focus vo ng dng web mc tiu, bn c th click vo Filter v chn


    Show only in-scope items:

    5. Decoder & Comparer


    Khi bn tin hnh pentest ng dng web, bn s nhn ra s cn thit ca vic
    encode v decode string sang mt nh dng khc. Vic ny gip bn bypass qua
    cc b lc n gin ca cc lp trnh vin. Di y l v d s dng Burp
    Decoder encode URL vi nhiu ty chn encode khc nhau:

    Burp Comparer cho php bn so snh nhanh chng cc requests/responses tm


    s khc bit:

    6. Extender
    Bn c th m rng cc tnh nng cho Burp bng cch thm cc extensions. Trn
    BApp Store hin c rt nhiu extension hu ch cho bn la chn.

    7. Intruder
    Burp Intruder cho php bn test ng dng web bng cch gi cc payloads c
    nh ngha trc ln server, sau xem xt kt qu tr v. Bn thc hin theo cc
    bc sau:
    Bc 1: Chn mt request v chn tip Send to Intruder, sau chuyn sang tab
    Intruder. Vng c nh du cho bit phn no ca request c th brute force
    c.

    Bc 2: Chuyn sang tab payloads, load payloads do bn nh ngha sn:

    Bc 3: chn Intruder Start attack tin hnh attack. Sau bn c th


    nhm nhi mt ly cafe v xem xt kt qu tr v.

    Cn mt vi tnh nng hu ch na, chng hn Scanner hay Engagement tools,


    nhng cc tnh nng ny mt ph, nn mnh s gii thiu mt bi khc, ni v
    Burp Suite Pro.
    https://forum.whitehat.vn/threads/13232-Burp-Suite-101.html?p=26048#post26048

    You might also like