- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Using Burp
Besides the web proxy, Burp Suite has a number of other useful features: Intruder for automating attacks, Repeater for manipulating individual requests, Decoder for decoding and re-encoding encoded content, and Comparer for comparing requests and responses. Of all Burp’s features, these are the ones you will use most for bug bounty hunting, so we’ll explore them here.
The Proxy
Let’s see how you can use the Burp proxy to examine requests, modify them, and forward them to Burp’s other modules. Open Burp and switch to the Proxy tab, and start exploring what it does! To begin intercepting traffic, make sure the Intercept button reads Intercept is on ( Figure 4-8 ).
When you browse to a site on Firefox or Burp’s embedded browser, you should see an HTTP/HTTPS request appear in the main window. When intercept is turned on, every request your browser sends will go through Burp, which won’t send them to the server unless you click Forward in the proxy window. You can use this opportunity to modify the request before sending it to the server or to forward it over to other modules in Burp. You can also use the search bar at the bottom of the window to search for strings in the requests or responses.
To forward the request to another Burp module, right-click the request and select Send to Module ( Figure 4-9 ).
Let’s practice intercepting and modifying traffic by using Burp Proxy! Go to Burp Proxy and turn on traffic interception. Then open Firefox or Burp’s embedded browser and visit https://www.google.com/ . As you did in the preceding section, click Forward until you see the request with the hostname www.google.com . You should see a request like this one:
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
Let’s modify this request before sending it. Change the Accept-Language header value to de.
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0
Accept-Language: de
Accept-Encoding: gzip, deflate
Connection: close
Click Forward to send the request over to Google’s server. You should see Google’s home page in German appear in your browser’s window ( Figure 4-10 ).
If you’re a German speaker, you could do the test in reverse: switch the Accept-Language header value from de to en. You should see the Google home page in English. Congratulations! You’ve now successfully intercepted, modified, and forwarded an HTTP request via a proxy.
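As an added example that is not part of the book, here is the same intercept, edit and forward step done in code: a small parser that splits a raw HTTP/1.1 request into request line, headers and body, changes one header, and re-emits the request with CRLF line endings. The helper names (parse_request, set_header, set_body, serialize, switch_language) are assumptions made for this illustration; the two requests are the ones shown in this chapter. It also covers the one detail that is easy to get wrong when you edit a request body by hand: Content-Length must match the new body. Burp updates that header for you by default when you edit a request in the proxy or Repeater; the set_body helper below does the same.

```python
"""Added example (not from the book): the edit-and-forward step of an
intercepting proxy done in code. Helper names are hypothetical."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    # Header order is preserved, exactly as Burp's request editor shows it.
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # only the first colon separates name and value
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


def get_header(req: HttpRequest, name: str) -> Optional[str]:
    for n, v in req.headers:
        if n.lower() == name.lower():
            return v
    return None


def set_header(req: HttpRequest, name: str, value: str) -> HttpRequest:
    """Replace a header in place (names are case-insensitive) or append it if missing."""
    for i, (n, _) in enumerate(req.headers):
        if n.lower() == name.lower():
            req.headers[i] = (n, value)
            return req
    req.headers.append((name, value))
    return req


def set_body(req: HttpRequest, body: bytes) -> HttpRequest:
    """Change the body and keep Content-Length in sync with it.
    Burp does this automatically; a hand-written proxy must not forget it,
    or the server will read too few or too many bytes."""
    req.body = body
    return set_header(req, "Content-Length", str(len(body)))


def serialize(req: HttpRequest) -> bytes:
    """Re-emit the request with CRLF line endings, ready to send to the server."""
    head = f"{req.method} {req.target} {req.version}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in req.headers)
    return head.encode("iso-8859-1") + b"\r\n" + req.body


# The intercepted request from the walkthrough above.
GOOGLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def switch_language(raw: bytes, lang: str) -> bytes:
    """What the walkthrough does by hand: intercept, edit Accept-Language, forward."""
    req = parse_request(raw)
    set_header(req, "Accept-Language", lang)
    return serialize(req)


if __name__ == "__main__":
    print(switch_language(GOOGLE_REQUEST, "de").decode())
    # The login request from this chapter, with Content-Type and Content-Length
    # added as a real browser would send them (31 is the length of the body).
    login = parse_request(
        b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
        b"username=vickie&password=abc123"
    )
    set_body(login, b"username=vickie&password=Winter2024!")
    print(serialize(login).decode())
```

To turn this into a working proxy you would wrap it in a socket listener and send the serialized bytes on to the host named in the Host header; Burp's value is that it already does that, plus TLS, for you.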
The Intruder
The Burp intruder tool automates request sending. If you are using the Community Edition of Burp, your intruder will be a limited version: it is heavily rate-limited, so large payload lists take a long time to run. Still, it allows you to perform attacks like brute-forcing , whereby an attacker submits many requests to a server using a list of predetermined values and sees if the server responds differently. For example, a hacker who obtains a list of commonly used passwords can try to break into your account by repeatedly submitting login requests with all the common passwords. Only run such attacks against targets whose program rules allow it, and keep in mind that account lockouts or rate limiting can change the server’s responses partway through an attack. You can send requests over to the intruder by right-clicking a request in the proxy window and selecting Send to intruder .
The Target screen in the intruder tab lets you specify the host and port to attack ( Figure 4-11 ). If you forward a request from the proxy, the host and port will be prefilled for you.
The intruder gives you several ways to customize your attack. For each request, you can choose the payloads and payload positions to use. The payloads are the data that you want to insert into specific positions in the request. The payload positions specify which parts of the request will be replaced by the payloads you choose. For example, let’s say users log in to example.com by sending a POST request to example.com/login . In Burp, this request might look like this:
POST /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
username=vickie&password=abc123
The POST request body contains two parameters: username and password. If you were trying to brute-force a user’s account, you could switch up the password field of the request and keep everything else the same. To do that, specify the payload positions in the Positions screen ( Figure 4-12 ). To add a portion of the request to the payload positions, highlight the text and click Add on the right.
Then, switch over to the Payloads screen ( Figure 4-13 ). Here, you can choose payloads to insert into the request. To brute-force a login password, you can add a list of commonly used passwords here. You can also, for example, use a list of numbers with which to brute-force IDs in requests, or use an attack payload list you downloaded from the internet. Reusing attack payloads shared by others can help you find bugs faster. We will talk more about how to use reused payloads to hunt for vulnerabilities in Chapter 25 .
Once you’ve specified those, click the Start attack button to start the automated test. The intruder will send a request for each payload you listed and record all responses. You can then review the responses and look for interesting results; sorting the results table by status code and response length is the quickest way to spot the one payload that the server treated differently from the rest.
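As an added example that is not part of the book, the following script runs the brute-force attack described above against a constructed stand-in for example.com/login. Payload positions are marked with § characters, the way Burp’s Positions screen shows them; build_request drops each payload into the marked position (Burp’s Sniper attack with a single position), run_attack records the status code and response length for every payload just as the Intruder results table does, and find_outliers flags the response that differs from the rest. The fake_login_server function, its accepted password, and the short wordlist are all invented for this demonstration; a real run would replace fake_login_server with code that sends the request to the host and port shown on the Target screen. The template omits Content-Length and the fake server ignores it; real Intruder updates the header for you.

```python
"""Added example (not from the book): an Intruder-style Sniper run against a
constructed login endpoint. Server, password and wordlist are made up."""

import re
from collections import Counter
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs

MARK = "§"  # Burp's payload position marker
_POSITION = re.compile(f"{MARK}(.*?){MARK}")

# The login request from this chapter with the password marked as the payload position.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "\r\n"
    f"username=vickie&password={MARK}abc123{MARK}"
)


def build_request(template: str, payload: str) -> str:
    """Replace every marked position with the payload. A callable replacement
    avoids re.sub treating backslashes in the payload as escape sequences."""
    return _POSITION.sub(lambda _m: payload, template)


def fake_login_server(raw_request: str) -> Tuple[int, str]:
    """Constructed target: one made-up valid password; every other guess gets
    the same error page, which is what makes the hit stand out by length."""
    body = raw_request.split("\r\n\r\n", 1)[1]
    form = parse_qs(body)
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if user == "vickie" and password == "Summer2021":
        return 302, "Location: /dashboard"
    return 200, "<html><body>Invalid username or password.</body></html>"


def run_attack(template: str, payloads: List[str],
               send: Callable[[str], Tuple[int, str]]) -> List[Dict]:
    """One request per payload; record what Intruder's results table shows."""
    results = []
    for payload in payloads:
        status, body = send(build_request(template, payload))
        results.append({"payload": payload, "status": status, "length": len(body)})
    return results


def _signature(result: Dict) -> Tuple[int, int]:
    return result["status"], result["length"]


def find_outliers(results: List[Dict]) -> List[Dict]:
    """Flag responses whose (status, length) differs from the most common pair.
    Sorting the Intruder table by Status and Length is the manual version."""
    baseline, _count = Counter(_signature(r) for r in results).most_common(1)[0]
    return [r for r in results if _signature(r) != baseline]


# A constructed wordlist standing in for a file of commonly used passwords.
PAYLOADS = ["123456", "password", "abc123", "Summer2021", "qwerty", "letmein"]

if __name__ == "__main__":
    hits = find_outliers(run_attack(TEMPLATE, PAYLOADS, fake_login_server))
    for hit in hits:
        print(f"{hit['payload']!r}: HTTP {hit['status']}, {hit['length']} bytes")
```

The outlier check assumes most guesses fail the same way. If the server starts returning a lockout page after a few attempts, the baseline shifts mid-attack, so inspect the first few responses by hand before trusting the summary.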
The Repeater
The repeater is probably the tool you’ll use the most often ( Figure 4-14 ). You can use it to modify requests and examine server responses in detail. You could also use it to bookmark interesting requests to go back to later.
Although the repeater and intruder both allow you to manipulate requests, the two tools serve very different purposes. The intruder automates attacks by automatically sending programmatically modified requests. The repeater is meant for manual, detailed modifications of a single request.
Send requests to the repeater by right-clicking the request and selecting Send to repeater .
On the left of the repeater screen are requests. You can modify a request here and send the modified request to the server by clicking Send at the top. The corresponding response from the server will appear on the right.
The repeater is good for exploiting bugs manually, trying to bypass filters, and testing out different attack methods that target the same endpoint.
The Decoder
The Burp decoder is a convenient way to encode and decode data you find in requests and responses ( Figure 4-15 ). Most often, I use it to decode, manipulate, and re-encode application data before forwarding it to applications.
Send data to the decoder by highlighting a block of text in any request or response, then right-clicking it and selecting Send to decoder . Use the drop-down menus on the right to specify the algorithm to use to encode or decode the message. If you’re not sure which algorithm the message is encoded with, try to Smart decode it. Burp will try to detect the encoding and decode the message accordingly, peeling off several layers if the data was encoded more than once. Smart decode is a heuristic: short strings, or strings that happen to be valid in more than one encoding, can be misdetected, so check that the output actually makes sense before you rely on it.
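As an added example that is not part of the book, here is a small smart decoder of the kind described above: it tries URL-encoding, HTML entities, hex and base64 in turn, accepts a layer only if the result is printable text, and keeps peeling until nothing more applies, returning the list of layers it found. An encode function covers the reverse direction for re-encoding an edited value before you forward it. The function names and the guard rules (minimum length, printable-text check) are my choices for this illustration, not Burp’s actual algorithm.

```python
"""Added example (not from the book): a layered 'smart decode' with an
encoder for the way back. Detection rules are this example's own."""

import base64
import binascii
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_URL_RE = re.compile(r"%[0-9a-fA-F]{2}")
_HTML_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def _as_text(data: bytes) -> Optional[str]:
    """Accept a decoding only if it yields printable text; binary junk means
    the input merely looked like that encoding."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def _try_url(s: str) -> Optional[str]:
    return unquote(s) if _URL_RE.search(s) else None


def _try_html(s: str) -> Optional[str]:
    return html.unescape(s) if _HTML_RE.search(s) else None


def _try_hex(s: str) -> Optional[str]:
    if len(s) < 8 or not _HEX_RE.match(s):
        return None
    return _as_text(bytes.fromhex(s))


def _try_base64(s: str) -> Optional[str]:
    if len(s) < 8 or len(s) % 4 or not _B64_RE.match(s):
        return None
    try:
        return _as_text(base64.b64decode(s, validate=True))
    except binascii.Error:
        return None


# Unambiguous encodings first (they need '%XX' or '&name;'), heuristic ones last.
DECODERS = [("url", _try_url), ("html", _try_html), ("hex", _try_hex), ("base64", _try_base64)]


def smart_decode(value: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Return the (encoding, decoded) steps, outermost layer first; [] if none applied."""
    steps = []
    current = value
    for _ in range(max_layers):
        for name, decode in DECODERS:
            out = decode(current)
            if out is not None and out != current:
                steps.append((name, out))
                current = out
                break
        else:
            break  # no decoder applied: fully decoded
    return steps


def encode(value: str, name: str) -> str:
    """Re-encode an edited value with the named scheme before forwarding it."""
    if name == "url":
        return quote(value, safe="")
    if name == "html":
        return html.escape(value)
    if name == "hex":
        return value.encode("utf-8").hex()
    if name == "base64":
        return base64.b64encode(value.encode("utf-8")).decode("ascii")
    raise ValueError(f"unknown encoding: {name}")


if __name__ == "__main__":
    # A constructed sample: a script tag that was URL-encoded and then base64-encoded.
    for layer, text in smart_decode("JTNDc2NyaXB0JTNF"):
        print(f"{layer:>6}: {text}")
```

The printable-text check is what keeps ordinary values such as session tokens from being mangled: a token may look like base64 yet decode to random bytes, and the decoder then leaves it alone.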
The Comparer
The comparer is a way to compare requests or responses ( Figure 4-16 ). It highlights the differences between two blocks of text, either word by word or byte by byte. You might use it to examine how a difference in parameters impacts the response you get from the server, for example, by comparing the response for a valid username against the response for an invalid one.
Send data over to the comparer by highlighting a block of text in any request or response, then right-clicking it and selecting Send to comparer .
Saving Burp Requests
You can also save requests and responses from Burp. Simply right-click any request and select Copy URL , Copy as curl command , or Copy to file to store these results in your note folder for that target. The Copy URL option copies the URL of the request. Copy as curl command copies the entire request, including the request method, URL, headers, and body, as a curl command you can replay from the terminal. Copy to file saves the entire request to a separate file.