摘要
Burpsuite是全球知名的Web攻击集成平台,平台包括:Web代理、网络爬虫、扫描器、自动化攻击、解码器、中继器等功能,并且支持编写自定义工具来扩展Burp Suit的功能。文章对Burpsuite工具的工作方法进行了深入研究,挖掘Burpsuite工具的最新的使用方法和功能。从Web安全测试的角度,以流行的Struts安全漏洞为例,充分发挥Burpsuite工具的优势,编写了多个Struts漏洞的检测工具。在Burpsuite工具平台上,实现自动化Struts漏洞检测、识别,并且加入了编码变形,能够进行绕过Web应用防火墙等防护手段的测试,在相关的安全检测工作中起到了重要的作用。
Burpsuite is a world-renowned leading integrated platform o f Web attack, and the platform includes web proxy, web crawler, scanner, automated attack, decoder, repeater and so on.It supports writing custom plugins to extend Burpsuit. In this paper, the work method of Burpsuite tool is studied in depth, and the new method and function of Burpsuite tool is excavated. From the perspective of web security testing, as an example of the popular struts security vulnerabilities, we give full play to the advantages of Burpsuite tools and write a number of Struts vulnerability detection tools.By Burpsuite tool platform,we realize automation Struts vulnerability detection identification, and join the coding distortion, to bypass the web application firewall protection means test. And it will play an important role in the safety testing.
出处
《信息网络安全》
2016年第9期94-97,共4页
Netinfo Security
