标签：macOS 2021.2 scan -- pro Burp https Suite burp

请访问原文链接：https://sysin.org/article/burp-suite-pro/，查看最新版。原创作品，转载请保留出处。

简介

Burp Suite Professional 是一套用于测试 web 安全性的高级工具集 —- 所有这些都在一个产品中。从一个基本的拦截代理到尖端的 Burp 扫描器，使用 Burp Suite Pro，正确的工具只需点击一下就可以了。

我们强大的自动化让您有更多的机会做您最擅长的，而 Burp Suite 处理容易实现的目标。先进的手动工具将帮助你识别目标更微妙的盲点。

Burp Suite Pro 是由一个研究团队开发的。这意味着在我们发布之前，发现成果已经包含在我们的最新更新中。我们的 pentesting 工具将使您的工作更快，同时让您了解最新的攻击向量。

功能介绍

Manual penetration testing features 手动渗透测试功能

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-eTl61ic1-1615173296175)(https://portswigger.net/burp/pro/features/images/proxy-interception.png)]

• Intercept everything your browser sees

A powerful proxy/history lets you modify all HTTP(S) communications passing through your browser.

• Manage recon data

All target data is aggregated and stored in a target site map - with filtering and annotation functions.

• Expose hidden attack surface

Find hidden target functionality with an advanced automatic discovery function for “invisible” content.

• Test for clickjacking attacks

Generate and confirm clickjacking attacks for potentially vulnerable web pages, with specialist tooling.

• Work with WebSockets

WebSockets messages get their own specific history - allowing you to view and modify them.

• Break HTTPS effectively

Proxy even secure HTTPS traffic. Installing your unique CA certificate removes associated browser security warnings.

• Manually test for out-of-band vulnerabilities

Make use of a dedicated client to incorporate Burp Suite’s out-of-band (OAST) capabilities during manual testing.

• Speed up granular workflows

Modify and reissue individual HTTP and WebSocket messages, and analyze the response - within a single window.

• Quickly assess your target

Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.

• Assess token strength

Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).

---

Advanced/custom automated attacks 高级/自定义自动攻击

• Faster brute-forcing and fuzzing

Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.

• Query automated attack results

Capture automated results in customized tables, then filter and annotate to find interesting entries/improve subsequent attacks.

• Construct CSRF exploits

Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.

• Facilitate deeper manual testing

See reflected/stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.

• Scan as you browse

The option to passively scan every request you make, or to perform active scans on specific URLs.

• Automatically modify HTTP messages

Settings to automatically modify responses. Match and replace rules for both responses and requests.

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iJPZ9P8P-1615173296177)(https://portswigger.net/burp/pro/features/images/payload.png)]

---

Automated scanning for vulnerabilities 自动扫描漏洞

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4a3cBJIS-1615173296178)(https://portswigger.net/burp/pro/features/images/scan-results.png)]

• Harness pioneering AST technology

High signal: low noise. Scan with pioneering, friction-free, out-of-band-application security testing (OAST).

• Conquer client-side attack surfaces

Hybrid AST and built-in JavaScript analysis engine help to find holes in client-side attack surfaces.

• Fuel vulnerability coverage with research

Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.

• Fine-tune scan control

Get fine-grained control, with a user-driven scanning methodology. Or, run “point-and-click” scans.

• Remediate bugs effectively

Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research.

• Configure scan behavior

Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more.

• Navigate difficult applications

Crawl more complex targets. Burp Suite’s crawler identifies locations based on content - not just URL.

• Effectively apply IAST

Source identification and vulnerability reporting simplified, with optional code instrumentation.

• Experience browser-driven scanning

Browser-driven scanning is already striding toward better coverage of tricky targets like AJAX-heavy single page apps.

---

Productivity tools 生产力工具

• Deep-dive message analysis

Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.

• Utilize both built-in and custom configurations

Access predefined configurations for common tasks, or save and reuse custom configurations.

• Multiply project options

Auto-save all working projects to disk, and add configurations to pre-saved projects.

• Make code more readable

Automatically pretty-print code formats including JSON, JavaScript, CSS, HTML, and XML.

• Easily remediate scan results

See source, discovery, contents, and remediation, for every bug, with aggregated application data.

• Simplify scan reporting

Customize with HTML/XML formats. Report all evidence identified, including issue details.

• Speed up data transformation

Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).

---

Extensions 扩展

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-0XIJpfO5-1615173296180)(https://portswigger.net/burp/pro/features/images/bapp-store.png)]

• Create custom extensions

Extender API ensures universal adaptability. Code custom extensions to make Burp work for you.

• Logger++

For in-depth vulnerability detail, ordered and arranged in an easily accessible table, make use of Logger++.

• Autorize

When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.

• Turbo Intruder

Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.

• J2EE Scan

Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.

• Access the extension library

The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.

• Upload Scanner

Adapt Burp Scanner’s attacks by uploading and testing multiple file-type payloads, with Upload Scanner.

• AuthMatrix

Run AuthMatrix with Autorize to define your access-level vulnerability authorization check.

• Param Miner

Quickly find unkeyed inputs with Param Miner - can guess up to 65,000 parameter names per second.

• Backslash Powered Scanner

Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.

下载地址

百度网盘链接：https://sysin.org/article/burp-suite-pro/

• Burp Suite Pro for macOS
  链接: https://sysin.org/article/burp-suite-pro/

  集成 keygen，直接运行，无需额外安装 Java
  

  修复原版图标，Big Sur 图标适配
  

• Burp Suite Pro for Linux
  链接: https://sysin.org/article/burp-suite-pro/
  安装：chmod +x burpsuitepro-2021.2-linux.bin && sudo ./burpsuitepro-2021.2-linux.bin

  集成安装、注册和卸载
  

  主界面一览
  

标签：macOS,2021.2,scan,--,pro,Burp,https,Suite,burp
来源： https://blog.csdn.net/netgc/article/details/114525996

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。