Burp Suite Web应用安全测试指南：拦截、扫描与漏洞利用

Burp Suite Web Application Testing by automindtechnologie-jpg/ultimate-skill.md

安装命令

npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Burp Suite Web Application Testing'

自动化测试安全

🇨🇳中文介绍

Burp Suite Web应用程序测试

目的

使用Burp Suite的集成工具集执行全面的Web应用程序安全测试，包括HTTP流量拦截和修改、请求分析与重放、自动化漏洞扫描以及手动测试工作流。此技能通过基于代理的测试方法，系统性地发现和利用Web应用程序漏洞。

输入 / 前提条件

必需工具

已安装Burp Suite Community或Professional Edition
Burp的内置浏览器或已配置的外部浏览器
目标Web应用程序URL
用于身份验证测试的有效凭据（如适用）

环境设置

使用临时或命名项目启动Burp Suite
在127.0.0.1:8080（默认）上激活代理监听器
浏览器配置为使用Burp代理（或使用Burp的浏览器）
已安装CA证书以进行HTTPS拦截

版本对比

功能	Community	Professional
代理	✓	✓
Repeater	✓	✓
Intruder	有限	完整
Scanner	✗	✓
扩展	✓	✓

输出 / 交付物

主要输出

拦截和修改的HTTP请求/响应
包含修复建议的漏洞扫描报告
HTTP历史记录和站点地图文档
针对已识别漏洞的概念验证利用

核心工作流

阶段1：拦截HTTP流量

启动Burp浏览器

导航至集成浏览器以实现无缝代理集成：

打开Burp Suite并创建/打开项目
转到 Proxy > Intercept 标签页
点击 Open Browser 启动预配置的浏览器
调整窗口位置以同时查看Burp和浏览器

配置拦截

控制捕获哪些请求：

Proxy > Intercept > Intercept is on/off toggle

当开启时：请求暂停以供审查/修改
当关闭时：请求通过，记录到历史记录

拦截并转发请求

处理拦截的流量：

将拦截开关设置为 Intercept on
在浏览器中导航至目标URL
观察请求在Proxy > Intercept标签页中被暂停
审查请求内容（头部、参数、正文）
点击 Forward 将请求发送到服务器
继续转发后续请求直到页面加载完成

查看HTTP历史记录

访问完整的流量日志：

转到 Proxy > HTTP history 标签页
点击任意条目查看完整的请求/响应
点击列标题进行排序（#号表示按时间顺序）
使用过滤器聚焦相关流量

阶段2：修改请求

拦截并修改

在转发前更改请求参数：

启用拦截：Intercept on
在浏览器中触发目标请求
在拦截的请求中找到要修改的参数
直接在请求编辑器中编辑值
点击 Forward 发送修改后的请求

常见修改目标

目标	示例	目的
价格参数	`price=1`	测试业务逻辑
用户ID	`userId=admin`	测试访问控制
数量值	`qty=-1`	测试输入验证
隐藏字段	`isAdmin=true`	测试权限提升

示例：价格操纵

POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

productId=1&quantity=1&price=100

# 修改为：
productId=1&quantity=1&price=1

结果：商品以修改后的价格添加到购物车。

阶段3：设置目标范围

定义范围

将测试聚焦于特定目标：

转到 Target > Site map
在左侧面板中右键点击目标主机
选择 Add to scope
出现提示时，点击 Yes 以排除范围外的流量

按范围过滤

从HTTP历史记录中移除干扰：

点击HTTP历史记录上方的显示过滤器
选择 Show only in-scope items
历史记录现在仅显示目标站点的流量

范围设定的好处

减少第三方请求的干扰
防止意外测试范围外的站点
提高扫描效率
生成更清晰的报告

阶段4：使用Burp Repeater

发送请求到Repeater

为手动测试准备请求：

在HTTP历史记录中识别感兴趣的请求
右键点击请求并选择 Send to Repeater
转到 Repeater 标签页访问请求

修改并重新发送

高效测试不同的输入：

1. 在Repeater标签页查看请求
2. 修改参数值
3. 点击Send提交请求
4. 在右侧面板审查响应
5. 使用导航箭头查看请求历史记录

Repeater测试工作流

Original Request:
GET /product?productId=1 HTTP/1.1

Test 1: productId=2    → Valid product response
Test 2: productId=999  → Not Found response  
Test 3: productId='    → Error/exception response
Test 4: productId=1 OR 1=1 → SQL injection test

分析响应

寻找漏洞的迹象：

显示堆栈跟踪的错误消息
框架/版本信息泄露
表明逻辑缺陷的不同响应长度
暗示盲注的时间差异
响应中出现意外数据

阶段5：运行自动化扫描

启动新扫描

启动漏洞扫描（仅限Professional版）：

转到 Dashboard 标签页
点击 New scan
在 URLs to scan 字段输入目标URL
配置扫描设置

扫描配置选项

模式	描述	持续时间
轻量级	高级别概览	~15分钟
快速	快速漏洞检查	~30分钟
均衡	标准全面扫描	~1-2小时
深度	彻底测试	数小时

监控扫描进度

跟踪扫描活动：

在 Dashboard 中查看任务状态
实时观察 Target > Site map 更新
检查 Issues 标签页以发现漏洞

审查已识别的问题

分析扫描结果：

在Dashboard中选择扫描任务
转到 Issues 标签页
点击问题以查看：
- Advisory : 描述和修复建议
- Request : 触发漏洞的HTTP请求
- Response : 显示漏洞的服务器响应

阶段6：Intruder攻击

配置Intruder

设置自动化攻击：

发送请求到Intruder（右键点击 > Send to Intruder）
转到 Intruder 标签页
使用§标记定义有效载荷位置
选择攻击类型

攻击类型

类型	描述	用例
Sniper	单个位置，迭代有效载荷	模糊测试单个参数
Battering ram	所有位置使用相同有效载荷	凭证测试
Pitchfork	并行有效载荷迭代	用户名:密码对
Cluster bomb	所有有效载荷组合	完全暴力破解

配置有效载荷

Positions Tab:
POST /login HTTP/1.1
...
username=§admin§&password=§password§

Payloads Tab:
Set 1: admin, user, test, guest
Set 2: password, 123456, admin, letmein

分析结果

审查攻击输出：

按响应长度排序以发现异常
按状态码过滤以查找成功尝试
使用grep搜索特定字符串
导出结果以供记录

快速参考

键盘快捷键

操作	Windows/Linux	macOS
Forward request	Ctrl+F	Cmd+F
Drop request	Ctrl+D	Cmd+D
Send to Repeater	Ctrl+R	Cmd+R
Send to Intruder	Ctrl+I	Cmd+I
Toggle intercept	Ctrl+T	Cmd+T

常见测试有效载荷

# SQL注入
' OR '1'='1
' OR '1'='1'--
1 UNION SELECT NULL--

# XSS
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

# 路径遍历
../../../etc/passwd
..\..\..\..\windows\win.ini

# 命令注入
; ls -la
| cat /etc/passwd
`whoami`

请求修改技巧

右键点击获取上下文菜单选项
使用解码器进行编码/解码
使用Comparer工具比较请求
将感兴趣的请求保存到项目

约束与防护

操作边界

仅测试已授权的应用程序
配置范围以防止意外测试范围外的内容
限制扫描速率以避免拒绝服务
记录所有发现和操作

技术限制

Community Edition缺少自动化扫描器
某些站点可能阻止代理流量
HSTS/证书固定可能需要额外配置
重度扫描可能触发WAF拦截

最佳实践

在广泛测试前始终设置目标范围
使用Burp的浏览器以获得可靠的拦截
定期保存项目以保留工作
手动审查扫描结果以排除误报

示例

示例1：业务逻辑测试

场景 : 电子商务价格操纵

正常添加商品到购物车，拦截请求
在POST正文中识别 price=9999 参数
修改为 price=1
转发请求
以操纵后的价格完成结账

发现 : 服务器信任客户端提供的价格值。

示例2：身份验证绕过

场景 : 测试登录表单

提交有效凭据，在Repeater中捕获请求
发送到Repeater进行测试
尝试：username=admin' OR '1'='1'--
观察成功的登录响应

发现 : 身份验证中存在SQL注入。

示例3：信息泄露

场景 : 基于错误的信息收集

导航到产品页面，观察 productId 参数
发送请求到Repeater
将 productId=1 更改为 productId=test
观察显示框架版本的详细错误信息

发现 : 堆栈跟踪中泄露了Apache Struts 2.5.12。

故障排除

浏览器未通过代理连接

验证代理监听器是否激活（Proxy > Options）
检查浏览器代理设置是否指向127.0.0.1:8080
确保没有防火墙阻止本地连接
使用Burp的内置浏览器以获得可靠的设置

HTTPS拦截失败

在浏览器/系统中安装Burp CA证书
导航至 http://burp 下载证书
将证书添加到受信任的根证书颁发机构
安装后重启浏览器

性能缓慢

限制范围以减少处理量
禁用不必要的扩展
在启动选项中增加Java堆大小
关闭未使用的Burp标签页和功能

请求未被拦截

验证"Intercept on"已启用
检查拦截规则是否过滤了目标
确保浏览器正在使用Burp代理
验证目标未使用不支持的协议

每周安装

仓库

automindtechnol…skill.md

首次出现

1970年1月1日

安全审计

Gen Agent Trust HubPass SocketPass SnykWarn

🇺🇸English

Burp Suite Web Application Testing

Purpose

Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.

Inputs / Prerequisites

Required Tools

Burp Suite Community or Professional Edition installed
Burp's embedded browser or configured external browser
Target web application URL
Valid credentials for authenticated testing (if applicable)

Environment Setup

Burp Suite launched with temporary or named project
Proxy listener active on 127.0.0.1:8080 (default)
Browser configured to use Burp proxy (or use Burp's browser)
CA certificate installed for HTTPS interception

Editions Comparison

Feature	Community	Professional
Proxy	✓	✓
Repeater	✓	✓
Intruder	Limited

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Outputs / Deliverables

Intercepted and modified HTTP requests/responses
Vulnerability scan reports with remediation advice
HTTP history and site map documentation
Proof-of-concept exploits for identified vulnerabilities

Phase 1: Intercepting HTTP Traffic

Launch Burp's Browser

Navigate to integrated browser for seamless proxy integration:

Open Burp Suite and create/open project
Go to Proxy > Intercept tab
Click Open Browser to launch preconfigured browser
Position windows to view both Burp and browser simultaneously

Configure Interception

Control which requests are captured:

Proxy > Intercept > Intercept is on/off toggle

When ON: Requests pause for review/modification
When OFF: Requests pass through, logged to history

Intercept and Forward Requests

Process intercepted traffic:

Set intercept toggle to Intercept on
Navigate to target URL in browser
Observe request held in Proxy > Intercept tab
Review request contents (headers, parameters, body)
Click Forward to send request to server
Continue forwarding subsequent requests until page loads

Access complete traffic log:

Go to Proxy > HTTP history tab
Click any entry to view full request/response
Sort by clicking column headers (# for chronological order)
Use filters to focus on relevant traffic

Phase 2: Modifying Requests

Intercept and Modify

Change request parameters before forwarding:

Enable interception: Intercept on
Trigger target request in browser
Locate parameter to modify in intercepted request
Edit value directly in request editor
Click Forward to send modified request

Common Modification Targets

Target	Example	Purpose
Price parameters	`price=1`	Test business logic
User IDs	`userId=admin`	Test access control
Quantity values	`qty=-1`	Test input validation
Hidden fields	`isAdmin=true`	Test privilege escalation

Example: Price Manipulation

POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

productId=1&quantity=1&price=100

# Modify to:
productId=1&quantity=1&price=1

Result: Item added to cart at modified price.

Phase 3: Setting Target Scope

Focus testing on specific target:

Go to Target > Site map
Right-click target host in left panel
Select Add to scope
When prompted, click Yes to exclude out-of-scope traffic

Remove noise from HTTP history:

Click display filter above HTTP history
Select Show only in-scope items
History now shows only target site traffic

Reduces clutter from third-party requests
Prevents accidental testing of out-of-scope sites
Improves scanning efficiency
Creates cleaner reports

Phase 4: Using Burp Repeater

Send Request to Repeater

Prepare request for manual testing:

Identify interesting request in HTTP history
Right-click request and select Send to Repeater
Go to Repeater tab to access request

Test different inputs efficiently:

1. View request in Repeater tab
2. Modify parameter values
3. Click Send to submit request
4. Review response in right panel
5. Use navigation arrows to review request history

Repeater Testing Workflow

Original Request:
GET /product?productId=1 HTTP/1.1

Test 1: productId=2    → Valid product response
Test 2: productId=999  → Not Found response  
Test 3: productId='    → Error/exception response
Test 4: productId=1 OR 1=1 → SQL injection test

Look for indicators of vulnerabilities:

Error messages revealing stack traces
Framework/version information disclosure
Different response lengths indicating logic flaws
Timing differences suggesting blind injection
Unexpected data in responses

Phase 5: Running Automated Scans

Initiate vulnerability scanning (Professional only):

Go to Dashboard tab
Click New scan
Enter target URL in URLs to scan field
Configure scan settings

Scan Configuration Options

Mode	Description	Duration
Lightweight	High-level overview	~15 minutes
Fast	Quick vulnerability check	~30 minutes
Balanced	Standard comprehensive scan	~1-2 hours
Deep	Thorough testing	Several hours

Monitor Scan Progress

Track scanning activity:

View task status in Dashboard
Watch Target > Site map update in real-time
Check Issues tab for discovered vulnerabilities

Review Identified Issues

Analyze scan findings:

Select scan task in Dashboard
Go to Issues tab
Click issue to view:
- Advisory : Description and remediation
- Request : Triggering HTTP request
- Response : Server response showing vulnerability

Phase 6: Intruder Attacks

Set up automated attack:

Send request to Intruder (right-click > Send to Intruder)
Go to Intruder tab
Define payload positions using § markers
Select attack type

Type	Description	Use Case
Sniper	Single position, iterate payloads	Fuzzing one parameter
Battering ram	Same payload all positions	Credential testing
Pitchfork	Parallel payload iteration	Username:password pairs
Cluster bomb	All payload combinations	Full brute force

Positions Tab:
POST /login HTTP/1.1
...
username=§admin§&password=§password§

Payloads Tab:
Set 1: admin, user, test, guest
Set 2: password, 123456, admin, letmein

Review attack output:

Sort by response length to find anomalies
Filter by status code for successful attempts
Use grep to search for specific strings
Export results for documentation

Action	Windows/Linux	macOS
Forward request	Ctrl+F	Cmd+F
Drop request	Ctrl+D	Cmd+D
Send to Repeater	Ctrl+R	Cmd+R
Send to Intruder	Ctrl+I	Cmd+I
Toggle intercept	Ctrl+T	Cmd+T

Common Testing Payloads

# SQL Injection
' OR '1'='1
' OR '1'='1'--
1 UNION SELECT NULL--

# XSS
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

# Path Traversal
../../../etc/passwd
..\..\..\..\windows\win.ini

# Command Injection
; ls -la
| cat /etc/passwd
`whoami`

Request Modification Tips

Right-click for context menu options
Use decoder for encoding/decoding
Compare requests using Comparer tool
Save interesting requests to project

Constraints and Guardrails

Operational Boundaries

Test only authorized applications
Configure scope to prevent accidental out-of-scope testing
Rate-limit scans to avoid denial of service
Document all findings and actions

Technical Limitations

Community Edition lacks automated scanner
Some sites may block proxy traffic
HSTS/certificate pinning may require additional configuration
Heavy scanning may trigger WAF blocks

Always set target scope before extensive testing
Use Burp's browser for reliable interception
Save project regularly to preserve work
Review scan results manually for false positives

Example 1: Business Logic Testing

Scenario : E-commerce price manipulation

Add item to cart normally, intercept request
Identify price=9999 parameter in POST body
Modify to price=1
Forward request
Complete checkout at manipulated price

Finding : Server trusts client-provided price values.

Example 2: Authentication Bypass

Scenario : Testing login form

Submit valid credentials, capture request in Repeater
Send to Repeater for testing
Try: username=admin' OR '1'='1'--
Observe successful login response

Finding : SQL injection in authentication.

Example 3: Information Disclosure

Scenario : Error-based information gathering

Navigate to product page, observe productId parameter
Send request to Repeater
Change productId=1 to productId=test
Observe verbose error revealing framework version

Finding : Apache Struts 2.5.12 disclosed in stack trace.

Browser Not Connecting Through Proxy

Verify proxy listener is active (Proxy > Options)
Check browser proxy settings point to 127.0.0.1:8080
Ensure no firewall blocking local connections
Use Burp's embedded browser for reliable setup

HTTPS Interception Failing

Install Burp CA certificate in browser/system
Navigate to http://burp to download certificate
Add certificate to trusted roots
Restart browser after installation

Limit scope to reduce processing
Disable unnecessary extensions
Increase Java heap size in startup options
Close unused Burp tabs and features

Requests Not Being Intercepted

Verify "Intercept on" is enabled
Check intercept rules aren't filtering target
Ensure browser is using Burp proxy
Verify target isn't using unsupported protocol

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

27,600 周安装