Pinpoint attackers with burp

  Technical communication

  Pay attention to WeChat public number  Z20 Security team  , reply   Add group  , Pull you into the group Discuss technology together .

The official account is copied. , The layout may be a bit messy , You can go to the official account .

burp yes web Penetrating , The most commonly used tool , If we can find out who used it on our website burp Test by agent , Nine times out of ten that person would be an attacker .

principle

Used to burp Of all know , If the default installation configuration , Hang up burp, visit

http://burp

The following page will appear ：

except `http://burp` outside , also ：

http://127.0.0.1:8080/     #8080 The port is not fixed , yes burp The proxy port of http://burpsuite/

The above interface will also appear .

Pay attention to the picture above , There's... In the upper left corner burp The icon , Like most other websites , visit

http://xxxx/favicon.ico

You will get the icon of the website ：

We can use this to judge the users who visit our website , Have you used burp agent , To determine if it was the attacker .

Basics

Simply write a test page ：

index.html​​​​​​​

<html><head>  <title>burp test</title>  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head>

<body>  <img src="http://burp/favicon.ico" onload="alert('Burp is being used')" ></body></html>

then , Turn on burp The proxy user accesses this page , It will trigger ：

Into the rank

What can we do with this point ：

take burp Detect that the code inserted into the website is normal js In file , Usage detected burp after , Log attackers ip, Then ban ip, In this way, the attacker will be intercepted when he visits again ;

The detection code is placed in the sensitive location of the normal website , For example, the login page , Usage detected burp after , Log attackers ip, Then guide the attacker into the honeypot or guide the attacker to download exe;

......

......

Here's a demo Here's a simple demonstration of ：

【 There is no way to play the video , It is recommended that the public view utilize burp Pinpoint the attacker 】

Then the attacker ip It was recorded that attacker.txt file ：

Of course , You still have many ways to improve it , Here is just a demonstration of the effect ...

protective

So how to prevent being discovered ？

The simplest way is to set up the proxy , Do not use proxy for the following three host names ：

The other way is in burp options in , Tick the following two options

Technical communication

Communication group

Pay attention to the reply of the official account “ Add group ”, add to Z2OBot Small K Automatically pull you to join Z2O Security attack and defense communication group Share more good things .