A collection of common Burp Suite Logger++ filter rules
Rule summary
https://github.com/nccgroup/BurpSuiteLoggerPlusPlus/wiki/Filter-Fields
A complex rule example
Card numbers in JSON POST responses
METHOD == "post" && MIMETYPE == "json" && RESPONSE == /\b(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b/
Sensitive information: internal IP addresses
Internal IP Address #1
RESPONSE == /(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})/
Internal IP Address #2
Loose: does not enforce the 0-255 limit on octets.
RESPONSE == /(?:192\.168|10\.[0-9]{1,3}|172\.1[6-9]|172\.2[0-9]|172\.3[01])\.[0-9]{1,3}\.[0-9]{1,3}/
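To see how much a post-match check cuts the false positives a Logger++ hit can carry before it is escalated, here is an added Python example (not part of this page or of Logger++): it runs the card-number rule above and both internal-IP rules over a constructed response body, and adds a Luhn check to the card hits. The sample body, the constant names and the function names are all assumptions made for this example.

```python
import re

# Patterns taken from the Logger++ rules on this page (Java and Python regex syntax agree here).
CARD_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}"
    r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b"
)
# Internal IP #1 (octets limited to 0-255) and #2 (loose, octet values not limited).
INTERNAL_IP_STRICT = re.compile(
    r"(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}"
    r"|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})"
)
INTERNAL_IP_LOOSE = re.compile(
    r"(?:192\.168|10\.[0-9]{1,3}|172\.1[6-9]|172\.2[0-9]|172\.3[01])\.[0-9]{1,3}\.[0-9]{1,3}"
)

# Constructed sample response body: one valid test card number, one that differs only in its
# check digit, one address with an impossible octet (300), and one real RFC 1918 address.
SAMPLE_BODY = (
    '{"card":"4111111111111111","order":"4111111111111112",'
    '"ip":"10.0.300.5","host":"192.168.1.20"}'
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; card-shaped numbers that fail it are usually not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(body: str) -> list[tuple[str, bool]]:
    """Each regex hit paired with whether it passes Luhn (the triage verdict)."""
    return [(m.group(0), luhn_ok(m.group(0))) for m in CARD_RE.finditer(body)]


def find_internal_ips(body: str) -> dict[str, list[str]]:
    """Hits of the strict and the loose internal-IP rule, to compare their false-positive rate."""
    return {
        "strict": [m.group(0) for m in INTERNAL_IP_STRICT.finditer(body)],
        "loose": INTERNAL_IP_LOOSE.findall(body),
    }


if __name__ == "__main__":
    print(find_cards(SAMPLE_BODY))         # [('4111111111111111', True), ('4111111111111112', False)]
    print(find_internal_ips(SAMPLE_BODY))  # the loose rule also reports 10.0.300.5, the strict one does not
```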
Generic IP addresses (including public ones)
RESPONSE == /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/
Sensitive information: mobile phone numbers
Mobile number (with word boundaries)
RESPONSE == /\b(1[3-9](\d{9}))\b/
Mobile number (many false positives)
RESPONSE == /(1[3-9](\d{9}))/
Sensitive information: e-mail addresses
Generic e-mail address match
RESPONSE == /(([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4}))/
Match a specific mail domain
RESPONSE == /(([A-Za-z0-9_\-\.])+\@example\.com)/
Fuzzy match on a keyword in the mail domain
RESPONSE == /(([A-Za-z0-9_\-\.])+\@(.*)example(.*))/
Sensitive information: Chinese resident ID numbers
ID number
# Simple regex
RESPONSE == /((\d{6})(18|19|20)?(\d{2})([01]\d)([0123]\d)(\d{3})(\d|X))/
# Excluding image responses, which produce false positives
RESPONSE == /((\d{6})(18|19|20)?(\d{2})([01]\d)([0123]\d)(\d{3})(\d|X))/ && MIMETYPE != "jpeg"
References
https://gist.github.com/z007/033e3f2b423e77244b90
Potentially misconfigured CORS
Null CORS response with Allow Credentials #1
RESPONSEHEADERS == /Access-Control-Allow-Origin: null/
Null CORS response with Allow Credentials #2
RESPONSEHEADERS == /Access-Control-Allow-Origin: \*/
Both rules match only on the Access-Control-Allow-Origin value; the Access-Control-Allow-Credentials header is not checked.
Clickjacking
Missing X-FRAME-OPTIONS
https://tools.ietf.org/html/rfc7034
# (?i) because header names are case-insensitive and servers usually send X-Frame-Options
RESPONSEHEADERS != /(?i)X-Frame-Options/
Missing Content-Security-Policy
RESPONSEHEADERS != /Content-Security-Policy/
For clickjacking, the relevant part of the Content-Security-Policy header is the frame-ancestors directive.
Looking for potential SSRF / open redirects
SSRF / Open Redirection
# By response header
RESPONSEHEADERS == /(Location)/
# By parameter name
QUERY == /(url(.*)=)/ || REQUEST == /(url(.*)=)/
QUERY == /(uri(.*)=)/ || REQUEST == /(uri(.*)=)/
QUERY == /(path(.*)=)/ || REQUEST == /(path(.*)=)/
QUERY == /(href(.*)=)/ || REQUEST == /(href(.*)=)/
QUERY == /(redirect(.*)=)/ || REQUEST == /(redirect(.*)=)/
# Image references in parameters
QUERY == /(img(.*)=)/ || REQUEST == /(img(.*)=)/
QUERY == /(pic(.*)=)/ || REQUEST == /(pic(.*)=)/
QUERY == /(\.png)/ || REQUEST == /(\.png)/
QUERY == /(\.jpg)/ || REQUEST == /(\.jpg)/
QUERY == /(\.gif)/ || REQUEST == /(\.gif)/
JSONP calls
# By parameter
REQUEST == /(callback(.*)=)/ || QUERY == /(callback(.*)=)/
# By response signature
Slow when the log holds many HTTP records.
RESPONSE == /(.+\(\[(.*)\]\))/ && RESPONSEHEADERS == /application\/json/
Looking for potential XXE
# By Content-Type
REQUESTHEADERS == /application\/xml/ || REQUESTHEADERS == /text\/xml/
REQUESTHEADERS == /Content-Type: application\/xml/
# By POST body
REQUEST == /<\?xml version="1\./
Editors
RESPONSE == /ueditor/
RPO (relative path overwrite)
RESPONSE == /=\.\.\//
Potential broken-access-control (IDOR) points
# By parameter name
REQUEST == /(_id(.*)=)/ || QUERY == /(_id(.*)=)/
REQUEST == /(id(.*)=)/ || QUERY == /(id(.*)=)/
REQUEST == /((I|i)(D|d)(.*)=)/ || QUERY == /((I|i)(D|d)(.*)=)/
Other sensitive parameters
QUERY == /(sql(.*)=)/ || REQUEST == /(sql(.*)=)/
QUERY == /(exec(.*)=)/ || REQUEST == /(exec(.*)=)/
QUERY == /(script(.*)=)/ || REQUEST == /(script(.*)=)/
QUERY == /(src(.*)=)/ || REQUEST == /(src(.*)=)/