Neurohazard
Evening clouds and misty moon, white-haired and poring over the classics; all things under heaven, thus have I heard.

Burp Suite Logger++: A Collection of Common Filter Rules

wpadmin, April 20, 2019, InfoSec


Rule collection

https://github.com/nccgroup/BurpSuiteLoggerPlusPlus/wiki/Filter-Fields

A more complex rule example

Card number in a JSON POST response

METHOD == "post" && MIMETYPE == "json" && RESPONSE == /\b(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b/

Sensitive information: internal IP addresses

Internal IP address #1

RESPONSE == /(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})/

Internal IP address #2

Not strict: octets are not limited to 255 or below.

RESPONSE == /(?:192\.168|10\.[0-9]|172\.1[6789]|172\.2[0-9]|172\.3[01])\.[0-9]{1,3}\.[0-9]{1,3}/

General IP addresses (including external ones)

RESPONSE == /(?:(?:^|\.)(?:2(?:5[0-5]|[0-4]\d)|1?\d?\d)){4}/

Sensitive information: mobile phone numbers

Mobile number (with word boundaries)

RESPONSE == /\b(1[3-9](\d{9}))\b/

Mobile number (many false positives)

RESPONSE == /(1[3-9](\d{9}))/

Sensitive information: e-mail addresses

Generic e-mail address match

RESPONSE == /(([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4}))/

Match a specific mailbox domain

RESPONSE == /(([A-Za-z0-9_\-\.])+\@example\.com)/

Fuzzy match on a keyword in the mailbox domain

RESPONSE == /(([A-Za-z0-9_\-\.])+\@(.*)example(.*))/
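To see how the internal IP, mobile number and e-mail rules above behave, here is an added example (not part of the original post) that runs those same regexes with Python's re module over a constructed JSON response body; the sample values are made up for the demonstration.

```python
import re

# The page's Logger++ filter regexes; Python's re accepts them unchanged.
RULES = {
    # "Internal IP address #1": every octet limited to 0-255.
    "internal_ip_strict": r"(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})",
    # "Internal IP address #2": no upper bound on the octets.
    "internal_ip_loose": r"(?:192\.168|10\.[0-9]|172\.1[6789]|172\.2[0-9]|172\.3[01])\.[0-9]{1,3}\.[0-9]{1,3}",
    # Mobile number with and without word boundaries.
    "mobile_strict": r"\b(1[3-9](\d{9}))\b",
    "mobile_loose": r"(1[3-9](\d{9}))",
    # Generic e-mail address.
    "email": r"(([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4}))",
}
COMPILED = {name: re.compile(pattern) for name, pattern in RULES.items()}

# Constructed sample response body; none of these values are real.
SAMPLE_BODY = (
    '{"server":"10.0.5.23","backup":"172.16.4.9","bogus":"10.9.300.1",'
    '"public":"203.0.113.7","order_id":"1380000000012345",'
    '"contact":"13800138000","email":"ops@example.com"}'
)


def scan(body: str) -> dict:
    """Return, per rule, every substring the rule matches in the body.
    The regex is searched for anywhere in the body (assumed here to mirror
    how a RESPONSE == /.../ filter selects a log entry)."""
    return {name: [m.group(0) for m in rx.finditer(body)]
            for name, rx in COMPILED.items()}


def matches(rule: str, body: str) -> bool:
    """True if the named rule would select a response with this body."""
    return COMPILED[rule].search(body) is not None


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_BODY).items():
        print(f"{name:20s} -> {hits}")
```

The loose IP rule accepts the impossible octet in 10.9.300.1, and the mobile rule without \b also fires on the first eleven digits of the 16-digit order id, which is the false-positive behaviour the headings above warn about.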

Sensitive information: national ID numbers

ID number

# Simple regex
RESPONSE == /((\d{6})(18|19|20)?(\d{2})([01]\d)([0123]\d)(\d{3})(\d|X))/

# Images produce false positives, so exclude them
RESPONSE == /((\d{6})(18|19|20)?(\d{2})([01]\d)([0123]\d)(\d{3})(\d|X))/ && MIMETYPE != "jpeg"

References

https://gist.github.com/z007/033e3f2b423e77244b90

Potential CORS misconfiguration

Null CORS response with Allow Credentials #1

RESPONSEHEADERS == /Access-Control-Allow-Origin: null/

Null CORS response with Allow Credentials #2

RESPONSEHEADERS == /Access-Control-Allow-Origin: \*/

Clickjacking

Missing X-FRAME-OPTIONS response header

https://tools.ietf.org/html/rfc7034

RESPONSEHEADERS != /X-FRAME-OPTIONS/

Missing Content-Security-Policy response header

RESPONSEHEADERS != /Content-Security-Policy/

In the Content-Security-Policy header, the directive that matters for clickjacking is frame-ancestors.

Looking for potential SSRF / open redirection

SSRF / Open Redirection

# By response header
ResponseHeaders == /(Location)/

# By parameter name
QUERY == /(url(.*)=)/ || REQUEST == /(url(.*)=)/
QUERY == /(uri(.*)=)/ || REQUEST == /(uri(.*)=)/
QUERY == /(path(.*)=)/ || REQUEST == /(path(.*)=)/
QUERY == /(href(.*)=)/ || REQUEST == /(href(.*)=)/
QUERY == /(redirect(.*)=)/ || REQUEST == /(redirect(.*)=)/

# Look for images passed in parameters
QUERY == /(img(.*)=)/ || REQUEST == /(img(.*)=)/
QUERY == /(pic(.*)=)/ || REQUEST == /(pic(.*)=)/
QUERY == /(\.png)/ || REQUEST == /(\.png)/
QUERY == /(\.jpg)/ || REQUEST == /(\.jpg)/
QUERY == /(\.gif)/ || REQUEST == /(\.gif)/

JSONP calls

# By parameter
REQUEST == /(callback(.*)=)/ || QUERY == /(callback(.*)=)/

# By response characteristics
# Slow to evaluate when the HTTP log holds many entries
RESPONSE == /(.+\(\[(.*)\]\))/ && RESPONSEHEADERS == /application\/json/

Looking for potential XXE

# By content-type
RequestHeaders == /application\/xml/ || RequestHeaders == /text\/xml/
REQUESTHEADERS == /Content-Type: application\/xml/

# By POST body
REQUEST == /<\?xml version="1\./

Rich-text editors

RESPONSE == /ueditor/

RPO (relative path overwrite)

RESPONSE == /=\.\.\//

Potential authorization bypass points

# By parameter name
REQUEST == /(_id(.*)=)/ || QUERY == /(_id(.*)=)/
REQUEST == /(id(.*)=)/ || QUERY == /(id(.*)=)/
REQUEST == /((I|i)(D|d)(.*)=)/ || QUERY == /((I|i)(D|d)(.*)=)/

Other sensitive parameters

QUERY == /(sql(.*)=)/ || REQUEST == /(sql(.*)=)/
QUERY == /(exec(.*)=)/ || REQUEST == /(exec(.*)=)/
QUERY == /(script(.*)=)/ || REQUEST == /(script(.*)=)/
QUERY == /(src(.*)=)/ || REQUEST == /(src(.*)=)/
