Path Traversal with Burp
下载 FuzzDB Payload Go to Intruder - Add from list Go to Intruder - Payload Processing…
Monitoring HTTPS Traffic of a Single App on OSX
Monitoring HTTPS Traffic of a Single App on OSX | Caleb Fenton's Blog 该文介绍的就是利用proxychains4, 将目标App的流量转发去127.0.0.1:8080,然后让mitmproxy纪录流量。…
Win10 App Proxy
方法1 访问http://www.telerik.com/fiddler, 然后从顶部菜单中选择「WinConfig」,在接下来打开的窗口中勾选你想排除网络隔离的应用就可以了 方法2 - 修改注册表 通过设置为 Win 10 UWP 应用解除网络隔离 - 少数派…
Security Scanning using OWASP ZAP in a CI pipeline
AllDayDevOps ZAP automation in CI from Simon Bennetts…
Burp Intruder
1. Sniper 只需要1个payload POST /login HTTP /1.1 username=$nino$&password=$password$ Payload simplelist: a, b request1: username=a&password=password request2: username=b&password=password request3: username=nino&password=a request4: username=nino&password=b 2. Battering ram 只需要一个payload POST /login HTTP /1.1…
Too Easy – Adding Root CA’s to iOS Devices
利用Profile, 欺骗用户进行安装。 SensePost | Too easy – adding root ca’s to ios devices…
Thick Client Proxying
1. Interception 1.1 Intercepting Responses 1.2 Intercepting Request/Responses Rules 1.3 Match and Replace Proxy > Options > Match and Replace 利用它,就可以实现类似charles proxy的替换功能. 例如替换user-agent 1.4 SSL Pass Through Proxy > Options > SSL Pass Through Burp will not MitM anything added to this section and…
Burp+Shadowsocks 测试被墙Apps
Only need to enable socks5 proxy on User options Remember to select Do DNS lookups over SOCK5 proxy…
ZAProxy
Contexts a Set of URLs Assign characteristics to groups of URLs Authentication 1. Simple Automatically Login Login in a browser Define Login request Enable forced user mode User logins automatically 2. Zest Login 假如Login时除了username和password,还需要csrf_token. 上述的方法就不可行了. Record a new Zest Script Perform Authentication steps Test the Zest script by…
Burp Scanner Not working
burp-scanner-not-working',' If it said waiting, check at the low left corner if it is paused. If so, double click to continue.…