The art of brute forcing in vulnerability discovery

0x01 Brute forcing runs into a 302 redirect

While brute forcing a login box I noticed that only the first captcha was accepted; every request after it was rejected as a wrong captcha. Looking at the response, the login request answers with a 302.

So I brute forced the redirect target from that response directly, and it turned out that this URL does not check the captcha at all: the credentials can be brute forced against it as-is. (The screenshot of the successful hit was not saved.)

A side note: when a brute-force run hits a 302, Burp Suite Intruder can be configured to follow the redirect (the Redirections setting: on-site only / always), so the response you grep is the page after the jump rather than the bare 302.
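To make the flow above concrete, here is a toy model of such a two-hop login, written for this page and not taken from the blog or any real site. The endpoint names (`/login.php`, `/auth.php`), the credentials and the captcha value are all constructed. The first hop checks a single-use captcha and then redirects the credentials to a second endpoint; the second endpoint checks only the credentials, so hitting it directly sidesteps the captcha.

```python
"""Toy model of the redirect-based captcha bypass described above.

Constructed example (not the blog's code, no real target): a login form
whose first hop checks the captcha and then 302-redirects the credentials
to a second endpoint that does not check the captcha at all.
"""
from urllib.parse import parse_qs, urlsplit

VALID_USER, VALID_PASS = "admin", "admin888"   # constructed test credentials
CAPTCHA_ANSWER = "x7q9"                         # constructed, single-use

_used_captchas = set()


def login_php(params):
    """First hop: checks the captcha (single use), then redirects."""
    captcha = params.get("captcha", "")
    if captcha != CAPTCHA_ANSWER or captcha in _used_captchas:
        return 200, "", "captcha error"      # what every retry after the first sees
    _used_captchas.add(captcha)
    location = f"/auth.php?user={params['user']}&pass={params['pass']}"
    return 302, location, ""


def auth_php(params):
    """Second hop: only checks the credentials. The flaw: no captcha here."""
    if params.get("user") == VALID_USER and params.get("pass") == VALID_PASS:
        return 200, "", "login success"
    return 200, "", "username or password incorrect"


ROUTES = {"/login.php": login_php, "/auth.php": auth_php}


def request(url):
    """Dispatch a URL to the toy app; returns (status, location, body)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ROUTES[parts.path](params)


def find_redirect_target(user, password, captcha):
    """Send one legitimate login and harvest the path from the 302 Location."""
    status, location, _ = request(
        f"/login.php?user={user}&pass={password}&captcha={captcha}")
    return urlsplit(location).path if status == 302 else None


def brute_force(path, user, wordlist):
    """Try each password against `path` directly and grep the body for success."""
    for pw in wordlist:
        status, _, body = request(f"{path}?user={user}&pass={pw}")
        if status == 200 and "success" in body:
            return pw
    return None


if __name__ == "__main__":
    target = find_redirect_target("admin", "wrong", "x7q9")   # one real captcha solve
    print("redirect target:", target)
    print("via /login.php:", brute_force("/login.php", "admin", ["123456", "admin888"]))
    print("via target:    ", brute_force(target, "admin", ["123456", "admin888"]))
```

The point of the run: one manual captcha solve is spent to learn where the 302 goes; every brute-force request afterwards is sent to that target, where there is no captcha to burn.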

0x02 Ways to enumerate usernames

Places where usernames can be enumerated: login, registration and forgot-password. If registration is open, or at the change-password function after a successful login, it may also be possible to enumerate usernames.

Enter an arbitrary account and password and the prompt says "username or password is incorrect". You might conclude that you cannot first enumerate which usernames exist and then brute force their passwords. That is not necessarily so.

When the username you enter does exist, the application actually tells you how many failed attempts you have made, which by itself reveals that the username exists.

Sometimes the response body is just a number that the front-end parses and turns into a message on the page. In that case look at the front-end code for where the number is turned into text, then locate the corresponding JS file.

For example, with the error code below:

Firefox is used here: open the developer tools (F12), go to the Debugger tab, and search across all files.

Search the front-end sources for the text of the prompt.

Find the case for "-7": that branch is only reached for an existing username, which means the code can be used to enumerate usernames.

Sometimes the web client demands a captcha on every attempt, which blocks brute forcing. To get around it, check whether there is a companion mobile app: the same backend reached through the app may not enforce the captcha and is worth a try.
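The enumeration oracle from this section, as an added example that is not the blog's code: a toy JSON login API returns only a numeric code, the front-end JS maps that code to text, and code -7 ("wrong password, N attempts left") is produced only for usernames that exist. The API, its codes, the user table and the JS error map are all constructed for the illustration. The enumeration routine does not hard-code the -7 value; it compares each candidate's response against the response for a known-bogus username, which is the general form of the check.

```python
"""Differential username enumeration against a JSON login API.

Constructed example: the endpoint, its numeric codes, the user table and
the JS error map are invented to mirror the behaviour described above.
"""
import json
from collections import Counter

_EXISTING = {"admin": "secret", "test": "test123"}   # constructed user table
_failures = Counter()


def login_api(username, password):
    """Toy backend. Returns (status, body); the body is only a code."""
    if username not in _EXISTING:
        return 200, json.dumps({"code": -1})
    if _EXISTING[username] == password:
        return 200, json.dumps({"code": 0})
    _failures[username] += 1
    # The leak: an attempt counter that only exists for real accounts.
    return 200, json.dumps({"code": -7, "left": 5 - _failures[username]})


# The kind of map you find with F12 > Debugger > search all files for the
# prompt text (constructed, not any real site's JS):
JS_ERROR_MAP = {
    -1: "username or password incorrect",
    -7: "password incorrect, you have {left} attempts left",
    0: "login success",
}


def explain(code):
    """Translate a raw code the way the front-end would."""
    return JS_ERROR_MAP.get(code, "unknown error")


def response_signature(status, body):
    """What the oracle compares: status, body length and the raw code."""
    return status, len(body), json.loads(body).get("code")


def enumerate_users(candidates, probe_password="Nope!Nope!1"):
    """Return candidates whose response differs from a known-bogus username."""
    baseline = response_signature(*login_api("zz_surely_not_a_user_zz", probe_password))
    found = []
    for user in candidates:
        sig = response_signature(*login_api(user, probe_password))
        if sig != baseline:          # any stable difference is the oracle
            found.append(user)
    return found


if __name__ == "__main__":
    for user in enumerate_users(["admin", "nobody", "test", "guest"]):
        _, body = login_api(user, "x")
        print(user, "->", explain(json.loads(body)["code"]))
```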

0x03 Bypassing IP restrictions when brute forcing

While brute forcing a username and password you run into a restriction like this one. What do you do?

Some developers add this purely to stop password brute forcing, and it does not necessarily lock the account itself: it only blocks the source IP, and the source IP is read from the request headers. So simply setting an X-Forwarded-For header is enough to bypass it.

A Burp plugin is recommended for this: fakeip.
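Why the header trick works, shown as an added example rather than the blog's code: a per-IP attempt limiter that keys on a client-supplied X-Forwarded-For header, next to a version that only trusts the header when the TCP peer is the site's own reverse proxy. The proxy address, the attacker address and the attempt cap are constructed for the illustration.

```python
"""Per-IP brute-force limiter: the bypassable version next to a fixed one.

Constructed example, not the blog's code: it models a limiter that keys
on the client-supplied X-Forwarded-For header and shows why rotating that
header (by hand or with a plugin such as fakeip) defeats it.
"""
from collections import defaultdict

MAX_ATTEMPTS = 5
TRUSTED_PROXIES = {"10.0.0.2"}   # assumed address of the site's own reverse proxy


class NaiveLimiter:
    """Vulnerable: takes the first X-Forwarded-For value from anyone."""

    def __init__(self):
        self.counts = defaultdict(int)

    def client_ip(self, remote_addr, headers):
        return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()

    def allow(self, remote_addr, headers):
        ip = self.client_ip(remote_addr, headers)
        self.counts[ip] += 1
        return self.counts[ip] <= MAX_ATTEMPTS


class HardenedLimiter(NaiveLimiter):
    """Honours X-Forwarded-For only when the peer is our proxy, and then uses
    the address the proxy appended (the rightmost hop), which the client
    cannot forge, instead of the leftmost one, which it can."""

    def client_ip(self, remote_addr, headers):
        if remote_addr not in TRUSTED_PROXIES:
            return remote_addr
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        return hops[-1] if hops else remote_addr


def run_attack(limiter, attempts, attacker_ip="203.0.113.9"):
    """Rotate a fake XFF value on every request; count how many get through."""
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i % 250 + 1}"}
        if limiter.allow(attacker_ip, headers):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive limiter let through:", run_attack(NaiveLimiter(), 50))
    print("hardened limiter let through:", run_attack(HardenedLimiter(), 50))
```

The hardened version is only correct when there is exactly one trusted proxy in front of the application and that proxy appends the peer address to the header on every request; with a chain of proxies, strip a known number of trusted hops from the right instead.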

0x04 Surprises from brute forcing parameters

During a public test there was a captcha in the way. Breaking it with OCR would have cost a bit too much, and everyone was racing on speed, so I took another route. (The captcha could actually be turned into a denial of service, but the program did not accept DoS, so I did not report it.)

I focused on api.php, which felt like it held something. So, brute force; but brute force what this time? Parameters. There are two places to fuzz:

one is api.php?m={} and the other is api.php?{}=xx

This is my brute-force run. From the response length and status code we can tell which values are live. When the fuzzing reached /api.php?m=getuserinfo the response was a blank page with status 200, which suggests a parameter is still missing. So the next round was /api.php?m=getuserinfo&xxx=1111, this time fuzzing the parameter name xxx. Since getuserinfo clearly returns user information, the missing parameter is presumably some kind of user identifier, so I kept the value 1111 and brute forced the name. That turned up followerid, a successful parameter discovery (and an information disclosure).
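The two-stage parameter discovery above, as an added example that is not the blog's code. The toy api.php backend, its method names, the user record and the parameter names are constructed to reproduce the behaviour described (a blank 200 until the missing parameter is supplied); the only names taken from the text are `m`, `getuserinfo` and `followerid`. Stage one fuzzes the value of `m`, stage two fuzzes a parameter name with a fixed value, and both stages use the same check: a response whose (status, length) differs from a known-bogus input.

```python
"""Two-stage parameter discovery against an api.php-style endpoint.

Constructed example, not the blog's code: the toy endpoint and its data
are made up to mirror the behaviour described above.
"""
import json

_USERS = {1111: {"name": "alice", "phone": "138****0001"}}   # constructed record


def api_php(params):
    """Toy backend: dispatches on ?m=<method>; getuserinfo needs a followerid."""
    m = params.get("m")
    if m == "getuserinfo":
        uid = params.get("followerid")
        if uid is None:
            return 200, ""                      # blank page, but status 200
        return 200, json.dumps(_USERS.get(int(uid), {}))
    if m == "ping":
        return 200, "pong"
    return 404, "unknown method"


def signature(params):
    """What Intruder's results table shows: (status, response length)."""
    status, body = api_php(params)
    return status, len(body)


def fuzz_values(param, wordlist, fixed=None):
    """Stage 1, api.php?m={}: values whose response differs from a bogus value."""
    fixed = dict(fixed or {})
    ref = signature({**fixed, param: "zzz_not_a_real_value"})
    return [w for w in wordlist if signature({**fixed, param: w}) != ref]


def fuzz_names(wordlist, value, fixed):
    """Stage 2, api.php?m=getuserinfo&{}=1111: names whose response differs."""
    ref = signature({**fixed, "zzz_not_a_real_name": value})
    return [w for w in wordlist if signature({**fixed, w: value}) != ref]


if __name__ == "__main__":
    methods = fuzz_values("m", ["login", "ping", "getuserinfo", "list"])
    print("live methods:", methods)
    names = fuzz_names(["id", "uid", "userid", "followerid"], "1111", {"m": "getuserinfo"})
    print("missing parameter name:", names)
    print("leaked record:", api_php({"m": "getuserinfo", "followerid": "1111"})[1])
```

The reference request with a deliberately bogus value is what makes the comparison meaningful: without it, a backend that answers 200 to everything would look like a hit on every line.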

Later I brute forced out several more parameters as well:

two pages reachable without authentication

a reflected XSS

an access-control (privilege escalation) flaw

0x05 The importance of the manual when brute forcing

A point I always stress: when you test a login box and there is documentation or a manual for the system, read it. There is a lot in there you can use. A few examples:

This is a backend login. If you just come in and brute force it you get nothing, because the usernames are not in a normal format. So let's look at the project manual.

In the manual I found a username and a common weak password.

When you see the account 3601000039K, what comes to mind? Do you brute force the password of that one account? I figured this is clearly a patterned account number, so I set up a brute force on the account number itself.

That successfully brute forced a large number of accounts; next I went looking for access-control (privilege escalation) flaws between them.
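Turning one documented account number into a candidate list, as an added example that is not the blog's code. The sample 3601000039K is the one from the text; which characters are treated as a fixed prefix and which as a varying numeric field is an assumption made for the illustration (here: keep the first six characters, vary every remaining digit, keep the trailing letter). The mask syntax follows hashcat's `?d` / `?u` placeholders so the same list can be fed to Intruder or to hashcat.

```python
"""Deriving an account-number wordlist from one documented sample.

Constructed example, not the blog's code. The sample account number
3601000039K is from the text; the split into fixed prefix and varying
digits is an assumption for the illustration.
"""
import itertools

CHARSETS = {"?d": "0123456789", "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


def expand_mask(mask):
    """Expand a hashcat-style mask such as '360100?d?d?d?dK' into candidates."""
    parts = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and mask[i:i + 2] in CHARSETS:
            parts.append(CHARSETS[mask[i:i + 2]])
            i += 2
        else:
            parts.append(mask[i])          # literal character, kept as-is
            i += 1
    return ("".join(p) for p in itertools.product(*parts))


def mask_from_sample(sample, fixed_prefix_len):
    """Guess a mask: keep the first N characters, vary the digits, keep letters."""
    mask = sample[:fixed_prefix_len]
    for ch in sample[fixed_prefix_len:]:
        mask += "?d" if ch.isdigit() else ch
    return mask


def candidate_count(mask):
    """Size of the keyspace, so you know what you are about to send."""
    n = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and mask[i:i + 2] in CHARSETS:
            n *= len(CHARSETS[mask[i:i + 2]])
            i += 2
        else:
            i += 1
    return n


if __name__ == "__main__":
    mask = mask_from_sample("3601000039K", 6)
    print(mask, "->", candidate_count(mask), "candidates")
    for account in itertools.islice(expand_mask(mask), 5):
        print(account)
```

Check the keyspace before starting: 10,000 requests is fine, but widening the prefix by two more digits multiplies it by 100 and turns the run into something the lockout logic from 0x03 will notice.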

0x06 Brute forcing 401 authentication

When brute forcing Tomcat (HTTP Basic authentication):

The account and password travel in the Authorization header as base64 of account:password.

Set the payload position on the base64 value after "Basic" and choose the Custom iterator payload type

Position 1: the username dictionary

Separator for position 1: a ":" between account and password

Position 2: the password dictionary

Add a payload processing rule: Encode, Base64-encode (and untick the payload URL-encoding option, otherwise the "=" padding and "+" in the base64 output get URL-encoded and every attempt fails)

Start the attack
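The encoding Intruder performs in that setup, as an added example that is not the blog's code: build the Basic header value from user:password, try every user with every password (cluster-bomb style) and stop at the first response that is not a 401. The toy Tomcat-style checker and its credentials are constructed; the header format itself is standard HTTP Basic authentication.

```python
"""HTTP Basic authentication brute force: the encoding Intruder has to do.

Constructed example, not the blog's code: the toy 401-protected resource
and its credentials are invented; the header construction is the real
Basic scheme (base64 of user:password).
"""
import base64
import itertools

_REALM_USERS = {"tomcat": "s3cret"}   # constructed credentials


def basic_header(user, password):
    """Authorization header value, as Burp's Base64-encode payload rule emits it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def tomcat_manager(headers):
    """Toy 401-protected resource: returns an HTTP status code."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401
    try:
        # partition on the first ':' so passwords containing ':' still work
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401                      # mangled base64, e.g. URL-encoded '=' padding
    return 200 if _REALM_USERS.get(user) == password else 401


def brute_basic(users, passwords):
    """Every user with every password; return the first pair that is not a 401."""
    for user, password in itertools.product(users, passwords):
        if tomcat_manager({"Authorization": basic_header(user, password)}) == 200:
            return user, password
    return None


if __name__ == "__main__":
    print(basic_header("tomcat", "tomcat"))
    print("URL-encoded token is rejected:",
          tomcat_manager({"Authorization": "Basic dG9tY2F0OnMzY3JldA%3D%3D"}))
    print("hit:", brute_basic(["admin", "tomcat"], ["tomcat", "s3cret"]))
```

The URL-encoded case in the usage block is the failure mode the Intruder caveat above is about: a token whose "=" padding has been turned into "%3D" does not decode, and the server answers 401 even for the correct credentials.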


Source: www.cnblogs.com/cwkiller/p/11627080.html