GithubHelp home page GithubHelp logo

whwlsfb / springspider Goto Github PK

View Code? Open in Web Editor NEW
187.0 2.0 19.0 25 KB

Spring Actuator端点的BurpSuite被动扫描插件。

License: Apache License 2.0

Java 100.00%
actuator burpsuite-extender passive-scanner spring-boot passtive

springspider's Introduction

SpringSpider

该工具为被动扫描Spring Actuator端点的BurpSuite插件,用于解决多层级目录下隐藏的Actuator端点、或端点需要Bypass才能访问的情况下的漏报问题。

安装方法

导航至BurpSuite的Extender->Extensions界面,点击Add按钮,在弹出的窗口中点击Select file ...按钮,在文件打开页面中找到插件的jar文件,安装即可。

使用

该插件安装完成后,将无需特殊设置,自动启用被动扫描,扫描发现的端点将会生成漏洞条目出现在BurpSuite首页的Issue activity中。另外,若要优化扫描过程中的参数,则需要根据需要,修改插件设置,插件设置位于BurpSuite的SpringSpider选项卡。

本插件具有如下设置项:

Enable

该复选框为修改该插件的启用状态,当该复选框选中时插件才会执行被动扫描。当取消选中时,插件将不会再接受新的扫描任务,在当前正在执行的扫描任务结束后将会停止扫描。

Dir Scan Deeper

该设置项为修改插件的目录扫描深度,设置范围为1~∞,默认建议值为3,假设当前目录扫描深度设置为3,在用户访问目标「http://test.com/backend/api/admin/user/」时,将会拆分为「http://test.com/」、「http://test.com/backend/」、「http://test.com/backend/api/」分别扫描,该参数请尽量控制在1~5以内,以避免产生过大的请求流量。

Use Bypass

该设置项为修改启用的Bypass字符列表,默认启用;.,当正常请求无果后,将会尝试在路径中插入Bypass字符尝试进行绕过,例如在启用;字符后,对「http://test.com/api/actuator/env」的绕过URL则是「http://test.com/api/;/actuator/;/env

Scan Point

该设置项为修改启动扫描的端点,为了避免请求频率过大,目前支持启用的端点有「/actuator/env」、「/actuator」、「/env」,建议全部启用。

鸣谢

插件中部分代码借鉴于以下项目

https://github.com/sting8k/BurpSuite_403Bypasser

springspider's People

Contributors

whwlsfb avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

asura88 zzhsec trytohack8 atomxw purewatersun go-bi fiverest want2live233 fanyibo2009 chessan 30579096 sec-fork xiju2003 arrnitage waydmy awdscan ashthes not1sec

springspider's Issues

很棒的工具

师傅请教下,魔改添加其他目录是在哪添加,我添加完编译bp加载报错
image
image

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.