Burp Suite チートシート
# Download from PortSwigger website
# https://portswigger.net/burp/communitydownload
# Linux Installation
# Download JAR file
wget https://portswigger.net/burp/releases/download?product=community&version=latest&type=jar -O burpsuite_community.jar
# Install Java (if not already installed)
sudo apt update
sudo apt install -y openjdk-11-jdk
# Verify Java installation
java -version
# Run Burp Suite
java -jar burpsuite_community.jar
# Create desktop shortcut
cat > ~/Desktop/BurpSuite.desktop << 'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Name=Burp Suite Community
Comment=Web Application Security Testing
Exec=java -jar /path/to/burpsuite_community.jar
Icon=/path/to/burp-icon.png
Terminal=false
Categories=Development;Security;
EOF
chmod +x ~/Desktop/BurpSuite.desktop
# Windows Installation
# Download installer from PortSwigger
# Run installer as Administrator
# Follow installation wizard
# Launch from Start Menu or Desktop
# macOS Installation
# Download DMG file
# Mount DMG and drag to Applications
# Launch from Applications folder概要
Burp Suiteは、PortSwiggerによって開発された、Webアプリケーションセキュリティテスト分野の業界をリードするプラットフォームで、WebアプリケーションおよびAPIのセキュリティ脆弱性を特定、分析、および悪用するための包括的なツールと機能を提供します。Webアプリケーションペネトレーションテストの事実上の標準として、Burp Suiteは自動スキャン機能と強力な手動テストツールを組み合わせ、セキュリティ専門家が最新のWebアプリケーション、REST API、GraphQLエンドポイント、複雑なシングルページアプリケーションを徹底的に評価することを可能にします。プラットフォームのモジュラーアーキテクチャと拡張可能なフレームワークにより、自動セキュリティテストワークフローと詳細な手動セキュリティ調査の両方に適しています。
Burp Suiteの中核の強みは、セキュリティ評価を容易にする統合インターフェース内の複数の専門ツールを組み合わせた、Webアプリケーションセキュリティテストへの統合アプローチにあります。このプラットフォームには、トラフィック分析と操作のためのインターセプティングプロキシ、セキュリティ問題を自動的に発見するWebぜい弱性スキャナー、カスタマイズされた攻撃とファジングのためのイントルーダーツール、手動リクエスト操作のためのリピーター、セッショントークンのランダム性を分析するシーケンサーが含まれています。この統合されたツールセットにより、セキュリティ専門家は初期の偵察から詳細なぜい弱性の悪用と検証まで、完全なセキュリティ評価を実行できます。
Burp Suiteの高度な機能には、洗練されたセッション処理機能、APIを通じたカスタム拡張開発、DevSecOpsワークフローのためのCI/CD統合、技術および経営層向けの包括的なレポート機能が含まれます。このプラットフォームは、JavaScriptの重いアプリケーション、WebSocketコミュニケーション、HTTP/2プロトコル、複雑な認証メカニズムを含む最新のWeb技術をサポートしています。活発なセキュリティ研究者コミュニティ、広範なドキュメンテーション、Webアプリケーションセキュリティテスト手法における継続的なイノベーションにより、Burp Suiteは世界中のWebアプリケーションセキュリティ専門家の基盤ツールであり続けています。
# Purchase license from PortSwigger
# Download Professional edition
# Linux Installation
wget https://portswigger.net/burp/releases/download?product=pro&version=latest&type=jar -O burpsuite_pro.jar
# Run with license
java -jar burpsuite_pro.jar
# Enter license key when prompted
# License format: XXXX-XXXX-XXXX-XXXX
# Increase memory allocation for large applications
java -Xmx4g -jar burpsuite_pro.jar
# Run with custom JVM options
java -Xmx8g -XX:+UseG1GC -jar burpsuite_pro.jar
# Create startup script
cat > ~/bin/burp-pro.sh ``<< 'EOF'
#!/bin/bash
java -Xmx8g -XX:+UseG1GC -jar /opt/burpsuite/burpsuite_pro.jar "$@"
EOF
chmod +x ~/bin/burp-pro.sh
```## インストール
### Burp Suite Community Edition
Burp Suite Community Editionのインストール:
```bash
# Create Dockerfile for Burp Suite
cat >`` Dockerfile.burp << 'EOF'
FROM openjdk:11-jre-slim
# Install dependencies
RUN apt-get update && apt-get install -y \
wget \
xvfb \
x11vnc \
fluxbox \
&& rm -rf /var/lib/apt/lists/*
# Download Burp Suite Community
RUN wget -O /opt/burpsuite_community.jar \
"https://portswigger.net/burp/releases/download?product=community&version=latest&type=jar"
# Create startup script
RUN echo '#!/bin/bash\nXvfb :1 -screen 0 1024x768x16 &\nexport DISPLAY=:1\nfluxbox &\nx11vnc -display :1 -nopw -listen localhost -xkb &\njava -jar /opt/burpsuite_community.jar' > /start.sh
RUN chmod +x /start.sh
EXPOSE 5900 8080
CMD ["/start.sh"]
EOF
# Build Docker image
docker build -f Dockerfile.burp -t burpsuite .
# Run Burp Suite in Docker
docker run -d --name burpsuite \
-p 5900:5900 \
-p 8080:8080 \
-v $(pwd)/burp-data:/root/.BurpSuite \
burpsuite
# Access via VNC
# Connect to localhost:5900 with VNC clientBurp Suite Professional
Burp Suite Professionalのインストール:
# Firefox Configuration
# 1. Open Firefox
# 2. Go to Settings > Network Settings
# 3. Configure Manual proxy:
# - HTTP Proxy: 127.0.0.1, Port: 8080
# - Use this proxy server for all protocols: checked
# 4. Install Burp CA certificate:
# - Navigate to http://burp
# - Download CA Certificate
# - Import in Firefox Certificate Manager
# Chrome Configuration
# Launch Chrome with proxy settings
google-chrome --proxy-server=127.0.0.1:8080 --ignore-certificate-errors
# Create Chrome profile for Burp
google-chrome --user-data-dir=/tmp/chrome-burp --proxy-server=127.0.0.1:8080
# Install CA certificate in Chrome
# 1. Navigate to http://burp
# 2. Download CA Certificate
# 3. Go to Chrome Settings > Privacy and Security > Security
# 4. Manage certificates > Authorities > Import
# 5. Select downloaded certificate
# FoxyProxy Extension (Recommended)
# Install FoxyProxy extension
# Configure proxy:
# - Title: Burp Suite
# - Proxy Type: HTTP
# - IP: 127.0.0.1
# - Port: 8080Dockerインストール
Dockerでのburp Suiteの実行:
# Start Burp Suite
java -jar burpsuite_community.jar
# Proxy Tab Configuration
# 1. Go to Proxy > Options
# 2. Proxy Listeners:
# - Interface: 127.0.0.1:8080 (default)
# - Add additional listeners if needed
# 3. Intercept Client Requests: On/Off
# 4. Intercept Server Responses: On/Off
# Basic Proxy Usage
# 1. Configure browser to use Burp proxy
# 2. Navigate to target application
# 3. Observe requests in Proxy > HTTP history
# 4. Intercept and modify requests as needed
# Certificate Installation
# 1. With proxy configured, navigate to http://burp
# 2. Click "CA Certificate" to download
# 3. Install in browser certificate store
# 4. Trust for identifying websites
# Scope Configuration
# 1. Go to Target > Scope
# 2. Add target URLs to scope
# 3. Configure proxy to only show in-scope items
# 4. Use scope to focus testing effortsブラウザ設定
Burp Suiteで動作するブラウザの設定:
# Site Map Building
# 1. Browse target application normally
# 2. Observe site map building in Target tab
# 3. Review discovered content and parameters
# 4. Identify attack surface
# Content Discovery
# 1. Right-click on target in site map
# 2. Select "Spider this host"
# 3. Configure spider options
# 4. Review discovered content
# Parameter Analysis
# 1. Review Params tab in Target
# 2. Identify all parameters used
# 3. Note parameter types and contexts
# 4. Plan parameter-based attacks
# Technology Identification
# 1. Review HTTP headers in proxy history
# 2. Identify server technologies
# 3. Note framework and language indicators
# 4. Research known vulnerabilities基本的な使用方法
プロキシ設定
Burp Proxyの設定と使用:
# Request Manipulation with Repeater
# 1. Send interesting requests to Repeater
# 2. Modify parameters, headers, and body
# 3. Analyze responses for vulnerabilities
# 4. Test different attack payloads
# SQL Injection Testing
# 1. Identify database parameters
# 2. Test with SQL injection payloads:
# - ' OR '1'='1
# - '; DROP TABLE users; --
# - UNION SELECT 1,2,3--
# 3. Analyze error messages and responses
# 4. Exploit confirmed vulnerabilities
# XSS Testing
# 1. Identify reflection points
# 2. Test with XSS payloads:
# - <script>alert('XSS')</script>
# - "><script>alert(document.cookie)</script>
# - javascript:alert('XSS')
# 3. Test in different contexts (HTML, JavaScript, CSS)
# 4. Bypass filters and encoding
# Authentication Testing
# 1. Analyze login mechanisms
# 2. Test for weak passwords
# 3. Check session management
# 4. Test for privilege escalationターゲット分析
ターゲットアプリケーションの分析:
# Active Scanning
# 1. Right-click on target in site map
# 2. Select "Actively scan this host"
# 3. Configure scan settings:
# - Scan speed: Fast/Normal/Thorough
# - Scan accuracy: Minimize false positives/Normal/Minimize false negatives
# 4. Monitor scan progress in Scanner tab
# Passive Scanning
# 1. Passive scanning runs automatically
# 2. Review issues in Scanner > Issues
# 3. Analyze issue details and evidence
# 4. Verify findings manually
# Custom Scan Configurations
# 1. Go to Scanner > Options
# 2. Configure attack insertion points
# 3. Customize payload sets
# 4. Set scan optimization options
# Live Scanning
# 1. Enable live passive scanning
# 2. Configure live active scanning
# 3. Set scan queue management
# 4. Monitor real-time results手動テスト
手動セキュリティテストの実行:
# Sniper Attack
# 1. Send request to Intruder
# 2. Set single payload position
# 3. Configure payload set (wordlist)
# 4. Launch attack and analyze results
# Battering Ram Attack
# 1. Set multiple payload positions
# 2. Use same payload for all positions
# 3. Useful for testing same value everywhere
# 4. Analyze response variations
# Pitchfork Attack
# 1. Set multiple payload positions
# 2. Use different payload sets
# 3. Iterate through payloads in parallel
# 4. Test related parameter combinations
# Cluster Bomb Attack
# 1. Set multiple payload positions
# 2. Test all combinations of payloads
# 3. Comprehensive but time-consuming
# 4. Useful for credential brute forcing
# Custom Payloads
# 1. Create custom wordlists
# 2. Use payload processing rules
# 3. Configure payload encoding
# 4. Set grep extraction rules高度な機能
自動スキャン
Burp Scanner(Professional限定)の使用:
# Session Handling Rules
# 1. Go to Project Options > Sessions
# 2. Create session handling rules
# 3. Configure rule actions:
# - Use cookies from Burp's cookie jar
# - Run macro
# - Check session is valid
# 4. Set rule scope and conditions
# Macros for Authentication
# 1. Record login sequence as macro
# 2. Configure macro to extract session tokens
# 3. Use macro in session handling rules
# 4. Automatically maintain authentication
# Cookie Management
# 1. Review cookies in Proxy > Options > Sessions
# 2. Configure cookie scope and handling
# 3. Manage session fixation issues
# 4. Test cookie security attributes
# CSRF Token Handling
# 1. Identify CSRF token parameters
# 2. Create macro to extract tokens
# 3. Configure automatic token updates
# 4. Test CSRF protection effectivenessイントルーダー攻撃
自動攻撃のためのBurp Intruderの使用:
# BApp Store Extensions
# 1. Go to Extender > BApp Store
# 2. Browse available extensions
# 3. Install useful extensions:
# - Logger++
# - Autorize
# - Param Miner
# - Turbo Intruder
# - Active Scan++
# Manual Extension Installation
# 1. Download extension JAR/Python file
# 2. Go to Extender > Extensions
# 3. Click Add and select file
# 4. Configure extension settings
# Custom Extension Development
# 1. Use Burp Extender API
# 2. Develop in Java, Python, or Ruby
# 3. Implement required interfaces
# 4. Test and debug extensions
# Popular Extensions
# Logger++: Enhanced logging and filtering
# Autorize: Authorization testing
# Param Miner: Parameter discovery
# Turbo Intruder: High-speed attacks
# Collaborator Everywhere: SSRF testingセッション処理
複雑なセッション処理の管理:
#!/usr/bin/env python3
# Burp Suite API automation script
import requests
import json
import time
import base64
import urllib3
from urllib.parse import urljoin
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class BurpSuiteAPI:
def __init__(self, api_url="http://127.0.0.1:1337", api_key=None):
self.api_url = api_url.rstrip('/')
self.api_key = api_key
self.session = requests.Session()
self.session.verify = False
if api_key:
self.session.headers.update(\\\\{'X-API-Key': api_key\\\\})
def get_proxy_history(self):
"""Get proxy history"""
try:
response = self.session.get(f"\\\\{self.api_url\\\\}/burp/proxy/history")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting proxy history: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting proxy history: \\\\{e\\\\}")
return None
def send_to_repeater(self, request_data):
"""Send request to Repeater"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/repeater/send",
json=request_data
)
if response.status_code == 200:
return response.json()
else:
print(f"Error sending to repeater: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception sending to repeater: \\\\{e\\\\}")
return None
def start_active_scan(self, target_url, scan_config=None):
"""Start active scan"""
scan_data = \\\\{
'urls': [target_url]
\\\\}
if scan_config:
scan_data.update(scan_config)
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/scanner/scans/active",
json=scan_data
)
if response.status_code == 201:
return response.json()
else:
print(f"Error starting scan: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception starting scan: \\\\{e\\\\}")
return None
def get_scan_status(self, scan_id):
"""Get scan status"""
try:
response = self.session.get(f"\\\\{self.api_url\\\\}/burp/scanner/scans/\\\\{scan_id\\\\}")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan status: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting scan status: \\\\{e\\\\}")
return None
def get_scan_issues(self, scan_id=None):
"""Get scan issues"""
url = f"\\\\{self.api_url\\\\}/burp/scanner/issues"
if scan_id:
url += f"?scan_id=\\\\{scan_id\\\\}"
try:
response = self.session.get(url)
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan issues: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting scan issues: \\\\{e\\\\}")
return None
def generate_report(self, report_config):
"""Generate scan report"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/report",
json=report_config
)
if response.status_code == 200:
return response.content
else:
print(f"Error generating report: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception generating report: \\\\{e\\\\}")
return None
def run_intruder_attack(self, attack_config):
"""Run Intruder attack"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/intruder/attack",
json=attack_config
)
if response.status_code == 200:
return response.json()
else:
print(f"Error running intruder attack: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception running intruder attack: \\\\{e\\\\}")
return None
# Automated Web Application Testing
class WebAppTester:
def __init__(self, burp_api):
self.burp = burp_api
self.results = \\\\{\\\\}
def discover_application(self, target_url):
"""Discover application structure"""
print(f"Discovering application: \\\\{target_url\\\\}")
# Start with basic crawling
scan_config = \\\\{
'scan_configurations': ['crawl_and_audit'],
'application_logins': [],
'resource_pool': 'default'
\\\\}
scan_result = self.burp.start_active_scan(target_url, scan_config)
if scan_result:
scan_id = scan_result['scan_id']
print(f"Started discovery scan: \\\\{scan_id\\\\}")
return scan_id
return None
def wait_for_scan_completion(self, scan_id, max_wait=3600):
"""Wait for scan to complete"""
start_time = time.time()
while time.time() - start_time < max_wait:
status = self.burp.get_scan_status(scan_id)
if status:
scan_status = status.get('scan_status', 'unknown')
print(f"Scan \\\\{scan_id\\\\} status: \\\\{scan_status\\\\}")
if scan_status == 'finished':
return True
elif scan_status == 'failed':
print(f"Scan \\\\{scan_id\\\\} failed")
return False
time.sleep(30) # Check every 30 seconds
print(f"Scan \\\\{scan_id\\\\} did not complete within \\\\{max_wait\\\\} seconds")
return False
def analyze_vulnerabilities(self, scan_id=None):
"""Analyze discovered vulnerabilities"""
print("Analyzing vulnerabilities...")
issues = self.burp.get_scan_issues(scan_id)
if not issues:
print("No issues found")
return \\\\{\\\\}
vulnerability_summary = \\\\{\\\\}
for issue in issues:
severity = issue.get('severity', 'Unknown')
issue_type = issue.get('issue_type', 'Unknown')
if severity not in vulnerability_summary:
vulnerability_summary[severity] = \\\\{\\\\}
if issue_type not in vulnerability_summary[severity]:
vulnerability_summary[severity][issue_type] = 0
vulnerability_summary[severity][issue_type] += 1
return vulnerability_summary
def test_authentication(self, login_url, credentials):
"""Test authentication mechanisms"""
print(f"Testing authentication at: \\\\{login_url\\\\}")
# Test weak passwords
weak_passwords = ['password', '123456', 'admin', 'test', 'guest']
for username, password in credentials:
for weak_pass in weak_passwords:
# Create intruder attack for password testing
attack_config = \\\\{
'base_request': \\\\{
'url': login_url,
'method': 'POST',
'headers': \\\\{'Content-Type': 'application/x-www-form-urlencoded'\\\\},
'body': f'username=\\\\{username\\\\}&password=\\\\{weak_pass\\\\}'
\\\\},
'attack_type': 'sniper',
'payload_sets': [weak_passwords]
\\\\}
result = self.burp.run_intruder_attack(attack_config)
if result:
print(f"Tested \\\\{username\\\\}:\\\\{weak_pass\\\\}")
def generate_comprehensive_report(self, scan_id, output_file):
"""Generate comprehensive security report"""
print(f"Generating report: \\\\{output_file\\\\}")
report_config = \\\\{
'scan_id': scan_id,
'report_type': 'HTML',
'include_false_positives': False,
'include_request_response': True
\\\\}
report_data = self.burp.generate_report(report_config)
if report_data:
with open(output_file, 'wb') as f:
f.write(report_data)
print(f"Report saved: \\\\{output_file\\\\}")
return True
return False
def run_comprehensive_test(self, target_url, output_dir="/tmp/burp_results"):
"""Run comprehensive web application test"""
print(f"Starting comprehensive test of: \\\\{target_url\\\\}")
# Create output directory
import os
os.makedirs(output_dir, exist_ok=True)
# Step 1: Discovery
scan_id = self.discover_application(target_url)
if not scan_id:
print("Failed to start discovery scan")
return False
# Step 2: Wait for completion
if not self.wait_for_scan_completion(scan_id):
print("Scan did not complete successfully")
return False
# Step 3: Analyze results
vulnerabilities = self.analyze_vulnerabilities(scan_id)
# Step 4: Generate report
report_file = os.path.join(output_dir, f"burp_report_\\\\{scan_id\\\\}.html")
self.generate_comprehensive_report(scan_id, report_file)
# Step 5: Summary
print("\n=== Test Summary ===")
print(f"Target: \\\\{target_url\\\\}")
print(f"Scan ID: \\\\{scan_id\\\\}")
print(f"Report: \\\\{report_file\\\\}")
print("\nVulnerabilities by Severity:")
for severity, issues in vulnerabilities.items():
print(f" \\\\{severity\\\\}:")
for issue_type, count in issues.items():
print(f" \\\\{issue_type\\\\}: \\\\{count\\\\}")
return True
# Usage example
def main():
import argparse
parser = argparse.ArgumentParser(description='Burp Suite Automation')
parser.add_argument('--target', required=True, help='Target URL')
parser.add_argument('--api-url', default='http://127.0.0.1:1337', help='Burp API URL')
parser.add_argument('--api-key', help='Burp API key')
parser.add_argument('--output', default='/tmp/burp_results', help='Output directory')
args = parser.parse_args()
# Initialize Burp API
burp_api = BurpSuiteAPI(args.api_url, args.api_key)
# Initialize tester
tester = WebAppTester(burp_api)
# Run comprehensive test
success = tester.run_comprehensive_test(args.target, args.output)
if success:
print("Comprehensive test completed successfully")
else:
print("Comprehensive test failed")
if __name__ == "__main__":
main()拡張とカスタマイズ
Burp Suiteの機能拡張:
# Jenkins Pipeline for Burp Suite Integration
pipeline \\\\{
agent any
environment \\\\{
BURP_API_URL = 'http://burp-server:1337'
BURP_API_KEY = credentials('burp-api-key')
TARGET_URL = 'https://staging.example.com'
\\\\}
stages \\\\{
stage('Deploy Application') \\\\{
steps \\\\{
// Deploy application to staging
sh 'deploy-to-staging.sh'
\\\\}
\\\\}
stage('Security Scan') \\\\{
steps \\\\{
script \\\\{
// Start Burp scan
def scanResult = sh(
script: """
python3 burp_automation.py \
--target $\\\\{TARGET_URL\\\\} \
--api-url $\\\\{BURP_API_URL\\\\} \
--api-key $\\\\{BURP_API_KEY\\\\} \
--output ./burp-results
""",
returnStatus: true
)
if (scanResult != 0) \\\\{
error("Burp scan failed")
\\\\}
\\\\}
\\\\}
\\\\}
stage('Process Results') \\\\{
steps \\\\{
// Archive scan results
archiveArtifacts artifacts: 'burp-results/**/*', fingerprint: true
// Publish security report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'burp-results',
reportFiles: '*.html',
reportName: 'Burp Security Report'
])
// Check for critical vulnerabilities
script \\\\{
def criticalVulns = sh(
script: "grep -c 'High\\|Critical' burp-results/*.html||true",
returnStdout: true
).trim()
if (criticalVulns.toInteger() > 0) \\\\{
currentBuild.result = 'UNSTABLE'
echo "Found $\\\\{criticalVulns\\\\} critical/high vulnerabilities"
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Clean up
sh 'rm -rf burp-results'
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "Security Scan Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "Security scan failed for $\\\\{TARGET_URL\\\\}. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\\\}自動化スクリプト
Burp Suite API 自動化
# Check Burp proxy listener
# Go to Proxy > Options > Proxy Listeners
# Verify 127.0.0.1:8080 is running
# Test proxy connectivity
curl -x 127.0.0.1:8080 http://example.com
# Check browser proxy settings
# Verify proxy configuration in browser
# Test with simple HTTP site first
# Certificate issues
# Reinstall Burp CA certificate
# Clear browser certificate cache
# Check certificate trust settings統合例
CI/CD統合
# Increase Java heap size
java -Xmx4g -jar burpsuite_pro.jar
# Optimize Burp settings
# Reduce proxy history size
# Limit active scan threads
# Disable unnecessary extensions
# Database optimization
# Clear project data regularly
# Use temporary projects for large scans
# Monitor disk space usageトラブルシューティング
一般的な問題
プロキシ接続の問題:
# Check scan configuration
# Verify target scope settings
# Review scan insertion points
# Check authentication settings
# Monitor scan progress
# Review scan queue status
# Check for scan errors
# Verify network connectivityパフォーマンスの問題:
# JVM Optimization
java -Xmx8g -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -jar burpsuite_pro.jar
# Burp Configuration
# Project Options > Misc:
# - Automatic project backup: Disabled for performance
# - Temporary files location: Fast SSD
# - Memory usage: Optimize for large projects
# Scanner Optimization
# Scanner > Options:
# - Scan speed: Adjust based on target
# - Concurrent scan threads: 10-20
# - Insertion point types: Limit as needed
# Proxy Optimization
# Proxy > Options:
# - History size: Limit to reasonable number
# - Automatic response modification: Minimal
# - Match and replace rules: Optimize regexスキャナーの問題: https://portswigger.net/burp/documentation
パフォーマンスの最適化
Burp Suiteのパフォーマンス最適化: https://portswigger.net/burp/extender/api/)[Web セキュリティテスト ガイド](https://owasp.org/www-project-top-ten/)http://www.webappsec.org/[OWASPトップ10](