目录
有时候想看看Web应用在代码或者数据库层有没有加锁,比如在一些支付、兑换类的场景,可以通过多线程并发访问进行测试。
下面介绍几种测试方法:
Burp + Python threading库
1. Burp Suite安装插件
安装一个Copy As Python-Requests插件,提高编码效率;
2. 拦截包并拷贝发包的代码
打开一个文本编辑器,右键粘贴出来:
import requests
burp0_url = "https://www.baidu.com:443/s?word=test123&tn=50000021_hao_pg&ie=utf-8&sc=UWd1pgw-pA7EnHc1FMfqnHRdnHfkP163PWD3PzuW5y99U1Dznzu9m1Y1rj0zPjRYP1Ds&ssl_sample=s_108&srcqid=2890185856410820647&H123Tmp=nu"
burp0_cookies = {"BAIDUID": "DE39C3557AA883A517F3717D9ED1B346:FG=1", "BIDUPSID": "DE39C3557AA883A517F3717D9ED1B346", "PSTM": "1548660573", "BD_UPN": "13314352", "H_PS_PSSID": "1431_21111_18560_28585_26350_28519", "H_PS_645EC": "0701XLkxqPa8GpBa6wBJs%2BrZyNuhMOA%2FIRfHCR7YuUcETmxXSKm0g32CT0c", "delPer": "0", "BD_CK_SAM": "1", "PSINO": "1", "BDSVRTM": "142"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "https://www.hao123.com/", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
3. 运行Python多线程代码
将生成的python代码粘贴到action( )函数里面即可;
import threading
import requests
threads = []
def action():
burp0_url = "https://www.baidu.com:443/s?word=test123&tn=50000021_hao_pg&ie=utf-8&sc=UWd1pgw-pA7EnHc1FMfqnHRdnHfkP163PWD3PzuW5y99U1Dznzu9m1Y1rj0zPjRYP1Ds&ssl_sample=s_108&srcqid=2890185856410820647&H123Tmp=nu"
burp0_cookies = {"BAIDUID": "DE39C3557AA883A517F3717D9ED1B346:FG=1", "BIDUPSID": "DE39C3557AA883A517F3717D9ED1B346",
"PSTM": "1548660573", "BD_UPN": "13314352", "H_PS_PSSID": "1431_21111_18560_28585_26350_28519",
"H_PS_645EC": "0701XLkxqPa8GpBa6wBJs%2BrZyNuhMOA%2FIRfHCR7YuUcETmxXSKm0g32CT0c", "delPer": "0",
"BD_CK_SAM": "1", "PSINO": "1", "BDSVRTM": "142"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate", "Referer": "https://www.hao123.com/", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
if __name__ == '__main__':
print("Threading ready:")
for i in range(0,100):
t = threading.Thread(target=action)
t.setDaemon(True) // 开启守护进程,如果宿主进程挂了,不用执行完全部线程任务也要立即结束。 参考 https://www.cnblogs.com/Haojq/p/10278365.html
t.start()
print("Threading ran end!")
4. 确认结果
查看领取的结果是否有超过原本的数量,如果超过原本可领的数量,那就证明有问题。
Burp + Repeater
对于常见的单个数据包的竞争条件测试,先将其发到Repeater(快捷键是Ctrl+R),需要测试多少个就发多少个,发送后在右侧有个Create tab group功能。
Burp + Turbo Intruder插件
Turbo插件也支持条件竞争测试,不过需要Python基础,它支持数据包的修改和定制,有些复杂场景如果Repeater无法满足时,则需要用到Turbo。
修复
针对条件竞争问题,很多场景和逻辑都可以进行测试,修复的话,可以参考下面几点:
- 对于共享资源,多线程环境中,建议适用锁机制,确保只有一个线程在执行相关操作;
- 对于数据库操作,可以添加事务处理机制;
- 对于一些权限类的,需要对用户进行权限确认。
Reference
Burp对条件竞争漏洞的支持
https://mp.weixin.qq.com/s/aXnd2eT2Zpa-0qdlyBUlgQ