Free Word-to-PDF conversion software (recommended PDF-to-Word software for PC)

Published: 2025-02-10 23:17:25


Many enterprise web sites serve the Internet directly and are a frequent entry point for attackers, so web security and enterprise information security are tightly coupled.

In practice, where security processes are immature, site developers and maintainers often push new content or changes on their own for an urgent release or a bug fix. Security staff usually discover only while investigating an incident afterwards that the security environment or the code has already changed.

This article shows how to use the SimpleAutoBurp project on GitHub, a Python script, to run scheduled automatic scans of a web site so that vulnerabilities in the web system are found sooner. The script on GitHub targets Linux; here it is modified to run on Windows.

1. How it works

Crontab (Linux) or Task Scheduler (Windows) runs SimpleAutoBurp.py periodically. The script uses the Burp Suite Pro REST API together with the configuration file config.json to scan the target host.

2. Script files: SimpleAutoBurp.py + config.json

SimpleAutoBurp.py is the script that calls the Burp Suite API; config.json is its configuration file.

SimpleAutoBurp.py:

```python
from subprocess import Popen
import requests
import time
import subprocess
import logging
import os
import signal
import json
import sys
from datetime import datetime

# Point configFile at your config.json
configFile = r"F:/pythonCode/SimpleAutoBurp/SimpleAutoBurp-main/config.json"

try:
    with open(configFile) as json_data:
        config = json.load(json_data)
except (OSError, json.JSONDecodeError):
    print("Missing config.json file. Make sure the configuration file is in the same folder")
    sys.exit()

burpConfigs = config["burpConfigs"][0]
siteConfigs = config["sites"]


def set_logging():
    global rootLogger
    logFormatter = logging.Formatter("%(asctime)s [%(levelname)-5.5s] %(message)s")
    rootLogger = logging.getLogger()
    NumericLevel = getattr(logging, burpConfigs["loglevel"].upper(), 10)
    rootLogger.setLevel(NumericLevel)
    fileHandler = logging.FileHandler("{0}/{1}.log".format(burpConfigs["logPath"], burpConfigs["logfileName"]))
    fileHandler.setFormatter(logFormatter)
    rootLogger.addHandler(fileHandler)
    consoleHandler = logging.StreamHandler()
    consoleHandler.setFormatter(logFormatter)
    rootLogger.addHandler(consoleHandler)


def execute_burp(site):
    # The command is passed as a list without a shell: the Windows java path contains
    # spaces, and without shell=True the returned pid is the Java process itself rather
    # than an intermediate cmd.exe, so kill_burp() really stops Burp.
    cmd = [burpConfigs["java"],
           "-Xmx" + burpConfigs["memory"],
           "-Djava.awt.headless=" + str(burpConfigs["headless"]),
           "-jar", burpConfigs["burpJar"],
           "--project-file=" + site["project"],
           "--unpause-spider-and-scanner"]
    try:
        rootLogger.debug("Executing Burp: " + " ".join(cmd))
        p = Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return p.pid
    except OSError:
        rootLogger.error("Burp Suite failed to execute.")
        sys.exit()


def check_burp(site):
    count = 0
    url = "http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/"
    time.sleep(10)
    while True:
        if count > burpConfigs["retry"]:
            rootLogger.error("Too many attempts to connect to Burp")
            sys.exit()
        count += 1  # the original never incremented count, so the retry limit never applied
        rootLogger.debug("Checking API: " + str(url))
        try:
            init = requests.get(url)
        except requests.exceptions.ConnectionError:
            # Burp has not opened the REST API port yet
            rootLogger.debug("Burp is not listening yet")
            time.sleep(10)
            continue
        if init.status_code == 200:
            rootLogger.debug("API running, response code: " + str(init.status_code))
            # Give Burp time to load extensions
            time.sleep(30)
            break
        else:
            rootLogger.debug("Burp is not ready yet, response code: " + str(init.status_code))
            time.sleep(10)


def execute_scan(site, child_pid):
    data = json.dumps({"urls": [site["scanURL"]]})
    url = "http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/scan"
    rootLogger.info("Starting scan to: " + str(site["scanURL"]))
    scan = requests.post(url, data=data)
    # The Location header of the response carries the task ID of the new scan
    task_id = scan.headers["Location"]
    rootLogger.debug("Task ID: " + task_id)
    while True:
        url = "http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/scan/" + task_id
        scanresults = requests.get(url)
        data = scanresults.json()
        rootLogger.info("Current status: " + data["scan_status"])
        if data["scan_status"] == "failed":
            rootLogger.error("Scan failed")
            kill_burp(child_pid)  # the original called kill_burp() without the pid
            sys.exit()
        elif data["scan_status"] == "succeeded":
            rootLogger.info("Scan completed")
            return data
        else:
            rootLogger.debug("Waiting 60 before checking the status again")
            time.sleep(60)


def kill_burp(child_pid):
    rootLogger.info("Killing Burp.")
    try:
        os.kill(child_pid, signal.SIGTERM)
        rootLogger.debug("Burp killed")
    except OSError:
        rootLogger.error("Failed to stop Burp")


def get_data(data, site):
    for issue in data["issue_events"]:
        rootLogger.info("Vulnerability - Name: " + issue["issue"]["name"]
                        + " Path: " + issue["issue"]["path"]
                        + " Severity: " + issue["issue"]["severity"])
    # Derive the output file name from the last two labels of the scanned host
    token = site["scanURL"].split('/')[2]
    top_level = token.split('.')[-2] + '.' + token.split('.')[-1]
    file = top_level + "-" + datetime.now().strftime("%Y_%m_%d-%I_%M_%S_%p") + ".txt"
    file = burpConfigs["ScanOutput"] + file
    rootLogger.info("Writing full results to: " + file)
    with open(file, "w") as f:
        json.dump(data["issue_events"], f, indent=2)


def main():
    set_logging()
    for site in config["sites"]:
        # Execute Burp Suite Pro
        child_pid = execute_burp(site)
        # Check that the Burp API is up
        check_burp(site)
        # Execute the scan
        data = execute_scan(site, child_pid)
        # Get vulnerability data
        get_data(data, site)
        # Stop Burp
        rootLogger.info("Scan finished, killing Burp.")
        kill_burp(child_pid)


if __name__ == '__main__':
    main()
```
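Because the point of a scheduled scan is to notice what changed since the last run, the following added example (not part of the SimpleAutoBurp project) compares the issue_events list of one scan with that of the previous one and counts distinct findings per severity; the event samples are constructed, with field names as the Burp REST API scan endpoint returns them.

```python
# Constructed samples of the "issue_events" list returned by GET /{apikey}/v0.1/scan/{task_id}.
# Field names follow the Burp REST API response; the values are made up.
PREVIOUS_SCAN = [
    {"type": "issue_found", "id": 1, "issue": {"name": "Cross-site scripting (reflected)",
     "path": "/search.php", "severity": "high", "confidence": "certain"}},
    {"type": "issue_found", "id": 2, "issue": {"name": "Frameable response (potential Clickjacking)",
     "path": "/", "severity": "info", "confidence": "firm"}},
]
CURRENT_SCAN = PREVIOUS_SCAN + [
    {"type": "issue_found", "id": 3, "issue": {"name": "SQL injection",
     "path": "/login.php", "severity": "high", "confidence": "firm"}},
    # Burp may report the same finding again; this event repeats id 1
    {"type": "issue_found", "id": 4, "issue": {"name": "Cross-site scripting (reflected)",
     "path": "/search.php", "severity": "high", "confidence": "certain"}},
]


def issue_key(event):
    """Identity of a finding across scans: what it is and where it was found."""
    issue = event["issue"]
    return (issue["name"], issue["path"])


def summarize(issue_events):
    """Count distinct findings per severity, ignoring duplicate events."""
    distinct = {issue_key(e): e["issue"]["severity"] for e in issue_events}
    counts = {}
    for severity in distinct.values():
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def new_issues(previous_events, current_events):
    """Findings present in the current scan but absent from the previous one."""
    seen = {issue_key(e) for e in previous_events}
    result, added = [], set()
    for e in current_events:
        key = issue_key(e)
        if key not in seen and key not in added:
            added.add(key)
            result.append(e["issue"])
    return result


if __name__ == "__main__":
    print(summarize(CURRENT_SCAN))
    for issue in new_issues(PREVIOUS_SCAN, CURRENT_SCAN):
        print("NEW", issue["severity"], issue["name"], issue["path"])
```

In a scheduled setup, the previous run's JSON output file can be loaded with json.load and passed as previous_events, so the log or alert only lists findings that did not exist before.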

config.json (this is where the sites to scan are configured; the API key is generated inside Burp Suite):

```json
{
  "sites": [{
    "scanURL": "http://192.168.168.180/",
    "project": "d:/temp/metasploitable2.burp",
    "apikey": "S44ZGKWIXsGa8eWiASfDz7u5d2CzsbHm"
  }],
  "burpConfigs": [{
    "memory": "2048m",
    "headless": "true",
    "java": "C:/Program Files/Java/jdk-11.0.11/bin/java.exe",
    "burpJar": "F:/Download/burpsuite_pro_v2021.6.1.jar",
    "retry": 5,
    "logPath": "d:/temp/ScanOutput/",
    "logfileName": "SimpleAutoBurp",
    "loglevel": "debug",
    "ScanOutput": "d:/temp/ScanOutput/"
  }]
}
```

3. Enabling the Burp Suite Pro REST API service

Burp Suite Pro: the settings screen for enabling the REST API (screenshot)

4. Use Task Scheduler (taskschd.msc) to run the script automatically. How to run a script from Windows Task Scheduler is not repeated here; see the Windows help documentation.

Using the SimpleAutoBurp script to find site vulnerabilities promptly is a remedial measure. We should also establish and follow a secure software release process; for a standard release process, refer to the ITIL release and deployment process or to Microsoft's SDL.

Source: https://xinb2b.cn/shenghuo/news70174.html
