Automatic Security Testing Workflow

Getting started with Scanner and HTTPView automated testing features

While there is still nothing better than a manual web security assessment performed by a skilled hacker, there are a number of readily available tools in the SecApps toolbelt to help you start with automated vulnerability assessments. The automated web security testing workflow is useful when you want to automate the bulk of the vulnerability discovery work using our intelligent web security Scanner, or when you want to take a semi-automated security testing approach with the help of "Co-pilot", a feature which automatically tests all web requests captured by HTTPView.

With the help of the SecApps Browser Extension you can kick off the test directly from your own browser. All tests are performed locally using local-only network resources. No external third-party servers or intermediaries are involved. This means that you can safely and confidently use the Scanner to test any application behind your network firewall, or even one residing on localhost, which is useful during the development stages. Our automated tools are good developer companions.

Target & Scope

Open the Scanner and type the URL of the application you want to test automatically into the target input field. Keep in mind that the URL path is taken into consideration to ensure that only the right parts of the application are tested. In practice, this means that if you enter https://target/portal/dash only the resources under /portal and its subfolders will be tested. Further details on how the target URL is utilised by the scanning engine can be found in the built-in documentation.

The testing scope can be further influenced from the Scope settings screen. You can define URL patterns you would like to specifically exclude, such as logout URLs. You can also create a white-list filter by using the "Include URLs" feature: here you declare the URL patterns that are included in this test, and all URLs which do not match this pattern list will be excluded. While the security testing engine uses smart logic to automatically find the right scope for your application, it is always recommended to familiarise yourself with the target URL structure to ensure that only the most important parts are tested and that features which are non-essential or dangerous are excluded.
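As an added illustration (not SecApps' own code; the engine's real matching logic is described in the built-in documentation), here is a small JavaScript model of the three scoping rules just described: the target-path prefix, the exclude patterns, and the "Include URLs" white-list. The glob syntax and the SCOPE values are assumptions constructed for this example.

```javascript
// Added example, not SecApps' code: a model of the scoping rules in the text.
//   1. the target URL's folder is a prefix: only that folder and its subfolders
//   2. "Exclude URLs" patterns always win (e.g. logout endpoints)
//   3. if any "Include URLs" patterns are given, a URL must match one of them

function globToRegExp(pattern) {
  // Assumed minimal glob syntax: "*" matches anything, everything else is literal.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function pathPrefix(target) {
  // https://target/portal/dash -> "/portal/" (the folder the entry point lives in)
  const { pathname } = new URL(target);
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

function inScope(target, candidate, { include = [], exclude = [] } = {}) {
  const t = new URL(target);
  const c = new URL(candidate);
  // Stay on the same origin (scheme, host, port) as the entry point.
  if (t.origin !== c.origin) return false;
  // Rule 1: only /portal and its subfolders for the example in the text.
  if (!c.pathname.startsWith(pathPrefix(target))) return false;
  // Rule 2: explicit exclusions take precedence, keeping logout out of the crawl.
  if (exclude.some((p) => globToRegExp(p).test(candidate))) return false;
  // Rule 3: with a white-list present, the URL must match at least one include pattern.
  if (include.length > 0 && !include.some((p) => globToRegExp(p).test(candidate))) return false;
  return true;
}

// Constructed sample scope: an authenticated scan of the portal that must never hit logout.
const SCOPE = {
  include: ["https://target/portal/*"],
  exclude: ["https://target/portal/logout*", "*/account/delete*"],
};

// Quick demonstration with constructed URLs.
for (const u of ["https://target/portal/dash?tab=1", "https://target/portal/logout", "https://target/admin/users"]) {
  console.log(u, inScope("https://target/portal/dash", u, SCOPE) ? "in scope" : "excluded");
}
```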

Authentication

Before starting the test you may wish to authenticate. Simply open another tab, navigate to the application you are testing and authenticate the same way you usually do from your browser. The Scanner will automatically pick up your current browser session and use it during testing. Ensure that your scope is configured to avoid following logout URLs. The Scanner will automatically avoid testing logout facilities it can successfully identify as such; this is a built-in feature.

Keep in mind that authenticated scans can be particularly destructive. Ensure that you are testing only non-production applications, with the correct level of privileges. Failure to do so could result in damaging the live application. If in doubt, consult with the vendor or development team to confirm the application is fit for authenticated testing.

Testing

To kick off the test simply click the start button. The test starts immediately and you will see the report being generated on the fly. Details are not spared from the report. We offer full details for every discovered vulnerability, including the actual request that was used at the time of the test, the payload and the location where the payload was used. Relevant details are also conveniently organised for you. Errors, useful information and metadata are extracted during the scan and placed inside the report for inspection. This gives you a very deep insight into how the scanner works, what it did and why it did it.

Unlike other web security tools, our philosophy is to ensure that you are in full control of the scanning process by being fully transparent about how the tool performs. Every request that the scanner generates is displayed in the "Transaction View". Each request can be fully inspected with the provided HTTP viewers. Query parameters, headers, and the different body types are parsed and conveniently available to you. We even generate the code for you to repeat the request in your language of choice. Any details regarding the vulnerabilities identified with the selected request are also present, so you know exactly which request identified which vulnerability. Our motto is full transparency!

Testing in Co-Pilot

Sometimes it is necessary to manually guide the scanner so that it tests the application in the same way it is actually used. This is where "Co-pilot" comes in extremely handy. With this feature, the security scanner, combined with tools such as HTTPView, actively intercepts HTTP traffic between the client and the application while automatically applying all passive and active security tests. All vulnerability results are summarised in the report and also attached to the individual requests and responses for maximum transparency and flexibility.

Individual requests can also be opened in other tools such as Rest and Fuzzer for further inspection. This means that discovered issues can be manually confirmed, easily exploited or fuzzed with additional payloads to explore the vulnerabilities in full and discover edge cases. This is done with the intention of ensuring that nothing is missed.

Projects

Save your work when you are ready. Projects are essentially made of files and folders. Files are portable and easy to parse; no more obscure file formats. You can organise your project in whichever way fits you. Your scanner reports can go in their own folder or be mixed together with the files generated by the rest of the tools.

Final Words

Performing automated web application security assessments with the SecApps toolbelt is very simple, but it requires a degree of care. Minimise automated testing activities on live applications, as security scanners tend to be very verbose and could generate an excessive amount of logs or fill databases with test data. This is no different from any other type of testing.