Websecurify

Regular updates about Websecurify free and premium website scanners, proxies, fuzzers and insight knowledge about SQL Injection, Cross-site Scripting and other vulnerabilities

Web Scan Monitor

One of the most interesting aspects of Websecurify is that it is perhaps the most extensible web application security platform out there. You can take the stock binaries and, with a simple extension, turn them into whatever tool you need, without setting up a complex development environment, compiling anything or learning an unfamiliar IDE. Your favourite text editor is sufficient for the task.

In the last 30 minutes we were able to put together a simple but very useful extension which records every request made by the scanner in a neatly formatted table. Here is a screenshot showing the last few requests before the scanner completed its run:

The main code behind this is as simple as 1, 2, 3. It registers an observer for the http-on-examine-response and http-on-examine-cached-response notifications, keeps only the channels that carry the scanner's X-WebsecurifyLite-Request: true marker header and belong to the current workspace, and flattens each request/response pair into one row for the datatable. Note that the marker is an ordinary request header, so it also travels to the target server along with the rest of the request. This is what it looks like:

// Observe every HTTP response passing through the platform, whether fetched
// from the network or served from the cache. CI is the usual shorthand for
// Components.interfaces in this code base.
window.websecurifyMonitorHttpResponseObserver = weaponryCommon.createObserver(['http-on-examine-response', 'http-on-examine-cached-response'], function (subject, topic, data) {
    let httpChannel = null;

    // Only HTTP channels are of interest; anything else is skipped.
    try {
        httpChannel = subject.QueryInterface(CI.nsIHttpChannel);
    } catch (e) {
        return;
    }

    // The scanner tags its own requests with this header. getRequestHeader
    // throws when the header is absent, so a missing header is treated as 'false'.
    let xWebsecurifyLiteRequest = 'false';

    try {
        xWebsecurifyLiteRequest = httpChannel.getRequestHeader('X-WebsecurifyLite-Request');
    } catch (e) {
        // header not present: this is not a scanner request
    }

    if (xWebsecurifyLiteRequest !== 'true') {
        return;
    }

    // Record only traffic that belongs to the workspace this monitor window is attached to.
    let workspace = weaponryWorkspaces.lookupHttpChannelWorkspace(httpChannel);

    if (!workspace) {
        return;
    }

    if (!workspace.sameAs(window.workspace)) {
        return;
    }

    // Fetch the complete request and response, then flatten both into a single
    // row. Each part name is prefixed and capitalised, e.g. requestParts.url
    // becomes fields.requestUrl and responseParts.headers becomes fields.responseHeaders.
    weaponryCommon.getHttpChannelTransactionDetails(httpChannel, function (requestParts, responseParts, httpChannel) {
        let fields = {requestData: requestParts.data, responseData: responseParts.data};

        for (let fieldName in requestParts) {
            fields['request' + fieldName.replace(/^\w/, function($0) { return $0.toUpperCase(); })] = requestParts[fieldName];
        }

        for (let fieldName in responseParts) {
            fields['response' + fieldName.replace(/^\w/, function($0) { return $0.toUpperCase(); })] = responseParts[fieldName];
        }

        // Sequential row id; the counter is kept on the window (initialised
        // elsewhere in the extension) so it persists across callbacks.
        fields.entryId = ++window.websecurifyMonitorEntryId;

        // $transactionsDatatable is the monitor window's table widget.
        $transactionsDatatable.appendDataRow(fields);
    });
});
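The two decisions the observer makes, "is this one of the scanner's requests?" and "how do the request and response parts become one flat table row?", extracted into pure functions that run in plain Node. This is an added example, not code from Websecurify or the monitor extension: the makeChannel stand-in for nsIHttpChannel, the TransactionTable class and the shape of the requestParts/responseParts objects are all constructed here for illustration.

```javascript
// Added example (not Websecurify's code): the monitor's filtering and
// field-flattening logic as testable functions, driven by constructed data.

const SCANNER_MARKER_HEADER = 'X-WebsecurifyLite-Request';

// Stand-in for nsIHttpChannel: getRequestHeader throws when the header is
// absent, and header names are matched case-insensitively as in HTTP.
function makeChannel(requestHeaders) {
  const byLowerName = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    byLowerName[name.toLowerCase()] = value;
  }
  return {
    getRequestHeader(name) {
      const key = name.toLowerCase();
      if (!(key in byLowerName)) throw new Error('NS_ERROR_NOT_AVAILABLE');
      return byLowerName[key];
    },
  };
}

// Same rule as the observer: a missing header counts as 'false', and only
// the literal string 'true' marks the request as scanner traffic.
function isScannerRequest(httpChannel) {
  let marker = 'false';
  try {
    marker = httpChannel.getRequestHeader(SCANNER_MARKER_HEADER);
  } catch (e) {
    // header not present on this request
  }
  return marker === 'true';
}

// 'url' with prefix 'request' -> 'requestUrl'.
function prefixed(prefix, fieldName) {
  return prefix + fieldName.replace(/^\w/, (c) => c.toUpperCase());
}

// Flatten both parts into one row; the loops also cover the data fields.
function flattenTransaction(requestParts, responseParts) {
  const fields = {};
  for (const name of Object.keys(requestParts)) {
    fields[prefixed('request', name)] = requestParts[name];
  }
  for (const name of Object.keys(responseParts)) {
    fields[prefixed('response', name)] = responseParts[name];
  }
  return fields;
}

// Minimal stand-in for the datatable widget: rows get an increasing entryId.
class TransactionTable {
  constructor() {
    this.rows = [];
    this.nextEntryId = 0;
  }
  appendDataRow(fields) {
    this.rows.push({ ...fields, entryId: ++this.nextEntryId });
    return this.rows.length;
  }
}

// Run the monitor logic over a list of {requestParts, responseParts}.
function runMonitor(transactions) {
  const table = new TransactionTable();
  for (const t of transactions) {
    if (!isScannerRequest(makeChannel(t.requestParts.headers))) continue;
    table.appendDataRow(flattenTransaction(t.requestParts, t.responseParts));
  }
  return table.rows;
}

// Constructed sample: one scanner request (tagged) and one ordinary browser
// request from the same workspace (untagged), against a made-up host.
const SAMPLE_TRANSACTIONS = [
  {
    requestParts: {
      method: 'GET',
      url: 'http://target.example/search?q=1',
      headers: { Host: 'target.example', 'X-WebsecurifyLite-Request': 'true' },
      data: '',
    },
    responseParts: { status: 200, headers: { 'Content-Type': 'text/html' }, data: '<html>results</html>' },
  },
  {
    requestParts: {
      method: 'GET',
      url: 'http://target.example/',
      headers: { Host: 'target.example' },
      data: '',
    },
    responseParts: { status: 200, headers: { 'Content-Type': 'text/html' }, data: '<html>home</html>' },
  },
];

console.log(JSON.stringify(runMonitor(SAMPLE_TRANSACTIONS), null, 2));
```

Only the tagged transaction ends up in the table, with keys such as requestUrl, requestHeaders, responseStatus and responseData, which is the column layout the datatable in the screenshot is fed.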

And with that we are done.

pdp

Petko D. Petkov (pdp), is founder of Websecurify and frontman of the GNUCITIZEN Information Security Think Tank. pdp is a recognized information security researcher, security tools developer, penetration tester, frequent speaker at industry events, and published author who has contributed to several best-selling books in the field of information security.
