Web Scan Monitor

One of the most interesting aspects of Websecurify is that it is perhaps the most extensible web application security platform out there. You can virtually take the available binaries and, with a simple extension, convert them into whatever tools you fancy... without the need to set up complex development environments, compile, or even use unfamiliar IDEs. Your favourite text editor is sufficient for the task.

In the last 30 minutes we were able to put together a simple but very useful extension which records all requests made by the scanner in a nicely formatted table. Here is a screenshot which shows the last couple of requests before the scanner completed execution:

The main code behind this is as simple as 1, 2, 3. This is what it looks like:

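window.websecurifyMonitorHttpResponseObserver = weaponryCommon.createObserver(
  ['http-on-examine-response', 'http-on-examine-cached-response'],
  function (subject, topic, data) {
    // Observe every HTTP response (fresh or cached) the platform notifies about
    // and record the ones issued by this window's scanner workspace as a row in
    // the transactions table.
    //
    // subject: the notified channel. topic/data: the observer topic and its
    //   payload; only the channel itself is used here.
    let httpChannel = null

    try {
      httpChannel = subject.QueryInterface(CI.nsIHttpChannel)
    } catch (e) {
      // Not an HTTP channel; nothing to record.
      return
    }

    // Only requests tagged by the scanner carry this header; normal browsing
    // traffic does not. getRequestHeader throws when the header is absent,
    // which is treated as "not tagged" via the 'false' default.
    let xWebsecurifyLiteRequest = 'false'

    try {
      xWebsecurifyLiteRequest = httpChannel.getRequestHeader(
        'X-WebsecurifyLite-Request'
      )
    } catch (e) {
      // header absent — keep the 'false' default
    }

    if (xWebsecurifyLiteRequest !== 'true') {
      return
    }

    // Restrict to the scan running in this window: skip channels with no
    // workspace, or one that belongs to another window.
    let workspace = weaponryWorkspaces.lookupHttpChannelWorkspace(httpChannel)

    if (!workspace) {
      return
    }

    if (!workspace.sameAs(window.workspace)) {
      return
    }

    // 'method' -> 'Method', so keys become e.g. requestMethod / responseData.
    let capitalize = function (name) {
      return name.replace(/^\w/, function ($0) {
        return $0.toUpperCase()
      })
    }

    // Copy every enumerable property of `parts` into `fields` under a
    // prefixed, camel-cased key.
    let copyParts = function (fields, prefix, parts) {
      for (let fieldName in parts) {
        fields[prefix + capitalize(fieldName)] = parts[fieldName]
      }
    }

    weaponryCommon.getHttpChannelTransactionDetails(
      httpChannel,
      function (requestParts, responseParts, httpChannel) {
        // `data` is set explicitly in case it is not an enumerable property of
        // the parts objects; the copies below overwrite it when it is.
        let fields = {
          requestData: requestParts.data,
          responseData: responseParts.data,
        }

        copyParts(fields, 'request', requestParts)
        copyParts(fields, 'response', responseParts)

        // Guard against an uninitialised counter: `++undefined` would yield NaN
        // for every row, so start from 0 when the global has not been set yet.
        window.websecurifyMonitorEntryId =
          (Number(window.websecurifyMonitorEntryId) || 0) + 1
        fields.entryId = window.websecurifyMonitorEntryId

        // NOTE(review): requestData/responseData carry raw, server-controlled
        // bytes; confirm appendDataRow renders them as text rather than markup.
        $transactionsDatatable.appendDataRow(fields)
      }
    )
  }
)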

And with that we are done.