While AppCheck's headless browser crawler is very good at crawling web applications, some applications have user journeys that are impossible to comprehensively crawl without manual assistance.
This can be because they require valid data, or specific choices to be made in order to reach particular functionality within the application, for example entering a valid ID number, or clicking elements in a certain order.
A Workflow GoScript allows users to direct the scanner through these user journeys in order to ensure that critical areas of the application are reached. The scanner will then include these areas in its attack surface along with the ones it found entirely through automated crawling.
The scanner will also continue automated crawling after running each workflow, so once you have directed the scanner to the hard-to-reach locations you do not need to then direct it to every child page.
How do I write a WorkFlow GoScript?
For each workflow journey you want to include, create a new function with a name beginning "seeding.", for example "seeding.workflow1" or "seeding.findMyCat".
The below code creates two such functions, workflow1 and workflow2:

def seeding.workflow1
    go: https://www.appcheck-ng.com
    wait for: Home
    click: Home

def seeding.workflow2
    go: https://www.appcheck-ng.com
    wait for: Home
    hover: Services
    click: Features
    wait for: OUR SOFTWARE -
Finally, create a function named seeding.general, then list your workflow functions within it. For example:
def seeding.general
    seeding.workflow1
    seeding.workflow2
Where should I put my WorkFlow GoScript to use with my scan?
You can find the designated WorkFlow GoScripts box at:
Web Application Scanner Settings
-> Advanced Settings
-> GoScript
If I have an authentication GoScript and a WorkFlow GoScript, which one runs first?
The scanner will try to authenticate first if provided with authentication information.
The auth.login, auth.confirm and auth.logout functions used in authentication GoScripts are used by the scanner to analyse the authentication of the application. The analysis identifies a means of obtaining authentication tokens from the application, and a request which can be used to determine if the token is still valid.
Once that analysis is complete, the scanner uses the information to obtain authentication tokens which it can then use within the scan session.
When WorkFlow GoScripts run, a new browser is started within the scan session and the authentication tokens are applied to it, so all subsequent requests carry the tokens and are made in the authenticated session with the server.
You may need to take this into account when writing your script, particularly if the application does not allow simply navigating to the root URL of the application directly while maintaining the authenticated session.
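As an added illustration (not code from this article or from AppCheck), the workflow below assumes the scanner has already authenticated and, rather than returning to the root URL, goes straight to an assumed post-login landing page before clicking through a fixed sequence of elements. The URL and the element labels are hypothetical placeholders, and only the commands shown in this article (def, go:, wait for:, hover:, click:) are used.

```goscript
def seeding.accountStatements
    go: https://app.example.invalid/dashboard
    wait for: Dashboard
    hover: Account
    click: Statements
    wait for: Your statements

def seeding.general
    seeding.accountStatements
```

Because the browser for the workflow already carries the authentication tokens, the script does not need to log in itself; it only needs to start at a URL the application accepts for an authenticated session and then drive the journey in the order the application expects.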
How many times will the Scanner run my WorkFlow GoScript?
It is not possible to predict the number of times the WorkFlow GoScript will run in any given scan. The scanner will run the script at the start of the scan to enumerate targets, and again multiple times during a scan in order to flex the target application and expose vulnerabilities.