Rapid7 AppSpider
Author: n | 2025-04-23
Rapid7 AppSpider is the 29th-ranked solution in AST tools. PeerSpot users give Rapid7 AppSpider an average rating of 7.8 out of 10. Rapid7 AppSpider is most commonly compared to SonarQube Server (formerly SonarQube). Rapid7 AppSpider is popular among the large enterprise segment.
Rapid7 AppSpider vs Rapid7 InsightAppSec comparison
Today's security teams are responsible for securing hundreds of applications, including complex rich clients and APIs, while complying with industry and government regulations and keeping up with attacker techniques. For them, building an effective application security program requires more than crawling the web application's interface: it requires comprehensive application coverage and attack methodologies that address the technologies modern applications are built on.

Application security is hard, but using application security tools shouldn't be. Application security scans come with a thousand options, but Rapid7's appsec products ship with defaults based on years of application security experience, so that you can spend your time remediating vulnerabilities.

With AppSpider, you can plan, control and measure scans and look across all application scan data to track improvements in your security posture. AppSpider gives you a way to assess and prioritize the areas of greatest risk and to build a modern enterprise application security program.

Rapid7 AppSec Solutions

AppSpider is a dynamic application security testing (DAST) solution that scans web and mobile applications for vulnerabilities. The core technology behind AppSpider is the Universal Translator, which interprets the newer technologies used by today's web and mobile applications, such as AJAX, HTML5 and JSON, and also crawls traditional applications. Available on premises, hosted, or as a managed service, AppSpider lets you manage your application security program and delivers thorough analysis, comprehensive application coverage and sophisticated attack methodologies.

Benefits of AppSpider include:
- Broad coverage
- Advanced authentication
- Integrations
- Interactive reports
- Distributed and scalable
- Centralized control
- Continuous site monitoring
- End-to-end testing of APIs built with the OpenAPI Specification (formerly known as Swagger)

AppSpider Pro
A single scan engine meant for a team of one on a single machine. This on-premises edition has a highly customizable interface with multiple options for vulnerability detection, reporting and remediation, as well as scan management and other features.

AppSpider Enterprise
A single console that manages multiple AppSpider Pro scan engines. Meant for multi-user teams that need central management, this on-premises edition has a web application that supports multiple scan engines with unlimited scans across dozens to hundreds of web apps, and offers multiple options for vulnerability detection, reporting and remediation, as well as scan management and other features.

See the Product Editions page for information on additional application security solutions offered by Rapid7.
2025-04-15
If you use Rapid7 AppSpider to scan your web applications, you can import AppSpider data alongside Nexpose scan data and reports. This lets you view security information about your web assets side by side with your other network assets for more comprehensive assessment and prioritization.

The process involves importing an AppSpider-generated file of scan results, VulnerabilitiesSummary.xml, into a Nexpose site. Afterward, you view and report on that data as you would with data from a Nexpose scan. If you import the XML file on a recurring basis, you build a cumulative scan history in Nexpose for the referenced assets, which lets you track trends for those assets as you would for any assets scanned by Nexpose. This import process works with AppSpider versions 6.4.122 or later.

To import AppSpider data, take the following steps:
1. Create a site if you want a dedicated site that contains AppSpider data exclusively (see Creating and editing sites). Because the site exists only to hold AppSpider scan results, you do not need to set up scan credentials. You will need to include at least one asset, which is a requirement for creating a site, but it will not be necessary to scan this asset. If you want to include AppSpider results in an existing site with assets scanned by Nexpose, skip this step.
2. Download the VulnerabilitiesSummary.xml file generated by AppSpider to the computer that you are using to access the Nexpose web interface.
3. In the Sites table, select the name of the site that you want to use for AppSpider.
4. In the
2025-04-02
Selenium is a framework for the automated testing of web applications that lets you record sequences of actions, such as entering data in forms and clicking buttons. You can replay Selenium recordings on demand to check that the web application behaves as expected.

Consider a use case where a user selects an item to buy, proceeds through the shopping cart, checkout and payment option screens, and finally completes the purchase. There is no way to reach the "Purchase" page through a direct URL or by simply crawling the site. Organizations can create Selenium test suites for all the use cases of their product and make sure that hard-to-reach pages such as the Purchase page are tested correctly.

AppSpider can use Selenium scripts to scan the pages that matter for your use cases. First, AppSpider replays the Selenium scripts and records the network traffic. Then it generates vulnerability tests based on what it learned about the visited pages and their parameters.

AppSpider supports Selenium scripts in the following formats:
- Java Selenium scripts (.jar)
- C# Selenium scripts (.exe)
- Custom batched Selenium scripts (.bat)
- Firefox legacy IDE Selenium scripts (.htm)

The toolbar contains the following options:
- Restrict scan to Selenium recording: AppSpider will only crawl the pages and test the actions from the Selenium script; it will not crawl or test any other pages.
- Add: Adds a Selenium file from your filesystem for scanning.
- Bulk Add: Opens the "Bulk Files Import" window so you can add all Selenium files from a selected directory on your filesystem.
- Delete: Removes the selected Selenium file from the list.
- Up: Moves the selected recording higher in the scan queue.
- Down: Moves the selected recording lower in the scan queue.
- Web Driver: Selects the web driver for your Selenium script. The AppSpider installer offers to install the Chrome web driver; if you selected that option, AppSpider uses the default Chrome web driver it was installed with.

Scan using Selenium recordings
To scan the traffic produced from a Selenium recording:
1. Create a Selenium script and save the file on your computer.
   Note: Selenium files in this section should assume that the user is already authenticated. Selenium files for authentication should be recorded separately and uploaded to the Authentication tab of the scan config.
2. Open the "Selenium Recordings" screen and click Add in the toolbar. This opens the "Open Selenium file" popup.
3. Navigate to the location of
2025-03-28
You may run into web applications that AppSpider cannot crawl. You can test the security of these applications by using a web proxy tool such as the Traffic Recorder. With the Traffic Recorder, you record the interactions between the front-end application and the back-end server, such as HTTP GET and POST requests and their responses, in a traffic file. AppSpider then uses these interactions to run attacks against the back end of your application. This approach is also useful if you have not yet built the front end of your web application and want to begin testing early in the development process.

The toolbar contains the following options:
- Restrict scan to recorded traffic: AppSpider will only crawl the URLs imported from the traffic files; it will not crawl or test any other pages.
- Add: Adds a traffic file from your filesystem for scanning.
- Bulk Add: Opens the "Bulk Files Import" window so you can add all traffic files from a selected directory on your filesystem.
- Delete: Removes the selected traffic file from the list.
- Up: Moves the selected recording higher in the scan queue.
- Down: Moves the selected recording lower in the scan queue.
- Save: Saves any modifications made to the traffic file on this screen.
- Record Traffic: Launches the Traffic Recorder tool. If you close the tool after recording and saving the traffic, the file is automatically added to the Traffic File list.

Scan using Recorded Traffic
To scan traffic files:
1. Complete the steps in your app that you wish to test and record the interactions in a traffic file on your computer. Traffic files can be in the following formats:
   - AppSpider Traffic Files (*.trec)
   - Burp Files (*.xml)
   - Paros Files (*.txt)
   - WebScarab Files (conversationlog)
   - HAR (HTTP Archive) Files (*.har)
   - Fiddler Files (*.saz)
2. Open the "Recorded Traffic" screen and click Add File in the toolbar.
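Both the Selenium route and the Recorded Traffic route above come down to the same thing: a recording fixes which requests and parameters the scanner will attack. The practical questions before a scan are therefore whether the recording actually reaches the hard-to-reach pages (the Purchase page in the example), whether it strays onto hosts you are not authorised to test, and which parameters it exposes as attack points. The following Python script, added here as an illustration and not part of AppSpider or of the original page, answers those questions for a HAR file, one of the traffic formats listed above. The HAR content, hostnames, paths, cookie and token values are constructed for the example, and the parameter extraction is a simplified stand-in for what a scanner derives from visited pages and their parameters.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR 1.2 document standing in for a recording of a cart ->
# checkout -> purchase flow. Hosts, paths and token values are invented.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://shop.example.test/cart?item=42&qty=1",
                 "headers": [{"name": "Cookie", "value": "session=abc123"}]}},
    {"request": {"method": "POST", "url": "https://shop.example.test/checkout",
                 "headers": [{"name": "Cookie", "value": "session=abc123"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "address=1+Main+St&coupon=SAVE10"}}},
    {"request": {"method": "POST", "url": "https://shop.example.test/purchase",
                 "headers": [{"name": "Cookie", "value": "session=abc123"},
                             {"name": "Authorization", "value": "Bearer tok"}],
                 "postData": {"mimeType": "application/json; charset=utf-8",
                              "text": '{"card": {"number": "4111111111111111", '
                                      '"cvv": "123"}, "items": [42]}'}}},
    {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/analytics.js",
                 "headers": []}},
]}})


def load_entries(har_text):
    """Reduce each HAR entry to method, URL, lower-cased headers and body."""
    entries = []
    for e in json.loads(har_text)["log"]["entries"]:
        req = e["request"]
        post = req.get("postData") or {}
        entries.append({
            "method": req["method"].upper(),
            "url": req["url"],
            "headers": {h["name"].lower(): h["value"] for h in req.get("headers", [])},
            "mime": post.get("mimeType", "").split(";")[0].strip(),
            "body": post.get("text", ""),
        })
    return entries


def coverage_report(entries, scope_host, required):
    """Which required (METHOD, PATH) pairs the recording reaches, which it misses,
    and which hosts outside scope_host it touches (those may be crawled and
    attacked unless the scan is restricted to the recording)."""
    seen, foreign = set(), set()
    for e in entries:
        parts = urlsplit(e["url"])
        if parts.hostname == scope_host:
            seen.add((e["method"], parts.path))
        else:
            foreign.add(parts.hostname)
    required = set(required)
    return {"covered": sorted(required & seen),
            "missing": sorted(required - seen),
            "out_of_scope_hosts": sorted(foreign)}


def _json_params(obj, prefix=""):
    """Flatten a JSON body into dotted/indexed parameter names."""
    if isinstance(obj, dict):
        return [n for k, v in obj.items()
                for n in _json_params(v, f"{prefix}.{k}" if prefix else k)]
    if isinstance(obj, list):
        return [n for i, v in enumerate(obj) for n in _json_params(v, f"{prefix}[{i}]")]
    return [prefix]


def attack_surface(entries, scope_host):
    """Per in-scope request: the (location, name) of every injectable parameter,
    a simplified version of what a scanner derives before generating tests."""
    surface = []
    for e in entries:
        parts = urlsplit(e["url"])
        if parts.hostname != scope_host:
            continue
        params = [("query", n) for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if e["mime"] == "application/x-www-form-urlencoded":
            params += [("form", n) for n, _ in parse_qsl(e["body"], keep_blank_values=True)]
        elif e["mime"] == "application/json" and e["body"]:
            params += [("json", n) for n in _json_params(json.loads(e["body"]))]
        if "cookie" in e["headers"]:
            params += [("cookie", c.split("=", 1)[0].strip())
                       for c in e["headers"]["cookie"].split(";") if c.strip()]
        surface.append((e["method"], parts.path, params))
    return surface


def secrets_in_file(entries):
    """Header names that make the recording itself a credential (session cookies,
    bearer tokens): guard the file like a password and record against a test account."""
    return sorted({h for e in entries for h in ("cookie", "authorization") if h in e["headers"]})


if __name__ == "__main__":
    recorded = load_entries(SAMPLE_HAR)
    print(coverage_report(recorded, "shop.example.test",
                          [("POST", "/checkout"), ("POST", "/purchase"), ("POST", "/refund")]))
    for method, path, params in attack_surface(recorded, "shop.example.test"):
        print(method, path, params)
    print("credential material:", secrets_in_file(recorded))
```

Run against the constructed recording, the report shows that POST /refund is not in the file (so a scan restricted to this recording would never test it), that cdn.thirdparty.test was touched, and that the file carries a session cookie and a bearer token. The same reasoning applies to the Selenium route, since AppSpider records the traffic the script produces: a script that stops short of the Purchase page leaves that page untested, and a recording made with a production user's session is a live credential until that session expires.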
2025-04-13
Rapid7 Labs dataset catalogue (Project Sonar and related studies), as R console output: 13 observations, most cells truncated in this copy. Variables: sonarfile_set, name, short_desc, long_desc, study_url, study_name, study_venue, study_bibtext, contact_name, contact_email, organization_name, organization_website, created_at, updated_at. Contact for every study is Rapid7 Labs (research@rap…), organization Rapid7.

 #  sonarfile_set            name                     short_desc                                                                   study_venue
 1  sonar.ssl                SSL Certificates         X.509 certificate metadata observed when communicating with HTTPS endpoints  Project Sonar
 2  sonar.tcp                TCP Scans                SYN scan…                                                                    Project Sonar
 3  sonar.http               HTTP GET Responses       Responses…                                                                   Project Sonar
 4  sonar.national_exposure  National Exposure Scans  Open port…                                                                   Project Sonar
 5  sonar.fdns_v2            Forwa…                   DNS 'ANY'…                                                                   Project Sonar
 6  sonar…                   Crit…                    The Criti…                                                                   RSA Securi…
 7  sonar…                   UDP …                    UDP scan …                                                                   Project So…
 8  sonar…                   HTTP…                    Responses…                                                                   Project So…
 9  sonar…                   Reve…                    DNS IPv4 …                                                                   Project So…
10  sonar…                   Forw…                    DNS 'ANY'…                                                                   Project So…
11  sonar…                   Reve…                    DNS IPv4 …                                                                   Project So…
12  heise…                   Rapi…                    Rapid7 He…                                                                   Rapid7 Hei…
13  sonar…                   More…                    X.509 cer…                                                                   Project So…

created_at for rows 1 to 6: 2018-06-07, 2018-06-20, 2018-06-19, 2018-06-12, 2018-06-20, 2018-05-15; updated_at: 2019-01-17, 2019-01-17, 2019-01-17, 2018-08-06, 2019-01-14, 2013-04-01. The remaining values are truncated in the source.
2025-03-24