Extracting input traits to help with manual pentests

So, suppose we're preparing a manual penetration test of a web application; wouldn't it be nice to be able to know beforehand the behavior of each individual input?

For example, changing an input's value may change the response we get in a certain way, or even not, which is equally valuable information.

Let's say that inputs that change the behavior of the web page are called active and those that don't are called blind.

Furthermore, it would be of even more interest if the value we input gets included in the HTTP response (or even written on the DOM client-side) and taking it one step further, where in the response.


These are the things Codename SCNR concerns itself about to a great degree, in order to self-optimize and perform as much of a surgical scan as possible.

In addition, due to its highly versatile scripting capabilities, it let's us create custom components like checks and plugins by means of custom scripts.


Now...being the hackers that we are, we'd like to extract the aforementioned highly valuable info for our manual pentest as well; so, it's time for me to give away some esoteric know-how and show you how to do exactly that.


We're going to abuse SCNR's security check system via a custom script, to make it think that a sink trace is worth running, and then, via a custom plugin, print out that ol' valuable information.


As you can see in the documentation, Codename SCNR's scripting capabilities are quite awesome and range from using scripts as:

  • Static configuration.
  • Dynamic configuration.
  • Hooking-up into system callbacks.
  • A way to add custom components (checks, plugins, platform fingerprinters) on the fly.
  • Even a way to create custom scanners, like this article describes.


That's all for now, please leave your thoughts in the comments. :)


Newer post

Leave a comment

Please note, comments must be approved before they are published