Hello all,
First off, apologies for the made-up name in the title, but I'm not sure what this should be called.
Contextual scanning...by that I mean that the user can re-enter the vulnerable state of the web application and debug it right then and there. Like calling IRB or pry at the moment of vulnerability; a real joy for pentesters checking a webapp and developers tasked to fix it alike!
In addition, you get coverage data so you'll be able to determine how much of a webapp's codebase was covered by the scan, and thus be able to adjust your configuration accordingly to achieve optimal scan coverage.
This isn't included in SCNR just yet, but it's fully working as best as I can tell so it should have its turn soon enough.
This project is called the Introspector, and what it does is it runs the web application directly using a custom Rack::Handler, so all Rack-based web applications can benefit from this (Ruby-on-Rails, Sinatra, etc.).
And by doing the above, it has direct access to the runtime state and data of its Ruby environment (IAST-ish-ly), which is where the fun comes in. :)
Configuration and execution are simple, but they're going to be simplified further by the time of release.
Let's have a more practical look at this.
Suppose we have a Sinatra webapp that's vulnerable to XSS, like this one:
Then the configuration we'd use to run SCNR with Introspector at the helm would be:
Which would yield the following output:
At the top, we have SCNR's usual scanning output, it found the XSS, hooray!
Then, the code that was covered by the scanning process.
After that, a stacktrace full of context for the traced XSS vulnerability.
And at the bottom, the XSS context was re-entered using pry in order to take a closer look at the state, data and code -- which is nothing short of amazing!
Cool stuff huh? You can leave your thoughts in the comments.
Cheers!