News — introspector

Tasos Laskos
Codename SCNR v1.7.2 with Introspector for .NET, Java & Ruby

Hello all!

I wanted to let you know that Codename SCNR v1.7.2 is out and includes several bug fixes and optimizations.

More importantly, however, Introspector support has been added for .NET and Java; now covering .NET, Java and Ruby web applications, with more to come.

The instrumentation allows the capture of:

- Server-side code execution.
- Server-side data flow (not for Java, unfortunately).
- Client-side code execution.
- Client-side data flow.

This in turn allows for immense context to be attached to each identified vulnerability, thus making narrowing down bugs easier than ever.

In addition, with AI and this much...

Codename SCNR v1.7.0: Introspector + OpenAI

Hello all,

There is a new release of Codename SCNR, v1.7.0, and it includes some really spectacular updates. Let's dive in.

The Introspector

The Introspector is middleware that you use in your web application in order to provide immense context to identified issues:

- Execution flow: which parts of the web application code were executed.
  - File paths
  - Source code
  - Methods/functions
- Data flow: which parts of the web application the audit payloads traversed through.
  - File paths
  - Source code
  - Methods/functions
  - Arguments at the time.
  - Source code for those methods.
  - Backtrace.

Hunting down issues just became easier than ever.

In addition, armed with...

IAST/Contextual scanning for Ruby-on-Rails (and Rack in general)

Hello all,

Some time ago I announced the arrival of IAST scanning for Rack-based (such as Ruby-on-Rails, Sinatra, etc.) web applications. The feature is now here and I'd like to demo it for you.

We have our application, in this case a Sinatra one, and it goes like:

As you can see, scnr/introspector has been required and made use of.

Now we run a scan with no additional options or configuration:

./bin/scnr http://localhost:4567/
[...]
[+] Web Application Security Report - SCNR::Engine Framework
[~] Report generated on: 2024-01-08 09:59:13 +0200
[+] System settings:
[~] ---------------
[~] Version:           1.0dev
[~] Seed:...

Tasos Laskos
IAST/Contextual scanning for Ruby-on-Rails (and Rack in general) coming soon!

Hello all,

First off, apologies for the made-up name in the title, but I'm not sure what this should be called. By contextual I mean that the user can re-enter the vulnerable state of the web application and debug it right then and there. Like calling IRB or pry at the moment of vulnerability; a real joy for pentesters checking a webapp and developers tasked to fix it alike!

In addition, you get coverage data so you'll be able to determine how much of a webapp's codebase was covered by the scan, and thus be able to adjust your...
