Browser Macro

The panel allows the user to record or import pre-recorded macro files.

A macro is a sequence of actions (e.g. menu selections, link executions, value entries, etc.) that will be replayed exactly as input by the user.

The panel contains the following elements:

  • Restrict scan to macro checkbox: when selected, AppSpider crawls and tests only the pages/actions executed in the macro. No other pages will be crawled or tested.
  • Macro record files: the list of macro files added by the user. The list has the following options:
      • Add - adds a macro file from the file system.
      • Delete - removes the selected traffic file from the list.
      • Sort - sorts the traffic files in the list.
      • Test macro - tests whether the macro executes successfully.
      • Configure sequence - opens the “Configure sequence” tab.
      • Save changes - saves changes to the selected traffic file.
  • Record Macro button - opens the Browser Macro Recorder tab.

The following macro file parameters are presented in the grid:

  • File path: the macro's directory path
  • Show in browser checkbox - shows the macro record in the browser window when the macro file is played
  • Sequence checkbox - enables the Configure sequence tab.

The Macro content tab contains a grid with the following macro parameters: Enabled, Window index, Event type, Data, Element path, and Duration.

The Configure sequence tab contains a grid with the following parameters: URL, Attack, Send, and From cache.

The table and Read request button are enabled if Auto Select request is unchecked.

Use the Test sequence button to test whether the sequence executes successfully.

Sequences

Sequences allow users to create a sequence of requests that perform an action on the website. A typical example is a shopping cart sequence, where a user first selects an item to buy, then adds it to the shopping cart, then proceeds to the checkout, enters a home address and payment option, and finally submits all the collected data to the website to process the purchase of the item.

Usually, the sequence cannot be interrupted or entered in the middle - the website will throw an error if a request is made out of sequence. In order to test the sequence properly for security issues, the entire sequence needs to be replayed with every attack.
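The following added example (not AppSpider code, and not a description of its internals) simulates the point above: a constructed in-memory site enforces step order, and a probe value only reaches the handler for a later step when the whole recorded sequence is replayed around it. The step names, the `ShopSession` class and the probe strings are assumptions made for illustration.

```python
# Constructed, in-memory stand-in for a site with a strict checkout flow.
STEPS = ["select_item", "add_to_cart", "checkout", "address", "payment", "submit"]

class ShopSession:
    """Accepts a step only if it is the next one in STEPS."""
    def __init__(self):
        self.next_step = 0

    def request(self, step, value):
        if self.next_step >= len(STEPS) or step != STEPS[self.next_step]:
            return 400, "out of sequence"
        self.next_step += 1
        return 200, f"{step} accepted: {value}"

# Constructed recording: one (step, value) pair per request in the sequence.
RECORDED = [(s, f"normal-{s}") for s in STEPS]

def probe_single_request(step, probe):
    """Naive approach: send only the modified request in a fresh session."""
    return ShopSession().request(step, probe)

def probe_with_full_replay(step, probe):
    """Replay the whole recording in a fresh session, swapping in the probe
    value at the target step, and return that step's response."""
    session = ShopSession()
    result = None
    for name, value in RECORDED:
        status, body = session.request(name, probe if name == step else value)
        if status != 200:
            return status, body  # the sequence broke; stop replaying
        if name == step:
            result = (status, body)
    return result

def coverage(probes):
    """Count how many (step, probe) pairs reach the target step's handler."""
    single = sum(probe_single_request(s, p)[0] == 200 for s in STEPS for p in probes)
    full = sum(probe_with_full_replay(s, p)[0] == 200 for s in STEPS for p in probes)
    return single, full

if __name__ == "__main__":
    probes = ["PROBE-A", "PROBE-B", "PROBE-C"]  # harmless marker strings
    print(coverage(probes))
```

Each test costs one full replay of the recording, which is why testing inside a sequence is slower than testing independent pages.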

AppSpider supports attacking sequences. In order to attack a sequence as a whole, the user needs to start a macro recording, declare it as a sequence, and record it in the player embedded in the UI to verify that it was recorded properly. AppSpider will run all its attacks with this sequence. Running attacks within a sequence can be slow, so it is advisable to limit the scan to this sequence only by selecting the Restrict scan to macro checkbox on the Browser Macro config page.

By default, the embedded browser(s) are hidden. If you wish to observe the attacks on the sequence during the scan, select the Show in browser checkbox.