Rapid7 AppSec Plugin for Chrome

The Rapid7 AppSec Plugin for Chrome adds useful capabilities like recording your login activities or replaying attacks from your InsightAppSec console. Use the plugin to understand how traffic is moving between your server, apps, and authentication layer. To use this functionality, you will need the latest stable version of the Chrome browser installed on your system.

Installation

  1. To install the AppSec Chrome plugin, open the following link: https://chrome.google.com/webstore/detail/rapid7-appsec-plugin/mnmlipalillmakdiildpclhocfgcddnp
  2. The Rapid7 AppSec Plugin page opens. Click Add to Chrome.
  3. Click Add extension in the popup that appears.

AppSec Chrome Plugin Download

  4. You will see a notification indicating that the Chrome plugin has been installed successfully.

Request Builder

The Request Builder lets you validate a vulnerability reported by InsightAppSec by sending the attack request yourself and inspecting the raw response.

Request Builder interface tour

Before starting, familiarize yourself with the Request Builder interface. Its areas are:

  1. Request method (the available HTTP methods)
  2. Scheme
    1. https
    2. http
  3. URL of the request: an FQDN (Fully Qualified Domain Name) or an IP address
  4. Port the request is sent to
  5. Follow redirect: controls whether a 302 response carrying a Location header is followed. When the redirect is not followed, the first response (the 302 itself, with its Location header) is displayed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location
  6. The response headers returned for the request
  7. The response body (HTML)
  8. Render the HTML response in an iframe
  9. The request body: the raw HTTP request to send. This lets you execute any raw HTTP request.
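To make the "Follow redirect" behaviour concrete, here is an added example (not code from the Rapid7 plugin) that replays a raw request the way the Request Builder does: it parses the text you would type into the request body pane, sends it, and returns either the first response (the 302 with its Location header) or, with redirects followed, the page the redirect leads to. The target is a constructed local server answering /login with a 302 to /home so the script runs offline; the final check reuses the logged-in regex that the Macro Recorder's Enable Regex option ships with.

```python
"""Replay a raw HTTP request like the Request Builder and inspect the first
response, optionally following a 302 Location redirect.

Added example, not part of the Rapid7 plugin. The target server below is a
constructed stand-in (POST /login -> 302 /home) so everything runs offline."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Default regex of the Macro Recorder's "Enable Regex" option: a logout link
# is a cheap signal that the session is authenticated.
LOGGED_IN_RE = re.compile(r"(sign|log)[ -]?(out|off)", re.IGNORECASE)


class _Target(BaseHTTPRequestHandler):
    """Constructed target: POST /login sets a cookie and redirects to /home."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if self.path == "/login" and "user=alice" in body:
            self.send_response(302)
            self.send_header("Location", "/home")
            self.send_header("Set-Cookie", "session=constructed; HttpOnly")
            self.end_headers()
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"bad credentials")

    def do_GET(self):
        if self.path == "/home" and "session=constructed" in self.headers.get("Cookie", ""):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>Welcome, alice. <a href='/logout'>Log out</a></body></html>")
        else:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"not signed in")

    def log_message(self, *_):  # keep the demo quiet
        pass


def start_target():
    """Start the constructed server on a free port and return that port."""
    srv = HTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def parse_raw_request(raw):
    """Split the text typed into the request body pane into its parts."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def send(host, port, raw, follow_redirect=False):
    """Send one raw request and return (status, headers, body) of the
    response the Request Builder would display."""
    method, path, headers, body = parse_raw_request(raw)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body.encode() or None, headers=headers)
    resp = conn.getresponse()
    status, rheaders, rbody = resp.status, dict(resp.getheaders()), resp.read().decode()
    conn.close()
    if not follow_redirect or status not in (301, 302, 303, 307, 308) or "Location" not in rheaders:
        return status, rheaders, rbody  # redirect off: show the 302 itself
    # Redirect on: GET the Location target, carrying any cookie the 302 just set.
    follow = {"Host": headers.get("Host", host)}
    if "Set-Cookie" in rheaders:
        follow["Cookie"] = rheaders["Set-Cookie"].split(";", 1)[0]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", urlsplit(rheaders["Location"]).path or "/", headers=follow)
    resp = conn.getresponse()
    result = resp.status, dict(resp.getheaders()), resp.read().decode()
    conn.close()
    return result


def looks_logged_in(html):
    """Apply the logout-link regex to a response body."""
    return bool(LOGGED_IN_RE.search(html))


if __name__ == "__main__":
    port = start_target()
    raw = ("POST /login HTTP/1.1\nHost: 127.0.0.1\n"
           "Content-Type: application/x-www-form-urlencoded\n\nuser=alice&pass=constructed")
    print(send("127.0.0.1", port, raw)[:2])                  # 302 and its headers
    status, _, html = send("127.0.0.1", port, raw, follow_redirect=True)
    print(status, looks_logged_in(html))                     # 200 True
```

Leaving redirects unfollowed is usually what you want when validating a finding: the 302 and its Set-Cookie header are the evidence that the injected request was accepted, and a followed redirect can hide that.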

Validate vulnerabilities

Within InsightAppSec you can reach vulnerabilities in several ways, including from the All Vulnerabilities tab and from All Scans. Each vulnerability has a Replay Attack button. We will go over two ways to replay an attack:

  • From the Vulnerabilities with Remediation report
  • From All Apps, selecting an app and then a vulnerability

Vulnerabilities with the Remediation Report

These steps assume you are logged into InsightAppSec.

  1. Click on All Apps.
  2. Choose the app you want to use to validate the vulnerabilities.
  3. Choose the scan you want to use to generate the report.
  4. Click Generate Report in the upper right corner.
  5. Give the report a name and choose HTML export.

AppSec Chrome plugin report

  6. Once the report is available, find the Attack Type for the vulnerability and click Replay Attack next to it. The Vulnerability Validator window opens.

AppSec Plugin Chrome Validate Vuln Window

Tabs along the top let you switch between the individual requests that made up the attack traffic.

AppSec Plugin Chrome Attack

From each tab, click Send to replay that request through the Request Builder. The response headers and response body are shown alongside the attack information.

AppSec Plugin Chrome Attack Replay

Edit the request body

You can edit the request body, for example to adjust the payload, and then send the attack again.

Validate from All Apps

These steps assume you are logged into InsightAppSec:

  1. Click on All Apps.
  2. Choose the app you want to use to validate the vulnerabilities.
  3. Click the Vulnerabilities tab on the next page.
  4. Choose the vulnerability you want and click Replay Attack. The Vulnerability Validator window opens.

AppSec Plugin Chrome Attack Replay

Tabs along the top let you switch between the individual requests that made up the attack traffic.

AppSec Plugin Chrome Attack

From each tab, click Send to replay that request through the Request Builder. The response headers and response body are shown alongside the attack information.

AppSec Plugin Chrome Attack Replay

Edit the request body

You can edit the request body, for example to adjust the payload, and then send the attack again.

Macro Recorder

Rapid7 AppSec Macros are sequences of actions, such as clicking a series of buttons or text entry on a web page. Once you have the AppSec Chrome plugin installed, you can use macros to record the actions needed to authenticate into an application or to access a specific section of your app that cannot be reached purely by crawling.

Macro Recorder interface tour


  1. The domain name or local host IP address of the site to record.
  2. The recorded authentication or sequence appears here as editable text. It is blank until something has been recorded.
  3. Record authentication - Records the actions taken to authenticate, including the username and password entered. While recording, take only the actions needed to log in.
  4. Record sequence - Records the pages visited and the actions taken. Use it for steps that an already authenticated user performs.
  5. Playback Settings - Options applied at the end of a playback, using a regex.
    1. Enable Regex - A regex matched against the page HTML at the end of a macro replay to confirm the result. The included example, (sign|log)[ -]?(out|off), looks for a logout link and so checks that the macro ended in a logged-in state.
    2. Playback - Runs the recorded authentication or sequence again.
  6. Export Settings - Controls how the recorded sequence is exported.
    1. Min duration - The minimum delay assigned to each exported macro event.
    2. Element path - Export with the full XPath, or with an XPath built from the element name and ID.
    3. Driver events - Replace Click and SetControlData events with DriverClick and DriverSendKeys.
    4. Export - Exports the recorded sequence and shows it in the window on the left.
  7. Download the recorded sequence as a .rec file.

Record authentication and playback

There are two ways to record authentication with the Rapid7 AppSec Plugin:

  1. Use Authentication in InsightAppSec.
  2. Use the Macro Recorder tab in the Rapid7 AppSec plugin.

The following steps walk you through recording a login with the plugin and then playing it back.

  1. Navigate to the Macro Recorder tab in the Rapid7 AppSec Plugin.
  2. Enter the URL or local IP address of the site you want to record.
  3. Click Record authentication.
  4. This opens a new window with the site you are recording, along with a popup confirming that “You are now recording a macro/traffic sequence.”

AppSec Plugin Chrome Record Macro

  5. The new window has a bar across the top alerting you that "Rapid7 Appsec Plugin is debugging this browser."
  6. On the login page of the site you are recording, enter your credentials and sign in. In this example, that is an email address and a password.
  7. Once signed in, click Cancel on the bar at the top of the window and close the window.
  8. In the plugin, open the Macro Recorder tab to see the XML output of the sequence that was recorded.

AppSec Plugin Chrome Macro Data

Edit the text

The text can be edited: change the authentication sequence as needed and play it back.

From here you can play back the authentication or sequence you recorded, or download it for use in other applications.

Playback the authentication

Before playing back the sequence, make sure all windows opened by the plugin are closed.

  1. Click Playback.
  2. A pop up will appear confirming that “You are now starting a macro playback.”

AppSec Plugin Chrome Macro Playback

  3. The playback attempts to repeat the actions you took.
  4. Once complete, the browser window that was opened for the playback is closed.

Playback in InsightAppSec

To play back the sequence in InsightAppSec, download the .rec file and import it on the Authentication tab as a macro. The .rec file is XML built from the following elements:

  • MacroEventList - The list of macro recorder events.
  • MacroEvent - A single macro event.
  • WindowIndex - The browser window the event took place in. Some authentication flows open a different window and then redirect you back to the original one.
    • 0 - No new window was opened; the event ran in the original window.
    • 1 - A new window was opened.
    • 2 or more - The number keeps incrementing as further browser windows are opened.
  • EventType - The action taken in the browser.
    • Delay - Adds a time delay between two macro events.
    • DriverClick - Clicks an element on the page through the web driver. Opening a new page, loading new content into the existing page, or interacting with a specific element is recorded as a DriverClick.
    • DriverSetControlValue - Sends a value, such as a username or password, into a field, typically one selected by a preceding DriverClick. The field is cleared before the value is set.
    • DriverSendKeys - Like DriverSetControlValue, but emulates the keystrokes being typed one at a time rather than setting the whole value at once. It can append to or prepend to an existing value.
    • Click - Clicks an element on the page, like DriverClick, but through the DOM (Document Object Model).
    • SetControlData - Sends a value, such as a username or password, into a field selected by a preceding Click, like DriverSetControlValue, but through the DOM.
    • JavaScript - Runs custom JavaScript placed in <Data><![CDATA[ ____ ]]></Data>.
  • UseEncryptedData - Whether the event's value comes from <EncryptedData> (for example, an encrypted password) or from <Data>. For most events this is 0, because most events do not carry a secret.
    • 0 - <Data> holds the value in the clear and <EncryptedData> is not used.
    • 1 - <EncryptedData> holds the value in encrypted form and <Data> is not used.
    When passing a secret such as a password, set this to 1 and put the encrypted value in <EncryptedData>; a password step left at 0 stores that password in clear text in the .rec file, so encrypt it before saving or sharing the file.
  • Data - The value to pass, or the action to perform, at the element identified by <ElementPath>.
    • Wildcards - Wildcards can be used in the <Data> field. For example, if the login button is generated dynamically with a value such as 'login-5423' on one visit and 'login-7668' on the next, use 'login-*' in the <Data> field to match both.
  • EncryptedData - Used when UseEncryptedData is 1: the encrypted value passed during the authentication sequence. Create it with the Encrypter/Decrypter in the AppSecToolkit, using the Rapid7 encryption option.
  • ElementPath - The XPath of the element in the page where the event takes place; <Data> is the value entered there, and <ElementPath> is the path to the field that receives it. For a JavaScript macro event, <ElementPath> is left empty, since the script itself is defined in <Data>.
  • Duration - How long the macro event takes to execute, in milliseconds.
  • Enable - Whether the macro event is enabled.
    • 0 - Disabled; the event is skipped.
    • 1 - Enabled. This is the default, and all recorded macro events are enabled.
  • Optional - Whether a macro event may fail without stopping the macro.
    • 0 - Not optional. The event has to succeed for the macro to continue to the next step.
    • 1 - Optional. Use 1 for steps that do not always appear, such as security questions or one-time pop-ups after authentication.

Differences between DriverClick, DriverSetControlValue, Click and SetControlData

  • DriverClick and DriverSetControlValue - These operations use a web driver at the OS level to generate real mouse clicks and key presses.
  • Click and SetControlData - These events interact with the DOM (Document Object Model) directly.

You can use either DriverClick and DriverSetControlValue or Click and SetControlData as the macro events that drive an application's authentication sequence.
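The element list above reads naturally as a checklist to run over a .rec file before importing it: the 0/1 flags must be 0 or 1, an event that says UseEncryptedData=1 must actually carry an EncryptedData value, a password step must not be filled from clear-text Data, and a JavaScript event must leave ElementPath empty. The following added example (this page's own illustration, not Rapid7 code) builds a small constructed login macro from those elements, parses it back, runs those checks, and shows the wildcard match for a 'login-*' button. The element names are the ones documented above; the nesting (one MacroEvent per action inside MacroEventList), the default values, and the rule that a Delay needs no ElementPath are assumptions.

```python
"""Build, parse and sanity-check a macro .rec file before importing it.

Added example, not Rapid7 code. Element names follow the field list on this
page; the nesting, the defaults and the Delay rule are assumptions, and the
sample events are constructed."""
import fnmatch
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Field order and assumed defaults for one <MacroEvent>.
DEFAULTS = {"WindowIndex": "0", "EventType": "", "UseEncryptedData": "0",
            "Data": "", "EncryptedData": "", "ElementPath": "",
            "Duration": "500", "Enable": "1", "Optional": "0"}
EVENT_TYPES = {"Delay", "DriverClick", "DriverSetControlValue", "DriverSendKeys",
               "Click", "SetControlData", "JavaScript"}
VALUE_SETTERS = {"DriverSetControlValue", "DriverSendKeys", "SetControlData"}

# Constructed login sequence: email in the clear, password encrypted, a button
# whose id changes on every visit (wildcard), and an optional pop-up dismissal.
SAMPLE_EVENTS = [
    {"EventType": "DriverSetControlValue", "ElementPath": "//input[@id='email']",
     "Data": "alice@example.com"},
    {"EventType": "DriverSetControlValue", "ElementPath": "//input[@id='password']",
     "UseEncryptedData": "1", "EncryptedData": "Q09OU1RSVUNURUQtQ0lQSEVSVEVYVA=="},
    {"EventType": "DriverClick", "ElementPath": "//button[starts-with(@id,'login-')]",
     "Data": "login-*"},
    {"EventType": "JavaScript", "Optional": "1",
     "Data": "document.querySelector('#welcome-dismiss').click();"},
]


def build_rec(events):
    """Serialise events to .rec XML; JavaScript bodies go inside CDATA."""
    out = ['<?xml version="1.0" encoding="utf-8"?>', "<MacroEventList>"]
    for ev in events:
        full = {**DEFAULTS, **ev}
        out.append("  <MacroEvent>")
        for name in DEFAULTS:
            text = full[name]
            if name == "Data" and full["EventType"] == "JavaScript":
                text = f"<![CDATA[{text}]]>"
            else:
                text = escape(text)
            out.append(f"    <{name}>{text}</{name}>")
        out.append("  </MacroEvent>")
    out.append("</MacroEventList>")
    return "\n".join(out)


def load_events(xml_text):
    """Parse .rec XML into a list of dicts, one per <MacroEvent>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "MacroEventList":
        raise ValueError(f"not a .rec file: root element is <{root.tag}>")
    return [{name: (ev.findtext(name) or "").strip() for name in DEFAULTS}
            for ev in root.iter("MacroEvent")]


def check_macro(events):
    """Return the problems that would make the macro fail or leak a secret."""
    findings = []
    for i, ev in enumerate(events):
        where = f"event {i} ({ev['EventType'] or 'no type'})"
        if ev["EventType"] not in EVENT_TYPES:
            findings.append(f"{where}: unknown EventType")
        for flag in ("UseEncryptedData", "Enable", "Optional"):
            if ev[flag] not in ("0", "1"):
                findings.append(f"{where}: {flag} must be 0 or 1")
        if not ev["Duration"].isdigit():
            findings.append(f"{where}: Duration must be milliseconds")
        if ev["UseEncryptedData"] == "1" and not ev["EncryptedData"]:
            findings.append(f"{where}: UseEncryptedData=1 but EncryptedData is empty")
        # Leak check: a password field filled from clear-text <Data>.
        if (ev["EventType"] in VALUE_SETTERS and "password" in ev["ElementPath"].lower()
                and ev["UseEncryptedData"] == "0"):
            findings.append(f"{where}: password set from plaintext <Data>; use EncryptedData")
        if ev["EventType"] == "JavaScript" and ev["ElementPath"]:
            findings.append(f"{where}: JavaScript events leave ElementPath empty")
        if ev["EventType"] not in ("JavaScript", "Delay") and not ev["ElementPath"]:
            findings.append(f"{where}: ElementPath is required")
    return findings


def data_matches(pattern, actual):
    """Wildcard match for <Data>, e.g. 'login-*' against 'login-5423'."""
    return fnmatch.fnmatchcase(actual, pattern)


if __name__ == "__main__":
    rec = build_rec(SAMPLE_EVENTS)
    print(rec)
    print(check_macro(load_events(rec)) or "no findings")
```

Run the checker over any .rec you export from the plugin before importing it into InsightAppSec or committing it to a repository; the plaintext-password finding is the one that matters most, because the recorder captures exactly what you typed.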

Traffic Recorder

You may run into web applications built with technologies that the InsightAppSec crawler does not support. You can still authenticate into such applications by recording the traffic with a web proxy tool such as the Traffic Recorder in the Rapid7 AppSec plugin. The recorder captures the HTTP exchanges (such as GET and POST requests) between the front end application and the back end server in a Traffic File, and InsightAppSec replays those exchanges to authenticate into your application.

Traffic Recorder interface tour

AppSec Chrome Plugin Traffic Recorder Interface Tour

  1. The domain name or local host IP address of the site to record.
  2. A UML-style sequence diagram of the traffic between the browser and the server, showing the host, any cookies used, and the authentication types seen.
  3. Record authentication - Records the authentication exchange, including the username and password submitted.
  4. Record sequence - Records the pages visited and the actions taken. The actions recorded should be steps that an authenticated user can perform.
  5. Recording Details - Rates each authentication type detected in the recording by how suitable it is for authenticating the scan.
    1. Macro - A sequence of actions, such as clicking buttons or entering text on a web page, recorded in a .rec file.
    2. Traffic - Recorded HTTP traffic, captured with a web proxy tool such as the Traffic Recorder, that InsightAppSec replays to authenticate.
    3. NTLM or HTTP Basic - Authentication with a username and password sent in the Authorization header.
    4. HTTP Bearer token - A bearer token was found in a request header, for example Authorization: Bearer <token-value>. It requires a second step to authenticate the user.
    5. Token - Another token-type credential was found in a request header. Like a bearer token, it requires a second step to authenticate the user.
  6. Download - Downloads the recording as a .har file. HTTP Archive (HAR) is a JSON-formatted archive format for logging a web browser's interaction with a site.

Record traffic authentication

There are two ways to record traffic:

  1. Record the traffic manually with another tool, then import it into InsightAppSec.
  2. Use the Rapid7 AppSec plugin to record the authentication and export the .har file. The plugin steps are below.

The following steps walk you through recording authentication traffic with the plugin.

  1. Navigate to the Traffic Recorder tab in the Rapid7 Appsec plugin.
  2. Enter the URL or local IP address of the site you want to record.
  3. Click Record authentication.
  4. A new window and a pop up will appear. It will alert “You are now recording a macro/traffic sequence.”

AppSec plugin chrome record macro

  5. In the new browser window, log in to the site with your username and password.
  6. Go back to the plugin and click Download (*.har). You can import this file into InsightAppSec or use it in other applications. The file contains the credentials and cookies that were captured, so handle it as a secret.
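A HAR exported by the Traffic Recorder holds the same things the Recording Details panel summarises, and it holds them in the clear: the form post with the password, the Set-Cookie that started the session, and any Authorization header. The following added example (this page's illustration, not Rapid7 code) reads a HAR 1.2 log, maps each host to the authentication categories listed under Recording Details, and produces a redacted copy that is safe to attach to a ticket or share with a developer. SAMPLE_HAR is a constructed recording, not real traffic, and the category labels and the list of secret-looking form field names are this script's own assumptions.

```python
"""Inspect a Traffic Recorder HAR before importing or sharing it: list the
authentication mechanisms it captured and redact the secrets.

Added example, not Rapid7 code. SAMPLE_HAR is constructed, not a real
recording; the category labels and SECRET_KEYS are this script's choices."""
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit

BASIC_NTLM = "NTLM or HTTP Basic"
BEARER = "HTTP Bearer token"
TOKEN = "Token (other Authorization scheme)"
FORM_LOGIN = "Traffic (form login that set a session cookie)"
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token")

SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [
    {"request": {"method": "POST", "url": "https://app.example.test/login",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "user=alice&password=hunter2"}},
     "response": {"status": 302,
                  "headers": [{"name": "Location", "value": "/home"},
                              {"name": "Set-Cookie", "value": "session=abc123; HttpOnly; Secure"}],
                  "cookies": [{"name": "session", "value": "abc123"}]}},
    {"request": {"method": "GET", "url": "https://api.example.test/me",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig"}],
                 "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": []}},
    {"request": {"method": "GET", "url": "https://intranet.example.test/",
                 "headers": [{"name": "Authorization", "value": "NTLM TlRMTVNTUAABAAAA"}],
                 "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": []}},
]}}


def header(message, name):
    """Case-insensitive lookup of a HAR request/response header value."""
    for h in message.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def classify_auth(har):
    """Map each host to the set of authentication mechanisms seen for it."""
    found = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        labels = found.setdefault(urlsplit(req["url"]).hostname, set())
        auth = header(req, "authorization")
        if auth:
            scheme = auth.split(" ", 1)[0].lower()
            labels.add(BASIC_NTLM if scheme in ("basic", "ntlm")
                       else BEARER if scheme == "bearer" else TOKEN)
        form = req.get("postData", {}).get("text", "")
        if form and any(k in form.lower() for k in SECRET_KEYS) and header(resp, "set-cookie"):
            labels.add(FORM_LOGIN)
    return found


def _redact_cookie(value, first_only):
    """'session=abc; HttpOnly' -> 'session=REDACTED; HttpOnly'. For a Cookie
    header every pair is a value; for Set-Cookie only the first pair is."""
    parts = []
    for i, piece in enumerate(value.split(";")):
        name, sep, _ = piece.partition("=")
        parts.append(f"{name}{sep}REDACTED" if sep and (i == 0 or not first_only) else piece)
    return ";".join(parts)


def redact(har):
    """Return a deep copy with credentials, tokens and cookie values removed."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        for message in (entry["request"], entry["response"]):
            for h in message.get("headers", []):
                name = h["name"].lower()
                if name == "authorization":
                    h["value"] = h["value"].split(" ", 1)[0] + " REDACTED"
                elif name in ("cookie", "set-cookie"):
                    h["value"] = _redact_cookie(h["value"], first_only=name == "set-cookie")
            for c in message.get("cookies", []):
                c["value"] = "REDACTED"
        post = entry["request"].get("postData")
        if post and "text" in post:
            if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
                pairs = [(k, "REDACTED" if any(s in k.lower() for s in SECRET_KEYS) else v)
                         for k, v in parse_qsl(post["text"], keep_blank_values=True)]
                post["text"] = urlencode(pairs)
            elif any(s in post["text"].lower() for s in SECRET_KEYS):
                post["text"] = "REDACTED"  # unknown body format that mentions a secret
    return har


if __name__ == "__main__":
    for host, labels in classify_auth(SAMPLE_HAR).items():
        print(host, sorted(labels))
    print(redact(SAMPLE_HAR))
```

Keep the unredacted file only where the scan needs it (the InsightAppSec import); the redacted copy still shows the request flow, hosts, cookie names and cookie attributes, which is what a reviewer needs.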