Rapid7 AppSpider
Author: l | 2025-04-25
Rapid7 AppSpider is ranked 29 among AST tools. PeerSpot users give Rapid7 AppSpider an average rating of 7.8 out of 10. Rapid7 AppSpider is most commonly compared to SonarQube Server (formerly SonarQube). Rapid7 AppSpider is popular among the large enterprise segment.
Rapid7 AppSpider vs Rapid7 InsightAppSec comparison
Today's security teams are responsible for securing hundreds of applications that include complex rich clients and APIs, complying with industry and government regulations, and keeping up with hacking trends. To them, building an effective application security program requires more than just crawling the web application interface. It's about having comprehensive application coverage and utilizing more sophisticated attack methodologies that address the technologies used by modern applications.

Application security is hard, but using application security tools shouldn't be. Application security scans come with a thousand options, but Rapid7's appsec products ship with system defaults based on years of application security experience, so that you can spend your time focusing on remediating vulnerabilities.

With AppSpider, you can plan, control and measure scans and look across all application scan data to track improvements in your security posture. Ultimately, AppSpider provides a way for you to assess and prioritize areas of greatest risk and enables you to build a modern enterprise application security program.

Rapid7 AppSec Solutions

AppSpider is a dynamic application security testing solution that allows you to scan web and mobile applications for vulnerabilities.

The core technology behind AppSpider is the Universal Translator, which interprets the new technologies, such as AJAX, HTML5, and JSON, that are being used in today's web and mobile applications and crawls traditional applications.

Available on premise, hosted or as a managed service, AppSpider enables you to effectively manage your application security program, delivers thorough analysis, comprehensive application coverage and sophisticated attack methodologies.

Benefits of AppSpider include:
- Broad coverage
- Advanced authentication
- Integrations
- Interactive reports
- Distributed and scalable
- Centralized control
- Continuous site monitoring
- End to end testing of APIs built with the OpenAPI Specification (formerly known as Swagger)

AppSpider Pro

This is a single scan engine meant for a team of one on a single machine. This on-premises edition has a highly customizable interface, with multiple options for vulnerability detection, reporting and remediation, as well as scan management and other features.

AppSpider Enterprise

This is a single console that includes multiple AppSpider Pro scan engines. Meant for multi-user teams that need to be centrally managed, this on-premise edition has a web app that supports multiple scan engines with unlimited scans, dozens to hundreds of web apps, and has multiple options for vulnerability detection, reporting and remediation, as well as scan management and other features.

See the Product Editions page for information on additional application security solutions offered by Rapid7.

Rapid7 is offering this technology under the name Rapid7 AppSpider, available immediately to customers. The addition of the AppSpider suite to Rapid7's Threat Exposure

The compared Rapid7 AppSpider and Rapid7 InsightAppSec solutions aren't in the same category. Rapid7 AppSpider is ranked 29 in SAST, with an average rating of 8.0, and holds a

InsightAppSec joins the on-premise AppSpider Pro and AppSpider Enterprise products and Rapid7's Managed App Sec Service in the Rapid7 portfolio of Application

OWASP Zap and Rapid7 AppSpider are prominent tools in the security software category. Based on feature offerings and support, Rapid7 AppSpider holds the upper hand

Comments
2025-04-16

If you use Rapid7 AppSpider to scan your Web applications, you can import AppSpider data with Nexpose scan data and reports. This allows you to view security information about your Web assets side-by-side with your other network assets for more comprehensive assessment and prioritization.

The process involves importing an AppSpider-generated file of scan results, VulnerabilitiesSummary.xml, into a Nexpose site. Afterward, you view and report on that data as you would with data from a Nexpose scan.

If you import the XML file on a recurring basis, you will build a cumulative scan history in Nexpose about the referenced assets. This allows you to track trends related to those assets as you would with any assets scanned in Nexpose.

This import process works with AppSpider versions 6.4.122 or later.

To import AppSpider data, take the following steps:

1. Create a site if you want a dedicated site to include AppSpider data exclusively. See Creating and editing sites.
   Since you are creating the site to contain AppSpider scan results, you do not need to set up scan credentials. You will need to include at least one asset, which is a requirement for creating a site. However, it will not be necessary to scan this asset.
   If you want to include AppSpider results in an existing site with assets scanned by Nexpose, skip this step.
2. Download the VulnerabilitiesSummary.xml file, generated by AppSpider, to the computer that you are using to access the Nexpose Web interface.
3. In the Sites table, select the name of the site that you want to use for AppSpider.
4. In the
2025-04-06

Selenium is a framework for the automated testing of web applications and enables you to record sequences of actions, like entering data in forms and clicking buttons. You can replay Selenium recordings on demand to ensure that the web application behaves as desired.

Consider a use case where a user selects an item to buy, proceeds through the shopping cart, checkout, and payment option screens to finally process the purchase of the item. There is no way to reach the "Purchase" web page using a direct URL or by simply crawling the site. Organizations can create Selenium test suites for all the use cases of their product, and ensure that difficult to reach pages such as the Purchase page are tested correctly.

AppSpider can use Selenium scripts to scan the pages that are important for your use cases. First, AppSpider replays the Selenium scripts and records the network traffic. Then, it generates vulnerability tests based on its knowledge of the visited web pages and their parameters.

AppSpider supports Selenium scripts in a variety of formats, such as:
- Java Selenium scripts (.jar)
- C# Selenium scripts (.exe)
- Custom batched Selenium scripts (.bat)
- Firefox legacy IDE Selenium scripts (.htm)

The toolbar contains the following options:
- Restrict scan to Selenium recording - AppSpider will only crawl the pages and test the actions from the Selenium script. AppSpider will not crawl or test any other pages.
- Add - Adds a Selenium file from your filesystem for scanning.
- Bulk Add - Opens the "Bulk Files Import" window so you can add all Selenium files from a selected directory on your filesystem.
- Delete - Removes the selected Selenium file from the list.
- Up - Moves the selected recording higher in the scan queue.
- Down - Moves the selected recording lower in the scan queue.
- Web Driver - Selects the Web Driver for your Selenium script. The AppSpider install process has an option for you to install the Chrome web driver. If you selected this option, AppSpider will use the default Chrome web driver with which it was installed.

Scan using Selenium recordings

To scan the traffic produced from a Selenium recording:

1. Create a Selenium script and save the file on your computer.
   Note: Selenium files in this section should assume that the user is already authenticated. Selenium files for authentication should be recorded separately and uploaded to the Authentication tab of the scan config.
2. Open the "Selenium Recordings" screen and click Add in the toolbar. This will open the "Open Selenium file" popup.
3. Navigate to the location of
2025-04-21