Scenester – A Small Tool for Cross-Platform Web Application

A quick post to announce that NCC Group's new web application security assessment tool has been pushed to our GitHub repo at https://github.com/nccgroup/.

So what is Scenester? 

It is a simple Java application for discovering the different web application front ends that are served depending on the web browser's User-Agent. The goal is to ensure coverage during web application assessments: developers may not have been as diligent about securing a slightly different code base that sits behind a less assessed (and less attacked) interface.

What can Scenester do? 

  • It can request a web application using different User-Agent strings – these are defined in an XML file to allow for easy extensibility.
  • Make requests via HTTP and HTTPS.
  • Take a screenshot so you can inspect the differences visually.
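To illustrate the idea behind the tool (one target, several User-Agent strings loaded from XML, one fingerprint per response so that distinct front ends stand out), here is an added example in Python. It is not Scenester's own code: the XML element names, the sample User-Agent strings and the fingerprinting scheme are all assumptions made for this example, and the only argument for running it against a site you are authorised to assess is its URL.

```python
import hashlib
import re
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample User-Agent file. The <useragents>/<useragent name="..">
# layout is an assumption for this example, not Scenester's actual schema.
SAMPLE_UA_XML = """<?xml version="1.0"?>
<useragents>
  <useragent name="desktop-firefox">Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0</useragent>
  <useragent name="iphone-safari">Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53</useragent>
  <useragent name="feature-phone">Nokia6230/2.0 (04.43) Profile/MIDP-2.0 Configuration/CLDC-1.1</useragent>
</useragents>
"""


def load_user_agents(xml_text):
    """Return {name: user_agent_string} from the XML, skipping empty entries."""
    root = ET.fromstring(xml_text)
    agents = {}
    for el in root.iter("useragent"):
        name = el.get("name")
        ua = (el.text or "").strip()
        if name and ua:
            agents[name] = ua
    return agents


def fingerprint(status, body):
    """Summarise one response: status, size, body hash and <title>, so that
    responses from different front ends can be compared without eyeballing."""
    match = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = match.group(1).strip().decode("utf-8", "replace") if match else ""
    return {
        "status": status,
        "length": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "title": title,
    }


def fetch(url, user_agent, timeout=10):
    """Request url with the given User-Agent over HTTP or HTTPS and fingerprint
    the response; non-2xx answers are fingerprinted too, since an error page
    for one client and a login page for another is exactly what we look for."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return fingerprint(resp.getcode(), resp.read())
    except urllib.error.HTTPError as err:
        return fingerprint(err.code, err.read())


def group_by_variant(results):
    """Group User-Agent names by body hash: one group per distinct front end."""
    groups = {}
    for name, fp in results.items():
        groups.setdefault(fp["sha256"], []).append(name)
    return groups


def survey(url, xml_text=SAMPLE_UA_XML):
    """Fetch url once per configured User-Agent and report the variants seen."""
    results = {name: fetch(url, ua) for name, ua in load_user_agents(xml_text).items()}
    for name, fp in results.items():
        print(f"{name:16} {fp['status']} {fp['length']:>8} {fp['sha256'][:12]} {fp['title']!r}")
    groups = group_by_variant(results)
    print(f"{len(groups)} distinct response variant(s) across {len(results)} User-Agents")
    for names in groups.values():
        print("  " + ", ".join(sorted(names)))
    return groups


if __name__ == "__main__":
    survey(sys.argv[1] if len(sys.argv) > 1 else "https://example.com/")
```

Identical hashes across all User-Agents mean the site served the same page to every client; a second group is a separate rendering or, in the interesting case, a separate code path that deserves its own assessment.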

Where do I get the code? 

https://github.com/nccgroup/Scenester

How about a screenshot or two?

The output is a separate PNG for each of the different rendered sites i.e. for Bing and the three user-agent strings we see:

Granted, for most sites these differences will come down to rendering alone; however, there will be some where completely different technology stacks are present.

Future development plan

  • Report rendering
  • POST request support
  • Custom requests (allow you to modify all request headers)
  • Define browser dimensions (e.g. iPhone screen size for the iPhone user-agent string)

Please let me know via the GitHub issue tracker if you have any suggestions and I will look to add any features.

Published date:  30 September 2013

Written by:  Sharique Shaikh