A quick post to announce NCC Group’s new web application security assessment tool has been pushed to our Gifthub repo at https://github.com/nccgroup/.
So what is Scenester?
It is a simple Java application to discover different web application front ends based on web browser user-agents. The goal is to ensure coverage during web application assessments where the developers may not have been as diligent securing a slightly different code base for a less assessed/attacked interface.
What can Scenester do?
- It can request web application using different User-Agents strings – these are defined in an XML file to allow for easy extensibility.
- Make requests via HTTP and HTTPS.
- Take a screen shot so you can inspect the differences visually.
Where do I get the code?
How about a screenshot or two?
The output is a separate PNG for each of the different rendered sites i.e. for Bing and the three user-agent strings we see:
Granted for most sites these differences will be down to just rendering however there will be some where there are completely different technology stacks present.
Future development plan
- Report rendering
- POST request support
- Custom request (allow you modify all request headers)
- Define browser dimensions(e.g. iPhone screen size for iPhone user-agent string)
Please let me know via the Github issue tracker if you have any suggestions and I will look to add any features.
Published date: 30 September 2013
Written by: Sharique Shaikh