BrowserExtensions  
Learn how to effectively use Websecurify Google Chrome and Mozilla Firefox extensions.
Updated Dec 12, 2011 by pdp.gnucitizen

Introduction

One of the key advantages of Websecurify is that it is the most portable web application security testing platform. Websecurify is not only available as desktop and server software but can also be incorporated directly into the Google Chrome and Mozilla Firefox web browsers.

In this tutorial you will familiarise yourself with both browser solutions (they are very similar) and learn a little more about the internals of our testing technology.

Installation Instructions

Websecurify browser extensions for Google Chrome and Mozilla Firefox follow the standard setup and administration practices available by default for both Chrome and Firefox. In order to get the appropriate extension for your browser and platform select one of the following links:

Follow the on-screen instructions to install the extension. After you are done, you should be able to see the Websecurify toolbar button just like the following screens:

Starting Your First Test

When the popup button (drop-down arrow in Mozilla Firefox) is clicked you will be able to see the main extension window, also known as The Popup Page.

The Popup Page is responsible for starting and controlling every single aspect of a test. You can start a test by focusing on the target field and then typing the full path to the target application. Press the enter key once you are done.

The Websecurify testing engine automatically determines the application scope (the resources included in the test) from the target URL. The scope includes the original target URL and the base URL of the target (its parent path). For example, if http://target/path/to/application is the target URL then the test scope will consist of the following rules:
http://target/path/to/application*
https://target/path/to/application*
http://target/path/to/*
https://target/path/to/*

where "*" denotes a wildcard character.
URLs such as http://target/totally/different/path will not be included in the test because they do not match any scope rule.
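As an added example (not Websecurify's own code), the following JavaScript derives the automatic scope described above from a target URL and checks candidate URLs against it; that the query string and fragment of the target are ignored is an assumption.

```javascript
// Added example, not the extension's own code. Builds the four scope rules
// described in the tutorial (target path and its base path, each for http and
// https, each ending in a "*" wildcard) and matches candidate URLs against them.

function scopeRulesFor(target) {
  const url = new URL(target);
  const host = url.host;        // keeps a non-default port, if one is present
  const path = url.pathname;    // assumption: query string and fragment are ignored
  // Base path: everything up to and including the last "/" of the target path.
  const base = path.slice(0, path.lastIndexOf('/') + 1);
  const rules = [
    `http://${host}${path}*`,
    `https://${host}${path}*`,
    `http://${host}${base}*`,
    `https://${host}${base}*`,
  ];
  // A target of "/" yields duplicate rules; keep the first occurrence of each.
  return [...new Set(rules)];
}

function ruleMatches(rule, candidate) {
  // Each rule is a literal prefix followed by a single trailing "*".
  const prefix = rule.endsWith('*') ? rule.slice(0, -1) : rule;
  return candidate.startsWith(prefix);
}

// True when at least one scope rule covers the candidate URL.
function inScope(target, candidate) {
  return scopeRulesFor(target).some((rule) => ruleMatches(rule, candidate));
}

// Walk-through with the tutorial's own example target.
const target = 'http://target/path/to/application';
console.log(scopeRulesFor(target));
console.log(inScope(target, 'https://target/path/to/other'));          // true
console.log(inScope(target, 'http://target/totally/different/path'));  // false
```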

Once the target is selected you will be presented with a screen which confirms the test and ensures that you know all risks and regulations which may be at hand during the test.

Although automated testing solutions such as Websecurify are great time savers, they can sometimes create more problems than they solve. In order to avoid future frustrations, Websecurify automatically minimizes the risk by carefully selecting what not to do as the test proceeds. However, it is generally recommended to test against systems in pre-production, development and testing environments, where the risk of failure is minimal.

Once you accept the warning the target will be acquired and the test will be on its way.

Controlling The Testing Process

As the test proceeds you will be able to monitor several of its aspects. First of all, you will be able to monitor the test progress. This information indicates how far you are into the test and how much is left to do.

The Popup Page also contains the necessary controls to pause, resume and stop the current test. You will also be able to clear any test data at the end of the test and follow up with more tests.

Additionally, you will be able to see all report findings as the test proceeds. To do that, simply click on the progress bar. You don't need to refresh the report page. Any new issues will be automatically inserted into the report structure.

Websecurify browser extensions can only perform one test at a time. If you want to do many simultaneous tests, check our desktop and server solutions.

Things you should know

Authenticated Tests

The Websecurify browser extensions do not differentiate between authenticated and unauthenticated tests. If you have logged in to the target application, the test will run as authenticated because the requests will carry all the necessary information, such as session cookies.

Generally, the following strategies apply:

  • Authenticated Tests - make sure that you log in to the target application before the test and stay logged in during the test
  • Unauthenticated Tests - make sure that you are logged out of the application before and during the test

Test Scope

At the moment, you cannot control the scope of the test, i.e. the scope is assigned automatically. Although Websecurify will try not to follow logout links while performing authenticated tests, this feature is not guaranteed to always work, especially on applications that have non-standard logout mechanisms.

