Recordings feed a web scan with valid HTTP requests captured from a real browsing session, which the scanner then uses during scanning.
With a recording, the scanner can follow a normal user's activity and, as a result, get deeper into the application's logic and potentially identify more vulnerabilities. Recordings are useful when certain functionality cannot be identified by the crawling engine, or when web forms require specific input before the server processes them. For example, thick-client components such as Flash and Silverlight cannot be interpreted or crawled by web scans, but you can access that content manually and upload the resulting valid HTTP requests to a web scan. Another example is a banking application that only allows transfers to a specific bank account number: with a recording, you can provide the web scan with the exact HTTP request that contains the valid account number.
To create a recording, you need an HTTP proxy tool that can record requests as you browse the target web site. The following recording formats are supported:
- Burp Proxy XML files (proxy-history log)
- Fiddler SAZ Archive files (saved spider items)
- Radar nProxy TXT files (logs from the Radar nProxy tool)
- Elements Vulnerability Management Recordings XML files (internal format for existing Elements Vulnerability Management recordings)
Only nProxy is described in detail in this document; the other tools are covered briefly.
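Before uploading a recording, it is worth checking what it actually contains: a proxy captures everything the browser sent, so the file may carry requests to hosts outside the scan's scope (CDNs, analytics, SSO providers) as well as live credentials and session cookies. The following is an added example, not part of this documentation or of the product, that parses a Burp proxy-history XML export and runs those checks. The embedded export is constructed for the example and follows the per-item layout of Burp's "Save items" export as I know it (time, url, host, port, protocol, method, path, base64-encoded request and response); `bank.example`, `cdn.example`, the credentials, the session token and the account number are made-up values, and the check functions (`out_of_scope`, `truncated`, `carrying`) are hypothetical helpers, not a feature of any scanner.

```python
import base64
import xml.etree.ElementTree as ET

# --- Constructed sample recording -------------------------------------------
# Raw requests as a proxy would capture them. Hosts, credentials, session
# token and account number are made up for this example.
LOGIN_REQ = (
    "POST /login HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=secret1"
)
TRANSFER_REQ = (
    "POST /transfer HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 40\r\n"
    "\r\n"
    "to_account=FI2112345600000785&amount=100"   # the one account the app accepts
)
CDN_REQ = "GET /static/app.js HTTP/1.1\r\nHost: cdn.example\r\n\r\n"  # out of scope

# One <item> in the layout of a Burp "Save items" export (assumed layout).
ITEM_TEMPLATE = """  <item>
    <time>Mon Jan 01 00:00:00 UTC 2024</time>
    <url><![CDATA[https://{host}{path}]]></url>
    <host ip="203.0.113.10">{host}</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[{method}]]></method>
    <path><![CDATA[{path}]]></path>
    <extension>null</extension>
    <request base64="true"><![CDATA[{req}]]></request>
    <status>200</status>
    <responselength>0</responselength>
    <mimetype></mimetype>
    <response base64="true"><![CDATA[{resp}]]></response>
    <comment></comment>
  </item>
"""


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _item(raw_request: str) -> str:
    """Wrap one raw request in the export's <item> element."""
    method, path = raw_request.split(" ", 2)[:2]
    host = raw_request.split("\r\nHost: ", 1)[1].split("\r\n", 1)[0]
    return ITEM_TEMPLATE.format(host=host, path=path, method=method,
                                req=_b64(raw_request),
                                resp=_b64("HTTP/1.1 200 OK\r\n\r\n"))


SAMPLE_BURP_XML = (
    '<?xml version="1.0"?>\n'
    '<items burpVersion="2023.1" exportTime="Mon Jan 01 00:00:00 UTC 2024">\n'
    + _item(LOGIN_REQ) + _item(TRANSFER_REQ) + _item(CDN_REQ)
    + "</items>\n"
)


# --- Parsing and checks -----------------------------------------------------
def parse_burp_items(xml_text: str) -> list[dict]:
    """Decode every <item> of a Burp proxy-history export into a request dict."""
    parsed = []
    for item in ET.fromstring(xml_text).iter("item"):
        req_el = item.find("request")
        raw = req_el.text or ""
        if req_el.get("base64") == "true":
            raw = base64.b64decode(raw).decode("latin-1")
        head, _, body = raw.partition("\r\n\r\n")
        request_line, *header_lines = head.split("\r\n")
        method, target = request_line.split(" ", 2)[:2]
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parsed.append({
            "method": method,
            "host": (item.findtext("host") or headers.get("host", "")).strip(),
            "path": target,
            "headers": headers,
            "body": body,
        })
    return parsed


def out_of_scope(requests: list[dict], target_host: str) -> list[dict]:
    """Requests for hosts other than the scan target; remove these before upload."""
    return [r for r in requests if r["host"] != target_host]


def truncated(requests: list[dict]) -> list[dict]:
    """Requests whose captured body does not match the declared Content-Length,
    i.e. the scanner would replay an incomplete form submission."""
    bad = []
    for r in requests:
        declared = r["headers"].get("content-length")
        if declared is not None and len(r["body"]) != int(declared):
            bad.append(r)
    return bad


def carrying(requests: list[dict], value: str) -> list[dict]:
    """Requests whose body contains a specific value, e.g. the valid account
    number from the banking example, to confirm the recording really has it."""
    return [r for r in requests if value in r["body"]]


if __name__ == "__main__":
    reqs = parse_burp_items(SAMPLE_BURP_XML)
    print(f"{len(reqs)} requests in recording")
    for r in out_of_scope(reqs, "bank.example"):
        print("out of scope:", r["method"], r["host"], r["path"])
    for r in truncated(reqs):
        print("truncated body:", r["method"], r["path"])
    for r in carrying(reqs, "FI2112345600000785"):
        print("carries account number:", r["method"], r["path"])
```

The same three checks apply whatever the recording format: strip anything the proxy caught for hosts you are not authorised to scan, make sure each replayed form body is complete, and confirm that the specific inputs the scan needs (here the account number) are actually present. Keep in mind that the file also holds the credentials and session cookie from the recording session, so treat it as sensitive.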