Tenable IO WAS Chrome Extension

In the comments of the previous post about Tenable IO WAS, Fergus Cooney mentioned a new Google Chrome extension for Tenable IO WAS that should help with configuring the scan Authentication settings. You can install it from the Chrome Web Store.

[Screenshot: Tenable IO WAS Chrome App]

The idea is great. The authentication process in modern web applications is often too complicated for web application scanners. It is almost impossible to determine automatically which elements of the web interface should be clicked and where to enter the login and password. So it’s great that we can help the scanner with a Selenium script, and if Selenium IDE is somehow integrated into the scanner, it is even better. With the Tenable.io Web Application Scanning Chrome extension you simply perform the authentication procedure in Chrome once manually, and the recorded script is sent to Tenable IO WAS.

However, the actual implementation of this extension, IMHO, could be better.

How it works

This extension requires Tenable IO authentication. After signing in, you choose the scan:

[Screenshot: Tenable IO WAS Chrome Extension, Create Scan]

A blank script window appears; click Record:

[Screenshot: Tenable IO WAS Chrome Extension, Record Script]

Then perform the authentication procedure in the new window. At the end you get a Selenium script:

[Screenshot: Tenable IO WAS Chrome Extension, Recorded Script]

In the last step, you select a text string that appears on the screen after successful authentication, for example, “login is successful”:

[Screenshot: Tenable IO WAS Chrome Extension, successful login]

The extension then copies the Selenium script to the Scan Authentication settings:

[Screenshot: Tenable IO WAS Selenium Authentication]

Why I think the implementation could be better

Missing Selenium functionality

In fact, what we see is Selenium IDE with some features missing. You can delete commands, but you cannot add new ones through the interface. For comparison, here is the Selenium IDE interface:

[Screenshot: Selenium IDE, Tenable Authentication]

As you can see, it’s much more powerful. However, this restriction of the Tenable Chrome extension IDE might be caused by limitations of the engine Tenable uses to run Selenium scripts. For example, when I created a script in Selenium IDE with the waitForElementVisible command, I could not use it in Tenable WAS because of this error:

An error occurred while processing command #11 from the Selenium script:
‘waitForElementVisible’ is not a supported command. Please check the online documentation for a list of supported commands.

Thus, you should keep in mind that there is a list of supported commands (I could not google it), and not every Selenium script will work. It would be less confusing if Tenable checked this when the script is imported in the scan Authentication settings.

From this point of view, it may be better to use the Tenable Chrome extension, because it does not give you the opportunity to use anything unsupported.

Save, edit, and reuse Selenium script

Another great advantage of Selenium IDE is that it can save scripts to .side files. You can use them in various applications and edit them in Selenium IDE or simply with a text editor. The Tenable extension only replaces the script in the scan policy, and you cannot download it either from the extension GUI or from the Tenable IO interface. So, if something changes in the authentication procedure, you will need to repeat it all from scratch. I do not know why (perhaps it is a bug), but the extension shows the message “No data was found” every time, even when there is a script in the scan configuration. This is inconvenient, to say the least.
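As an added example (not code from this post, from Tenable or from Selenium IDE), here is the kind of pre-import check described above: a small Python script that walks a Selenium IDE .side file and reports every command that is not on an allowlist, so unsupported commands such as waitForElementVisible are caught before the script goes into the scan Authentication settings. The sample .side content and the allowlist contents are assumptions for the demo; the real supported-command list has to come from Tenable's documentation.

```python
import json

# Constructed sample in the shape Selenium IDE exports (.side files are JSON);
# the command names are real Selenium IDE commands, the site and values are made up.
SAMPLE_SIDE = json.dumps({
    "id": "demo", "version": "2.0", "name": "login", "url": "https://app.example.test",
    "tests": [{"id": "t1", "name": "login", "commands": [
        {"id": "c1", "command": "open", "target": "/login", "value": ""},
        {"id": "c2", "command": "type", "target": "id=user", "value": "scanner"},
        {"id": "c3", "command": "type", "target": "id=pass", "value": "s3cret"},
        {"id": "c4", "command": "click", "target": "css=button[type=submit]", "value": ""},
        {"id": "c5", "command": "waitForElementVisible", "target": "id=welcome", "value": "5000"},
        {"id": "c6", "command": "//echo", "target": "disabled in the IDE", "value": ""},
        {"id": "c7", "command": "assertText", "target": "id=welcome", "value": "login is successful"},
    ]}],
})

# Placeholder allowlist (an assumption): the post notes that Tenable's list of
# supported commands is hard to find, so fill this from the vendor documentation.
ASSUMED_SUPPORTED = {"open", "type", "click", "assertText", "pause"}


def unsupported_commands(side_text, supported=ASSUMED_SUPPORTED):
    """Return (test name, 1-based command number, command) for each command
    that is not in the allowlist. Commands disabled in Selenium IDE are stored
    with a '//' prefix and are skipped, since they are not executed."""
    doc = json.loads(side_text)
    findings = []
    for test in doc.get("tests", []):
        for number, cmd in enumerate(test.get("commands", []), start=1):
            name = cmd.get("command", "")
            if name.startswith("//"):
                continue
            if name not in supported:
                findings.append((test.get("name", "?"), number, name))
    return findings


def report(side_text, supported=ASSUMED_SUPPORTED):
    """Format findings the way the scanner's own error reads, but before import."""
    lines = [f"command #{n} in test '{t}': '{c}' is not a supported command"
             for t, n, c in unsupported_commands(side_text, supported)]
    return lines or ["all commands are in the allowlist"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SIDE)))
```

Because the .side file stays on disk, the same check can be rerun after editing the script in a text editor, which is exactly what the extension's import-only flow does not allow.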

Script debugging in Tenable IO

I also had some problems debugging scripts. A Selenium script worked well in the Tenable IO Chrome extension and in Selenium IDE, but it did not work during the scan in Tenable IO WAS, and there were no authentication errors in the scan results. This may be a problem only with my application, but it would be nice to see screenshots in the scan results after each Selenium command, or at least at the end of the scan Authentication part.

In conclusion

But it is still an excellent idea. I hope that Tenable can add

  • a link to the list of supported Selenium commands;
  • the ability to export the script from the Tenable WAS Chrome extension and/or the Tenable WAS GUI;
  • more information about the authentication process in the scan results.

Then it will be awesome. 🙂
