The last post was about SikuliX. It’s fair to say that it’s not optimal for web applications automation. For such applications, it’s better to use something, that will natively work with your web-browse. The first solution that comes to mind is, of course, Selenium.
Selenium is a portable software-testing framework for web applications. Selenium provides a record/playback tool for authoring tests without the need to learn a test scripting language.
This app is released under the Apache 2.0 license and is a very common tool for Quality Assurance (QA). It can be also used in Information Security. For example, you can upload Selenium scripts in Qualys WAS (Web Application Scanner) to help scanner in performing some complex operations, for example in authentication on the website.
Selenium is available in a form of two products: Selenium WebDriver for some hardcore automation and web-browser plugin Selenium IDE, which will help you to create and run scripts. I chose Selenium IDE.
Not so long time ago Gartner’s report “Vulnerability Management an essential piece of the security puzzle” has become publicly available. Now you can read it for free by filling out a questionnaire on F-Secure website.
Talking about the document, I would like, firstly, to thank Gartner. Do you know who writes most articles about VM? Of course, VM vendors. And we all understand that their main goal is to promote their own products. Reports of independent consulting firms, primarily IDC, Forrester and Gartner, allow us to get some balanced view from the side. It is very important.
Here I would like to comment some theses of the text.
I have already wrote earlier how to automatically retrieve data from the Vulners.com vulnerability database: if you need objects of some particular type, it’s better use Collection API, if you want to get different types of objects using advanced queries, your choice is Search API v.3.
But what if we want to get, not all the objects, but only new or modified ones in a some date range? How can we do it in Vulners?
Each object in Vulners (vulnerability, patch, bulletin, etc.) has a publication date, and modification date. You can see it if you open some Vulners object in json format, for example CVE-2017-6301:
This post I will publish in the API section of my blog. However, it is about the situation when there application has no API. Let’s suppose that we have to use in our work some graphical application or web-service. And unfortunately we need constantly repeat some very routine and annoying operations in it. This often happens if the application developers have not thought enough about the real-life cases their end-users will deal with. What can we do in such scenario?
First of all, look maybe there is an open and documented API
If there is no API, and it is an installed application, maybe you can use it in a console mode
If it is a web-service, maybe you can figure out how it works and how to automate it using tools like Firebug
But sometimes it is impossible to do anything at all. And it is even more sad, if this routine task is really elementary and you can easily explain the logic: what menu to choose, what button to push, where you should enter text and so on.
At this point, you just spit on all and use your last resort – SikuliX.
With this tool, you can automate everything. It doesn’t matter if it is a web-service or a GUI application, what operating system it uses and so on. That’s all because SikuliX is working at the highest level. In fact, it just makes screenshots, analyses them as images, trying to find graphical elements that it should somehow use.
Tenable.io VM is obviously based on Nessus Cloud, which in its turn had features similar to Nessus Manager briefly reviewed earlier. So, today I want to concentrate only on new features.
According to the public interface screenshots and Tenable.io datasheets, it will have some new dashboards and reports, free integration with PVS and Nessus deployed on-premise, and something very new in asset management.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at firstname.lastname@example.org or contact me any other way.