![]() ![]() In Postman, you can go to Settings by clicking the gear icon in the upper right, and then clicking into the proxy settings. The first step is to set up your proxy settings. Here is a video running through setup using the InsightAppSec Toolkit. You could alternately use the Rapid7 Insight AppSec Toolkit, to record the traffic as well. We will use Postman to send the API request to the web app and Burp Suite to record the traffic. ![]() The main difference you’ll encounter when using the Hackazon web app is the API authentication does not have a UI, therefore we must record and pass a traffic file for InsightAppSec to authenticate. ![]() If you want to configure your own Hackazon instance, details around installation and setup can be found here.Īlternatively, there are free public test sites you can use instead, such as this one. Automating this process using token replacement will save you time and effort in the long run, especially if you have multiple apps you need to generate tokens for.įor this example, we will be using the Rapid7 Hackazon web app. While this is the easiest way to set up this form of authentication, unless you generate a token that will not expire, you will have to replace this token every scan. Under Custom Options > HTTP Headers > Extra Header, you can manually pass an authentication token to your web app. Such as:Authorization: Bearer Token Token Replacement? is replaced with the value captured by ExtractionTokenLocation.Īny string. The format in which the token should be sent to the web app. Where the captured token should be injected. Anything placed in brackets can be returned in the InjectionTokenRegex using regex, such as:"token": ?"(*)"access_token": ?"(+)"sessionId=(*) Request HeaderRequest BodyRequest URLResponse HeadersResponse Body Where the token you want to extract is located. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |