Last updated at Tue, 12 Dec 2023 19:11:10 GMT

There are many different ways to authenticate to web applications with InsightAppSec, but sometimes you need to dig into the advanced settings to fully automate your login, especially with API scanning. Today, we will cover one of those advanced settings: token replacement.

InsightAppSec token replacement can be used to capture and replay bearer authentication tokens, JWT authentication tokens, or any other type of session token.

The token replacement values are under your scan configs in the following location: Custom Options > Advanced > AuthConfig > TokenReplacementList

When you press Add, the following values can be set.

| Name | Description | Possible Values |
| --- | --- | --- |
| ExtractionTokenLocation | Where the token you want to extract is located. | URL, Response Headers, Response Body |
| ExtractionTokenRegex | Regex used to extract the token. Anything inside the parentheses (capture group 1) is what @token@ returns in the InjectionTokenRegex. | Any regex, such as: `"token": ?"([^"]*)"`, `"access_token": ?"([-a-f0-9]+)"`, `[?]sessionId=([^&]*)` |
| InjectionTokenLocation | Where the captured token should be injected. | Request URL, Request Headers, Request Body |
| InjectionTokenRegex | The format in which the token should be sent to the web application. @token@ is replaced with the value captured from the ExtractionTokenLocation. | Any string; @token@ is replaced with the captured value. For example: `Authorization: Bearer @token@`, `Authorization: Token @token@`, `&sessionId=@token@` |


Why Token Replacement?

Under Custom Options > HTTP Headers > Extra Header, you can manually pass an authentication token to your web app. While this is the simplest way to set up this form of authentication, unless you generate a token that will not expire, you will have to replace this token every scan. In the long run, automating this process with token replacement will save you time and effort, especially when you need to generate tokens for multiple applications.

For this example, we will be using the Rapid7 Hackazon web app. If you want to configure your own Hackazon instance, details around installation and setup can be found here.

Alternatively, you can use a free public test site such as this one.

The main difference you will encounter with the Hackazon web app is that there is no UI for the API authentication, so we must record a traffic file and pass it to InsightAppSec to authenticate with.

We will use Postman to send the API request to the web app and Burp Suite to record the traffic. You could alternatively use the Rapid7 Insight AppSec Toolkit to record the traffic. Here is a video of the setup being run with the InsightAppSec Toolkit.

The first step is to set up your proxy settings. In Postman, click the gear icon in the top right corner to open Settings, then click into the proxy settings. We set the proxy server to "localhost" and change the port to "5000".


After setting the proxy in Postman, you must set it up in Burp Suite. In Burp, go to the Proxy tab and click Proxy settings. Next, add a proxy listener on port 5000 to match the setting in Postman. Then, set the interface to Loopback Only.


Back in Postman, add Basic Authentication and send the traffic. In Burp, click the HTTP History tab, right-click the captured traffic, and click "Save Item". Make sure you save the traffic as an XML file.


You can also record the traffic using the Rapid7 Insight AppSec Plugin, or from within the Chrome browser. Instructions on how to do this are located under Traffic Authentication, or can be found here.


When recording with the Rapid7 AppSec Plugin, make sure the recording includes the bearer authentication or token in the recorded details.


After recording the login, upload the traffic file under Site Authentication. Make sure you also adjust the login regex so that the scan does not fail.


After authenticating to your web application and obtaining the token, the next step is to configure a regex that extracts the token. There are various ways to test a regex, but we will use http://regex101.com/ for this example.

We then take the web app response containing the token, paste it into the website, and configure a regex that selects only the token. In this use case, the expression `"token": ?"([^"]*)` successfully highlights only the information we want to extract. We make sure that only the token is selected in capture group 1, because that is what will be returned when we specify @token@ under InjectionTokenRegex.

Next, we want to configure the TokenReplacementList.

| Name | Value | Reason |
| --- | --- | --- |
| ExtractionTokenLocation | Response Body | The token appeared in the body after authenticating |
| ExtractionTokenRegex | `"token": ?"([^"]*)` | This successfully isolated the auth token |
| InjectionTokenLocation | Request Header | Where the web app is expecting the token |
| InjectionTokenRegex | `Authorization: Token @token@` | The header format the web app is expecting |
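To see what these four settings do before committing them to a scan config, the following added example (not code from the post, Rapid7, or InsightAppSec) simulates the replacement in Python: it runs each ExtractionTokenRegex from the settings table against a constructed sample response, takes capture group 1 as the @token@ value, and substitutes it into an InjectionTokenRegex. The response bodies, URL, and token values are constructed for the demo, and `extraction_problems` is the pre-flight check you would otherwise do by hand on regex101: a regex with no capture group, or whose capture group sits before the opening quote and therefore matches an empty string, authenticates fine but never injects anything.

```python
import re

# Constructed sample data for the demo (not responses from Hackazon or the post).
LOGIN_RESPONSE_BODY = '{"user":"alice","token":"4f8a2c9e-0b1d-4c6e-9a7b-2d3e4f5a6b7c","expires":3600}'
OAUTH_RESPONSE_BODY = '{"access_token":"deadbeef-0123-4567-89ab-cdef01234567","token_type":"bearer"}'
REDIRECT_URL = "https://app.example.test/home?sessionId=abc123def&lang=en"


def extraction_problems(extraction_regex, source):
    """Pre-flight check of an ExtractionTokenRegex against a sample response.

    Returns a list of problems; an empty list means capture group 1 yields a
    usable @token@ value.
    """
    try:
        pattern = re.compile(extraction_regex)
    except re.error as exc:
        return [f"invalid regex: {exc}"]
    if pattern.groups < 1:
        return ["no capture group: @token@ would have nothing to return"]
    match = pattern.search(source)
    if match is None:
        return ["regex does not match the sample response"]
    if not match.group(1):
        return ["capture group 1 matched an empty string"]
    return []


def extract_token(extraction_regex, source):
    """Return capture group 1, the value that replaces @token@."""
    problems = extraction_problems(extraction_regex, source)
    if problems:
        raise ValueError("; ".join(problems))
    return re.search(extraction_regex, source).group(1)


def inject_token(injection_regex, token):
    """Apply the InjectionTokenRegex: @token@ is replaced with the captured value."""
    return injection_regex.replace("@token@", token)


def replay_header(extraction_regex, source, injection_regex):
    """Extract from one response and build the header the next request would carry."""
    header_line = inject_token(injection_regex, extract_token(extraction_regex, source))
    name, _, value = header_line.partition(":")
    return {name.strip(): value.strip()}


def demo():
    """Run the three extraction patterns from the settings table end to end."""
    return {
        # JSON body token, injected as a Token header (the Hackazon case)
        "json_token": replay_header(r'"token": ?"([^"]*)"', LOGIN_RESPONSE_BODY,
                                    "Authorization: Token @token@"),
        # OAuth-style access_token, injected as a Bearer header
        "bearer": replay_header(r'"access_token": ?"([-a-f0-9]+)"', OAUTH_RESPONSE_BODY,
                                "Authorization: Bearer @token@"),
        # session id read from a URL, re-sent as a query parameter
        "url_session": inject_token("&sessionId=@token@",
                                    extract_token(r"[?]sessionId=([^&]*)", REDIRECT_URL)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # A capture group placed before the opening quote captures an empty string:
    print(extraction_problems(r'"token": ?([^"]*)', LOGIN_RESPONSE_BODY))
```

Run the script with the real login response pasted into `LOGIN_RESPONSE_BODY` and the regex you intend to save; if `extraction_problems` returns anything, fix the regex before uploading the scan config rather than waiting for a failed scan.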



Make sure you upload the Swagger API file. You can either upload the file or point InsightAppSec at a specific URL. You can optionally restrict the scan to only the Swagger file for a more targeted scan.

To confirm it worked, click "Download Additional Logs" on the Scan Logs page after the scan completes, and open the "Operation Log" file. You are looking for the log entry "[good]: Added imported token from response body". Once you see this, you know the token was imported correctly into the scan and can be used to log in to the API.

For further testing, you can view the vulnerability traffic requests to ensure the Authorization: Token header was passed successfully.


To detect when the token has expired, you can modify the sessionLossRegex and sessionLossHeaderRegex under Authentication > Additional Settings, or use a CanaryPage if one has been set up. When configured correctly, token replacement will grab the token again, ensuring the scan stays logged in to your API.
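The following added example (not code from the post or from InsightAppSec) shows in Python how a body regex and a header regex of the kind used for sessionLossRegex and sessionLossHeaderRegex drive re-authentication: a constructed sequence of scan responses is walked, each response is checked against both regexes, and whenever session loss is detected a fresh token is pulled from the next constructed login response. The regex values, the response bodies and headers, and the token values are all assumptions for the demo; the post does not give Hackazon's.

```python
import re

# Assumed regex values for this demo; the post does not give Hackazon's.
SESSION_LOSS_REGEX = r'"error": ?"(?:Unauthorized|Token expired)"'   # sessionLossRegex
SESSION_LOSS_HEADER_REGEX = r"^WWW-Authenticate: ?Token"              # sessionLossHeaderRegex
EXTRACTION_REGEX = r'"token": ?"([^"]*)"'                             # ExtractionTokenRegex

# Constructed responses the scanner might see during a crawl (not real traffic).
SCAN_RESPONSES = [
    {"status": 200, "headers": {}, "body": '{"products":[]}'},
    {"status": 401, "headers": {}, "body": '{"error":"Token expired"}'},
    {"status": 200, "headers": {}, "body": '{"products":[]}'},
    {"status": 401, "headers": {"WWW-Authenticate": "Token"}, "body": ""},
    {"status": 200, "headers": {}, "body": '{"cart":[]}'},
]
# Constructed login responses, one per (re)authentication.
LOGIN_BODIES = ['{"token":"tok-initial"}', '{"token":"tok-second"}', '{"token":"tok-third"}']


def session_lost(response):
    """True if either session-loss regex matches the response."""
    if re.search(SESSION_LOSS_REGEX, response["body"]):
        return True
    # Header regexes are matched against "Name: value" lines, one header at a time.
    for name, value in response["headers"].items():
        if re.search(SESSION_LOSS_HEADER_REGEX, f"{name}: {value}"):
            return True
    return False


def extract_token(login_body):
    """Capture group 1 of the ExtractionTokenRegex is the new @token@ value."""
    match = re.search(EXTRACTION_REGEX, login_body)
    if match is None or not match.group(1):
        raise ValueError("login response did not contain a token")
    return match.group(1)


def simulate(responses, login_bodies):
    """Walk the responses, re-authenticating whenever session loss is detected.

    The trace records, per response, the token the request carried and whether
    session loss was seen; the token is refreshed before the next request.
    """
    logins = iter(login_bodies)
    token = extract_token(next(logins))
    trace, reauths = [], 0
    for response in responses:
        lost = session_lost(response)
        trace.append((token, lost))
        if lost:
            token = extract_token(next(logins))
            reauths += 1
    return {"final_token": token, "reauths": reauths, "trace": trace}


if __name__ == "__main__":
    for step in simulate(SCAN_RESPONSES, LOGIN_BODIES)["trace"]:
        print(step)
```

Keep the session-loss regexes specific to the application's actual expiry response: a regex that also matches an ordinary error body (for example a generic `"error"` key on a 404) would trigger a re-login on every such page and inflate scan time.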

More information on configuring scan authentication can be found here. If in doubt, contact your web application developers and/or Rapid7 Support for assistance.