Vex records the communication between a client and a target server and performs its scan based on that recording.
Therefore, Vex can scan any part of an application where HTTP communication actually occurs.
However, some target applications require specific settings because of how they are built.
For more details, see the individual links below.
[Basic requirements for Vex scan]
1. The target site must use the HTTP protocol for communication
*Vex does not support access through IPv6 addresses; set up a domain name if you want to scan such a host.
2. The target site must be accessible through a proxy
*For example, Vex cannot perform a scan when the client application verifies server certificates and does not trust the Vex CA.
3. The request body must be in HTML, SOAP (XML data), or JSON format.
*Request bodies in any other format cannot be scanned.
[Features, plug-ins, and site specifications for Vex scan]
1. WebSocket
Vex scans the communication that an application using WebSockets performs while establishing the connection (the handshake).
*Vex cannot scan communication exchanged after the connection is established.
For hosts using WebSocket, see "Setting for scanning a target using WebSocket" to set up the target information.
2. REST Web Services
Vex scans the parts where communication with the web server occurs.
*Vex does not scan processing that is completed on the client side, because no communication is generated there.
3. Sites using external authentication (SSO, etc.)
For details on the settings, see "Setting for scanning sites using external authentication (SSO, etc.)".
4. ActiveX Control
Vex scans the parts where communication with the web server occurs.
5. Adobe Flash Player
Vex scans the parts where data is sent from an entry field in Flash to the target server.
*Vex scans Flex requests in text-based formats such as XML, but cannot scan requests in the AMF binary format.
6. Sites with an upload function in the entry form
If you upload a file through the entry form in your browser while recording the proxy log, Vex reproduces that upload in the same way during the scan.
We recommend uploading as little data as possible.
*Vex cannot scan binary data (images, PDFs, etc.), because by design the content of such a response cannot be analyzed or reproduced correctly.
Vex does not scan requests with the following specifications.
[Specifications to which Vex scan is NOT applicable]
1. When the request body is in a non-multipart binary format
Ex: AMF (Action Message Format) in Flash, etc.
2. When the response body is in a binary format (data with extensions such as jpeg, pdf, etc.)
Ex: Screens that generate or return image data, PDF data, etc.
*Note that the request/response headers and paths can still be scanned even in cases 1 and 2 above.
3. When the target has a function that requires human interaction
Ex: CAPTCHA, multi-factor authentication (RSA one-time token, online banking, etc.)
4. When a large number of handover parameters are required at the transition
*The upper limit differs depending on the Handler you use.
5. When the session is disconnected after a password is changed
6. Login functions using IC cards
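To decide up front which recorded exchanges a scan will cover in full and which fall under the header-and-path-only or handshake-only cases listed above, a short triage pass over the recorded traffic is useful. The following is an added example and is not part of Vex or of this documentation: it applies the body-format rules from this page to a constructed list of request/response header pairs. The entry layout, the media-type lists, the 1 MiB upload threshold and the function names are assumptions made for illustration, not Vex's real proxy-log format or settings.

```python
# Added example (not Vex code): classify recorded exchanges against the
# scan-applicability rules described above. Log entries are constructed.
from typing import Dict, List, Tuple

# Request body types treated as scannable (HTML form, SOAP/XML, JSON).
SCANNABLE_REQUEST_TYPES = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
    "text/xml",
    "application/xml",
    "application/soap+xml",
)
# Non-multipart binary request bodies (AMF is the page's example).
BINARY_REQUEST_TYPES = ("application/x-amf", "application/octet-stream")
# Binary response bodies (images, PDFs, ...) whose content is not analyzed.
BINARY_RESPONSE_PREFIXES = ("image/", "application/pdf", "application/octet-stream")
# Assumed threshold above which a multipart upload is flagged as "large".
LARGE_UPLOAD_BYTES = 1024 * 1024


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def _media_type(headers: Dict[str, str]) -> str:
    """Lowercase media type of Content-Type without parameters (charset, boundary)."""
    return _header(headers, "Content-Type").split(";", 1)[0].strip().lower()


def classify(entry: Dict) -> Tuple[str, str]:
    """Return (scope, reason) for one recorded exchange.

    scope is one of:
      "full"             - request body format is scannable
      "headers-and-path" - one side's body is binary; only headers and path are scanned
      "handshake-only"   - WebSocket upgrade; frames after the handshake are not scanned
      "unsupported-body" - request body in a format outside the scannable list
    """
    req = entry["request_headers"]
    resp = entry["response_headers"]
    if _header(req, "Upgrade").lower() == "websocket":
        return "handshake-only", "WebSocket: only the handshake is scanned"
    req_type = _media_type(req)
    resp_type = _media_type(resp)
    body_len = int(_header(req, "Content-Length") or 0)
    if body_len > 0 and req_type in BINARY_REQUEST_TYPES:
        return "headers-and-path", f"request body is non-multipart binary ({req_type})"
    if body_len > 0 and req_type not in SCANNABLE_REQUEST_TYPES:
        return "unsupported-body", f"request body format not scannable ({req_type or 'unknown'})"
    if resp_type.startswith(BINARY_RESPONSE_PREFIXES):
        return "headers-and-path", f"response body is binary ({resp_type})"
    if req_type == "multipart/form-data" and body_len > LARGE_UPLOAD_BYTES:
        return "full", f"multipart upload of {body_len} bytes will be replayed; keep uploads small"
    return "full", "request/response formats are scannable"


# Constructed sample log, not real traffic.
SAMPLE_LOG: List[Dict] = [
    {"method": "POST", "path": "/api/login",
     "request_headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "42"},
     "response_headers": {"Content-Type": "application/json"}},
    {"method": "POST", "path": "/gateway",
     "request_headers": {"Content-Type": "application/x-amf", "Content-Length": "512"},
     "response_headers": {"Content-Type": "application/x-amf"}},
    {"method": "GET", "path": "/report/123.pdf",
     "request_headers": {},
     "response_headers": {"Content-Type": "application/pdf"}},
    {"method": "GET", "path": "/ws",
     "request_headers": {"Upgrade": "websocket", "Connection": "Upgrade"},
     "response_headers": {}},
    {"method": "POST", "path": "/upload",
     "request_headers": {"Content-Type": "multipart/form-data; boundary=xyz", "Content-Length": "3000000"},
     "response_headers": {"Content-Type": "text/html"}},
]


def triage(log: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Produce (method, path, scope, reason) rows for a whole recorded log."""
    return [(e["method"], e["path"], *classify(e)) for e in log]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Running the script lists each recorded request with its scope, so entries that will only get header/path coverage or none at all can be reviewed before the scan is started rather than discovered from its results.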