Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/flabbergastedbd/pocuito
A tiny chrome extension to record and replay your web application proof-of-concepts.
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/flabbergastedbd/pocuito
- Owner: flabbergastedbd
- License: other
- Created: 2016-11-17T21:29:40.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2016-12-01T10:32:21.000Z (about 8 years ago)
- Last Synced: 2024-11-09T05:02:42.974Z (2 months ago)
- Language: JavaScript
- Homepage:
- Size: 127 KB
- Stars: 20
- Watchers: 1
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-network-stuff - **20** stars - of-concepts. (Replay)
README
![Pocuito](/extension/images/icons/icon128.png)
# Pocuito
A tiny chrome extension to record and replay your web application proof-of-concepts. Replaying PoCs from steps written in a bug tracker is a pain
most of the time, so just record the PoC, distribute it and replay it whenever necessary without much hassle.
### Use Cases
+ To avoid developers wasting your time when they are unable to reproduce your issues, just send them the json file and let them go through step by step.
+ To share your shiny new web vulnerabilities with your colleagues.
+ To simplify verification of a bug fix by just replaying the poc.
### Installation
+ Download & Install from [here](https://github.com/tunnelshade/pocuito/releases)
+ Start python proxy if planning on using tampering or asserting functionality.
or
+ Clone the repository
+ Install bower dependencies `bower install`
+ Setup proxy
+ Open Chrome extension settings
+ Enable developer mode checkbox
+ Click on load unpacked extension and browse to root extension directory
### Proxy Setup
+ Install pip requirements ``pip install -r proxy/requirements.txt``.
+ Start proxy server ``python proxy.py --uuid some_random_string`` (proxy url = ``http://:8888/some_random_string``)
+ For more customizations look into ``python proxy.py --help``.
+ It will print a url to the console which will be used in the addon.
### Usage
Set up the proxy, put that url in the addon and wait a moment or two so that the addon can verify it. Let us take an example of a
poc of XSS in chrome.
+ Let's navigate to ``testphp.vulnweb.com``.
+ Let us click on the extension and add an event called start proxy (`testphp` as url filter) so that responses can be tampered with later.
+ Once the proxy event is added, let us disable the XSS auditor by adding an add response header event and filling the first row with `X-XSS-Protection` and `0`.
+ Click on record user actions to record our search actions.
+ Now, we will click on the search, search for `` and click on the button `Go`.
+ When we open the popup we will see multiple click and change events made by us. Stop user event recording by clicking on `Pause Recording Events`.
+ Since our required capture is done, we will add a stop proxy event.
+ If necessary, add comments to each step, e.g. click on the first step's cursor button and add the comment `Navigate to https://testphp.vulnweb.com and then play`.
To replay any step just select a step and click on **Play Step**.
More Docs: [Events](/docs/events.md), [Buttons](/docs/buttons.md)
### Known Issues
+ User input events like `return` on input fields are not being recorded as events yet. Only click and change events are being monitored now.
### Roadmap
#### v0.2
+ Move to typescript or coffeescript?
+ Add Unit Tests?
+ Add to webstore?
### Author
Bharadwaj Machiraju
The main reason for writing this extension is to learn MarionetteJS. Maybe learn more stuff like TypeScript or CoffeeScript in further development.