A tiny chrome extension to record and replay your web application proof-of-concepts.
JavaScript Python HTML Other
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

Pocuito

Pocuito

A tiny chrome extension to record and replay your web application proof-of-concepts. Replaying PoCs from bug tracker written steps is a pain most of the time, so just record the poc, distribute and replay it whenever necessary without much hassle.

Use Cases

  • To avoid developers wasting your time when they are unable to reproduce your issues, just send them the json file and let them go through step by step.
  • To share your shiny new web vulnerabilities with your colleagues.
  • To simplify verification of a bug fix by just replaying the poc.

Installation

  • Download & Install from here
  • Start python proxy if planning on using tampering or asserting functionality.

or

  • Clone the repository
  • Install bower dependencies bower install
  • Setup proxy
  • Open Chrome extension settings
  • Enable developer mode checkbox
  • Click on load unpacked extension and browse to root extension directory

Proxy Setup

  • Install pip requirements pip install -r proxy/requirements.txt.
  • Start proxy server python proxy.py --uuid some_random_string (proxy url = http://<ip>:8888/some_random_string)
  • For more customizations look into python proxy.py --help.
  • It will print a url to the console which will be used in the addon.

Usage

Setup the proxy and put that url in the addon and wait a moment or two so that addon can verify. Let us take an example of a poc of XSS in chrome.

  • Let's navigate to testphp.vulnweb.com.
  • Let us click on the extension and add an event called start proxy (testphp as url filter) to tamper responses later.
  • Once the proxy event is added, let us disable XSS auditor by adding event add response header & fill the first row with X-XSS-Protection and 0.
  • Click on record user actions to record our search actions.
  • Now, we will click on the search, search for <img src=x onerror='alert(9);'/> and click on the button Go.
  • When we open the popup we will see multiple click and change events made by us. Stop user event recording by clicking on Pause Recording Events.
  • Since our required capture is done, we will add stop proxy event.
  • If necessary add comments to each step, eg: Lets click on the first step cursor button and add comment Navigate to https://testphp.vulnweb.com and then play.

To replay any step just select a step and click on Play Step.

More Docs: Events, Buttons

Known Issues

  • User input events like return on input fields is not being recorded as an event yet. Only click and change events are being monitored now.

Roadmap

v0.2

  • Move to typescript or coffeescript?
  • Add Unit Tests?
  • Add to webstore?

Author

Bharadwaj Machiraju

The main reason for writing this extension is to learn MarionetteJS. May be learn more stuff like TypeScript or CoffeScript in the further development.