Knowledge Base



AppSpider: Unable to Complete Scan due to Long Running Time [Amachi Lewis]

The Problem: So far, the scan takes several days to complete. During this time, if the PC is inactive for too long, it locks the PC. This will cause the session with the AppSpider server to end, thus closing AppSpider itself and subsequently ending the scan prematurely.

Environment: We have an AppSpider Pro license. AppSpider is housed on a VM running Windows 2012 R2. I remote in to this server using my own login and run the scan.

Actions tried: If I do this from my regular PC, my remote session ends after I lock my PC to leave my desk. If I do this from a special I have set up for this purpose, the same will happen when the PC locks due to inactivity. If I disable the lock screen, it seems to be a viable workaround, but the PC is easily interfered with and lock screen countermeasures are not 100% reliable. Additionally, leaving myself logged into an unlocked PC, even if it is secured in a limited access room, is undesirable.

We run the scan as a Windows scheduled task; however, since we are Pro users and not Enterprise users, we don't have any monitoring access besides opening the AppSpider application itself. This leaves us with no choice but to sit and wait on an output to be created. However, whenever we decide to check on generated results, if nothing is there we won't know if the scan has failed, is in a paused status, or is still running. The only option we haven't tried is building a physical machine capable of housing and running AppSpider that can be logged into directly.

So finally, my question to the AppSpider Pro community is: have any of you run into this kind of problem, and if so, how have you resolved it? If you have not had this difficulty, how does your configuration differ from mine? Any recommendations or suggestions would be greatly appreciated.

Posted by Stephanie Coyle about a year ago


How to generate comprehensive Selenium variable name for complex HTML elements

I am trying to develop my own Selenium Page Object Generator, but I have encountered a problem where I have to generate meaningful names for web elements. I know I can do this for "normal" elements: grab the HTML element, get the ID or class, and then turn the extracted ID into a normal variable name. For example:

```html
<input type="text" name="username" size="10">
```

Here I can extract the "name" attribute and generate the variable name userName. But let's say that there are more complex HTML elements now (a link, for example). For example: open Google and type: selenium features and limitations. When I inspect the first link, it looks horrible and complex:

```html
<a href="/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;uact=8&amp;ved=0ahUKEwiZi6z3i6PWAhWnKJoKHVUVBM8QFggkMAA&amp;;usg=AFQjCNEFZcVJn3i-IJijiF8WqyCh86K-_A" onmousedown="return rwt(this,'','','','1','AFQjCNEFZcVJn3i-IJijiF8WqyCh86K-_A','','0ahUKEwiZi6z3i6PWAhWnKJoKHVUVBM8QFggkMAA','','',event)" data-href="">What are the Advantages and Disadvantages of Selenium ? - Software ...</a>
```

Exactly how am I supposed to generate a comprehensive page object variable name from that? Is there some sort of algorithm?

Posted by soujanya about a year ago


Nexpose: Nexpose Agent Review [Matthew Prouse]

So I recently installed the agent on a system and gave it a go. I know it is Beta...but I wanted to address the items I saw in case they aren't being addressed...Please add your own experience or feedback to help me and others get better acquainted...

1) I like the idea this is for mobile systems like laptops that can check in from outside... What I need is a way to use this agent on systems internally that are "off limits" to scanning for one reason or another and ensure the data is not traversing the "cloud" but proxying directly to the on prem console. I can already see this will not get approved by my Risk team without a full blown evaluation of how the data traverses.

2) The data is already internal credential scan and the external agent data is not even close to matching. From vulnerabilities, software installed, users, groups, etc. This will cause all kinds of confusion around remediation and compliance if we applied this to other systems.

3) I have multiple security consoles in my environment...I see it matters which Nexpose Now dashboard I pull the install package from to build its relationship with that agent's cert. No big deal, I just thought this would be configurable to point an agent at a particular Console/Nexpose Now dashboard.

4) Also, just looking at my basic system build, the agent is the 4th largest consumer of memory. As we add other applications and move this to production I will look to see if that impacts our final builds.

I am sure I will have more but for now this is my initial feedback.

Posted by Edward Sheehy about a year ago


Nexpose: SQL Query Export: Convenient Technique to Join Site Name to Assets [jaldridge]

One idiom that I've been having to use over and over again involves showing assets with their site names. But this involves joining three tables, and I'd like to share a notational technique to make this more manageable.

Note that I've been meaning to post a rant that the intermediate table, `dim_site_asset`, did not need to be a part of the design (as such tables are usually only justified when there is a many-to-many relationship, which this is not). However, as much time as I've been pondering the issue, I've found a notational convenience that alleviates some of my frustration.

Having learned my early SQL skills on old systems and primitive embedded systems, I have been conditioned over the years to do everything the hard way, with lots of repeated/redundant SQL code. And since it's become apparent that modern SQL has cured much of that old coding malaise, I've been putting myself through a crash course to make the most of modern SQL features permitted through the NeXpose reporting interface. So, if you're new to SQL or if you're suffering from lots of ancient SQL habits, you might find this useful and time saving.

The key to the trick is in how `SELECT *` works in a join. The following simply adds the column `site_id` to the table `dim_asset`:

```sql
SELECT *
FROM dim_asset
JOIN dim_site_asset USING (asset_id)
```

This can then be used and re-used as a defined sub-query in the `WITH` block. Add to this a narrowed definition of the table `dim_site`, and you can use the same trick again to add in only the site name.

```sql
WITH dim_asset_site AS (
    -- dim_asset plus the site_id column
    SELECT *
    FROM dim_asset
    JOIN dim_site_asset USING (asset_id)
),
dim_site_name AS (
    -- dim_site narrowed to the join key and the name
    SELECT site_id, name AS site_name
    FROM dim_site
)
SELECT *
FROM dim_asset_site
JOIN dim_site_name USING (site_id)
```

To go ahead and make the whole thing reusable:

```sql
WITH dim_asset_site AS (
    SELECT *
    FROM dim_asset
    JOIN dim_site_asset USING (asset_id)
),
dim_site_name AS (
    SELECT site_id, name AS site_name
    FROM dim_site
),
dim_asset_site_name AS (
    -- every dim_asset column plus site_id and site_name
    SELECT *
    FROM dim_asset_site
    JOIN dim_site_name USING (site_id)
)
SELECT *
FROM dim_asset_site_name
```

For the number of times that I've joined site names to assets, this is certainly a technique I would like to have known about from the start, but I'm very happy to have learned that modern SQL has eliminated some of the nonsense that had existed way back in ancient history.

Posted by Edward Sheehy about a year ago
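
The `USING` behaviour the post above relies on can be checked offline. The following is an added example, not part of the original post: it runs the post's final query in an in-memory SQLite database, which stands in for the PostgreSQL-based reporting interface, and compares the first join with its `ON` form. The three tables are cut down to a few columns and all rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; the tables are reduced to the columns the post's
# queries touch (assumption: the real reporting tables carry more columns).
SCHEMA = """
CREATE TABLE dim_asset (asset_id INTEGER, ip_address TEXT, host_name TEXT);
CREATE TABLE dim_site_asset (site_id INTEGER, asset_id INTEGER);
CREATE TABLE dim_site (site_id INTEGER, name TEXT, description TEXT);
INSERT INTO dim_asset VALUES (1, '10.0.0.5', 'web01'), (2, '10.0.0.9', 'db01');
INSERT INTO dim_site_asset VALUES (10, 1), (20, 2);
INSERT INTO dim_site VALUES (10, 'DMZ', 'edge hosts'), (20, 'Core', 'internal');
"""

# First join from the post: USING merges the shared key into one column.
USING_JOIN = "SELECT * FROM dim_asset JOIN dim_site_asset USING (asset_id)"

# Same join written with ON: asset_id is returned once per table.
ON_JOIN = ("SELECT * FROM dim_asset JOIN dim_site_asset "
           "ON dim_asset.asset_id = dim_site_asset.asset_id")

# The post's reusable form; only the ORDER BY is added for stable output.
POST_QUERY = """
WITH dim_asset_site AS (
    SELECT * FROM dim_asset JOIN dim_site_asset USING (asset_id)
),
dim_site_name AS (
    SELECT site_id, name AS site_name FROM dim_site
),
dim_asset_site_name AS (
    SELECT * FROM dim_asset_site JOIN dim_site_name USING (site_id)
)
SELECT * FROM dim_asset_site_name ORDER BY asset_id
"""

def run(query):
    """Run a query on a fresh in-memory copy; return (column names, row tuples)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cur = conn.execute(query)
    columns = [d[0] for d in cur.description]
    rows = cur.fetchall()
    conn.close()
    return columns, rows

if __name__ == "__main__":
    for label, query in (("USING", USING_JOIN), ("ON", ON_JOIN), ("post", POST_QUERY)):
        columns, rows = run(query)
        print(label, columns, rows)
```

The order of the columns returned by `SELECT *` over a `USING` join can differ between database engines, so reports that depend on column position should list the columns explicitly in the final `SELECT`.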