I’m pleased to announce that Qualys Browser Recorder 1.2 is now available from the Chrome Web Store. As a reminder, Qualys Browser Recorder (QBR) is a Chrome extension to record Selenium scripts for playback in Qualys Web Application Scanning (WAS). Besides the Chrome browser, QBR can also be installed in Microsoft’s new Chromium-based Edge browser.
With this new release, we’ve added an exciting new feature to QBR enabling WAS to authenticate to web applications that require two-factor authentication (2FA). Modern web applications often use a time-based one-time password (TOTP) for the second factor. If you’ve ever used the Google Authenticator app on your phone, then you’re already familiar with TOTPs. With TOTP a cryptographically secure token (typically 6 digits in length) is generated based on the current time and a secret key. The user enters their token, which is validated on the server side during the authentication process.
In the past, WAS was unable to authenticate to applications that required a 2FA token, but with QBR 1.2 you can create a Selenium login script to authenticate even when the application requires input of a TOTP. The new sendTotp() command is used to provide the configuration values that both QBR and the WAS scan engine need to generate the proper TOTP for your web application. The sendTotp() command must be configured with the hashing algorithm, the number of digits, the time window in seconds, and the secret key. These values are used to generate the correct TOTP for a given point in time. Every time the script is run (either in QBR or by the WAS engine during a scan), the correct TOTP for that moment in time is generated and entered into the form field.
Keep in mind that the system time on the client and the system time on the server need to be approximately the same. If not, the tokens won’t match, and the 2FA will fail.
Other changes in Qualys Browser Recorder 1.2 include:
- A new Source tab, allowing you to edit the raw Selenium script in XHTML format.
- A new About section in the lower pane with a link to the QBR user guide.
- A number of bug fixes.
We hope you find the new features in QBR 1.2 useful. For more information about using the extension, including sendTotp(), please see the Qualys Browser Recorder User Guide.