Researcher Paul Johnston demonstrates how his Replicator tool aims to ease common issues for pen testers

Developers seeking to reproduce issues discovered by pen testers were given a deep dive into PortSwigger's Replicator BApp yesterday at the Black Hat security conference in Las Vegas.

Replicator’s creator, PortSwigger researcher Paul Johnston, explained to delegates that the inspiration for Replicator derived from his frustrations in an earlier job.

“When I was working as a pen tester, I often found it was difficult getting developers to be able to understand the more complex issues,” he said.

After producing a report, he explained: “The recipient would struggle to know what to do with it. You'd get follow-up questions via email, they’d want a conference call to discuss it – it was a problem.”

Johnston added: “What I've found from working with developers is that what they want more than anything is to be able to reproduce an issue on their workstation.”

Replicating issues discovered by pen testers isn't easy, especially when there is complex session logic, when security tools are needed to exploit vulnerabilities, and when tokens are involved.

But the Burp extension Replicator was created in the hope of simplifying the task – easing the process for both pen testers and their clients.

Johnston walked conference delegates through the process, demonstrating how the pen tester can create a Replicator file which contains the findings of their report, including the vulnerability payloads along with session handling rules, Burp configuration, and detection logic.

The file is sent to the developer along with the standard PDF report.

Once the developer has loaded this file, the issues can be quickly reproduced, and different application instances can be tested.

When the application is updated, it can be re-tested for remaining vulnerabilities at the click of a button.

At the conference yesterday, Johnston demonstrated Replicator in various scenarios, including instances with problematic SQL injection and a ‘classic’ cross-site scripting attack, in which the developer has taken a variable from a form parameter and inserted it straight into HTML without any escaping.
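The unescaped-parameter bug and the re-test-after-update workflow described above can be sketched as follows. This is an added example, not Replicator's code or file format; the render functions, the probe string and the build labels are hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed, inert probe: a harmless element with a unique id.
PROBE_ID = "replay-probe-7f3a"
PROBE = f'<i id="{PROBE_ID}">x</i>'

def render_original(name: str) -> str:
    """The bug from the article: form value placed straight into HTML."""
    return f"<html><body><p>Hello, {name}!</p></body></html>"

def render_denylist(name: str) -> str:
    """Incomplete fix: removes one tag name but still emits raw markup."""
    return render_original(name.replace("<script", ""))

def render_escaped(name: str) -> str:
    """Corrected build: HTML-escape the value at output time."""
    return render_original(html.escape(name, quote=True))

class _ProbeFinder(HTMLParser):
    """Records whether the probe was parsed as a real element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "i" and ("id", PROBE_ID) in attrs:
            self.found = True

def reflects_markup(render) -> bool:
    """Detection logic: True if the probe became an element in the response."""
    finder = _ProbeFinder()
    finder.feed(render(PROBE))
    finder.close()
    return finder.found

def retest(builds: dict) -> dict:
    """Re-run the same check against each application build."""
    return {label: "vulnerable" if reflects_markup(r) else "fixed"
            for label, r in builds.items()}

if __name__ == "__main__":
    for label, status in retest({"original": render_original,
                                 "denylist": render_denylist,
                                 "escaped": render_escaped}).items():
        print(f"{label}: {status}")
```

Because the check parses the response and looks for an injected element rather than matching one payload string, the denylist build is still reported as vulnerable and only output escaping passes.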

Johnston showed how each issue could be replicated and solved. He also gave pen testers a step-by-step demonstration of how to create the Replicator file, as well as a look under the hood at how some of Replicator's features work.

Replicator is available to download through the BApp store.