Project 15: InsightAppSec (15 pts)

What You Need

Purpose

Practice using InsightAppSec, Rapid7's cloud-hosted dynamic application security testing (DAST) scanner for Web applications.

Downloading InsightAppSec

In a Web browser, go to

https://www.rapid7.com/try-now

In the "InsightAppSec" section, click the "Free Trial" button, as shown below.

On the next page, fill in the form and click Submit, as shown below.

Check your email. Find the message similar to the one shown below, and click the button to set up your account.

Choose a password and log in.

Scanning a Domain

The insightAppSec web console opens. Close the extra boxes advertising advanced features to reveal the screen shown below.

Click "Scan a Rapid7 domain".

On the "Select a Rapid7 App" page, click "http://webscantest.com", as shown below.

Click the Users button.

On the next page, click "Add New App".

The next page sets up a scan configuration named "recommended-webscantest" for you, as shown below.

In the top right, click the "Scan Now" button. In the drop-down list, click "recommended-webscantest".

At the center left, click Scans. A page shows that there is a scan "Running", as shown at the bottom of the image below.

Refresh the page occasionally. When I did it, it took 15 minutes to finish the scan, as shown below.

Viewing Scan Results

When the scan is complete, click the blue Scan text at the bottom of the page shown in the image above.

The scan results appear, as shown below.

Click the first item, with a Module Name of "Blind SQL". Details of the vulnerability appear, as shown below.
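To make sense of what the "Blind SQL" module is reporting, here is an added example (my own illustration, not code from the project page or from Rapid7) of the boolean-based check a DAST scanner runs against a parameter. It uses a constructed in-memory SQLite catalogue standing in for the webscantest.com backend, a deliberately vulnerable lookup beside a parameterized one, and a probe that appends an always-true and an always-false condition and compares the responses with the unmodified page. The finding is "blind" because no database error is ever shown; the only evidence is that the page content changes when the injected condition is false. The handler names, sample rows and payload strings are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny product catalogue standing in for the target site's backend.
SAMPLE_PRODUCTS = [(1, "Widget"), (2, "Gadget")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def render(rows):
    """Render the 'page' the user sees; it never includes SQL error text."""
    return "Found: " + ", ".join(r[0] for r in rows) if rows else "No product"


def vulnerable_lookup(conn, product_id):
    """Deliberately vulnerable handler (hypothetical): the request parameter is spliced
    into the SQL text, so an injected condition changes which rows come back.
    Errors are swallowed into a generic page, which is what makes the bug blind."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []  # generic failure page, nothing leaks
    return render(rows)


def hardened_lookup(conn, product_id):
    """Hardened handler (hypothetical): the parameter is validated and bound,
    so it can never be parsed as SQL syntax."""
    try:
        pid = int(product_id)
    except ValueError:
        return render([])
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
    return render(rows)


# Payload pairs for a boolean-based blind check. Each pair differs only in whether the
# appended condition is true or false, so the two responses differ only if the input
# actually reaches the SQL parser. The scanner tries a numeric and a quoted-string family
# because it does not know the column type in advance.
PAYLOAD_PAIRS = {
    "numeric": (" AND 1=1", " AND 1=2"),
    "string": ("' AND '1'='1", "' AND '1'='2"),
}


def boolean_blind_probe(handler, conn, base_value):
    """Return the payload family that produced a true/false differential, or None.
    Vulnerable: true-payload page == baseline page, false-payload page != baseline."""
    baseline = handler(conn, base_value)
    for family, (true_p, false_p) in PAYLOAD_PAIRS.items():
        true_resp = handler(conn, base_value + true_p)
        false_resp = handler(conn, base_value + false_p)
        if true_resp == baseline and false_resp != baseline:
            return family
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler:", boolean_blind_probe(vulnerable_lookup, db, "1"))
    print("hardened handler:  ", boolean_blind_probe(hardened_lookup, db, "1"))
```

Run against the vulnerable handler the probe reports the "numeric" family (the quoted-string payloads only cause a swallowed syntax error, so they show no differential); against the parameterized handler every payload is rejected as a non-integer and the probe reports nothing. That pair of outcomes is the signal behind a Blind SQL finding, and the second handler is the shape of the fix.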

Scroll down to the "Description" section. Find the OVAL number for this vulnerability, which is covered by a green box in the image below.

Enter that number into the form below to record your success.


15.1 Recording Your Success (15 pts.)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
OVAL Number:


15.2 Extra Credit: Scan Hackazon (10 pts extra)

Scan the other Rapid7 App, named Hackazon.

There's only one "High" severity vulnerability, as shown below.

Find the "DISSA_ASC" number for that vulnerability, as shown below.


15.3 Recording Your Success (10 pts extra)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
DISSA_ASC Number:


Posted 11-5-18