ReproNow: Triage Assistant

Bug bounty programs (i.e. crowdsourced security) can bring a lot of benefits. Organizations are able to leverage talent from all over the world, while bug hunters can get compensated for submitting bugs and improve their personal reputation within the security community. While all of this is amazing, as security engineers we still have to endure the most painful part of this process – triaging.

The Problem

The amount of information required to understand a bug and reproduce it in today’s complex ecosystems is one of the biggest challenges faced by security engineers. Providing so many pieces of information, like user flows, videos, and requests, is a challenge for bug bounty hunters. This is what we wanted to solve with ReproNow.

What is ReproNow?

ReproNow is an open source browser extension that helps bug bounty hunters and engineers triage quicker and better. The tool captures your screen and the underlying network data and presents them as a video. It also provides a “Previewer” – an interactive UI to view the screen capture and the corresponding network requests in context. The Previewer displays the headers and body of any selected “Request” call and presents the corresponding “Response” headers. Everything happens on the client side. As paranoid as we are as security engineers, the last thing we want to do is trust another server to store the vulnerabilities of various organizations, so everything in this tool is built on the client side.

This tool uses 3 main components:

  1. Screen Capture – Achieved by using chrome.screenCapture (which uses getUserMedia API)
  2. Network Capture – Achieved using getWebRequest API
  3. Export Screen + Network as MKV – Achieved by storing the network information in the attachment section of the MKV using ffmpeg.js/ts-ebml on the client.

For more technical details on how this works, refer to this blogpost.

ReproNow Previewer


Tool Features:

  • Capture screen and network data
  • Option to copy any request as “Curl” or “Raw”
  • Video on local storage
  • Previewer with a clean UI to have all information on one screen
  • Single file with network and screen
  • History on the extension shows the previous videos
  • Host Previewer locally or just go to https://www.repro-now.com/previewer/
  • Lots of options to customize what you want to capture
  • Everything on client side
  • Open Source – Customize and change as you like
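
As an added illustration (not ReproNow's own code), the JavaScript below shows two of the behaviours described above: listing the captured requests that fall near a video position, and copying one of them as “Curl”. The record shape (`t`, `method`, `url`, `requestHeaders`, `body`), the function names and the sample capture are assumptions made for this example; every captured value is single-quoted so that a command pasted by a triager treats it as data.

```javascript
// Added example, not ReproNow's source. The record shape is an assumption
// modelled on chrome.webRequest details (requestHeaders as [{name, value}]).

// Constructed sample capture: t is milliseconds since the recording started.
const capture = [
  { t: 1200, method: "GET", url: "https://app.example.test/profile?id=7",
    requestHeaders: [{ name: "Accept", value: "text/html" }] },
  { t: 4800, method: "POST", url: "https://app.example.test/api/note",
    requestHeaders: [{ name: "Content-Type", value: "application/json" },
                     { name: "X-Note", value: "it's $(id) `here`" }],
    body: '{"text":"hello"}' },
];

// Quote a value for a POSIX shell: wrap it in single quotes and rewrite each
// embedded single quote as '\'' so nothing inside is expanded or executed.
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Render one captured request as a curl command, quoting every captured field.
function toCurl(req) {
  const parts = ["curl", "-X", shQuote(req.method), shQuote(req.url)];
  for (const h of req.requestHeaders || []) {
    // A header containing CR or LF is not a valid header; refuse to export it.
    if (/[\r\n]/.test(h.name + h.value)) throw new Error("CR/LF in header: " + h.name);
    parts.push("-H", shQuote(h.name + ": " + h.value));
  }
  if (req.body !== undefined) parts.push("--data-raw", shQuote(req.body));
  return parts.join(" ");
}

// Requests within windowMs of the video position, for display next to the frame.
function requestsNear(log, videoSeconds, windowMs = 1000) {
  const pos = videoSeconds * 1000;
  return log.filter((r) => Math.abs(r.t - pos) <= windowMs);
}

// Print the curl form of whatever was on the wire around second 5 of the video.
for (const r of requestsNear(capture, 5)) console.log(toCurl(r));
```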

Demo

Go to https://www.repro-now.com/previewer/ and load the demo video.

Get It Now

ReproNow is available on the Chrome Store as an extension. The project “repo” is available on GitHub.

 

Lakshmi Sudheer
Security Researcher
