What are Web Forms?
Many web applications have forms which are used to capture user data. Forms are typically used in create a new account, newsletter sign-up, password reminder, shipping address details and other similar pages. They require the web application visitor to enter information such a phone number, email address or credit card number.
Many of these web forms typically have some basic checks because some of the fields might be mandatory. For example if a user is required to enter his age, the form cannot be submitted if the user enters a non numeric value such as the infamous asdf. Below is an example of a web form, returning an error because the user did not populate the company input field, which is required.
Table of Content
- What are Web Forms?
- Why Does the Netsparker Scanner Need to Traverse Web Forms?
- When Are the Configured Form Values Used?
- Configuring Form Values in Netsparker Web Application Security Scanners
- Examples of How to Configure Form Values in Netsparker
- Option 1: Determine which Input Parameters You Want to Add
- Option 2: Importing Form Values From the Scan Session File
- Option 3: Find the HTTP Attributes Values of the Input Parameter
Why Does the Netsparker Scanner Need to Traverse Web Forms?
To scan a web application for vulnerabilities the Netsparker web security scanner need to identify all its attack surfaces. This means that during the crawling stage it has to discover all the pages on the web application. During this process it needs to successfully submit the discovered forms and traverse them to access the pages that are typically only accessible once the form is submitted.
By default Netsparker is able to automatically populate and submit a form with pre-configured values. You can change these values or add new ones from the Form Values section in the Scan Policy, as explained in this FAQ.
When Are the Configured Form Values Used?
These configured form values are used both during the crawling and attacking phases of the web security scan. If you would like to exclude a Form Value from being attacked, you can do so by excluding the Parameter from the scan.
Configuring Form Values in Netsparker Web Application Security Scanner
You can add a new pre-configured value or modify existing ones from the Forms Values setting in the Scan Policy. If you are using Netsparker Desktop, you can launch the Scan Policy Editor from the Start a new Website or Web Service Scan dialog or from the Tools drop down menu. In Netsparker Cloud you can access the Scan Policy Editor from the Policies node, by either creating a new scan policy, or edit an existing one.
The default set of preconfigured form values in both Netsparker Desktop and Netsparker Cloud online web application security scanner work in the majority of cases. However, should your web application require other data types you can easily configure the scanners to automatically submit such data when crawling the web forms.
Therefore if for example your web application expects a value that is unique to your business in a web form, such as Company Employee Number, you should configure this in the Form Values. Failing to do so Netsparker might fail to automatically traverse the web form and identify all possible attack surfaces on the web application.
The Default Match All Value
The entry #DEFAULT#, which is a special name. This entry is the catch all entry, i.e. is used when no other Value/Type is matched. You should not delete this entry. Should you wish to modify it, use a numeric only value, with which typically most checks are bypassed.
Examples of How to Configure Form Values in Netsparker
This example explains the whole process of how to configure the Form Values in Netsparker web application security scanner in an easy to follow step by step format.
Option 1: Determine which Input Parameters You Want to Add
First you have to determine which input parameters you want to add. You can either do so manually or use the Parse from URL feature in Netsparker, which basically extracts the list of parameters from a web form automatically.
To do so follow the below procedure:
- Navigate to the Forms Value settings in the Scan Policy and click Parse from URL.
- Enter the URL of the web form in the URL placeholder.
- Click Parse.
- The scanner will automatically retrieve the list of Parameters, their type and value.
- Tick those you would like to add and click Save.
Once all the parameters are imported you can also modify the parameters as explained in step 3 of this procedure.
Option 2: Importing Form Values From the Scan Session File
You can use the Import from Netsparker Scan Session feature in Netsparker, which basically extracts the list of parameters from a previous scan session. This allows you to view any incorrect Form Value configurations and fix them.
How to Import Form Values in the Scan Session File
- In the Scan Policy Editor dialog (see Scan Policy Editor), navigate to the Form Values, and click Import from Scan Session.
- The Select Netsparker Scan Session File to Import dialog is displayed.
- Select the Netsparker Session file, and click Open.
- The scanner will automatically parse the list of parameters, including their Name, Type, Sent Value and Pages that contain the input.
- In the checkbox column, check those you would like to add, and click OK. The imported Form Values are displayed.
- If required, you can adjust the value to use for subsequent scans by editing the Sent Value field.
- Once all parameters are imported, you can also modify the parameters as explained in step 3 of this procedure.
Option 3: Find the HTTP Attributes Values of the Input Parameter
There are two options how to find the HTTP Attributes values of input parameters. You can either retrieve them automatically using Netsparker or find them manually. Both processes are explained below.
Add List of Web Form Parameters
Before configuring a predefined form value, you need to know the value of the Name, or Placeholder or Label attributes of the input in question. For this example we will record the details of the Age input field in a form. Start by navigating to the web form and if you are using the Google Chrome browser right click the input field and select Inspect from the menu, as shown in the screenshot below.
In this case we can use the value of the name attribute which can be seen in the browser's Developer Tools, as highlighted in the below screenshot. This parameter does not have a placeholder or a label attribute, but should the parameter in question have them you can record and use either of those values.
Alternatively you can also right click anywhere on the page and select View page source, to view the source of the page and manually search for the input ID.
3. Add the New Entry to Form Values in Netsparker Scanners
For this example we will be configuring a form value of 20 for an input with ID AgeCheck. Therefore in the scanner we should configure the following:
Name: Age Check
Below is a screenshot of the new form value configured in Netsparker Cloud.
Once the above is configured, whenever the Netsparker scanner crawls a web form that has an input field with the name AgeCheck, it will submit 20 as a value. And by doing so it will successfully traverse the web form and crawl the pages which are only accessible once that form is submitted. Below is an explanation of what all the settings are.
Name: This is the friendly name, as a reference for you. It does not have any affect on the scan.
Type: This is the type of the input. If you leave this empty, the scanner will submit the value irrelevant of the input type. If you select a specific input type, Netsparker will submit the value to the form if either the Type OR Pattern match.
You can also select the Type and not specify any pattern so the scanner populates all the inputs which match the selected Type with the provided value. For example by default the Netsparker scanners have the following input configured:
In such case the Netsparker scanner will always submit the value of #ffffff whenever it identifies an input of Type color.
Match: This is the match type for the Pattern field and it has five options:
- RegEx: Use regular expression to match the pattern. For example the regular expression [\w\d]*cc|credit_?card|card[\w\d]* will match all the input fields that have any of the following values in the configured HTML attribute value; cc, credit_card, card
This is the most flexible option if you are familiar with RegEx. You can use a tool such as RegEx101 to test your RegExes.
- Exact: The pattern value should be the exact match to the configured HTML attribute value. Therefore if the name is AgeCheck, the pattern should be AgeCheck, else it won't match.
- Contains: The specified pattern should be part of the configured HTML attribute value. Example; if the Name attribute is AgeCheck, the pattern can be Age or Check.
- Starts: The HTML attribute value should start with the specified pattern. Example; if the value of the name HTML attribute is AgeCheck, the pattern can be Age, A or Ag. Check won't match.
- Ends: The HTML attribute value should end with the entered pattern. Example; if the valuie of the HTML attribute is AgeCheck, the pattern can be Check or eck. Age won't match.
Pattern: This is the value that the HTML attribute value will be matched against based on the selected Match (RegEx, Exact, Contains, Starts, Ends). Use the URL encoded name if the attribute value contains non-ASCII characters.
Value: This is the value Netsparker will submit to the input parameter when the match is successful.
Force: When this option is enabled Netsparker will submit the provided value even when the parameter is already populated with some other value. Therefore if for example Netsparker crawls a form which has a default value of 10, it won't try to overwrite it by default. Though if the Force option is checked, and Type and Pattern match, Netsparker will submit the provided Value instead of 10.
Form Values for POST and GET Parameters
By default, the Form Values settings only work for POST parameters. If you want to apply the same rules to GET parameters, you can set OnlyFillUpPost to True in Advanced Settings.
When this option is set to True, just like with POST parameters the Netsparker scanner will populate GET parameters by using the same rules as well.
Note: A form on a page with an input doesn't always mean POST. Check the method attribute of the <form> tag to see whether it's a POST or GET.