What are Web Forms?
Many web applications have forms which are used to capture user data. Forms are typically used in create a new account, newsletter sign-up, password reminder, shipping address details and other similar pages. They require the web application visitor to enter information such a phone number, email address or credit card number.
Many of these web forms typically have some basic checks because some of the fields might be mandatory. For example if a user is required to enter his age, the form cannot be submitted if the user enters a non numeric value such as the infamous asdf. Below is an example of a web form, returning an error because the user did not populate the company input field, which is required.
Why Does the Netsparker Scanner Need to Traverse Web Forms?
To scan a web application for vulnerabilities the Netsparker web security scanner need to identify all its attack surfaces. This means that during the crawling stage it has to discover all the pages on the web application. During this process it needs to successfully submit the discovered forms and traverse them to access the pages that are typically only accessible once the form is submitted.
By default Netsparker is able to automatically populate and submit a form with pre-configured values. You can change these values or add new ones from the Form Values section in the Scan Policy, as explained in this FAQ.
When Are these Configured Form Values Used?
These configured form values are used both during the crawling and attacking phases of the web security scan. If you would like to exclude a Form Value from being attacked, you can do so by excluding the Parameter from the scan.
Configuring Form Values in Netsparker Web Application Security Scanners
The default set of preconfigured form values in both Netsparker Desktop and Netsparker Cloud online web application security scanner work in the majority of cases. However, should your web application require other data types you can easily configure the scanners to automatically submit such data when crawling the web forms.
Therefore if for example your web application expects a value that is unique to your business in a web form, such as Company Employee Number, you should configure this in the Form Values. Failing to do so Netsparker might fail to automatically traverse the web form and identify all possible attack surfaces on the web application.
The Default Match All Value
The last entry #DEFAULT# in the Form Values configuration is a special name. This is the entry that the Netsparker web vulnerability scanner uses when no other Value/Type is matched. Therefore you should not delete this entry. Should you wish to modify it, use a numeric only value, with which typically most checks are bypassed.
Examples of How to Configure Form Values in Netsparker
This example explains the whole process of how to configure the Form Values in Netsparker web application security scanner in an easy to follow step by step format.
1. Find the HTTP Attributes Values of the Input Parameter
Before configuring a predefined form value, you need to know the value of the Name, or Placeholder or Label attributes of the input in question. For this example we will record the details of the Age input field in a form. Start by navigating to the web form and if you are using the Google Chrome browser right click the input field and select Inspect from the menu, as shown in the screenshot below.
In this case we can use the value of the name attribute which can be seen in the browser's Developer Tools, as highlighted in the below screenshot. This parameter does not have a placeholder or a label attribute, but should the parameter in question have them you can record and use either of those values.
Alternatively you can also right click anywhere on the page and select View page source, to view the source of the page and manually search for the inoput ID.
2. Add the New Entry to Form Values in Netsparker Scanners
To add the new value, access the Form Values settings in the Scan Policy Editor. If you are using Netsparker Desktop, you can launch the Scan Policy Editor from the Start a new Website or Web Service Scan dialog or from the Tools drop down menu. In Netsparker Cloud you can access the Scan Policy Editor from the Policies node, by either creating a new scan policy, or edit an existing one.
For this example we will be configuring a form value of 20 for an input with ID AgeCheck. Therefore in the scanner we should configure the following:
Name: Age Check
Below is a screenshot of the new form value configured in Netsparker Cloud.
Once the above is configured, whenever the Netsparker scanner crawls a web form that has an input field wiht the name AgeCheck, it will submit 20 as a value. And by doing so it will successfully traverse the web form and crawl the pages which are only accessible once that form is submitted. Below is an explanation of what all the settings are.
Name: This is the friendly name, as a reference for you. It does not have any affect on the scan.
Type: This is the type of the input. If you leave this empty, the scanner will submit the value irrelevant of the input type. If you select a specific input type, Netsparker will only submit the value to the form if both the Type AND Pattern match.
You can also select the Type and not specify any pattern so the scanner populates all the inputs which match the selected Type with the provided value. For example by default the Netsparker scanners have the following input configured:
In such case the Netsparker scanner will always submit the value of #ffffff whenever it identifies an input of Type color.
Match: This is the match type for the Pattern field and it has five options:
- RegEx: Use regular expression to match the pattern. For example the regular expression [\w\d]*cc|credit_?card|card[\w\d]* will match all the input fields that have any of the following values in the configured HTML attribute value; cc, credit_card, card
This is the most flexible option if you are familiar with RegEx. You can use a tool such as RegEx101 to test your RegExes.
- Exact: The pattern value should be the exact match to the configured HTML attribute value. Therefore if the name is AgeCheck, the pattern should be AgeCheck, else it won’t match.
- Contains: The specified pattern should be part of the configured HTML attribute value. Example; if the Name attribute is AgeCheck, the pattern can be Age or Check.
- Starts: The HTML attribute value should start with the specified pattern. Example; if the value of the name HTML attribute is AgeCheck, the pattern can be Age, A or Ag. Check won’t match.
- Ends: The HTML attribute value should end with the entered pattern. Example; if the valuie of the HTML attribute is AgeCheck, the pattern can be Check or eck. Age won’t match.
Pattern: This is the value that the HTML attribute value will be mateched against based on the selected Match (RegEx, Exact, Contains, Starts, Ends). Use the URL encoded name if the attribute value contains non-ASCII characters.
Value: This is the value Netsparker will submit to the input parameter when the match is successful.
Force: When this option is enabled Netsparker will submit the provided value even when the parameter is already populated with some other value. Therefore if for example Netsparker crawls a form which has a default value of 10, it won’t try to overwrite it by default. Though if the Force option is checked, and Type and Pattern match, Netsparker will submit the provided Value instead of 10.
Form Values for POST and GET Parameters
By default, the Form Values settings only work for POST parameters. If you want to apply the same rules to GET parameters, you can set OnlyFillUpPost to True in Advanced Settings.
When this option is set to True, just like with POST parameters the Netsparker scanner will populate GET parameters by using the same rules as well.
Note: A form on a page with an input doesn’t always mean POST. Check the method attribute of the <form> tag to see whether it’s a POST or GET.