Configuring Predefined Web Form Values in Netsparker Web Security Scanners

What are Web Forms?

Many web applications have forms which are used to capture user data. Forms are typically found on pages such as account creation, newsletter sign-up, password reminder and shipping address details. They require the visitor to enter information such as a phone number, email address or credit card number.

Many of these web forms perform basic validation, because some of the fields are mandatory or expect a particular kind of data. For example, if a user is required to enter his age, the form cannot be submitted if the user enters a non-numeric value such as the infamous asdf. Below is an example of a web form returning an error because the user did not populate the Company input field, which is required.

A web form returns an error because the user did not populate all the mandatory fields.

Table of Contents

  1. Why Does the Netsparker Scanner Need to Traverse Web Forms?
  2. When Are the Configured Form Values Used?
  3. Configuring Form Values in Netsparker Web Application Security Scanners
  4. Examples of How to Configure Form Values in Netsparker
  5. Form Values for POST and GET Parameters

Why Does the Netsparker Scanner Need to Traverse Web Forms?

To scan a web application for vulnerabilities, the Netsparker web security scanner needs to identify its entire attack surface. This means that during the crawling stage it has to discover all the pages of the web application. During this process it needs to successfully submit the forms it discovers and traverse them, in order to reach the pages that are typically only accessible once a form has been submitted.

By default, Netsparker automatically populates and submits forms with pre-configured values. You can change these values or add new ones in the Form Values section of the Scan Policy, as explained in this FAQ.

When Are the Configured Form Values Used?

The configured form values are used during both the crawling and the attacking phases of the web security scan. If you would like to exclude a form value from being attacked, exclude the corresponding parameter from the scan.

Configuring Form Values in Netsparker Web Application Security Scanner

Configuring form values in Netsparker Cloud

You can add a new pre-configured value or modify existing ones from the Form Values setting in the Scan Policy. If you are using Netsparker Desktop, you can launch the Scan Policy Editor from the Start a New Website or Web Service Scan dialog or from the Tools drop-down menu. In Netsparker Cloud you can access the Scan Policy Editor from the Policies node, either by creating a new scan policy or by editing an existing one.

The default set of preconfigured form values in both Netsparker Desktop and the Netsparker Cloud online web application security scanner works in the majority of cases. However, should your web application require other data types, you can easily configure the scanners to submit such data automatically when crawling web forms.

Configuring form values in Netsparker Cloud

Therefore, if a web form in your web application expects a value that is unique to your business, such as a Company Employee Number, you should configure it in the Form Values. If you do not, Netsparker might fail to traverse the web form automatically and therefore fail to identify all possible attack surfaces on the web application.

The Default Match All Value

The entry #DEFAULT# is a special name: it is the catch-all entry, used when no other Type or Pattern is matched. You should not delete this entry. Should you wish to modify it, use a numeric-only value, which typically satisfies most basic input checks.

Examples of How to Configure Form Values in Netsparker

This example walks through the whole process of configuring Form Values in the Netsparker web application security scanner, step by step.

1. Determine which Input Parameters You Want to Add

First you have to determine which input parameters you want to add. You can do so manually, or use the Parse from URL feature in Netsparker, which extracts the list of parameters from a web form automatically.

Parse from URL feature in Netsparker.

To do so follow the below procedure:

  1. Navigate to the Form Values settings in the Scan Policy and click Parse from URL.
  2. Enter the URL of the web form in the URL placeholder.
  3. Click Parse.
  4. The scanner automatically retrieves the list of parameters, their type and their value.
  5. Tick those you would like to add and click Save.

Once all the parameters are imported, you can also modify them as explained in step 3 of this procedure.

2. Find the HTML Attribute Values of the Input Parameter

There are two ways to find the HTML attribute values of input parameters: retrieve them automatically using Netsparker, or find them manually. Both are explained below.

Add List of Web Form Parameters

Before configuring a predefined form value, you need to know the value of the Name, Placeholder or Label attribute of the input in question. In this example we record the details of the Age input field in a form. Start by navigating to the web form; if you are using the Google Chrome browser, right-click the input field and select Inspect from the menu, as shown in the screenshot below.

Right click a form value to inspect it and find its ID

In this case we can use the value of the name attribute, which can be seen in the browser's Developer Tools, as highlighted in the screenshot below. This input does not have a placeholder or a label attribute, but if the input in question has them you can record and use either of those values instead.

Find the HTML attributes for the input field

Alternatively, you can right-click anywhere on the page and select View page source to view the source of the page and search for the input manually.

3. Add the New Entry to Form Values in Netsparker Scanners

In this example we configure a form value of 20 for an input whose name attribute is AgeCheck. In the scanner we therefore configure the following:

Name: Age Check
Type: (Empty)
Pattern: AgeCheck
Target: Name
Match: Exact
Value: 20
Force: (Checked)

Below is a screenshot of the new form value configured in Netsparker Cloud.

Configuring a web form value in Netsparker Cloud

Once the above is configured, whenever the Netsparker scanner crawls a web form that has an input field with the name AgeCheck, it submits 20 as its value. By doing so it successfully traverses the web form and crawls the pages which are only accessible once that form has been submitted. Below is an explanation of each setting.

Name: This is a friendly name, for your own reference. It does not have any effect on the scan.

Type: This is the type of the input. If you leave it empty, the scanner submits the value regardless of the input type. If you select a specific input type, Netsparker submits the value to the form if either the Type or the Pattern matches.

You can also select a Type without specifying a Pattern, so that the scanner populates all inputs of the selected Type with the provided value. For example, by default the Netsparker scanners have the following entry configured:

Name: color
Type: color
Pattern: (empty)
Target: Name
Match: Regex
Value: #ffffff

In this case the Netsparker scanner always submits the value #ffffff whenever it identifies an input of type color.

Match: This is the match type for the Pattern field and it has five options:

  1. RegEx: Use a regular expression to match the pattern. For example, the regular expression [\w\d]*cc|credit_?card|card[\w\d]* will match all input fields whose configured HTML attribute value contains any of the following: cc, credit_card, card.

     This is the most flexible option if you are familiar with RegEx. You can use a tool such as RegEx101 to test your regular expressions.

  2. Exact: The pattern must be an exact match of the configured HTML attribute value. Therefore if the name is AgeCheck, the pattern must be AgeCheck, otherwise it won't match.

  3. Contains: The specified pattern must be part of the configured HTML attribute value. Example: if the Name attribute is AgeCheck, the pattern can be Age or Check.

  4. Starts: The HTML attribute value must start with the specified pattern. Example: if the value of the name HTML attribute is AgeCheck, the pattern can be Age, A or Ag. Check won't match.

  5. Ends: The HTML attribute value must end with the specified pattern. Example: if the value of the HTML attribute is AgeCheck, the pattern can be Check or eck. Age won't match.

Pattern: This is the value that the HTML attribute value is matched against, according to the selected Match (RegEx, Exact, Contains, Starts, Ends). Use the URL-encoded name if the attribute value contains non-ASCII characters.

Value: This is the value Netsparker submits to the input parameter when the match is successful.

Force: When this option is enabled, Netsparker submits the provided value even when the parameter is already populated with another value. By default, if Netsparker crawls a form in which a field already has a default value of 10, it does not overwrite it. If the Force option is checked, however, and the entry matches, Netsparker submits the provided Value instead of 10.
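To make the settings above concrete, here is an added Python example (not Netsparker's code) that applies a list of such entries to a constructed form the way this page describes: a Type or Pattern match selects the entry, Force decides whether a prefilled value is overwritten, and #DEFAULT# is used when nothing else matches. The FormValueRule fields, the inputs_in and fill_form helpers, the sample form and the rule values are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical re-implementation of the Form Values rules described on this page (not Netsparker's code).
@dataclass
class FormValueRule:
    name: str              # friendly name; "#DEFAULT#" marks the catch-all entry
    value: str             # value submitted when the rule matches
    type: str = ""         # input type to match; empty = any type
    pattern: str = ""      # compared with the Target attribute using Match
    target: str = "name"   # input attribute to inspect: name / placeholder / label
    match: str = "exact"   # regex / exact / contains / starts / ends
    force: bool = False    # overwrite a value the form already supplies

    def matches(self, attrs: dict) -> bool:
        if self.type and attrs.get("type", "text").lower() == self.type.lower():
            return True                        # a Type match alone is enough
        subject, p = attrs.get(self.target), self.pattern
        if not p or subject is None:
            return False
        return {"regex": lambda s: re.search(p, s) is not None, "exact": lambda s: s == p,
                "contains": lambda s: p in s, "starts": lambda s: s.startswith(p),
                "ends": lambda s: s.endswith(p)}[self.match](subject)

def inputs_in(html: str) -> list:
    """Attribute dict of every <input> tag (regex extraction is enough for the constructed sample below)."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', tag)) for tag in re.findall(r"<input\b([^>]*)>", html)]

def fill_form(html: str, rules: list) -> dict:
    """Map each input name to the value that would be submitted; #DEFAULT# applies when nothing else matches."""
    default = next(r for r in rules if r.name == "#DEFAULT#")
    submitted = {}
    for attrs in inputs_in(html):
        rule = next((r for r in rules if r is not default and r.matches(attrs)), default)
        existing = attrs.get("value", "")
        # A value already present in the form is kept unless the matching rule has Force set.
        submitted[attrs["name"]] = existing if existing and not rule.force else rule.value
    return submitted

# Constructed sample form and rules (not from the page); AgeCheck arrives prefilled with 10.
SAMPLE_FORM = """<form method="post"><input name="AgeCheck" type="number" value="10">
<input name="favColor" type="color"><input name="company" type="text" placeholder="Company name">
<input name="cc_number" type="text"><input name="note" type="text" value="keep me"></form>"""
RULES = [
    FormValueRule("Age Check", "20", pattern="AgeCheck", match="exact", force=True),
    FormValueRule("color", "#ffffff", type="color", match="regex"),
    FormValueRule("Company", "Example Ltd", pattern="Company", target="placeholder", match="starts"),
    FormValueRule("Card", "0000", pattern=r"[\w\d]*cc|credit_?card|card[\w\d]*", match="regex"),
    FormValueRule("#DEFAULT#", "1"),
]
```

Running fill_form(SAMPLE_FORM, RULES) shows AgeCheck overwritten to 20 because Force is set, favColor filled by its Type alone, and note keeping its own value because only the non-forcing #DEFAULT# entry matched it.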

Form Values for POST and GET Parameters

By default, the configured Form Values apply to both POST and GET parameters. You can restrict Netsparker to filling in only POST parameters by setting the OnlyFillUpPost option to True in the Advanced Settings.

Configure the Netsparker Desktop advanced settings

When this option is set to True, the Netsparker scanner does not populate GET parameters using these rules.

Note: A form on a page with an input does not always mean POST. Check the method attribute of the <form> tag to see whether it uses POST or GET.
