How to Configure URL Rewrite Rules in Netsparker

Category: Product Docs & FAQS - Tue, 21 Jun 2016 - by Robert Abela

By configuring URL rewrite rules in Netsparker Web Application Security Scanner it will automatically detect, crawl and attack all parameters in URLs. This article explains how to use the wizard to easily configure URL rewrite rules in Netsparker. Read the article URL rewrite rules and web vulnerability scanners for more information on URL rewrite rules and why it is important to configure them when doing an automated web application security scan.

Note: By default, Netsparker Desktop can heuristically identify URL rewriting on the target website and configure itself automatically, as explained in the article automatic configuration of URL rewrite rules when scanning websites. However, if you configure the URL rewrite rules manually as explained in this article, the scan will be more efficient.

Configure URL Rewrite Rules Using the Wizard

  1. From the Start a New Scan dialog, click the URL Rewrite node and tick the option Use Custom URL Rewrite Support, as shown in the screenshot below.

Configuring URL rewrite rules in Netsparker web vulnerability scanner

  2. Enable the option Enable Heuristic Rule Detection so the scanner still tries to detect any additional URL rewrites on the target website automatically and uses them in conjunction with the ones you configured.
  3. Click New to launch the URL Rewrite Rules wizard.

Note: Should you wish to configure the URL rewrite rules manually in Netsparker, without using the wizard, click on the Placeholder Pattern and RegEx Pattern input fields and populate them by hand.

  4. In the first step of the wizard, specify a URL that matches the URL rewrite rule you want to add, such as "http://www.example.com/movie/fight-club/".

Add URL Rewrite Rule wizard in Netsparker

  5. In the second step of the wizard, specify which of the path segments is a parameter and what its type is, by following the procedure below:
    1. Tick the URL path segment that contains a parameter value.
    2. Specify the parameter name.
    3. Specify the parameter type from the drop-down menu in the Parameter Type column. For more information on why it is important to configure a parameter type, refer to the section Why Should You Specify the Parameter Type?

As seen in the screenshot below, the parameter value is "fight-club", the parameter name we entered is "movie" and the parameter type is "Alphanumeric".

Specifying parameter and parameter type in URL Rewrite Rules wizard in Netsparker

If there are multiple parameters in the URL you can specify all of them in this step as per the example in the screenshot below, where the URL also includes parameters called year, month and movie.

Configuring multiple URL parameters using the URL Rewrite Rules wizard in Netsparker

  6. Click Finish so that the placeholder pattern and regular expression are generated automatically. Click any of the values to modify them manually, for example to write your own regular expression.

Configured URL rewrite rules in Netsparker Desktop

Why Should You Specify the Parameter Type?

It is important to specify the correct parameter type when configuring URL Rewrite rules in Netsparker to ensure the security scan is more accurate.

For example, imagine specifying the following pattern: "/{PARAM}/{ID}", where "{PARAM}" is the parameter that will be scanned and "{ID}" is its value. If the parameter type is not specified (leaving the default "Any"), both of the URLs below will match this URL rewrite configuration:

  • http://www.example.com/products/18
  • http://www.example.com/products/date.js

The above matching is too generic and might lead to incorrect scan results. For example, Netsparker might not scan some files because, after collecting enough samples (e.g. /products/1, /products/2, /products/3 etc.), it will assume that /products/date.js is just another value of the same parameter, due to the too generic matching.

In this case, if you set the parameter type to Integer you avoid this problem: Netsparker will only expect integers when scanning such a parameter, and when it notices something else, such as /products/date.js, it will recognize it as a file and scan it.

As a rule of thumb, the more specific you are when defining the parameter type the better, because matching everything (using the default Any) might cause Netsparker to miss legitimate URLs.

Note about Encoded URLs

If you are configuring URL rewrite rules manually and your website URLs use encoded values, always specify the decoded value in the rewrite rules. For example:

Website URL: http://www.example.com/user/john%2dDoe

The correct URL rewrite rule should contain the decoded character as follows:

http://www.example.com/user/{firstname}-{lastname}

The following URL rewrite rule is incorrect because it contains the encoded character:

http://www.example.com/user/{firstname}%2d{lastname}
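The two points above, parameter types narrowing what a placeholder may match and rewrite rules being written against decoded URLs, can be seen together in a small script. This is an added illustration, not Netsparker's own code: the mapping from the type names Any, Integer and Alphanumeric to regular-expression character classes is an assumption made here for the example, and the sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Assumed regex fragments for each parameter type. This mapping is the
# example's own guess at what the type names mean; it is not Netsparker's
# internal definition.
PARAM_TYPES = {
    "Any": r"[^/]+",
    "Integer": r"\d+",
    "Alphanumeric": r"[A-Za-z0-9_-]+",
}

# A placeholder looks like {name}; the name must be a valid identifier so it
# can become a named capture group.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def pattern_to_regex(pattern, types=None):
    """Turn a placeholder pattern such as '/movie/{movie}/' into a compiled
    regex. Each placeholder becomes a named group whose character class is
    chosen by the parameter type (default 'Any'); everything outside the
    placeholders is matched literally."""
    types = types or {}
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        name = m.group(1)
        kind = types.get(name, "Any")
        parts.append(f"(?P<{name}>{PARAM_TYPES[kind]})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match_url_path(path, pattern, types=None):
    """Return the parameters extracted from a URL path, or None when the rule
    does not apply. The path is percent-decoded before matching, which is why
    a rule must contain the decoded character ('-') rather than '%2d'."""
    decoded = unquote(path)
    m = pattern_to_regex(pattern, types).match(decoded)
    return m.groupdict() if m else None


def split_paths(paths, pattern, types=None):
    """Sort sample paths into those the rule would treat as parameter values
    and those left over to be crawled as distinct resources (such as files)."""
    as_values, as_resources = [], []
    for p in paths:
        (as_values if match_url_path(p, pattern, types) else as_resources).append(p)
    return as_values, as_resources


if __name__ == "__main__":
    # Constructed sample paths, mirroring the article's /products example.
    samples = ["/products/1", "/products/2", "/products/18", "/products/date.js"]
    print("Any:    ", split_paths(samples, "/products/{id}"))
    print("Integer:", split_paths(samples, "/products/{id}", {"id": "Integer"}))
    # Decoded versus encoded rule for the /user/john%2dDoe URL.
    print(match_url_path("/user/john%2dDoe", "/user/{firstname}-{lastname}"))
    print(match_url_path("/user/john%2dDoe", "/user/{firstname}%2d{lastname}"))
```

With the type left at Any, /products/date.js is swallowed as just another value of {id}; with Integer it falls through to the resource list and would be crawled on its own. The rule written with %2d never matches the decoded path, which is the failure the note above warns about.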

Step 3: Test Configured URL Rewrite Rules

Once you are ready, test the rules by clicking the Test button next to the URL, then click OK to save the new scan policy and launch the web vulnerability scan.

Netsparker URL Rewrite Rules Configuration Video Tutorial

Below is a short Netsparker video tutorial which shows you how to:

  • Configure a URL Rewrite Rule using the Wizard
  • Configure a URL Rewrite Rule with multiple parameters in the URL
  • Configure a URL Rewrite Rule Manually
