Scanning Parameter-Based Navigation Websites for Vulnerabilities

Category: Product Docs & FAQS - Mon, 11 Apr 2016 - by Robert Abela

Parameter-based navigation websites use the same URL and parameter, but different parameter values to either serve different content or do different things in general. Below are two examples of the URLs used in parameter-based navigation websites. The first example is of a PHP website and the second one is of an ASP.NET website.

Parameter-Based Navigation PHP Website

In the above example, a different parameter value is used in the URL to display different content. For example when the value of the parameter page is home, the home page is loaded. When the value of the same parameter page is support, the support page is loaded. Therefore in such case each parameter value is triggering the execution of different code branches to return the different content.

Parameter-Based Navigation ASP.NET Website

ASP.NET Web Forms have a process mechanism called Postback, which is used to control server-side events. It allows the execution of different code branches depending on the "__EVENTTARGET" parameter's value. Some examples follow.

Parameter-based navigation sample in ASP.NET

The above will execute LinkButton1's click event handler on the server-side.

Parameter-based navigation code sample in ASP.NET

On the other hand this will execute LinkButton2's click event handler on the server-side.

Automatically Crawling and Scanning Parameter-Based Navigation Websites

The Challenge of Scanning Parameter-Based Navigation Websites

Netsparker scanners have two crawling options in the Scan Policy:

  • Maximum Signature Limit
  • Maximum Page Visits

These options are used to optimize the crawling of similar pages. However, if the target website uses parameter-based navigation these settings will prevent Netsparker to crawl and scan the entire website properly.

You can increase the values of the above mentioned options but you will be prolonging the scan duration. Also, such workaround will still have some limitations because the Netsparker scanners will only attack the first instance of the page and ignore the rest, as explained with the below example.

Netsparker will crawl the above page and its parameters page and id.

Netsparker will ignore this version of the page since it has the same URL and parameters page and id, which it has already crawled and scanned. Therefore it is ignoring the parameter value, which in parameter-based navigation is used to trigger different code that needs to be scanned.

To address this limitation and successfully crawl and scan parameter-based navigation websites we introduced two new options in Netsparker scanners. These settings and their configuration are mentioned below.

Options in Netsparker Scanners to Scan Parameter-Based Navigation Websites

To be able to scan parameter-based navigation websites we introduced two new crawling settings in the Scan Policy. Below is a screenshot of the settings in Netsparker Desktop web application security scanner:

Configuring Parameter-Based Navigation settings in Netsparker Web Application Security Scanner

Below is a screenshot of the parameter-based navigation settings in Netsparker Cloud online web application security scanner:

Configuring Parameter-Based Navigation Options in Netsparker Cloud

To enable such technology, enable the crawling of parameter-based navigation websites by checking the checkbox Enable Parameter-Based Navigation. Then configure the following settings:

Navigational Parameter RegEx: This option has a regular expression that is used to match the parameters’ name. Therefore when a parameter name matches this regular expression it will be considered as a navigation parameter. The parameter can be either a GET or a POST parameter. The default RegEx both Netsparker scanners are configured with is:


Maximum Page Visits: The maximum number of times the scanner should visit such page. This number should be greater than the number of different values there are for a navigational parameter. The default value is 999.


Dead accurate, fast & easy-to-use Web Application Security Scanner