Scanning Parameter-Based Navigation Websites

Parameter-based navigation websites use the same URL and the same parameter name, with different parameter values, to serve different content or to perform different actions.

Parameter-Based Navigation in PHP Websites

In the following examples, a different value of the same parameter is used in the URL to display different content. When the value of the parameter page is 'home', the home page is loaded. When the value of the same parameter page is 'support', the support page is loaded.

  • http://example.com/index.php?page=home
  • http://example.com/index.php?page=support

Each parameter value triggers the execution of different code branches to return the relevant content.

Parameter-Based Navigation in ASP.NET Websites

ASP.NET Web Forms has a mechanism called postback, which routes server-side events. The page posts the hidden __EVENTTARGET field back to the same URL, and its value names the control whose event handler should run, so different values execute different code branches. Here are two examples.

A request whose __EVENTTARGET names LinkButton1 executes LinkButton1's click event handler on the server side.

(image: Parameter-based navigation sample in ASP.NET)

The same request with __EVENTTARGET naming LinkButton2 instead executes LinkButton2's click event handler on the server side.

(image: Parameter-based navigation code sample in ASP.NET)

Crawling Options

There are two relevant crawling options in the Scan Policy (explained in the Crawling table):

  • Maximum Signature Limit
  • Maximum Page Visits

These options keep the crawler from spending time on many similar pages. However, if the target website uses parameter-based navigation, they also stop Netsparker from crawling and scanning the whole website, because requests that differ only in a parameter value are treated as the same page.

Raising these limits prolongs the scan, and it is only a partial workaround: the Netsparker scanners attack the first instance of a page and ignore the rest, as this example shows:

  • http://example.com/index.php?page=product&id=1
    • Netsparker crawls this page and attacks its parameters page and id.
  • http://example.com/index.php?page=pricing&id=2
    • Netsparker ignores this request because it has the same URL and parameter names (page and id) as the one it has already crawled and scanned. The parameter value is not considered, yet in parameter-based navigation it is the value that selects the code branch that needs to be scanned.

How to Configure Scanning of Parameter-Based Navigation Websites in Netsparker Enterprise

  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Policies, then New Scan Policy. The New Scan Policy window is displayed.
  3. Select the Crawling tab. The Crawling window is displayed.
  4. In the Parameter-Based Navigation section, select the Enable Parameter-Based Navigation checkbox.
     (image: Configuring Parameter-Based Navigation Options in Netsparker Cloud)
  5. In the Navigational Parameter RegEx field, enter the RegEx.
  6. In the Maximum Page Visits field, enter a value.
  7. Complete the remaining fields as required.
  8. Click Save.

How to Configure Scanning of Parameter-Based Navigation Websites in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click Scan Policy Editor. The Scan Policy Editor dialog is displayed.
  3. Select the Crawling tab.
  4. Click New. The Parameter-Based Navigation fields are enabled.
  5. In the Parameter-Based Navigation section, select the Enable Parameter-Based Navigation checkbox.
    • Navigational Parameter RegEx: A regular expression matched against parameter names. A parameter whose name matches is treated as a navigational parameter, so its value is taken into account and each distinct value is crawled and scanned. The parameter can be either a GET or a POST parameter. The default RegEx both Netsparker scanners are configured with is:
      • ^(page|redirect|goto|ctrl|content|__EVENTTARGET)$
    • Maximum Page Visits: The maximum number of times the scanner visits such a page. Set it higher than the number of distinct values the navigational parameter can take, otherwise some branches are never scanned. The default value is 999; the allowed range is 1 to 100,000.
  6. In the Navigational Parameter RegEx field, enter the RegEx.
  7. In the Maximum Page Visits field, enter a value.
  8. Complete the remaining fields as required.
  9. Click OK.
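The following Python script is an added example, not Netsparker code, and it illustrates both the Crawling Options section and the two settings described above. It models how a crawler signature built from the URL and parameter names ignores parameter values, and how a Navigational Parameter RegEx and a Maximum Page Visits limit change which requests get scanned. The signature and visit-counting logic is a simplified model written for this illustration, not Netsparker's implementation; the sample requests and the LinkButton1/LinkButton2 control names are constructed, and the regular expression is the default one quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Netsparker's default Navigational Parameter RegEx, as quoted on this page.
DEFAULT_NAV_REGEX = re.compile(r"^(page|redirect|goto|ctrl|content|__EVENTTARGET)$")

# Constructed sample requests as (url, POST body or None). The ASP.NET ones
# post __EVENTTARGET the way a Web Forms postback does; control names assumed.
SAMPLE_REQUESTS = [
    ("http://example.com/index.php?page=product&id=1", None),
    ("http://example.com/index.php?page=pricing&id=2", None),
    ("http://example.com/index.php?page=product&id=3", None),   # same branch, other id
    ("http://example.com/Default.aspx", "__EVENTTARGET=LinkButton1&__EVENTARGUMENT="),
    ("http://example.com/Default.aspx", "__EVENTTARGET=LinkButton2&__EVENTARGUMENT="),
]


def signature(url, nav_regex=None, body=None):
    """Build the crawl signature of a request (simplified model).

    Without nav_regex the signature is the URL path plus the sorted parameter
    names: values are dropped, so ?page=product and ?page=pricing collide.
    With nav_regex, a parameter whose name matches keeps its value in the
    signature, so each navigational branch becomes a distinct page.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)   # POST parameters count too
    keys = []
    for name, value in params:
        if nav_regex is not None and nav_regex.match(name):
            keys.append(f"{name}={value}")
        else:
            keys.append(name)
    return f"{parts.scheme}://{parts.netloc}{parts.path}?" + "&".join(sorted(keys))


def plan_crawl(requests, nav_regex=None, max_page_visits=999):
    """Decide which requests get scanned; returns (scanned, skipped).

    A request is skipped when its signature was already scanned, or when the
    value-free page it belongs to has already been visited max_page_visits
    times. Each skipped entry carries the reason as its third element.
    """
    seen = set()
    visits = {}
    scanned, skipped = [], []
    for url, body in requests:
        sig = signature(url, nav_regex, body)
        page = signature(url, None, body)      # page identity without nav values
        if sig in seen:
            skipped.append((url, body, "duplicate signature"))
            continue
        if visits.get(page, 0) >= max_page_visits:
            skipped.append((url, body, "max page visits reached"))
            continue
        seen.add(sig)
        visits[page] = visits.get(page, 0) + 1
        scanned.append((url, body))
    return scanned, skipped


if __name__ == "__main__":
    for label, regex, limit in [
        ("parameter-based navigation off", None, 999),
        ("default RegEx, Maximum Page Visits 999", DEFAULT_NAV_REGEX, 999),
        ("default RegEx, Maximum Page Visits 1 (too low)", DEFAULT_NAV_REGEX, 1),
    ]:
        scanned, skipped = plan_crawl(SAMPLE_REQUESTS, regex, limit)
        print(f"== {label}: {len(scanned)} scanned, {len(skipped)} skipped")
        for url, body, reason in skipped:
            print(f"   skipped {url} {body or ''} ({reason})")
```

Running it prints three crawl plans. With navigation off, only the first index.php request and the first Default.aspx postback are scanned and the other three are dropped as duplicates. With the default RegEx, every distinct page value and __EVENTTARGET value is scanned, and only the repeated page=product request is dropped. With Maximum Page Visits lowered to 1, the pricing page and the LinkButton2 postback are skipped again, which is why the limit must exceed the number of values the navigational parameter can take.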