Many websites include web forms that capture visitor data, such as download forms. Acunetix Web Vulnerability Scanner can be configured to automatically submit random data or specific values to web forms during the crawl and scan stages of a security audit.
By default, Acunetix Web Vulnerability Scanner uses a generic submit rule that will submit generic and random values to any kind of web form encountered during a crawl or scan. There are situations where the values used by Acunetix during a scan need to be in a specific format, or the form would give an error. An example of this would be an email address field, which would only accept values in the form of user@domain.com.
The Acunetix WVS Input fields allow you to pre-define the values that are submitted during a scan for fields found on a specific URL and having a specific name.
To specify a list of predefined values that must be automatically entered on a web form or web service:
- Navigate to the Configuration > Scan Settings > Input Fields node.
- Enter the URL of the webpage or web service containing the specific form or list of operations to which pre-defined values must be passed, and click Parse from the URL button.
- The resulting list will then be automatically completed with the form fields found in the given URL.
- Enter the values for the required fields by double clicking the respective value column. Click Apply to save changes.
- Input fields also support wildcards to match a broad range of data. Below you can find a number of examples:
- *cus* is used to match any number of characters before and after the pattern ‘cus’
- *cus is used to match any number of characters before the pattern ‘cus’
- cus* is used to match any number of characters after the pattern ‘cus’
- ?cus is used to match a single character before the pattern ‘cus’
- c?us is used to match a single character as a second character in the pattern specified
Alternatively, you can configure Acunetix Web Vulnerability Scanner to automatically randomize the values for each input field by entering the variable names in bold below in the parameter’s value field:
- ${alpharand} – Automatically submit random alphabetical characters (a –z)
- $[numrand} – Automatically submit random numeric characters
- ${alphanumrand} – Automatically submit random alphabetical and numeric characters (a – z, 0 – 9)
You can also change the priority of a specific input field by highlighting it, and then using the Up and Down arrows to give it higher or lower priority respectively.
Note: If a unique set of data must be submitted to different forms, then a new rule-set must be created for each form respectively.
Get the latest content on web security
in your inbox each week.
THE AUTHOR
