Many of today’s large scale websites are template based. This means that most of the website pages which users visit are usually built from the same template file. Thus it is normal for a template based websites to be made up of about 20 or 30 PHP or .NET files and yet the website contains hundreds, if not thousands of pages. A perfect example of such websites is a shopping cart web application or a WordPress installation.
Typically shopping carts use a single template file to generate all of the category pages, another single template file to generate all the products pages and so on. Since the website is built using templates, there is no need to scan each and every page while doing a security audit of the website with an automated web vulnerability scanner such as Acunetix WVS.
When securing such type of websites (template based), you only need to scan one page from each different template and not all of the pages. Since all pages are generated from the same template, if there is a vulnerability in one of the templates, it will be the same for all other pages. If the template does not have any vulnerabilities, or all vulnerabilities have been fixed, then this applies to all pages built from that template. Taking such approach to secure a template based web application will not only save you time, but also makes analyses of scan results a much simpler job.
How to scan a shopping cart or template based website
- Scan the Templates
The following is an example detailing how to perform a security scan of a shopping cart by scanning a page from each different template only. The shopping cart used in this example is the amazon.co.uk shopping cart.
First, identify all the different templates in the shopping cart. If you have access to the files of the website it is even easier to determine how many templates are used by analyzing the file structure.
In the following example we will see the differences between the URLs of two subcategories of the Books category:
This example shows that the only difference between the two URLs is the node value which is used to specify the category type. The different numbers between 162814547_1 and 162814547_2 is just for categorization since the function has the same name, which loads different data depending on the node value but use the same template.
From the previous example it is clear that different categories and products use the same templates but with different data extracted from the database. This is the same for different products. So in order to scan the shopping cart templates, the user can go through all the different categories until the product selection point and list down all the different templates to be scanned. The product selection point is when the user adds the product to the shopping basket.
- Scan the Checkout Area
Typically shopping carts include a checkout process which also should be scanned. The checkout area typically consists of a small number of pages which allow you to enter shipping and payment details. This section should be scanned separately from the shopping cart templates.
To scan the checkout area, you should select a product and then proceed through the whole checkout process.
Use Acunetix WVS to scan template based websites
All of the above can be realized by crawling manually different pages from each different template using the Acunetix Web Vulnerability Scanner HTTP Sniffer. Using the Acunetix WVS HTTP Sniffer, you can record all the URLs from the Web Browser and then import those URLs in the Scan operation. For more information on how to use the Acunetix WVS HTTP Sniffer please refer to the blog post Manual crawling with the HTTP Sniffer.
Using a web browser configured with the Acunetix WVS HTTP Sniffer, you should follow the procedure to add a product in the basket. This sequence of URLS will be recorded by the Acunetix sniffer.
When you manage to add the product into the cart, then save the results and import them in the Acunetix Site Crawler. Save the crawl results and launch a scan against the saved crawl results. The scanner will perform a web vulnerability scan against the URLs you have visited, i.e. one URL from each category, product etc. At the end, the result will reflect to all the categories and product URLs since they use the same template.
The same procedure will be followed in order to check the second part of the shopping cart scan which is the ‘Checkout’.
If you are using the manual crawling process to scan the checkout area, any session cookies will be recorded by the Acunetix WVS HTTP Sniffer and can be used during the Acunetix WVS scan operation. However, the session needs to remain valid in order for the cookies to be used successfully during the scan operation. Thus you should not log out after the ‘recording’ operation of the Checkout URLs.