Configuring Predefined Web Form Values
What are Web Forms?
Many web applications have forms that are used to capture user data. Forms are typically used in create a new account, newsletter sign-up, password reminder, shipping address details and other similar pages. They require the web application visitor to enter information such as a phone number, email address or credit card number.
Many of these web forms typically have some basic checks because some of the fields might be mandatory. For example, if a user is required to enter his age, the form cannot be submitted if the user enters a non-numeric value such as the infamous asdf. This is an example of a web form, returning an error because the user did not populate the company input field, which is required.
Why Does Acunetix 360 Need to Traverse Web Forms?
To scan a web application for vulnerabilities, the Acunetix 360 web security scanner needs to identify all its attack surfaces. This means that during the crawling stage, it has to discover all the pages on the web application. During this process, it needs to successfully submit the discovered forms and traverse them to access the pages that are typically only accessible once the form is submitted.
By default, Acunetix 360 is able to automatically populate and submit a form with pre-configured values. You can change these values or add new ones from the Form Values section in the Scan Policy, as explained in this article.
When Are the Configured Form Values Used?
These configured form values are used both during the crawling and attacking phases of the web security scan. If you would like to exclude a Form Value from being attacked, you can do so by excluding the Parameter from the scan.
Configuring Form Values in Acunetix 360
You can add a new pre-configured value or modify existing ones from the Forms Values setting in the Scan Policy. In Acunetix 360 you can access the Scan Policy Editor from the Policies node, by either creating a new scan policy, or edit an existing one.
The default set of preconfigured form values in Acunetix 360 online web application security scanner work in the majority of cases. However, should your web application require other data types, you can easily configure the scanner to automatically submit such data when crawling the web forms.
So if, for example, your web application expects a value that is unique to your business in a web form, such as Company Employee Number, you should configure this in the Form Values. Failing to do so, Acunetix 360 might fail to automatically traverse the web form and identify all possible attack surfaces on the web application.
The Default Match All Value
The entry #DEFAULT# is a special name. This entry is a catch-all entry, which means it is used when no other Value/Type is matched. You should not delete this entry. Should you wish to modify it, use a numeric only value, with which typically most checks are bypassed.
Option 1: Determine Which Input Parameters You Want to Add
First, you have to determine which input parameters you want to add. You can do so manually.
Once all the parameters are imported, you can also modify the parameters as explained in Option 2 of this procedure.
Option 2: Find the HTTP Attributes Values of the Input Parameter
There are two options for how to find the HTTP Attributes values of input parameters. You can either retrieve them automatically using Acunetix 360 or find them manually. Both processes are explained below.
Add List of Web Form Parameters
Before configuring a predefined form value, you need to know the value of the Name, or Placeholder or Label attributes of the input in question. For this example we will record the details of the Age input field in a form. Start by navigating to the web form and if you are using the Google Chrome browser right click the input field and select Inspect from the menu, as shown in the screenshot below.
In this case we can use the value of the name attribute which can be seen in the browser's Developer Tools, as highlighted in the below screenshot. This parameter does not have a placeholder or a label attribute, but should the parameter in question have them you can record and use either of those values.
Alternatively you can also right click anywhere on the page and select View page source, to view the source of the page and manually search for the input ID.
Add the New Entry to Form Values in Acunetix 360
For this example we will be configuring a form value of 20 for an input with ID AgeCheck. Therefore in the scanner we should configure the following:
Name: Age Check
Below is a screenshot of the new form value configured in Acunetix 360.
Once the above is configured, whenever Acunetix 360 crawls a web form that has an input field with the name AgeCheck, it will submit 20 as a value. And by doing so it will successfully traverse the web form and crawl the pages which are only accessible once that form is submitted. Below is an explanation of what all the settings are.
Name: This is the friendly name, as a reference for you. It does not have any effect on the scan.
Type: This is the type of the input. If you leave this empty, the scanner will submit the value irrelevant of the input type. If you select a specific input type, Acunetix 360 will submit the value to the form if either the Type OR Pattern match.
You can also select the Type and not specify any pattern so the scanner populates all the inputs which match the selected Type with the provided value. For example by default the Acunetix 360 scanner has the following input configured:
In such case the Acunetix 360 scanner will always submit the value of #ffffff whenever it identifies an input of Type color.
Match: This is the match type for the Pattern field and it has five options:
- RegEx: Use regular expression to match the pattern. For example the regular expression [\w\d]*cc|credit_?card|card[\w\d]* will match all the input fields that have any of the following values in the configured HTML attribute value; cc, credit_card, card
This is the most flexible option if you are familiar with RegEx. You can use a tool such as RegEx101 to test your RegExes.
- Exact: The pattern value should be the exact match to the configured HTML attribute value. Therefore if the name is AgeCheck, the pattern should be AgeCheck, else it won't match.
- Contains: The specified pattern should be part of the configured HTML attribute value. Example; if the Name attribute is AgeCheck, the pattern can be Age or Check.
- Starts: The HTML attribute value should start with the specified pattern. Example; if the value of the name HTML attribute is AgeCheck, the pattern can be Age, A or Ag. Check won't match.
- Ends: The HTML attribute value should end with the entered pattern. Example; if the value of the HTML attribute is AgeCheck, the pattern can be Check or eck. Age won't match.
Pattern: This is the value that the HTML attribute value will be matched against based on the selected Match (RegEx, Exact, Contains, Starts, Ends). Use the URL encoded name if the attribute value contains non-ASCII characters.
Value: This is the value Acunetix 360 will submit to the input parameter when the match is successful.
Force: When this option is enabled Acunetix 360 will submit the provided value even when the parameter is already populated with some other value. Therefore if for example Acunetix 360 crawls a form which has a default value of 10, it won't try to overwrite it by default. Though if the Force option is checked, and Type and Pattern match, Acunetix 360 will submit the provided Value instead of 10.
Form Values for POST and GET Parameters
By default, the Form Values settings only work for POST parameters.
A form on a page with an input doesn't always mean POST. Check the method attribute of the <form> tag to see whether it's a POST or GET.