Scanning Parameter-Based Navigation Websites

Parameter-based navigation websites use the same URL and the same parameter names, but different parameter values, to serve different content or to perform different actions.

Parameter-Based Navigation in PHP Websites

In these examples, a different value of the same parameter in the URL displays different content. When the value of the parameter page is 'home', the home page is loaded; when the value of the same parameter is 'support', the support page is loaded.

  • http://example.com/index.php?page=home
  • http://example.com/index.php?page=support

Each parameter value triggers the execution of different code branches to return the relevant content.

Parameter-Based Navigation in ASP.NET Websites

ASP.NET Web Forms use a mechanism called postback to raise server-side events: the page posts back to the same URL, and the value of the hidden __EVENTTARGET form field decides which control's event handler runs. The URL and the parameter names are identical for every postback; only the __EVENTTARGET value changes. Here are two examples.

A postback whose __EVENTTARGET value is LinkButton1 executes LinkButton1's click event handler on the server side.

(Screenshot in the original: parameter-based navigation sample in ASP.NET)

A postback to the same URL whose __EVENTTARGET value is LinkButton2 executes LinkButton2's click event handler on the server side instead.

(Screenshot in the original: parameter-based navigation code sample in ASP.NET)

Crawling Options

There are two relevant crawling options in the Scan Policy (explained in the Crawling table):

  • Maximum Signature Limit
  • Maximum Page Visits

These options keep the crawler from spending time on pages that look alike. On a website that uses parameter-based navigation, however, requests that share a URL and parameter names are treated as the same page even though their parameter values select different content or different code, so these limits stop Acunetix 360 from crawling and scanning the whole website.

Raising these values only prolongs the scan, and it is not a complete workaround: the Acunetix 360 scanner attacks the first instance of a page and ignores later instances that have the same URL and parameter names, as in this example:

  • http://example.com/index.php?page=product&id=1
    Acunetix 360 crawls this page and attacks its parameters page and id.
  • http://example.com/index.php?page=pricing&id=2
    Acunetix 360 ignores this version of the page because it has the same URL and the same parameters (page and id) as the one already crawled and scanned. The parameter values, which in parameter-based navigation select the code that needs to be scanned, are not taken into account.

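
The following script is an added example, not Acunetix code, and Acunetix 360's real signature algorithm is not documented on this page. It models the behaviour described above for both the PHP examples and the ASP.NET postback examples: by default a request is filed under its method, path and parameter names only, so the page=product and page=pricing requests (and the LinkButton1 and LinkButton2 postbacks) collapse into one page and only the first instance is attacked; with a navigational-parameter regex the matching parameter's value becomes part of the key, and with query-only navigation POST body parameters such as __EVENTTARGET are never treated as navigational. The sample traffic, the Default.aspx URL, the __VIEWSTATE value and the regex ^(page|__EVENTTARGET)$ are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic (method, URL, POST body) from a crawl of the two
# sites described above. The Default.aspx URL, the __VIEWSTATE value and the
# exact body layout are assumptions for illustration.
SAMPLE_REQUESTS = [
    ("GET", "http://example.com/index.php?page=home", ""),
    ("GET", "http://example.com/index.php?page=support", ""),
    ("GET", "http://example.com/index.php?page=product&id=1", ""),
    ("GET", "http://example.com/index.php?page=pricing&id=2", ""),
    ("POST", "http://example.com/Default.aspx",
     "__EVENTTARGET=LinkButton1&__EVENTARGUMENT=&__VIEWSTATE=dDw"),
    ("POST", "http://example.com/Default.aspx",
     "__EVENTTARGET=LinkButton2&__EVENTARGUMENT=&__VIEWSTATE=dDw"),
]

# Hypothetical navigational-parameter regex: 'page' on the PHP site and
# '__EVENTTARGET' on the ASP.NET site are the parameters whose values pick
# the code branch. It is matched against parameter names here (an assumption).
NAV_REGEX = r"^(page|__EVENTTARGET)$"


def signature(method, url, body="", nav_regex=None, query_only=False):
    """Return the key under which a crawler files this request.

    Without nav_regex the key is method + host + path + sorted parameter
    NAMES, so requests that differ only in values collapse into one page.
    With nav_regex, a parameter whose name matches also contributes its
    VALUE, so every navigation value is a page of its own. query_only
    restricts that treatment to query-string parameters, so body parameters
    such as __EVENTTARGET are never navigational.
    """
    parts = urlsplit(url)
    sources = [(parse_qsl(parts.query, keep_blank_values=True), True),
               (parse_qsl(body, keep_blank_values=True), False)]
    items = []
    for params, from_query in sources:
        for name, value in params:
            navigational = (nav_regex is not None
                            and (from_query or not query_only)
                            and re.fullmatch(nav_regex, name) is not None)
            items.append(f"{name}={value}" if navigational else name)
    return f"{method} {parts.netloc}{parts.path}?" + "&".join(sorted(items))


def select_for_scan(requests, max_page_visits=1, **sig_opts):
    """Keep only the first max_page_visits requests per signature.

    This models the Maximum Page Visits limit: once a signature has been
    seen that many times, later requests with the same signature are not
    attacked.
    """
    visits = {}
    kept = []
    for method, url, body in requests:
        sig = signature(method, url, body, **sig_opts)
        visits[sig] = visits.get(sig, 0) + 1
        if visits[sig] <= max_page_visits:
            kept.append((method, url, body))
    return kept


if __name__ == "__main__":
    for label, opts in [
        ("default (values ignored)", {}),
        ("navigational regex", {"nav_regex": NAV_REGEX}),
        ("navigational regex, query only", {"nav_regex": NAV_REGEX, "query_only": True}),
    ]:
        kept = select_for_scan(SAMPLE_REQUESTS, **opts)
        print(f"{label}: {len(kept)} of {len(SAMPLE_REQUESTS)} requests attacked")
        for method, url, body in kept:
            print(f"  {method} {url} {body}")
```

With the defaults only three of the six requests are attacked (home, product&id=1 and the LinkButton1 postback); the regex raises that to all six, and the query-only variant to five, because the two postbacks differ only in a body parameter. Raising max_page_visits without a regex also attacks the later instances, but only as repeats of the same page, which is why it lengthens the scan without making the crawler understand the navigation.
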

How to Configure Scanning of Parameter-Based Navigation Websites in Acunetix 360

  1. Log in to Acunetix 360.
  2. From the main menu, select Policies, then New Scan Policy. The New Scan Policy window is displayed.
  3. Select the Crawling tab. The Crawling window is displayed.
  4. In the Parameter-Based Navigation section, select the Enable Parameter-Based Navigation checkbox.
  5. Select the Enable Query-based Navigation option if only query-string parameters, and not POST body parameters, should be recognized as navigational parameters.
  6. In the Navigational Parameter RegEx field, enter a regular expression that identifies the navigational parameters, for example one matching the parameters page and __EVENTTARGET from the examples above.
  7. In the Maximum Page Visits field, enter the number of times a page with the same URL and parameter names may be visited.
  8. Complete the remaining fields as required.
  9. Click Save.
