Scan Forms with Predefined Field Values

Matthias

30 Mar, 2016 04:10 PM

Hi,

We have a couple of forms that we'd like to scan with Arachni but that expect specific inputs (e.g. a number value) at some form fields. As long as these fields do not have a valid value, other form fields cannot be tested for XSS and other vulnerabilities. Is it possible to teach Arachni this somehow and make it "business logic aware"?

Thanks!

Matthias

  1. Support Staff: Posted by Tasos Laskos on 30 Mar, 2016 04:14 PM
  2. Posted by Matthias on 30 Mar, 2016 04:30 PM

    Ah, yes, that looks like it.

    But that would only work for a global parameter name, say:

    --input-value=paramname:123

    Or could I also restrict this input value to be only sent to one form / url as well? Unfortunately I could not find any examples on the Web.

    Thanks!!
    Matthias

  3. Support Staff: Posted by Tasos Laskos on 30 Mar, 2016 04:32 PM

    Yeah it's a global thing, is that a problem for your use-case?
    If you need something more specialised it could be possible (need to look up the API or update it) via a custom plugin.

  4. Posted by Matthias on 30 Mar, 2016 06:43 PM

    Yes, perhaps that could be the case. Anyhow, at least there is a global solution. If we create a plugin we would of course share it with the community. Thanks!

  5. Support Staff: Posted by Tasos Laskos on 31 Mar, 2016 01:08 PM

    No worries, let me know if you require further assistance.

    Cheers

  6. Tasos Laskos closed this discussion on 31 Mar, 2016 01:08 PM.
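The behaviour discussed in this thread (a global PATTERN:VALUE fill rule like `--input-value=paramname:123`, applied to every matching input name) and the per-form restriction Matthias asks about, as an added stand-alone model in Ruby. This is example code written for this page, not Arachni's own code and not an Arachni plugin: the `FillRule` and `FormFiller` classes, the rule that a scoped value wins over a global one, the URL-scope comparison and the sample form data are all assumptions of the example. Wiring it into Arachni's plugin API, as Tasos suggests, is left to the reader.

```ruby
# Stand-alone model of "fill form fields with predefined values", in the
# spirit of Arachni's global --input-value=PATTERN:VALUE option, extended
# with the per-form scoping asked about in the thread. Added illustration,
# not Arachni code; class names and the scoping rule are assumptions.

require 'uri'

# One fill rule: a name pattern, the value to use and an optional URL scope.
# scope == nil behaves like the global CLI option (applies to every form);
# a scope limits the rule to forms whose action URL matches it.
FillRule = Struct.new(:name_pattern, :value, :scope, keyword_init: true) do
  def applies_to?(input_name, action_url)
    return false unless name_pattern.match?(input_name)
    return true if scope.nil?
    scope.is_a?(Regexp) ? scope.match?(action_url) : same_path?(scope, action_url)
  end

  private

  # Scope given as a plain URL: compare scheme, host, port and path only, so a
  # query string or fragment on the form action does not defeat the match.
  def same_path?(scope_url, action_url)
    a = URI.parse(scope_url)
    b = URI.parse(action_url)
    [a.scheme, a.host, a.port, a.path.chomp('/')] ==
      [b.scheme, b.host, b.port, b.path.chomp('/')]
  end
end

class FormFiller
  # Parse CLI-style "PATTERN:VALUE" pairs as the thread uses them, e.g.
  # "amount:123". PATTERN is a regexp matched against the input name, so a
  # bare "amount" also matches "total_amount"; anchor it (^amount$) if needed.
  def self.parse_cli(pairs)
    pairs.map do |pair|
      pattern, value = pair.split(':', 2)
      raise ArgumentError, "expected PATTERN:VALUE, got #{pair.inspect}" if value.nil?
      FillRule.new(name_pattern: Regexp.new(pattern), value: value)
    end
  end

  def initialize(rules)
    @rules = rules
  end

  # Return a new inputs hash for one form. Scoped rules win over global ones,
  # later rules win over earlier ones of the same kind, and inputs that already
  # carry a non-empty value are left alone unless force: true is given.
  def fill(action_url, inputs, force: false)
    inputs.each_with_object({}) do |(name, current), out|
      keep_current = !force && !current.to_s.empty?
      rule = pick_rule(name, action_url)
      out[name] = (keep_current || rule.nil?) ? current : rule.value
    end
  end

  private

  def pick_rule(name, action_url)
    matching = @rules.select { |r| r.applies_to?(name, action_url) }
    scoped, global = matching.partition { |r| !r.scope.nil? }
    scoped.last || global.last
  end
end

# Constructed sample (not from the thread): two forms on the same site share a
# field named "amount", but the transfer form only accepts a different value.
RULES = FormFiller.parse_cli(['amount:123', '^quantity$:1']) + [
  FillRule.new(name_pattern: /^amount$/, value: '999',
               scope: 'http://example.test/checkout/transfer')
]

def demo
  filler = FormFiller.new(RULES)
  {
    generic:  filler.fill('http://example.test/cart',
                          { 'amount' => '', 'quantity' => '', 'note' => 'hi' }),
    transfer: filler.fill('http://example.test/checkout/transfer?step=2',
                          { 'amount' => '', 'quantity' => '', 'csrf' => 'abc' })
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The scoping rule here compares scheme, host, port and path of the form's action URL, so the same form reached with a different query string still gets its value, while a scheme or host change falls back to the global rule; that is a design choice of this example, not Arachni's behaviour.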