Parameter-Based Testing
Now let's go back to where we left off before we dove into makeRequest. You recall that we had just started our loop through the input file requests and had checked to see if the requests contained parameters. Now that we have replayed the original unaltered request, let's start dicing up the input file entry and generate our parameter-based test requests. Because we are within the if statement that checks for the presence of request parameters, we know any request that hits this area of the code has input parameters. As such, we perform a split on the first question mark to separate the data from the method and resource name. We assign the method and resource name (typically a web server script or file) to the $methodAndFile variable and the parameter data to the $reqData variable:
#Populate methodAndFile and reqData variables
my ($methodAndFile, $reqData) = split(/\?/, $oRequest, 2);
Next, we split the $reqData variable into an array based on an ampersand (&). Because this character is used to join parameter name/value pairs, we should be left with an array containing each parameter name/value pair:
my @reqParams = split(/\&/, $reqData);
Now that @reqParams is populated with our parameter name/value pairs, we are ready to start testing individual parameters. For efficiency, our scanner tests only unique page/parameter combinations that have not yet been tested. This is important if we have a large application that makes multiple requests to a common page ...
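The two split steps above, together with the "test each page/parameter combination only once" rule, pulled into one stand-alone routine. This is an added example, not the book's scanner code: the sample input file entries, the uniqueParameterTests name and the "$methodAndFile|$name" tracking key are assumptions made here.

```perl
#!/usr/bin/perl
# Added example (not the book's scanner): dissect request-file entries of the
# form "METHOD /resource?name=value&name2=value2" as the chapter describes and
# keep only page/parameter combinations that have not been seen before.
use strict;
use warnings;

# Constructed sample input file entries (format assumed from the chapter).
my @inputEntries = (
    'GET /cgi-bin/search.cgi?q=books&page=1',
    'GET /cgi-bin/search.cgi?q=tools&page=2',   # same page/parameters: skipped
    'POST /login.pl?user=alice&remember=1',
    'GET /index.html',                          # no parameters: not dissected
);

# Returns a list of [methodAndFile, paramName, paramValue] triples, one for
# every page/parameter combination not already recorded in %$seen.
sub uniqueParameterTests {
    my ($entries, $seen) = @_;
    my @tests;
    foreach my $oRequest (@$entries) {
        # Only requests carrying a query string reach this part of the scanner.
        next unless $oRequest =~ /\?/;

        # Populate methodAndFile and reqData, splitting on the first '?' only
        # so a '?' inside a parameter value stays with the data.
        my ($methodAndFile, $reqData) = split(/\?/, $oRequest, 2);

        # Break the query string into name/value pairs on '&'.
        my @reqParams = split(/\&/, $reqData);

        foreach my $pair (@reqParams) {
            my ($name, $value) = split(/=/, $pair, 2);
            $value = '' unless defined $value;   # bare "name" with no "=value"

            # Remember page/parameter combinations so each is tested once.
            my $key = "$methodAndFile|$name";
            next if $seen->{$key}++;

            push @tests, [$methodAndFile, $name, $value];
        }
    }
    return @tests;
}

my %seen;
foreach my $t (uniqueParameterTests(\@inputEntries, \%seen)) {
    my ($methodAndFile, $name, $value) = @$t;
    print "test $methodAndFile  param=$name  original=$value\n";
}
```

With the constructed entries, the loop prints four tests (q and page for search.cgi, user and remember for login.pl); the second search.cgi entry adds nothing because both of its parameters were already recorded.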