Advanced: Custom Parameters tab

The Advanced tab of Parameters and Cookies view in the Configuration dialog box.

About this task

The second tab of the Explore: Parameters and Cookies view lets you create and manage custom parameters with formats that AppScan® would not be able to recognize automatically.

AppScan® automatically recognizes parameters in standard HTML format, but if parameters are in other formats (for example within the path or within another parameter), you need to define them to AppScan® so it can recognize, follow and manipulate them during scanning.

Procedure

Click the plus button

The Add Custom Parameter dialog box opens. Its fields and options are described in the table following.

Setting

Description

Reference Name

Assign the parameter an easily recognizable name.

Custom parameters appear on the Application Data tree with the prefix "__patternParameter__" followed by the parameter name.

Pattern

A regular expression containing one or more groups that defines the parameter.

A "group" is a section of the regular expression delineated by parentheses. One of the groups contains the parameter value, and there may also be a group that contains the name.

You can open the Expression Test PowerTool by clicking Expression Test button to help you verify the syntax of the regular expression.

Name group index

(Optional) If the name is included in the regular expression, indicate which group (1,2,3...) contains it.

AppScan® uses this value to "count through the groups" and locate the parameter name (see example below).

Value group index

Indicate which group (1, 2, 3...) in the above regular expression contains the parameter's value.

AppScan® uses this value to "count through the groups" and locate the parameter value (see example below).

Location

Indicate which component of the request contains this parameter: Body / Path / Query.

Note: The selection you make here will apply to both the Pattern and the Condition Pattern (if any), but not to the Response Pattern.

Condition Pattern

(Optional) You can enter a regular expression that defines the whole component (Body, Path or Query) containing the parameter. AppScan® will create the parameter only when the whole component matches this pattern; saving scan time.

For example, if the parameter is located in the Body, and the Body must be XML, you could set as the Condition Pattern a regex that verifies that the Body starts and ends with XML tags. In cases where it does not, AppScan® will not create the parameter.
Note: Fields that require or accept a regular expression have this button: the Expression Test button, which opens the Expression Test PowerTool, to help you verify the syntax of the regular expression.

Group indexes

To understand the indexing system for groups in the Pattern regular expression, consider the following example:

Pattern: (abc)((def)(ghi))
The groups in this expression would be indexed as follows:
Group 1: (abc)
Group 2: ((def)(ghi))
Group 3: (def)
Group 4: (ghi)
Use the Name group index and Value group index drop down lists to select the correct groups for the parameter. The selected group is highlighted in the Pattern field.
Note: If you change the pattern after indexes have been selected, and the selected index no longer exists in the pattern, a warning appears, but the value is not automatically changed, and you must change it manually.