The challenge of parameter-based navigation sites
An explanation of the configuration changes needed to scan a site in which the navigation is parameter-based.
By default, AppScan® has a Redundant Path Limit of 5 (the maximum number of times a request can be sent to the same URL; see the Explore Options view). In regular sites this prevents repeating tests unnecessarily. However, when site navigation is parameter-based, this low limit will effectively prevent AppScan® from scanning the site thoroughly, and a scan run using the Regular Scan template will discover and test hardly any of the site. Raising the limit on its own is not the answer either, for two reasons:
- During the Explore stage, when hashing a request, AppScan® includes all the parameters and cookies it finds in the request. With the redundant path limit gone, every combination of these values is treated as a distinct request. Say, for example, that each page in one section of the site contains hundreds of links to a script that retrieves information from the database about an item available for sale. These links carry a parameter named item_id, which plays no part in generating new pages and is used only to retrieve information about the item. AppScan® will end up requesting thousands of instances of this item info page unless item_id can be excluded from the hash.
- In the Test stage the problem becomes more severe. Say that a request contains two parameters, par1 and par2, and AppScan® encounters four links that include these parameters:
  http://site.com/content.aspx?par1=a&par2=c
  http://site.com/content.aspx?par1=a&par2=d
  http://site.com/content.aspx?par1=b&par2=c
  http://site.com/content.aspx?par1=b&par2=d
  If there are 400 tests applicable to each parameter, AppScan® will send 1600 tests in total (800 on par1, once with par2=c and once with par2=d, and 800 on par2, once with par1=a and once with par1=b)! Therefore, in addition to excluding these parameters from the Explore hash, we must tell AppScan® to test each parameter only once: 400 tests on par1 and 400 tests on par2.

To scan such a site thoroughly, AppScan® must therefore be configured to behave as follows:
- Explore stage: Ignore the values of all parameters except navigational parameters.
- Test stage: Do not create new tests when the value of a parameter changes, except for navigational parameters.