Sites that use parameter-based navigation
Sites in which all pages are reached using a single URL need a specific scan configuration.
A site with "parameter-based" navigation is a site where only one URL (controller) is sent, while different parameters in the URL result in different content and structure being returned. (Sites of this kind are sometimes referred to by our support team as "megascript" sites.)
- In some sites the URL does actually remain the same for all "pages", as in the following example:
http://site.com/content.aspx?PageName=page1
http://site.com/content.aspx?PageName=page2
- In other sites, all links are directed through a single proxy page, using a GET parameter. For example:
http://site.com?default.aspx/redirect=page1
redirects to:
http://site.com/page1.aspx
This poses the same problem for AppScan® as the previous case, since the same URL is sent each time.
- In the case of ASP.NET 2.0 postback links, each link generates a POST request to the page it is located on.
Once again, the problem posed to AppScan® is the same.
In all cases the requests for all "pages" are sent to the same URL. This requires special treatment from AppScan®, as the default configuration will result in an incomplete scan.
To scan a site with parameter-based navigation
- When creating the scan, select the Parameter-Based Navigation template instead of the Regular Scan template.
- Verify that the navigational parameter(s) of your site are correctly defined: Go to Scan > Scan Configuration > Parameters and Cookies, and check that the regular expression defining the last parameter in the list includes the navigational parameter(s) of your site. If necessary, edit the regular expression. (See Parameters and Cookies view.)
- (Optional and Advanced:) Configure the Content-Based Results tab of the Scan Configuration dialog box, so that AppScan can present a meaningful application tree. (See Content-Based Results view.)
- Make any other configuration changes you need, and continue as for a regular scan.
- (Optional:) When viewing scan results in the application tree, select Content-based view instead of the default URL-based view. (See Application Tree.)
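As an added illustration (not AppScan code, and not part of the original documentation), the following Python sketch shows why identifying pages by URL alone collapses the "pages" of such a site, and how to check that a regular expression covers your navigational parameters. The regular expression, the use of the ASP.NET `__EVENTTARGET` postback field as the navigation parameter, and the sample requests are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed navigational-parameter pattern for the sample site below
# (constructed for this example; not AppScan's built-in expression).
NAV_PARAM_RE = re.compile(r"^(PageName|redirect|__EVENTTARGET)$")

# Constructed sample traffic: (method, URL, POST body).
REQUESTS = [
    ("GET", "http://site.com/content.aspx?PageName=page1", ""),
    ("GET", "http://site.com/content.aspx?PageName=page2", ""),
    ("GET", "http://site.com/content.aspx?PageName=page2&sessionid=abc", ""),
    ("POST", "http://site.com/orders.aspx", "__EVENTTARGET=lnkNext&qty=1"),
    ("POST", "http://site.com/orders.aspx", "__EVENTTARGET=lnkPrev&qty=1"),
]

def params(url, body):
    """Return all (name, value) pairs from the query string and the POST body."""
    return (parse_qsl(urlsplit(url).query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))

def url_key(method, url, body):
    """Page identity by method, host and path only (URL-based view)."""
    parts = urlsplit(url)
    return (method, parts.netloc, parts.path)

def nav_key(method, url, body, nav_re=NAV_PARAM_RE):
    """Page identity that also includes the navigational parameter values."""
    nav = sorted((k, v) for k, v in params(url, body) if nav_re.match(k))
    return url_key(method, url, body) + (tuple(nav),)

def distinct_pages(requests, key_fn):
    """Set of distinct page identities seen in the requests."""
    return {key_fn(*r) for r in requests}

def uncovered_nav_params(expected, nav_re=NAV_PARAM_RE):
    """Navigational parameter names that the regular expression fails to match."""
    return [name for name in expected if not nav_re.match(name)]

if __name__ == "__main__":
    print("URL-based pages:      ", len(distinct_pages(REQUESTS, url_key)))
    print("Parameter-based pages:", len(distinct_pages(REQUESTS, nav_key)))
    print("Uncovered parameters: ",
          uncovered_nav_params(["PageName", "redirect", "__EVENTTARGET"]))
```

Run `uncovered_nav_params` with the parameter names your own site uses for navigation; any name it returns is one the regular expression needs to be edited to include.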