Re: Handling URL Query String Based Navigation (444 Views)
Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 1 of 6 (451 Views)

Handling URL Query String Based Navigation

Hi,

I have been asked to scan an application that uses query strings to identify pages.

These have been structured in the following way:

http://mydomain.com/controller.aspx?_NCE=Home&_NCS=Search&_NCP=2 represents the Homepage

http://mydomain.com/controller.aspx?_NCE=SearchEnquiries&_NCS=Welcome&_NCP=1 represents the Search Page

etc.

I'm having trouble getting Web Inspect to identify all these different pages.

In the Scan Settings >> HTTP Parsing >> HTTP Parameters Used For Navigation I added the three parameters _NCE, _NCE and _NCP (as above), though Web Inspect still didn't identify all the different pages.

Is this the correct way for setting up a scan for an app that uses this kind of navigation?

Are there any settings that need to be considered for this kind of scan?

Can you tell me about your experience with scanning these kinds of web apps?

Many thanks as usual,

Cheers,

Dan

Valued Contributor
Sam_Shober
Posts: 70
Registered: ‎03-29-2011
Message 2 of 6 (444 Views)

Re: Handling URL Query String Based Navigation

Happy Holidays Dan,

Your solution looks right to me at first glance. I don't recall if you need to adjust the Max URL hits setting. I think you do. Likewise with the Max web form submission parameter. Both are on the General page of the scan settings screen.

If WI found most pages but didn't find every page it could be that it's having trouble completing workflows. Make sure your web forms file has everything it needs to properly complete the webforms and navigate through the workflows. It could also be that there are other parameters that you didn't identify yet.

I suggest you do the following in a methodical way.

1) Navigate the site with the web form value editor tool to record a set of web form values specific to the site. Review the values recorded and exclude any state or navigation parameters. Use these values in future scans.

2) Adjust the crawler settings in a methodical way.

3) Perform crawl only assessments until you are satisfied with the coverage you are getting from the scanner's site discovery phase.

You may determine that you need to do workflow macros to cover the site. If that's the case then we'll need to talk some more.

It may benefit you to log a case with the support team as well. They can establish a remote session (webex) with you if needed to work through the site.

Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 3 of 6 (439 Views)

Re: Handling URL Query String Based Navigation

Hi Sam,

Thank you very much for your help as usual :o)

I hadn't increased the max URL hits or web form submission counts, so I'll increase those.

I have had a browse through the application and there doesn't seem to be any complex web forms. The most complex form is a search screen, but it only requires a single search parameter to be present in order to perform the search. The same page is always returned from a search as well, so different search combinations will still produce the same page.

Something else I have noticed is that the application doesn't use the standard <a href> tags for defining links. Instead it uses an onclick event as per the example below:

onclick="javascript:MenuEvent('SearchEnquiries')"

Not sure if this means that I will need to add something to the "Specialized Link Parsing Settings"?

Happy Holidays to you too and thanks for all your help :o)

Valued Contributor
Sam_Shober
Posts: 70
Registered: ‎03-29-2011
Message 4 of 6 (435 Views)

Re: Handling URL Query String Based Navigation

Dan,

I don't think the onclick event will make a difference, but I'll follow up with some developers when they get back. Pretty much everyone here is off until early January.

You could try using manual crawl to see what shows up. That may give you a few clues about structure.

Have a happy holiday.

Valued Contributor
Sam_Shober
Posts: 70
Registered: ‎03-29-2011
Message 5 of 6 (421 Views)

Re: Handling URL Query String Based Navigation

Dan,

Sorry for the long delay in getting back to you on this. The developers state

"Max URL hits works on understanding of “page” which would include navigation parameters, and thus need not be increased"

There is an assumption of course that the navigation parameters were properly defined in the scan configuration.

Some additional information they provide is

"It would help if [you] could identify what link WI is not finding, and what page the link appears on. Then looking at that page (i.e. session) in WebInspect, switch to links view, and see if WI identified that link as existing. If not, WI is not seeing it for some reason on that page (and since those are JS-based menus, perhaps script parser is not able to navigate the menu if it is complex). If yes, then double-click it, and it should take you to that session. There you can see if WI got the response, and if not, I believe you can see there why WI didn’t (i.e. reject reasons). For the reject reasons, [you] may need to enable a hidden app setting (not a scan setting) called “EnableSupportUI” to enable the screen that gives the reject reasons."

For assistance on enabling hidden settings you should contact the product support team.

I hope this helps.

-Sam-

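Added example (not written by either poster and not WebInspect code): a small Python coverage check for a crawl of a site like the one discussed. It keys each crawled URL on the three navigation parameters from the thread and lists MenuEvent() targets that no crawled page matches. Assumptions: the MenuEvent argument equals the _NCE value, and the `sort` parameter, the crawled URL list and the HTML fragment are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Navigation parameters named in the thread; with the path they identify a "page".
NAV_PARAMS = ("_NCE", "_NCS", "_NCP")

def page_key(url, nav_params=NAV_PARAMS):
    """Reduce a URL to (path, nav-parameter values); other parameters are ignored."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return (parts.path,) + tuple(query.get(p, [""])[0] for p in nav_params)

def distinct_pages(urls):
    """Set of logical pages represented in a list of crawled URLs."""
    return {page_key(u) for u in urls}

# Matches onclick="javascript:MenuEvent('Name')" in the form quoted in the thread.
MENU_EVENT = re.compile(
    r"""onclick\s*=\s*"\s*(?:javascript:)?\s*MenuEvent\(\s*'([^']+)'\s*\)""", re.I)

def menu_targets(html):
    """Names passed to MenuEvent() in onclick handlers, in document order."""
    return MENU_EVENT.findall(html)

def uncrawled_targets(html, crawled_urls):
    """Menu targets with no crawled page whose _NCE value matches (assumed mapping)."""
    seen_nce = {key[1] for key in distinct_pages(crawled_urls)}
    return [t for t in menu_targets(html) if t not in seen_nce]

# Constructed sample input: a crawl export and one page's menu markup.
CRAWLED = [
    "http://mydomain.com/controller.aspx?_NCE=Home&_NCS=Search&_NCP=2",
    "http://mydomain.com/controller.aspx?_NCE=Home&_NCS=Search&_NCP=2&sort=asc",
]
MENU_HTML = (
    '<td onclick="javascript:MenuEvent(\'Home\')">Home</td>'
    '<td onclick="javascript:MenuEvent(\'SearchEnquiries\')">Search</td>'
)

if __name__ == "__main__":
    print("logical pages crawled:", len(distinct_pages(CRAWLED)))
    print("menu targets never reached:", uncrawled_targets(MENU_HTML, CRAWLED))
```
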
Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 6 of 6 (414 Views)

Re: Handling URL Query String Based Navigation

Hi Sam,

Thanks for your response.

I ended up using a Workflow Macro for this site as it wasn't too large or complex. This seemed to identify all the pages that were previously missing.

In saying this though, I’m coming across more and more sites that use JavaScript based navigation, rather than <a href>, so will get a chance to try out your solution in the not too distant future.

Thanks again for your help.

Regards,
Dan
