12-20-2011 10:44 PM
I have been asked to scan an application that uses query strings to identify pages.
These have been structured in the following way:
I'm having trouble getting Web Inspect to identify all these different pages.
In the Scan Settings >> HTTP Parsing >> HTTP Parameters Used For Navigation I added the three parameters _NCE, _NCE and _NCP (as above), though Web Inspect still didn't identify all the different pages.
Is this the correct way for setting up a scan for an app that uses this kind of navigation?
Are there any settings that need to be considered for this kind of scan?
Can you tell me about your experience with scanning these kinds of web apps?
Many thanks as usual,
12-21-2011 06:00 AM
Happy Holidays Dan,
Your solution looks right to me at first glance. I don't recall if you need to adjust the Max URL hits setting. I think you do. Likewise with the Max web form submission parameter. Both are on the General page of the scan settings screen.
If WI found most pages but didn't find every page, it could be that it's having trouble completing workflows. Make sure your web forms file has everything it needs to properly complete the web forms and navigate through the workflows. It could also be that there are other parameters that you didn't identify yet.
I suggest you do the following in a methodical way.
1) Navigate the site with the web form value editor tool to record a set of web form values specific to the site. Review the values recorded and exclude any state or navigation parameters. Use these values in future scans.
2) Adjust the crawler settings in a methodical way.
3) Perform crawl-only assessments until you are satisfied with the coverage you are getting from the scanner's site discovery phase.
You may determine that you need to do workflow macros to cover the site. If that's the case then we'll need to talk some more.
It may benefit you to log a case with the support team as well. They can establish a remote session (webex) with you if needed to work through the site.
12-21-2011 04:53 PM
Thank you very much for your help as usual :o)
I hadn't increased the max URL hits or web form submission counts, so I'll increase those.
I have had a browse through the application and there doesn't seem to be any complex web forms. The most complex form is a search screen, but it only requires a single search parameter to be present in order to perform the search. The same page is always returned from a search as well, so different search combinations will still produce the same page.
Something else I have noticed is that the application doesn't use the standard <a href> tags for defining links. Instead it uses an onclick event as per the example below:
Not sure if this means that I will need to add something to the "Specialized Link Parsing Settings"?
Happy Holidays to you too and thanks for all your help :o)
12-22-2011 10:16 AM
I don't think the onclick event will make a difference, but I'll follow up with some developers when they get back. Pretty much everyone here is off until early January.
You could try using manual crawl to see what shows up. That may give you a few clues about structure.
Have a happy holiday.
01-05-2012 06:08 AM - edited 01-05-2012 06:08 AM
Sorry for the long delay in getting back to you on this. The developers state:
"Max URL hits works on understanding of “page” which would include navigation parameters, and thus need not be increased"
There is an assumption of course that the navigation parameters were properly defined in the scan configuration.
Some additional information they provide is:
"It would help if [you] could identify what link WI is not finding, and what page the link appears on. Then looking at that page (i.e. session) in WebInspect, switch to links view, and see if WI identified that link as existing. If not, WI is not seeing it for some reason on that page (and since those are JS-based menus, perhaps script parser is not able to navigate the menu if it is complex). If yes, then double-click it, and it should take you to that session. There you can see if WI got the response, and if not, I believe you can see there why WI didn't (i.e. reject reasons). For the reject reasons, [you] may need to enable a hidden app setting (not a scan setting) called "EnableSupportUI" to enable the screen that gives the reject reasons."
For assistance on enabling hidden settings you should contact the product support team.
I hope this helps.
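An added example, not part of the original posts and not WebInspect code: one way to work out which pages a crawl missed when page identity lives in the navigation parameters, by comparing URLs recorded during a manual browse with URLs the crawl reached. Only the parameter names `_NCE` and `_NCP` come from the thread; the host, path, `sid` parameter and all values are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Navigation parameter names taken from the thread.
NAV_PARAMS = ("_NCE", "_NCP")


def page_key(url, nav_params=NAV_PARAMS):
    """Reduce a URL to the identity of the page it selects.

    Only the path and the navigation parameters count; state parameters
    such as a session id are ignored, and parameter order does not matter.
    """
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    nav = tuple(sorted((k, v) for k, v in query if k in nav_params))
    return (parts.path, nav)


def missing_pages(browsed, crawled, nav_params=NAV_PARAMS):
    """Return pages seen while browsing manually that the crawl never reached."""
    crawled_keys = {page_key(u, nav_params) for u in crawled}
    seen, missing = set(), []
    for url in browsed:
        key = page_key(url, nav_params)
        if key not in crawled_keys and key not in seen:
            seen.add(key)
            missing.append(key)
    return missing


# Constructed sample data: URLs from a manual browse and from a crawl export.
BROWSED = [
    "https://app.example/main.aspx?_NCE=10&_NCP=1&sid=abc",
    "https://app.example/main.aspx?_NCE=10&_NCP=2&sid=abc",
    "https://app.example/main.aspx?_NCE=20&_NCP=1&sid=abc",
    "https://app.example/main.aspx?_NCP=1&_NCE=20&sid=def",  # same page, reordered
]
CRAWLED = [
    "https://app.example/main.aspx?_NCE=10&_NCP=1&sid=xyz",
    "https://app.example/main.aspx?_NCE=10&_NCP=2&sid=xyz",
]

if __name__ == "__main__":
    for path, nav in missing_pages(BROWSED, CRAWLED):
        print("not reached by crawl:", path, dict(nav))
```

Passing an empty `nav_params` collapses every sample URL into one page and reports nothing missing, which is the effect of a scan whose navigation parameters are not defined.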
01-08-2012 09:20 PM
Thanks for your response.
I ended up using a Workflow Macro for this site as it wasn't too large or complex. This seemed to identify all the pages that were previously missing.
Thanks again for your help.