The Business Logic Recorder is a new and unique Acunetix feature that lets you test more web applications without extensive manual work or additional non-automated tools. Most automated web vulnerability scanners do not have any mechanisms that let you test applications with complex business logic. In this article, we explain how the Business Logic Recorder works and when you may need to use it to test your web applications.
Web applications process user input data in the background but an automated scanner cannot recognize the meaning of this data. In many cases, the application may behave differently depending on the data that the user selects or enters. This is when you need a tool that lets you “explain” to the vulnerability scanner what can happen when users enter different data.
Multi-Step Web Forms and Their Variations
Many web applications use multi-step web forms. This is because some business processes need to collect different data in, for example, step 2, depending on the information provided by the user in step 1.
Shopping carts are very often multi-step forms. They need to collect personal details, then billing and shipping addresses, then payment information, and then finalize the business process. Airline reservation sites also typically use multi-step forms.
The key concept to keep in mind here is that one field (or more correctly – different values or value ranges in one field) can give rise to different workflow paths within a web application. As an example, consider a car rental company presenting its users with a web form for booking a rental car. A typical field in such a form would be a birth date (to verify the driver’s age). There could be 3 variations for such a field in this hypothetical example:
- If the driver’s age entered is 65 or more, or 20 or less, the web form could simply stop the user and inform them that car rental is not available for drivers in that age range.
- If the driver’s age entered is between 26 and 64, the web form would lead the user to the next step in the multi-step form, where the normal car rental procedure would be followed.
- Finally, if the driver’s age entered is between 21 and 25, the web form would lead the user to an extra intermediate step in the multi-step form where the user is asked to acknowledge and accept additional insurance costs related to that age range.
This is the sort of scenario the Business Logic Recorder is suited for: the BLR lets you record a number of sequences (effectively one for each variation), ensuring that the scanner can reach every valid variation for vulnerability testing.
Business Logic Field Constraints
Some web forms are designed to require a restricted set of values for particular fields, which may not necessarily be “guessed” by the scanner engine.
Here is a relatively commonplace example of a multi-step web form with field constraints that might not be properly navigated by an automated scanner without assistance from the Business Logic Recorder:
In this example, the fields may look quite “normal”. However, the web application may be intelligently performing some validation based on the combination of values provided in the phone number Country Code field in Step 1 and the Postal / Zip Code field in Step 2. For example, if Country Code is set to 1 (the country code for the United States), the Postal / Zip Code might be validated to ensure that the value is indeed in a format valid for this country.
The Business Logic Recorder allows you to easily record the workflow logic within the web application, increasing the reach of the scanner by overcoming such constraint barriers. This means that Step 3 and Step 4 of the form can successfully be reached and scanned.
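As an added illustration (constructed for this article, not Acunetix code), the following Python models the two forms described above: the car rental form whose age field branches into three workflow paths, and the checkout form whose ZIP code in Step 2 is validated only when the Country Code from Step 1 is 1. The step names, field names and the US ZIP pattern are assumptions; replaying one recorded sequence per variation is what makes every step reachable, which is the job the BLR does for the scanner.

```python
import re

# Constructed model of the car rental form from the article: each handler
# receives the fields submitted so far and returns the next step name
# (or a terminal state). The age bands follow the article's example.
def rental_age_step(fields):
    age = int(fields["age"])
    if age <= 20 or age >= 65:
        return "rejected"            # the form stops the user here
    if 21 <= age <= 25:
        return "insurance_notice"    # extra intermediate step for 21-25
    return "payment"                 # normal path for ages 26-64

def insurance_notice_step(fields):
    # The user must acknowledge the extra insurance cost to continue.
    ok = fields.get("accept_insurance") == "yes"
    return "payment" if ok else "insurance_notice"

US_ZIP = re.compile(r"^\d{5}(-\d{4})?$")   # assumed US postal code format

# Constructed model of the checkout form: the postal code entered in
# step 2 is only checked when the country code from step 1 is 1 (US).
def checkout_step1(fields):
    return "step2"

def checkout_step2(fields):
    if fields["country_code"] == "1" and not US_ZIP.match(fields["postal_code"]):
        return "step2"               # validation error, user stays on step 2
    return "step3"

CAR_RENTAL = {"age": rental_age_step, "insurance_notice": insurance_notice_step}
CHECKOUT = {"step1": checkout_step1, "step2": checkout_step2}

def replay(form, start, recording):
    """Submit each recorded step in order and return the steps visited."""
    visited, step, state = [start], start, {}
    for fields in recording:
        if step not in form:
            break                    # already at a terminal state
        state.update(fields)         # later steps see earlier answers
        step = form[step](state)
        visited.append(step)
    return visited

def coverage(form, start, recordings):
    """Steps reached by the union of several recorded sequences."""
    reached = set()
    for rec in recordings:
        reached.update(replay(form, start, rec))
    return reached
```

A single sequence with an arbitrary value (for example an age of 70, or a ZIP of "test" with country code 1) never leaves the first branch, while three recorded sequences cover all four car rental states.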
Using the Business Logic Recorder
Let us use the Business Logic Recorder to record the business logic in the above example.
To enter the Business Logic Recorder:
- Click the Targets menu option
- Click a target to edit it
- Scroll down to the Business Logic Recorder section
- Click the New BLR button
In the Business Logic Recorder, simply navigate to the element where you need to record business logic (for example, a multi-part web form), and then click the Record button.
The following image shows the Business Logic Recorder in action on Step 1 of the multi-step form, with the right-hand side panel displaying the actions it has recorded.
In the image below, you can see that we have completed Step 2, having entered a ZIP code that is valid for the Country Code 1 we entered in Step 1. The BLR continues to record actions as you navigate all the fields of the multi-step form.
In the image below, you can see that Step 3 has been completed and that the BLR has continued to record actions as you moved from one field to the next, entering appropriate values.
The multi-step form has been completed. You can use the Play button to confirm the steps captured by the Business Logic Recorder. Finally, click the Save button for the BLR to store the recorded actions for use in the next scan.
Summary of Use Cases for the Acunetix Business Logic Recorder
In summary, the Acunetix Business Logic Recorder (BLR) feature is designed to enable effective testing of particular scenarios which would otherwise make it impossible for a scanner to reach all areas of a web application:
- It allows you to define multiple input sequences so that the scanner can reach and test all variations of multi-step web forms or other web application workflows.
- It allows you to define input sequences that fulfill particular constraints in order to reach parts of a web application that an automated scanner would otherwise not be able to reach and test.
The Business Logic Recorder is available for every target in the latest release of Acunetix v13.
This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Kevin Attard Compagno. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/QhhhO2lKiE0/