How to Scan a Shopping Cart with an Automated Security Scanner
Source: Internet | Published under: SQL statements using aliases | Editor: 程序博客网 | Time: 2024/06/05 03:52
Typically, shopping carts use a single template file to generate all of the category pages, another single template file to generate all of the product pages, and so on. Since the website is built from templates, there is no need to scan each and every page when auditing it with an automated web vulnerability scanner such as Acunetix WVS.
When securing template-based websites of this kind, you only need to scan one page from each distinct template rather than all of the pages. Since all pages are generated from the same template, a vulnerability in one template affects every page built from it; likewise, if the template has no vulnerabilities, or all of its vulnerabilities have been fixed, that applies to every page built from it. Taking this approach to securing a template-based web application not only saves time but also makes analysis of the scan results much simpler.
How to scan a shopping cart or template based website
- Scan the Templates
The following example shows how to perform a security scan of a shopping cart by scanning only one page from each distinct template. The shopping cart used in this example is the amazon.co.uk shopping cart.
First, identify all the different templates in the shopping cart. If you have access to the website's files, it is even easier to determine how many templates are used by analyzing the file structure.
In the following example we compare the URLs of two subcategories of the Books category:
http://www.amazon.co.uk/Art-Architecture-Photography-Books/b/ref=amb_link_162814547_1?ie=UTF8&node=91&pf…
http://www.amazon.co.uk/Audio-CDs-Books/b/ref=amb_link_162814547_2?ie=UTF8&node=267859&pf…
This example shows that the only difference between the two URLs is the node value, which specifies the category. The differing suffixes in 162814547_1 and 162814547_2 are just for categorization: the function has the same name and loads different data depending on the node value, but it uses the same template.
From this example it is clear that different categories use the same template with different data extracted from the database, and the same holds for different products. So, to scan the shopping cart templates, the user can go through all the different categories up to the product selection point and list all the distinct templates to be scanned. The product selection point is where the user adds the product to the shopping basket.
- Scan the Checkout Area
Typically, shopping carts include a checkout process, which should also be scanned. The checkout area usually consists of a small number of pages that allow you to enter shipping and payment details. This section should be scanned separately from the shopping cart templates.
To scan the checkout area, you should select a product and then proceed through the whole checkout process.
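The template-selection and checkout-separation steps above, worked as an added example (not code from the original post or from Acunetix): given a constructed list of crawled URLs, it reduces each URL to a template shape (human-readable slugs and numeric runs normalized, query values dropped so only parameter names remain), keeps the first URL seen per template, and sets the checkout-area URLs aside for their own scan. The slug heuristic, the checkout path markers and the shop.example URLs are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Path segments that mark the checkout area, which is scanned separately (assumed markers).
CHECKOUT_SEGMENTS = {"cart", "basket", "checkout", "payment"}

# Heuristic (an assumption): a slug such as "Audio-CDs-Books" is data, not part of the template.
SLUG_RE = re.compile(r"[A-Za-z]+(?:-[A-Za-z]+)+")


def template_key(url: str) -> str:
    """Reduce a URL to its template shape: slugs -> {slug}, digit runs -> {n},
    query values dropped so only the sorted parameter names remain."""
    parts = urlsplit(url)
    segs = []
    for seg in parts.path.split("/"):
        if not seg:
            continue
        if SLUG_RE.fullmatch(seg):
            seg = "{slug}"
        segs.append(re.sub(r"\d+", "{n}", seg))
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return parts.netloc + "/" + "/".join(segs) + "?" + "&".join(names)


def plan_scan(urls):
    """Return (representatives, checkout): the first URL seen for each template
    key, plus every checkout-area URL kept whole for a separate scan."""
    representatives, checkout = {}, []
    for url in urls:
        path_segs = {s.lower() for s in urlsplit(url).path.split("/")}
        if path_segs & CHECKOUT_SEGMENTS:
            checkout.append(url)
        else:
            representatives.setdefault(template_key(url), url)
    return representatives, checkout


# Constructed sample crawl, modelled on the category/product URL pattern discussed above.
SAMPLE_URLS = [
    "https://shop.example/Art-Architecture-Photography-Books/b/ref=amb_link_162814547_1?ie=UTF8&node=91",
    "https://shop.example/Audio-CDs-Books/b/ref=amb_link_162814547_2?ie=UTF8&node=267859",
    "https://shop.example/Computing-Books/b/ref=amb_link_162814547_3?ie=UTF8&node=71",
    "https://shop.example/Some-Product-Title/dp/B000123456?ie=UTF8",
    "https://shop.example/Another-Product/dp/B000654321?ie=UTF8",
    "https://shop.example/gp/cart/view.html?ie=UTF8",
    "https://shop.example/gp/checkout/address?ie=UTF8&step=1",
]

if __name__ == "__main__":
    reps, checkout = plan_scan(SAMPLE_URLS)
    print(len(reps), "template(s) to scan;", len(checkout), "checkout URL(s) to scan separately")
```

The seven sample URLs collapse to two template representatives (one category page, one product page) plus two checkout URLs; the same idea applies to any crawl export once the slug and checkout heuristics are adjusted for the shop in question.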
Use Acunetix WVS to scan template-based websites
All of the above can be achieved by manually crawling pages from each distinct template using the Acunetix Web Vulnerability Scanner HTTP Sniffer. With the Acunetix WVS HTTP Sniffer you can record all the URLs visited from the web browser and then import those URLs into the Scan operation. For more information on how to use the Acunetix WVS HTTP Sniffer, please refer to the blog post Manual crawling with the HTTP Sniffer.
Using a web browser configured to proxy through the Acunetix WVS HTTP Sniffer, follow the procedure for adding a product to the basket. This sequence of URLs is recorded by the Acunetix sniffer.
Once the product has been added to the cart, save the results and import them into the Acunetix Site Crawler. Save the crawl results and launch a scan against them. The scanner performs a web vulnerability scan against the URLs you visited, i.e. one URL from each category, product, etc. Because all pages of a kind use the same template, the results apply to all of the category and product URLs.
The same procedure is followed for the second part of the shopping cart scan, the ‘Checkout’.
If you use the manual crawling process to scan the checkout area, any session cookies are recorded by the Acunetix WVS HTTP Sniffer and can be used during the Acunetix WVS scan operation. However, the session must remain valid for the cookies to be used successfully during the scan. You should therefore not log out after ‘recording’ the checkout URLs.