1.5. Conditional Parameter (ValidCondRegex)
Web sites that require an authenticated user are difficult to test with automated vulnerability tools such as ZAPROXY. For example, when you test a [change user password] feature on such a site, the password is changed by the tool-generated attack patterns, so ZAP's session relogin fails and every subsequent test fails, because ZAP's Authentication method relogs in with a fixed password value. To handle this case, AutoMacroBuilder holds only the password that was successfully changed and relogs in with it. AutoMacroBuilder uses the conditional parameter ValidCondRegex to detect whether the password has actually been changed: ValidCondRegex is a regular expression that detects that the processing succeeded (is valid).
- Typical flow of the example web site (docker image WEBSAMPSQLINJ, "Modify User" feature)
- Download, install and set up the WEBSAMPSQLINJ web application.
- Follow the BASIC usage instructions.
- Browse the [Modify User] feature, add these requests to the MacroBuilder panel, press the [Track] button and save the json file.
- In the MacroBuilder panel you must set up password tracking: ActiveScan changes the password through the request 002|moduser.php, and when the next login comes, the request 000|mypage.php must use the changed password. Select these two requests with Ctrl + left mouse click and press the [Custom] button.
- The "Custom Parameter Config" screen is displayed. Press the [New] button.
- The "Parameter Edit" screen is displayed. Click the [Track] tab and press the [Add] button.
- Select the request to extract the value from: select moduser.php and press the [OK] button.
- The "Extract parameter value from ..." screen is displayed. Select "requestbody" as the location to extract the value from, select the parameter named "password" and press the [Next] button.
- Select the request to embed the value into: select mypage.php and press the [OK] button.
- Select the parameter to embed the value into: select the parameter named "pass" and press the [Add] button.
- Press the [Save] button in the "Parameter Edit" dialog. In the "Custom Parameter Config" dialog a new entry record has been added. Press the [Close] button in the "Custom Parameter Config" dialog.
- From here the Conditional Parameter setting begins. You need to define a regular expression that validates that the password change is complete. In the MacroBuilder panel, the final "003 | moduser.php" request performs the SQL UPDATE statement that changes the password, so the response to this request should indicate whether the password has been changed. Select "003 | moduser.php" and press the [Custom] button.
- In the "Custom Parameter Settings" dialog, select the record you added above and press the [Edit] button.
- In the "Parameter Edit" dialog, select the record you added above and right-click it. Select the [ValidCondRegex: a regex for detecting succeeded results.] menu item.
- In the "MessageEditor..." dialog, select a keyword in the response text that indicates the processing completed: select the title "user mod completed" in the response, right-click, and select the [Update Regex text with selected text] menu item.
- Press the [Test] button to check that the regex matches the response text. After pressing the [OK] button, if the result is right, press the [Save] button.
- Press the [Save] button in the "Parameter Edit" dialog, then press the [Close] button in the "Custom Parameter Config" dialog.
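The following Python script is an added illustration of the tracking logic the steps above configure through the GUI; it is not AutoMacroBuilder's own source. It takes the parameter names from the page (`password` in the moduser.php request body, `pass` in the mypage.php login) and the page's ValidCondRegex text ("user mod completed"); the scanner values, the `uid` field and the abbreviated responses are constructed sample data. The point it shows is the conditional part: a candidate password is only promoted to the credential used for relogin when the moduser.php response matches the regex, otherwise the previously confirmed password is kept.

```python
import re
from urllib.parse import parse_qs, urlencode

# ValidCondRegex as configured in the walkthrough: the response title that
# moduser.php emits once its UPDATE succeeded.
VALID_COND_REGEX = re.compile(r"user mod completed")


class TrackedPassword:
    """Holds the password that was most recently *confirmed* as changed.

    Models the behaviour described on the page: the candidate value is read
    from the 'password' field of the moduser.php request body, but the held
    value only moves when the response satisfies ValidCondRegex. Otherwise the
    previous password is kept so that the next relogin still works.
    (Illustrative code added to the walkthrough; not the add-on's own source.)
    """

    def __init__(self, initial_password):
        self.current = initial_password
        self.history = [initial_password]  # every value that was confirmed

    def observe_moduser(self, request_body, response_body):
        """Return True if this request changed the password per ValidCondRegex."""
        candidate = parse_qs(request_body).get("password", [None])[0]
        if candidate is None or not VALID_COND_REGEX.search(response_body):
            return False
        self.current = candidate
        self.history.append(candidate)
        return True

    def login_body(self, user):
        """Embed the held value into the 'pass' parameter of the mypage.php login."""
        return urlencode({"user": user, "pass": self.current})


def replay(initial_password, attempts, user="alice"):
    """Run a sequence of (scanner-generated password, moduser.php response) pairs.

    Returns the tracker and the login body that would be sent before the next
    macro run after each attempt, so you can see which attempts actually moved
    the credential. The 'uid' field is an assumed extra form parameter.
    """
    tracker = TrackedPassword(initial_password)
    login_bodies = []
    for pattern, response in attempts:
        request_body = urlencode({"uid": "1", "password": pattern})
        tracker.observe_moduser(request_body, response)
        login_bodies.append(tracker.login_body(user))
    return tracker, login_bodies


# Constructed sample traffic: three scanner-generated values for the password
# field and the (abbreviated) moduser.php responses they produced. Only the
# second one reaches the success page, so only it may replace the credential.
SAMPLE_ATTEMPTS = [
    ("pattern-A", "<html><title>user mod error</title></html>"),
    ("pattern-B", "<html><title>user mod completed</title></html>"),
    ("pattern-C", "<html><title>user mod error</title></html>"),
]

if __name__ == "__main__":
    tracker, bodies = replay("initial-secret", SAMPLE_ATTEMPTS)
    for (pattern, _), body in zip(SAMPLE_ATTEMPTS, bodies):
        print(f"after {pattern!r}: relogin with {body}")
    print("confirmed passwords:", tracker.history)
```

Without the regex check, the third attempt would overwrite the credential with a value the application rejected and the following relogin would fail, which is exactly the failure mode the page describes for a fixed-password authentication method.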