Custom Post Body - Unusual "Parameters"
I have a REST"ish" web service that needs to be scanned. It's the recreation of a legacy product that used a custom query string with MQ. The new service being created is using HTTP and simply sends the legacy query string format as the body of a POST to the back end for processing.
An example string is:
The parameters on the back end are parsed out by splitting on '/' and some on '.'.
Is there any way to create a scan that will see the portions of this string (submitted as the body of a POST) as individual parameters?
I can do this using the Intruder in Burp Suite, surrounding each portion that I want to be treated as a variable with the '§' character. I cannot find anything in WebInspect that allows me to do this.
Re: Custom Post Body - Unusual "Parameters"
I believe you could do this with the Custom Parameters scan settings in WebInspect. These settings were initially created to handle URL Rewriting scenarios (early "RESTish" apps) where portions of the URI folder path were actually input parameters, such as can occur with Amazon, Shutterfly, or JC Penney catalog sites. The Help Guide (F1) in WebInspect has details on a variety of ways to use Custom Parameters so that you can declare select structures in the HTTP Responses to the scanner as legitimate inputs that should be fuzzed.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
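An added example, not part of the thread and not WebInspect or Burp code: a small Python helper that locates each value in a '/'-delimited POST body (with selected fields split again on '.') so a test harness for your own service can treat each one as a separate parameter. The sample body, the function names and the choice of which fields are dot-split are assumptions, since the poster's example string is not shown.

```python
# Constructed sample body; the poster's real format is not shown on the page.
SAMPLE_BODY = "ACCTQRY/1001.02/USD/2024.01.15"


def insertion_points(body, dot_fields=()):
    """Return (start, end) offsets of each value in a '/'-delimited body.

    Fields whose zero-based index is in dot_fields are split again on '.',
    mirroring a back end that splits only some fields on '.'.
    """
    points = []
    pos = 0
    for index, field in enumerate(body.split("/")):
        if index in dot_fields:
            sub = pos
            for part in field.split("."):
                points.append((sub, sub + len(part)))
                sub += len(part) + 1  # skip the '.' delimiter
        else:
            points.append((pos, pos + len(field)))
        pos += len(field) + 1  # skip the '/' delimiter
    return points


def mark(body, points, marker="§"):
    """Wrap every insertion point in markers so the layout can be reviewed."""
    out, last = [], 0
    for start, end in points:
        out.append(body[last:start] + marker + body[start:end] + marker)
        last = end
    return "".join(out) + body[last:]


def substitute(body, point, value):
    """Return the body with one insertion point replaced, the rest intact."""
    start, end = point
    return body[:start] + value + body[end:]


if __name__ == "__main__":
    pts = insertion_points(SAMPLE_BODY, dot_fields={1})
    print(mark(SAMPLE_BODY, pts))
    print(substitute(SAMPLE_BODY, pts[2], "TESTVALUE"))
```

Only field 1 is dot-split here, so the date-like last field stays a single parameter even though it contains '.'.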