New Member.

Custom Post Body - Unusual "Parameters"

I have a REST"ish" web service that needs to be scanned, its the recreation of a legacy product that used a custome query string with MQ.  The new service being created is using HTTP and simply sends the legacy query string format as the body of a POST to the back end for processing.

An example string is:


The parameters on the back end are parsed out splitting on '/' and some on '.'

Is there any way to create a scan that will see the portions of this string (submited as the body of a POST) as individual parameters?

I can do this using the intruder on burpsuite surrounding each portion that i want to be treated as a variable with the '§' character.  I can not find anything in WebInspect that allows me to do this.

2 Replies
Micro Focus Expert
Micro Focus Expert

Re: Custom Post Body - Unusual "Parameters"

I believe you could do this with the Custom Parameters scan settings in WebInspect.  These settings were initially created to handle URL Rewriting scenarios (early "RESTish" apps) where portions of the URI folder path were actually input parameters, such as can occur with Amazon, Shutterfly, or JC Penny catalog sites.  The Help Guide (F1) in WebInspect has details on a variety of ways to use Custom Parameters so that you can declare select structures in the HTTP Respnses to the scanner as legitimate inputs that should be fuzzed.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Raphael Hagi Super Contributor.
Super Contributor.

Re: Custom Post Body - Unusual "Parameters"

I think you will need to write some custom rules to cover this parameters.

Data, or do not.
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.