Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
TomyLamote Absent Member.
Absent Member.
4640 views

How to add line parameter to scan

Hello!

 

I want to add my custom parameter to scan in this case "a"

 

hxxp://123.com/1.php?a=[SQL injection CHECK]

 

I was trying custom policy but no luck. Any help ?

 

Also how to add more ? a,b,c ?

 

 

Thank you !

 

Tomy

0 Likes
1 Reply
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: How to add line parameter to scan

TomyLamote;

 

Within the Policy Manager tool, you would add a Custom Check using the File Menu or a right-click menu once you are in the Attack Groups view/tree.  See the Policy Manager's Help for the article, "Creating a Custom Check".  It sounds like you want to add a Parameter Injection, so select that from the wizard options rather than Simple Attack.  Bear in mind that your Custom Check's  attack payload will be run against all parameter inputs found during the scan, not simply one that you attempt to name.

 

Within the Custom Check, you will need to specify the regex for a valid attack, so please review the WebInspect Help on Regular Expression Extensions to understand what it offers.  WebInspect's regex extensions are tailored for HTTP traffic with simple location tags such as [STATUSCODE], [ALL], [HEADERS], [BODY] , so you do not have to write complex regular expressions for CRLF, et al.

 

 

If this Custom Check option is still not advanced enough, you may want to investigate our WebInspect Extension for Visual Studio 2013 which permits you to add and create Custom Agents.  that will require a bit more work as well as VS skills.

 

 

From Policy Manager Help:

==================================

Parameter injection

This type of attack replaces an argument value with an attack string.

 

Example:

http://www.samplesite.com/webapp.asp?ValidParameter=ValidArgument

will be changed to

http://www.samplesite.com/webapp.asp?ValidParameter=AttackArgument

 

There are several types of parameter injection, as follows:

 

<snip>

 

  • SQL Injection

    SQL injection is the act of passing SQL code into an application. These attack strings are composed of fragments of SQL syntax that will be executed on the database server if the web application uses the string when forming a SQL statement without first filtering out certain characters.

    • Attack Type: Parameter Injection
    • Attack: ' [an apostrophe]
    • Signature: [[STATUSCODE]5\d\d

<snip>

==================================


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.