Checking For Vulnerabilities in Path Fragments
Nowadays, more and more people are using URL rewrite techniques to increase their “friendliness” to both users and search engines. With URL rewrites, a URL like http://www.site.com/cms/product.php?action=buy&id=1 is typically rewritten to something like:
Prior to Acunetix Web Vulnerability Scanner version 8 (WVS 8) we had two ways to deal with this type of situation:
We could install AcuSensor, which automatically detects URL rewrites and informs the scanner about the real filenames and parameters.
We could define URL rewrite rules (either by importing them from .htaccess/httpd.conf or by adding them manually).
Acunetix WVS 8 introduces a new feature to deal with rewritten URLs, called Path Fragments. In WVS 8, the crawler automatically parses URLs and tries to detect whether they are rewritten. If they are, it splits them into path fragments and creates input schemes for them. The Acunetix script engine then works with these input schemes and manipulates each of them looking for vulnerabilities.
To demonstrate this feature, I have prepared a small website that uses URL rewriting. The rewrite rules, defined in a .htaccess file, are listed below.
RewriteEngine on
RewriteRule Details/.*/(.*?)/ details.php?id=$1
RewriteRule BuyProduct-(.*?)/ buy.php?id=$1
RewriteRule RateProduct-(.*?)\.html rate.php?id=$1
We’ve defined three rewrite rules. Here are some sample URLs:
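As an added example (not Acunetix's code, and not the post's own sample URLs), the following Python sketch contrasts the two views the post describes: a crawler that knows nothing about the server splits a rewritten URL into path fragments and must treat each as an input, whereas resolving the URL through the three .htaccess rules above shows which fragment actually reaches the backend as the id parameter. The sample URLs are constructed, and the RewriteRule handling is a simplified emulation (regex search plus $N expansion), not Apache's real matching.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three mod_rewrite rules from the post, as (pattern, substitution) pairs.
# Simplified emulation of RewriteRule: regex search on the path, then $N expansion.
REWRITE_RULES = [
    (r"Details/.*/(.*?)/", "details.php?id=$1"),
    (r"BuyProduct-(.*?)/", "buy.php?id=$1"),
    (r"RateProduct-(.*?)\.html", "rate.php?id=$1"),
]


def path_fragments(url):
    """Split the URL path into the fragments a crawler would treat as inputs.

    Without rewrite knowledge every non-empty segment is a candidate input.
    """
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def apply_rewrite(url, rules=REWRITE_RULES):
    """Resolve a rewritten URL to (script, params) via the first matching rule.

    Returns None when no rule matches (the URL is served as-is).
    """
    path = urlsplit(url).path.lstrip("/")  # per-directory rules see no leading slash
    for pattern, subst in rules:
        m = re.search(pattern, path)
        if not m:
            continue
        # expand $1..$9 with the captured groups, as mod_rewrite does
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
        script, _, query = target.partition("?")
        params = {k: v[0] for k, v in parse_qs(query).items()}
        return script, params
    return None


def dynamic_fragments(url, rules=REWRITE_RULES):
    """Indices of the path fragments that carry a real parameter value.

    These are the fragments whose content ends up in the backend's query
    string; a scanner without the rules would have to test all of them.
    """
    resolved = apply_rewrite(url, rules)
    if resolved is None:
        return []
    values = [v for v in resolved[1].values() if v]
    return [i for i, frag in enumerate(path_fragments(url))
            if any(v in frag for v in values)]
```

Running `apply_rewrite("http://www.site.com/Details/Laptop/1/")` (a constructed URL) yields `("details.php", {"id": "1"})`, and `dynamic_fragments` on the same URL returns `[2]`: only the third of the three fragments reaches the backend as a parameter.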