Scanner Design
Now that we have defined the basic requirements for our scanner, we can start to develop an overview of the scanner’s overall structure. Based on our requirements, two separate scripts will be used to perform testing. We will use the first script to parse the proxy log file and generate an input file with the request data to be used for testing. The second script will accept the input file and perform various tests against the application based on the pages and parameter data contained in the file.
parseLog.pl
Our first script is called parseLog.pl , and it is used to parse the proxy server log file. This script accepts one mandatory input argument containing the name of the file to be parsed. The script’s output is in a simple format that our scanner can use as input. At this point, it probably makes sense to define the actual structure of the input file and the requests contained within it. We must keep in mind here that we most likely will see the following types of requests in our log file:
GETrequests (without a query string)GETrequests (with a query string)POSTrequests
To handle these request types, we generate a flat text file with one
line for each request, as shown in Example 8-5. The
first portion of the line contains the request method
(GET or POST), followed by a
space, and then by the path to the resource being requested. If the
request uses the GET method with query string
data, it is concatenated to the resource name using a question mark
(?). This ...
Get Network Security Tools now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
