For web applications, a web spider (crawler) such as the one in OWASP ZAP, the one in Burp Suite, or the one in the Paros proxy can help enumerate pages, forms, and parameters.
When you find an input location, document it and record what tests you performed to help avoid duplication of effort. For web applications, you want to know:
- The URI of the request.
- The parameters for the URI, including any optional ones and hidden ones (for example, hidden form fields).
- The HTTP method (GET, POST, or any other the application accepts).
- The cookies used and set.
- All HTTP headers the system might use.
Testing for other vulnerabilities also needs this information.
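The following is an added example, not code from the original post: a small Python inventory tool that turns a captured request (as a proxy or spider would log it) into a record with the fields listed above, extracts hidden form fields from the matching HTML, and keys each record so the same input location is not tested twice. The request and HTML samples are constructed for the example; the host name and parameter names are assumptions.

```python
"""Input-location inventory for web application testing (added example)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture: one request as a proxy or spider would record it.
# Host, cookie and parameter names are assumptions made for this example.
SAMPLE_REQUEST = (
    "POST /account/update?lang=en HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "username=alice&csrf=deadbeef&role=user"
)

# Constructed sample form that produced the request above.
SAMPLE_HTML = (
    '<form action="/account/update" method="post">'
    '<input type="hidden" name="csrf" value="deadbeef">'
    '<input name="username">'
    '<input type="hidden" name="role" value="user">'
    '<input type="submit" value="Save">'
    "</form>"
)


class HiddenFieldParser(HTMLParser):
    """Collect names of hidden and visible <input> fields from an HTML page."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return  # unnamed inputs (e.g. submit buttons) send no parameter
        kind = (a.get("type") or "text").lower()
        if kind == "hidden":
            self.hidden.append(name)
        elif kind not in ("submit", "button", "reset"):
            self.visible.append(name)


def hidden_fields(html):
    """Return (hidden_names, visible_names) for all named inputs in the page."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.hidden, p.visible


def parse_request(raw):
    """Split a raw HTTP/1.1 request into the fields worth recording."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {"query": dict(parse_qsl(parts.query, keep_blank_values=True)), "body": {}}
    # Only form-encoded bodies are decoded here; JSON or multipart would need their own parser.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params["body"] = dict(parse_qsl(body, keep_blank_values=True))
    cookies = {}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        cookies = {k: m.value for k, m in jar.items()}
    return {
        "method": method,
        "path": parts.path,
        "params": params,
        "cookies": cookies,
        "headers": sorted(headers),  # names only; values change per request
    }


def inventory_key(record):
    """Stable key for 'same input location': method, path and parameter names."""
    names = sorted(record["params"]["query"]) + sorted(record["params"]["body"])
    return f'{record["method"]} {record["path"]} ' + ",".join(names)


def needs_testing(tested, record):
    """Record the location; return True only the first time it is seen."""
    key = inventory_key(record)
    if key in tested:
        return False
    tested.add(key)
    return True


if __name__ == "__main__":
    rec = parse_request(SAMPLE_REQUEST)
    print(rec)
    print("hidden fields:", hidden_fields(SAMPLE_HTML)[0])
    seen = set()
    print(needs_testing(seen, rec), needs_testing(seen, rec))
```

Keying on method, path and parameter names (rather than values) is what makes the dedup useful: the same form submitted with different values is one input location and gets tested once, while a GET and a POST to the same path are recorded separately.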
Published by
Kenneth Ingham
Kenneth has been working with security since the early 1980s. He was a system administrator when the Morris Worm was released, and one of his work areas was helping secure the systems. Since then, Kenneth has studied network and computer security, and spent many, many hours looking at how software fails. With knowledge about failures, he can help you produce software that is less likely to suffer a security breach. Kenneth has a Ph.D. in Computer Science, and his research topic was on computer security.
Kenneth has helped developers creating systems for financial services institutions, telecommunications companies, and embedded system and process control.