This page explains how to retrieve and scan URLs in an email automatically delivered through a registration process and the like.
Settings items to be used
|A list of URLs and "Substitute list parameter" or "Replacement Text Substitution (regular expression)" will be used.|
The following article describes the setting items available in each template.
[Related article]”The purpose pf Pre processor"
■Ex: Specifications of applications
Assume a case in which you have signed up an email address, and received an email in which an URL with a parameter value randomly generated is provided. And, you want to scan a page that can be accessed from that URL.
When scanning such a target, if the same parameter values cannot be sent more than once, you need to provide the parameter values in accordance with the number of requests to be sent during scanning in advance.
-Execute the email sending feature several times and issue a large amount of URLs(i.e. emails) to acquire values as much as necessary for performing a scan. You can use Vex scanning feature to complete this step.
-Create a list of the values you have acquired, and set up Pre processor so that Vex can access the URLs with different parameter values each time a request is sent.
■Setting in detail
1. Acquire a list of values in URL paths
(1)Set up Pre processor for the email sending feature
Since enough number of URLs (emails) must be provided, you must set up handover for the feature of registering email addresses so that it will be able to register a different email address each time.
Use "Substitute list parameter" here.
See the following article for details on how to set up handover.
[Related article] "Handler setting items"
(2) Execute the email sending process as many as required by performing a scan.
Perform a scan according to the scenario you have created in (1) to execute the email sending process several times so that you can acquire the parameter values.
However, when the scan is performed for the relevant Message ID, the values may not be acquired properly since a payload will be inserted into a request.
This can be resolved by executing the process using either one of the following methods.
*The number of parameters to be provided must be about 50 times the number of parameters to be scanned. You can check how many parameters are specified at the "Number of parameters" in the Proxy log list.
Specify the relevant Message ID in Pre processor for logs that will not be used for the scan, and perform a dummy scan for the log to acquire the value.
You can acquire the normal values since a payload will not be inserted by Pre processor.
The System signature provided by Vex is a signature that does not insert parameters for scanning.
The value can be acquired by performing scans using only System signature as many times as required.
(3) Extract the parameter value in the target URL from the email automatically delivered
*Note that Vex cannot extract a variable part.
2. Set up Pre processor based on the acquired value
(1)Specify the list of the extracted KEYs in Substitute list parameter to perform a scan
Set up handover for the Message ID that will access the URLs in the emails so that it can access the different URL paths each time a request is sent.
Use "Substitute list parameter" (use "Replacement text substitution (Regular expression)" when the values are not parameters but paths) here.
For more details on setting up handover, see the following article.
To make the setting easier, you can create a spreadsheet in which parameter values are listed, and copy and paste them into a "Parameter Values" field.
[Related articles]"Handler setting items"
(2) Perform Test Access to see if the page transition is properly completed.
See the following article for how to verify that the scenario can reproduce the page transition.
[Related article]"How to verify the effectiveness of scenarios"
If URL links have a time limit, you must complete the scan before they expire.
Since Vex does not stop scanning automatically, follow the steps below.
(1) Acquire a list of values
(2) Set up handover based on (1) and perform a scan.
(3) Manually stop the scan when they expire.
(4) Acquire the list of values again.
(5) Replace the list of "parameter values" in which the handover is set in (2) with the one acquired in (4).
*In this case, you must set "Starting position of Substitute list" to "0".
(6) Perform the scan again (after that, repeat (3) to (6)).