If you are familiar with web technologies, whether from assessing them for security or from developing them, you are probably aware of the many innovative ways developers choose to implement web applications. The days of following the HTTP RFC are long gone: developers do whatever they need to do in order to make things work.
For example, HTTP parameters are passed as part of the URL path (e.g. REST), tokens are passed as HTTP headers (e.g. for CSRF protection) instead of as cookies or parameters, parameter values are concatenated with unusual delimiter strings instead of the ampersand (&), and request bodies carry XML islands, JSON, and so on.
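As an added illustration, not code from the original post or from AppScan, here is a small Python sketch of what a scanner has to do when parameters live in these non-standard places: pick them out of the URL path, out of a token header, from behind a site-specific delimiter, and out of a JSON body. The delimiter characters, the header-name pattern and the sample request are assumptions chosen for the example.

```python
import json
import re
from typing import Any, Dict, List, Tuple

Param = Tuple[str, str, str]  # (location, name, value)

# Constructed sample request (not from the original post): a REST-style path,
# a token carried in a header, a custom-delimited query value and a JSON body.
SAMPLE_REQUEST: Dict[str, Any] = {
    "path": "/api/users/42/orders?filter=status:open||sort:desc",
    "headers": {"X-CSRF-Token": "abc123", "Content-Type": "application/json"},
    "body": '{"item": "widget", "qty": 2, "ship": {"zip": "12345"}}',
}

def path_params(path: str) -> List[Param]:
    """REST style: a numeric segment is a value named by the segment before it."""
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    return [("path", segs[i - 1], s) for i, s in enumerate(segs) if i and s.isdigit()]

def custom_query_params(path: str, pair_sep: str = "||", kv_sep: str = ":") -> List[Param]:
    """Query values concatenated with an assumed site-specific delimiter instead of '&'."""
    if "?" not in path:
        return []
    out: List[Param] = []
    for name, _, value in (p.partition("=") for p in path.split("?", 1)[1].split("&")):
        for pair in value.split(pair_sep):
            k, sep, v = pair.partition(kv_sep)
            out.append(("query", f"{name}.{k}", v) if sep else ("query", name, pair))
    return out

def header_params(headers: Dict[str, str]) -> List[Param]:
    """Tokens passed as HTTP headers (e.g. CSRF protection) rather than as cookies."""
    return [("header", k, v) for k, v in headers.items() if re.search(r"token|csrf", k, re.I)]

def json_body_params(body: str) -> List[Param]:
    """JSON bodies: flatten nested objects into dotted names so each leaf is a parameter."""
    def walk(node: Any, prefix: str) -> List[Param]:
        if isinstance(node, dict):
            return [p for k, v in node.items() for p in walk(v, f"{prefix}.{k}" if prefix else k)]
        return [("body", prefix, str(node))]
    try:
        return walk(json.loads(body), "")
    except json.JSONDecodeError:
        return []  # not JSON: nothing to report from this location

def extract_parameters(req: Dict[str, Any]) -> List[Param]:
    """Every parameter location a scanner must know about to test this request."""
    return (path_params(req["path"]) + custom_query_params(req["path"])
            + header_params(req["headers"]) + json_body_params(req["body"]))
```

Running `extract_parameters(SAMPLE_REQUEST)` yields seven parameters spread over four locations, none of which a scanner limited to `&`-separated query strings and form bodies would see.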
Continue reading "Handling Complex Scenarios with AppScan's Custom Parameters"