It would be great if the spider could identify forms,
and make them visible in some fashion to the reviewer.
Possibly even allowing the operator to populate the
form fields and submit the forms manually. Ideally, if
any of the form fields are prefilled (e.g. a hidden
field) these values should be saved and presented to
Present a table of forms according to the conversation
in which they were seen, the method (GET/POST), the
URL, and a "signature" of the INPUT elements that make
up the form.
When a row in the table is selected, populate a
secondary table with the parameters and any known
values, and allow the operator to edit the fields and
supply values, before submitting the form.
It would be useful, but probably quite difficult, to
mark forms as submitted and remove them from the table
if we observe a "compatible" request, e.g. the method
and dst URL are the same, where values are pre-filled
in, the values are the same, etc.
It might not be all that difficult, simply iterate over
the list of conversations, and compare them.
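As an added illustration of the matching described above (example code, not part of this request or of any project's code base), the following Python script pulls the forms out of a spidered response with the standard-library HTML parser, builds a signature from the method, destination URL and INPUT elements, and then iterates over a list of observed conversations to mark a form as submitted when a compatible request is seen: same method, same destination URL, and every pre-filled value (such as a hidden token) carried unchanged. The page URL, HTML and conversations are constructed sample data; the `Form`, `is_compatible` and `mark_submitted` names are the example's own.

```python
"""Added example: form discovery and "compatible request" matching.
Page, HTML and conversations below are constructed sample data."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl


@dataclass
class Form:
    seen_in: str      # id of the conversation in which the form was seen
    method: str       # GET or POST
    action: str       # absolute destination URL
    fields: list = field(default_factory=list)   # (name, type, prefilled value or None)

    def signature(self):
        """Stable description of the INPUT elements making up the form."""
        parts = ",".join(f"{n}:{t}" for n, t, _ in sorted(self.fields, key=lambda f: f[:2]))
        return f"{self.method} {self.action} [{parts}]"

    def prefilled(self):
        """Fields that already carry a value (hidden fields, defaults)."""
        return {n: v for n, _, v in self.fields if v}


class FormExtractor(HTMLParser):
    def __init__(self, conv_id, page_url):
        super().__init__()
        self.conv_id, self.page_url = conv_id, page_url
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = Form(seen_in=self.conv_id,
                                 method=(a.get("method") or "GET").upper(),
                                 action=urljoin(self.page_url, a.get("action") or ""))
        elif tag in ("input", "select", "textarea") and self._current and a.get("name"):
            itype = (a.get("type") or "text").lower() if tag == "input" else tag
            if itype in ("submit", "button", "image", "reset"):
                return   # only the clicked button is sent, so it is not a stable parameter
            self._current.fields.append((a["name"], itype, a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(conv_id, page_url, html):
    p = FormExtractor(conv_id, page_url)
    p.feed(html)
    p.close()
    return p.forms


def _same_destination(u1, u2):
    a, b = urlsplit(u1), urlsplit(u2)
    return (a.scheme, a.netloc, a.path) == (b.scheme, b.netloc, b.path)


def request_params(request):
    """Parameters of an observed request: query string for GET, body for POST."""
    if request["method"].upper() == "GET":
        return dict(parse_qsl(urlsplit(request["url"]).query))
    return dict(parse_qsl(request.get("body", "")))


def is_compatible(form, request):
    """Same method, same destination URL, and every pre-filled value unchanged."""
    if request["method"].upper() != form.method:
        return False
    if not _same_destination(request["url"], form.action):
        return False
    params = request_params(request)
    return all(params.get(n) == v for n, v in form.prefilled().items())


def mark_submitted(forms, conversations):
    """Drop forms for which a compatible conversation exists.
    Returns (remaining forms, list of (form, conversation id) that were submitted)."""
    remaining, submitted = [], []
    for f in forms:
        hit = next((c for c in conversations if is_compatible(f, c)), None)
        if hit:
            submitted.append((f, hit["id"]))
        else:
            remaining.append(f)
    return remaining, submitted


PAGE = "https://app.example.test/account/login"   # constructed
HTML = """<form method="post" action="/account/login">
  <input type="hidden" name="csrf" value="tok123">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in"></form>
<form action="/search"><input name="q"></form>"""
CONVERSATIONS = [   # constructed: what the proxy observed later
    {"id": "7", "method": "POST", "url": "https://app.example.test/account/login",
     "body": "csrf=other&user=a&pass=b"},        # different token: not this form
    {"id": "8", "method": "POST", "url": "https://app.example.test/account/login",
     "body": "csrf=tok123&user=a&pass=b"},       # compatible with the login form
    {"id": "9", "method": "GET", "url": "https://app.example.test/search?q=x"},
]


def demo():
    forms = extract_forms("3", PAGE, HTML)
    remaining, submitted = mark_submitted(forms, CONVERSATIONS)
    return forms, remaining, submitted


if __name__ == "__main__":
    forms, remaining, submitted = demo()
    for f in forms:
        print("conversation", f.seen_in, f.signature())
    for f, cid in submitted:
        print("submitted in conversation", cid, "->", f.signature())
```

The signature sorts fields by name so that the same form reached through different pages collapses to one row, and only the data-bearing elements are included; matching on prefilled values is what distinguishes a replay of the spider's own form (same hidden token) from an unrelated request to the same URL.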