Scanning pages with forms (SortSite Desktop Manual)

SortSite scans sites by following links on each page it scans to find new pages to scan. It’s like clicking on every link on a page to find new pages, then clicking on all the links on the found pages. The form replayer allows the scanner to reach pages that require user input to display. Examples include:

  • A page of search results (nothing gets displayed until you type something to search for)
  • A login page (nothing gets displayed until you type a user name and password)
  • A confirmation page displayed after submitting a Contact Us form

SortSite Professional and Developer Edition can record form actions, for automatic replay during subsequent scans. This lets you test parts of sites not reachable by links.

Warning: this feature should be used with caution, since some forms may have undesirable side effects when the form is submitted. Examples include:

  • A delete confirmation form in a database web app
  • A close bank account form in a banking application
  • Sending an email from a Contact Us page

Recording form actions

To record a form action:

  1. Navigate to the page containing the form you want to record.
  2. Select Record Form Input from the Check menu to start recording.
  3. Type your test values into your form and submit it.
  4. Select Record Form Input again to stop recording. The form action is replayed next time this page is visited during a scan.

To review, pause or delete recorded form actions:

  • Select View Recorded Forms from the Check menu.
  • To stop playback of a form action temporarily, untick Enable Playback on the Options menu next to the form action.
  • To resume playback select Enable Playback again to tick it.
  • To delete a form action permanently, select Delete Recording on the Options menu next to the form action.

Limitations

The form replayer has the following limitations:

  • Forms that only allow data to be entered once usually can’t be replayed (e.g. create new username or join mailing list pages)
  • Forms with captchas can’t be replayed since captchas are designed to stop automated replays
  • Multi-step forms (like insurance quotes) usually can’t be replayed unless each step submits to a unique URL

Note: SortSite Standard doesn’t provide a record and replay facility.

Replaying form actions

Once recorded, form actions are replayed automatically each time the page containing the form is visited during subsequent scans.

For example, if you record a form on https://example.com/account/login then the form is automatically replayed when:

  • You run a site scan on https://example.com (assuming there’s a link to /account/login somewhere on the site)
  • You run a folder scan on https://example.com/account (assuming there’s a link to /account/login somewhere in the /account folder)
  • You run a page scan on https://example.com/account/login

How replay data is stored

Replay data is stored in a replay.xml file on a per-user basis:

  • Mac: ~/Library/PowerMapper Software/SortSite/replay.xml
  • Windows: %localappdata%\PowerMapper Software\SortSite\replay.xml

Recorded data is encrypted using a per-user encryption key, so recorded data is not accessible to other users, even on the same computer.
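The manual states that replay.xml is encrypted per user. An added audit script, not part of SortSite, that a practitioner can run after recording a login form to confirm two things: the file is readable only by its owner (POSIX), and the test value typed into the form does not appear in the clear in either UTF-8 or UTF-16-LE encoding. The file locations are the ones listed above; the secret passed on the command line and the sample bytes in the test are constructed.

```python
import os
import stat
import sys
from pathlib import Path

# Per-user replay.xml locations as given in the manual.
REPLAY_PATHS = {
    "darwin": Path.home() / "Library/PowerMapper Software/SortSite/replay.xml",
    "win32": Path(os.environ.get("LOCALAPPDATA", "")) / "PowerMapper Software/SortSite/replay.xml",
}


def contains_plaintext(data: bytes, secret: str) -> bool:
    """True if the recorded test value is present unencrypted in the file bytes.
    Both UTF-8 and UTF-16-LE are checked, since Windows tooling often writes the latter."""
    return any(secret.encode(enc) in data for enc in ("utf-8", "utf-16-le"))


def is_private(mode: int) -> bool:
    """True if no group/other permission bits are set (POSIX mode bits)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_replay_file(path: Path, secret: str) -> dict:
    """Report whether the replay file exists, whether it is private to its owner
    (None on non-POSIX systems), and whether the test value leaks in the clear."""
    if not path.is_file():
        return {"exists": False, "private": None, "plaintext_leak": None}
    data = path.read_bytes()
    private = is_private(path.stat().st_mode) if os.name == "posix" else None
    return {"exists": True, "private": private, "plaintext_leak": contains_plaintext(data, secret)}


if __name__ == "__main__":
    # Usage: python audit_replay.py <test value you typed into the recorded form>
    secret = sys.argv[1] if len(sys.argv) > 1 else "REPLACE-WITH-YOUR-TEST-VALUE"
    print(audit_replay_file(REPLAY_PATHS.get(sys.platform, Path("replay.xml")), secret))
```

A `plaintext_leak` of True after recording means the value you typed is recoverable without the per-user key, which contradicts the guarantee above and is worth raising with the vendor before recording real credentials.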

How replay data is exported

Replay data can be exported for use by SortSite Developer via the Export command. Exported replay data is encrypted using a per-machine encryption key, so recorded data can be used in different accounts on the same computer, but not on different computers.