SortSite Manual Form Replayer
SortSite scans sites by following links on each page it scans to find new pages to scan. It’s like clicking on every link on a page to find new pages, then clicking on all the links on the found pages. The form replayer allows the scanner to reach pages that require user input to display. Examples include:
- A page of search results (nothing gets displayed until you type something to search for)
- A login page (nothing gets displayed until you type a user name and password)
- A confirmation page displayed after submitting a Contact Us form
SortSite Professional can record form actions, for automatic replay during subsequent scans. This lets you test parts of sites not reachable by links.
Warning: this feature should be used with caution, since some forms may have undesirable side effects when the form is submitted. Examples include:
- A delete confirmation form in a database web app
- A close bank account form in a banking application
- Sending an email from a Contact Us page
Recording form actions
To record a form action:
- Navigate to the page containing the form you want to record.
- Select Record Form Input from the Check menu to start recording.
- Type your test values into your form and submit it.
- Select Record Form Input again to stop recording. The form action will be replayed next time this page is visited during a scan.
To review, pause or delete recorded form actions:
- Select View Recorded Forms from the Check menu.
- To stop playback of a form action temporarily, untick Enable Playback on the Options menu next to the form action.
- To resume playback select Enable Playback again to tick it.
- To delete a form action permanently, select Delete Recording on the Options menu next to the form action.
Some forms can’t be replayed:
- Forms that only allow data to be entered once usually can’t be replayed (e.g. create new username or join mailing list pages)
- Forms with captchas can’t be replayed, since captchas are designed to stop automated replays
- Multi-step forms (like insurance quotes) usually can’t be replayed unless each step submits to a unique URL
Note: SortSite Standard doesn’t provide a record and replay facility.
Replaying form actions
Once recorded, form actions are replayed automatically each time the page containing the form is visited during subsequent scans.
For example, if you record a form on https://example.com/account/login then the form is automatically replayed when:
- You run a site scan on https://example.com (assuming there’s a link to /account/login somewhere on the site)
- You run a folder scan on https://example.com/account (assuming there’s a link to /account/login somewhere in the /account folder)
- You run a page scan on https://example.com/account/login
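The scope rules above, modelled as an added example (not SortSite’s own code): a constructed link graph is crawled breadth-first within the chosen scan scope, and the recorded form fires only if the crawl reaches the page it was recorded on. The scope definitions (site = same scheme and host, folder = path prefix, page = the start URL only) are assumptions drawn from the manual’s three cases.

```python
"""Model of when a recorded form action is replayed during a scan.
Added example, not SortSite's code; scope rules are an assumed reading of the manual."""
from collections import deque
from urllib.parse import urlparse

# Constructed link graph: page URL -> links found on that page.
SITE_LINKS = {
    "https://example.com/": ["https://example.com/about", "https://example.com/account"],
    "https://example.com/about": ["https://example.com/"],
    "https://example.com/account": ["https://example.com/account/login"],
    "https://example.com/account/login": [],
    "https://example.com/blog/": ["https://example.com/"],
}


def in_scope(url, scan_type, start_url):
    """Assumed scope rules: site = same scheme+host, folder = start path prefix, page = start only."""
    u, s = urlparse(url), urlparse(start_url)
    if scan_type == "page":
        return url == start_url
    if (u.scheme, u.netloc) != (s.scheme, s.netloc):
        return False
    if scan_type == "site":
        return True
    if scan_type == "folder":
        folder = s.path if s.path.endswith("/") else s.path + "/"
        return u.path == s.path or u.path.startswith(folder)
    raise ValueError(f"unknown scan type: {scan_type}")


def pages_visited(links, scan_type, start_url):
    """Breadth-first crawl that follows links but never leaves the scan scope."""
    seen, queue = {start_url}, deque([start_url])
    while queue:
        page = queue.popleft()
        for link in links.get(page, []):
            if link not in seen and in_scope(link, scan_type, start_url):
                seen.add(link)
                queue.append(link)
    return seen


def form_replayed(links, recorded_url, scan_type, start_url):
    """True when the scan visits the page whose form action was recorded."""
    return recorded_url in pages_visited(links, scan_type, start_url)
```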
How replay data is stored
Replay data is stored in a replay.xml file on a per-user basis:
Recorded data is encrypted using a per-user encryption key, so recorded data is not accessible to other users, even on the same computer.
Note: Replays in SortSite Developer should be recorded by the desktop application using the same user account used to run the command line tool. If you’re using Jenkins this may require changing the Jenkins service login account, since this defaults to Local System on Windows. The replay.xml file is saved when the application exits, so newly recorded form actions are not available to the command line tool until you quit the desktop application.