What is a WAYPOINTS template or scan rule?

There are two types of templates: public templates, which are published by us (Nova Security) and are publicly available, and private templates, which cannot be viewed by others.

A WAYPOINTS template consists of 4 main parts:

Metadata:

The metadata property stores relevant information that helps you identify the template: tags, a severity, a common weakness (CWE) ID and so on.

Request:

The request property stores the request information and tells WAYPOINTS what kind of HTTP request to make. You can set the URL paths, HTTP methods, HTTP request headers and HTTP POST body.

Matchers:

The matchers property tells WAYPOINTS what to match. You can define up to 10 different conditions (matcher rules) to instruct WAYPOINTS when to mark a finding as a vulnerability.

You can define matchers against several types of criteria, such as:

  • HTTP Response Status Code
  • HTTP Response Content Length
  • HTTP Response Content Type
  • A specific keyword
  • A regex pattern
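
The sketch below is an added example, not WAYPOINTS code or its template format: it models the five matcher criteria above in Python and shows why a keyword-only rule flags a harmless page while a combined rule does not. The field names, the sample responses and the assumption that every matcher must hold (AND) are hypothetical; this page does not say how WAYPOINTS combines matchers.

```python
import re
from dataclasses import dataclass

MAX_MATCHERS = 10  # limit stated on this page


@dataclass
class Response:  # constructed stand-in for an HTTP response
    status: int
    content_type: str
    body: str


def check(matcher, resp):
    """Evaluate one matcher rule (hypothetical field names) against a response."""
    kind, value = matcher["type"], matcher["value"]
    if kind == "status":
        return resp.status == value
    if kind == "content_length":
        return len(resp.body.encode("utf-8")) == value
    if kind == "content_type":
        # Compare the media type only, ignoring parameters such as charset.
        return resp.content_type.split(";")[0].strip().lower() == value.lower()
    if kind == "keyword":
        return value in resp.body
    if kind == "regex":
        return re.search(value, resp.body) is not None
    raise ValueError(f"unknown matcher type: {kind}")


def is_finding(matchers, resp):
    """Assumption: a finding requires every matcher to hold (logical AND)."""
    if not 1 <= len(matchers) <= MAX_MATCHERS:
        raise ValueError(f"expected 1 to {MAX_MATCHERS} matchers")
    return all(check(m, resp) for m in matchers)


# Constructed rules: a keyword-only rule versus a rule combining three criteria.
LOOSE = [{"type": "keyword", "value": "DB_PASSWORD="}]
STRICT = [
    {"type": "status", "value": 200},
    {"type": "content_type", "value": "text/plain"},
    {"type": "regex", "value": r"(?m)^DB_PASSWORD="},
]

# Constructed responses: an exposed config file and an HTML page that mentions the keyword.
EXPOSED = Response(200, "text/plain; charset=utf-8", "APP_ENV=production\nDB_PASSWORD=example\n")
DOCS_PAGE = Response(200, "text/html", "<html><p>Set DB_PASSWORD= in your env file</p></html>")
```

With these constructed inputs, `is_finding(LOOSE, DOCS_PAGE)` reports a false positive, while `STRICT` matches only `EXPOSED`.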

Validator:

The validator property tells WAYPOINTS to visit your target using a web browser. It is another way to minimize false positive and false negative results.

This is especially helpful when you need to listen for a popup event (like alert(), prompt() or confirm()) after visiting your target URL.

Just as with matchers, you can define validators against several types of criteria, such as:

  • A popup (like alert(), prompt() or confirm())
  • HTML Element
  • DOM-Based or Client-Side Redirect
  • A specific keyword
  • A regex pattern

All specified keywords or regex patterns are matched after the page (and DOM) has fully loaded in the browser. This allows you to validate your template even on single-page web applications.