A variable is a value (e.g. a string or a number) referred to by a name.
The value of a variable can be set in the scan configuration, as is commonly done for the standard username and password variables in Authentication GoScripts (and can be done for as many variables as you like, using names you choose). Property values can also be set at run-time to hold values extracted by JavaScript.
Why You Should Use Variables
It is recommended to always use variables to hold sensitive data such as credentials rather than writing the values directly into the script. There are two main reasons for this:
- Security: access to variables is more locked-down than access to scripts. Any user can access all of their company's GoScripts, and so can see any values written directly in the script. Variables saved in scan configurations are only accessible to administrator users, and users specifically allowed access to that scan. GoScripts are also written to logs when run, whereas variables are not.
- Practicality: separating the values from the scripts means the script can easily be saved once and re-used in multiple scans with different values.
How To Use Variables in GoScripts
Once variables have values assigned, you can use those values in your script by including the variable name within {}. For example, when the variable myVariable has the value "abc" we can use this value in our script like so:
type: {myVariable}
This has the same effect as:
type: abc
but without hard-coding the value "abc" into the script.
Before you can use a variable, you'll need to assign it a value.
Assigning Variables in Scan Configuration
The standard username, password and login URL variables used in Authentication GoScripts have their own boxes in the user interface. Simply add the values in the appropriate boxes and refer to them in your script as {username}, {password} and {login_url}:
Variables with custom names can also be used, by inserting them in the form name:value in the GoScript Properties box, below the GoScript box within Authenticated Scanning.
In this example we use two new variables, secretThing and anotherSecretThing:
One of the new variables is used in a simple = command, the other is used in a type: command. See A Guide to GoScript for more information on the various commands available.
Assigning Variables in the GoScript Testing Interface
The standard username, password and login URL variables used in Authentication GoScripts have their own boxes in the user interface. Simply add the values in the appropriate boxes and refer to them in your script as {username}, {password} and {login_url}:
Variables with custom names can also be used, by inserting them in the form name:value in the Variables box on the right-hand side, using the +Add Value button.
In this example we use two new variables, secretThing and anotherSecretThing:
One of the new variables is used in a simple = command, the other is used in a type: command. See A Guide to GoScript for more information on the various commands available.
Assigning Variables Dynamically Using JavaScript
You may wish to assign a value to a variable when the script runs, for example with a token received from a previous request, which you would then use later in your script.
To create a new variable (or assign a new value to an existing one) dynamically within a scan using JavaScript, use the syntax:
name := js: [some JavaScript that produces a value]
For example:
myNewVariable := js: document.documentElement.textContent.match(/myRegularExpressionPrefix: ([0-9]{3})/)[1];
This creates a variable with the name myNewVariable and the value extracted from the page body using a regular expression. If myNewVariable was already associated with a value, the old value is replaced with the new one.
Now in your script you can refer to the variable name, wrapped in {}, instead of the value. For example:
type: {myNewVariable}
This example uses the type: command. See A Guide to GoScript for more information on the various commands available.
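The following is an added example, not AppCheck's code: a stand-alone Node.js model of the assignment and {name} substitution described above, with a guarded form of the extraction expression, because match() returns null when the pattern is absent and indexing [1] on it throws. The function names, the variable store and the sample page text are assumptions made for illustration.

```javascript
// Added example: a stand-alone model, not AppCheck's implementation.
// Constructed sample text standing in for document.documentElement.textContent.
const samplePage = "Welcome back. myRegularExpressionPrefix: 417 Session active.";

// The regular expression from the page, unchanged.
const tokenPattern = /myRegularExpressionPrefix: ([0-9]{3})/;

// Guarded extraction: String.prototype.match returns null when nothing
// matches, so indexing [1] directly would throw a TypeError.
function extractFirstGroup(text, pattern) {
  const m = text.match(pattern);
  return m ? m[1] : null;
}

// Hypothetical variable store modelling "name := value": a later assignment
// to the same name replaces the earlier value. A failed extraction is
// rejected here instead of being stored as the string "null".
function assign(vars, name, value) {
  if (value === null || value === undefined) {
    throw new Error(`no value extracted for variable "${name}"`);
  }
  vars.set(name, String(value));
  return vars;
}

// Expand {name} references in one script line. An unassigned name raises an
// error rather than being passed through literally. A function replacer is
// used so "$" sequences inside a value (e.g. a password) are not interpreted.
function expand(line, vars) {
  return line.replace(/\{([A-Za-z_][A-Za-z0-9_]*)\}/g, (whole, name) => {
    if (!vars.has(name)) throw new Error(`variable "${name}" is not assigned`);
    return vars.get(name);
  });
}

// Runs the page's two "type:" examples against the model.
function demo() {
  const vars = new Map([["myVariable", "abc"]]);
  assign(vars, "myNewVariable", extractFirstGroup(samplePage, tokenPattern));
  return [expand("type: {myVariable}", vars), expand("type: {myNewVariable}", vars)];
}

console.log(demo().join("\n"));
```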