Using the Business Logic Recorder (BLR)
The Business Logic Recorder (BLR) enables you to test complex web applications without extra manual work during the scan and without extra tools. Most scanners struggle with business logic: some web forms only accept specific field values, or values that depend on what was entered in an earlier step, and a scanner engine cannot guess them. The BLR lets you record a valid interaction once so the scanner can replay it and reach the pages behind the form.
This document covers how the Business Logic Recorder works and how and when to use it.
When to use the Business Logic Recorder
Many web applications use multi-step forms, where later steps depend on user input from earlier ones. Shopping carts and airline reservations commonly follow this approach.
A key concept is that different input values can trigger different workflow paths. For example, a car rental form might use a birth date field to determine eligibility:
- Ages ≤20 or ≥65: Rental unavailable, process stops.
- Ages 26-64: Proceeds normally.
- Ages 21-25: Adds an extra step for insurance acknowledgment.
The Business Logic Recorder (BLR) captures such a sequence so the scanner can replay it and test the pages behind the form for vulnerabilities. Because a recording follows one path through the workflow, record a separate sequence for each branch you want the scanner to cover.
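As an added illustration (not part of this document and not Acunetix code), the Python below models the three-branch car rental workflow above as a small server-side state machine and replays a recorded sequence of submissions against it, the way a BLR recording is replayed during a scan. The step names, the field names `birth_date` and `ack`, and the reference date are assumptions made for the example.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed model of the car rental workflow described in the text.
# Assumption: step and field names are invented for this example.
STEPS = ("details", "insurance", "confirm")

def age_on(birth: date, today: date) -> int:
    """Completed years between birth and today (birthday not yet reached counts down)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years

def next_step(current: str, form: Dict[str, str], today: date) -> Optional[str]:
    """Return the step the server would show next, or None when the workflow ends."""
    if current == "details":
        age = age_on(date.fromisoformat(form["birth_date"]), today)
        if age <= 20 or age >= 65:
            return None            # rental unavailable, process stops
        if 21 <= age <= 25:
            return "insurance"     # extra insurance acknowledgment step
        return "confirm"           # ages 26-64 proceed normally
    if current == "insurance":
        # The acknowledgment must be given before the form moves on.
        return "confirm" if form.get("ack") == "yes" else "insurance"
    if current == "confirm":
        return None                # final step, nothing follows
    raise ValueError(f"unknown step {current!r}")

Recording = List[Tuple[str, Dict[str, str]]]

def replay(recording: Recording, today: date) -> List[str]:
    """Replay a recorded list of (step, submitted fields) and return the steps
    actually reached. Replay stops as soon as the server shows a step that
    differs from the one the recording expects, which is what happens when a
    recording made on one branch is replayed with input that selects another."""
    reached = ["details"]
    current = "details"
    for step, form in recording:
        if step != current:
            break                  # recording no longer matches the server's branch
        following = next_step(current, form, today)
        if following is None:
            break
        reached.append(following)
        current = following
    return reached

def branch_coverage(recordings: List[Recording], today: date) -> set:
    """Steps reachable from a set of recordings, i.e. one recording per branch."""
    covered = set()
    for rec in recordings:
        covered.update(replay(rec, today))
    return covered

if __name__ == "__main__":
    today = date(2024, 6, 1)       # assumed reference date for age calculation
    young_driver = [("details", {"birth_date": "2001-03-15"}),   # age 23
                    ("insurance", {"ack": "yes"}),
                    ("confirm", {})]
    regular_driver = [("details", {"birth_date": "1990-06-01"}),  # age 34
                      ("confirm", {})]
    print(replay(young_driver, today))
    print(replay(regular_driver, today))
    print(sorted(branch_coverage([young_driver, regular_driver], today)))
```

Replaying the two-step recording made for a 34-year-old with a 21-25 birth date stops at the insurance step, because the recording never supplied the acknowledgment; that is the reason the text asks for a recording per branch rather than one recording for the whole form.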
How to use the Business Logic Recorder
To enter the Business Logic Recorder:
- In Acunetix, select Targets from the left-side menu.
- Click a target to edit it.
- Scroll down to the Business Logic Recorder section.
- Click New BLR.
- In the Business Logic Recorder, navigate to the page that contains the business logic you need to record (for example, the first page of a multi-step web form). The Record button is pre-selected for you.
- Click through the form, fill in its fields with values that let the workflow continue, and submit it. As you click, the recorded actions shown on the right are updated.
- Select the Record button again to stop the recording.
- Select Play to review the recording.
- Click Save for the BLR to store the recorded actions for use in the next scan.
- A .blr file is created and added to the target's Business Logic Recorder section.
- Save the target.