Internal and External Hyperlinks

Looking for hyperlinks to other Web resources in the HTML code is another promising area. Studying hyperlinks gives us an idea of how the application is laid out. We can then chart the areas of the application that are grouped by functionality and try to understand how information flows through the application. Once the linkage and information flow between the various areas of the application become clear, we can identify the weak areas.

In HTML, hyperlinks are specified by using the <A HREF=link> </A> tags. Hyperlinks can link resources within the same Web site, or they can link to resources on external Web sites. Hyperlinks can also be found within the <FORM> tag: the link in <FORM ACTION=link> names the resource that is invoked when the user submits an HTML form. The easiest way to search for hyperlinks in the HTML source is to look for occurrences of "HREF" or "FORM."

When looking at hyperlinks, we need to distinguish between internal and external hyperlinks so that we don't end up stepping outside the application boundaries. The following HTML code snippet is from an online stock trading application running on www.acmetrade-online.com:

<A HREF="/login/signin.jsp">Click here to sign in to the trading system</A>
<P> New user? Click <A HREF="/login/newuser.jsp">here</A> to set up a
trading account.
<FORM ACTION="http://quotes.acme-stockquotes.com/cgi-bin/stockquote.pl"
METHOD=POST>
<B>Quick Quotes</B>
<INPUT NAME=symbol TYPE=TEXT SIZE=5>
<INPUT TYPE=SUBMIT VALUE="Get quote">
</FORM>

The first two hyperlinks <A HREF=/login/signin.jsp> and <A HREF=/login/newuser.jsp> are internal hyperlinks. They translate to http://www.acmetrade-online.com/login/signin.jsp and http://www.acmetrade-online.com/login/newuser.jsp, respectively. The third hyperlink, which is invoked by submitting the stock quotes look-up form, is an external hyperlink, pointing to http://quotes.acme-stockquotes.com/cgi-bin/stockquote.pl.
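The classification described above can be automated when reviewing which parts of a page fall inside the application boundary. The following is an added example, not code from the book: it parses the snippet, resolves each <A HREF> and <FORM ACTION> against the page URL, and sorts the results by host. The base URL path and the names LinkCollector and classify_links are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the page was served from the site root; the text gives only the host.
BASE_URL = "http://www.acmetrade-online.com/"
# The snippet from the text, embedded so the example runs offline.
SNIPPET = """
<A HREF="/login/signin.jsp">Click here to sign in to the trading system</A>
<P> New user? Click <A HREF="/login/newuser.jsp">here</A> to set up a
trading account.
<FORM ACTION="http://quotes.acme-stockquotes.com/cgi-bin/stockquote.pl"
METHOD=POST>
<B>Quick Quotes</B>
<INPUT NAME=symbol TYPE=TEXT SIZE=5>
<INPUT TYPE=SUBMIT VALUE="Get quote">
</FORM>
"""
LINK_ATTRS = {"a": "href", "form": "action"}  # tag -> attribute holding the link

class LinkCollector(HTMLParser):
    """Collect (tag, absolute_url) for every <A HREF> and <FORM ACTION>."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)  # html.parser lower-cases tag and attribute names
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, urljoin(self.base_url, value.strip())))

def classify_links(html, base_url):
    """Split links into internal (same host as base_url) and external."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    base_host = urlsplit(base_url).hostname  # already lower-cased by urlsplit
    result = {"internal": [], "external": []}
    for tag, url in collector.links:
        parts = urlsplit(url)
        # Non-HTTP schemes (mailto:, javascript:) are never part of the site.
        same = parts.scheme in ("http", "https") and parts.hostname == base_host
        result["internal" if same else "external"].append((tag, url))
    return result

if __name__ == "__main__":
    for kind, links in classify_links(SNIPPET, BASE_URL).items():
        for tag, url in links:
            print(f"{kind:8} <{tag}> {url}")
```

Comparing whole host names keeps quotes.acme-stockquotes.com out of scope even though it shares a brand with the trading site; a substring match on "acme" would not.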

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
