A set of 4 options has 2^4 possibilities.
Most forms have options containing upwards of 30 options.
2^30 is 1073741824.
I'm writing my own analyzer for testing forms and have run into the reality that testing form injections while taking option sets into consideration is fairly impossible.
I get that I could just get input names, and test each of them without any consideration to options, but that seems like it's not really any sort of coverage at all.
It does not explore all functionality of the form to do that.
On the backend, one option being set vs. not being set could trigger an entirely different — and potentially vulnerable — code path. Just filling an option with an injection test without exhausting option configuration context isn't really testing the form at all and is just providing surface-level analysis.
My question is, does this mathematical truth mean that the vast majority, if not all, of commercial web vulnerability scanners are pure bullshit when it comes to testing web applications reliant on large forms?