Micro Focus

Fortify WebInspect
Software Version: 19.2.0
Windows® operating systems

User Guide

Document Release Date: November 2019


Software Release Date: November 2019

Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in
the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained
herein. The information contained herein is subject to change without notice.

Restricted Rights Legend


Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.

Copyright Notice
© Copyright 2004-2019 Micro Focus or one of its affiliates

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Docker® and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other
countries.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
This document was produced on October 24, 2019. To check for recent updates or to verify that you are using the most
recent edition of a document, go to:
https://www.microfocus.com/support-and-services/documentation

About this PDF Version of Online Help


This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the
help information or read the online help in PDF format. Because this content was originally created to be viewed as online
help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF
version. Those topics can be successfully printed from within the online help.

Micro Focus Fortify WebInspect (19.2.0) Page 2 of 482


Contents
Preface 25
Contacting Micro Focus Fortify Customer Support 25
For More Information 25
About the Documentation Set 25

Change Log 26

Chapter 1: Introduction 31
Fortify WebInspect Overview 31
About Fortify WebInspect Enterprise 33
Fortify WebInspect Enterprise Components 34
Component Descriptions 35
FIPS Compliance 36
About FIPS Compliance in Fortify WebInspect Products 36
Selecting FIPS-compliant Mode 36
Related Documents 36
All Products 37
Micro Focus Fortify WebInspect 37
Micro Focus Fortify WebInspect Enterprise 39

Chapter 2: Getting Started 40


Preparing Your System for Audit 40
Sensitive Data 40
Firewalls, Anti-virus Software, and Intrusion Detection Systems 40
Effects to Consider 41
Helpful Hints 41
Quick Start 42
Update SecureBase 42
Prepare Your System for Audit 43
Start a Scan 43
Scanning Web Services at zero.webappsecurity.com 43
Conducting a Web Service Scan 44


Chapter 3: User Interface Overview 47


The Activity Panel 47
Closing the Activity Panel 48
The Button Bar 48
Panes Associated with a Scan 50
Start Page 51
Home 51
Manage Scans 51
Manage Schedule 51
Menu Bar 52
File Menu 52
Edit Menu 53
View Menu 53
Tools Menu 54
Scan Menu 54
Enterprise Server Menu 54
Reports Menu 55
Help Menu 56
WebInspect Help 56
Search 56
Support > Request an Enhancement 56
Support > Contact Technical Support 56
Support > Get Open TC Browsers info 56
Support > Copy Application Snapshot to Clipboard 57
Tutorials 57
About WebInspect 57
Toolbars 57
Buttons Available on the Scan Toolbar 57
Buttons Available on the Standard Toolbar 59
Buttons Available on the "Manage Scans" Toolbar 60
Navigation Pane 61
Site View 63
Excluded Hosts 63
Allowed Hosts Criteria 64


Sequence View 65
Search View 66
Step Mode View 67
Navigation Pane Icons 67
Navigation Pane Shortcut Menu 69
Information Pane 71
Scan Info Panel Overview 72
Dashboard 72
Traffic Monitor 73
Attachments 73
False Positives 74
Dashboard 74
Progress Bars 75
Progress Bar Descriptions 75
Progress Bar Colors 76
Activity Meters 76
Activity Meter Descriptions 77
Vulnerabilities Graphics 77
Statistics Panel - Scan 77
Statistics Panel - Crawl 79
Statistics Panel - Audit 79
Statistics Panel - Network 79
Attachments - Scan Info 80
False Positives 81
Importing False Positives 81
Inactive / Active False Positives Lists 81
Loading False Positives 81
Working with False Positives 81
Session Info Panel Overview 82
Options Available 82
Vulnerability 85
Web Browser 85
HTTP Request 85
Highlighted Text in the Request 85
HTTP Response 85
Highlighted Text in the Response 86
Stack Traces 86
Details 86
Steps 86


Links 86
Comments: Session Info 87
Text 87
Hiddens: Session Info 87
Forms: Session Info 87
E-Mail 87
Scripts - Session Info 88
Attachments - Session Info 88
Viewing an Attachment 88
Adding a Session Attachment 88
Editing an Attachment 89
Attack Info 89
Web Service Request 90
Web Service Response 90
XML Request 90
XML Response 90
Host Info Panel Overview 90
Options Available 91
P3P Info 92
P3P User Agents 92
AJAX 92
How AJAX Works 93
Certificates 94
Comments - Host Info 94
Cookies 94
E-Mails - Host Info 95
Forms - Host Info 95
Hiddens - Host Info 95
Scripts - Host Info 96
Broken Links 96
Offsite Links 96
Parameters 97
Summary Pane 97
Vulnerabilities Tab 98
Not Found Tab 102
Information Tab 102
Best Practices Tab 102
Scan Log Tab 102
Server Information Tab 103


Micro Focus Fortify Monitor 103

Chapter 4: Working with Scans 105


Guided Scan Overview 105
Predefined Templates 105
Mobile Templates 106
Running a Guided Scan 106
Predefined Template (Standard, Quick, or Thorough) 106
Mobile Scan Template 107
Native Scan Template 107
Using the Predefined Template 107
Launching a Guided Scan 107
About the Site Stage 108
Verifying Your Web Site 108
Choosing a Scan Type 110
About the Login Stage 111
Network Authentication Step 111
Configuring Network Authentication 111
Application Authentication Step 113
Using a Login Macro without Privilege Escalation 113
Using Login Macros for Privilege Escalation 114
Using a Login Macro when Connected to Fortify WebInspect Enterprise 115
Using a Selenium IDE Macro 115
Automatically Creating a Login Macro 116
About the Workflows Stage 117
To Add Burp Proxy results 118
About the Active Learning Stage 118
Using the Profiler 118
About the Settings Stage 120
Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan 123
Using the Mobile Scan Template 124
Launching a Mobile Scan 124
Creating a Custom User Agent Header 125
About the Site Stage 125
Verifying Your Web Site 125
Choosing a Scan Type 127
About the Login Stage 128
Network Authentication Step 128

Configuring Network Authentication 128
Application Authentication Step 130
Using a Login Macro without Privilege Escalation 131
Using Login Macros for Privilege Escalation 131
Using a Login Macro when Connected to Fortify WebInspect Enterprise 132
Using a Selenium IDE Macro 133
Automatically Creating a Login Macro 134
About the Workflows Stage 134
Adding Burp Proxy Results 135
Adding Burp Proxy Results 135
About the Active Learning Stage 136
Using the Profiler 136
About the Settings Stage 138
Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan 140
Using the Native Scan Template 142
Setting Up Your Mobile Device 142
Guided Scan Stages 142
Supported Devices 142
Supported Development Emulators 143
Launching a Native Scan 143
About the Native Mobile Stage 143
Choose Device/Emulator Type Step 144
Selecting a Profile 144
Setting the Mobile Device Proxy Address 144
Adding a Trusted Certificate 145
Choose Scan Type Step 146
About the Login Stage 147
Network Authentication Step 147
Configuring Network Authentication 147
Configuring a Client Certificate 149
Application Authentication Step 150
Using a Login Macro without Privilege Escalation 150
Using Login Macros for Privilege Escalation 150
Using a Login Macro when Connected to Fortify WebInspect Enterprise 151
Using a Selenium IDE Macro 152
Testing the Macro 153
About the Application Stage 153
Run Application Step 153
Finalizing Allowed Hosts and RESTful Endpoints 154

About the Settings Stage 154
Final Review Step 154
Validate Settings and Start Scan 155
Post Scan Steps 156
Running a Web Service Scan 157
Authentication and Connectivity 158
Detailed Scan Configuration 160
Congratulations 160
Running a Basic Scan 160
Basic Scan Options 161
Authentication and Connectivity 164
Coverage and Thoroughness 169
Detailed Scan Configuration 170
Profiler 170
Settings 171
Auto Fill Web Forms 171
Add Allowed Hosts 171
Reuse Identified False Positives 171
Sample Macro 172
Traffic Analysis 172
Message 172
Congratulations 172
Upload to Fortify WebInspect Enterprise Scan Template 172
Save Settings 172
Generate Reports 173
Using the Site List Editor 173
Configuring the Proxy Profile 174
Configure proxy using a PAC file 174
Explicitly configure proxy 174
Specifying Allowed Hosts 176
Specifying Allowed Hosts 177
Editing Allowed Hosts 177
Multi-user Login Scans 177
Before You Begin 178
Known Limitations 178
Process Overview 178
Configuring a Multi-user Login Scan 179
Adding Credentials 179

Editing Credentials 180
Deleting Credentials 180
Interactive Scans 180
Configuring an Interactive Scan 181
Restrict to Folder Limitations 182
JavaScript Include Files 182
Login Macros 182
Workflow Macros 182
Running an Enterprise Scan 182
Edit the 'Hosts to Scan' List 185
Export a List 185
Start the Scan 185
Running a Manual Scan 186
About Privilege Escalation Scans 188
Two Modes of Privilege Escalation Scans 188
What to Expect During the Scan 188
Regex Patterns Used to Identify Restricted Pages 188
Effect of Crawler Limiting Settings on Privilege Escalation Scans 189
Effect of Parameters with Random Numbers on Privilege Escalation Scans 190
About Single-page Application Scans 190
Technology Preview 191
The Challenge of Single-page Applications 191
Enabling SPA Support 191
Scan Status 192
Updates to Information in the Scan Manager 192
Opening a Saved Scan 193
Comparing Scans 193
Selecting Scans to Compare Scans 193
Reviewing the Scan Dashboard 194
Scan Descriptions 195
The Venn Diagram 195
Vulnerabilities Bar Chart 195
Effect of Scheme, Host, and Port Differences on Scan Comparison 196
Compare Modes 196
Session Filtering 196
Using the Session Info Panel 197

Using the Summary Pane to Review Vulnerability Details 197
Grouping and Sorting Vulnerabilities 197
Filtering Vulnerabilities 198
Working with Vulnerabilities 198
Manage Scans 199
Reusing Scans 200
Reuse Options 200
Difference between Remediation Scans and Retest Vulnerability 200
Guidelines for Reusing Scans 201
Reusing a Scan 201
Incremental Scan 201
Merging Baseline and Incremental Scans 202
Incremental Scan with Continuous or Deferred Audit 202
Schedule a Scan 203
Configuring Time Interval for Scheduled Scan 204
Managing Scheduled Scans 205
Selecting a Report 206
Configuring Report Settings 207
Stopping a Scheduled Scan 209
Scheduled Scan Status 209
Exporting a Scan 209
Exporting Scan Details 211
Export Scan to Software Security Center 213
Exporting Protection Rules to Web Application Firewall 214
Importing a Scan 215
Importing False Positives 215
Importing Legacy Web Service Scans 216
Changing Import/Export Settings 216
Downloading a Scan from Enterprise Server 217
Log Files Not Downloaded 217
Uploading a Scan to Enterprise Server 217
Running a Scan in Enterprise Server 218
Transferring Settings to/from Enterprise Server 218

Creating a Fortify WebInspect Enterprise Scan Template 218
Creating a Fortify WebInspect Settings File 219
Publishing a Scan (Fortify WebInspect Enterprise Connected) 220
Integrating with Fortify WebInspect Enterprise and Fortify Software Security Center 221
First scan 222
Second scan 223
Third scan 223
Fourth Scan 223
Synchronize with Fortify Software Security Center 223

Chapter 5: Using Fortify WebInspect Features 225


Using Macros 225
Using Selenium Macros 226
Selecting a Workflow Macro 226
Importing a Selenium IDE Workflow Macro 227
Using the Unified Web Macro Recorder 227
Traffic Monitor (Traffic Viewer) 228
Traffic Session Data in Traffic Viewer 228
Viewing Traffic in the Traffic Viewer 228
Server Profiler 229
Using the Server Profiler 229
Inspecting the Results 230
Basic Scan 230
Working with One or More Vulnerabilities 230
Working with a Group 232
Understanding the Severity 232
Working in the Navigation Pane 233
Web Services Scan 233
Search View 234
Using Filters and Groups in the Summary Pane 235
Using Filters 235
No Filters 235
Filtered by Method:Get 236
Specifying Multiple Filters 236
Filter Criteria 236
Using Groups 237

Auditing Web Services 238
Options Available from the Session Info Panel 238
Reviewing a Vulnerability 240
Adding/Viewing Vulnerability Screenshot 241
Viewing Screenshots for a Selected Session 242
Viewing Screenshots for All Sessions 242
Editing Vulnerabilities 242
Editing a Vulnerable Session 243
About Vulnerability Rollup 245
What Happens to Rolled Up Vulnerabilities 245
Rollup Guidelines 245
Rolling Up Vulnerabilities 245
Undoing Rollup 246
Mark As False Positive 247
Mark As Vulnerability 247
Flag Session for Follow-Up 247
Viewing Flags for a Selected Session 248
Viewing Flags for All Sessions 248
Scan Note 248
Session Note 248
Viewing Notes for a Selected Session 249
Viewing Notes for All Sessions 249
Vulnerability Note 249
Viewing Notes for a Selected Session 250
Viewing Notes for All Sessions 250
Reviewing and Retesting 250
Review Individual Vulnerability 250
Retest Vulnerabilities 251
Rescan the Site 252
Compare Scans 252
Recovering Deleted Items 253
Sending Vulnerabilities to Micro Focus ALM 254
Additional Information Sent 254
Disabling Data Execution Prevention 255
Generating a Report 255

Saving a Report 256
Advanced Report Options 256
Report Viewer 257
Adding a Note 258
Standard Reports 258
Manage Reports 260
Compliance Templates 260
Managing Settings 268
Creating a Settings File 268
Editing a Settings File 268
Deleting a Settings File 269
Importing a Settings File 269
Exporting a Settings File 269
Scanning with a Saved Settings File 269
SmartUpdate 269
Performing a SmartUpdate (Internet Connected) 270
Downloading Checks without Updating Fortify WebInspect 271
Performing a SmartUpdate (Offline) 271
WebSphere Portal FAQ 272
Command-line Execution 273
Launching the CLI 274
CLI Limitations in Fortify WebInspect on Docker 274
Using WI.exe 274
Options 275
Examples 286
Merging Scans 286
Hyphens in Command Line Arguments 287
Using WIScanStopper.exe 287
Using MacroGenServer.exe 288
Options 288
Using the WISwag.exe Tool 289
Supported API Definitions and Protocols 289
Process Overview 290
WISwag.exe Parameters 290
Converting the API Definition to a Macro 292
Converting the API Definition to a Settings File 292

Using a Configuration File 293
Configuration File Format 293
Configuration Properties 294
Parameter Rule Objects 295
Regular Expressions 298
Regex Extensions 299
Regular Expression Tags 299
Regular Expression Operators 300
Examples 300
Fortify WebInspect REST API 301
What is the Fortify WebInspect REST API? 301
Configuring the Fortify WebInspect REST API 301
Accessing the Fortify WebInspect REST API Swagger UI 303
Using the Swagger UI 304
Automating Fortify WebInspect 305
Fortify WebInspect Updates and the API 305
Scanning with a Postman Collection 305
What is Postman? 305
Benefits of a Postman Collection 305
Prerequisites 305
Ensure Valid Responses 306
Order of Requests 306
Handling Authentication 307
Including Multiple Collection Files Simultaneously 307
Sample Postman Scripts 307
Conducting a Scan Using a Postman Collection 307
Troubleshooting the Postman Scan 308
Integrating with Selenium WebDriver 308
Known Limitations 309
Process Overview 309
Adding the Proxy to Selenium Scripts 310
Advantages 311
Disadvantages 311
Sample Code 311
Using the CLI 315
Using the Fortify WebInspect geckodriver.exe 315
Advantages 315

Disadvantages 315
Installing the Selenium WebDriver Environment 316
Testing from the Command Line 316
Creating a Selenium Command 316
Uploading Files to Fortify WebInspect 319
Using the CLI 319
Using the API 319
Using the Selenium Command 319
Running a Scan Using WI.exe 320
Creating a Macro Using the API 320
About the Burp API Extension 321
Benefits of Using the Burp API Extension 321
Supported Versions 322
Using the Burp API Extension 322
Loading the Burp Extension 323
Connecting to Fortify WebInspect 324
Refreshing the List of Scans 326
Working with a Scan in Burp 326
Sending Items from Burp to Fortify WebInspect 329
About the WebInspect SDK 330
Audit Extensions / Custom Agents 330
SDK Functionality 331
Installation Recommendation 331
Installing the WebInspect SDK 331
Verifying the Installation 332
After Installation 332
Add Page or Directory 332
Add Variation 333
Fortify Monitor: Configure Enterprise Server Sensor 334
After Configuring as a Sensor 334
Blackout Period 335
Creating an Exclusion 335
Example 1 336
Example 2 336
Example 3 336
Example 4 336

Internet Protocol Version 6 337

Chapter 6: Default Scan Settings 338


Scan Settings: Method 338
Scan Mode 338
Crawl and Audit Mode 339
Crawl and Audit Details 339
Navigation 340
SSL/TLS Protocols 341
Scan Settings: General 341
Scan Details 342
Crawl Details 343
Scan Settings: JavaScript 346
JavaScript Settings 346
Scan Settings: Requestor 348
Requestor Performance 348
Requestor Settings 349
Stop Scan if Loss of Connectivity Detected 349
Scan Settings: Session Storage 350
Log Rejected Session to Database 350
Session Storage 352
Scan Settings: Session Exclusions 352
Excluded or Rejected File Extensions 352
Excluded MIME Types 353
Other Exclusion/Rejection Criteria 353
Editing Criteria 353
Adding Criteria 353
Scan Settings: Allowed Hosts 355
Using the Allowed Host Setting 355
Adding Allowed Domains 356
Editing or Removing Domains 356
Scan Settings: HTTP Parsing 356
Options 356
CSRF 360
About CSRF 360
Using CSRF Tokens 361

Enabling CSRF Awareness in Fortify WebInspect 361
Scan Settings: Custom Parameters 361
URL Rewriting 361
RESTful Services 362
Enable automatic seeding of rules that were not used during scan 363
Double Encode URL Parameters 363
Path Matrix Parameters 364
Definition of Path Segment 364
Special Elements for Rules 364
Asterisk Placeholder 366
Benefit of Using Placeholders 366
Multiple Rules Matching a URL 366
Scan Settings: Filters 367
Options 367
Adding Rules for Finding and Replacing Keywords 367
Scan Settings: Cookies/Headers 368
Standard Header Parameters 368
Append Custom Headers 368
Adding a Custom Header 369
Append Custom Cookies 369
Adding a Custom Cookie 369
Scan Settings: Proxy 370
Options 370
Scan Settings: Authentication 373
Scan Requires Network Authentication 373
Authentication Method 373
Authentication Credentials 375
Client Certificates 375
Editing the Proxy Config File for WebInspect Tools 376
Enable Macro Validation 377
Use a login macro for forms authentication 377
Login Macro Parameters 377
Use a startup macro 377
Multi-user Login 379
Scan Settings: File Not Found 380
Options 380
Scan Settings: Policy 381

Creating a Policy 381
Editing a Policy 381
Importing a Policy 382
Deleting a Policy 382

Chapter 7: Crawl Settings 383


Crawl Settings: Link Parsing 383
Adding a Specialized Link Identifier 383
Crawl Settings: Link Sources 383
What is Link Parsing? 384
Pattern-based Parsing 384
DOM-based Parsing 384
Form Actions, Script Includes, and Stylesheets 388
Miscellaneous Options 389
Limitations of Link Source Settings 390
Crawl Settings: Session Exclusions 390
Excluded or Rejected File Extensions 390
Adding a File Extension to Exclude/Reject 390
Excluded MIME Types 391
Adding a MIME Type to Exclude 391
Other Exclusion/Rejection Criteria 391
Editing the Default Criteria 391
Adding Exclusion/Rejection Criteria 391

Chapter 8: Audit Settings 394


Audit Settings: Session Exclusions 394
Excluded or Rejected File Extensions 394
Adding a File Extension to Exclude/Reject 394
Excluded MIME Types 395
Adding a MIME Type to Exclude 395
Other Exclusion/Rejection Criteria 395
Editing the Default Criteria 395
Adding Exclusion/Rejection Criteria 396
Audit Settings: Attack Exclusions 397
Excluded Parameters 397
Adding Parameters to Exclude 398
Excluded Cookies 398

Excluding Certain Cookies 398
Excluded Headers 399
Excluding Certain Headers 399
Audit Inputs Editor 400
Audit Settings: Attack Expressions 400
Additional Regular Expression Languages 400
Audit Settings: Vulnerability Filtering 400
Adding a Vulnerability Filter 401
Suppressing Off-site Vulnerabilities 401
Audit Settings: Smart Scan 401
Enable Smart Scan 401
Use regular expressions on HTTP responses 402
Use server analyzer fingerprinting and request sampling 402
Custom server/application type definitions 402

Chapter 9: Application Settings 403


Application Settings: General 403
General 403
WebInspect Agent 405
Web Macro Recorder 406
Accessibility of Web Macro Recorder with Macro Engine 5.0 406
Application Settings: Database 406
Connection Settings for Scan/Report Storage 406
SQL Server Database Privileges 407
Configuring SQL Server Standard Edition 407
Connection Settings for Scan Viewing 407
Creating Scan Data for Site Explorer 408
Application Settings: Directories 408
Changing Where Fortify WebInspect Files Are Saved 408
Application Settings: License 408
License Details 408
Direct Connection to Micro Focus 409
Connection to APLS 409
Connection to LIM 410
Application Settings: Server Profiler 410
Modules 410

Application Settings: Step Mode 412
Application Settings: Logging 413
Application Settings: Proxy 413
Not Using a Proxy Server 413
Using a Proxy Server 414
Configuring a Proxy 414
Application Settings: Reports 416
Options 416
Headers and Footers 417
Application Settings: Telemetry 417
About Telemetry 418
Enabling Telemetry 418
Uploading Scans via Telemetry 418
Setting the Upload Interval 418
Setting the On-disk Cache Size 418
Identifying Categories of Information to Send 419
Application Settings: Run as a Sensor 419
Sensor 419
Application Settings: Override SQL Database Settings 420
Override Database Settings 420
Configure SQL Database 420
Application Settings: Smart Update 421
Options 421
Application Settings: Support Channel 421
Opening the Support Channel 422
Application Settings: Micro Focus ALM 422
ALM License Usage 422
Before You Begin 422
Creating a Profile 422

Chapter 10: Reference Lists 424


Fortify WebInspect Policies 424
Best Practices 424
By Type 425
Custom 426
Hazardous 426

Deprecated Checks and Policies 427
Scan Log Messages 428
HTTP Status Codes 451

Chapter 11: Troubleshooting and Support 455


Troubleshooting WebInspect 455
Connectivity Issues 455
Scan Initialization Failed 455
Testing Login Macros 456
Validation Tests Performed 456
Troubleshooting Tips 457
Contact Customer Support 458
Contacting Micro Focus Fortify Customer Support 458
For More Information 458
Suggest Enhancement 458
Purchases and Renewals 459
New Purchases 459
Renew Your Product License 459
Uninstalling Fortify WebInspect 459
Options for Removing 459
About WebInspect 459

Appendix A: Using the License and Infrastructure Manager 460


Introduction 460
Getting Started 460
Server Configuration 460
Activation 461
Proxy 461
Updates 461
E-mail 462
Administrative Users 462
Adding an Administrator 462
Editing an Administrator's Account 463
Removing an Administrator 463
Editing Your LIM Administrator Account 463

Editing Your Account 463
Product Licenses 464
Adding a License 464
Adding a License Pool 464
Forcing a License Refresh 465
Product License Details 465
Viewing Product License Details 465
Editing a Pool 465
License Pools 465
Creating a License Pool 466
Adding a License to a Pool 466
Editing a License Pool 467
Modifying Number of Seats for a License 467
Current Product Usage 467
Viewing License Details 467
Viewing Current Activity for a Product 468
Current Activity 468
Information Displayed 468
Available Actions 468
Releasing a Seat 469
Revoking a Seat 469
Releasing All Seats 469
Lease History 469
LIM Updates 470
Checking for Updates 470
Scheduling an Update 471
Data Migration 471
Backing Up and Restoring the LIM 472
Task 1: Copy the LIM 472
Task 2: Restore the LIM onto Another Server 472
Task 3: Activate the Restored Application 472
Task 4: Refresh Product Licenses 473
Task 5: Verify License Pools and Tokens 473
Task 6: Configure Clients to Use New Server 473
Alternative Back-Up Strategy 473
LIM Troubleshooting 473

Required components not installed 473
LIM installer appears to stop responding 474
LIM initializer appears to stop responding 474
Service fails to start at initialize 474
License update returns message that provided public key value is different from expected one 476
LIM cannot activate its license (manual process) 476
LIM receives message during activation that all instances are in use 477
Error message indicates that the token is not valid for the product 477
LIM cannot activate a concurrently licensed product 477
LIM does not release expired leases automatically 478
LIM does not refresh licenses automatically 478
LIM does not refresh licenses manually 478
LIM does not SmartUpdate automatically 479
Windows service not executing automated tasks 479
Help File errors on open – message specifies HTTPS required 480
Annoying message bar pops up from IE every time LIM menu is moused over 481

Send Documentation Feedback 482

Preface

Contacting Micro Focus Fortify Customer Support


If you have questions or comments about using this product, contact Micro Focus Fortify Customer
Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://softwaresupport.softwaregrp.com
To Call Support
1.844.260.7219

For More Information


For more information about Fortify software products:
https://software.microfocus.com/solutions/application-security

About the Documentation Set


The Fortify Software documentation set contains installation, user, and deployment guides for all
Fortify Software products and components. In addition, you will find technical notes and release notes
that describe new features, known issues, and last-minute updates. You can access the latest versions of
these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support-and-services/documentation

Change Log
The following table lists changes made to this document. Revisions to this document are published
between software releases only if the changes made affect product functionality.

Software Release / Document Version    Changes

19.2.0    Added:
- A topic describing how to use the MacroGenServer.exe application. See "Using MacroGenServer.exe" on page 288.
- A topic describing how to use a Postman collection to conduct a scan. See "Scanning with a Postman Collection" on page 305.
- A process and several procedures for integrating Fortify WebInspect with Selenium WebDriver. See "Integrating with Selenium WebDriver" on page 308.
- Content to describe the new setting to enable and create response state rules. See "Scan Settings: HTTP Parsing" on page 356.

Updated:
- Command-line execution topic to describe the Fortify WebInspect applications that you can use by way of the command-line interface (CLI). See "Command-line Execution" on page 273.
- WI.exe topic with parameters for starting a Selenium workflow scan. See "Using WI.exe" on page 274.
- WI.exe topic with parameters for scan vulnerability retesting. See "Using WI.exe" on page 274.
- CLI and Basic Scan topics with information about performing an automated scan using a macro created from a REST API definition. See the following topics:
  - "Using WI.exe" on page 274
  - "Running a Basic Scan" on page 160
- Topics related to conducting scans with important information about concurrent scans for installations using SQL Express. See the following topics:
  - "Running a Basic Scan" on page 160
  - "Using the Predefined Template" on page 107
  - "Using the Mobile Scan Template" on page 124
  - "Using the Native Scan Template" on page 142
  - "Running a Web Service Scan" on page 157
  - "Fortify WebInspect REST API" on page 301
- Scan Settings: Content Analyzers was renamed Scan Settings: JavaScript. See "Scan Settings: JavaScript" on page 346.
- Fortify WebInspect REST API configuration procedure with information about using a client certificate for authentication. See "Fortify WebInspect REST API" on page 301.

Removed:
- Known limitations of the Web Macro Recorder with Macro Engine 5.0 from General Application Settings. See "Application Settings: General" on page 403.
- The following scan settings:
  - Test each engine type per session (engine driven) and Test each session per engine type (session driven) options from the Sequentially Crawl and Audit Mode settings in Scan Settings: Method. See "Scan Settings: Method" on page 338.
  - Breadth-first and Depth-first crawler options from Scan Settings: General. The default setting is Breadth-first. See "Scan Settings: General" on page 341.
  - Flash, VBScript, and Silverlight options from Scan Settings: Content Analyzers (renamed Scan Settings: JavaScript). See "Scan Settings: JavaScript" on page 346.
  - Reject script include file requests to offsite hosts, Create script event sessions, Enable classic script engine, and Enable Advanced JS Framework Support options from Scan Settings: Content Analyzers (renamed Scan Settings: JavaScript). See "Scan Settings: JavaScript" on page 346.
  - If you need to change any of these scan settings, contact Fortify Customer Support. See "Preface" on page 25.

19.1.0
Added:
 • Process for configuring an interactive scan. See "Interactive Scans" on
page 180.
 • Troubleshooting tips for failed login macros. See "Testing Login Macros"
on page 456.
 • Option for selecting the new Web Macro Recorder with Macro Engine
5.0 as the default Web Macro Recorder. See "Application Settings:
General" on page 403.
Updated:
 • Help menu topic with two new menu commands. See "Help Menu" on
page 56.
 • Processes and procedures for using multi-user logins and running a scan
across multiple threads. See "Multi-user Login Scans" on page 177 and
"Scan Settings: Authentication" on page 373.
 • General scan settings with "Limit maximum directory hit count to" and
"Minimum folder depth" settings that determine the number of
subfolders to enumerate during a crawl. See "Scan Settings: General" on
page 341.
 • List of policies with description of the WebSocket policy. See "Fortify
WebInspect Policies" on page 424.
 • Parameters and features accessible in the command-line interface to
indicate those that are not supported in Fortify WebInspect on Docker.
See "Command-line Execution" on page 273.
 • Login macro content and command-line interface parameters with
information about testing of login macros while configuring a scan or at
the start of a scan. See the following topics:
   • "Running a Basic Scan" on page 160
   • "Using the Predefined Template" on page 107
   • "Using the Mobile Scan Template" on page 124
   • "Using the Native Scan Template" on page 142
   • "Using Macros" on page 225
   • "Command-line Execution" on page 273

 • Scan configuration information and command-line interface parameters
with option to automatically create a login macro. See the following
topics:
   • "Running a Basic Scan" on page 160
   • "Using the Predefined Template" on page 107
   • "Using the Mobile Scan Template" on page 124
   • "Command-line Execution" on page 273
 • HTTP request and response descriptions to describe use of highlighting.
See "HTTP Request" on page 85 and "HTTP Response" on page 85.
 • Supported API definitions and protocols. See "Using the WISwag.exe
Tool" on page 289.
 • WISwag.exe parameters table with new -ab parameter. See "Using the
WISwag.exe Tool" on page 289.
Removed:
 • References to the Support Tool.

18.20
Added:
 • Account privilege information for SQL Server database connections. See
"SQL Server Database Privileges" on page 407.
 • Information and instructions on using the License and Infrastructure
Manager (LIM), previously available only in help format. See "Using the
License and Infrastructure Manager" on page 460.
Updated:
 • WISwag.exe parameters table with new -ma parameter. See "Using the
WISwag.exe Tool" on page 289.
 • Command line execution with a new command to stop a scan. See
"Command-line Execution" on page 273.
 • List of policies with descriptions for General Data Protection Regulation
(GDPR), SANS Top 25, and DISA STIG. See "Fortify WebInspect
Policies" on page 424.
 • URL for Support Channel in Application Settings. See "Application
Settings: Support Channel" on page 421.

 • URL for SmartUpdate in Application Settings. See "Application Settings:
Smart Update" on page 421.
Removed:
 • References to FilesToURLs.exe and FilesToURLs.py utilities.

Chapter 1: Introduction
Micro Focus Fortify WebInspect™ 19.2.0 is an automated Web application and Web services vulnerability
scanning solution. Fortify WebInspect delivers the latest evolution in scan technology—a Web
application security product that adapts to any enterprise environment. As you initiate a scan, Fortify
WebInspect assigns agents that dynamically catalog all areas of a Web application. These agents
report their findings to a main security engine that analyzes the results. Fortify WebInspect then
launches "Threat Agents" to evaluate the gathered information and apply attack algorithms to
determine the existence and relative severity of vulnerabilities. With this smart approach, Fortify
WebInspect continuously applies appropriate scan resources that adapt to your specific application
environment.
See Also
"Fortify WebInspect Overview " below

Fortify WebInspect Overview


The following is a brief overview of what you can do with Fortify WebInspect, and how it can benefit
your organization.
Crawling and Auditing – Fortify WebInspect uses two basic modes to uncover your security
weaknesses.
 • A crawl is the process by which Fortify WebInspect identifies the structure of the target website. In
essence, a crawl runs until it can access no more links from the starting URL.
 • An audit is the actual vulnerability scan. A crawl and an audit, combined into one operation, are
termed a scan.
Reporting – Use Fortify WebInspect reports to gain valuable, organized application information. You
can customize report details, decide what level of information to include in each report, and gear the
report for a specific audience. You can also save any customized report as a template, which you can
then use to generate a report using the same reporting criteria, but with updated information. You can
save reports in PDF, HTML, Excel, Raw, RTF, or text format, and you can include graphic
summaries of vulnerability data.
Manual Hacking Control – With Fortify WebInspect, you can see what's really happening on your site,
and simulate a true attack environment. Fortify WebInspect functionality enables you to view the code
for any page that contains vulnerabilities, modify server requests, and resubmit them instantly.
Summary and Fixes – The information pane displays all summary and fix information for the
vulnerability selected in either the navigation pane or the summary pane. For more information, see
"Navigation Pane" on page 61 and "Summary Pane" on page 97.
It also cites reference material and provides links to patches, instructions for prevention of future
problems, and vulnerability solutions. Because new attacks and exploits are formulated daily,
Fortify frequently updates the summary and fix information database. Use Smart Update on the Fortify
WebInspect toolbar to update your database with the latest vulnerability solution information, or check
for updates automatically on startup. For more information, see "SmartUpdate" on page 269 and
"Application Settings: Smart Update" on page 421.
Scanning Policies – You can edit and customize scanning policies to suit the needs of your
organization, reducing the amount of time it takes for Fortify WebInspect to complete a scan. For more
information on how to configure Fortify WebInspect policies, see the Policy Manager help or the Tools
Guide for Fortify WebInspect Products.
Sortable and Customizable Views – When conducting or viewing a scan, the left navigation pane in
the Fortify WebInspect window includes the Site, Sequence, Search, and Step Mode buttons, which
determine the contents (or "view") presented in the navigation pane.
 • Site view presents the hierarchical file structure of the scanned site, as determined by Fortify
WebInspect. It also displays, for each resource, the HTTP status code returned by the server and the
number of vulnerabilities detected.
 • Sequence view displays server resources in the order Fortify WebInspect encountered them during
an automated scan or a manual crawl (Step Mode).
 • Search view enables you to locate sessions that match the criteria you specify. For more information,
see "Search View" on page 234.
 • Step Mode is used to navigate manually through the site, beginning with a session you select from
either the site view or the sequence view. For more information, see "Running a Manual Scan" on
page 186.
Enterprise-Wide Usage Capabilities – An integrated scan provides a comprehensive overview of your
Web presence from an overall enterprise perspective, enabling you to conduct application scans of all
Web-enabled applications on the network.
Web Services Scan Capabilities – Provides a comprehensive scan of your Web services for vulnerabilities,
and enables you to assess applications that contain Web services/SOAP objects.
Export Wizard – Fortify WebInspect's robust and configurable XML export tool enables users to
export (in a standardized XML format) any and all information found during the scan. This includes
comments, hidden fields, JavaScript, cookies, web forms, URLs, requests, and sessions. Users can specify
the type of information to be exported.
Web Service Test Designer – Allows you to create a Web Service Test Design file (filename.wsd) that
contains the values for Fortify WebInspect to submit when conducting a Web service scan.
API Scans – Fortify WebInspect supports scanning REST API applications as follows:
 • Configure an API Scan in the user interface by way of the Basic Scan Wizard. For more information,
see "Running a Basic Scan" on page 160.
 • Scan a REST API definition using the WebInspect REST API. For more information, see "Fortify
WebInspect REST API" on page 301.
 • Use a Postman collection of API requests to start a scan. For more information, see "Scanning with a
Postman Collection" on page 305.
 • For advanced use cases, use the WISwag.exe tool to create a webmacro or settings file to conduct a
scan of your REST API. For more information, see "Using the WISwag.exe Tool" on page 289.

Integration Capabilities – You can integrate Fortify WebInspect with some of the most widely used
application security development and testing tools, including the following:
 • Burp (For more information, see "About the Burp API Extension" on page 321.)
 • Postman (For more information, see "Scanning with a Postman Collection" on page 305.)
 • Selenium WebDriver (For more information, see "Integrating with Selenium WebDriver" on page 308.)
Enhanced Third-Party Commercial Application Threat Agents – Fortify WebInspect enables users
to perform security scans for any web application, including the industry-leading application platforms.
Some standard commercial application threat agents with Fortify WebInspect include:
 • Adobe ColdFusion
 • Adobe JRun
 • Apache Tomcat
 • IBM Domino
 • IBM WebSphere
 • Microsoft .NET
 • Oracle Application Server
 • Oracle WebLogic
See Also
"Contact Customer Support" on page 458

About Fortify WebInspect Enterprise


Micro Focus Fortify WebInspect Enterprise employs a distributed network of Fortify WebInspect
sensors controlled by a system manager with a centralized database. Optionally, you can integrate
Fortify WebInspect Enterprise with Fortify Software Security Center to provide Fortify Software
Security Center with information detected through dynamic scans of Web sites and Web services.
This innovative architecture enables you to:
 • Conduct a large number of automated security scans using any number of Fortify WebInspect
sensors to scan web applications and SOAP services.
 • Manage large or small Fortify WebInspect deployments across your organization to control product
updates, scan policies, scan permissions, tools usage, and scan results all centrally from the Fortify
WebInspect Enterprise console.
 • Track, manage, and detect your new and existing web applications and monitor all activity associated
with them.
 • Optionally upload scan data to Fortify Software Security Center.
 • Independently schedule scans and blackout periods, manually launch scans, and update repository
information using Fortify WebInspect or the Fortify WebInspect Enterprise console. For more
information, see "Blackout Period" on page 335.
 • Limit exposure to enterprise-sensitive components and data by using centrally defined roles for
users.
 • Obtain an accurate snapshot of the organization's risk and policy compliance through a centralized
database of scan results, reporting, and trend analysis.
 • Facilitate integration with third-party products and deployment of customized web-based front ends
using the Web Services application programming interface (API).

Fortify WebInspect Enterprise Components


The following illustration depicts the main components of the Fortify WebInspect Enterprise system.
These include the Fortify WebInspect Enterprise application, database, sensors, and users.
[Illustration: Fortify WebInspect Enterprise components, numbered 1 through 7 as in the list below]

Component Descriptions
The following list describes the Fortify WebInspect Enterprise user interfaces and architecture; the
numbers correspond to the items in the illustration.
 1. Windows Console User Interface – This console is a thin-client application that provides
administrative functionality, policy editing, and the toolkit.
 2. Web Console User Interface – This console is a browser-based application that provides user
functionality. It does not provide administrative functionality, policy editing, or the toolkit.
 3. HTTP or HTTPS – The Fortify WebInspect Enterprise components use these communication
protocols.
 4. Fortify Software Security Center (optional) – Integration with Fortify Software Security Center
provides a way to publish scans to a central repository of all static and dynamic scans. It provides
somewhat centralized accounts (although permissions are still managed separately), the ability to
submit scan requests, and more extensive reporting than a standalone installation.
 5. Fortify WebInspect Enterprise Manager – This is a Microsoft Windows server with an IIS application
platform. It is a Web service whose main functions are user authentication and authorization, data
repository, and remote scan scheduling.
 6. Sensors – These WebInspect sensors are installed on Microsoft Windows or Windows Server
operating systems. Sensors have no GUI and execute remote scans that are configured at the Web
Console. You use the Web Console to control all scan configurations, results, reports, and updates.
 7. Microsoft SQL Server – This Microsoft Windows server has a SQL database that stores all users,
permissions, and administrative settings. The database also stores all scan data and reporting.

FIPS Compliance
You can run Fortify WebInspect and Fortify WebInspect Enterprise in either normal mode or
FIPS-compliant mode.

About FIPS Compliance in Fortify WebInspect Products

In FIPS-compliant mode, Fortify WebInspect programs meet the encryption standards required to be
compliant with the Federal Information Processing Standard (FIPS). When running in FIPS-compliant
mode, data is encrypted using the AES algorithm established by the National Institute of Standards and
Technology (NIST). This includes the transmission of data to and from Fortify WebInspect as well as
saved scan data.
Because FIPS-compliant mode uses different cryptography modules from those used by the default
Fortify WebInspect product, a FIPS-compliant installation cannot access scan data generated on a
non-FIPS-compliant installation. If you previously used a non-FIPS-compliant installation of Fortify
WebInspect and now want to run Fortify WebInspect in a FIPS-compliant environment, the scan data
you generated in the non-FIPS-compliant installation will not be available to you unless you use the
Micro Focus FIPS Migration Tool to decrypt the data and then re-encrypt it using the AES algorithm.
When running multiple instances of Fortify WebInspect in your environment, these instances must all
be either FIPS-compliant or non-FIPS-compliant if you intend to share data among them.
Fortify WebInspect, Fortify WebInspect Enterprise, and the Fortify WebInspect Agent all have
FIPS-compliant modes.

Selecting FIPS-compliant Mode


Installing Fortify WebInspect in a FIPS-compliant environment triggers the option to run Fortify
WebInspect in normal mode or FIPS-compliant mode. You cannot switch from one mode to another, so
make sure that you do not have dependencies that require you to maintain backward compatibility with
non FIPS-compliant data before choosing this option. When running in FIPS-compliant mode, you will
not notice any changes in the day-to-day operation of Fortify WebInspect.

Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.

Note: You can find the Micro Focus Fortify Product Documentation at
https://www.microfocus.com/support-and-services/documentation. All guides are available in both
PDF and HTML formats. Product help is available within the Fortify WebInspect products.

All Products
The following documents provide general information for all products. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website.

About Micro Focus Fortify Product Software Documentation (About_Fortify_Docs_<version>.pdf) –
This paper provides information about how to access Micro Focus Fortify product documentation.
Note: This document is included only with the product download.

Micro Focus Fortify Software System Requirements (Fortify_Sys_Reqs_<version>.pdf) – This
document provides the details about the environments and products supported for this version of
Fortify Software.

Micro Focus Fortify Software Release Notes (FortifySW_RN_<version>.pdf) – This document provides
an overview of the changes made to Fortify Software for this release and important information not
included elsewhere in the product documentation.

What’s New in Micro Focus Fortify Software <version> (Fortify_Whats_New_<version>.pdf) – This
document describes the new features in Fortify Software products.

Micro Focus Fortify WebInspect

The following documents provide information about Fortify WebInspect. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-webinspect.

Micro Focus Fortify WebInspect Installation Guide (WI_Install_<version>.pdf) – This document
provides an overview of Fortify WebInspect and instructions for installing Fortify WebInspect and
activating the product license.

Micro Focus Fortify WebInspect User Guide (WI_Guide_<version>.pdf) – This document describes how
to configure and use Fortify WebInspect to scan and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect help. This PDF file is provided so you
can easily print multiple topics from the help information or read the help in PDF format. Because this
content was originally created to be viewed as help in a web browser, some topics may not be formatted
properly. Additionally, some interactive topics and linked content may not be present in this PDF version.

Micro Focus Fortify WebInspect on Docker User Guide (WI_Docker_Guide_<version>.pdf) – This
document describes how to download, configure, and use Fortify WebInspect that is available on the
Docker container platform. This full version of the product is intended to be used in automated
processes as a headless scanner configured by way of the command line interface (CLI) or the
application programming interface (API).

Micro Focus Fortify WebInspect Tools Guide (WI_Tools_Guide_<version>.pdf) – This document
describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration
utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.

Micro Focus Fortify WebInspect Runtime Agent Installation Guide (WI_RT_Agent_Install_<version>.pdf)
– This document describes how to install the Fortify WebInspect Runtime Agent for applications running
under a supported Java Runtime Environment (JRE) on a supported application server or service and
applications running under a supported .NET Framework on a supported version of IIS.

Micro Focus Fortify WebInspect Agent Rulepack Kit Guide (WI_Agent_Rulepack_Guide_<version>.pdf)
– This document describes the detection capabilities of Fortify WebInspect Agent Rulepack Kit. Fortify
WebInspect Agent Rulepack Kit runs atop the Fortify WebInspect Runtime Agent, allowing it to monitor
your code for software security vulnerabilities as it runs. Fortify WebInspect Agent Rulepack Kit provides
the runtime technology to help connect your dynamic results to your static ones.

Micro Focus Fortify WebInspect Enterprise

The following documents provide information about Fortify WebInspect Enterprise. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-webinspect-enterprise.

Micro Focus Fortify WebInspect Enterprise Installation and Implementation Guide
(WIE_Install_<version>.pdf) – This document provides an overview of Fortify WebInspect Enterprise
and instructions for installing Fortify WebInspect Enterprise, integrating it with Fortify Software
Security Center and Fortify WebInspect, and troubleshooting the installation. It also describes how to
configure the components of the Fortify WebInspect Enterprise system, which include the Fortify
WebInspect Enterprise application, database, sensors, and users.

Micro Focus Fortify WebInspect Enterprise User Guide (WIE_Guide_<version>.pdf) – This document
describes how to use Fortify WebInspect Enterprise to manage a distributed network of Fortify
WebInspect sensors to scan and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect Enterprise help. This PDF file is
provided so you can easily print multiple topics from the help information or read the help in PDF
format. Because this content was originally created to be viewed as help in a web browser, some topics
may not be formatted properly. Additionally, some interactive topics and linked content may not be
present in this PDF version.

Micro Focus Fortify WebInspect Tools Guide (WI_Tools_Guide_<version>.pdf) – This document
describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration
utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.

Chapter 2: Getting Started
This chapter describes how to prepare your system for audit, update SecureBase, and start a scan so
that you can begin using Fortify WebInspect right away. It also provides a tutorial on how to scan web
services at zero.webappsecurity.com, which is Fortify's demo website.

Preparing Your System for Audit


Fortify WebInspect is an aggressive web application analyzer that rigorously inspects your entire
website for real and potential security vulnerabilities. This procedure is intrusive to varying degrees.
Depending on which Fortify WebInspect policy you apply and the options you select, it can affect server
and application throughput and efficiency. When using the most aggressive policies,
Fortify recommends that you perform this analysis in a controlled environment while monitoring your
servers.

Sensitive Data
Fortify WebInspect captures and displays all application data sent between the application and server. It
might even discover sensitive data in your application that you are not aware of. Fortify recommends
that you follow one of these best practices regarding sensitive data:
 • Do not use potentially sensitive data, such as real user names and passwords, while testing with
Fortify WebInspect.
 • Do not allow Fortify WebInspect scans, related artifacts, and data stores to be accessed by anyone
unauthorized to access potentially sensitive data.
Network authentication credentials are not displayed in WebInspect and are encrypted when stored in
settings.

Firewalls, Anti-virus Software, and Intrusion Detection Systems


WebInspect sends attacks to servers, and then analyzes and stores the results. Web application firewalls
(WAF), anti-virus software, firewalls, and intrusion detection/prevention systems (IDS/IPS) are in place
to prevent these activities. Therefore, these tools can be problematic when conducting a scan for
vulnerabilities.
First, these tools can interfere with WebInspect’s scanning of a server. An attack that WebInspect sends
to the server can be intercepted, resulting in a failed request to the server. If the server is vulnerable to
that attack, then a false negative is possible.
Second, results or attacks that are in the WebInspect product, cached on disk locally, or in the database
can be identified and quarantined by these tools. When working files used by WebInspect or data in the
database are quarantined, WebInspect can produce inconsistent results. Such quarantined files and
data can also cause unexpected behavior.

These types of issues are environmentally specific, though McAfee IPS is known to cause both types of
problems, and any WAF will cause the first problem. Fortify has seen other issues related to these tools
as well.
If such issues arise while conducting a scan, Fortify recommends that you disable WAF, anti-virus
software, firewall, and IDS/IPS tools for the duration of the scan. Doing so is the only way to be sure
you are getting reliable scan results. If it is not practical to disable these tools, you should allow
exceptions within these tools for every issue that they detect related to WebInspect or a WebInspect
scan.
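The log review that the previous paragraphs call for, as an added example that is not part of the original guide and not Micro Focus code: a small Python script that correlates a WAF or IDS log with the scan window and the address of the scanning host. Every rule it reports intercepted a request from the scanner, which means that probe never reached the application (a possible false negative in the scan results) and is the exception you would need to grant for the duration of the scan if the tool cannot be disabled. The log line format, the scanner address 10.0.0.5, the rule names and the scan window are all constructed assumptions for the demonstration; adapt the regular expression to your own tool's format.

```python
"""Correlate WAF/IDS blocks with a vulnerability-scan window.

Added example, not code from the WebInspect guide or from Micro Focus. The log
line format, the scanner address, the rule names and the scan window below are
constructed stand-ins for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: ISO-8601 UTC timestamp, client address, WAF action,
# rule identifier ("-" when no rule fired) and request URI.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) action=(?P<action>\w+) "
    r"rule=(?P<rule>\S+) uri=(?P<uri>\S+)$"
)

# Constructed sample: 10.0.0.5 is the scan host, 203.0.113.9 an unrelated client.
SAMPLE_LOG = """\
2019-11-05T10:14:58Z client=203.0.113.9 action=ALLOW rule=- uri=/index.html
2019-11-05T10:15:02Z client=10.0.0.5 action=BLOCK rule=WAF-SQLI uri=/login
2019-11-05T10:15:03Z client=10.0.0.5 action=BLOCK rule=WAF-XSS uri=/search
2019-11-05T10:15:04Z client=10.0.0.5 action=ALLOW rule=- uri=/about
2019-11-05T10:15:09Z client=10.0.0.5 action=BLOCK rule=WAF-SQLI uri=/login
2019-11-05T10:15:10Z client=203.0.113.9 action=BLOCK rule=WAF-HOST uri=/admin
2019-11-05T11:30:00Z client=10.0.0.5 action=BLOCK rule=WAF-SQLI uri=/login
"""

SCANNER_IP = "10.0.0.5"                                         # constructed
SCAN_START = datetime(2019, 11, 5, 10, 0, tzinfo=timezone.utc)  # constructed
SCAN_END = datetime(2019, 11, 5, 11, 0, tzinfo=timezone.utc)    # constructed


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def blocked_during_scan(log_text, scanner_ip, start, end):
    """Summarise scanner requests that the WAF blocked inside the scan window.

    Returns {rule_id: {"count": n, "uris": [...]}}. Each entry is a probe that
    never reached the application (a possible false negative) and the rule to
    exempt for the scan host if the WAF stays enabled during the scan.
    """
    summary = defaultdict(lambda: {"count": 0, "uris": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != scanner_ip or rec["action"] != "BLOCK":
            continue
        if not start <= rec["ts"] <= end:
            continue  # outside the scan window: not caused by the scan
        entry = summary[rec["rule"]]
        entry["count"] += 1
        entry["uris"].add(rec["uri"])
    return {rule: {"count": e["count"], "uris": sorted(e["uris"])}
            for rule, e in summary.items()}


if __name__ == "__main__":
    report = blocked_during_scan(SAMPLE_LOG, SCANNER_IP, SCAN_START, SCAN_END)
    for rule, info in sorted(report.items()):
        print(f"{rule}: {info['count']} blocked request(s) on {', '.join(info['uris'])}")
```

Blocks from other clients and blocks outside the window are deliberately left out, so the report only contains events the scan itself caused; run it again after adding the exceptions to confirm the list is empty before trusting the scan results.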

Effects to Consider
During an audit of any type, Fortify WebInspect submits a large number of HTTP requests, many of
which have "invalid" parameters. On slower systems, the volume of requests may degrade or deny access
to the system by other users. Additionally, if you are using an intrusion detection system, it will identify
numerous illegal access attempts.
To conduct a thorough scan, Fortify WebInspect attempts to identify every page, form, file, and folder
in your application. If you select the option to submit forms during a crawl of your site, Fortify
WebInspect will complete and submit all forms it encounters. Although this enables Fortify WebInspect
to navigate seamlessly through your application, it may also produce the following consequences:
 • If, when a user normally submits a form, the application creates and sends e-mails or bulletin board
postings (to a product support or sales group, for example), Fortify WebInspect will also generate
these messages as part of its probe.
 • If normal form submission causes records to be added to a database, then the forms that Fortify
WebInspect submits will create spurious records.
During the audit phase of a scan, Fortify WebInspect resubmits forms many times, manipulating every
possible parameter to reveal problems in the applications. This greatly increases the number of
messages and database records created.

Helpful Hints
 • For systems that write records to a back-end server (database, LDAP, and so on) based on forms
submitted by clients, some Fortify WebInspect users, before auditing their production system,
back up their database, and then reinstall it after the audit is complete. If this is not feasible, you can
query your servers after the audit to search for and delete records that contain one or more of the
form values submitted by Fortify WebInspect. You can determine these values by opening the Web
Form Editor.
 • If your system generates e-mail messages in response to user-submitted forms, consider disabling
your mail server. Alternatively, you could redirect all e-mails to a queue and then, following the audit,
manually review and delete those e-mails that were generated in response to forms submitted by
Fortify WebInspect.
 • Fortify WebInspect can be configured to send up to 75 concurrent HTTP requests before it waits for
an HTTP response to the first request. The default thread count setting is 5 for a crawl and 10 for an
audit (if using separate requestors). In some environments, you may need to specify a lower number
to avoid application or server failure. For more information, see "Scan Settings: Requestor" on
page 348.
 • If, for any reason, you do not want Fortify WebInspect to crawl and attack certain directories, you
must specify those directories using the Excluded URLs feature of Fortify WebInspect settings (see
"Scan Settings: Session Exclusions" on page 352). You can also exclude specific file types and MIME
types.
 • By default, Fortify WebInspect is configured to ignore many binary files (images, documents, and so
on) that are commonly found in web applications. These documents cannot be crawled or attacked,
so there is no value in auditing them. Bypassing these documents greatly increases the audit speed. If
proprietary documents are in use, determine the file extensions of the documents and exclude them
within Fortify WebInspect's default settings. If, during a crawl, Fortify WebInspect becomes extremely
slow or stops, it may be because it attempted to download a binary document.
 • For form submission, Fortify WebInspect submits data extracted from a prepackaged file. If you
require specific values (such as user names and passwords), you must create a file with Micro Focus’s
Web Form Editor and identify that file to Fortify WebInspect.
 • Finally, Fortify WebInspect tests for certain vulnerabilities by attempting to upload files to your
server. If your server allows this, Fortify WebInspect will record this susceptibility in its scan report
and attempt to delete the file. Sometimes, however, the server prevents file deletion. For this reason,
search for and delete files with names that start with "CreatedByHP" as a routine part of your
post-scan maintenance.
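The post-scan maintenance described in the first and last hints, as an added example that is not part of the original guide and not Micro Focus code. The script walks a web root for leftover files whose names start with "CreatedByHP" (the prefix the guide names above) and queries a database for records that contain the form values the scanner submitted. The web root, the contacts table and its columns, and the form values wiformtest and scanner.example are constructed stand-ins; in practice the values are the ones you read from the Web Form Editor, and the query runs against your own database rather than the in-memory one built here.

```python
"""Post-scan cleanup: leftover upload-test files and spurious form records.

Added example, not code from the WebInspect guide or from Micro Focus. Only the
"CreatedByHP" file-name prefix comes from the guide; the web root, the table and
column names and the form values below are constructed for this demonstration.
"""
import os
import shutil
import sqlite3
import tempfile

SCANNER_FILE_PREFIX = "CreatedByHP"  # prefix of upload-test files named in the guide


def find_scanner_files(web_root):
    """Return paths under web_root whose file name starts with the scanner prefix.

    Such files remain when the server accepted the upload test but refused the
    follow-up delete, which the guide notes can happen.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.startswith(SCANNER_FILE_PREFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_spurious_rows(conn, table, columns, form_values):
    """Return ids of rows whose text columns contain any value the scanner submitted.

    form_values are the values shown in the Web Form Editor. Identifiers are
    validated before being quoted; the values themselves are bound as parameters.
    """
    for ident in (table, *columns):
        if not ident.replace("_", "").isalnum():
            raise ValueError(f"unsafe identifier: {ident!r}")
    where = " OR ".join(f'"{col}" LIKE ?' for col in columns for _ in form_values)
    params = [f"%{val}%" for _col in columns for val in form_values]
    sql = f'SELECT id FROM "{table}" WHERE {where} ORDER BY id'
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Run both checks against a constructed web root and an in-memory database."""
    web_root = tempfile.mkdtemp(prefix="webroot_")  # constructed web root
    try:
        os.makedirs(os.path.join(web_root, "uploads"))
        for rel in ("index.html", "uploads/CreatedByHP12345.txt", "uploads/report.pdf"):
            with open(os.path.join(web_root, rel), "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
        files = [os.path.relpath(p, web_root) for p in find_scanner_files(web_root)]
    finally:
        shutil.rmtree(web_root, ignore_errors=True)

    conn = sqlite3.connect(":memory:")  # constructed stand-in for the application database
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO contacts (name, email) VALUES (?, ?)",
        [
            ("Alice Example", "alice@example.com"),        # legitimate record
            ("wiformtest", "probe@scanner.example"),       # constructed scanner values
            ("Bob Example", "bob@example.com"),            # legitimate record
        ],
    )
    # Constructed stand-ins for the values the Web Form Editor lists for this scan.
    form_values = ["wiformtest", "scanner.example"]
    rows = find_spurious_rows(conn, "contacts", ["name", "email"], form_values)
    return files, rows


if __name__ == "__main__":
    leftover_files, spurious_ids = demo()
    print("leftover upload-test files:", leftover_files)
    print("spurious contact ids:", spurious_ids)
```

Both functions only report; deleting is left to you so that the list can be reviewed first, and so that a legitimate record which happens to share a value with the scanner's form data is not removed by mistake.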
See Also
"Fortify WebInspect Overview " on page 31
"Quick Start " below

Quick Start
This topic provides information to help you get started with Fortify WebInspect. It includes links to
more detailed information.

Update SecureBase
To ensure that you have up-to-date information about the Fortify WebInspect catalog of
vulnerabilities, use the following procedure to update your vulnerabilities database.
 1. Start Fortify WebInspect.
Note: If Fortify WebInspect is installed as an interactive component of the Fortify WebInspect
Enterprise, and if the enterprise server is currently using this Fortify WebInspect module to
conduct a scan, then you cannot start Fortify WebInspect. The following message will be
displayed: "Unable to start WebInspect. Permission denied."

 2. On the Start Page, click Start Smart Update.
The Smart Update window opens and lists available updates.
 3. Click Update.

Micro Focus Fortify WebInspect (19.2.0) Page 42 of 482


User Guide
Chapter 2: Getting Started

Note: Update the product each time you use it. You can select an application setting that runs
Smart Update each time you start the program. For more information, see "Application Settings:
Smart Update" on page 421.

For more information, including instructions for updating a Fortify WebInspect installation that is
offline, see "SmartUpdate" on page 269.

Prepare Your System for Audit
Before performing an audit, be aware of the potential impact on your website, and what you can do to
prepare for a successful audit. For more information, see "Preparing Your System for Audit " on
page 40.

Start a Scan
After you update your database, you are ready to determine your web application’s security
vulnerabilities.
On the Fortify WebInspect Start Page, click one of the following selections:
 l Start a Guided Scan (see "Guided Scan Overview " on page 105)
 l Start a Basic Scan (see "Running a Basic Scan" on page 160)
 l Start a Web Service Scan (see "Running a Web Service Scan " on page 157)
 l Start an Enterprise Scan (see "Running an Enterprise Scan " on page 182)
See Also
"Preparing Your System for Audit " on page 40
"User Interface Overview" on page 47

Scanning Web Services at zero.webappsecurity.com
Web services are programs that communicate with other applications (rather than with users) and
answer requests for information. Most Web services use Simple Object Access Protocol (SOAP) to send
XML data between the Web service and the client Web application that initiated the information
request.
A client Web application that accesses a Web service receives a Web Services Definition Language
(WSDL) document so that it can understand how to communicate with the service. The WSDL
document describes the programmed procedures included in the Web service, the parameters those
procedures expect, and the type of return information the client Web application will receive.
This tutorial illustrates how to conduct a Web service scan of zero.webappsecurity.com using a
predefined Web service design (.wsd) file containing the values that Fortify WebInspect will submit
when conducting the scan. For information on how to use the Web Service Test Designer to create a
Web service design file (filename.wsd) for your site, refer to the Web Service Test Designer help.


Conducting a Web Service Scan
To conduct a web service scan:
 1. Select Start a Web Service Scan from the Fortify WebInspect Start page.
 2. Accept the default name or enter a new Scan Name and select Configure a Web Service Scan.
Note: "Service:" is auto-filled at the start of the scan name.

Tip: If you were conducting a scan on your site, the Web Service Scan Wizard Step 3 of 4
would prompt you to open the Web Service Test Designer tool to create a .wsd file for your
site. Then for subsequent scans of the same WSDL, you would re-use the .wsd file you created
and select Scan with existing Design File on the Web Service Scan Wizard Step 1 of 4. 

Web Service Scan Wizard Image Step 1 of 4

 3. Accept the default URL for the WSDL Location.
Tip: If you were conducting a scan on your site, you would enter or select the fully qualified
path to the WSDL file on your site.

 4. Click Next.


Web Service Scan Wizard Image Step 2 of 4

 5. If you need to access the target site through a proxy server, select Network Proxy and then
choose an option from the Proxy Profile list.
 6. If server authentication is required, select Network Authentication and then select
an authentication method and enter your network credentials. For this exercise, accept the default.
 7. Click Next.


Web Service Scan Wizard Image Step 3 of 4

 8. Accept the defaults and click Next.
Tip: If you were conducting a scan on your site and had not created a .wsd file, the Web
Service Scan Wizard Step 3 of 4 would prompt you to open the Web Service Test Designer tool
to create a .wsd file for your site.
 9. Click Scan.
Fortify WebInspect conducts the Web Service scan.

Chapter 3: User Interface Overview
When you first start Fortify WebInspect, the application displays the Start Page in the client area, as
illustrated below.
Start Page Image

Note: When Fortify WebInspect is connected to Enterprise Server, there is a button labeled
"WebInspect Enterprise WebConsole" to the right of the SmartUpdate button. This button launches
the Web Console.

The Activity Panel
The left pane (the Activity Panel) displays hyperlinks to the following major functions:
 l Start a Guided Scan (see "Guided Scan Overview " on page 105)
 l Start a Basic Scan (see "Running a Basic Scan" on page 160)
 l Start a Web Service Scan (see "Running a Web Service Scan " on page 157)
 l Start an Enterprise Scan (see "Running an Enterprise Scan " on page 182)
 l Generate a Report (see "Generating a Report" on page 255)
 l Start SmartUpdate (see "SmartUpdate" on page 269) 


Closing the Activity Panel
You can close the Activity Panel by clicking the Left Arrow on the bar above the pane.
Start Page with No Activity Panel Image

The Button Bar
The contents of the right pane are determined by the button selected on the Button bar identified in
the following image.

The choices are described in the following table.

Button Displayed List

Home Displays a list of recently opened scans, as well as scans scheduled to be
conducted today, recently generated reports, and messages downloaded from
the Micro Focus server.
If you hover the pointer over a scan name, Fortify WebInspect displays summary
information about the scan. If you click the scan name, Fortify WebInspect
opens the scan on a separate tab.

Manage Scans Displays a list of previously conducted scans, which you can open, rename, or
delete. Click Connections to choose a database: either Local (scans stored in a
SQL Server Express Edition database on your machine) or Remote (scans stored
in a SQL Server Standard Edition database configured on your machine or
elsewhere on the network), or both. For more information, see "Manage Scans "
on page 199.

Manage Schedule Displays a list of scans that are scheduled to be performed. You can add a scan
to the schedule, edit or delete a scheduled scan, or start the scan manually. For
more information, see "Managing Scheduled Scans " on page 205.


Panes Associated with a Scan
Each time you open or conduct a scan, Fortify WebInspect opens a tab labeled with the name or
description of the target site. This work area is divided into three regions, as depicted in the following
illustration.

Item Description

1 Navigation Pane

2 Information Pane

3 Summary Pane

If you have a large number of scans open at the same time, and there is no room to display all tabs, you
can scroll the tabs by clicking the arrows on the extreme right end of the tab bar. Click the X to
close the selected tab.
See Also
"Menu Bar " on page 52
"Toolbars " on page 57
"Start Page " on the next page
"Navigation Pane" on page 61


"Summary Pane" on page 97
"Information Pane " on page 71

Start Page
The left-hand pane of the Start Page contains a list of activities related to the vulnerability scan of your
Web site or Web service:
 l Start a Guided Scan (see "Guided Scan Overview " on page 105)
 l Start a Basic Scan (see "Running a Basic Scan" on page 160)
 l Start a Web Service Scan (see "Running a Web Service Scan " on page 157)
 l Start an Enterprise Scan (see "Running an Enterprise Scan " on page 182)
 l Generate a Report (see "Generating a Report" on page 255)
 l Start SmartUpdate (see "SmartUpdate" on page 269)
The contents of the right-hand pane are controlled by the buttons on the Button bar.

Home
When Home is selected (the default), Fortify WebInspect displays a list of:
 l Recently opened scans.
If you hover the pointer over a scan name, Fortify WebInspect displays summary information about
the scan. If you click the scan name, Fortify WebInspect opens the scan on a separate tab.
 l Scans scheduled to be conducted today
 l Recently generated reports
 l Messages downloaded from the Micro Focus server

Manage Scans
When Manage Scans is selected, Fortify WebInspect displays a list of previously conducted scans, which
you can open, rename, or delete. Click Connections to choose a database: either Local (scans stored in
the SQL Server Express Edition database on your machine) or Remote (scans stored in the SQL Server
database, if configured), or both. For more information, see "Manage Scans " on page 199.

Manage Schedule
When Manage Schedule is selected, Fortify WebInspect displays a list of scheduled scans. You can add
a scan to the schedule, edit or delete a scheduled scan, or start the scan manually. For more information,
see "Managing Scheduled Scans " on page 205.

See Also
"User Interface Overview" on page 47

Menu Bar
Menu options are:
 l "File Menu" below
 l "Edit Menu " on the next page
 l "View Menu " on the next page
 l "Tools Menu " on page 54
 l "Scan Menu " on page 54
 l "Enterprise Server Menu" on page 54
 l "Reports Menu " on page 55
 l "Help Menu" on page 56

File Menu
The File menu commands are described in the following table.

Command Description

New Allows you to select either Basic Scan or Web Service scan, and then launches
the Scan Wizard, which steps you through the process of starting a scan.

Open Allows you to open either a scan or a generated report.

Schedule Opens the Manage Scheduled Scans window, which allows you to add, edit, or
delete a scheduled scan.

Import Scan Allows you to import a scan file.

Export This command is available only when a tab containing a scan is selected. You
may:
 l Export a scan
 l Export scan details
 l Export a scan to Software Security Center

Close Tab When multiple tabs are open, closes the selected tab.

Exit Closes the Fortify WebInspect program.

Edit Menu
The Edit menu commands are described in the following table.

Command Description

Default Scan Settings Displays the Default Settings window, allowing you to select or modify options
used for scanning.

Current Scan Settings Displays a settings window that allows you to select or modify options for the
current scan. This command is available only when a tab containing a scan is
selected.

Manage Settings Opens a window that allows you to add, edit, or delete settings files.

Application Settings Displays the Application Settings window, allowing you to select or modify
options controlling the operation of the Fortify WebInspect application. For
more information, see the Application Settings.

Copy URL Copies the selected URL to the Windows clipboard. This command is available
only when a tab containing a scan is selected.

Copy Scan Log Copies the log (for the scan on the selected tab) to the Windows clipboard. This
command is available only when a tab containing a scan is selected.

View Menu
The View menu commands are described in the following table.

Command Description

Word Wrap Inserts soft returns at the right-side margins of the display area when viewing
HTTP requests and responses. This command is available only when a tab
containing a scan is selected.

Toolbars Allows you to select which toolbars should be displayed. For more information,
see "Toolbars " on page 57.


Tools Menu
The Tools menu contains commands to launch the tool applications.

Scan Menu
The Scan menu appears on the menu bar only when a tab containing a scan has focus. Scan menu
commands are described in the following table.

Command Description

Start/Resume Starts or resumes a scan after you paused the process.

Pause Halts a crawl or audit. Click Resume to continue the scan.

Skip If an audit is in progress, skips to the next audit methodology. If a crawl is in
progress, skips to the audit.

Audit Assesses the crawled site for vulnerabilities. Use the command after completing
a crawl or exiting Step Mode.

Rescan This command launches the Scan Wizard prepopulated with settings last used
for the selected scan.

Enterprise Server Menu
The Enterprise Server menu contains the following commands:

Command Description

Connect to WebInspect Enterprise or Disconnect Establishes or breaks a connection to the Fortify WebInspect
Enterprise server.

Download Scan Allows you to select a scan for copying from the server to your hard drive.

Publish Scan Displays a dialog box that allows you to review vulnerabilities and
transmit them to an enterprise server which, in turn, transmits them to a
Micro Focus Fortify Software Security Center server. For more information,
see "Publishing a Scan (Fortify WebInspect Enterprise Connected) " on
page 220.
Note: This option is available only if Fortify WebInspect Enterprise is
integrated with Fortify Software Security Center.

Upload Scan Allows you to select a scan for transferring data to the server. This is used
most often when the application setting "auto upload scans" is not selected.

Transfer Settings Allows you to select a Fortify WebInspect settings file and transfer it to the
server, which will create a Scan Template based on those settings. Also
allows you to select a Scan Template and transfer it to Fortify WebInspect,
which will create a settings file based on the template. For more
information, see "Transferring Settings to/from Enterprise Server" on
page 218.

WebConsole Launches the Fortify WebInspect Enterprise Web Console application.

About Enterprise Server Displays information about Fortify WebInspect Enterprise.

Note: A Fortify WebInspect installation with a standalone license may connect to an enterprise
server at any time, as long as the user is a member of a role in Fortify WebInspect Enterprise.

Reports Menu
The Reports menu commands are described in the following table.

Command Description

Generate Report Launches the Report Generator.

Manage Reports Displays a list of standard and custom report types. You can rename, delete, or
export custom-designed reports, and you may import a report definition file.


Help Menu
The Help menu provides the commands described in this topic.

WebInspect Help
This command opens the Help file.

Search
This command opens the Help file, displaying the search options in the left pane.

Support > Request an Enhancement
If the support channel is enabled (see "Application Settings: Support Channel" on page 421), this
command opens a window allowing you to submit enhancement requests to Micro Focus.

Support > Contact Technical Support
This command displays instructions for contacting Fortify Customer Support.

Support > Get Open TC Browsers info
Use this menu command when working with Fortify Customer Support to troubleshoot issues with
scans, such as when a scan is not completing. This command collates snapshots and logs of the
TruClient browsers during a scan. The browsers are hidden during the scan and the processes cannot
be seen in memory dumps, so these snapshots provide a browser view of what Fortify WebInspect
encountered during the scan.
To use this command:
 1. Select Help > Support > Get Open TC Browsers info.
The Get Browsers Information window appears.
 2. Click the browse button (…) and select a location to save the collated files.
 3. Select Upload to Telemetry to automatically upload the collated files to Micro Focus upon
completion.
 4. Click Collate.
A folder is created with the name of the scan GUID, and the collated snapshots and logs are placed
inside the folder.


Support > Copy Application Snapshot to Clipboard
Use this menu command when working with Fortify Customer Support to diagnose problems with
Fortify WebInspect. This option creates a memory dump of Fortify WebInspect so that a dump analysis
can be performed using a Windows debugger tool.
To use this command:
 1. Select Help > Support > Copy Application Snapshot to Clipboard.
The Collect WebInspect State Information window appears.
 2. After the completion message appears, open Notepad and press CTRL+V to paste the contents into
the file.

Tutorials
This command allows you to download tutorials and other Fortify WebInspect documentation.

About WebInspect
This command displays information about the Fortify WebInspect application, including license
information, allowed hosts, and attributes.

Toolbars
The Fortify WebInspect window contains two toolbars: Scan and Standard. You can display or hide
either toolbar by selecting Toolbars from the View menu.

Buttons Available on the Scan Toolbar

Button Function

You can pause a scan and then resume scanning. Also, a
completed scan may contain sessions that were not sent
(because of timeouts or other errors); if you click Start, Fortify
WebInspect will attempt to resend those sessions.

Interrupts an ongoing scan. You can continue scanning by
clicking the Start/Resume button.

When conducting a sequential crawl and audit, you can skip
processing by whichever engine is running (if you selected Test
each engine type per session) or you can skip processing the
session (if you selected Test each session per engine type).
For more information, see the "Sequentially" crawl and audit
option in "Scan Settings: Method " on page 338.

If you conduct a crawl-only scan or a Step Mode scan, you can
afterwards click this button to conduct an audit. For more
information, see "Running a Manual Scan " on page 186.

This button appears only if you select a tab containing a scan. If
you select Scan Again from the drop-down menu, it launches
the Scan Wizard prepopulated with settings last used for the
selected scan. If you select Retest Vulnerabilities, it starts a
scan that examines only those portions of the target site in
which vulnerabilities were detected during the original scan. For
more information, see "Reviewing and Retesting" on page 250.

This button appears only if you select a tab containing a scan. It
allows you to compare the vulnerabilities revealed by two
different scans of the same target. For more information, see
"Comparing Scans " on page 193.

This button appears only if Fortify WebInspect is connected to
Fortify WebInspect Enterprise and a scan is open on the tab that
has focus. It allows you to send the scan settings to Fortify
WebInspect Enterprise, which creates a scan request and places
it in the scan queue for the next available sensor. For detailed
information, see "Running a Scan in Enterprise Server" on
page 218.

This button appears only after connecting to Fortify WebInspect
Enterprise. It allows you to specify a Fortify Software Security
Center application and version. Fortify WebInspect then
downloads a list of vulnerabilities from Fortify Software Security
Center, compares the downloaded vulnerabilities to the
vulnerabilities in the current scan, and assigns an appropriate
status (New, Existing, Reintroduced, or Not Found) to the
vulnerabilities in the current scan. For detailed information, see
"Integrating with Fortify WebInspect Enterprise and Fortify
Software Security Center " on page 221.
Note: This option is available only if Fortify WebInspect
Enterprise is integrated with Fortify Software Security
Center.

This button appears only after connecting to Fortify WebInspect
Enterprise and is enabled after you have synchronized Fortify
WebInspect with Fortify Software Security Center. It uploads
application version data through Fortify WebInspect Enterprise
to Fortify Software Security Center.
Note: This option is available only if Fortify WebInspect
Enterprise is integrated with Fortify Software Security
Center.

Buttons Available on the Standard Toolbar

Button Function

Allows you to start a Basic Scan, a Web service scan, or an
enterprise scan.

Allows you to open a scan or a report.

Starts the Compliance Manager.

Starts the Policy Manager.

Starts the Report Generator.

Allows you to schedule a scan to occur on a specific time and
date. For more information, see "Schedule a Scan " on page 203.

Contacts the central Micro Focus database to determine if
updates are available for your system and, if updates exist,
allows you to install them. For more information, see
"SmartUpdate" on page 269.

Launches the Fortify WebInspect Enterprise Web Console
application. This button appears only if you are connected to
Fortify WebInspect Enterprise.

Buttons Available on the "Manage Scans" Toolbar

Button Function

To open scans, select one or more scans and click Open (or
simply double-click an entry in the list). Fortify WebInspect loads
the scan data and displays each scan on a separate tab.

To launch the Scan Wizard prepopulated with settings last used
for the selected scan, click Rescan > Scan Again.
To rescan only those sessions that contained vulnerabilities
revealed during a previous scan, select a scan and click Rescan >
Retest Vulnerabilities.
For more information, see "Reviewing and Retesting" on
page 250.

To rename a selected scan, click Rename.

To delete the selected scan(s), click Delete.

To import a scan, click Import.

To export a scan, export scan details, or export a scan to Fortify
Software Security Center, click the drop-down arrow on Export.

To compare scans, select two scans (using Ctrl + click) and click
Compare. For more information, see "Comparing Scans " on
page 193.

By default, Fortify WebInspect lists all scans saved in the local
SQL Server Express Edition and in a configured SQL Server
Standard Edition. To select one or both databases, or to specify
a SQL Server connection, click Connections.

When necessary, click Refresh to update the display.

To select which columns should be displayed, click Columns. You
can rearrange the order in which columns are displayed using the
Move Up and Move Down buttons or, on the Manage Scans
list, you can simply drag and drop the column headers.

Navigation Pane
When conducting or viewing a scan, the navigation pane is on the left side of the Fortify WebInspect
window. It includes the Site, Sequence, Search, and Step Mode buttons, which determine the contents
(or "view") presented in the navigation pane.


Item Description

1 Navigation Pane

2 Buttons for changing the view


If all buttons are not displayed, click the drop-down arrow at the bottom of the button list and select
Show More Buttons.

Site View
Fortify WebInspect displays in the navigation pane only the hierarchical structure of the Web site or
Web service, plus those sessions in which a vulnerability was discovered. During the crawl of the site,
Fortify WebInspect selects the check box next to each session (by default) to indicate that the session
will also be audited. When conducting a sequential crawl and audit (where the site is completely
crawled and then audited), you can exclude a session from the audit by clearing its associated
check box before the audit begins.
Site view also contains two pop-up tabs: Excluded Hosts and Allowed Hosts Criteria.

Excluded Hosts
If you click the Excluded Hosts tab (or hover your pointer over it), the tab displays a list of all
disallowed hosts. These are hosts that may be referenced anywhere within the target site, but cannot be
scanned because they are not specified in the Allowed Hosts setting (Default/Current Scan Settings >
Scan Settings > Allowed Hosts). 
Using the Excluded Hosts tab, you can select an excluded host and click either Add to scan or Add
allowed host criteria.


Item Description

1 Add to scan – Adding a host to the scan creates a node in the site tree representing the
host root directory. Fortify WebInspect will scan that session. If you have selected the
option to log rejected sessions for invalid hosts (Default/Current Scan Settings > Scan
Settings > Session Storage), Fortify WebInspect will scan the entire host.

2 Add to Allowed Host Criteria – Adding a host to the allowed host criteria adds the URL to
the list of allowed hosts in the Current Scan Settings. Fortify WebInspect will include in the
scan any subsequent links to that host. However, if you add a host to the allowed host
criteria after Fortify WebInspect has already scanned the only resource containing a link to
that host, the added host will not be scanned.

Allowed Hosts Criteria
If you click the Allowed Hosts Criteria tab (or hover your pointer over it), the tab displays the URLs
(or regular expressions) specified in the Fortify WebInspect scan settings (under Allowed Hosts). If you
click either Delete or Add allowed host criteria, Fortify WebInspect opens the Current Settings dialog
box, where you can add, edit, or delete allowed host criteria (a literal URL or a regular expression
representing a URL). 


Item Description

1 Add Allowed Host Criteria – If you add an entry, Fortify WebInspect will include in the scan
any subsequent links it encounters to hosts that match the criteria. However, if you specify
a host after Fortify WebInspect has already scanned the only resource containing a link to
that host, the added host will not be scanned.

2 Delete – If you delete an entry from the allowed host list, the scan will still include any
resources that Fortify WebInspect already encountered.

To save these settings for a future scan, select Save settings as (at the bottom of the left pane of the
Settings window).
You must pause the scan before you can modify the excluded hosts or allowed hosts criteria.
Furthermore, the scanning of added or deleted hosts may not occur as expected, depending on the
point at which you paused the scan. For example, if you add an allowed host after Fortify WebInspect
has already scanned the only resource containing a link to the added host, the added host will not be
scanned.
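To make the Excluded Hosts and Allowed Hosts Criteria behaviour described above concrete, here is an added example (not Fortify WebInspect code) that classifies the links found during a crawl against the start URL plus a criteria list. The tuple form of a criterion, the area of the URL each kind is matched against, and the sample links and hosts are assumptions of the example.

```python
"""Model of how a crawler decides whether a linked host is in scope.

Added example, not Fortify WebInspect code. It mimics the page's
description of Allowed Hosts criteria (a literal URL or a regular
expression representing a URL) and the Excluded Hosts list (hosts that
are referenced by the target site but match no criterion).
"""
import re
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Return the host[:port] part of a URL, lower-cased for comparison."""
    return urlparse(url).netloc.lower()


def compile_criteria(criteria):
    """Turn allowed-host criteria into matcher functions.

    A criterion is either ("literal", "http://zero.webappsecurity.com") or
    ("regex", r"^https?://[^/]*\.example\.com(:\d+)?/"). Literal entries
    are compared by host; regex entries are matched against the full URL.
    (This tuple form is an assumption of the example, not the product's
    settings format.)
    """
    matchers = []
    for kind, value in criteria:
        if kind == "literal":
            wanted = host_of(value)
            matchers.append(lambda url, wanted=wanted: host_of(url) == wanted)
        elif kind == "regex":
            pattern = re.compile(value, re.IGNORECASE)
            matchers.append(lambda url, p=pattern: p.search(url) is not None)
        else:
            raise ValueError(f"unknown criterion kind: {kind}")
    return matchers


def classify_links(start_url, criteria, discovered_links):
    """Split discovered links into in-scope URLs and excluded hosts.

    The start URL's host is always allowed, because it is the scan target.
    Returns (in_scope_urls, excluded_hosts); excluded hosts are sorted and
    de-duplicated, like the Excluded Hosts tab in the navigation pane.
    """
    matchers = compile_criteria([("literal", start_url)] + list(criteria))
    in_scope, excluded = [], set()
    for link in discovered_links:
        if any(match(link) for match in matchers):
            in_scope.append(link)
        else:
            excluded.add(host_of(link))
    return in_scope, sorted(excluded)


# Constructed sample: a crawl of the tutorial host that finds links to a
# CDN, two hosts under a hypothetical example.com domain (one on a
# non-default port), and a third-party tracker.
START = "http://zero.webappsecurity.com/"
SAMPLE_LINKS = [
    "http://zero.webappsecurity.com/login.html",
    "http://ZERO.webappsecurity.com/account/summary",
    "https://cdn.example-static.net/app.js",
    "https://api.example.com:8443/v1/ping",
    "https://intranet.example.com/reports",
    "http://tracker.example-ads.org/pixel.gif",
]
# One regex criterion: any host under example.com, any port.
CRITERIA = [("regex", r"^https?://[^/]*\.example\.com(:\d+)?/")]

if __name__ == "__main__":
    allowed, excluded = classify_links(START, CRITERIA, SAMPLE_LINKS)
    print("in scope:", *allowed, sep="\n  ")
    print("excluded hosts:", *excluded, sep="\n  ")
```

Running it lists four in-scope URLs (the target host regardless of letter case, plus both example.com hosts) and two excluded hosts, which is what the Excluded Hosts tab would show for this crawl.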

Sequence View
Sequence view displays server resources in the order they were encountered by Fortify WebInspect
during a scan.

Note: In both Site view and Sequence view, blue text denotes a directory or file that was "guessed"
by Fortify WebInspect, rather than a resource that was discovered through a link. For example,
Fortify WebInspect always submits the request "GET /backup/ HTTP/1.1" in an attempt to discover
if the target Web site contains a directory named "backup."

Search View
The Search view allows you to search across all sessions for various HTTP message components. For
example, if you select Request Method from the drop-down list and specify POST as the search string,
Fortify WebInspect lists every session whose HTTP request uses the POST method.

To use the Search view:
 1. In the navigation pane, click Search (at the bottom of the pane).
If all buttons are not displayed, click the Configure Buttons drop-down at the bottom of the
button list and select Show More Buttons.
 2. From the top-most list, select an area to search.
 3. In the combo box, type or select the string you want to locate.
 4. If the string represents a regular expression, select the Regular Expression check box. For more
information, see "Regular Expressions" on page 298.
 5. To find an entire string in the HTTP message that exactly matches the search string, select the
Match Whole String check box. The exact match is not case-sensitive.
Note: This option is not available for certain search targets.

 6. Click Search.
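The Search view semantics above (a search area, the Regular Expression check box, and the case-insensitive Match Whole String check box) modelled as an added example that is not part of the product; the session layout, the area names and the sample HTTP messages are constructed for illustration.

```python
"""Session search mirroring the Search view behaviour described above.

Added example, not Fortify WebInspect code. Each session is a dict with
the raw HTTP request and response (a simplification of real scan data).
The search area, the Regular Expression check box and the Match Whole
String check box are modelled as parameters of search_sessions().
"""
import re

# Constructed sample sessions: three requests recorded during a crawl of
# the tutorial host, including one "guessed" directory request.
SESSIONS = [
    {
        "id": 1,
        "request": "GET /login.html HTTP/1.1\r\nHost: zero.webappsecurity.com\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form method=post>",
    },
    {
        "id": 2,
        "request": "POST /login.html HTTP/1.1\r\nHost: zero.webappsecurity.com\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   "user_login=demo&user_password=REDACTED",
        "response": "HTTP/1.1 302 Found\r\nLocation: /account/summary\r\n\r\n",
    },
    {
        "id": 3,
        "request": "GET /backup/ HTTP/1.1\r\nHost: zero.webappsecurity.com\r\n\r\n",
        "response": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\nnot here",
    },
]


def extract_area(session, area):
    """Return the text of one HTTP message component for a session.

    The area names are this example's own choices, standing in for the
    entries of the Search view's top-most list.
    """
    request, response = session["request"], session["response"]
    request_line = request.split("\r\n", 1)[0]
    if area == "Request Method":
        return request_line.split(" ")[0]
    if area == "Request URL":
        return request_line.split(" ")[1]
    if area == "Request":
        return request
    if area == "Response Status":
        # "HTTP/1.1 404 Not Found" -> "404 Not Found"
        return response.split("\r\n", 1)[0].split(" ", 1)[1]
    if area == "Response":
        return response
    raise ValueError(f"unsupported search area: {area}")


def search_sessions(sessions, area, needle, regex=False, whole_string=False):
    """Return the ids of sessions whose selected component matches needle.

    regex=False, whole_string=False: case-insensitive substring match.
    regex=True: needle is a regular expression, matched case-insensitively;
        the expression decides by itself, so whole_string is ignored (an
        assumption of this example).
    whole_string=True: the entire component must equal needle, ignoring
        case, as the page describes for Match Whole String.
    """
    hits = []
    pattern = re.compile(needle, re.IGNORECASE) if regex else None
    for session in sessions:
        text = extract_area(session, area)
        if pattern is not None:
            matched = pattern.search(text) is not None
        elif whole_string:
            matched = text.casefold() == needle.casefold()
        else:
            matched = needle.casefold() in text.casefold()
        if matched:
            hits.append(session["id"])
    return hits


if __name__ == "__main__":
    # The page's own example: every session whose request uses POST.
    print("POST requests:", search_sessions(SESSIONS, "Request Method", "POST"))
    print("redirects:", search_sessions(SESSIONS, "Response Status", r"^30\d", regex=True))
    print("whole-string 'get':", search_sessions(SESSIONS, "Request Method", "get", whole_string=True))
```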

Step Mode View
Use Step Mode to navigate manually through the site, beginning with a session you select from either
the site view or the sequence view.
Follow the steps below to step through the site:
 1. In the site or sequence view, select a session.
 2. Click the Step Mode button.
If the button is not visible, click the Configure Buttons drop-down and select Show More
Buttons.
 3. When Step Mode appears in the navigation pane, select either Audit as you browse or Manual
Audit from the Audit Mode list. Manual Audit is recommended.
 4. To use a different browser in Step Mode, select the browser from the Browser list.
 5. Click Record.
 6. Click Browse.
The selected browser opens and displays the response associated with the selected session.
Continue browsing to as many pages as you like.
 7. When done, return to Fortify WebInspect and click Finish.
The new sessions are added to the navigation pane.
 8. If you selected Manual Audit in step 3, click Audit. Fortify WebInspect will audit all unaudited
sessions, including those you added (or replaced) through Step Mode.

Navigation Pane Icons
Use the following table to identify resources displayed in the navigation pane.


Icons Used in the Navigation Pane

Icon Description

Server/host: Represents the top level of your site's tree structure.

Blue folder: A folder discovered by "guessing" and not by crawling.

Yellow folder: A folder whose contents are available over your Web site.

Grey folder: A folder indicating the discovery of an item via path truncation. Once the parent
is found, the folder will display in either blue or yellow, depending on its properties.

File.

Query or post.

DOM event.

Icons superimposed on a folder or file indicate a discovered vulnerability

Icon Description

A red dot with an exclamation point indicates the object contains a critical vulnerability. An
attacker might have the ability to execute commands on the server or retrieve and modify
private information.

A red dot indicates the object contains a high vulnerability. Generally, the ability to view
source code, files out of the Web root, and sensitive error messages.

A gold dot indicates the object contains a medium vulnerability. These are generally non-
HTML errors or issues that could be sensitive.

A blue dot indicates the object contains a low vulnerability. These are generally interesting
issues, or issues that could potentially become higher ones.

An "i" in a blue circle indicates an informational item. These are interesting points in the site,
or certain applications or Web servers.

A red check mark indicates a "best practice" violation.


Navigation Pane Shortcut Menu


If you right-click an item in the navigation pane while using the Site or Sequence view, a shortcut menu
presents the following options:
• Expand Children* - (Site View only) Expands branching nodes in the site tree.
• Collapse Children* - (Site View only) Contracts branching nodes into the superior node.
• Check All* - (Site View only) Marks the check box of the parent node and all children.
• Uncheck All* - (Site View only) Removes the check mark from the parent node and all children.
• Generate Session Report* - (Site View only) Creates a report showing summary information, the attack request and attack response, links to and from the URL, comments, forms, e-mail addresses, and check descriptions for the selected session.
• Export Site Tree* - (Site View only) Saves the site tree in XML format to a location you specify.
• Copy URL - Copies the URL to the Windows clipboard.
• View in Browser - Renders the HTTP response in a browser.
• Links - (Site View only) Lists all resources at the target site that contain links to the selected resource. The links may be rendered by HTML tags, scripts, or HTML forms. It also lists (under Linked To) all resources that are referenced by links within the HTTP response for the selected session. If you double-click a listed link, Fortify WebInspect shifts focus in the navigation pane to the referenced session. Alternatively, you can browse to the linked resource by viewing the session in the Web browser (click Web Browser).
• Add - Allows you to add locations discovered by means other than a Fortify WebInspect scan (manual inspection, other tools, etc.) for information purposes. You can then add any discovered vulnerabilities to those locations so that a more complete picture of the site is archived for analysis.
  • Page - A distinct URL (resource).
  • Directory - A folder containing a collection of pages.
  Choosing either Page or Directory invokes a dialog box that allows you to name the directory or page and edit the HTTP request and response.
  • Variation - A subnode of a location that lists particular attributes for that location. For example, the login.asp location might have the variation "(Query) Username=12345&Password=12345&Action=Login". Variations are like any other location in that they can have vulnerabilities attached to them, as well as subnodes.
  Choosing Variation invokes the Add Variation dialog box, allowing you to edit the variation attributes, specify Post or Query, and edit the HTTP request and response.
  • Vulnerability - A specific security threat.
  Choosing Vulnerability invokes the Edit Vulnerabilities dialog box, allowing you to edit the variation attributes, specify Post or Query, and edit the HTTP request and response. For more information, see "Editing Vulnerabilities" on page 242.
• Edit Vulnerabilities - Allows you to edit a location that was added manually or edit a vulnerability. For more information, see "Editing Vulnerabilities" on page 242.
• Remove Location - Removes the selected session from the navigation pane (both Site and Sequence views) and also removes any associated vulnerabilities.


Note: You can recover removed locations (sessions) and their associated vulnerabilities. See
"Recovering Deleted Items" on page 253 for details.

• Review Vulnerability - Allows you to retest the vulnerability, mark it as a false positive, or send it to Micro Focus Application Lifecycle Management (ALM). For more information, see "Reviewing a Vulnerability" on page 240.
• Mark as False Positive - Flags the vulnerability as a false positive and allows you to add a note.
• Send to - Allows you to convert the selected vulnerability to a defect and assign it to Micro Focus Application Lifecycle Management (ALM), using the profile specified in the Fortify WebInspect application settings.
• Remove Server - Deletes the server from the navigation pane and excludes the server from any remaining scan activity. This command appears only when you right-click a server.
• Crawl - Recrawls the selected URL.
• Attachments - Allows you to create a note associated with the selected session, flag the session for follow-up, add a vulnerability note, or add a vulnerability snapshot.
• Tools - Presents a submenu of available tools.
• Filter by Current Session - Restricts the display of items in the Summary pane to those having the SummaryDataID of the selected session.

* Command appears on the shortcut menu only when the Navigation pane is using the Site view.
See Also
"User Interface Overview" on page 47
"Search View" on page 234
"Inspecting the Results" on page 230


Information Pane
When conducting or viewing a scan, the information pane contains three collapsible information panels
and an information display area.

1. Scan Info panel (see "Scan Info Panel Overview" on the next page)
2. Session Info panel (see "Session Info Panel Overview" on page 82)
3. Host Info panel (see "Host Info Panel Overview" on page 90)
4. Information display area

Select the type of information to display by clicking an item in one of these three information panels in the left column.

Tip: If you follow a link when viewing the vulnerability information, click the highlighted session in the navigation pane to return.

See Also
"Summary Pane" on page 97
"User Interface Overview" on page 47
"Navigation Pane" on page 61
"Scan Info Panel Overview " below
"Session Info Panel Overview " on page 82
"Host Info Panel Overview" on page 90

Scan Info Panel Overview


The Scan Info panel has the following choices:
• Dashboard
• Traffic Monitor
• Attachments
• False Positives

Dashboard
The Dashboard selection displays a real-time summary of the scan results and a graphic representation
of the scan progress. This section is displayed only if you select this option from the Default or Current
settings. For additional information, see "Dashboard" on page 74.
Dashboard Image


Traffic Monitor
Fortify WebInspect normally displays in the navigation pane only the hierarchical structure of the Web
site or Web service, plus those sessions in which a vulnerability was discovered. The Traffic Monitor or
Traffic Viewer allows you to display and review every HTTP request sent by Fortify WebInspect and the
associated HTTP response received from the web server.
The Traffic Monitor or Traffic Viewer is available only if Traffic Monitor Logging was enabled prior to
conducting the scan.
For more information, see "Traffic Monitor (Traffic Viewer)" on page 228.

Attachments
The Attachments selection displays a list of all session notes, vulnerability notes, flags for follow-up, and vulnerability screenshots that have been added to the scan. Each attachment is associated with a specific session. This form also lists scan notes (that is, notes that apply to the entire scan rather than to a specific session).
You can create a scan note, or you can edit or delete an existing attachment.
To create a scan note, click the Add menu (in the information display area).
To edit an attachment, select the attachment and click Edit.
To create attachments in other areas of the Fortify WebInspect user interface, you can either:
• Right-click a session in the navigation pane and select Attachments from the shortcut menu, or
• Right-click a URL on the Vulnerabilities tab of the summary pane and select Attachments from the shortcut menu.
Fortify WebInspect automatically adds a note to the session whenever you send a defect to Micro Focus
Application Lifecycle Management (ALM).
For more information, see "Attachments - Scan Info" on page 80.
Attachments Image


False Positives
This feature lists all URLs that Fortify WebInspect originally flagged as containing a vulnerability,
but which a user later determined were false positives. Note that this option is not displayed until
someone actually designates a vulnerability as a false positive.
Click the URL associated with a false positive to view a note that may have been entered when the user
removed the vulnerability.
To reassign the vulnerability and remove the URL from the False Positive list, select a URL and click
Mark as Vulnerability.
You can import from a previous scan a list of vulnerabilities that were identified as being false positives.
Fortify WebInspect then correlates these false positives from a previous scan with vulnerabilities
detected in the current scan and flags the new occurrences as false positives.
For more information, see "False Positives" on page 81.
False Positives Image

See Also
"Session Info Panel Overview " on page 82
"Host Info Panel Overview" on page 90
"User Interface Overview" on page 47
"Dashboard" below
"Traffic Monitor (Traffic Viewer)" on page 228
"Attachments - Scan Info" on page 80

Dashboard
The Dashboard selection displays a real-time summary of the scan results and a graphic representation
of the scan progress.


Dashboard Image
The following image displays the Scan Dashboard with a scan in progress.

Progress Bars
Each bar represents the progress being made through that scanning phase.

Progress Bar Descriptions

The following table describes the progress bars.

Crawled: Number of sessions crawled / total number of sessions to crawl.

Audited: Number of sessions audited / total number of sessions to audit. The total number includes all checks except those pertaining to server type, which are handled by smart audit.

Smart Audited: Number of sessions audited using smart audit / total number of sessions for smart audit. For smart audit, Fortify WebInspect detects the type of server on which the Web application is hosted. Fortify WebInspect runs checks that are specific to the server type and avoids checks that are not valid for the server type.

Verified: Number of persistent XSS vulnerable sessions verified / total number of persistent XSS vulnerable sessions to verify. When persistent XSS auditing is enabled, Fortify WebInspect sends a second request to all vulnerable sessions and examines all responses for probes that Fortify WebInspect previously made. When probes are located, Fortify WebInspect records links between those pages internally.

Reflection Audited: Number of persistent XSS vulnerable linked sessions audited / total number of persistent XSS vulnerable linked sessions to audit. When persistent XSS auditing is enabled, this represents the work required for auditing the linked sessions found in the verification step for persistent XSS.

Progress Bar Colors

1. Dark green indicates sessions that have been processed.
2. Light green indicates excluded, aborted, or rejected sessions (sessions that were considered for processing, but were skipped due to settings or other reasons).
3. Light gray indicates the unprocessed sessions.

Activity Meters
Fortify WebInspect polls information about the activity occurring in the scan and displays the data in
activity meters. The data presents a real-time snapshot of the scan activity. This information can help
you to determine whether the scan is stalled or actively running.


Activity Meter Descriptions

The following table describes the activity meters.

Network: The amount of data being sent and received by Fortify WebInspect. The chart shows this data as B, KB, or MB sent/received over the last one second.

Analysis: The amount of work being done per second by Fortify WebInspect in processing all threads.

Vulnerabilities Graphics

The following table describes the Vulnerabilities bar graph and grid.

Vulnerability Graph: Total number of issues identified for the scan per severity level.

Attack Stats Grid: Number of attacks made and issues found, categorized by attack type and audit engine.

Statistics Panel - Scan


The following table describes the Scan section of the statistics panel.

Type: Type of scan: Site, Service, or Site Retest.

Scan Status: Status: Running, Paused, or Complete.

Agent: Refers to the Fortify WebInspect Agent and states either Detected or Not Detected. For certain checks (such as SQL injection, command execution, and cross-site scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP requests and conducts runtime analysis on the target module. If this analysis confirms that a vulnerability exists, Fortify WebInspect Agent appends the stack trace to the HTTP response. Developers can analyze this stack trace to investigate areas that require remediation.

Client: The rendering engine specified for the scan. Options are:
• IE (Internet Explorer)
• FF (Firefox)
• iPhone
• iPad
• Android
• Windows Phone
• Windows RT

Duration: Length of time the scan has been running (can be incorrect if the scan terminates abnormally).

Policy: Name of the policy used for the scan. For a retest, the field contains a dash ("-"), because the retest does not use the entire policy. For more information, see "Retest Vulnerabilities" on page 251.

Deleted Items: The number of sessions and vulnerabilities removed by the user from the scan.
To remove a session, right-click a session in the Navigation pane and select Remove Location from the shortcut menu. For more information, see "Navigation Pane" on page 61.
To remove a vulnerability, right-click a vulnerability in the Summary pane and select Ignore Vulnerability from the shortcut menu. For more information, see "Summary Pane" on page 97.
To restore sessions or vulnerabilities that have been deleted:
1. On the Scan Dashboard, click the number associated with deleted items. The Recover Deleted Items window appears.
2. Select either Vulnerabilities or Sessions from the drop-down menu.
3. Select one or more items.
4. Click Recover.


Statistics Panel - Crawl


The following table describes the Crawl section of the statistics panel.

Hosts: Number of hosts included in the scan.

Sessions: Total number of sessions (excluding AJAX requests, script and script frame includes, and WSDL includes).

Statistics Panel - Audit

The following table describes the Audit section of the statistics panel.

Attacks Sent: Total number of attacks sent.

Issues: Total number of issues found (all vulnerabilities, as well as best practices).

Statistics Panel - Network


The following table describes the Network section of the statistics panel.

Total Requests: Total number of requests made.

Failed Requests: Total number of failed requests.

Script Includes: Total number of script includes.

Macro Requests: Total number of requests made as part of macro execution.

404 Probes: Number of file-not-found probes made to determine file-not-found status.

404 Check Redirects: Number of times a 404 probe resulted in a redirect.

Verify Requests: Requests made for detection of stored parameters.

Logouts: Number of times logout was detected and the login macro executed.

Macro Playbacks: Number of times macros have been executed.

AJAX Requests: Total number of AJAX requests made.

Script Events: Total number of script events processed.

Kilobytes Sent: Total number of kilobytes sent.

Kilobytes Received: Total number of kilobytes received.

See Also
"Scan Info Panel Overview " on page 72
"Session Info Panel Overview " on page 82
"Host Info Panel Overview" on page 90

Attachments - Scan Info


The Attachments selection displays a list of all session notes, vulnerability notes, flags for follow-up, and vulnerability screenshots that have been added to the scan. Each attachment is associated with a specific session. This form also lists scan notes (that is, notes that apply to the entire scan rather than to a specific session).
You can create a scan note, or you can edit or delete an existing attachment.
To view an attachment, select the attachment and click View (or simply double-click the attachment).
To create a scan note, click the Add menu (in the information display area). For more information, see
"Information Pane " on page 71.
To edit an attachment, select the attachment and click Edit. Note that screenshots cannot be edited.
These functions are also available by right-clicking an attachment and selecting an option from the
shortcut menu. You may also select Go to session, which opens the Session Info - Attachments pane
and highlights in the navigation pane the session associated with that attachment.
To create attachments in other areas of the Fortify WebInspect user interface, do one of the following:
 l Right-click a session in the navigation pane and select Attachments from the shortcut menu. For
more information, see "Navigation Pane" on page 61.
 l Right-click a URL on the Vulnerabilities tab of the summary pane and select Attachments from the
shortcut menu. For more information, see "Summary Pane" on page 97.
Fortify WebInspect automatically adds a note to the session whenever you send a defect to Micro Focus
Application Lifecycle Management (ALM).
See Also
"Scan Info Panel Overview " on page 72


False Positives
This feature lists all URLs that Fortify WebInspect originally flagged as containing a vulnerability
and which a user later determined were false positives.

Importing False Positives


You can also import from a previous scan a list of vulnerabilities that were analyzed as being false
positive. Fortify WebInspect then correlates these false positives from a previous scan with
vulnerabilities detected in the current scan and flags the new occurrences as false positives.
To illustrate, suppose a cross-site scripting vulnerability was detected in Scan No. 1 at URL http://www.mysite.com/foo/bar and, after further analysis, someone flagged it as a false positive. If you import false positives from Scan No. 1 into Scan No. 2 of www.mysite.com, and if that second scan detects a cross-site scripting vulnerability at the same URL (http://www.mysite.com/foo/bar), then Fortify WebInspect automatically changes that vulnerability to a false positive.

Inactive / Active False Positives Lists


Imported false positives are loaded first into a list labeled "Inactive False Positives." If a false positive in
that list is matched with a vulnerability in the current scan, the item is moved from the Inactive False
Positives list to the Active False Positives list. Unmatched items remain in the Inactive False Positives list.

Loading False Positives


False positives from other scans can be manually loaded into the current scan at any time. Alternatively,
you may instruct the Scan Wizard, while initiating a scan, that false positives are to be loaded from a
specific file; in this case, Fortify WebInspect correlates the false positives as they are encountered during
the scan. You can also see (on the scan dashboard) the false positives matched while the scan is
running.

Working with False Positives


1. Select False Positives from the Scan Info panel.
2. If necessary, click the plus sign next to a vulnerability description to display the associated URLs and state.
3. Click a URL to view a comment (at the bottom of the Information pane) that may have been entered when the user removed the vulnerability.
4. To import false positives from other scans, click Import False Positives.
5. To change a false positive back to a vulnerability, select an item from the Active False Positive list and click Mark as Vulnerability.
6. To remove an item from the Inactive False Positive list, select the item and click Remove From Inactive.
7. To edit a comment associated with a false positive, select the item and click Edit Comment.
For information on how to designate a vulnerability as a false positive, see "Navigation Pane Shortcut
Menu" on page 69 or "Vulnerabilities Tab" on page 98.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.
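The following Python is an added illustration of the Inactive/Active list behaviour described above; it is not Fortify WebInspect code. The data shapes, the matching rule (same check description and same URL) and the sample findings are assumptions constructed for the example.

```python
"""Model of how imported false positives are correlated with a new scan's findings.

Illustrative code added to this section, not part of Fortify WebInspect. The
matching rule (identical check name and URL) is an assumption taken from the
walk-through above; the product's own rule may differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scan (constructed shape)."""
    check: str                  # vulnerability description, e.g. "Cross-Site Scripting"
    url: str                    # location at which the check fired
    severity: str = "High"


@dataclass
class FalsePositive:
    """A finding a reviewer dismissed, with the note entered at that time."""
    finding: Finding
    comment: str = ""


Key = Tuple[str, str]


@dataclass
class FalsePositiveLists:
    """The Inactive and Active false-positive lists plus the scan's live findings."""
    inactive: Dict[Key, FalsePositive] = field(default_factory=dict)
    active: Dict[Key, FalsePositive] = field(default_factory=dict)
    findings: Dict[Key, Finding] = field(default_factory=dict)     # reported to the user
    suppressed: Dict[Key, Finding] = field(default_factory=dict)   # hidden as false positives

    @staticmethod
    def key(f: Finding) -> Key:
        return (f.check, f.url)

    def import_false_positives(self, previous: List[FalsePositive]) -> int:
        """Imported items are loaded into Inactive first; returns the Inactive count."""
        for fp in previous:
            self.inactive.setdefault(self.key(fp.finding), fp)
        return len(self.inactive)

    def record_finding(self, f: Finding) -> bool:
        """Add a finding from the current scan, correlating it against Inactive.

        A match moves the item from Inactive to Active and suppresses the finding.
        Returns True when the finding was suppressed as a false positive.
        """
        k = self.key(f)
        fp = self.inactive.pop(k, None)
        if fp is not None:
            self.active[k] = fp
            self.suppressed[k] = f
            return True
        self.findings[k] = f
        return False

    def mark_as_vulnerability(self, check: str, url: str) -> Optional[Finding]:
        """Reverse a false-positive decision: the finding returns to the live set."""
        k = (check, url)
        fp = self.active.pop(k, None)
        if fp is None:
            return None
        f = self.suppressed.pop(k, None) or fp.finding
        self.findings[k] = f
        return f

    def remove_from_inactive(self, check: str, url: str) -> bool:
        """Drop an unmatched imported item; returns False if it was not in Inactive."""
        return self.inactive.pop((check, url), None) is not None


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through of the Scan No. 1 / Scan No. 2 scenario above."""
    lists = FalsePositiveLists()
    # Constructed false positives exported from "Scan No. 1".
    lists.import_false_positives([
        FalsePositive(Finding("Cross-Site Scripting", "http://www.mysite.com/foo/bar"),
                      "Output is HTML-encoded by the framework; not reproducible."),
        FalsePositive(Finding("SQL Injection", "http://www.mysite.com/search"),
                      "Parameterised query; the error text was a generic 500 page."),
    ])
    # Constructed findings raised by "Scan No. 2" of the same site.
    for f in (Finding("Cross-Site Scripting", "http://www.mysite.com/foo/bar"),
              Finding("Cross-Site Scripting", "http://www.mysite.com/foo/other"),
              Finding("Directory Listing", "http://www.mysite.com/images/", "Low")):
        lists.record_finding(f)
    fmt = lambda d: sorted(f"{k[0]} @ {k[1]}" for k in d)  # noqa: E731
    return {"active": fmt(lists.active), "inactive": fmt(lists.inactive),
            "reported": fmt(lists.findings)}


if __name__ == "__main__":
    for name, items in demo().items():
        print(name, items)
```

Only the XSS finding at the identical URL is suppressed; the same check at a different URL is still reported, and the unmatched SQL Injection item stays in Inactive.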


Session Info Panel Overview


Fortify WebInspect lists each session created during a scan in the navigation pane using either the Site
view or Sequence view. Select a session and then click one of the options in the Session Info panel to
display related information about that session.
In the following example scan, Fortify WebInspect sent the HTTP request GET /stats/stats.html HTTP/1.1.
To see the vulnerability:
 1. Select Stats.html in the navigation pane.
 2. In the Session Info panel, click Vulnerability.

Options Available
The following table lists the options available in the Session Info panel. Some options appear only for
specific scans (Basic Scan or Web Service Scan). Also, options are enabled only if they are relevant to the
selected session; for example, the Forms selection is not available if the session does not contain a form.

Vulnerability: Displays the vulnerability information for the session selected in the navigation pane.

Web Browser (1): Displays the server's response as rendered by a Web browser for the session selected in the navigation pane.

HTTP Request: Displays the raw HTTP request sent by Fortify WebInspect to the server hosting the site you are scanning.

HTTP Response: Displays the server's raw HTTP response to Fortify WebInspect's request. If the response contains one or more attack signatures (indicating that a vulnerability has been discovered), you can move from one attack signature to the next by clicking the attack-signature navigation buttons. If you select a Flash (.swf) file, Fortify WebInspect displays HTML instead of binary data. This allows Fortify WebInspect to display links in a readable format.

Stack Traces: This feature is designed to support Fortify WebInspect Agent when it is installed and running on the target server. For certain checks (such as SQL injection, command execution, and cross-site scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP requests and conducts runtime analysis on the target module. If this analysis confirms that a vulnerability exists, Fortify WebInspect Agent appends the stack trace to the HTTP response. Developers can analyze this stack trace to investigate areas that require remediation.

Details (1): Lists request and response details, such as the size of the response and the request method. Note that the Response section contains two entries for content type: returned and detected. The Returned Content Type indicates the media type specified in the Content-Type entity-header field of the HTTP response. Detected Content Type indicates the actual content type as determined by Fortify WebInspect.

Steps (1): Displays the route taken by Fortify WebInspect to arrive at the session selected in the navigation pane or the URL selected in the summary pane. Beginning with the parent session (at the top of the list), the sequence reveals the subsequent URLs visited and provides details about the scan methodology.

Links (1): Lists (under Linked From) all resources at the target site that contain links to the selected resource. The links may be rendered by HTML tags, scripts, or HTML forms. It also lists (under Linked To) all resources that are referenced by links within the HTTP response for the selected session.

Comments (1): Displays all comments (in HTML) embedded in the HTTP response.

Text (1): Displays all text contained in the HTTP response for the session selected in the navigation pane.

Hiddens (1): Displays the name attribute of each input element whose control type is "hidden."

Forms (1): Displays the HTML interpreted by the browser to render forms.

E-mail (1): Displays all e-mail addresses included in the response.

Scripts (1): Displays all client-side scripts embedded in the server's response.

Attachments: Displays all notes, flags, and screenshots associated with the selected object. To create an attachment, you can either:
• Right-click a session (Basic or Guided Scan) or an operation or vulnerability (Web service scan) in the navigation pane and select Attachments from the shortcut menu, or
• Right-click a URL on the Vulnerabilities tab of the summary pane and select Attachments from the shortcut menu, or
• Select a session (Basic Scan) or an operation or vulnerability (Web service scan) in the navigation pane, then select Attachments from the Session Info panel and click the Add menu (in the information pane).
Fortify WebInspect automatically adds a note to the session information whenever you send a defect to Micro Focus Application Lifecycle Management (ALM).

Attack Info (1): Displays the attack sequence number, URL, name of the audit engine used, and the result of the vulnerability test. Attack information is usually associated with the session in which the attack was created and not with the session in which it was detected. If attack information does not appear for a selected vulnerable session, select the parent session and then click Attack Info.

XML Request (2): Displays the SOAP envelope embedded in the request (available when selecting an operation during a Web Service Scan).

XML Response (2): Displays the SOAP envelope embedded in the response (available when selecting an operation during a Web Service Scan).

Web Service Request (2): Displays the web service schema and values embedded in the request (available when selecting an operation during a Web Service Scan).

Web Service Response (2): Displays the web service schema and values embedded in the response (available when selecting an operation during a Web Service Scan).

(1) Basic or Guided Scan only
(2) Web Service Scan only

Most options provide a Search feature at the top of the information pane, allowing you to locate the
text you specify. To conduct a search using regular expressions, select the Regex button before clicking
Find.

Tip: If you follow a link when viewing the vulnerability information, click the highlighted session in
the navigation pane to return.

See Also
"User Interface Overview" on page 47
"Host Info Panel Overview" on page 90
"Navigation Pane" on page 61
"Scan Info Panel Overview " on page 72
"Summary Pane" on page 97
"Regular Expressions" on page 298

Vulnerability
This option displays the vulnerability information for the session selected in the navigation pane or for
the vulnerability selected in the summary pane. It typically includes a description of the vulnerability,
vulnerability ID, Common Weakness Enumeration (CWE) ID, Kingdom, implications (how this
vulnerability may affect you), and instructions on how to fix the vulnerability.

Web Browser
This option displays the server's response as rendered by a Web browser for the session selected in the
Navigation pane.

HTTP Request
This option displays the raw HTTP request (for the session selected in the navigation pane) sent by
Fortify WebInspect to the server hosting the site you are scanning.

Highlighted Text in the Request


In the HTTP request, Fortify WebInspect highlights text as follows:
 l Yellow highlighting indicates the GET, POST, or PUT status line and cookie headers.
 l Red highlighting indicates the attack payload and a vulnerability, if detected.

HTTP Response
This option displays the server's raw HTTP response to Fortify WebInspect's request, for the session
selected in the navigation pane.


If the response contains one or more attack signatures (indicating that a vulnerability has been discovered), you can move from one attack signature to the next by clicking the attack-signature navigation buttons.

If you select a Flash (.swf) file, Fortify WebInspect displays HTML instead of binary data. This allows
Fortify WebInspect to display links in a readable format.

Highlighted Text in the Response


In the HTTP response, Fortify WebInspect uses red highlighting to indicate a detected vulnerability.

Stack Traces
This feature is designed to support Fortify WebInspect Agent when it is installed and running on the
target server.
For certain checks (such as SQL injection, command execution, and cross-site scripting), Fortify
WebInspect Agent intercepts Fortify WebInspect HTTP requests and conducts runtime analysis on the
target module. If this analysis confirms that a vulnerability exists, Fortify WebInspect Agent appends
the stack trace to the HTTP response. Developers can analyze this stack trace to investigate areas that
require remediation.

Details
This option lists request and response details, such as the size of the response and the request method,
for the session selected in the navigation pane.
Note that the Response section contains two entries for content type: returned and detected. Returned
Content Type indicates the media type specified in the Content-Type entity-header field of the HTTP
response. Detected Content Type indicates the actual content-type as determined by Fortify
WebInspect.

Steps
This option displays the route taken by Fortify WebInspect to arrive at the session selected in the
navigation pane or the URL selected in the summary pane. Beginning with the parent session (at the
top of the list), the sequence reveals the subsequent URLs visited and provides details about the scan
methodology.

Links
This option lists (under Linked From) all resources at the target site that contain links to the selected
resource. The links may be rendered by HTML tags, scripts, or HTML forms.
It also lists (under Linked To) all resources that are referenced by links within the HTTP response for
the selected session.


If you double-click a listed link, Fortify WebInspect shifts focus in the navigation pane to the referenced
session. Alternatively, you can browse to the linked resource by viewing the session in the Web browser
(click Web Browser). For more information, see "Navigation Pane" on page 61.

Comments: Session Info
This option displays all comments embedded in the HTTP response for the session selected in the
navigation pane.
Developers sometimes leave critical information in comments that can be used to breach the security of
a site. For example, something as seemingly innocuous as a comment referencing the required order of
fields in a table could potentially give an attacker a key piece of information needed to compromise the
security of your site.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy comments to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.

Text
This option displays all text contained in the HTTP response for the session selected in the navigation
pane. For more information, see "Navigation Pane" on page 61.

Hiddens: Session Info
Fortify WebInspect analyzes all forms and then lists all controls of the type "hidden" (i.e., controls that
are not rendered but whose values are submitted with a form). Developers often include parameters in
hidden controls that can be edited and resubmitted by an attacker.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy the HTML text to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.

Forms: Session Info
Fortify WebInspect lists all HTML forms discovered for the session selected in the navigation pane.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy forms to your clipboard by highlighting the text and selecting Copy from the shortcut
menu.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.

E-Mail
Fortify WebInspect lists all email addresses contained in the session selected from the navigation pane.

Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy email addresses to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.

Scripts - Session Info
Fortify WebInspect lists all scripts discovered in a session.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find. For more information,
see "Regular Expressions" on page 298.
You can copy the script to your clipboard by highlighting the text and selecting Copy from the shortcut
menu.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.

Attachments - Session Info
You can associate the following attachments with a session:
 l Session Note 
 l Flag Session for Follow Up
 l Vulnerability Note
 l Vulnerability Screenshot
Note: You can also associate a note with a scan and view all attachments that have been added to
the scan by selecting Attachments in the Scan Info panel.

The Attachments selection displays a list of all notes, flags, and screenshots that have been associated
with the selected session.

Viewing an Attachment
To view an attachment:
 l Select the attachment and click View (or simply double-click the attachment).

Adding a Session Attachment
To add a session attachment:
 1. Do one of the following to select a session:
 l On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL. For more information, see "Summary Pane" on page 97.
 l On the Navigation pane, right-click a session or URL. For more information, see "Navigation
Pane" on page 61
 2. On the shortcut menu, click Attachments and select an attachment type.

Note: An alternative method is to select a session in the Navigation pane, click Attachments in
the Session Info panel, and then select a command from the Add menu (in the information
display area). For more information, see "Information Pane " on page 71.

 3. Enter a comment related to the type of attachment you selected.
 4. Select the check box next to one or more vulnerabilities.
 5. If you selected Vulnerability Screenshot:
 a. Enter a name for the screenshot in the Name box. Maximum length is 40 characters.
 b. Click the Browse button to locate the graphic file or, if you captured the image in memory,
click Copy from Clipboard.
 6. Click OK.

Editing an Attachment
To edit an attachment:
 1. Do one of the following:
 l To view all attachments that have been added to the scan, click Attachments in the Scan Info
panel.
 l To view only those attachments that have been added to a specific session, click Attachments
in the Session Info panel and then click a session in the Navigation pane. You can also select a
URL in the Summary pane.
 2. Select an attachment and click Edit.
 3. Modify the comments as required.
Note: Screenshot attachments cannot be edited.

 4. Click OK.


Tip: Add, Edit, View, and Delete functions are also available by right-clicking an attachment in the
information display area and selecting an option from the shortcut menu.

Attack Info
For the session selected in the navigation pane, this option displays the attack sequence number, URL,
name of the audit engine used, and the result of the vulnerability test.
Attack information is usually associated with the session in which the attack was created and not with
the session in which it was detected. If attack information does not appear for a selected vulnerable
session, select the parent session and then click Attack Info.
Also, attack information for non-vulnerable sessions will not appear unless you have enabled the
appropriate session storage option in the default settings. For more information, see "Session Storage"
on page 352.

Web Service Request
This option displays the web service schema and the values embedded in the request. It is
available only when you select an operation during a Web Service scan.

Web Service Response
This option displays the web service schema and the values embedded in the response. It is
available only when you select an operation during a Web Service scan.

XML Request
This option displays the associated XML schema embedded in the selected request (available when
selecting the WSDL object during a Web Service scan).

XML Response
This option displays the associated XML schema embedded in the response for the session selected in
the navigation pane (available when selecting the WSDL object during a Web Service scan).

Host Info Panel Overview
When you click any item listed in this collapsible panel, Fortify WebInspect displays all instances of that
item type that were discovered during a crawl or audit of the site (or host).
If you double-click an item, Fortify WebInspect highlights in the navigation pane the session that
contains that item. You can copy items (such as e-mail addresses) to your clipboard by highlighting the
text and selecting Copy from the shortcut menu.
In most cases, you can use the Search feature at the top of the information pane to locate the text you
specify. To conduct a search using regular expressions, select the Regex button before clicking Find.

Note: The Host Info panel is not displayed when conducting a Web Service scan.

In the following illustration, selecting Cookies displays a list of all sessions in which cookies were
detected. If you select an item from the list, Fortify WebInspect displays the cookies associated with the
selected session.

Host Info Panel Image

Options Available
The Host Info options are described in the following table.

P3P Info: Displays Platform for Privacy Preferences Project (P3P) information. For more information, see "P3P Info" on the next page.
AJAX: Displays a list of all pages containing an AJAX engine, as well as the AJAX requests. For more information, see "AJAX" on the next page.
Certificates: Displays a list of all certificates associated with the site. For more information, see "Certificates" on page 94.
Comments: Displays a list of all URLs containing comments. For more information, see "Comments - Host Info" on page 94.
Cookies: Displays a list of all URLs containing cookies. For more information, see "Cookies" on page 94.
E-Mails: Displays a list of all URLs containing e-mail addresses in the response. For more information, see "E-Mails - Host Info" on page 95.
Forms: Displays a list of all URLs containing forms. For more information, see "Forms - Host Info" on page 95.
Hiddens: Displays a list of all URLs containing input elements whose control type is "hidden." For more information, see "Hiddens - Host Info" on page 95.
Scripts: Displays a list of all URLs containing client-side scripts embedded in the server's response. For more information, see "Scripts - Host Info" on page 96.
Broken Links: Displays a list of all URLs containing hyperlinks to missing targets. For more information, see "Broken Links" on page 96.
Offsite Links: Displays a list of all URLs containing hyperlinks to other sites. For more information, see "Offsite Links" on page 96.
Parameters: Displays a list of all URLs containing embedded parameters. For more information, see "Parameters" on page 97.

P3P Info
This option displays Platform for Privacy Preferences Project (P3P) information.
The World Wide Web Consortium's P3P enables Web sites to express their privacy practices in a
standard format that can be retrieved automatically and interpreted easily by user agents. P3P user
agents allow users to be informed of site practices (in both machine- and human-readable formats) and
to automate decision-making based on these practices when appropriate. Thus users need not read the
privacy policies at every site they visit.
A P3P-compliant Web site declares in a policy the kind of information it collects and how that
information will be used. A P3P-enabled Web browser can decide what to do by comparing this policy
with the user's stored preferences. For example, a user may set browser preferences so that information
about their browsing habits should not be collected. When the user subsequently visits a Web site
whose policy states that a cookie is used for this purpose, the browser automatically rejects the cookie.

P3P User Agents
Microsoft Internet Explorer 6 can display P3P privacy policies and compare the P3P policy with your
own settings to decide whether or not to allow cookies from a particular site.
The Privacy Bird (originally developed by AT&T), which you can find at http://www.privacybird.com/, is
a fully featured P3P user agent that automatically searches for privacy policies at every Web site the
user visits. It then compares the policy with the user's stored privacy preferences and notifies the user of
any discrepancies.
See Also
"Host Info Panel Overview" on page 90

AJAX
AJAX is an acronym for Asynchronous JavaScript and XMLHttpRequest.

If you select this option, Fortify WebInspect displays all pages containing an AJAX engine, as well as the
AJAX requests.

There are two types of AJAX line items in this view:
 l AJAX Page (as illustrated above)
 l Request
If you click an item in the list, Fortify WebInspect displays "This page uses AJAX in script" (for a Page
type) or it lists the query and/or POST data parameters (for a Request type).

How AJAX Works
AJAX is not a technology per se, but a combination of existing technologies, including HTML or
XHTML, Cascading Style Sheets, JavaScript, the Document Object Model, XML, XSLT, and the
XMLHttpRequest object. When these technologies are combined in the AJAX model, Web applications
are able to make quick, incremental updates to the user interface without reloading the entire browser
page.
Instead of loading a Web page at the start of the session, the browser loads an AJAX engine that is
responsible for both rendering the user interface and communicating with the server. Every user action
that normally would generate an HTTP request takes the form of a JavaScript call to the AJAX engine
instead. Any response to a user action that does not require communication with the server (such as
simple data validation, editing data in memory, and even some navigation) is handled by the engine. If
the engine needs to communicate with the server — submitting data for processing, loading additional
interface code, or retrieving new data — the engine makes those requests asynchronously, usually
using XML, without stalling a user's interaction with the application.

Certificates
A certificate states that a specific Web site is secure and genuine. It ensures that no other Web site can
assume the identity of the original secure site. A security certificate associates an identity with a public
key. Only the owner of the certificate knows the corresponding private key, which allows the owner to
make a "digital signature" or decrypt information encrypted with the corresponding public key.

Comments - Host Info
Developers sometimes leave critical information in comments that can be used to breach the security of
a site. For example, something as seemingly innocuous as a comment referencing the required order of
fields in a table could potentially give an attacker a key piece of information needed to compromise the
security of your site.
To view discovered comments:
 1. Select Comments from the Host Info panel to list all URLs that contain comments.
 2. Click a URL to view the comments it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the comment.
Focus switches to the Comments choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy comments to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.

Cookies
A cookie contains information (such as user preferences or configuration information) stored by a
server on a client for future use. Cookies appear in two basic forms: as individual files or as records
within one contiguous file. Often, there are multiple sets, the result of multiple browsers being installed
in differing locations. In many cases, "forgotten" cookies contain revealing information that you would
prefer others not see.
To view discovered cookies:
 1. Select Cookies from the Host Info panel to list all URLs in which cookies were found during a crawl
or audit.
 2. Click a URL to view the cookies it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the cookie. Focus
switches to the HTTP Response choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy cookie code to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.

If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.

E-Mails - Host Info
Fortify WebInspect lists all email addresses discovered during a scan. To view the email addresses:
 1. Select E-mail from the Host Info panel to list all URLs that contain email addresses.
 2. Click a URL to view the email addresses it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the email address.
Focus switches to the E-mail choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy email addresses to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.

Forms - Host Info
Fortify WebInspect lists all HTML forms discovered during a scan.
 1. Select Forms from the Host Info panel to list all URLs that contain forms.
 2. Click a URL to view the source HTML of the form it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the form. Focus
switches to the Forms choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy forms to your clipboard by highlighting the text and selecting Copy from the shortcut
menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.

Hiddens - Host Info
Fortify WebInspect analyzes all forms and then lists all controls of the type "hidden" (i.e., controls that
are not rendered but whose values are submitted with a form). Developers often include parameters in
hidden controls that can be edited and resubmitted by an attacker.
 1. Select Hiddens from the Host Info panel to list all URLs that contain hidden controls.
 2. Click a URL to view the name and value attributes of the "hidden" controls contained in that URL.
 3. Double-click an entry to locate in the navigation pane the session that contains the hidden control.
Focus switches to the Hiddens choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.

You can copy the HTML text to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.
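Both the Session Info and the Host Info descriptions of hidden controls make the same point: a value placed in a hidden control can come back edited. The following Python script is an added example, not Fortify WebInspect code or code from any real application; it shows a checkout handler written twice, once trusting the hidden price field the page sent out, and once rejecting edited fields by checking an HMAC tag and then pricing the order from the server's own catalogue. The catalogue, the signing key, and the field names are constructed for the example.

```python
"""A hidden control is not a trust boundary.  The same checkout handler is
written twice: once trusting the hidden 'price' field the page sent out, and
once checking an HMAC tag on the round-tripped fields and re-pricing from the
server's own catalogue.  Added example; the catalogue, key and field names are
constructed and not part of WebInspect or any real application."""
from __future__ import annotations

import hashlib
import hmac
from decimal import Decimal

# Server-side catalogue: the only authoritative source of prices (constructed).
CATALOGUE = {"42": Decimal("19.99"), "77": Decimal("249.00")}
# Hypothetical per-application signing key; a real one comes from a secret store.
SIGNING_KEY = b"example-only-not-a-real-key"


def render_hidden_fields_unsigned(item_id: str) -> dict[str, str]:
    """What the vulnerable page embeds in its <input type="hidden"> controls."""
    return {"item_id": item_id, "price": str(CATALOGUE[item_id])}


def checkout_trusting_hidden(form: dict[str, str]) -> Decimal:
    """Vulnerable: charges whatever 'price' came back from the browser."""
    return Decimal(form["price"]) * int(form["qty"])


def _tag(item_id: str, price: str) -> str:
    """HMAC over the fields that must round-trip through the client."""
    return hmac.new(SIGNING_KEY, f"{item_id}|{price}".encode(), hashlib.sha256).hexdigest()


def render_hidden_fields_signed(item_id: str) -> dict[str, str]:
    """Hardened page: the hidden fields carry a tag the client cannot recompute."""
    price = str(CATALOGUE[item_id])
    return {"item_id": item_id, "price": price, "sig": _tag(item_id, price)}


def checkout_verifying_hidden(form: dict[str, str]) -> Decimal:
    """Hardened handler: reject edited hidden fields, then price from the
    catalogue anyway so the client-supplied price is never the source of truth."""
    item_id, price = form.get("item_id", ""), form.get("price", "")
    if not hmac.compare_digest(_tag(item_id, price), form.get("sig", "")):
        raise ValueError("hidden fields were modified")
    if item_id not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOGUE[item_id] * qty


def hidden_fields_accepted(form: dict[str, str]) -> bool:
    """True if the verifying handler accepts the submitted form as untampered."""
    try:
        checkout_verifying_hidden(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sent = render_hidden_fields_unsigned("42")
    edited = {**sent, "price": "0.01", "qty": "3"}
    print("trusting handler charged:", checkout_trusting_hidden(edited))
    sent = render_hidden_fields_signed("42")
    edited = {**sent, "price": "0.01", "qty": "3"}
    print("verifying handler accepted edited form:", hidden_fields_accepted(edited))
    print("verifying handler charged:", checkout_verifying_hidden({**sent, "qty": "3"}))
```

The signature is the second line of defence; the first is that the hardened handler never reads the price from the form at all. Sign only the values that genuinely have to round-trip through the client, and re-derive everything else from server-side state.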

Scripts - Host Info
Fortify WebInspect lists all scripts discovered during a scan. To view the discovered scripts:
 1. Select Scripts from the Host Info panel to list all URLs that contain scripts.
 2. Click a URL to view the script it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the script.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy a script to your clipboard by highlighting the text and selecting Copy from the shortcut
menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.
See Also
"Host Info Panel Overview" on page 90
"Navigation Pane" on page 61
"Regular Expressions" on page 298

Broken Links
Fortify WebInspect finds and documents all non-working hyperlinks on the site. To locate broken links:
 1. Select Broken Links from the Host Info panel to list all URLs that contain non-working hyperlinks.
 2. Double-click an entry to locate in the navigation pane the session that contains a broken link. Focus
switches to the HTTP Response choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy the HTML text to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.

Offsite Links
Fortify WebInspect finds and documents all hyperlinks to other sites.

To examine hyperlinks to other sites:
 1. Select Offsite Links from the Host Info panel to list all URLs that contain hyperlinks to other sites.
 2. Double-click an entry to locate in the navigation pane the session that contains the offsite link.
Focus switches to the HTTP Response choice in the Session Info panel.
Use the Search feature at the top of the information pane to locate the text you specify. To conduct a
search using regular expressions, select the Regex button before clicking Find.
You can copy the HTML text to your clipboard by highlighting the text and selecting Copy from the
shortcut menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the session that
contains the URL.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.
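The Session Info panel (Links, Comments, Hiddens, Forms, E-Mail, Scripts) and the Host Info panel (Comments, E-Mails, Forms, Hiddens, Scripts, Offsite Links) all list artifacts pulled from the HTML of a response. The following Python script is an added example, not Fortify WebInspect code: the product's own parser is not published, so it approximates the same extraction with the standard library's html.parser, classifying links as on-site or off-site by comparing the host with the session URL and marking comments that contain words from a constructed review list. The sample page, host names, and paths are constructed.

```python
"""Pull out of one HTTP response body what the Session Info and Host Info panels
list for a session: comments, hidden controls, forms, scripts, e-mail addresses
and on-site/off-site links.  Added example built on the standard library;
WebInspect's own parser is not published, so this is an approximation."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Words that make a comment worth a reviewer's second look (constructed list).
SENSITIVE_WORDS = ("password", "secret", "token", "todo", "fixme", "debug", "internal")


@dataclass
class SessionArtifacts:
    comments: list[str] = field(default_factory=list)
    hiddens: list[tuple[str, str]] = field(default_factory=list)  # (name, value)
    forms: list[tuple[str, str]] = field(default_factory=list)    # (method, absolute action)
    scripts: list[str] = field(default_factory=list)              # absolute src URL or inline body
    emails: list[str] = field(default_factory=list)
    onsite_links: list[str] = field(default_factory=list)
    offsite_links: list[str] = field(default_factory=list)

    def suspicious_comments(self) -> list[str]:
        """Comments containing a word from SENSITIVE_WORDS, for manual review."""
        return [c for c in self.comments if any(w in c.lower() for w in SENSITIVE_WORDS)]


class _Extractor(HTMLParser):
    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base = base_url
        self.host = urlsplit(base_url).hostname
        self.out = SessionArtifacts()
        self._in_script = False

    def handle_comment(self, data: str) -> None:
        self.out.comments.append(data.strip())

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.out.hiddens.append((a.get("name", ""), a.get("value", "")))
        elif tag == "form":
            self.out.forms.append((a.get("method", "get").upper(),
                                   urljoin(self.base, a.get("action", ""))))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.out.scripts.append(urljoin(self.base, a["src"]))
        elif tag == "a" and a.get("href"):
            target = urljoin(self.base, a["href"])
            parts = urlsplit(target)
            if parts.scheme not in ("http", "https"):
                return  # mailto:, javascript:, tel: are not site links
            bucket = self.out.onsite_links if parts.hostname == self.host else self.out.offsite_links
            bucket.append(target)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data: str) -> None:
        # html.parser hands <script> bodies to handle_data as raw CDATA.
        if self._in_script and data.strip():
            self.out.scripts.append(data.strip())


def extract_session_artifacts(html: str, base_url: str) -> SessionArtifacts:
    """Parse one response body; base_url is the session URL used to resolve relative links."""
    parser = _Extractor(base_url)
    parser.feed(html)
    parser.close()
    # Scan the raw markup as well, so mailto: links and comment text are covered.
    parser.out.emails = sorted(set(EMAIL_RE.findall(html)))
    return parser.out


# Constructed sample response body; host names and paths are illustrative only.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<!-- TODO: remove debug endpoint /internal/status before release -->
<script src="/static/app.js"></script>
<script>var apiBase = "/api/v2";</script>
</head><body>
<!-- layout comment -->
<form method="post" action="/checkout">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
</form>
<a href="/help">Help</a>
<a href="https://partner.example.net/deals">Partner</a>
<a href="mailto:support@example.com">Contact</a>
</body></html>"""

if __name__ == "__main__":
    found = extract_session_artifacts(SAMPLE_HTML, "https://shop.example.com/cart")
    for label in ("comments", "hiddens", "forms", "scripts", "emails", "onsite_links", "offsite_links"):
        print(f"{label}: {getattr(found, label)}")
    print("review:", found.suspicious_comments())
```

Run against your own pages before a scan, the same extraction tells you which comments, hidden values, and off-site references a crawler will see, which is the cheapest time to remove anything that should not ship.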

Parameters
A parameter can be either of the following:
 l A query string submitted as part of the URL in the HTTP request (or contained in another header).
 l Data submitted using the Post method.
To list all URLs that contain parameters:
 1. Select Parameters from the Host Info panel.
 2. Click a URL to view the parameters it contains.
 3. Double-click an entry to locate in the navigation pane the session that contains the parameter. For
more information, see "Navigation Pane" on page 61.
Use the Search feature at the top of the information pane to search the selected URL for the text you
specify. To conduct a search using regular expressions, select the Regex button before clicking Find.
For more information, see "Regular Expressions" on page 298.
You can copy text to your clipboard by highlighting the text and selecting Copy from the shortcut
menu.
If you double-click a URL, Fortify WebInspect highlights in the navigation pane the Session that
contains the URL.
For more information on the Fortify WebInspect window, see "User Interface Overview" on page 47.
See Also
"Host Info Panel Overview" on page 90

Summary Pane
When conducting or viewing a scan, use the horizontal summary pane at the bottom of the window to
view a centralized display of vulnerable resources, quickly access vulnerability information, and view
Fortify WebInspect logging information.

Note: You can also group and filter results on all tabs except Scan Log. For more information, see
"Using Filters and Groups in the Summary Pane" on page 235.

This pane has the following tabs:
 l Vulnerabilities
 l Not Found
 l Information
 l Best Practices
 l Scan Log
 l Server Information

Vulnerabilities Tab
The Vulnerabilities tab lists information about each vulnerability discovered during an audit of your
Web presence.
To select the information you want to display, right-click the column header bar and choose Columns
from the shortcut menu.

The available columns are:
 l Severity: A relative assessment of the vulnerability, ranging from low to critical. See below for
associated icons.
 l Check: A Fortify WebInspect probe for a specific vulnerability, such as cross-site scripting,
unencrypted log-in form, etc.
 l Check ID: The identification number of a Fortify WebInspect probe that checks for the existence of a
specific vulnerability. For example, Check ID 742 tests for database server error messages.  
 l Path: The hierarchical path to the resource.
 l Method: The HTTP method used for the attack.
 l Stack: Stack trace information obtained from Fortify WebInspect Agent. Column is available only
when Fortify WebInspect Agent is enabled during scan.
 l Vuln Param: The name of the vulnerable parameter.
 l Parameters: Names of parameters and values assigned to them.
 l Manual: Displays a check mark if the vulnerability was manually created.
 l Duplicates: Vulnerabilities detected by Fortify WebInspect Agent that are traceable to the same
source. Column is available only when Fortify WebInspect Agent is enabled during scan.
 l Location: Path plus parameters.
 l CWE ID: The Common Weakness Enumeration identifier(s) associated with the vulnerability.
 l Kingdom: The category in which this vulnerability is classified, using a taxonomy of software security
errors developed by the Fortify Software Security Research Group.

 l Application: The application or framework in which the vulnerability is found, such as ASP.NET or
Microsoft IIS server.
 l Pending Status: The status (assigned automatically by Fortify WebInspect or manually) if this scan
were to be published.
 l Published Status: The status as it exists in Software Security Center, if previously published.
 l Reproducible: Values may be Reproduced, Not Found/Fixed, or New. Column is available for Site
Retests only (Retest Vulnerabilities).
 l Response Length: The response size in bytes for the vulnerable session.
The severity of vulnerabilities is indicated by the following icons.

[Severity icons: Critical, High, Medium, Low]

If you click an item in the list, the program highlights the related session in the navigation pane and
displays associated information in the information pane. For more information, see "Navigation Pane"
on page 61 and "Information Pane " on page 71.
With a session selected, you can also view associated information by selecting an option from the
Session Info panel.
For Post and Query parameters, click an entry in the Parameters column to display a more readable
synopsis of the parameters.
If you right-click an item in the list, a shortcut menu allows you to:
 l Copy URL - Copies the URL to the Windows clipboard.
 l Copy Selected Item(s) - Copies the text of selected items to the Windows clipboard.
 l Copy All Items - Copies the text of all items to the Windows clipboard.
 l Export - Creates a comma-separated values (csv) file containing either all items or selected items and
displays it in Microsoft Excel.
 l View in Browser - Renders the HTTP response in a browser.
 l Filter by Current Value - Restricts the display of vulnerabilities to those that satisfy the criteria you
select. For example, if you right-click on "Post" in the Method column and then select Filter by
Current Value, the list displays only those vulnerabilities that were discovered by sending an HTTP
request that used the Post method.
Note: The filter criterion is displayed in the combo box in the upper right corner of the summary
pane. Alternatively, you can manually enter or select a filtering criterion using this combo box.
For additional details and syntax rules, see "Using Filters and Groups in the Summary Pane" on
page 235.

 l Change SSC Status - Change the status of a vulnerability/issue before publishing to Fortify
Software Security Center.
Note: This option is available only when connected to Fortify WebInspect Enterprise that is
integrated with Fortify Software Security Center.

 l Change Severity - Allows you to change the severity level.
 l Edit Vulnerability - Displays the Edit Vulnerabilities dialog box, allowing you to modify various
vulnerability characteristics. For more information, see "Editing Vulnerabilities" on page 242.
 l Rollup Vulnerabilities - Available if multiple vulnerabilities are selected; allows you to roll up the
selected vulnerabilities into a single instance that is prefixed with the tag “[Rollup]” in Fortify
WebInspect, Fortify WebInspect Enterprise, and reports. For more information, see "About
Vulnerability Rollup" on page 245.
Note: If you have selected a rolled up vulnerability, this menu option is Undo Rollup
Vulnerabilities.

 l Review Vulnerability - Available if one vulnerability is selected; allows you to retest the vulnerable
session, mark it as false positive or ignored, or send it to Micro Focus Application Lifecycle
Management (ALM). For more information, see "Reviewing a Vulnerability " on page 240. This option
is also invoked if you double-click a vulnerability.
 l Mark as - Flags the vulnerability as either a false positive (and allows you to add a note) or as
ignored. In both cases, the vulnerability is removed from the list. You can view a list of all false
positives by selecting False Positives in the Scan Info panel. You can view a list of false positives and
ignored vulnerabilities by selecting Dashboard in the Scan Info panel, and then clicking the
hyperlinked number of deleted items in the statistics column.
Note: You can recover "false positive" and "ignored" vulnerabilities. See "Recovering Deleted
Items" on page 253 for details.

 l Send to - Converts the vulnerability to a defect and adds it to the Micro Focus Application Lifecycle
Management (ALM) database.
 l Remove Location - Removes the selected session from the navigation pane (both Site and
Sequence views) and also removes any associated vulnerabilities.
Note: You can recover removed locations (sessions) and their associated vulnerabilities. See
"Recovering Deleted Items" on page 253 for details.

 l Crawl - Recrawls the selected URL.
 l Tools - Presents a submenu of available tools.
 l Attachments - Allows you to create a note associated with the selected session, flag the session for
follow-up, add a vulnerability note, or add a vulnerability screenshot.
If you right-click a group heading, a shortcut menu allows you to:
 l Collapse/Expand All Groups
 l Collapse/Expand Group
 l Copy Selected Item(s) 
 l Copy All Items
 l Change Severity
 l Mark as
 l Send to
 l Remove Location

Not Found Tab
This tab appears only after connecting to Fortify WebInspect Enterprise and after synchronizing a scan
with Software Security Center. It lists vulnerabilities that were detected by a previous scan in a specific
application version, but were not detected by the current scan. These vulnerabilities are not included in
counts on the dashboard and are not represented in the site or sequence view of the navigation pane.
The shortcut menu options, grouping, and filtering capabilities are a subset of those described for the
Vulnerabilities tab.

Information Tab
The Information tab lists information discovered during a Fortify WebInspect scan. These are not
considered vulnerabilities, but simply identify interesting points in the site or certain applications or Web
servers. When you click a listed URL, the program highlights the related item in the navigation pane.
The shortcut menu options, grouping, and filtering capabilities are the same as described for the
Vulnerabilities tab.

Best Practices Tab


The Best Practices tab lists issues detected by Fortify WebInspect that relate to commonly accepted
best practices for Web development. Items listed here are not vulnerabilities, but are indicators of overall
site quality and site development security practices (or lack thereof).
The shortcut menu options, grouping, and filtering capabilities are the same as described for the
Vulnerabilities tab.

Scan Log Tab


Use the Scan Log tab to view information about your Fortify WebInspect scan activity. For instance, the
times at which certain audit methodologies are applied against your Web presence are listed here.

You can select the logging level (Debug, Info, Warn, Error, or Fatal) using the Logging option on the
Application Settings window. For more information, see "Application Settings: Logging" on page 413.
You can filter the type of messages displayed using the Errors, Warnings, and Messages buttons at
the top of the pane. To view detailed information about a specific entry in the scan log, select an entry
and then click Detail.
You can also right-click an entry and select the following options from the shortcut menu:
 l Copy selected row to clipboard.
 l Copy all items to clipboard.
 l Get more information about this message.

Server Information Tab


This tab lists items of interest pertaining to the server. Only one occurrence of an item or event is listed
per server.
See Also
"User Interface Overview" on page 47
"Using Filters and Groups in the Summary Pane" on page 235
"Reviewing a Vulnerability " on page 240
"About Vulnerability Rollup" on page 245

Micro Focus Fortify Monitor


The Micro Focus Fortify Monitor program, represented by an icon in the notification area of the
taskbar, provides a context menu that allows you to:
 l Start/stop the sensor service
 l Start/stop the scheduler service
 l Configure Enterprise Server sensor
 l Start/configure the WebInspect API

Pop-up messages also appear whenever certain events occur.


This feature is provided primarily for users who install Fortify WebInspect as a standalone scanner, but
subsequently want to connect to Fortify WebInspect Enterprise. 

Chapter 4: Working with Scans
This chapter describes the various types of scans that Fortify WebInspect can perform, as well as
instructions on how to run those scans. It includes procedures for scheduling scans, and importing,
exporting, and managing scans that have completed.

Guided Scan Overview


Guided Scan directs you through the best steps for configuring a scan tailored to your application.
The first time you initiate a Guided Scan, Fortify WebInspect launches a tutorial. You can close the
tutorial at any time, or click Tutorial in the top right corner of the wizard screen to launch the tutorial.
The Guided Scan progress display in the left pane allows you to easily see your progress as you specify
settings for your scan. The right pane displays the scan options on each wizard page.
The Guided Scan Wizard allows you to:
 l Verify connectivity to your application
 l Test the entire application or only workflows
 l Record your login procedure
 l Review suggested configuration changes
 l Explore your application to ensure proper coverage
Guided Scans are template-based; you can use either a Predefined Template or a Mobile
Template.

Predefined Templates
There are three predefined templates options to choose from:
 l Standard Scan: use this option when you are interested in coverage. Larger sites could take days
when using this template.
 l Quick Scan: use this option when focusing on breadth and performance rather than digging deep.
Especially good for very large sites.
 l Thorough Scan: use to perform an exhaustive crawl on your site. It is recommended that you split
your site into parts and only scan smaller chunks of your site with these settings. Not recommended
for large sites.

Mobile Templates
There are two mobile template options to choose from:
 l Mobile Scan: use this option to scan a mobile site from the machine where your instance of Fortify
WebInspect or Fortify WebInspect Enterprise is installed. Fortify WebInspect or Fortify WebInspect
Enterprise will fetch the mobile version of the site rather than the full site when this option is chosen.
 l Native Scan: use this option to manually crawl a native mobile application and capture the Web
traffic as a workflow macro. Generate the traffic on an Android, Windows, or iOS device or software
emulator (Android and iOS only) running a mobile application.
After selecting a Guided Scan template, the stages and steps are displayed in the left pane, allowing you
to easily navigate among them and specify the settings for your scan.
See Also
"Using the Predefined Template" on the next page
"Using the Mobile Scan Template" on page 124
"Using the Native Scan Template" on page 142

Running a Guided Scan


The first time you initiate a Guided Scan, Fortify WebInspect launches a tutorial. You can close the
tutorial at any time, or click Tutorial in the top right corner of the wizard screen to launch the tutorial.
The Guided Scan progress display in the left pane allows you to easily see your progress as you specify
settings for your scan. The right pane displays the scan options on each wizard page.
The first page of the Guided Scan presents you with the option to select the type of scan to run. There
are three main types to choose from.

Predefined Template (Standard, Quick, or Thorough)


There are three predefined template options to choose from:
 l Standard Scan: Default scan settings are designed to focus more on coverage than performance.
Larger sites could take days to crawl with these settings.
 l Quick Scan: A scan that focuses on breadth and performance rather than digging deep. Especially
good for very large sites.
 l Thorough Scan: Thorough scan settings are designed to perform an exhaustive crawl of your site. It
is recommended that you split your site into parts and only scan smaller chunks of your site with
these settings. Not recommended for large sites.
For more information, see "Using the Predefined Template" on the next page.

Mobile Scan Template


This template emulates a mobile device while scanning a Web application.
For more information, see "Using the Mobile Scan Template" on page 124.

Native Scan Template


Use this template to manually crawl a native mobile application and capture its Web traffic as a workflow macro.
For more information, see "Using the Native Scan Template" on page 142.
See Also
"Guided Scan Overview " on page 105
"Fortify WebInspect Policies" on page 424

Using the Predefined Template


The Guided Scan wizard steps you through the stages and steps required to scan your Web site. If you
need to return to a previous step or stage, click the back navigation button, or click the step in the
Guided Scan tree to go directly there.

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Launching a Guided Scan


To launch a Guided Scan:
 l For Fortify WebInspect users, click the Start a Guided Scan option in the left pane, or select File >
New > Guided Scan from the menu bar.
 l For Fortify WebInspect Enterprise users, click Guided Scan under Actions on the Web Console.
The Guided Scan wizard launches and presents a list of Guided Scan templates. There are three
predefined template options to choose from:
 l Standard Scan: use this option when you are interested in coverage. Larger sites could take days
when using this template.
 l Quick Scan: use this option when focusing on breadth and performance rather than digging deep.
Especially good for very large sites.
 l Thorough Scan: use to perform an exhaustive crawl on your site. It is recommended that you split
your site into parts and only scan smaller chunks of your site with these settings. Not recommended
for large sites.

Choose one of the Predefined Templates.

About the Site Stage


During the Site stage, you will:
 l Verify the Web site you want to scan
 l Choose a scan type

Verifying Your Web Site


To verify your Web site:
 1. In the Start URL box, type or select the complete URL or IP address of the site to scan.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect or Fortify WebInspect Enterprise will not scan WWW.MYCOMPANY.COM or any other
variation (unless you specify alternatives in the Allowed Hosts setting).
An invalid URL or IP address results in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative
paths).
Note: Fortify WebInspect supports Internet Protocol version 6 (IPv6) addresses in web site
and web service scans. When you specify the Start URL, you must enclose the IPv6 address in
brackets. For example:
 l http://[::1]
Fortify WebInspect scans "localhost."
 l http://[fe80::20c:29ff:fe32:bae1]/subfolder/
Fortify WebInspect scans the host at the specified address starting in the "subfolder"
directory.
 l http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
Fortify WebInspect scans a server running on port 8080 starting in "subfolder."

Fortify WebInspect and Fortify WebInspect Enterprise support both Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.
 2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and
then select one of the following options from the list:
Directory only (self). Fortify WebInspect and Fortify WebInspect Enterprise will crawl and/or audit
only the URL you specify. For example, if you select this option and specify a URL of
www.mycompany/one/two/, Fortify WebInspect or Fortify WebInspect Enterprise will assess only
the "two" directory.
Directory and subdirectories. Fortify WebInspect or Fortify WebInspect Enterprise will begin
crawling and/or auditing at the URL you specify, but will not access any directory that is higher in
the directory tree.
Directory and parent directories. Fortify WebInspect or Fortify WebInspect Enterprise will begin
crawling and/or auditing at the URL you specify, but will not access any directory that is lower in
the directory tree.
For information about limitations to the Restrict to folder scan option, see "Restrict to Folder
Limitations" on page 182.
 3. Click Verify.
If the website is set up to be authenticated with a client certificate using a common access card
(CAC), then Guided Scan will prompt you with the following message:
The site <URL> is requesting a client certificate. Would you like to configure one now?
To configure a client certificate using a CAC:
 a. Click Yes.
The Select a Client Certificate window appears.
 b. Under Certificate Store, select Current User.
A list of available certificates appears in the Certificate area.
 c. Locate and select a certificate that is prefixed with “(SmartCard)”.
Details about the certificate and a PIN field appear in the Certificate Information area.
 d. If a PIN is required, type the PIN for the CAC in the PIN field, and then click Test.
Note: If a PIN is required and you do not enter the PIN at this point, you must enter the
PIN in the Windows Security window each time it prompts you for it during the scan.

 4. If you must access the target site through a proxy server, click Proxy in the lower left of the main
screen to display the Proxy Settings area, and then select an option from the Proxy Settings list:
 l Direct Connection (proxy disabled)
 l Autodetect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a
proxy autoconfig file and use this to configure the browser's Web proxy settings.
 l Use System proxy settings: Import your proxy server information from the local machine.
 l Use Firefox proxy settings: Import your proxy server information from Firefox.
 l Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic
Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the
PAC.
 l Explicitly configure proxy settings: Specify proxy server settings as indicated. If you select
this option, click Edit to enter proxy information.

Note: Electing to use browser proxy settings does not guarantee that you will access the
Internet through a proxy server. If the Firefox browser connection settings are configured for
"No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected,
then a proxy server is not used.

When the Web site or directory structure appears, you have successfully verified your connection
to the Start URL.
 5. Click Next.
The Choose Scan Type window appears.
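The Start URL and Restrict to Folder rules described in steps 1 and 2, worked as an added Python example (not WebInspect code): parse_start_url rejects an unbracketed IPv6 literal and derives the start directory, and in_scope applies the exact-host rule and the three Restrict to Folder options to a discovered URL. The function names are hypothetical and all URLs are constructed.

```python
"""Start URL and Restrict to Folder checks modelled on the Guided Scan rules
above. Added example, not WebInspect code; the helper names are hypothetical
and every URL is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StartUrl:
    scheme: str
    host: str        # lower-cased; an IPv6 literal is stored without brackets
    port: int
    directory: str   # always starts and ends with "/"


def parse_start_url(url: str) -> StartUrl:
    """Validate a Start URL the way the wizard's Verify step would: http(s)
    only, a host must be present, and an IPv6 literal must be bracketed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"Start URL must use http or https: {url!r}")
    authority = parts.netloc.rpartition("@")[2]          # drop any userinfo
    # "http://fe80::1/" is not host plus port; it is an unbracketed IPv6
    # literal, which must be written as http://[fe80::1]/ to be accepted.
    if authority.count(":") > 1 and not authority.startswith("["):
        raise ValueError(f"IPv6 address must be enclosed in brackets: {url!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"Start URL has no host: {url!r}")
    if authority.startswith("["):
        ipaddress.IPv6Address(host)   # raises ValueError on a malformed literal
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    # The scan starts in the directory of the URL: a trailing "/" names a
    # directory, otherwise the last segment is a resource inside one.
    directory = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
    return StartUrl(parts.scheme, host, port, directory)


def in_scope(start_url: str, candidate_url: str, restriction: Optional[str]) -> bool:
    """Decide whether a discovered URL may be crawled or audited.

    restriction is None (no Restrict to Folder), "self" (directory only),
    "subdirectories" (start directory and below) or "parents" (start directory
    and above). The host must match the Start URL exactly, so MYCOMPANY.COM
    never implies WWW.MYCOMPANY.COM (that needs the Allowed Hosts setting)."""
    start = parse_start_url(start_url)
    cand = parse_start_url(candidate_url)
    if (start.scheme, start.host, start.port) != (cand.scheme, cand.host, cand.port):
        return False
    if restriction is None:
        return True
    if restriction == "self":
        return cand.directory == start.directory
    if restriction == "subdirectories":
        return cand.directory.startswith(start.directory)
    if restriction == "parents":
        return start.directory.startswith(cand.directory)
    raise ValueError(f"unknown restriction {restriction!r}")


if __name__ == "__main__":
    # Constructed inputs of the kinds the text describes.
    for url in ("http://[::1]",
                "http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/",
                "http://www.myserver.com/myapplication/"):
        print(url, "->", parse_start_url(url))
    base = "http://www.mycompany.com/one/two/"
    for mode in (None, "self", "subdirectories", "parents"):
        print(mode, in_scope(base, "http://www.mycompany.com/one/two/three/", mode))
```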

Choosing a Scan Type


 1. Type in a name for your scan in the Scan Name box.
 2. Select one of the following scan types:
 l Standard: Fortify WebInspect or Fortify WebInspect Enterprise perform an automated analysis,
starting from the target URL. This is the normal way to start a scan.
 l Workflows: If you select this option, an additional Workflows stage is added to the Guided scan.

 3. In the Scan Method area, select one of the following scan methods:
 l Crawl Only. This option completely maps a site's hierarchical data structure. After a crawl has
been completed, you can click Audit to assess an application's vulnerabilities.
 l Crawl and Audit. Fortify WebInspect or Fortify WebInspect Enterprise maps the site's
hierarchical data structure and audits each resource (page). Depending on the default settings
you select, the audit can be conducted as each resource is discovered or after the entire site is
crawled. For information regarding simultaneous vs. sequential crawl and audit, see "Scan
Settings: Method " on page 338.
 l Audit Only. Fortify WebInspect or Fortify WebInspect Enterprise applies the methodologies of
the selected policy to determine vulnerability risks, but does not crawl the Web site. No links on
the site are followed or assessed.
 4. In the Policy area, select a policy from the Policy list. For information about managing policies, see
the "Policy" chapter in the Tools Guide for Fortify WebInspect Products.
 5. In the Crawl Coverage area, select the level of coverage you want using the Crawl Coverage slider.
For more information on crawl coverage levels, see "Coverage and Thoroughness" on page 169.
 6. In the Single-Page Applications area, select Enable SPA support for crawling and auditing single-
page applications (SPAs). When enabled, the DOM script engine finds JavaScript includes, frame
and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic
generated by those events.
Caution! SPA support should be enabled for single-page applications only. Enabling SPA
support to scan a non-SPA website will result in a slow scan.

For more information, see "About Single-page Application Scans" on page 190.


 7. Click the Next button.
The Login stage appears with Network Authentication highlighted in the left pane.

About the Login Stage


If the application you intend to scan requires login credentials, you can use the login stage to either
select a pre-existing login macro or record one for use with the scan.
If your application does not require login credentials, you can skip this section of the Guided Scan
wizard by clicking through the options without assigning values, or clicking Application in the Guided
Scan tree to skip to the next stage.
In this stage you can:
 l Configure network authentication
 l Configure application authentication
 l Create or assign a login macro

Network Authentication Step


If your application requires network-level or application-level authentication, you can assign it here.

Configuring Network Authentication


If your network requires user authentication, you can configure it here. If your network does not require
user authentication, click the Next navigation button or the next appropriate step in the Guided Scan
tree to continue.
To configure network authentication:
 1. Click the Network Authentication checkbox.
 2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
Automatic
Allow Fortify WebInspect to determine the correct authentication type. 
Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
 3. To use a client certificate for network authentication, select Client Certificate.
 4. In the Certificate Store area, select one of the following, and then select either the My or Root
radio button:
 l Local Machine. Fortify WebInspect uses a certificate on the local machine based on your
selection in the Certificate Store area.
 l Current User. Fortify WebInspect uses a certificate for the current user based on your selection
in the Certificate Store area.
 5. To view certificate details in the Certificate Information area, select a certificate.
 6. Click the Next button.
The Application Authentication page appears.
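The authentication methods described in step 2, worked as an added Python example (not WebInspect code; the helper names are hypothetical and the 401 response headers are constructed): detecting which schemes a server offers (what the Automatic method has to discover on each challenge), the Negotiate selection rule, and a Basic header beside a Digest exchange with its server-side verification, which is the page's point that Basic exposes the password while Digest sends only an MD5 digest.

```python
"""HTTP authentication mechanics from the Network Authentication step above:
which scheme a 401 offers, the Negotiate selection rule, and why Basic exposes
the password while Digest transmits only an MD5 digest.
Added example, not WebInspect code; helper names are hypothetical."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed 401 response headers (not captured from a real server), one
# challenge per header in the server's order of preference.
SAMPLE_401_HEADERS: List[Tuple[str, str]] = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Digest realm="corp", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"'),
    ("WWW-Authenticate", 'Basic realm="corp"'),
]


def offered_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the authentication schemes a 401 response offers, in order.
    An "Automatic" method must make this probe on every challenge, which is
    why the text says naming the method up front scans faster."""
    return [value.split(None, 1)[0]
            for name, value in headers if name.lower() == "www-authenticate"]


def negotiate(server_list: List[str], client_supported: List[str]) -> Optional[str]:
    """Negotiate rule from the text: the server's first choice wins if the
    client supports it; otherwise the first listed protocol the client does
    support; None means the exchange fails."""
    for scheme in server_list:
        if scheme in client_supported:
            return scheme
    return None


def basic_authorization(user: str, password: str) -> str:
    """Basic: user:password, base64-encoded. Base64 is an encoding, not
    encryption, so anyone who can read the request can read the password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server can store this instead of
    the password; it is all it needs to verify a response."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(user: str, realm: str, password: str, method: str,
                         uri: str, nonce: str, cnonce: str,
                         nc: str = "00000001") -> str:
    """Client side of Digest: the password leaves the client only inside an
    MD5 digest bound to the server nonce, the method and the URI."""
    response = digest_response(digest_ha1(user, realm, password),
                               method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_digest_authorization(header: str) -> Dict[str, str]:
    """Split a Digest Authorization header into its parameters. Values in
    this example never contain commas, so a plain split is enough."""
    params: Dict[str, str] = {}
    for part in header.split(" ", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params


def verify_digest(header: str, ha1_by_user: Dict[str, str], method: str,
                  expected_nonce: str) -> bool:
    """Server side of Digest: recompute the response from the stored HA1 and
    compare in constant time; a stale or replayed nonce is rejected."""
    p = parse_digest_authorization(header)
    if p.get("nonce") != expected_nonce:
        return False
    ha1 = ha1_by_user.get(p.get("username", ""))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"],
                               p.get("nc", ""), p.get("cnonce", ""),
                               p.get("qop", "auth"))
    return hmac.compare_digest(expected, p.get("response", ""))
```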

Application Authentication Step


If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login
macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the login is
successful. If the macro is invalid and fails to log in to the application, the scan stops and an error
message is written to the scan log file. For more information and troubleshooting tips, see "Testing
Login Macros" on page 456.
The following options are available for login macros:
 l "Using a Login Macro without Privilege Escalation " below
 l "Using Login Macros for Privilege Escalation" on the next page
 l "Using a Login Macro when Connected to Fortify WebInspect Enterprise" on page 115
 l "Using a Selenium IDE Macro" on page 115
 l "Automatically Creating a Login Macro" on page 116

Using a Login Macro without Privilege Escalation


To use a login macro:
 1. Select the Use a login macro for this site check box.
 2. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on page 115.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 3. Click the Next button.
If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows
scan, the Manage Workflows page appears.

Using Login Macros for Privilege Escalation


If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 188. To use login macros:
 1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
 2. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on the next page.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
 3. Do one of the following:
 l To perform the scan in authenticated mode, click Yes. For more information, see "About
Privilege Escalation Scans" on page 188.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege
login macro. Continue to Step 4.
 l To perform the scan in unauthenticated mode, click No. For more information, see "About
Privilege Escalation Scans" on page 188.
The Application Authentication Step is complete. If you selected a Standard scan, the
Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows
page appears.
 4. Select the Low-Privilege User Account Login Macro check box. This login macro is for the lower-
privilege user account, such as a viewer or consumer of the site content.
 5. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on the next page.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 6. After recording or selecting the second macro, click the Next button.
If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows
scan, the Manage Workflows page appears.

Using a Login Macro when Connected to Fortify WebInspect Enterprise


For a Fortify WebInspect instance that is connected to Fortify WebInspect Enterprise, you can download
and use a login macro from the Fortify WebInspect Enterprise macro repository.
 1. Select the Use a login macro for this site check box.
 2. Click Download.
The Download a Macro from Fortify WebInspect Enterprise window appears.
 3. Select the Application and Version from the drop-down lists.
 4. Select a repository macro from the Macro drop-down list.
 5. Click OK.
Note: Selecting a repository macro automatically syncs the Application and Version on the Final
Review page under Automatically Upload Scan to WIE.

Using a Selenium IDE Macro


Fortify WebInspect supports integration with Selenium IDE browser automation. When you click the
Import button and select a Selenium IDE macro to import, Fortify WebInspect detects that a Selenium
IDE macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must
include a logout condition. If a logout condition does not exist, you can add one using the Logout
Conditions Editor just as with any other macro. However, all other edits must be done in the Selenium
IDE.
 1. Select the Use a login macro for this site check box.
 2. Click the ellipsis button (...) to browse for a saved Selenium IDE macro.
The Import Macro window appears.
 3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium IDE macros do not have a specific file extension and can be any type of text
file, including XML.

 4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the default settings become visible. Make changes as necessary.

 6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 7. Did the macro play successfully?
 l If yes, the message "Successfully verified macro" appears. Continue with Step 8.
 l If no, an error message appears. Use the error message to debug and correct the error in
Selenium, and return to Step 2 of this procedure to try the import again.
 8. Continue according to the following table.

To...                                          Then...

Specify a logout condition                     a. Click Edit logout conditions.
                                                  The Logout Conditions Editor appears. Currently,
                                                  only Regex is supported.
                                               b. Add a logout condition and click OK.

Export the Selenium script to use elsewhere    a. Click Export.
                                                  The Selenium script import window opens.
                                               b. Navigate to the desired directory and type a File
                                                  name for the script.
                                               c. Select the Save as Type.
                                                  Note: If you changed the settings in the Import
                                                  Selenium Script window, they will not be saved
                                                  when exporting the file as a Selenium Import (*.*)
                                                  file. However, if you export the file as a Fortify
                                                  WebInspect Selenium IDE macro (*.webmacro) file,
                                                  the settings will be saved.
                                               d. Click Save.

Automatically Creating a Login Macro


You can enter a username and password and have Fortify WebInspect create a login macro
automatically.

Note: You cannot automatically create login macros for privilege-escalation and multi-user login
scans or for any scan using the Internet Explorer rendering engine.

To automatically create a login macro:
 1. Select Auto-gen Login Macro.
 2. Type a username in the Username field.
 3. Type a password in the Password field.

Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before
advancing to the next stage in the Guided Scan wizard. If you need to cancel the validation test prior to
completion, click Cancel.

Important! To use an automatically-generated macro in the Workflows stage or the Enhanced
Coverage task of Guided Scan, you must click Test to generate a macro.
If the macro is invalid and fails to log in to the application, an error message appears. For more
information and troubleshooting tips, see "Testing Login Macros" on page 456.

About the Workflows Stage


The Workflows stage only appears if you selected Workflows as the Scan Type in the Site stage. If you
chose Standard, the Workflows stage will not appear. You can create a Workflow macro to ensure
Fortify WebInspect audits the pages you specify in the macro. Fortify WebInspect audits only those
URLs included in the macro and does not follow any hyperlinks encountered during the audit. A logout
signature is not required. This type of macro is used most often to focus on a particular subsection of
the application.

Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium macros. You cannot use different types of macros in the same scan.

To complete the Workflows settings, click any of the following in the Workflows table:
 l Record. Opens the Unified Web Macro Recorder, allowing you to create a macro.
 l Edit. Opens the Unified Web Macro Recorder and loads the selected macro.
 l Delete. Removes the selected macro (but does not delete it from your disk).
 l Import. Opens a standard file-selection window, allowing you to select a previously recorded
.webmacro file, Burp Proxy captures, or a Selenium macro. If using a Selenium macro, you will need to
click Verify for Fortify WebInspect to play the macro. If the macro does not play successfully, the
Import Selenium Script window displays an error. You will need to debug and correct the error in
Selenium, and return to this procedure to try the import again.
Note: If you have installed Micro Focus Unified Functional Testing (UFT) on your computer,
then Fortify WebInspect detects this automatically and displays an option to import a UFT .usr
file.
See "Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan" on
page 123.
 l Export. Opens a standard file-selection window, allowing you to save a recorded macro.
After you specify and play a workflow macro, it appears in the Workflows table and its Allowed Hosts
are added to the Guided Scan > Workflows > Workflows > Manager Workflow page. You can
enable or disable access to particular hosts. For more information, see "Scan Settings: Allowed Hosts" on
page 355.

To Add Burp Proxy results


If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a
Workflow macro, reducing the time it would otherwise take to rescan the same areas.
To add Burp Proxy results to a workflow macro:
 1. If you are not on the Workflows screen, click on the Manage Workflows step in the Guided Scan
tree.
 2. Click the Import button.
The Import Macro file selector appears.
 3. Change the file type box filter from Web Macro (*.webmacro) to Burp Proxy (*.*).
 4. Navigate to your Burp Proxy files and select the desired file.
 5. Click Open.

About the Active Learning Stage


During the Active Learning stage:
 l The WebInspect Profiler is run to see if any settings need to be modified.
 l Set the scan optimization option, if necessary.
 l Navigate to key locations in your site that should be fully exercised.

Using the Profiler


The WebInspect Profiler conducts a preliminary examination of the target Web site to determine if
certain settings should be modified. If changes appear to be required, the Profiler returns a list of
suggestions, which you may accept or reject.
For example, the Profiler may detect that authorization is required to enter the site, but you have not
specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Profiler’s suggestion to configure the required
information before continuing.
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found"
detection. This process is useful for Web sites that do not return a status "404 Not Found" when a client
requests a resource that does not exist (they may instead return a status "200 OK," but the response
contains a message that the file cannot be found). If the Profiler determines that such a scheme has
been implemented in the target site, it would suggest that you modify the Fortify WebInspect setting to
accommodate this feature.
To launch the Profiler:
 1. Click Profile.
The Profiler runs. For more information, see "Server Profiler" on page 229.
Results appear in the Optimize scan for box in the Settings section.

 2. Accept or reject the suggestions that appear in the Optimize scan for drop-down box. To reject the
suggestion, select None or an alternate from the drop-down menu.
 3. If necessary, provide any requested information.
 4. Click the Next button.
Several options may be presented even if you do not run the Profiler, as described in the following
sections.
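The "200 OK but the file cannot be found" scheme described above can be recognized by fingerprinting the response to a path that cannot exist and comparing later responses against it. The following Python is an added example, not part of this guide or of the WebInspect Profiler; every response in it is constructed.

```python
"""Detecting "file-not-found" pages that come back as 200 OK, the scheme the
Profiler looks for.  Added example, not Fortify WebInspect's Profiler code;
every response below is constructed."""
import difflib
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    path: str
    status: int
    body: str


def normalize(body: str, path: str) -> str:
    """Remove what differs between two 'not found' pages for different paths:
    the echoed request path, markup, digits (request ids, timestamps), whitespace."""
    text = body.replace(path, " ")
    for token in filter(None, path.split("/")):
        text = re.sub(r"\b" + re.escape(token) + r"\b", " ", text, flags=re.IGNORECASE)
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\d+", "0", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def probe_path() -> str:
    """A path that cannot exist on the target; its response is the baseline."""
    return "/" + secrets.token_hex(12) + ".html"


def not_found_fingerprint(probe: Response) -> Optional[dict]:
    """Baseline for the site.  None means the server answers with a real 404,
    so no special handling is needed (the Profiler would suggest nothing)."""
    if probe.status == 404:
        return None
    return {"status": probe.status, "body": normalize(probe.body, probe.path)}


def is_not_found(resp: Response, fp: Optional[dict], threshold: float = 0.9) -> bool:
    """True when resp should be treated as 'file not found': either a real 404,
    or the same status as the probe with a near-identical normalized body."""
    if resp.status == 404:
        return True
    if fp is None or resp.status != fp["status"]:
        return False
    ratio = difflib.SequenceMatcher(None, normalize(resp.body, resp.path), fp["body"]).ratio()
    return ratio >= threshold


# Constructed sample site: every unknown path gets this 200 OK page.
NOT_FOUND_TEMPLATE = ("<html><head><title>Oops</title></head><body><h1>Page not found</h1>"
                      "<p>We could not find {path} on this server. Request id {rid}.</p></body></html>")
REAL_PAGE = ("<html><body><h1>Account Summary</h1><p>Balance: 1200.00</p>"
             "<p>Last login 2019-11-02</p></body></html>")


def soft_404_page(path: str, rid: int) -> Response:
    return Response(path, 200, NOT_FOUND_TEMPLATE.format(path=path, rid=rid))


def classify_sample_site() -> dict:
    """Probe the constructed site once, then classify three crawled responses."""
    fp = not_found_fingerprint(soft_404_page(probe_path(), 48213))
    crawled = [
        Response("/account/summary", 200, REAL_PAGE),
        soft_404_page("/old/report.aspx", 90417),
        Response("/admin/", 404, "Not Found"),
    ]
    return {r.path: is_not_found(r, fp) for r in crawled}


if __name__ == "__main__":
    for path, missing in classify_sample_site().items():
        print(f"{path:20} {'file not found' if missing else 'real page'}")
```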
Autofill Web Forms
Select Auto-fill Web forms during crawl if you want Fortify WebInspect to submit values for input
controls on forms it encounters while scanning the target site. Fortify WebInspect will extract the values
from a prepackaged default file or from a file that you create using the Web Form Editor. See the "Web
Form Editor" chapter in the Tools Guide for Fortify WebInspect Products. You may:
 1. Click the ellipsis button (...) to locate and load a file.
 2. Click Edit to edit the selected file (or the default values) using the Web Form Editor.
 3. Click Create to open the Web Form Editor and create a file.
Add Allowed Hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses
multiple domains, add those domains here. For more information, see "Scan Settings: Allowed Hosts" on
page 355.
To add allowed domains:
 1. Click Add.
 2. In the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and
click OK.
Reuse Identified False Positives
Select scans containing vulnerabilities that were changed to false positives. If those false positives
match vulnerabilities detected in this scan, the vulnerabilities will be changed to false positives. For more
information, see "False Positives" on page 81.
To reuse identified false positives:
 1. Select Import False Positives.
 2. Click Select Scans.
 3. Select one or more scans containing false positives from the same site you are now scanning.
 4. Click OK.
Apply Sample Macro
Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login. If
you scan this site, select Apply sample macro to run the prepackaged macro containing the login
script.
Traffic Analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the
HTTP requests issued by Fortify WebInspect and the responses returned by the target server.

While scanning a Web site, Fortify WebInspect displays in the navigation pane only those sessions that
reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was
discovered. However, if you select Enable Traffic Monitor, Fortify WebInspect adds the Traffic
Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by
Fortify WebInspect and the associated HTTP response received from the server.
Message
If the Profiler does not recommend changes, the Guided Scan wizard displays the message "No settings
changes are recommended. Your current scan settings are optimal for this site."
The Enhance coverage of your web site task appears highlighted in the left pane.
Enhance coverage of your web site
To enhance coverage of your application, navigate to the key locations in your application.
When using the Enhance Coverage of Your Web Site feature in Guided Scan in conjunction with the
Privilege Escalation policy, the explored locations are collected while authenticated with the
high-privilege login macro.
See "Unified Web Macro Recorder" in the Tools Guide for Fortify WebInspect Products for detailed
information about using the Web Macro Recorder to navigate key locations in your application for
Guided Scan to use during the scan.
See the Guided Scan Tutorial for more information about how to use this page of the Guided Scan
wizard. To launch the tutorial, click Tutorial in the upper right corner of the page.
Web Form Values
Guided Scan recorded all of the web form values that you entered while you explored your Web site.
Here you can review and modify the values, which are part of the scan settings that are saved with the
scan. In the Web Forms section of the toolbar, you can click Export to save the values to a separate file
or click Import to use an existing set of values. The scan settings, including the web form values, serve
as defaults that you can modify in future scans.
Click Next.
The Final Review page appears with Configure Detailed Options highlighted in the left pane.

About the Settings Stage


To configure detailed options, specify any of the following settings.
Reuse Identified False Positives
Select the False Positives box to reuse false positives that Fortify WebInspect has already identified.
Traffic Analysis
 1. To use the Web Proxy tool, select Launch and Direct Traffic through Web Proxy to use the Web
Proxy tool to examine the HTTP requests issued by Fortify WebInspect and the responses
returned by the target server.

Web Proxy is a stand-alone, self-contained proxy server that you can configure and run on your
desktop. Web Proxy allows you to monitor traffic from a scanner, a Web browser, or any other tool
that submits HTTP requests and receives responses from a server. Web Proxy is a tool for a
debugging and penetration scan; you can view every request and server response while browsing a
site.
 2. Select the Traffic Monitor box to display and review each HTTP request sent by Fortify
WebInspect and the associated HTTP response received from the server.
While scanning a Web site, Fortify WebInspect displays only those sessions that reveal the
hierarchical structure of the Web site, plus those sessions in which a vulnerability was discovered.
However, if you select Enable Traffic Monitor, Fortify WebInspect allows you to display and
review each HTTP request sent by Fortify WebInspect and the associated HTTP response received
from the server.
 3. Click Next.
The Validate Settings and Start Scan page appears with Configure Detailed Options highlighted in
the left pane.
Validate Settings and Start Scan
Options on this page allow you to save the current scan settings and, if WebInspect is integrated with
WebInspect Enterprise, to interact with WebInspect Enterprise.
 1. To save your scan settings as an XML file, select Click here to save settings. Use the standard
Save as window to name and save the file.
 2. If WebInspect is integrated with WebInspect Enterprise, a Templates section appears in the toolbar.
Continue according to the following table.

If you want to… Save the current scan settings as a template in the WebInspect Enterprise database
Then…
 a. Do one of the following:
 o Click Save in the Templates section of the toolbar.
 o Select Click here to save template.
The Save Template window appears.
 b. Select an application from the Application drop-down list.
 c. Select an application version from the Version drop-down list.
 d. Type a name in the Template field.
Note: When editing an existing template, the Save is actually an update. You can save any edits to
settings and change the Template Name. However, you cannot change the Application, Version, or Global
Template settings.

If you want to… Load scan settings from a template
Then…
 a. Click Load in the Templates section of the toolbar.
A confirmation message appears advising that your current scan settings will be lost.
 b. Click Yes.
The Load Template window appears.
 c. Select an application from the Application drop-down list.
 d. Select an application version from the Version drop-down list.
 e. Select the template from the Template drop-down list.
 f. Click Load.
Guided Scan returns to the Site Stage for you to verify the Web site and step through the settings from
the template.

 3. If WebInspect is integrated with WebInspect Enterprise, the WebInspect Enterprise section appears
on this page. You can interact with WebInspect Enterprise as follows:
 a. Select an application from the Application drop-down list.
 b. Select an application version from the Version drop-down list.
 c. Continue according to the following table.

To run the scan… With a sensor in WebInspect Enterprise
Then…
 i. Select Run in WebInspect Enterprise.
 ii. Select a sensor from the Sensor drop-down list.
 iii. Select a Priority for the scan.

To run the scan… In WebInspect
Then…
 i. Select Run in WebInspect.
 ii. If you want to automatically upload the scan results to the specified application and version in
WebInspect Enterprise, select Auto Upload to WebInspect Enterprise.
Note: If the scan does not complete successfully, it will not be uploaded to WebInspect Enterprise.

 4. In the Scan Now area, review your scan settings, and then click Start Scan to begin the scan.

Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan
If you have the Micro Focus Unified Functional Testing application installed, Fortify WebInspect detects
it and allows you to import a UFT file (.usr) into your workflow scan to enhance the thoroughness and
attack surface of your scan. For more information, see Unified Functional Testing on the Micro Focus
Web site.
To import a UFT (.usr) file into a Fortify WebInspect Guided Scan:
 1. Launch a Guided Scan, and then select Workflow Scan as the Scan Type. Additional text appears
under the Workflows scan option: Micro Focus Unified Functional Testing has been detected. You
can import scripts to improve the thoroughness of your security test.
 2. Click the Next button.
 3. In the Authentication section, Application Authentication is automatically selected. Complete the
fields as indicated.
 4. On the Manage Workflows screen, click Import. The Import Scripts dialog box appears. On the
Import Scripts dialog box, you may:
 l Type the filename.
 l Browse to locate your file with a .usr extension. Select Micro Focus Unified Functional Testing
from the drop-down file type, and then navigate to the file.
 l Click Edit to launch the Micro Focus Unified Functional Testing application.
 5. (Optional) On the Import Scripts dialog box, you may select either of the following options:
 l Show Micro Focus Unified Functional Testing UI during import
 l Open script result after import
 6. Select the file to import, and then click Import. After your file is successfully imported, the file
appears in the Workflows table.
 7. Select one of the following from the Workflows table:
 l Record - launches the WebInspect Unified Macro Recorder. For more information, see "Unified
Web Macro Recorder" in the Tools Guide for Fortify WebInspect Products.
 l Edit - allows you to modify the file using the Unified Web Macro Recorder. See "Unified Web
Macro Recorder" in the Tools Guide for Fortify WebInspect Products.
 l Delete - deletes the script from the Workflows table.
 l Import - import another file.
 l Export - saves a file in .webmacro format with the name and location you specify.
 8. Click the Next button.
When the first .usr script file is added to the list, its name (or default name) appears in the
Workflows table and an Allowed Hosts table is added to the pane.
Adding another .usr script file can add more allowed hosts. Any host that is enabled is available to
all the listed workflow .usr script files, not just the workflow .usr file for which it was added. The
Guided Scan will play all the listed workflow files and make requests to all the listed allowed hosts,
whether or not their check boxes are selected. If a check box for an allowed host is selected, Fortify
WebInspect will crawl or audit the responses from that host. If a check box is not selected, Fortify
WebInspect will not crawl or audit the responses from that host. In addition, if a particular workflow
.usr script uses parameters, a Macro Parameters table is displayed when that workflow macro is
selected in the list. Edit the values of the parameters as needed.
 9. After you have completed changes or additions to the Workflows table, proceed in the Guided Scan
wizard to complete your settings and run the scan. For more information about recording a new
login macro or using an existing login macro, see the "Unified Web Macro Recorder" chapter in the
Tools Guide for Fortify WebInspect Products.
See Also
"Guided Scan Overview" on page 105

Using the Mobile Scan Template


Using the Mobile Scan template to create a mobile Web site scan allows you to scan the mobile version
of a Web site using the desktop version of your browser from within Fortify WebInspect or Fortify
WebInspect Enterprise.
A Mobile Scan is nearly identical to a Web site scan and mirrors the settings options you will find when
using one of the Predefined templates to do a Standard, Thorough, or Quick scan. The only difference
is that you need to select a user agent header to allow your browser to emulate a mobile browser.
Fortify WebInspect and Fortify WebInspect Enterprise come with four mobile user agent options to
choose from, but you can create a custom option and create a user agent for another version of
Android, Windows Phone, or other mobile device. For information about creating a user agent header,
see "Creating a Custom User Agent Header" on the next page.

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Launching a Mobile Scan


To launch a Mobile Scan:
 1. Log into Fortify WebInspect or Fortify WebInspect Enterprise.
 2. Start a Guided Scan:
 a. For Fortify WebInspect, click Start a Guided Scan on the Fortify WebInspect Start page.
 b. For Fortify WebInspect Enterprise, click Guided Scan under Actions on the Web Console.
 3. Select Mobile Scan from the Mobile Templates section.
 4. Click the Mobile Client icon in the tool bar.
 5. Select the Rendering Engine you want to use.
 6. Select the User Agent that represents the agent string you want your rendering engine to present
to the site. If you created your own user string, it will appear as Custom. If the user agent is not
listed, you can create a custom user agent. See Creating a Custom User Agent Header.
The Guided Scan wizard displays the first step in the Native Mobile Stage: Verify Web Site.

Creating a Custom User Agent Header


Fortify WebInspect and Fortify WebInspect Enterprise include user agents for Android, Windows, and
iOS devices. If you are using one of these options, you do not need to create a custom user agent
header. If you want your Web browser to identify itself as a different mobile device or a specific OS
version, create a custom user agent header.
To create a custom user agent:
 1. Click the Advanced icon in the Guided Scan tool bar.
The Scan Settings window appears.
 2. In the Scan Settings column, select Cookies/Headers.
 3. In the Append Custom Headers section of the settings area, double-click the User-Agent string.
The Specify Custom Header box appears.
 4. Type in User-Agent: followed by the user agent header string for the desired device.
 5. Click OK.
The new custom user agent will now be available to select as your Mobile Client.

About the Site Stage


During the Site stage, you will:
 l Verify the Web site you want to scan
 l Choose a scan type

Verifying Your Web Site


To verify your Web site:
 1. In the Start URL box, type or select the complete URL or IP address of the site to scan.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect or Fortify WebInspect Enterprise will not scan WWW.MYCOMPANY.COM or any other
variation (unless you specify alternatives in the Allowed Hosts setting).
An invalid URL or IP address results in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect and Fortify WebInspect Enterprise support both Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.

Note: Fortify WebInspect supports Internet Protocol version 6 (IPv6) addresses in web site
and web service scans. When you specify the Start URL, you must enclose the IPv6 address in
brackets. For example:
 l http://[::1]
Fortify WebInspect scans "localhost."
 l http://[fe80::20c:29ff:fe32:bae1]/subfolder/
Fortify WebInspect scans the host at the specified address starting in the "subfolder"
directory.
 l http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
Fortify WebInspect scans a server running on port 8080 starting in "subfolder."

 2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and
then select one of the following options from the list:
 l Directory only (self). Fortify WebInspect and Fortify WebInspect Enterprise will crawl and/or
audit only the URL you specify. For example, if you select this option and specify a URL of
www.mycompany/one/two/, Fortify WebInspect or Fortify WebInspect Enterprise will assess
only the "two" directory.
 l Directory and subdirectories. Fortify WebInspect or Fortify WebInspect Enterprise will begin
crawling and/or auditing at the URL you specify, but will not access any directory that is higher
in the directory tree.
 l Directory and parent directories. Fortify WebInspect or Fortify WebInspect Enterprise will begin
crawling and/or auditing at the URL you specify, but will not access any directory that is lower in
the directory tree.
For information about limitations to the Restrict to folder scan option, see "Restrict to Folder
Limitations" on page 182.
 3. Click Verify.
If the website is set up to be authenticated with a client certificate using a common access card
(CAC), then Guided Scan will prompt you with the following message:
The site <URL> is requesting a client certificate. Would you like to configure one now?
To configure a client certificate using a CAC:
 a. Click Yes.
The Select a Client Certificate window appears.
 b. Under Certificate Store, select Current User.
A list of available certificates appears in the Certificate area.
 c. Locate and select a certificate that is prefixed with “(SmartCard)”.
Details about the certificate and a PIN field appear in the Certificate Information area.
 d. If a PIN is required, type the PIN for the CAC in the PIN field, and then click Test.
Note: If a PIN is required and you do not enter the PIN at this point, you must enter the
PIN in the Windows Security window each time it prompts you for it during the scan.

 4. If you must access the target site through a proxy server, click Proxy in the lower left of the main
screen to display the Proxy Settings area, and then select an option from the Proxy Settings list:
 l Direct Connection (proxy disabled)
 l Autodetect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a
proxy autoconfig file and use this to configure the browser's Web proxy settings.
 l Use System proxy settings: Import your proxy server information from the local machine.
 l Use Firefox proxy settings: Import your proxy server information from Firefox.
 l Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic
Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the
PAC.
 l Explicitly configure proxy settings: Specify proxy server settings as indicated. If you select
this option, click Edit to enter proxy information.

Note: Electing to use browser proxy settings does not guarantee that you will access the
Internet through a proxy server. If the Firefox browser connection settings are configured for
"No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected,
then a proxy server is not used.

When the Web site or directory structure appears, you have successfully verified your connection
to the Start URL.
 5. Click Next.
The Choose Scan Type window appears.
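The scoping rules stated in the steps above (exact host match unless a host is listed in Allowed Hosts, bracketed IPv6 start URLs, relative links only for scans by IP address, and the three Restrict to Folder options) combined into one decision function. This is an added Python example, not Fortify WebInspect's own code; the hosts and paths in it are constructed.

```python
"""Scope decisions a crawler makes from the Site stage settings.  Added
example, not Fortify WebInspect code: it applies the rules the guide states.
All hosts and paths below are constructed."""
import ipaddress
import re
from typing import Iterable, Optional
from urllib.parse import urljoin, urlsplit

# The three Restrict to Folder options
DIRECTORY_ONLY = "self"
DIRECTORY_AND_SUBDIRECTORIES = "subdirectories"
DIRECTORY_AND_PARENTS = "parents"


def host_of(url: str) -> str:
    """Lower-cased host without port.  urlsplit().hostname also strips the
    brackets an IPv6 start URL must carry: http://[::1]:8080/ -> '::1'."""
    return (urlsplit(url).hostname or "").lower()


def folder_of(url: str) -> str:
    """Directory part of the path, always ending in '/':
    /one/two/page.aspx -> /one/two/ ; /one/two/ -> /one/two/ ; '' -> /"""
    path = urlsplit(url).path or "/"
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(start_url: str, candidate: str, allowed_hosts: Iterable[str]) -> bool:
    """The start host matches exactly (MYCOMPANY.COM is not WWW.MYCOMPANY.COM);
    any other host must match an Allowed Hosts entry, given as a regular expression."""
    host = host_of(candidate)
    if host == host_of(start_url):
        return True
    return any(re.fullmatch(pattern, host, re.IGNORECASE) for pattern in allowed_hosts)


def in_scope(start_url: str, link: str, mode: Optional[str] = None,
             allowed_hosts: Iterable[str] = ()) -> bool:
    """Decide whether a link found on a page should be crawled or audited."""
    link_is_absolute = urlsplit(link).scheme != ""
    if link_is_absolute and is_ip_literal(host_of(start_url)):
        return False  # scans by IP address pursue relative links only
    candidate = urljoin(start_url, link)
    if not host_allowed(start_url, candidate, allowed_hosts):
        return False
    if mode is None:  # Restrict to Folder not selected
        return True
    start, cand = folder_of(start_url), folder_of(candidate)
    if mode == DIRECTORY_ONLY:
        return cand == start
    if mode == DIRECTORY_AND_SUBDIRECTORIES:
        return cand.startswith(start)
    if mode == DIRECTORY_AND_PARENTS:
        return start.startswith(cand)
    raise ValueError(f"unknown Restrict to Folder mode: {mode}")


if __name__ == "__main__":
    start = "http://www.mycompany.com/one/two/"
    for mode in (DIRECTORY_ONLY, DIRECTORY_AND_SUBDIRECTORIES, DIRECTORY_AND_PARENTS):
        for link in ("page.aspx", "three/index.html", "/one/index.html"):
            print(f"{mode:16} {link:18} {in_scope(start, link, mode)}")
```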

Choosing a Scan Type


 1. Type in a name for your scan in the Scan Name box.
 2. Select one of the following scan types:
 l Standard: Fortify WebInspect or Fortify WebInspect Enterprise performs an automated analysis,
starting from the target URL. This is the normal way to start a scan.
 l Workflows: If you select this option, an additional Workflows stage is added to the Guided scan.

 3. In the Scan Method area, select one of the following scan methods:
 l Crawl Only: This option completely maps a site's hierarchical data structure. After a crawl has
been completed, you can click Audit to assess an application’s vulnerabilities.
 l Crawl and Audit: Fortify WebInspect or Fortify WebInspect Enterprise maps the site’s
hierarchical data structure and audits each resource (page). Depending on the default settings
you select, the audit can be conducted as each resource is discovered or after the entire site is
crawled. For information regarding simultaneous vs. sequential crawl and audit, see "Crawl and
Audit Mode" on page 339.
 l Audit Only: Fortify WebInspect or Fortify WebInspect Enterprise applies the methodologies of
the selected policy to determine vulnerability risks, but does not crawl the Web site. No links on
the site are followed or assessed.
 4. In the Policy area, select a policy from the Policy list. For information about managing policies, see
the "Policy" chapter in the Tools Guide for Fortify WebInspect Products.
 5. In the Crawl Coverage area, select the level of coverage you want using the Crawl Coverage slider.
For more information on crawl coverage levels, see "Coverage and Thoroughness" on page 169.
 6. In the Single-Page Applications area, select Enable SPA support for crawling and auditing single-
page applications (SPAs). When enabled, the DOM script engine finds JavaScript includes, frame
and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic
generated by those events.
Caution! SPA support should be enabled for single-page applications only. Enabling SPA
support to scan a non-SPA website will result in a slow scan.

For more information, see "About Single-page Application Scans" on page 190.


 7. Click the Next button.
The Login stage appears with Network Authentication highlighted in the left pane.

About the Login Stage


If the application you intend to scan requires login credentials, you can use the login stage to either
select a pre-existing login macro or record one for use with the scan.
If your application does not require login credentials, you can skip this section of the Guided Scan
wizard by clicking through the options without assigning values, or clicking Application in the Guided
Scan tree to skip to the next stage.
In this stage you can:
 l Configure network authorization
 l Configure application authorization
 l Create or assign a login macro

Network Authentication Step


If your application requires either network or application level authentication, you can assign it here.

Configuring Network Authentication


If your network requires user authentication, you can configure it here. If your network does not require
user authentication, click the Next navigation button or the next appropriate step in the Guided Scan
tree to continue on.
To configure network authentication:
 1. Click the Network Authentication checkbox.
 2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
Automatic
Allow Fortify WebInspect to determine the correct authentication type. 
Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.

Micro Focus Fortify WebInspect (19.2.0) Page 129 of 482


User Guide
Chapter 4: Working with Scans

Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
 3. To use a client certificate for network authentication, select Client Certificate.
Note: You can add a client certificate to a Windows phone, but the only way to subsequently
remove it is to restore the phone to its default settings.

 4. In the Certificate Store area, select one of the following, and then select either the My or Root
radio button:
 l Local Machine. Fortify WebInspect uses a certificate on the local machine based on your
selection in the Certificate Store area.
 l Current User. Fortify WebInspect uses a certificate for the current user based on your selection
in the Certificate Store area.
 5. To view certificate details in the Certificate Information area, select a certificate.
 6. Click the Next button.
The Application Authentication page appears.

Application Authentication Step


If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login
macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the login is
successful. If the macro is invalid and fails to log in to the application, the scan stops and an error
message is written in the scan log file. For more information and troubleshooting tips, see "Testing
Login Macros" on page 456.
The following options are available for login macros:
 l "Using a Login Macro without Privilege Escalation" below
 l "Using Login Macros for Privilege Escalation" below
 l "Using a Login Macro when Connected to Fortify WebInspect Enterprise" on the next page
 l "Using a Selenium IDE Macro" on page 133
 l "Automatically Creating a Login Macro" on page 134

Using a Login Macro without Privilege Escalation


To use a login macro:
 1. Select the Use a login macro for this site check box.
 2. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on page 133.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 3. Click the Next button.
If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows
scan, the Manage Workflows page appears.

Using Login Macros for Privilege Escalation


If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 188. To use login macros:
 1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
 2. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on page 133.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.

After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
 3. Do one of the following:
 l To perform the scan in authenticated mode, click Yes. For more information, see "About
Privilege Escalation Scans" on page 188.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege
login macro. Continue to Step 4.
 l To perform the scan in unauthenticated mode, click No. For more information, see "About
Privilege Escalation Scans" on page 188.
The Application Authentication Step is complete. If you selected a Standard scan, the
Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows
page appears.
 4. Select the Low-Privilege User Account Login Macro check box. This login macro is for the
lower-privilege user account, such as a viewer or consumer of the site content.
 5. Do one of the following:
 l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see "Using a Selenium IDE Macro" on the next page.
 l To edit an existing login macro shown in the Login Macro field, click Edit.
 l To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 6. After recording or selecting the second macro, click the Next button.
If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows
scan, the Manage Workflows page appears.

Using a Login Macro when Connected to Fortify WebInspect Enterprise


If Fortify WebInspect is connected to Fortify WebInspect Enterprise, you can download and use a
login macro from the Fortify WebInspect Enterprise macro repository.
 1. Select the Use a login macro for this site check box.
 2. Click Download.
The Download a Macro from Fortify WebInspect Enterprise window appears.
 3. Select the Application and Version from the drop-down lists.
 4. Select a repository macro from the Macro drop-down list.
 5. Click OK.
Note: Selecting a repository macro automatically syncs the Application and Version on the Final
Review page under Automatically Upload Scan to WIE.

Using a Selenium IDE Macro


Fortify WebInspect supports integration with Selenium IDE browser automation. When you click the
Import button and select a Selenium IDE macro to import, Fortify WebInspect detects that a Selenium
IDE macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must
include a logout condition. If a logout condition does not exist, you can add one using the Logout
Conditions Editor just as with any other macro. However, all other edits must be done in the Selenium
IDE.
 1. Select the Use a login macro for this site check box.
 2. Click the ellipsis button (...) to browse for a saved Selenium IDE macro.
The Import Macro window appears.
 3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium IDE macros do not have a specific file extension and can be any type of text
file, including XML.

 4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the default settings become visible. Make changes as necessary.
 6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 7. Did the macro play successfully?
 l If yes, the message "Successfully verified macro" appears. Continue with Step 8.
 l If no, an error message appears. Use the error message to debug and correct the error in
Selenium, and return to Step 2 of this procedure to try the import again.
 8. Continue according to the following table.

To...                                     Then...

Specify a logout condition                 a. Click Edit logout conditions.
                                              The Logout Conditions Editor appears. Currently, only Regex
                                              is supported.
                                           b. Add a logout condition and click OK.

Export the Selenium script to use          a. Click Export.
elsewhere                                     The Selenium script import window opens.
                                           b. Navigate to the desired directory and type a File name for
                                              the script.
                                           c. Select the Save as Type.
                                              Note: If you changed the settings in the Import Selenium
                                              Script window, they will not be saved when exporting the
                                              file as a Selenium Import (*.*) file. However, if you export
                                              the file as a Fortify WebInspect Selenium IDE macro
                                              (*.webmacro) file, the settings will be saved.
                                           d. Click Save.

Automatically Creating a Login Macro


You can enter a username and password and have Fortify WebInspect create a login macro
automatically.

Note: You cannot automatically create login macros for privilege-escalation and multi-user login
scans or for any scan using the Internet Explorer rendering engine.

To automatically create a login macro:


 1. Select Auto-gen Login Macro.
 2. Type a username in the Username field.
 3. Type a password in the Password field.
Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before
advancing to the next stage in the Guided Scan wizard. If you need to cancel the validation test prior to
completion, click Cancel.

Important! To use an automatically-generated macro in the Workflows stage or the Enhanced
Coverage task of Guided Scan, you must click Test to generate a macro.

If the macro is invalid and fails to log in to the application, an error message appears. For more
information and troubleshooting tips, see "Testing Login Macros" on page 456.

About the Workflows Stage


The Workflows stage only appears if you selected Workflows as the Scan Type in the Site stage. If you
chose Standard, the Workflows stage will not appear.
You can create a Workflow macro to ensure Fortify WebInspect audits the pages you specify in the
macro. Fortify WebInspect audits only those URLs included in the macro and does not follow any
hyperlinks encountered during the audit.

You can create multiple Workflows macros, one for each use case on your site. A logout signature is not
required. This type of macro is used most often to focus on a particular subsection of the application. If
you select multiple macros, they will all be included in the same scan. In addition to allowing you to select
multiple macros, you can also import Burp proxy captures and add them to your scan.

Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium macros. You cannot use different types of macros in the same scan.

To complete the Workflows settings, click any of the following in the Workflows table:
 l Record. Opens the Unified Web Macro Recorder, allowing you to create a macro.
 l Edit. Opens the Unified Web Macro Recorder and loads the selected macro.
 l Delete. Removes the selected macro (but does not delete it from your disk).
 l Import. Opens a standard file-selection window, allowing you to select a previously recorded
.webmacro file, Burp Proxy captures, or a Selenium macro. If using a Selenium macro, you will need to
click Verify for Fortify WebInspect to play the macro. If the macro does not play successfully, the
Import Selenium Script window displays an error. You will need to debug and correct the error in
Selenium, and return to this procedure to try the import again.
Note: If you have installed Micro Focus Unified Functional Testing (UFT) on your computer,
then Fortify WebInspect detects this automatically and displays an option to import a UFT .usr
file.
For more information, see "Importing Micro Focus Unified Functional Testing (UFT) Files in a
Guided Scan" on page 140.
 l Export. Opens a standard file-selection window, allowing you to save a recorded macro. After a macro
is selected or recorded, you may optionally specify allowed hosts.

After you specify and play a workflow macro, it appears in the Workflows table and its Allowed Hosts
are added to the Guided Scan > Workflows > Workflows > Manager Workflow page. You can
enable or disable access to particular hosts. For more information, see "Scan Settings: Allowed Hosts" on
page 355.

Adding Burp Proxy Results


If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a
Workflows macro, reducing the time it would otherwise take to rescan the same areas.

To add Burp Proxy results to a workflow macro:
 1. If you are not on the Workflows screen, click on the Manage Workflows step in the Guided Scan
tree.
 2. Click the Import button.
The Import Macro file selector appears.
 3. Change the file type box filter from Web Macro (*.webmacro) to Burp Proxy (*.*).
 4. Navigate to your Burp Proxy files and select the desired file.
 5. Click Open.

About the Active Learning Stage


During the Active Learning stage, you:
 l Run the WebInspect Profiler to see if any settings need to be modified.
 l Set scan optimization options if necessary.
 l Navigate to key locations in your site that should be fully exercised.

Using the Profiler


The WebInspect Profiler conducts a preliminary examination of the target Web site to determine if
certain settings should be modified. If changes appear to be required, the Profiler returns a list of
suggestions, which you may accept or reject.
For example, the Profiler may detect that authorization is required to enter the site, but you have not
specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Profiler’s suggestion to configure the required
information before continuing.
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found"
detection. This process is useful for Web sites that do not return a status "404 Not Found" when a client
requests a resource that does not exist (they may instead return a status "200 OK," but the response
contains a message that the file cannot be found). If the Profiler determines that such a scheme has
been implemented in the target site, it would suggest that you modify the Fortify WebInspect setting to
accommodate this feature.
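The "file-not-found" detection the Profiler performs, as an added example that is not Fortify WebInspect code: a scanner fingerprints a site's custom "not found" page by requesting two random non-existent paths, then compares later responses against that fingerprint so that a "200 OK" error page is not mistaken for real content. The fake servers and page text below are constructed for illustration.

```python
# Soft-404 fingerprinting: detecting a site that answers missing resources with "200 OK".
# Added example, not Fortify WebInspect code; the fake servers and page text are constructed.
import difflib
import re
import secrets
from typing import Callable, NamedTuple, Optional, Tuple

Response = Tuple[int, str]           # (HTTP status code, response body)
Fetch = Callable[[str], Response]    # fetch(path) -> Response; a real one would issue HTTP requests


class NotFoundSignature(NamedTuple):
    status: int   # status the site uses for missing resources (200 on a soft-404 site)
    body: str     # normalized visible text of its "not found" page


def _normalize(body: str, path: str) -> str:
    """Reduce a body to comparable visible text: drop the echoed request path and all markup."""
    text = body.replace(path, "")
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def _probe_path() -> str:
    # A random path that no real site is expected to serve.
    return f"/fnf-probe-{secrets.token_hex(8)}.html"


def _similar(a: str, b: str, threshold: float) -> bool:
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def fingerprint_not_found(fetch: Fetch, threshold: float = 0.9) -> Optional[NotFoundSignature]:
    """Request two unrelated non-existent paths. A site that returns a proper 404 needs no
    special handling (None). If it returns the same non-404 page for both, that page is the
    site's custom "not found" response and its signature is returned."""
    p1, p2 = _probe_path(), _probe_path()
    s1, b1 = fetch(p1)
    s2, b2 = fetch(p2)
    if s1 == 404 and s2 == 404:
        return None
    n1, n2 = _normalize(b1, p1), _normalize(b2, p2)
    if s1 != s2 or not _similar(n1, n2, threshold):
        return None   # inconsistent answers: no stable signature, take responses at face value
    return NotFoundSignature(s1, n1)


def matches_signature(sig: NotFoundSignature, status: int, body: str, path: str,
                      threshold: float = 0.9) -> bool:
    """True when a response for `path` looks like the site's custom "not found" page."""
    return status == sig.status and _similar(sig.body, _normalize(body, path), threshold)


def is_not_found(fetch: Fetch, path: str) -> bool:
    """Scanner-style decision: a 404 is authoritative; otherwise compare with the fingerprint."""
    status, body = fetch(path)
    if status == 404:
        return True
    sig = fingerprint_not_found(fetch)
    return sig is not None and matches_signature(sig, status, body, path)


# --- Constructed fake servers used for illustration ------------------------------------
_REAL_PAGES = {
    "/": "<html><body><h1>Welcome</h1><a href='/login'>Log in</a></body></html>",
    "/login": ("<html><body><h1>Sign in</h1><form action='/login' method='post'>"
               "User <input name='u'> Password <input name='p' type='password'>"
               "<button>Log In</button></form></body></html>"),
}
_SOFT_404 = ("<html><body><h1>Oops!</h1><p>Sorry, the page {path} could not be found.</p>"
             "<p>Try the <a href='/'>home page</a>.</p></body></html>")


def soft_404_server(path: str) -> Response:
    """Answers every unknown path with 200 OK and a friendly error page (the case the Profiler flags)."""
    if path in _REAL_PAGES:
        return 200, _REAL_PAGES[path]
    return 200, _SOFT_404.format(path=path)


def strict_server(path: str) -> Response:
    """Answers unknown paths with a real 404 status."""
    if path in _REAL_PAGES:
        return 200, _REAL_PAGES[path]
    return 404, "<html><body><h1>404 Not Found</h1></body></html>"


if __name__ == "__main__":
    print(fingerprint_not_found(soft_404_server))            # status=200 plus the custom page text
    print(is_not_found(soft_404_server, "/old-report.pdf"))  # True although the status was 200
    print(is_not_found(soft_404_server, "/login"))           # False: a real page
```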
To launch the Profiler:
 1. Click Profile.
The Profiler runs. For more information, see "Server Profiler" on page 229.
Results appear in the Optimize scan for box in the Settings section.
 2. If necessary, provide any requested information.
 3. Click the Next button.
Several options may be presented even if you do not run the Profiler, as described in the following
sections.
Autofill Web Forms
Select Auto-fill Web forms during crawl if you want Fortify WebInspect to submit values for input
controls on forms it encounters while scanning the target site. Fortify WebInspect will extract the values
from a prepackaged default file or from a file that you create using the Web Form Editor. See the "Web
Form Editor" chapter in the Tools Guide for Fortify WebInspect Products. You may:
 1. Click the browser button to locate and load a file.
 2. Click Edit to edit the selected file (or the default values) using the Web Form Editor.
 3. Click Create to open the Web Form Editor and create a file.
Add Allowed Hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses
multiple domains, add those domains here. For more information, see "Scan Settings: Allowed Hosts" on
page 355.
To add allowed domains:
 1. Click Add.
 2. In the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and
click OK.
Reuse Identified False Positives
Select scans containing vulnerabilities that were changed to false positives. If those false positives
match vulnerabilities detected in this scan, the vulnerabilities will be changed to false positives. For more
information, see "False Positives" on page 81.
To reuse identified false positives:
 1. Select Import False Positives.
 2. Click Select Scans.
 3. Select one or more scans containing false positives from the same site you are now scanning.
 4. Click OK.
Apply Sample Macro
Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login. If
you scan this site, select Apply sample macro to run the prepackaged macro containing the login
script.
Traffic Analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the
HTTP requests issued by Fortify WebInspect and the responses returned by the target server.
While scanning a Web site, Fortify WebInspect displays in the navigation pane only those sessions that
reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was
discovered. However, if you select Enable Traffic Monitor, Fortify WebInspect adds the Traffic
Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by
Fortify WebInspect and the associated HTTP response received from the server.
Message
If the Profiler does not recommend changes, the Guided Scan wizard displays the message "No settings
changes are recommended. Your current scan settings are optimal for this site."
Click Next.
The Enhance coverage of your web site task appears highlighted in the left pane.

Enhance coverage of your web site


To enhance coverage of your application, navigate to the key locations in it that the scan should
exercise.
When using the Enhance Coverage of Your Web Site feature in Guided Scan in conjunction with the
Privilege Escalation policy, the explored locations are collected while authenticated with the
high-privilege login macro.
See "Unified Web Macro Recorder" in the Tools Guide for Fortify WebInspect Products for detailed
information about using the Web Macro Recorder to navigate key locations in your application for
Guided Scan to use during the scan.
See the Guided Scan Tutorial for more information about how to use this page of the Guided Scan
wizard. To launch the tutorial, click Tutorial in the upper right corner of the page.
Web Form Values
Guided Scan recorded all of the web form values that you entered while you explored your Web site.
Here you can review and modify the values, which are part of the scan settings that are saved with the
scan. In the Web Forms section of the toolbar, you can click Export to save the values to a separate file
or click Import to use an existing set of values. The scan settings, including the web form values, serve
as defaults that you can modify in future scans.
Click Next.
The Final Review page appears with Configure Detailed Options highlighted in the left pane.

About the Settings Stage


To configure detailed options, specify any of the following settings.
Reuse Identified False Positives
Select the False Positives box to reuse false positives that Fortify WebInspect has already identified.
Traffic Analysis
 1. To use the Web Proxy tool, select Launch and Direct Traffic through Web Proxy to use the Web
Proxy tool to examine the HTTP requests issued by Fortify WebInspect and the responses
returned by the target server.
Web Proxy is a stand-alone, self-contained proxy server that you can configure and run on your
desktop. Web Proxy allows you to monitor traffic from a scanner, a Web browser, or any other tool
that submits HTTP requests and receives responses from a server. Web Proxy is a tool for
debugging and penetration testing; you can view every request and server response while browsing a
site.
 2. Select the Traffic Monitor box to display and review each HTTP request sent by Fortify
WebInspect and the associated HTTP response received from the server.
While scanning a Web site, Fortify WebInspect displays only those sessions that reveal the
hierarchical structure of the Web site, plus those sessions in which a vulnerability was discovered.
However, if you select Enable Traffic Monitor, Fortify WebInspect allows you to display and
review each HTTP request sent by Fortify WebInspect and the associated HTTP response received
from the server.
 3. Click Next.
The Validate Settings and Start Scan page appears with Configure Detailed Options highlighted
in the left pane.
Validate Settings and Start Scan
Options on this page allow you to save the current scan settings and, if WebInspect is integrated with
WebInspect Enterprise, to interact with WebInspect Enterprise.
 1. To save your scan settings as an XML file, select Click here to save settings. Use the standard
Save as window to name and save the file.
 2. If WebInspect is integrated with WebInspect Enterprise, a Templates section appears in the toolbar.
Continue according to the following table.

If you want to…                               Then…

Save the current scan settings as a            a. Do one of the following:
template in the WebInspect Enterprise             o Click Save in the Templates section of the toolbar.
database                                          o Select Click here to save template.
                                                  The Save Template window appears.
Note: When editing an existing template,       b. Select an application from the Application drop-down list.
the Save is actually an update. You can        c. Select an application version from the Version drop-down list.
save any edits to settings and change the      d. Type a name in the Template field.
Template Name. However, you cannot
change the Application, Version, or Global
Template settings.

Load scan settings from a template             a. Click Load in the Templates section of the toolbar.
                                                  A confirmation message appears advising that your current
                                                  scan settings will be lost.
                                               b. Click Yes.
                                                  The Load Template window appears.
                                               c. Select an application from the Application drop-down list.
                                               d. Select an application version from the Version drop-down list.
                                               e. Select the template from the Template drop-down list.
                                               f. Click Load.
                                                  Guided Scan returns to the Site Stage for you to verify the
                                                  Web site and step through the settings from the template.

 3. If WebInspect is integrated with WebInspect Enterprise, the WebInspect Enterprise section appears
on this page. You can interact with WebInspect Enterprise as follows:
 a. Select an application from the Application drop-down list.
 b. Select an application version from the Version drop-down list.
 c. Continue according to the following table.

To run the scan…                   Then…

With a sensor in WebInspect         i. Select Run in WebInspect Enterprise.
Enterprise                         ii. Select a sensor from the Sensor drop-down list.
                                  iii. Select a Priority for the scan.

In WebInspect                       i. Select Run in WebInspect.
                                   ii. If you want to automatically upload the scan results to the
                                       specified application and version in WebInspect Enterprise,
                                       select Auto Upload to WebInspect Enterprise.
                                       Note: If the scan does not complete successfully, it will not
                                       be uploaded to WebInspect Enterprise.

 4. In the Scan Now area, review your scan settings, and then click Start Scan to begin the scan.

Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan
If you have the Micro Focus Unified Functional Testing application installed, Fortify WebInspect detects
it and allows you to import a UFT file (.usr) into your workflow scan to enhance the thoroughness and
attack surface of your scan. For more information, see Unified Functional Testing on the Micro Focus
Web site.
To import a UFT (.usr) file into a Fortify WebInspect Guided Scan:
 1. Launch a Guided Scan, and then select Workflows Scan as the Scan Type. Additional text appears
under the Workflows scan option: Micro Focus Unified Functional Testing has been detected. You
can import scripts to improve the thoroughness of your security test.
 2. Click the Next button.
 3. In the Authentication section, Application Authentication is automatically selected. Complete the
fields as indicated.
 4. On the Manage Workflows screen, click Import. The Import Scripts dialog box appears. On the
Import Scripts dialog box, you may:
 l Type the filename.
 l Browse to your file by clicking to locate your file with a .usr extension. Select Micro Focus
Unified Functional Testing from the drop-down file type, and then navigate to the file.
 l Click Edit to launch the Micro Focus Unified Functional Testing application.
 5. (Optional) On the Import Scripts dialog box, you may select either of the following options:
 l Show Micro Focus Unified Functional Testing UI during import
 l Open script result after import
 6. Select the file to import, and then click Import. After your file is successfully imported, the file
appears in the Workflows table.
 7. Select one of the following from the Workflows table:
 l Record - launches the WebInspect Unified Macro Recorder. For more information, see "Unified
Web Macro Recorder" in the Tools Guide for Fortify WebInspect Products.
 l Edit - allows you to modify the file using the Unified Web Macro Recorder. See "Unified Web
Macro Recorder" in the Tools Guide for Fortify WebInspect Products.
 l Delete - deletes the script from the Workflows table.
 l Import - imports another file.
 l Export - saves a file in .webmacro format with the name and location you specify.
 8. Click the Next button.
When the first .usr script file is added to the list, its name (or default name) appears in the
Workflows table and an Allowed Hosts table is added to the pane.
Adding another .usr script file can add more allowed hosts. Any host that is enabled is available to
all the listed workflow .usr script files, not just the workflow .usr file for which it was added. The
Guided Scan will play all the listed workflow files and make requests to all the listed allowed hosts,
whether or not their check boxes are selected. If a check box for an allowed host is selected, Fortify
WebInspect will crawl or audit the responses from that host. If a check box is not selected, Fortify
WebInspect will not crawl or audit the responses from that host. In addition, if a particular
workflows .usr script uses parameters, a Macro Parameters table is displayed when that workflow
macro is selected in the list. Edit the values of the parameters as needed.
 9. After you have completed changes or additions to the Workflows table, proceed in the Guided Scan
wizard to complete your settings and run the scan. For more information about recording a new
login macro or using an existing login macro, see the "Unified Web Macro Recorder" chapter in the
Tools Guide for Fortify WebInspect Products.
See Also
"Guided Scan Overview" on page 105

Using the Native Scan Template


Fortify WebInspect and Fortify WebInspect Enterprise allow you to scan the back-end traffic generated
by your Android or iOS app or service. Traffic can be generated by running your application on an
Android, Windows, or iOS device, or by running the software through an Android or iOS emulator.
The Guided Scan wizard includes a tutorial that runs the first time you launch a Guided Scan. If you
don't require the tutorial, you can close it at any time and return to it later by clicking the Tutorial
button at the top right of the display.
The Guided Scan wizard will step you through the necessary stages and steps required to scan your
application back-end traffic. If you need to return to a previous step or stage, click the back navigation
button, or click the step in the Guided Scan tree to be taken directly there.

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Setting Up Your Mobile Device


Running a native scan requires that you configure the mobile device to work with a secure proxy. In
order to do that, you will need to:
 l Set up a Mobile Device/Emulator Proxy (see "Setting the Mobile Device Proxy Address" on page 144)
 l Install a Trusted Certificate (see "Adding a Trusted Certificate" on page 145)

Guided Scan Stages


A Guided Scan using a mobile template consists of four or five stages, each of which has one or more
steps. The stages are:
Native Mobile: where you choose a device or emulator, configure device/emulator proxy, and select the
type of scan you want to run.
Login: where you define the type of authentication if the back-end of your mobile application requires it.
Application: where you run your app, record Web traffic, and identify the hosts and RESTful endpoints
to include in your scan.
Settings: where you review and validate your choices and run the scan.

Supported Devices
Fortify WebInspect and Fortify WebInspect Enterprise support scanning the back-end traffic on
Android, Windows, and iOS devices.

Android Device Support


Any Android device, such as an Android-based phone or tablet.
Windows Device Support
Any Windows device, such as a Windows phone or Surface tablet.
iOS Device Support
Any iOS device, such as an iPhone or iPad, running the latest version of iOS.

Supported Development Emulators


In addition to support for Android and iOS devices, you can run your application through your Android
or iOS emulator in your development environment. When scanning traffic generated via your device
emulator, you must ensure that the development machine is on the same network as Fortify WebInspect
or Fortify WebInspect Enterprise and that you have set up a proxy between Fortify WebInspect or
Fortify WebInspect Enterprise and your development machine.

Launching a Native Scan

In order to launch a Native Scan, you will need to make sure your device or emulator is on the same
network as Fortify WebInspect. In addition, you need to have authorization and access to the ports on
the machine where you are running Fortify WebInspect in order to successfully create a proxy
connection.
To launch a Native Scan:
 1. Open Fortify WebInspect or Fortify WebInspect Enterprise.
 2. Start a Guided Scan:
 • For Fortify WebInspect, click Start a Guided Scan on the Fortify WebInspect Start page.
 • For Fortify WebInspect Enterprise, click Guided Scan under Actions on the Web Console.
 3. Select Native Scan from the Mobile Templates section.
The Guided Scan wizard displays the first step in the Native Mobile stage: Choose Device/Emulator.

About the Native Mobile Stage

The first stage in the process is the Native Mobile stage. In this stage you will:
 • Set up the device or emulator to use a proxy connection.
 • Log the device or emulator on to the same network as your instance of Fortify WebInspect or Fortify
WebInspect Enterprise.
 • Install a client certificate on your device or emulator.
 • Name the scan for future reference.
 • Select a scan method.
 • Select a scan policy.
 • Select the crawl coverage amount.

Choose Device/Emulator Type Step

After launching the Guided Scan, you are provided with the options described below.

Option: Profile
Description: The type of device or emulator you want to scan. Select a type from the drop-down menu.
For more information, see "Selecting a Profile" below.

Option: Mobile Device/Emulator Proxy
Description: The IP address and port number for the proxy that Fortify WebInspect or Fortify WebInspect
Enterprise creates for listening to the traffic between your device or emulator and the Web service or
application being tested. Unless the IP address and/or port are reserved for other activities, use the
default settings. For more information, see "Setting the Mobile Device Proxy Address" below.

Option: Trusted Certificate
Description: The port and URL to acquire a client certificate for your device or emulator. To download
and install the certificate on your device or emulator, see "Adding a Trusted Certificate" on the next
page.

Selecting a Profile
To set the device profile, select one of the following from the Profile drop-down list:
 • iOS Device - An iPad or iPhone running the latest version of iOS.
 • iOS Simulator - The iOS emulator that is part of the iOS SDK.
 • Android Device - A phone or tablet running the Android operating system.
 • Android Emulator - The Android emulator that is part of the Android SDK.
 • Windows Device - A Windows phone or Surface tablet.

Setting the Mobile Device Proxy Address

The Mobile Device/Emulator Proxy section lists the Host IP address and the Port number that will be
used to establish a proxy connection between your device or emulator and Fortify WebInspect or
Fortify WebInspect Enterprise. Use the suggested settings unless the IP address or port number are
unavailable on your system.

Note: If you are unable to connect to the server or access the Internet after setting your proxy, you
may need to open up or change the port on your firewall specified in the Native Mobile stage. If it
still does not work, you may need to select a different IP address. The IP address presented in the
Fortify WebInspect/WebInspect Enterprise interface allows you to click the address and select an
alternate from a drop-down list.

To set up a proxy on an iOS device:
 1. Run the Settings application.
 2. Select Wi-Fi.
 3. Select the Wi-Fi network you are using to connect to Fortify WebInspect or Fortify WebInspect
Enterprise.
 4. Scroll down to the HTTP Proxy section and select Manual.
The screen displays the network configuration options for the network your device is connected to.
 5. Scroll down further and type in the Server IP address and the Port number provided by Fortify
WebInspect or Fortify WebInspect Enterprise. If you don't have this information, see "Choose
Device/Emulator Type Step" on the previous page.
 6. In Fortify WebInspect or Fortify WebInspect Enterprise, click the Verify button in the Trusted
Certificate section to verify the connection is working properly.
The Verify activity progress bar appears.
 7. Launch the default browser on your device and visit any site to verify that Fortify WebInspect or
Fortify WebInspect Enterprise is able to see the back-end traffic.
If everything is configured properly, after a few moments, the Verify activity progress bar will state
that the traffic has been successfully verified.
 8. Click OK to dismiss the verification progress bar and then click Next to select a scan type.
To set up a proxy on an Android or Windows device, consult your operator’s instructions.

Adding a Trusted Certificate

If your site requires a secure connection, each time you run a scan, Fortify WebInspect or Fortify
WebInspect Enterprise generates a unique client certificate for your device or emulator. You will need to
install the certificate into the device’s (or emulator’s) certificate repository.

Note: You can add a client certificate to a Windows phone, but the only way to subsequently
remove it is to restore the phone to its default settings.

There are three ways to add a certificate:
 • Scan the QR code from the Trusted Certificate section of Guided Scan (requires QR reader software).
 • Type the address into the built-in browser on your device or device emulator.
 • Copy the certificate to your system clipboard for applying later (used when scanning with a device
emulator).
Choose the option that best suits your needs.

Note: After completing the scan, you should remove the certificate from the repository on your
device. See "Post Scan Steps " on page 156.

To add a certificate to an iOS device or emulator:
 1. After scanning the QR code or typing the provided URL into your browser, the Install Profile page
appears.
Note: The WebInspect Root certificate status will display as Not Trusted until you add it to
your root chain.
 2. Tap the Install button.
A warning screen will appear stating that the certificate is not trusted. Once you add the certificate
to the certificate repository on your device or emulator, the warning will go away.
 3. Tap Install on the Warning screen.
The display changes to that of the current network your device or emulator is connected to. Make
sure it is connected to the same network as Fortify WebInspect or Fortify WebInspect Enterprise.

Choose Scan Type Step

After setting up your device or emulator to work with Fortify WebInspect or Fortify WebInspect
Enterprise during the first part of the Native Mobile stage, you will need to select the type of scan you
would like to run.
Set the options listed below:

Option: Scan Name
Description: Type a name for the scan so that later you can identify the scan on the Manage Scans page.

Option: Scan Method
Description: Choose the type of scan you want from the following list:
Crawl Only: maps the attack surface of the specified workflow(s).
Crawl and Audit: maps the attack surface of the specified workflow(s) and scans for vulnerabilities.
Audit Only: only attacks the specified workflows.

Option: Policy
Description: Select a policy for the scan from the drop-down menu. For more information on policies,
see "Fortify WebInspect Policies" on page 424. For information on creating and editing policies, see the
"Policy Manager" chapter in the Tools Guide for Fortify WebInspect Products.

Option: Crawl Coverage
Description: Select the level of coverage you want using the Crawl Coverage slider.

Option: Enable SPA support
Description: When this option is selected for crawling and auditing single-page applications (SPAs), the
DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX
calls during the crawl, and then audits all traffic generated by those events.
Caution! SPA support should be enabled for single-page applications only. Enabling SPA support to
scan a non-SPA website will result in a slow scan.
For more information, see "About Single-page Application Scans" on page 190.

About the Login Stage

If the application you intend to scan requires login credentials, you can use the Login stage to either
select an existing login macro or record one for use with the scan.
If your application does not require login credentials, you can skip this section of the Guided Scan
wizard by clicking through the options without assigning values, or by clicking the next step in the
Guided Scan tree to skip to the next stage.
In this stage you can:
 • Configure network authorization
 • Configure application authorization
 • Create or assign a login macro

Network Authentication Step

If your application requires either network or application level authentication, you can assign it here.

Configuring Network Authentication

If your network requires user authentication, you can configure it here. If your network does not require
user authentication, click the Next navigation button or the next appropriate step in the Guided Scan
tree to continue.
To configure network authentication:
 1. Click the Network Authentication checkbox.
 2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
Automatic
Allow Fortify WebInspect to determine the correct authentication type.
Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
 3. Type in the User Name and Password.

Configuring a Client Certificate

If your network is set up to accept a client certificate rather than a user name and password, you can
configure Fortify WebInspect or Fortify WebInspect Enterprise to provide the client certificate upon
request.
To configure a client certificate:
 1. Select the Client Certificate check box.
 2. Do one of the following:
 • To use a certificate that is local to the computer and is global to all users on the computer, select
Local Machine.
 • To use a certificate that is local to a user account on the computer, select Current User.

Note: Certificates used by a common access card (CAC) reader are user certificates and are
stored under Current User.

 3. Do one of the following:
 • To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down
list.
 • To select a trusted root certificate, select Root from the drop-down list.
 4. Does the website use a common access card (CAC) reader?
 • If yes, do the following:
 i. Select a certificate that is prefixed with “(SmartCard)” from the Certificate list.
Information about the selected certificate and a PIN field appear in the Certificate
Information area.
 ii. If a PIN is required, type the PIN for the CAC in the PIN field.
Note: If a PIN is required and you do not enter the PIN at this point, you must enter the
PIN in the Windows Security window each time it prompts you for it during the scan.
 iii. Click Test.
If you entered the correct PIN, a Success message appears.
 • If no, select a certificate from the Certificate list.
Information about the selected certificate appears below the Certificate list.

Application Authentication Step

If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login
macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the login is
successful. If the macro is invalid and fails to log in to the application, the scan stops and an error
message is written in the scan log file. For more information and troubleshooting tips, see "Testing
Login Macros" on page 456.
The following options are available for login macros:
 • "Using a Login Macro without Privilege Escalation" below
 • "Using Login Macros for Privilege Escalation" below
 • "Using a Login Macro when Connected to Fortify WebInspect Enterprise" on the next page
 • "Using a Selenium IDE Macro" on page 152
 • "Testing the Macro" on page 153

Using a Login Macro without Privilege Escalation

To use a login macro:
 1. Select the Use a login macro for this site check box.
 2. Do one of the following:
 • To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium IDE macro, see "Using a Selenium IDE Macro" on page 152.
 • To edit an existing login macro shown in the Login Macro field, click Edit.
 • To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 3. Click the Next button.
The Application Authentication Step is complete. Proceed to the Application Stage to run your
application.

Using Login Macros for Privilege Escalation

If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 188. To use login macros:
 1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
 2. Do one of the following:
 • To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium IDE macro, see "Using a Selenium IDE Macro" on the next page.
 • To edit an existing login macro shown in the Login Macro field, click Edit.
 • To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
 3. Do one of the following:
 • To perform the scan in authenticated mode, click Yes. For more information, see "About
Privilege Escalation Scans" on page 188.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege
login macro. Continue to Step 4.
 • To perform the scan in unauthenticated mode, click No. For more information, see "About
Privilege Escalation Scans" on page 188.
The Application Authentication Step is complete. Proceed to the Application Stage.
 4. Select the Low-Privilege User Account Login Macro check box. This login macro is for the lower-
privilege user account, such as a viewer or consumer of the site content.
 5. Do one of the following:
 • To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium IDE macro, see "Using a Selenium IDE Macro" on the next page.
 • To edit an existing login macro shown in the Login Macro field, click Edit.
 • To record a new macro, click Create.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the Tools Guide for Fortify WebInspect Products.
 6. After recording or selecting the second macro, click the Next button.
The Application Authentication Step is complete. Proceed to the Application Stage to run your
application.

Using a Login Macro when Connected to Fortify WebInspect Enterprise

For a Fortify WebInspect that is connected to Fortify WebInspect Enterprise, you can download and use
a login macro from the Fortify WebInspect Enterprise macro repository.
 1. Select the Use a login macro for this site check box.
 2. Click Download.
The Download a Macro from Fortify WebInspect Enterprise window appears.
 3. Select the Application and Version from the drop-down lists.
 4. Select a repository macro from the Macro drop-down list.
 5. Click OK.
Note: Selecting a repository macro automatically syncs the Application and Version on the Final
Review page under Automatically Upload Scan to WIE.

Using a Selenium IDE Macro

Fortify WebInspect supports integration with Selenium IDE browser automation. When you click the
Import button and select a Selenium IDE macro to import, Fortify WebInspect detects that a Selenium
IDE macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must
include a logout condition. If a logout condition does not exist, you can add one using the Logout
Conditions Editor just as with any other macro. However, all other edits must be done in the Selenium
IDE.
 1. Select the Use a login macro for this site check box.
 2. Click the ellipsis button (...) to browse for a saved Selenium IDE macro.
The Import Macro window appears.
 3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium IDE macros do not have a specific file extension and can be any type of text
file, including XML.
 4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the default settings become visible. Make changes as necessary.
 6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 7. Did the macro play successfully?
 • If yes, the message "Successfully verified macro" appears. Continue with Step 8.
 • If no, an error message appears. Use the error message to debug and correct the error in
Selenium, and return to Step 2 of this procedure to try the import again.
 8. Continue according to one of the following procedures.

To specify a logout condition:
 a. Click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
 b. Add a logout condition and click OK.

To export the Selenium script to use elsewhere:
 a. Click Export.
The Selenium script import window opens.
 b. Navigate to the desired directory and type a File name for the script.
 c. Select the Save as Type.
Note: If you changed the settings in the Import Selenium Script window, they will not be saved
when exporting the file as a Selenium Import (*.*) file. However, if you export the file as a
Fortify WebInspect Selenium IDE macro (*.webmacro) file, the settings will be saved.
 d. Click Save.

Testing the Macro

Optionally, click Test to locate the login form and run macro validation tests before advancing to the
next stage in the Guided Scan wizard. If you need to cancel the validation test prior to completion, click
Cancel.
If the macro is invalid and fails to log in to the application, an error message appears. For more
information and troubleshooting tips, see "Testing Login Macros" on page 456.

About the Application Stage

The Application Stage is where you run your application. During the Application Stage:
 • Run the mobile application to generate and collect Web traffic.
 • Identify the hosts and RESTful endpoints you want to include.

Run Application Step

To run the application and generate and collect Web traffic:
 1. Click the Record button.
 2. Exercise the application, navigating through the interface as your customers will.
 3. When you have generated enough traffic, click the Stop button.
 4. Click Play to verify your workflow.

Finalizing Allowed Hosts and RESTful Endpoints

After running the application and collecting Web traffic, a list will be generated of the Allowed Hosts
and potential RESTful Endpoints.
To select the hosts to include in your audit, click the check boxes in the Enabled column of the Allowed
Hosts table.
The list of RESTful endpoints is generated by listing every possible combination that could be a
RESTful endpoint. Select the actual RESTful endpoints from the list by selecting their Enabled check
boxes. To reduce the list to a more likely subset, click the Detect button. Heuristics are applied, filtering
out some of the less likely results. Select the Enabled check boxes from the resultant list.
If Fortify WebInspect or Fortify WebInspect Enterprise didn’t find all of the RESTful endpoints, you can
add them manually.
To set up a new RESTful endpoint rule:
 1. Click the New Rule button.
A new rule input box appears in the RESTful Endpoints table.
 2. Following the sample format in the input box, type in a RESTful Endpoint.
To import a list of RESTful endpoints:
 1. Click the Import button.
A file selector appears.
 2. Select a Web Application Description Language (.wadl) file.
 3. Click OK.
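How the "every possible combination" list and the Detect filter described above can be derived from recorded traffic, as an added example in Python. This is not Fortify WebInspect's own code and the product's heuristics are not documented on this page, so the rules in detect() (numeric, UUID or long hex segments are parameters; so is any position at which several distinct values were seen under the same prefix) are this example's assumptions. The recorded requests are constructed.

```python
"""Candidate RESTful endpoint rules from recorded application traffic.

Added example, not Fortify WebInspect's algorithm. all_combinations() mirrors
the unfiltered "every possible combination" list; detect() is a plausibility
filter of this example's own design. The traffic below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

Record = Tuple[str, str]  # (HTTP method, URL) as captured through the device proxy

# Constructed sample traffic from a fictional mobile back end.
SAMPLE_TRAFFIC: List[Record] = [
    ("GET", "https://api.example.test/v1/users/1001"),
    ("GET", "https://api.example.test/v1/users/1002"),
    ("GET", "https://api.example.test/v1/users/1001/orders"),
    ("POST", "https://api.example.test/v1/orders"),
    ("GET", "https://api.example.test/v1/orders/9f1c2a7e-5b3d-4e6f-8a9b-0c1d2e3f4a5b"),
    ("GET", "https://cdn.example.test/img/logo.png"),
]

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_HEX = re.compile(r"^[0-9a-f]{16,}$", re.I)
MIN_DISTINCT = 3  # distinct values seen at one position before it counts as a parameter


def looks_variable(segment: str) -> bool:
    """Segments that are obviously identifiers rather than resource names."""
    return segment.isdigit() or bool(_UUID.match(segment)) or bool(_HEX.match(segment))


def all_combinations(path: str) -> List[str]:
    """Every way of marking the path's segments as parameters (2**n patterns)."""
    segs = [s for s in path.split("/") if s]
    patterns = []
    for mask in range(1 << len(segs)):
        patterns.append("/" + "/".join(
            "{param}" if mask >> i & 1 else s for i, s in enumerate(segs)))
    return patterns


def candidate_rules(records: List[Record]) -> List[str]:
    """The unfiltered list: every combination for every request seen."""
    rules: Set[str] = set()
    for method, url in records:
        u = urlsplit(url)
        for pattern in all_combinations(u.path):
            rules.add(f"{method.upper()} {u.netloc}{pattern}")
    return sorted(rules)


def detect(records: List[Record]) -> List[str]:
    """Plausible rules only: a segment becomes a parameter when it looks like an
    identifier, or when at least MIN_DISTINCT different values were observed at
    that position beneath the same (already generalized) prefix."""
    paths = []
    for method, url in records:
        u = urlsplit(url)
        segs = [s for s in u.path.split("/") if s]
        gen = ["{param}" if looks_variable(s) else s for s in segs]
        paths.append((method.upper(), u.netloc, segs, gen))
    seen: Dict[Tuple[str, str, Tuple[str, ...]], Set[str]] = defaultdict(set)
    for method, host, segs, gen in paths:
        for depth, seg in enumerate(segs):
            seen[(method, host, tuple(gen[:depth]))].add(seg)
    rules: Set[str] = set()
    for method, host, segs, gen in paths:
        parts = []
        for depth, seg in enumerate(segs):
            many = len(seen[(method, host, tuple(gen[:depth]))]) >= MIN_DISTINCT
            parts.append("{param}" if gen[depth] == "{param}" or many else seg)
        rules.add(f"{method} {host}/{'/'.join(parts)}")
    return sorted(rules)


if __name__ == "__main__":
    print(len(candidate_rules(SAMPLE_TRAFFIC)), "raw candidates")
    for rule in detect(SAMPLE_TRAFFIC):
        print(rule)
```

For the six constructed requests the unfiltered list runs to dozens of patterns, while detect() keeps five: the two user resources, the order collection and item, and the static image, which is why a Detect-style filter is worth running before ticking Enabled boxes by hand.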

About the Settings Stage

During the final stage, you can set a number of options that affect how the collected traffic is audited.
The available options vary, based on the selections you have made.

Final Review Step

Configure Detailed Options
The Configure Detailed Options step allows you to set detailed options. These options will change from
scan to scan, as they are dependent on the choices made in the Guided Scan wizard. Some of the
options include:
Reuse Identified False Positives. Select a previous scan to identify vulnerabilities that have already
been identified as false positives.
Traffic Analysis. You can use a self-contained proxy server on your desktop. With it you can monitor
traffic from a scanner, a browser, or any other tool that submits HTTP requests and receives responses
from a server. You can also enable the Traffic Monitor and display the hierarchical structure of the Web
site or Web service in a Fortify WebInspect navigation pane. It allows you to display and review every
HTTP request sent by Fortify WebInspect and the associated HTTP response received from the server.

Scan Mode. A crawl-only feature. Allows you to enable Discovery (Path Truncation). Path truncation
allows you to make requests for known directories without file names. This can cause directory listings
to be displayed. You can also select the Passive Analysis (Keyword Search) option to examine every
response from the Web server for content (error messages, directory listings, credit card numbers, etc.)
not properly protected by the Web site.
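The two Scan Mode options above, as an added Python example that is not Fortify WebInspect code: truncations() derives the directory URLs that path truncation requests, looks_like_listing() recognizes a directory listing in a response, and the passive-analysis functions search a response body for server error messages and for card numbers, using a Luhn check so that order numbers and timestamps are not reported. All response bodies are constructed, and the marker and error-message patterns are this example's own choices rather than the product's keyword list.

```python
"""Checks behind the crawl-only Scan Mode options.

Added example, not Fortify WebInspect code. Every response body used here is
constructed; the patterns are this example's own, not the product's list.
"""
import re
from typing import List
from urllib.parse import urlsplit, urlunsplit


def truncations(url: str) -> List[str]:
    """Parent directories of a URL, deepest first, down to the site root."""
    u = urlsplit(url)
    dirs = u.path.split("/")[1:-1]  # drop the leading "" and the final segment
    out = []
    for depth in range(len(dirs), -1, -1):
        path = "/" + "/".join(dirs[:depth]) + ("/" if depth else "")
        out.append(urlunsplit((u.scheme, u.netloc, path, "", "")))
    return out


# Markers of the default directory-listing pages of common Web servers.
_LISTING = [
    re.compile(r"<title>\s*Index of /", re.I),     # Apache mod_autoindex
    re.compile(r"Directory Listing For /", re.I),   # Apache Tomcat
    re.compile(r"\[To Parent Directory\]", re.I),   # IIS directory browsing
]


def looks_like_listing(body: str) -> bool:
    """True when a response to a truncated URL is a directory listing."""
    return any(p.search(body) for p in _LISTING)


# Keyword-search patterns: verbose server errors that leak implementation detail.
_ERRORS = {
    "Oracle error": re.compile(r"\bORA-\d{5}\b"),
    "MySQL syntax error": re.compile(r"You have an error in your SQL syntax", re.I),
    "ASP.NET stack trace": re.compile(r"\[\w+Exception: .*?\]\s+at\s", re.S),
    "PHP warning": re.compile(r"<b>Warning</b>:\s+.*?\bon line \d+", re.S),
}


def find_error_messages(body: str) -> List[str]:
    """Names of the error-message patterns that match the response body."""
    return [name for name, pattern in _ERRORS.items() if pattern.search(body)]


# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
_CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most numbers that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> List[str]:
    """Luhn-valid card-like numbers in a response, digits only."""
    found = []
    for m in _CARD.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    for parent in truncations("https://app.example.test/docs/reports/q3.pdf"):
        print("would request", parent)
    # constructed response: a non-card order number next to a test card number
    print(find_card_numbers("order 1234567890123456 paid with 4111 1111 1111 1111"))
```

The order number in the constructed response fails the Luhn check and is dropped, while the well-known 4111 test number is reported; that filtering is what keeps a keyword search over every response from drowning in false positives.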

Validate Settings and Start Scan

Options on this page allow you to save the current scan settings and, if WebInspect is integrated with
WebInspect Enterprise, to interact with WebInspect Enterprise.
 1. To save your scan settings as an XML file, select Click here to save settings. Use the standard
Save as window to name and save the file.
 2. If WebInspect is integrated with WebInspect Enterprise, a Templates section appears in the toolbar.
Continue according to one of the following procedures.

If you want to save the current scan settings as a template in the WebInspect Enterprise database:
 a. Do one of the following:
 - Click Save in the Templates section of the toolbar.
 - Select Click here to save template.
The Save Template window appears.
 b. Select an application from the Application drop-down list.
 c. Select an application version from the Version drop-down list.
 d. Type a name in the Template field.
Note: When editing an existing template, the Save is actually an update. You can save any edits to
settings and change the Template Name. However, you cannot change the Application, Version, or
Global Template settings.

If you want to load scan settings from a template:
 a. Click Load in the Templates section of the toolbar.
A confirmation message appears advising that your current scan settings will be lost.
 b. Click Yes.
The Load Template window appears.
 c. Select an application from the Application drop-down list.
 d. Select an application version from the Version drop-down list.
 e. Select the template from the Template drop-down list.
 f. Click Load.
Guided Scan returns to the Site Stage for you to verify the Web site and step through the settings
from the template.

 3. If WebInspect is integrated with WebInspect Enterprise, the WebInspect Enterprise section appears
on this page. You can interact with WebInspect Enterprise as follows:
 a. Select an application from the Application drop-down list.
 b. Select an application version from the Version drop-down list.
 c. Continue according to one of the following procedures.

To run the scan with a sensor in WebInspect Enterprise:
 i. Select Run in WebInspect Enterprise.
 ii. Select a sensor from the Sensor drop-down list.
 iii. Select a Priority for the scan.

To run the scan in WebInspect:
 i. Select Run in WebInspect.
 ii. If you want to automatically upload the scan results to the specified application and version in
WebInspect Enterprise, select Auto Upload to WebInspect Enterprise.
Note: If the scan does not complete successfully, it will not be uploaded to WebInspect Enterprise.

 4. In the Scan Now area, review your scan settings, and then click Start Scan to begin the scan.

Post Scan Steps

After you have completed your scan and run Fortify WebInspect or Fortify WebInspect Enterprise, you
will need to reset your Android, Windows, or iOS device or emulator to its former state. The following
steps show how to reset your iOS device to the way it was before you began. Steps for other devices
and emulators are similar, but depend on the version of the OS you are running.
To remove the Fortify certificate on an iOS device:
 1. Run the Settings application.
 2. Select General from the Settings column.
 3. Scroll down to the bottom of the list and select Profile WebInspect Root.
 4. Tap the Remove button.
To remove the proxy settings on an iOS device:
 1. Run the Settings application.
 2. Select Wi-Fi from the Settings column.
 3. Tap the Network name.
 4. Delete the Server IP address and the Port number.
See Also
"Guided Scan Overview " on page 105

Running a Web Service Scan

When performing a Web service scan, Fortify WebInspect crawls the WSDL site and submits a value for
each parameter in each operation it discovers. These values are extracted from a file that you must
create using the Web Service Test Designer. It then audits the site by attacking each parameter in an
attempt to detect vulnerabilities such as SQL injection.
See "Auditing Web Services" on page 238 for more information on how a Web services vulnerability
scan differs from other types of scan actions.
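What the crawl phase described above has to extract from a WSDL before a value can be submitted for each parameter, as an added Python example that is not Fortify WebInspect code. The WSDL is a constructed document/literal service with two operations, and sample_values() substitutes placeholder values chosen by XSD type in place of the Web Service Test Designer file the product uses; that substitution is an assumption of this example, not the product's behaviour.

```python
"""List the operations and input parameters a WSDL describes.

Added example, not Fortify WebInspect code. The WSDL below is constructed;
sample_values() is a placeholder for the values a Web Service Test Designer
file would supply (an assumption of this example).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="urn:example:inventory"
             targetNamespace="urn:example:inventory">
  <types>
    <xsd:schema targetNamespace="urn:example:inventory">
      <xsd:element name="GetItem">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="sku" type="xsd:string"/>
          <xsd:element name="warehouseId" type="xsd:int"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="ListItems">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="page" type="xsd:int"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
  <message name="GetItemIn"><part name="parameters" element="tns:GetItem"/></message>
  <message name="ListItemsIn"><part name="parameters" element="tns:ListItems"/></message>
  <portType name="InventoryPort">
    <operation name="GetItem"><input message="tns:GetItemIn"/></operation>
    <operation name="ListItems"><input message="tns:ListItemsIn"/></operation>
  </portType>
</definitions>
"""

Param = Tuple[str, str]  # (parameter name, XSD type as written in the schema)


def _q(ns: str, tag: str) -> str:
    return "{%s}%s" % (ns, tag)


def _local(qname: str) -> str:
    """Strip a namespace prefix: 'tns:GetItem' -> 'GetItem'."""
    return qname.split(":", 1)[-1]


def operations_with_parameters(wsdl_text: str) -> Dict[str, List[Param]]:
    """Map each portType operation to the leaf elements of its input message."""
    root = ET.fromstring(wsdl_text)
    # Schema elements wrapping a complexType: the document/literal request bodies.
    params_of: Dict[str, List[Param]] = {}
    for el in root.iter(_q(XSD_NS, "element")):
        if el.find(_q(XSD_NS, "complexType")) is None:
            continue
        params_of[el.get("name")] = [
            (f.get("name"), f.get("type")) for f in el.iter(_q(XSD_NS, "element"))
            if f is not el and f.get("name")]
    # Message name -> the element (or type) its part refers to.
    messages: Dict[str, str] = {}
    for msg in root.findall(_q(WSDL_NS, "message")):
        part = msg.find(_q(WSDL_NS, "part"))
        messages[msg.get("name")] = _local(part.get("element") or part.get("type") or "")
    ops: Dict[str, List[Param]] = {}
    for port_type in root.findall(_q(WSDL_NS, "portType")):
        for op in port_type.findall(_q(WSDL_NS, "operation")):
            inp = op.find(_q(WSDL_NS, "input"))
            if inp is None:
                continue
            body_element = messages.get(_local(inp.get("message")), "")
            ops[op.get("name")] = params_of.get(body_element, [])
    return ops


# Placeholder values by XSD type (this example's assumption; a design file carries real values).
_PLACEHOLDERS = {"xsd:int": "1", "xsd:integer": "1", "xsd:long": "1", "xsd:decimal": "1.0",
                 "xsd:boolean": "true", "xsd:dateTime": "2019-11-01T00:00:00Z"}


def sample_values(params: List[Param]) -> Dict[str, str]:
    """One benign value per parameter, selected by its XSD type."""
    return {name: _PLACEHOLDERS.get(xsd_type, "test") for name, xsd_type in params}


if __name__ == "__main__":
    for op, params in operations_with_parameters(SAMPLE_WSDL).items():
        print(op, sample_values(params))
```

The parser follows the chain the crawl needs (portType operation, input message, message part, schema element, its child elements) and stops there; bindings and service addresses are left out because the point is which parameters exist, not where the request is posted.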

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Use the following procedure to conduct a Web Service scan.
 1. On the Fortify WebInspect Start Page, click Start a Web Service Scan.
The Web Service Scan Wizard appears.


 2. Enter a name for the scan in the Scan Name box.
 3. Select one of the following:
 • Configure a Web Service Scan - Enter or select the full path and name of a Web Service
Definition Language (WSDL) file, or click  to open a standard file-selection dialog box and
choose a WSDL file. You will import the WSDL file and later launch the Web Service Test
Designer to configure a file containing values for each operation in the service.
Note: For instructions on conducting a Web service scan of the Fortify WebInspect test site,
see "Scanning Web Services at zero.webappsecurity.com" on page 43.
 • Scan with Existing Design File - Click  to open a standard file-selection dialog box and
choose a Web Service Test Design (WSD) file that you previously created using the Web Service
Test Designer. This file contains values for each operation in the service.
 4. Click Next.
Note: On any window presented by the Web Service Scan Wizard, you can click Settings (at the
bottom of the window) to modify the default settings or to load a settings file that you previously
saved. Any changes you make will apply to this scan only and will not be retained in the default
settings file. To make and retain changes to default settings, click the Fortify WebInspect Edit menu
and select Default Scan Settings.

Authentication and Connectivity


 1. If you need to access the target site through a proxy server, select Network Proxy and then
choose an option from the Proxy Profile list:
 l Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig
file and use this to configure the browser's Web proxy settings.
 l Use System Proxy: Import your proxy server information from the local machine.
 l Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you
select this option, click Edit to enter the location (URL) of the PAC.
 l Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit
to enter proxy information.
 l Use Mozilla Firefox: Import your proxy server information from Firefox.

Note: Electing to use browser proxy settings does not guarantee that you will access the
Internet through a proxy server. If the Firefox browser connection settings are configured for
"No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected,
then a proxy server will not be used.

 2. If server authentication is required, select Network Authentication and then select
an authentication method and enter your network credentials. The authentication methods are:
Automatic
Allow Fortify WebInspect to determine the correct authentication type. 
Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.

The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

 3. Click Next.

Detailed Scan Configuration


 1. If you are creating a design test file, a message prompts you to launch the Web Service Test
Designer. The Scan Wizard will not advance until you use the designer to create a WSD file. 
 2. If you already selected a design test file, you may click Design to open the Web Service Test
Designer and edit a web service design (WSD) file containing values that should be submitted to
the WSDL file during the scan.
 3. (Optional) You may select the following options:
 l Launch and Direct Traffic through Web Proxy. (This option is not available if you are scheduling
a scan.)
 l Enable Traffic Monitor.
 4. Click Next.

Congratulations
 1. If you anticipate running this scan again, you can save the settings in an XML file. Click the Save
hyperlink to name and save the file.
When starting a scan through the Web Service Scan Wizard, you can click Settings (at the bottom
of the window) to load this settings file.
 2. If you are scheduling a scan, you can also elect to generate a report when the scan completes.
Select the Generate Report check box, and then click the Select reports hyperlink.
 3. Click Scan (or click Schedule, if you are scheduling a scan).

Running a Basic Scan


The options displayed by default on this and subsequent windows are extracted from the Fortify
WebInspect default settings. Any changes you make will be used for this scan only. If you click Settings
(Default) at the bottom of the window to access the full complement of Fortify WebInspect settings,
any selections you make are also temporary. To change the default settings, you must select Default
Scan Settings from the Edit menu. For more information, see "Default Scan Settings" on page 338.

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Basic Scan Options


 1. In the Scan Name box, enter a name or brief description of the scan.
 2. Select one of the following scan modes:
 l Crawl Only: Completely map a site's hierarchical data structure. After a crawl has been
completed, you can click Audit to assess an application’s vulnerabilities.
 l Crawl and Audit: Map the site's hierarchical data structure and audit each resource (page).
Depending on the default settings you select, the audit can be conducted as each resource is
discovered or after the entire site is crawled. For information regarding simultaneous vs.
sequential crawl and audit, see "Crawl and Audit Mode" on page 339.
 l Audit Only: Apply the methodologies of the selected policy to determine vulnerability risks, but
do not crawl the Web site. No links on the site are followed or assessed.
 l Manual: Allows you to navigate manually to whatever sections of your application you choose
to visit, using Firefox or Internet Explorer. Fortify WebInspect does not crawl the entire site, but
records information only about those resources that you encounter while manually navigating
the site. This feature is used most often to enter a site through a Web form logon page or to
define a discrete subset or portion of the application that you want to investigate. Once you
finish navigating through the site, you can audit the results to assess the security vulnerabilities
related to that portion of the site that you recorded.
Note: Manual mode is not available when scheduling a scan.

 3. Select one of the following scan types:


 l Standard Scan: Perform an automated analysis, starting from the target URL. This is the
normal way to start a scan.
 l Manual Scan: (also known as Step Mode) allows you to navigate manually to whatever sections
of your application you choose to visit, using Firefox or Internet Explorer. This choice appears
only if you select the Manual Scan mode.
 l List-Driven Scan: Perform a scan using a list of URLs to be scanned. Each URL must be fully
qualified and must include the protocol (for example, http:// or https://). You can use a text file,
formatted as comma-separated list or one URL per line.
 o To import a list, click Import.
 o To build or edit a list using the Site List Editor, click Manage. For more information, see
"Using the Site List Editor " on page 173.
 l Workflow-Driven Scan: Audit only those URLs included in the macro that you previously
recorded and does not follow any hyperlinks encountered during the audit. A logout signature
is not required. This type of macro is used most often to focus on a particular subsection of the
application. If you select multiple macros, they will all be included in the same scan. You can use
.webmacro files, Burp Proxy captures, or a Selenium IDE macro. For more information, see
"Selecting a Workflow Macro " on page 226.
Important! If you use a login macro in conjunction with a workflow macro or startup macro
or both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or
all Selenium macros. You cannot use different types of macros in the same scan.

 l API Scan: Create a macro from a REST API definition and perform an automated analysis.
Important! If HTTP Authorization credentials, such as a bearer token, are needed to access
the API definition, then before starting the scan, you must add the information as a Custom
Header in Scan Settings: Cookies/Headers as described in "Adding a Custom Header" on
page 369.
Example Header:
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
 4. Continue according to the scan type you selected.

Standard Scan
 a. In the Start URL box, type or select the complete URL or IP address of the site you want to
examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify
alternatives in the Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in
your hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect supports both Internet Protocol version 4 (IPv4) and Internet Protocol
version 6 (IPv6). IPv6 addresses must be enclosed in brackets. For more information, see
"Internet Protocol Version 6" on page 337.
 b. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from
the drop-down list. The choices are:
 o Directory only - Fortify WebInspect will crawl and/or audit only the URL you specify. For
example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify
WebInspect will assess only the "two" directory.
 o Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at the
URL you specify, but will not access any directory that is higher in the directory tree.
 o Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing at
the URL you specify, but will not access any directory that is lower in the directory tree.
For information about limitations to the Restrict to folder scan option, see "Restrict to Folder
Limitations" on page 182.

Manual Scan
 a. Enter a Start URL and, if desired, select Restrict to folder. See Standard Scan described
previously.
 b. In the Browser drop-down list, select Firefox or Internet Explorer as the browser to use for the
manual scan.

List-Driven Scan
Do one of the following:
 l Click Import and select a text file or XML file containing the list of URLs you want to scan.
 l Click Manage to create or modify a list of URLs.

Workflow-Driven Scan
Do one of the following:
 l Click Manage to select, edit, record, import, export, or remove a macro.
 l Click Record and create a macro.
Note: You can include more than one macro in a scan.

API Scan
 a. In the API Definition URL box, provide the URL to the Swagger or OData definition file, as shown
in the following example:
http://172.16.81.36/v1
Tip: Alternatively, you can paste in the full path to a definition file that is saved on your local
machine.
 b. In the API Type drop-down list, select the API type to be scanned. The options are Swagger and
OData.
Note: Fortify WebInspect supports the following REST API definitions and protocols:
 o OpenAPI Specification versions 2.0 and 3.0 (formerly known as Swagger Specification). For more
information, visit the Swagger website at http://swagger.io/.
 o Open Data (OData) protocol (versions 2, 3, and 4). For more information, visit the OData website
at http://www.odata.org/.

 5. Click Next.
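The wizard accepts the URL list for a List-Driven Scan as a text file, either comma-separated or one URL per line, and every entry must be fully qualified, protocol included. The Python script below is an added example and is not part of the Fortify WebInspect documentation or product: it reads a list in either layout and reports the entries the wizard would reject (no protocol, an unsupported protocol, or no host name), so a faulty list is caught before the scan is configured. The sample list and its host names are constructed.

```python
"""Validate a URL list file for a List-Driven Scan.

Added example, not part of the Fortify WebInspect documentation or product.
The wizard accepts a text file with one URL per line or a comma-separated
list, and every entry must be fully qualified, including the protocol.
This script reads either layout and reports the entries the wizard would
reject, so a bad list is caught before the scan is configured. The sample
list and its host names are constructed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_url_list(text: str) -> List[str]:
    """Split a list file into entries: one per line, or comma-separated."""
    entries = []
    for line in text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item:
                entries.append(item)
    return entries


def check_url(url: str) -> Optional[str]:
    """Return None when the URL is fully qualified, else the reason it is not."""
    parts = urlsplit(url)
    if not parts.scheme:
        return "missing protocol (http:// or https://)"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"unsupported protocol {parts.scheme.lower()!r}"
    if not parts.netloc:
        return "missing host name"
    return None


def validate_url_list(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (valid URLs in file order without duplicates, {bad entry: reason})."""
    valid: List[str] = []
    seen = set()
    problems: Dict[str, str] = {}
    for entry in parse_url_list(text):
        reason = check_url(entry)
        if reason is not None:
            problems[entry] = reason
        elif entry not in seen:
            seen.add(entry)
            valid.append(entry)
    return valid, problems


# Constructed sample list mixing both accepted layouts, a duplicate, and two
# entries the wizard would reject.
SAMPLE_LIST = """\
https://app.example.test/login, https://app.example.test/account
https://app.example.test/login
www.example.test/no-protocol
ftp://files.example.test/pub
"""

if __name__ == "__main__":
    good, bad = validate_url_list(SAMPLE_LIST)
    for url in good:
        print("ok      ", url)
    for entry, reason in bad.items():
        print("rejected", entry, "-", reason)
```

Run it against your own list before clicking Import; duplicates are collapsed so that the same URL is not audited twice.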

Authentication and Connectivity


 1. If you need to access the target site through a proxy server, select Network Proxy and then
choose an option from the Proxy Profile list:
 l Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig
file and use this to configure the browser's Web proxy settings.
 l Use System Proxy: Import your proxy server information from the local machine.
 l Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you
select this option, click Edit to enter the location (URL) of the PAC. For more information, see
"Configuring the Proxy Profile " on page 174.
 l Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit
to enter proxy information. For more information, see "Configuring the Proxy Profile " on
page 174.
 l Use Mozilla Firefox: Import your proxy server information from Firefox.

Note: Electing to use browser proxy settings does not guarantee that you will access the
Internet through a proxy server. If the Firefox browser connection settings are configured for
"No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected,
then a proxy server will not be used.

 2. Select Network Authentication if server authentication is required. Then select an authentication
method and enter your network credentials. The authentication methods are:
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.

 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

Automatic
Allow Fortify WebInspect to determine the correct authentication type. 
Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
 3. To configure a client certificate for a website, click Settings > Authentication and continue as
follows:
 a. In the Client Certificates area, select the Enable check box.
 b. Click Select.
The Client Certificates window opens.
 c. Do one of the following:
 o To use a certificate that is local to the computer and is global to all users on the computer,
select Local Machine.
 o To use a certificate that is local to a user account on the computer, select Current User.
Note: Certificates used by a common access card (CAC) reader are user certificates and
are stored under Current User.

 d. Do one of the following:
 o To select a certificate from the "Personal" ("My") certificate store, select My from the
drop-down list.
 o To select a trusted root certificate, select Root from the drop-down list.
 e. Does the website use a CAC reader?
 o If yes, do the following:
 A. Select a certificate that is prefixed with “(SmartCard)” from the Certificate list.
Information about the selected certificate and a PIN field appear in the Certificate
Information area.
 B. If a PIN is required, type the PIN for the CAC in the PIN field.

Note: If a PIN is required and you do not enter the PIN at this point, you must enter
the PIN in the Windows Security window each time it prompts you for it during the
scan.

 C. Click Test.
If you entered the correct PIN, a Success message appears.
 o If no, select a certificate from the Certificate list.
Information about the selected certificate appears below the Certificate list.
 f. Click OK.
 4. Select Site Authentication to use a recorded macro containing one or more usernames and
passwords that allows you to log in to the target site. The macro must also contain a "logout
condition," which indicates when an inadvertent logout has occurred so Fortify WebInspect can
rerun this macro to log in again.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login
macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the log in is
successful. If the macro is invalid and fails to log in to the application, the scan stops and an error
message is written in the scan log file. For more information and troubleshooting tips, see "Testing
Login Macros" on page 456.
Continue according to what you want to do.

Use a pre-recorded Web Macro Recorder macro
Click the ellipsis button (...) to select a macro. If, after selecting the macro, you want to modify it
using the Web Macro Recorder, click Edit.
Tip: To erase the macro name, clear the Site Authentication check box.

Use a pre-recorded Selenium IDE macro
Do the following:
 a. Click the ellipsis button (...) to browse for a saved Selenium IDE macro.
The Select a Login Macro window appears.
 b. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium IDE macros do not have a specific file extension and can be any type of text file,
including XML.
 c. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 d. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
 e. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 f. Do one of the following:
 o If the macro plays successfully, the message "Successfully verified macro" appears. Continue
with Step g.
 o If the macro does not play successfully, an error message appears. Use the error message to
debug and correct the error in Selenium, and return to Step i of this procedure to try the
import again.
 g. To specify a logout condition, click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
 h. Add a logout condition and click OK.
 i. Click OK to add the macro to the Scan Wizard.

Create a new macro
Click Record.
The TruClient Web Macro Recorder opens.
Note: For more information about using the TruClient Web Macro Recorder, see the Web Macro
Recorder Help.

Automatically create a login macro
 a. Select Auto-gen Login Macro.
 b. Type a username in the Username field.
 c. Type a password in the Password field.
Optionally, click Test to locate the login form, generate the macro, and run macro validation tests
before advancing to the next stage in the Scan Wizard. If you need to cancel the validation test prior
to completion, click Cancel.
If the macro is invalid and fails to log in to the application, an error message appears. For more
information and troubleshooting tips, see "Testing Login Macros" on page 456.
Note: You cannot automatically create login macros for privilege-escalation and multi-user login
scans.

 5. Click Next.
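The Basic and Digest descriptions in the authentication method list above (the same text appears under "Authentication and Connectivity" for Web Service scans, and the "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l" header is quoted under API Scan) can be made concrete. The Python below is an added example and is not code from the Fortify WebInspect documentation or product; it follows RFC 7617 (Basic) and RFC 2617 (Digest). It decodes a Basic header to show that the credentials are only Base64-encoded, and computes a Digest response from the RFC 2617 worked example so the derivation from the MD5 of user name, realm and password is visible.

```python
"""Basic and Digest HTTP authentication, worked through.

Added example, not code from the Fortify WebInspect documentation or
product; it follows RFC 7617 (Basic) and RFC 2617 (Digest). It makes two
statements from the authentication method list concrete: a Basic header
carries the user name and password in Base64, which anyone who can read the
request can reverse, while a Digest client sends an MD5-derived response and
never the password itself. The Basic header decoded here is the one quoted
under "API Scan"; the Digest values are the RFC 2617 worked example.
"""
import base64
import hashlib
from typing import Dict, Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Authorization header value for Basic authentication (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Recover the user name and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: a proxy or a packet capture on a
    plain HTTP connection sees the credentials as plainly as this function.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> Dict[str, str]:
    """Compute the Digest 'response' (RFC 2617, algorithm MD5).

    The intermediate hashes are returned too so the derivation is visible.
    Only HA1 depends on the password, and HA1 never leaves the client; the
    server recomputes 'response' from its own copy of HA1 and the nonce it
    issued. Sniffing the exchange yields neither the password nor HA1,
    although an offline guess of a weak password is still possible, which
    is why TLS remains advisable even with Digest.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    else:  # RFC 2069 compatibility form, used when the server offers no qop
        response = _md5(f"{ha1}:{nonce}:{ha2}")
    return {"HA1": ha1, "HA2": ha2, "response": response}


# The worked example from RFC 2617 section 3.5 (client password "Circle Of Life").
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    qop="auth", nc="00000001", cnonce="0a4f113b",
)

if __name__ == "__main__":
    print("Basic header decodes to:",
          decode_basic_header("Basic YWxhZGRpbjpvcGVuc2VzYW1l"))
    for key, value in digest_response(**RFC2617_EXAMPLE).items():
        print(f"Digest {key}: {value}")
```

The header quoted under API Scan decodes to the user name "aladdin" and the password "opensesame", which is the point of the guide's warning: when WebInspect is configured for Basic authentication, the scan's credentials cross the wire in this form on every request, so the target should be reached over TLS.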

Coverage and Thoroughness


 1. To optimize settings for an application built using either Oracle Application Development
Framework Faces components or IBM WebSphere Portal, select Framework and then choose
Oracle ADF Faces or WebSphere Portal from the Optimize scan for list. Fortify may develop
other settings overlays and make them available through Smart Update.
For more information about scanning a WebSphere portal, see "WebSphere Portal FAQ " on
page 272.
 2. Use the Crawl Coverage slider to specify the crawler settings.
This slider may or may not be enabled, depending on the scan mode you selected. The label
associated with this slider also depends on your selection. If enabled, the slider allows you to select
one of four crawl positions. Each position represents a specific collection of settings, as represented
by the following labels:
Thorough
A Thorough crawl is an automated crawl that uses the following settings:
 l Redundant Page Detection: OFF
 l Maximum Single URL Hits: 10
 l Maximum Web Form Submissions: 7
 l Maximum Script Events Per Page: 2000
 l Number of Dynamic Forms Allowed Per Session: Unlimited
 l Include Parameters In Hit Count: True
Default
A Default crawl is an automated crawl that uses the following (default scan) settings:
 l Redundant Page Detection: OFF
 l Maximum Single URL Hits: 5
 l Maximum Web Form Submissions: 3
 l Maximum Script Events Per Page: 1000
 l Number of Dynamic Forms Allowed Per Session:  Unlimited
 l Include Parameters In Hit Count: True
Moderate
A Moderate crawl is an automated crawl that uses the following settings:
 l Redundant Page Detection: OFF
 l Maximum Single URL Hits: 5
 l Maximum Web Form Submissions: 2

 l Maximum Script Events Per Page: 300
 l Number of Dynamic Forms Allowed Per Session:  1
 l Include Parameters In Hit Count: False
Quick
A Quick crawl uses the following settings:
 l Redundant Page Detection: ON
 l Maximum Single URL Hits: 3
 l Maximum Web Form Submissions: 1
 l Maximum Script Events Per Page: 100
 l Number of Dynamic Forms Allowed Per Session:  0
 l Include Parameters In Hit Count: False
If you click Settings (to open the Advanced Settings dialog box) and change a setting that
conflicts with any setting established by one of the four slider positions, the slider creates a fifth
position labeled Customized Coverage Settings. 
 3. Select a policy from the Audit Depth (Policy) list.
This list may or may not be enabled, depending on the scan mode you selected in Step 1. For
descriptions of policies, see "Fortify WebInspect Policies" on page 424.
 4. Click Next.

Detailed Scan Configuration


Profiler
Fortify WebInspect conducts a preliminary examination of the target Web site to determine if certain
settings should be modified. If changes appear to be required, the Profiler returns a list of suggestions,
which you may accept or reject.
For example, the Server Profiler may detect that authorization is required to enter the site, but you have
not specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Server Profiler's suggestion to configure the
required information before continuing.
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found"
detection. This process is useful for Web sites that do not return a status "404 Not Found" when a client
requests a resource that does not exist (they may instead return a status "200 OK," but the response
contains a message that the file cannot be found). If the Profiler determines that such a scheme has
been implemented in the target site, it would suggest that you modify the Fortify WebInspect setting to
accommodate this feature. 
To launch the Profiler each time you access this page, select Run Profiler Automatically.
To launch the Profiler manually, click Profile. For more information, see "Server Profiler" on page 229.
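The "file-not-found" detection described above can be illustrated. The Python below is an added example, not the Server Profiler's own method (which the guide does not describe in detail) and not code from Fortify WebInspect: it requests a resource that cannot exist, records whether the server answers 404 or answers 200 with a page that merely says the file is missing, and then classifies other responses by comparing their content with that probe instead of trusting the status code. Both sample sites and their responses are constructed.

```python
"""Profiling how a site reports missing files ("file-not-found" detection).

Added example, not the Server Profiler's own method (the guide does not
describe it) and not code from Fortify WebInspect. A probe for a resource
that cannot exist tells us whether the server answers 404, or answers 200
with a page that merely says the file is missing. In the second case a
scanner must recognise not-found pages by content, or it will record every
such response as a real page. Both sample sites below are constructed.
"""
import re
import secrets
from typing import Callable, Dict, FrozenSet, NamedTuple


class Response(NamedTuple):
    status: int
    body: str


Fetch = Callable[[str], Response]

NOT_FOUND_PHRASES = re.compile(
    r"(not\s+found|could\s+not\s+be\s+found|does\s+not\s+exist|"
    r"no\s+such\s+(?:page|file)|error\s+404)", re.IGNORECASE)


def probe_path() -> str:
    """A path that cannot exist on the target; random so caches do not answer."""
    return f"/wi-probe-{secrets.token_hex(8)}.html"


def page_words(body: str) -> FrozenSet[str]:
    """Word set of a page with volatile tokens removed.

    Tags, echoed paths and numbers are dropped so that two not-found pages
    that differ only in the requested path compare as equal.
    """
    text = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"/\S+", " ", text)
    text = re.sub(r"\d+", " ", text)
    return frozenset(w for w in text.lower().split() if len(w) > 2)


def similarity(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity of two word sets (1.0 = identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def profile_not_found(fetch: Fetch) -> Dict[str, object]:
    """Learn how the site signals a missing resource."""
    probe = fetch(probe_path())
    if probe.status == 404:
        return {"content_based": False, "status": 404, "signature": None, "phrase": None}
    # 200 (or a redirect) for a resource that cannot exist: the status code
    # is useless here, so remember what the not-found page looks like.
    hit = NOT_FOUND_PHRASES.search(probe.body)
    return {"content_based": True, "status": probe.status,
            "signature": page_words(probe.body),
            "phrase": hit.group(0) if hit else None}


def looks_like_not_found(resp: Response, profile: Dict[str, object],
                         threshold: float = 0.8) -> bool:
    """Classify a response using the learned profile."""
    if resp.status == 404:
        return True
    if not profile["content_based"]:
        return False
    return similarity(page_words(resp.body), profile["signature"]) >= threshold


# Constructed site 1: every unknown path gets a friendly page with status 200.
SOFT_SITE = {
    "/": Response(200, "<html><h1>Example Bank</h1><p>Welcome to online banking."
                       "</p><a href='/accounts'>Accounts</a></html>"),
    "/accounts": Response(200, "<html><h1>Your accounts</h1>"
                               "<p>Checking 1234 balance 10.00</p></html>"),
}


def fetch_soft(path: str) -> Response:
    if path in SOFT_SITE:
        return SOFT_SITE[path]
    return Response(200, f"<html><h1>Oops</h1><p>The page {path} could not be "
                         "found on this server. Error 404.</p></html>")


# Constructed site 2: unknown paths get a real 404.
def fetch_strict(path: str) -> Response:
    return SOFT_SITE.get(path, Response(404, "<html>Not Found</html>"))


if __name__ == "__main__":
    for name, fetch in (("soft", fetch_soft), ("strict", fetch_strict)):
        prof = profile_not_found(fetch)
        verdict = looks_like_not_found(fetch("/does-not-exist/report.pdf"), prof)
        print(name, "content_based =", prof["content_based"],
              "phrase =", prof["phrase"], "missing =", verdict)
```

The similarity threshold is the tuning knob: a site whose not-found page embeds the requested path, a timestamp or a request id still profiles correctly because those tokens are stripped before comparison, while a genuinely different page scores near zero.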

Results appear in the Settings section.

Settings
 1. Accept or reject the suggestions. To reject, clear the associated check box.
 2. If necessary, provide the requested information.
 3. Click Next.
Several options may be presented even if you do not run the Profiler. They include:
 l Auto fill Web forms
 l Add allowed hosts
 l Reuse identified false positives
 l Apply sample macro
 l Traffic analysis

Auto Fill Web Forms


Select Auto-fill Web forms during crawl if you want Fortify WebInspect to submit values for input
controls on forms it encounters while scanning the target site. Fortify WebInspect will extract the values
from a prepackaged default file or from a file that you create using the Web Form Editor. You may:
 l Click the ellipsis button to locate and load a file.

 l Click Edit to edit the selected file (or the default values) using the Web Form Editor.

 l Click Create to open the Web Form Editor and create a file.

Add Allowed Hosts


Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses
multiple domains, add those domains here. For more information, see "Scan Settings: Allowed Hosts" on
page 355.
To add allowed domains:
 1. Click Add.
 2. On the Specify Allowed Host window, enter a URL (or a regular expression representing a URL)
and click OK. 
For more information about adding or editing Allowed Hosts, see "Specifying Allowed Hosts" on
page 176.

Reuse Identified False Positives


Select scans containing vulnerabilities that were changed to false positives. If those false positives
match vulnerabilities detected in this scan, the vulnerabilities will be changed to false positives. For more
information, see "False Positives" on page 81.


To reuse identified false positives:


 1. Select Import False Positives.
 2. Click Select Scans.
 3. Select one or more scans containing false positives from the same site you are now scanning.
 4. Click OK.
Note: You cannot import false positives when scheduling a scan or conducting an Enterprise scan.

Sample Macro
Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login. If
you scan this site, select Apply sample macro to run the sample macro containing the login script.

Traffic Analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the
HTTP requests issued by Fortify WebInspect and the responses returned by the target server.
While scanning a Web site, Fortify WebInspect displays in the navigation pane only those sessions that
reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was
discovered. However, if you select Enable Traffic Monitor, Fortify WebInspect adds the Traffic
Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by
Fortify WebInspect and the associated HTTP response received from the server.

Message
If the profiler does not recommend changes, the Scan Wizard displays the message, "No settings
changes are recommended. Your current scan settings are optimal for this site."

Congratulations
The contents of this window vary, depending on your choices and configuration.

Upload to Fortify WebInspect Enterprise Scan Template


When connected to an enterprise server (Fortify WebInspect Enterprise), you can send the settings for
this scan to Fortify WebInspect Enterprise, which will create a scan template. However, you must be
assigned to a role that allows you to create scan templates.

Save Settings
You can save the settings you configured for this scan, which would allow you to reuse the settings for
a future scan.


Generate Reports
If you are scheduling a scan, you can instruct Fortify WebInspect to generate a report when the scan
completes.
 1. Select Generate Reports.
 2. Click the Select reports hyperlink.
 3. (Optional) Select a report from the Favorites list.
A "favorite" is simply a named collection of one or more reports and their associated parameters. To
create a favorite once you have selected reports and parameters, click the Favorites list and select
Add to favorites.
 4. Select one or more reports.
 5. Provide information for any parameters that may be requested. Required parameters are outlined
in red.
 6. Click Next.
 7. If you select Automatically Generate Filename, the name of the report file will be formatted as
<reportname> <date/time>.<extension>. For example, if creating a compliance report in pdf
format and the report is generated at 6:30 on April 5, the file name would be "Compliance
Report 04_05_2009 06_30.pdf." This is useful for recurring scans.
Reports are written to the directory specified for generated reports in the Application settings.
 8. If you did not select Automatically Generate Filename, enter a name for the file in the Filename
box.
 9. Select the report format from the Export Format list.
 10. If you selected multiple reports, you can combine them all into one report by selecting Aggregate
reports into one report.
 11. Select a template that defines the headers and footers used for the report and, if necessary,
provide the requested parameters.
 12. Click Finished.
 13. Click Schedule.

Using the Site List Editor


When performing a List-Driven Scan using the Basic Scan Wizard, you can build or edit the list of URLs
using the Site List Editor.
To access the Site List Editor:
 l Click Manage under the List-Driven Scan option in the Basic Scan Wizard.
To add individual URLs manually:
 1. Click Add.
 2. Enter a URL that you want to include in the scan. If you do not specify the protocol, the editor will
add "http://" to the beginning of the URL.
 3. Repeat as necessary.


To add URLs specified in a text file or XML file:


 1. Click Import.
 2. Using the standard file-selection window, locate the file and click Open.
 3. Repeat as necessary.
Note: The editor does not check for duplicates. If you import two lists and both lists contain
the same URL, that URL will be listed twice.
Also, each URL must include the protocol (for example, http:// or https://). Unlike manual
entry, the editor will not automatically add a protocol to the beginning of an imported URL.
To edit an entry:
 l Click a URL.
To delete an entry:
 l Select a URL and click Delete.
See Also
"Running a Basic Scan" on page 160

Configuring the Proxy Profile


When performing a Basic Scan and using proxy settings from a Proxy Automatic Configuration (PAC)
file or specifying Explicit Proxy Settings, you can configure the proxy options in the Proxy Profile
window.
To access the Proxy Profile window:
 l Click Edit under Network Proxy in the Basic Scan Wizard.

Configure proxy using a PAC file


Load proxy settings from a Proxy Automatic Configuration (PAC) file. Specify the file location in the
URL box.

Explicitly configure proxy


Configure a proxy by entering the requested information.
 1. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box) by
the port number (for example, 8080).
 2. From the Type list, select a protocol for handling TCP traffic through a proxy server: SOCKS4,
SOCKS5, or standard.
 3. If authentication is required, select a type from the Authentication list:
Automatic
Allow Fortify WebInspect to determine the correct authentication type. 


Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
NT LAN Manager (NTLM)
NTLM is an authentication process that is used by all members of the Windows NT family of
products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the
client’s identity without requiring that either a password or a hashed password be sent across the
network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site.
Caution! After configuring Fortify WebInspect for NTLM authentication and scanning the
NTLM-protected sites, you might want to disable the NTLM authentication settings to prevent
any potential problem.

 4. If your proxy server requires authentication, enter the qualifying user name and password.
 5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing
sites), enter the addresses or URLs in the Bypass Proxy For box. Use commas to separate entries.
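The difference between Basic and Digest that the descriptions above turn on can be seen in the headers themselves. The following Python is an added example (not Fortify WebInspect code) that builds an Authorization header for Basic and one for Digest (RFC 2617 with qop=auth), shows that the Basic value decodes straight back to the user name and password, and verifies the Digest response the way a server or proxy would, from a stored HA1. The user name, password, realm and nonce are constructed values; when the credentials are for a proxy, the same values travel in the Proxy-Authorization header instead.

```python
import base64
import hashlib
import hmac
import re
import secrets


def basic_header(username: str, password: str) -> str:
    """Build the value a client sends in Authorization (or Proxy-Authorization) for Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_as_seen_on_the_wire(header: str) -> str:
    """Base64 is an encoding, not encryption: whoever sees the header sees the credential pair."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 is what a Digest server stores instead of the clear-text password (RFC 2617).
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username: str, password: str, realm: str, nonce: str,
                  method: str, uri: str, cnonce: str = None) -> str:
    """Build the client's Digest header for a server-supplied nonce (qop=auth, first use)."""
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    response = digest_response(digest_ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header.split(" ", 1)[1]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def server_accepts_digest(header: str, method: str, stored_ha1: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    f = parse_digest(header)
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])
```

Digest keeps the password itself off the wire, but its response is still an MD5 computation over that password, so a secure (TLS) connection to the proxy or server, the mitigation the Basic description above recommends, is the right control in both cases.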
See Also
"Running a Basic Scan" on page 160

Specifying Allowed Hosts


Specify an Allowed Host to add domains to be crawled. If your Web presence uses multiple domains,
add those domains here. For example, if you were scanning "WIexample.com," you would need to add
"WIexample2.com" and "WIexample3.com" here if those domains were part of your Web presence and
you wanted to include them in the crawl or audit. 
You can also use this feature to scan any domain whose name contains the text you specify. For
example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed
host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it
will pursue that link and scan that site's server, repeating the process until all linked sites are scanned.
For this hypothetical example, Fortify WebInspect would scan the following domains:
 l www.myco.com:80 
 l contact.myco.com:80
 l www1.myco.com
 l ethics.myco.com:80
 l contact.myco.com:443
 l wow.myco.com:80
 l mycocorp.com:80
 l www.interconnection.myco.com:80
Note that if you specify a port number, then the allowed host must be an exact match.
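An added example (not the product's own code) of the matching rules just described: plain text matches any host whose name contains it, a regular expression (the Use Regular Expression option) is applied to the host name, and an entry that carries a port number must match host and port exactly. The scheme-based default ports and the choice to apply a regular expression to the host name only are assumptions of the example; the encountered URLs are the hypothetical list above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AllowedHost:
    pattern: str             # text entered in the Allowed Host box
    use_regex: bool = False  # the "Use Regular Expression" option


def host_and_port(url: str):
    """Return (hostname, port) for a URL; the default port follows the scheme (assumed)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port


def split_entry(entry: str):
    """'www.myco.com:80' -> ('www.myco.com', 80); 'myco' -> ('myco', None)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return entry.lower(), None


def is_allowed(url: str, allowed: list) -> bool:
    host, port = host_and_port(url)
    for entry in allowed:
        if entry.use_regex:
            if re.search(entry.pattern, host, re.IGNORECASE):
                return True
            continue
        want_host, want_port = split_entry(entry.pattern)
        if want_port is not None:
            if host == want_host and port == want_port:  # a port makes the entry an exact match
                return True
        elif want_host in host:                           # plain text: substring match
            return True
    return False


# The hypothetical link targets listed above.
ENCOUNTERED = [
    "www.myco.com:80", "contact.myco.com:80", "www1.myco.com", "ethics.myco.com:80",
    "contact.myco.com:443", "wow.myco.com:80", "mycocorp.com:80",
    "www.interconnection.myco.com:80",
]


def in_scope(allowed: list) -> list:
    """Which of the encountered hosts a scan with these Allowed Hosts would pursue."""
    return [u for u in ENCOUNTERED if is_allowed(u, allowed)]
```

A bare word such as "myco" also pulls unrelated names like mycocorp.com into the crawl, as the list above shows; an anchored regular expression such as `\.myco\.com$` keeps the scan on the domains you are authorized to test.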


Specifying Allowed Hosts


To specify (add) allowed hosts:
 1. On the Detailed Scan Configuration page of the Basic Scan Wizard, click Add.
 2. On the Specify Allowed Host dialog box, enter a URL (or a regular expression representing a URL).
Note: When specifying the URL, do not include the protocol designator (such as http:// or
https://).

 3. If you entered a regular expression for the allowed host, select Use Regular Expression.

For assistance creating a regular expression, click  (to the right of the Allowed Host box).
 4. Click OK.

Editing Allowed Hosts


To edit allowed hosts:
 1. On the Detailed Scan Configuration page of the Basic Scan Wizard, select a host and then click
Edit.
 2. On the Edit Allowed Host dialog box, edit the URL (or the regular expression representing the
URL).
Note: When editing the URL, do not include the protocol designator (such as http:// or
https://).

 3. Click OK.


See Also
"Running a Basic Scan" on page 160

Multi-user Login Scans


Applications that allow only a single active login session per user prevent multi-threaded scanning. With
multiple logins, the threads invalidate each other's state, resulting in slow scan times.
A solution to this problem is to convert the recorded credentials in a login macro to parameters and use
multiple login accounts with the same application privileges. You can use the Multi-user Login option in
the Scan Settings: Authentication window to parameterize the username and password in a login
macro, and define multiple username and password pairs to use in a scan. This approach allows the scan
to run across multiple threads. Each thread has a different login session, resulting in faster scan times.


Before You Begin


You must use a parameterized login macro to configure a multi-user login scan. For more information,
see the Parameters Editor topic in the Unified Web Macro Recorder chapter of the Micro Focus Fortify
WebInspect Tools Guide.

Known Limitations
The following known limitations apply to the multi-user login feature:
 l When using this feature, Fortify WebInspect does not detect several login-related Securebase checks.
 l This feature currently supports only shared requestor threads. Using default scan settings with
separate crawl and audit threads is not supported. For more information, see "Scan Settings:
Requestor" on page 348.
 l The scan does not distribute the work equally among the multiple users logged in. For example, one
configured user might use up to 75% of the scan activities while all other users are allocated to the
remaining 25% of scan activities.

Process Overview
To configure a multi-user login scan, use the process described in the following stages.

Stage 1. Set the shared requestor to the desired number of users. For more information, see "Scan
Settings: Requestor" on page 348.
Important! The number of shared requestor threads should not be more than the number of
configured users. Requestor threads without valid users will cause the scan to run longer.
Remember to count the original username and password in the parameterized macro as the first
user when you configure multiple users.

Stage 2. Ensure that you have a login macro with parameterized username and password. For more
information, see the Parameters Editor topic in the Unified Web Macro Recorder chapter of the Micro
Focus Fortify WebInspect Tools Guide.

Stage 3. In the Basic Scan wizard or Guided Scan wizard, enable the multi-user checkbox as described
in "Configuring a Multi-user Login Scan" on the next page.

Stage 4. Add credentials for multiple users as described in "Adding Credentials" on the next page.

Stage 5. Continue through the scan wizard as normal and conduct the scan.


Configuring a Multi-user Login Scan


To configure a multi-user login scan:
 1. Do one of the following:
 l From the Basic Scan wizard, click Edit > Current Scan Settings. Then, select Scan Settings >
Authentication.
 l From the Guided Scan wizard, click Advanced in the ribbon, and then select Scan Settings >
Authentication.
 2. Select the Use a login macro for forms authentication checkbox.
Important!  You must select this checkbox to enable the multi-user login option.

 3. Do one of the following:


 l To record a new macro, click Record and record a login macro as usual.
Note: The Record button is not available for Guided Scan, because Guided Scan includes a
separate stage for recording a login macro. After recording the macro, you must
parameterize the credentials.

 l To use an existing macro, click ... and select a saved macro that already has parameterized
credentials.
 4. Select the Multi-user Login checkbox.
Note: If you clear the Multi-user Login checkbox prior to running the scan, the additional
credentials will not be used during the scan. Fortify WebInspect will use only the original
credentials recorded in the login macro.

 5. Continue as follows:


 l To add a user’s credentials, go to "Adding Credentials" below.
 l To edit a user’s credentials, go to "Editing Credentials" on the next page.
 l To delete a user’s credentials, go to "Deleting Credentials" on the next page.
 6. After configuring the user's credentials, continue through the scan wizard as normal and conduct
the scan.

Adding Credentials
To add credentials:
 1. Under Multi-user Login, click Add.
The Multi-user Credential Input dialog box appears.
 2. In the Username field, type a username.
 3. In the Password field, type the corresponding password.


 4. Click OK.


 5. Repeat Steps 1-4 for each user login to add.
Important! The number of shared requestor threads should not be more than the number of
configured users. Requestor threads without valid users will cause the scan to run longer.
Remember to count the original username and password in the parameterized macro as the first
user when you configure multiple users. For more information, see "Scan Settings: Requestor" on
page 348.

Editing Credentials
To edit credentials:
 1. Under Multi-user Login, select a Username/Password pair and click Edit.
The Multi-user Credential Input dialog box appears.
 2. Edit the credentials as needed.
 3. Click OK.

Deleting Credentials
To delete credentials:
 1. Under Multi-user Login, select a Username/Password pair to be removed.
 2. Click Delete.

Interactive Scans
Web applications using two-factor authentication or similar anti-scanning technology require an
interactive scan configuration in WebInspect. In an interactive scan, you are presented with a browser
window asking for user input for authentication. You can configure an automated interactive scan that
will pause only when an input field is encountered. This pause affects only the Requestor thread that
encounters the input field. The remaining threads are unaffected.
This configuration works for CAPTCHA, RSA ID token fields, virtual PIN pads, virtual keyboards, and
common access card (CAC) readers where the PIN or input is dynamic and changes.

Tip: For websites that use a CAC reader with a static PIN, you can configure the scan to use CAC
certificates. See one of the following topics:
 l "Scan Settings: Authentication" on page 373
 l "Running a Basic Scan" on page 160
 l "Using the Native Scan Template" on page 142
 l "Using the Mobile Scan Template" on page 124
 l "Using the Predefined Template" on page 107


Configuring an Interactive Scan


The following stages describe the process for configuring an interactive scan.

Stage 1. Prepare the Web forms input file as follows:
 1. Record or enter the field name into the Web Form Editor tool.
 2. Right-click the form name and select Mark As Interactive.
 3. Save the Web Forms input file.
For more information, see the "Web Form Editor" chapter in the Tools Guide for Fortify WebInspect
Products.

Stage 2. Are you using a client-side certificate that requires a dynamic PIN?
 l If yes, launch Internet Explorer and ensure that the client-side certificate is listed or manually
import it. This action temporarily loads the certificate into the Windows certificate store.
Note: Plugging in the hardware token and entering the requested PIN may do this automatically.
 l If no, skip to Stage 3.

Stage 3. Configure the scan method for interactive scan mode as follows:
 1. Open the Scan Settings: Method window.
 2. In the Auto fill web forms field, specify the Web Forms input file you created in Stage 1.
 3. Select the Prompt for web form values during scan (interactive mode) check box.
 4. Select the Only prompt for tagged inputs check box.
Note: If this final check box is not selected, you will be prompted for all inputs encountered on
the site.

Stage 4. Are you using a client-side certificate that requires a dynamic PIN?
 l If yes, configure authentication to use the client-side certificate:
 a. Open the Scan Settings: Authentication window.
 b. In the Client Certificates area, select the Enable check box and browse to select the user's
certificate.
Fortify WebInspect uses this certificate until it times out and fails to enter the requested PIN, or
until the hardware token is removed and Windows drops the certificate from the store.
 l If no, skip to Stage 5.

Stage 5. Save the scan settings and use them in a Fortify WebInspect scan.

Important! You must watch for the pop-ups to enter the form value as needed.

Restrict to Folder Limitations


This topic describes limitations to the Restrict to folder scan option when JavaScript include files are
encountered or when a login or workflow macro is used.

JavaScript Include Files


During a scan, the crawler and JavaScript engine might access external JavaScript include files. These
files are not actively audited, so no attacks are sent over HTTP. However, passive inspection can reveal
issues with JavaScript include files, and these files will be listed in the site tree.

Login Macros
If you use a login macro, then sessions requested in the macro will be listed in the site tree. The sessions
will be passively audited, meaning that no attacks will be sent, but vulnerabilities such as weak
encryption, unencrypted login forms, and so on might be revealed.

Workflow Macros
If you use a workflow macro in a Crawl and Audit scan or a Crawl Only scan, then the scan might violate
the Restrict to folder option. The assumption is that you wish to visit the URLs included in the workflow
macro.

Running an Enterprise Scan


An enterprise scan provides a comprehensive overview of your Web presence from an enterprise
network perspective. Fortify WebInspect will automatically discover all available ports for a range of IP
addresses. You can then select which servers to assess for vulnerabilities from all servers that are
discovered.


To start an Enterprise Scan:


 1. Do one of the following to launch the Enterprise Scan Wizard:
 l On the Fortify WebInspect Start Page, click Start an Enterprise scan.
 l Click File > New > Enterprise Scan.
 l Click the drop-down arrow on the New icon (on the toolbar) and select Enterprise Scan.
 l On the Fortify WebInspect Start Page, click Manage Scheduled Scans, click Add, and then
select Enterprise Scan.
 2. On Step 1 of the Enterprise Scan Wizard, specify when you want to conduct the scan. The choices
are:
 l Immediately: The scan will run immediately after finishing the Scheduled Scan Wizard.
 l Run Once Date / Time: Modify the date and time when the scan should begin. You can click the
drop-down arrow to reveal a calendar for selecting the date.
 l Recurrence Schedule: Use the slider to select a frequency (Daily, Weekly, or Monthly). Then
specify the time when the scan should begin and (for Weekly or Monthly) provide other
schedule information.
 3. Click Next.
 4. On Step 2 of the Enterprise Scan Wizard, in the Enterprise Scan Name box, enter a unique name
for this enterprise scan.
 5. At this point, you can perform one or more of the following functions:
 l Instruct Fortify WebInspect to discover all available servers within a range of IP
addresses and ports that you specify.


To discover Web servers:


 i. Click Discover.
The Search for Web Servers window appears.

 ii. In the IPV4/IPV6 Addresses (or ranges) box, type one or more IP addresses or a range
of IP addresses.
 l Use a semicolon to separate multiple addresses.
Example: 172.16.10.3;172.16.10.44;188.23.102.5
 l Use a dash or hyphen to separate the starting and ending IP addresses in a range.
Example: 10.2.1.70-10.2.1.90.
Note: IPV6 addresses must be enclosed in brackets. See "Internet Protocol Version 6"
on page 337.

 iii. In the Ports (or ranges) box, type the ports you want to scan.
 l Use a semicolon to separate multiple ports.
Example: 80;8080;443
 l Use a dash or hyphen to separate the starting and ending ports in a range.
Example: 80-8080.
 iv. (Optional) Click Settings to modify the number of sockets and timeout parameters used
for the discovery process.
 v. Click Start to initiate the discovery process.
Results display in the Discovered End Points area.
 l Click an entry in the IP Address column to view that site in a browser.
 l Click an entry in the Identification column to open the Session Properties window,
where you can view the raw request and response.


 vi. To remove a server from the list, clear the associated check box in the Selection column.
 vii. Click OK.
The IP addresses appear in the "Hosts to Scan" list.
 l Enter individual URLs or IP addresses of hosts to scan.
To manually enter a list of URLs or IP addresses you want to scan:
 i. Click Add.
The Scan Wizard opens.
 ii. Provide the information described in "Running a Basic Scan" on page 160.
 iii. Repeat for additional servers.
 l Import a list of servers that you want to scan (using a list that you previously created).
If you previously used the Enterprise Scan feature or the Web Discovery tool to detect servers
and then exported your findings to a text file, you can load those results by clicking Import and
then selecting the saved file.
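The address and port syntax accepted by the Search for Web Servers window (semicolon-separated entries, hyphenated ranges, bracketed IPv6 literals) is simple enough to validate before a discovery run. The following Python is an added example, not Fortify WebInspect's parser: it expands both boxes into explicit lists, refuses a range that would expand past a configurable host limit (a safeguard of the example, not a product setting), and filters the result against permitted networks given in CIDR form, mirroring the licence note below that servers at addresses outside your licence are not scanned. The sample inputs are the ones quoted in the steps above plus constructed IPv6 values.

```python
import ipaddress


def _entries(text: str) -> list:
    """Split a semicolon-separated box into its non-empty entries."""
    return [e.strip() for e in text.split(";") if e.strip()]


def _address(token: str):
    # IPv6 literals are entered in brackets; strip them before parsing.
    return ipaddress.ip_address(token.strip().strip("[]"))


def parse_addresses(text: str, max_hosts: int = 65536) -> list:
    """Expand the 'IPV4/IPV6 Addresses (or ranges)' box into individual addresses."""
    addresses = []
    for entry in _entries(text):
        if "-" in entry:
            start, end = (_address(t) for t in entry.split("-", 1))
            if start.version != end.version or end < start:
                raise ValueError(f"bad range: {entry}")
            count = int(end) - int(start) + 1
            if len(addresses) + count > max_hosts:
                # A mistyped range can silently turn into a sweep of millions of hosts.
                raise ValueError(f"range {entry} exceeds the {max_hosts}-host limit")
            addresses.extend(start + i for i in range(count))
        else:
            addresses.append(_address(entry))
    return addresses


def parse_ports(text: str) -> list:
    """Expand the 'Ports (or ranges)' box into a sorted, de-duplicated port list."""
    ports = set()
    for entry in _entries(text):
        if "-" in entry:
            lo, hi = (int(t) for t in entry.split("-", 1))
        else:
            lo = hi = int(entry)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {entry}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def filter_permitted(addresses: list, permitted_networks: list) -> list:
    """Keep only addresses inside the permitted networks (CIDR strings, assumed format)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in permitted_networks]
    return [a for a in addresses if any(a in n for n in nets)]
```

Running `parse_addresses` and `parse_ports` over your planned input before clicking Start gives you the exact host count and port count the discovery will touch, which is worth knowing before a scheduled enterprise scan fans out across them.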

Edit the 'Hosts to Scan' List


After building a list of servers using one or more of the above methods, you can modify the list.
To modify the settings for a specific scan:
 1. Select a server.
 2. Click Edit.
The Scan Wizard opens.
 3. Change the settings.
 4. Click Finish (on the Edit Basic Scan window).
To delete a server from the list:
 1. Select a server.
 2. Click Delete.

Export a List
To save the "Hosts to Scan" list:
 1. Click Export.
 2. Using a standard file-selection window, specify the file name and location.

Start the Scan


To begin the enterprise scan, click Schedule. Each server's scan results will automatically be saved upon
completion in your default Scans folder. The name of the server, along with a date and time stamp, will
be included in the file name.

Note: Fortify WebInspect licenses permit users to scan specific IP addresses or a range of
addresses. If a server has an IP address that is not permitted by your license, that server will not be
included in the scan.

Running a Manual Scan


A manual scan (also referred to as Step Mode) is a Basic Scan option that allows you to navigate
manually to whatever sections of your application you choose to visit, using Firefox or Internet
Explorer. It does not crawl the entire site, but records information only about those resources that you
encounter while manually navigating the site. This feature is used most often to enter a site through a
Web form logon page or to define a discrete subset or portion of the application that you want to
investigate. Once you finish navigating through the site, you can audit the results to assess the security
vulnerabilities related to that portion of the site that you recorded.
To conduct a manual scan:
 1. On the Fortify WebInspect Start Page, select Start A Basic Scan.
 2. Follow the instructions for configuring a Basic Scan as described in Basic Scan Wizard, selecting
Manual as the scan method. For more information, see "Running a Basic Scan" on page 160.
 3. Click Scan.
 4. When Firefox or Internet Explorer opens, use it to navigate through the site, visiting the areas you
want to record.
Note: If you want to visit certain areas of the application without recording the sessions,
return to Fortify WebInspect and click the Pause button displayed in the Step Mode view
of the Navigation pane. To resume recording sessions, click the Record button . For more
information, see "Navigation Pane" on page 61.

 5. When done, close the browser.


Fortify WebInspect displays the Step Mode view in the Navigation pane, which lists the URL of
each resource you visited. 

 6. Do one of the following:


 l To resume browsing the application, select a session and click Browse.
 l To import the sessions into the scan, click Finish. You can exclude an individual session from the
import by clearing its associated check box.
 7. To audit the recorded sessions, click (on the toolbar).


About Privilege Escalation Scans


Privilege escalation vulnerabilities result from programming errors or design flaws that grant an attacker
elevated access to an application and its data. Fortify WebInspect can detect privilege escalation
vulnerabilities by conducting either a low-privilege or unauthenticated crawl followed by a high-
privilege crawl and audit in the same scan. Fortify WebInspect includes a Privilege Escalation policy as
well as privilege escalation checks that can be enabled in other policies, including custom policies. In
Guided Scan, Fortify WebInspect automatically detects when you have selected a policy with privilege
escalation checks enabled, and prompts you for the required login macro(s).

Two Modes of Privilege Escalation Scans


Fortify WebInspect can perform privilege escalation scans in two modes, determined by the number of
login macros you use:
 l Authenticated Mode – This mode uses two login macros: one for low-privilege access and one for
high-privilege access. In this mode, a low-privilege crawl is followed by a high-privilege crawl and
audit. You can perform this type of scan using Guided Scan. For more information, see "Running a
Guided Scan" on page 106.
Note: When using the Enhance Coverage of Your Web Site feature in Guided Scan in
conjunction with the Privilege Escalation policy, the explored locations are collected while
authenticated with the high-privilege login macro.

 l Unauthenticated Mode – This mode uses only a high-privilege login macro. In this mode, the low-
privilege crawl is actually an unauthenticated crawl. Any privilege escalation detected during this scan
is moving from unauthenticated to high privilege. You can perform this type of scan using Guided
Scan (and providing only a high-privilege login macro) or the Basic Scan wizard. For more
information, see "Running a Basic Scan" on page 160.

What to Expect During the Scan


When conducting a scan with privilege escalation checks enabled, Fortify WebInspect first performs a
low-privilege crawl of the site. During this crawl, the Site view is not populated with the hierarchical
structure of the Web site. Nor are vulnerabilities populated in the Summary pane. However, you can
confirm that the scan is actively working by clicking the Scan Log tab in the Summary pane. You will see
messages in the log indicating the "Scan Start" time and the "LowPrivilegeCrawlStart" time. When the
low-privilege crawl of the site is complete, the high-privilege crawl and audit phase of the scan occurs.
During this phase, the Site view will be populated and any vulnerabilities found will appear in the
Summary pane. For more information, see "Summary Pane" on page 97.

Regex Patterns Used to Identify Restricted Pages


If your site includes restricted pages that are blocked using text such as “Forbidden,” “Restricted,” or
“Access Denied,” the Privilege Escalation check includes a regex pattern that determines that these
pages are forbidden for the current user. Therefore, these pages are not identified as being vulnerable
for privilege escalation. However, if your site uses other privilege restriction text that does not match
the built-in regex pattern, you must modify the regex to include your own text patterns. Otherwise, the
Privilege Escalation check may generate false positives for those pages.
Modifying Regex for Privilege Restriction Patterns
 1. Click Edit > Default Scan Settings.
The Default Settings window appears.
 2. Select Attack Exclusions in the Audit Settings group.
 3. Click Audit Inputs Editor….
The Audit Inputs Editor appears
 4. Select Check Inputs.
 5. Select check 11388 Privilege Escalation.
The Privilege Restriction Patterns appear in the right pane. By default, the pattern is as follows:
forbidden|restricted|access\sdenied|(?:operation\snot\s(?:allowed|permitted|authorized))|(?:you\s(?:do\snot|don't)\shave\s(?:access|permission|authorization))|(?:you\s(?:are\snot|aren't)\s(?:allowed|permitted|authorized))
 6. Using regex syntax, add any new forbidden action words that are used in your site.
 7. Click OK to save the revised Check Inputs.
 8. Click OK to close the Default Settings window.
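Before adding site-specific wording to the check 11388 inputs, it is worth confirming that the default pattern really misses your site's denial text and that the extended pattern catches it. The following Python script is an added example, not code from the Guide or from WebInspect: the default pattern is the one shown above, while the extra phrases, the sample responses and case-insensitive matching are assumptions made for the example.

```python
import re

# Default Privilege Restriction Pattern for check 11388, as printed in the
# Fortify WebInspect User Guide (line breaks removed).
DEFAULT_PATTERN = (
    r"forbidden|restricted|access\sdenied|(?:operation\snot\s"
    r"(?:allowed|permitted|authorized))|(?:you\s(?:do\snot|don't)\shave\s"
    r"(?:access|permission|authorization))|(?:you\s(?:are\snot|aren't)\s"
    r"(?:allowed|permitted|authorized))"
)

# Hypothetical site-specific denial wording, appended with the regex
# alternation operator. These phrases are constructed for the example.
CUSTOM_ALTERNATIVES = (
    r"|(?:not\sauthori[sz]ed\sfor\sthis\saccount)"
    r"|(?:insufficient\sprivileges)"
)
EXTENDED_PATTERN = DEFAULT_PATTERN + CUSTOM_ALTERNATIVES


def is_restricted(body: str, pattern: str = DEFAULT_PATTERN) -> bool:
    """Return True if the response body reads as an access-denied page.

    Case-insensitive matching is an assumption of this example; confirm how
    the check input is applied in your WebInspect version.
    """
    return re.search(pattern, body, re.IGNORECASE) is not None


def classify(bodies: dict, pattern: str) -> dict:
    """Map each sample response name to whether the pattern treats it as
    restricted (restricted pages are NOT reported as privilege escalation)."""
    return {name: is_restricted(body, pattern) for name, body in bodies.items()}


# Constructed sample responses, as the low-privilege user would receive them.
SAMPLE_BODIES = {
    "default_forbidden": "<h1>403 Forbidden</h1>",
    "default_no_permission": "Sorry, you don't have permission to view this report.",
    "custom_account": "Error: not authorised for this account.",
    "custom_privileges": "Insufficient privileges to open the admin console",
    "real_content": "<h1>Admin Console</h1><p>Welcome back, administrator.</p>",
}

if __name__ == "__main__":
    # Responses that are denials but are NOT matched would become false
    # positives in the Privilege Escalation check.
    for name, restricted in classify(SAMPLE_BODIES, DEFAULT_PATTERN).items():
        print(f"default : {name:24s} restricted={restricted}")
    for name, restricted in classify(SAMPLE_BODIES, EXTENDED_PATTERN).items():
        print(f"extended: {name:24s} restricted={restricted}")
```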

Effect of Crawler Limiting Settings on Privilege Escalation Scans


Fortify WebInspect audits each parameter value during a scan. Therefore, a Privilege Escalation scan is
sensitive to settings that limit the crawler, such as:
 l Limit maximum single URL hits to
 l Include parameters in hit count
 l Limit maximum Web form submission to
 l Perform redundant page detection
For example, if you set “Limit maximum single URL hits to” 1 and the site contains links such as:

index.php?id=2
index.php?id=1
index.php?id=3

then during the high-privilege scan, Fortify WebInspect finds “index.php?id=1” and during the low-
privilege scan, it finds “index.php?id=3”. In this scenario, Fortify WebInspect will mark
“index.php?id=1” with a Privilege Escalation vulnerability. This vulnerability will be a false positive.
For more information, see "Scan Settings: General" on page 341.


Effect of Parameters with Random Numbers on Privilege Escalation Scans

If the site contains parameters with random numbers, you can add the parameter to the list of HTTP
Parameters Used For State to exclude such sessions from audit and reduce the number of false
positives.
For example, for the following parameter:

index.php?_=1440601463586
index.php?_=1440601465662
index.php?_=1440601466365
you would add the _ parameter to the list of HTTP Parameters Used For State.

For more information, see "Scan Settings: HTTP Parsing" on page 356.
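The two false-positive mechanisms described above (a single-URL hit limit that makes the two crawls pick different parameter values, and a random-valued parameter that makes every session look new) can be reproduced with a small model. The following Python script is an added example and not WebInspect's own correlation logic: it assumes, for illustration only, that a high-privilege session with no counterpart in the low-privilege crawl is a candidate finding, and that the hit limit is counted per path; the host and links are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def session_key(url: str, state_params=()) -> str:
    """Normalise a URL for comparing the two crawls.

    Parameters named in state_params (the 'HTTP Parameters Used For State'
    list) are dropped, so sessions that differ only in such a value compare
    equal. The remaining parameters are sorted so their order is irrelevant.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in state_params]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(sorted(query)), ""))


def crawl(links, max_single_url_hits=None):
    """Return the links a crawl keeps under 'Limit maximum single URL hits to'.

    Simplification for this example: hits are counted per path with the query
    string ignored, which is the situation in the Guide's index.php?id=N
    example. None means no limit.
    """
    hits = {}
    kept = []
    for url in links:
        path = urlsplit(url)._replace(query="", fragment="").geturl()
        if max_single_url_hits is None or hits.get(path, 0) < max_single_url_hits:
            hits[path] = hits.get(path, 0) + 1
            kept.append(url)
    return kept


def escalation_candidates(low_priv_links, high_priv_links, state_params=()):
    """High-privilege sessions that the low-privilege crawl never reached
    (simplified model, not WebInspect's algorithm)."""
    low_keys = {session_key(u, state_params) for u in low_priv_links}
    return [u for u in high_priv_links
            if session_key(u, state_params) not in low_keys]


# Constructed sample site. Both crawls meet the same links, but in a different
# order (for example, a list rendered newest-first for one of the users), and
# a status endpoint carries a cache-busting "_" parameter.
BASE = "http://example.test"
LOW_PRIV_LINKS = [
    f"{BASE}/index.php?id=3", f"{BASE}/index.php?id=2", f"{BASE}/index.php?id=1",
    f"{BASE}/status.php?_=1440601463586",
]
HIGH_PRIV_LINKS = [
    f"{BASE}/index.php?id=1", f"{BASE}/index.php?id=2", f"{BASE}/index.php?id=3",
    f"{BASE}/status.php?_=1440601465662",
]


def run_scenario(max_single_url_hits=None, state_params=()):
    """Crawl both privilege levels with the given settings and return the
    high-privilege sessions that the model would flag."""
    low = crawl(LOW_PRIV_LINKS, max_single_url_hits)
    high = crawl(HIGH_PRIV_LINKS, max_single_url_hits)
    return escalation_candidates(low, high, state_params)


if __name__ == "__main__":
    # Hit limit 1 and no state parameter: two false positives.
    print("hit limit 1, no state params:", run_scenario(1))
    # Declaring "_" a state parameter removes the status.php false positive.
    print("hit limit 1, '_' is state   :", run_scenario(1, ("_",)))
    # Removing the hit limit as well leaves nothing to flag.
    print("no hit limit, '_' is state  :", run_scenario(None, ("_",)))
```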


See Also
"Running a Basic Scan" on page 160
"Using the Predefined Template" on page 107
"Using the Mobile Scan Template" on page 124
"Using the Native Scan Template" on page 142

About Single-page Application Scans


This topic describes single-page application (SPA) support for crawling and auditing the Document
Object Model (DOM) of an application.

Important! This version of SPA support is provided as a technology preview.


Technology Preview
Technology preview features are currently unsupported, may not be functionally complete, and are not
suitable for deployment in production. However, these features are provided as a courtesy and the
primary objective is for the feature to gain wider exposure with the goal of full support in the future.

The Challenge of Single-page Applications


Developers use JavaScript frameworks such as Angular, Ext JS, and Ember.js to build SPAs. These
frameworks make it easier for developers to build applications, but more difficult for security testers to
scan those applications for security vulnerabilities.
Traditional sites use simple back-end server rendering, which involves constructing the complete HTML
web page on the server side. SPAs and other “Web 2.0” sites use front-end DOM rendering, or a mix of
front-end and back-end DOM rendering. With SPAs, if the user selects a menu item, the entire page can
be erased and recreated with new content. However, the event of selecting the menu item does not
generate a request for a new page from the server. The content update occurs without reloading the
page from the server.
With traditional vulnerability testing, the event that triggered the new content might destroy other
events that were previously collected on the SPA for audit. Through its SPA support, WebInspect
offers a solution to the challenge of vulnerability testing on SPAs.

Enabling SPA Support


When you enable SPA support, the DOM script engine finds JavaScript includes, frame and iframe
includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by
those events.
You can enable SPA support in the scan settings or in Guided Scan.

Caution! SPA support should be enabled for single-page applications only. Enabling SPA support
to scan a non-SPA website will result in a slow scan.

See also
"Scan Settings: JavaScript" on page 346
"Using the Predefined Template" on page 107
"Using the Mobile Scan Template" on page 124
"Using the Native Scan Template" on page 142


Scan Status
Unless otherwise specified, the scan status is read directly from the database. Scan statuses are
described in the following table.

Status: Description

Running: A scheduled scan or a scan initiated through the command-line interface (CLI) is currently running on the local machine.

Locked: Another instance of Fortify WebInspect has initiated the scan, which is running and its heartbeat has not expired.
Note: Applies to remote SQL Server (full version) only.

Open: A user on the local machine has the scan open in Fortify WebInspect. The user may be the current user (in which case, the scan can be seen on the Scan tab) or it may be another user on the same machine (when using Terminal services, for example). The state stored in the scan database is ignored.

Interrupted: The Fortify WebInspect or CLI instance that was last using the scan crashed. The following conditions must be met:
 l The remote database has a status of "Running."
 l The heartbeat has expired.
 l The scan is not open on the local machine.

Incomplete: The user has paused the scan and closed it. It has not finished running.

Complete: The scan has finished.

Updates to Information in the Scan Manager


The scan manager is not intended to give real-time status information on any of the scans currently
being displayed, with three notable exceptions:
 l A new scan has been created or opened. In this case, the scan manager will list the new scan with a
status of Open.
 l A scan that was previously opened by the current user is closed. For example, a user opens/creates a
scan, then closes it. The status in the scan manager for the scan is updated to reflect the status of the
scan at the time it was closed (for example, Completed, Incomplete, etc.). All statistics will be
refreshed for the single scan only.
 l The duration field is not always accurate or available while a scan is open. Therefore, when a scan is in
the Open, Running, or Locked state, the Duration column will show that the value is unavailable
(instead of a number the user will see "-").
To see any other status changes or updated count information, the user MUST click the refresh button.
See Also
"Scheduled Scan Status " on page 209

Opening a Saved Scan


Use one of the following procedures to open a saved file containing the results of a previous scan.
Using the Menu or Tool bar:
 l Click File > Open > Scan.
 l Click the drop-down arrow on the Open button and select Scan.
From the Start Page tab:
 l Click Start a Basic Scan.
 l On the Home pane, click an entry in the Recently Opened Scans list.
 l On the Manage Scans pane, select a scan and click Open (or double-click the scan name).
Fortify WebInspect loads the scan data and displays it on a separate tab.

Comparing Scans
You can compare the vulnerabilities revealed by two different scans of the same target and use this
information to:
 l Verify fixes: Compare vulnerabilities detected in the initial scan with those in a subsequent scan of the
same site after the vulnerabilities were supposedly fixed.
 l Check on scan health: Change scan settings and verify that those changes expand the attack surface.
 l Find new vulnerabilities: Determine if new vulnerabilities have been introduced in an updated version
of the site.
 l Investigate Issues: Pursue anomalies such as false positives or missed vulnerabilities.
 l Compare authorization access: Conduct scans using two different user accounts to
discover vulnerabilities that are unique or common to both accounts.
Note: Data from both scans must be stored in the same database type (SQL Server Express Edition
or SQL Server Standard/Enterprise Edition).

Selecting Scans to Compare


To compare two scans, do one of the following:


 l From the Manage Scans page, select two scans and click Compare.
 l From a tab containing an open scan (which will be Scan A in the comparison):
 a. Click Compare.
 b. Select a scan from the list on the Scan Comparison window. This scan will be Scan B in the
comparison.
 c. Click Compare.
Note: If the open scan is a "site retest" (resulting from Rescan > Retest Vulnerabilities), Fortify
WebInspect automatically selects the parent scan for comparison. For example, if you created a
scan named "zero," and then verified vulnerabilities for that scan, the resulting scan would be
named (by default) "site retest - zero." With the retest scan open, if you select Compare, Fortify
WebInspect will compare "site retest - zero" with the parent scan "zero."

A warning message appears if the selected scans have different start URLs or used different scan
policies, or if the scans are of a different type (such as a Basic Scan vs. a Web service scan). You can
choose to continue, or you can terminate the function.
You cannot conduct a comparison if either of the scans is currently running.
[Figure: Scan Compare window]

Reviewing the Scan Dashboard


The Scan Dashboard displays the scan comparison results.


Scan Descriptions

The Scan A and Scan B boxes provide the following information about the scans:
 l Scan A or Scan B: Name of the scan.
 l Date: Date and time the original scan was conducted.
 l Policy: Policy used for the scan; see "Fortify WebInspect Policies" on page 424 for more information.
 l Issues: Total number of issues identified on the Vulnerabilities tab, the Information tab, and the Best
Practices tab, as well as false positives detected.
 l Unique/Total: Number of unique sessions created for this scan (that is, the number of sessions that
appear in this scan and not the other scan), compared to the total number of sessions for this scan.
 l Coverage: Percentage of sessions that are common to both scans.

The Venn Diagram


The Venn diagram depicts the session coverage of Scan A (represented by a yellow circle) and the
session coverage of Scan B (represented by a blue circle). The intersection of the two sets is
represented by the green overlap. (In prior releases, the Venn diagram represented the overlap of
vulnerabilities.)
The Venn diagram is scaled to reflect the actual relationship between the sets.
[Figure: examples of session coverage overlap, in five panels: No Intersection, 50% Intersection, A Encompasses Most of B, A Intersects B, and Complete Intersection]

Vulnerabilities Bar Chart


In separate groupings for each vulnerability severity and for False Positives, the bottom of the Scan
Dashboard displays a set of bar charts that show the number of vulnerabilities found in Scan A, in Scan
B, and in their intersection (Intersect). The same color coding is used as in the Venn diagram. These bar
charts do not change based on the selected Compare Mode.

Effect of Scheme, Host, and Port Differences on Scan Comparison


Fortify WebInspect does not ignore the scheme, host, and port when comparing scans from two
duplicate sites that are hosted on different servers.
For example, the following site pairs would not be correlated in a scan comparison because of
differences in scheme, host, or port:
 l Scheme
 l Site A - http://zero.webappsecurity.com/
 l Site B - https://zero.webappsecurity.com/
 l Host
 l Site A - http://dev.foo.com/index.html?par1=123&par2=123
 l Site B - http://qa.foo.com/index.html?par1=123&par2=123
 l Port
 l Site A - http://zero.webappsecurity.com:80/
 l Site B - http://zero.webappsecurity.com:8080/

Compare Modes
You can select one of the following options in the Compare Mode section to the left of the Scan
Dashboard to display different data in the Sequence area in the left pane (the data in the Scan
Dashboard is not affected):
 l Mutual Exclusion: Lists sessions that appear in Scan A or Scan B, but not in both scans
 l Only In A: Lists sessions that appear only in Scan A
 l Only in B: Lists sessions that appear only in Scan B
 l Union (the default): Lists sessions that appear in Scan A, Scan B, or both Scans A & B

Session Filtering
The Sequence pane lists each session that matches the selected Compare Mode. An icon to the left of
the URL indicates the severity of the vulnerability, if any, for that session. The severity icons are:

[Icons: Critical, High, Medium, Low]


At the top of the Sequence pane, you can specify a filter and click Filter to limit the set of displayed
sessions in the following ways:
 l You can enter the URL with only its starting characters, as a "starts with" match. Your entry must
begin with the protocol (http:// or https://).
 l You can search for an exact match by specifying the URL in quotes. Your entry must begin with the
quotes and protocol ("http:// or "https://)
 l You can use an asterisk (*) as a wildcard character at the beginning or end of the string you enter.
 l You can use asterisks (*) at both the beginning and end of the string you enter, which requires
matches to contain the string between the asterisks.
 l You can enter a question mark (?) followed by a full query parameter string to find matches to that
query parameter.
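The five filter forms listed above can be checked against a session list offline before you type them into the Sequence pane. The following Python script is an added example written for this Guide section, not part of WebInspect; the session URLs are constructed, and where the Guide leaves a detail open (an empty filter, and how the "?" form compares parameters) the example picks one reading and marks it as an assumption in a comment.

```python
from urllib.parse import parse_qsl, urlsplit

PROTOCOLS = ("http://", "https://")


def match_session(filter_text: str, url: str) -> bool:
    """Return True if url passes one Sequence-pane filter expression.

    The rules follow the User Guide's list of filter forms; comments mark the
    points where this example makes an assumption.
    """
    f = filter_text.strip()
    if not f:
        return True  # assumption: an empty filter shows every session

    # Exact match: the whole URL in double quotes, beginning with the protocol.
    if len(f) >= 2 and f.startswith('"') and f.endswith('"'):
        literal = f[1:-1]
        if not literal.startswith(PROTOCOLS):
            raise ValueError('quoted filter must begin with "http:// or "https://')
        return url == literal

    # Query-parameter match: "?" followed by a full query parameter string.
    # Assumption: every name=value pair in the filter must appear in the URL.
    if f.startswith("?"):
        wanted = parse_qsl(f[1:], keep_blank_values=True)
        present = set(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        return bool(wanted) and all(pair in present for pair in wanted)

    # Wildcards: an asterisk at the beginning, the end, or both.
    leading, trailing = f.startswith("*"), f.endswith("*")
    core = f.strip("*")
    if leading and trailing:
        return core in url          # must contain the string between the asterisks
    if leading:
        return url.endswith(core)
    if trailing:
        return url.startswith(core)

    # Default form: a "starts with" match that must begin with the protocol.
    if not f.startswith(PROTOCOLS):
        raise ValueError("filter must begin with http:// or https://")
    return url.startswith(f)


def filter_sessions(filter_text: str, urls):
    """Apply one filter expression to a list of session URLs, keeping order."""
    return [u for u in urls if match_session(filter_text, u)]


# Constructed session list standing in for the Sequence pane.
SESSIONS = [
    "http://example.test/",
    "http://example.test/login.aspx",
    "http://example.test/account/view.aspx?id=42",
    "https://example.test/admin/users.aspx?role=admin&id=7",
    "http://example.test/images/logo.png",
]

if __name__ == "__main__":
    for expr in ("http://example.test/account", '"http://example.test/login.aspx"',
                 "*.png", "*admin*", "https://*", "?id=7"):
        print(f"{expr:36s} -> {filter_sessions(expr, SESSIONS)}")
```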

Using the Session Info Panel


When you select a session in the Sequence pane, the Session Info panel opens below the Compare
Mode options. With a session selected, you can select an option in the Session Info panel to display
more details about that session to the right of the Session Info panel. If the session contains data for
both scans, the data for some functions such as Web Browser, HTTP Request, and Steps are shown in
a split view with Scan A on the left side and Scan B on the right side.

Note: The Steps option displays the path taken by Fortify WebInspect to arrive at the session
selected in the Sequence pane or the URL selected in the Summary pane. Beginning with the
parent session (at the top of the list), the sequence reveals the subsequent URLs visited and
provides details about the scan methodology. In a scan comparison, if any of the steps for the
session are different between the scans, the In Both column is added to the Steps table (as the first
column). A value of Yes in the column for a particular step indicates that the step is the same for
that session for both scans A and B. A value of No in the column for a particular step indicates that
the step is different for that session between scans A and B.

Using the Summary Pane to Review Vulnerability Details


When comparing scans, the horizontal Summary pane at the bottom of the window provides a
centralized table of vulnerable resources and allows you to quickly access vulnerability information. You
can drag the horizontal divider above the table to show or hide more of the Summary pane.
The Vulnerabilities tab at the bottom of the page is selected by default. The Information and Best
Practices tabs display analogous data.
The set of entries (rows) displayed in the table depends on the option selected for Compare Mode, as
reflected in the Link column in the table.

Grouping and Sorting Vulnerabilities


For information on grouping and sorting vulnerabilities, see "Summary Pane" on page 97 and "Using
Filters and Groups in the Summary Pane" on page 235.


Filtering Vulnerabilities
You can click the filter icon ( ) at the right of any column heading to open a filter that allows you to
choose a variety of conditions regarding that column that must be met in order for a vulnerability (row)
to remain listed in the table after filtering. The available conditions include the full set of current values
in the column, and you can also specify logical expressions regarding the content of that column.
For example, in the filter for the Vuln Parameter column, suppose you:
 1. Leave the top set of check boxes as is.
 2. Below the Show rows with value that text, select Contains from the drop-down menu.
 3. Type Id in the text box below the drop-down menu.
 4. Click Filter.
Then the table will show only rows that contain the text "Id" in the Vuln Parameter column. This would
include rows for which the value of Vuln Parameter is accountId or payeeId or any other entry that
includes "Id."
You can specify filters for multiple columns, one column at a time, and they will all be applied.
If a filter for a column has been specified, its icon becomes a darker blue than the icons for unused
filters.
To quickly clear a filter, click Clear Filter while the filter is open to be specified.

Working with Vulnerabilities


Right-clicking an item in the Summary pane displays a shortcut menu containing the following
commands:
 l Copy URL: Copies the URL to the Windows clipboard.
 l Copy Selected Item(s): Copies the text of selected items to the Windows clipboard.
 l Copy All Items: Copies the text of all items to the Windows clipboard.
 l Export: Creates a comma-separated values (csv) file containing either all items or selected items and
displays it in Microsoft Excel.
 l View in Browser: Renders the HTTP response in a browser.
 l Review Vulnerability: Allows you to retest the vulnerability. If the vulnerability was detected in only
one scan, the Vulnerability Review window opens; if the vulnerability was detected in both scans, you
are first prompted to select a scan. See "Reviewing a Vulnerability " on page 240 for more
information.
Note: For Post and Query parameters, click an entry in the Parameters column to display a more
readable synopsis of the parameters.

See also
"Summary Pane" on page 97
"Using Filters and Groups in the Summary Pane" on page 235


Manage Scans
To manage scans:
 1. On the Start Page, click Manage Scans.

A list of scans appears in the right-hand pane of the Start Page.


By default, Fortify WebInspect lists all scans saved in the SQL Server Express Edition on your
machine and in SQL Server Standard Edition (if configured). The current state of the scan is
indicated in the Status column. For more information, see "Scan Status " on page 192.
 2. (Optional) To group scans into categories based on the column headings, drag the heading and
drop it on the grouping area.
 3. Use the toolbar buttons to perform the functions listed below.
 l To open scans, select one or more scans and click Open (or simply double-click an entry in the
list). Fortify WebInspect loads the scan data and displays each scan on a separate tab.
 l To launch the Scan Wizard prepopulated with settings last used for the selected scan, click
Rescan > Scan Again.
 l To reuse a scan, click Rescan and select the reuse option you want from the drop-down menu.
For more information, see "Reusing Scans" on the next page.
 l To rescan only those sessions that contained vulnerabilities revealed during a previous scan,
select a scan and click Rescan > Retest Vulnerabilities.
 l To merge scans, select two scans (using Ctrl + click), right-click and select Merge. For more
information, see "Incremental Scan" on page 201.
 l To rename a selected scan, click Rename.
 l To delete the selected scan(s), click Delete.
 l To import a scan, click Import.
 l To export a scan or scan details, or to export a scan to Software Security Center, click the drop-
down button on  Export.
 l To compare scans, select two scans (using Ctrl + click) and click Compare.
 l By default, Fortify WebInspect lists all scans saved in the local SQL Server Express Edition and in
a configured SQL Server Standard Edition. To select one or both databases, or to specify a SQL
Server connection, click Connections.
 l When necessary, click Refresh to update the display.
 l To select which columns should be displayed, click Columns. You can rearrange the order in
which columns are displayed using the Move Up and Move Down buttons or, on the Manage
Scans list, you can simply drag and drop the column headers.


Note: You can also perform most of these functions by right-clicking an entry and selecting a
command from the shortcut menu. In addition, you can also choose to generate a report. For more
information, see "Generating a Report" on page 255.

See Also
"Managing Scheduled Scans " on page 205
"Start Page " on page 51

Reusing Scans
Reusing a scan uses data from a previous scan to assist a new scan. Two scans are involved when
conducting a reuse scan:
 l The reuse scan is the new scan being conducted.
 l The source or baseline scan is the scan from which data is used to reduce the work and time needed
to complete a reuse scan.

Reuse Options
Four options for scan reuse are available:
 l Reuse Incremental — find new attack surface. This scan performs a normal crawl and compares each
session to the baseline scan. Only new sessions that did not exist in the baseline scan are audited. For
more information, see "Incremental Scan" on the next page.
 l Reuse Crawl — import the crawl sessions from the baseline scan. This scan does not perform a crawl,
but performs an audit on all sessions from the baseline scan.
 l Reuse Remediation — look for vulnerabilities that were found in the baseline scan. This scan creates
a policy that includes only those checks that flagged in the baseline scan, and audits the site again
using this custom policy. Therefore, this scan looks at only the checks that flagged in the baseline
scan.
 l Reuse Crawl Remediation — reuse the crawl from the baseline scan. This scan uses the crawl from
the baseline scan to look for vulnerabilities that were found in the baseline scan.

Difference between Remediation Scans and Retest Vulnerability


Remediation scans apply a reduced policy that is derived directly from the flagged vulnerabilities in the
baseline scan to all sessions in the remediation scan, rather than to just the sessions that were
vulnerable in the baseline scan.
For example, a baseline scan found cross-site scripting (XSS) on session A but not session B.
Subsequently, XSS was fixed on session A, but created on session B. Using the Retest Vulnerabilities
option will not find the vulnerability on session B, but a remediation scan will find it. Therefore, a
remediation scan will evaluate all of the known attack surface area for previously found vulnerabilities.


Guidelines for Reusing Scans


Follow these guidelines when reusing scans:
 l The baseline scan must be available on the machine where the reuse scan is executed.
 l The baseline scan does not need to be in the same database as the reuse scan.

Reusing a Scan
To reuse a scan:
 1. Do one of the following:
 l From an open scan, click Rescan and select the reuse option you want from the drop-down
menu.
 l On the Manage Scans page, right-click a scan, click Rescan, and then select the reuse option you
want from the menu.
 l On the Manage Scans page, select a scan, click Rescan and select the reuse option you want
from the drop-down menu.
For information about the rescan options, see "Reuse Options" on the previous page.
 2. Using the Scan Wizard, you may optionally modify the settings that were used for the original scan.
Tip: For incremental scans, it might be beneficial to change settings to discover new attack
surface. However, changing settings is not recommended for remediation scans.

Note: By default, the type of reuse scan you selected is prepended to the baseline scan name
and a -1 is appended to the end.

 3. On the last step of the Scan Wizard, click Scan.


See Also
"Incremental Scan" below
"Reviewing and Retesting" on page 250

Incremental Scan
Incremental scanning provides a way for you to find and audit the areas of your web application that
change over time, while keeping all findings in a single scan. This involves performing incremental scans
and merging these scans back into the baseline scan. For more information about incremental scans and
baseline scans, see "Reusing Scans" on the previous page.


Merging Baseline and Incremental Scans


You can merge the baseline scan and the incremental scan into a single scan. Then you can use the
attack surface of the combined scans for future incremental scans.
After conducting an incremental scan, if you select the incremental scan and the baseline scan and then
right-click, you will see a Merge option.

Important! You must click the baseline scan from which the incremental scan was derived to see
the Merge option enabled.

When you click Merge, the incremental scan is merged into the baseline scan. The baseline scan now
contains the union of the two scans. After merging, the resulting scan becomes the new baseline scan. You
can continuously perform incremental-merge-incremental-merge indefinitely to create a process for
continuous or deferred auditing. For more information, see "Incremental Scan with Continuous or
Deferred Audit" below.
To merge scans:
 1. In the Manage Scans page, select the baseline scan and the incremental scan.
 2. Right-click and select Merge.
Log entries, including the baseline and incremental scan IDs, are written to the scan log when scans are
merged.

Incremental Scan with Continuous or Deferred Audit


Incremental scanning provides the ability to perform continuous audit or deferred audit.
Incremental with Continuous Audit
With incremental scanning, you can put in place a process for continuous audit. This process would be
as follows:
 1. Create a baseline scan.
 2. When an incremental scan is needed:
 a. Create an incremental audit scan from the baseline scan. During this scan, new surface is
audited.
 b. Merge the incremental scan with the baseline scan. The merged scan becomes the new baseline
scan. For more information, see "Merging Baseline and Incremental Scans" above.
 c. Delete the incremental scan.
 d. Return to Step 2.


Incremental with Deferred Audit


With incremental scanning, you can put in place a process for deferred audit. This process would be as
follows:
 1. Create a baseline scan.
 2. When a new incremental scan is needed:
 a. Create an incremental crawl-only scan from the baseline scan.
 b. Merge the incremental scan with the baseline scan. The merged scan becomes the new baseline
scan. For more information, see "Merging Baseline and Incremental Scans" on the previous
page.
 c. Delete the incremental scan.
 d. If new attack surface is found, resume the baseline audit and audit the new surface.
 e. Return to Step 2.
See Also
"Reusing Scans" on page 200

Schedule a Scan
You can schedule a Basic Scan, a Web Service Scan, or an Enterprise Scan to occur at a date and time of
your choosing.
The options and settings you select are saved in a special file and accessed by a Windows service that
starts Fortify WebInspect (if necessary) and initiates the scan. It is not necessary for Fortify WebInspect
to be running at the time you specify for the scan to begin.

Note: To access scheduled scans after they are complete, select the Start Page tab and click
Manage Scans.

To schedule a scan:
 1. Do one of the following:
 l Click the Schedule icon on the Fortify WebInspect toolbar.
 l Click Manage Scheduled Scans on the Fortify WebInspect Start Page.
 2. When the Manage Scheduled Scans window appears, click Add.
 3. In the Type of Scan group, choose one of the following:
 l Basic Scan
 l Web Service Scan
 l Enterprise Scan
 4. To conduct the scan one time only, select Run Once and then edit the Start Date and Time. If you
click the drop-down arrow, you can use a calendar to select the date.


 5. To scan a site periodically:


 a. Select Recurring (or Recurrence Schedule), then specify the start time and choose a
frequency: Daily, Weekly, or Monthly.
 b. If you select Weekly or Monthly, provide the additional requested information.
 6. Click Next.
See Also
"Running a Basic Scan" on page 160
"Running a Web Service Scan " on page 157
"Running an Enterprise Scan " on page 182
"Configuring Time Interval for Scheduled Scan " below

Configuring Time Interval for Scheduled Scan


To configure when to run a scan or to set up recurring scans:
 1. In the Type of Scan group, choose one of the following:
 l Basic Scan
 l Web Service Scan
 l Enterprise Scan
 2. To conduct a scan now, select Immediately.
 3. To conduct a one-time-only scan at a later date or time:
 a. Select Run Once.
 b. Modify the date and time when the scan should begin.
Tip: Click the drop-down arrow to reveal a calendar for selecting the date.

 4. To scan a site periodically:


 a. Select Recurring.
 b. Specify the time when the scan should start.
 c. Choose a frequency: Daily, Weekly, or Monthly.
 5. Click Next.
See Also
"Running a Basic Scan" on page 160
"Running a Web Service Scan" on page 157
"Running an Enterprise Scan" on page 183


Managing Scheduled Scans


You can instruct Fortify WebInspect to conduct a scan at a time and date you specify. The options and
settings you select are saved in a special file and accessed by a Windows service that starts Fortify
WebInspect (if necessary) and initiates the scan. It is not necessary for Fortify WebInspect to be running
at the time you designate the scan to begin.

Note: Scheduled scans, when complete, do not appear in the Recent Scans list that displays on the
Fortify WebInspect Start page. To access scheduled scans after they are complete, select the Start
page and click Manage Scans.

On the Start Page, click Manage Schedule.

A list of scans you previously scheduled appears in the right-hand pane of the Start Page.
The current state of the scan is indicated in the Status column. For more information, see "Scheduled
Scan Status " on page 209.
You can perform the following tasks:
Delete a Scan
 l To delete a scan from the list, select a scan and click Delete.
Edit Scan Settings
 l To edit settings for a scheduled scan, select a scan and click Edit.
Run a Scan Immediately
 l To run a scan immediately, without waiting for the scheduled time, select a scan and click Start (or
right-click a scan and select Start Scan from the shortcut menu). As with all scheduled scans, the
scan runs in the background and does not appear on a tab.
Stop a Scheduled Scan
 l To stop a scheduled scan, select a scan that is running and click Stop (or right-click a running scan
and select Stop Scan from the shortcut menu).
Schedule a Scan
To schedule a scan:
 1. Click Add.
 2. In the Type of Scan group, choose one of the following:
 l Basic Scan
 l Web Service Scan
 l Enterprise Scan
 3. Specify when you want to conduct the scan. The choices are:
 l Immediately
 l Run Once: Modify the date and time when the scan should begin. You can click the drop-down
arrow to reveal a calendar for selecting the date.
 l Recurrence Schedule: Use the slider to select a frequency (Daily, Weekly, or Monthly). Then
specify the time when the scan should begin and (for Weekly or Monthly) provide other
schedule information.
 4. Click Next.
 5. Enter the settings for the type of scan you selected.
 6. For Web Site and Web Service Scans only, you can elect to run a report at the conclusion of the
scan:
 a. Select Generate Reports and click the Select Reports hyperlink.
 b. Continue with Selecting a Report (below).
 7. To schedule the scan without generating a report, click Schedule.

Selecting a Report
If you opted to include a report with the scheduled scan, the Scheduled Scan Report Wizard appears:
[Figure: Scheduled Scan Report Wizard (Step 1 of 2)]


 1. (Optional) Select a report from the Favorites list.


A "favorite" is simply a named collection of one or more reports and their associated parameters. To
create a favorite once you have selected reports and parameters, click the Favorites list and select
Add to favorites.
 2. Select one or more reports.
 3. Provide information for any parameters that may be requested. Required parameters are outlined
in red.
 4. Click Next.
The Configure Report Settings window appears.

Configuring Report Settings


[Figure: Scheduled Scan Report Wizard (Step 2 of 2)]


 1. If you select Automatically Generate Filename, the name of the report file will be formatted as
<reportname> <date/time>.<extension>. For example, if creating a compliance report in pdf
format and the report is generated at 6:30 on April 5, the file name would be "Compliance
Report 04_05_2009 06_30.pdf." This is useful for recurring scans.
Reports are written to the directory specified for generated reports in the Application settings.
 2. If you did not select Automatically Generate Filename, enter a name for the file in the Filename
box.
 3. Select the report format from the Export Format list.
 4. If you selected multiple reports, you can combine them all into one report by selecting Aggregate
reports into one report.
 5. Select a template that defines the headers and footers used for the report and, if necessary,
provide the requested parameters.
 6. Click Finished.
 7. Click Schedule.
See Also
"Start Page " on page 51
"Manage Scans " on page 199
"Scheduled Scan Status " on the next page


Stopping a Scheduled Scan


To halt a scheduled scan while it is running, select the scan from the Manage Schedule list and click
Stop (or right-click the scan and select Stop Scan from the shortcut menu).

To restart a stopped scan, select the scan from the Manage Schedule list and click Start (or right-
click the scan and select Start Scan from the shortcut menu).

Scheduled Scan Status


The status of each scheduled scan appears in the Last Run Status column on the Manage Schedule
pane. The possible statuses are defined in the following table.

Status               Definition

Failure              Fortify WebInspect was unable to perform the scan.
Success              The scan was conducted without error.
Not Yet Run          The scan is queued to run at the scheduled time, which has not yet occurred.
Skipped              The scheduled scan was not run because the service was down for some period of time.
Stopping             The user clicked the Stop button, but the scan has not yet stopped.
Stopped              The scan has been stopped by the user.
Running              The scheduled scan is in progress.
Running with Error   The scan could not stop; see log for further details.

Exporting a Scan
Use the Export Scan function to save information collected during a Fortify WebInspect crawl or audit.

Note: When exporting to Fortify Software Security Center, after exporting to the .fpr format, you
must manually upload the .fpr file to Fortify Software Security Center. Fortify does not support
uploading both Fortify WebInspect FPR artifacts and Fortify WebInspect Enterprise FPR artifacts
to the same application version in Fortify Software Security Center.


Follow the steps below to export a scan.


 1. Do one of the following:
 l Open a scan (or click a tab containing an open scan), click File > Export and select either Scan
or Scan to Software Security Center

 l On the Manage Scans pane of the Start page, select a scan, click the drop-down arrow on the
Export button and select either Export Scan or Export Scan to Software Security Center.
The Export a Scan window (or the Export Scan to Software Security Center window) appears.

 2. The Scrub Data group contains, by default, three non-editable regular expression functions that
will substitute X's for each digit in a string formatted as a Social Security number, credit card
number, or IP address. To include a search-and-replace function, select its associated check box.
This feature prevents any sensitive data from being included in the export.
 3. To create a Scrub Data function:
 a. Click Add.
 b. On the Add Scrub Entry window, select either Regex or Literal from the Type list.
 c. In the Match box, enter the string (or a regular expression representing a string) that you want
to locate. If using a regular expression, you can click the ellipsis button to open the Regular
Expression Editor, with which you can create and test your regular expression.
 d. In the Replace box, enter the string that will replace the target specified by the Match string.
 e. Click OK.
 4. If you are exporting to Software Security Center, go to Step 7.


 5. If you want to include an attachment:


 a. In the Attachments group, click Add.
 b. Using the standard file-selection window, navigate to the directory that contains the file you
want to attach.
 c. Select a file and click Open.
 6. To include the scan's log files, select Export Logs.
 7. Click Export.
 8. Using the standard file-selection window, select a location and click Save.
See Also
"Importing a Scan " on page 215
"Exporting Scan Details " below

Exporting Scan Details


Use this function to save information collected during a Fortify WebInspect crawl or audit.
 1. Open a scan, or click a tab containing a scan.
 2. Click File > Export > Scan Details.
The Export Scan Details window appears.


 3. From the Details list, select the type of information you want to export. The options are as follows:
 l Comments
 l Emails
 l Full (all details)
 l Hidden Fields
 l Offsite Links
 l Parameters
 l Requests
 l Script
 l Sessions
 l Set Cookies
 l URLs
 l Vulnerabilities
 l Web Crawl Dump
 l Site Tree Dump
 l Web Forms

Note: Not all choices are available for a Web Service scan.

 4. Choose a format (either Text or XML) from the Export Format list.
 5. The Scrub Data group contains, by default, three non-editable regular expression functions that
will substitute X's for each digit in a string formatted as a Social Security number, credit card
number, or an IP address. To include this search-and-replace function for a data type, select its
associated check box. This feature prevents any sensitive data from being included in the export.
 6. To create a Scrub Data function:
 a. Click Add.
 b. On the Add Scrub Entry window, select either Regex or Literal from the Type list.
 c. In the Match box, enter the string (or a regular expression representing a string) that you want
to locate. If using a regular expression, you can click the ellipsis button to open the Regular
Expression Editor, with which you can create and test your regular expression.
 d. In the Replace box, enter the string that will replace the target specified by the Match string.
 e. Click OK.
 7. Click Export.
 8. Using a standard file-selection window, specify a name and location for the exported file and click
Save.
See Also
"Exporting a Scan " on page 209

Export Scan to Software Security Center


This feature allows you to export the results of a Fortify WebInspect scan in a format (.fpr format) that
can be consumed by Fortify Software Security Center.

Note: After exporting to the .fpr format, you must manually upload the .fpr file to Fortify Software
Security Center. Fortify does not support uploading both Fortify WebInspect FPR artifacts and
Fortify WebInspect Enterprise FPR artifacts to the same application version in Fortify Software
Security Center.

 1. Do one of the following:


 l Open a scan (or click a tab containing an open scan) and click File > Export > Scan to
Software Security Center.
 l On the Manage Scans pane of the Start page, select a scan, click the drop-down arrow on the
Export button and select Export Scan to Software Security Center.


The Export Scan to Software Security Center window appears.
 2. The Scrub Data group contains, by default, three non-editable regular expression functions that
will substitute X's for each digit in a string formatted as a Social Security number, credit card
number, or IP address. To include a search-and-replace function, select its associated check box.
This feature prevents any sensitive data from being included in the export.
 3. To create a Scrub Data function:
 a. Click Add.
 b. On the Add Scrub Entry window, select either Regex or Literal from the Type list.
 c. In the Match box, enter the string (or a regular expression representing a string) that you want
to locate. If using a regular expression, you can click the ellipsis button to open the Regular
Expression Editor, with which you can create and test your regular expression.
 d. In the Replace box, enter the string that will replace the target specified by the Match string.
 e. Click OK.
 4. Click Export.
 5. Using the standard file-selection window, select a location and click Save.

Exporting Protection Rules to Web Application Firewall

To generate and save a full export (.xml) file based on vulnerabilities detected by Fortify WebInspect
during a scan of your web application:
 1. Open the scan of interest (or click a tab containing an open scan) and click File > Export >
Protection Rules to Web Application Firewall.
 2. Specify the scrub data types in the same way as for the File > Export > Scan option. The Scrub
Data group contains, by default, three non-editable regular expression functions that will
substitute an X for each digit in a string formatted as a Social Security Number, credit card number,
or IP address. To include this search-and-replace function for a data type, select its associated
check box. This feature prevents any sensitive data from being included in the export.
 3. Click Export.
 4. Specify the path and filename to which you want to save the exported data and click Save.
A full export (.xml) file is saved as you specified.
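The Scrub Data step is described in the same terms in "Exporting a Scan", "Exporting Scan Details", "Export Scan to Software Security Center" and this topic: built-in rules that replace every digit of a Social Security number, credit card number or IP address with an X, followed by your own Regex or Literal match-and-replace entries. The Python script below is an added illustration of that pipeline and is not part of Fortify WebInspect. Its three built-in patterns are constructed approximations (the product's own non-editable expressions are not reproduced here), and the sample request and custom entries are constructed for the example. The `leaked_builtins` check at the end is the kind of verification worth running on an export before it leaves the scanning host.

```python
"""Added illustration of export-time data scrubbing (not Fortify code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed approximations of the three built-in "X for each digit" rules.
BUILTIN_PATTERNS: Dict[str, str] = {
    "Social Security number": r"\b\d{3}-\d{2}-\d{4}\b",
    "credit card number": r"\b\d{4}(?:[ -]?\d{4}){3}\b",
    "IP address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


@dataclass
class ScrubEntry:
    """One row of the Add Scrub Entry window: Type, Match, Replace."""
    kind: str          # "Regex" or "Literal"
    match: str
    replace: str
    enabled: bool = True


def _mask_digits(m: "re.Match[str]") -> str:
    # Keep separators so the field still reads as an SSN/card/IP,
    # but leave no recoverable digit behind.
    return re.sub(r"\d", "X", m.group(0))


def scrub(text: str,
          enabled_builtins: Iterable[str] = BUILTIN_PATTERNS,
          custom: Iterable[ScrubEntry] = ()) -> str:
    """Apply the selected built-in rules, then the custom entries, in order."""
    for name in enabled_builtins:
        text = re.sub(BUILTIN_PATTERNS[name], _mask_digits, text)
    for entry in custom:
        if not entry.enabled:
            continue
        if entry.kind == "Regex":
            text = re.sub(entry.match, entry.replace, text)
        elif entry.kind == "Literal":
            text = text.replace(entry.match, entry.replace)
        else:
            raise ValueError(f"unknown scrub entry type: {entry.kind!r}")
    return text


def leaked_builtins(text: str) -> List[str]:
    """Names of built-in data types still present in the text.
    An empty list is the result you want before the export is shared."""
    return [name for name, pat in BUILTIN_PATTERNS.items() if re.search(pat, text)]


# Constructed sample: one request as it might appear in an exported session.
SAMPLE_EXPORT = (
    "GET /account?ssn=123-45-6789&card=4111-1111-1111-1111 HTTP/1.1\n"
    "Host: 10.1.2.3\n"
    "Authorization: Bearer s3cr3t-token\n"
    "X-Internal-Host: corp-db-01\n"
)

# Constructed custom entries: the built-ins know nothing about bearer
# tokens or internal host names, so those need explicit rules.
CUSTOM_ENTRIES = [
    ScrubEntry("Regex", r"Bearer \S+", "Bearer [REDACTED]"),
    ScrubEntry("Literal", "corp-db-01", "internal-host"),
]


def scrub_sample() -> str:
    """Scrub the constructed sample with all built-ins plus the custom entries."""
    return scrub(SAMPLE_EXPORT, custom=CUSTOM_ENTRIES)


if __name__ == "__main__":
    out = scrub_sample()
    print(out)
    print("still leaking:", leaked_builtins(out))
```

Rules are applied in the order the entries are listed, and a Literal entry is a plain substring replacement, so a Literal value containing regex metacharacters does not need escaping. The built-in rules only mask digits inside a matched field; a custom Regex entry is what you need for anything else you do not want in the file, such as session tokens.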


Importing a Scan
To import a scan:
 1. Click File > Import Scan.
 2. Using a standard file-selection window, select an option from the Files Of Type list:
 l Scan files (*.scan) - scan files designed for or created by Fortify WebInspect versions beginning
with 7.0.
 l SPA files (*.spa) - scan files created by versions of Fortify WebInspect prior to version 7.0.
 3. Choose a file and click Open.
If attachments were exported with the scan, those attachments will be imported and saved in a
subdirectory of the imported scan. The default location is C:\Users\<username>\AppData\HP\HP
WebInspect\ScanData\Imports\<DirectoryName>\<filename>, where DirectoryName is the ID
number of the exported/imported scan.
See Also
"Exporting a Scan " on page 209

Importing False Positives


You can import from a previous scan a list of vulnerabilities that were analyzed as being false positive.
Fortify WebInspect then correlates these false positives from a previous scan with vulnerabilities
detected in the current scan and flags the new occurrences as false positives.
Select a scan containing false positives from the same site you are now scanning.

Note: You cannot import false positives when scheduling a scan or conducting an Enterprise scan.

To import false positives:


 1. In the scan currently being conducted, select False Positives in the Scan Info panel.
The Scan False Positives window appears.
 2. Click Import False Positives.
The Select a Scan to Import False Positives window appears.
 3. Select the checkbox(es) for the scan or scans from which you want to import false positives, and
click OK.
The Importing False Positives window appears, displaying the progress of the import.
 4. When the import is complete, do one of the following:
 l Click Details to view a log file for the import.
 l Click Close to view the false positive(s) in the Scan False Positives window.


Importing Legacy Web Service Scans


Fortify WebInspect 10.00 and later offer minimal support for Web Service scans that were created with
versions of Fortify WebInspect earlier than 9.00. These scans do not contain all the information
required to render them properly in the current user interface and will exhibit the following attributes:
 l The tree view may not show the correct structure.
 l Even if the operations do not appear in the tree view, the vulnerabilities will appear in the
vulnerability list. You should be able to select these vulnerabilities and view the vulnerability
information, as well as the request and the response.
 l Nothing will display in the XmlGrid.
 l The rescan functionality should launch the Web Services scan wizard and select the first option
having the selected WSDL already populated. This should force the Web Service Test Designer to
open on page 3.
 l The "Vulnerability Review" feature should be disabled.
 l All reports should work as in previous Fortify WebInspect releases.
 l The Scan view should render in "ReadOnly" mode, which disables the Start, Audit and Current
Settings buttons.
Fortify recommends that you rescan your Web service.

Changing Import/Export Settings


If you require different settings for different scan actions, you can save your settings in an XML file and
load them when needed. You can also reload the Fortify WebInspect factory default settings.

Tip: You can also create, edit, delete, import, and export scan settings files from the Manage
Settings window. Click Edit and select Manage Settings.

To import, export, or restore settings:


 1. Click Edit > Default Settings.
The Default Settings window appears.
 2. To export settings:
 a. Click Save settings as (at the bottom of the left pane).
 b. On the Save Scan Settings window, select a folder and enter a file name.
 c. Click Save.
 3. To import settings:
 a. Click Load settings from file (at the bottom of the left pane).
 b. On the Open Scan Settings File window, select a file.
 c. Click Open.


 4. To restore factory default settings:


 a. Click Restore factory defaults (at the bottom of the left pane).
 b. When prompted to confirm your selection, click Yes.

Downloading a Scan from Enterprise Server


Use the following procedure to download a scan from the enterprise server (Fortify WebInspect
Enterprise) to Fortify WebInspect.
 1. Click the Enterprise Server menu and select Download Scan.
 2. On the Download Scan(s) window, select one or more scans from the list of available scans.
 3. Click OK.
The downloaded scan is added to the list of scans on the Manage Scans pane. The scan date becomes
the date you downloaded the scan, not the date on which the site originally was scanned. For more
information, see "Manage Scans " on page 199.

Log Files Not Downloaded


Log files, including traffic session files, are not downloaded when downloading sensor scans from
Fortify WebInspect Enterprise to Fortify WebInspect. To obtain and view the log files for the scan, you
must manually export the scan from Fortify WebInspect Enterprise and then import the scan into
Fortify WebInspect. For more information, see "Importing a Scan " on page 215.
See Also
"Uploading a Scan to Enterprise Server" below

Uploading a Scan to Enterprise Server


Use the following procedure to upload a scan file from Fortify WebInspect to an enterprise server
(Fortify WebInspect Enterprise).
 1. Click the Fortify WebInspect Enterprise Server menu and select Upload Scan.
 2. On the Upload Scan(s) window, select one or more Fortify WebInspect scans from the Scan Name
column.
Note: To access scans in a different database, click Connections and, in the Database
application settings, change options under Connection Settings for Scan Viewing.

 3. For each scan, select an Application and Version from the appropriate drop-down lists.
The program attempts to select the correct application and version based on the "Scan URL" in the
scan file, but you may select an alternative.
 4. Click Upload.
See Also
"Downloading a Scan from Enterprise Server" on the previous page

Running a Scan in Enterprise Server


This feature is designed for users who prefer to configure a scan in Fortify WebInspect rather than
Fortify WebInspect Enterprise. You can modify the settings and run the scan in Fortify WebInspect,
repeating the process until you achieve what you believe to be the optimal settings. You can then send
the open scan's settings to Fortify WebInspect Enterprise, which creates a scan request and places it in
the scan queue for the next available sensor.
To run a scan in WebInspect Enterprise:
 1. Open a scan.
 2. If you are not connected to an enterprise server, click the Enterprise Server menu and select
Connect to WebInspect Enterprise.
 3. Click the Scan menu and select Run in WebInspect Enterprise (or simply click the appropriate
button on the toolbar).
 4. On the Run Scan in WebInspect Enterprise dialog box, enter a name for the scan.
 5. Select an Application and a Version.
 6. Click OK.
If you pass all permission checks, the scan is created and the priority assigned to the scan is the highest
priority allowed by your role (up to 3, which is the default).

Transferring Settings to/from Enterprise Server


Use this feature to:
 l Create a Fortify WebInspect Enterprise scan template based on a Fortify WebInspect settings file and
upload it from Fortify WebInspect to an enterprise server (Fortify WebInspect Enterprise).
 l Create a Fortify WebInspect settings file based on an enterprise server scan template and download
it to Fortify WebInspect.
Fortify WebInspect settings files and Fortify WebInspect Enterprise scan templates do not have the
same format; not all settings in one format are replicated in the other. Note the warnings that follow
descriptions of the conversion procedure.

Creating a Fortify WebInspect Enterprise Scan Template


To create a Fortify WebInspect Enterprise scan template:
 1. Click the Fortify WebInspect Enterprise Server menu and select Transfer Settings.
 2. On the Transfer Settings window, select a Fortify WebInspect settings file from the Local Settings
File list.
 3. (Optional) Click View to review the settings as they appear in a Fortify WebInspect settings file. To
continue, click Close.


Note: This is a read-only file. Any changes you make will not be persisted.

 4. Select the Application and Version to which the template will be transferred in Fortify WebInspect
Enterprise.
 5. If necessary, click Refresh to ensure the lists include the latest settings files and scan templates.
 6. Enter the name of the scan template that will be created. You cannot duplicate the name of an
existing template.
 7. Click Upload.
All template settings that are not extracted from Fortify WebInspect will use the Fortify WebInspect
Enterprise template default settings.
 l The scan template will not specify the policy used by the Fortify WebInspect settings file. Instead, it
will contain the "Use Any" option.
 l Any client certificate information that may be included in the Fortify WebInspect settings file is
transferred to the scan template, but the certificates are not transmitted.
 l All Fortify WebInspect settings are preserved in the scan template, even if they are not used by
Fortify WebInspect Enterprise. Therefore, if you subsequently create a Fortify WebInspect settings
file based on the scan template you created from the original settings file, the Fortify WebInspect
settings will be retained.

Creating a Fortify WebInspect Settings File


To create a Fortify WebInspect settings file:
 1. Click the Fortify WebInspect Enterprise Server menu and select Transfer Settings.
 2. Select the Application and Version from which the template will be transferred in Fortify
WebInspect Enterprise.
 3. On the Transfer Settings window, select a scan template from the list.
 4. (Optional) Click View to review the settings as they would appear in a Fortify WebInspect settings
file. To continue, click Close.
Note: This is a read-only file. Any changes you make will not be persisted.

 5. If necessary, click Refresh to ensure the lists include the latest settings files and scan templates.
 6. Click Download.
 7. Using a standard file-selection window, name the settings file, select a location in which to save it,
and click Save.
The Fortify WebInspect settings file will not specify the policy used by the scan template. Instead, it will
specify the Standard policy.


Publishing a Scan (Fortify WebInspect Enterprise Connected)

Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Fortify Software
Security Center.

Use the following procedure to transmit scan data from Fortify WebInspect to a Fortify Software
Security Center server, via Fortify WebInspect Enterprise.

Note: For information about managing the Fortify Software Security Center status of
vulnerabilities when conducting multiple scans of the same Web site or application, see "Integrating
with Fortify WebInspect Enterprise and Fortify Software Security Center " on the next page.

 1. Configure Fortify WebInspect Enterprise and Fortify Software Security Center.
 2. Run a scan in Fortify WebInspect (or use an imported or downloaded scan). 
 3. Click the Enterprise Server menu and select Connect to WebInspect Enterprise. You will be
prompted to submit credentials.
 4. If a scan is open on a tab that has focus, and you want to publish only that scan:
 a. Click Synchronize.
 b. Select an application and version, then click OK.
 c. Examine the results. Columns will appear in the Summary pane specifying "Published Status"
and "Pending Status." The Published Status is the status of the vulnerability the last time this
scan was published to Fortify WebInspect Enterprise. The Pending Status is what the status of
the vulnerability will be after this scan is published. Depending on the Pending Status, you can
modify it to specify whether the vulnerability has been resolved or is still existing (see Step 7
below). In addition, a new tab named "Not Found" appears; this tab contains vulnerabilities
that were detected in previous scans but not in the current scan. You can add screenshots and
comments to vulnerabilities or mark vulnerabilities as false positive or ignored. You can also
review and retest vulnerabilities, modifying the scan results until you are ready to publish.
 d. Click Publish. Go to step 7.


 5. To select from a list of scans:
 a. Click the Enterprise Server menu and select Publish Scan.
 b. On the Publish Scan(s) to Software Security Center dialog box, select one or more scans.
 c. Select an application and version.
 d. Click Next. Fortify WebInspect automatically synchronizes with Fortify Software Security
Center.


 6. Fortify WebInspect lists the number of vulnerabilities to be published, categorized by status and
severity.
To determine the status, Fortify WebInspect compares previously submitted vulnerabilities
(obtained by synchronizing with Fortify Software Security Center) with those reported in the
current scan. If this is the first scan submitted to an application version, all vulnerabilities will be
"New."
If a vulnerability was previously reported, but is not in the current scan, it is marked as "Not
Found." You must determine if it was not found because it has been fixed or because the scan was
configured differently (for example, you may have used a different scan policy, or you scanned a
different portion of the site, or you terminated the scan prematurely). When examining the results
(step 4c), you can change the "pending status" of individual vulnerabilities detected by all but the
first scan (by right-clicking a vulnerability in the Summary pane). However, when publishing, you
must specify how Fortify WebInspect should handle any remaining "Not Found" vulnerabilities.
To retain these "Not Found" vulnerabilities in Fortify Software Security Center (indicating that they
still exist), select Retain: Assume all vulnerabilities still marked "Not Found" in the scan are
still present.
To remove them (implying that they have been fixed), select Resolve: Assume all vulnerabilities
still marked "Not Found" in the scan are fixed.
 7. If this scan was conducted in response to a scan request initiated at Fortify Software Security
Center, select Associate scan with an "In Progress" scan request for the current application
version.
 8. Click Publish.

Integrating with Fortify WebInspect Enterprise and Fortify Software Security Center

Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Fortify Software
Security Center.

Fortify Software Security Center is a suite of tightly integrated solutions for identifying, prioritizing, and
fixing security vulnerabilities in software. It uses Fortify Static Code Analyzer to conduct static analysis
and Fortify WebInspect to conduct dynamic application security testing. Fortify WebInspect Enterprise
provides a central location for managing multiple Fortify WebInspect scanners and correlating scan
results that can be published directly to individual application versions within Fortify Software Security
Center.


Fortify WebInspect Enterprise maintains a history of all vulnerabilities for a particular Fortify Software
Security Center application version. After Fortify WebInspect conducts a scan, it synchronizes with
Fortify WebInspect Enterprise to obtain that history, compares vulnerabilities in the scan with those in
the history, and then assigns a status to each vulnerability. The statuses are described in the following
table.

Fortify Software Security Center Status   Description

New             A previously unreported issue.
Existing        A vulnerability in the scan that is already in the history.
Not Found       A vulnerability in the history that is not found in the scan. This can occur
                because (a) the vulnerability has been remediated and no longer exists, or
                (b) the latest scan used different settings, or scanned a different portion
                of the site, or for some other reason did not discover the vulnerability.
Resolved        A vulnerability that has been fixed.
Reintroduced    A vulnerability that appears in a current scan but was previously reported
                as "Resolved."
Still an Issue  A vulnerability that was "Not Found" in the current scan does, in fact, exist.

To change the Fortify Software Security Center status for an individual vulnerability, right-click a
vulnerability on the Vulnerability tab and select Modify Pending Status. This option appears only
after connecting to Fortify WebInspect Enterprise and is enabled only after you have synchronized
Fortify WebInspect with Software Security Center.
The following example demonstrates a hypothetical series of scans for integrating vulnerabilities into
Fortify Software Security Center.

First scan
 1. Scan the target site with Fortify WebInspect. In this example, assume that only one vulnerability
(Vuln A) is discovered.
 2. Examine the results. You can add screenshots and comments to vulnerabilities or mark
vulnerabilities as false positive or ignored. You can also review, retest, and delete vulnerabilities.
 3. Synchronize the scan with an application version in Fortify Software Security Center, then publish
the scan.


Second scan
 1. The second scan again reveals Vuln A, but also discovers four more vulnerabilities (Vulns B, C, D,
and E).
 2. Synchronize the scan with the application version in Fortify Software Security Center.
 3. Now examine the results. If you added audit data (such as comments and screenshots) to Vuln A
when publishing the first scan, the data will be imported into the new scan.
 4. Publish the scan to Fortify Software Security Center. Vuln A will be marked "Existing," Vulns B-E will
be marked "New," and five items will exist in the Fortify Software Security Center system.

Third scan
 1. The third scan discovers Vulns B, C, and D, but not Vuln A or Vuln E.
 2. Synchronize the scan with the application version in Fortify Software Security Center.
 3. After retesting Vuln A, you determine that it does, in fact, exist. You change its pending status to
"Still an Issue."
 4. After retesting Vuln E, you determine that it does not exist. You change its pending status to
"Resolved."
 5. Publish the scan to Fortify Software Security Center. Vulns B, C, and D will be marked
"Existing." Five items will exist in the Fortify Software Security Center system.

Fourth Scan
 1. The fourth scan does not find Vuln A or Vuln B. The scan does find Vulns C, D, E, and F. 
 2. Synchronize the scan with the application version in Fortify Software Security Center.
 3. Vuln E was previously declared to be resolved and so its status is set to “Reintroduced.”
 4. You examine the vulnerabilities that were not found (A and B, in this example). If you determine
that the vulnerability still exists, update the pending status to “Still an Issue.” If a retest verifies that
the vulnerability does not exist, update the pending status to “Resolved.”
 5. Publish the scan to Fortify Software Security Center. Vulns C and D remain marked "Existing."
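The four-scan walkthrough above, replayed as an added Python model of the status assignment it describes; this is not Fortify WebInspect or Software Security Center code, and the single-letter vulnerability identifiers, the rule that only "Not Found" items accept a pending-status change, and publishing "Not Found" items unchanged are assumptions of the model.

```python
# Added model of how a scan's findings are reconciled with the published history
# (not Fortify code). Vulnerabilities are keyed by a short id; in practice the key
# would be the finding's identifying fields (check, method, location, parameter).
NEW = "New"
EXISTING = "Existing"
NOT_FOUND = "Not Found"
RESOLVED = "Resolved"
REINTRODUCED = "Reintroduced"
STILL_AN_ISSUE = "Still an Issue"


def reconcile(history, found):
    """Compare the current scan with the history and assign a status to every item.

    history: {vuln_id: last published status}; found: set of vuln_ids in this scan.
    Returns {vuln_id: status} covering both the current scan and the history."""
    statuses = {}
    for vuln in found:
        prior = history.get(vuln)
        if prior is None:
            statuses[vuln] = NEW            # never published before
        elif prior == RESOLVED:
            statuses[vuln] = REINTRODUCED   # declared fixed earlier, now back
        else:
            statuses[vuln] = EXISTING       # already in the history
    for vuln in history:
        if vuln not in found:
            statuses[vuln] = NOT_FOUND      # pending a retest decision
    return statuses


def modify_pending_status(statuses, vuln, decision):
    """Record the retest outcome for a Not Found item (Modify Pending Status)."""
    if statuses.get(vuln) != NOT_FOUND:
        raise ValueError(f"{vuln} is {statuses.get(vuln)!r}; only Not Found items can be modified")
    if decision not in (RESOLVED, STILL_AN_ISSUE):
        raise ValueError(f"decision must be Resolved or Still an Issue, got {decision!r}")
    statuses[vuln] = decision


def publish(history, statuses):
    """Publishing writes every assigned status back into the history."""
    history.update(statuses)
    return history


def run_four_scan_example():
    """Replay the four scans described above; returns (statuses per scan, final history)."""
    history = {}
    per_scan = []

    # First scan: only Vuln A is discovered.
    s = reconcile(history, {"A"})
    publish(history, s)
    per_scan.append(dict(s))

    # Second scan: A again, plus B, C, D and E.
    s = reconcile(history, {"A", "B", "C", "D", "E"})
    publish(history, s)
    per_scan.append(dict(s))

    # Third scan: B, C, D found; A retested and confirmed, E retested and gone.
    s = reconcile(history, {"B", "C", "D"})
    modify_pending_status(s, "A", STILL_AN_ISSUE)
    modify_pending_status(s, "E", RESOLVED)
    publish(history, s)
    per_scan.append(dict(s))

    # Fourth scan: C, D, E, F found; A and B stay pending until they are retested.
    s = reconcile(history, {"C", "D", "E", "F"})
    publish(history, s)
    per_scan.append(dict(s))
    return per_scan, history


if __name__ == "__main__":
    for n, statuses in enumerate(run_four_scan_example()[0], start=1):
        print(f"scan {n}:", dict(sorted(statuses.items())))
```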

Synchronize with Fortify Software Security Center


Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Fortify Software
Security Center.

Use this dialog box to specify an application and version and synchronize with Fortify Software Security
Center. Fortify WebInspect then downloads a list of vulnerabilities from Fortify Software Security
Center, compares the downloaded vulnerabilities to the vulnerabilities in the current scan, and assigns
an appropriate status (New, Existing, Reintroduced, or Not Found) to the vulnerabilities in the current
scan. For detailed information, see "Integrating with Fortify WebInspect Enterprise and Fortify Software
Security Center " on page 221.
To synchronize with Fortify Software Security Center:
 1. Click Synchronize on the toolbar.
 2. Select an application.
 3. Select a version.
 4. Click OK.

Chapter 5: Using Fortify WebInspect Features
This chapter describes certain tools available in Fortify WebInspect, such as the Server Profiler and
Unified Web Macro Recorder. It also describes how to inspect the scan results and work with
vulnerabilities discovered during the scan. It describes using the WebInspect API, Regular Expressions,
and the Fortify WebInspect policies. This chapter also includes information about Compliance
Templates and the reporting capabilities of Fortify WebInspect.
For more information about all tools available in Fortify WebInspect, see the Tools Guide for Fortify
WebInspect Products.

Using Macros
A macro is a recording of the events that occur when you access and log in to a website. You can
subsequently instruct Fortify WebInspect to begin a scan using this recording. You can use the Web
Macro Recorder tool to record login macros or you can create them in the Basic Scan or Guided Scan
wizards. Macros that are created in a Basic Scan or a Guided Scan can be used in either type of scan.
There are two types of macros:
 l A login macro is a recording of the events that occur when you access and log in to a Web site using
the event-based Web Macro Recorder. You can subsequently instruct Fortify WebInspect to begin a
scan using this recording. You can specify a login macro when you select Site Authentication on
Step 2 of the Guided Scan Wizard.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login
macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the login is
successful. If the macro is invalid and fails to log in to the application, the scan stops and an error
message is written in the scan log file. For more information and troubleshooting tips, see "Testing
Login Macros" on page 456.
 l A workflow macro is a recording of HTTP events that occur as you navigate through a Web site using
the session-based Web Macro Recorder. Fortify WebInspect audits only those URLs included in the
macro that you previously recorded and does not follow any hyperlinks encountered during the
audit. You can specify a workflow macro when you select a Workflows scan in the Guided Scan or
Basic Scan wizards.
Any activity you record in a macro will override the scan settings. For example, if you specify a URL in
the Excluded URL setting, and then you actually navigate to that URL when creating a macro, Fortify
WebInspect will ignore the exclusion when it crawls and audits the site.

Note: When you play a macro, Fortify WebInspect will not send any cookie headers that may have
been incorporated in the recorded macro. Macros that were recorded in a Basic Scan or a Guided
Scan can be used in either type of scan.

Using Selenium Macros


Fortify WebInspect supports integration with Selenium IDE browser automation. When you click the
Import button in Guided Scan, the Scan Wizard, or Authentication Scan Settings and select a Selenium
IDE macro to import, Fortify WebInspect detects that a Selenium IDE macro is being used. Fortify
WebInspect opens Selenium and plays the macro.
For login macros, the macro must include a logout condition. If a logout condition does not exist, you
can add one using the Logout Conditions Editor just as with any other macro. However, all other edits
must be done in the Selenium IDE.
During the replay, there is full support for Selenium IDE integration. This means that Fortify WebInspect
does not record the sessions; instead, it opens a new Selenium IDE browser each time and replays the
login macro just as it does with the Unified Web Macro Recorder’s TruClient technology.

Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium IDE macros. You cannot use different types of macros in the same scan.

See Also
"Scan Settings: Authentication" on page 373
"Running a Guided Scan " on page 106
"Selecting a Workflow Macro " below
"Using the Unified Web Macro Recorder" on the next page

Selecting a Workflow Macro


When conducting a Workflow-driven Scan, you can select or create one or more macros that will be used
to navigate your Web site.
 l Record - opens the Web Macro Recorder, allowing you to create a macro
 l Edit - opens the Web Macro Recorder and loads the selected macro
 l Remove - removes the selected macro (but does not delete it from your disk)
 l Import - opens a standard file-selection window, allowing you to select a previously recorded
.webmacro file, Burp Proxy captures, or a Selenium IDE macro. For more information, see "Importing
a Selenium IDE Workflow Macro" on the next page.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium macros. You cannot use different types of macros in the same scan.

 l Export - opens a standard file-selection window, allowing you to save a recorded macro
Once a macro is selected or recorded, you may optionally specify allowed hosts.

Importing a Selenium IDE Workflow Macro


To use a pre-recorded Selenium IDE workflow macro:
 1. Click Manage.
The Select Workflow-Driven Scan Macros window appears.
 2. Click Import.
The Import a Web Macro window appears.
 3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Selenium IDE macros do not have a specific file extension and can be any type of text file, including
XML.
 4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
 6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 7. Do one of the following:
 l If the macro plays successfully, the message "Successfully verified macro" appears. Continue with
Step 8.
 l If the macro does not play successfully, an error message appears. Use the error message to
debug and correct the error in Selenium, and return to Step 1 of this procedure to try the import
again.
 8. Click OK to add the macro to the list of macros.
The Allowed Hosts section is populated with the list of hosts accessed during the verification.
 9. (Optional) To import another Selenium script to use in the workflow-driven scan, return to Step 2.
 10. Click OK.
See Also
"Using Macros" on page 225

Using the Unified Web Macro Recorder


The Web Macro Recorder can be launched in several ways—while configuring a Guided Scan or a Basic
Scan, or outside of either scan in what is known as “stand-alone” mode.

The Web Macro Recorder operates by default using underlying Firefox browser technology to record
and play macros. It can also operate using Internet Explorer browser technology (also referred to here
as IE technology) to record and display web traffic data. Note the following:
 l Web Macro Recorder does not support the recording of Flash or Silverlight applications.
 l The TruClient technology used in the Web Macro Recorder is an adaptation of the Ajax TruClient
technology originally developed for use with Micro Focus LoadRunner and Micro Focus Performance
Center. It does not incorporate or support all the capabilities of the fully-featured version in those
products.
 l When you play a macro, Fortify WebInspect does not send any cookie headers that may have been
incorporated in the recorded macro.
 l If a URL is in a macro, the request is always sent when the macro is played, regardless of any
exclusion rules in scan settings.
 l When launching the Web Macro Recorder, you may receive the following error message:
“Exc in ev handl: TypeError: this.oRoot.enable is not a function.”
This can occur if the McAfee SiteAdvisor is installed. Simply acknowledge the message and continue.
See Also
"Using Macros" on page 225

Traffic Monitor (Traffic Viewer)


Fortify WebInspect normally displays in the navigation pane only the hierarchical structure of the Web
site or Web service, plus those sessions in which a vulnerability was discovered. The Traffic Monitor or
Traffic Viewer allows you to display and review every HTTP request sent by Fortify WebInspect and the
associated HTTP response received from the web server.
The Traffic Monitor or Traffic Viewer is not available if Traffic Monitor Logging was not enabled prior
to conducting the scan. You can enable the feature in the default settings (click Edit > Default
Settings > Settings > General) or when you start a scan through the Scan Wizard (by selecting
Enable Traffic Monitor on the Detailed Scan Configuration window under Settings).

Traffic Session Data in Traffic Viewer


The original Traffic Monitor has been converted into a standalone Traffic Viewer tool that incorporates
functionality from both the original Traffic Monitor and the WebProxy tool. Traffic session files for the
standalone Traffic Viewer use a different format than the Traffic Monitor. For more information about
the standalone Traffic Viewer tool, refer to the Traffic Viewer tool online help or the Tools Guide for
Fortify WebInspect Products.

Viewing Traffic in the Traffic Viewer


To view the traffic session data in the Traffic Viewer:
 l In the Scan Info panel for an open scan, click Traffic Monitor.
The Traffic Viewer tool opens with the traffic session data in view.

See Also
"Scan Info Panel Overview " on page 72

Server Profiler
Use the Server Profiler to conduct a preliminary examination of a Web site to determine if certain Fortify
WebInspect settings should be modified. If changes appear to be required, the Profiler returns a list of
suggestions, which you may accept or reject.
For example, the Server Profiler may detect that authorization is required to enter the site, but you have
not specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Server Profiler's prompt to configure the required
information before continuing.
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found"
detection. This process is useful for Web sites that do not return a status "404 Not Found" when a client
requests a resource that does not exist (they may instead return a status "200 OK," but the response
contains a message that the file cannot be found). If the Profiler determines that such a scheme has
been implemented in the target site, it would suggest that you modify the Fortify WebInspect setting to
accommodate this feature. 
The Server Profiler can be selected during a Guided Scan, or enabled in the Application settings. For
specific information, see "Application Settings: Server Profiler" on page 410.
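The "file-not-found" detection decision described above, as an added Python example that is not the Server Profiler's own logic; the Profiler's real heuristics are not documented here, so the phrase list, the body-similarity threshold, and the probe responses are constructed assumptions.

```python
# Added example (not Fortify code): decide from probe responses whether a site answers
# requests for nonexistent resources with "200 OK" plus a not-found message, which is
# the situation in which the file-not-found detection setting should be enabled.
import difflib

# Phrases that commonly signal a custom "not found" page served with 200 OK (constructed list).
NOT_FOUND_PHRASES = ("not found", "cannot be found", "does not exist", "no such page")


def parse_response(raw):
    """Split a raw HTTP response into (status code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return int(head.split(" ", 2)[1]), body


def needs_file_not_found_detection(probe_responses):
    """Return (verdict, reason); True means missing resources are hidden behind 200 OK.

    probe_responses: raw HTTP responses to requests for resources that cannot exist
    (for example, random file names under the site root)."""
    parsed = [parse_response(r) for r in probe_responses]
    if parsed and all(status == 404 for status, _ in parsed):
        return False, "server answers 404 for missing resources"
    bodies = [body for status, body in parsed if status == 200]
    if not bodies:
        return False, "no 200 OK answers to the missing-resource probes"
    text = " ".join(bodies).lower()
    for phrase in NOT_FOUND_PHRASES:
        if phrase in text:
            return True, f"200 OK body contains '{phrase}'"
    # One canned page for unrelated missing paths shows up as near-identical bodies.
    if len(bodies) > 1:
        ratio = difflib.SequenceMatcher(None, bodies[0], bodies[-1]).ratio()
        if ratio > 0.9:
            return True, f"200 OK bodies for different missing paths are {ratio:.0%} alike"
    return False, "200 OK answers differ and carry no not-found message"


# Constructed probe responses, not captured traffic.
SOFT_404 = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Sorry, that page cannot be found.</h1>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Sorry, that page cannot be found.</h1>",
]
REAL_404 = ["HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"]

if __name__ == "__main__":
    for name, probes in (("soft-404 site", SOFT_404), ("standard site", REAL_404)):
        print(name, "->", needs_file_not_found_detection(probes))
```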

Using the Server Profiler


You can use either of two methods to invoke the Server Profiler:
Launch Server Profiler as a Tool
Follow these steps to launch the Server Profiler:
 1. Click the Fortify WebInspect Tools menu and select Server Profiler.
 2. In the URL box, enter or select a URL or IP address.
 3. (Optional) If necessary, modify the Sample Size. Large Web sites may require more than the
default number of sessions to sufficiently analyze the requirements.
 4. Click Analyze.
The Profiler returns a list of suggestions (or a statement that no modifications are necessary).
 5. To reject a suggestion, clear its associated check box.
 6. For suggestions that require user input, provide the requested information.
 7. (Optional) To save the modified settings to a file:
 a. Click Save Settings.
 b. Using a standard file-selection window, save the settings to a file in your Settings directory.

Invoke Server Profiler when Starting a Scan


Follow these steps to launch the profiler when beginning a scan:
 1. Start a scan using one of the following methods:
 l On the Fortify WebInspect Start Page, click Start a Basic Scan.
 l Click File > New > Basic Scan.
 l Click the drop-down arrow on the New icon (on the toolbar) and select Basic Scan.
 l On the Fortify WebInspect Start Page, click Manage Scheduled Scans, click Add, and then
select Basic Scan.
 2. On step 4 of the Scan Wizard (Detailed Scan Configuration), click Profile (unless Run Profiler
Automatically is selected).
The Profiler returns a list of suggestions (or a statement that no modifications are necessary).
 3. To reject a suggestion, clear its associated check box.
 4. For suggestions that require user input, provide the requested information.
 5. Click Next.

Inspecting the Results


This topic describes inspecting the results for a Basic Scan and a Web Services Scan.

Basic Scan
As soon as you start a Basic Scan, Fortify WebInspect begins scanning your Web application and
displays in the navigation pane an icon depicting each session (using either the Site or Sequence view).
It also reports possible vulnerabilities on the Vulnerabilities tab and Information tab in the summary
pane. For more information, see "Navigation Pane" on page 61 and "Summary Pane" on page 97.
If you click a URL listed in the summary pane, the program highlights the related session in the
navigation pane and displays its associated information in the information pane. For more information,
see "Information Pane " on page 71.
Sometimes the attack that detected a vulnerable session is not listed under attack information. That is, if
you select a vulnerable session in the navigation pane and then click Attack Info in the Session Info
panel, the attack information does not appear in the information pane. This is because attack
information is usually associated with the session in which the attack was created and not with the
session in which it was detected. When this occurs, select the parent session and then click Attack Info.
For more information, see "Session Info Panel Overview " on page 82.

Working with One or More Vulnerabilities


If you right-click one or more vulnerabilities in the summary pane, a shortcut menu allows you to:
 l Copy URL - Copies the URL to the Windows clipboard.
 l Copy Selected Item(s) - Copies the text of selected items to the Windows clipboard.
 l Copy All Items - Copies the text of all items to the Windows clipboard.
 l Export - Copies the item to a CSV file.
 l View in Browser - Available if one vulnerability is selected; renders the HTTP response in a browser.
 l Filter by Current Value - Available if one vulnerability is selected; restricts the display of
vulnerabilities to those that satisfy the criteria you select. For example, if you right-click on "Post" in
the Method column and then select Filter by Current Value, the list displays only those
vulnerabilities that were discovered by sending an HTTP request that used the Post method.
Note: The filter criterion is displayed in the combo box in the upper right corner of the summary
pane. Alternatively, you can manually enter or select a filtering criterion using this combo box.
For additional details and syntax rules, see "Using Filters and Groups in the Summary Pane" on
page 235.

 l Change Severity - Allows you to change the severity level.
 l Edit Vulnerability - Available if one vulnerability is selected; displays the Edit Vulnerabilities dialog,
allowing you to modify various vulnerability characteristics. For more information, see "Editing
Vulnerabilities" on page 242.
 l Rollup Vulnerabilities - Available if multiple vulnerabilities are selected; allows you to roll up the
selected vulnerabilities into a single instance that is prefixed with the tag “[Rollup]” in Fortify
WebInspect, Fortify WebInspect Enterprise, and reports. For more information, see "About
Vulnerability Rollup" on page 245.
Note: If you have selected a rolled up vulnerability, this menu option is Undo Rollup
Vulnerabilities.

 l Review Vulnerability - Available if one vulnerability is selected; allows you to retest the vulnerable
session, mark it as a false positive, or send it to Micro Focus Application Lifecycle Management
(ALM). For more information, see "Reviewing a Vulnerability " on page 240.
 l Mark as - Flags the vulnerability as either a false positive (and allows you to add a note) or as
ignored. In both cases, the vulnerability is removed from the list. You can view a list of all false
positives by selecting False Positives in the Scan Info panel. You can view a list of false positives and
ignored vulnerabilities by selecting Dashboard in the Scan Info panel, and then clicking the
hyperlinked number of deleted items in the statistics column.
Note: You can recover "false positive" and "ignored" vulnerabilities. See "Recovering Deleted
Items" on page 253 for details.

 l Send to - Converts the vulnerability to a defect and adds it to the Micro Focus Application Lifecycle
Management (ALM) database.
 l Remove Location - Removes the selected session from the navigation pane (both Site and
Sequence views) and also removes any associated vulnerabilities.
Note: You can recover removed locations (sessions) and their associated vulnerabilities. See
"Recovering Deleted Items" on page 253 for details.

 l Crawl - Available if one vulnerability is selected; re-crawls the selected URL.
 l Tools - Available if one vulnerability is selected; presents a submenu of available tools.
 l Attachments - Available if one vulnerability is selected; allows you to create a note associated with
the selected session, flag the session for follow-up, add a vulnerability note, or add a vulnerability
screenshot.

Working with a Group


If you right-click a group, a shortcut menu allows you to:
 l Collapse/Expand All Groups
 l Collapse/Expand Group
 l Copy URL
 l Copy Selected Item(s) 
 l Copy All Items
 l Export
 l Change Severity
 l Rollup Vulnerabilities
 l Mark as 
 l Send to
 l Remove Location

Understanding the Severity


The relative severity of a vulnerability listed in the summary pane is identified by its associated icon, as
described in the following table.

Icon          Description

Critical      A vulnerability wherein an attacker might have the ability to execute commands
              on the server or retrieve and modify private information.

High          Generally, the ability to view source code, files out of the Web root, and sensitive
              error messages.

Medium        Indicates non-HTML errors or issues that could be sensitive.

Low           Interesting issues, or issues that could potentially become higher ones.

Information   An interesting point in the site, or detection of certain applications or Web
              servers.

Working in the Navigation Pane


You can also select an object or session in the navigation pane and investigate the session using the
options available on the Session Info panel. For more information, see "Navigation Pane" on page 61
and "Session Info Panel Overview " on page 82.

Web Services Scan


Web services are programs that communicate with other applications (rather than with users) and
answer requests for information. Most Web services use Simple Object Access Protocol (SOAP) to send
XML data between the Web service and the client Web application that initiated the information
request. XML provides a framework to describe and contain structured data. The client Web application
can readily understand the returned data and display that information to the end user.
Web Services Scan Image

A client Web application that accesses a Web service receives a Web Services Description Language
(WSDL) document so that it understands how to communicate with the service. The WSDL document
describes the procedures included in the Web service, the parameters those procedures expect, and the
type of return information the client Web application will receive.
After selecting a session object in the navigation pane or on the Vulnerabilities tab of the summary
pane, you can select options from the Session Info panel. For more information, see "Navigation Pane"
on page 61, "Summary Pane" on page 97, and "Session Info Panel Overview " on page 82.
See Also
"Reviewing and Retesting" on page 250
"Auditing Web Services " on page 238
"Editing Vulnerabilities" on page 242
"User Interface Overview" on page 47
"Reviewing a Vulnerability " on page 240
"Recovering Deleted Items" on page 253

Search View
The Search view allows you to search across all sessions for various HTTP message components. For
example, if you select Response Raw from the drop-down and specify set-cookie as the search string,
Fortify WebInspect lists every session whose raw HTTP response includes the "set-cookie" command.

To use the Search view:


 1. In the navigation pane, click Search (at the bottom of the pane). For more information, see
"Navigation Pane" on page 61.
If all buttons are not displayed, click the Configure Buttons drop-down at the bottom of the
button list and select Show More Buttons.
 2. From the top-most list, select an area to search.
 3. In the combo box, type or select the string you want to locate.
 4. If the string represents a regular expression, select the Regular Expression check box. For more
information, see "Regular Expressions" on page 298.
 5. To find an entire string in the HTTP message that exactly matches the search string, select the
Match Whole String check box. The exact match is not case-sensitive.
This option is not available for certain search targets.
 6. Click Search.
See Also
"User Interface Overview" on page 47

Using Filters and Groups in the Summary Pane


This topic describes how to use filters and groups in the Summary Pane.

Using Filters
You can display a subset of items that match the criteria you specify using either of two methods:
 l Enter filter criteria using the combo box in the top right corner of the pane.
Note: Click the filter criteria box and press CTRL + Space to view a pop-up list of all available
filter criteria, and then enter a value for that criterion.

 l Right-click a value in any column and select Filter by Current Value from the shortcut menu.
This filtering capability is available on all Summary pane tabs except Scan Log.

No Filters
The following example shows unfiltered items on the Vulnerabilities tab.
Summary Pane with No Filters Image

Filtered by Method:Get
The following example is rendered after entering "Method:Get" in the filter criteria box.
Summary Pane with Filters Image

Note that the filtering criteria (Method:Get) appears in the combo box, which also contains a red X. Click
it to remove the filter and return the list to the original contents.

Specifying Multiple Filters


To specify multiple filters when typing criteria in the filter criteria combo box, insert a comma between
filters (such as Parameter:noteid, Method:GET).

Filter Criteria
You can enter the following identifiers:
 l check - Check name
 l cookienamerp - Cookie name in the HTTP response
 l cookienamerq - Cookie name in the HTTP request
 l cookievaluerp - Cookie value in the HTTP response
 l cookievaluerq - Cookie value in the HTTP request
 l duplicates - Duplicates detected by Fortify WebInspect Agent
 l filerq - File name and extension in the HTTP request
 l headernamerp - Header name in the HTTP response
 l headernamerq - Header name in the HTTP request
 l headervaluerp - Header value in the HTTP response
 l headervaluerq - Header value in the HTTP request
 l location - Path plus parameters identifying the resource
 l manual - A location added manually (syntax is manual:True or manual:False)
 l method - HTTP method (GET, POST)
 l methodrq - Method specified in HTTP request
 l parameters - Parameters specified in the HTTP request
 l path - Path identifying the resource (without parameters)
 l rawrp - Raw HTTP response
 l rawrq - Raw HTTP request
 l sessiondataid - Session data identifier (right-click on a session in the Navigation pane and select Filter
by Current Session)
 l severity - Severity assigned to a vulnerability (critical, high, medium, low)
 l stack - Stack trace returned by Fortify WebInspect Agent (syntax is stack:True or stack:False)
 l statuscode - HTTP status code
 l typerq - Type of request: query, post, or SOAP
 l vparam - The vulnerability parameter
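The filter syntax described above ("Method:Get", comma-separated criteria such as "Parameter:noteid, Method:GET", and the identifiers in the list), as an added Python parser and matcher that is not Fortify WebInspect code; it covers a subset of the identifiers, and the Finding shape, the sample rows, the case-insensitive exact-versus-substring matching rule, the AND combination of criteria, and the "Parameter" alias are assumptions of this model.

```python
# Added model of Summary-pane filter criteria (not Fortify WebInspect code).
from dataclasses import dataclass


@dataclass
class Finding:
    """One row of the Vulnerabilities tab (constructed shape, an assumption of this model)."""
    check: str
    method: str
    path: str
    parameters: str
    statuscode: int
    severity: str
    rawrq: str
    rawrp: str
    manual: bool = False


def _headers(raw):
    """Header (name, value) pairs of a raw HTTP message; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


# Identifiers from the list above that this model resolves, each mapped to a getter.
FIELDS = {
    "check": lambda f: f.check,
    "method": lambda f: f.method,
    "methodrq": lambda f: f.rawrq.split(" ", 1)[0],
    "path": lambda f: f.path,
    "parameters": lambda f: f.parameters,
    "location": lambda f: f.path + ("?" + f.parameters if f.parameters else ""),
    "statuscode": lambda f: f.statuscode,
    "severity": lambda f: f.severity,
    "manual": lambda f: f.manual,
    "rawrq": lambda f: f.rawrq,
    "rawrp": lambda f: f.rawrp,
    "headernamerq": lambda f: [n for n, _ in _headers(f.rawrq)],
    "headervaluerq": lambda f: [v for _, v in _headers(f.rawrq)],
    "headernamerp": lambda f: [n for n, _ in _headers(f.rawrp)],
    "headervaluerp": lambda f: [v for _, v in _headers(f.rawrp)],
}
# Assumed matching rule: these compare case-insensitively for equality, the rest by substring.
EXACT = {"check", "method", "methodrq", "path", "statuscode", "severity", "manual"}
# The multiple-filter example above writes "Parameter:noteid"; accepted as an alias (assumption).
ALIASES = {"parameter": "parameters"}


def parse_filter(text):
    """Parse 'Parameter:noteid, Method:GET' into [('parameters', 'noteid'), ('method', 'GET')]."""
    criteria = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if ":" not in part:
            raise ValueError(f"criterion must be identifier:value, got {part!r}")
        ident, value = part.split(":", 1)
        ident = ident.strip().lower()
        ident = ALIASES.get(ident, ident)
        if ident not in FIELDS:
            raise ValueError(f"unknown filter identifier {ident!r}")
        criteria.append((ident, value.strip()))
    return criteria


def _matches(finding, ident, value):
    """True when the finding's field satisfies one criterion (list fields match on any entry)."""
    actual = FIELDS[ident](finding)
    candidates = actual if isinstance(actual, list) else [actual]
    wanted = value.lower()
    if ident in EXACT:
        return any(str(c).lower() == wanted for c in candidates)
    return any(wanted in str(c).lower() for c in candidates)


def apply_filter(findings, text):
    """Return the findings that satisfy every comma-separated criterion (criteria are ANDed)."""
    criteria = parse_filter(text)
    return [f for f in findings if all(_matches(f, i, v) for i, v in criteria)]


# Constructed sample findings, not real scan data.
SAMPLE = [
    Finding("Cross-Site Scripting", "GET", "/app/notes.aspx", "noteid=12", 200, "critical",
            "GET /app/notes.aspx?noteid=12 HTTP/1.1\r\nHost: app.example\r\n\r\n",
            "HTTP/1.1 200 OK\r\nSet-Cookie: sid=1\r\nContent-Type: text/html\r\n\r\n<html>"),
    Finding("SQL Injection", "POST", "/app/login.aspx", "user=a&pass=b", 500, "critical",
            "POST /app/login.aspx HTTP/1.1\r\nHost: app.example\r\n\r\nuser=a&pass=b",
            "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\nerror"),
    Finding("Directory Listing", "GET", "/images/", "", 200, "low",
            "GET /images/ HTTP/1.1\r\nHost: app.example\r\n\r\n",
            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nIndex of /images/", manual=True),
]

if __name__ == "__main__":
    for text in ("Method:Get", "Parameter:noteid, Method:GET", "headernamerp:set-cookie"):
        print(f"{text!r:35} -> {[f.check for f in apply_filter(SAMPLE, text)]}")
```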

Using Groups
You can group items into categories based on the column headings. To do so, simply drag the heading
and drop it on the grouping area at the top of the pane.
Vulnerabilities in the following illustration are grouped by risk and then by check name.
Summary Pane Using Groups Image

If you right-click a column header, Fortify WebInspect displays the following shortcut menu:
 l Group by Field - Groups vulnerabilities according to the field you selected.
 l Group by Box - Shows the "Group By" area in which you can arrange grouping by column headers.
 l Columns - Allows you to select which columns are displayed.
 l Save as Default View - Saves the current grouping paradigm as the default for all scans.
 l Reset Default View - Restores the grouping paradigm to the default view that you created.
 l Reset Factory Settings - Restores the grouping paradigm to the original view (Severity > Check).

Auditing Web Services


Web services are programs that communicate with other applications (rather than with users) and
answer requests for information. Most Web services use Simple Object Access Protocol (SOAP) to send
XML data between the Web service and the client Web application that initiated the information
request. Unlike HTML, which only describes how Web pages are displayed, XML provides a framework
to describe and contain structured data. The client Web application can readily understand the returned
data and display that information to the end user.
A client Web application that accesses a Web service receives a Web Services Description Language
(WSDL) document so that it understands how to communicate with the service. The WSDL document
describes what programmed procedures the Web service includes, what parameters those procedures
expect, and the type of return information the client Web application will receive.
Web Services Scan Image

Options Available from the Session Info Panel


The following table describes the options that are available from the Session Info panel.

Option Definition

Vulnerability Displays the vulnerability information for the session selected in the navigation
pane. For more information, see "Navigation Pane" on page 61.

HTTP Request Displays the raw HTTP request sent by Fortify WebInspect to the server hosting
the site you are scanning.

HTTP Response Displays the server's raw HTTP response to Fortify WebInspect's request.

Note: If you select a Flash (.swf) file, Fortify WebInspect displays HTML
instead of binary data. This allows Fortify WebInspect to display links in a
readable format.

Stack Traces This feature is designed to support Fortify WebInspect Agent when it is installed
and running on the target server. For certain checks (such as SQL injection,
command execution, and cross-site scripting), Fortify WebInspect Agent
intercepts Fortify WebInspect HTTP requests and conducts runtime analysis on
the target module. If this analysis confirms that a vulnerability exists, Fortify
WebInspect Agent appends the stack trace to the HTTP response. Developers
can analyze this stack trace to investigate areas that require remediation.

Attachments Displays all notes, flags, and screenshots associated with the selected session.
To create an attachment, do one of the following:
 • Right-click an operation or vulnerability in the navigation pane and select
Attachments from the shortcut menu.
 • Right-click a URL on the Vulnerabilities tab of the summary pane and select
Attachments from the shortcut menu. For more information, see "Summary
Pane" on page 97.
 • Select an operation or vulnerability in the navigation pane, then select
Attachments from the Session Info panel and click the Add menu (in the
information pane).
Fortify WebInspect automatically adds a note to the session information
whenever you send a defect to Micro Focus Application Lifecycle Management
(ALM).

Web Service Displays an exploded view of the SOAP envelope, header, and body elements
Request for the request.

Web Service Displays an exploded view of the SOAP envelope, header, and body elements
Response for the response.

XML Request Displays the associated XML schema embedded in the request (available when
selecting the WSDL object during a Web Service scan).

XML Response Displays the associated XML schema embedded in the response (available when
selecting the WSDL object during a Web Service scan).

For more information on how to conduct a Web services vulnerability scan, see "Running a Web Service
Scan " on page 157.

Reviewing a Vulnerability
After you conduct a scan and report discovered vulnerabilities, developers may correct their code and
update the site. You can then open the original scan, select the once-vulnerable session (now
supposedly remediated), and select Review Vulnerability from the shortcut menu. Assuming that the
fundamental architecture of the site has not changed, you can verify that the threat no longer exists
without rescanning the entire site (which, in some cases, could require several hours or even days).
Alternatively, you can use this feature simply to double-check a reported vulnerability, even while the
scan is still running.
To review a vulnerability:
 1. Right-click a session from the Navigation pane (or right-click a URL on the Vulnerability tab of the
Summary pane). For more information, see "Navigation Pane" on page 61 and "Summary Pane" on
page 97.
 2. Select Review Vulnerability from the shortcut menu.
The Retest Vulnerability window appears.
 3. If you want to access the site through Web Proxy, click Options and select Launch and Direct
Traffic through Web Proxy.
 4. If multiple vulnerabilities are associated with the selected session, choose one from the
Vulnerabilities to Review list.
 5. Use the tabs to display information about the original session (as selected in the lower pane under
the URL column):
 • Browser - The server's response, as rendered in a browser.
 • Request - The raw HTTP request message.
 • Response - The raw HTTP response message.
 • Stack Trace - A report of the active stack frames at a certain point in time during the execution
of a program. This tab is present only when Fortify WebInspect Agent is running on the target
server.
 • Vulnerability - A description of the vulnerability, its implications, and suggestions on how to fix
it.
 • Attachments - Notes and screen shots, which you may add, view, edit, or delete.
 6. To retest the session for the selected vulnerability, click Retest.

Results of the retest appear on the Status bar and in the lower pane in the Response Match
Status column.
The status is reported as either "Complete (Vulnerability Detected)" or "Complete (Vulnerability Not
Detected)."
Important! Fortify does not recommend retesting vulnerabilities in scans created using earlier
versions of Fortify WebInspect. While retesting scans from earlier versions may work in many
instances, it is not always reliable because individual checks may not flag the same vulnerability
during a retest. Failure of a check to flag the same vulnerability while retesting a scan from an
earlier version of Fortify WebInspect may not mean the vulnerability has been remediated.

How much trust to place in that verdict is indicated by the Response Match Status, which may have
the following values:
 • Match - The resource has not changed significantly; Fortify WebInspect was able to access the
session via the same path used by the original scan.
 • Inconclusive - Based on the HTTP response, the resource has changed enough that the retest
verdict (detected or not detected) may not be trustworthy.
 • Different - The HTTP response is radically different from the response received during the
original scan, suggesting major changes to the resource. Treat "Vulnerability Not Detected" with
this status as unverified rather than as evidence of a fix.
 7. If you think that Fortify WebInspect has erroneously determined that the vulnerability exists, you
can remove the vulnerability by clicking Mark as and selecting False Positive from the drop-down
list.
 8. To ignore the vulnerability, click Mark as and select Ignored from the drop-down list.
 9. To convert one or more vulnerabilities to defects and add them to the Micro Focus Application
Lifecycle Management (ALM) database, click Send To and select Micro Focus ALM.  
Note: If you access the Vulnerability Review window from the Vulnerability Compare window,
the Mark As and Send To buttons are not enabled.

See Also
"Reviewing and Retesting" on page 250
"Sending Vulnerabilities to Micro Focus ALM " on page 254
"Mark As False Positive" on page 247

Adding/Viewing Vulnerability Screenshot


To add a vulnerability screenshot: 
 1. Do one of the following to select a vulnerability:
 • On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL. For more information, see "Summary Pane" on page 97.
 • On the Navigation pane, right-click a vulnerable session or URL. For more information, see
"Navigation Pane" on page 61.
 2. On the shortcut menu, click Attachments > Add Vulnerability Screenshot.
Note: An alternative method is to select a vulnerability, click Attachments in the Session Info
panel, and then select a command from the Add menu (in the information display area). For
more information, see "Information Pane " on page 71.

 3. If you selected a session with multiple vulnerabilities, select the check box next to one or more
vulnerabilities.
 4. Enter a name (40 characters max.) for the screenshot in the Name box.
 5. Select an image file, using one of the following methods:
 • Click the browse button and choose a file with the standard file-selection window.
 • Click Copy from Clipboard to save the contents of the Windows clipboard.
Note: You can specify only one image file even if you have selected multiple vulnerabilities.

 6. (Optional) Enter a note related to the vulnerability screenshot you selected.
 7. Click OK.

Viewing Screenshots for a Selected Session


You can view notes, flags, and screenshots for a selected session by clicking Attachments on the
Session Info panel.

Viewing Screenshots for All Sessions


You can view notes, flags, and screenshots for all sessions by clicking Attachments on the Scan Info
panel.
See Also
"Vulnerability Note" on page 249
"Flag Session for Follow-Up" on page 247
"Scan Note" on page 248

Editing Vulnerabilities
After Fortify WebInspect assesses your application’s vulnerabilities, you may want to edit and save the
results for a variety of reasons, including:
 • Security - If an HTTP request or response contains passwords, account numbers, or other sensitive
data, you may want to delete or modify this information before making the scan results available to
other persons in your organization.
 • Correction - Fortify WebInspect occasionally reports a “false positive.” This occurs when Fortify
WebInspect detects indications of a possible vulnerability, but further investigation by a developer
determines that the problem does not actually exist. You can delete the vulnerability from the session
or delete the entire session. Alternatively, you can designate it as a false positive (right-click the
session in either the Site or Sequence view and select Mark As False Positive).
 • Severity Modification - If you disagree with Fortify WebInspect’s ranking of a vulnerability, you can
assign a different level, using the following scale:

Range      Severity
0 - 9      Normal
10         Information
11 - 25    Low
26 - 50    Medium
51 - 75    High
76 - 100   Critical

 • Record Keeping - You can modify any of the report fields associated with an individual vulnerability
(Summary, Execution, Recommendation, Implementation, Fixes, and References). For example, you
could add a paragraph to the Fixes section describing how you actually fixed the problem.
 • Enhancement - If you discover a new vulnerability, you could define it and add it to a session as a
custom vulnerability.
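The Security item above is the one most worth automating: a scan export should not leave the team with live credentials in it. The following Python is an added example, not WebInspect's own code, that scrubs a raw HTTP request or response before it is shared. The header and parameter names it treats as sensitive, the Luhn filter used to tell card numbers from order numbers, and the two sample messages are assumptions constructed for this illustration.

```python
"""Scrub secrets from raw HTTP request/response text before scan results are shared.
Added example, not WebInspect's code; header names, parameter names and the
sample messages are assumptions constructed for this illustration."""
import re
from urllib.parse import parse_qsl, urlencode

MASK = "REDACTED"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token", "ssn", "card", "cvv"}
JSON_KEY_RE = re.compile(r'("(?:%s)"\s*:\s*)"[^"]*"' % "|".join(sorted(SENSITIVE_PARAMS)), re.I)
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check so order numbers and timestamps are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask digit runs that pass the Luhn check (likely card numbers)."""
    return PAN_RE.sub(lambda m: MASK if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0), text)


def redact_form(query: str) -> str:
    """Mask values of sensitive keys in a form body or query string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if not pairs:
        return query
    return urlencode([(k, MASK if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs])


def redact_request_line(line: str) -> str:
    """Secrets also travel in the query string of the request line."""
    parts = line.split(" ")
    if len(parts) == 3 and "?" in parts[1]:
        path, _, query = parts[1].partition("?")
        parts[1] = path + "?" + redact_form(query)
    return " ".join(parts)


def redact_http_message(raw: str) -> str:
    """Redact headers, then the body according to its Content-Type, then any card numbers."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [redact_request_line(lines[0])]
    content_type = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname == "content-type":
            content_type = value.strip().lower()
        out.append(f"{name.strip()}: {MASK}" if lname in SENSITIVE_HEADERS else line)
    if "application/x-www-form-urlencoded" in content_type:
        body = redact_form(body)
    elif "json" in content_type:
        body = JSON_KEY_RE.sub(r'\1"%s"' % MASK, body)
    return "\r\n".join(out) + sep + redact_pans(body)


# Constructed sample messages (not captured from any real system).
SAMPLE_REQUEST = (
    "POST /account/login?next=%2Fhome&token=7f3a9c HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: JSESSIONID=9A1B2C3D4E\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=Sup3rSecret%21&card=4111111111111111"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user": "alice", "token": "zzz-secret", "note": "paid with 4111 1111 1111 1111", "order": "1234567890123"}'
)

if __name__ == "__main__":
    print(redact_http_message(SAMPLE_REQUEST))
    print(redact_http_message(SAMPLE_RESPONSE))
```

Redaction changes the raw text, so a scrubbed session is no longer a faithful reproduction of the finding; keep the unredacted scan under access control and share the scrubbed copy.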

Editing a Vulnerable Session


To edit a vulnerable session:
 1. Do one of the following to select a session:
 • On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a
vulnerable URL, or
 • On the navigation pane, right-click a session or URL.
 2. Select Edit Vulnerability from the shortcut menu.
The Edit Vulnerabilities window opens.

 3. Select a vulnerability (if the session includes multiple vulnerabilities).


 4. To add an existing vulnerability to the session (that is, one that exists in the database), click Add
Existing.
 a. On the Add Existing Vulnerability window, enter part of a vulnerability name, or a complete
vulnerability ID number or type.
Note: The * and % characters can be used interchangeably as wildcards. However, a
wildcard is allowed only at the beginning, at the end, or at the beginning and end of a
string. If placed within a string (such as "mic*soft,"), these characters will not function as
wildcards.

 b. Click Search.


 c. Select one or more of the vulnerabilities returned by the search.
 d. Click OK.
 5. To add a custom vulnerability, click Add Custom.
You can then edit the vulnerability as described in Step 7.
 6. To delete the vulnerability from the selected session, click Delete.
 7. To modify the vulnerability, select different options from the Vulnerability Detail section. You
can also change the descriptions that appear on the Summary, Implication, Execution, Fix, and
Reference Info tabs.
 8. Click OK to save the changes.

About Vulnerability Rollup


Some sites contain a vulnerability class that is endemic throughout the site. For example, a cross-site
scripting vulnerability may exist in every POST and GET method for every parameter on an entire site
due to lack of input validation. This means that numerous cross-site scripting vulnerabilities will be listed
on the Vulnerabilities tab in the summary pane. To prevent overwhelming your development team, you
can roll up such vulnerabilities into a single instance that is prefixed with the tag “[Rollup]” in Fortify
WebInspect, Fortify WebInspect Enterprise, and reports.

What Happens to Rolled Up Vulnerabilities


When you select multiple vulnerabilities and use the rollup feature, all vulnerabilities except the first
selected vulnerability are marked as ignored. The first selected vulnerability remains visible and
represents the rollup. Although the rest of the selected vulnerabilities are marked as ignored, they do
not appear as ignored vulnerabilities in the Recover Deleted Items window.

Caution! Rolling up vulnerabilities indicates that they share the same root cause, and that fixing the
root cause will fix all rolled up vulnerabilities. Future scans will automatically ignore rolled up
vulnerabilities if found. If any of the rolled up vulnerabilities do not share the same root cause, they
will still be ignored.

Rollup Guidelines
The following guidelines apply to vulnerability rollup:
 • Scans that include vulnerability rollups can be rescanned and bulk retested.
 • Only the visible vulnerability is retested during bulk retest. The rest of the vulnerabilities are ignored
and will not show up as rolled up on the retest.
 • Rollup is local to a scan and is not propagated between scans.
 • Rollup works only when you select multiple vulnerabilities that have not been rolled up. Inadvertently
selecting a currently rolled up vulnerability will prevent the Rollup Vulnerability option from
appearing in the shortcut menu.
 • You can only undo a rollup if you single select a vulnerability that is currently rolled up.
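The rules above (all but the first selection marked ignored, no rollup of an already rolled-up item, undo only on a single selection) can be checked in code. The Python below is an added example, not WebInspect's implementation: it models a scan's findings, suggests rollup candidates from the same check on the same parameter name, and adds one guard the product does not enforce, refusing to fold findings from different checks, because the Caution above says they would otherwise stay ignored in future scans. The Finding fields, check names and sample URLs are constructed assumptions.

```python
"""Model of vulnerability rollup: findings that share a root cause collapse into one
visible representative, the rest are marked ignored, and a note records the URLs.
Added example, not WebInspect's code; the Finding fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

TAG = "[Rollup] "


@dataclass
class Finding:
    id: int
    check: str                  # check name (constructed values below)
    url: str
    parameter: str
    ignored: bool = False
    rolled_into: Optional[int] = None              # id of the visible representative
    rollup_of: list = field(default_factory=list)  # ids folded into this representative


class RollupError(ValueError):
    pass


def in_rollup(f: Finding) -> bool:
    return f.rolled_into is not None or bool(f.rollup_of)


def visible(findings):
    return [f for f in findings if not f.ignored]


def suggest_groups(findings):
    """Candidate rollups: the same check on the same parameter name across several
    URLs is the usual signature of one missing validation routine."""
    groups = defaultdict(list)
    for f in findings:
        if not f.ignored:
            groups[(f.check, f.parameter)].append(f.id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def rollup(findings, selected_ids):
    """Fold the selected findings into the first one selected; return the note text."""
    by_id = {f.id: f for f in findings}
    sel = [by_id[i] for i in selected_ids]
    if len(sel) < 2:
        raise RollupError("select at least two findings")
    if any(in_rollup(f) for f in sel):
        raise RollupError("a selected finding is already part of a rollup")
    # Guard beyond what the product enforces: folded findings stay ignored in future
    # scans whether or not they share a cause, so refuse to mix different checks.
    if len({f.check for f in sel}) > 1:
        raise RollupError("selected findings come from different checks")
    rep, rest = sel[0], sel[1:]
    name = rep.check
    for f in rest:
        f.ignored = True
        f.rolled_into = rep.id
    rep.rollup_of = [f.id for f in rest]
    rep.check = TAG + name
    lines = [f"  {f.url} (parameter: {f.parameter})" for f in sel]
    return f"Rolled up {len(sel)} findings of {name}:\n" + "\n".join(lines)


def undo_rollup(findings, selected_ids):
    """Reverse a rollup; only a single selection is accepted."""
    if len(selected_ids) != 1:
        raise RollupError("undo requires exactly one selected finding")
    by_id = {f.id: f for f in findings}
    f = by_id[selected_ids[0]]
    rep = by_id[f.rolled_into] if f.rolled_into is not None else f
    if not rep.rollup_of:
        raise RollupError("selection is not part of a rollup")
    for i in rep.rollup_of:
        by_id[i].ignored = False
        by_id[i].rolled_into = None
    rep.rollup_of = []
    if rep.check.startswith(TAG):
        rep.check = rep.check[len(TAG):]


def sample_findings():
    """Constructed findings: one unvalidated 'q' parameter echoed on three pages."""
    xss = "Cross-Site Scripting: Reflected"
    return [
        Finding(1, xss, "https://app.example.test/search", "q"),
        Finding(2, xss, "https://app.example.test/catalog", "q"),
        Finding(3, xss, "https://app.example.test/help", "q"),
        Finding(4, xss, "https://app.example.test/profile", "name"),
        Finding(5, "SQL Injection", "https://app.example.test/orders", "id"),
    ]
```

Run suggest_groups before rolling anything up; a group keyed on the same check and parameter is a hint, not proof, and the analyst still has to confirm one validation routine is behind all of them.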

Rolling Up Vulnerabilities
To roll up vulnerabilities:
 1. On the Vulnerabilities tab in the summary pane, select several vulnerabilities to roll up.
 2. Right-click and select Rollup Vulnerabilities from the shortcut menu.
The following warning appears:

Rolling up these vulnerabilities indicates that they share the same root cause, and that fixing the
root cause will fix all rolled up vulnerabilities. Future scans will automatically ignore rolled up
vulnerabilities if found. If any of these vulnerabilities do not share the same root cause, they will still
be ignored. Do you wish to continue?
 3. Do one of the following:
 • Click OK to roll up the vulnerabilities.
 • Click Cancel to leave the vulnerabilities as they are.
If you click OK, the selected vulnerabilities are rolled into a single instance and the check name is
prefixed with the tag “[Rollup]”. Additionally, a note is added to the Attachments
on the Session Info panel detailing the URLs that were rolled up and affected by the same
vulnerability. For more information, see "Viewing Notes for a Selected Session" on page 250.

Undoing Rollup
The rollup feature is reversible. To undo a rollup:
 1. On the Vulnerabilities tab in the summary pane, right-click any vulnerability that has been rolled
up.
 2. Select Undo Rollup Vulnerabilities.
The rollup is reversed, and the vulnerabilities appear on the Vulnerabilities tab. Additionally, the
note detailing the rolled up vulnerabilities is removed from the Attachments on the Session Info
panel.
Note: If you undo a rollup in a scan that has been published to Fortify Software Security
Center, the note that was added to the Attachments on the Session Info panel detailing the
roll up will be removed temporarily from Fortify WebInspect, but will reappear after
synchronization with Fortify Software Security Center.

See Also
"Vulnerabilities Tab" on page 98

Mark As False Positive


If you think that Fortify WebInspect has erroneously determined that a session contains a vulnerability,
you can remove the vulnerability from the session.
To mark as false positive:
 1. Select the check box associated with one or more URLs.
 2. (Optional) Enter a comment.
 3. (Optional) To notify Fortify Customer Support personnel that you have found what you believe to
be a false positive, select Send to Micro Focus Support.
If you select this option, you may also select Preview Data Upload, which allows you to view the
contents of the data being sent to Fortify Customer Support. At that time, you can copy the data
to the Windows clipboard, cancel the upload, or allow it to proceed (by clicking OK).
 4. Click OK.
Tip: To view a list of all sessions that have been marked as false positives, select False Positives
from the Scan Info panel. Note that this option is not displayed until you actually declare a
vulnerability as a false positive.

Mark As Vulnerability
If you think that someone has erroneously reclassified a detected vulnerability as a false positive, you
can restore the vulnerability to its original session.
 1. Select the check box associated with one or more URLs.
 2. (Optional) Enter a comment.
 3. Click OK.

Flag Session for Follow-Up


To flag a session for follow-up:
 1. Do one of the following to select a session:
 • On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL.
 • On the Navigation pane, right-click a session or URL.
 2. On the shortcut menu, click Attachments > Flag Session for Follow Up.
Note: You can also flag a session for follow-up by selecting a vulnerability or session, clicking
Attachments in the Session Info panel, and then clicking the Add menu (in the information
display area).

 3. Enter a note related to the session you selected.
 4. Click OK.

Viewing Flags for a Selected Session


You can view notes, flags, and screenshots for a selected session by clicking Attachments on the
Session Info panel.

Viewing Flags for All Sessions


You can view notes, flags, and screenshots for all sessions by clicking Attachments on the Scan Info
panel.

Scan Note
To add a scan note:
 1. Click Attachments on the Scan Info panel.
 2. Click Add and select Scan Note.
 3. On the Add Scan Note dialog box, enter a note related to the scan.
 4. Click OK.
To delete a scan note (or any attachment):
 1. Select the attachment.
 2. Click Delete.
See Also
"Adding/Viewing Vulnerability Screenshot" on page 241
"Vulnerability Note" on the next page
"Flag Session for Follow-Up" on the previous page

Session Note
To add a session note:
 1. Do one of the following to select a session:
 • On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL.
 • On the Navigation pane, right-click a session or URL.
 2. On the shortcut menu, click Attachments > Add Session Note.
Note: You can also add a session note by selecting a vulnerability or session, clicking
Attachments in the Session Info panel, and then clicking the Add menu (in the information
display area).

 3. Enter a note related to the session you selected.


 4. Click OK.

Viewing Notes for a Selected Session


You can view notes, flags, and screenshots for a selected session by clicking Attachments on the
Session Info panel.

Viewing Notes for All Sessions


You can view notes, flags, and screenshots for all sessions by clicking Attachments on the Scan Info
panel.
See Also
"Information Pane " on page 71
"Navigation Pane" on page 61
"Summary Pane" on page 97

Vulnerability Note
To add a vulnerability note: 
 1. Do one of the following to select a vulnerability:
 • On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL. For more information, see "Summary Pane" on page 97.
 • On the Navigation pane, right-click a vulnerable session or URL. For more information, see
"Navigation Pane" on page 61.
 2. On the shortcut menu, click Attachments > Add Vulnerability Note.
Note: An alternative method is to select a vulnerability, click Attachments in the Session Info
panel, and then click the Add menu (in the information display area). For more information, see
"Information Pane " on page 71.

 3. If you selected a session with multiple vulnerabilities, select the check box next to one or more
vulnerabilities.
 4. Enter a note related to the vulnerability (or vulnerabilities) you selected.
 5. Click OK.

Viewing Notes for a Selected Session


You can view notes, flags, and screenshots for a selected session by clicking Attachments on the
Session Info panel. If the selected session includes rolled up vulnerabilities, a note in the Description
area details the URLs that were rolled up and affected by the same vulnerability. For more information,
see "About Vulnerability Rollup" on page 245.

Viewing Notes for All Sessions


You can view notes, flags, and screenshots for all sessions by clicking Attachments on the Scan Info
panel.

Reviewing and Retesting


Fortify WebInspect offers several methods for reviewing or retesting discovered vulnerabilities. You
may:
 • Retest an individual vulnerability
 • Verify all vulnerabilities discovered in a scan
 • Rescan the entire site
 • Compare two scans of the same site

Review Individual Vulnerability


The Review feature is an extremely powerful tool for confirming that developers have fixed a specific
vulnerability without having to conduct an entirely new scan.
To review a vulnerability:
 1. Open a scan.
 2. Right-click a vulnerable session in the Navigation pane or right-click a single vulnerability on the
Vulnerability tab of the Summary pane. For more information, see "Navigation Pane" on page 61
and "Summary Pane" on page 97.
 3. Select Review Vulnerability from the shortcut menu.
 4. On the Vulnerability Review window, click Retest.
Fortify WebInspect resubmits the entire vulnerability path to the server, compares each result to the
original response, and displays the percentage of retest responses that match the original. This
indicates whether the vulnerability was accurately reproduced. Each HTTP request and response for the
original session and the retest session can be compared side by side, instantly revealing any significant
variations. Once the item has been confirmed as a vulnerability, you can submit the defect to Micro
Focus Application Lifecycle Management (ALM).

Important! Fortify does not recommend retesting vulnerabilities in scans created using earlier
versions of Fortify WebInspect. While retesting scans from earlier versions may work in many
instances, it is not always reliable because individual checks may not flag the same vulnerability
during a retest. Failure of a check to flag the same vulnerability while retesting a scan from an earlier
version of Fortify WebInspect may not mean the vulnerability has been remediated.

For more information, see "Reviewing a Vulnerability " on page 240.
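The retest mechanics described here and under "Reviewing a Vulnerability" (the attack is re-sent, the check's evidence is looked for again, and the new response is compared with the original and classified as Match, Inconclusive, or Different) can be modelled in a few dozen lines. The following Python is an added example, not WebInspect's code: the similarity thresholds, the reflected-XSS probe, and the three sample responses are constructed for illustration, and the point it makes is the one from the Important! note above, that "Not Detected" on a resource that has changed is not evidence of a fix.

```python
"""Model of a vulnerability retest: re-check the evidence in the new response, then
qualify that verdict with how much the resource changed since the original scan
(Match / Inconclusive / Different). Added example, not WebInspect's code."""
import difflib
import re

# Similarity cut-offs are assumptions for this example; the product's own thresholds
# are not documented on this page.
MATCH_MIN = 0.85
DIFFERENT_MAX = 0.50

# Constructed reflected-XSS probe and the evidence proving it came back unencoded.
PROBE = "<script>alert(1)</script>"
EVIDENCE = re.compile(re.escape(PROBE))


def split_http_response(raw: str) -> tuple[str, dict, str]:
    """Split a raw HTTP response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def normalize(body: str) -> str:
    """Mask volatile content so routine churn is not mistaken for a changed resource."""
    body = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}", "<TS>", body)
    body = re.sub(r"(?i)\b(csrf|nonce|token|sessionid)=[\w.-]+", r"\1=<TOKEN>", body)
    return body


def response_match_status(original: str, retest_response: str) -> tuple[str, float]:
    """Classify how much the resource changed between the original scan and the retest."""
    o_status, _, o_body = split_http_response(original)
    r_status, _, r_body = split_http_response(retest_response)
    if o_status != r_status:
        return "Different", 0.0          # a changed status code is a changed resource
    matcher = difflib.SequenceMatcher(None, normalize(o_body), normalize(r_body), autojunk=False)
    ratio = matcher.ratio()
    if ratio >= MATCH_MIN:
        return "Match", ratio
    if ratio <= DIFFERENT_MAX:
        return "Different", ratio
    return "Inconclusive", ratio


def retest(original: str, retest_response: str) -> dict:
    """The reviewer's verdict: is the evidence still there, and can the comparison be
    trusted? 'Not Detected' on a 'Different' resource does not confirm a fix."""
    detected = EVIDENCE.search(split_http_response(retest_response)[2]) is not None
    status, ratio = response_match_status(original, retest_response)
    return {
        "vulnerability_detected": detected,
        "response_match_status": status,
        "similarity": round(ratio, 3),
        "remediation_confirmed": (not detected) and status == "Match",
    }


def _page(reflected: str, stamp: str) -> str:
    """Constructed search-results page that echoes the query parameter."""
    return (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body>\n"
        '<ul><li><a href="/">Home</a></li><li><a href="/catalog">Catalog</a></li>'
        '<li><a href="/account">Account</a></li></ul>\n'
        "<h1>Search results</h1>\n"
        f"<p>You searched for: {reflected}</p>\n"
        "<p>No results found. Try another query.</p>\n"
        f"<p>Generated {stamp}</p>\n"
        "<footer>Example Corp - all rights reserved</footer>\n"
        "</body></html>"
    )


# Constructed responses: the original finding and three possible retest outcomes.
ORIGINAL = _page(PROBE, "2019-11-05 10:15:00")
STILL_VULNERABLE = _page(PROBE, "2019-11-19 08:02:41")
FIXED = _page("&lt;script&gt;alert(1)&lt;/script&gt;", "2019-11-19 08:02:41")
GONE = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    for name, resp in [("still vulnerable", STILL_VULNERABLE), ("fixed", FIXED), ("gone", GONE)]:
        print(name, retest(ORIGINAL, resp))
```

Only the FIXED case yields remediation_confirmed: the evidence is gone and the page is otherwise the same. The GONE case also reports no evidence, but a 404 in place of the original page says nothing about whether the injection point was fixed or merely moved.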

Retest Vulnerabilities
This type of scan examines only those portions of the target site in which vulnerabilities were detected
during the original scan. Fortify WebInspect does not conduct a new crawl of the site, but simply
retraces the path of vulnerable sessions (as recorded in the original scan) and attacks the resources
using the same checks previously employed.
To retest all vulnerabilities:
 1. Do one of the following:
 • Open a scan.
 • Select a scan on the Manage Scans pane of the Start page.
 2. Click Rescan and select Retest Vulnerabilities.
The default name of the scan is "Site Retest - <original scan name>"; for example, the retest of a site
that originally resulted in a scan named MySite would produce a scan named Site Retest - MySite.
However, you can specify a different name when launching the scan.
Important! Fortify does not recommend retesting vulnerabilities in scans created using earlier
versions of Fortify WebInspect. While retesting scans from earlier versions may work in many
instances, it is not always reliable because individual checks may not flag the same vulnerability
during a retest. Failure of a check to flag the same vulnerability while retesting a scan from an
earlier version of Fortify WebInspect may not mean the vulnerability has been remediated.

 3. Use the Vulnerability tab in the Summary pane to view the results. The grid contains an additional
column named "Reproducible," which may contain the following values:
 • Not Found/Fixed - The vulnerability detected in the original scan was not found by the retest.
These vulnerabilities are displayed with gray text. You can conduct a vulnerability review and
retest of these items. The percentage in parentheses indicates a heuristic confidence level for
the determination.
 • Complete - Both the original scan and the retest detected the same vulnerability. In other
words, the vulnerability still exists.
 • New - The retest detected a vulnerability that was not reported in the original scan. This is most
likely attributable to content that was added to the resource after the original scan was
conducted.

Note: This bulk retest feature uses only those portions of a scan policy that revealed vulnerabilities
in the original scan. If new vulnerabilities have been introduced since then, they may be detectable
only by checks that were not used during the retest.

Also, because the retest does not use the entire policy, the name of the policy listed in the
dashboard statistics will be a dash (-).

For more information, see "Summary Pane" on page 97.

Rescan the Site


The Rescan feature allows you to transition easily from an open or selected scan into the scan wizard
with the original scan settings preloaded. You may wish to conduct an identical scan of an updated site
(using the same settings that were used for the original scan) to determine if previously discovered
vulnerabilities have been fixed and if new ones have been introduced. Alternatively, you might want to
tweak some of the settings to improve the crawl or audit. 
There are also several options for reusing a scan: Reuse Incremental, Reuse Crawl, Reuse Remediation,
and Reuse Crawl Remediation. For more information, see "Reusing Scans" on page 200.
The rescan functionality is available in two areas: the Rescan button on the scan toolbar and the
Rescan button (and shortcut menu) for a selected scan on the Manage Scans pane.
 1. Do one of the following:
 • Open a scan, click Rescan and select Scan Again.
 • On the Fortify WebInspect Start page, click Manage Scans; then select a scan and click Rescan.
 2. Using the Scan Wizard, you may optionally modify the settings that were used for the original scan.
Note: The scan name is set by default to <original_scan_name>-1. If you conduct a rescan of a
rescan, the integer appended to the default name will be incremented by one.

 3. On the last step of the Scan Wizard, click Scan.


Note: You cannot rescan the results of a "Retest Vulnerabilities" function.

Compare Scans
This feature allows you to compare the vulnerabilities revealed by two different scans of the same
target. You can use this information to: 
 • Verify fixes: Compare vulnerabilities detected in the initial scan with those in a subsequent scan of a
site in which the vulnerabilities were supposedly fixed.
 • Check on scan health: Change scan settings and verify that those changes expand the attack
surface.
 • Find new vulnerabilities: Determine if new vulnerabilities have been introduced in an updated
version of the site.
 • Investigate issues: Pursue anomalies such as false positives or missed vulnerabilities.
 • Compare authorization access: Conduct scans using two different user accounts to
discover vulnerabilities that are unique or common to both accounts.
 • Compare two instances of the same site: Conduct scans on two instances of the same site, such as
Production vs. Development, and compare findings.

Note: Data from both scans must be stored in the same database type (SQL Server Express Edition
vs. SQL Server Standard/Enterprise Edition).

To compare two scans, do one of the following:


 • From the Manage Scans page, select two scans and click Compare.
 • From a tab containing an open scan (which will be Scan A in the comparison):
 a. Click Compare.
 b. Select a scan from the list on the Scan Comparison window. This scan will be Scan B in the
comparison.
 c. Click Compare.
Note: If the open scan is a "site retest" (resulting from Rescan > Retest Vulnerabilities), Fortify
WebInspect automatically selects the parent scan for comparison. For example, if you created a
scan named "zero," and then verified vulnerabilities for that scan, the resulting scan would be
named (by default) "site retest - zero." With the retest scan open, if you select Compare, Fortify
WebInspect will compare "site retest - zero" with the parent scan "zero."

See Also
"Comparing Scans " on page 193
"Reviewing a Vulnerability " on page 240

Recovering Deleted Items


When you remove a session or "ignore" a vulnerability, Fortify WebInspect deletes the item from the
Navigation pane (in both the Site and Sequence views) and from the Vulnerabilities tab in the
Summary pane. It also omits those items from any reports you may generate.
The number of deleted items is displayed on the Dashboard (under the Scan category). To recover
removed sessions and ignored vulnerabilities:
 1. Click the highlighted number that appears next to the Deleted Items header.
The Recover Deleted Items window displays a list of deleted items.
 2. Click the drop-down list to toggle between ignored vulnerabilities and removed sessions.
 3. Select the check box next to one or more items you want to recover.
 4. To view detailed information about the items, select Show details when selected.
 5. Click Recover and then click Yes when prompted to verify your selection.
Recovered vulnerabilities reappear in the Navigation pane in both the Site and Sequence views (along
with their parent sessions) and also reappear in the Vulnerabilities tab in the Summary pane.
Recovered sessions also reappear in the Navigation pane along with any child sessions and their
vulnerabilities.
See Also
"Session Info Panel Overview " on page 82

Sending Vulnerabilities to Micro Focus ALM


You can convert one or more vulnerabilities to defects and add them to the Micro Focus Application
Lifecycle Management (ALM) database.
To send a vulnerability to your defect tracking system:
 1. Right-click a vulnerability in either the Navigation pane or the Summary pane. For more
information, see "Navigation Pane" on page 61 and "Summary Pane" on page 97.
 2. Select Send to and choose Micro Focus ALM.
 3. On the Send to dialog box, choose a profile from the Profile list.
If you need to create or edit a profile, click Manage to access the Fortify WebInspect Application
Settings. For more information, see "Application Settings: Micro Focus ALM" on page 422.
Note: If the selected profile maps a Fortify WebInspect vulnerability to "Do not publish" (based
on its severity level), the vulnerability will not be exported.

 4. To force the creation of a defect even if it has been previously reported, select Allow duplicate
defect assignment.
Fortify WebInspect recognizes duplicates only within the same scan. If you scan a site and send a
specific vulnerability to ALM, you can prevent Fortify WebInspect from sending that same
vulnerability if it is encountered again during that scan. However, if you conduct a subsequent scan
of that site and Fortify WebInspect again encounters that same vulnerability, Fortify WebInspect is
not programmatically aware that the vulnerability was sent to ALM during the previous scan.
 5. To close this dialog box after sending the defect(s), select Close when finished.
 6. If you have selected multiple vulnerabilities, you can exclude a vulnerability by removing the check
mark next to the ID number.
 7. Click Send.

Additional Information Sent


Fortify WebInspect will also add a note to the session information indicating that the defect was sent to
Micro Focus ALM, as illustrated by the following example:
Defect #30 was created in Micro Focus ALM.
Check ID: 182
CheckName: Dan-o Log Information Disclosure
Profile: Thack
Server URL: http://qbakervm2003/qcbin
Project: test3
Priority: 3-High
Severity: 1-Low

Note: If you receive the error message, "Error authenticating with Micro Focus ALM," see "Disabling
Data Execution Prevention " on the next page.

Disabling Data Execution Prevention

When you attempt to integrate with Micro Focus Application Lifecycle Management (ALM), you may
receive the error message:
Error authenticating with Micro Focus ALM.
If so, you must disable Microsoft's Data Execution Prevention (DEP). For instructions on changing DEP
settings, refer to your Windows documentation. Because DEP is an exploit-mitigation feature, prefer a
per-application exception for Fortify WebInspect over disabling it system-wide.

Generating a Report
You can launch the Report Generator using a variety of methods:
 l On the Start page, click Generate a Report in the left pane of the client area.
 l On the Fortify WebInspect toolbar, click Reports.
 l Click the Reports menu and select Generate Report.
 l On the Manage Scans form, right-click a scan name and select Generate Report.
 l With a scan open, right-click a session in the Site view and select Generate Session Report. For more
information, see "Site View" on page 63.
 l When scheduling scans.
To generate a report:
 1. Launch the Report Generator using one of the options listed above.
 2. Select one or more scans from the Select a Scan window.
 3. (Optional) Click Advanced (at the bottom of the window) to select options for saving reports and
for selecting a template for headers and footers.
 4. Click Next.
 5. (Optional) Select a report from the Favorites list.
Tip: "Favorites" is simply a named collection of one or more reports and their associated
parameters. To create a favorite once you have selected reports and parameters, click the
Favorites list and select Add to favorites.

 6. Select one or more reports. See "Standard Reports" on page 258 for report descriptions.
 7. Provide information for any parameters that may be requested. An exclamation mark indicates a
required parameter.
 8. If you want to display each report on a separate tab (rather than combining all reports on one tab),
select Open Reports in Separate Tabs.
 9. Click Finish.

Saving a Report
After Fortify WebInspect generates and displays the report, you can save it by clicking Save As on the
Report Viewer toolbar.
Reports can be saved in the following formats:
 l Adobe Portable Document Format (.pdf)
 l Hypertext Markup Language (.html)
 l Native Fortify WebInspect internal format (.raw)
 l Rich Text Format (.rtf)
 l Text (.txt)
 l Microsoft Excel (.xls)
See Also
"Standard Reports" on page 258
"Advanced Report Options" below
"Compliance Templates" on page 260
"Application Settings: Reports" on page 416

Advanced Report Options

The following table describes the advanced report options:

Save reports to disk
    Select this option to output a report to a file.

Automatically generate file name
    If you select this option when saving the report to disk, the name of the report file will be
    formatted as <reportname> <date/time>.<extension>. For example, if creating a compliance report in
    PDF format and the report is generated at 6:30 on April 5, the file name would be "Compliance
    Report 04_05_2009 06_30.pdf." This is useful for recurring scans.
     l If you select more than one report type, then <reportname> will be "Combined Reports."
     l Reports are written to the directory specified for generated reports in the Application settings.
    If you do not select Automatically generate file name, replace the default name "auto-gen-filename"
    with a file name.

Export Format
    Select a report format.

Header/Footer Report
    Select a format for the report's header and footer, and then enter or select the components.

Report Viewer
Use the toolbar to navigate through the report, print or save the report, and to add notes.

Item Description
1 Show / Hide Table of Contents
2 Print Report
3 Copy
4 Search
5 Single Page View
6 Multi-Page View
7 Continuous Scroll
8 Zoom Out
9 Zoom In
10 Magnification
11 Previous Page
12 Next Page
13 Current Page Number / Total Number of Pages
14 Page Backward
15 Page Forward
16 Annotation (see "Adding a Note" below)
17 Save Report

Note: The Backward and Forward buttons function in the same manner as the Back and Forward
buttons on a browser. They navigate forward or backward one step in the history list.

Adding a Note
To add a note:
 1. Click the Annotation icon.
 2. Select a format.
 3. Drag it to the report.
 4. Right-click the note and select Properties.
 5. Select the Text property and enter the contents of the note.

Standard Reports
The following table describes the standard reports that are available.

Aggregate
    This report is designed for multiple scans. You can select which severity categories to report,
    report sections (server content and vulnerability detail), and session information (responses and
    requests). Stack traces can also be reported, when available.

Alert View
    This report lists all vulnerabilities sorted by severity, with a hyperlink to each HTTP request that
    elicited the vulnerability. It also includes an appendix that describes each vulnerability in detail.

Attack Status
    For each attack agent (check) employed during the scan, this report lists the vulnerability ID
    number, check name, vulnerability severity, whether or not the check was enabled for the scan,
    whether or not the check passed or failed (i.e., did or did not detect the vulnerability), and (if it
    failed) the number of URLs where the vulnerability was detected. You can select to report
    vulnerabilities of a certain severity as well as the pass/fail status.

Compliance
    This report provides a qualitative analysis by grading how well your application complies with
    certain government-mandated regulations or corporate-defined guidelines.

Crawled URLs
    For each URL encountered during the crawl, this report lists any cookies sent and the raw HTTP
    request and response.

Developer Reference
    Totals and detailed description of each form, JavaScript, e-mail, comment, hidden control, and
    cookie discovered on the Web site. You can select one or more of these reference types.

Duplicates
    This report contains information about vulnerabilities detected by Fortify WebInspect Agent that
    were traceable to the same source. It begins with a bar chart comparing the total number of
    uncorrelated vulnerabilities to the number of unique vulnerabilities.

Executive Summary
    This report lists basic statistics, plus charts and graphs that reflect your application's level of
    vulnerability.

False Positives
    This report displays information about URLs that Fortify WebInspect originally classified as
    vulnerabilities, but were subsequently determined by a user to be false positives.

QA Summary
    This report lists the URLs of all pages containing broken links, server errors, external links, and
    timeouts. You can select one or more of these categories.

Scan Difference
    This report compares two scans and reports the differences, such as vulnerabilities, pages, and
    file-not-found responses that occur in one Web site but not the other.

Scan Log
    Sequential list of the activities conducted by Fortify WebInspect during the scan (as the
    information appears on the Scan Log tab of the summary pane).

Trend
    This report allows you to monitor your development team's progress toward resolving
    vulnerabilities. For example, you save the results of your initial scan and your team begins fixing
    the problems. Then once a week, you rescan the site and archive the results. To quantify your
    progress, you run a trend report that analyzes the results of all scans conducted to date. The
    report includes a graph showing the number of vulnerabilities, by severity, plotted on a timeline
    defined by the date on which each scan was conducted. Important: To obtain reliable results, make
    sure you conduct each scan using the same policy.

Vulnerability (Legacy)
    This is a detailed report of each vulnerability, with recommendations concerning remediation.

Vulnerability
    This report also presents detailed information about discovered vulnerabilities, sorted by severity.

Manage Reports
Use Manage Reports to rename, add, delete, or import report definition files.
Note that standard reports cannot be renamed, deleted, or exported.

Compliance Templates
The available compliance templates are described below. Additional templates may be downloaded
through SmartUpdate as they become available.

21CFR11
    Part 11 of Title 21 of the United States Code of Federal Regulations (commonly abbreviated as
    “21 CFR 11”) includes requirements for electronic records and electronic signatures. To assist
    medical companies in compliance, the US Food and Drug Administration (FDA) has published guidance
    for the proper use of electronic records and electronic signatures for records that are required to
    be kept and maintained by FDA regulations. The guidance outlines "criteria under which the agency
    considers electronic records, electronic signatures, and handwritten signatures executed to
    electronic records to be trustworthy, reliable, and generally equivalent to paper records and
    handwritten signatures executed on paper."
    Due to the law and FDA guidance, medical companies and organizations dealing with highly sensitive
    medical information are being required to ensure that electronic records and electronic signatures
    are trustworthy, reliable, and generally an equivalent substitute for paper records and handwritten
    signatures. As interaction between equipment, operators, and computers becomes commonplace, it is
    important to establish a secure means to communicate and store information.

Basel II
    Basel II is a round of deliberations by central bankers from around the world, under the auspices
    of the Basel Committee on Banking Supervision (BCBS) in Basel, Switzerland, aimed at producing
    uniformity in the way banks and banking regulators approach risk management across national
    borders. The BCBS is the international rule-making body for banking compliance. In 2004, central
    bank governors and the heads of bank supervisory authorities in the Group of Ten (G10) countries
    endorsed the publication of “International Convergence of Capital Measurement and Capital
    Standards: a Revised Framework,” the new capital adequacy framework commonly known as Basel II.
    Basel II essentially requires banks to increase their capital reserves or demonstrate that they can
    systematically and effectively control their credit and operational risk. The framework defines
    operational risk as “the risk of loss resulting from inadequate or failed internal processes,
    people and systems or from external events,” and highlights hacking and information theft through
    inadequate systems security as loss events. While banks around the world are experts at managing
    risk by virtue of operating in global financial markets, they are relatively new at understanding
    and controlling the risks inherent with operating online banking systems and keeping customer data
    secure.
    Banks that practice effective information and systems security are able to demonstrate to
    regulators that they should qualify for lower capital reserves through reduced operational risk.
    The Basel II framework insists that banks demonstrate that an effective system of policies and
    processes is in place to protect information and that compliance to these policies and processes is
    ensured, but is not prescriptive in how banks should implement security policies and processes. The
    international standard ISO/IEC 17799 Code of Practice for Information Security Management provides
    guidelines for implementing and maintaining information security and is commonly used as a model
    for managing and reporting operational risk related to information security in the context of
    Basel II.

CA OPPA
    The California Online Privacy Protection Act (OPPA) was established in 2003 to require all
    businesses and owners of commercial web sites in the state of California to conspicuously post and
    comply with a privacy policy that clearly states the policies on the collection, use, and sharing
    of personal information. The policy identifies the categories of personally identifiable
    information collected about site visitors and the categories of third parties with whom the
    operator may share the information.
    Any business, organization, or individual that operates a Web site that collects private personal
    information for a person residing in the state of California is bound by the provisions of the law,
    so the California OPPA has a much greater impact nationally than is typical for state legislation.

CASB 1386
    California Senate Bill 1386 has established the most specific and restrictive privacy breach
    reporting requirements of any state in the United States. The law was enacted to force businesses,
    organizations, and individuals holding private personal information for legitimate business
    purposes to inform consumers immediately when their personal information has been compromised. The
    law also gives consumers the right to sue businesses in civil court for damages incurred through
    the compromise of information. Any business, organization, or individual that holds private
    personal information for a person residing in the state of California is bound by the provisions
    of the law.

COPPA
    The Children’s Online Privacy Protection Act (COPPA) was enacted in 2000 to protect the online
    collection of personal information about children under the age of 13. COPPA’s goal was to protect
    children’s privacy and safety online in recognition of the easy access that children often have to
    the Web. The law requires that Web site operators post a privacy policy on the site and outlines
    requirements for Web site operators to seek parental consent to collect children’s personal
    information in certain circumstances.
    The law applies not only to Web sites that are clearly directed toward children but to any Web
    site that contains general audience content where the Web site operators have actual knowledge
    that they are collecting personal information from children. An operator must post a link to a
    notice of its information practices on the home page of its Web site or online service and at each
    area where it collects personal information from children. An operator of a general audience site
    with a separate children's area must post a link to its notice on the home page of the children's
    area.

DCID
    This directive establishes the security policy and procedures for storing, processing, and
    communicating classified intelligence information in information systems. For purposes of this
    directive, intelligence information refers to sensitive compartmented information and special
    access programs for intelligence under the purview of the Director of Central Intelligence.

DoD Application Security Checklist Version 2
    DISA Field Security Operations (FSO) conducts Application SRRs to provide a minimum level of
    assurance to DISA, Joint Commands, and other Department of Defense (DoD) organizations that their
    applications are reasonably secure against attacks that would threaten their mission. The
    complexity of most mission critical applications precludes a comprehensive security review of all
    possible security functions and vulnerabilities in the time frame allotted for an Application SRR.
    Nonetheless, the SRR helps organizations address the most common application vulnerabilities and
    identify information assurance (IA) issues that pose an unacceptable risk to operations.
    Ideally, IA controls are integrated throughout all phases of the development life cycle.
    Integrating the Application Review process into the development lifecycle will help to ensure the
    security, quality, and resilience of an application. Since the Application SRR is usually performed
    close to or after the application's release, many of the Application SRR findings must be fixed
    through patches or modifications to the application infrastructure. Some vulnerabilities may
    require significant application changes to correct. The earlier the Application Review process is
    integrated into the development life cycle, the less disruptive the remediation process will be.

DoD Application Security and Development STIG V3 R2
    This compliance template reports all applicable web application components of the Application
    Security and Development Security Technical Implementation Guide (STIG) Version 3, Release 1. The
    STIG provides security guidance for use throughout the application development lifecycle. Defense
    Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in
    the application development process.

EU Data Protection
    The European Commission's Directive on Data Protection protects the fundamental rights of European
    Union citizens to privacy with respect to the processing of personal data. The primary focus of the
    directive is on the acceptable use and protection of personal data. Like all other European Union
    privacy legislation, this directive also requires that personal data be collected, stored, changed
    or disseminated only with a citizen's express consent and with full disclosure as to the use of the
    data. The directive also prohibits the transfer of personal data from European organizations to
    non-European Union nations and organizations that do not adequately protect the safety and privacy
    of personal data. The United States has developed a Safe Harbor framework for U.S. organizations
    that are required to comply with this directive.

EU Directive on Privacy and Electronic Communications
    The European Union Directive on Privacy and Electronic Communications is part of a broader
    "telecoms package" of legislation that governs the electronic communications sector in the European
    Union. The directive reinforces a basic European Union principle that all member states must ensure
    the confidentiality of communications made over public communications networks and the personal and
    private data inherent in those communications. The directive governs the physical communication
    networks as well as the personal data that is carried on them.

FISMA
    The United States Congress passed the E-Government Act of 2002 in recognition of the importance of
    information security to the economic and national security interests of the United States. Title
    III of the act, entitled the Federal Information Security Management Act (FISMA), tasked the
    National Institute of Standards and Technology with developing standards and guidelines to be used
    by all U.S. federal government agencies in implementing adequate information security as part of
    their information systems, underpinned by three security objectives for information systems:
    confidentiality, integrity and availability. FISMA requires the head of each federal agency to
    provide information security protections commensurate with the risk and magnitude of the harm that
    may result from unauthorized access, use, disclosure, disruption, modification or destruction of
    its information and information systems. The protection should apply not only within the agency,
    but also within contractor or other organizations working on behalf of the agency.

GLBA
    The Gramm-Leach-Bliley Act (GLBA) mandates that financial institutions must protect consumers'
    personal financial information. The main provision affecting Web application security in the
    financial industry is the GLBA Safeguards Rule.

HIPAA
    The Health Insurance Portability and Accountability Act (HIPAA) mandates the privacy and security
    of personal health information from the various threats and vulnerabilities associated with
    information management.

ISO17799
    This is the most commonly accepted international standard for information security management. Use
    this policy as a baseline in crafting a compliance policy to meet the needs of your organization
    and its security policy.

ISO27001
    ISO/IEC 27001 is an information security management system standard published in October 2005 by
    the International Organization for Standardization and the International Electrotechnical
    Commission. The basic objective is to help establish and maintain an effective information
    management system using a continual improvement approach. ISO 27001 specifies the requirements for
    the security management system itself. It is the standard, as opposed to ISO 17799, against which
    certification is offered. Additionally, ISO 27001 is "harmonized" with other management standards,
    such as ISO 9001 and ISO 14001.

JPIPA
    Japan enacted the Personal Information Protection Act (JPIPA) in 2003 to protect individuals'
    rights and personal information while preserving the usefulness of information technology and
    personal information for legitimate purposes. The law establishes responsibilities for businesses
    that handle personal information for citizens of Japan and outlines potential fines and
    punishments for organizations that do not comply. The act requires businesses to communicate their
    purpose in collecting and using personal information. They must also take reasonable steps to
    protect personal information from disclosure, unauthorized use or destruction.

NERC
    The North American Electric Reliability Council (NERC) was established in 1968 with the mission of
    ensuring that the electric system of the United States is reliable, adequate and secure. After
    President Bill Clinton issued Presidential Decision Directive 63 in 1998 to define infrastructure
    industries critical to the United States' national economy and public well-being, the U.S.
    Department of Energy designated the NERC to act as the coordinating agency for the electricity
    industry, which was named one of the eight critical infrastructure industries.

NIST 800-53
    The United States Congress passed the E-Government Act of 2002 in recognition of the importance of
    information security to the economic and national interests of the United States. Title III of the
    act, entitled the Federal Information Security Management Act (FISMA), tasked the National
    Institute of Standards and Technology with developing standards and guidelines to be used by all
    U.S. federal government agencies in implementing adequate information security as part of their
    information systems, underpinned by three security objectives for information systems:
    confidentiality, integrity, and availability.

OMB
    This policy addresses major application security sections that were defined in December 2004 by
    the Office of Management and Budget for federal agency public Web sites. These are information
    resources funded in whole or in part by the federal government and operated by an agency,
    contractor, or other organization on behalf of the agency. They present government information or
    provide services to the public or a specific non-federal user group and support the proper
    performance of an agency function.

OWASP Top Ten 2004/2007/2010
    Many government agencies suggest testing for the Open Web Application Security Project (OWASP) Top
    Ten Web application vulnerabilities as a best practice in ensuring the security of your Web
    application.

PCI Data Security 1.2, 2.0
    The Payment Card Industry (PCI) Data Security Policy requires that all PCI Data Security members,
    merchants, and service providers that store, process or transmit cardholder data verify all
    purchased and custom Web applications, including internal and external applications.

PIPEDA
    Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is a new law that
    protects personal information in the hands of private sector organizations and provides guidelines
    for the collection, use and disclosure of that information in the course of commercial activity.
    The Act, based on ten privacy principles developed by the Canadian Standards Association, is
    overseen by the Privacy Commissioner of Canada and the Federal Court. As of January 1, 2004, all
    Canadian businesses are required to comply with the privacy principles set out by PIPEDA. The Act
    covers both traditional, paper-based and on-line business.

Safe Harbor
    The European Commission's Directive on Data Protection prohibits the transfer of personal data from
    European organizations to non-European Union nations and organizations that do not adequately
    protect the safety and privacy of personal data. Upon passage of this comprehensive European
    legislation, all businesses and organizations in the United States that share data with European
    Union organizations were obligated to comply with the regulations, which could have disrupted many
    types of trans-Atlantic business transactions. Due to the differences in approaches taken by the
    United States and European Union nations in protecting personal data privacy, the U.S. Department
    of Commerce, in consultation with the European Commission, developed a streamlined "Safe Harbor"
    framework through which U.S. organizations could comply with the Directive on Data Protection.
    Organizations participating in the Safe Harbor are committed to complying with these seven
    principles designed to ensure that personal data is properly used, controlled and protected:
    Notice, Choice, Onward Transfer, Access, Security, Data Integrity and Enforcement. Of particular
    significance to information technology:
     l The Notice principle requires organizations to inform individuals about the purposes for which
       they collect information, such as through a privacy policy.
     l The Security principle states that organizations will take reasonable precautions to protect
       personal data.
     l The Enforcement principle mandates that organizations have procedures in place for verifying
       that security commitments are satisfied, such as through comprehensive security testing.

SANS CWE Top 25
    The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative
    research and education organization. The SANS Common Weakness Enumeration (CWE) Top 25 Most
    Dangerous Software Errors is a list of the most widespread and critical programming errors that can
    lead to serious software vulnerabilities. They are dangerous because they frequently allow
    attackers to completely take over the software, steal data, or prevent the software from
    functioning. This compliance template reports all applicable web application components of this
    list.

Sarbanes-Oxley
    The Sarbanes-Oxley Act, which falls under the umbrella of the U.S. Securities and Exchange
    Commission (SEC), was enacted on July 30, 2002. It focuses on regulating corporate behavior for the
    protection of financial records, rather than enhancing the privacy and security of confidential
    customer information.

UK Data Protection
    The European Commission's Directive on Data Protection protects the fundamental rights of European
    Union citizens to privacy with respect to the processing of personal data. The primary focus of the
    directive is on the acceptable use and protection of personal data. The United Kingdom implemented
    the protections mandated by the directive through its Data Protection Act of 1998, summarized as
    follows:
     l Personal data should be processed fairly and lawfully and only with consent.
     l Personal data should be obtained only for specified and lawful purposes, and should not be
       further processed in any manner incompatible with those purposes.
     l Personal data should be adequate, relevant and not excessive in relation to the purpose or
       purposes for which they are processed.
     l Personal data should be accurate and kept up to date.
     l Personal data processed for any purpose should not be kept for longer than is necessary for that
       purpose.
     l Personal data should be processed in accordance with the rights of data subjects.
     l Appropriate technical and organizational measures should be taken against unauthorized or
       unlawful processing of personal data and against accidental loss or destruction of, or damage
       to, personal data.
     l Personal data should not be transferred to a country or territory outside the European Economic
       Area unless that country or territory ensures an adequate level of protection for the rights and
       freedoms of data subjects in relation to the processing of personal data.

WASC
    This compliance template is based on the Web Application Security Consortium threat classes. The
    WASC Threat Classification is a cooperative effort to clarify and organize the threats to the
    security of a web site. When used in conjunction with the All Checks policy, you can generate a
    compliance report that includes each vulnerability check contained in SecureBase.

Managing Settings
This feature allows you to create, edit, delete, import, and export scan settings files.
From the Fortify WebInspect Edit menu, select Manage Settings. The Manage Settings window opens.
You can also load and save settings and restore factory default settings from the Default Settings
window. To open it, click Edit and select Default Scan Settings.

Creating a Settings File

To create a settings file:
 1. Click Add.
 2. On the Create New Settings window, change settings.
 3. When finished, click OK.
 4. Using a standard file-selection dialog box, name and save the file.

Editing a Settings File

To edit a settings file:
 1. Select a file.
 2. Click Edit.
 3. On the Create New Settings window, change settings.
 4. When finished, click OK.

Deleting a Settings File

To delete a settings file:
 1. Select a file.
 2. Click Delete.

Importing a Settings File

To import a settings file:
 1. Click Import.
 2. Using a standard file-selection dialog box, select a settings file and click Open.

Exporting a Settings File

To export a settings file:
 1. Select a file.
 2. Click Export.
 3. Using a standard file-selection dialog box, name the file and select a location.
 4. Click Save.

Scanning with a Saved Settings File

To scan with a saved settings file:
 1. From the Fortify WebInspect Edit menu, select Default Settings.
 2. At the bottom of the Default Settings window, in the left column, click Load settings from file.
 3. Using a standard file-selection dialog box, select the settings file you want to use and click Open.
The file you select is now your default settings file.

SmartUpdate
For installations connected to the Internet, the SmartUpdate feature contacts the Micro Focus data
center to check for new or updated adaptive agents, vulnerability checks, and policy information.
SmartUpdate will also ensure that you are using the latest version of Fortify WebInspect, and will
prompt you if a newer version of the product is available for download.
You can configure Fortify WebInspect settings to conduct a SmartUpdate each time you start the
application (select Application Settings from the Edit menu and choose Smart Update).


You can also run SmartUpdate on demand through the Fortify WebInspect user interface by selecting
Start SmartUpdate from the Fortify WebInspect Start Page, by selecting SmartUpdate from the
Tools menu, or by clicking the SmartUpdate button on the standard toolbar. For more information, see
"Tools Menu " on page 54 and "Toolbars " on page 57.
For installations lacking an Internet connection, see "Performing a SmartUpdate (Offline)" on the next
page.

Caution! For enterprise installations, if SmartUpdate changes or replaces certain files used by
Fortify WebInspect, the sensor service might stop and the sensor will display a status of "off line."
You must launch the Fortify WebInspect application and restart the service. To do so:
 1. Click Edit > Application Settings.
 2. Select Run as a Sensor.
 3. Click the Start button in the Sensor Status area.

Performing a SmartUpdate (Internet Connected)
To perform a SmartUpdate when WebInspect is connected to the Internet:
 1. Do one of the following:
 l From the toolbar, click SmartUpdate.
 l Select SmartUpdate from the Tools menu.
 l Select Start SmartUpdate from the Fortify WebInspect Start Page.
If updates are available, the SmartUpdater window opens with the Summary tab in view. The
Summary tab displays up to three separate collapsible panes for downloading the following:
 l New and updated checks
 l Fortify WebInspect software
 l SmartUpdate software
 2. Select the check box associated with one or more of the download options.
 3. (Optional) To view details about the checks being updated:
 a. Click the Check Detail tab.
In the left pane is a list showing the ID, Name, and Version of checks being updated. The list is
grouped by Added, Updated, and Deleted.
 b. To view the policies that include a specific check being updated, select the check in the list.
A list of affected policies appears in the Related Policies pane.
 4. (Optional) To view details about the policies affected:
 a. Click the Policy Detail tab.
In the left pane is an alphabetical list of the policies affected by the update.
Note: The list shows only those policies that are affected by updated checks. The Policy
Detail tab does not show other policy changes that could be included in the update, such
as associating new checks with a policy or changing a policy name.

 b. To view the checks being updated in a specific policy, select the policy in the list.
A list showing the ID, Name, and Version of checks being updated appears in the Related
Checks pane. The list is grouped by Added, Updated, and Deleted.
 5. To install the updates, click Download.

Downloading Checks without Updating Fortify WebInspect
Engine updates are required for some checks to be run during scans. If you are not using the latest
version of Fortify WebInspect, it is likely that some of the checks in your SecureBase cannot be run
during a scan. To test your application with all the latest checks, ensure that you are using the latest
version of Fortify WebInspect.

Performing a SmartUpdate (Offline)
Follow this process to perform a SmartUpdate for a WebInspect installation that is offline.

Stage Description

1. Open a support case. Customer Support personnel will provide you with the
offline FTP server URL and login credentials (if needed). For more information,
see "Contact Customer Support" on page 458.

2. On a machine that can access the Internet, access the offline FTP server.

3. Download the Fortify WebInspect static SmartUpdate ZIP file.

4. On the machine where Fortify WebInspect is installed, extract all files from the
ZIP file.

5. Close Fortify WebInspect.

6. Copy the extracted SecureBase.sdf and version.txt files to the directory where
your SecureBase data resides.
 l If your system is not FIPS enabled, then the default location is
C:\ProgramData\HP\HP WebInspect\SecureBase.
 l If your system is FIPS enabled, then the location is C:\ProgramData\HP\HP
WebInspect\FIPS\SecureBase.
Note: By default, these folders are hidden in Windows. Be sure to change
folder options to show hidden files.


WebSphere Portal FAQ
How do you know if an application is running on WebSphere Portal?
WebSphere Portal applications typically have very long URLs that begin with /wps/portal or
/wps/myportal followed by encoded sections. For example:
http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/fY7BcoIwFAC_xS94T4QCx6Rpk6qlo20x5tIJShEIJoID0q-vnfFq97Yze1hQIEEddV8W-lzaozZ_rh6-HjkRfrhERBZ4-EKESBmde5ggzEEVxmbXNGW7-sIsKdgTW3c_B3xmpzBfnacLv6QuIfxVHKJGhmNfzToue8nWdKg4fx8jtaT9MJpB2zQPgqLp9GrADyey0tvvL1F9Snftm_y0cbuw8Xbmvg2NN6412wlsQP27GAa3AO9AEBJhmxxcnWHlk8kverBIBQ!!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/
Which versions of WebSphere Portal are supported?
Versions 6.1 and later are supported.
Why does Fortify WebInspect require special settings to scan a WebSphere Portal application?
The encoded sections of the URL include what is called "navigation state," which contains information
about how to display elements in the current page (similar to VIEWSTATE in .Net) plus the navigation
history. It is this navigation history that is troublesome for automated crawlers. As the crawler visits
each link, the navigation state is being updated. This causes links on a page that the crawler may have
already visited to continuously change. Since these look like new links, the crawler visits them and
becomes trapped in an endless cycle.
When the WebSphere Portal overlay is selected, Fortify WebInspect can decode the navigation state in a
URL and determine if the URL has already been visited. This prevents the crawler from continuously
visiting the same page over and over again.
How does Fortify WebInspect decode the navigation state?
WebSphere Portal 6.1 and later include a URL decoding service. When the WebSphere Portal overlay is
selected, Fortify WebInspect can pass a URL to the decoding service and evaluate the response to
determine if this URL has already been visited. Although the decoding service is on by default, it is
possible to turn it off in your WebSphere Portal server configuration. To get a good scan of your site
with Fortify WebInspect, the decoding service must be enabled.
Is the navigation state just a special kind of session ID?
No. Navigation state does not contain any session information. Session is maintained via cookies.
Any special instructions when recording a login macro?
Make sure that the cookies JSESSIONID and LtpaToken are set as state parameters.
Why does the site tree contain deeply nested folders?
Fortify WebInspect's site tree does not currently understand how to parse the navigation state in
WebSphere Portal URLs. It treats each section as a directory. These are, of course, not real directories.
You will generally need to drill down to the lowest level of each branch to see the real content.


Is there any limitation on what types of attacks Fortify WebInspect can perform on WebSphere
Portal applications?
Fortify WebInspect can perform all manipulation attacks on WebSphere Portal applications. This
includes (but is not limited to) XSS, SQL Injection, CSRF, RFI, LFI and others. Fortify WebInspect will not
perform any site search attacks when scanning a WebSphere Portal site. These include searching for
backup files (.bak, .old), hidden files, hidden directories and platform specific configuration files. The
reason for this exclusion is because almost any request will result in a 200 response to the default portal
view and so there is no way to distinguish between an error response and a valid response.
How can you tell if the crawler is working correctly on a WebSphere Portal site?
The WebSphere Portal decoding service must be enabled and reachable on the server for the crawler to
perform optimally. You can confirm if this is working by manually decoding a URL. Copy a URL from
your site and modify it like this:
http://myhost.com/wps/poc?uri=state:<path with navigation state>&mode=download
You should get an XML response. Alternatively, start a scan of your site with the WebSphere Portal
overlay selected. Enable Traffic Monitor or run the scan through the Web Proxy. You should see
periodic requests to the decoder service in the following format:
http://myhost.com/wps/poc?uri=state:<path with navigation state>&mode=download
Another thing to consider is that the path of the decoding service can be changed on the server. If this
is the case, you will need to modify your scan settings manually. Contact Fortify Customer Support for
assistance.
It is also possible to modify the navigation state marker. By default this is !ut/p. If this is changed from
the default on the server, you will need to modify your scan settings manually. Contact Fortify
Customer Support for assistance.
For more information, see "Contact Customer Support" on page 458.
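The navigation-state handling this FAQ describes, written out as an added example (it is not WebInspect code and it does not call the portal's decoding service itself): it recognises portal URLs by the /wps/portal and /wps/myportal prefixes, splits the path at the navigation state marker (default !ut/p; configurable because the FAQ notes a server can change it), derives a visit key that ignores the state so a crawler or a log-analysis script stops treating every revisit as a new link, and builds the /wps/poc?uri=state:...&mode=download request used above to confirm the decoding service answers. The sample URLs are constructed and shaped like the example URL in this FAQ; myhost.com is the FAQ's placeholder host.

```python
"""Separate WebSphere Portal navigation state from the page it decorates.

Added example for this FAQ; not WebInspect code. Sample URLs are constructed."""
from urllib.parse import urlsplit

PORTAL_PREFIXES = ("/wps/portal", "/wps/myportal")
DEFAULT_MARKER = "!ut/p"   # default navigation state marker named in the FAQ

# Constructed URLs: two visits to the same page with different navigation
# state, plus one genuinely different page.
SAMPLE_URLS = [
    "http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/AAAA/dl4/d5/L2dBISEvZ0FBIS9nQSEh/",
    "http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/BBBB/dl4/d5/L2dBISEvZ0FBIS9nQSEh/",
    "http://myhost.com/wps/portal/internet/customers/orders/!ut/p/b1/CCCC/dl4/d5/L2dBISEvZ0FBIS9nQSEh/",
]


def is_portal_url(url: str) -> bool:
    """The FAQ's fingerprint: the path starts with /wps/portal or /wps/myportal."""
    path = urlsplit(url).path
    return any(path == p or path.startswith(p + "/") for p in PORTAL_PREFIXES)


def split_navigation_state(url: str, marker: str = DEFAULT_MARKER):
    """Return (page_path, navigation_state).

    Everything from the marker onward is navigation state; without a marker the
    whole path is the page and the state is None. Pass a different marker when
    the server's marker has been changed from the default."""
    path = urlsplit(url).path
    idx = path.find("/" + marker)
    if idx < 0:
        return path, None
    return (path[:idx] or "/"), path[idx + 1:]


def visited_key(url: str, marker: str = DEFAULT_MARKER) -> tuple:
    """Identity of a page with the navigation state stripped, so two visits to
    the same page compare equal even though their URLs differ."""
    parts = urlsplit(url)
    page_path, _state = split_navigation_state(url, marker)
    return (parts.scheme, parts.netloc.lower(), page_path, parts.query)


def dedupe_crawl_queue(urls, marker: str = DEFAULT_MARKER) -> list:
    """Keep the first URL per page; drop those that differ only in state."""
    seen, kept = set(), []
    for url in urls:
        key = visited_key(url, marker)
        if key not in seen:
            seen.add(key)
            kept.append(url)
    return kept


def decoder_request_url(url: str) -> str:
    """The request the FAQ uses to confirm the portal's decoding service is
    enabled: /wps/poc?uri=state:<path with navigation state>&mode=download."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/wps/poc?uri=state:{parts.path}&mode=download"


if __name__ == "__main__":
    for u in dedupe_crawl_queue(SAMPLE_URLS):
        print(split_navigation_state(u)[0])
    print(decoder_request_url(SAMPLE_URLS[0]))
```

The key only removes the navigation state; it keeps scheme, host and query, so a page reached with different query parameters is still treated as distinct. Pass the server's actual marker to split_navigation_state and visited_key when it is not the default, otherwise every URL collapses to "no state" and nothing is deduplicated.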

Command-line Execution
Fortify WebInspect includes the following applications that you can use by way of the command-line
interface (CLI):
 l WI.exe – Allows you to configure and conduct a scan using an existing macro, export scan files and
reports, merge scans, reuse scans, and test the login macro of an existing scan. For more information,
see "Using WI.exe" on the next page.
 l WIScanStopper.exe – Allows you to stop a scan that is currently running. For more information, see
"Using WIScanStopper.exe" on page 287.
 l MacroGenServer.exe – Allows you to create a login macro. For more information, see "Using
MacroGenServer.exe" on page 288.
These applications are installed in the same directory as Fortify WebInspect. By default, the installation
directory is:


C:\Program Files\Fortify\Fortify WebInspect

Launching the CLI
To launch the CLI:
 l Right-click the Windows Command Prompt (cmd.exe) application, and select Run as
administrator.
The Administrator: Command Prompt window appears.
Important! At the command prompt, use the cd command to change the current working
directory to the directory where the applications are installed.

CLI Limitations in Fortify WebInspect on Docker
Some parameters and features accessible from the command-line interface are not supported in Fortify
WebInspect on Docker. Items that are not supported are indicated as such.

Using WI.exe
You can initiate several Fortify WebInspect functions via a command-line interface (CLI) using the
program WI.exe. Use the following syntax when typing a command:

wi.exe -u url [-api type] [-s file] [-ws file] [-Framework name]
[-CrawlCoverage name] [-ps policyID | -pc path]
[-ab|an|ad|aa|ak|at creds] [-macro path] [-o|c] [-n name]
[-e[abcdefghijklmnopst] file] [-x|xd|xa|xn] [-b filepath] [-db]
[-d filepath -m filename] [-i[erxd] scanid | -ic scanid scanname
| -im option scanid scanlist] [-r report_name -y report_type
-w report_favorite -f report_export_file -g[phacxe]
[-t compliance_template_file] [-v] [-?]
To run multiple scans from the command line, create and execute a batch file, using a format similar to
the following:

c:
cd \program files\Fortify\Fortify WebInspect
wi.exe -u http://172.16.60.19 -ps 4
wi.exe -u http://www.mywebsite.com
wi.exe -u http://172.16.60.17
wi.exe -u http://172.16.60.16


Options
The options are defined in the following table, grouped by category. Items shown in braces { } require
a value.

General

-?
    Displays the usage help.

-u {url}
    Specifies the start URL or IP address.

    Caution! When using the -u parameter with -s (a settings file), be sure to specify an -x, -xa, -xd,
    or -xn parameter to restrict a scan to folders, if desired. Failure to do so may result in an
    unrestricted audit under certain conditions.

    If the URL contains an ampersand (&), you must enclose the URL within quotation marks.

-api {type}
    Specifies the API type to be scanned. Valid values for type are:
     l Swagger
     l OData

    Important! You must provide the URL to the Swagger or OData definition file, as shown in the
    following example:

    -u http://172.16.81.36/v1 -api Swagger

-s {file}
    Specifies the settings file.

    Note: Command line parameters take precedence over values in a settings file.

-db
    Indicates to use the database defined in the settings file. If omitted, Fortify WebInspect defaults
    to the database connection defined in application settings.

-ws {file}
    Identifies the Web Service Design file to use.

-o
    Specifies an Audit-only scan.

-c
    Specifies a Crawl-only scan.

-n {name}
    Specifies the scan name.

-b {filepath}
    Specifies the SecureBase file to use. For filepath, specify the full path and file name.

-d {filepath}
    Moves the database to the specified filepath.

-m {filename}
    Moves the database to the specified filename.

-v
    Creates verbose output.

-l
    Disables telemetry data collection (for this scan only).

-ie {scanid}
    Starts the configured scan with the specified scan ID (GUID).

-ir {scanid}
    Resumes the scan with the specified scan ID (GUID).

-ix {scanid}
    Uses the existing scan with the specified scan ID (GUID), but does not continue the scan.

-id {scanid}
    Deletes the scan with the specified scan ID (GUID).

-ii {scanid} {file path}
    Imports a scan.

    Note: This parameter is not supported in Fortify WebInspect on Docker.

Restrict to Root Folder

-x
    Restricts the scan to the directory only (self).

-xa
    Restricts the scan to the directory and its parents (ancestors).

-xd
    Restricts the scan to the directory and its subdirectories (descendants).

-xn
    Ignores “restrict to folder” rules in the referenced settings file.

    Restrict to folder parameters (x | xa | xd | xn) can be in their own category (as report or output).

Framework

-framework {framework_name}
    Specifies the name of the framework; currently only Oracle ADF Faces (Oracle) and IBM WebSphere
    Portal (WebSpherePortal) are supported. Optimizes scanning of applications built with either of
    these technologies.

Crawl Coverage

-CrawlCoverage {Coveragename}
    Specifies the type of scan coverage. Values for Coveragename are:
    Thorough = Exhaustive crawl of the entire site
    Default = Focus more on coverage than performance
    Moderate = Balance of coverage and speed
    Quick = Focus on breadth and performance
Audit Policy

-ps {policy id}
    Identifies the non-custom policy to use. Values for policy id are as follows:

    Best Practices
    1 = Standard
    1012 = OWASP Top 10 Application Security Risks 2013
    1024 = SANS Top 25 2011
    1025 = OWASP Top 10 2017
    1027 = General Data Protection Regulation (GDPR)
    1034 = DISA-STIGV4R9

    By Type
    3 = SOAP
    7 = Blank
    1001 = SQL Injection
    1002 = Cross-Site Scripting
    1005 = Passive
    1008 = Critical and High Vulnerabilities
    1010 = Aggressive SQL Injection
    1011 = NoSQL and Node.js
    1013 = Mobile
    1015 = Apache Struts
    1016 = Transport Layer Security
    1020 = Privilege Escalation
    1021 = Server-side
    1022 = Client-side
    1026 = DISA-STIG-V4R4
    1029 = DISA-STIG-V4R5
    1030 = DISA-STIG-V4R6
    1031 = DISA-STIG-V4R7
    1032 = DISA-STIGV4R8
    1033 = WebSocket

    Deprecated
    2 = Assault (Deprecated)
    4 = Quick (Deprecated)
    5 = Safe (Deprecated)
    6 = Development (Deprecated)
    16 = QA (Deprecated)
    17 = Application (Deprecated)
    18 = Platform (Deprecated)
    1009 = OWASP Top 10 Application Security Risks 2010 (Deprecated)
    1014 = OpenSSL Heartbleed (Deprecated)
    1018 = Standard (Deprecated)
    1019 = Deprecated Checks

    Hazardous
    1004 = All Checks

-pc {policy path}
    Specifies a custom policy to use. For policy path, specify the full path and file name, such as:

    C:\MyPolicies\MyCustomPolicy.policy

Authentication

-ab "userid:pwd"
    Specifies Basic mode (user name and password).

-an "userid:pwd"
    Specifies NTLM mode (user name and password).

-ad "userid:pwd"
    Specifies Digest mode (user name and password).

-aa "userid:pwd"
    Specifies Automatic mode (user name and password).

-ak "userid:pwd"
    Specifies Kerberos mode (user name and password).

-am {macro path}
    Deprecated; use the -macro option.

-at "{type} {token}"
    Specifies the authentication mode (type and token) for API scans, such as:

    -at "Basic YWxh0GRpbjpvcGVuc2VzYW1l"

    Authentication modes for type are as follows:
    Basic
    Bearer
    Digest
    HOBA
    Mutual
    Negotiate
    OAuth
    SCRAM-SHA-1
    SCRAM-SHA-256
    vapid

    Note: The type and token must be enclosed in double quotation marks as shown previously.

Macro

-macro {macro path}
    Specifies the macro name and directory path for web macro authentication.

-macro {url} {username} {password}
    Creates an auto-generated macro for authentication.

Login Macro Parameters

-ls "userid:pwd"
    Replaces the SmartCredentials UserName and Password with the supplied values.

-lt "name0:value0;name1:value1;...nameN:valueN"
    Replaces existing TruClient login parameters that match the specified names.

Output

-ea {filepath}
    Exports the scan in legacy full XML format.

-eb {filepath}
    Exports scan details (Full) in legacy XML format.

-ec {filepath}
    Exports scan details (Comments) in legacy XML format.

-ed {filepath}
    Exports scan details (Hidden Fields) in legacy XML format.

-ee {filepath}
    Exports scan details (Script) in legacy XML format.

-ef {filepath}
    Exports scan details (Set Cookies) in legacy XML format.

-eg {filepath}
    Exports scan details (Web Forms) in legacy XML format.

-eh {filepath}
    Exports scan details (URLs) in legacy XML format.

-ei {filepath}
    Exports scan details (Requests) in legacy XML format.

-ej {filepath}
    Exports scan details (Sessions) in legacy XML format.

-ek {filepath}
    Exports scan details (E-mails) in legacy XML format.

-el {filepath}
    Exports scan details (Parameters) in legacy XML format.

-em {folderpath}
    Exports scan details (Web Dump) in legacy XML format.

-en {filepath}
    Exports scan details (Offsite Links) in legacy XML format.

-eo {filepath}
    Exports scan details (Vulnerabilities) in legacy XML format.

-ep {filepath}
    Exports the scan in FPR format to the specified file.

-es {filepath}
    Exports the scan in .scan format to the specified file.

-et {filepath}
    Exports the scan with logs in .scan format to the specified file.

-eu {filepath}
    Exports the scan settings to the specified file after applying all other overrides.

    Note: This parameter does not run the scan. It exports the settings and exits.

Reports

-r {report_name}
    Identifies the name of the report to run. Valid values for report_name are:
    Aggregate
    Alert View
    Attack Status
    Compliance
    Crawled URLs
    Developer Reference
    Duplicates
    Executive Summary
    False Positive
    QA Summary
    Scan Difference
    Scan Log
    Trend
    Vulnerability
    Vulnerability (Legacy)

    For multiple reports, separate report names with a semicolon. All reports will be contained in a
    single file.

    Note: Report names containing a space must be enclosed in quotation marks.

-w {favorite_name}
    Identifies the name of the report favorite to run.

-ag
    Aggregates the reports in the report favorite.

-y {report_type}
    Specifies the type of report: Standard or Custom.

-f {export_file}
    Specifies the file path and file name where the report will be saved.

-gp
    Exports as a Portable Document Format (PDF) file.

-gh
    Exports as an HTML file.

-ga
    Exports as a raw report file.

-gc
    Exports as a rich text format (RTF) file.

-gx
    Exports as a text file.

-ge
    Exports as an Excel file.

-t {filepath}
    Specifies the compliance template file to use.

Scan Merge

-ic {scan id} {scan name}
    Creates a merge target scan. For more information, see "Merging Scans" on page 286 in this topic.

    Note: This parameter is not supported in Fortify WebInspect on Docker.

-im /o:{option} {merge target scan id} {source scan id1} {source scan id2}
    Merges scans. For more information, see "Merging Scans" on page 286 in this topic. Choices for
    option are:
     l Replace - Replace the target session and vulnerabilities with the source session and
       vulnerabilities.
     l ReplaceMergeVulns - Replace the target session with the source session, and add the source
       vulnerabilities to the target scan.
     l Skip - When session IDs are the same in both scans, do not merge sessions or vulnerabilities.
     l SkipMergeVulns - When session IDs are the same in both scans, do not replace the target
       session, but copy vulnerabilities from the source.
     l Smart - Consider source and target policy and times when merging.

    Important! Use the -ic parameter to create the merge target scan before using the -im parameter.

    Note: This parameter is not supported in Fortify WebInspect on Docker.

Scan Reuse

-iz /o:{option} {source scan id} {settings filename}
    Creates reuse scan settings. Choices for option are:
     l Incremental - Use the same settings as the source scan, with a modified policy that disables
       checks that flagged in the source scan and that should only flag once. This mode audits only
       new crawl surface. A new crawl is performed, but only new sessions are audited.
     l Remediation - Use the same settings as the source scan, with a modified policy that disables
       checks that did not flag in the source scan.
     l ReuseCrawl - Use the same settings as the source scan, with crawl sessions copied from the
       source scan.
     l ReuseCrawlRemediation - Use the same settings as the source scan, with crawl sessions copied
       from the source scan and a modified policy that disables checks that did not flag in the
       source scan.
    The settings filename is the name of the modified settings file being created.

    Note: This parameter is not supported in Fortify WebInspect on Docker.

Scan Vulnerability Retest

-iv <guid> {[<severity> | <vuln ID prefix>] ...} /s <file path>
    Creates a settings file that you can use to start a scan to retest vulnerabilities. You can retest
    vulnerabilities by severity or unique sessionCheckFoundID or both. If you do not provide a severity
    or sessionCheckFoundID, then all vulnerabilities in the base scan are retested. Parameter
    components are as follows:
     l <guid> is the base scan ID. This is required.
     l <severity> is the vulnerability severity or severities to retest. All vulnerabilities from the
       base scan that were flagged with the listed severity or severities will be retested. Options
       for severity are: Critical, High, Medium, Low.
     l <vuln ID prefix> is the unique sessionCheckFoundID, which can be retrieved by way of the
       SessionCheckFounds API endpoint. For more information, see the Fortify WebInspect REST API
       Swagger UI.
       Tip: You can specify a prefix of the sessionCheckFoundID. For example, 012f would match
       sessionCheckFoundID 012fa34124.
     l /s <file path> is the directory path and file name for the vulnerability retest settings file
       that will be created. This parameter is required, and modifies the settings from the original
       scan to specify a retest. The new settings file that is created identifies the vulnerability
       or vulnerabilities being retested.
    You can provide a list consisting of severities and sessionCheckFoundIDs in any order. The
    following example shows a valid list:

    Critical 3156 High 1234

    Note: This feature is a technology preview. Technology preview features are currently
    unsupported, may not be functionally complete, and are not suitable for deployment in production.
    However, these features are provided as a courtesy and the primary objective is for the feature to
    gain wider exposure with the goal of full support in the future.

Test Login Macro

-it {scan id}
    Tests the login macro of an existing scan.

Selenium Macro

-selenium_workflow {ArrayOfSeleniumCommand object}
    Creates a Selenium workflow scan. For the complete process and procedures involved in using this
    command, see "Integrating with Selenium WebDriver" on page 308.

-selenium_no_validation
    Disables validation of Selenium commands before running the scan.

    Important! When using this parameter, you must specify one or more allowed hosts.

    For more information, see "Integrating with Selenium WebDriver" on page 308.

Examples
The following examples illustrate command line execution as if executed from the WebInspect home
directory:

wi.exe -u www.anywebsite.com -ps 1 -ab MyUsername:Mypassword

wi.exe -u https://zero.webappsecurity.com
-s c:\program files\webinspect\scans\scripted\
-r "Executive Summary";Vulnerability -y Standard
-f c:\program files\webinspect\scans\scripted\zero051105.xml -gx
If you do not specify a policy, Fortify WebInspect will crawl (but not audit) the Web site.
If you specify an invalid policy number, Fortify WebInspect will not conduct the scan.

Merging Scans
Note: This feature is not supported in Fortify WebInspect on Docker.

You cannot merge into an existing scan. You must first create a merge target using the "ic" parameter.
The scans to be merged are sorted by scan date and are merged in that order. Order is important
because information is lost when session IDs are the same in the two scans. When this occurs, by default
the earlier session and vulnerability are overwritten with the later session and vulnerability. To prevent
this when merging, you can choose another option for handling identical session IDs.

Note: Merging may work best with two scans that have few or no identical session IDs.

For all merge scan options, only sessions with an audit status of “Complete” in the source scan are
merged. Session Exclusions (excluded from audit) are not merged. See "Audit Settings: Attack
Exclusions" on page 397 for more information.


Hyphens in Command Line Arguments
You can use hyphens in command line arguments (output files, etc.) only if the argument is enclosed in
double quotes, as illustrated by the "export path" argument in the following command:

wi.exe -u http://zero.webappsecurity.com -ea "c:\temp\command-line-test-export.xml"

Note: The process, as it appears in the Task Manager, is WI.exe. Scan data will be cached
temporarily in the Working directory and then moved to the Scans directory.
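A small builder for WI.exe command lines, added here as an example that is not part of WebInspect. It encodes the rules stated in the Options, Examples and Hyphens sections: a URL containing & is quoted, a path containing a hyphen is quoted, a policy ID that is not in the -ps table is refused (WebInspect would run no scan), and combining -s with no -x/-xa/-xd/-xn restriction needs an explicit opt-in. The escape for an embedded double quote (\") is an assumption about Windows argument parsing, as the page itself defers that to the shell's documentation; the target URLs and file paths are constructed placeholders.

```python
"""Build WI.exe command lines that follow this section's quoting and safety rules.

Added example; not WebInspect code. URLs and paths below are constructed."""

# Non-custom policy IDs listed under -ps in the Options table on this page.
KNOWN_POLICY_IDS = {
    1, 1012, 1024, 1025, 1027, 1034,                                # Best Practices
    3, 7, 1001, 1002, 1005, 1008, 1010, 1011, 1013, 1015, 1016,     # By Type
    1020, 1021, 1022, 1026, 1029, 1030, 1031, 1032, 1033,
    2, 4, 5, 6, 16, 17, 18, 1009, 1014, 1018, 1019,                 # Deprecated
    1004,                                                           # Hazardous
}
RESTRICT_FLAGS = ("x", "xa", "xd", "xn")
AUTH_MODES = ("b", "n", "d", "a", "k")          # -ab -an -ad -aa -ak
API_TYPES = ("Swagger", "OData")
EXPORT_LETTERS = set("abcdefghijklmnopstu")     # -ea ... -eu


def quote_arg(arg: str) -> str:
    """Quote one argument for cmd.exe as this section requires.

    A value is wrapped in double quotes when it contains a space, an ampersand
    (cmd.exe treats & as a command separator) or a hyphen that is not an option
    switch (hyphens in paths are accepted only inside quotes). An embedded
    double quote is escaped as \\" (assumption: Windows C-runtime parsing)."""
    is_switch = arg.startswith(("-", "/"))
    if not is_switch and any(ch in arg for ch in ' &"-'):
        return '"' + arg.replace('"', '\\"') + '"'
    return arg


def build_wi_command(url, *, policy_id=None, custom_policy=None, settings_file=None,
                     restrict=None, allow_unrestricted=False, api_type=None,
                     auth=None, scan_name=None, crawl_only=False, exports=None):
    """Return the argv list for one scan, rejecting combinations this page warns about."""
    if policy_id is not None and custom_policy is not None:
        raise ValueError("use either -ps or -pc, not both")
    if policy_id is not None and policy_id not in KNOWN_POLICY_IDS:
        # Examples section: an invalid policy number means the scan is not conducted.
        raise ValueError(f"policy id {policy_id} is not in the -ps table")
    if restrict is not None and restrict not in RESTRICT_FLAGS:
        raise ValueError(f"restrict must be one of {RESTRICT_FLAGS}")
    if settings_file and restrict is None and not allow_unrestricted:
        # The -u caution: -s without -x/-xa/-xd/-xn may produce an unrestricted audit.
        raise ValueError("settings file given without a restrict flag; "
                         "pass restrict=... or allow_unrestricted=True")
    if api_type is not None and api_type not in API_TYPES:
        raise ValueError(f"api_type must be one of {API_TYPES}")
    if auth is not None and auth[0] not in AUTH_MODES:
        raise ValueError(f"auth mode must be one of {AUTH_MODES}")

    argv = ["wi.exe", "-u", url]
    if api_type:
        argv += ["-api", api_type]
    if settings_file:
        argv += ["-s", settings_file]
    if restrict:
        argv.append("-" + restrict)
    if policy_id is not None:
        argv += ["-ps", str(policy_id)]
    if custom_policy:
        argv += ["-pc", custom_policy]
    if auth:
        argv += ["-a" + auth[0], auth[1]]     # e.g. ("b", "userid:pwd") -> -ab userid:pwd
    if scan_name:
        argv += ["-n", scan_name]
    if crawl_only:
        argv.append("-c")
    for letter, path in (exports or {}).items():
        if letter not in EXPORT_LETTERS:
            raise ValueError(f"unknown export switch -e{letter}")
        argv += ["-e" + letter, path]
    return argv


def render(argv) -> str:
    """One command line, quoted for cmd.exe."""
    return " ".join(quote_arg(a) for a in argv)


def batch_file(commands, install_dir=r"\Program Files\Fortify\Fortify WebInspect") -> str:
    """Batch file text in the layout shown above: drive, cd to install dir, one scan per line."""
    lines = ["c:", "cd " + install_dir] + [render(argv) for argv in commands]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(batch_file([
        build_wi_command("http://172.16.60.19/app?id=1&view=2", policy_id=1025,
                         settings_file=r"C:\scans\my-settings.xml", restrict="xd"),
        build_wi_command("http://www.mywebsite.com", policy_id=4,
                         exports={"a": r"C:\temp\command-line-test-export.xml"}),
    ]))
```

The builder fails closed on purpose: the page says an unrestricted audit "may" happen when -s is used without a restrict flag, so a batch that runs unattended should state that choice explicitly rather than inherit it from a settings file. Values such as "userid:pwd" that contain none of the special characters are emitted unquoted; adding quotes around them, as the Options table shows, is harmless.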

Using WIScanStopper.exe
The WIScanStopper.exe application allows you to stop a scan that is currently running.

Note: This feature is not supported in Fortify WebInspect on Docker.

To stop a scan that is running, type the following on the command line:
WIScanStopper {scanid}
The WIScanStopper.exe application stops the scan with the specified scan ID (GUID). The application
returns one of the exit codes described in the following table.

Code Description

0    The scan successfully stopped.

1    The given argument is not a GUID. Try the command again with a valid scan ID (GUID).

2    The scan with the given GUID was not found to be running on the machine. Verify the scan ID
     (GUID) and try the command again.

3    A timeout occurred while waiting for the scan to stop. There is a 60 second timeout. When the
     stop command is sent, the process waits for the scan to stop. If 60 seconds elapse before the
     scan status changes, then the timeout occurs and the process returns this code.

4    Some other exception has occurred.

Tip: You can restart a scan that is stopped using the WI.exe application with the -ir {scanid}
parameter. For more information, see "Options" on page 275.
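A wrapper around WIScanStopper.exe that applies the exit-code table above, added here as an example rather than taken from the product: it rejects a malformed scan ID locally (the tool's exit code 1 case), treats code 3 as "stop sent, not yet confirmed" so the caller polls the scan instead of re-sending, and produces the wi.exe -ir command from the Tip. The run parameter exists so the logic can be exercised without the tool installed; the GUID in the usage is a constructed placeholder.

```python
"""Stop a WebInspect scan from a script and act on WIScanStopper's exit code.

Added example; not WebInspect code. The GUID used below is constructed."""
import subprocess
import uuid

# Exit codes from the table in this section.
EXIT_CODES = {
    0: "The scan successfully stopped.",
    1: "The given argument is not a GUID.",
    2: "No scan with that GUID is running on this machine.",
    3: "Timeout (60 seconds) waiting for the scan to stop.",
    4: "Some other exception has occurred.",
}


def normalize_scan_id(scan_id: str) -> str:
    """Canonical lowercase hyphenated GUID; raises ValueError for anything else,
    so the exit-code-1 case is caught before the tool is invoked."""
    return str(uuid.UUID(scan_id))


def stop_scan(scan_id: str, run=subprocess.run, exe: str = "WIScanStopper.exe") -> dict:
    """Run the stopper and classify the outcome.

    `run` is injectable so the decision logic can be tested without the tool;
    by default it is subprocess.run, invoked from the WebInspect install directory."""
    sid = normalize_scan_id(scan_id)
    completed = run([exe, sid])
    code = completed.returncode
    return {
        "scan_id": sid,
        "exit_code": code,
        "message": EXIT_CODES.get(code, f"undocumented exit code {code}"),
        "stopped": code == 0,
        # Code 3 means the stop was sent but not confirmed within 60 s: check the
        # scan status again rather than re-sending. Codes 1, 2 and 4 are not transient.
        "poll_again": code == 3,
    }


def resume_command(scan_id: str) -> list:
    """Command that restarts a stopped scan, per the Tip in this section."""
    return ["wi.exe", "-ir", normalize_scan_id(scan_id)]


if __name__ == "__main__":
    result = stop_scan("12345678-1234-1234-1234-123456789abc")   # constructed GUID
    print(result["message"])
    if result["poll_again"]:
        print("stop sent; re-check scan status before retrying")
```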


Using MacroGenServer.exe
The MacroGenServer.exe application allows you to create a login macro from the command-line
interface (CLI) by providing the start URL, username, and password. The following text provides sample
syntax for using the application on the CLI:
macrogenserver.exe -u http://zero.webappsecurity.com/login.html -mu username -mp password

Options
The available options are defined in the following table.

Parameter Definition

-u Specifies the start URL. This parameter is required.

-mu Specifies the login form username. This parameter is required.

Important! If the username contains special characters, you must wrap the
string in double quotation marks. If the username contains the double
quotation mark character, you must use the escape character to pass the
quotation mark as part of the username. Refer to the documentation for the
specific command-line interface you are using to determine the escape
character.

-mp Specifies the login form password. This parameter is required.

Important! If the password contains special characters, you must wrap the
string in double quotation marks. If the password contains the double
quotation mark character, you must use the escape character to pass the
quotation mark as part of the password. Refer to the documentation for the
specific command-line interface you are using to determine the escape
character.

-engine Defines the version of macro to create. Options are:

 l 4.0 – Creates a macro that uses macro engine 4.0 technology. This is the
default version of macro.
 l 5.0 – Creates a macro that uses macro engine 5.0 technology. This is the new
version of macro, and may be beneficial for scanning applications built in
modern frameworks.

Micro Focus Fortify WebInspect (19.2.0) Page 288 of 482


User Guide
Chapter 5: Using Fortify WebInspect Features

Parameter Definition

-m Specifies the file path where you want to save the login macro.

-ps Identifies the IP address or host name of the proxy server.


Examples:

macrogenserver.exe -u http://zero.webappsecurity.com -mu


username -mp password -ps 127.0.0.1 -pp 8080
macrogenserver.exe -u http://zero.webappsecurity.com -mu
username -mp password -ps myproxyhostname -pp 8080

-pp Identifies the proxy server port.

-at Specifies the network authentication type. Options are:

- Basic
- Digest
- Ntlm

-au Specifies the username for network authentication.

-ap Specifies the password for network authentication.

-h Displays the MacroGenServer application help.

Using the WISwag.exe Tool


You can use the WISwag.exe tool in advanced situations for scanning a REST API, such as when you
need to provide a configuration file that includes parameter values. The WISwag.exe tool is a command
line tool that parses a REST API definition and converts it into a format that Fortify WebInspect
understands.

Supported API Definitions and Protocols


The WISwag tool supports the following REST API definitions and protocols:
- OpenAPI Specification versions 2.0 and 3.0 (formerly known as Swagger Specification). For more
  information, visit the Swagger website at http://swagger.io/.
- Open Data (OData) protocol (versions 2, 3, and 4). For more information, visit the OData website at
  http://www.odata.org/.

Tip: When using the WISwag tool with OData, if a POST fails to successfully create a request for
an entity set, view the error in the HTTP details tab of the Web Macro Recorder to determine the
requirements for the entity.

Process Overview
The process for scanning a REST API is as follows.

Stage Description

1. Get the REST API definition from your development team.

2. Do one of the following:


- If you do not have a settings file, use the WISwag.exe tool to convert the REST API
  definition into a Fortify WebInspect settings file. This option also generates a
  workflow macro and custom parameter rules, and embeds them in the settings file.
  See "Converting the API Definition to a Settings File" on page 292.
- If you have a settings file, use the WISwag.exe tool to convert the REST API
  definition into a Fortify WebInspect workflow macro. See "Converting the API
  Definition to a Macro" on page 292.

3. Use the webmacro or settings file to conduct a scan of your REST API.

WISwag.exe Parameters
The WISwag.exe parameters are defined in the following table.

Parameter Description

-a Generates a json-formatted, human readable version of the API definition in the
specified output file. The output file uses the .json extension. This parameter can be
useful for debugging because the API definition is base64 encoded in the generated
settings file. For more information, see "-s" on page 292.

Example:

-a ./<api-def_filename>.json

-ab Passes the supplied authorization token as bearer-type authentication in the
Authorization header. This parameter is applicable only if the API definition specifies
“Authorization: Bearer” in the description.

Example:

-ab QWxhZGRpbjpPcGVuU2VzYW1l

-c Generates custom parameter rules as a list of strings in the specified output file. The
output file uses the .txt extension. The generated text file can be imported into the
URL rewriting settings from the Advanced Settings in the Basic Scan Wizard. For
more information, see "Scan Settings: Custom Parameters" on page 361.

Example output:

/odata-v4-test/Odata4Service.svc/Products({ID})
/odata-v4-test/Odata4Service.svc/Categories({ID})

-h Generates http requests for each audit session to be scanned in the specified output
file. The output file uses the .txt extension. You can copy requests and paste them to
the http editor for debugging.

Example output:

GET http://bhillwin7.spidynamics.com:8080/odata-v4-test/Odata4Service.svc/Products HTTP/1.1
Accept: application/json;odata.metadata=full
Host: bhillwin7.spidynamics.com:8080
X-WISwag-ID: GET_/odata-v4-test/Odata4Service.svc/Products
OData-Version: 4.0
If-Match: *

-i Specifies the input file and location. The input file can be an API definition file or a
configuration file. To override default settings and control which endpoints are
processed, use a configuration file. For more information, see "Using a Configuration
File" on page 293.
The location can be a URL or a local file.

Examples:

-i http://mysite.com/api_def.json
-i C:/myapi.json

-it Specifies the input type. Valid values are odata and swagger.

Examples:

-it swagger

-it odata

-m Generates a WebInspect macro in the specified output file. The output file uses the
.webmacro extension.

Example:

-m ./<macro_filename>.webmacro

-ma Injects the authorization header into the request for the API definition file.

Note: This is useful if you use an authorization header in the configuration file
and you need the same authorization header to be injected into the request for
the API definition file.

-s Generates a WebInspect settings file in the specified output file. The API definition
along with any configuration overrides are added to the settings file. This is the
recommended option when scanning a REST API. The output file uses the .xml
extension.

Example:

-s ./<settings_filename>.xml

Converting the API Definition to a Macro


You can convert the API definition into a Fortify WebInspect workflow macro that you can then use to
scan your REST API. To do this, enter the following command at the command line prompt:
WISwag.exe -it swagger -i http://<input_file_location> -m ./<macro_filename>.webmacro
Afterward, open the macro in the Web Macro Recorder tool and explore its contents.

Converting the API Definition to a Settings File


You can convert the API definition into a Fortify WebInspect settings file. The settings file is configured
to run as Audit Only and contains a workflow macro and custom parameter rules derived from the
REST API definition.
To do this, enter the following command at the command line prompt:
WISwag.exe -it swagger -i http://<input_file_location> -s ./<settings_filename>.xml


Open the scan settings in Fortify WebInspect and explore the contents. You should find that a workflow
macro and custom parameter rules are already defined.

Using a Configuration File


If you use a REST API definition file to create the workflow macro and settings file, then the macro and
settings file will include only default values and settings. For more advanced control over the HTTP
requests generated by the WISwag tool, you can pass a configuration file to the WISwag tool instead of
a REST API definition. This advanced configuration is useful in cases where control over specific
operations or parameters is required. For example, you might need to exclude certain operations, such
as logout or delete operations, from a Fortify WebInspect scan. You can accomplish this by listing the
operation IDs in the 'excludeOperations' property. Operation IDs are defined in the REST API definition.
Sometimes a white-list approach is easier when only a few operations need to be tested. In this case, use
the 'includeOperations' list.

Configuration File Format


The configuration file has the following format:

{
  apiDefinition : 'http://mysite.com/api_def.json', /* can also be a local file (ex. C:/myapi.json) */
  host : 'localhost:8080', /* replace the host in every generated request */
  schemes : ['https', 'http'], /* generate output for both of these schemes */
  preferredContentType : 'application/json', /* if given a choice, prefer json */
  excludeOperations : [ 'logoutUser', 'deleteUser' ], /* generate no output for these operations */
  parameterRules :
  [
    {
      name : 'userId',
      value : 42,
      location : 'path',
      type : 'number',
      includeOperations : ['createNewUser', 'getUser'] /* only apply this rule to these operations */
    },
    {
      name : 'file',
      value : 'my file payload',
      filename : 'myfile.txt',
      location : 'body',
      type : 'file'
    },
    {
      name : 'Authorization',
      value : 'Basic QWxhZGRpbjpPcGVuU2VzYW1l',
      location : 'header',
      inject : true /* add this header to every generated request */
    }
  ]
}

Configuration Properties
The configuration properties are described in the following table.

Required /
Property Optional Description

apiDefinition Required Identifies the URL or file location of a supported REST
API definition.

host Optional Overrides the host in the REST API definition.

Example:

localhost:8080

schemes Optional Overrides the schemes defined in the REST API
definition, expressed as an array of schemes.

Example:

['http','https']

If defined, a series of requests will be generated for each
scheme. Otherwise, a series of requests will only be
generated for the first scheme listed in the REST API
definition.

preferredContentType Optional Sets the preferred content type of the request payload.

If preferredContentType is in the list of supported
content types for an operation, the generated request
payload will be of that type. Otherwise, the first content
type listed in an operation will be used.

excludeOperations Optional Defines a black-list of operation IDs that should be
excluded from the output, expressed as an array of
operation IDs.

Example:

[ 'operation1', 'operation2',
'operationN' ]

includeOperations Optional Defines a white-list of operation IDs that should be
included in the output, expressed as an array of
operation IDs.

Example:

[ 'operation1', 'operation2',
'operationN' ]

parameterRules Optional Defines specific values for a parameter when the default
value is not appropriate or when the parameter is not
defined in the API definition.

Example:
A parameter, such as an authorization header which
is not defined in the API definition, needs to be
injected into every request.

The property is expressed as an array of 'parameterRule'
objects. The 'parameterRule' objects are described in
"Parameter Rule Objects" below.

Parameter Rule Objects


The 'parameterRule' objects are described in the following table.

Required /
Object Optional Description

name Required Specifies the parameter name to match.

To override a property when you have a name conflict,
specify the type of object from the API definition in front of
the parameter name, separated by a slash in the format
'<type_of_object>/<parameter_name>'.
For example, if you have a parameter named “name” and a
nested parameter also named “name”, you must specify the
type of object for the nested parameter as shown below.

{
  name : 'name',
  value : 'Romeo',
  location : 'body',
  type : 'string',
  includeOperations : [ 'addPet' ]
},
{
  name : 'tag/name',
  value : 'Juliet',
  location : 'body',
  type : 'string',
  includeOperations : [ 'addPet' ]
},

value Required Specifies the parameter value to substitute or inject.

location Optional Identifies the parameter location to match. Options are:

- 'body'
- 'header'
- 'path'
- 'query'
- 'any'
The default is 'any' and matches all locations.

type Optional Identifies the parameter type to match. Options are:

- 'number'
- 'boolean'
- 'string'
- 'file' (See filename below.)
- 'date'
- 'any'
The default is 'any' and matches all types.

filename Optional Replaces the filename attribute of a matching multipart or
form file entry. Valid only if type is 'file'.

inject Optional Replaces parameter values. Options are:

- true - injects the parameter in the specified location
  regardless of whether a matching name or type is found.
- false - replaces only parameter values that match the
  specified name, location, and type.
The default is false.

base64Decode Optional Specifies whether 'value' is base64 encoded binary data.


Options are:

- true - 'value' is assumed to be base64 encoded binary
  data and will be decoded into a byte array when inserted
  into a generated HTTP request.
- false - 'value' is not base64 encoded binary data.
The default is false.

includeOperations Optional Applies this parameter rule to the operation IDs in the list,
expressed as an array of operation IDs.

Example:

[ 'operation1', 'operation2', 'operationN' ]

excludeOperations Optional Does not apply this parameter rule to the operation IDs in
the list, expressed as an array of operation IDs.

Example:

[ 'operation1', 'operation2',
'operationN' ]
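The matching semantics in the two tables above (Configuration Properties and Parameter Rule Objects), worked through in code. This is an added example written for this guide's reader, not WISwag's own code: it applies a configuration in the page's format to a constructed, simplified API definition and shows which operations survive the include/exclude lists, how location and type default to 'any', what inject: true and base64Decode do, and how the '<type_of_object>/<parameter_name>' form selects a nested member. The operation shape, the hosts, and the 'tag/name' member are invented for the example; a real OpenAPI or OData document would first have to be flattened into that shape.

```javascript
// Added example (not WISwag's own code): a small request generator that applies
// the documented configuration properties (host, schemes, include/excludeOperations)
// and parameterRule matching semantics to a constructed API definition.

// Constructed mini API definition (hosts and paths are placeholders).
const API_DEF = {
  host: 'api.example.test',
  schemes: ['http'],
  operations: [
    { id: 'getUser', method: 'GET', path: '/users/{userId}',
      params: [{ name: 'userId', in: 'path', type: 'number', value: 1 }] },
    { id: 'deleteUser', method: 'DELETE', path: '/users/{userId}',
      params: [{ name: 'userId', in: 'path', type: 'number', value: 1 }] },
    // Nested object members are written as '<type_of_object>/<parameter_name>',
    // mirroring the override syntax described for the 'name' object above.
    { id: 'addPet', method: 'POST', path: '/pets',
      params: [{ name: 'name', in: 'body', type: 'string', value: 'string' },
               { name: 'tag/name', in: 'body', type: 'string', value: 'string' }] },
  ],
};

// Configuration in the same shape as the page's configuration file.
const CONFIG = {
  host: 'localhost:8080',
  schemes: ['https', 'http'],
  excludeOperations: ['deleteUser'],
  parameterRules: [
    { name: 'userId', value: 42, location: 'path', type: 'number', includeOperations: ['getUser'] },
    { name: 'name', value: 'Romeo', location: 'body', type: 'string', includeOperations: ['addPet'] },
    { name: 'tag/name', value: 'Juliet', location: 'body', type: 'string', includeOperations: ['addPet'] },
    { name: 'Authorization', value: 'Basic QWxhZGRpbjpPcGVuU2VzYW1l', location: 'header', inject: true },
  ],
};

// Top-level include/exclude lists decide which operations produce output at all.
function selectOperations(def, cfg) {
  return def.operations.filter(op =>
    !(cfg.includeOperations && !cfg.includeOperations.includes(op.id)) &&
    !(cfg.excludeOperations && cfg.excludeOperations.includes(op.id)));
}

// A rule's own includeOperations/excludeOperations restrict it to particular operations.
function ruleAppliesTo(rule, opId) {
  if (rule.includeOperations && !rule.includeOperations.includes(opId)) return false;
  if (rule.excludeOperations && rule.excludeOperations.includes(opId)) return false;
  return true;
}

// Documented defaults: location and type default to 'any', which match everything.
function ruleMatches(rule, param) {
  const loc = rule.location || 'any';
  const type = rule.type || 'any';
  return rule.name === param.name &&
    (loc === 'any' || loc === param.in) &&
    (type === 'any' || type === param.type);
}

function generateRequests(def, cfg) {
  const host = cfg.host || def.host;
  // Without a schemes override only the first scheme in the definition is used.
  const schemes = cfg.schemes || [def.schemes[0]];
  const requests = [];
  for (const op of selectOperations(def, cfg)) {
    const params = op.params.map(p => ({ ...p }));
    for (const rule of cfg.parameterRules || []) {
      if (!ruleAppliesTo(rule, op.id)) continue;
      // base64Decode turns the value into raw bytes before it is inserted.
      const value = rule.base64Decode ? Buffer.from(String(rule.value), 'base64') : rule.value;
      const matched = params.filter(q => ruleMatches(rule, q));
      for (const p of matched) {
        p.value = value;
        if (rule.filename && p.type === 'file') p.filename = rule.filename;
      }
      // inject: true adds the parameter even when nothing in the operation matched.
      if (rule.inject && matched.length === 0) {
        params.push({ name: rule.name, in: rule.location || 'any', type: rule.type || 'any', value });
      }
    }
    for (const scheme of schemes) {
      let path = op.path;
      for (const p of params.filter(q => q.in === 'path')) {
        path = path.replace(`{${p.name}}`, encodeURIComponent(String(p.value)));
      }
      const query = params.filter(q => q.in === 'query')
        .map(q => `${q.name}=${encodeURIComponent(String(q.value))}`).join('&');
      const headers = Object.fromEntries(params.filter(q => q.in === 'header').map(q => [q.name, String(q.value)]));
      const body = Object.fromEntries(params.filter(q => q.in === 'body').map(q => [q.name, q.value]));
      requests.push({ id: op.id, method: op.method,
        url: `${scheme}://${host}${path}${query ? '?' + query : ''}`, headers, body });
    }
  }
  return requests;
}
```

Running generateRequests(API_DEF, CONFIG) yields four requests: getUser and addPet, each once per scheme, with deleteUser dropped by excludeOperations, userId rewritten to 42 in the path, both body members of addPet replaced, and the Authorization header injected into every request because no operation declares it.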


Regular Expressions
Special metacharacters and sequences are used in writing patterns for regular expressions. The
following table describes some of these characters and includes short examples showing how the
characters are used. Another recommended resource is the Regular Expression Library at
http://regexlib.com/Default.aspx.
To verify the syntax of regular expressions you create, use the Regular Expression Editor (if it is
installed on your system).

Character Description

\ Marks the next character as special. /n/ matches the character " n ". The sequence /\n/
matches a line feed or newline character.

^ Matches the beginning of input or line.
Also used with character classes as a negation character. For example, to exclude everything in the
content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.

$ Matches the end of input or line.

* Matches the preceding character zero or more times. /zo*/ matches either " z " or "zoo."

+ Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z."

? Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never."

. Matches any single character except a newline character.

[xyz] A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in
"plain."

\b Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early."

\B Matches a nonword boundary. /ea*r\B/ matches the "ear" in "never early."

\d Matches a digit character. Equivalent to [0-9].

\D Matches a nondigit character. Equivalent to [^0-9].

\f Matches a form-feed character.

\n Matches a line feed character.


\r Matches a carriage return character.

\s Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v]

\S Matches any nonwhite space character. Equivalent to [^ \f\n\r\t\v]

\w Matches any word character including underscore. Equivalent to [A-Za-z0-9_].

\W Matches any nonword character. Equivalent to [^A-Za-z0-9_].

Fortify WebInspect developers have also created and implemented extensions to the normal regular
expression syntax. For more information, see "Regex Extensions" below.

Regex Extensions
Fortify engineers have developed and implemented extensions to the normal regular expression (regex)
syntax. When building a regular expression, you can use the tags and operators described below.

Regular Expression Tags


- [STATUSCODE]
- [BODY]
- [ALL]
- [URI]
- [HEADERS]
- [COOKIES]
- [STATUSLINE]
- [STATUSDESCRIPTION]
- [SETCOOKIES]
- [METHOD]
- [REQUESTLINE]
- [VERSION]
- [POSTDATA]
- [TEXT]


Regular Expression Operators


- AND
- OR
- NOT
- [ ]
- ( )

Examples
- To detect a response in which (a) the status line contains a status code of "200" and (b) the phrase
  "logged out" appears anywhere in the message body, use the following regular expression:

  [STATUSCODE]200 AND [BODY]logged\sout

- To detect a response indicating that the requested resource resides temporarily under a different
  URI (redirection) and having a reference to the path "/Login.asp" anywhere in the response, use the
  following:

  [STATUSCODE]302 AND [ALL]Login.asp

- To detect a response containing either (a) a status code of "200" and the phrase "logged out" or
  "session expired" anywhere in the body, or (b) a status code of "302" and a reference to the path
  "/Login.asp" anywhere in the response, use the following regular expression:

  ( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )

  Note: You must include a space (ASCII 32) before and after an "open" or "close" parenthesis;
  otherwise, the parenthesis will be erroneously considered as part of the regular expression.

- To detect a redirection response where "login.aspx" appears anywhere in the redirection Location
  header, use the following regular expression:

  [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx

- To detect a response containing a specific string (such as "Please Authenticate") in the Reason-Phrase
  portion of the status line, use the following regular expression:

  [STATUSDESCRIPTION]Please\sAuthenticate
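To make the tagged-expression examples above testable offline, here is an added evaluator that is not Fortify's code: it parses the response-side tags ([STATUSLINE], [STATUSCODE], [STATUSDESCRIPTION], [VERSION], [HEADERS], [SETCOOKIES], [BODY], [ALL]) together with AND, OR, NOT and space-delimited parentheses, and tests the result against a constructed raw HTTP response. Operator precedence (NOT tightest, then AND, then OR) is an assumption of this example, not something the guide states, so parenthesize mixed expressions explicitly as the Note above advises; request-side tags such as [METHOD] and [POSTDATA] are left out because a response alone does not carry them.

```javascript
// Added example (not Fortify's own code): a small evaluator for the tagged-regex
// syntax described above. Precedence (NOT > AND > OR) is this example's assumption.

// Response-side tags: each maps to the part of the response the pattern is tested against.
const TAGS = {
  STATUSLINE: r => r.statusLine,
  STATUSCODE: r => r.statusCode,
  STATUSDESCRIPTION: r => r.statusDescription,
  VERSION: r => r.version,
  HEADERS: r => r.headers,
  SETCOOKIES: r => r.setCookies,
  BODY: r => r.body,
  ALL: r => r.raw,
};

// Split a raw HTTP response into the parts the tags refer to.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const m = /^(HTTP\/\d(?:\.\d)?) (\d{3}) ?(.*)$/.exec(lines[0]);
  if (!m) throw new Error('malformed status line: ' + lines[0]);
  const headerLines = lines.slice(1);
  return {
    raw, body,
    statusLine: lines[0], version: m[1], statusCode: m[2], statusDescription: m[3],
    headers: headerLines.join('\r\n'),
    setCookies: headerLines.filter(l => /^set-cookie:/i.test(l)).join('\r\n'),
  };
}

// Recursive-descent parser over space-separated tokens. Because tokens are split on
// whitespace, a parenthesis glued to a pattern (no surrounding space) is not treated
// as an operator, which is exactly the pitfall the Note above warns about.
function parseExpression(expr) {
  const toks = expr.trim().split(/\s+/);
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];
  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const inner = orExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return inner;
    }
    const m = /^\[([A-Z]+)\](.+)$/.exec(t);
    if (!m || !(m[1] in TAGS)) throw new Error('not a tagged pattern: ' + t);
    return { tag: m[1], re: new RegExp(m[2]) };
  }
  function notExpr() {
    if (peek() === 'NOT') { next(); return { op: 'NOT', a: notExpr() }; }
    return primary();
  }
  function andExpr() {
    let left = notExpr();
    while (peek() === 'AND') { next(); left = { op: 'AND', a: left, b: notExpr() }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (peek() === 'OR') { next(); left = { op: 'OR', a: left, b: andExpr() }; }
    return left;
  }
  const tree = orExpr();
  if (pos !== toks.length) throw new Error('unexpected token: ' + peek());
  return tree;
}

function evaluate(node, resp) {
  switch (node.op) {
    case 'NOT': return !evaluate(node.a, resp);
    case 'AND': return evaluate(node.a, resp) && evaluate(node.b, resp);
    case 'OR': return evaluate(node.a, resp) || evaluate(node.b, resp);
    default: return node.re.test(TAGS[node.tag](resp));
  }
}

// True when the raw response satisfies the tagged expression.
function matches(expr, rawResponse) {
  return evaluate(parseExpression(expr), parseResponse(rawResponse));
}

// Constructed sample responses (not captured from any real system).
const LOGGED_OUT_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: session=; Max-Age=0',
  '',
  '<html><body>You have been logged out.</body></html>',
].join('\r\n');

const REDIRECT_RESPONSE = [
  'HTTP/1.1 302 Found',
  'Location: /Login.asp',
  '',
  '',
].join('\r\n');
```

With these two responses, matches('[STATUSCODE]200 AND [BODY]logged\sout', LOGGED_OUT_RESPONSE) is true, the combined parenthesized expression from the third example is true for REDIRECT_RESPONSE, and an expression with a parenthesis glued to a pattern is rejected at parse time rather than silently matched as part of the pattern.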
See Also
"Regular Expressions" on page 298


Fortify WebInspect REST API


This topic provides information about the Fortify WebInspect REST API.

What is the Fortify WebInspect REST API?


The Fortify WebInspect REST API provides a RESTful interface between your systems and Fortify
WebInspect for remotely controlling the proxy and scanner. It runs as a lightweight Windows service
(named WebInspect API) that is installed automatically when you install Fortify WebInspect. You
configure, start, and stop the service using the Fortify Monitor tool. You can use the Fortify WebInspect
REST API to add security audit capabilities to your existing automation scripts.
The Fortify WebInspect REST API is fully described and documented using the industry-standard
Swagger RESTful API Documentation Specification version 2.0 (now known as OpenAPI Specification).
The Swagger documentation provides detailed schema, parameter information, and sample code to
simplify consumption of the REST API. It also provides functionality for testing the endpoints before
using them in production.

Important! Due to limitations with SQL Express, running multiple scans using a SQL Express
database may cause unsatisfactory results. For this reason, Fortify recommends not conducting
concurrent (or parallel) scans for installations using SQL Express.

Configuring the Fortify WebInspect REST API


Before you can use the Fortify WebInspect REST API, you must configure it.
 1. From the Windows Start menu, click All Programs > Fortify > Fortify WebInspect > Micro
Focus Fortify Monitor.
The Micro Focus Fortify Monitor icon appears in the system tray.
 2. Right-click the Micro Focus Fortify Monitor icon, and select Configure WebInspect API.
The Configure WebInspect API dialog box appears.
 3. Configure the API Server settings as described in the following table.

Setting Value

Host Both Fortify WebInspect and the Fortify WebInspect REST API must reside on
the same machine. The default setting, +, is a wild card that tells the Fortify
WebInspect REST API to intercept all requests on the port identified in the Port
field. If you have another service running on the same port and want to define
a specific hostname just for the API service, this value can be changed.

Port Use the provided value or change it using the up/down arrows to an available
port number.

Authentication Choose None, Windows, Basic, or Client Certificate from the Authentication
drop-down list.
If you choose Basic for authentication, you must provide user name(s) and
password(s). To do this:
 a. Click the Edit passwords button and select a text editor.
The wircserver.keys file opens in the text editor. The file includes
sample user name and password entries:
username1:password1
username2:password2
 b. Replace the samples with user credentials for access to your server. If
additional credentials are needed, add a user name and password,
separated by a colon, for each user to be authenticated. There should be
only one user name and password per line.
 c. Save the file.
If you choose Client Certificate for authentication, you must first generate a
client certificate based on your root SSL certificate issued by a trusted
certificate authority (CA), and then install it on the client machine.
Tip: You can use a tool, such as the MakeCert utility in the Windows
Software Development Kit (SDK), to create your client certificate.

Use HTTPS Select this check box to access the server over an HTTPS connection.
To run the server over HTTPS, you must create a server certificate and bind it
to the API service. To quickly create a self-signed certificate to test the API
over HTTPS, run the following script in an Administrator PowerShell console:

$rootcertID = (New-SelfSignedCertificate -DnsName "DO NOT TRUST - WIRC Test Root CA","localhost","$($env:computername)" -CertStoreLocation "cert:\LocalMachine\My").Thumbprint
$rootcert = (Get-Item -Path "cert:\LocalMachine\My\$($rootcertID)")

$trustedRootStore = (Get-Item -Path "cert:\LocalMachine\Root")
$trustedRootStore.open("ReadWrite")
$trustedRootStore.add($rootcert)
$trustedRootStore.close()

netsh http add sslcert ipport=0.0.0.0:8443 certhash=$($rootcertID) appid="{160e1003-0b46-47c2-a2bc-01ea1e49b9dc}"

The preceding script creates a certificate for the local host and the computer
name, puts the certificate in the Personal Store and Trusted Root, and binds
the certificate to port 8443. If you use a different port, specify the port you
use in the script.
Important! Use the self-signed certificate created by the preceding script
for testing only. The certificate works only on your local machine and does
not provide the security of a certificate from a certificate authority. For
production, use a certificate that is generated by a certificate authority.

Log Level Choose the level of log information you want to collect.
Note: You can view the API log files using the Windows Event Viewer. The
log files are located under Applications and Services Logs >
WebInspect API.

 4. Do one of the following:

- To start the Fortify WebInspect REST API service and test the API configuration, click Test API.
  The service starts, and a browser opens and navigates to the Fortify WebInspect REST API
  Swagger UI page. For more information about this page, see "Accessing the Fortify WebInspect
  REST API Swagger UI" below.
- To start the Fortify WebInspect REST API service without testing the API configuration, click
  Start.

Accessing the Fortify WebInspect REST API Swagger UI


Complete documentation—including detailed schema, parameter information, sample code, and
functionality for testing endpoints—is included in the Fortify WebInspect REST API.
To access this information:
 1. After configuring and starting the Fortify WebInspect REST API service, open a browser.
 2. Type http://<hostname>:<port>/webinspect/api in the address field and press Enter.
Example: If you used the default settings when configuring the Fortify WebInspect REST API,
you would type http://localhost:8083/webinspect/api.


The WebInspect REST API Swagger UI page appears.

Using the Swagger UI


To use the Swagger UI:
 1. On the Swagger UI page, click an endpoint category.
 2. Click the endpoint method to use.
Detailed schema, parameter information, sample code, and functionality for testing the endpoint
appear.


Automating Fortify WebInspect


You can use the Fortify WebInspect API to add Fortify WebInspect to your existing automation scripts.
As long as the user agent can access the Service Router, the scripts can exist in an entirely different
environment from Fortify WebInspect.

Fortify WebInspect Updates and the API


After updating Fortify WebInspect, you must open the Fortify WebInspect user interface and then open
a scan so that any database schema changes can be applied to the scan database. Otherwise, you may
not be able to run certain API commands without receiving an error.

Scanning with a Postman Collection


You can use your existing Postman automation test scripts, also known as collections, with the Fortify
WebInspect REST API to conduct scans of REST API applications. This topic provides additional
information about Postman, tips for creating a good Postman collection, a process overview, and
troubleshooting tips.

What is Postman?
Postman is an API development environment that allows you to design, collaborate on, and test APIs.
Postman lets you create collections for your API calls, where each collection can be organized into
subfolders and multiple requests. You can import and export collections, making it easy to share files
across your development and testing environment. Through the use of a Collection Runner such as
Newman, tests can be run in multiple iterations, saving time on repetitive tests.

Benefits of a Postman Collection


A REST API application does not expose all the endpoints in a format that a human with a browser or
an automated tool can consume. It is often simply a collection of endpoints that accepts various posts,
puts, and gets with a specific set of request data. To successfully audit these endpoints, Fortify
WebInspect needs to understand key details about the API. A well-defined Postman collection can
expose these endpoints so that Fortify WebInspect can audit the API application.

Prerequisites
While you must have a Postman collection for use in the scan, it is not necessary to install Postman on
the machine where the Fortify WebInspect REST API is installed.


However, you must install the following third-party software on the machine where the Fortify
WebInspect REST API is installed:
- Node.js and Node Package Manager (npm)
- Newman command-line Collection Runner

Important! You must install Newman globally rather than locally. You can do this by adding a
-g argument to the installation command, as follows:

npm install -g newman


Additionally, you must add a System environment variable for the Newman path. The
environment variable will be similar to the following:
<directory_path>\AppData\Roaming\npm
System variables are read only when the machine boots, so after adding the path variable, you
must restart your machine. Refer to your Windows documentation for specific instructions on
adding a System environment variable.

For specific supported version numbers, see the Micro Focus Fortify Software System Requirements
available at https://www.microfocus.com/support-and-services/documentation/.

Ensure Valid Responses


In order to get valid responses, the collection must be complete and executable. Requests must include:
- A valid request URL
- The correct HTTP method (POST, GET, PUT, PATCH, or DELETE)
- Valid parameter data that allows proper exercising of the API
For example, if you have a “name” parameter, then you must provide actual sample data such as "King
Lear" or "Hamlet," rather than the default data type “string.”

Order of Requests
Remember that the order of operations or requests is important. For example, you must create (or
POST) sample data to a parameter before you can do a GET or a DELETE operation on the data.

Tip: To avoid URL errors while running the collection in Fortify WebInspect, after bundling the API
requests in the correct order in your collection, save each request individually by clicking the
request and then clicking Save.
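The "Ensure Valid Responses" and "Order of Requests" guidelines above can be checked mechanically before a collection is handed to Newman or to the WebInspect REST API. The following is an added example, not Fortify's or Postman's code: it walks a Postman collection in the v2.1 JSON layout (folders nested under item[], each request with a method, a url and an optional raw body), flags requests without an absolute URL or with an unsupported method, flags bodies that still carry schema type names such as "string" instead of sample data, and reports a GET or DELETE on an identified resource that runs before any POST has created that resource. The two collections are constructed for the example; the resource-identifier heuristic (a trailing {{variable}}, :param or numeric segment) is this example's own.

```javascript
// Added example (not Fortify or Postman code): a pre-flight lint for a Postman
// collection (v2.1 JSON layout) against the guidelines above. Sample collections
// are constructed; the id-segment heuristic is an assumption of this example.

const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE']);

// Folders nest under item[]; flatten them into the ordered list Newman would run.
function flattenItems(items, out = []) {
  for (const item of items) {
    if (Array.isArray(item.item)) flattenItems(item.item, out);
    else if (item.request) out.push(item);
  }
  return out;
}

// url may be a plain string or an object with a raw form.
function rawUrl(url) {
  if (typeof url === 'string') return url;
  return url && typeof url.raw === 'string' ? url.raw : '';
}

// Trailing segment that looks like an identifier: {{var}}, :param, or a number.
const ID_SEGMENT = /\/(\{\{[^}]+\}\}|:\w+|\d+)$/;

function lintCollection(collection) {
  const problems = [];
  const created = new Set(); // resources a POST has created earlier in the run order
  for (const item of flattenItems(collection.item || [])) {
    const req = item.request;
    const method = String(req.method || '').toUpperCase();
    const url = rawUrl(req.url);
    if (!/^https?:\/\/[^\/\s]+/.test(url)) {
      problems.push(`${item.name}: invalid request URL "${url}"`);
    }
    if (!ALLOWED_METHODS.has(method)) {
      problems.push(`${item.name}: unsupported HTTP method "${method}"`);
    }
    // Bodies still carrying schema type names ("string", "integer") are not sample data.
    const body = req.body && typeof req.body.raw === 'string' ? req.body.raw : '';
    if (/"\s*:\s*"(string|integer|number|boolean)"/.test(body)) {
      problems.push(`${item.name}: body still contains schema placeholder values`);
    }
    // Order of requests: data must be created (POST) before it is read or deleted.
    const path = url.replace(/^https?:\/\/[^\/]+/, '').replace(/[?#].*$/, '');
    const hasId = ID_SEGMENT.test(path);
    const resource = hasId ? path.replace(/\/[^\/]+$/, '') : path;
    if (method === 'POST') {
      created.add(resource);
    } else if (hasId && (method === 'GET' || method === 'DELETE') && !created.has(resource)) {
      problems.push(`${item.name}: ${method} ${path} runs before any POST has created ${resource}`);
    }
  }
  return problems;
}

// Constructed collections (schema URL as written in Postman exports).
const SCHEMA = 'https://schema.getpostman.com/json/collection/v2.1.0/collection.json';

const GOOD_COLLECTION = {
  info: { name: 'pets (constructed)', schema: SCHEMA },
  item: [
    { name: 'Create pet', request: { method: 'POST', url: { raw: 'http://api.example.test/pets' },
        body: { mode: 'raw', raw: '{"name": "Hamlet"}' } } },
    { name: 'Pet reads', item: [
      { name: 'Get pet', request: { method: 'GET', url: { raw: 'http://api.example.test/pets/{{petId}}' } } },
    ] },
    { name: 'Delete pet', request: { method: 'DELETE', url: 'http://api.example.test/pets/{{petId}}' } },
  ],
};

const BAD_COLLECTION = {
  info: { name: 'users (constructed)', schema: SCHEMA },
  item: [
    { name: 'Get user', request: { method: 'GET', url: { raw: 'http://api.example.test/users/1' } } },
    { name: 'Create user', request: { method: 'POST', url: { raw: 'api.example.test/users' },
        body: { mode: 'raw', raw: '{"name": "string"}' } } },
  ],
};
```

lintCollection(GOOD_COLLECTION) returns an empty list, while lintCollection(BAD_COLLECTION) reports the GET that precedes its POST, the relative URL, and the "string" placeholder body, which are the three kinds of defect that most often make a collection fail when WebInspect replays it.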


Handling Authentication
If your API requires authentication, you must configure it in the Postman collection. Follow these
guidelines when configuring authentication:
- The user credentials must be current and not expired.
- If you use an environment to specify authentication information, select the type of authentication
  environment in the Postman collection.
- It is possible that not all requests in the collection require authentication or not all requests require
  the same type of authentication. If this is the case in your collection, be sure to specify the
  appropriate authentication type for each request in the collection.

Including Multiple Collection Files Simultaneously


If you include multiple Postman collection files in a single API endpoint command, all files will be
processed at the same time. In the results, you will not see multiple files. All the files will be included in a
single scan file (GUID). To have separate scans, you must create a separate API request for each
collection file.

Sample Postman Scripts


Sample code for leveraging the Postman API can be found at
https://github.com/fortify/WebInspectAutomation.
A sample Postman collection is available for download on the Fortify repository on GitHub at
https://github.com/fortify/WebInspectAutomation/tree/master/PostmanSamples.

Conducting a Scan Using a Postman Collection


The process for conducting a scan using a Postman collection is described in the following table.

Stage Description

1. Do the following in Postman:

   1. Create a Postman collection file, following the guidelines mentioned previously in this
      topic.
   2. Save each API call in Postman individually.
   3. Click Runner to open the Newman command-line Collection Runner.

2. Do the following in Newman command-line Collection Runner:

   1. With the collection open in the Collection Runner, ensure that the API calls are in the
      correct order for execution.
   2. Click Run <Collection Name>.
   3. Inspect the responses from each call to ensure the requests were successful.

3. Do the following in Fortify WebInspect:

   1. Configure and start the Fortify WebInspect API. See "Configuring the Fortify
      WebInspect REST API" on page 301.
   2. Access the Postman API endpoint in the Swagger UI. See "Accessing the Fortify
      WebInspect REST API Swagger UI" on page 303.
   3. Configure the endpoint according to the instructions in the Swagger UI.
   4. Execute the endpoint sample scripts from the Swagger UI or your API tool of choice.
      Important! Include a scan settings file with the appropriate settings that provide
      access to the site in your Postman collection. For example, include the correct
      allowed hosts, proxy settings, and so on.

4. The endpoint returns the scan ID (GUID) and the results of the Postman collection.

Troubleshooting the Postman Scan


Use the following troubleshooting tips if you encounter issues while running a scan with a Postman
collection:
 1. Check the proxy configuration in the scan settings to ensure that Postman can run through the
proxy and access the site for testing. One option is to try running Newman manually with the proxy
configuration.
 2. Check the results of the request:
 a. View the total requests sent to ensure that they match the requests in the Postman file.
 b. Ensure that there are no failed requests.
 3. Check the API server logs for more detailed information about which requests executed and which
ones failed. You can view the API server logs in the active WIRCServer.exe window.

Integrating with Selenium WebDriver


Note: This feature is a technology preview. Technology preview features are currently
unsupported, may not be functionally complete, and are not suitable for deployment in production.
However, these features are provided as a courtesy and the primary objective is for the feature to
gain wider exposure with the goal of full support in the future.


You can integrate Fortify WebInspect with Selenium Webdriver, also known as Selenium 2.0, to do the
following:
 l Conduct a scan using the WI.exe command-line tool
 l Create a workflow macro using the Fortify WebInspect REST API

Known Limitations
The following are known limitations for integrating Fortify WebInspect with Selenium Webdriver:
 l Fortify WebInspect supports Selenium WebDriver only.
 l Fortify WebInspect does not support Selenium WebDriver with remote server configuration, such as
the RemoteWebDriver class.
 l A Selenium WebDriver macro can be used as a workflow macro only. It cannot be a login or startup
macro.
 l You can initiate a scan using a Selenium WebDriver macro from the command line interface (CLI) or
the API only. While you cannot initiate a scan from the user interface, you can rescan and
import/export a Selenium WebDriver macro.
 l Support for Fortify WebInspect Enterprise is limited. You can use a macro file that was created from
the CLI or API, but only if you have completed setup of the Selenium WebDriver environment on the
sensor machine.

Process Overview
The process for integrating Fortify WebInspect with Selenium WebDriver is described in the following
stages.

Stage 1. Fortify WebInspect must be able to capture traffic from a web browser using the Fortify
WebInspect proxy. Do one of the following to enable proxy capture:
 l Add the proxy to your Selenium scripts directly in the code or using a placeholder in the
command line interface as described in "Adding the Proxy to Selenium Scripts" on the
next page.
 l Use the Fortify WebInspect geckodriver.exe for capturing traffic when using Firefox as
described in "Using the Fortify WebInspect geckodriver.exe" on page 315.

Stage 2. Install the Selenium WebDriver environment on the machine running Fortify WebInspect
as described in "Installing the Selenium WebDriver Environment" on page 316.

Stage 3. Ensure that you can start up the Selenium WebDriver scripts from the command line and
define your Allowed Hosts as described in "Testing from the Command Line" on page 316.

Stage 4. Optionally, upload all scripts and their dependencies to the Selenium API or manually copy
them to the machine running Fortify WebInspect as described in "Uploading Files to Fortify
WebInspect" on page 319.

Stage 5. Use the command from Stage 3 to run a scan using WI.exe or create a macro using the
WebInspect REST API as described in "Using the Selenium Command" on page 319.

Stage 6. Fix any errors that occur.
When conducting a scan with WI.exe or creating a macro in the API, the macro is validated.
Errors and warnings are returned for each Selenium command. This feature is enabled by
default. To disable it:
 l In WI.exe, use the -selenium_no_validation parameter. For more information, see
"Using WI.exe" on page 274.
 l In the API, set the VerifyMacro parameter to false. For more information, see the
Fortify WebInspect REST API Swagger UI.
To troubleshoot issues, view the Scan logs for errors and the StateRequestor logs for
warnings.

Tip: Generally, logs are written to the following directory paths:
 l If an API scan runs as the SYSTEM USER, which is the default user, then logs are
written to:
C:\ProgramData\HP\HP WebInspect\Schedule\logs\<scan_guid>\ScanLog
C:\ProgramData\HP\HP WebInspect\Schedule\logs\<scan_guid>\StateRequestor
 l For all CLI and UI scans, and for an API scan that runs as the current user, logs are
written to:
C:\Users\<user.name>\AppData\Local\HP\HP WebInspect\Logs\<scan_guid>\ScanLog
C:\Users\<user.name>\AppData\Local\HP\HP WebInspect\Logs\<scan_guid>\StateRequestor

Adding the Proxy to Selenium Scripts


To use this method of capturing traffic from the web browser, you must add Fortify code that applies
the proxy to your Selenium initialization directly in your code or, if your scripts accept a proxy
argument, pass the proxy as an argument in the command line interface (CLI).


Advantages
This approach provides flexibility, as it can run from any browser that Selenium supports. Additionally,
this approach should provide some upgrade protection. The Fortify code resides in your scripts, so you
should be able to continue using it in future versions of Selenium with only minor code changes.

Disadvantages
This approach involves a one-time manual task of adding Fortify code to your scripts for initializing the
browser correctly.

Sample Code
You must read the value of the environment variable named Fortify_WI_Proxy, configure it as the
HTTP and HTTPS proxy for the web browser, and set the browser to accept the proxy's certificate. How
you do this depends on your programming language. The following sections provide sample code for
several languages.

Note: These code samples are based on Selenium WebDriver version 3.14. Code for your specific
version might be different.

C#
In your C# code, you must find where the browser driver is initialized and add browser options to it. The
following is an example for the Chrome browser.

ChromeOptions chromeOptions = new ChromeOptions();

string proxy = Environment.GetEnvironmentVariable("Fortify_WI_Proxy");
if (!String.IsNullOrEmpty(proxy))
{
    chromeOptions.AcceptInsecureCertificates = true;
    chromeOptions.Proxy = new Proxy();
    chromeOptions.Proxy.HttpProxy = proxy;
    chromeOptions.Proxy.SslProxy = proxy;
}
… new ChromeDriver(chromeOptions) // options should go into this class

The following is an example for the Firefox browser.

FirefoxOptions config = new FirefoxOptions();

string proxy = Environment.GetEnvironmentVariable("Fortify_WI_Proxy");
if (!String.IsNullOrEmpty(proxy))
{
    config.AcceptInsecureCertificates = true;
    config.Proxy = new Proxy();
    config.Proxy.HttpProxy = proxy;
    config.Proxy.SslProxy = proxy;
}
… new FirefoxDriver(config) // options should go into this class

Java
In your Java code, you must find where the browser driver is initialized and add browser options to it.
The following is an example for the Chrome browser.

ChromeOptions options = new ChromeOptions();

String wi_proxy = System.getenv("Fortify_WI_Proxy");
if (wi_proxy != null) {
    Proxy proxy = new Proxy();
    proxy.setHttpProxy(wi_proxy);
    proxy.setSslProxy(wi_proxy);
    options.setProxy(proxy);
    options.setAcceptInsecureCerts(true);
}

ChromeDriver driver = new ChromeDriver(options);

The following is an example for the Firefox browser.

FirefoxOptions options = new FirefoxOptions();

String wi_proxy = System.getenv("Fortify_WI_Proxy");
if (wi_proxy != null) {
    Proxy proxy = new Proxy();
    proxy.setHttpProxy(wi_proxy);
    proxy.setSslProxy(wi_proxy);
    options.setProxy(proxy);
    options.setAcceptInsecureCerts(true);
}

FirefoxDriver driver = new FirefoxDriver(options);

JavaScript
In your JavaScript code, you must find where the browser driver is initialized and add browser options
to it. The following is an example for the Chrome browser.


const { Builder } = require('selenium-webdriver');
const selProxy = require('selenium-webdriver/proxy');
// ... your existing setup code ...
(async function example() {
    let driver;
    let env = process.env.Fortify_WI_Proxy;
    if (env) {
        let caps = { acceptInsecureCerts: true }; // accept the proxy's certificate
        let proxy = { http: env, https: env }; // apply the env variable as the proxy
        // set the proxy and acceptInsecureCerts before building the driver
        driver = await new Builder().withCapabilities(caps)
            .setProxy(selProxy.manual(proxy)).forBrowser('chrome').build();
    } else {
        driver = await new Builder().forBrowser('chrome').build();
    }
    // ... your test steps ...
})();

The following is an example for the Firefox browser.

const { Builder } = require('selenium-webdriver');
const selProxy = require('selenium-webdriver/proxy');
// ... your existing setup code ...
(async function example() {
    let driver;
    let env = process.env.Fortify_WI_Proxy;
    if (env) {
        let caps = { acceptInsecureCerts: true }; // accept the proxy's certificate
        let proxy = { http: env, https: env }; // apply the env variable as the proxy
        // set the proxy and acceptInsecureCerts before building the driver
        driver = await new Builder().withCapabilities(caps)
            .setProxy(selProxy.manual(proxy)).forBrowser('firefox').build();
    } else {
        driver = await new Builder().forBrowser('firefox').build();
    }
    // ... your test steps ...
})();

Python
In your Python code, you must find where the browser driver is initialized and add browser options to it.
The following is an example for the Chrome browser.

import os
from selenium import webdriver
from selenium.webdriver import DesiredCapabilities
from selenium.webdriver.common.proxy import Proxy, ProxyType
# ...
capabilities1 = DesiredCapabilities.CHROME.copy()
Fortify = os.environ.get('Fortify_WI_Proxy')
if Fortify is not None:
    capabilities1['acceptInsecureCerts'] = True  # accept the proxy's certificate
    prox = Proxy()
    prox.proxy_type = ProxyType.MANUAL
    prox.http_proxy = Fortify
    prox.ssl_proxy = Fortify
    prox.add_to_capabilities(capabilities1)
cls.driver = webdriver.Chrome(executable_path='C:/chromedriver.exe',
                              desired_capabilities=capabilities1)

The following is an example for the Firefox browser.

import os
from selenium import webdriver
from selenium.webdriver import DesiredCapabilities
from selenium.webdriver.common.proxy import Proxy, ProxyType
# ...
capabilities1 = DesiredCapabilities.FIREFOX.copy()
Fortify = os.environ.get('Fortify_WI_Proxy')
if Fortify is not None:
    capabilities1['acceptInsecureCerts'] = True  # accept the proxy's certificate
    prox = Proxy()
    prox.proxy_type = ProxyType.MANUAL
    prox.http_proxy = Fortify
    prox.ssl_proxy = Fortify
    prox.add_to_capabilities(capabilities1)
cls.driver = webdriver.Firefox(executable_path='C:/geckodriver.exe',
                               capabilities=capabilities1)

Ruby
In your Ruby code, you must find where the browser driver is initialized and add browser options to it.
The following is an example for the Chrome browser.

http_proxy = ENV['Fortify_WI_Proxy']

if http_proxy
  proxy = Selenium::WebDriver::Proxy.new(http: http_proxy, ssl: http_proxy)
  capabilities = Selenium::WebDriver::Remote::Capabilities.chrome(accept_insecure_certs: true)
  capabilities.proxy = proxy
else
  capabilities = Selenium::WebDriver::Remote::Capabilities.chrome()
end

driver = Selenium::WebDriver.for :chrome, desired_capabilities: capabilities

The following is an example for the Firefox browser.

http_proxy = ENV['Fortify_WI_Proxy']

if http_proxy
  proxy = Selenium::WebDriver::Proxy.new(http: http_proxy, ssl: http_proxy)
  capabilities = Selenium::WebDriver::Remote::Capabilities.firefox(accept_insecure_certs: true)
  capabilities.proxy = proxy
else
  capabilities = Selenium::WebDriver::Remote::Capabilities.firefox()
end

driver = Selenium::WebDriver.for :firefox, desired_capabilities: capabilities

Using the CLI


If your scripts accept an argument that configures the proxy, then you can use this method to add the
Fortify WebInspect proxy to your scripts. For example, if you have an argument named -proxy
"<host:port>", then you can use the placeholder {Fortify_WI_Proxy} in the command at run
time as shown here:

-proxy "{Fortify_WI_Proxy}"

If you must specify the host and port separately, then you can use a placeholder for each as shown here:

-proxy "{Fortify_WI_Proxy_Host}:{Fortify_WI_Proxy_Port}"

These arguments will replace the placeholder in your scripts with the Fortify WebInspect proxy at run
time.

Using the Fortify WebInspect geckodriver.exe


GeckoDriver is a proxy that helps W3C WebDriver-compatible clients communicate with Gecko-based
browsers. The geckodriver.exe application provides this proxy for Firefox browsers. To use this
method of capturing traffic from the web browser, you must replace your existing geckodriver.exe
with the Fortify WebInspect geckodriver.exe, which you can find in the
<Installation Directory>\Extensions folder.

Note: The default installation directory is C:\Program Files\Fortify\Fortify WebInspect\Extensions.

Advantages
This approach requires less work for you.

Disadvantages
You will not be able to use the latest version of geckodriver.exe, and you must use only Firefox scripts.


Installing the Selenium WebDriver Environment


On the machine where Fortify WebInspect is installed, you must install all the software and tools that
you need to run Selenium scripts. This includes, but is not limited to, such items as:
 l A browser
 l A test runner
 l All prerequisite software to support running Selenium scripts
For example, for .NET NUnit framework, you must install .NET and nunit3-console.exe as the
executable that runs the Selenium scripts.
Important! The list of required software and tools varies depending on your programming
language.

Testing from the Command Line


To ensure that you are able to start up and run Selenium Webdriver scripts from the command line, you
must create and use a command that will execute your Selenium script. The command that you use
varies depending on the programming language and testing framework that you are using to conduct
Selenium tests.
For example, to run NUnit in .NET, you can run a command similar to the following:

D:\tmp\selenium_wd\bin\net35\nunit3-console.exe "D:\tmp\selenium_wd\selenium_c_sharp-master\Selenium\bin\Debug\Selenium.dll"

In this example, nunit3-console.exe is the unit test runner, and Selenium.dll is the DLL that
contains the unit tests. For more examples, see "Creating a Selenium Command" below.

Tip: You can use the POST /configuration/selenium/folder and
GET /configuration/selenium/file/{foldername} API endpoints to show the full path to the
files you deployed. You can use this information to update the command in the CLI. For more
information, see "Uploading Files to Fortify WebInspect" on page 319.

Creating a Selenium Command


The Selenium command is used on the command line to execute unit tests. In most cases, the command
can be found during a run of unit tests on the build server or while debugging. This command varies
based on the unit test framework that you are using. Each framework has its own runner and command-
line arguments. The following sections provide tips and sample commands for several frameworks in
various languages.

.NET MSTest
The MSTest framework uses a tool called Vstest.console.exe with the following syntax:

<Path_to_Vstest_Executable>\Vstest.console.exe <Path_to_Unit_Test_dlls>\<TestFileNames> <Options>

In most cases, you must call this executable with a list of DLLs, which are the test file names that you
want to run. The following sample code runs two test files:

"C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe"
"C:\Projects\Tests\bin\TestHomepage_unittest.dll"
"C:\Projects\Tests\bin\AddCart_unittest.dll"

.NET NUnit
The NUnit framework uses a tool called nunit3-console.exe (version 3.x) with the following syntax:
NUNIT3-CONSOLE <InputFiles> <Options>
You must call this executable with a list of DLLs, which are the test file names that you want to run. The
following sample code runs two test files:

C:\nunit\net35\nunit3-console.exe
"C:\Projects\Tests\bin\TestHomepage_unittest.dll"
"C:\Projects\Tests\bin\AddCart_unittest.dll"

xUnit.net
The xUnit.net framework provides two command-line runners: xunit.console.exe and
xunit.console.x86.exe. You use the following syntax:
xunit.console <assemblyFile> [configFile] [assemblyFile [configFile]...]
[options] [reporter] [resultFormat filename [...]]
xUnit.net accepts .json and .xml file extensions as configuration files (configFile).
You must call the appropriate executable with a list of DLLs, which are the test file names that you want
to run. The following sample code runs two test files:

C:\xunit\xunit.console.exe
"C:\Projects\Tests\bin\TestHomepage_unittest.dll"
"C:\Projects\Tests\bin\AddCart_unittest.dll"

Java TestNG
The TestNG framework requires testng.jar libraries with a classpath (-cp) option and the java.exe
application. In the -cp option, you must list all the library classes that you need to run your project. You
use the following syntax:
java -cp "<Path_to_testngjar>/testng.jar:<Path_to_Test_Classes>" org.testng.TestNG <Path_to_Test_xml>

The following sample code runs an XML test file:

C:\Program Files\Java\jdk-12.0.1\bin\java.exe -cp ".\libs\: C:\Program Files\jbdevstudio4\studio\plugins\*"
org.testng.TestNG testng.xml

Java JUnit
The JUnit framework has several versions and each version has its own command to execute tests. In
the -cp option, you must list all the library classes that you need to run your project.
JUnit version 5.x uses the following syntax:
java -jar junit-platform-console-standalone-<version>.jar --class-path <Path_
to_Compiled_Test_Classes> --scan-class-path
JUnit version 4.x uses the following syntax:
java -cp .\libs\:<Path_to_Junitjar>\junit.jar org.junit.runner.JUnitCore
[test class name]
JUnit version 3.x uses the following syntax:
java -cp .\libs\:<Path_to_Junitjar>\junit.jar junit.textui.TestRunner [test
class name]
The following sample code runs a test class:

C:\Program Files\Java\jdk-12.0.1\bin\java -cp C:\java\libs\:C:\junit\junit.jar
org.junit.runner.JUnitCore C:\project\test.class

Python unittest and PyUnit


Python provides built-in unit test modules (-m): Python unittest and PyUnit, depending on the version
of Python you are using. These frameworks use the following syntax:
python -m unittest [options] [tests]
In this syntax, the [tests] can be a list of any number of test modules, classes, and test methods. The
following command displays the unittest help in Python:
python -m unittest -h
The following sample code runs a test file named tests.py in the unittest module:

C:\Python\Python37-32\python.exe -m unittest
C:\SampleProjects\POMProjectDemo\Tests\tests.py

Ruby RSpec
The RSpec framework provides unit testing libraries for Ruby code. This framework uses the following
syntax:
<Path_to_RSpec>\rspec.bat [options] [files or directories]


The following sample code runs a test library:

C:\Ruby26-x64\bin\rspec.bat -I C:\Ruby26-x64\Project\lib\
C:\Ruby26-x64\Project\spec\calculator_spec.rb

JavaScript Jest
Jest is a JavaScript library for creating and running tests on JavaScript code. This framework uses the
following syntax:
<Path_to_Jest>\jest.js [--config=<pathToConfigFile>] [TestPathPattern]
The following sample code runs a test library:

"C:\Users\admin\AppData\Roaming\npm\jest.cmd"
--config=C:\Users\admin\AppData\Roaming\npm\jest.config.js
C:/Users/admin/AppData/Roaming/npm/sum.test.js

Uploading Files to Fortify WebInspect


To run a scan in the command-line interface (CLI) or create a macro using the API, you must upload all
scripts and their dependencies to the machine where Fortify WebInspect is installed.

Using the CLI


To run a scan from the CLI, you must manually copy the files to the machine where Fortify WebInspect
is installed.

Using the API


The Fortify WebInspect REST API provides the following endpoints for deploying these files:
 l POST /configuration/selenium/folder – Upload and unzip ZIP file(s)
 l GET /configuration/selenium/folder – Get a list of ZIP files that are already uploaded
 l GET /configuration/selenium/file/{foldername} – Get a list of files that are contained in
the ZIP file
 l DELETE /configuration/selenium/folder/{foldername} – Delete the ZIP file
For details about using these endpoints, see the specific endpoint methods in the Swagger UI. For more
information, see "Accessing the Fortify WebInspect REST API Swagger UI" on page 303.

Using the Selenium Command


After creating and testing the Selenium command, you can use it to run a scan using WI.exe or create a
macro using the API.


Running a Scan Using WI.exe


For the command-line interface (CLI), WI.exe includes a -selenium_workflow parameter that accepts
an XML object called ArrayOfSeleniumCommand as a file or a string.
Important! If you run a command as a string rather than a file, and the command contains the
double-quotation mark character ("), then the character must be escaped with the backslash
character (\) when you save it in the <Command> tag. For example, if the command includes spaces
in the path, and you use double-quotation marks to pass the path in the Command, then the
quotation marks must be escaped as shown here:

<Command>\"C:\Program Files\nunit\nunit3-console.exe\"
C:\Projects\Tests\bin\TestHomepage_unittest.dll
\"C:\Projects\Tests Main\bin\AddCart_unittest.dll\"</Command>

You place the Selenium command you created previously in the Command tag in the following syntax.
For more information, see "Creating a Selenium Command" on page 316.

<ArrayOfSeleniumCommand>
<SeleniumCommand>
<Command>"Commands"</Command>
<AllowedHosts>
<string>http://hostname/</string>
</AllowedHosts>
<WorkingDirectory>C:\pathtoprojectfolder\</WorkingDirectory>
</SeleniumCommand>
<SeleniumCommand>
...
</SeleniumCommand>
...
</ArrayOfSeleniumCommand>

To pass the command as a file, use the following syntax:

-selenium_workflow "@PathToFile"

The following sample code passes a file named wd_firefox.txt as the command:

-selenium_workflow "@D:\tmp\selenium_wd\wd_firefox.txt"

For more information, see "Using WI.exe" on page 274.
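As an added example (not code from the Fortify WebInspect product or this guide), the following Python script builds the ArrayOfSeleniumCommand XML shown above for either form of the -selenium_workflow parameter. It applies the backslash escaping of double-quotation marks only when the XML is passed as a string, and leaves the command unescaped when the XML is saved to a file and referenced with "@PathToFile". The element names are those of the syntax above; the NUnit path, host and working directory are constructed sample values.

```python
"""Build the ArrayOfSeleniumCommand XML accepted by WI.exe -selenium_workflow.

Added example; not part of Fortify WebInspect or its documentation. Only the element
names from the guide are assumed (ArrayOfSeleniumCommand, SeleniumCommand, Command,
AllowedHosts/string, WorkingDirectory). All paths and hosts are constructed samples.
"""
import xml.etree.ElementTree as ET
from pathlib import Path


def build_selenium_workflow(commands, as_string=False):
    """Return the XML text for a list of (command, allowed_hosts, working_dir) tuples.

    as_string=True  -> the XML will be passed directly on the WI.exe command line, so
                       every double-quotation mark inside <Command> is escaped as \\"
                       (the rule stated in the guide for the string form).
    as_string=False -> the XML will be written to a file and referenced as @PathToFile,
                       where no escaping applies.
    """
    root = ET.Element("ArrayOfSeleniumCommand")
    for command, allowed_hosts, working_dir in commands:
        sc = ET.SubElement(root, "SeleniumCommand")
        cmd = ET.SubElement(sc, "Command")
        # ElementTree escapes &, < and > for us; the backslash-quote rule is ours to apply.
        cmd.text = command.replace('"', '\\"') if as_string else command
        hosts = ET.SubElement(sc, "AllowedHosts")
        for host in allowed_hosts:
            ET.SubElement(hosts, "string").text = host
        if working_dir:
            ET.SubElement(sc, "WorkingDirectory").text = working_dir
    return ET.tostring(root, encoding="unicode")


def write_workflow_file(commands, path):
    """Save the unescaped (file) form and return the WI.exe argument that references it."""
    Path(path).write_text(build_selenium_workflow(commands, as_string=False),
                          encoding="utf-8")
    return f'-selenium_workflow "@{path}"'


# Constructed sample: one NUnit command whose paths contain spaces and therefore must be
# quoted, plus the single host the macro is allowed to reach.
SAMPLE_COMMANDS = [
    (
        r'"C:\Program Files\nunit\nunit3-console.exe" '
        r'"C:\Projects\Tests Main\bin\AddCart_unittest.dll"',
        ["http://hostname/"],
        r"C:\Projects\Tests Main\bin",
    )
]

if __name__ == "__main__":
    # String form, ready to paste after -selenium_workflow on the command line.
    print(build_selenium_workflow(SAMPLE_COMMANDS, as_string=True))
    # File form: writes wd_sample.xml and prints the argument to pass to WI.exe.
    print(write_workflow_file(SAMPLE_COMMANDS, "wd_sample.xml"))
```

Keeping AllowedHosts to the hosts the tests actually exercise limits what the scan may touch; generating the XML from a list rather than editing it by hand also keeps the escaping rule from being applied twice when the same command is moved from the string form to a file.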

Creating a Macro Using the API


To create a macro using the API, use the following endpoint:
POST /configuration/selenium/macro
The following sample code adds a macro using cURL:


curl -X POST --header "Content-Type: application/json" -d
"{\"VerifyMacro\":true,\"name\": \"test\",\"command\":
\"D:\\tmp\\selenium_wd\\bin\\net35\\nunit3-console.exe
\\\"D:\\tmp\\selenium_wd\\selenium_c_sharp-master\\Selenium\\
bin\\Debug\\Selenium.dll\\\"\",\"allowedHosts\":
[\"http://zero.webappsecurity.com\"]}"
http://localhost:8083/webinspect/configuration/selenium/macro

The following sample code starts a scan using cURL:

curl.exe -X POST --header "Content-Type: application/json"
--header "Accept: application/json" -d "{\"settingsName\":
\"Default\", \"overrides\": { \"startOption\": \"macro\",
\"workflowMacros\": [\"test \"],\"AllowedHosts\":[\"\\*\"] ,
\"crawlAuditMode\": \"auditOnly\" } }"
http://localhost:8083/webinspect/scanner/scans

Complete usage information and sample code are included in the Swagger UI, and objects are similar to
those described in "Running a Scan Using WI.exe" on the previous page. For more information, see
"Using the Swagger UI" on page 304.
The WorkingDirectory and AllowedHosts arguments are optional. In some cases, AllowedHosts
can be determined automatically. However, Fortify recommends that you set AllowedHosts for each
macro.
In some cases, you must set the Working Directory path, which is the "current working directory," for the
WorkingDirectory argument.
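The same two requests as a Python script instead of cURL, added here as an example and not part of this guide or the product. Building the JSON bodies with json.dumps removes the hand escaping of quotation marks and backslashes that the cURL samples need, which is a common reason a macro command arrives at the API malformed. The endpoint paths and field names are those shown in the cURL samples above; the base URL, macro name, command and host are constructed sample values, AllowedHosts is passed explicitly to both requests as recommended above, and the post() helper only sends a request when the script is run directly.

```python
"""Create a Selenium workflow macro and start a scan through the Fortify WebInspect REST API.

Added example; not code from Fortify WebInspect or its documentation. Endpoint paths and
JSON field names are copied from the guide's cURL samples. The base URL, macro name,
command and host below are constructed sample values (assumptions, not product defaults).
"""
import json
import urllib.request

BASE_URL = "http://localhost:8083/webinspect"   # assumed; matches the guide's cURL samples


def macro_payload(name, command, allowed_hosts, verify_macro=True):
    """Body for POST /configuration/selenium/macro.

    verify_macro maps to the VerifyMacro parameter: True validates every Selenium
    command and returns errors and warnings; False disables that validation.
    """
    return {
        "VerifyMacro": verify_macro,
        "name": name,
        "command": command,
        "allowedHosts": list(allowed_hosts),
    }


def scan_payload(macro_name, allowed_hosts, settings_name="Default",
                 crawl_audit_mode="auditOnly"):
    """Body for POST /scanner/scans: run the named workflow macro, audit only."""
    return {
        "settingsName": settings_name,
        "overrides": {
            "startOption": "macro",
            "workflowMacros": [macro_name],
            "AllowedHosts": list(allowed_hosts),
            "crawlAuditMode": crawl_audit_mode,
        },
    }


def to_json(body):
    """Serialise a body; json.dumps performs all quoting and backslash escaping."""
    return json.dumps(body)


def post(path, body, base_url=BASE_URL, timeout=30):
    """POST a JSON body to the API and return the decoded JSON response (or raw text)."""
    req = urllib.request.Request(
        base_url + path,
        data=to_json(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode("utf-8")
    try:
        return json.loads(raw)
    except ValueError:
        return raw


# Constructed sample mirroring the guide's cURL example: an NUnit runner and a test DLL
# whose path is itself quoted inside the command string.
SAMPLE_COMMAND = (r'D:\tmp\selenium_wd\bin\net35\nunit3-console.exe '
                  r'"D:\tmp\selenium_wd\selenium_c_sharp-master\Selenium\bin\Debug\Selenium.dll"')
SAMPLE_HOSTS = ["http://zero.webappsecurity.com"]


def main():
    macro = macro_payload("test", SAMPLE_COMMAND, SAMPLE_HOSTS)
    print(post("/configuration/selenium/macro", macro))   # returns validation result
    print(post("/scanner/scans", scan_payload("test", SAMPLE_HOSTS)))   # returns scan id


if __name__ == "__main__":
    main()
```

If the API is configured to require authentication, add the corresponding Authorization header to the request in post(); the Swagger UI shows the full object for each endpoint, including the WorkingDirectory field when your command must run from a particular directory.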

About the Burp API Extension


The Burp Suite is a toolkit for performing security testing of web applications. Fortify WebInspect
includes a Burp extension that allows Burp Suite users to connect Fortify WebInspect to Burp via the
Fortify WebInspect API.

Benefits of Using the Burp API Extension


Connecting Fortify WebInspect to Burp provides the following benefits:
 l Create Burp issues with vulnerabilities from a Fortify WebInspect scan
 l Request vulnerabilities detected in a currently running or completed scan
 l Request vulnerabilities based on a specified criteria, such as Severity

Note: Fortify WebInspect check IDs and names do not map to Burp issue IDs and names.


 l Select sessions in Burp and send them to Fortify WebInspect
 Note: Sessions could be selected for the following reasons:
  l Locations that need to be added to Fortify WebInspect’s crawl in a running scan
  l New vulnerabilities that need to be added to a running scan
  l New vulnerabilities that need to be added to a completed scan
 l Get scan information from Fortify WebInspect:
  l Get status of a specific scan
  l Get a list of scans available in the currently connected Fortify WebInspect database
  l Get a list of scans based on scan status (Running/Complete)

Supported Versions
The Fortify WebInspect Burp API extension is compatible with the new Burp Extension API.
See Also
"Fortify WebInspect REST API" on page 301
"Using the Burp API Extension" below

Using the Burp API Extension


This topic describes how to set up and use the Fortify WebInspect Burp extension.


Loading the Burp Extension


Perform the following steps in Burp to load the Fortify WebInspect Burp extension:
 1. On the Extender tab, select Extensions and click Add.
The Load Burp Extension window appears.

 2. In the Extension file (.jar) field, click Select file and navigate to the WebInspectBurpExtension.jar
file.
Tip: The WebInspectBurpExtension.jar file can be found in the Extensions directory in the
Fortify WebInspect installation location. The default location is one of the following:
C:\Program Files\Fortify\Fortify WebInspect\Extensions
C:\Program Files (x86)\Fortify\Fortify WebInspect\Extensions
 3. Ensure that the Show in UI option is selected under the Standard Output and Standard Error
sections.
 4. Click Next.


WebInspect Connector appears in the list of Burp Extensions and a tab labeled "WebInspect" is
added to the Burp user interface. If you do not see the WebInspect tab, then the Burp extension
did not load correctly. In this case, look in the Output and Errors tabs for information that may help
you to troubleshoot the issue.

Connecting to Fortify WebInspect


Perform the following steps in Burp to connect to Fortify WebInspect:
 1. Ensure that the WebInspect API service is running. For more information, see "Micro Focus Fortify
Monitor " on page 103.
 2. On the WebInspect > Configure tab, do the following:
 a. If the API requires HTTPS authentication, select the HTTPS check box.
 b. Type the Host name and Port number for the Fortify WebInspect API service.
 c. If the API is configured to require authentication, type the Username and Password.
 d. Click Options to configure proxy settings for the API HTTP requests.
A proxy settings window appears.


 e. Select the Use Proxy checkbox, and type the Proxy Host name and the Proxy Port number.
 f. Click Save.
 3. Click Connect.


A list of Fortify WebInspect scans should appear in the WebInspect tab.

Refreshing the List of Scans


To update the list of Fortify WebInspect scans, click Refresh Scans.

Working with a Scan in Burp


Perform the following steps in Burp to work with a Fortify WebInspect scan:
 1. Do one of the following to open a scan:
 l Double-click on a scan in the list.
 l Select a scan in the list and click Open Scan.


The scan opens in a new tab under the WebInspect tab, with Crawl sessions and Vulnerable
sessions listed. The list of sessions is automatically sorted by Type with Vulnerabilities first followed
by Crawl sessions.

 2. To re-sort on a sorted column in reverse order, click the column heading. To sort the list using
different sort criteria, click the heading of the column you want to sort by. The following list
describes some sort scenarios:
 l If you have multiple hosts in the scan and want to group sessions by host, sort by Host.
 l If you want to see all sessions that used a specific method, sort by Method and scroll to the
specific method you want.
 l If you want to see all sessions affecting a specific page in your Web site, sort by URL and scroll
to the specific page you want.
 l If you want to select all sessions with Critical and High severities and send them to a Burp tool,
sort by Severity and scroll to the sessions with Critical and High severities.
 l If you want to select all sessions with the same check name, sort by Name and scroll to the
specific check name you want.


 3. To update the list of sessions—such as when Burp is connected to a scan that is still running—click
Refresh Sessions.
 4. To view the request for a session, click the session in the list.
The session request information appears at the bottom of the window. Click the request to see the
response.
 5. To send one or more sessions to a Burp tool for further analysis, select the session(s), right-click
and select the appropriate "Send To" option.
Note: Current options are Send To Spider, Send To Intruder, and Send To Repeater. For more
information about Burp tools, see the Burp Suite documentation.

 6. To create an issue for a Vulnerable session and add it to the Scanner tab in Burp, right-click on the
session and select Create Issue.
The issue is populated with report data from Fortify WebInspect and the issue name is tagged with
[WebInspect] to indicate that the issue was added from an external resource.

Note: The Create Issue option is only available in the Burp Professional Edition and is not
available for Crawl sessions.

 7. To continue a stopped scan, click Resume Scan.


 8. To close the Fortify WebInspect scan, click Close Tab.


Sending Items from Burp to Fortify WebInspect


Perform the following steps in Burp to send requests/responses and issues to Fortify WebInspect to be
crawled:
 1. Ensure that the desired Fortify WebInspect scan is open in the WebInspect tab.
Tip: The Send To WebInspect option will not be available in the context menu if a Fortify
WebInspect scan is not open in Burp.

 2. Click the Scanner tab and then the Results tab.
 3. To send a request/response to Fortify WebInspect to be crawled, right click the request and select
Send To WebInspect > [scan name].

Fortify WebInspect creates a session for the request that is ready to be crawled. You can return to
the scan in the WebInspect tab and click Resume Scan to crawl the session.
Note: Scan settings for the open scan apply to the session being sent. This may affect what
Fortify WebInspect does with the session. For instance, if the open scan is for Host A and you
send a session from Host B, but Host B is not in the Allowed Hosts list for the open scan, the
session will be excluded and will not be crawled.

 4. To send an issue to Fortify WebInspect as a manual finding, right-click the issue and select Send To
WebInspect > [scan name].
The issue is populated with report data from Burp and the issue name is tagged with [Burp] to
indicate that the issue was added from an external resource.

See Also
"About the Burp API Extension" on page 321
"Fortify WebInspect REST API" on page 301
"Micro Focus Fortify Monitor" on page 103

About the WebInspect SDK


The WebInspect Software Development Kit (SDK) is a Visual Studio extension that enables software
developers to create an audit extension to test for a specific vulnerability in a session response.

Caution! Fortify recommends that the WebInspect SDK be used only by qualified software
developers who have expertise in developing code using Visual Studio.

Audit Extensions / Custom Agents


The WebInspect SDK provides the developer with entry points into the Fortify WebInspect code. When
Fortify WebInspect creates a request/response pair, the developer can examine the response and create
an audit extension that will flag a vulnerability. After the extension has been created, the developer
sends it to the local copy of SecureBase, the Fortify WebInspect database of adaptive agents and
vulnerability checks, where it is stored as a custom agent. The custom agent is assigned a Globally
Unique Identifier (GUID) and becomes available for use in policies in the Policy Manager for a Fortify
WebInspect product.

Note: Custom agents will not be overwritten by SecureBase updates.

When inspecting the scan results, you can perform the same actions—such as Copy URL and Review
Vulnerability—on a vulnerability discovered by a custom agent as you can a vulnerability discovered by
a standard check. For more information, see "Inspecting the Results" on page 230.

SDK Functionality
The SDK provides developers with the functionality to:
 • Inspect sessions generated by the Fortify WebInspect crawler and auditor
 • Inject values into parameters (parameter and sub-parameter fuzzing)
 • Queue a URL for crawling (for the Fortify WebInspect crawler to crawl)
 • Flag a vulnerability
 • Send a raw HTTP request through the Fortify WebInspect requestor
 • Request and response parsing via ParseLib
 • Log events and errors

Installation Recommendation
The WebInspect SDK does not need to be installed on the same machine as a Fortify WebInspect
product. In most cases, it will be installed on the software developer’s development machine. However, if
you are developing new extensions that will require debugging, Fortify recommends that you install
Fortify WebInspect on the development machine where you will be creating the extension. Doing so will
allow you to test your extension locally. For existing extensions that do not require debugging, you do
not need to install Fortify WebInspect locally.
Refer to the Micro Focus Fortify Software System Requirements document for minimum requirements
for installing and using the WebInspect SDK.

Installing the WebInspect SDK


To use the WebInspect SDK, the developer must install a Visual Studio extension file named
WebInspectSDK.vsix.
During installation of Fortify WebInspect, a copy of the WebInspectSDK.vsix file is installed in the
Extensions directory in the Fortify WebInspect installation location. The default location is one of the
following:
 • C:\Program Files\Fortify\Fortify WebInspect\Extensions
 • C:\Program Files (x86)\Fortify\Fortify WebInspect\Extensions

To install the local copy where Fortify WebInspect is installed on the developer's machine:
 1. Navigate to the Extensions folder and double-click the WebInspectSDK.vsix file.
The VSIX Installer is launched.
 2. When prompted, select the Visual Studio product(s) to which you want to install the extension and
click Install.
The WebInspect Audit Extension project template is created in Visual Studio. Continue with
"Verifying the Installation" below.
To install the local copy where Fortify WebInspect is NOT installed on the developer's machine:
 1. Navigate to the Extensions folder and copy the WebInspectSDK.vsix file to portable media, such
as a USB drive.
 2. Insert the drive into the development box that has Visual Studio 2013 installed, as well as the
related required software and hardware.
 3. Navigate to the USB drive and double-click the WebInspectSDK.vsix file.
The VSIX Installer is launched.
 4. When prompted, select the Visual Studio product(s) to which you want to install the extension and
click Install.
The WebInspect Audit Extension project template is created in Visual Studio. Continue with
"Verifying the Installation" below.

Verifying the Installation


To verify that the extension was successfully installed:
 1. In Visual Studio, select Tools > Extensions and Updates.
 2. Scroll down the list of extensions.
If you see WebInspect SDK in the list, the extension was installed successfully.

After Installation
After installing and configuring the WebInspect SDK, the developer can create a new WebInspect Audit
Extension project in Visual Studio. In this project, the developer will create an audit extension, debug
and test the extension, and publish the extension to SecureBase as a custom agent. For information
about using the WebInspect Audit Extension project template, refer to the WebInspect SDK
documentation in Visual Studio.
After the developer has sent the custom agent to SecureBase, the agent can be selected in policies in
the Policy Manager. See the Policy Manager documentation for more information.

Add Page or Directory


If you use manual inspection or other security analysis tools to detect resources that Fortify WebInspect
did not discover, you can add these locations manually and assign a vulnerability to them. Incorporating
the data into a Fortify WebInspect scan allows you to report and track vulnerabilities using Fortify
WebInspect features.

Note: When creating additions to the data hierarchy, you must manually add resources in a logical
sequence. For example, to create a subdirectory and page, you must create the subdirectory before
creating the page.

 1. Replace the default name of the page or directory with the name of the resource to be added.
 2. If necessary, edit the HTTP request and response. Do not change the request path.
 3. You can send a request to the resource and record the response in the session data. This will also
verify the existence of the resource that was not discovered by Fortify WebInspect:
 a. Click HTTP Editor to open the HTTP Editor.
 b. If necessary, modify the request.

 c. Send the request.
 d. Close the HTTP Editor.
 e. When prompted to use the modified request and response, select Yes.
 4. (Optional) To delete all request and response modifications, click Reset.
 5. When finished, click OK.

Add Variation
If you use manual inspection or other security analysis tools to detect resources that Fortify WebInspect
did not discover, you can add these locations manually and assign a vulnerability to them. Incorporating
the data into a Fortify WebInspect scan allows you to report and track vulnerabilities using Fortify
WebInspect features.
A variation is a subnode of a location that lists particular attributes for that location. For example, the
login.asp location might have the variation:
(Post) uid=12345&Password=foo&Submit=Login
Variations, like any other location, can have vulnerabilities attached to them, as well as subnodes.
 1. In the Name box, replace the default "attribute=value" with the actual parameters to be sent (for
example, uid=9999&Password=kungfoo&Submit=Login).
 2. Select either Post or Query.
 3. If necessary, edit the HTTP request and response. Do not change the request path.
 4. You can send a request to the resource and record the response in the session data. This will also
verify the existence of the resource that was not discovered by Fortify WebInspect:
 a. Click HTTP Editor to open the HTTP Editor.
 b. If necessary, modify the request.

 c. Send the request.
 d. Close the HTTP Editor.
 e. When prompted to use the modified request and response, select Yes.
 5. (Optional) To delete all request and response modifications, click Reset.
 6. When finished, click OK.

Fortify Monitor: Configure Enterprise Server Sensor


This configuration information is used for integrating Fortify WebInspect into Fortify WebInspect
Enterprise as a sensor. After providing the information and starting the sensor service, you should
conduct scans using the Fortify WebInspect Enterprise Web console, not the Fortify WebInspect
graphical user interface.
The sensor configuration items are described in the following table.

Manager URL
    Enter the URL or IP address of the Enterprise Server Manager.

Sensor Authentication
    Enter a user name (formatted as domain\username) and password, then click Test to verify the
    entry.

Enable Proxy
    If Fortify WebInspect must go through a proxy server to reach the Enterprise Server manager,
    select Enable Proxy and then provide the IP address and port number of the server. If
    authentication is required, enter a valid user name and password.

Override Database Settings
    Fortify WebInspect normally stores scan data in the device you specify in the Application Settings
    for Fortify WebInspect Database. However, if Fortify WebInspect is connected to Fortify WebInspect
    Enterprise as a sensor, you can select this option and then click Configure to specify an
    alternative device.

Service Account
    You can log on to the sensor service using either the LocalSystem account or an account you
    specify.

Sensor Status
    This area displays the current status of the Sensor Service and provides buttons allowing you to
    start or stop the service.

After Configuring as a Sensor


After configuring Fortify WebInspect as a sensor, click Start.

Blackout Period
When Fortify WebInspect is connected to Fortify WebInspect Enterprise, a user may attempt to conduct
a scan during a blackout period, which is a block of time during which scans are not permitted by the
enterprise manager. When this occurs, the following error message appears:
"Cannot start Scanner because the start URL is under the following blackout period(s)..."
You must wait until the blackout period ends before conducting the scan.
Similarly, if a scan is running when a blackout period begins, the enterprise manager will suspend the
scan, place it in the pending job queue, and finish the scan when the blackout period ends. In cases
where a blackout is defined for multiple IP addresses, the enterprise manager will suspend the scan only
if the scan begins at one of the specified IP addresses. If the scan begins at a non-excluded IP address,
but subsequently pursues a link to a host whose IP address is specified in the blackout setting, the scan
will not be suspended.

Creating an Exclusion
To add exclusion/rejection criteria:
 1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
 2. Select an item from the Target list.
 3. If you selected Query Parameter, Post Parameter, or Response Header as the target, enter the
Target Name.
 4. From the Match Type list, select the method to be used for matching text in the target:
 • Matches Regex - Matches the regular expression you specify in the Match String box.
 • Matches Regex Extension - Matches a syntax available from Fortify's regular expression
extensions you specify in the Match String box. For more information, see "Regex Extensions"
on page 299.
 • Matches - Matches the text string you specify in the Match String box.
 • Contains - Contains the text string you specify in the Match String box.
 5. In the Match String box, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.

 6. Click the add button to add the condition.
 7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
 8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.


 9. Click OK.
 10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Note: You cannot reject Response, Response Header, and Status Code Target types during a
scan. You can only exclude these Target types.

Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.

Target   Target Name   Match Type   Match String
URL      N/A           contains     Microsoft.com

Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.

Target   Target Name   Match Type   Match String
URL      N/A           contains     logout

Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."

Target            Target Name   Match Type   Match String
Query parameter   username      matches      John

Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/

Target   Target Name   Match Type      Match String
URL      N/A           matches regex   /W3SVC[0-9]*/
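The four examples above, together with the ANDing of several conditions described in step 7, can be checked offline against sample sessions with a small matcher. The Python below is an added example written for this section, not Fortify WebInspect code; the shape of a session record, the helper names, the sample sessions, and the ignore_case switch (this page does not say how the product handles letter case) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed example: a rule is (target, target_name, match_type, match_string),
# mirroring the columns of the Create Exclusion window. Every rule on one
# exclusion must match (rules are ANDed, as step 7 states). Case handling is an
# assumption: comparisons are case-sensitive unless ignore_case=True.


def _target_values(session, target, target_name):
    """Collect the value(s) an exclusion target refers to in a recorded session."""
    url = session["url"]
    target = target.lower()
    if target == "url":
        return [url]
    if target == "query parameter":
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        return params.get(target_name, [])
    if target == "post parameter":
        params = parse_qs(session.get("body", ""), keep_blank_values=True)
        return params.get(target_name, [])
    if target == "response header":
        headers = session.get("response_headers", {})
        return [v for k, v in headers.items() if k.lower() == target_name.lower()]
    raise ValueError(f"unsupported target: {target}")


def _matches(value, match_type, match_string, ignore_case):
    """Apply one Match Type (matches regex, matches, contains) to one value."""
    match_type = match_type.lower()
    if match_type == "matches regex":
        flags = re.IGNORECASE if ignore_case else 0
        return re.search(match_string, value, flags) is not None
    if ignore_case:
        value, match_string = value.lower(), match_string.lower()
    if match_type == "matches":
        return value == match_string
    if match_type == "contains":
        return match_string in value
    raise ValueError(f"unsupported match type: {match_type}")


def exclusion_applies(session, rules, ignore_case=False):
    """True when every rule of the exclusion matches the session (rules are ANDed)."""
    return all(
        any(_matches(v, mtype, mstring, ignore_case)
            for v in _target_values(session, target, name))
        for target, name, mtype, mstring in rules
    )


def filtered_urls(sessions, rules, ignore_case=False):
    """URLs of the sessions the exclusion would exclude or reject, in scan order."""
    return [s["url"] for s in sessions if exclusion_applies(s, rules, ignore_case)]


# The guide's four examples expressed as rule lists.
EXAMPLE_1 = [("URL", "N/A", "contains", "Microsoft.com")]
EXAMPLE_2 = [("URL", "N/A", "contains", "logout")]
EXAMPLE_3 = [("Query parameter", "username", "matches", "John")]
EXAMPLE_4 = [("URL", "N/A", "matches regex", "/W3SVC[0-9]*/")]

# Constructed sample sessions (not real scan data).
SAMPLE_SESSIONS = [
    {"url": "http://www.test.com/logout.asp"},
    {"url": "http://www.test.com/app/applogout.jsp"},
    {"url": "http://www.test.com/home.asp"},
    {"url": "http://www.test.com/search?username=John&page=2"},
    {"url": "http://www.test.com/search?username=Johnny"},
    {"url": "http://www.test.com/W3SVC55/index.html"},
    {"url": "http://www.test.com/W3SVC5/"},
    {"url": "http://www.test.com/W3SVC550/"},
    {"url": "http://www.test.com/W3SVC/"},           # zero digits also satisfy [0-9]*
    {"url": "https://www.Microsoft.com/download"},
    {"url": "https://support.microsoft.com/"},       # lowercase: missed unless ignore_case
]

if __name__ == "__main__":
    for name, rules in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                        ("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4)]:
        print(name, filtered_urls(SAMPLE_SESSIONS, rules))
```

Two things the sample run makes visible: the Example 4 pattern /W3SVC[0-9]*/ also matches /W3SVC/ with no digits at all, because * accepts zero repetitions (use [0-9]+ if only numbered instances should be excluded), and a case-sensitive "contains Microsoft.com" misses a lowercase host name. The Test button described in step 8 is the place to confirm against a real scan that an exclusion does not reject more of the application than intended.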


 

Internet Protocol Version 6


Fortify WebInspect (beginning with version 8.1) supports Internet Protocol version 6 (IPv6) addresses
in web site and web service scans. When you specify the Start URL, you must enclose the IPv6 address
in brackets. For example:
 • http://[::1]
Fortify WebInspect scans "localhost."
 • http://[fe80::20c:29ff:fe32:bae1]/subfolder/
Fortify WebInspect scans the host at the specified address starting in the "subfolder" directory.
 • http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
Fortify WebInspect scans a server running on port 8080 starting in "subfolder."

Chapter 6: Default Scan Settings
This chapter describes the Default Scan Settings.
Use Default Settings to establish scanning parameters for your scan actions. Fortify WebInspect uses
these options unless you specify alternatives while initiating a scan (using the options available through
the Scan Wizard or by accessing Current Settings).
See Also
"Crawl Settings" on page 383
"Audit Settings" on page 394

Scan Settings: Method


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Method.

Scan Mode
The Scan Mode options are described in the following table.

Crawl Only
    This option completely maps a site's tree structure. After a crawl has been completed, you can
    click Audit to assess an application’s vulnerabilities.

Crawl and Audit
    As Fortify WebInspect maps the site's hierarchical data structure, it audits each resource (page)
    as it is discovered (rather than crawling the entire site and then conducting an audit). This
    option is most useful for extremely large sites where the content may possibly change before the
    crawl can be completed. This is described in the Default Settings Crawl and Audit Mode option
    called Simultaneously. For more information, see "Crawl and Audit Mode" on the next page.

Audit Only
    Fortify WebInspect applies the methodologies of the selected policy to determine vulnerability
    risks, but does not crawl the Web site. No links on the site are followed or assessed.

Manual (Not available for Guided Scan)
    Manual mode allows you to navigate manually to whatever sections of your application you choose
    to visit. It does not crawl the entire site, but records information only about those resources
    that you encounter while manually navigating the site. This feature is used most often to enter a
    site through a Web form logon page or to define a discrete subset or portion of the application
    that you want to investigate. After you finish navigating through the site, you can audit the
    results to assess the security vulnerabilities related to that portion of the site that you
    recorded.

Crawl and Audit Mode


The Crawl and Audit Mode options are described in the following table.

Simultaneously
    As Fortify WebInspect maps the site's hierarchical data structure, it audits each resource (page)
    as it is discovered (rather than crawling the entire site and then conducting an audit). This
    option is most useful for extremely large sites where the content may possibly change before the
    crawl can be completed.

Sequentially
    In this mode, Fortify WebInspect crawls the entire site, mapping the site's hierarchical data
    structure, and then conducts a sequential audit, beginning at the site's root.

Crawl and Audit Details


The Crawl and Audit Details options are described in the following table.

Include search probes (send search attacks)
    If you select this option, Fortify WebInspect will send requests for files and directories that
    might or might not exist on the server, even if those files are not found by crawling the site.
    This option is selected by default only when the Scan Mode is set to Crawl & Audit. The option is
    cleared (unchecked) by default when the Scan Mode is set to Crawl Only or Audit Only.

Crawl links on File Not Found responses
    If you select this option, Fortify WebInspect will look for and crawl links on responses that are
    marked as “file not found.”
    This option is selected by default when the Scan Mode is set to Crawl Only or Crawl & Audit. The
    option is not available when the Scan Mode is set to Audit Only.

Navigation
The Navigation options are described in the following table.

Auto-fill Web forms during crawl
    If you select this option, Fortify WebInspect submits values for input controls found on all forms.
    The values are extracted from a file you create using the Web form editor. Use the browse button to
    specify the file containing the values you want to use. Alternatively, you can select the Edit
    button (to modify the currently selected file) or the Create button (to create a Web form file).

    Caution! Do not rely on this feature for authentication. If the crawler and the auditor are
    configured to share state, and if Fortify WebInspect never inadvertently logs out of the site, then
    using values extracted by the Web Form Editor for a login form may work. However, if the audit or
    the crawl triggers a logout after the initial login, then Fortify WebInspect will not be able to log
    in again and the auditing will be unauthenticated. To prevent Fortify WebInspect from terminating
    prematurely if it inadvertently logs out of your application, go to Scan Settings - Authentication
    and select Use a login macro for forms authentication.

Prompt for Web form values
    If you select this option, Fortify WebInspect pauses the scan when it encounters an HTTP or
    JavaScript form and displays a window that allows you to enter values for input controls within
    the form. However, if you also select Only prompt for tagged inputs, Fortify WebInspect will not
    pause for user input unless a specific input control has been designated Mark as Interactive Input
    (using the Web Form Editor). This pausing for input is termed "interactive mode" and you can cancel
    it at any time during the scan. For more information about configuring an interactive scan, see
    "Interactive Scans" on page 180.

Use Web Service Design
    This option applies only to Web Service scans.
    When performing a Web service scan, Fortify WebInspect crawls the WSDL site and submits a value for
    each parameter in each operation. These values are contained in a file that you create using the
    Web Service Test Designer tool. Fortify WebInspect then audits the site by attacking each parameter
    in an attempt to detect vulnerabilities such as SQL injection.
    Use the browse button to specify the file containing the values you want to use. Alternatively, you
    can select the Edit button (to modify the currently selected file) or the Create button (to create
    a SOAP values file).

SSL/TLS Protocols
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide secure HTTP
(HTTPS) connections for Internet transactions between Web browsers and Web servers. SSL/TLS
protocols enable server authentication, client authentication, data encryption, and data integrity for
Web applications.
Select the SSL/TLS protocol(s) used by your Web server. The following options are available:
 • Use SSL 2.0
 • Use SSL 3.0
 • Use TLS 1.0
 • Use TLS 1.1
 • Use TLS 1.2
If you do not configure the SSL/TLS protocol to match your Web server, Fortify WebInspect will still
connect to the site, though there may be a performance impact.
For example, if the setting in Fortify WebInspect is configured to Use SSL 3.0 only, but the Web server is
configured to accept TLS 1.2 connections only, Fortify WebInspect will first try to connect with SSL 3.0,
but will fail. Fortify WebInspect will then implement each protocol until it discovers that TLS 1.2 is
supported. The connection will then succeed, although more time will have been spent in the effort. The
correct setting (Use TLS 1.2) in Fortify WebInspect would have succeeded on the first try.

Scan Settings: General


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select General.

Scan Details
The Scan Details options are described in the following table.

Enable Path Truncation
    Path truncation attacks are requests for known directories without file names. This may cause
    directory listings to be displayed. Fortify WebInspect truncates paths, looking for directory
    listings or unusual errors within each truncation.
    Example: If a link consists of http://www.site.com/folder1/folder2/file.asp, then truncating the
    path to look for http://www.site.com/folder1/folder2/ and http://www.site.com/folder1/ may cause
    the server to reveal directory contents or may cause unhandled exceptions.

Case-sensitive request and response handling
    Select this option if the server at the target site is case-sensitive to URLs.

Recalculate correlation data
    This option is used only for comparing scans. The setting should be changed only upon the advice
    of Fortify Customer Support personnel.

Compress response data
    If you select this option, Fortify WebInspect saves disk space by storing each HTTP response in a
    compressed format in the database.

Enable Traffic Monitor Logging
    During a Basic Scan, Fortify WebInspect displays in the navigation pane only those sessions that
    reveal the hierarchical structure of the Web site plus those sessions in which a vulnerability was
    discovered. However, if you select the Traffic Monitor option, Fortify WebInspect adds the Traffic
    Monitor button to the Scan Info panel, allowing you to display and review every single HTTP
    request sent by Fortify WebInspect and the associated HTTP response received from the server.

Encrypt Traffic Monitor File
    All sessions are normally recorded in the traffic monitor file as clear text. If you are concerned
    about storing sensitive information such as passwords on your computer, you can elect to encrypt
    the file.
    Encrypted files cannot be compressed. Selecting this option will significantly increase the size
    of exported scans containing log files.
    Note: The Traffic Viewer tool does not support the encryption of traffic files. The Encrypt
    Traffic Monitor File option is reserved for use under special circumstances with legacy traffic
    files only.

Maximum crawl-audit recursion depth
    When an attack reveals a vulnerability, Fortify WebInspect crawls that session and follows any link
    that may be revealed. If that crawl and audit reveals a link to yet another resource, the depth
    level is incremented and the discovered resource is crawled and audited. This process can be
    repeated until no other links are found. However, to avoid the possibility of entering an endless
    loop, you may limit the number of recursions. The default value is 2. The maximum recursion level
    is 1,000.
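To make the Enable Path Truncation row concrete, the following added Python example (written for this section, not WebInspect code) derives the parent-directory requests for a URL in the same way the guide's example does, and applies a simplified heuristic for recognising a server-generated directory listing in a response. The listing markers (Apache's "Index of" title and IIS's "[To Parent Directory]" link), the sample responses, and the function names are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses (not captured from any real server); the markers
# below are the ones a typical Apache or IIS directory index page carries.
APACHE_LISTING = (
    "<html><head><title>Index of /folder1/folder2</title></head>"
    "<body><h1>Index of /folder1/folder2</h1>"
    "<a href=\"file.asp\">file.asp</a></body></html>"
)
IIS_LISTING = (
    "<html><head><title>www.site.com - /folder1/</title></head><body>"
    "<H1>www.site.com - /folder1/</H1><hr><pre>"
    "<A HREF=\"/\">[To Parent Directory]</A><br></pre></body></html>"
)


def path_truncations(url):
    """Parent-directory requests derived from a URL, deepest first, as the
    Enable Path Truncation option describes. The web root itself is not
    included, and any query string or fragment is dropped."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A path that does not end in "/" ends in a file name; drop it.
    if segments and not parts.path.endswith("/"):
        segments = segments[:-1]
    truncated = []
    while segments:
        directory = "/" + "/".join(segments) + "/"
        truncated.append(urlunsplit((parts.scheme, parts.netloc, directory, "", "")))
        segments.pop()
    return truncated


def looks_like_directory_listing(body):
    """Simplified heuristic (an assumption, not the product's own check) for a
    server-generated index page: Apache's 'Index of' title or IIS's
    '[To Parent Directory]' link."""
    lowered = body.lower()
    return "<title>index of /" in lowered or "[to parent directory]" in lowered


def directory_listing_hits(url, responses):
    """Truncations of url whose response body exposes a listing. 'responses'
    maps truncated URL -> body; here it is constructed, a scanner would fetch it."""
    return [u for u in path_truncations(url)
            if looks_like_directory_listing(responses.get(u, ""))]


if __name__ == "__main__":
    link = "http://www.site.com/folder1/folder2/file.asp"
    bodies = {
        "http://www.site.com/folder1/folder2/": APACHE_LISTING,
        "http://www.site.com/folder1/": "<html><title>403 Forbidden</title></html>",
    }
    print(path_truncations(link))
    print(directory_listing_hits(link, bodies))
```

For the guide's link, path_truncations yields the two directory URLs from the Example text; with the constructed responses only folder2/ is reported, because folder1/ answered with a forbidden page rather than a listing. On the server side, disabling automatic directory indexing (and placing a default document in every directory) is what removes the finding.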

Crawl Details
By default, Fortify WebInspect uses breadth-first crawling, which begins at the root node and explores
all the neighboring nodes (one level down). Then for each of those nearest nodes, it explores their
unexplored neighbor nodes, and so on, until all resources are identified. The following illustration
depicts the order in which linked pages are accessed using a breadth-first crawl. Node 1 has links to
nodes 2, 3, and 4. Node 2 has links to nodes 5 and 6.

You cannot change this crawling method in the user interface. However, the configurable Crawl Details
options are described in the following table.

Option Description

Enable keyword search A keyword search, as its name implies, uses an attack engine that examines
audit server responses and searches for certain text strings that typically indicate
a vulnerability. Normally, this engine is not used during a crawl-only scan,
but you can enable it by selecting this option.

Perform redundant Highly dynamic sites could create an infinite number of resources (pages)
page detection that are virtually identical. If allowed to pursue each resource, Fortify
WebInspect would never be able to finish the scan. This option, however,

Micro Focus Fortify WebInspect (19.2.0) Page 343 of 482


User Guide
Chapter 6: Default Scan Settings

Option Description

allows Fortify WebInspect to identify and exclude processing of redundant


resources.

Limit maximum single Sometimes, the configuration of a site will cause a crawl to loop endlessly
URL hits to through the same URL. Use this field to limit the number of times a
single URL will be crawled. The default value is 5.

Include parameters in If you select Limit maximum single URL hits to (above), a counter is
hit count incremented each time the same URL is encountered. However, if you also
select Include parameters in hit count, then when parameters are
appended to the URL specified in the HTTP request, the crawler will crawl
that resource up to the single URL limit. Any differing set of parameters is
treated as unique and has a separate count.
For example, if this option is selected, then "page.aspx?a=1" and
"page.apsx?b=1" will both be counted as unique resources (meaning that
the crawler has found two pages). 
If this option is not selected, then "page1.aspx?a=1" and "page.aspx?b=1"
will be treated as the same resource (meaning that the crawler has found
the same page twice).

Note: This setting applies to both GET and POST parameters.

Limit maximum This setting defines the maximum number of sub-directories and pages to
directory hit count to be traversed within each directory during the crawl. This setting reduces
the scope of the crawl and might be useful in reducing scan times for some
sites, such as those consisting of a content management system (CMS).
The default setting is 200.

Minimum folder depth If you select Limit maximum directory hit count to (above), this setting
defines the folder depth at which the maximum directory hit count will
begin to apply. The default setting is 1.

Limit maximum link This option restricts the number of hyperlinks that can be sequentially
traversal sequence to accessed as Fortify WebInspect crawls the site. For example, if five
resources are linked as follows
 l Page A contains a hyperlink to Page B
 l Page B contains a hyperlink to Page C
 l Page C contains a hyperlink to Page D

Micro Focus Fortify WebInspect (19.2.0) Page 344 of 482


User Guide
Chapter 6: Default Scan Settings

Option Description

 l Page D contains a hyperlink to Page E


and if this option is set to "3," then Page E will not be crawled. The default
value is 15.

Limit maximum crawl folder depth to
This option limits the number of directories that may be included in a single request. The default
value is 15.
For example, if the URL is
http://www.mysite.com/Dir1/Dir2/Dir3/Dir4/Dir5/Dir6/Dir7
and this option is set to "4," then the contents of directories 5, 6, and 7 will not be crawled.

Limit maximum crawl count to
This feature restricts the number of HTTP requests sent by the crawler and should be used only if
you experience problems completing a scan of a large site.

Note: The limit set here does not directly correlate to the Crawled progress bar that is displayed
during a scan. The maximum crawl count set here applies to links found by the Crawler during a
crawl of the application. The Crawled progress bar includes all sessions (requests and responses)
that are parsed for links during a crawl and audit, not just the links found by the Crawler during
a crawl.

Limit maximum Web form submission to
Normally, when Fortify WebInspect encounters a form that contains controls having multiple options
(such as a list box), it extracts the first option value from the list and submits the form; it
then extracts the second option value and resubmits the form, repeating this process until all
option values in the list have been submitted. This ensures that all possible links will be
followed.
There are occasions, however, when submitting the complete list of values would be
counterproductive. For example, if a list box named "State" contains one value for each of the 50
states in the United States, there is probably no need to submit 50 instances of the form.
Use this setting to limit the total number of submissions that Fortify WebInspect will perform.
The default value is 3.

Suppress Repeated Path Segments
Many sites have text that resembles relative paths that become unusable URLs after Fortify
WebInspect parses them and appends them to the URL being crawled. These occurrences can result in
a runaway scan if paths are continuously appended, such as /foo/bar/foo/bar/. This setting helps
reduce such occurrences and is enabled by default.
With the setting enabled, the options are:
1 – Detect a single sub-folder repeated anywhere in the URL and reject the URL if there is a
match. For example, /foo/baz/bar/foo/ will match because "/foo/" is repeated. The repeat does not
have to occur adjacently.
2 – Detect two (or more) pairs of adjacent sub-folders and reject the URL if there is a match.
For example, /foo/bar/baz/foo/bar/ will match because "/foo/bar/" is repeated.
3 – Detect two (or more) sets of three adjacent sub-folders and reject the URL if there is a
match.
4 – Detect two (or more) sets of four adjacent sub-folders and reject the URL if there is a match.
5 – Detect two (or more) sets of five adjacent sub-folders and reject the URL if there is a match.
If the setting is disabled, repeating sub-folders are not detected and no URLs are rejected due to
matches.
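The following is an added example, not WebInspect code, modelling the five Suppress Repeated Path Segments levels described above and applying them to a constructed crawl queue; the treatment of the final path element as a file name (so /foo/bar/page.html yields the folders foo and bar) and the counting of overlapping runs are assumptions the guide does not spell out.

```python
"""Added example, not part of WebInspect: a model of the "Suppress Repeated Path
Segments" levels 1-5 described above, applied to a constructed crawl queue."""
from urllib.parse import urlsplit


def path_segments(url: str) -> list:
    """Return the sub-folder names of a URL path, ignoring any trailing file name.
    Model assumption (the guide does not say): everything after the last slash is
    a file name, so /foo/bar/page.html yields ["foo", "bar"]."""
    path = urlsplit(url).path
    folders = path.rsplit("/", 1)[0]
    return [seg for seg in folders.split("/") if seg]


def has_repeated_segments(url: str, level: int) -> bool:
    """Level 1 rejects a URL when any single sub-folder occurs more than once anywhere
    in the path (/foo/baz/bar/foo/). Levels 2-5 reject it when a run of `level`
    adjacent sub-folders occurs at least twice (/foo/bar/baz/foo/bar/ at level 2);
    the two runs need not be adjacent to each other. Level 0 models the setting
    being disabled. Overlapping runs such as /foo/foo/foo/ count as repeats here."""
    if level == 0:
        return False
    if not 1 <= level <= 5:
        raise ValueError("level must be 0 (disabled) or 1..5")
    segs = path_segments(url)
    seen = set()
    for i in range(len(segs) - level + 1):
        run = tuple(segs[i:i + level])
        if run in seen:
            return True
        seen.add(run)
    return False


def filter_crawl_queue(urls, level=1):
    """Split discovered URLs into (accepted, rejected) the way the crawler would."""
    accepted, rejected = [], []
    for url in urls:
        (rejected if has_repeated_segments(url, level) else accepted).append(url)
    return accepted, rejected


# Constructed sample queue; "example.test" is a reserved test domain, not a real site.
SAMPLE_QUEUE = [
    "http://example.test/foo/baz/bar/foo/index.html",        # caught by level 1 only
    "http://example.test/foo/bar/baz/foo/bar/page.html",     # caught by levels 1 and 2
    "http://example.test/foo/bar/foo/bar/foo/bar/",          # runaway: caught by levels 1-4
    "http://example.test/docs/2019/report.pdf",              # clean at every level
]

if __name__ == "__main__":
    for level in range(0, 6):
        accepted, rejected = filter_crawl_queue(SAMPLE_QUEUE, level)
        print(f"level {level}: {len(accepted)} accepted, {len(rejected)} rejected")
```

Higher levels are stricter about what counts as a repeat but catch fewer URLs, so a runaway /foo/bar/foo/bar/ loop that level 2 stops survives level 5 until the path grows longer.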

Scan Settings: JavaScript


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select JavaScript.

JavaScript Settings
The JavaScript analyzer allows Fortify WebInspect to crawl links defined by JavaScript, and to create
and audit any documents rendered by JavaScript.

Tip: To increase the speed at which Fortify WebInspect conducts a crawl while analyzing script,
change your browser options so that images/pictures are not displayed.

Configure the settings as described in the following table.

Crawl links found from script execution
If you select this option, the crawler will follow dynamic links (i.e., links generated during
JavaScript execution).

Verbose script parser debug logging
If you select this setting AND if the Application setting for logging level is set to Debug,
Fortify WebInspect logs every method called on the DOM object. This can easily create several
gigabytes of data for medium and large sites.

Log JavaScript errors
Fortify WebInspect logs JavaScript parsing errors from the script parsing engine.

Enable JS Framework UI Exclusions
With this option selected, the Fortify WebInspect JavaScript parser ignores common jQuery and Ext JS
user interface components, such as a calendar control or a ribbon bar. These items are then
excluded from JavaScript execution during the scan.

Max script events per page
Certain scripts endlessly execute the same events. You can limit the number of events allowed on a
single page to a value between 1 and 9999. The default value is 1000.

Enable Site-Wide Event Reduction
When this option is selected, the crawler and JavaScript engine recognize common functional areas
that appear among different parts of the website, such as common menus or page footers. This
eliminates the need to find within HTML content the dynamic links and forms that have already been
crawled, resulting in quicker scans. This option is enabled by default and should not normally be
disabled.

Enable SPA support
When this option is selected for single-page applications, the DOM script engine finds JavaScript
includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then
audits all traffic generated by those events.

Caution! SPA support should be enabled for single-page applications only. Enabling SPA support to
scan a non-SPA website will result in a slow scan.

For more information, see "About Single-page Application Scans" on page 190.

Scan Settings: Requestor


A requestor is the software module that handles HTTP requests and responses.
To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Requestor.

Requestor Performance
The Requestor Performance options are described in the following table.

Use a shared requestor
If you select this option, the crawler and the auditor use a common requestor when scanning a site,
and each thread uses the same state, which is also shared by both modules. This replicates the
technique used by previous versions of Fortify WebInspect and is suitable for use when maintaining
state is not a significant consideration. You also specify the maximum number of threads (up to
75).

Use separate requestors
If you select this option, the crawler and auditor use separate requestors. Also, the auditor's
requestor associates a state with each thread, rather than having all threads use the same state.
This method results in significantly faster scans.
When performing crawl and audit, you can specify the maximum number of threads that can be created
for each requestor. The Crawl requestor thread count can be configured to send up to 25 concurrent
HTTP requests before waiting for an HTTP response to the first request; the default setting is 5.
The Audit requestor thread count can be set to a maximum of 50; the default setting is 10.
Increasing the thread counts may increase the speed of a scan, but might also exhaust your system
resources as well as those of the server you are scanning.

Note: Depending on the capacity of the application being scanned, increasing thread counts may
increase request failures due to increased load on the server, causing some responses to exceed
the Request timeout setting. Request failures may reduce scan coverage because the responses that
failed may have exposed additional attack surface or revealed vulnerabilities. If you notice
increased request failures, you might reduce them by either increasing the Request timeout or
reducing the Crawl requestor thread count and Audit requestor thread count.
Also, depending on the nature of the application being scanned, increased crawl thread counts may
reduce consistency between subsequent scans of the same site due to differences in crawl request
ordering. By reducing the default Crawl requestor thread count setting to 1, consistency may be
increased.

Requestor Settings
The Requestor Settings options are described in the following table.

Limit maximum response size to
Select this option to limit the size of accepted server responses, and then specify the maximum
size (in kilobytes). The default is 1000 kilobytes. Note that Flash files (.swf) and JavaScript
"include" files are not subject to this limitation.

Request retry count
Specify how many times Fortify WebInspect will resubmit an HTTP request after receiving a "failed"
response (which is defined as any socket error or request timeout). The value must be greater than
zero.

Request timeout
Specify how long Fortify WebInspect will wait for an HTTP response from the server. If this
threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry count. If
it then receives no response, Fortify WebInspect logs the timeout and issues the first HTTP request
in the next attack series. The default value is 20 seconds.

Note: The first time a timeout occurs, Fortify WebInspect will extend the timeout period to confirm
that the server is unresponsive. If the server responds within the extended Request timeout
period, then the extended period becomes the new Request timeout for the current scan.

Stop Scan if Loss of Connectivity Detected


There may be occasions during a scan when a Web server fails or becomes too busy to respond in a
timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold
for the number of timeouts.
The options are described in the following table.

Consecutive "single host" retry failures to stop scan
Enter the number of consecutive timeouts permitted from one specific server. The default value is
75.

Consecutive "any host" retry failures to stop scan
Enter the total number of consecutive timeouts permitted from all hosts. The default value is 150.

Nonconsecutive "single host" retry failures to stop scan
Enter the total number of nonconsecutive timeouts permitted from a single host. The default value
is "unlimited."

Nonconsecutive "any host" retry failures to stop scan
Enter the total number of nonconsecutive timeouts permitted from all hosts. The default value is
350.

If first request fails, stop scan
Selecting this option will force Fortify WebInspect to terminate the scan if the target server does
not respond to Fortify WebInspect's first request.

Response codes to stop scan if received
Enter the HTTP status codes that, if received, will force Fortify WebInspect to terminate the scan.
Use a comma to separate entries; use a hyphen to specify an inclusive range of codes.
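As an added example (not WebInspect code), the following models the six stop conditions above and feeds them constructed request outcomes; the reset behaviour (a success from a host resets that host's consecutive counter and the any-host consecutive counter, while nonconsecutive counters never reset) is an assumption the guide does not state.

```python
"""Added example, not part of WebInspect: a model of the loss-of-connectivity
thresholds above, fed with constructed request outcomes."""
from collections import defaultdict
from typing import Optional


def parse_status_codes(spec: str) -> set:
    """Parse the "Response codes to stop scan if received" syntax: comma-separated
    codes, with a hyphen for an inclusive range, e.g. "404,500-503"."""
    codes = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


class ConnectivityMonitor:
    """Thresholds default to the guide's values; None means "unlimited".
    Model assumption: a successful response from host H resets H's consecutive
    counter and the any-host consecutive counter; nonconsecutive counters never reset."""

    def __init__(self, consecutive_single=75, consecutive_any=150,
                 nonconsecutive_single=None, nonconsecutive_any=350,
                 stop_if_first_fails=True, stop_codes=""):
        self.limits = {
            "consecutive single-host": consecutive_single,
            "consecutive any-host": consecutive_any,
            "nonconsecutive single-host": nonconsecutive_single,
            "nonconsecutive any-host": nonconsecutive_any,
        }
        self.stop_if_first_fails = stop_if_first_fails
        self.stop_codes = parse_status_codes(stop_codes)
        self.requests = 0
        self.consec_by_host = defaultdict(int)
        self.consec_any = 0
        self.total_by_host = defaultdict(int)
        self.total_any = 0

    def record(self, host: str, timed_out: bool, status: Optional[int] = None) -> Optional[str]:
        """Record one request outcome; return a stop reason, or None to keep scanning."""
        self.requests += 1
        if not timed_out:
            self.consec_by_host[host] = 0
            self.consec_any = 0
            if status in self.stop_codes:
                return f"stop scan: received HTTP {status} from {host}"
            return None
        if self.requests == 1 and self.stop_if_first_fails:
            return "stop scan: first request to the target failed"
        self.consec_by_host[host] += 1
        self.consec_any += 1
        self.total_by_host[host] += 1
        self.total_any += 1
        counts = {
            "consecutive single-host": self.consec_by_host[host],
            "consecutive any-host": self.consec_any,
            "nonconsecutive single-host": self.total_by_host[host],
            "nonconsecutive any-host": self.total_any,
        }
        for name, limit in self.limits.items():
            if limit is not None and counts[name] >= limit:
                return f"stop scan: {counts[name]} {name} failures (limit {limit}, last host {host})"
        return None


def run_outcomes(monitor: ConnectivityMonitor, outcomes):
    """Feed (host, timed_out, status) triples; return (requests processed, stop reason)."""
    for n, (host, timed_out, status) in enumerate(outcomes, 1):
        reason = monitor.record(host, timed_out, status)
        if reason:
            return n, reason
    return len(outcomes), None


# Constructed outcome streams; the host names are placeholders, not real servers.
BURST = [("app", True, None), ("api", True, None), ("app", True, None),
         ("api", False, 200), ("app", True, None), ("app", True, None)]
SLOW_DRIP = [("app", True, None), ("app", False, 200), ("api", True, None),
             ("api", False, 200), ("app", True, None), ("app", False, 200),
             ("api", True, None)]
```

With small limits, BURST trips the consecutive single-host threshold on the fifth request even though another host answered in between, while SLOW_DRIP never has two timeouts in a row and is stopped only by the nonconsecutive any-host total.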

Scan Settings: Session Storage


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Session Storage.

Log Rejected Session to Database


You can specify which rejected sessions should be saved to the Fortify WebInspect database. This
saved information can be used for two purposes.
- If you pause a scan, change any of the settings associated with the Reject Reasons in this panel,
  and then resume the scan, Fortify WebInspect retrieves the saved data and sends HTTP requests
  that previously were suppressed.
- Fortify Customer Support personnel can extract the generated (but not sent) HTTP requests for
  analysis.
Sessions may be rejected for the reasons cited in the following table.

Invalid Host
Any host that is not specified in Default (or Current) Scan Settings/Scan Settings/Allowed Hosts.

Excluded File Extension
Files having an extension that is excluded by settings specified in Default (or Current) Scan
Settings/Scan Settings/Session Exclusions/Excluded or Rejected File Extensions; also Default (or
Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected File Extensions; also
Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected File
Extensions.

Excluded URL
URLs or hosts that are excluded by settings specified in Default (or Current) Scan Settings/Scan
Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or Current) Scan
Settings/Crawl Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or
Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected URLs and Hosts.

Outside Root URL
If the Restrict to Folder option is selected when starting a scan, any resource not qualified by
the available options (Directory Only, Directory and Subdirectories, or Directory and Parent
Directories).

Maximum Folder Depth Exceeded
HTTP requests were not sent because the value specified by the Limit maximum crawl folder depth to
option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.

Maximum URL Hits
HTTP requests were not sent because the value specified by the Limit Maximum Single URL hits to
option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.

404 Response Code
In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine
File Not Found (FNF) using HTTP response codes is selected and the response contains a code that
matches the requirements.

Solicited File Not Found
In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Auto
detect FNF page is selected and Fortify WebInspect determined that the response constituted a
"file not found" condition.

Custom File Not Found
In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine
FNF from custom supplied signature is selected and the response contains one of the specified
phrases.

Rejected Response
Files having a MIME type that is excluded by settings specified in Default (or Current) Scan
Settings/Scan Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan
Settings/Crawl Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan
Settings/Audit Settings/Session Exclusions/Excluded MIME Types.

Session Storage
Fortify WebInspect normally saves only those attack sessions in which a vulnerability was discovered. To
save all attack sessions, select Save non-vulnerable attack sessions.

Scan Settings: Session Exclusions


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Session Exclusions.
These settings apply to both the crawl and audit phases of a Fortify WebInspect vulnerability scan. To
specify exclusions for only the crawl or only the audit, use the Crawl Settings: Session Exclusions or the
Audit Settings: Session Exclusions.

Excluded or Rejected File Extensions


You can identify a file type and then specify whether you want to exclude or reject it.
- Reject: Fortify WebInspect will not request files of the type you specify.
- Exclude: Fortify WebInspect will request the files, but will not attack them (during an audit)
  and will not examine them for links to other resources.
By default, most image, drawing, media, audio, video, and compressed file types are rejected.
To add a file extension to reject or exclude:
1. Click Add.
   The Exclusion Extension window opens.
2. In the File Extension box, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click OK.

Excluded MIME Types


Fortify WebInspect will not process files associated with the MIME type you specify. By default, image,
audio, and video types are excluded.
To add a MIME Type to exclude:
 1. Click Add.
The Provide a Mime-type to Exclude window opens.
 2. In the Exclude Mime-type box, enter a MIME type.
 3. Click OK.

Other Exclusion/Rejection Criteria


You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component.
- Reject: Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
  example, you should usually reject any URL that deals with logging off the site, since you don't
  want to log out of the application before the scan is completed.
- Exclude: During a crawl, Fortify WebInspect will not examine the specified URL or host for links
  to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the
  specified host or URL. If you want to access the URL or host without processing the HTTP
  response, select the Exclude option, but do not select Reject. For example, to check for broken
  links on URLs that you don't want to process, select only the Exclude option.

Editing Criteria
To edit the default criteria:
 1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
 2. Select either Host or URL.
 3. In the Host/URL box, enter a URL or fully qualified host name, or a regular expression designed to
match the targeted URL or host.
 4. Select either Reject, Exclude, or both.
 5. Click OK.

Adding Criteria
To add exclusion/rejection criteria:
 1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
 2. Select an item from the Target list.

3. If you selected Query Parameter or Post Parameter as the target, enter the Target Name.
4. From the Match Type list, select the method to be used for matching text in the target:
   - Matches Regex: Matches the regular expression you specify in the Match String box.
   - Matches Regex Extension: Matches a syntax available from Fortify's regular expression
     extensions you specify in the Match String box.
   - Matches: Matches the text string you specify in the Match String box.
   - Contains: Contains the text string you specify in the Match String box.
5. In the Match String box, enter the string or regular expression for which the target will be
   searched. Alternatively, if you selected a regular expression option in the Match Type, you can
   click the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
 6. Click  (or press Enter).


7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
8. If you are working in Current Settings, you can click Test to process the exclusions on the
   current scan. Any sessions from that scan that would have been filtered by the criteria will
   appear in the test screen, allowing you to modify your settings if required.
9. Click OK.
10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either
    Reject, Exclude, or both.

Note: You cannot reject Response, Response Header, and Status Code Target types during a scan. You
can only exclude these Target types.

Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.

Target  Target Name  Match Type  Match String
URL     N/A          contains    Microsoft.com

Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL
will be excluded or rejected (depending on which option you select). Using the "logout" example,
Fortify WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.

Target  Target Name  Match Type  Match String
URL     N/A          contains    logout

Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."

Target           Target Name  Match Type  Match String
Query parameter  username     matches     John

Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/

Target  Target Name  Match Type     Match String
URL     N/A          matches regex  /W3SVC[0-9]*/
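As an added example (not WebInspect code), the following evaluator applies Examples 1-4 to a constructed list of discovered URLs; it models only the URL and Query Parameter targets with the Contains, Matches and Matches Regex match types, ANDs the conditions of one exclusion as step 7 describes, and assumes Contains and Matches compare case-insensitively, which the guide does not state.

```python
"""Added example, not part of WebInspect: an evaluator for the Other Exclusion/Rejection
Criteria above, applied to Examples 1-4 and a constructed list of discovered URLs."""
import re
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Condition:
    target: str               # "URL" or "Query Parameter" (other targets not modelled)
    match_type: str           # "contains", "matches" or "matches regex"
    match_string: str
    target_name: str = "N/A"  # parameter name, used only for Query Parameter


@dataclass(frozen=True)
class Exclusion:
    conditions: Tuple[Condition, ...]  # all must match: multiple conditions are ANDed
    reject: bool = False               # never send the request
    exclude: bool = False              # send it, but do not attack it or parse it for links


def _target_values(url: str, cond: Condition):
    if cond.target == "URL":
        return [url]
    if cond.target == "Query Parameter":
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        return query.get(cond.target_name, [])
    raise ValueError(f"target {cond.target!r} is not modelled here")


def condition_matches(url: str, cond: Condition) -> bool:
    """Assumption (the guide does not say): Contains and Matches compare
    case-insensitively, so "Microsoft.com" also covers lowercase links."""
    for value in _target_values(url, cond):
        if cond.match_type == "contains" and cond.match_string.lower() in value.lower():
            return True
        if cond.match_type == "matches" and cond.match_string.lower() == value.lower():
            return True
        if cond.match_type == "matches regex" and re.search(cond.match_string, value):
            return True
    return False


def classify(url: str, exclusions) -> str:
    """Return "reject", "exclude" or "allow" for one candidate session.
    Reject wins over exclude when several exclusions match the same URL."""
    verdict = "allow"
    for ex in exclusions:
        if all(condition_matches(url, c) for c in ex.conditions):
            if ex.reject:
                return "reject"
            if ex.exclude:
                verdict = "exclude"
    return verdict


# The guide's Examples 1-4 as exclusions. Note that /W3SVC[0-9]*/ also matches a bare
# /W3SVC/ directory because * allows zero digits; use [0-9]+ to require at least one.
EXAMPLES = [
    Exclusion((Condition("URL", "contains", "Microsoft.com"),), reject=True),
    Exclusion((Condition("URL", "contains", "logout"),), reject=True),
    Exclusion((Condition("Query Parameter", "matches", "John", "username"),), exclude=True),
    Exclusion((Condition("URL", "matches regex", r"/W3SVC[0-9]*/"),), exclude=True),
]

# Constructed crawl results; www.test.com is the guide's own placeholder host.
SAMPLE_URLS = [
    "http://www.test.com/app/logout.asp",
    "http://www.test.com/AppLogout.jsp",
    "http://www.microsoft.com/downloads/",
    "http://www.test.com/W3SVC550/default.htm",
    "http://www.test.com/profile?username=John",
    "http://www.test.com/profile?username=Jane",
    "http://www.test.com/index.html",
]


def classify_all(urls=SAMPLE_URLS, exclusions=EXAMPLES) -> dict:
    """Map each URL to its verdict; handy for checking a rule set before a scan."""
    return {url: classify(url, exclusions) for url in urls}
```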

Scan Settings: Allowed Hosts


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Allowed Hosts.

Using the Allowed Host Setting


Use the Allowed Host setting to add domains to be crawled and audited. If your Web presence uses
multiple domains, add those domains here. For example, if you were scanning "WIexample.com," you
would need to add "WIexample2.com" and "WIexample3.com" here if those domains were part of your
Web presence and you wanted to include them in the crawl and audit.
You can also use this feature to scan any domain whose name contains the text you specify. For
example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed
host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it
will pursue that link and scan that site's server, repeating the process until all linked sites are scanned.
For this hypothetical example, Fortify WebInspect would scan the following domains:
- www.myco.com:80
- contact.myco.com:80
- www1.myco.com
- ethics.myco.com:80
- contact.myco.com:443
- wow.myco.com:80
- mycocorp.com:80
- www.interconnection.myco.com:80

Adding Allowed Domains


To add allowed domains:
1. Click Add.
2. On the Specify Allowed Host window, enter a URL (or a regular expression representing a URL)
   and click OK.
   Note: When specifying the URL, do not include the protocol designator (such as http:// or
   https://).

Editing or Removing Domains


To edit or remove an allowed domain:
 1. Select a domain from the Allowed Hosts list.
 2. Click Edit or Remove.

Scan Settings: HTTP Parsing


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select HTTP Parsing.

Options
The HTTP Parsing options are described in the following table.

HTTP Parameters Used for State
If your application uses URL rewriting or post data techniques to maintain state within a Web
site, you must identify which parameters are used. For example, a PHP4 script can create a
constant of the session ID named SID, which is available inside a session. By appending this to
the end of a URL, the session ID becomes available to the next page. The actual URL might look
something like the following:
.../page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
Because session IDs change with each connection, an HTTP request containing this URL would create
an error when you tried to replay it. However, if you identify the parameter (PHPSESSID in this
example), then Fortify WebInspect will replace its assigned value with the new session ID obtained
from the server each time the connection is made.
Similarly, some state management techniques use post data to pass information. For example, the
HTTP message content may include userid=slbhkelvbkl73dhj. In this case, "userid" is the parameter
you would identify.

Note: You need to identify parameters only when the application uses URL rewriting or posted data
to manage state. It is not necessary when using cookies.

Fortify WebInspect can identify potential parameters if they occur as posted data or if they exist
within the query string of a URL. However, if your application embeds session data in the URL as
extended path information, you must provide a regular expression to identify it. In the following
example, "1234567" is the session information:
http://www.onlinestore.com/bikes/(1234567)/index.html
The regular expression for identifying the parameter would be: /\([\w\d]+\)/

Enable CSRF
The Enable CSRF option should only be selected if the site you are scanning includes Cross-Site
Request Forgery (CSRF) tokens, as it adds overhead to the process. For more information, see "CSRF"
on page 360.

Determine State from URL Path
If your application determines state from certain components in the URL path, select this check
box and add one or more regular expressions that identify those components. Two default regular
expressions identify two ASP.NET cookieless session IDs. The third regular expression matches the
jsessionid cookie.

Enable Response State Rules
If your application maintains client state with bearer tokens, select this option and create a
rule that will identify the bearer token from the response and add it to the next request
automatically.
To add a rule:
1. After selecting the Enable Response State Rules check box, click Add.
   The Rule Search and Replace window appears.
2. In the Rule Name field, type a unique name for the rule. An example is Bearer.
3. Click Add next to the Search in Response field.
   The Search in Response dialog box appears.
4. Construct a regular expression to use as criteria for searching in the response. An example is:
   "Authentication" value="(?<Bearer>[A-Za-z0-9]*)"
   Tip: Click the arrow to the right of the field for regular expression tips or to launch the
   Regular Expressions Editor.
5. Click OK.
   The regular expression is validated. You must correct any errors that are found before
   continuing.
6. Click Add next to the Replace in Request field.
   The Replace in Request dialog box appears.
7. Construct a regular expression to use as criteria for adding the token to the request. An
   example is:
   "Authorization: Bearer (?<Bearer>[A-Za-z0-9]*)"
8. Click OK.
   The regular expression is validated. You must correct any errors that are found before
   continuing.
9. Click OK to close the Rule Search and Replace window.
Important! To avoid regular expressions that could drain your system resources and affect scan
performance, do not use the following text strings when constructing your regular expressions:
- Any character with infinite numbers ".*" or ".+"
- Positive lookahead "(?=…)"
- Negative lookahead "(?!...)"
- Positive lookbehind "(?<=…)"
- Negative lookbehind "(?<!...)"

HTTP Parameters Used for Navigation
Some sites contain only one directly accessible resource, and then rely on query strings to
deliver the requested information, as in the following examples:
Ex. 1 — http://www.anysite.com?Master.asp?Page=1
Ex. 2 — http://www.anysite.com?Master.asp?Page=2;
Ex. 3 — http://www.anysite.com?Master.asp?Page=13;Subpage=4
Ordinarily, Fortify WebInspect would assume that these three requests refer to identical resources
and would conduct a vulnerability scan on only one of them. Therefore, if your target Web site
employs this type of architecture, you must identify the specific resource parameters that are
used.
Examples 1 and 2 contain one resource parameter: "Page."
Example 3 contains two parameters: "Page" and "Subpage."
To identify resource parameters:
1. Click Add.
2. On the HTTP Parameter window, enter the parameter name and click OK.
   The string you entered appears in the Parameter list.
3. Repeat this procedure for additional parameters.

Advanced HTTP Parsing
Most Web pages contain information that tells the browser what character set to use. This is
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV
attribute) in the HEAD section of the HTML document.
For pages that do not announce their character set, you can specify which language family (and
implied character set) Fortify WebInspect should use.

Treat query parameter value as parameter name when only value is present
This setting defines how Fortify WebInspect interprets query parameters without values. For
example:
http://somehost?param
If this checkbox is selected, Fortify WebInspect will interpret "param" to be a parameter named
"param" with an empty value.
If this checkbox is not selected, Fortify WebInspect will interpret "param" to be a nameless
parameter with the value "param".
This setting can influence the way Fortify WebInspect calculates the hit count (see the "Limit
maximum single URL hits to" setting on page 344 under Scan Settings: General). This setting is
useful for scenarios in which a URL contains an anti-caching parameter. These often take the form
of a numeric counter or timestamp. For example, the following parameters are numeric counters:
- http://somehost?1234567
- http://somehost?1234568
In such cases, the value is changing for each request. If the value is treated as the parameter
name, and the "Include parameters in hit count" setting is selected, the crawl count may inflate
artificially, thus increasing the scan time. In these cases, clearing the "Treat query parameter
value as parameter name when only value is present" checkbox will prevent these counters from
contributing to the hit count and produce a more reasonable scan time.
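The following is an added example, not WebInspect code, modelling the three state-handling mechanisms described in the table above: refreshing an identified state parameter (PHPSESSID) in a replayed URL, extracting session data from extended path information with the guide's regular expression, and applying a Response State Rule built from the guide's two example expressions. The guide writes .NET-style named groups (?<Bearer>...); Python's re module spells the same group (?P<Bearer>...), so the patterns are translated, and the sample response and request are constructed.

```python
"""Added example, not part of WebInspect: a model of the state handling described
in the HTTP Parsing table, driven by a constructed response/request pair."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The guide's example expressions, with (?<Bearer>...) rewritten as Python's (?P<Bearer>...).
SEARCH_IN_RESPONSE = r'"Authentication" value="(?P<Bearer>[A-Za-z0-9]*)"'
REPLACE_IN_REQUEST = r'Authorization: Bearer (?P<Bearer>[A-Za-z0-9]*)'
EXTENDED_PATH_STATE = r'\([\w\d]+\)'   # the guide's /\([\w\d]+\)/ without its delimiters


def refresh_state_params(url: str, state_params: set, fresh: dict) -> str:
    """Replace the value of every identified state parameter (e.g. PHPSESSID) with the
    value most recently obtained from the server; other parameters are left intact."""
    parts = urlsplit(url)
    pairs = [(k, fresh[k] if k in state_params and k in fresh else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def extended_path_state(url: str) -> Optional[str]:
    """Return the session token embedded in the path, e.g. "(1234567)" -> "1234567"."""
    m = re.search(EXTENDED_PATH_STATE, urlsplit(url).path)
    return m.group(0)[1:-1] if m else None


def apply_response_state_rule(response: str, request: str,
                              search_re: str = SEARCH_IN_RESPONSE,
                              replace_re: str = REPLACE_IN_REQUEST) -> str:
    """Search the response with the rule's first expression; then rewrite the group of
    the same name in the next request. The request is returned unchanged when either
    the response carries no token or the request has no place to put it."""
    found = re.search(search_re, response)
    if not found:
        return request
    placed = re.compile(replace_re).search(request)
    if not placed:
        return request
    group_name = next(iter(found.groupdict()))      # "Bearer" for the guide's rule
    start, end = placed.span(group_name)
    return request[:start] + found.group(group_name) + request[end:]


# Constructed messages; the token value and host are placeholders, not captured data.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<input type="hidden" name="Authentication" value="Xk92mQ7Lp4Rb">'
)
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\nHost: app.example.test\r\n"
    "Authorization: Bearer STALE0token\r\n\r\n"
)

if __name__ == "__main__":
    print(apply_response_state_rule(SAMPLE_RESPONSE, SAMPLE_REQUEST))
```

The same search-and-replace shape also covers the navigation parameter case, except that there the identified parameters are kept distinct rather than refreshed.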

CSRF
The Enable CSRF option should only be selected if the site you are scanning includes Cross-Site
Request Forgery (CSRF) tokens as it adds overhead to the process.

About CSRF
Cross-Site Request Forgery (CSRF) is a malicious exploit of a website where unauthorized commands
are transmitted from a user’s browser that the website trusts. CSRF exploits piggyback on the trust that
a site has in a user’s browser; using the fact that the user has already been authenticated by the site and
the chain of trust is still open.

Example:
A user visits a bank, is authenticated, and a cookie is placed on the user’s machine. After the user
completes the banking transaction, he or she switches to another browser tab and continues a
conversation on an enthusiast Web site devoted to the user’s hobby. On the site, someone has
posted a message that includes an HTML image element. The HTML image element includes a
request to the user’s bank to extract all of the cash from the account and deposit it into another
account. Because the user has a cookie on his or her device that has not expired yet, the transaction
is honored and all of the money in the account is withdrawn.

CSRF exploits often involve sites that rely on trust in a user’s identity, often maintained through the use
of a cookie. The user’s browser is then tricked into sending HTTP requests to the target site in hopes
that a trust between the user’s browser and the target site still exists.

Using CSRF Tokens

To stop Cross-site request forgeries from occurring, common practice is to set up the server to generate
requests that include a randomly generated parameter with a common name such as "CSRFToken". The
token may be generated once per session or a new one generated for each request. If you have used
CSRF tokens in your code and enabled CSRF in Fortify WebInspect, we will take this into consideration
when crawling your site. Each time Fortify WebInspect launches an attack, it will request the form again
to acquire a new CSRF token. This adds significantly to the time it takes for Fortify WebInspect to
complete a scan, so do not enable CSRF if you are not using CSRF tokens on your site.

Enabling CSRF Awareness in Fortify WebInspect


If your site uses CSRF tokens, you can enable CSRF awareness in Fortify WebInspect as follows:
 1. Select Default Scan Settings from the Edit menu.
The Scan Settings window appears.
 2. From the Scan Settings column, select HTTP Parsing.
 3. Select the Enable CSRF box.

Scan Settings: Custom Parameters


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Custom Parameters.
Custom Parameters are used to accommodate sites that use URL rewriting techniques and/or
Representational State Transfer (REST) web services technologies. You can write rules for these custom
parameters, or you can import rules from a common configuration file written in Web Application
Description Language (WADL).

URL Rewriting
Many dynamic sites use URL rewriting because static URLs are easier for users to remember and make
it easier for search engines to index the site. For example, an HTTP request such as
http://www.pets.com/ShowProduct/7
is sent to the server's rewrite module, which converts the URL to the following:
http://www.pets.com/ShowProduct.php?product_id=7
In this example, the URL causes the server to execute the PHP script "ShowProduct" and display
the information for product number 7.

Micro Focus Fortify WebInspect (19.2.0) Page 361 of 482


User Guide
Chapter 6: Default Scan Settings

When Fortify WebInspect scans a page, it must be able to determine which elements are variables so
that its attack agents can thoroughly check for vulnerabilities. To enable this, you must define rules that
identify these elements. You can do so using a proprietary Fortify WebInspect syntax.

Examples:
HTML: <a href="someDetails/user1/">User 1 details</a>
Rule: /someDetails/{username}/
HTML: <a href="TwoParameters/Details/user1/Value2">User 1 details</a>
Rule: /TwoParameters/Details/{username}/{parameter2}
HTML: <a href="/Value2/PreFixParameter/Details/user1">User 1 details</a>
Rule: /{parameter2}/PreFixParameter/Details/{username}

RESTful Services
A RESTful web service (also called a RESTful web API) is a simple Web service implemented using HTTP
and the principles of REST. It has gained widespread acceptance across the Web as a simpler alternative
to web services based on SOAP and Web Services Description Language (WSDL).
The following request adds a name to a file using an HTTP query string:
GET /adduser?name=Robert HTTP/1.1
This same function could be achieved with the following request to a RESTful Web service. Note that
the parameter names and values have been moved from the request URI and now appear as XML elements
in the request body.
POST /users HTTP/1.1
Host: myserver
Content-Type: application/xml

<?xml version="1.0"?>
<user>
  <name>Robert</name>
</user>
In the case of both URL rewriting and RESTful web services, you must create rules that instruct Fortify
WebInspect how to create the appropriate requests.
Creating a Rule
To create a rule:
 1. Click New Rule.
 2. In the Expression column, enter a rule. See "Path Matrix Parameters" on page 364 for guidelines
and examples. 
The Enabled check box is selected by default. Fortify WebInspect examines the rule and, if it is valid,
removes the red X.


Deleting a Rule
To delete a rule:
 1. Select a rule from the Custom Parameters Rules list.
 2. Click Delete.
Disabling a Rule
To disable a rule without deleting it:
 1. Select a rule.
 2. Clear the check mark in the Enabled column.
Importing Rules
To import a file containing rules:

 1. Click the Import button.
 2. Using a standard file-selection dialog box, select the type of file (.wadl or .txt) containing the
custom rules you want to apply.
 3. Locate the file and click Open.

Enable automatic seeding of rules that were not used during scan
The most reliable rules for custom parameters are those deduced from a WADL file or created by
developers of the Web site. If a rule is not invoked during a scan (because the rule doesn't match any
URL), then Fortify WebInspect can programmatically assume that a valid portion of the site has not
been attacked. Therefore, if you select this option, Fortify WebInspect will create sessions to exercise
these unused rules in an effort to expand the attack surface.

Double Encode URL Parameters 


Double-encoding is an attack technique that URL-encodes request parameters twice in an attempt to
bypass security controls or cause unexpected behavior in the application. For example, a cross-site
scripting (XSS) payload might normally appear as:

<script>alert('FOO')</script>

If this code is inserted into a vulnerable application, the browser displays an alert window with the
message "FOO." However, the web application may have a filter that rejects characters such as < (less
than), > (greater than) and / (forward slash), since they are used in Web application attacks. An
attacker could attempt to circumvent this safeguard with double encoding: if the filter decodes the
parameter once and inspects it, but a later component (a rewrite module or the application itself)
decodes it again, the filter sees only harmless percent-encoded text while the application receives the
original characters. The encoding process for the characters in this payload is:

Char   Hex encoded   % sign encoded   Double-encoded result
<      %3C           %25              %253C
/      %2F           %25              %252F
>      %3E           %25              %253E

Finally, the double-encoded form of the payload is:

%253Cscript%253Ealert('FOO')%253C%252Fscript%253E

If you select this option, Fortify WebInspect creates double-encoded URL parameters (instead of
single-encoded parameters) and submits them as part of the attack sequence. This is recommended
when the Web server decodes parameters more than once, for example Apache mod_rewrite plus PHP, or
the Java URL Rewrite Filter 3.2.0.
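The bypass described above, as an added example that is not part of this guide or of Fortify WebInspect: Python that reproduces the encoding table and the double-encoded payload, runs the payload through a constructed decode-once-then-filter chain (the filter sees the singly decoded value, a later component decodes again), and beside it a hardened chain that canonicalizes to a fixed point before filtering. The filter's character set, the pipeline stages and the round limit are assumptions for illustration.

```python
from urllib.parse import unquote

RISKY = "<>/"          # the characters the guide's hypothetical filter rejects


def encode_chars(text: str, chars: str) -> str:
    """Percent-encode only the characters in `chars`, leaving the rest untouched."""
    return "".join(f"%{ord(c):02X}" if c in chars else c for c in text)


def single_encode(payload: str) -> str:
    return encode_chars(payload, RISKY)


def double_encode(payload: str) -> str:
    """Encode the risky characters, then encode the resulting '%' signs as %25."""
    return encode_chars(single_encode(payload), "%")


def naive_pipeline(raw_param: str):
    """Constructed decode-once-then-filter chain: the front end decodes the URL
    once and inspects it, then a rewrite module or the application decodes again.
    Returns ("blocked", value) or ("delivered", value)."""
    once = unquote(raw_param)                     # web server decodes once
    if any(c in once for c in RISKY):
        return ("blocked", once)                  # filter inspects the singly decoded form
    twice = unquote(once)                         # rewrite layer / application decodes again
    return ("delivered", twice)


def canonical_decode(value: str, max_rounds: int = 8) -> str:
    """Decode until the value stops changing, so the filter sees what the
    application will ultimately see; bounded so pathological input is rejected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers; reject the request")


def hardened_pipeline(raw_param: str):
    """Same chain, but the filter canonicalizes before inspecting."""
    canonical = canonical_decode(raw_param)
    if any(c in canonical for c in RISKY):
        return ("blocked", canonical)
    return ("delivered", canonical)


PAYLOAD = "<script>alert('FOO')</script>"

if __name__ == "__main__":
    for ch in RISKY:
        print(f"{ch}  {single_encode(ch)}  {double_encode(ch)}")
    print(double_encode(PAYLOAD))
    print(naive_pipeline(single_encode(PAYLOAD)))     # blocked
    print(naive_pipeline(double_encode(PAYLOAD)))     # delivered: the bypass
    print(hardened_pipeline(double_encode(PAYLOAD)))  # blocked again
```

The scanner option corresponds to sending what double_encode produces; whether the finding is real depends on the target decoding twice, which is why the guide ties the option to specific rewrite stacks.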

Path Matrix Parameters


There are three ways rules can be created in the system. Rules may be:
 l Entered manually
 l Generated from a WADL file specified by the user or received through Fortify WebInspect Agent
 l Imported from a flat file containing a list of rules
When entering rules manually, you specify the path segments of a URL that should be treated as
parameters.
The rules use special characters to designate parts of the actual URL that contain parameters. If a URL
matches a rule, Fortify WebInspect parses the parameters and attacks them. Notable components of a
rule are:
 l Path (gp/c/{book_name}/)
 l Query (anything that follows "?")
 l Fragment (anything that follows "#")

Definition of Path Segment


A path segment starts with a '/' character and is terminated either by another '/' character or by the end
of the path. To illustrate, path "/a" has one segment whereas path "/a/" has two segments (the first
containing the string "a" and the second being empty). Note that paths "/a" and "/a/" are therefore not
equal: when determining whether a URL matches a rule, empty segments are counted.

Special Elements for Rules


A rule may contain the special elements described in the following table.

Element   Description

*         Asterisk. May appear in the productions defined below. Its presence in non-path
          productions means that this part of the URL does not participate in matching (or, in
          other words, matches anything).

{ }       Group; a named parameter that may appear within the path of the rule. The content has
          no special meaning and is used during reporting as the name of the attacked parameter.
          The character set allowed within the delimiting brackets that designate a group { } is
          the *pchar production of RFC 3986:
          pchar       = unreserved / pct-encoded / sub-delims / ":" / "@"
          pct-encoded = "%" HEXDIG HEXDIG
          unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
          reserved    = gen-delims / sub-delims
          gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"
          sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
          A group's content cannot include the "open bracket" and "close bracket" characters
          unless they are escaped as pct-encoded elements.

The rules for placing * out of path are described below. Within a path segment, any amount of * and {}
groups can be placed, provided they’re interleaved with plain text. For example:
Valid rule: /gp/c/*={param}
Invalid rule: /gp/c/*{}
Rules with segments having **, *{}, {}* or {}{} entries are invalid.
For a rule to match a URL, all components of the rule should match corresponding components of the
crawled URL. Path comparison is done segment-wise, with * and {} groups matching any number of
characters (including zero characters), plain text elements matching corresponding plain text elements
of the path segment of the URL. So, for example:
/gp/c/{book_name} is a match for these URLs:
 l http://www.amazon.com:8080/gp/c/Moby_Dick
 l http://www.amazon.com/gp/c/Singularity_Sky?format=pdf&price=0
 l https://www.amazon.com/gp/c/Hobbit
But it is not a match for any of these:
 l http://www.amazon.com/gp/c/Moby_Dick/  (no match because of the trailing slash, which adds an
   empty fourth segment)
 l http://www.amazon.com/gp/c/Sex_and_the_City/Horror  (no match because it has a different
   number of segments)
Fortify WebInspect treats the parts of path segments matched by {...} groups in the rule as parameters,
similar to those found in a query. Moreover, the query parameters of a crawled URL matched by a rule
are attacked along with the parameters within the URL's path. In the following example of a matched
URL, Fortify WebInspect would conduct attacks on the format and price parameters and on the third
segment of the path (Singularity_Sky):
http://www.amazon.com/gp/c/Singularity_Sky?format=pdf&price=0


Asterisk Placeholder
The "*" placeholder may appear in the following productions and subproductions of the URL:
 l Path – cannot be matched as a whole, since * in a path matches a single segment or less.
 l Path segment – as in /gp/*/{param}, which matches URLs (regardless of scheme, host or port) whose
   path contains exactly three segments (the first is exactly "gp", the second is any segment, and the
   third is treated as a parameter and does not participate in matching).
 l Part of a path segment – as in /gp/ref=*, which matches URLs whose path contains two segments
   (the first is exactly "gp", the second is any string with the prefix "ref=").
 l Query – as in /gp/c/{param}?*, which matches any URL with a path of three segments (the first
   segment is "gp", the second segment is "c" and the third segment is a parameter, so it does not
   participate in matching); this URL also MUST contain a query string of arbitrary structure. Note the
   difference between the rules /gp/c/{param} and /gp/c/{param}?*. The first rule matches the URL
   http://www.amazon.com/gp/c/Three_Little_Blind_Mice, while the second does not, because that URL
   has no query string.
 l Key of a query key-value pair – as in /gp/c/{param}?format=*, which matches a URL only if the
   query string has exactly one key-value pair, with the key name being "format".
 l Value of a query key-value pair – as in /gp/c/{param}?*=pdf, which matches a URL only if the
   query string has exactly one key-value pair, with the value being "pdf".
 l Fragment – as in /gp/c/{param}#*, which matches any URL in which a fragment part is present.

Benefit of Using Placeholders


The main benefit of using placeholders is that they let you combine matrix parameters and URL
path-based parameters within a single rule. For the URL
http://www.amazon.com/gp/color;foreground=green;background=black/something?format=dvi
the following rule allows attacks on all parameters:
gp/*/{param}
For matching purposes the matrix parameter segment is ignored by the * placeholder in the second
segment of the path, but its parameters (foreground and background) are still recognized by Fortify
WebInspect and attacked, along with the path parameter (something) and the query parameter (format).

Multiple Rules Matching a URL


In the case of multiple rules matching a given URL, there are two options:
 l Stop iterating over the rules once a match is found and so use only the first rule.
 l Iterate over all of the rules and collect all custom parameters that match.
For instance, for the following URL
http://mySite.com/store/books/Areopagitica/32/1
both of the following rules match:
 l */books/{booktitle}/32/{paragraph}
 l store/*/Areopagitica/{page}/{paragraph}
Fortify WebInspect collects parameters from both rules to ensure the greatest attack coverage, so all
three segments ("Areopagitica", "32" and "1" in the example above) are attacked.
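The matching semantics described under Path Matrix Parameters, Asterisk Placeholder, Benefit of Using Placeholders and Multiple Rules Matching a URL above (and the URL Rewriting rule examples earlier in this section), as an added example that is not part of this guide or of Fortify WebInspect: a Python matcher that compiles rules of this syntax, rejects the invalid placeholder combinations, compares paths segment-wise (empty segments included), applies the query and fragment constraints, and reports the parameters a scanner would attack, merging the results of all matching rules. Where the guide is silent the code makes labelled assumptions: a group must have a name, a rule query with several key-value pairs matches the URL's pairs positionally, and matrix parameters are read from every segment of a matched URL.

```python
import re
from urllib.parse import urlsplit

# A segment of a rule is a sequence of literal text, "*" and "{name}" elements.
_ELEMENT = re.compile(r"\{([^{}]*)\}|\*|[^*{}]+")


def _compile_segment(segment: str):
    """Turn one rule segment into (regex, [group names]); reject **, *{}, {}* and {}{}."""
    pattern, names, pos, prev_special = [], [], 0, False
    for m in _ELEMENT.finditer(segment):
        if m.start() != pos:
            raise ValueError(f"unbalanced brace in segment {segment!r}")
        pos = m.end()
        element = m.group(0)
        if element == "*" or element.startswith("{"):
            if prev_special:
                raise ValueError(f"adjacent placeholders in segment {segment!r}")
            if element == "*":
                pattern.append("(?:.*)")          # matches anything, reported as nothing
            else:
                if not m.group(1):                # assumption: a group needs a name to report
                    raise ValueError(f"empty group name in segment {segment!r}")
                names.append(m.group(1))
                pattern.append("(.*)")            # matches anything, reported under the name
            prev_special = True
        else:
            pattern.append(re.escape(element))
            prev_special = False
    if pos != len(segment):
        raise ValueError(f"unbalanced brace in segment {segment!r}")
    return re.compile("".join(pattern)), names


def _pairs(query: str):
    """Split a query string into (key, value) pairs, preserving order."""
    return [tuple(item.partition("=")[::2]) for item in query.split("&")] if query else []


def _query_matches(rule_query, url_query: str) -> bool:
    if rule_query is None:
        return True                     # rule has no query part: the query does not participate
    if rule_query == "*":
        return bool(url_query)          # any query, but one must be present
    want, have = _pairs(rule_query), _pairs(url_query)
    # Assumption: several pairs generalise the guide's one-pair examples positionally.
    return len(want) == len(have) and all(
        (rk == "*" or rk == hk) and (rv == "*" or rv == hv)
        for (rk, rv), (hk, hv) in zip(want, have))


class Rule:
    """One custom-parameter rule: path segments plus optional query and fragment constraints."""

    def __init__(self, text: str):
        self.text = text
        parts = urlsplit(text)
        self.segments = [_compile_segment(s) for s in parts.path.lstrip("/").split("/")]
        self.query = parts.query or None
        self.fragment = parts.fragment or None

    def match(self, url: str):
        """Return the parameters to attack if `url` matches, else None."""
        u = urlsplit(url)
        segments = u.path.lstrip("/").split("/")     # "/a/" -> ["a", ""]: empty segments count
        if len(segments) != len(self.segments):
            return None
        params = {}
        for (regex, names), segment in zip(self.segments, segments):
            m = regex.fullmatch(segment)
            if m is None:
                return None
            params.update(zip(names, m.groups()))
        if not _query_matches(self.query, u.query):
            return None
        if self.fragment is not None and not (u.fragment and self.fragment in ("*", u.fragment)):
            return None
        # Matched: matrix parameters in any segment and the URL's own query
        # parameters are attacked alongside the path parameters.
        for segment in segments:
            for item in segment.split(";")[1:]:
                key, _, value = item.partition("=")
                params[key] = value
        params.update(_pairs(u.query))
        return params


def collect_parameters(rules, url: str) -> dict:
    """Second of the guide's two options: iterate over all rules and merge what they find."""
    found = {}
    for rule in rules:
        params = rule.match(url)
        if params is not None:
            found.update(params)
    return found
```

Scheme, host and port are never consulted, which is what makes the guide's rule match both the http and the https Amazon URLs; a rule with no query part ignores the URL's query for matching but still reports its parameters.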

Scan Settings: Filters


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Filters.
Use the Filters settings to add search-and-replace rules for HTTP requests and responses. This feature
is used most often to avoid the disclosure of sensitive data such as credit card numbers, employee
names, or social security numbers. It is a means of disguising information that you do not want to be
viewed by persons who use Fortify WebInspect or those who have access to the raw data or generated
reports.

Options
The Filter options are described in the following table.

Option                         Description

Filter HTTP Request Content    Use this area to specify search-and-replace rules for HTTP requests.

Filter HTTP Response Content   Use this area to specify search-and-replace rules for HTTP responses.

Adding Rules for Finding and Replacing Keywords


Follow the steps below to add a regular expression rule for finding or replacing keywords in requests or
responses:
 1. In either the Request Content or the Response Content group, click Add.
The Add Request/Response Data Filter Criteria window opens.
 2. In the Search for text box, type (or paste) the string you want to locate (or enter a regular
expression that describes the string).
Use the adjacent button to insert regular expression notations or to launch the Regular Expression
Editor (which facilitates the creation and testing of an expression).
 3. In the Search for text In box, select the section of the request or response you want to search for
the filter pattern. The options are:
 l All – Search the entire request or response.
 l Headers – Search each header individually. Some headers, such as Set-Cookie and HTTP
Version headers, are not searched.
Note: To ensure that all headers are searched, select Prefix.
 l Post Data – For requests only, search all of the HTTP message body data.
 l Body – Search all of the HTTP message body data.
 l Prefix – Simultaneously search everything that is in the request or status line, all headers, and
the empty line prior to the body.
 4. Type (or paste) the replacement string in the Replace search text with box.
Use the adjacent button for assistance with regular expressions.
 5. For case-sensitive searches, select the Case sensitive match check box.
 6. Click OK.
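The section-aware search-and-replace described in the steps above, as an added example that is not part of this guide or of Fortify WebInspect: a Python filter that applies a regular expression to the All, Prefix, Headers or Body section of a raw HTTP message, run over a constructed response that carries a card number in the body and an e-mail address in both a header and the body. The sample response, the two patterns and the replacement markers are assumptions for illustration; unlike the Headers option in the guide, this version exempts no header.

```python
import re

# Constructed sample response; the card number and address are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Debug-Owner: jane.doe@example.com\r\n"
    "\r\n"
    "<p>Card on file: 4111 1111 1111 1111</p>\r\n"
    "<p>Questions? Mail jane.doe@example.com</p>"
)

# 13 to 16 digits, optionally separated by spaces or hyphens; and a plain e-mail shape.
PAN_PATTERN = r"\b(?:\d[ -]?){13,16}\b"
EMAIL_PATTERN = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"


def split_http_message(raw: str):
    """Split a raw HTTP message into the prefix (request/status line, every header and
    the blank line) and the body. The prefix is exactly what the Prefix option searches."""
    head, separator, body = raw.partition("\r\n\r\n")
    return head + separator, body


def apply_filter(raw: str, pattern: str, replacement: str,
                 section: str = "All", case_sensitive: bool = False) -> str:
    """Search-and-replace in one section of an HTTP message.
    Post Data in the guide is simply the Body of a request."""
    regex = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    prefix, body = split_http_message(raw)
    if section == "All":
        return regex.sub(replacement, raw)
    if section == "Prefix":
        return regex.sub(replacement, prefix) + body
    if section in ("Body", "Post Data"):
        return prefix + regex.sub(replacement, body)
    if section == "Headers":
        # Each header line individually; the request/status line is not a header.
        # Assumption: unlike the guide's Headers option, no header is exempt here.
        lines = prefix.split("\r\n")
        lines[1:] = [regex.sub(replacement, line) for line in lines[1:]]
        return "\r\n".join(lines) + body
    raise ValueError(f"unknown section {section!r}")


def redact_response(raw: str) -> str:
    """Two rules as one would configure them: card numbers in the body,
    e-mail addresses anywhere in the message."""
    raw = apply_filter(raw, PAN_PATTERN, "[PAN REDACTED]", section="Body")
    return apply_filter(raw, EMAIL_PATTERN, "[EMAIL REDACTED]", section="All")


if __name__ == "__main__":
    print(redact_response(SAMPLE_RESPONSE))
```

Filters rewrite what is stored and reported, not what the target receives, so a card number that only ever appears in a request body needs a Post Data rule, and a pattern scoped to Headers will not catch the same value once it is echoed in the body.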

Scan Settings: Cookies/Headers


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Cookies/Headers.

Standard Header Parameters


The options in this section are described in the following table.

Option Description

Include 'referer' in HTTP request headers
    Select this check box to include Referer headers in Fortify WebInspect HTTP requests. The Referer
    request-header field allows the client to specify, for the server's benefit, the address (URI) of the
    resource from which the Request-URI was obtained.

Include 'host' in HTTP request headers
    Select this check box to include Host headers with Fortify WebInspect HTTP requests. The Host
    request-header field specifies the Internet host and port number of the resource being requested, as
    obtained from the original URI given by the user or referring resource (generally an HTTP URL).

Append Custom Headers


Use this section to add, edit, or delete headers that will be included with each audit Fortify WebInspect
performs. For example, you could add a header such as "Alert: You are being attacked by Consultant
ABC" that would be included with every request sent to your company's server when Fortify
WebInspect is auditing that site. You can add multiple custom headers.
The default custom headers are described in the following table.

Header             Description

Accept: */*        Any encoding or file type is acceptable to the crawler.

Pragma: no-cache   This forces a fresh response; cached or proxied data is not acceptable.

Adding a Custom Header


To add a custom header:
 1. Click Add.
The Specify Custom Header window opens.
 2. In the Custom Header box, enter the header using the format <name>: <value>.
 3. Click OK.

Append Custom Cookies


Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by
Fortify WebInspect to the server when conducting a vulnerability scan.
The default custom cookie used to flag the scan traffic is:
  CustomCookie=WebInspect;path=/

Adding a Custom Cookie


To add a custom cookie:
 1. Click Add.
The Specify Custom Cookie window opens.
 2. In the Custom Cookie box, enter the cookie using the format <name>=<value>.
For example, if you enter
  CustomCookie=ScanEngine
then each HTTP-Request will contain the following header:
Cookie: CustomCookie=ScanEngine
 3. Click OK.


Scan Settings: Proxy


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Proxy.

Options
The Proxy options are described in the following table.

Option Description

Direct Connection (proxy disabled)
    Select this option if you are not using a proxy server.

Auto detect proxy settings
    Use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy autoconfig file and configure
    the browser's Web proxy settings.

Use System proxy settings
    Import your proxy server information from the local machine.

Use Firefox proxy settings
    Import your proxy server information from Firefox.
    Note: Electing to use Firefox proxy settings does not guarantee that you will access the Internet
    through a proxy server. If the Firefox browser connection settings are configured for "No proxy,"
    then a proxy will not be used.

Configure proxy using a PAC file URL
    Load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in
    the URL box.

Explicitly configure proxy
    Configure a proxy by entering the requested information:
     1. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box)
        by the port number (for example, 8080).
     2. Select a protocol Type for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or
        standard.
     3. If authentication is required, select a type from the Authentication list:

        Automatic
        Allow Fortify WebInspect to determine the correct authentication type.
        Note: Automatic detection slows the scanning process. If you know and specify one of the
        other authentication methods, scanning performance is noticeably improved.

        Digest
        The Windows Server operating system implements the Digest Authentication protocol as a
        security support provider (SSP), a dynamic-link library (DLL) that is supplied with the
        operating system. Using digest authentication, your password is never sent across the
        network in the clear; the client sends an MD5 digest computed from the password, the
        server's nonce and the request details. The password therefore cannot be read directly from
        sniffed network traffic, although an attacker who captures the exchange can still test
        password guesses against the digest offline, so use strong passwords and TLS.

        HTTP Basic
        A widely used, industry-standard method for collecting user name and password information.
         a. The Web browser displays a window for a user to enter a previously assigned user name
            and password, also known as credentials.
         b. The Web browser then attempts to establish a connection to a server using the user's
            credentials.
         c. If a user's credentials are rejected, the browser displays an authentication window to
            re-enter the user's credentials.
         d. If the Web server verifies that the user name and password correspond to a valid user
            account, a connection is established.
        The advantage of Basic authentication is that it is part of the HTTP specification and is
        supported by most browsers. The disadvantage is that Web browsers using Basic
        authentication transmit the user name and password merely Base64-encoded, not encrypted.
        By monitoring communications on your network, an attacker can easily intercept and decode
        these passwords using publicly available tools. Therefore, Basic authentication is not
        recommended unless you are confident that the connection between the user and your Web
        server is secure (for example, protected by TLS).

        NT LAN Manager (NTLM)
        NTLM (NT LanMan) is an authentication process that is used by all members of the Windows NT
        family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to
        prove the client's identity without requiring that either a password or a hashed password be
        sent across the network.
        Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and
        Fortify WebInspect has to pass through a proxy server to submit its requests to the Web
        server, Fortify WebInspect may not be able to crawl or audit that Web site. Use caution when
        configuring Fortify WebInspect for scans of sites protected by NTLM. After scanning, you may
        want to disable the NTLM authentication settings to prevent any potential problem.

        Kerberos
        Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party,
        termed a Key Distribution Center (KDC), which consists of two logically separate parts: an
        Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates
        itself to the AS, then demonstrates to the TGS that it is authorized to receive a ticket for
        a service (and receives it). The client then demonstrates to a Service Server that it has
        been approved to receive the service.

        Negotiate
        The Negotiate authentication protocol begins with the option to negotiate for an
        authentication protocol. When the client requests access to a service, the server replies
        with a list of authentication protocols that it can support and an authentication challenge
        based on the protocol that is its first choice.
        For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The
        client examines the contents of the reply and checks to determine whether it supports any of
        the specified protocols. If the client supports the preferred protocol, authentication
        proceeds. If the client does not support the preferred protocol, but does support one of the
        other protocols listed by the server, the client lets the server know which authentication
        protocol it supports, and the authentication proceeds. If the client does not support any of
        the listed protocols, the authentication exchange fails.

     4. If your proxy server requires authentication, enter the qualifying user name and password.
     5. If you do not need to use a proxy server to access certain IP addresses (such as internal
        testing sites), enter the addresses or URLs in the Bypass Proxy For box. Use commas to
        separate entries.

Specify Alternative Proxy for HTTPS
    For proxy servers accepting HTTPS connections, select Specify Alternative Proxy for HTTPS and
    provide the requested information.

Scan Settings: Authentication


To access this feature in a Basic Scan, click the Edit menu and select Default Scan Settings or Current
Scan Settings. Then, in the Scan Settings category, select Authentication.
Authentication is the verification of identity as a security measure. Passwords and digital signatures are
forms of authentication. You can configure automatic authentication so that a user name and password
will be entered whenever Fortify WebInspect encounters a server or form that requires authentication.
Otherwise, a crawl might be prematurely halted for lack of logon information.

Scan Requires Network Authentication


Select this check box if users must log on to your Web site or application.

Authentication Method
If authentication is required, select the authentication method as described in the following table:

Authentication Method Description

Automatic
    Allow Fortify WebInspect to determine the correct authentication type.
    Automatic detection slows the scanning process. If you know and specify one of the other
    authentication methods, scanning performance is noticeably improved.

HTTP Basic
    A widely used, industry-standard method for collecting user name and password information.
     1. The Web browser displays a window for a user to enter a previously assigned user name and
        password, also known as credentials.
     2. The Web browser then attempts to establish a connection to a server using the user's
        credentials.
     3. If a user's credentials are rejected, the browser displays an authentication window to
        re-enter the user's credentials. Internet Explorer allows the user three connection attempts
        before failing the connection and reporting an error to the user.
     4. If the Web server verifies that the user name and password correspond to a valid user
        account, a connection is established.
    The advantage of Basic authentication is that it is part of the HTTP specification and is
    supported by most browsers. The disadvantage is that Web browsers using Basic authentication
    transmit the user name and password merely Base64-encoded, not encrypted. By monitoring
    communications on your network, an attacker can easily intercept and decode these passwords
    using publicly available tools. Therefore, Basic authentication is not recommended unless you are
    confident that the connection between the user and your Web server is secure (for example,
    protected by TLS).

NT LAN Manager (NTLM)
    NTLM (NT LanMan) is an authentication process that is used by all members of the Windows NT
    family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove
    the client's identity without requiring that either a password or a hashed password be sent across
    the network.
    Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
    WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
    WebInspect may not be able to crawl or audit that Web site. Use caution when configuring Fortify
    WebInspect for scans of sites protected by NTLM. After scanning, you may want to disable the NTLM
    authentication settings to prevent any potential problem.

Digest
    The Windows Server operating system implements the Digest Authentication protocol as a security
    support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
    Using digest authentication, your password is never sent across the network in the clear; the
    client sends an MD5 digest computed from the password, the server's nonce and the request details.
    The password therefore cannot be read directly from sniffed network traffic, although an attacker
    who captures the exchange can still test password guesses against the digest offline, so use
    strong passwords and TLS.

Kerberos
    Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
    Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
    Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to the AS, then
    demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it).
    The client then demonstrates to a Service Server that it has been approved to receive the service.
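The Basic and Digest descriptions above (and the identical ones under Scan Settings: Proxy), as an added example that is not part of this guide or of Fortify WebInspect: Python that builds a Basic header and decodes it the way an eavesdropper would, computes an RFC 2617 Digest response for the RFC's own worked example so that the password never appears on the wire, and then demonstrates the caveat: with the nonce, cnonce and the other fields captured, password guesses can be checked offline against the digest without contacting the server. The credentials are the RFC's example values, and the wordlist is constructed.

```python
import base64
import hashlib


def basic_header(user: str, password: str) -> str:
    """What a client sends for HTTP Basic: the credentials merely Base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header: str) -> tuple:
    """What an eavesdropper does with a captured Basic header: decode it."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 Digest with qop=auth: MD5(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")      # the only place the password enters
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_exchange(user, realm, password, method, uri, nonce, nc, cnonce) -> dict:
    """Everything that crosses the wire in the Authorization header; the password is absent."""
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, realm, password, method, uri, nonce, nc, cnonce),
    }


def offline_guess(exchange: dict, method: str, wordlist):
    """The caveat: every input except the password is in the capture, so an
    eavesdropper can test guesses against the response without touching the server."""
    for guess in wordlist:
        candidate = digest_response(exchange["username"], exchange["realm"], guess, method,
                                    exchange["uri"], exchange["nonce"], exchange["nc"],
                                    exchange["cnonce"], exchange["qop"])
        if candidate == exchange["response"]:
            return guess
    return None


# The worked example from RFC 2617 section 3.5 (not a real account).
RFC_EXAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                   method="GET", uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    print(recover_basic(basic_header("alice", "s3cret")))
    captured = digest_exchange(**RFC_EXAMPLE)
    print(captured["response"])
    print(offline_guess(captured, "GET", ["password", "hunter2", "Circle Of Life"]))
```

Neither scheme protects the credential of a scanning account once the traffic is observable in the clear, which is the reason behind the guide's caution against scanning with an administrative account: run the scan over TLS and give the account only the access the scan needs.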

Authentication Credentials
Type a user ID in the User name box and the user's password in the Password box. To guard against
mistyping, repeat the password in the Confirm Password box.

Caution! Fortify WebInspect will crawl all servers granted access by this password (if the
sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your
administrative systems, do not use a user name and password that has administrative rights. If you
are unsure about your access rights, contact your System Administrator or internal security
professional, or contact Fortify Customer Support.

Client Certificates
Client certificate authentication allows users to present client certificates rather than entering a user
name and password. You can select a certificate from the local machine or a certificate assigned to a
current user. You can also select a certificate from a mobile device, such as a common access card (CAC)
reader that is connected to your computer. To use client certificates:
 1. In the Client Certificates area, select the Enable check box.
 2. Click Select.
The Client Certificates window opens.
 3. Do one of the following:
 l To use a certificate that is local to the computer and is global to all users on the computer, select
Local Machine.
 l To use a certificate that is local to a user account on the computer, select Current User.
Note: Certificates used by a common access card (CAC) reader are user certificates and are
stored under Current User.
 4. Do one of the following:
 l To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down
list.
 l To select a trusted root certificate, select Root from the drop-down list.
 5. Does the website use a CAC reader?
 l If yes, do the following:
 i. Select a certificate that is prefixed with "(SmartCard)" from the Certificate list.
Information about the selected certificate and a PIN field appear in the Certificate
Information area.
 ii. If a PIN is required, type the PIN for the CAC in the PIN field.
Note: If a PIN is required and you do not enter the PIN at this point, you must enter the
PIN in the Windows Security window each time it prompts you for it during the scan.
 iii. Click Test.
If you entered the correct PIN, a Success message appears.
 l If no, select a certificate from the Certificate list.
Information about the selected certificate appears below the Certificate list.
 6. Click OK.

Editing the Proxy Config File for WebInspect Tools


When using tools that incorporate a proxy (specifically Web Macro Recorder, Web Proxy, and Web Form
Editor), you may encounter servers that do not ask for a client certificate even though a certificate is
required. To accommodate this situation, you must perform the following tasks to edit the
SPI.Net.Proxy.Config file.
Task 1: Find your certificate's serial number
 1. Open Microsoft Internet Explorer.
 2. From the Tools menu, click Internet Options.
 3. On the Internet Options window, select the Content tab and click Certificates.
 4. On the Certificates window, select a certificate and click View.
 5. On the Certificate window, click the Details tab.
 6. Click the Serial Number field and copy the serial number that appears in the lower pane (highlight
the number and press Ctrl + C).
 7. Close all windows.
Task 2: Create an entry in the SPI.Net.Proxy.Config file
 1. Open the SPI.Net.Proxy.Config file for editing. The default location is C:\Program
Files\Fortify\Fortify WebInspect.
 2. In the ClientCertificateOverrides section, add the following entry:
<ClientCertificateOverride HostRegex="RegularExpression"
CertificateSerialNumber="Number" />
where:
RegularExpression is a regular expression matching the host URL (example:
.*austin\.microfocus\.com).
Number is the serial number obtained in Task 1.
 3. Save the edited file.

Enable Macro Validation


Most dynamic application scans require user authentication to expose the complete surface of the
application. Failure of the login macro to log in to the application results in a poor quality scan. If the
login macro quality is measured before the scan, then low quality scans can be avoided.
Select Enable macro validation to enable Fortify WebInspect to test for inconsistencies in macro
behavior at the start of the scan. For more information about the specific tests performed, see "Testing
Login Macros" on page 456.

Use a login macro for forms authentication


This type of macro is used primarily for Web form authentication. It incorporates logic that will prevent
Fortify WebInspect from terminating prematurely if it inadvertently logs out of your application. When
recording this type of macro, be sure to specify the application's log-out signature. Click the ellipsis
button (...) to locate the macro. Click Record to record a macro. For information about using a pre-
recorded Selenium IDE macro, see "Using a Selenium IDE Macro" on the next page.

Note: The Record button is not available for Guided Scan, because Guided Scan includes a separate
stage for recording a login macro.

Login Macro Parameters


This section appears only if you have selected Use a login macro for forms authentication and the
macro you have chosen or created contains fields that are designated username and password
parameters.
If you start a scan using a macro that includes parameters for user name and password, then when you
scan the page containing the input elements associated with these entries, Fortify WebInspect
substitutes the user name and password specified here. This allows you to create the macro using your
own user name and password, yet when other persons run the scan using this macro, they can
substitute their own user name and password.

Use a startup macro


This type of macro is used most often to focus on a particular subsection of the application. It specifies
URLs that Fortify WebInspect will use to navigate to that area. It may also include login information, but
does not contain logic that will prevent Fortify WebInspect from logging out of your application. Fortify
WebInspect visits all URLs in the macro, collecting hyperlinks and mapping the data hierarchy. It then
calls the Start URL and begins a normal crawl (and, optionally, audit). Click the ellipsis button (...) to
locate the macro. Click Record to record a macro.


Using a Selenium IDE Macro


Fortify WebInspect supports integration with Selenium IDE browser automation. When you click the
Import button in Guided Scan, the Scan Wizard, or Authentication Scan Settings and select a Selenium
IDE macro to import, Fortify WebInspect detects that a Selenium IDE macro is being used. Fortify
WebInspect opens Selenium and plays the macro.
For login macros, the macro must include a logout condition. If a logout condition does not exist, you
can add one using the Logout Conditions Editor just as with any other macro. However, all other edits
must be done in the Selenium IDE.
During the replay, there is full-support of Selenium IDE integration. This means that Fortify WebInspect
does not record the sessions. Instead, it opens a new Selenium IDE browser each time and replays the
login macro just as it does with the Unified Web Macro Recorder’s TruClient technology.

Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium IDE macros. You cannot use different types of macros in the same scan.

To use a pre-recorded Selenium IDE macro:


 1. Click the ellipsis button (...) to browse for a saved Selenium IDE macro.
The Select a Login Macro window appears.
 2. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium IDE macros do not have a specific file extension and can be any type of text
file, including XML.

 3. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
 4. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
 5. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
 6. Do one of the following:
 l If the macro plays successfully, the message "Successfully verified macro" appears. Continue with
Step 7.
 l If the macro does not play successfully, an error message appears. Use the error message to
debug and correct the error in Selenium, and return to Step 1 of this procedure to try the import
again.
 7. To specify a logout condition, click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
 8. Add a logout condition and click OK.
 9. Click OK to add the macro to the Default Settings.


Multi-user Login
You can use the Multi-user Login option to parameterize the username and password in a login macro,
and then define multiple username and password pairs to use in a scan. This approach allows the scan
to run across multiple threads. Each thread has a different login session, resulting in faster scan times.

Important! To use Multi-user Login, you must first select Use a login macro for forms
authentication and record a new macro or select an existing macro to use. See "Use a login macro
for forms authentication" on page 377.

To use multiple user logins to conduct the scan:


 1. Select the Multi-user Login checkbox.
Note: If you clear the Multi-user Login checkbox prior to running the scan, the additional
credentials will not be used during the scan. Fortify WebInspect will use only the original
credentials recorded in the login macro.

 2. Continue according to the following table:

To... Then...

Add a user's credentials
 a. Under Multi-user Login, click Add.
    The Multi-user Credential Input dialog box appears.
 b. In the Username field, type a username.
 c. In the Password field, type the corresponding password.
 d. Click OK.
 e. Repeat Steps a-d for each user login to add.
 Important! The number of shared requestor threads should not be more than the number of
 configured users. Requestor threads without valid users will cause the scan to run longer. Remember
 to count the original username and password in the parameterized macro as the first user when you
 configure multiple users. For more information, see "Scan Settings: Requestor" on page 348.

Edit a user's credentials
 a. Under Multi-user Login, select a Username/Password pair and click Edit.
    The Multi-user Credential Input dialog box appears.
 b. Edit the credentials as needed.
 c. Click OK.

Delete a user's credentials
 a. Under Multi-user Login, select a Username/Password pair to be removed.
 b. Click Delete.

For more information, see "Multi-user Login Scans" on page 177.

Scan Settings: File Not Found


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select File Not Found.

Options
The File Not Found options are described in the following table.

Option Description

Determine "file not found" (FNF) using HTTP response codes
Select this option to rely on HTTP response codes to detect a file-not-found response from the server.
You can then identify the codes that fit the following categories:
 l Forced Valid Response Codes (Never an FNF): You can specify HTTP response codes that should
never be treated as a file-not-found response.
 l Forced FNF Response Codes (Always an FNF): Specify those HTTP response codes that will always
be treated as a file-not-found response. Fortify WebInspect will not process the response contents.
Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to separate
the first and last code in the list (for example, 400-404). You can specify multiple codes or ranges by
separating each entry with a comma.

Determine "file not found" from custom supplied signature
Use this area to add information about any custom 404 page notifications that your company uses. If
your company has configured a different page to display when a 404 error occurs, add the information
here. Custom 404 pages that are unique to your site can otherwise cause Fortify WebInspect to report
false positives.

Auto detect "file not found" page
Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not
exist. Instead, they may return a status "200 OK" but the response contains a message that the file
cannot be found, or they might redirect to a home page or login page. Select this check box if you want
Fortify WebInspect to detect these "custom" file-not-found pages.
Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources
that cannot possibly exist on the server. It then compares each response and measures the amount of
text that differs between the responses. For example, most messages of this type have the same content
(such as "Sorry, the page you requested was not found"), with the possible exception being the name of
the requested resource. If you select the Auto detect check box, you can specify what percentage of the
response content must be the same. The default is 90 percent.
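The two File Not Found strategies described in the table, rebuilt as an added Python example (not Fortify WebInspect code) over constructed responses: forced-code ranges such as 400-404 are parsed first, and a custom "200 OK" not-found page is learned from probes for impossible resources and matched at the 90 percent threshold. The similarity metric (difflib's ratio) and the probe bodies are assumptions; WebInspect's own comparison is not documented here.

```python
"""Added example (not Fortify WebInspect code): the two file-not-found (FNF)
strategies described above, rebuilt in Python on constructed responses."""
from difflib import SequenceMatcher
from itertools import combinations
from typing import Optional


def parse_code_ranges(spec: str) -> set:
    """Parse a setting such as "400-404, 410" into the set of HTTP status codes."""
    codes = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (int(part) for part in entry.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(entry))
    return codes


def classify_by_code(status: int, forced_valid: str, forced_fnf: str) -> Optional[str]:
    """Apply the forced-code rules: forced-valid wins, then forced-FNF, else undecided."""
    if status in parse_code_ranges(forced_valid):
        return "valid"
    if status in parse_code_ranges(forced_fnf):
        return "fnf"
    return None


def similarity(a: str, b: str) -> float:
    """Fraction of text shared by two response bodies (assumption: difflib's ratio
    stands in for the comparison WebInspect performs)."""
    return SequenceMatcher(None, a, b).ratio()


class CustomFnfDetector:
    """Learns a custom "not found" page from probe responses, then flags matches."""

    def __init__(self, probe_bodies, threshold: float = 0.90):
        self.probes = list(probe_bodies)
        self.threshold = threshold  # the "percentage must be the same" setting

    def has_signature(self) -> bool:
        """Probes for impossible resources must look alike to form a signature."""
        if len(self.probes) < 2:
            return False
        return all(similarity(a, b) >= self.threshold
                   for a, b in combinations(self.probes, 2))

    def is_fnf(self, body: str) -> bool:
        """A body at least `threshold` similar to a probe response is a custom FNF."""
        return self.has_signature() and any(
            similarity(body, probe) >= self.threshold for probe in self.probes)


def classify(status: int, body: str, detector: CustomFnfDetector,
             forced_valid: str = "", forced_fnf: str = "404") -> str:
    """Combine both strategies: forced codes first, then the learned custom page."""
    by_code = classify_by_code(status, forced_valid, forced_fnf)
    if by_code is not None:
        return by_code
    return "fnf" if detector.is_fnf(body) else "valid"


# Constructed sample data: a site that answers 200 OK with the same apology page
# for anything that does not exist, varying only the requested resource name.
CUSTOM_404 = ("<html><body><h1>Sorry, the page you requested was not found</h1>"
              "<p>There is no resource named {name} on this server.</p></body></html>")
PROBE_BODIES = [CUSTOM_404.format(name="/zq1x8k7.html"),
                CUSTOM_404.format(name="/p0v4m2n.html")]
SAMPLE_MISSING = CUSTOM_404.format(name="/admin/x.html")
SAMPLE_REAL = ("<html><body><h1>Welcome to the Store</h1>"
               "<p>Browse our catalog of products and current offers.</p></body></html>")


def demo() -> dict:
    """Classify the constructed responses with both strategies enabled."""
    detector = CustomFnfDetector(PROBE_BODIES)
    return {
        "signature": detector.has_signature(),
        "missing": classify(200, SAMPLE_MISSING, detector),
        "real": classify(200, SAMPLE_REAL, detector),
        "hard_404": classify(404, SAMPLE_REAL, detector),
        "forced_valid": classify(404, SAMPLE_REAL, detector, forced_valid="404"),
    }


if __name__ == "__main__":
    print(demo())
```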

Scan Settings: Policy


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Scan Settings category, select Policy.
You can change to a different policy when starting a scan through the Scan Wizard, but the policy you
select here will be used if you do not select an alternate.
You can also create, import, or delete policies.

Creating a Policy
To create a policy:
 1. Click Create.
The Policy Manager tool opens.
 2. Select New from the File menu (or click the New Policy icon).
 3. Select the policy on which you will model a new one.
 4. Refer to the Policy Manager on-line Help for additional instructions.

Editing a Policy
To edit a policy:
 1. Select a custom policy.
Only custom policies may be edited.
 2. Click Edit.


The Policy Manager tool opens.


 3. Refer to the on-line Help for additional instructions.

Importing a Policy
To import a policy:
 1. Click Import.
 2. On the Import Custom Policy window, click the ellipsis button (...).
 3. Using the Files of type list on the standard file-selection window, choose a policy type:
 l Policy Files (*.policy): Policy files designed and created for versions of Fortify WebInspect
beginning with version 7.0.
 l Old Policy Files (*.apc): Policy files designed and created for versions of Fortify WebInspect prior
to version 7.0.
 l All Files (*.*): Files of any type, including non-policy files.
 4. Click OK.
A copy of the policy is created in the Policies folder (the default location is C:\ProgramData\HP\HP
WebInspect\Policies\). The policy and all of its enabled checks are imported into SecureBase using
the specified policy name. Custom agents are not imported.

Deleting a Policy
To delete a policy:
 1. Select a custom policy.
Only custom policies may be deleted.
 2. Click Delete.



Chapter 7: Crawl Settings
This chapter describes the Crawl Settings that are used by the Fortify WebInspect crawler.
The Fortify WebInspect crawler is a software program designed to follow hyperlinks throughout a Web
site, retrieving and indexing pages to document the hierarchical structure of the site. The parameters
that control the manner in which Fortify WebInspect crawls a site are available from the Crawl Settings
list.
See Also
"Crawl Settings: Link Parsing" below
"Crawl Settings: Link Sources" below
"Crawl Settings: Session Exclusions" on page 390

Crawl Settings: Link Parsing


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Crawl Settings category, select Link Parsing.
Fortify WebInspect follows all hyperlinks defined by HTML (using the <a href> tag) and those defined
by scripts (JavaScript and VBScript). However, you may encounter other communications protocols that
use a different syntax for specifying links. To accommodate this possibility, you can use the Custom
Links feature and regular expressions to identify links that you want Fortify WebInspect to follow.
These are called special link identifiers.

Adding a Specialized Link Identifier


To add a specialized link identifier:
 1. Click Add.
The Specialized Link Entry window opens.
 2. In the Specialized Link Pattern box, enter a regular expression designed to identify the link.
 3. (Optional) Enter a description of the link in the Comment box.
 4. Click OK.

Crawl Settings: Link Sources


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Crawl Settings category, select Link Sources.


What is Link Parsing?


The Fortify WebInspect crawler sends a request to a start URL and recursively parses links (URLs) from
the response content. These links are added to a work queue and the crawler iterates through the
queue until it is empty. The techniques used to extract the link information from the HTTP responses
are collectively referred to as ‘link parsing.’ There are two choices for how the crawler performs link
parsing: Pattern-based and DOM-based.

Pattern-based Parsing
Pattern-based link parsing uses a combination of text searching and pattern matching to find URLs.
These URLs include the ordinary content that is rendered by a browser, such as <A> elements, as well as
invisible text that may reveal additional site structure.
This option matches the default behavior of Fortify WebInspect 10.40 and earlier versions. This is a
more aggressive approach to crawling the website and can increase the amount of time it takes to
conduct a scan. The aggressive behavior can cause the crawler to create many extra links which are not
representative of actual site content. For these situations, DOM-based parsing should expose the site’s
URL content with fewer false positives.

Note: All of the DOM-based Parsing techniques for finding links are used when Pattern-based
Parsing is selected. Pattern-based Parsing, however, is not capable of computing the metadata for
the link source. DOM-based Parsing is capable of computing this information and thus provides
more intelligent parsing. DOM-based Parsing also provides more control over which parsing
techniques are used.

DOM-based Parsing
The Document Object Model (DOM) is a programming concept that provides a logical structure for
defining and building HTML and XML documents, navigating their structure, and editing their elements
and content.
A graphical representation of an HTML page rendered as DOM would resemble an upside-down tree:
starting with the HTML node, then branching out in a tree structure to include the tags, sub-tags, and
content. This structure is called a DOM tree.
Using DOM-based parsing, Fortify WebInspect parses HTML pages into a DOM tree and uses the
detailed parsed structure to identify the sources of hyperlinks with higher fidelity and greater
confidence. DOM-based parsing can reduce false positives and may also reduce the degree of
‘aggressive link discovery.’
On some sites, the crawler iteratively requests bad links and the resulting responses echo those links
back in the response content, sometimes adding extra text that compounds the problem. These
repeated cycles of ‘bad links in and bad links out’ can cause scans to run for a long time or, in rare cases,
forever. DOM-based parsing and careful selection of link sources provide a mechanism for limiting this
runaway scan behavior. Web applications vary in structure and content, and some experimentation may
be required to get optimal link source configurations.


To refine DOM-based Parsing, select the techniques you want to use for finding links. Clearing
techniques that may not be a concern for your site may decrease the amount of time it takes to
complete the scan. For a more thorough scan, however, select all techniques or use Pattern-based
Parsing. The DOM-based Parsing techniques are described in the following table. For more information,
see "Limitations of Link Source Settings" on page 390.

Technique Description

Include Comment Links (Aggressive)
Programmers may leave notes to themselves that include links inside HTML comments that are not
visible on the site, but may be discovered by an attacker. Use this option to find links inside HTML
comments. Fortify WebInspect will find more links, but these may not always be valid URLs, causing the
crawler to try to access content that does not exist. Also, the same link can be on every page and those
links can be relative, which can exponentially increase the URL count and lengthen the scan time.

Include Conditional Comment Links
A conditional comment link occurs when the HTML on the page is conditionally included or excluded
depending on the user agent (browser type and version) making the request.
Regular comment example:
<!-- hidden.txt -->
Conditional comment example:
<!--[if lt IE 9]>
<script src="//www.somesite.com/static/v/all/js/html5sh.js"></script>
<link rel="stylesheet" type="text/css" href='//www.somesite.com/static/v/fn-hp/css/IE8.css'>
<![endif]-->
Fortify WebInspect emulates browser behaviors in evaluating HTML code and processes the DOM
differently depending on the user agent. A link found in a comment by one user agent is a normal HTML
link for other user agents.
Use this option to find conditional links that are inside HTML comments, such as those commented out
based on browser version. These conditional statements may also contain script includes that need to
be executed when script parsing is enabled. Crawling these links will be more thorough, but can increase
the scan time. Additionally, such comments may be out of date and pointless to crawl.

Include Plain Text Links
Plain text in a .txt file or a paragraph inside HTML code can be formatted as a URL, such as
http://www.something.com/mypage.html. However, because this is only text and not a true link, the
browser would not render it as a link, and the text would not be functionally part of the page. For
example, the content may be part of a page that describes how to code in HTML using fake syntax that
is not meant to be clicked by users. Use this option for Fortify WebInspect to parse these text links and
queue them for a crawl.
Also, using smart pattern matches, Fortify WebInspect can identify common file extensions, such as
.css, .js, .bmp, .png, .jpg, .html, etc., and add these files to the crawl queue. Auditing these files that
are referenced in plain text can produce false positives.

Include Links in Static Script Blocks
Use this option for Fortify WebInspect to examine inside the opening and closing script tags for text
that looks like links. Valid links may be found inside these script blocks, but developers may also leave
comments that include text resembling links inside the opening and closing script tags. For example:
<script type="text/javascript">
// go to http://www.foo.com/blah.html for help
var url = "http://www.foo.com/xyz/" + path + "?help"
</script>
Additionally, JavaScript code inside these tags can be handled by the JavaScript execution engine
during the scan. However, searching for static links in a line of code that sets a variable, such as the
"var url" in the example above, can create problems when those partial paths are added to the queue for
crawling. If the variable includes a relative link with a common extension, such as "foo.html", the crawler
will append the extension to the end of every page that includes the line of code. This can produce
unusable URLs and may create false positives.

Parse URLs Embedded in URLs
Use this option for Fortify WebInspect to parse any text that is inside an href attribute and add it to the
crawl queue. The following is an example of a URL embedded in a URL:
<a href="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
On some sites, however, file not found pages return the URL in a form action tag and append the URL
to the original URL as follows:
<form action="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
Fortify WebInspect will then request the form action, and receive another file not found response,
again with the URL appended in a form action, as shown below:
<form action="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
On such a site, these URLs will continue to produce file not found responses that add more URLs to the
crawl queue, creating an infinite crawl loop. To avoid adding this type of URL to the crawl queue, do not
use this option.

Allow Un-rooted URLs (for the above items)
This option modifies the behavior of the previous five options. Some URLs do not include the specific
scheme, such as http, and are not fully qualified domain names. These URLs, which may resemble
xyz.html, are considered unanchored or "un-rooted." The assumption is that the un-rooted URL is
relative to the request.
For example, the non-fully qualified URL <a href='foo.html' /> does not include a scheme. This URL uses
the scheme of the context URL. If an HTTPS page requested to get the content, then HTTPS would be
prepended to the URL.
Use this option to treat un-rooted URLs as links when parsing. If this option is selected, the scan will be
more thorough and more aggressive, but may take considerably longer to complete.
URL Samples and Parsing Results
The following samples describe various URLs and how they are parsed during a crawl.

A Normal URL
The URL in the following request includes a forward (or anchor) slash.
    Request from http://www.foo.com/x/y/z/
    For <a href='/bar.html' />
    Results in a link to http://www.foo.com/bar.html.

Simple Un-rooted URL
The URL in the following request is un-rooted because it does not include a forward slash.
    Request from http://www.foo.com/
    For <a href='bar.html' />
    Results in a link to http://www.foo.com/bar.html.

Long Un-rooted URL
The following request shows a long, un-rooted URL.
    Request from http://www.foo.com/x/y/z/
    For <a href='bar.html' />
    Results in a link to http://www.foo.com/x/y/z/bar.html.

Comments in Code
You may include comments, such as <!-- baz_ads.js -->, in your code before a script include. The
following request shows how this comment is interpreted during an aggressive crawl.
    Request from http://www.foo.com/x/y/z/
    For <!-- baz_ads.js -->
    Results in a link to http://www.foo.com/x/y/z/baz_ads.js
If you include this comment on your master page, then during an aggressive scan, the comment will be
discovered on many, if not all, page responses in the site. This configuration can cause runaway scans.

The comment <!-- baz_ads.js --> on the master page results in multiple links:
    http://www.foo.com/baz_ads.js
    http://www.foo.com/x/baz_ads.js
    http://www.foo.com/x/y/baz_ads.js
    http://www.foo.com/x/y/z/baz_ads.js
    And so on for all pages in the site.
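The resolution rules behind the four samples above (rooted versus un-rooted hrefs, the Allow Un-rooted URLs switch, and the master-page comment that fans out into one URL per folder), as an added Python example rather than Fortify WebInspect's own parser. The comment-link pattern, the sample site and the rule that un-rooted hrefs are dropped when the option is off are assumptions made for illustration.

```python
"""Added example (not Fortify WebInspect code): how the hrefs in the samples above
resolve against the request URL, and why a comment link on a master page turns
into one URL per folder during an aggressive crawl."""
import re
from typing import Iterable, List
from urllib.parse import urljoin, urlsplit

# Constructed pattern: an HTML comment whose entire body is one file-like token
# (contains a dot, no whitespace), e.g. "<!-- baz_ads.js -->".
COMMENT_LINK_RE = re.compile(r"<!--\s*([^\s<>]+\.[^\s<>]+)\s*-->")


def is_rooted(href: str) -> bool:
    """Rooted = carries a scheme, is protocol-relative (//host/...), or starts at '/'."""
    return bool(urlsplit(href).scheme) or href.startswith("/")


def resolve_link(request_url: str, href: str) -> str:
    """Resolve like a browser: a rooted href replaces the path (or the whole
    authority); an un-rooted href is relative to the request's folder."""
    return urljoin(request_url, href)


def links_to_follow(request_url: str, hrefs: Iterable[str], allow_unrooted: bool) -> List[str]:
    """Model the 'Allow Un-rooted URLs' switch (assumption: with it cleared, only
    rooted hrefs become crawl-queue entries)."""
    return [resolve_link(request_url, href) for href in hrefs
            if allow_unrooted or is_rooted(href)]


def comment_links(html: str) -> List[str]:
    """Aggressive crawl: treat file-like tokens inside HTML comments as hrefs."""
    return COMMENT_LINK_RE.findall(html)


def master_page_fanout(page_urls: Iterable[str], master_html: str) -> List[str]:
    """A comment included on every page yields one distinct URL per folder,
    because each un-rooted token resolves against the page that served it."""
    found = set()
    for page_url in page_urls:
        for href in comment_links(master_html):
            found.add(resolve_link(page_url, href))
    return sorted(found)


# Constructed sample site: four folders that all render the same master page.
SITE_PAGES = ["http://www.foo.com/", "http://www.foo.com/x/",
              "http://www.foo.com/x/y/", "http://www.foo.com/x/y/z/"]
MASTER_HTML = ("<html><head><!-- baz_ads.js -->"
               '<script src="/static/ads.js"></script></head>'
               "<body><a href='bar.html'>bar</a><a href='/bar.html'>root</a></body></html>")


if __name__ == "__main__":
    for url in master_page_fanout(SITE_PAGES, MASTER_HTML):
        print(url)
```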

Form Actions, Script Includes, and Stylesheets


Some link types—such as form actions, script includes, and stylesheets—are special and are treated
differently than other links. On some sites, it may not be necessary to crawl and parse these links.
However, if you want an aggressive scan that attempts to crawl and parse everything, the following
options will help accomplish this goal. For more information, see "Limitations of Link Source Settings" on
page 390.

Note: You can also allow un-rooted URLs for each of these options. See “Allow Un-rooted URLs” in
this topic.

Option Description

Crawl Form Action Links
When Fortify WebInspect encounters HTML forms during the crawl, it creates variations on the inputs
that a user can make and submits the forms as requests to solicit more site content. For example, for
forms with a POST method, Fortify WebInspect can use a GET instead and possibly reveal information.
In addition to this type of crawling, use this option for Fortify WebInspect to treat form targets as
normal links.

Crawl Script Include Links
A script include imports JavaScript from a .js file and processes it on the current page. Use this option
for Fortify WebInspect to crawl the .js file as a link.

Crawl Stylesheet Links
A stylesheet link imports the style definitions from a .css file and renders them on the current page. Use
this option for Fortify WebInspect to crawl the .css file as a link.

Miscellaneous Options
The following additional options may help improve link parsing for your site. For more information, see
"Limitations of Link Source Settings" on the next page.

Option Description

Crawl Links on FNF Pages
If you select this option, Fortify WebInspect will look for and crawl links on responses that are marked
as "file not found."
This option is selected by default when the Scan Mode is set to Crawl Only or Crawl & Audit. The option
is not available when the Scan Mode is set to Audit Only.

Suppress URLs with Repeated Path Segments
Many sites have text that resembles relative paths that become unusable URLs after Fortify WebInspect
parses them and appends them to the URL being crawled. These occurrences can result in a runaway
scan if paths are continuously appended, such as /foo/bar/foo/bar/. This setting helps reduce such
occurrences and is enabled by default.
With the setting enabled, the options are:
1 – Detect a single sub-folder repeated anywhere in the URL and reject the URL if there is a match. For
example, /foo/baz/bar/foo/ will match because "/foo/" is repeated. The repeat does not have to occur
adjacently.
2 – Detect two (or more) pairs of adjacent sub-folders and reject the URL if there is a match. For
example, /foo/bar/baz/foo/bar/ will match because "/foo/bar/" is repeated.
3 – Detect two (or more) sets of three adjacent sub-folders and reject the URL if there is a match.
4 – Detect two (or more) sets of four adjacent sub-folders and reject the URL if there is a match.
5 – Detect two (or more) sets of five adjacent sub-folders and reject the URL if there is a match.
If the setting is disabled, repeating sub-folders are not detected and no URLs are rejected due to
matches.
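The five levels of Suppress URLs with Repeated Path Segments, reimplemented as an added Python example (not Fortify WebInspect code) so the effect of each level on a queue of sample URLs can be checked before a scan. Treating a final segment without a trailing slash as a file name, and requiring the repeated runs to be non-overlapping, are assumptions about details the table does not spell out.

```python
"""Added example (not Fortify WebInspect code): the 'Suppress URLs with Repeated
Path Segments' levels described above, applied to a constructed crawl queue."""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


def path_folders(url: str) -> List[str]:
    """Sub-folders of the URL path. Assumption: a final segment without a
    trailing slash is a file name and does not count as a folder."""
    path = urlsplit(url).path
    parts = [p for p in path.split("/") if p]
    if parts and not path.endswith("/"):
        parts = parts[:-1]
    return parts


def has_repeated_segments(url: str, level: int) -> bool:
    """Level 1: one folder name appears more than once anywhere in the path.
    Level n >= 2: some run of n adjacent folders occurs two or more times
    (assumption: the occurrences must not overlap)."""
    folders = path_folders(url)
    if level == 1:
        return len(set(folders)) < len(folders)
    runs = [tuple(folders[i:i + level]) for i in range(len(folders) - level + 1)]
    for i, run in enumerate(runs):
        # A second copy of this run can only start `level` folders later.
        if run in runs[i + level:]:
            return True
    return False


def should_reject(url: str, level: Optional[int]) -> bool:
    """level None models the setting being disabled: nothing is rejected."""
    if level is None or level < 1:
        return False
    return has_repeated_segments(url, level)


def filter_crawl_queue(urls: Iterable[str], level: Optional[int]) -> List[str]:
    """Return the URLs that survive the repeated-segment filter, in order."""
    return [url for url in urls if not should_reject(url, level)]


# Constructed sample queue, ending with the runaway pattern the setting targets.
SAMPLE_QUEUE = [
    "http://www.foo.com/x/y/z/page.html",
    "http://www.foo.com/foo/baz/bar/foo/",
    "http://www.foo.com/foo/bar/baz/foo/bar/",
    "http://www.foo.com/foo/bar/foo/bar/foo/bar/foo/bar/",
]


if __name__ == "__main__":
    for level in (None, 1, 2, 3, 4, 5):
        kept = filter_crawl_queue(SAMPLE_QUEUE, level)
        print(f"level {level}: {len(kept)} of {len(SAMPLE_QUEUE)} URLs kept")
```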

Limitations of Link Source Settings


Clearing a link source check box prevents the crawler from processing that specific kind of link when it is
found using static parsing. However, these links can be found in many other ways. For example, clearing
the Crawl Stylesheet Links option does not control path truncation nor suppress .css file requests
made by the script engine. Clearing this setting only prevents static link parsing of the .css response
from the server. Similarly, clearing the Crawl Script Include Links option does not suppress .js, AJAX,
frameIncludes, or any other file request made by the script engine. Therefore, clearing a link source
check box is not a universal filter for that type of link source.
The goal for clearing a check box is to prevent potentially large volumes of bad links from cluttering the
crawl and resulting in extremely long scan times.

Crawl Settings: Session Exclusions


All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray
(not black) text. If you do not want these objects to be excluded from the crawl, you must remove them
from the Scan Settings - Session Exclusions panel.
This panel (Crawl Settings - Session Exclusions) allows you to specify additional objects to be
excluded from the crawl. 

Excluded or Rejected File Extensions


If you select Reject, files having the specified extension will not be requested.
If you select Exclude, files having the specified extension will be requested, but will not be audited.

Adding a File Extension to Exclude/Reject


To add a file extension:
 1. Click Add.
The Exclusion Extension window opens.
 2. In the File Extension box, enter a file extension.
 3. Select either Reject, Exclude, or both.
 4. Click OK.


Excluded MIME Types


Files associated with the MIME types you specify will not be audited.

Adding a MIME Type to Exclude


To add a MIME Type:
 1. Click Add.
The Provide a Mime-type to Exclude window opens.
 2. In the Exclude Mime-type box, enter a MIME type.
 3. Click OK.

Other Exclusion/Rejection Criteria


You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component.
 l Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
example, you should usually reject any URL that deals with logging off the site, since you don't want
to log out of the application before the scan is completed.
 l Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to
other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified
host or URL. If you want to access the URL or host without processing the HTTP response, select the
Exclude option, but do not select Reject. For example, to check for broken links on URLs that you
don't want to process, select only the Exclude option.

Editing the Default Criteria


To edit the default criteria:
 1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
 2. Select either Host or URL.
 3. In the Host/URL box, enter a URL or fully qualified host name, or a regular expression designed to
match the targeted URL or host.
 4. Select either Reject, Exclude, or both.
 5. Click OK.

Adding Exclusion/Rejection Criteria


To add exclusion/rejection criteria:
 1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.


 2. Select an item from the Target list.


 3. If you selected Query Parameter or Post Parameter as the target, enter the Target Name.
 4. From the Match Type list, select the method to be used for matching text in the target:
 l Matches Regex - Matches the regular expression you specify in the Match String box.
 l Matches Regex Extension - Matches a syntax available from Fortify's regular expression
extensions you specify in the Match String box.
 l Matches - Matches the text string you specify in the Match String box.
 l Contains - Contains the text string you specify in the Match String box.
 5. In the Match String box, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
 6. Click  (or press Enter).
 7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
 8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.
 9. Click OK.
 10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Note: You cannot reject Response, Response Header, and Status Code Target types during a
scan. You can only exclude these Target types.

Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.

Target   Target Name   Match Type   Match String
URL      N/A           contains     Microsoft.com

Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.

Target   Target Name   Match Type   Match String
URL      N/A           contains     logout

Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."

Target            Target Name   Match Type   Match String
Query parameter   username      matches      John

Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/

Target   Target Name   Match Type      Match String
URL      N/A           matches regex   /W3SVC[0-9]*/

Chapter 8: Audit Settings
This chapter describes the Audit Settings used by Fortify WebInspect during an audit scan.
An audit is the probe or attack conducted by Fortify WebInspect which is designed to detect
vulnerabilities. The parameters that control the manner in which Fortify WebInspect conducts that
probe are available from the Audit Settings list.
See Also
"Audit Settings: Attack Exclusions" on page 397
"Audit Settings: Attack Expressions" on page 400
"Audit Settings: Session Exclusions" below
"Audit Settings: Smart Scan" on page 401
"Audit Settings: Vulnerability Filtering" on page 400

Audit Settings: Session Exclusions


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Audit Settings category, select Session Exclusions.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray
(not black) text. If you do not want these objects to be excluded from the audit, you must remove them
from the Scan Settings - Session Exclusions panel.
This panel (Audit Settings - Session Exclusions) allows you to specify additional objects to be
excluded from the audit.

Excluded or Rejected File Extensions


If you select Reject, Fortify WebInspect will not request files having the specified extension.
If you select Exclude, Fortify WebInspect will request files having the specified extension, but will not
audit them.

Adding a File Extension to Exclude/Reject


To add a file extension:
 1. Click Add.
The Exclusion Extension window opens.
 2. In the File Extension box, enter a file extension.

 3. Select either Reject, Exclude, or both.
 4. Click OK.

Excluded MIME Types


Fortify WebInspect will not audit files associated with the MIME types you specify.

Adding a MIME Type to Exclude


To add a MIME type:
 1. Click Add.
The Provide a Mime-type to Exclude window opens.
 2. In the Exclude Mime-type box, enter a MIME type.
 3. Click OK.

Other Exclusion/Rejection Criteria


You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component.
 l Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
example, you should usually reject any URL that deals with logging off the site, since you don't want
to log out of the application before the scan is completed.
 l Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to
other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified
host or URL. If you want to access the URL or host without processing the HTTP response, select the
Exclude option, but do not select Reject. For example, to check for broken links on URLs that you
don't want to process, select only the Exclude option.

Editing the Default Criteria


To edit the default criteria:
 1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
 2. Select either Host or URL.
 3. In the Host/URL box, enter a URL or fully qualified host name, or a regular expression designed to
match the targeted URL or host.
 4. Select either Reject, Exclude, or both.
 5. Click OK.

Adding Exclusion/Rejection Criteria


To add exclusion/rejection criteria:
 1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
 2. Select an item from the Target list.
 3. If you selected Query Parameter or Post Parameter as the target, enter the Target Name.
 4. From the Match Type list, select the method to be used for matching text in the target:
 l Matches Regex - Matches the regular expression you specify in the Match String box.
 l Matches Regex Extension - Matches the string you specify in the Match String box, interpreted
using Fortify's regular expression extension syntax.
 l Matches - Matches the text string you specify in the Match String box.
 l Contains - Contains the text string you specify in the Match String box.
 5. In the Match String box, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
 6. Click  (or press Enter).
 7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
 8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.
 9. Click OK.
 10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Note: You cannot reject Response, Response Header, and Status Code Target types during a
scan. You can only exclude these Target types.

Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.

Target   Target Name   Match Type   Match String
URL      N/A           contains     Microsoft.com

Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.

Target   Target Name   Match Type   Match String
URL      N/A           contains     logout

Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."

Target            Target Name   Match Type   Match String
Query parameter   username      matches      John

Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/

Target   Target Name   Match Type      Match String
URL      N/A           matches regex   /W3SVC[0-9]*/
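
The exclusion logic described in both the Crawl Settings and the Audit Settings versions of the Other
Exclusion/Rejection Criteria panel, as an added Python example that is not part of this guide and not
WebInspect's own code. It models the Target / Match Type / Match String criteria, ANDs several
conditions within one exclusion, lets Reject take precedence over Exclude, and enforces the note that
Response, Response Header and Status Code targets can only be excluded. The Session and Condition
classes, the case-insensitive comparison, and the sample URLs are assumptions made for the
illustration; the rules are the four examples above plus one status-code exclusion that goes beyond
them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Session:
    """One crawl/audit session: a constructed model, not WebInspect's own data structure."""
    url: str
    post_data: str = ""
    status_code: Optional[int] = None      # unknown until the request has actually been sent
    response_headers: Dict[str, str] = field(default_factory=dict)
    response_body: str = ""


# Targets that exist only once a response has arrived. The guide's note says these can
# be excluded but never rejected: rejecting means the request is never sent at all.
RESPONSE_TARGETS = {"Response", "Response Header", "Status Code"}


@dataclass
class Condition:
    target: str            # URL, Host, Query Parameter, Post Parameter, Response, Response Header, Status Code
    match_type: str        # "Matches Regex", "Matches" or "Contains"
    match_string: str
    target_name: str = ""  # parameter or header name, for the targets that need one

    def value(self, s: Session) -> Optional[str]:
        """The piece of the session this condition is compared against (None if absent)."""
        if self.target == "URL":
            return s.url
        if self.target == "Host":
            return urlsplit(s.url).hostname
        if self.target == "Query Parameter":
            return dict(parse_qsl(urlsplit(s.url).query, keep_blank_values=True)).get(self.target_name)
        if self.target == "Post Parameter":
            return dict(parse_qsl(s.post_data, keep_blank_values=True)).get(self.target_name)
        if self.target == "Status Code":
            return None if s.status_code is None else str(s.status_code)
        if self.target == "Response Header":
            return {k.lower(): v for k, v in s.response_headers.items()}.get(self.target_name.lower())
        if self.target == "Response":
            return s.response_body
        raise ValueError(f"unknown target {self.target!r}")

    def holds(self, s: Session) -> bool:
        v = self.value(s)
        if v is None:
            return False
        # Assumption: comparisons are case-insensitive; the guide does not state the rule.
        if self.match_type == "Matches Regex":
            return re.search(self.match_string, v, re.IGNORECASE) is not None
        if self.match_type == "Matches":
            return v.lower() == self.match_string.lower()
        if self.match_type == "Contains":
            return self.match_string.lower() in v.lower()
        raise ValueError(f"unknown match type {self.match_type!r}")


@dataclass
class Exclusion:
    conditions: List[Condition]
    reject: bool = False
    exclude: bool = False

    def __post_init__(self) -> None:
        if self.reject and any(c.target in RESPONSE_TARGETS for c in self.conditions):
            raise ValueError("Response, Response Header and Status Code targets can only be excluded")

    def applies(self, s: Session) -> bool:
        return all(c.holds(s) for c in self.conditions)  # several conditions are ANDed


def classify(s: Session, exclusions: List[Exclusion]) -> str:
    """'reject': never requested. 'exclude': requested, but neither crawled for links nor
    audited. 'process': crawled and audited normally. Reject wins over exclude."""
    hits = [e for e in exclusions if e.applies(s)]
    if any(e.reject for e in hits):
        return "reject"
    if any(e.exclude for e in hits):
        return "exclude"
    return "process"


# The guide's four examples, plus one status-code exclusion that goes beyond them.
RULES = [
    Exclusion([Condition("URL", "Contains", "Microsoft.com")], reject=True),
    Exclusion([Condition("URL", "Contains", "logout")], reject=True),
    Exclusion([Condition("Query Parameter", "Matches", "John", "username")], exclude=True),
    Exclusion([Condition("URL", "Matches Regex", r"/W3SVC[0-9]*/")], exclude=True),
    Exclusion([Condition("Status Code", "Matches", "404")], exclude=True),
]

# Constructed sessions: one per rule, and one that no rule touches.
SAMPLES = [
    Session("http://www.microsoft.com/en-us/"),
    Session("http://www.test.com/applogout.jsp"),
    Session("http://www.test.com/profile?username=John&tab=1"),
    Session("http://www.test.com/W3SVC550/default.htm"),
    Session("http://www.test.com/missing", status_code=404),
    Session("http://www.test.com/index.html", status_code=200),
]


def classify_all() -> Dict[str, str]:
    """Map each sample URL to the verdict the rules above give it."""
    return {s.url: classify(s, RULES) for s in SAMPLES}
```

Two points worth checking in your own criteria: the regular expression `/W3SVC[0-9]*/` is unanchored and `[0-9]*` also accepts zero digits, so it matches a bare `/W3SVC/` directory as well as the numbered ones (use `[0-9]+` if only numbered instances are meant), and a Contains match on "logout" will also catch paths such as `/help/logout-faq.html` that do not end the session, which is why the Test button on Current Settings is useful before committing a rule.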

Audit Settings: Attack Exclusions


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Audit Settings category, select Attack Exclusions.

Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to
attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA
parameters.

Adding Parameters to Exclude


To prevent certain parameters from being modified:
 1. In the Excluded Parameters group, click Add.
The Specify HTTP Exclusions window opens.
 2. In the HTTP Parameter box, enter the name of the parameter you want to exclude.
Click  to insert regular expression notations.
 3. Choose the area in which the parameter may be found: HTTP query data or HTTP POST data. You
can select both areas, if necessary.
 4. Click OK.

Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack
the Web site. This feature is used to avoid corrupting cookie values.
This setting requires you to enter the name of a cookie.

In the following example HTTP response, the name of the cookie is "FirstCookie."
  Set-Cookie: FirstCookie=Chocolate+Chip; path=/

Excluding Certain Cookies


To exclude certain cookies:
 1. In the Excluded Headers group, click Add.
The Regular Expression Editor appears.
Note: You can specify a cookie using either a text string or a regular expression.

 2. To enter a text string:
 a. In the Expression box, type a cookie name.
 b. Click OK.
 3. To enter a regular expression:
 a. In the Expression box, type or paste a regular expression that you believe will match the text
for which you are searching.
Click to insert regular expression notations.
 b. In the Comparison Text box, type or paste the text that is known to contain the string you
want to find (as specified in the Expression box).
 c. To find only those occurrences matching the case of the expression, select the Match Case
check box.
 d. If you want to replace the string identified by the regular expression, select the Replace check

Micro Focus Fortify WebInspect (19.2.0) Page 398 of 482


User Guide
Chapter 8: Audit Settings

box and then type or select a string from the Replace box.
 e. Click Test to search the comparison text for strings that match the regular expression. Matches
will be highlighted in red.
 f. Did your regular expression identify the string?
 o If yes, click OK.
 o If no, verify that the Comparison Text contains the string you want to identify or modify the
regular expression.

Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to
attack the Web site. This feature is used to avoid corrupting header values.

Excluding Certain Headers


To prevent certain headers from being modified, create a regular expression using the procedure
described below.
 1. In the Excluded Headers group, click Add.
The Regular Expression Editor appears.
Note: You can specify a header using either a text string or a regular expression.

 2. To enter a text string:
 a. In the Expression box, type a header name.
 b. Click OK.
 3. To enter a regular expression:
 a. In the Expression box, type or paste a regular expression that you believe will match the text
for which you are searching.
Click to insert regular expression notations.
 b. In the Comparison Text box, type or paste the text that is known to contain the string you
want to find (as specified in the Expression box).
 c. To find only those occurrences matching the case of the expression, select the Match Case
check box.
 d. If you want to replace the string identified by the regular expression, select the Replace check
box and then type or select a string from the Replace box.
 e. Click Test to search the comparison text for strings that match the regular expression. Matches
will be highlighted in red.
 f. Did your regular expression identify the string?
 o If yes, click OK.
 o If no, verify that the Comparison Text contains the string you want to identify or modify the
regular expression.
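
How the three Attack Exclusions lists (Excluded Parameters, Excluded Cookies and Excluded Headers)
change which parts of a request the audit is allowed to mutate, as an added Python example that is not
from this guide or from WebInspect. The Request and AttackExclusions classes, the whole-name
regular-expression matching of each entry, and the sample request and settings are assumptions; the
Set-Cookie parsing reproduces the "FirstCookie" example from the Excluded Cookies section.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit


def cookie_name(set_cookie_value: str) -> str:
    """Name of the cookie in a Set-Cookie header value: the text before the first '='."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


@dataclass
class AttackExclusions:
    """Constructed mirror of the Attack Exclusions panel. Assumption: every entry is treated
    as a regular expression that must match the whole name, so a plain name matches only itself."""
    query_params: List[str] = field(default_factory=list)
    post_params: List[str] = field(default_factory=list)
    cookies: List[str] = field(default_factory=list)
    headers: List[str] = field(default_factory=list)


def is_excluded(name: str, patterns: List[str]) -> bool:
    return any(re.fullmatch(p, name, re.IGNORECASE) for p in patterns)


@dataclass
class Request:
    """A constructed request; the Cookie header carries the cookies sent to the server."""
    url: str
    post_data: str = ""
    headers: Dict[str, str] = field(default_factory=dict)

    def cookies(self) -> Dict[str, str]:
        result: Dict[str, str] = {}
        for part in self.headers.get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                result[k.strip()] = v.strip()
        return result


def injection_points(req: Request, ex: AttackExclusions) -> Tuple[List[str], List[str]]:
    """Split the request's inputs into (attacked, skipped), each entry as 'location:name'.
    Skipped inputs are sent unchanged so the scanner does not corrupt them."""
    attacked: List[str] = []
    skipped: List[str] = []

    def place(location: str, name: str, patterns: List[str]) -> None:
        (skipped if is_excluded(name, patterns) else attacked).append(f"{location}:{name}")

    for name, _ in parse_qsl(urlsplit(req.url).query, keep_blank_values=True):
        place("query", name, ex.query_params)
    for name, _ in parse_qsl(req.post_data, keep_blank_values=True):
        place("post", name, ex.post_params)
    for name in req.cookies():
        place("cookie", name, ex.cookies)
    for name in req.headers:
        if name.lower() != "cookie":          # cookies were handled one by one above
            place("header", name, ex.headers)
    return attacked, skipped


# Constructed sample request and settings.
SAMPLE_REQUEST = Request(
    url="http://www.test.com/cart?item=42&__VIEWSTATE=dDwxMjM&sort=price",
    post_data="qty=1&csrf_token=abc123",
    headers={
        "Host": "www.test.com",
        "User-Agent": "Mozilla/5.0",
        "Referer": "http://www.test.com/",
        "Cookie": "FirstCookie=Chocolate+Chip; session=77af",
    },
)
SAMPLE_SETTINGS = AttackExclusions(
    query_params=[r"__VIEWSTATE"],    # ASP.NET view state: mutating it only breaks the page
    post_params=[r"csrf_token"],
    cookies=[r"session"],             # leave the session cookie intact so the scan stays logged in
    headers=[r"Host", r"Referer"],
)


def demo() -> Tuple[List[str], List[str]]:
    """Attacked and skipped inputs for the sample request under the sample settings."""
    return injection_points(SAMPLE_REQUEST, SAMPLE_SETTINGS)
```

The trade-off to keep in mind when filling these lists: every name you exclude is an input the audit
never tests, so exclusions belong on values the application itself will reject or that must survive
unchanged for the scan to keep working (session identifiers, anti-forgery tokens, view state), not on
ordinary user-controlled parameters.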

Audit Inputs Editor


Using the Audit Inputs Editor, you can create or modify parameters for audit engines and checks that
require inputs.
 l To launch the tool, click Audit Inputs Editor.
 l To load inputs that you previously created using the editor, click Import Audit Inputs.

Audit Settings: Attack Expressions


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Audit Settings category, select Attack Expressions.

Additional Regular Expression Languages


You may select one of the following language code-country code combinations (as used by the
CultureInfo class in the .NET Framework Class Library):
 l zh-cn: Chinese - China
 l zh-tw: Chinese - Taiwan
 l ja-jp: Japanese - Japan
 l ko-kr: Korean - Korea
 l pt-br: Portuguese - Brazil
 l es-es: Spanish - Spain
The CultureInfo class holds culture-specific information, such as the associated language, sublanguage,
country/region, calendar, and cultural conventions. This class also provides access to culture-specific
instances of DateTimeFormatInfo, NumberFormatInfo, CompareInfo, and TextInfo. These objects
contain the information required for culture-specific operations, such as casing, formatting dates and
numbers, and comparing strings.

Audit Settings: Vulnerability Filtering


To access this feature, click the Edit menu and select Default Settings or Current Settings. Then, in
the Audit Settings category, select Vulnerability Filtering.
By applying certain filters, you can limit the display of certain vulnerabilities reported during a scan. The
options are:
 l Standard Vulnerability Definition - This filter sorts parameter names for determining equivalency
between similar requests. For example, if a SQL injection vulnerability is found in parameter "a" in
both http://x.y?a=x;b=y and http://x.y?b=y;a=x, it would be considered equivalent.
 l Parameter Vulnerability Roll-Up - This filter consolidates multiple parameter manipulation and
parameter injection vulnerabilities discovered during a single session into one vulnerability.
 l 403 Blocker - This filter revokes vulnerabilities when the status code of the vulnerable session is 403
(Forbidden).
 l Response Inspection DOM Event Parent-Child - This filter disregards a keyword search
vulnerability found in JavaScript if the same vulnerability has already been detected in the parent
session.

Adding a Vulnerability Filter


To add a filter to your default settings:
 1. Click the Edit menu and select Default Scan Settings.
 2. In the Audit Settings panel in the left column, select Vulnerability Filtering.
All available filters are listed in either the Disabled Filters list or the Enabled Filters list.
 3. To enable a filter, select a filter in the Disabled Filters list and click Add.
The filter is removed from the Disabled Filters list and added to the Enabled Filters list.
 4. To disable a filter, select a filter in the Enabled Filters list and click Remove.
The filter is removed from the Enabled Filters list and added to the Disabled Filters list.
You can also modify the settings for a specific scan by clicking the Settings button at the bottom of the
Scan Wizard or the Web Service Scan Wizard.

Suppressing Off-site Vulnerabilities


If your Web application includes links to hosts that are not in your Allowed Hosts list, Fortify
WebInspect may identify passive vulnerabilities on those hosts. To suppress all vulnerabilities against
sessions for off-site hosts that are not in your Allowed Hosts list, select the Suppress Offsite
Vulnerabilities check box.
For more information about Allowed Hosts, see "Scan Settings: Allowed Hosts" on page 355.
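
The four vulnerability filters and the off-site suppression, as an added Python example that is not
the guide's or WebInspect's own code. The Finding dataclass, the order in which the enabled filters
run, which checks take part in the roll-up, and the sample findings are assumptions; the
parameter-name sorting follows the http://x.y?a=x;b=y example above, and ';' and '&' are both accepted
as query separators because the example uses ';'.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """Constructed shape of one reported vulnerability, not WebInspect's own schema."""
    check: str                    # check name, e.g. "SQL Injection"
    url: str                      # URL of the vulnerable session
    parameter: str                # attacked parameter ("" when not parameter-based)
    status_code: int              # status code of the vulnerable session's response
    session_id: str
    parent_session: Optional[str] = None
    in_javascript: bool = False   # found by keyword search inside script content


def request_signature(url: str) -> tuple:
    """Standard Vulnerability Definition: the same path with the same parameter names in any
    order is the same request, so the names are sorted before comparison."""
    base, _, query = url.partition("?")
    names = sorted(p.split("=", 1)[0] for p in re.split(r"[;&]", query) if p)
    return (base, tuple(names))


def standard_vulnerability_definition(findings: List[Finding]) -> List[Finding]:
    seen: Set[tuple] = set()
    kept = []
    for f in findings:
        key = (f.check, f.parameter, request_signature(f.url))
        if key not in seen:
            seen.add(key)
            kept.append(f)
    return kept


# Assumption: which checks count as parameter manipulation/injection for the roll-up.
ROLLUP_CHECKS = {"Parameter Manipulation", "Parameter Injection"}


def parameter_vulnerability_rollup(findings: List[Finding]) -> List[Finding]:
    """One finding per session for the roll-up checks; the parameter names are merged into it."""
    rolled: Dict[tuple, Finding] = {}
    out = []
    for f in findings:
        if f.check not in ROLLUP_CHECKS:
            out.append(f)
            continue
        key = (f.session_id, f.check)
        if key in rolled:
            rolled[key] = replace(rolled[key], parameter=f"{rolled[key].parameter},{f.parameter}")
        else:
            rolled[key] = f
    return out + list(rolled.values())


def blocker_403(findings: List[Finding]) -> List[Finding]:
    """Revoke findings whose vulnerable session was answered with 403 Forbidden."""
    return [f for f in findings if f.status_code != 403]


def dom_event_parent_child(findings: List[Finding]) -> List[Finding]:
    """Drop a JavaScript keyword-search finding already reported on its parent session."""
    reported = {(f.session_id, f.check) for f in findings if not f.in_javascript}
    return [f for f in findings
            if not (f.in_javascript and (f.parent_session, f.check) in reported)]


def suppress_offsite(findings: List[Finding], allowed_hosts: Iterable[str]) -> List[Finding]:
    """Suppress findings on hosts outside the Allowed Hosts list."""
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in findings if (urlsplit(f.url).hostname or "") in allowed]


FILTERS = {   # applied in this order when enabled
    "Standard Vulnerability Definition": standard_vulnerability_definition,
    "Parameter Vulnerability Roll-Up": parameter_vulnerability_rollup,
    "403 Blocker": blocker_403,
    "Response Inspection DOM Event Parent-Child": dom_event_parent_child,
}


def apply_filters(findings: List[Finding], enabled: Set[str],
                  allowed_hosts: Iterable[str] = (), suppress_offsite_vulns: bool = False) -> List[Finding]:
    for name, fn in FILTERS.items():
        if name in enabled:
            findings = fn(findings)
    if suppress_offsite_vulns:
        findings = suppress_offsite(findings, allowed_hosts)
    return findings


# Constructed findings: each one exercises a different filter.
RAW = [
    Finding("SQL Injection", "http://x.y/app?a=x;b=y", "a", 200, "s1"),
    Finding("SQL Injection", "http://x.y/app?b=y;a=x", "a", 200, "s2"),   # same request, reordered
    Finding("Parameter Injection", "http://x.y/search?q=1&page=2", "q", 200, "s3"),
    Finding("Parameter Injection", "http://x.y/search?q=1&page=2", "page", 200, "s3"),
    Finding("SQL Injection", "http://x.y/admin?id=1", "id", 403, "s4"),
    Finding("Keyword Search", "http://x.y/page", "", 200, "s5"),
    Finding("Keyword Search", "http://x.y/static/app.js", "", 200, "s6", parent_session="s5", in_javascript=True),
    Finding("Information Disclosure", "http://cdn.other.example/lib.js", "", 200, "s7"),
]


def demo() -> List[Finding]:
    """All four filters enabled plus off-site suppression with x.y as the only allowed host."""
    return apply_filters(RAW, set(FILTERS), allowed_hosts={"x.y"}, suppress_offsite_vulns=True)
```

Note what each filter hides rather than fixes: the 403 Blocker assumes a Forbidden response means the
attack was stopped, so a check whose payload is reflected in a 403 error page would be revoked too, and
off-site suppression removes real findings on third-party hosts, which is appropriate only when those
hosts are genuinely out of scope.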

Audit Settings: Smart Scan


To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings.
Then, in the Audit Settings category, select Smart Scan.

Enable Smart Scan


Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and
checks for known vulnerabilities against that specific server type. For example, if you are scanning a site
hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is
susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.
If you select this option, you can choose one or more of the identification methods described below.

Use regular expressions on HTTP responses


This method, employed by previous releases of Fortify WebInspect, searches the server response for
strings that match predefined regular expressions designed to identify specific servers.

Use server analyzer fingerprinting and request sampling


This advanced method sends a series of HTTP requests and then analyzes the responses to determine
the server/application type.

Custom server/application type definitions


If you know the server type for a target domain, you can select it using the Custom server/application
type definitions section. This identification method overrides any other selected method for the server
you specify.
To specify a custom definition:
 1. Click Add.
The Server/Application Type Entry window opens.
 2. In the Host box, enter the domain name or host, or the server's IP address.
 3. (Optional) Click Identify.
Fortify WebInspect contacts the server and uses the server analyzer fingerprinting method to
determine the server type. If successful, it selects the corresponding check box in the
Server/Application Type list.
Note: Alternatively, if you select the Use Regular Expressions option, enter a regular
expression designed to identify a server. Click to insert regular expression notations or to
launch the Regular Expression Editor (which facilitates the creation and testing of an
expression).

 4. Select one or more entries from the Server/Application Type list.
 5. Click OK.
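
The Smart Scan identification flow with a custom server/application type definition overriding the
regular-expression method, as an added Python example that is not from this guide or from WebInspect.
The signature expressions, the check catalogue, the behaviour when no server type is identified (every
check runs) and the sample header blocks are all assumptions; the request-sampling method is not
modelled.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed signatures for the "regular expressions on HTTP responses" method. The
# expressions WebInspect itself uses are not on the page; these three are illustrative.
SIGNATURES: Dict[str, str] = {
    "IIS": r"^Server:\s*Microsoft-IIS/",
    "Apache": r"^Server:\s*Apache",
    "nginx": r"^Server:\s*nginx",
}

# Constructed check catalogue: each check lists the server types it is relevant to;
# "*" marks a check that applies to every server.
CHECKS: Dict[str, Set[str]] = {
    "iis-config-check": {"IIS"},
    "apache-config-check": {"Apache"},
    "nginx-config-check": {"nginx"},
    "generic-injection-check": {"*"},
}


def identify_by_regex(raw_headers: str) -> Optional[str]:
    """Search the raw response headers for the first matching predefined expression."""
    for server_type, pattern in SIGNATURES.items():
        if re.search(pattern, raw_headers, re.IGNORECASE | re.MULTILINE):
            return server_type
    return None


class SmartScan:
    def __init__(self, use_regex: bool = True, custom: Optional[Dict[str, str]] = None) -> None:
        self.use_regex = use_regex
        # Custom server/application type definitions keyed by host. As the guide says,
        # a custom definition overrides every other identification method for that host.
        self.custom = {host.lower(): stype for host, stype in (custom or {}).items()}

    def server_type(self, host: str, raw_headers: str) -> Optional[str]:
        if host.lower() in self.custom:
            return self.custom[host.lower()]
        if self.use_regex:
            return identify_by_regex(raw_headers)
        return None

    def checks_for(self, host: str, raw_headers: str) -> List[str]:
        """Checks the audit would run against this host. Assumption: when no server type
        could be identified nothing is skipped, so every check in the catalogue runs."""
        stype = self.server_type(host, raw_headers)
        if stype is None:
            return sorted(CHECKS)
        return sorted(name for name, types in CHECKS.items() if "*" in types or stype in types)


# Constructed response header blocks.
IIS_HEADERS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Type: text/html\r\n\r\n"
NO_SERVER_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def demo() -> Dict[str, List[str]]:
    """Three hosts: identified by regex, overridden by a custom definition, and unidentified."""
    scan = SmartScan(custom={"legacy.test.com": "Apache"})
    return {
        "www.test.com": scan.checks_for("www.test.com", IIS_HEADERS),
        "legacy.test.com": scan.checks_for("legacy.test.com", IIS_HEADERS),   # override wins
        "unknown.test.com": scan.checks_for("unknown.test.com", NO_SERVER_HEADERS),
    }
```

The caveat this makes visible is that Smart Scan trades coverage for speed on the strength of one
identification: a wrong or stale custom definition, or a reverse proxy that rewrites the Server header,
silently removes every server-specific check for that host, so verify the detected type on the
dashboard before relying on it.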

Chapter 9: Application Settings
This chapter describes the settings that define where Fortify WebInspect stores scan data and log files,
as well as settings for licensing, telemetry, and SmartUpdates. These settings also configure Fortify
WebInspect to interact with other applications, such as Micro Focus Application Lifecycle Management
(ALM).

Application Settings: General


To access this feature, click Edit > Application Settings and then select General.

General
The General options are described in the following table.

Option Description

Enable Active Content in Browser Views
Select this option to allow execution of JavaScript and other dynamic content in all browser windows
within Fortify WebInspect.
For example, one Fortify WebInspect attack tests for cross-site scripting by attempting to embed a
script in a dynamically generated Web page. That script instructs the server to display an alert
containing the number "76712." If active content is enabled and if the attack is successful (i.e.,
cross-site scripting is possible), then selecting the vulnerable session and clicking on Web Browser in
the Session Info panel will execute the script and display that alert.

Note: If you initiate or open a scan while this option is disabled, and you then enable this option,
the browser will not execute the active content until you close and then reopen the scan.

Enable Diagnostic File Creation
If the Fortify WebInspect application should ever fail, this option forces Fortify WebInspect to create a
file containing data that was stored in main memory at the time of failure. You can then provide the
file to Fortify support personnel.
If you select this option, you may also specify how many diagnostic files should be retained. When the
number of files exceeds this limit, the oldest file will be deleted.

Reset "Don't Show Me Again" messages
By default, Fortify WebInspect displays various prompts and dialog boxes to remind you of certain
consequences that may occur as a result of an action you take. These dialog boxes contain a check box
labeled "Don't show me again." If you select that option, Fortify WebInspect discontinues displaying
those messages. You can force Fortify WebInspect to resume displaying those messages if you click
Reset "Don't Show Me Again" messages.

Use Seven Pernicious Kingdom (7PK) Taxonomy
This option allows you to select The Seven Pernicious Kingdoms taxonomy for ordering and organizing
the reported vulnerabilities.
Seven Pernicious Kingdoms (7PK) is a taxonomy of software security errors developed by the Fortify
Software Security Research Group together with Dr. Gary McGraw. Each vulnerability category is
accompanied by a detailed description of the issue with references to original sources and code
excerpts, where applicable, to better illustrate the problem.
The organization of the classification scheme is described with the help of terminology borrowed from
biology: vulnerability categories are referred to as phyla, while collections of vulnerability categories
that share the same theme are referred to as kingdoms. Vulnerability phyla are classified into
pernicious kingdoms presented in the order of importance to software security.
The seven kingdoms are:
 1. Input Validation and Representation
 2. API Abuse
 3. Security Features
 4. Time and State
 5. Errors
 6. Code Quality
 7. Encapsulation
* Environment
The first seven kingdoms are associated with security defects in source
code, while the last one describes security issues outside the actual code.
The primary goal of defining this taxonomy is to organize sets of security
rules that can be used to help software developers understand the kinds of
errors that have an impact on security. By better understanding how
systems fail, developers will better analyze the systems they create, more
readily identify and address security problems when they see them, and
generally avoid repeating the same mistakes in the future. For more
information, see https://vulncat.fortify.com/.
You might want to use the Seven Pernicious Kingdoms taxonomy if you
are integrating Fortify WebInspect with other Micro Focus Fortify products
as it provides for a unified taxonomy.

WebInspect Agent
The Fortify WebInspect Agent options are described in the following table.

Option Description

Use WebInspect Agent information when encountered on target site
If this option is selected and Fortify WebInspect detects that Fortify WebInspect Agent is installed on a
target server, it will incorporate Fortify WebInspect Agent information to improve overall scan
efficiency.
A notation on the Fortify WebInspect dashboard indicates whether or not Fortify WebInspect Agent has
been detected.

Automatically group by duplicate vulnerabilities in vulnerability window
If this option is selected and Fortify WebInspect Agent information is used (above setting), then
vulnerabilities listed on the Vulnerability tab in the Summary pane will be grouped by check and then by
equivalent vulnerabilities.

Allow WebInspect Agent to suggest attack strategy
If this option is selected and Fortify WebInspect Agent information is used (see Use WebInspect Agent
Information When Encountered on Target Site above), the agent operates in an active mode and can
suggest attack strategies to Fortify WebInspect to improve accuracy and performance.
This feature requires version 4.1 or above of the Fortify WebInspect Agent and you must be using the
Seven Pernicious Kingdoms taxonomy.

Web Macro Recorder


Fortify WebInspect includes two versions of the Web Macro Recorder, each using a different version of
the macro engine for navigating web sites and recording macros. The Web Macro Recorder with Macro
Engine 4.0 is the default version. However, for improved compatibility with recording macros on
applications built in modern frameworks, you can use the new Web Macro Recorder with Macro Engine
5.0.

Important! The Web Macro Recorder with Macro Engine 5.0 is provided as a technology preview.
Technology preview features are currently unsupported, may not be functionally complete, and are
not suitable for deployment in production. However, these features are provided as a courtesy and
the primary objective is for the feature to gain wider exposure with the goal of full support in the
future.

When you first launch Fortify WebInspect, the application prompts you with the option to enable the
new Web Macro Recorder with Macro Engine 5.0. If you do not enable the new version at that time, you
can enable it in the Application Settings: General.
To enable the Web Macro Recorder with Macro Engine 5.0:
 1. In the Default Web Macro Recorder drop-down list, select Macro Engine 5.0.
 2. Click OK.
The new version of the Web Macro Recorder is set as default.

Accessibility of Web Macro Recorder with Macro Engine 5.0


The Web Macro Recorder with Macro Engine 5.0 is:
 l Accessible from the Basic Scan Wizard in Fortify WebInspect only
 l Not accessible from nor compatible with the Guided Scan Wizard
 l Not accessible from Fortify WebInspect Enterprise

Application Settings: Database


To access this feature, click Edit > Application Settings and then select Database.

Connection Settings for Scan/Report Storage


Select the device that will store Fortify WebInspect scan and report data. The choices are:
 l Use SQL Server Express (for SQL Server Express Edition). Data for each scan will be stored in a
separate database.
 l Use SQL Server (for SQL Server Standard Edition). Data for multiple scans will be stored in a single
database. You can configure multiple database settings and assign a "profile name" to each collection
of settings, allowing you to switch easily from one configuration to another.

SQL Server Database Privileges


The account specified for the database connection must also be a database owner (DBO) for the named
database. However, the account does not require sysadmin (SA) privileges for the database server. If
the database administrator (DBA) did not generate the database for the specified user, then the
account must also have the permission to create a database and to manipulate the security permissions.
The DBA can rescind these permissions after Fortify WebInspect sets up the database, but the account
must remain a DBO for that database.

Configuring SQL Server Standard Edition


To configure a profile for SQL Server Standard Edition:
 1. Click Configure (to the right of the drop-down list).
The Manage Database Settings dialog box appears.
 2. Click Add.
The Add Database dialog box appears.
 3. Enter a name for this database profile.
 4. Select a server from the Server Name list.
 5. In the Log on to the server group, specify the type of authentication used for the selected server:
 l Use Windows Authentication - Log on by submitting the user's Windows account name and
password.
 l Use SQL Server Authentication - Use SQL Server authentication, which relies on the internal
user list maintained by the SQL Server computer. Enter the user name and password.
 6. Enter or select a specific database, or click New to create a database.
 7. Click OK to close the Add Database dialog box.
 8. Click OK to close the Manage Database Settings dialog box.

Connection Settings for Scan Viewing


When displaying a list of scans (using either the Manage Scans view or the Report Generator wizard),
Fortify WebInspect can access scan data stored in SQL Server Standard Edition and/or SQL Server
Express Edition. You can select either or both options.
 l Show Scans Stored in SQL Server Express: Select this option if you want to access scan data
stored in a local SQL Server Express Edition.
 l Show Scans Stored in SQL Server Standard: Select this option if you want to access data in SQL
Server Standard Edition. See "Configuring SQL Server Standard Edition" above for instructions.

Creating Scan Data for Site Explorer


During a scan, Fortify WebInspect creates a SQL Express database (.mdf) file or adds the scan to an
existing SQL Server database (.mdf) file. However, Site Explorer uses a variation of the traffic session
file (.tsf) format. You can configure Fortify WebInspect to create a .tsf file during a scan.

Note: The .tsf file created for Site Explorer does not include vulnerabilities and other details that
are available in the standard scan files.

To have Fortify WebInspect create a traffic file that can be displayed in Site Explorer, select the Create
Scan Data for Site Explorer check box.
When enabled, Fortify WebInspect creates a file in the format <ScanID>.tsf in the scandata folder in
the user's Fortify WebInspect directory, such as:
c:\users\<username>\appdata\local\hp\hp webinspect\scandata
If you select this check box while a scan is running, it will have no effect on the current scan. Only scans
started after this check box is selected will generate a .tsf file for Site Explorer.

Application Settings: Directories


To access this feature, click Edit > Application Settings and then select Directories.

Changing Where Fortify WebInspect Files Are Saved


You can change the locations in which Fortify WebInspect files are saved. To change locations:
 1. Click the ellipsis button  next to a category of information.
 2. Use the Browse For Folder dialog box to select or create a directory.
 3. Click OK.

Application Settings: License


To access this feature, click Edit > Application Settings and then select License.

License Details
This section provides pertinent information about the Fortify WebInspect license. If you want to change
certain provisions of the license, click Configure Licensing, which will invoke the License Wizard.

The contents of the lower section of the window depend on the type of license management currently
employed:
 • Connected directly to the Micro Focus license server. See "Direct Connection to Micro Focus" below.
 • Connected to a local AutoPass License Server (APLS). See "Connection to APLS" below.
 • Connected to a local License and Infrastructure Manager (LIM). See "Connection to LIM" on the next page.

Direct Connection to Micro Focus


Options are described in the following table.

Update: If you upgrade from a trial version or if you otherwise modify the conditions of your license, click Update. The application will contact the license server and update the information stored locally on your machine.
Note: This option is not available for installations using an AutoPass license.

Deactivate: Fortify WebInspect licenses are assigned to specific computers. If you would like to transfer this license to a different computer:
 1. Copy the activation token. Take care not to lose or misplace this number. Write it or print it, and keep it in a safe place.
 2. Click Deactivate. The application will contact the license server and release your license, allowing you to install Fortify WebInspect on another computer.
 3. At the new computer, access the Fortify WebInspect application settings for licensing and enter the activation token.

Connection to APLS
While using a concurrent (floating) license managed by your APLS, Fortify WebInspect must be
connected to your APLS at all times. If the Status shows "Disconnected," click Reconnect to reestablish a
connection to your APLS.


Connection to LIM
Select the manner in which you want the License and Infrastructure Manager to handle the Fortify
WebInspect license assigned to this computer. Options are described in the following table.

Connected License: The computer can run the Fortify software only when the computer is able to contact the LIM. Each time you start the software, the LIM allocates a seat from the license pool to this installation. When you close the software, the seat is released from the computer and allocated back to the pool, allowing another user to consume the license.

Detached License: The computer can run the Fortify software anywhere, even when disconnected from your corporate intranet (on which the LIM is normally located), but only until the expiration date you specify. This allows you to take your laptop to a remote site and run the software. When you reconnect to the corporate intranet, you can access the Application License settings and reconfigure from Detached to Connected.

Application Settings: Server Profiler


To access this feature, click Edit > Application Settings and then select Server Profiler.
Before starting a scan, Fortify WebInspect can invoke the Server Profiler to conduct a preliminary
examination of the target Web site to determine if certain scan settings should be modified. If changes
appear to be required, the Server Profiler returns a list of suggestions, which you may accept or reject.
To enable this preliminary examination, click Profile (or select Run Profiler Automatically) on Step 4.
By default, 10 specific modules are enabled. To exclude a module, clear its associated check box.

Modules
The Server Profiler modules are described in the following table.

Check for case-sensitive servers: This module determines if the host server is case-sensitive when discriminating among URLs. For example, some servers (such as IIS) do not differentiate between www.mycompany.com/samplepage.htm and www.mycompany.com/SamplePage.htm. If the profiler determines that the server is not case-sensitive, you can disable Fortify WebInspect's case-sensitive feature, which would improve the speed and accuracy of the crawl.

Check 'Maximum Folder Depth' setting: The maximum folder depth setting is intended primarily for sites that programmatically append subfolders to URLs. Without such a limit, Fortify WebInspect would endlessly crawl these dynamic folders. This module determines if the site contains valid URLs that extend beyond that limit and, if so, allows you to increase the setting.

Verify client authentication protocol: This module determines which authentication (sign-in) protocol, if any, is required. Fortify WebInspect supports HTTP Basic, NTLM, Digest, and Kerberos.

Check for additional hosts: This module searches the target site for references to additional host servers and allows you to include them as allowed hosts.

Reveal navigation parameters: This module determines if the target site uses query parameters in URLs to specify the content of the page and, if so, displays a list of parameters and values that were encountered during the analysis. You can select one or more parameters for Fortify WebInspect to use during the scan.

Check for non-standard 'file not found' responses: This module determines if a site returns a response code other than 404 when the client requests a non-existent resource. Recognizing this will prevent Fortify WebInspect from auditing non-essential responses.

Check for session state embedded in URLs: Instead of using cookies, some servers embed session state in URLs. Fortify WebInspect detects this practice by analyzing the URL with regular expressions. This module attempts to determine if changes to the regular expressions are required.

Analyze thread count: This module determines if the thread count should be lowered. Relatively high thread counts, while enabling a faster scan, can sometimes exhaust server resources.

Check for invalid audit exclusions: Fortify WebInspect settings prevent pages with certain file extensions from being audited (see "Audit Settings: Session Exclusions" on page 394). The specified extensions are for pages that ordinarily do not have query parameters in the URL of the request. If the settings are incorrect, the audit will not be as thorough. The profiler can detect when pages having audit-excluded extensions actually contain query parameters and will recommend removing those exclusions.

Verify maximum response size: A Fortify WebInspect scan setting specifies the maximum response size allowed; the default is 1,000 kilobytes. This module attempts to detect responses larger than the maximum and, if found, recommends that you increase the limit.

Optimize settings for specific applications: This module determines if you are scanning a well-known test site (such as WebGoat, Hacme Bank, etc.) and determines if Fortify WebInspect has a prepopulated settings file (a template) designed specifically for that site. These templates are configured to optimize the crawl, audit, and performance of your scans.

Add/Remove Trailing Slash: This module determines if the target site requires or prohibits a trailing slash on the start URL.

Check for cross-site request forgery: Cross-site request forgery, also known as a one-click attack or session riding, is often abbreviated as CSRF. CSRF is a type of website exploit where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. For more on CSRF, see "CSRF" on page 360.

Check for WebSphere servers: WebSphere servers require additional settings changes. This module enables the Profiler to detect when these changes are required.
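As an added illustration of two of the profiler modules above (the case-sensitivity check and the non-standard 'file not found' check), here is example code that is not part of Fortify WebInspect. The checks take an injectable fetch() function, and the fake servers, page paths and www.example.test host are constructed for the demonstration.

```python
"""Added example (not Fortify WebInspect code): offline versions of two
Server Profiler checks, driven by an injectable fetch() so they can be run
against the constructed fake servers at the bottom instead of a live host."""
import random
import string
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# A fetcher maps a URL to (status_code, response_body). A real profiler would
# wrap an HTTP client here; the fakes below stand in for it.
Fetcher = Callable[[str], Tuple[int, str]]


def swap_case_path(url: str) -> str:
    """Return the URL with the case of every letter in its path flipped."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path.swapcase()))


def server_is_case_insensitive(fetch: Fetcher, url: str) -> bool:
    """'Check for case-sensitive servers': request a known page under two
    spellings and report True if the server serves the same resource for both.
    Only a match on status and body counts; a case-sensitive host normally
    answers the flipped spelling with its not-found page."""
    status_a, body_a = fetch(url)
    status_b, body_b = fetch(swap_case_path(url))
    return status_a == status_b and body_a == body_b


def profile_not_found(fetch: Fetcher, base_url: str, probes: int = 2) -> Dict[str, object]:
    """'Check for non-standard file not found responses': request names that
    cannot exist and record how the server reports them. When every probe
    returns the same non-404 page, that page is the site's custom not-found
    response, and its (status, length) is returned as a fingerprint the scan
    can use to avoid auditing such responses as if they were real content."""
    statuses, bodies = [], []
    for _ in range(probes):
        token = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        status, body = fetch(f"{base_url.rstrip('/')}/{token}.html")
        statuses.append(status)
        bodies.append(body)
    standard = all(s == 404 for s in statuses)
    fingerprint: Optional[Tuple[int, int]] = None
    if not standard and len(set(bodies)) == 1:
        fingerprint = (statuses[0], len(bodies[0]))
    return {"statuses": statuses, "standard_404": standard, "fingerprint": fingerprint}


# --- constructed fake servers (not real hosts) used to exercise the checks ---
SITE_PAGES = {"/samplepage.htm": "<html><body>sample page</body></html>"}
SOFT_404_PAGE = "<html><body>Sorry, that page could not be found.</body></html>"


def fake_iis_like(url: str) -> Tuple[int, str]:
    """Case-insensitive host that answers missing pages with 200 and a custom page."""
    path = urlsplit(url).path.lower()
    if path in SITE_PAGES:
        return 200, SITE_PAGES[path]
    return 200, SOFT_404_PAGE


def fake_strict_host(url: str) -> Tuple[int, str]:
    """Case-sensitive host that answers missing pages with a standard 404."""
    path = urlsplit(url).path
    if path in SITE_PAGES:
        return 200, SITE_PAGES[path]
    return 404, "<html><body>Not Found</body></html>"


if __name__ == "__main__":
    for name, fetch in (("iis-like", fake_iis_like), ("strict", fake_strict_host)):
        print(name, "case-insensitive:",
              server_is_case_insensitive(fetch, "http://www.example.test/samplepage.htm"))
        print(name, "not-found profile:", profile_not_found(fetch, "http://www.example.test/"))
```

Against the iis-like fake, the profile reports a 200 with a reusable fingerprint, which is exactly the situation in which the scanner would otherwise audit the custom not-found page as real content.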

Application Settings: Step Mode


To access this feature, click Edit > Application Settings and then select Step Mode.
Options for Step Mode are described in the following table.

Default Audit Mode: Select one of the following choices:
 • Audit as you browse: While you are navigating a target Web site, Fortify WebInspect concurrently audits the pages you visit.
 • Manual Audit: This option allows you to pause the Step Mode scan and return to Fortify WebInspect, where you can select a specific session and audit it.

Proxy Listener: Select the following options:
 • Local IP Address: Step Mode requires a proxy. Specify the IP address that the proxy should use.
 • Port: Specify the port that the proxy should use, or select Automatically Assign Port.

Application Settings: Logging


To access this feature, click Edit > Application Settings and then select Logging.
The Logging options are described in the following table.

Clear Logs: Click this button to clear all logs.

Minimum Logging Level: Specify how Fortify WebInspect should log different functions and events that occur within the application. The choices are (from most verbose to least verbose) Debug, Info, Warn, Error, and Fatal.

Threshold for Log Purging: If you do not select Never Purge, Fortify WebInspect deletes all logs when either the total amount of disk space used by all logs exceeds the size you specify or the number of logs exceeds the number you specify. Alternatively, you can elect to Never Purge log files.

Rolling Log File Maximum Size: Specify the maximum size (in kilobytes) that any log file may attain. When a file reaches this limit, Fortify WebInspect simply stops writing to it.

Application Settings: Proxy


To access this feature, click Edit > Application Settings and then select Proxy Settings.
Fortify WebInspect Web services are used for update and support communications. Configure how
these services are accessed in the Proxy Settings.

Not Using a Proxy Server


If you are not using a proxy server to access these services, select Direct Connection (proxy disabled).


Using a Proxy Server


If you are required to use a proxy server to access these services, select an option as described in the
following table.

Auto detect proxy settings: Use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy autoconfig file and configure the browser's Web proxy settings.

Use System Proxy settings: Import your proxy server information from the local machine.
Note: Electing to use system proxy settings does not guarantee that you will access the Internet through a proxy server. If the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy will not be used.

Use Firefox proxy settings: Import your proxy server information from Firefox.
Note: Electing to use Firefox proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a proxy will not be used.

Configure a proxy using a PAC file: Load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in the URL box.

Explicitly configure proxy: Configure a proxy by entering the requested information. See "Configuring a Proxy" below in this topic.

Configuring a Proxy
To configure a proxy:
 1. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box) by
the port number (for example, 8080).
 2. From the Type list, select a protocol for handling TCP traffic through a proxy server: SOCKS4,
SOCKS5, or standard.
Important: Smart Update is not available if you use a SOCKS4 or SOCKS5 proxy server
configuration. Smart Update is available only when using a standard proxy server.
 3. If authentication is required, select a type from the Authentication list:


Automatic
Allow Fortify WebInspect to determine the correct authentication type. 
Note: Automatic detection slows the scanning process. If you know and specify one of the
other authentication methods, scanning performance is noticeably improved.

Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system.
Using digest authentication, your password is never sent across the network in the clear, but is
always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
HTTP Basic
A widely used, industry-standard method for collecting user name and password information.
 a. The Web browser displays a dialog box for a user to enter a previously assigned user name and
password, also known as credentials.
 b. The Web browser then attempts to establish a connection to a server using the user's
credentials.
 c. If a user's credentials are rejected, the browser displays an authentication dialog box to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before
failing the connection and reporting an error to the user.
 d. If the Web server verifies that the user name and password correspond to a valid user account,
a connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker
can easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user
and your Web server is secure.
NT LAN Manager (NTLM)
NTLM (NT LanMan) is an authentication process that is used by all members of the Windows NT
family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to
prove the client’s identity without requiring that either a password or a hashed password be sent
across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site. Use caution when configuring Fortify
WebInspect for scans of sites protected by NTLM. After scanning, you may want to disable the
NTLM authentication settings to prevent any potential problem.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a
Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication
Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to the AS, then
demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The
client then demonstrates to a Service Server that it has been approved to receive the service.
Negotiate
The Negotiate authentication protocol begins with the option to negotiate for an authentication
protocol. When the client requests access to a service, the server replies with a list of authentication
protocols that it can support and an authentication challenge based on the protocol that is its first
choice.
For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client
examines the contents of the reply and checks to determine whether it supports any of the
specified protocols. If the client supports the preferred protocol, authentication proceeds. If the
client does not support the preferred protocol, but does support one of the other protocols listed
by the server, the client lets the server know which authentication protocol it supports, and the
authentication proceeds. If the client does not support any of the listed protocols, the
authentication exchange fails.
 4. If your proxy server requires authentication, enter the qualifying user name and password.

Application Settings: Reports


To access this feature, click Edit > Application Settings and then select Reports.

Options
The Reports options are described in the following table.

Always prompt to save favorites: A "favorite" is simply a named collection of one or more reports and their associated parameters. When using the Report Generator, you can select reports and parameters, and then select Favorites > Add to favorites to create the combination. If you select this option, then Fortify WebInspect will prompt you to save the favorite whenever you modify it by adding or removing a report.

Smart truncate vulnerability text: Generated reports can contain very lengthy HTTP request and response messages. To save space and help focus on the pertinent data related to a vulnerability, you can exclude message content that precedes and follows the data that identifies or confirms the vulnerability (identified by red highlighting). The following example illustrates the report of a cross-site scripting vulnerability using "smart" truncation and a padding size of 20 characters. The complete header is always reported. The remaining message text is deleted, except for the vulnerability and the 20 characters preceding it and the 20 characters following it. The retained text is then bracketed by the notation "...TRUNCATED..." to indicate that truncation has occurred. Note that the length of the original message was 2,377 characters (Content-Length: 2377).
To use smart truncation in reports, select Smart truncate vulnerability text and then specify the number of characters to retain preceding and following the data that identifies or confirms the vulnerability. A maximum of 10 vulnerabilities can be reported in a single request or response.
Note: This feature functions as described only if the report controls containing the RequestText and ResponseText data fields have the TruncateVulnerability property set to True and the MaxLength property set to zero. If TruncateVulnerability is set to True and the MaxLength property is nonzero, then the application setting for padding size is overridden by the MaxLength value.
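As an added illustration of the smart-truncation rule described above (example code, not Fortify WebInspect's implementation), the function below keeps the complete header, retains each piece of identifying text with a padding of characters on either side, brackets the cut-outs with "...TRUNCATED...", and stops at the 10-occurrence limit. The evidence marker, padding values and the sample response are constructed for the demonstration.

```python
"""Added example (not Fortify WebInspect code): a function applying the
smart-truncation rule described above to an HTTP message. The evidence
string, padding and the sample response are constructed for illustration."""
from typing import List, Tuple

TRUNCATED = "...TRUNCATED..."


def split_header_body(message: str) -> Tuple[str, str]:
    """Split an HTTP message at the first blank line; the header is never cut."""
    for sep in ("\r\n\r\n", "\n\n"):
        idx = message.find(sep)
        if idx != -1:
            return message[: idx + len(sep)], message[idx + len(sep):]
    return message, ""  # no body present


def _windows(body: str, evidence: str, padding: int, max_hits: int) -> List[Tuple[int, int]]:
    """Locate up to max_hits occurrences of evidence and widen each by padding
    characters on both sides, merging windows that touch or overlap."""
    spans: List[Tuple[int, int]] = []
    start = 0
    while len(spans) < max_hits:
        i = body.find(evidence, start)
        if i == -1:
            break
        spans.append((max(0, i - padding), min(len(body), i + len(evidence) + padding)))
        start = i + len(evidence)
    merged: List[Tuple[int, int]] = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def smart_truncate(message: str, evidence: str, padding: int = 20, max_hits: int = 10) -> str:
    """Keep the complete header; in the body keep only the evidence plus
    padding characters either side, marking every removed stretch with
    TRUNCATED. At most max_hits occurrences are retained (the page's limit is 10)."""
    header, body = split_header_body(message)
    windows = _windows(body, evidence, padding, max_hits)
    if not windows:
        return message  # nothing identifies the vulnerability; leave it alone
    pieces: List[str] = []
    pos = 0
    for s, e in windows:
        if s > pos:
            pieces.append(TRUNCATED)
        pieces.append(body[s:e])
        pos = e
    if pos < len(body):
        pieces.append(TRUNCATED)
    return header + "".join(pieces)


# Constructed sample response: a reflected script marker buried in filler text.
EVIDENCE = "<script>probe()</script>"
SAMPLE_BODY = "<html><body>" + "A" * 100 + EVIDENCE + "B" * 100 + "</body></html>"
SAMPLE_HEADER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n"
)
SAMPLE_RESPONSE = SAMPLE_HEADER + SAMPLE_BODY

if __name__ == "__main__":
    print(smart_truncate(SAMPLE_RESPONSE, EVIDENCE, padding=20))
```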

Headers and Footers


Select a template containing the headers and footers to be used by default on all reports. Also, if
necessary, enter the requested parameters.
The Fortify WebInspect Master Report uses three images to create a report.
 • The cover page image appears in the center of the cover page, with the top of the image
approximately 3.5 inches from the top.
 • The header logo image appears on the left side of the header on every page.

Application Settings: Telemetry


To access this feature, click Edit > Application Settings and then select Telemetry.


About Telemetry
Telemetry provides an automated process for collecting and sending Fortify WebInspect usage
information to Fortify. Fortify software developers use this information to help improve the product.

Note: The information collected contains no personally identifiable data.

Use the Application Settings: Telemetry page to configure the type of information you want sent to
Fortify, as well as other Telemetry settings.

Enabling Telemetry
Select the Telemetry check box to allow Fortify WebInspect to collect and send usage information to
Fortify.

Uploading Scans via Telemetry


You can choose to upload a scan file as part of the data transmitted via telemetry. To be prompted to
upload a scan file when the scan is paused or completed, select Prompt for scan upload when a scan
stops.
The prompt enables you to upload the scan with log files or upload the scan log files only.

Setting the Upload Interval


The Upload interval (in minutes) box defines how often the collected information is sent to Fortify.
The range of values is 5-45 minutes. The default setting is 10 minutes. To change the interval:
 • To increase the interval and send information to Fortify less often, click the up arrow in the Upload
interval (in minutes) box until the desired setting appears.
 • To decrease the interval and send information to Fortify more often, click the down arrow in the
Upload interval (in minutes) box until the desired setting appears.
 • To set a specific time interval, type the number in the Upload interval (in minutes) box.

Setting the On-disk Cache Size


The Maximum on-disk cache size (in MB) box specifies how much disk cache can be allocated to the
information collected for Telemetry. The range of values is 250-1024 MB. The default setting is 500
MB. To change the cache size:
 • To increase or decrease the allocated disk cache, click the up or down arrow in the Maximum on-disk
cache size (in MB) box until the desired setting appears.
 • To set a specific cache size, type the number in the Maximum on-disk cache size (in MB) box.


Identifying Categories of Information to Send


The Categorized Telemetry Opt-in options specify the types of information to collect and send. All
options are selected by default and will be included in the data sent to Fortify. The options include such
categories as the various Fortify WebInspect features, tools, and the user interface.
To opt-out of a category:
 • Clear the category check box.

Application Settings: Run as a Sensor


To access this feature, click Edit > Application Settings and then select Run as a Sensor.

Sensor
This configuration information is used for integrating Fortify WebInspect into Fortify WebInspect
Enterprise as a sensor. After providing the information and starting the sensor service, you should
conduct scans using the Fortify WebInspect Enterprise console, not the Fortify WebInspect graphical
user interface.
The following table describes the options.

Manager URL: Enter the URL or IP address of the Fortify WebInspect Enterprise Manager.

Sensor Authentication: Enter a user name (formatted as domain\username) and password, then click Test to verify the entry.

Enable Proxy: If Fortify WebInspect must go through a proxy server to reach the Fortify WebInspect Enterprise manager, select Enable Proxy and then provide the IP address and port number of the server. If authentication is required, enter a valid user name and password.

Override Database Settings: Fortify WebInspect normally stores scan data in the device you specify in the Application Settings for database connectivity. For more information, see "Application Settings: Database" on page 406. However, if Fortify WebInspect is connected to Fortify WebInspect Enterprise as a sensor, you can select this option and then click Configure to specify an alternative device.

Service Account: Select one of the following options to specify the account under which the service should run:
 • Local system account: The LocalSystem account is a predefined local account used by the service control manager. The service has complete unrestricted access to local resources.
 • This account: Identify the account and provide the password.

Sensor Status: This area displays the current status of the Sensor Service and provides buttons allowing you to start or stop the service. After configuring Fortify WebInspect as a sensor, click Start.
Note: Normally, when Fortify WebInspect is configured as a sensor, launching Fortify WebInspect as a standalone application halts the Sensor Service. When you subsequently close Fortify WebInspect, the service restarts, placing Fortify WebInspect once again under the control of the Fortify WebInspect Enterprise manager. However, if you conduct a Smart Update while Fortify WebInspect is running as a standalone application, the service will not restart automatically. You must click the Start button (or right-click the Fortify icon in the notification area of the taskbar and select Start Sensor).

Application Settings: Override SQL Database Settings

To access this feature, click Edit > Application Settings > Run as a Sensor > Configure.

Override Database Settings


Fortify WebInspect normally stores scan data in the device you specify in the Application Settings for
database connectivity. For more information, see "Application Settings: Database" on page 406.
However, if Fortify WebInspect is connected to Fortify WebInspect Enterprise as a sensor, you can
select this option and then click Configure to specify an alternative device.

Configure SQL Database


To configure SQL Database settings for Fortify WebInspect as a sensor:
 1. On the Application Settings window, select Override Database Settings, and then click
Configure.


The Configure SQL Settings dialog box appears.


 2. Select one of the following options:
 • Use SQL Server Express
 • Use SQL Server
 3. If you selected Use SQL Server Express, click OK to complete the task and return to the
Application Settings window.
 4. If you selected Use SQL Server, then type the Server Name or select a Server Name from the list.
 5. To update the server name, click Refresh.
 6. In the Log on to the server area, select one of the following authentication options:
 • Use Windows Authentication
 • Use SQL Server Authentication
 7. Type the User name and Password to log on to the server. In the Connect to a Database area,
select or enter a database name from the list, or click New to browse to a database.
 8. Click OK.

Application Settings: Smart Update


To access this feature, click Edit > Application Settings and then select Smart Update.

Options
The Smart Update Options are described in the following table.

Service: Enter the URL for the Smart Update service. The default is:
https://smartupdate.fortify.microfocus.com/

Enable Smart Update on Startup: Select this option to check for updates automatically when starting Fortify WebInspect.

For more information, including instructions for updating WebInspect that is offline, see "SmartUpdate"
on page 269.

Application Settings: Support Channel


To access this feature, click Edit > Application Settings and then select Support Channel.


The Fortify WebInspect support channel allows Fortify WebInspect to send data to and download
messages from Micro Focus. It is used primarily for sending logs and "false positive" reports and for
receiving "What's New" notices.

Opening the Support Channel


Select the Allow connection to Micro Focus option to open the Fortify WebInspect support channel.
You may then specify the following:
 • Support Channel URL - The default is:
https://supportchannel.fortify.microfocus.com/service.asmx
 • Upload Directory - The default is:
C:\ProgramData\HP\HP WebInspect\SupportChannel\Upload\
 • Download Directory - The default is:
C:\ProgramData\HP\HP WebInspect\SupportChannel\Download\

Application Settings: Micro Focus ALM


To access this feature, click Edit > Application Settings and then select Micro Focus ALM.
To integrate Fortify WebInspect with Micro Focus Application Lifecycle Management (ALM), you must
create one or more profiles that describe the ALM server, project, defect priority, and other attributes.
You can then convert a Fortify WebInspect vulnerability to an ALM defect and add it to the ALM
database.

ALM License Usage


Creating or editing a profile consumes a license issued to ALM. The license is released, however, when
the ALM application settings are closed. Similarly, sending a vulnerability to ALM consumes a license,
but it is released after the vulnerability is sent.

Before You Begin


Make sure that the ALM Client Registration Add-in is installed on the same machine as Fortify
WebInspect before creating a profile. Refer to your ALM documentation for more details.

Creating a Profile
To create a profile:
 1. Click Add, and then enter a profile name in the Add Profile dialog box.
 2. Enter or select the URL of an ALM server. If you haven't previously visited an ALM site, the list is
empty. To enter a URL, use the format http://<qc-server>/qcbin/. Do not append "start_a.htm" (or
other file name) to the URL.


 3. Enter the user name and password that will allow you to access the server, and then
click Authenticate.
If the authentication credentials are accepted, the server populates the Domain and Project lists.
 4. Click Connect, and then select a subject in the Defect Reporting group.
 5. From the Defect priority list, select a priority that will be assigned to all Fortify WebInspect
vulnerabilities reported to ALM using this profile.
 6. Use the Assign defects to list to select the person to whom the defect will be assigned, and then
select an entry from the Project found in list.
 7. Use the remaining lists to map the Fortify WebInspect vulnerability rating to an ALM defect rating.
If you select Do Not Publish, the vulnerability will not be exported. You must select at least one of
the file mappings.
 8. To export notes and screenshots associated with a Fortify WebInspect vulnerability, select Upload
vulnerability attachments to defect. 
 9. In the Required/Optional Fields group, double-click an entry and enter or select the requested
information. If you try to save your work without supplying a required field, Fortify WebInspect
prompts you to enter it.



Chapter 10: Reference Lists
This chapter provides lists of WebInspect Policies, Scan Log Messages, and HTTP Status Codes.

Fortify WebInspect Policies


A policy is a collection of vulnerability checks and attack methodologies that Fortify WebInspect deploys
against a Web application. Each policy is kept current through SmartUpdate functionality, ensuring that
scans are accurate and capable of detecting the most recently discovered threats.
Fortify WebInspect contains the following packaged policies that you can use to determine the
vulnerability of your Web application.

Best Practices
The Best Practices group contains policies designed to test applications for the most pervasive and
problematic web application security vulnerabilities.
 • General Data Protection Regulation (GDPR): The EU General Data Protection Regulation (GDPR)
replaces the Data Protection Directive 95/46/EC and provides a framework for organizations on how
to handle personal data. The GDPR articles that pertain to application security and require businesses
to protect personal data during design and development of their products and services are as follows:
   • Article 25, data protection by design and by default, which requires businesses to implement
appropriate technical and organizational measures for ensuring that, by default, only personal
data that is necessary for each specific purpose of the processing is processed.
   • Article 32, security of processing, which requires businesses to protect their systems and
applications from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or
access to personal data.
This policy contains a selection of checks to help identify and protect personal data specifically
related to application security for the GDPR.
 • OWASP Top 10 <year>: This policy provides a minimum standard for web application security. The
OWASP Top 10 represents a broad consensus about the most critical web application security flaws.
Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software
development culture within your organization into one that produces secure code. Multiple releases
of the OWASP Top Ten policy may be available. For more information, consult the OWASP Top Ten
Project.
 • SANS Top 25: The SANS Top 25 Most Dangerous Software Errors provides an enumeration of the
most widespread and critical errors, categorized by Common Weakness Enumeration (CWE)
identifiers, that lead to serious vulnerabilities in software. These software errors are often easy to find
and exploit. The inherent danger in these errors is that they can allow an attacker to take over the
software completely, steal data, or prevent the software from working altogether.

Micro Focus Fortify WebInspect (19.2.0) Page 424 of 482


User Guide
Chapter 10: Reference Lists

 l Standard: A standard scan includes an automated crawl of the server and performs checks for
known and unknown vulnerabilities such as SQL Injection and Cross-Site Scripting as well as poor
error handling and weak SSL configuration at the web server, web application server, and web
application layers.

By Type
The By Type group contains policies designed with a specific application layer, type of vulnerability, or
generic function as its focus. For instance, the Application policy contains all checks designed to test an
application, as opposed to the operating system.
 l Aggressive SQL Injection: This policy performs a comprehensive security assessment of your web
application for SQL Injection vulnerabilities. SQL Injection is an attack technique that takes
advantage of non-validated input vulnerabilities to pass arbitrary SQL queries and/or commands
through the web application for execution by a backend database. This policy performs a more
accurate and decisive job, but has a longer scan time.
 l Apache Struts: This policy detects supported known advisories against the Apache Struts
framework.
 l Blank: This policy is a template that you can use to build your own policy. It includes an automated
crawl of the server and no vulnerability checks. Edit this policy to create custom policies that only scan
for specific vulnerabilities.
 l Client-side: This policy intends to detect all issues that require an attacker to perform phishing in
order to deliver an attack. These issues are typically manifested on the client, thus enforcing the
phishing requirement. This includes Reflected Cross-site Scripting and various HTML5 checks. This
policy may be used in conjunction with the Server-side policy to provide coverage across both the
client and the server.
 l Criticals and Highs: Use the Criticals and Highs policy to quickly scan your web applications for the
most urgent and pressing vulnerabilities while not endangering production servers. This policy
checks for SQL Injection, Cross-Site Scripting, and other critical and high severity vulnerabilities. It
does not contain checks that may write data to databases or create denial-of-service conditions, and
is safe to run against production servers.
 l Cross-Site Scripting: This policy performs a security scan of your web application for cross-site
scripting (XSS) vulnerabilities. XSS is an attack technique that forces a website to echo attacker-
supplied executable code, such as HTML code or client-side script, which then loads in a user's
browser. Such an attack can be used to bypass access controls or conduct phishing expeditions.
 l DISA STIG <version>: The Defense Information Systems Agency (DISA) Security Technical
Implementation Guide (STIG) provides security guidance for use throughout the application
development lifecycle. This policy contains a selection of checks to help the application meet the
secure coding requirements of the DISA STIG <version>. Multiple versions of the DISA STIG policy
may be available.
 l Mobile: A mobile scan detects security flaws based on the communication observed between a
mobile application and the supporting backend services.
 l NoSQL and Node.js: This policy includes an automated crawl of the server and performs checks for
known and unknown vulnerabilities targeting databases based on NoSQL, such as MongoDB, and
server side infrastructures based on JavaScript, such as Node.js.


 l Passive Scan: The Passive Scan policy scans an application for vulnerabilities detectable without
active exploitation, making it safe to run against production servers. Vulnerabilities detected by this
policy include issues of path disclosure, error messages, and others of a similar nature.
 l Privilege Escalation: The Privilege Escalation policy scans your web application for programming
errors or design flaws that allow an attacker to gain elevated access to data and applications. The
policy uses checks that compare responses of identical requests with different privilege levels.
 l Server-side: This policy contains checks that target various issues on the server-side of an
application. This includes various injection attacks, transport layer security, and privacy violation, but
does not include attack surface discovery such as directory enumeration or backup file search. All
vulnerabilities detected by this policy may be directly targeted by an attacker. This policy may be used
in conjunction with the Client-side policy to provide coverage across both the client and the server.
 l SQL Injection: The SQL Injection policy performs a security scan of your web application for SQL
injection vulnerabilities. SQL injection is an attack technique that takes advantage of non-validated
input vulnerabilities to pass arbitrary SQL queries and/or commands through the web application for
execution by a backend database.
 l Transport Layer Security: This policy performs a security assessment of your web application for
insecure SSL/TLS configurations and critical transport layer security vulnerabilities, such as
Heartbleed, Poodle, and SSL Renegotiation attacks.
 l WebSocket: This policy detects vulnerabilities related to WebSocket implementation in your
application.
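The Privilege Escalation policy above works by replaying a request recorded under one session with a session of lower privilege and comparing the two responses. The following Python example is added here to show the core of that comparison; it is not WebInspect's own code, and the responses it compares are constructed for the example (the hostnames, user names, token values and page contents are made up). It goes a little beyond the one-line policy description in two ways a practitioner needs: it masks volatile content (anti-CSRF tokens, timestamps, request identifiers) before comparing, so token rotation cannot hide an identical page, and it takes an optional unauthenticated baseline so that pages everyone can see are not reported as escalations.

```python
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

Response = Tuple[int, str]   # (HTTP status code, response body)

# Content that legitimately differs between two responses to the same request:
# anti-CSRF or session tokens, timestamps and request identifiers. Masking them
# before comparing stops token rotation from hiding an otherwise identical page.
VOLATILE = (
    (re.compile(r"\b[0-9a-f]{32,}\b", re.IGNORECASE), "<TOKEN>"),
    (re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"), "<TIME>"),
    (re.compile(r"\b(request|trace)-id=[\w-]+", re.IGNORECASE), r"\1-id=<ID>"),
)

def normalize(body: str) -> str:
    for pattern, replacement in VOLATILE:
        body = pattern.sub(replacement, body)
    return re.sub(r"\s+", " ", body).strip()

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized bodies; autojunk is off so HTML noise
    (many repeated '<', '>' and spaces) does not distort the match."""
    return SequenceMatcher(None, normalize(a), normalize(b), autojunk=False).ratio()

def compare_privileges(high: Response, low: Response,
                       anon: Optional[Response] = None,
                       threshold: float = 0.9) -> Tuple[str, float]:
    """Classify what the low-privilege session got for a request recorded at high privilege.

    high - response the privileged session received
    low  - response to the identical request replayed with the low-privilege session
    anon - optional response to the same request with no session, to rule out public pages
    """
    high_status, high_body = high
    low_status, low_body = low
    if low_status in (401, 403) or 300 <= low_status < 400:
        return "access denied", 0.0            # refused, or bounced to a login page
    score = similarity(high_body, low_body)
    if high_status != low_status or score < threshold:
        return "responses differ", score       # the application enforced something
    if anon is not None and anon[0] == high_status and similarity(high_body, anon[1]) >= threshold:
        return "public content", score         # everyone sees this; not an escalation
    return "possible privilege escalation", score

# Constructed responses for the example (hostnames, users and tokens are made up).
ADMIN_USERS = (200, """<html><input type=hidden name=csrf value=3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7>
<h1>User administration</h1>
<table><tr><td>alice</td><td>alice@example.test</td><td>admin</td></tr>
<tr><td>bob</td><td>bob@example.test</td><td>user</td></tr></table>
<p>Rendered 2019-11-04 10:15:22 request-id=7c1</p></html>""")
# Same page served to the low-privilege user: only token, time and request id differ.
USER_SEES_ADMIN = (200, ADMIN_USERS[1]
                   .replace("3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7", "0a1b2c3d4e5f60718293a4b5c6d7e8f9")
                   .replace("10:15:22", "10:16:05")
                   .replace("request-id=7c1", "request-id=7c2"))
USER_FORBIDDEN = (403, "<html><h1>Forbidden</h1></html>")
USER_OWN_PROFILE = (200, "<html><h1>Your profile</h1><p>bob bob@example.test</p></html>")
ANON_TO_LOGIN = (302, "")
ABOUT_PAGE = (200, "<html><h1>About us</h1><p>Contact: info@example.test</p></html>")

if __name__ == "__main__":
    for label, low, anon in (("token-only differences", USER_SEES_ADMIN, ANON_TO_LOGIN),
                             ("forbidden", USER_FORBIDDEN, ANON_TO_LOGIN),
                             ("different page", USER_OWN_PROFILE, ANON_TO_LOGIN)):
        print(label, compare_privileges(ADMIN_USERS, low, anon))
    print("public page", compare_privileges(ABOUT_PAGE, ABOUT_PAGE, ABOUT_PAGE))
```

The similarity threshold and the volatile-content patterns are the tuning points: too strict and every rotated token hides a match, too loose and every page built from a shared template looks identical. The anonymous baseline is what keeps a public page from being reported, so a scanner that only compares two sessions will flag it.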

Custom
The Custom group contains all user-created policies and any custom policies modified by a user.

Hazardous
The Hazardous group contains a policy with potentially dangerous checks, such as a denial-of-service
attack, that could cause production servers to fail. Use this policy against non-production servers and
systems only.
 l All Checks: An All Checks scan includes an automated crawl of the server and performs all active
checks from SecureBase, the database. This scan includes all checks that are listed in the compliance
reports that are available in Fortify web application and web services vulnerability scan products. This
includes checks for known and unknown vulnerabilities at the web server, web application server, and
web application layers.
Caution! An All Checks scan includes checks that may write data to databases, submit forms, and
create denial-of-service conditions. Fortify strongly recommends using the All Checks policy only
in test environments.


Deprecated Checks and Policies


The following policies and checks are deprecated and are no longer maintained.
 l Application (Deprecated): The Application policy performs a security scan of your web application
by submitting known and unknown web application attacks, and only submits specific attacks that
assess the application layer. When performing scans of enterprise level web applications, use the
Application Only policy in conjunction with the Platform Only policy to optimize your scan in terms of
speed and memory usage.
 l Assault (Deprecated): An assault scan includes an automated crawl of the server and performs
checks for known and unknown vulnerabilities at the web server, web application server, and web
application layers. An assault scan includes checks that can create denial-of-service conditions. It is
strongly recommended that assault scans only be used in test environments.
 l Deprecated Checks: As technologies reach end of life and fade out of the technical landscape, it is
necessary to prune the policies from time to time and remove checks that are no longer technically
necessary. The Deprecated Checks policy holds checks that are either deemed end of life given the
current technological landscape or have been re-implemented with more efficient audit algorithms
that use the latest enhancements of the core WebInspect framework.
 l Dev (Deprecated): A Developer scan includes an automated crawl of the server and performs checks
for known and unknown vulnerabilities at the web application layer only. The policy does not execute
checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
 l OpenSSL Heartbleed (Deprecated): This policy performs a security assessment of your web
application for the critical TLS Heartbeat read overrun vulnerability. This vulnerability could
potentially disclose critical server and web application data residing in the server memory at the time a
malicious user sends a malformed Heartbeat request to the server hosting the site.
 l OWASP Top 10 Application Security Risks - 2010 (Deprecated): This policy provides a minimum
standard for web application security. The OWASP Top 10 represents a broad consensus about what
the most critical web application security flaws are. Adopting the OWASP Top 10 is perhaps the most
effective first step towards changing the software development culture within your organization into
one that produces secure code. This policy includes elements specific to the 2010 Top Ten list. For
more information, consult the OWASP Top Ten Project.
 l Platform (Deprecated): The Platform policy performs a security scan of your web application
platform by submitting attacks specifically against the web server and known web applications. When
performing scans of enterprise-level web applications, use the Platform Only policy in conjunction
with the Application Only policy to optimize your scan in terms of speed and memory usage.
 l QA (Deprecated): The QA policy is designed to help QA professionals make project release decisions
in terms of web application security. It performs checks for both known and unknown web
application vulnerabilities. However, it does not submit potentially hazardous checks, making it safe
to run on production systems.
 l Quick (Deprecated): A Quick scan includes an automated crawl of the server and performs checks
for known vulnerabilities in major packages and unknown vulnerabilities at the web server, web
application server and web application layers. A quick scan does not run checks that are likely to
create denial-of-service conditions, so it is safe to run on production systems.
 l Safe (Deprecated): A Safe scan includes an automated crawl of the server and performs checks for
most known vulnerabilities in major packages and some unknown vulnerabilities at the web server,
web application server and web application layers. A safe scan does not run any checks that could
potentially trigger a denial-of-service condition, even on sensitive systems.
 l Standard (Deprecated): This policy is a copy of the original Standard policy before it was revamped
in the R1 2015 release. A standard scan includes an automated crawl of the server and performs checks
for known and unknown vulnerabilities at the web server, web application server and web application
layers. A standard scan does not run checks that are likely to create denial-of-service conditions, so it
is safe to run on production systems.

Scan Log Messages


This topic describes the messages that appear in the scan log. Messages are arranged alphabetically.
Audit Engine Initialization Error

Full Message
Audit Engine initialization error, engine:%engine%, error:%error%
Description
An unrecoverable error occurred while attempting to initialize an audit engine. Contact Fortify
Customer Support.
Argument Descriptions
Engine: The engine that was attempting to initialize.
Error: The actual error that occurred.
Possible Fixes
Not Applicable
External Links
Not Applicable

Auditor Error

Full Message
Error: Auditor error, session: <session ID> engine:<engine>, error:<error>
Description
An error occurred during an audit.
Argument Descriptions
Session: The session being audited when the error occurred.
Engine: The engine being run when the error occurred.


Error: The actual error that occurred.


Possible Fixes
Not Applicable
External Links
Not Applicable

Auditor Skipping Session

Full Message
Warn:Auditor skipping Session: 8BE3AFEC5051507168B66AEC59C8915B
Description
A session was skipped due to the Skip button.
Argument Descriptions
Session: Session ID of the session being skipped.
Possible Fixes
Not Applicable
External Links
Not Applicable

Check Error

Full Message
Error: Check error, session:8BE3AFEC5051507168B66AEC59C8915B, Check:10346, engine:
SPI.Scanners.Web.Audit.Engines.RequestModify
Description
An error occurred while processing a check.
Argument Descriptions
Session: Session where the check error occurred.
Check: The check that encountered the problem.
Engine: The engine being run when the error occurred.
Error: The error that occurred.
Possible Fixes
Run SmartUpdate to install the latest checks.
External Links


Not Applicable

Completed Post-Scan Analysis Module

Full Message
Completed Post-Scan Analysis Module: %module%
Description
One of the post-scan analysis modules has ended.
Argument Descriptions
module: the name of the post-scan analysis module.
Possible Fixes
Not Applicable
External Links
Not Applicable

Concurrent Crawl and Audit Start

Full Message
Info:Concurrent Crawl and Audit Start
Description
This message indicates that Concurrent Crawl and Audit has started.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Concurrent Crawl and Audit Stop

Full Message
Info:Concurrent Crawl and Audit Stop
Description
This message indicates that Concurrent Crawl and Audit has stopped.
Argument Descriptions


Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Concurrent Crawl Start

Full Message
Info:Concurrent Crawl Start:
Description
This message indicates that Concurrent Crawl has started.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Concurrent Crawl Stop

Full Message
Info:Concurrent Crawl Stop
Description
This message indicates that Concurrent Crawl has stopped.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Connectivity Issue, Reason

Full Message


Connectivity issue, Reason: FirstRequestFailed, HTTP Status:404,
Description
This message indicates a connectivity issue: Fortify WebInspect could not complete its first request
to the remote host.
Argument Descriptions
Reason: FirstRequestFailed - the first request to the target has failed.
HTTP Status: 404 - The status returned for the failed request.
Possible Fixes
 l Check the start URL
A 404 response means the server answered, so the network path to it is working; the path given in
the start URL does not exist on that server. Correct the start URL before troubleshooting the network.
 l Power cycle your network hardware
If the issue persists, unplug your modem and router, wait a few seconds, then plug them back in.
Sometimes these devices simply need to be refreshed. The failure could also be due to a network
outage or improperly configured network settings.
 l Use Microsoft's network diagnostic tools
Open Network Diagnostics by right-clicking the network icon in the notification area, and then
clicking Diagnose and repair.
 l Check wiring
Make sure that all wires are connected properly.
 l Check the host's power
If you're trying to connect to another computer, make sure that computer is powered on.
 l Check connection settings
If the problem began after you installed new software, check your connection settings to see if
they have been changed. Open Network Connections by clicking the Start button, clicking
Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then
clicking Manage network connections. Right-click the connection, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password or provide
confirmation.
 l Troubleshoot all firewalls
External Links
Troubleshoot network connection problems
Internet Connectivity Evaluation Tool

Connectivity Issue, Reason, Error

Full Message
Connectivity issue, Reason:FirstRequestFailed, Error:Server:zero.webappsecurity.com:80, Error:
(11001)Unable to connect to remote host : No such host is known:
Description
This message indicates a network connectivity issue. Fortify WebInspect was unable to
communicate with the remote host.
Argument Descriptions
Reason: FirstRequestFailed - the first request to the target has failed.
Server: The server to which the request was sent.
Error: (11001)Unable to connect to remote host : No such host is known: - Communication with the
remote host failed due to connectivity issues. Winsock error 11001 (WSAHOST_NOT_FOUND) means
the hostname did not resolve, so the request never left the scanning machine.
Possible Fixes
 l Check name resolution on the scanning host
Run nslookup against the hostname in the start URL on the machine running Fortify WebInspect. If
it does not resolve there, fix the DNS or hosts-file settings of that machine; no amount of network
troubleshooting on the target side will help.
 l Power cycle your network hardware
If the issue persists, unplug your modem and router, wait a few seconds, then plug them back in.
Sometimes these devices simply need to be refreshed. The failure could also be due to a network
outage or improperly configured network settings.
 l Use Microsoft's network diagnostic tools
Open Network Diagnostics by right-clicking the network icon in the notification area, and then
clicking Diagnose and repair.
 l Check wiring
Make sure that all wires are connected properly.
 l Check the host's power
If you're trying to connect to another computer, make sure that computer is powered on.
 l Check connection settings
If the problem began after you installed new software, check your connection settings to see if
they have been changed. Open Network Connections by clicking the Start button, clicking
Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then
clicking Manage network connections. Right-click the connection, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password or provide
confirmation.
 l Troubleshoot all firewalls
External Links
Troubleshoot network connection problems
Internet Connectivity Evaluation Tool

Crawler Error

Full Message
Error: Crawler error, session: <session ID> error:<error>
Description
The crawler failed to process the session. Not user-correctable. Contact Fortify Customer Support.
Argument Descriptions
Session: The session in which the error occurred.


Error: The actual error.


Possible Fixes
Not Applicable
External Links
Not Applicable

Database Connectivity Issue

Full Message
Error: SPI.Scanners.Web.Framework.Session in updateExisting,retries failed, giving up calling
iDbConnetivityHandler.OnConnectivityIssueDetected
Description
This message indicates that the database stopped responding.
Argument Descriptions
Error Text: Contains a description of the error that triggered the message
Possible Fixes
Make sure the database server is running and responding.
External Links
Not Applicable

Engine Driven Audit Start

Full Message
Info:Engine Driven Audit Start
Description
This message indicates Engine Driven Audit has started.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable


Engine Driven Audit Stop

Full Message
Info:Engine Driven Audit Stop
Description
This message indicates Engine Driven Audit has stopped.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Engine Driven Engine Skip

Full Message
Info:Engine Driven Engine Start, Engine: LFI Agent
Description 
Engine driven audit skipped for the engine due to the Skip button.
Argument Descriptions
Engine: The Engine that is being skipped.
Possible Fixes
Not Applicable
External Links
Not Applicable

Engine Driven Engine Start

Full Message
Info:Engine Driven Engine Start, Engine: LFI Agent
Description
This message indicates the engine indicated has started execution.
Argument Descriptions
Engine: The Engine that is starting.
Possible Fixes


Not Applicable
External Links
Not Applicable

Engine Driven Engine Stop

Full Message
Info:Engine Driven Engine Stop, Engine: LFI Agent Sessions Processed:406
Description 
Engine driven audit completed for the specified engine.
Argument Descriptions
Engine: The Engine that has been stopped.
Sessions processed: Number of sessions processed by the engine.
Possible Fixes
Not Applicable
External Links
Not Applicable

License Issue

Full Message
Error: License issue: License Deactivated
Description
A problem has occurred with the license.
Argument Descriptions
Issue: The issue that occurred.
Possible Fixes
Make sure Fortify WebInspect is properly licensed.
External Links
Not Applicable

Log Message Occurred

Full Message
<Level>: <ScanID> , <Logger>: <Exception>


Description
Generic message for exceptions
Argument Descriptions
ScanID: Scan ID.
Logger: Name of logger.
Exception: The exception thrown.
Possible Fixes
Not Applicable
External Links
Not Applicable

Memory Limit Reached

Full Message
Warn: Memory limit reached: level:1,limit:1073610752, actual:1076625408.
Error: Memory limit reached: level:0,limit:1073610752, actual:1076625408.
Description
The memory limit of the Fortify WebInspect process has been reached; the process is using more
memory than its configured limit.
Argument Descriptions
Level: The severity of the problem (in the examples above, level 1 is logged as a warning and level 0
as an error).
Limit: The memory limit of the process, in bytes.
Actual: The memory actually allocated to the process, in bytes.
Possible Fixes
Close other open scans that are not running.
Run only one scan at a time in a given Fortify WebInspect instance.
External Links
Not Applicable

Missing Session for Vulnerability

Full Message
Info: Missing Session for Vulnerability
Description


Cannot find session that is associated with a vulnerability.


Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

New Blind SQL Check Not Enabled

Full Message
New Blind SQL check (checkid %newcheckid%) is not enabled. A policy with both check %newcheckid%
and check %oldcheckid% enabled is recommended.
Description
The newer check for blind SQL injection is not included in the scan policy.
Argument Descriptions
newcheckid: The identifier of the newer SQL injection check (10962)
oldcheckid: The identifier of the older SQL injection check (5659)
Possible Fixes
Add the newer check (10962) to the scan policy.
External Links
Not Applicable

Persistent Cross-Site Scripting Audit Start

Full Message
Info:Persistent Cross-Site Scripting Audit Start
Description 
Persistent Cross-Site Scripting Audit has started.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links


Not Applicable

Persistent Cross-Site Scripting Audit Stop

Full Message
Info:Persistent Cross-Site Scripting Audit Stop
Description
Persistent Cross-Site Scripting Audit has stopped.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Post-Scan Analysis Started

Full Message
Post-Scan Analysis started.
Description
Post-scan analysis has begun. Additional messages will be displayed for each module used
(authentication, macro, file not found, etc.).
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Post-Scan Analysis Completed

Full Message
Post-Scan Analysis completed.
Description
Post-scan analysis has ended. Additional messages will be displayed for each module used
(authentication, macro, file not found, etc.).


Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Reflect Audit Start

Full Message
Info:Reflect Audit Start
Description
Reflection phase started.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Reflect Audit Stop

Full Message
Info:Reflect Audit Stop
Description
Reflection phase completed.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable


Scan Complete

Full Message
Info:Scan Complete, ScanID:<id-number>
Description
This message indicates that the scan has completed successfully.
Argument Descriptions
ScanID: Unique identifier of a scan
Possible Fixes
Not Applicable
External Links
Not Applicable

Scan Failed

Full Message
Info:Scan Failed, ScanID::<id-number>
Description
This message indicates that the scan has failed.
Argument Descriptions
ScanID: Unique identifier of a scan
Possible Fixes
Depends upon the reason the scan failed, which is specified in a different message.
External Links
Not Applicable

Scan Start

Full Message
Info:Scan Start, ScanID:<id-number> Version:X.X.X.X, Location:C:\Program Files\Fortify\Fortify
WebInspect\WebInspect.exe
Description
This message indicates the start of a scan.
Argument Descriptions
ScanID: Unique identifier of a scan.


Version: Version of Fortify WebInspect running the scan.


Location: The physical location of the Fortify WebInspect executable.
Possible Fixes
Not Applicable
External Links
Not Applicable

Scan Start Error

Full Message
Scan start error: %error%
Description
An unrecoverable error occurred while starting the scan. Contact Fortify Customer Support.
Argument Descriptions
error: description of the problem.
Possible Fixes
Not Applicable
External Links
Not Applicable

Scan Stop

Full Message
Info:Scan Stop, ScanID:<id-number>
Description
This message indicates that the scan has been stopped.
Argument Descriptions
ScanID: Unique identifier of a scan.
Possible Fixes
Not Applicable
External Links
Not Applicable


Scanner Retry Start

Full Message
Info:Scanner Retry Start
Description
Retry phase started.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Scanner Retry Stop

Full Message
Info:Scanner Retry Stop
Description
Retry phase stopped.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Sequential Audit Start

Full Message
Info:Sequential Audit Start
Description
This message indicates that the Sequential Audit has started.
Argument Descriptions
Not applicable
Possible Fixes


Not Applicable
External Links
Not Applicable

Sequential Audit Stop

Full Message
Info:Sequential Audit Stop
Description
This message indicates that the Sequential Audit has stopped.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Sequential Crawl Start

Full Message
Info:Sequential Crawl Start
Description
This message indicates that Sequential Crawl has started.
Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Sequential Crawl Stop

Full Message
Info:Sequential Crawl Stop
Description


This message indicates that the Sequential Crawl has stopped.


Argument Descriptions
Not applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Settings Override

Full Message
Settings Override, Setting:<setting>, Original Value:<original>, New Value:<newValue>,
Reason:<reason>
Description
A setting was changed by the product. This may indicate a setting upgrade issue.
Argument Descriptions
Setting: The setting that is being overridden.
Original Value: The original value of the setting.
New Value: The value to which the setting is being changed.
Reason: The reason for the override.
Possible Fixes
Restore factory defaults and reapply custom settings.
External Links
Not Applicable

Skipping Auditor Retry

Full Message
Info: Skipping Auditor Retry
Description
The retry phase was skipped due to the Skip button.
Argument Descriptions
Not Applicable
Possible Fixes


Not Applicable
External Links
Not Applicable

Skipping Crawl

Full Message
Warn:Skipping Crawl
Description
The crawl was skipped due to the skip button.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Skipping Persistent Cross-Site Scripting Audit

Full Message
Warn: Skipping Persistent Cross-Site Scripting Audit
Description
The Persistent Cross-Site Scripting phase was skipped due to the Skip button.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Skipping Reflect Audit

Full Message
Warn: Skipping Reflect Audit
Description


The reflection phase was skipped due to the Skip button.


Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Skipping Verify Audit

Full Message
Warn: Skipping Verify Audit
Description
The verify phase was skipped due to the Skip button.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Start URL Error

Full Message
Start Url Error:%url%, error:%error%
Description
An unrecoverable error occurred processing the start URL. Check url syntax; if correct, contact
Fortify Customer Support.
Argument Descriptions
url: The URL that caused the error.
error: Description of the error.
Possible Fixes
Not Applicable
External Links


Not Applicable

Start URL Rejected

Full Message
Start Url Rejected:%url%, reason:%reasons%, session:%session%
Description
The URL was rejected due to request rejection settings; settings should be modified or a different
start URL used.
Argument Descriptions
url: the start URL
reason: Reason for the rejection.
session: The session during which the error occurred.
Possible Fixes
Not Applicable
External Links
Not Applicable

Starting Post-Scan Analysis Module

Full Message
Starting Post-Scan Analysis Module: %module%
Description
One of the post-scan analysis modules has begun.
Argument Descriptions
module: the name of the post-scan analysis module.
Possible Fixes
Not Applicable
External Links
Not Applicable

Stop Requested

Full Message
Info:Stop Requested, reason=Pause button pushed


Description
Scan is entering suspended state.
Argument Descriptions
Reason: Reason for the stop.
Possible Fixes
Not Applicable
External Links
Not Applicable

Verify Audit Start

Full Message
Info:Verify Audit Start
Description
Verify phase started.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Verify Audit Stop

Full Message
Info:Verify Audit Stop
Description
Verify phase completed.
Argument Descriptions
Not Applicable
Possible Fixes
Not Applicable
External Links
Not Applicable

Web Macro Error

Full Message
Error: Web Macro Error, Name: Login webmacro Error: RequestAborted
Description
An error occurred during playback of a web macro.
Argument Descriptions
Name: Name of the macro being played when the error occurred.
Error: The error that occurred.
Possible Fixes
Depends on the error encountered. For the RequestAborted error, the server did not respond during
macro playback. If this occurs frequently, increase the value of Request timeout. See Connectivity
Issues for other potential solutions.
External Links
Not Applicable

Web Macro Status

Full Message
Error: Web Macro Status, Name: login.webmacro Expected:302, Actual:200, Url:<URL>
Description
Fortify WebInspect received a response during macro playback that did not match the response
obtained during the recording of the macro.
Argument Descriptions
Name: Name of the web macro.
Expected: The status code expected to be returned.
Actual: The status code that was actually returned.
URL: The target URL of the request.
Possible Fixes
This could indicate that Fortify WebInspect is attempting to log in when it is already logged in or
that Fortify WebInspect is failing to log in. Check to see if Fortify WebInspect is successfully
logged in during a scan. If not, record the login macro again.
External Links
Not Applicable
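
As an added example (not part of the WebInspect product or its documentation), the following Python helper matches the Full Message templates from this reference list (Start Url Error, Start Url Rejected, Web Macro Error, Web Macro Status, Stop Requested and the Verify Audit messages) and turns a scan log into per-kind counts plus findings that restate the Possible Fixes above. It assumes one message per line with any timestamp prefix already stripped; the sample log lines, including their reason text and URLs, are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regular expressions derived from the "Full Message" templates in this
# reference list; each %argument% placeholder becomes a named group.
# Assumption (example only): messages are matched whole, one per line.
MESSAGE_PATTERNS: Dict[str, re.Pattern] = {
    "start_url_error": re.compile(
        r"Start Url Error:(?P<url>.+?), error:(?P<error>.+)"),
    "start_url_rejected": re.compile(
        r"Start Url Rejected:(?P<url>.+?), reason:(?P<reason>.+?), "
        r"session:(?P<session>.+)"),
    "post_scan_module": re.compile(
        r"Starting Post-Scan Analysis Module: (?P<module>.+)"),
    "stop_requested": re.compile(r"Info:Stop Requested, reason=(?P<reason>.+)"),
    "verify_audit_start": re.compile(r"Info:Verify Audit Start"),
    "verify_audit_stop": re.compile(r"Info:Verify Audit Stop"),
    "skipping_verify_audit": re.compile(r"Warn: Skipping Verify Audit"),
    "web_macro_error": re.compile(
        r"Error: Web Macro Error, Name: (?P<name>.+?) Error: (?P<error>.+)"),
    "web_macro_status": re.compile(
        r"Error: Web Macro Status, Name: (?P<name>.+?) "
        r"Expected:(?P<expected>\d+), Actual:(?P<actual>\d+), Url:(?P<url>.+)"),
}


def parse_message(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (message_kind, arguments) for a documented message, else None."""
    text = line.strip()
    for kind, pattern in MESSAGE_PATTERNS.items():
        match = pattern.fullmatch(text)
        if match:
            return kind, match.groupdict()
    return None  # unknown or free-form message: ignored, not an error


def triage_scan_log(lines: List[str]) -> Dict[str, object]:
    """Summarise a scan log as per-kind counts plus actionable findings.

    The findings restate the "Possible Fixes" guidance from the reference
    list so a failed scan can be checked without reading the whole log.
    """
    counts: Dict[str, int] = {}
    findings: List[str] = []
    verify_started = verify_stopped = False

    for line in lines:
        parsed = parse_message(line)
        if parsed is None:
            continue
        kind, args = parsed
        counts[kind] = counts.get(kind, 0) + 1

        if kind == "start_url_error":
            findings.append(
                f"start URL {args['url']} failed ({args['error']}): "
                "check the URL syntax")
        elif kind == "start_url_rejected":
            findings.append(
                f"start URL {args['url']} rejected ({args['reason']}): "
                "adjust request rejection settings or use a different start URL")
        elif kind == "web_macro_error":
            hint = ("server did not respond during playback; if frequent, "
                    "increase Request timeout"
                    if args["error"] == "RequestAborted"
                    else "see the error and the Connectivity Issues table")
            findings.append(f"macro {args['name']} error {args['error']}: {hint}")
        elif kind == "web_macro_status":
            findings.append(
                f"macro {args['name']} expected HTTP {args['expected']} but got "
                f"{args['actual']} at {args['url']}: confirm the scan is logged "
                "in; if not, re-record the login macro")
        elif kind == "skipping_verify_audit":
            findings.append("verify phase was skipped (Skip button)")
        elif kind == "verify_audit_start":
            verify_started = True
        elif kind == "verify_audit_stop":
            verify_stopped = True

    # Heuristic of this example: a Verify Audit Start with no matching Stop
    # usually means the scan was interrupted before the verify phase finished.
    if verify_started and not verify_stopped:
        findings.append("verify phase started but never reported completion")

    return {"counts": counts, "findings": findings}


# Constructed sample log (values such as the reason text are made up).
SAMPLE_LOG = [
    "Start Url Rejected:http://app.example/admin, reason:Excluded host, session:1",
    "Info:Verify Audit Start",
    "Error: Web Macro Status, Name: login.webmacro Expected:302, Actual:200, "
    "Url:http://app.example/login",
    "Error: Web Macro Error, Name: Login webmacro Error: RequestAborted",
    "Starting Post-Scan Analysis Module: Example Module",
    "Info:Verify Audit Stop",
]

if __name__ == "__main__":
    for finding in triage_scan_log(SAMPLE_LOG)["findings"]:
        print("-", finding)
```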

HTTP Status Codes


The following list of status codes was extracted from the Hypertext Transfer Protocol version 1.1
standard (RFC 2616). You can find more information at http://www.w3.org/Protocols/.

Code Definition

100 Continue
101 Switching Protocols
200 OK: Request has succeeded.
201 Created: Request fulfilled and new resource being created.
202 Accepted: Request accepted for processing, but processing not completed.
203 Non-Authoritative Information: The returned metainformation in the entity-header is not the definitive set as available from the origin server, but is gathered from a local or a third-party copy.
204 No Content: The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation.
205 Reset Content: The server has fulfilled the request and the user agent should reset the document view which caused the request to be sent.
206 Partial Content: The server has fulfilled the partial GET request for the resource.
300 Multiple Choices: The requested resource corresponds to any one of a set of representations, each with its own specific location, and agent-driven negotiation information (section 12) is being provided so that the user (or user agent) can select a preferred representation and redirect its request to that location.
301 Moved Permanently: The requested resource has been assigned a new permanent URI and any future references to this resource should use one of the returned URIs.
302 Found: The requested resource resides temporarily under a different URI.
303 See Other: The response to the request can be found under a different URI and should be retrieved using a GET method on that resource.
304 Not Modified: If the client has performed a conditional GET request and access is allowed, but the document has not been modified, the server should respond with this status code.
305 Use Proxy: The requested resource MUST be accessed through the proxy given by the Location field.
306 Unused: Unused.
307 Temporary Redirect: The requested resource resides temporarily under a different URI.
400 Bad Request: The request could not be understood by the server due to malformed syntax.
401 Unauthorized: The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
402 Payment Required: This code is reserved for future use.
403 Forbidden: The server understood the request, but is refusing to fulfill it.
404 Not Found: The server has not found anything matching the Request-URI.
405 Method Not Allowed: The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
406 Not Acceptable: The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.
407 Proxy Authentication Required: This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy.
408 Request Timeout: The client did not produce a request within the time that the server was prepared to wait.
409 Conflict: The request could not be completed due to a conflict with the current state of the resource.
410 Gone: The requested resource is no longer available at the server and no forwarding address is known.
411 Length Required: The server refuses to accept the request without a defined Content-Length.
412 Precondition Failed: The precondition given in one or more of the request-header fields evaluated to false when it was tested on the server.
413 Request Entity Too Large: The server is refusing to process a request because the request entity is larger than the server is willing or able to process.
414 Request-URI Too Long: The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret.
415 Unsupported Media Type: The server is refusing to service the request because the entity of the request is in a format not supported by the requested resource for the requested method.
416 Requested Range Not Satisfiable: A server should return a response with this status code if a request included a Range request-header field (section 14.35), and none of the range-specifier values in this field overlap the current extent of the selected resource, and the request did not include an If-Range request-header field.
417 Expectation Failed: The expectation given in an Expect request-header field (see section 14.20) could not be met by this server, or, if the server is a proxy, the server has unambiguous evidence that the request could not be met by the next-hop server.
500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request.
501 Not Implemented: The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.
502 Bad Gateway: The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.
503 Service Unavailable: The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
504 Gateway Timeout: The server, while acting as a gateway or proxy, did not receive a timely response from the upstream server specified by the URI (e.g., HTTP, FTP, LDAP) or some other auxiliary server (e.g., DNS) it needed to access in attempting to complete the request.
505 HTTP Version Not Supported: The server does not support, or refuses to support, the HTTP protocol version that was used in the request message.

Chapter 11: Troubleshooting and Support
This chapter provides troubleshooting tables and contact information for Fortify Support and for
suggesting an enhancement.

Troubleshooting WebInspect
The following paragraphs provide troubleshooting information for Fortify WebInspect and WebInspect
Tools.

Connectivity Issues
The following table describes issues with connectivity.

Symptom or Error Message: When using a macro recorder or the Guided Scan Wizard while testing a site
that uses HTTPS rather than HTTP, there is no connectivity to the site.
Possible Cause: The user running Fortify WebInspect does not have required access to the Windows
MachineKeys folder.
Possible Solution: Modify the permissions of C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. On
the folder properties Security tab, use the Advanced button and configure permissions to allow full
control for the user for This folder, subfolders and files.

Scan Initialization Failed


The following table describes issues with scan initialization.

Symptom or Error Message: Scan Initialization fails when using SQL Express as the scan database.
Possible Cause: The SQL Express service is not running.
Possible Solution: Verify that the service is running. The service name is "SQL Server (SQLEXPRESS)"
or similar.
Possible Cause: The SQL Express cache may have become corrupted.
Possible Solution: To clear the cache:
 1. Stop all SQL related services and processes.
 2. Delete the SQL Express cache folder. A typical location is as follows or similar:
C:\Users\<username>\AppData\Local\Microsoft\Microsoft SQL Server Data\SQLEXPRESS
 3. Restart the machine.

Testing Login Macros


Fortify WebInspect performs tests on the login macro in the following instances:
 l When an auto-generated macro, newly-recorded macro, or pre-existing macro is tested during scan
configuration
 l At the start of the scan with any login macro if Enable macro validation is selected in Scan Settings:
Authentication

Validation Tests Performed


The following table describes the tests that Fortify WebInspect performs.

Test: Determine if the validation step is missing.
Result of Failure: The scan continues, but a warning is written to the scan log.

Test: Verify that the auto-generated macro logs into the application.
Result of Failure: The scan stops and an error is written to the scan log.

Test: Verify that the replay of the macro logs into the application.
Result of Failure: The scan stops and an error is written to the scan log.

If a scan stops after failing a test, it may be possible to examine the specific error message in the scan log
to determine and resolve the issue. Use the error message and the troubleshooting tips in this topic to
help resolve the issue.

Troubleshooting Tips
In all cases of macro failure, it is possible that an invalid macro was recorded. However, a previously
good macro that fails is almost always due to site changes or credentials.
The following table provides possible causes and solutions for each error message.

Note: This table does not include all possible causes and solutions for each error message.
Additional troubleshooting may be necessary.

Error Message: Automatic login generation failed
Possible Cause: The login macro could not be created because the user credentials provided are not
valid.
Possible Solution: Try the Auto-gen Login Macro option again using credentials that are known to be
valid.

Error Message: Execution Failed
Possible Cause: An HTML element, such as a verification element, username, or password, was not
located.
Possible Solution: Record a new macro in the Web Macro Recorder to identify the login input elements.
Possible Cause: The username has been deactivated (removed from the database) and/or the password
has changed.
Possible Solution: Record a new macro in the Web Macro Recorder using credentials that are known to
be valid.

Error Message: Logged in verification step not found
Possible Cause: The login macro does not contain a verification step.
Possible Solution: Edit the macro in the Web Macro Recorder to add a verification step to indicate a
successful login.

Error Message: Verification step did not fail after invalid login
Possible Cause: The verification step succeeded after an invalid login attempt. A valid verification
step should only succeed upon successful login. This indicates that an incorrect login verification
object was selected.
Possible Solution: Edit the macro in the Web Macro Recorder to select another object for the
verification step.

For specific information about using the Web Macro Recorder, see Micro Focus Fortify WebInspect
Tools Guide.

Contact Customer Support


When contacting Fortify Customer Support, provide the following product information:
Version: 19.2.0
Date: November 2019

Contacting Micro Focus Fortify Customer Support


If you have questions or comments about using this product, contact Micro Focus Fortify Customer
Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://softwaresupport.softwaregrp.com
To Call Support
1.844.260.7219

For More Information


For more information about Fortify software products:
https://software.microfocus.com/solutions/application-security

Suggest Enhancement
We value the opinions of our users and would greatly appreciate any suggestions you may have for
improving the quality and usefulness of our products.
To suggest an enhancement:
 1. Click Help > Support > Request an Enhancement.
 2. Select Suggestion or Enhancement from the Type list.
 3. Do one of the following:
 l Select a category that most closely matches your area of interest.
 l Select General if no category appears suitable.
 4. In the Synopsis box, enter a brief topic summary.
 5. In the Description area, tell us how we can improve Fortify WebInspect.
 6. Click Submit.

Purchases and Renewals


This topic describes how to purchase Micro Focus Fortify products and renew product licenses.

New Purchases
Visit Contact Micro Focus to obtain the telephone number of Micro Focus Fortify sales representatives
who can assist you, or to send an e-mail inquiring about Fortify products.

Renew Your Product License


You can renew your license online at the Fortify Customer Portal.

Uninstalling Fortify WebInspect


When uninstalling, you can choose to repair Fortify WebInspect or remove it from your computer.

Options for Removing


If you select Remove, you may choose one or both of the following options:
 l Remove product completely - Deletes the Fortify WebInspect application and all related files,
including scan data stored on a local (non-shared) SQL server, settings files, and logs.
 l Deactivate license - Releases your Fortify WebInspect license, which allows you to install Fortify
WebInspect on a different computer. Application data and files are not deleted.

About WebInspect
Use the About WebInspect window to view the application version number and display information
about the Fortify WebInspect license.

Appendix A: Using the License and
Infrastructure Manager
This appendix provides information and instructions on using the License and Infrastructure Manager
(LIM).

Introduction
The Fortify License and Infrastructure Manager (LIM) allows you to manage concurrent licenses for
Fortify WebInspect in a manner that best suits your organization's development and testing
environment.
For example, your company may have WebInspect installed on 25 machines, but holds a concurrent
license that permits a maximum of 10 instances to be active at any one time. Using the LIM, you can
allocate and deallocate those 10 seats in any way you like, without coordinating or negotiating through
the Micro Focus central licensing facility.
The LIM does not generate activation tokens. Micro Focus generates activation tokens that specify the
number of licenses purchased. You add your activation token to the LIM database, and then use the
LIM to assign and release license seat leases to users.

Getting Started
To get started, perform the following tasks:
 1. Configure the License and Infrastructure Manager as described in "Server Configuration" below.
 2. Add administrators as described in "Administrative Users" on page 462.
 3. Add a product license to the database as described in "Product Licenses" on page 464.
 4. Create a license pool, add a license to the pool, and add/delete license pool seats as described in
"License Pools" on page 465.

Server Configuration
You can review and configure the following items for the server on the Server Configuration page:
 l Activation (see "Activation" on the next page)
 l Proxy (see "Proxy" on the next page)
 l Updates (see "Updates" on the next page)
 l E-mail (see "E-mail" on page 462)
To access the page, click Admin > Server Configuration.

Activation
When you first install the License and Infrastructure Manager (LIM), enter the activation token
provided to you by Micro Focus. If the token is valid, the LIM displays information about your license.
If this computer does not have Internet access, clear the check box next to Server has internet
connection. The screen will repopulate and display instructions for offline activation.

Proxy
To configure a proxy server:
 1. Select the Proxy tab.
 2. Do one of the following:
 l To configure a proxy server for connecting to the Fortify global licensing service, click Fortify
Global Licensing Server Proxy.
 l To configure a proxy server for obtaining application updates for your LIM, click Fortify Smart
Update Server Proxy.
 3. Provide the requested information.
 4. When complete, click OK.

Updates
The LIM can check for software updates and notify you when and if any updates are available. To
review and configure the update settings:
 1. Select the Updates tab.
 2. Enter the SmartUpdate URL or IP address of the update server.
The default is https://smartupdate.fortify.microfocus.com/.
 3. Specify how often you want to check for updates in the SmartUpdate Frequency (Days) field.
For example: 1=every day, 2=every second day, 3=every third day, etc.
 4. Enter the time you want to check for updates in the SmartUpdate Scheduled Time field.
Use the format HH:MM, where HH is the hour and MM is the minute. For midnight, use 00:00.
 5. Click OK.
If updates are available, the LIM will send an e-mail to all administrators and will post a notice on the LIM
Updates page. It will not install the update.
To manually check if updates are available, or to schedule the installation of an update, select the LIM
Updates page.

E-mail
You can receive email notices for a variety of events, including SmartUpdate patch notification
availability, status of an applied update (success/failure), and notification that a license pool has been
exhausted. To review and configure the Simple Mail Transfer Protocol (SMTP) server information for
email notification:
 1. Enter the SMTP Server address (IP address) and SMTP Port (port number) of your e-mail server.
 2. Enter your SMTP Server User ID and SMTP Server Password.
 3. For the SMTP Authentication Type, select either None, Basic, or NTLM.
 4. If the SMTP server requires a secure link, select SMTP Requires SSL.
 5. Enter an Email Address to be used as From. This email address will appear as the originator of
the message in the "From" field.
 6. Click OK.

Administrative Users
The License and Infrastructure Manager (LIM) administrators are authorized to add product licenses,
create and maintain license pools, manage license-related activities, and check for updates.

Adding an Administrator
To add an administrator:
 1. Click Admin > Administrative Users.
 2. Click Add Administrator.
 3. Type a User Name.
 4. Type a Login Name.
Note: This is the name the user will type at the Log In page.

 5. Type an Email Address for the administrator.


 6. To enable the LIM to send email notification of certain events to the administrator, select Receives
Email.
 7. Enter and confirm a Password.
 8. To send the administrator email notification of the new account, select Send Welcome Email.

Editing an Administrator's Account


To edit an administrator's account, including the user's password:
 1. Click Admin > Administrative Users.
 2. Click Edit next to the user name.
 3. Make changes as needed and click OK.

Removing an Administrator
To remove a user:
 1. Click Admin > Administrative Users.
 2. Click Delete next to the user name.
 3. Click OK to confirm the deletion.

Editing Your LIM Administrator Account


You can modify the following attributes of your License and Infrastructure Manager
(LIM) administrator account:
 l User Name
 l Email Address
 l Receive Emails or not
 l Password
Note: There are no restrictions on the password.

Editing Your Account


To edit your account:
 1. Click My Account > Edit My Account.
 2. Make changes as needed.
 3. When finished, click OK.

Product Licenses
You can view all Micro Focus product licenses currently associated with the License and Infrastructure
Manager (LIM) on the Product Licenses page. From this page, you can view product license details or
delete the license by clicking the associated button next to the product name. On this page, you can
also:
 l Add a product license (see "Adding a License" below)
 l Add a license pool (see "Adding a License Pool" below)
 l Force a license refresh (see "Forcing a License Refresh" on the next page)

Adding a License
To add a license to the LIM database:
 1. On the Product Licenses page, click Add Product License.
 2. Enter (type or paste) the Activation Token associated with the product license sent to you by
Micro Focus.
Note: The token is a 36-character string formatted as in the following example:
0xx1111e-a5a6-1234-a123-490abcdef801

 3. (Optional) Enter a Description of the license.


 4. Click OK.

Adding a License Pool


To create a license pool, click Add License Pool.
 1. Enter the Pool Name.
 2. Enter a Pool Description.
 3. Enter and confirm the Pool Password.
There are no restrictions on the password.
 4. If you want to allow detached licenses, select the Allow Detached Leases check box.
A detached lease allows the computer to run WebInspect anywhere, even when disconnected from
your corporate intranet (on which the LIM is normally located), but only for the number of days
you specify. This allows users to take a laptop to a remote site and run WebInspect. When users
reconnect to the corporate intranet, they can access the program's Application License settings and
reconfigure from Detached to Connected.
 5. If you elect to allow detached leases, in the Detached Lease Duration Limit box, enter the
number of days that the lease may be detached. Also enter, in the Detached Lease Limit box, the
number of seats that may be assigned a detached lease.
 6. Click OK.

Forcing a License Refresh


If you renew the concurrent license for your product, you must refresh the license to update the license
information in the LIM database.
To refresh your licenses:
 l On the Product Licenses page, click Force License Refresh to initiate communication with the Micro
Focus global license server.
The latest information regarding each license in your system is downloaded.

Product License Details


You can view detailed license information on the Product License Detail page. The page also lists the
license pool (or pools) to which seats associated with this license have been assigned.

Viewing Product License Details


To view detailed license information:
 1. Click License Management > Product Licenses.
The Product Licenses page appears.
 2. Click the Details button for the license you want to view.
The Product License Detail page appears for the selected product license.

Editing a Pool
To edit pool information or to modify the number of seats currently assigned to a pool:
 1. Click the Edit button next to the pool name.
 2. Make changes as needed.
 3. When complete, click OK.

License Pools
The License Pools page lists all license pools currently defined within the License and Infrastructure
Manager (LIM). You can view the license pool details or delete the pool by clicking the associated
button next to the pool name.

Note: Deleting a pool does not delete the licenses or the seats assigned to that pool. Those
licenses/seats simply become unassigned.

Creating a License Pool


To create a license pool, click Add License Pool.
 1. Enter the Pool Name.
 2. Enter a Pool Description.
 3. Enter and confirm the Pool Password.
There are no restrictions on the password.
 4. If you want to allow detached licenses, select the Allow Detached Leases check box.
A detached lease allows the computer to run WebInspect anywhere, even when disconnected from
your corporate intranet (on which the LIM is normally located), but only for the number of days
you specify. This allows users to take a laptop to a remote site and run WebInspect. When users
reconnect to the corporate intranet, they can access the program's Application License settings and
reconfigure from Detached to Connected.
 5. If you elect to allow detached leases, in the Detached Lease Duration Limit box, enter the
number of days that the lease may be detached. Also enter, in the Detached Lease Limit box, the
number of seats that may be assigned a detached lease.
 6. Click OK.

Adding a License to a Pool


To add a license to a pool:
 1. Click the Details button next to a pool name.
 2. On the Edit License Pool window, click Add License.
A pop-up window appears, requesting a license number and a seat count.
 3. Select a license from the License list.
 4. In the Seat Count box, enter the number of seats to be assigned to this pool.
 5. Click OK.
 6. On the Edit License Pool window:
 a. If you want to allow detached licenses, select the Allow Detached Leases check box.
A detached lease allows the computer to run the WebInspect software product anywhere, even
when disconnected from your corporate intranet (on which the LIM is normally located), but
only for the number of days you specify. This allows users to take a laptop to a remote site and
run the WebInspect software. When users reconnect to the corporate intranet, they can access
the program's Application License settings and reconfigure from Detached to Connected.
 b. If you elect to allow detached leases, in the Detached Lease Duration Limit box, enter the
number of days that the lease may be detached. Also enter, in the Detached Lease Limit box,
the number of seats that may be assigned a detached lease.
 7. Click OK.

Editing a License Pool


To edit a license pool:
 1. Click the Details button next to a pool name.
 2. On the Edit License Pool window, make changes as needed.
 3. When finished, click OK.

Modifying Number of Seats for a License


To modify the number of seats assigned to this pool from a specific license:
 1. On the Edit License Pool window, click the Details button next to the product name associated
with the license.
 2. On the pop-up window that appears, select a license from the License list.
 3. In the Seat Count box, enter the number of seats to be assigned to this pool.
 4. Click OK.

Current Product Usage


You can view the product seats currently in use on the Current Product Usage page. To access the
page, click Activity Management > Current Product Usage.
The following table describes the information shown on this page for each product.

Field Description

Product The name of the product

Seats The total number of seats available

In Use The number of seats in use

# Licenses The number of licenses associated with the product

To assure that you are viewing the most recent information available, click Refresh.

Viewing License Details


To view license details for a product (and to add a product license, add a license pool, or force a license
refresh), click the associated Activation Tokens hyperlink.

Viewing Current Activity for a Product


To view the current activity for a product, click the value in the In Use column.

Current Activity
You can view the current activity involving licenses on the Current Activity page. To access the page,
select Activity Management > Current Activity Detail.

Information Displayed
The following table describes the information shown on the Current Activity page about each instance
of a product that is currently in use.

Field Description

User Name The Windows account using the product

Machine Name The name of the user’s workstation machine

Product The name of the product

Pool The license pool containing the seat allocation for the user

Active Since The date and time when the current instance of the product was started

Process Count The number of products sharing a single lease

Connection Mode The current status of the machine, either "Detached" or "Connected" to the
License and Infrastructure Manager (LIM)

Detached Expiration Date If detached, the date by which the machine is scheduled to be reconnected to
the LIM

Available Actions
Three actions are available on the Current Activity page:
 l Releasing a Seat (see "Releasing a Seat" on the next page)
 l Revoking a Seat (see "Revoking a Seat" on the next page)
 l Releasing All Seats (see "Releasing All Seats" on the next page)

Releasing a Seat
This action applies to connected concurrent licenses. It is used to disconnect a connected LIM client that
has a seat lease refreshed through a regular five-minute heartbeat. Release can be performed
singlehandedly by the LIM administrator. Once released, the seat becomes available to be leased by
another client. The next time it polls the LIM, the client that held the seat receives a notification that it
no longer has a license and the application stops working.
To release a seat and return it to a license pool, click the Release button associated with that seat.

Revoking a Seat
This action applies to detached leases. Revocation also frees up seats, but because clients with detached
seat leases do not poll the LIM, the client cannot be stopped. To revoke a lease, Fortify Customer
Support must be involved. The inclusion of support is a control measure designed to discourage
concurrent license theft.
To revoke a seat:
 1. Contact Fortify Customer Support and identify the lease that needs to be revoked.
 2. Click the Revoke button associated with that seat.
Note: Steps 1 and 2 may be reversed.

 3. Support logs into the license portal and processes the revoke request.
 4. Click Refresh.

Releasing All Seats


To release all seats, click Release All Licenses.

Lease History
A lease is defined as the period of time during which a product licensed through the License and
Infrastructure Manager (LIM) is active.
The following table describes the information shown on the Lease History page for each lease.

Field Description

Acquired Date The date and time when the product was activated

Activation Token The license used to activate this instance of the WebInspect software product

User Name The identifier used for authenticating to system services

Machine Name The name of the computer as it appears on a network

Product The WebInspect software product

Pool The named collection of seats, associated with one or more licenses, to which
this application instance is assigned

Lease Length The amount of time during which the product is or was in use, formatted as
HH:MM:SS, where
 l HH = hours
 l MM = minutes
 l SS = seconds

Release Status The condition under which the product became inactive. Possible values are:
 l Released: A product using a connected concurrent license shut down
normally. The seat was returned to the pool; the client is no longer licensed.
 l Revoked: A LIM administrator initiated a revoke on the lease, Fortify
Customer Support processed the revoke, and the LIM connected and
received the approved revocation. The seat was made available in the pool.
The client still has a functioning license because it does not connect to the
LIM on a regular basis.
 l Expired: A detached lease reached the end of the user-defined lease period
and expired. The seat was returned to the pool. The client is no longer
licensed.

To assure that you are viewing the most recent information available, click Refresh.

LIM Updates
You can check for the availability of software updates and schedule the installation of any updates that
may be available on the License and Infrastructure Manager (LIM) Updates page.

Note: You can configure the LIM to check automatically for available updates. See "Server
Configuration" on page 460 for more information.

Updates are available if the status is "PendingDownload."

Checking for Updates
To manually check for available updates, click Check for Updates.

Scheduling an Update
To schedule the installation of an update:
 1. Click Schedule Updates.
 2. Enter the date on which the update should be downloaded and installed.
Use the format dd/mm/yyyy, where dd=day, mm=month, and yyyy=year.
 3. Enter the time when the installation should occur.
Use the format hh:mm, where hh is the hour and mm is the minute. Use 00:00 for midnight.
 4. Click OK.
 

Data Migration
The following procedure is recommended for installations that currently use Microsoft SQL Server
Compact Edition, but would like to use Microsoft SQL Server Enterprise Edition.
 1. Open the installed version of the License and Infrastructure Manager (LIM) Admin Console.
 2. Return all detached licenses to the LIM.
 3. For each license pool, save a record of all licenses and seats assigned to the pool.
 4. Detach all licenses from the original database. Be sure to keep a record of each license token before
removing it.
 5. Deactivate all LIM licenses.
 6. Exit the LIM Admin Console.
 7. Install the latest version of the LIM and be sure to select Microsoft SQL Server Enterprise Edition
during LIM initialization.
Note: If you have already installed a version of the LIM that accommodates Enterprise Edition,
simply run the LIM initialization program. The application name is License and Infrastructure
Manager Initialize.

 8. Open the LIM Admin Console.
 9. Click Admin > Server Configuration and activate the LIM license.
 10. Use the Proxy, Updates, and E-mail tabs to add or verify information.
 11. Add all licenses.
 12. Recreate all pools.
 13. Attach licenses to pools.
 14. If your previous installation had multiple administrators, click Admin > Administrative Users and
define administrator accounts.

Backing Up and Restoring the LIM
Read this section in its entirety before backing up your License and Infrastructure Manager (LIM)
installation.

Note: Restoration of the LIM may require a call to Fortify Customer Support to deactivate the
existing LIM license.

Task 1: Copy the LIM
Make a backup copy of the LIM database and other files. The easiest backup process tested by Fortify
is to stop the Web server and save the entire LIM directory to a ZIP file. Essential files to restore are:
 l x:\<install-path>\DB\*.*
 l x:\<install-path>\logs\*.*
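
The following PowerShell script is an added example, not part of the Fortify documentation, that carries out Task 1 as described above: it stops the IIS web server (the W3SVC service) and the LIM agent service so the database is not written during the copy, archives the DB and logs directories into a timestamped ZIP, restarts the services, and records a SHA-256 hash so a later restore can detect a corrupted or tampered archive. The install path, the backup destination and the assumption that the LIM site is served by W3SVC are placeholders to confirm on your own server.

```powershell
# Added example (not from the Fortify documentation): cold backup of the LIM
# database and logs. Assumptions: the LIM is installed under $InstallPath, it is
# served by IIS (Windows service W3SVC), and its agent runs as the Windows service
# whose display name is "Fortify License and Infrastructure Manager Agent Service".
param(
    [string]$InstallPath = 'C:\Program Files\Fortify\LIM',   # assumed install path
    [string]$BackupRoot  = 'D:\Backups\LIM'                  # assumed destination
)

$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $BackupRoot "lim-backup-$stamp.zip"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Stop the web server and the LIM agent so the database is quiescent while it is copied.
$agent = Get-Service -DisplayName 'Fortify License and Infrastructure Manager Agent Service' -ErrorAction SilentlyContinue
try {
    if ($agent) { Stop-Service -InputObject $agent }
    Stop-Service -Name W3SVC

    # The guide names DB\*.* and logs\*.* as the essential files; everything else
    # in the install directory can be recreated by the installer and initializer.
    $paths = @((Join-Path $InstallPath 'DB'), (Join-Path $InstallPath 'logs'))
    Compress-Archive -Path $paths -DestinationPath $archive
}
finally {
    # Always bring the services back, even if the copy failed.
    Start-Service -Name W3SVC
    if ($agent) { Start-Service -InputObject $agent }
}

# Record a hash beside the archive so a restore can verify it was not truncated or altered.
$hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
"$hash  $(Split-Path $archive -Leaf)" | Out-File -FilePath "$archive.sha256" -Encoding ascii
Write-Output "Backup written to $archive (SHA-256 $hash)"
```

Run it from an elevated PowerShell session; keep the .sha256 file with the archive, and compare `Get-FileHash` output against it before restoring in Task 2.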

Task 2: Restore the LIM onto Another Server
 1. If possible, deactivate the existing LIM installation.
Note: The Fortify Customer Support team can perform this for you if your LIM has failed and
you are restoring from back-up.

 a. Click the Admin menu and select Server Configuration.
 b. On the Activation tab, click Release; this releases the LIM token and all of the associated
product tokens.
 2. Install the LIM on the new server, but do not initialize the application.
 3. Restore the LIM database and logs to the new server.
 4. Run the initialization. The application name is License and Infrastructure Manager Initialize.

Task 3: Activate the Restored Application
 1. Log in to the admin console.
 2. Click the Admin menu and select Server Configuration.
 3. On the Activation tab, click Activate.
 4. Was activation successful?
 l If yes, go to Task 4.
 l If no, contact Fortify Customer Support and ask them to deactivate the old LIM instance. After
the old instance has been deactivated, repeat step 3.

Task 4: Refresh Product Licenses
 1. Click the License Management menu and select Product Licenses.
 2. Click Force License Refresh.

Task 5: Verify License Pools and Tokens
 1. View the product tokens and execute a forced license refresh.
 2. View the license pools and verify the token associations.

Task 6: Configure Clients to Use New Server
For security purposes, client applications configured to use a LIM do not accept responses that redirect
the lease request to a new LIM. This prevents a redirected lease response from being used to compromise
an organization's legitimately purchased licenses.
When a LIM has failed, you can use either of two options to ensure that the products can use the LIM
replacement.
 l Option A: Name the rebuilt LIM exactly the same as its predecessor. This tactic ensures minimal
reconfiguration of client products, some of which may be virtualized and used only rarely.
 l Option B: Rebuild the LIM with a new name. Then update each installed product configured for
concurrent license use to direct requests to the new LIM URL at runtime (i.e., change the locally
installed license server URL from the old LIM URL to the new LIM URL).

Alternative Back-Up Strategy
 1. Run the LIM on a virtual machine.
 2. Back up the virtual machine.
 3. Restore the virtual machine on new hardware if the virtual server fails.
The LIM supports virtualized Windows server environments.

LIM Troubleshooting
This section addresses some of the problems or malfunctions that may occur when using the License
and Infrastructure Manager (LIM).

Required components not installed
See the Micro Focus Fortify Software System Requirements for a list of required modules.

If any module is not installed, the installer will report the problem and terminate. To continue, provide
the missing components and restart the installation.
Consult your Windows server documentation for assistance with the following:
 l Adding IIS
 l Enabling ASP.Net on a Web site
 l Installing IIS 6 Management Compatibility (for IIS 7 on server 2008)
 l Enabling/restoring the network services account

LIM installer appears to stop responding
After completing the installation, the Installer program launches the Initializer program. On some
systems, the Initializer window opens behind the Installer window and is effectively hidden. The
installation cannot complete until the Initializer window has closed.
 1. Move the Installer window to check for the Initializer window behind it.
 2. Click the Initializer window to bring it to the foreground.
 3. Complete or cancel the Initializer.
 4. Click Finish in the install wizard.

LIM initializer appears to stop responding
After completing the installation, the Installer program launches the Initializer program. On systems
where the Initializer fails to open, error dialogs may also fail to open and be hidden behind other
windows.
 1. Move the Initializer and Installer windows to check for error dialogs.
 2. Note the error message and acknowledge the dialog.
 3. Address the cause of the error.

Service fails to start at initialize
Always check the logs to determine the reason. Logs are located in X:\installdir\Logs, where X is the
drive and installdir is the directory in which the LIM was installed. The logs are:
 l HP.AppSec.Lim.Initialize.log (Initialization log)
 l HP.AppSec.Lim.Service.log (Service log)
 l HP.AppSec.Lim.Agent.log (Agent log )
Service may fail to start for the following reasons:
Pre-existing Secure Sockets Layer (SSL) and/or Authentication required by the Web site prior
to LIM installation and initialization may prevent the LIM Windows service from starting.

 1. Using IIS site configuration, modify the Web site:
 a. Remove the SSL required setting.
 b. Enable Anonymous access.
 c. Save the site settings and apply them to all child nodes.
 d. Restart the site.
 2. Launch the LIM initializer from the Windows Programs menu (Start > All Programs > Fortify >
License and Infrastructure Manager Initialize).
 3. Rerun the LIM initialize.
 a. Select the SSL certificate from list in initialize.
 b. Set the SSL required bit in initialize.
 c. Complete the initialize workflow.
 4. When Initialize is complete, verify that SSL required is set in IIS manager site configuration.
 5. Verify that {drive}:\installpath\Bin\HP.AppSec.Lim.Agent.exe.config has been
updated to require SSL on the three lines specifying URLs:
 l LeaseServiceUrl
 l HP.AppSec.Lim.Agent.Properties.Settings - HP_AppSec_Lim_Agent_AgentTaskService
 l HP.AppSec.Lim.Agent.Properties.Settings - HP_AppSec_Lim_Agent_AgentTaskService_
AgentTaskService
 6. Verify that the web.config element used by the Menu control and the Help file has been updated to
require HTTPS:
 a. On the LIM server, go to the {drive}:\installpath\ directory.
 b. Open the web.config file.
 c. Update the line add key="Http Protocol" to change the value from http to https.
 7. Using IIS site configuration, modify the website as follows:
 a. Restore the SSL required setting.
 b. Disable Anonymous access.
 c. Save the site settings and apply them to all child nodes.
 d. Restart the site.
 8. In Windows Services Management, do the following:
 a. Locate the Fortify License and Infrastructure Manager Agent Service.
 b. Attempt to start the service.
Dependencies removed after installation prevent services from starting or functioning
properly.
 1. Verify the presence of the dependencies. Consider rerunning the LIM installation program.
 2. Install any missing dependencies.
Service originally installed to a directory that no longer exists but is still referenced in original
configuration file and registry setting, preventing service from starting (reinstall/reinitialize
issue).

 1. Open Windows Service Manager: Start > All Programs > Administrative Tools > Services.
 2. Double-click the Fortify License and Infrastructure Manager Agent Service in the list of
services.
 3. Verify that the path to the executable (HP.AppSec.LIM.Agent.exe) is valid: open the referenced
directory and confirm that the file exists.
 4. If not valid, consult Windows documentation for instructions on changing the path.
LIM Windows Service does not have permissions to access the site.
This could occur for either of two reasons:
 l The site was created and set with authenticated access prior to the LIM installation. The underlying
site has been configured with a restrictive set of users and does not allow the LIM Windows service
account access.
 l The Network Service account was not installed or does not have permissions.
To correct this issue:
 1. Verify the existence of the network service account and its activity status.
 2. One possible solution is to grant the service account permission to access the LIM virtual
directories or the underlying Web site. Consult your Windows documentation for assistance in
adding users or groups to a site.
 3. Another possible solution is to update the Windows service to run with an account allowed by the
site. This can be an account specifically created to access the LIM site virtual directories and no
others. The account will need to be added to the allowed list for the virtual directories.

License update returns message that provided public key value is different from expected one
This message occurs when the keys used by the LIM during SmartUpdate are other than expected.
The solution is to simply re-activate the LIM's token with the Admin > Server Configuration activation
function.

Note: This often occurs immediately after restoring a LIM during disaster recovery.

LIM cannot activate its license (manual process)
This occurs if the LIM fails to connect to the Micro Focus license service.
 1. Check your proxy settings. You may need to enter network credentials for the web service to use
when connecting to Micro Focus for license activation and recurring license checks.
 2. After updating proxy settings, retry license activation.
 3. Use the command line to verify that the activation URL resolves to an IP address.
 4. Use a browser on the LIM server to visit a public Web site such as Google or Yahoo.
For machines without Internet access, see instructions for offline activation in the LIM help.
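
As an added example that is not part of the original guide, the PowerShell script below runs the connectivity checks from steps 1 to 4 from the LIM server itself: DNS resolution of the activation host, the machine-wide WinHTTP proxy (the one a Windows service actually uses, as opposed to the per-user browser proxy that a manual browser test exercises), TCP reachability, and an HTTPS request through the configured proxy. The activation URL is not printed in this guide, so it is taken as a parameter; the proxy URL in the comment is an assumed placeholder.

```powershell
# Added example (not from the Fortify documentation): connectivity diagnostics
# for LIM activation. Assumptions: $ActivationUrl is the Micro Focus license
# service URL from your activation e-mail (not printed in the guide), and the
# proxy, if any, is the one the LIM is configured to use.
param(
    [Parameter(Mandatory)][string]$ActivationUrl,
    [string]$ProxyUrl,                    # e.g. http://proxy.example.com:8080 (assumed placeholder)
    [pscredential]$ProxyCredential        # only if the proxy requires authentication
)

$uri = [uri]$ActivationUrl
Write-Output "License service host: $($uri.Host)  port: $($uri.Port)"

# 1. Name resolution from this machine (the command-line check in step 3).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object IPAddressToString
    Write-Output "Resolves to: $($addrs -join ', ')"
} catch {
    Write-Output "DNS FAILED: $($_.Exception.Message)"
    return
}

# 2. Machine-wide WinHTTP proxy. Services honour this, not the browser's per-user
#    proxy, so a browser test that succeeds can still leave the LIM unable to connect.
Write-Output (netsh winhttp show proxy | Out-String)

# 3. TCP reachability to whatever the LIM talks to first: the proxy if one is set,
#    otherwise the license service itself.
$target = if ($ProxyUrl) { [uri]$ProxyUrl } else { $uri }
$tcp = Test-NetConnection -ComputerName $target.Host -Port $target.Port -WarningAction SilentlyContinue
Write-Output "TCP to $($target.Host):$($target.Port) succeeded: $($tcp.TcpTestSucceeded)"

# 4. Full TLS handshake and HTTP exchange along the same path the LIM uses.
$req = @{ Uri = $ActivationUrl; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
if ($ProxyUrl)        { $req.Proxy = $ProxyUrl }
if ($ProxyCredential) { $req.ProxyCredential = $ProxyCredential }
try {
    $resp = Invoke-WebRequest @req
    Write-Output "HTTP $($resp.StatusCode) from license service"
} catch {
    # A 407 here means the proxy rejected the credentials; fix them in the LIM Proxy tab too.
    Write-Output "HTTP FAILED: $($_.Exception.Message)"
}
```

If step 1 fails, the problem is DNS on the server, not the LIM; if step 3 passes but step 4 fails with a certificate error, check for a TLS-intercepting proxy whose root certificate the server does not trust.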

LIM receives message during activation that all instances are in use
LIM tokens are issued with a maximum active instance count of 1. This means a single license token
GUID cannot be used to activate multiple LIMs. If the token has been used to activate a previous LIM,
the token can be deactivated and exchanged, or the active instance can be deactivated allowing reuse of
the existing token.
 l If the LIM has been reinstalled, contact Fortify Customer Support and ask to have the previous
instance deactivated for that specific activation token.
 l If the LIM was not reinstalled, contact Fortify Customer Support and inquire about other installations
of the LIM for that specific activation token. Discuss deactivation and exchange options with the
Support representative.

Error message indicates that the token is not valid for the product
The activation token is a unique string of characters. Mistyping the string will prevent activation. An
activation token is unique for a specific product.
Re-enter or paste the LIM token from the original Micro Focus email and resubmit. Make sure there are
no trailing spaces.
Use the command line interface to resolve the IP address of the license service URL and verify that the
address is correct.
Contact Fortify Customer Support and verify that the license token exists in the license database and is
intended for the product being activated. Also verify that the token is configured to be a concurrent
license.

LIM cannot activate a concurrently licensed product
There are several possible reasons:
 l The LIM manager is unable to connect to the Internet to complete the activation action.
 l The license token entered is incorrect.
 l The license token was incorrectly created and did not have the concurrent flag enabled.
 l The license token was already activated and associated with another LIM.
Use the following procedure to investigate:
 1. Verify that the computer hosting the LIM is connected to the Internet.
 2. If the network configuration has changed, bring your computer into compliance.
 3. If using a proxy that requires a password, make sure you provide the correct password.
 4. Re-enter the token included in the original Micro Focus e-mail and resubmit. Make sure there are
no trailing spaces.
 5. Contact Fortify Customer Support and verify that the license token exists in the license database
and is intended for the product being activated. Also verify that the token is configured to be a
concurrent license.

LIM does not release expired leases automatically
The LIM Windows service is unable to communicate with the LIM web services.
Verify that the Windows service is running.
 1. Launch the LIM and click LIM in the menu bar.
You should see the following message:
The Fortify License and Infrastructure Manager Agent Service is running.
 2. If the Windows service is not running, use Windows Control Panel > Administrative tools >
Services to locate the LIM service and attempt to start the service.
The Windows service may not be able to connect to the LIM web service. Check the service log for entries
stating that the Windows service could not connect.

LIM does not refresh licenses automatically
There are several possible reasons:
 l The LIM is unable to connect to the Internet to complete the activation action.
 l The license token is no longer active or available in the Micro Focus database.
 l The Windows service is not executing automated tasks.
Use the following procedure to investigate:
 1. Attempt a manual refresh of the licenses.
 2. Verify proxy settings.
 3. Use a browser on the Windows server running LIM to contact a site on the Internet.
 4. See also LIM does not refresh licenses manually and Windows service not executing
automated tasks.
If unsuccessful, contact Fortify Customer Support and verify that the license token exists in the license
database and is intended for the product being activated. Also verify that the token is configured to be
a concurrent license.

LIM does not refresh licenses manually
The LIM may be unable to connect to the Internet to complete the activation action, or the license token
has been deactivated on the Micro Focus license server.
has been deactivated on the Micro Focus license server.

The following test requires physical or remote access to the Windows server running the LIM. The LIM
uses a web console. A machine that can access the LIM may also be able to access the license service,
even if the LIM cannot.
 1. Verify that the computer hosting the LIM is connected to the Internet: open a browser and visit a
site such as https://software.microfocus.com.
 2. If the network configuration has changed, bring your computer into compliance.
 3. If using a proxy that requires a password, make sure you provide the correct password.
If unsuccessful, contact Fortify Customer Support and verify that the license token exists in the license
database and is intended for the product being activated. Also verify that the token is configured to be
a concurrent license.

LIM does not SmartUpdate automatically
The proxy configuration for SmartUpdate may not be valid.
 1. Open the admin console.
 2. Select Admin > Server Configuration from the menu.
 3. In the server configuration screen, select the Proxy tab.
 4. Click Fortify Smart Update Server proxy and verify proxy settings.
 5. Click the Pending Updates menu.
 6. Attempt a manual “check for updates.”
 7. Review the status. If successful, click Admin > Server Configuration and select the Updates tab.
 8. Check the scheduled time and frequency, and configure an update to occur.
 9. Examine the logs to determine why the update failed.
The Windows service may not be running, or it may be unable to poll the LIM service for update times.
 1. Review the logs to determine the reason the update failed.
 2. Attempt a manual SmartUpdate. If successful, review the procedure.

Windows service not executing automated tasks
Physical or remote desktop access to the LIM server is required for diagnosis and issue resolution.
Always check the logs to determine the reason for the issue. Possible reasons include:
 l The site was created and set with authenticated access prior to the LIM installation. The underlying
site has been configured with a restrictive set of users and does not allow the LIM Windows service
account access.
 l The site was configured to require SSL after the LIM was installed and initialized.
 l The Network Service account is not installed or does not have permissions.
Verify the existence of the network service account and its activity status.
One possible solution is to enable permission to the service account to access the LIM virtual directories
or the underlying website. Consult your Windows documentation for assistance in adding users or
groups to a site.

Another possible solution is to update the Windows service to run with an account allowed by the site.
This can be an account specifically created to access the LIM site virtual directories and no others. The
account will need to be added to the allowed list for the virtual directories.
On the machine where the LIM is installed:
 1. Open Windows Service Manager: Start > All Programs > Administrative Tools > Services.
 2. Identify the Fortify License and Infrastructure Manager Agent Service.
 3. Check the service status.
 4. If the service is not running, try to start the service. If it doesn't start, verify that the path to the
executable (HP.AppSec.LIM.Agent.exe) is valid.
 5. Open the referenced directory and confirm that the file exists. If not valid, consult Windows
documentation for instructions on changing the path.
 6. If the service is running, open the LIM agent and LIM service logs and look for recent entries
stating that the service cannot be contacted (scheme incorrect, site not available, access denied,
etc.). If the site requires SSL, verify that the web.config file specifies the correct protocol (HTTPS
and not HTTP):
 a. Verify the {drive}:\installpath\Bin\HP.AppSec.Lim.Agent.exe.config has been
updated to require SSL on the three lines specifying URLs:
 o LeaseServiceUrl
 o HP.AppSec.Lim.Agent.Properties.Settings - HP_AppSec_Lim_Agent_AgentTaskService
 o HP.AppSec.Lim.Agent.Properties.Settings - HP_AppSec_Lim_Agent_AgentTaskService_
AgentTaskService
 b. Update the LIM's web.config file to require HTTPS:
 i. On the LIM server, go to the directory where LIM is installed.
 ii. Open the web.config file.
 iii. Update the line add key="Http Protocol" to change “http” to “https” (or reverse).
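
The PowerShell script below is an added example, not Fortify's own tooling, that automates the checks in the service-related troubleshooting entries above ("Service fails to start at initialize", "LIM Windows Service does not have permissions to access the site" and "Windows service not executing automated tasks"): the agent service state and log-on account, whether the executable the service points at exists, the scheme of every URL in HP.AppSec.Lim.Agent.exe.config and the Http Protocol key in web.config compared with whether the IIS site requires SSL, and recent service and agent log lines that explain a failed connection. The install path is an assumed placeholder, and the script assumes the two config files are plain XML text in which each endpoint appears as an http:// or https:// literal.

```powershell
# Added example (not from the Fortify documentation): automates the manual checks
# in the troubleshooting entries. Assumptions: the install path below; the agent
# service display name as printed in the guide; HP.AppSec.Lim.Agent.exe.config
# and web.config are plain XML text whose endpoints appear as http(s):// literals.
param(
    [string]$InstallPath = 'C:\Program Files\Fortify\LIM',   # assumed install path
    [switch]$SiteRequiresSsl                                  # set if "SSL required" is on in IIS
)

$want     = if ($SiteRequiresSsl) { 'https' } else { 'http' }
$findings = New-Object System.Collections.Generic.List[string]

# 1. Service installed, running, executable present, and which account it runs as.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Fortify License and Infrastructure Manager Agent Service'"
if (-not $svc) {
    $findings.Add('Agent service is not installed')
} else {
    if ($svc.State -ne 'Running') { $findings.Add("Agent service state is '$($svc.State)'") }
    # PathName may be quoted or carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { $findings.Add("Service executable not found: $exe") }
    $findings.Add("Service logs on as '$($svc.StartName)'; this account must be allowed on the LIM site")
}

# 2. Every URL literal in the agent config must use the scheme the IIS site enforces.
#    Structure-agnostic regex, so it covers appSettings and applicationSettings alike.
function Get-UrlSchemes([string]$file) {
    if (-not (Test-Path -LiteralPath $file)) { return @() }
    $text = "$(Get-Content -LiteralPath $file -Raw)"
    foreach ($m in [regex]::Matches($text, '(?i)\b(https?)://[^\s"''<>]+')) {
        [pscustomobject]@{ Url = $m.Value; Scheme = $m.Groups[1].Value.ToLower() }
    }
}
$agentCfg = Join-Path $InstallPath 'Bin\HP.AppSec.Lim.Agent.exe.config'
foreach ($u in Get-UrlSchemes $agentCfg) {
    if ($u.Scheme -ne $want) { $findings.Add("Agent config URL uses $($u.Scheme), site expects ${want}: $($u.Url)") }
}

# 3. The web.config "Http Protocol" key drives the menu and Help file links.
$webCfg = Join-Path $InstallPath 'web.config'
if (Test-Path -LiteralPath $webCfg) {
    $text = "$(Get-Content -LiteralPath $webCfg -Raw)"
    if ($text -match '(?i)key="Http Protocol"\s+value="(https?)"') {
        if ($Matches[1].ToLower() -ne $want) { $findings.Add("web.config Http Protocol is '$($Matches[1])', site expects '$want'") }
    } else {
        $findings.Add('web.config has no "Http Protocol" key')
    }
}

# 4. Recent log lines that explain why the agent cannot reach the LIM web services.
foreach ($log in 'HP.AppSec.Lim.Service.log', 'HP.AppSec.Lim.Agent.log') {
    $path = Join-Path $InstallPath "Logs\$log"
    if (Test-Path -LiteralPath $path) {
        Get-Content -LiteralPath $path -Tail 500 |
            Select-String -Pattern 'could not connect|access denied|unauthorized|forbidden|scheme|401|403' |
            ForEach-Object { $findings.Add("${log}: $($_.Line.Trim())") }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No problems found.' } else { $findings | ForEach-Object { Write-Output "- $_" } }
```

Run it elevated on the LIM server with `-SiteRequiresSsl` when IIS Manager shows SSL required; any URL reported with the wrong scheme is the line to correct in the config file before restarting the agent service.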

Help File errors on open – message specifies HTTPS required
During initialization or post-initialization, the LIM administration site was configured to require HTTPS
and required changes were not made to the Help file configuration. Simply changing the URL to use
https:// from http:// will overcome the problem short term.
For a longer term solution:
 1. On the LIM server, go to the directory where LIM is installed.
 2. Open the web.config file.
 3. Update the line add key="Http Protocol" to change “http” to “https” (or reverse).
Note: On sites where SSL is enabled but not required, the pop-up will always occur with one
scheme http or https.

Annoying message bar pops up from IE every time LIM menu is moused over
The menu expects either SSL or non-SSL connectivity, depending upon the site setup. This can be
changed by editing the LIMadmin page's web.config. By default the web.config expects an SSL
connection for the menu. This typically occurs on sites where SSL was not required and users are
connecting to the Admin pages using HTTP.
 1. On the LIM server, go to the directory where LIM is installed.
 2. Open the web.config file.
 3. Update the line add key="Http Protocol" to change “http” to “https” (or reverse).
Note: On sites where SSL is enabled but not required, the popup will always occur with one scheme
http or https.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this computer, click the link above and an email window opens with the
following information in the subject line:
Feedback on User Guide (Fortify WebInspect 19.2.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to [email protected].
We appreciate your feedback!
