HPE Security Fortify WebInspect Enterprise User Guide

HPE Security
Fortify WebInspect Enterprise
Software Version: 16.20
Windows® operating systems
User Guide
Document Release Date: September 2016
Software Release Date: September 2016
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211
and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by
you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned,
and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third
party.
Copyright Notice
© Copyright 2001 - 2016 Hewlett Packard Enterprise Development LP
Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
This product includes an interface of the 'zlib' general purpose compression library, which is Copyright © 1995-2002 Jean-loup Gailly and Mark Adler.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HPE sales
representative for details.
About this PDF Version of Online Help
This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the
help information or read the online help in PDF format. Because this content was originally created to be viewed as online
help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF
version. Those topics can be successfully printed from within the online help.
HPE Security Fortify WebInspect Enterprise (16.20)
Page 2 of 362
Contents
Preface ..... 17
Contacting HPE Security Fortify Support ..... 17
For More Information ..... 17
About the Documentation Set ..... 17
Change Log ..... 18
Chapter 1: About Fortify WebInspect Enterprise ..... 19
Benefits of Fortify WebInspect Enterprise ..... 19
Fortify WebInspect Enterprise Components ..... 19
About Scanning: Considerations and Tips ..... 20
Increased Network Traffic ..... 21
Increased Form Input ..... 21
Increased HTTP Requests and Invalid Input ..... 22
Uploading of Files ..... 22
Related Documents ..... 22
All Products ..... 22
HPE Security Fortify WebInspect ..... 23
HPE Security Fortify WebInspect Enterprise ..... 25
Chapter 2: WebInspect Enterprise Administrative Console ..... 27
About the User Interface ..... 27
About the Groups and Their Shortcuts ..... 27
Scans Group ..... 28
Sensors Group ..... 28
Administration Group ..... 28
Menu Bar and Toolbar ..... 29
Logging On ..... 30
Changing the Screen Refresh Rate ..... 30
Selecting Which Table Columns to Display ..... 31
Grouping and Sorting Items in Lists ..... 31
Managing SmartUpdates ..... 32
Managing the SmartUpdate History and Schedules ..... 33
Performing a Manual SmartUpdate ..... 34
Adding a SmartUpdate Schedule ..... 34
Approving and Declining SmartUpdates ..... 35
Managing Proxy Server Settings ..... 36
About Roles and Permissions ..... 36
Managing Roles and Permissions ..... 37
Adding, Removing, and Distributing Global Roles ..... 38
Adding a Global Role ..... 39
Removing a Global Role ..... 39
Distributing an Existing Global Role to All Organizations ..... 39
Adding a User Or Group To Multiple Roles ..... 40
Displaying or Removing Roles of Users or Groups ..... 40
About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions ..... 41
Adding an Organization ..... 42
Adding and Removing Fortify WebInspect Enterprise System Administrators ..... 42
Adding a Fortify WebInspect Enterprise System Administrator ..... 42
Removing a Fortify WebInspect Enterprise System Administrator ..... 42
Managing Fortify WebInspect Enterprise System Roles and Permissions ..... 43
Adding a Fortify WebInspect Enterprise System Role ..... 43
Assigning Groups or Users to a Fortify WebInspect Enterprise System Role ..... 44
Copying a Fortify WebInspect Enterprise System Role ..... 44
About Organization Administrators, Roles, and Permissions ..... 45
Adding, Removing, and Renaming Organizations ..... 46
Adding an Organization ..... 46
Removing an Organization ..... 46
Renaming an Organization ..... 47
Adding and Removing Organization Administrators ..... 47
Adding an Organization Administrator ..... 47
Removing an Organization Administrator ..... 48
Configuring Organization Options ..... 48
Configuring Option: Organization Maximum Security Priority ..... 48
Configuring Option: Disable Retest Browser Tab ..... 48
Managing Organization Roles And Permissions ..... 49
Adding an Organization Role ..... 49
Adding Groups or Users to an Organization Role ..... 50
Copying or Moving an Organization Role ..... 50
Removing an Organization Role ..... 51
Renaming an Organization Role ..... 51
Specifying Resources Available to Organizations ..... 52
Moving or Copying Objects to Groups or Other Organizations ..... 53
About Group Administrators, Roles, and Permissions ..... 54
Adding, Removing, and Renaming Groups ..... 55
Adding a Group ..... 55
Removing a Group ..... 56
Renaming a Group ..... 56
Adding and Removing Group Administrators ..... 56
Adding a Group Administrator ..... 57
Removing a Group Administrator ..... 57
Configuring Group Options ..... 57
Configuring Option: Group Maximum Security Priority ..... 57
Configuring Option: Group IP and Host Permissions ..... 58
Managing Group Roles And Permissions ..... 58
Adding a Group Role ..... 58
Adding Groups or Users to a Group Role ..... 59
Copying or Moving a Group Role ..... 60
Removing a Group Role ..... 60
Renaming a Group Role ..... 61
Specifying Resources Available to Groups ..... 61
Moving or Copying Objects to Organizations or Other Groups ..... 62
Managing Scans, Sensors, and Sensor Users ..... 63
About Controlling Scans Using the Scan Queue ..... 63
Controlling Scans Using the Scan Queue ..... 64
About Managing Scan Policies ..... 64
Managing Scan Policies ..... 66
Creating Custom and Master Scan Policies ..... 66
Adding, Editing, and Deleting Export Paths for Saving Scans ..... 68
Specifying Export Paths for Saving Scans ..... 69
About Sensor Management ..... 69
Managing Sensors and Their Scans ..... 70
Managing Sensor Users ..... 71
Managing E-mail and SNMP Alerts ..... 71
Adding, Editing, and Deleting E-mail Alerts ..... 71
Specifying E-mail Alert Settings ..... 73
Understanding Assigned Risks and the Total Risk Score ..... 74
Assigned Risks ..... 74
Total Risk Score ..... 74
Where Total Risk Score Appears ..... 75
Adding, Editing, and Deleting SNMP Alerts ..... 75
Specifying SNMP Alert Settings ..... 76
Working with Fortify Software Security Center ..... 77
Configuring Settings for Fortify Software Security Center ..... 77
Disabling Automatic Publishing of Scans to Fortify Software Security Center ..... 79
Importing Projects into Fortify Software Security Center from a .csv File ..... 79
Working with AMP Sites ..... 80
About Migrating AMP Sites ..... 80
Migrating AMP Sites ..... 82
Managing Users and the Activity Log ..... 83
About Managing Connected Users ..... 83
Managing Connected Users ..... 84
Viewing License Information ..... 84
Managing the Activity Log ..... 85
Reference Lists ..... 86
Policies List ..... 86
Scan Status Messages List ..... 88
HTTP Status Codes List ..... 89
Sensor Status List ..... 92
Chapter 3: WebInspect Enterprise Services Manager ..... 94
About the Fortify WebInspect Enterprise Services Manager ..... 94
Configuring the Scan Uploader Service ..... 94
Service Status ..... 94
Fortify WebInspect Enterprise Configuration ..... 95
Dropbox Configuration ..... 95
Logging Configuration ..... 96
Starting the Service ..... 96
Configuring the Task Service ..... 96
Service Status ..... 96
Database Configuration ..... 97
Logging Configuration ..... 97
Fortify Software Security Center Poll Interval ..... 98
Starting the Service ..... 98
Configuring the Scheduler Service ..... 98
Service Status ..... 98
Fortify WebInspect Enterprise Manager ..... 99
Logging Configuration ..... 99
Starting the Service ..... 99
Chapter 4: WebInspect Enterprise Web Console ..... 100
Using the Interface ..... 100
Navigation Pane ..... 100
Toolbar ..... 101
Configuring Toolbar Options ..... 102
Configuring Form Layouts ..... 103
Columns ..... 103
Grouping ..... 104
Sorting ..... 105
Paging ..... 105
Enabling New Scan Schedules ..... 105
Enabling New Blackout Periods ..... 105
Conducting Scans ..... 106
Accessing Guided Scan ..... 106
Scanning a Web Site ..... 106
Authentication and Connectivity ..... 108
Coverage and Thoroughness ..... 109
Congratulations ..... 110
Scan Dependencies ..... 110
Internet Protocol Version 6 ..... 110
About Web Services ..... 111
Scanning a Web Service ..... 111
Authentication and Connectivity ..... 112
Coverage and Thoroughness ..... 112
Congratulations ..... 112
Scan Schedules ..... 113
Reviewing Scheduled Scan Settings ..... 113
Using the Context Menu ..... 113
Using the Icons Above the Form Grid ..... 113
Searching On This Page ..... 114
Scheduled Scan Dependencies ..... 115
Using Scan Requests from Fortify Software Security Center ..... 115
Processing a Pending Request ..... 116
Associating Scans Manually ..... 116
Creating a Scan Request in Fortify Software Security Center ..... 117
Using Scan Templates ..... 117
Searching On This Page ..... 119
Scan Template Dependencies ..... 120
Blackouts Overview ..... 120
Using Blackouts ..... 121
Searching On This Page ..... 122
Creating a Blackout Period ..... 123
Policies List ..... 126
Working with Projects ..... 128
Creating New Project Versions ..... 128
Creating a Project Version ..... 128
Viewing Project Versions ..... 129
Searching On This Page ..... 130
Reviewing Project Version Details ..... 131
All Scans ..... 131
Issues ..... 132
Scan Templates ..... 133
Schedules ..... 133
Properties ..... 134
Notes ..... 134
Aliases ..... 134
Macros ..... 134
Additional Functions ..... 135
Searching On This Page ..... 135
Viewing Vulnerabilities ..... 136
Viewing Deleted Projects ..... 137
About Dependencies ..... 138
Adding or Editing an Alias ..... 138
When to Set Up Aliases ..... 138
Creating an Alias ..... 139
Working with the Macro Repository ..... 139
Adding a New Macro ..... 139
Downloading a Macro ..... 140
Updating a Macro ..... 140
Deleting a Macro ..... 140
Using Repository Macros in Scans ..... 141
Working with Scans ..... 141
Reviewing the Scan List ..... 141
Scans Form Columns ..... 141
Available Functions ..... 142
Searching On This Page ..... 145
Reviewing Scan Results ..... 146
Toolbar ..... 157
Reviewing the Scan Dashboard ..... 158
Progress Bars ..... 158
Progress Bar Descriptions ..... 158
Progress Bar Colors ..... 159
Activity Meters ..... 159
Scan Status ..... 160
Fortify WebInspect Agent Detected or Not Detected ..... 160
Vulnerabilities Graphics ..... 160
Statistics Panel - Scan Section ..... 160
Statistics Panel - Crawl Section ..... 161
Statistics Panel - Audit Section ..... 161
Statistics Panel - Network Section ..... 162
Adding a Page or Directory ..... 162
Adding a Variation ..... 163
What is a Variation? ..... 163
Procedure ..... 163
Comparing Scans ..... 163
Effect of Scheme, Host, and Port Differences on Scan Comparison ..... 164
Scheme ..... 164
Host ..... 164
Port ..... 164
Selecting Scans to Compare ..... 164
Reviewing the Scan Dashboard ..... 165
Scan Descriptions ..... 165
Venn Diagram ..... 166
Vulnerabilities Bar Chart ..... 166
Compare Modes ..... 167
Session Filtering ..... 167
Using the Session Info Panel ..... 167
Using the Summary Pane to Review Vulnerability Details ..... 168
About Publishing Scans to Fortify Software Security Center ..... 169
Publishing Scans to Fortify Software Security Center ..... 170
Working with Vulnerabilities ..... 171
Reviewing Vulnerabilities ..... 171
Retesting the Session ..... 172
Editing and Adding Vulnerabilities ..... 173
To Edit or Add a Vulnerability ..... 173
To Remove Edits ..... 174
Adding a Vulnerability Note ..... 174
Adding a Vulnerability Screenshot ..... 174
Marking a Vulnerability as a False Positive ..... 175
Recovering Deleted Items ..... 175
About Vulnerability Rollup ..... 176
What Happens to Rolled Up Vulnerabilities ..... 176
Rollup Guidelines ..... 176
Rolling Up Vulnerabilities ..... 177
Undoing Rollup ..... 178
Advanced Settings ..... 178
Scan: General ..... 178
Scan ..... 178
Scan URL ..... 178
Priority ..... 180
Sensor ..... 180
Scan Settings: Method ..... 180
Scan Mode ..... 180
Crawl and Audit Mode ..... 180
Scan Behavior ..... 181
Scan Settings: General ..... 182
Scan Details ..... 182
Crawl Details ..... 182
Audit Details ..... 184
Scan Settings: Content Analyzers ..... 184
Content Analyzers ..... 185
Parser Settings ..... 185
Scan Settings: Requestor ..... 186
Requestor Performance ..... 186
Requestor Settings ..... 186
Stop Scan if Loss of Connectivity Detected ..... 187
Scan Settings: Session Storage ..... 187
Log Rejected Session to Database ..... 188
Session Storage ..... 189
Scan Settings: Session Exclusions ..... 189
Excluded or Rejected File Extensions ..... 189
Excluded MIME Types ..... 189
Excluded or Rejected URLs and Hosts ..... 190
MIME Types ..... 191
Scan Settings: Allowed Hosts ..... 191
Allowable Hosts for Crawl and Audit ..... 191
Scan Settings: HTTP Parsing ..... 192
HTTP Parameters Used for State ..... 192
Determine State from URL Path ..... 193
Scan Settings: Filters ..... 193
Using the Filter Settings ..... 194
Scan Settings: Cookies/Headers ..... 194
Standard Header Parameters ..... 194
Append Custom Headers ..... 195
Append Custom Cookies ..... 195
Scan Settings: Proxy ..... 195
Proxy Settings ..... 196
Scan Settings: Authentication ..... 196
Scan Requires Network Authentication ..... 196
Scan Settings: File Not Found ..... 198
Scan Settings: Policy ..... 199
Scan Policy ..... 199
Crawl Settings: Link Parsing ..... 199
Link Parsing ..... 199
Crawl Settings: Session Exclusions ..... 200
Excluded or Rejected File Extensions ..... 200
Excluded MIME Types ..... 200
Excluded or Rejected URLs and Hosts ..... 200
Audit Settings: Session Exclusions ..... 201
Excluded or Rejected File Extensions ..... 201
Audit Settings: Attack Exclusions ..... 202
Excluded Parameters ..... 202
Excluded Cookies ..... 203
Excluded Headers ..... 203
Audit Inputs Editor ..... 203
Audit Settings: Attack Expressions ..... 203
Additional Regular Expression Languages ..... 204
Audit Settings: Vulnerability Filters ..... 204
Select Vulnerability Filters to Enable ..... 204
Audit Settings: Smart Scan ..... 205
Smart Scan ..... 205
Custom Server/Application Type Definitions (more accurate detection) ..... 205
Scan Behavior: Blackout Action ..... 205
Export: General ..... 206
Export Scan Results ..... 206
Scheduled Scan Settings ..... 206
Scheduled Scan - Schedule: General ..... 207
Scheduled Scan - Schedule: Recurrence ..... 208
Scheduled Scan - Scan: General ..... 208
Scan URL ..... 208
Priority ..... 209
Sensor ..... 210
Scheduled Scan - Scan Settings: Method ..... 210
Scan Mode ..... 210
Crawl and Audit Mode ..... 210
Scan Behavior ..... 211
Scheduled Scan - Scan Settings: General ..... 212
Scan Details ..... 212
Crawl Details ..... 212
Audit Details ..... 214
Scheduled Scan - Scan Settings: Content Analyzers ..... 214
Content Analyzers ..... 215
Parser Settings ..... 215
Scheduled Scan - Scan Settings: Requestor ..... 216
Requestor Performance ..... 216
Requestor Settings ..... 216
Stop Scan if Loss of Connectivity Detected ..... 217
Scheduled Scan - Scan Settings: Session Storage ..... 217
Log Rejected Session to Database ..... 218
Session Storage ..... 219
Scheduled Scan - Scan Settings: Session Exclusions ..... 219
Excluded or Rejected File Extensions ..... 219
Excluded MIME Types ..... 219
Excluded or Rejected URLs and Hosts ..... 220
Scheduled Scan - Scan Settings: Allowed Hosts ..... 221
Allowable Hosts for Crawl and Audit ..... 221
Scheduled Scan - Scan Settings: HTTP Parsing ..... 222
HTTP Parameters Used for State ..... 222
Determine State from URL Path ..... 222
Scheduled Scan - Scan Settings: Filters ..... 223
Using Filters ..... 223
Scheduled Scan - Scan Settings: Cookies/Headers ..... 224
Standard Header Parameters ..... 224
Append Custom Headers ..... 224
Append Custom Cookies ..... 225
Scheduled Scan - Scan Settings: Proxy ..... 225
Proxy Settings ..... 225
Scheduled Scan - Scan Settings: Authentication ..... 226
Scan Requires Network Authentication ..... 226
Scheduled Scan - Scan Settings: File Not Found ..... 227
Scheduled Scan - Scan Settings: Policy ..... 228
Scan Policy ..... 229
Scheduled Scan - Crawl Settings: Link Parsing ..... 229
Link Parsing ..... 229
Scheduled Scan - Crawl Settings: Session Exclusions ..... 229
Excluded or Rejected File Extensions ..... 230
Excluded MIME Types ..... 230
Excluded or Rejected URLs and Hosts ..... 230
Scheduled Scan - Audit Settings: Session Exclusions ..... 231
Excluded or Rejected File Extensions ..... 231
Scheduled Scan - Audit Settings: Attack Exclusions ..... 232
Excluded Parameters ..... 232
Excluded Cookies ..... 232
Excluded Headers ..... 233
Audit Inputs Editor ..... 233
Scheduled Scan - Audit Settings: Attack Expressions ..... 233
Additional Regular Expression Languages ..... 233
Scheduled Scan - Audit Settings: Vulnerability Filters ..... 234
Select Vulnerability Filters to Enable ..... 234
Scheduled Scan - Audit Settings: Smart Scan ..... 234
Smart Scan ..... 235
Custom Server/Application Type Definitions (more accurate detection) ..... 235
Scheduled Scan - Scan Behavior: Blackout Action ..... 235
Scheduled Scan - Export: General ..... 236
Export Scan Results ..... 236
Scan Template Settings ..... 236
Scan Template - Scan: General ..... 236
Scan URL ..... 237
Scan Template - Scan Settings: Method ..... 238
Scan Mode ..... 238
Crawl and Audit Mode ..... 239
Scan Behavior ..... 239
Scan Template - Scan Settings: General ..... 240
Scan Details ..... 240
Crawl Details ..... 241
Audit Details ..... 243
Scan Template - Scan Settings: Content Analyzers ..... 243
Content Analyzers ..... 243
Parser Settings ..... 243
Scan Template - Scan Settings: Requestor ..... 244
Requestor Performance ..... 244
Requestor Settings ..... 245
Stop Scan if Loss of Connectivity Detected ..... 245
Scan Template - Scan Settings: Session Storage ..... 246
Log Rejected Session to Database ..... 246
Session Storage ..... 247
Scan Template - Scan Settings: Session Exclusions ..... 248
Excluded or Rejected File Extensions ..... 248
Excluded MIME Types ..... 248
Excluded or Rejected URLs and Hosts ..... 248
Scan Template - Scan Settings: Allowed Hosts ..... 249
Allowable Hosts for Crawl and Audit ..... 250
Scan Template - Scan Settings: HTTP Parsing ..... 250
HTTP Parameters Used for State ..... 250
Determine State from URL Path ..... 251
Scan Template - Scan Settings: Filters ..... 252
Scan Template - Scan Settings: Cookies/Headers ..... 252
Standard Header Parameters ..... 253
Append Custom Headers ..... 253
Append Custom Cookies ..... 253
Scan Template - Scan Settings: Proxy ..... 254
Proxy Settings ..... 254
Scan Template - Scan Settings: Authentication ..... 255
Scan Requires Network Authentication ..... 255
Scan Template - Scan Settings: File Not Found ..... 256
Scan Template - Scan Settings: Policy ..... 257
Scan Policy ..... 257
Scan Template - Crawl Settings: Link Parsing ..... 258
Link Parsing ..... 258
Scan Template - Crawl Settings: Session Exclusions ..... 258
Excluded or Rejected File Extensions ..... 259
Scan Template - Audit Settings: Session Exclusions ..... 259
Excluded or Rejected File Extensions ..... 260
Scan Template - Audit Settings: Attack Exclusions ..... 261
Excluded Parameters ..... 261
Excluded Cookies ..... 261
Excluded Headers ..... 262
Audit Inputs Editor ..... 262
Scan Template - Audit Settings: Attack Expressions ..... 262
Additional Regular Expression Languages ..... 262
Scan Template - Audit Settings: Vulnerability Filters ..... 263
Select Vulnerability Filters to Enable ..... 263
Scan Template - Audit Settings: Smart Scan ..... 263
Smart Scan ..... 264
Custom Server/Application Type Definitions (more accurate detection) ..... 264
Blackout Settings ..... 264
Blackout: General ..... 264
Creating a Blackout Period ..... 265
Blackout: Recurrence ..... 266
Recurring ..... 266
Chapter 5: WebInspect Enterprise Thin Client ..... 267
About the Thin Client Download ..... 267
Launching a Guided Scan ..... 267
Selecting the Type of Guided Scan to Run ..... 268
Generating a Report ..... 268
Configuring a Guided Scan ..... 269
Predefined Templates for Scanning Web Sites ..... 269
Mobile Templates for Scanning Mobile Sites or Recording Back-End Traffic ..... 270
Configuring Web Site Scans Using a Predefined Template ..... 270
Toolbar Buttons ..... 270
Overview of Guided Scan Stages and Steps ..... 271
Site ..... 273
Login ..... 275
Workflows ..... 280
Active Learning ..... 281
Settings ..... 284
Configuring Mobile Web Site Scans Using a Mobile Template ..... 284
About Mobile Web Site Scans ..... 285
Creating a Mobile Web Site Scan ..... 286
About the Site Stage ..... 287
About the Login Stage ..... 289
About the Workflows Stage ..... 294
About the Active Learning Stage ..... 295
About the Settings Stage ..... 297
Configuring Native Scans Using a Mobile Template ..... 298
About Native Scans ..... 298
Supported Devices ..... 299
Supported Development Emulators ..... 299
Creating a Native Scan ..... 299
About the Native Mobile Stage ..... 300
About the Login Stage ..... 302
Application Authentication Step ..... 304
About the Application Stage ..... 307
About the Settings Stage ..... 308
Post Scan Steps ..... 309
About Privilege Escalation Scans ..... 309
Two Modes of Privilege Escalation Scans ..... 309
What to Expect During the Scan ..... 310
Advanced Guided Scan Settings ..... 310
Scan Settings: Method ..... 310
Scan Mode ..... 310
Crawl and Audit Mode ..... 311
Crawl and Audit Details ..... 311
Navigation ..... 312
SSL/TLS Protocols ..... 313
Scan Settings: General ..... 313
Scan Details ..... 313
Crawl Details ..... 314
Audit Details ..... 317
Scan Settings: Content Analyzers ..... 318
Flash ..... 318
JavaScript/VBScript ..... 318
Silverlight ..... 319
Scan Settings: Requestor ..... 319
Requestor Performance ..... 320
Requestor Settings ..... 320
Stop Scan if Loss of Connectivity Detected ..... 321
Scan Settings: Session Storage ..... 322
Log Rejected Session to Database ..... 322
Session Storage ..... 323
Scan Settings: Session Exclusions ..... 323
Excluded or Rejected File Extensions ..... 324
Excluded MIME Types ..... 324
Other Exclusion/Rejection Criteria ..... 324
Editing Criteria ..... 324
Adding Criteria ..... 325
Scan Settings: Allowed Hosts ..... 326
Using the Allowed Host Setting ..... 327
Adding Allowed Domains ..... 327
Editing or Removing Domains ..... 327
Scan Settings: HTTP Parsing ..... 327
Options ..... 328
Scan Settings: Custom Parameters ..... 330
URL Rewriting ..... 330
Examples: ..... 330
RESTful Services ..... 331
Enable automatic seeding of rules that were not used during scan ..... 332
Double Encode URL Parameters ..... 332
Scan Settings: Filters ..... 333
Options ..... 333
Adding Rules for Finding and Replacing Keywords ..... 333
Scan Settings: Cookies/Headers ..... 334
Standard Header Parameters ..... 334
Append Custom Headers ..... 334
Adding a Custom Header ..... 335
Append Custom Cookies ..... 335
Adding a Custom Cookie ..... 335
Scan Settings: Proxy ..... 335
Options ..... 335
Scan Settings: Authentication ..... 338
Network Authentication ..... 338
Authentication Method ..... 338
Authentication Credentials ..... 340
Client Certificate ..... 340
Task 1: Find your certificate's serial number ..... 341
Task 2: Create an entry in the SPI.Net.Proxy.Config file ..... 341
Use a Login Macro for Forms Authentication ..... 341
Login Macro Parameters ..... 341
Use a Startup Macro ..... 342
Scan Settings: File Not Found ..... 342
Options ..... 342
Scan Settings: Policy ..... 343
Creating a Policy ..... 343
Editing a Policy ..... 344
Importing a Policy ..... 344
Deleting a Policy ..... 344
Crawl Settings: Link Parsing ..... 344
Adding a Specialized Link Identifier ..... 345
Crawl Settings: Link Sources ..... 345
What is Link Parsing? ..... 345
Pattern-based Parsing ..... 345
DOM-based Parsing ..... 346
Form Actions, Script Includes, and Stylesheets ..... 348
Miscellaneous Options ..... 349
Limitations of Link Source Settings ..... 350
Crawl Settings: Session Exclusions ..... 350
Excluded or Rejected File Extensions ..... 350
Adding a File Extension to Exclude/Reject ..... 350
Excluded MIME Types ..... 350
Adding a MIME Type to Exclude ..... 351
Other Exclusion/Rejection Criteria ..... 351
Editing the Default Criteria ..... 351
Adding Exclusion/Rejection Criteria ..... 351
Audit Settings: Session Exclusions ..... 353
Excluded or Rejected File Extensions ..... 353
Adding a File Extension to Exclude/Reject ..... 353
Excluded MIME Types ..... 354
Adding a MIME Type to Exclude ..... 354
Other Exclusion/Rejection Criteria ..... 354
Editing the Default Criteria ..... 354
Adding Exclusion/Rejection Criteria ..... 354
Audit Settings: Attack Exclusions ..... 356
Excluded Parameters ..... 356
Adding Parameters to Exclude ..... 356
Excluded Cookies ..... 357
Excluding Certain Cookies ..... 357
Excluded Headers ..... 357
Excluding Certain Headers ..... 358
Audit Inputs Editor ..... 358
Audit Settings: Attack Expressions ..... 358
Additional Regular Expression Languages ..... 359
Audit Settings: Vulnerability Filtering ..... 359
Adding a Vulnerability Filter ..... 359
Audit Settings: Smart Scan ..... 360
Enable Smart Scan ..... 360
Use regular expressions on HTTP responses to identify server/application types ..... 360
Use server analyzer fingerprinting and request sampling to identify server/application types ..... 360
Custom server/application type definitions (more accurate detection) ..... 360
Send Documentation Feedback ..... 362
Preface
Contacting HPE Security Fortify Support
If you have questions or comments about using this product, contact HPE Security Fortify Technical
Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hpe.com
To Call Support
1.844.260.7219
For More Information
For more information about HPE Security software products: http://www.hpe.com/software/fortify
About the Documentation Set
The HPE Security Fortify Software documentation set contains installation, user, and deployment
guides for all HPE Security Fortify Software products and components. In addition, you will find
technical notes and release notes that describe new features, known issues, and last-minute updates.
You can access the latest versions of these documents from the following HPE Security user community
website:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will need to register for an account.
Change Log
The following table lists changes made to this document. Revisions to this document are published
between software releases only if the changes made affect product functionality.
Software Release / Document Version | Changes
16.20 | Added: Recommendation about not retesting vulnerabilities in scans from earlier versions of Fortify WebInspect. See "Reviewing Scan Results" on page 146 and "Reviewing Vulnerabilities" on page 171.
16.10 | Added: Information about using the Enhance Coverage of Your Web Site feature in Guided Scan with the Privilege Escalation policy. See "About Privilege Escalation Scans" on page 309.
Chapter 1: About Fortify WebInspect Enterprise
HPE Security Fortify WebInspect Enterprise employs a distributed network of Fortify WebInspect sensors controlled by a system manager with a centralized database. Fortify WebInspect Enterprise must be integrated with HPE Security Fortify Software Security Center, and it provides Fortify Software Security Center with information detected through dynamic scans of Web sites and Web services.
Benefits of Fortify WebInspect Enterprise
This innovative architecture allows you to:
• Conduct a large number of automated security scans using any number of sensors in various locations to scan Web applications and Web services.
• Manage large or small deployments of Fortify WebInspect sensors across your organization, controlling product updates, scan policies, scan permissions, tools usage, and scan results, all centrally from the Fortify WebInspect Enterprise Administrative Console.
• Detect, track, and manage your new and existing Web applications and monitor all activity associated with them.
• Independently schedule scans and blackout periods, manually launch scans, and update repository information by using Fortify WebInspect or the Fortify WebInspect Enterprise Administrative Console.
• Limit exposure to enterprise-sensitive components and data by using centrally defined roles for users.
• Obtain an accurate snapshot of the organization's risk and policy compliance through a centralized database of scan results and trend analysis.
• Facilitate integration with third-party products and deployment of customized Web-based front ends using the WebServices application programming interface (API).
Fortify WebInspect Enterprise Components
Fortify WebInspect Enterprise comprises the following:
• The Fortify WebInspect Enterprise Administrative Console, also known as the WebInspect Enterprise Console. The Administrative Console is used for administrative and security functions. See About the User Interface.
• The Fortify WebInspect Enterprise Services Manager, also known as the WebInspect Enterprise Services Configuration Utility. This interface is used to configure or modify services associated with Fortify WebInspect Enterprise.
• The Fortify WebInspect Enterprise Web Console, also known as the Web Console. This is a browser-based interface designed for non-administrative functions such as running and managing scans, and for which this Help system is provided.
• The Fortify WebInspect Enterprise Thin Client download, which provides the following:
  • Guided Scan. This function directs you through the best steps to configure a scan that is tailored to your application, and is the preferred alternative to the standard Web Site scan.
  • Report generation. This function creates a new report from a scan the user selects. The reports available in Fortify WebInspect Enterprise are a subset of the reports available in Fortify WebInspect.
  The first time a user launches Guided Scan (or creates a report) from Fortify WebInspect Enterprise or Fortify Software Security Center, the Fortify WebInspect Enterprise Thin Client application:
  • Runs a wizard that verifies the user's computer meets the prerequisites for installing the Thin Client.
  • Downloads and installs itself on the user's computer, along with a Help system.
  • Launches either Guided Scan or reporting, depending on which the user selected.
• Fortify WebInspect sensors. A Fortify WebInspect sensor is the Fortify WebInspect application when connected to Fortify WebInspect Enterprise for the purpose of performing remotely scheduled or requested scans with no direct user interaction through the Fortify WebInspect graphical user interface. The sensor receives its instructions exclusively from the configurable connection to Fortify WebInspect Enterprise.
• Microsoft SQL Server.
A scan consists of a crawl and an audit, and you can also run only a crawl or only an audit. A crawl
identifies the structure of the target Web site. An audit is the identification of vulnerabilities.
Fortify WebInspect Enterprise uses SmartUpdate technology to keep your threat protection current.
See "Managing SmartUpdates" on page 32.
For information about system requirements, see the HPE Security Fortify Software System
Requirements. For information about installing or upgrading Fortify WebInspect Enterprise, see the
HPE Security Fortify WebInspect Enterprise Installation and Implementation Guide. You can access
these documents from the Resources link on the Administrative Console.
See Also
"About Scanning: Considerations and Tips" below
Using Help
About the User Interface
About Scanning: Considerations and Tips
HPE Security Fortify WebInspect is an aggressive Web application analyzer that rigorously inspects your entire Web site for real and potential security vulnerabilities. This procedure is intrusive to varying degrees. The scan policy and other options you select can affect server and application throughput and efficiency. When using the most aggressive policies, you should perform this analysis in a controlled environment while monitoring your servers.
Increased Network Traffic
The Fortify WebInspect Enterprise manager typically experiences a large amount of traffic from the
Fortify WebInspect Enterprise Administrative Console and the Fortify WebInspect sensor.
Increased Form Input
Most Web applications contain HTML or JavaScript forms composed of special elements called input
controls (text boxes, buttons, drop-down lists, etc.). Users generally “complete” a form by modifying its
input controls (such as entering text or checking boxes) before submitting the form to an agent for
processing. Usually, this processing will lead the user to another page or section of the application. For
example, after completing a logon form, the user will proceed to the application’s beginning page.
To conduct a thorough scan, Fortify WebInspect attempts to identify every page, form, file, and folder
in your application. If you select the option to submit forms during a crawl of your site, Fortify
WebInspect will complete and submit all forms it encounters.
To navigate through all possible links in the application, Fortify WebInspect submits appropriate data
for each form by using a file containing the names of input controls and the associated values that need
to be submitted during the scan. Fortify WebInspect includes a default Web form file containing sample
name/value pairs. You can use the Web Form Editor to create and edit your own file containing web
form values. The pre-defined forms enable Fortify WebInspect to navigate seamlessly through your
application, but they may also produce the following consequences:
l When a user normally submits a form, if the application creates and sends email messages or bulletin
board postings (to a product support or sales group, for example), Fortify WebInspect will also
generate these messages as part of the audit.
Tip: If your system generates email messages in response to user-submitted forms, you might want
to disable your mail server. Alternatively, you could redirect all emails to a queue and then, after the
audit, manually review and delete those emails that were generated in response to forms submitted
by Fortify WebInspect.
l If normal form submission causes records to be added to a database, then forms submitted by Fortify
WebInspect will create spurious records.
During the audit phase of a scan, Fortify WebInspect resubmits forms numerous times, manipulating
every possible parameter to reveal problems in the application. This will greatly increase the number
of messages and database records created.
Tip: For systems that write records to a back-end server (database, LDAP, etc.) based on forms
submitted by clients, some users, before auditing their production system, create a backup copy of
the database and then reinstall it after the audit is complete. If this is not feasible, you can query your
servers after the audit, searching for and deleting records that contain one or more of the default
form values used by Fortify WebInspect. You can determine these values by using the Web Form
Editor.
Increased HTTP Requests and Invalid Input
During an audit of any type, Fortify WebInspect submits a large number of requests, many of which
have "invalid" parameters. On slower systems, the volume of HTTP requests may degrade or deny
access to the system by other users. Additionally, if you are using an intrusion detection system, it will
identify numerous illegal access attempts.
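The request volume and the invalid-parameter traffic described above are visible in the web server's access log, and the practical check before an audit is to confirm which address produces them (so that only the sensor is allowlisted in the IDS) and, after the audit, whether other clients were failed while the scan ran. The following is an added example written for this guide, not code shipped with Fortify WebInspect or Fortify WebInspect Enterprise. It assumes Apache/IIS-style combined log lines; the log text, the sensor address 10.0.0.5 and the client 192.0.2.10 are constructed for illustration, as are the rate and error-share thresholds.

```python
"""Access-log triage for a scan window. This is an added example for this guide,
not Fortify code. It assumes Apache/IIS-style combined log lines; the log below is
constructed, with 10.0.0.5 standing in for the sensor's address."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): the sensor re-submits one login form
# with invalid parameters and probes for the file it uploaded, while an ordinary
# user at 192.0.2.10 gets a 503 part-way through the scan.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2016:10:00:00 +0000] "GET /login.aspx?user=%27+OR+1%3D1-- HTTP/1.1" 500 512
10.0.0.5 - - [12/Sep/2016:10:00:00 +0000] "GET /login.aspx?user=..%2F..%2Fwin.ini HTTP/1.1" 404 210
10.0.0.5 - - [12/Sep/2016:10:00:01 +0000] "POST /contact.aspx HTTP/1.1" 200 1024
10.0.0.5 - - [12/Sep/2016:10:00:01 +0000] "POST /contact.aspx HTTP/1.1" 400 301
10.0.0.5 - - [12/Sep/2016:10:00:02 +0000] "PUT /uploads/CreatedByHP_1.txt HTTP/1.1" 201 0
10.0.0.5 - - [12/Sep/2016:10:00:02 +0000] "GET /uploads/CreatedByHP_1.txt HTTP/1.1" 404 210
192.0.2.10 - - [12/Sep/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.10 - - [12/Sep/2016:10:00:05 +0000] "GET /products.aspx HTTP/1.1" 503 120
"""


def parse(lines: Iterable[str]) -> List[dict]:
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                            "path": m["path"], "status": int(m["status"])})
    return records


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per client: request count, requests per second over its active span, and the
    share of 4xx/5xx responses (what an IDS reports as illegal access attempts)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    summary = {}
    for ip, recs in by_ip.items():
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        errors = sum(1 for r in recs if r["status"] >= 400)
        summary[ip] = {"requests": len(recs), "rps": len(recs) / max(span, 1.0),
                       "error_ratio": errors / len(recs)}
    return summary


def scanner_like(summary: Dict[str, dict], min_rps: float = 2.0,
                 min_error_ratio: float = 0.5) -> List[str]:
    """Clients whose rate and error share look like an audit; confirm these are your
    sensors' addresses (and only those) before allowlisting them in the IDS."""
    return sorted(ip for ip, s in summary.items()
                  if s["rps"] >= min_rps and s["error_ratio"] >= min_error_ratio)


def collateral_errors(records: List[dict], sensor_ips: Iterable[str]) -> List[dict]:
    """5xx responses served to clients other than the sensors during the window: the
    'degrade or deny access to other users' effect the guide warns about."""
    sensors = set(sensor_ips)
    return [r for r in records if r["ip"] not in sensors and r["status"] >= 500]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    summary = summarize(recs)
    sensors = scanner_like(summary)
    print("scanner-like clients:", sensors)
    for r in collateral_errors(recs, sensors):
        print("collateral failure:", r["ip"], r["status"], r["path"])
```

Run it against the real access log for the scan window (one line per request) instead of SAMPLE_LOG; the thresholds are deliberately loose and should be tuned to the site's normal traffic before the result is used to allowlist anything.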
Uploading of Files
Fortify WebInspect tests for certain vulnerabilities by attempting to upload files to your server. If your
server allows such uploading, Fortify WebInspect will record this susceptibility and attempt to delete the
uploaded file. Sometimes, however, the server will not allow a file to be deleted.
Tip: If your server allows uploading files, your post-scan maintenance should include searching for and
deleting files whose name begins with "CreatedByHP."
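The two post-scan cleanup tasks recommended above (deleting the records that forms submitted by Fortify WebInspect created, and deleting files whose name begins with "CreatedByHP") are easy to script once you know the default form values from the Web Form Editor. The following is an added example written for this guide, not code shipped with Fortify WebInspect. It assumes a web root you can walk on the server's filesystem and a SQLite-compatible database; SAMPLE_MARKERS, the contacts table and the sample files are constructed stand-ins, not the product's real defaults. Table and column names are validated against the schema before they are interpolated, because identifiers cannot be bound as query parameters.

```python
"""Post-scan cleanup checks for the two side effects described above: files the
scanner uploaded and database rows it created by submitting forms. This is an added
example for this guide, not code shipped with Fortify WebInspect. It assumes a web
root you can walk and a SQLite-compatible database; SAMPLE_MARKERS are constructed
stand-ins for the default form values you would read out of the Web Form Editor."""
import os
import sqlite3
import tempfile
from typing import Iterable, List, Tuple

UPLOAD_PREFIX = "CreatedByHP"   # file-name prefix the guide tells you to search for

# Constructed marker values (assumption, not the real WebInspect defaults).
SAMPLE_MARKERS = ["wi-form-user@example.test", "555-0100"]


def find_uploaded_files(web_root: str) -> List[str]:
    """Return every file under web_root whose name starts with UPLOAD_PREFIX."""
    hits = []
    for dirpath, _subdirs, files in os.walk(web_root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.startswith(UPLOAD_PREFIX))
    return sorted(hits)


def remove_uploaded_files(web_root: str, delete: bool = False) -> List[str]:
    """Report the scanner's uploads; delete them only when delete=True is passed."""
    hits = find_uploaded_files(web_root)
    if delete:
        for path in hits:
            os.remove(path)
    return hits


def _validated_columns(conn, table: str, columns: Iterable[str]) -> List[str]:
    """Identifiers cannot be bound as SQL parameters, so check them against the
    schema before interpolating; this is what keeps the cleanup query injection-safe."""
    columns = list(columns)
    tables = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in tables:
        raise ValueError(f"unknown table: {table!r}")
    known = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
    bad = [c for c in columns if c not in known]
    if bad:
        raise ValueError(f"unknown columns in {table}: {bad}")
    return columns


def _where(columns: List[str], markers: List[str]):
    """OR together instr(col, ?) > 0 for every column/marker pair; values are bound."""
    preds = [f'instr("{c}", ?) > 0' for c in columns for _ in markers]
    params = [m for _ in columns for m in markers]
    return " OR ".join(preds), params


def find_spurious_rows(conn, table: str, columns: Iterable[str],
                       markers: Iterable[str]) -> List[Tuple]:
    """Rows (rowid first) in which any audited column contains a marker value."""
    cols = _validated_columns(conn, table, columns)
    where, params = _where(cols, list(markers))
    return conn.execute(f'SELECT rowid, * FROM "{table}" WHERE {where}', params).fetchall()


def delete_spurious_rows(conn, table: str, columns: Iterable[str],
                         markers: Iterable[str]) -> int:
    """Delete the same rows inside one transaction; returns the number removed."""
    cols = _validated_columns(conn, table, columns)
    where, params = _where(cols, list(markers))
    with conn:
        return conn.execute(f'DELETE FROM "{table}" WHERE {where}', params).rowcount


def make_sample_web_root() -> str:
    """Constructed web root: two scanner uploads (one in a subfolder) and one real file."""
    root = tempfile.mkdtemp(prefix="wi-cleanup-")
    os.mkdir(os.path.join(root, "uploads"))
    for rel in ("CreatedByHP_1.txt", os.path.join("uploads", "CreatedByHP-2.aspx"), "index.html"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


def make_sample_db() -> sqlite3.Connection:
    """Constructed contacts table: one real row and two created by scanner form submissions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, phone TEXT, message TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", [
        ("Real Customer", "customer@example.org", "202-555-0199", "please call me"),
        ("first", "wi-form-user@example.test", "555-0100", "text"),
        ("last", "other@example.org", "555-0100", "text"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    root = make_sample_web_root()
    print("uploads found (report only):", remove_uploaded_files(root))
    conn = make_sample_db()
    audited = ["email", "phone"]
    print("spurious rows:", find_spurious_rows(conn, "contacts", audited, SAMPLE_MARKERS))
    print("deleted:", delete_spurious_rows(conn, "contacts", audited, SAMPLE_MARKERS))
```

Both helpers default to reporting rather than deleting; review the list of matches first, because a marker value that also occurs in legitimate data (a common phone number, for example) would match real records too.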
Tip: In general, you can restrict the crawl and/or audit phases of a scan to a particular directory, or to a
directory and its subdirectories in the directory tree, or to its parents in the directory tree. You can also
specify particular URLs, host names, file extensions, and other entities to exclude from a crawl and/or an
audit.
See Also
"About Fortify WebInspect Enterprise" on page 19
Related Documents
This topic describes documents that provide information about HPE Security Fortify WebInspect
Enterprise.
Note: The Protect724 site location is https://www.protect724.hpe.com/community/fortify/fortifyproduct-documentation.
All Products
The following documents provide general information for all products.
Document / File Name: HPE Security Fortify Software System Requirements
(HPE_Sys_Reqs_<version>.pdf)
Description: This document provides the details about the environments and products supported for this
version of HPE Security Fortify Software.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify Software Release Notes
(HPE_FortifySW_RN_<version>.txt)
Description: This document provides an overview of the changes made to HPE Security Fortify Software for
this release and important information not included elsewhere in the product documentation.
Location: Included on the Protect724 site
Document / File Name: What’s New in HPE Security Fortify Software <version>
(HPE_Whats_New_<version>.pdf)
Description: This document describes the new features in HPE Security Fortify Software products.
Location: Included on the Protect724 site
Document / File Name: HPE Security Fortify Open Source and Third-Party License Agreements
(HPE_OpenSrc_<version>.pdf)
Description: This document provides open source and third-party software license agreements for software
components used in HPE Security Fortify Software.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify Glossary (HPE_Glossary.pdf)
Description: This document provides definitions for HPE Security Fortify Software terms.
Location: Included with product download and on the Protect724 site
HPE Security Fortify WebInspect
The following documents provide information about Fortify WebInspect.
Document / File Name: HPE Security Fortify WebInspect Installation Guide
(HPE_WI_Install_<version>.pdf; PDF only, no help file)
Description: This document provides an overview of Fortify WebInspect and instructions for installing
Fortify WebInspect and activating the product license.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect User Guide
(HPE_WI_Guide_<version>.pdf; help file available in product)
Description: This document describes how to configure and use HPE Security Fortify WebInspect to scan
and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect help. This PDF file is provided so you
can easily print multiple topics from the help information or read the help in PDF format. Because this
content was originally created to be viewed as help in a web browser, some topics may not be formatted
properly. Additionally, some interactive topics and linked content may not be present in this PDF version.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Tools Guide
(HPE_WI_Tools_Guide_<version>.pdf; help files available in individual tools)
Description: This document describes how to use the Fortify WebInspect diagnostic and penetration
testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect
Enterprise.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Runtime Agent Installation Guide
(HPE_WI_RT_Agent_Install_<version>.pdf; HPE_WI_RT_Agent_Install_Help_<version>)
Description: This document describes how to install the Fortify WebInspect Runtime Agent for
applications running under a supported Java Runtime Environment (JRE) on a supported application
server or service and applications running under a supported .NET Framework on a supported version of
IIS.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Agent Rulepack Kit Guide
(HPE_WI_Agent_Rulepack_Guide_<version>.pdf; PDF only, no help file)
Description: This document describes the detection capabilities of Fortify WebInspect Agent Rulepack
Kit. Fortify WebInspect Agent Rulepack Kit runs atop HPE Security Fortify’s Runtime Agent, allowing it
to monitor your code for software security vulnerabilities as it runs. Fortify WebInspect Agent Rulepack
Kit provides the runtime technology to help connect your dynamic results to your static ones.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Open Source and Third-Party Software License
Agreements (HPE_WI_OpenSrc_<version>.pdf; PDF only, no help file)
Description: This document provides open source and third-party software license agreements for
software components used in Fortify WebInspect.
Location: Included with product download and on the Protect724 site
HPE Security Fortify WebInspect Enterprise
The following documents provide information about Fortify WebInspect Enterprise.
Document / File Name: HPE Security Fortify WebInspect Enterprise Installation and Implementation Guide
(HPE_WIE_Install_<version>.pdf; PDF only, no help file)
Description: This document provides an overview of Fortify WebInspect Enterprise and instructions for
installing Fortify WebInspect Enterprise, integrating it with Fortify Software Security Center and Fortify
WebInspect, and troubleshooting the installation. It also describes how to configure the components of
the Fortify WebInspect Enterprise system, which include the Fortify WebInspect Enterprise application,
database, sensors, and users.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Enterprise User Guide
(HPE_WIE_Guide_<version>.pdf; help files available in product)
Description: This document describes how to use Fortify WebInspect Enterprise to manage a distributed
network of Fortify WebInspect sensors to scan and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect Enterprise help. This PDF file is
provided so you can easily print multiple topics from the help information or read the help in PDF
format. Because this content was originally created to be viewed as help in a web browser, some topics
may not be formatted properly. Additionally, some interactive topics and linked content may not be
present in this PDF version.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Tools Guide
(HPE_WI_Tools_Guide_<version>.pdf; help files available in individual tools)
Description: This document describes how to use the Fortify WebInspect diagnostic and penetration
testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect
Enterprise.
Location: Included with product download and on the Protect724 site
Document / File Name: HPE Security Fortify WebInspect Enterprise Open Source and Third-Party Software
License Agreements (HPE_WIE_OpenSrc_<version>.pdf; PDF only, no help file)
Description: This document provides open source and third-party software license agreements for
software components used in Fortify WebInspect Enterprise.
Location: Included with product download and on the Protect724 site
Chapter 2: WebInspect Enterprise Administrative Console
The WebInspect Enterprise Administrative Console, also known as the WebInspect Enterprise Console,
is used for administrative and security functions.
About the User Interface
The Administrative Console user interface comprises the following main areas:
l Menu bar
l Toolbar
l Shortcut pane
l Groups pane
l Form
The following image identifies the (1) Shortcuts, (2) Groups, and (3) Form.
About the Groups and Their Shortcuts
The buttons in the Groups pane represent groups of Fortify WebInspect Enterprise functions.
When you click a group button, the associated shortcuts appear above.
Click a shortcut to display a form containing related information or controls associated with the selected
function.
In the screen capture above, the user selected the Administration group and then clicked the Roles
and Permissions shortcut to display a form that allows you to manage the roles of administrative
resources and the specific activities they are allowed to perform.
Scans Group
The Scans group has the following shortcuts:
l Scan Queue (See "About Controlling Scans Using the Scan Queue" on page 63.)
l Scan Policies (See "About Managing Scan Policies" on page 64.)
Sensors Group
The Sensors group has the following shortcut:
l Sensors (See "About Sensor Management " on page 69.)
Administration Group
The Administration group has the following shortcuts:
l Activity Log (See "Managing the Activity Log" on page 85.)
l Connected Users (See "About Managing Connected Users" on page 83.)
l Licensing (See "Viewing License Information" on page 84.)
l SmartUpdate (See "Managing SmartUpdates" on page 32.)
l SmartUpdate Approval (See "Approving and Declining SmartUpdates" on page 35.)
l Export Paths (See "Adding, Editing, and Deleting Export Paths for Saving Scans" on page 68.)
l E-Mail Alerts (See "Adding, Editing, and Deleting E-mail Alerts" on page 71.)
l SNMP Alerts (See "Adding, Editing, and Deleting SNMP Alerts" on page 75.)
l Sensor Users (See "Managing Sensor Users" on page 71.)
l Roles and Permissions (See "About Roles and Permissions" on page 36.)
l Proxy Server Settings (See "Managing Proxy Server Settings" on page 36.)
l Software Security Center (See "Configuring Settings for Fortify Software Security Center" on
page 77.)
l Site Migration (See "About Migrating AMP Sites" on page 80.)
Note: The Site Migration shortcut is available only if Fortify WebInspect Enterprise was
installed as a migration from Assessment Management Platform (AMP) and there are still AMP
sites that can be migrated to Fortify WebInspect Enterprise project versions, and only if the
logged-in user is a Fortify WebInspect Enterprise system administrator and a group
administrator for the AMP site.
The procedures in this Help system describe how to use the form accessed by each shortcut. The
availability of particular actions can depend on the permissions granted to you by your assigned role
and on other factors (although system administrators have no restrictions on the functions they can
perform).
Menu Bar and Toolbar
The menus and toolbar buttons are described in the following table.
Menu/Button
Description
File
Allows you to:
l Log off from the Administrative Console.
l Refresh the display.
l Import to Fortify Software Security Center a set of projects that were
sites discovered by the Web Discovery tool. (This option is also available
when you select the Software Security Center shortcut in the
Administration group.)
l Exit the application.
Tools
Allows you to:
l Manually initiate a SmartUpdate. See "Managing SmartUpdates" on
page 32.
l Change the refresh rate for the console. See "Changing the Screen
Refresh Rate " on the next page.
l Launch various tools described in the HPE Security Fortify WebInspect
Tools Guide.
Help
Allows you to:
l Open this Help file.
l Open your e-mail application to send an e-mail to HPE Security Fortify
Support.
l Open the About WebInspect Enterprise Console dialog.
Log On / Log Off
Log on to or log off from the Administrative Console.
Refresh
Refresh the screen.
SmartUpdate
Manually initiate a SmartUpdate. See "Managing SmartUpdates" on
page 32.
Web Console
Log on to the Fortify WebInspect Enterprise Web Console, which allows
you and authorized users to configure, run, and manage scans from a
browser. The Web Console has its own, separate Help system.
See Also
"About Fortify WebInspect Enterprise" on page 19
"Logging On" below
"Changing the Screen Refresh Rate " below
"Grouping and Sorting Items in Lists" on the next page
Logging On
To log on to the Administrative Console:
1. Click Start > HP WebInspect Enterprise 16.20 Console.
The Log On to WebInspect Enterprise window appears.
Note: This window does not appear if you previously selected the option Automatically log
on when this application starts.
2. Using the Log on to list, enter or select the URL of the Fortify WebInspect Enterprise manager.
3. Enter the Username and Password for an account that has permission to access the
Administrative Console. This user is permitted to perform all restricted functions.
4. Select the option Save password as desired.
5. Select the option Automatically log on when this application starts if you want administrators
not to have to enter login credentials in the future.
6. To go through a proxy server to reach the Fortify WebInspect Enterprise manager:
a. Click the Proxy tab.
b. Select one of the following:
o Use the Internet Explorer proxy (to use the proxy server specified in Tools > Internet
Options > Connections > LAN Settings).
o Use the proxy below, and then provide the proxy server's IP address and port number.
c. Provide a valid Username and Password.
7. Click OK.
Tip: If you see a message indicating that the server refused the request, you may have entered
your user name and password incorrectly, or your account has not been assigned to a role.
See Also
About the User Interface
Changing the Screen Refresh Rate
To specify a refresh rate for the Fortify WebInspect Enterprise Administrative Console:
1. After you log on, from the Tools menu, select Options.
The WebInspect Enterprise Options window opens.
2. To refresh the display of Fortify WebInspect Enterprise information periodically, select
Automatically refresh display and specify how often (in seconds) the display should be updated.
3. Click OK.
See Also
About the User Interface
Selecting Which Table Columns to Display
If a window includes a table that has configurable columns and you select the Action > Column Setting
option, use the following buttons on the Column Setting dialog to specify which columns should be
displayed in the table.
The buttons on the dialog do the following:
l Move all current column headings from the Available (left) section to the Selected (right) section to
show all the columns in the table.
l Select specific column headings in the Available (left) section. Then click this button to move those
column headings to the Selected (right) section and add them to the table. (You can select one column
heading and then use Shift + click or Ctrl + click to select multiple headings.)
l Select specific column headings in the Selected (right) section. Then click this button to move those
column headings to the Available (left) section and remove them from the table. (You can select one
column heading and then use Shift + click or Ctrl + click to select multiple headings.)
l Move all current column headings from the Selected (right) section to the Available (left) section to
hide all the columns in the table.
You can also select the Auto Resize Columns check box to make the sum of all column widths
automatically match the width of the window in which the table is displayed.
After you make your changes, click OK.
See Also
About the User Interface
Grouping and Sorting Items in Lists
The Fortify WebInspect Enterprise Administrative Console allows you to group and sort listed items on
some windows. Grouping is designed as a tree structure in the upper section of the window. When
nothing is grouped, this area displays the text "Drag a column header here to group by that column."
To group listed items:
1. Drag the desired column header to the "Drag a column header..." area. The selected column header
becomes the "root" of the tree view in the list.
2. Drag a second column header and place it to the left or right of the first header. Red arrows
indicate the expected insertion point.
l Place it to the right to create a subordinate branch.
l Place it to the left to make the second header the root and the first header the subordinate
branch.
To sort the listed items, click a column header in the tree.
Certain columns cannot be grouped. If you drag these columns, the program displays a circle with an X
(rather than the red arrow indicators).
The same column header may be inserted in more than one spot on the grouping tree view, if desired.
You can also drag column headers to rearrange the order in which columns are listed.
See Also
About the User Interface
Managing SmartUpdates
HPE engineers uncover new vulnerabilities almost every day. They develop attack agents to search for
these malicious threats and then update the HPE corporate database so that you will always be on the
leading edge of Web application security. Use SmartUpdate to obtain HPE's latest adaptive agents and
programs, as well as vulnerability and policy information.
Each time you log in to the Fortify WebInspect Enterprise Administrative Console, the Fortify
WebInspect Enterprise server contacts the HPE data center via the Internet and downloads any
available binary updates, including new or updated adaptive agents, vulnerability checks, and policy
information.
You can also obtain updates to the SecureBase, as well as binary updates for Fortify WebInspect
Enterprise-connected products such as Fortify WebInspect, either manually or automatically on a
schedule you specify.
Note: If you need to use a proxy server to communicate with the HPE SmartUpdate database,
select the Proxy Server Settings shortcut in the Administration group in the Administrative
Console.
Tip: If your Fortify WebInspect Enterprise server is not allowed to connect to the Internet, contact
HPE Security Fortify Support to obtain an offline SmartUpdate utility.
Note: Scans cannot start while sensors are receiving a SmartUpdate. Scheduled scans stay in
"pending" state until SmartUpdate completes. This prevents sensors from picking up partial
SmartUpdates when they update their local SecureBase from Fortify WebInspect Enterprise.
To display the SmartUpdate form, select Administration in the left pane and then select the
SmartUpdate shortcut above.
The top section of the SmartUpdate form lists each update package that has been downloaded from
HPE. Each item includes (by default):
l The date and time the download started.
l The date and time the download completed.
l The status of the event.
l If applicable, an error message describing any problem that occurred.
Select an item in the SmartUpdate History list to display details about that event.
The bottom section of the SmartUpdate form lists any updates that are scheduled. Each item includes
(by default):
l The name assigned to the update.
l How often it is scheduled to occur (if it is a recurring event).
l The date and time it last occurred (if it is a recurring event).
l The next date and time it is scheduled to occur.
Managing the SmartUpdate History and Schedules
To manage the SmartUpdate history and schedules:
1. Select Administration in the left pane and then select the SmartUpdate shortcut above.
2. Click Action and then click one of the following options:
l Clear Completed Updates. Delete from the list the SmartUpdates that have been completed.
l Add Schedule. Schedule a SmartUpdate. See "Adding a SmartUpdate Schedule " on the next
page.
l Edit Schedule. After you select a scheduled SmartUpdate in the SmartUpdate Schedules list,
modify its settings in the SmartUpdate Settings window.
l Delete Schedule. After you select a scheduled SmartUpdate in the SmartUpdate Schedules list,
delete it.
l History Column Setting. Open the Column Setting window, allowing you to specify which
columns should appear in the SmartUpdate History section of the form.
l Schedule Column Setting. Open the Column Setting window, allowing you to specify which
columns should appear in the SmartUpdate Schedules section of the form.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
Performing a Manual SmartUpdate
To perform a manual SmartUpdate:
1. In the Fortify WebInspect Enterprise Administrative Console, click SmartUpdate in the toolbar, or
select Administration in the left pane and then select the SmartUpdate shortcut above.
A message informs you that SmartUpdate was started.
2. Click OK.
3. To view the results of the update:
a. Select Administration in the left pane and then select the Activity Log shortcut above.
b. Examine the messages related to SmartUpdate.
Adding a SmartUpdate Schedule
To add a schedule for SmartUpdates:
1. Select Administration in the left pane and then select the SmartUpdate shortcut above.
2. Click the Add Schedule option in the Action menu.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
The SmartUpdate Settings window opens.
3. Select the General form in the left pane.
a. Type a name for the event in the Scheduled SmartUpdate Name field.
b. In the Start Time field, specify the date and time when SmartUpdate should run.
To change the date, click the drop-down arrow and select a date from the calendar.
c. Select the Time Zone as needed.
d. If you want only one SmartUpdate to occur, skip to Step 5 below.
4. If you want SmartUpdates to recur on a regular schedule:
a. Select the Recurrence form in the left column.
b. Select the Recurring check box.
c. Use the Pattern group to select the frequency of the event (daily, every x days, every weekday,
weekly, every x weeks, monthly, every x months, or yearly) and then provide the associated
details.
d. Use the Range group to specify the starting date and the ending date (or select Never if the
event is to run indefinitely). You can also limit the number of times the SmartUpdate should
occur.
5. Click OK to schedule the update.
See Also
"Approving and Declining SmartUpdates" below
Approving and Declining SmartUpdates
The SmartUpdate Approval form lists all binary updates that have been received for Fortify WebInspect
Enterprise's client products, such as Fortify WebInspect and sensors. None of these applications can be
modified until an administrator specifically approves the update. Items in the list can be grouped
according to product, importance, or approval status.
The possible approval statuses are:
l Not Approved - Update has not yet been reviewed by the administrator.
l Approved - Update has been approved by the administrator and is available to clients.
l Decline - Update has been withheld by the administrator and is not available to clients.
Once administrative approval is obtained, the update becomes available to client applications. For
Fortify WebInspect, the SmartUpdate utility displays a window notifying users that an update is
available. Users may either accept or reject the update. Updates for sensors (which do not have a user
interface) are controlled by the Fortify WebInspect Enterprise Manager. If approved updates are
available, a sensor will be required to download and apply the update before a scan can be assigned.
Typically, administrators prefer to update a single application instance and test it before performing a
system-wide installation. This can be done by manually installing the updates on a test system. Sensor
scans can be tested on a non-approved version of Fortify WebInspect (such as a special build developed
for a specific customer) by selecting the specific sensor when configuring the scan in Fortify WebInspect
Enterprise.
Note: Ordinarily, sensors that are running a non-approved version of Fortify WebInspect (such as a
special build developed for a specific customer) will not be selected to run a scan when you choose
the Can participate in "Any Available" sensor scans option. You can remove that restriction,
however, by selecting the non-approved sensor on the Sensors form and then selecting the option
Can participate in "Any Available" sensor scans. Sensors that are newer than the latest
approved version are then eligible to be selected.
To approve or decline SmartUpdates:
1. Select Administration in the left pane and then select the SmartUpdate Approval shortcut
above.
2. Click Action and then click one of the following options:
l Approve. Make the binary update available to clients.
l Decline. Withhold distribution of the binary update.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
Note: Scans cannot start while sensors are receiving a SmartUpdate. Scheduled scans stay in
“pending” state until SmartUpdate completes. This prevents sensors from picking up partial
SmartUpdates when they update their local SecureBase from Fortify WebInspect Enterprise.
See Also
"Managing SmartUpdates" on page 32
Managing Proxy Server Settings
If you use a proxy server to communicate with HPE for SmartUpdates and licensing issues:
1. Select Administration in the left pane and then select the Proxy Server Settings shortcut above.
2. Select the Use Proxy Server option.
3. Provide the requested information.
4. Click Save.
Note: SmartUpdates are not available if you use a SOCKS4 or SOCKS5 proxy server configuration.
SmartUpdates are available through a proxy server only when using a standard proxy server.
About Roles and Permissions
A role is a named collection of permissions that administrators specify. From the Administrative
Console, select Administration in the left pane and then select the Roles and Permissions shortcut
above to display the Roles and Permissions form. This form allows you to assign administrators and
roles for three levels of Security Group Hierarchy—Fortify WebInspect Enterprise System, organization,
and group. Each level has at least one administrator.
Administrators at each level can define roles, assign users to roles, and configure other security-related
parameters. By assigning other users to roles, administrators can give them access to the Fortify
WebInspect Enterprise system while limiting the functions they are allowed to perform, considering
security. A user can be a member of more than one role.
You can specify one or more organizations, and each organization can have one or more subordinate
groups. At installation, there is one organization named Default Organization, which contains one
group named Default Group.
Each security level has categories of activities, and some of the categories are used in several levels. The
set of activities in each category varies among categories. You can set the permission for an entire
category or for its individual activities to Allowed, Unassigned, or Denied. Examples:
HPE Security Fortify WebInspect Enterprise (16.20)
Page 36 of 362
User Guide
Chapter 2: WebInspect Enterprise Administrative Console
• Fortify WebInspect Enterprise System and organizations include the Policies category. Its activities
are Can Import, Can View, Can Update, and Can Delete. When you create a role for Fortify
WebInspect Enterprise System or an organization, you can set the permission to Allowed,
Unassigned, or Denied for each Policies activity independently, or for the entire Policies category at
once.
• Organizations and groups include the Blackout category. Its activities are Can Create, Can View, Can
Update, and Can Delete. (Notice that this is a slightly different set of activities than the Policies
category of the previous example.) When you create a role for an organization or a group, you can
set the permission to Allowed, Unassigned, or Denied for each Blackout activity independently, or for
the entire Blackout category at once.
Note: Having the set of options Allowed, Unassigned, and Denied for permissions may seem
ambiguous or redundant, but it enables Fortify WebInspect Enterprise to resolve conflicting
permissions when a user is a member of more than one role. The precedences are as follows:
• Allowed outranks Unassigned—If the permission for a particular activity in Role A is Allowed and
the permission for the same activity in Role B is Unassigned, then a user who is a member of both
Role A and Role B can perform the activity.
• Denied outranks Allowed—If the permission for a particular activity in Role A is Allowed, and the
permission for the same activity in Role B is Denied, then a user who is a member of both Role
A and Role B cannot perform the activity.
• Unassigned (only) equals Denied—If a user’s permission for a particular activity is Unassigned
and no other permissions are assigned to that user in another role for the same activity, then the
user cannot perform the activity.
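The three precedence rules above, applied to a user who is a member of several roles, as an added Python example that is not part of this guide or of the product's own code. The sample roles, the explain() helper for administrators, and the use of only the two categories the guide spells out (Policies and Blackouts) are assumptions made for illustration; the same rules are restated in the system-level and organization-level role procedures later in this chapter, and this one example covers them.

```python
"""Effective-permission resolution across multiple roles, following the
precedence rules stated in the WebInspect Enterprise guide:
Denied > Allowed > Unassigned, and Unassigned alone means 'cannot perform'."""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    UNASSIGNED = "Unassigned"
    ALLOWED = "Allowed"
    DENIED = "Denied"


# Activity categories quoted in the guide; other categories (Licensing,
# Sensors, ...) would be added the same way. Constructed for this example.
CATEGORIES = {
    "Policies": ("Can Import", "Can View", "Can Update", "Can Delete"),
    "Blackouts": ("Can Create", "Can View", "Can Update", "Can Delete"),
}


@dataclass
class Role:
    """A named collection of permissions. 'default' is the permission chosen on
    the New Role dialog; 'categories' holds whole-category settings; 'activities'
    holds per-activity settings, which override the category setting."""
    name: str
    default: Permission = Permission.UNASSIGNED
    categories: dict = field(default_factory=dict)   # category -> Permission
    activities: dict = field(default_factory=dict)   # (category, activity) -> Permission

    def permission_for(self, category: str, activity: str) -> Permission:
        key = (category, activity)
        if key in self.activities:
            return self.activities[key]
        return self.categories.get(category, self.default)


def resolve(roles, category: str, activity: str) -> bool:
    """True if a member of all `roles` can perform the activity.
    Any Denied wins; otherwise at least one Allowed is required, so a user whose
    roles are all Unassigned for the activity cannot perform it."""
    perms = {r.permission_for(category, activity) for r in roles}
    if Permission.DENIED in perms:
        return False
    return Permission.ALLOWED in perms


def explain(roles, category: str, activity: str) -> dict:
    """Like resolve(), but also names the roles responsible for the outcome,
    which is what an administrator needs when a user reports 'I cannot do X'."""
    by_perm = {p: [] for p in Permission}
    for r in roles:
        by_perm[r.permission_for(category, activity)].append(r.name)
    return {
        "can_perform": resolve(roles, category, activity),
        "denied_by": by_perm[Permission.DENIED],
        "allowed_by": by_perm[Permission.ALLOWED],
        "unassigned_in": by_perm[Permission.UNASSIGNED],
    }


def effective_permissions(roles) -> dict:
    """Map every (category, activity) pair to the resolved yes/no for this set of roles."""
    return {
        (cat, act): resolve(roles, cat, act)
        for cat, acts in CATEGORIES.items()
        for act in acts
    }


# Constructed sample roles (hypothetical, not from the guide).
AUDITOR = Role("Policy Auditor",
               activities={("Policies", "Can View"): Permission.ALLOWED})
OPERATOR = Role(
    "Blackout Operator",
    categories={"Blackouts": Permission.ALLOWED},      # whole category at once
    activities={("Policies", "Can Delete"): Permission.DENIED,
                ("Policies", "Can Update"): Permission.ALLOWED},
)
# Grants the whole Policies category, but OPERATOR's Denied on Can Delete still wins.
POLICY_EDITOR = Role("Policy Editor", categories={"Policies": Permission.ALLOWED})

if __name__ == "__main__":
    member_of = [AUDITOR, OPERATOR, POLICY_EDITOR]
    for (cat, act), ok in sorted(effective_permissions(member_of).items()):
        print(f"{cat:9} {act:10} -> {'can' if ok else 'cannot'}")
    print(explain(member_of, "Policies", "Can Delete"))
```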
For information about managing roles and permissions at the Fortify WebInspect Enterprise System
level, see "About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on
page 41.
For information about managing roles and permissions at the organization level, see "About
Organization Administrators, Roles, and Permissions" on page 45.
For information about managing roles and permissions at the group level, see "About Group
Administrators, Roles, and Permissions" on page 54.
See Also
"Managing Roles and Permissions" below
"About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on page 41
"About Organization Administrators, Roles, and Permissions" on page 45
"About Group Administrators, Roles, and Permissions" on page 54
Managing Roles and Permissions
To use the roles and permissions functions that are available from the Action menu in the Roles and
Permissions shortcut:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an entry in the Security Group Hierarchy (WebInspect Enterprise System, an organization, or
a group).
3. Click Action or right-click the selected item in the Security Group Hierarchy, and then click one of
the following options:
• Add Organization. After you select WebInspect Enterprise System in the Security Group
Hierarchy, create an organization. See "Adding, Removing, and Renaming Organizations" on
page 46.
• Rename Organization. After you select an organization in the Security Group Hierarchy, change
its name. See "Adding, Removing, and Renaming Organizations" on page 46.
• Remove Organization. After you select an organization in the Security Group Hierarchy,
remove (delete) it. See "Adding, Removing, and Renaming Organizations" on page 46.
• Add Group. After you select an organization in the Security Group Hierarchy, add a new group
to it. See "Adding, Removing, and Renaming Groups" on page 55.
• Rename Group. After you select a group in the Security Group Hierarchy, change its name. See
"Adding, Removing, and Renaming Groups" on page 55.
• Remove Group. After you select a group in the Security Group Hierarchy, remove (delete) it. See
"Adding, Removing, and Renaming Groups" on page 55.
• Add User(s) to Roles. After you select an item in the Security Group Hierarchy, add a user to
multiple roles simultaneously. See "Adding a User Or Group To Multiple Roles" on page 40.
• Role Membership and Removal. After you select an item in the Security Group Hierarchy, click
this option, specify a user name or group name, and display the roles of which that user or group
is a member; optionally, remove the user or group from a role. See "Displaying or Removing Roles
of Users or Groups" on page 40.
Note: The availability of particular options depends on the type of item selected in the Security
Group Hierarchy and on the permissions granted to you by your assigned role.
See Also
"About Roles and Permissions" on page 36
Adding, Removing, and Distributing Global Roles
A global role is one that defines permissions for all three hierarchical levels (Fortify WebInspect
Enterprise System, organization, and group). When it is created, Fortify WebInspect Enterprise
automatically copies the role to all levels (that is, to the Fortify WebInspect Enterprise System, to every
organization, and to every group). However, you may subsequently remove the global role from specific
organizations. Users can be added independently at each level, but permissions can be changed only at
the Fortify WebInspect Enterprise System level, and only on the Global Roles tab. Any and all changes
to a global role are propagated to each copy at all hierarchical levels.
Adding a Global Role
To add a global role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Global Roles tab.
4. Click Add (the button above Rename).
5. On the New Role dialog, enter a name for the role, select the default permission category that will
be assigned to each activity, and click OK.
6. In the Permissions list, expand the System, Organization and Group permissions and select the
Unassigned, Allowed, or Denied permission for each category of activities or for particular
activities in each category, as desired.
Removing a Global Role
To remove a global role from specific organizations:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Global Roles tab.
4. Select a role.
5. If the All Organizations check box is selected, clear it.
6. Select an organization from which the selected role should be deleted.
7. Click Remove.
Distributing an Existing Global Role to All Organizations
To distribute a global role to all organizations if it is currently restricted to particular organizations:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Global Roles tab.
4. Select a role assigned to specific organizations.
5. Select All Organizations.
Note: Whenever you create an organization, Fortify WebInspect Enterprise automatically
distributes to that organization all the global roles for which the All Organizations option is
selected.
See Also
"About Roles and Permissions" on page 36
"About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on the next page
Adding a User Or Group To Multiple Roles
You can add a user or group to roles in individual organizations or groups, repeating the process as
often as necessary until the user or group has been inserted into all desired roles. Although this is quick
and easy when dealing with one user or group and one role, it can be repetitious and time-consuming
for multiple users or groups and roles. The Action menu option Add User(s) to Roles allows you to
add a user or group to multiple roles simultaneously.
To add a user or group to multiple roles simultaneously:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Click Action and select Add User(s) to Roles.
The Add User to Roles dialog opens.
3. Type a user name or group name in the User/Group name text box, or click Browse to open the
Select SSC Users or Groups dialog and select a user or group.
4. Select a role from the Roles list.
For information about global roles, which include “(global)” as a suffix, see "Adding, Removing, and
Distributing Global Roles" on page 38.
“All Custom Roles” are the roles that have been added at all levels—Fortify WebInspect Enterprise
System, organizations, and groups.
5. If you selected a global role, under Project Hierarchy select which organizations and groups
containing that role are to be updated to include the user or group you selected.
If you selected (All Custom Roles), under Project Hierarchy select the roles to which the user or
group you selected is to be assigned.
6. Click Apply.
See Also
"About Roles and Permissions" on page 36
Displaying or Removing Roles of Users or Groups
The Role Membership and Removal form displays the roles to which the user or group you specify is
assigned. You can then remove the user or group from that role.
To display and optionally remove roles assigned to a user or group:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut above.
2. Click Action and select Role Membership and Removal.
The Role Membership and Removal dialog appears.
3. Type a user or group name, or click Browse to find and select a user or group.
4. Click Search.
If you entered your own user name or the name of a group to which you belong, Fortify WebInspect
Enterprise displays all the roles to which you are assigned.
If you entered a user name or group name other than your own, you must be an administrator to
see their roles. Fortify WebInspect Enterprise displays the roles to which the specified user or group
is assigned, but only for those organizations and groups for which you are an administrator.
5. To remove a user or group (that is, a member) from a role, select the check boxes for the roles from
which they are to be removed and click Remove.
See Also
"About Roles and Permissions" on page 36
About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions
Fortify WebInspect Enterprise system administrators have all permissions with no IP restrictions. No one
else can log on until the initial system administrator assigns other users to roles during or after the
installation procedures. A Fortify WebInspect Enterprise system administrator can:
• Add other users as Fortify WebInspect Enterprise system administrators.
• Create, rename, and delete organizations.
• Create roles that allow access to certain Fortify WebInspect Enterprise Administrative Console
features and assign users to those roles (thereby limiting the functions a specific user may perform).
Fortify WebInspect Enterprise System roles have the following categories of activities:
• Activity Log
• Licensing
• SmartUpdate
• E-mail Alerts
• SNMP Alerts
• Export Paths
• Sensors
• Policies
When you select WebInspect Enterprise System from the Security Group Hierarchy pane, the
following tabs appear in the System Permissions section:
• Administrators. Use this tab to add or remove system administrators. See "Adding and Removing
Fortify WebInspect Enterprise System Administrators" on the next page.
• Roles. Use this tab to add a Fortify WebInspect Enterprise System role, assign groups or users to a
Fortify WebInspect Enterprise System role, or copy a Fortify WebInspect Enterprise System role for
use at the Fortify WebInspect Enterprise System level, the organization level, or the group level. See
"Managing Fortify WebInspect Enterprise System Roles and Permissions" on page 43.
• Global Roles. Use this tab to add or remove global roles, and to distribute a global role to all
organizations if it is currently restricted to particular organizations. See "Adding, Removing, and
Distributing Global Roles" on page 38.
Adding an Organization
Every system must have at least one organization. You can add an organization with any of the tabs
selected. For more information, see "Adding, Removing, and Renaming Organizations" on page 46.
See Also
"About Roles and Permissions" on page 36
Adding and Removing Fortify WebInspect Enterprise System Administrators
Fortify WebInspect Enterprise system administrators have all permissions with no IP restrictions. No one
else can log on until the initial system administrator assigns other users to roles during or after the
installation procedures. A Fortify WebInspect Enterprise system administrator can:
• Add other users as Fortify WebInspect Enterprise system administrators.
• Create, rename, and delete organizations.
• Create roles that allow access to certain Fortify WebInspect Enterprise Administrative Console
features and assign users to those roles (thereby limiting the functions a specific user may perform).
This topic describes how to add and remove Fortify WebInspect Enterprise System administrators.
Adding a Fortify WebInspect Enterprise System Administrator
To add a Fortify WebInspect Enterprise system administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Click Add.
5. On the Select SSC Users or Groups dialog, select users from the Select Users list.
6. Click OK.
Removing a Fortify WebInspect Enterprise System Administrator
To remove a Fortify WebInspect Enterprise system administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Select a user group or user name.
5. Click Remove.
See Also
"About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on page 41
Managing Fortify WebInspect Enterprise System Roles and Permissions
This topic describes how to:
• Add a Fortify WebInspect Enterprise System role
• Assign groups or users to a Fortify WebInspect Enterprise System role
• Copy a Fortify WebInspect Enterprise System role. The copy can be used at the Fortify WebInspect
Enterprise System level, the organization level, or the group level.
Adding a Fortify WebInspect Enterprise System Role
To add a Fortify WebInspect Enterprise System role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Click Add (to the right of the Role Name pane).
5. On the New Role dialog, enter a name for the role, select the default permission that will be
assigned to each activity, and click OK.
6. In the Permissions list, expand the nodes to view the activities associated with each category.
Note: Having the set of options Allowed, Unassigned, and Denied for permissions enables
Fortify WebInspect Enterprise to resolve conflicting permissions when a user is a member of
more than one role. The precedences are as follows:
• Allowed outranks Unassigned—If the permission for a particular activity in Role A is
Allowed and the permission for the same activity in Role B is Unassigned, then a user who is
a member of both Role A and Role B can perform the activity.
• Denied outranks Allowed—If the permission for a particular activity in Role A is Allowed,
and the permission for the same activity in Role B is Denied, then a user who is a member
of both Role A and Role B cannot perform the activity.
• Unassigned (only) equals Denied—If a user’s permission for a particular activity is
Unassigned and no other permissions are assigned to that user in another role for the same
activity, then the user cannot perform the activity.
7. To assign the same permission to all activities within a single category:
a. Click the category name (such as “Activity Log”).
b. Click the drop-down arrow that appears on the far right end of the row.
c. Select a permission.
8. To change permission for a single activity:
a. Expand a category.
b. Click the activity name (such as “Can view log”).
c. Click the drop-down arrow that appears on the far right end of the row.
d. Select a permission.
Assigning Groups or Users to a Fortify WebInspect Enterprise System Role
To assign groups or users to a Fortify WebInspect Enterprise System role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a name in the Role name list.
5. Click Add (on the far right of the User group or user names pane).
6. On the Select SSC Users or Groups dialog, select users from the Select Users list.
7. Click OK.
Copying a Fortify WebInspect Enterprise System Role
You can copy a Fortify WebInspect Enterprise System role and keep it at the Fortify WebInspect
Enterprise System level or assign it to an organization or group. You must be an administrator of an
organization or group to copy a Fortify WebInspect Enterprise System role to it.
To copy a Fortify WebInspect Enterprise System role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Copy/Move.
6. On the Copy/Move Role dialog, specify the Role Name for the copy and select the organization or
group to which the role will be assigned.
The same role can be assigned to multiple organizations and groups.
7. To retain the list of users assigned to this role, select Copy Users. Otherwise, the role will be copied,
but no users will be associated with this role in the copy.
8. To retain the permissions assigned to this role, select Copy Permissions. This option is not
available when copying a Fortify WebInspect Enterprise System role to an organization or a group.
9. Select the organization or group to which the Fortify WebInspect Enterprise System role will be
copied.
10. Click OK.
See Also
"About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on page 41
About Organization Administrators, Roles, and Permissions
The system administrator who creates an organization automatically becomes an administrator for that
organization. An organization administrator can:
• Assign other users as organization administrators.
• Determine which objects are available to that organization (for example, select which of the available
scanning policies may be used by projects within an organization).
• Set the maximum priority level that can be assigned to scans conducted by this organization.
• Create and assign users to roles, thereby limiting their ability to perform various functions or access
certain features of the Fortify WebInspect Enterprise Web Console.
• Copy objects (such as blackouts, policies, e-mail alerts, etc.) or move them from one organization to
another.
• Create, rename, and delete projects.
You are not required to configure multiple organizations. If you prefer, you may associate all projects
with a single organization.
Organization roles have the following categories of activities:
• Blackouts
• Policies
• E-mail Alerts
• SNMP Alerts
• Reports
Security within the Fortify WebInspect Enterprise system is arranged according to a hierarchy of
organizations and groups. A Fortify WebInspect Enterprise system can have one or more organizations,
and each organization can have one or more subordinate groups. At installation, there is one
organization named Default Organization, which contains one group named Default Group.
When you select an organization from the Security Group Hierarchy pane, the following tabs appear in
the Organization Permissions section:
• Administrators. Use this tab to add or remove organization administrators. See "Adding and
Removing Organization Administrators" on page 47.
• Configuration. Use this tab to set the maximum scan priority for an organization and to enable or
disable the Retest feature, which allows you to view the server's response as rendered in a browser.
See "Configuring Organization Options" on page 48.
• Roles. Use this tab to add groups or users to an organization role. See "Managing Organization Roles
And Permissions" on page 49.
• Resources. From this tab, you can make export paths, policies, and sensors available or unavailable to
a selected organization. See "Specifying Resources Available to Organizations" on page 52.
• Move/Copy Objects. Use this tab to copy an organization role to any hierarchy level or to move a
role from one organization to another. See "Moving or Copying Objects to Groups or Other
Organizations" on page 53.
Note: When a project version is created in HPE Security Fortify Software Security Center, it is also
created automatically in Fortify WebInspect Enterprise, where it is added to the Default Group in
the Default Organization. If you want a different group in the same or a different organization to
have access to a particular project version in Fortify WebInspect Enterprise, use the Administrative
Console to move that project version to that group. See "About Group Administrators, Roles, and
Permissions" on page 54.
See Also
"About Roles and Permissions" on page 36
Adding, Removing, and Renaming Organizations
This topic describes how to add an organization, remove an organization, and rename an organization.
Adding an Organization
To add an organization:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Click Action and select Add Organization.
The Create Organization dialog appears.
5. In the Name field, type a name for the organization.
6. Click OK.
Note: Whenever you create an organization, Fortify WebInspect Enterprise automatically
distributes to that organization all global roles for which the All Organizations option is selected.
Removing an Organization
To remove an organization:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click Action and select Remove Organization.
4. Confirm that you want to remove the organization.
Renaming an Organization
To rename an organization:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click Action and select Rename Organization.
The Rename Organization dialog appears.
4. Type a new name for the organization.
5. Click OK.
See Also
"About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions" on page 41
"About Organization Administrators, Roles, and Permissions" on page 45
Adding and Removing Organization Administrators
The system administrator who creates an organization automatically becomes an administrator for that
organization. An organization administrator can:
• Assign other users as organization administrators.
• Determine which objects are available to that organization (for example, select which of the available
scanning policies may be used by projects within an organization).
• Set the maximum priority level that can be assigned to scans conducted by this organization.
• Create and assign users to roles, thereby limiting their ability to perform various functions or access
certain features of the Fortify WebInspect Enterprise Web Console.
• Copy objects (such as blackouts, policies, e-mail alerts, etc.) or move them from one organization to
another.
• Create, rename, and delete projects.
This topic describes how to add or remove organization administrators.
Adding an Organization Administrator
To add an organization administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Click Add.
The Select SSC Users or Groups dialog appears.
5. Select users from the Select Users list.
6. Click OK.
Removing an Organization Administrator
To remove an organization administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Select a user group or user name.
5. Click Remove.
See Also
"About Organization Administrators, Roles, and Permissions" on page 45
Configuring Organization Options
To configure the organization options:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Configuration tab.
Configuring Option: Organization Maximum Security Priority
If two or more scans are scheduled to occur during the same time period, the scan with the highest
priority will take precedence. For each organization, you can specify the maximum priority level that may
be assigned to scans.
Select the highest priority level that a user in this organization may assign to a scan. Choices range from
1 (highest priority) to 5 (lowest priority).
A group administrator can limit the members of the group to running scans of the same or lower (but
not higher) maximum priority than is specified for the parent organization. For example, if the maximum
priority for an organization is 3, the administrator of a group within that organization can set the group
maximum priority to 3, 4 or 5, but not to 1 or 2.
Configuring Option: Disable Retest Browser Tab
The Retest feature allows you to view the server’s response as rendered in a browser. Retesting a
cross-site scripting vulnerability, however, may cause the script to loop infinitely on the Browser tab when
using Microsoft Internet Explorer. If you are concerned about executing a cross-site scripting attack
that may be embedded in your application, select the Disable Retest Browser Tab option to disable
the Retest feature.
See Also
"About Organization Administrators, Roles, and Permissions" on page 45
Managing Organization Roles And Permissions
This topic describes how to:
• Add an organization role
• Add groups or users to an organization role
• Copy or move an organization role
Note: A copy can be used at the Fortify WebInspect Enterprise System level, the organization
level, or the group level, and you can move a role from one organization to another.
• Remove an organization role
• Rename an organization role
Adding an Organization Role
To add an organization role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Click Add (to the right of the Role Name pane).
5. On the New Role dialog, enter a name for the role, select the default permission that will be
assigned to each activity, and click OK.
6. In the Permissions list, expand the nodes to view the activities associated with each category.
Note: Having the set of options Allowed, Unassigned, and Denied for permissions enables
Fortify WebInspect Enterprise to resolve conflicting permissions when a user is a member of
more than one role. The precedences are as follows:
• Allowed outranks Unassigned—If the permission for a particular activity in Role A is
Allowed and the permission for the same activity in Role B is Unassigned, then a user who is
a member of both Role A and Role B can perform the activity.
• Denied outranks Allowed—If the permission for a particular activity in Role A is Allowed,
and the permission for the same activity in Role B is Denied, then a user who is a member
of both Role A and Role B cannot perform the activity.
• Unassigned (only) equals Denied—If a user’s permission for a particular activity is
Unassigned and no other permissions are assigned to that user in another role for the same
activity, then the user cannot perform the activity.
7. To assign the same permission to all activities within a single category:
a. Click the category name (such as “Blackouts" or "Policies”).
b. Click the drop-down arrow that appears on the far right end of the row.
c. Select a permission.
8. To change permission for a single activity:
a. Expand a category.
b. Click the activity name (such as “Can create" or "Can view”).
c. Click the drop-down arrow that appears on the far right end of the row.
d. Select a permission.
Adding Groups or Users to an Organization Role
Note: To save time when assigning a user to multiple roles, see "Adding a User Or Group To
Multiple Roles" on page 40.
To add groups or users to an organization role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a name in the Role name list.
5. Click Add (on the far right of the User group or user names pane).
6. On the Select SSC Users or Groups dialog, select users from the Select Users list.
7. Click OK.
Copying or Moving an Organization Role
You can copy an organization role to any level (system, organization, or group). You can also move a
role from one organization to another, which will remove it from the original organization. You must be
an administrator of the target organization to copy or move an organization role to it.
To move or copy an organization role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Copy/Move.
6. On the Copy/Move Role dialog, specify the Role Name for the copy and select the organization or
group to which the role will be assigned.
The same role can be assigned to multiple organizations and groups. The permissions associated
with a role can be copied or moved only between similar levels (that is, from one group to another or
from one organization to another).
7. To retain the list of users assigned to this role, select Copy Users. Otherwise, the role will be copied,
but no users will be associated with this role in the copy.
8. To retain the permissions assigned to this role, select Copy Permissions. This option is not
available when copying an organization role and assigning it to a group or to the system.
9. Select the system, organization, or group to which the organization role will be copied or moved.
10. Do one of the following:
l Click OK to copy the organization role.
l Click Move to move the organization role. This option is available only if you move the
organization role, along with its users and permissions, to another organization.
Removing an Organization Role
Note: You cannot remove a global role.
To remove an organization role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Remove.
6. Confirm that you want to remove the organization role.
Renaming an Organization Role
Note: You cannot rename a global role.
To rename an organization role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Rename.
6. Type a new name for the organization role.
7. Click OK.
See Also
"About Organization Administrators, Roles, and Permissions" on page 45
Specifying Resources Available to Organizations
You can specify which resources—export paths, policies, or sensors—are available to an organization.
For example, the Fortify WebInspect Enterprise system contains approximately 20 scanning policies.
Your organization administrator can choose to allow members of the organization to use only particular
policies.
Note: A group administrator can further restrict which resources are available to a group in the
organization.
To manage resources that are available to organizations:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Click the Resources tab.
4. Select an item in the Object Type list. On the Resources tab, organizations have the following
object types:
l Export Paths
l Policies
l Sensors
Objects of the selected type that are not allowed appear in the Available column. Objects that are
allowed appear in the Allowed column.
5. Do one of the following to make one or more objects available (but not allowed), or allowed:
l To move particular objects from the Available column to the Allowed column, select one or
more of them and click the [move selected to Allowed button].
l To move all objects from the Available column to the Allowed column, click the [move all to
Allowed button].
l To move particular objects from the Allowed column to the Available column, select one or
more of them and click the [move selected to Available button].
l To move all objects from the Allowed column to the Available column, click the [move all to
Available button].
See Also
"About Organization Administrators, Roles, and Permissions" on page 45
Moving or Copying Objects to Groups or Other Organizations
You can assign a particular user-created object to a different organization (and optionally to a group)
by either moving it or copying it. Moving an object removes it from its currently assigned location.
Copying an object retains its current location while also placing a copy in a new location.
To move or copy an object from an organization to a different organization and optionally to a group:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select an organization in the Security Group Hierarchy pane.
3. Select the Move/Copy Objects tab.
4. Select an item in the Object Type list. On the Move/Copy Objects tab, organizations have the
following object types:
l Blackouts
l Policies
l E-mail Alerts
l SNMP Alerts
5. Click Retrieve.
All user-created objects of the selected type appear in the Object Results list.
6. Select one or more of the listed objects. If you select multiple objects, they cannot be moved or
copied to different locations.
7. Click Move or Copy.
8. On the Move Objects or Copy Objects window, select an organization from the Target
Organization list.
9. (Optional) Select a group from the Security Group list.
10. If the object being moved or copied has dependent relationships with other objects, the related
objects appear in the Object Dependencies list. Examples:
l You are not allowed to move a user-created (custom) policy from Organization A to Organization
B if that policy is to be used for a scheduled scan in Organization A.
l If you are moving a user-created scan template from one organization to another, and that
template uses a scan policy that is not in the target organization, then you must also move (or
copy) the scan policy.
For each dependent object, click the drop-down arrow in the Action column under Object
Dependencies and select the appropriate action (such as Move to, Copy to, or Allow).
11. Click Move or Copy.
12. When a dialog appears informing you that all dependencies have been satisfied and prompting you
to commit the move or copy, click Yes.
See Also
"About Organization Administrators, Roles, and Permissions" on page 45
About Group Administrators, Roles, and Permissions
An organization administrator who creates a group automatically becomes an administrator for that
group. A group administrator can:
l Assign other users as group administrators.
l Determine which objects are available to that group (for example, select which of the scanning
policies made available to the organization may be used by this group).
l Set the maximum priority level that can be assigned to scans conducted by this group (within the
limits established for the organization’s maximum priority level).
l Specify which URLs or IP addresses may be scanned by this group.
l Create and assign users to roles, thereby limiting their ability to perform various functions or access
certain features of the Fortify WebInspect Enterprise Web Console.
l Copy objects (such as blackouts, policies, e-mail alerts, etc.) or move them from one group to another.
Group roles have the following categories of activities:
l Project Versions
l Scans
l Scan Templates
l Scheduled Scans
l E-mail Alerts
l SNMP Alerts
l Blackouts
l HPE Toolkit
Security within the Fortify WebInspect Enterprise system is arranged according to a hierarchy of
organizations and groups. A Fortify WebInspect Enterprise system can have one or more organizations,
and each organization can have one or more subordinate groups. At installation, there is one
organization named Default Organization, which contains one group named Default Group.
When you select a group from the Security Group Hierarchy pane, the following tabs appear in the
Group Permissions section:
l Administrators. Use this tab to add or remove group administrators. See "Adding and Removing
Group Administrators" on page 56.
l Configuration. Use this tab to set the maximum scan priority for a group and to configure group IP
and host permissions. See "Configuring Group Options" on page 57.
l Roles. Use this tab to add groups or users to a group role. See "Managing Group Roles And
Permissions" on page 58.
l Resources. From this tab, you can make export paths, policies, and sensors available or unavailable to
a selected group. See "Specifying Resources Available to Groups" on page 61.
l Move/Copy Objects. Use this tab to copy a group role to any hierarchy level or to move a role from
one group to another. See "Moving or Copying Objects to Organizations or Other Groups" on
page 62.
Each group must be associated with an organization. If you don't want a certain user to see certain sites
or scans, you must create separate groups and assign the user to a role in one group or the other.
Note: When a project version is created in HPE Security Fortify Software Security Center, it is also
created automatically in Fortify WebInspect Enterprise, where it is added to the Default Group in
the Default Organization. If you want a different group in the same or a different organization to
have access to a particular project version in Fortify WebInspect Enterprise, use the Administrative
Console to move that project version to that group. See About Group Administrators, Roles, and
Permissions.
See Also
"About Roles and Permissions" on page 36
Adding, Removing, and Renaming Groups
This topic describes how to add a group, remove a group, and rename a group.
Adding a Group
To add a group:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. In the Security Group Hierarchy pane, select the organization to which you want to add a group.
3. Click the Administrators tab.
4. Click Action and select Add Group.
The Create Group dialog appears.
5. In the Name field, type a name for the group.
6. Select the highest priority level that a user in this group may assign to a scan. Choices range from 1
(highest priority) to 5 (lowest priority).
If two or more scans are scheduled to occur during the same time period, the scan with the highest
priority will take precedence. Your choices may be restricted by your organization.
7. In the Scan Permissions section, click Add.
8. In the Host field, type a host name (wild cards are allowed), IP address, or IP address range, and
click OK.
To specify a range of addresses, enter the lowest numerical address, followed by a dash (-), and
then followed by the highest numerical address, such as 134.55.33.4-134.55.33.244.
You can also use wild cards, such as 134.55.33.* and www.mysite.*. Enter only an asterisk (*) to
allow all possible IP addresses.
9. In the Properties pane, you can:
l Change the IP address or the host name.
l Change permissions for running a Web Site scan and Web Service scan.
10. Click OK.
Note: A user who creates a group is automatically assigned as an administrator of that group.
Removing a Group
To remove a group:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click Action and Remove Group.
4. Confirm that you want to remove the group.
Renaming a Group
To rename a group:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click Action and select Rename Group.
The Rename Group dialog appears.
4. Type a new name for the group.
5. Click OK.
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Adding and Removing Group Administrators
An organization administrator who creates a group automatically becomes an administrator for that
group. A group administrator can:
l Assign other users as group administrators.
l Determine which objects are available to that group (for example, select which of the scanning
policies made available to the organization may be used by this group).
l Set the maximum priority level that can be assigned to scans conducted by this group (within the
limits established for the organization’s maximum priority level).
l Specify which URLs or IP addresses may be scanned by this group.
l Create and assign users to roles, thereby limiting their ability to perform various functions or access
certain features of the Fortify WebInspect Enterprise Web Console.
l Copy objects (such as blackouts, policies, e-mail alerts, etc.) or move them from one group to another.
This topic describes how to add or remove group administrators.
Adding a Group Administrator
To add a group administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Click Add.
The Select SSC Users or Groups dialog appears.
5. Select users from the Select Users list.
6. Click OK.
Removing a Group Administrator
To remove a group administrator:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Administrators tab.
4. Select a user group or user name.
5. Click Remove.
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Configuring Group Options
To configure the group options:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Configuration tab.
Configuring Option: Group Maximum Security Priority
If two or more scans are scheduled to occur during the same time period, the scan with the highest
priority will take precedence. For each group, you can specify the maximum priority level that may be
assigned to scans.
Select the highest priority level that a user in this group may assign to a scan. Choices range from 1
(highest priority) to 5 (lowest priority).
A group administrator can limit the members of the group to running scans of the same or lower (but
not higher) maximum priority than is specified for the parent organization. For example, if the maximum
priority for an organization is 3, the administrator of a group within that organization can set the group
maximum priority to 3, 4 or 5, but not to 1 or 2.
Configuring Option: Group IP and Host Permissions
For each group, the ability to scan web sites is restricted to those IP addresses or hosts specified as
follows:
1. Click Add.
2. Enter an IP address or host name and click OK.
To specify a range of addresses, enter the lowest numerical address, followed by a dash (-), and then
followed by the highest numerical address, such as 134.55.33.4-134.55.33.244.
You can also use wild cards, such as 134.55.33.* and www.mysite.*. Enter only an asterisk ( * ) to
allow all possible IP addresses.
3. In the Properties pane, select Can Run Scan, click the drop-down arrow that appears, and select
Unassigned, Allowed, or Denied.
4. Repeat this procedure to specify additional targets.
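The Host field syntax described here (and in step 8 of "Adding a Group") can be checked outside the console. The following is an added example in Python, not HPE code: it accepts a single IP or host name, a low-high IP range, and `*` wild cards, and resolves Can Run Scan for a target. The guide does not state how several matching entries combine, so this example assumes the precedence it gives for role permissions (Denied outranks Allowed, Allowed outranks Unassigned, Unassigned alone means the scan is not allowed); the sample entries are constructed.

```python
"""Group IP and host permission check (added example, not product code)."""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple

ALLOWED, UNASSIGNED, DENIED = "Allowed", "Unassigned", "Denied"
# Assumed precedence: the highest-ranked matching setting wins.
_RANK = {UNASSIGNED: 0, ALLOWED: 1, DENIED: 2}

# (host pattern as typed in the Host field, Can Run Scan setting)
Entry = Tuple[str, str]


def _parse_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return an IPv4 address, or None if the text is not one."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ValueError:
        return None


def pattern_matches(pattern: str, target: str) -> bool:
    """Does one Host-field pattern cover the target host name or IP?"""
    pattern, target = pattern.strip(), target.strip()
    # A lone asterisk allows every possible address.
    if pattern == "*":
        return True
    # Range: "134.55.33.4-134.55.33.244" covers every address in between.
    # Only treated as a range when both sides are IPs, so host names
    # containing '-' fall through to the plain comparison below.
    if "-" in pattern and "*" not in pattern:
        low_s, _, high_s = pattern.partition("-")
        low, high = _parse_ip(low_s), _parse_ip(high_s)
        if low is not None and high is not None:
            if low > high:
                raise ValueError(f"range is reversed: {pattern!r}")
            tgt = _parse_ip(target)
            return tgt is not None and low <= tgt <= high
    # Wild cards: '*' stands for any run of characters, dots included
    # (an assumption of this example). Host names compare case-insensitively.
    if "*" in pattern:
        return fnmatch.fnmatchcase(target.lower(), pattern.lower())
    # Plain entry: exact IP address or exact host name.
    p_ip, t_ip = _parse_ip(pattern), _parse_ip(target)
    if p_ip is not None and t_ip is not None:
        return p_ip == t_ip
    return pattern.lower() == target.lower()


def can_run_scan(entries: List[Entry], target: str) -> bool:
    """Resolve the group's Can Run Scan setting for a single target."""
    effective = UNASSIGNED
    for pattern, setting in entries:
        if setting not in _RANK:
            raise ValueError(f"unknown setting {setting!r} for {pattern!r}")
        if pattern_matches(pattern, target) and _RANK[setting] > _RANK[effective]:
            effective = setting
    # Unassigned with no other matching entry means the scan is not allowed.
    return effective == ALLOWED


# Constructed sample group configuration (addresses are illustrative only).
GROUP_SCAN_PERMISSIONS: List[Entry] = [
    ("134.55.33.4-134.55.33.244", ALLOWED),   # a lab address range
    ("134.55.33.200", DENIED),                # one host carved out of it
    ("www.mysite.*", ALLOWED),                # every www.mysite.<suffix>
    ("qa.mysite.com", UNASSIGNED),            # listed but not yet decided
]

if __name__ == "__main__":
    for t in ["134.55.33.10", "134.55.33.200", "134.55.34.1",
              "www.mysite.com", "qa.mysite.com"]:
        print(f"{t:16} can run scan: {can_run_scan(GROUP_SCAN_PERMISSIONS, t)}")
```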
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Managing Group Roles And Permissions
This topic describes how to:
l Add a group role
l Add groups or users to a group role
l Copy or move a group role
Note: A copy can be used at the Fortify WebInspect Enterprise System level, the organization
level, or the group level, and you can move a role from one group to another.
l Remove a group role
l Rename a group role
Adding a Group Role
To add a group role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Click Add (to the right of the Role Name pane).
5. On the New Role dialog, enter a name for the role, select the default permission that will be
assigned to each activity, and click OK.
6. In the Permissions list, expand the nodes to view the activities associated with each category.
Note: Having the set of options Allowed, Unassigned, and Denied for permissions enables
Fortify WebInspect Enterprise to resolve conflicting permissions when a user is a member of
more than one role. The precedences are as follows:
l Allowed outranks Unassigned—If the permission for a particular activity in Role A is
Allowed and the permission for the same activity in Role B is Unassigned, then a user who is
a member of both Role A and Role B can perform the activity.
l Denied outranks Allowed—If the permission for a particular activity in Role A is Allowed,
and the permission for the same activity in Role B is Denied, then a user who is a member
of both Role A and Role B cannot perform the activity.
l Unassigned (only) equals Denied—If a user’s permission for a particular activity is
Unassigned and no other permissions are assigned to that user in another role for the same
activity, then the user cannot perform the activity.
7. To assign the same permission to all activities within a single category:
a. Click the category name (such as "Blackouts").
b. Click the drop-down arrow that appears on the far right end of the row.
c. Select a permission.
8. To change permission for a single activity:
a. Expand a category.
b. Click the activity name (such as "Can Create" or "Can View").
c. Click the drop-down arrow that appears on the far right end of the row.
d. Select a permission.
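The precedence rules in the note under step 6 (the same rules apply to organization roles) can be expressed as a small resolver. This is an added example in Python, not HPE code; the role names, activity names and settings are constructed for illustration.

```python
"""Effective-permission resolution across multiple roles (added example)."""
from typing import Dict, Iterable

ALLOWED, UNASSIGNED, DENIED = "Allowed", "Unassigned", "Denied"
# Rank used to resolve conflicts: Denied outranks Allowed outranks Unassigned.
_RANK = {UNASSIGNED: 0, ALLOWED: 1, DENIED: 2}

# A role maps activity names to one of the three settings.
Role = Dict[str, str]


def resolve_setting(settings: Iterable[str]) -> str:
    """Combine one activity's settings from every role the user holds."""
    best = UNASSIGNED
    for s in settings:
        if s not in _RANK:
            raise ValueError(f"unknown permission setting: {s!r}")
        if _RANK[s] > _RANK[best]:
            best = s
    return best


def can_perform(user_roles: Iterable[Role], activity: str) -> bool:
    """True only when the resolved setting is Allowed.

    A role that does not list the activity is treated as Unassigned for it,
    so a user whose roles are all silent on an activity cannot perform it
    (Unassigned only equals Denied).
    """
    settings = [role.get(activity, UNASSIGNED) for role in user_roles]
    return resolve_setting(settings) == ALLOWED


def effective_permissions(user_roles: Iterable[Role]) -> Dict[str, str]:
    """Resolved setting for every activity named in any of the roles."""
    roles = list(user_roles)
    activities = set()
    for role in roles:
        activities.update(role)
    return {a: resolve_setting(r.get(a, UNASSIGNED) for r in roles)
            for a in sorted(activities)}


# Constructed sample roles (names and settings are illustrative only).
ROLE_A: Role = {"Blackouts: Can create": ALLOWED,
                "Policies: Can view": ALLOWED,
                "Scans: Can delete": UNASSIGNED}
ROLE_B: Role = {"Blackouts: Can create": UNASSIGNED,
                "Policies: Can view": DENIED}

if __name__ == "__main__":
    for activity, setting in effective_permissions([ROLE_A, ROLE_B]).items():
        print(f"{activity:24} -> {setting}")
```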
Adding Groups or Users to a Group Role
Note: To save time when assigning a user to multiple roles, see "Adding a User Or Group To
Multiple Roles" on page 40.
To add groups or users to a group role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a name in the Role name list.
5. Click Add (on the far right of the User group or user names pane).
6. On the Select SSC Users or Groups dialog, select users from the Select Users list.
7. Click OK.
Copying or Moving a Group Role
You can copy a group role to any level (system, organization, or group). You can also move a role from
one group to another, which will remove it from the original group. You must be an administrator of the
target group to copy or move a group role to it.
To move or copy a group role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Copy/Move.
6. On the Copy/Move Role dialog, specify the Role Name for the copy and select the organization or
group to which the role will be assigned (or select the WebInspect Enterprise system).
The same role can be assigned to multiple organizations and groups. The permissions associated
with a role can be copied or moved only between similar levels (that is, from one group to another or
from one organization to another).
7. To retain the list of users assigned to this role, select Copy Users. Otherwise, the role will be copied,
but no users will be associated with this role in the copy.
8. To retain the permissions assigned to this role, select Copy Permissions. This option is not
available when copying a group role and assigning it to an organization or to the system.
9. Select the system, organization, or group to which the group role will be copied or moved.
10. Do one of the following:
l Click OK to copy the group role.
l Click Move to move the group role. This option is available only if you move the group role, along
with its users and permissions, to another group.
Removing a Group Role
Note: You cannot remove a global role.
To remove a group role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Remove.
6. Confirm that you want to remove the group role.
Renaming a Group Role
Note: You cannot rename a global role.
To rename a group role:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Roles tab.
4. Select a role from the Role name list.
5. Click Rename.
6. Type a new name for the group role.
7. Click OK.
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Specifying Resources Available to Groups
You can specify which resources—export paths, policies, or sensors—are available to a group. For
example, the Fortify WebInspect Enterprise system contains approximately 20 scanning policies. Your
organization administrator can choose to allow members of the organization to use only particular
policies. Of those, you can allow even fewer to be used in your group.
To manage resources that are available to groups:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Click the Resources tab.
4. Select an item in the Object Type list. On the Resources tab, groups have the following object
types:
l Export Paths
l Policies
l Sensors
Objects of the selected type that are not allowed appear in the Available column. Objects that are
allowed appear in the Allowed column.
5. Do one of the following to make one or more objects available (but not allowed), or allowed:
l To move particular objects from the Available column to the Allowed column, select one or
more of them and click the [move selected to Allowed button].
l To move all objects from the Available column to the Allowed column, click the [move all to
Allowed button].
l To move particular objects from the Allowed column to the Available column, select one or
more of them and click the [move selected to Available button].
l To move all objects from the Allowed column to the Available column, click the [move all to
Available button].
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Moving or Copying Objects to Organizations or Other Groups
You can assign a particular user-created object to a different group (and optionally to an organization)
by either moving it or copying it. Moving an object removes it from its currently assigned location.
Copying an object retains its current location while also placing a copy in a new location.
To move or copy an object from a group to a different group and optionally to an organization:
1. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
2. Select a group in the Security Group Hierarchy pane.
3. Select the Move/Copy Objects tab.
4. Select an item in the Object Type list. On the Move/Copy Objects tab, groups have the following
object types:
l Blackouts
l E-mail Alerts
l SNMP Alerts
l Project Versions
l Deleted Project Versions
5. Click Retrieve.
All user-created objects of the selected type appear in the Object Results list.
6. Select one or more of the listed objects. If you select multiple objects, they cannot be moved or
copied to different locations.
7. Click Move or Copy (or Recover if you are restoring deleted project versions).
8. On the Move Objects or Copy Objects window, select a group from the Target Group list.
9. (Optional) Select a group from the Security Group list.
10. If the object being moved or copied has dependent relationships with other objects, the related
objects appear in the Object Dependencies list.
For each dependent object, click the drop-down arrow in the Action column under Object
Dependencies and select the appropriate action (such as Move to, Copy to, or Allow).
11. Click Move or Copy.
12. When a dialog appears informing you that all dependencies have been satisfied and prompting you
to commit the move or copy, click Yes.
See Also
"About Group Administrators, Roles, and Permissions" on page 54
Managing Scans, Sensors, and Sensor Users
The following pages provide information on:
l Scan Management
l Sensor Management
l Sensor User Management
About Controlling Scans Using the Scan Queue
This topic describes the capabilities provided by the Scan Queue form to control scans. For procedures,
see "Controlling Scans Using the Scan Queue" on the next page.
When you select a scan on the Scan Queue form, you can:
l Stop the scan if it is running, and remove the scan request from the queue. This is useful if, for
example, the scan is taking too long to run. Scan results, though incomplete, are available for
inspection.
l Suspend the scan at its current point and later resume it where it left off.
When you resume a suspended scan, if the sensor that started the scan is available, then that sensor
will reload the scan data and resume scanning. If the sensor that started the scan is now running a
different scan, then that sensor will compare the priority of both scans. If the first (suspended) scan
has a lower priority, the sensor will place it back in the queue and continue running the current scan.
If the first scan has a higher priority, the sensor will suspend the second scan (placing it in the queue),
reload the data from the first scan, and resume scanning. In any case, resumed scans are always
assigned to the same sensor on which they began.
l Remove the scan results and request from the Fortify WebInspect Enterprise database.
Note: The availability of particular options depends on the status of the selected scan and on the
permissions granted to you by your assigned role.
For each scan that is running or waiting to run, the Scan Queue form displays (by default):
l The name assigned to the scan
l The scan's priority
l The date and time the scan request was created
l The sensor conducting the scan
l The scan's status
l The organization and group
For procedures, see "Controlling Scans Using the Scan Queue" below.
See Also
"Scan Status Messages List" on page 88
Controlling Scans Using the Scan Queue
To control the running of scans in the queue:
1. Select Scans in the left pane and then select the Scan Queue shortcut above.
2. Select a scan request in the queue (unless you plan to change which columns to display in the
form).
3. Click Action or right-click the selected scan request, and then click one of the following options:
l Stop. Stop the scan if it is running, and remove the scan request from the queue. The results,
although incomplete, are available for inspection.
l Suspend. Suspend the scan so that you can resume it later.
l Resume. Resume the scan where it left off when it was suspended.
l Delete. Remove the scan from the Fortify WebInspect Enterprise database.
l Column Setting. Specify which columns to display in the form.
Note: The availability of particular options depends on the status of the selected scan and on
the permissions granted to you by your assigned role.
See Also
"About Controlling Scans Using the Scan Queue" on the previous page
About Managing Scan Policies
This topic describes the capabilities provided by the Scan Policies form to manage scan policies. For
procedures, see "Managing Scan Policies" on page 66 and "Creating Custom and Master Scan Policies"
on page 66. For a list of each policy and its purpose, see Policies List.
Fortify WebInspect Enterprise provides many standard system policies that determine which types of
vulnerabilities the scan should focus on. Each policy is kept current using the SmartUpdate function,
ensuring that scans are accurate and can detect the most recent discovered threats. One or more of
these policies can meet your needs well.
As a system administrator operating at the WebInspect Enterprise system permissions level, you can
copy a system policy and modify it as needed, making it a custom policy. You can create multiple custom
policies and assign each one to a different organization and groups as needed.
A system administrator can designate one custom policy as the master policy, and any changes to it will
be automatically propagated to the organizations and groups, eliminating the need to update each
individual copy of that policy in each organization and group.
When you select a standard system policy on the Scan Policies form, you can:
l View it, but not edit it.
l Copy it and rename it to make it a custom policy.
When you select a custom policy on the Scan Policies form, you can:
l Edit it.
l Delete it.
l Specify whether or not it is the master policy.
All sensors connected to Fortify WebInspect Enterprise access common policies from the database. If
you want to run Fortify WebInspect independent of Fortify WebInspect Enterprise and incorporate the
results of the Fortify WebInspect scans into Fortify WebInspect Enterprise, you can import a standard
or custom policy into Fortify WebInspect Enterprise from Fortify WebInspect or export a custom policy
from Fortify WebInspect Enterprise to Fortify WebInspect.
The Scan Policies form displays:
l Each policy that is configured in your environment
l The product to which each policy applies
l Whether or not the policy is a pre-packaged (system) policy
l When the policy was last updated
l For custom policies, the organization to which the policy is assigned
For procedures, see:
l "Managing Scan Policies" on the next page
l "Creating Custom and Master Scan Policies" on the next page
See Also
Policies List
Managing Scan Policies
For details about the Policy Manager tool described in this topic, see the HPE Security Fortify
WebInspect Tools Guide or the Help system for that tool.
To manage system scan policies (that is, policies provided with Fortify WebInspect Enterprise) or
custom scan policies (which are created by administrators):
1. Select Scans in the left pane and then select the Scan Policies shortcut above.
2. Select a scan policy (unless you plan to import or export a policy).
3. Click Action or right-click the selected policy, and then click one of the following options:
l Edit. (Custom policies only) Open the Policy Manager tool, allowing you to view and modify the
selected policy. (You can double-click the policy name instead.)
l View. (System policies only) Open the Policy Manager tool, allowing you to view the selected
policy. (You can double-click the policy name instead.)
l Copy. Copy the selected policy. After you rename the policy, the Policy Manager tool opens and
loads the selected policy, allowing you to edit it. When you then save the policy, it is added to the
list of policies as a custom policy. For more details about creating a custom policy, which you can
optionally specify to be a master policy, see "Creating Custom and Master Scan Policies" below.
l Delete. (Custom policies only) Delete the selected policy.
l Rename. (Custom policies only) Rename the custom policy.
l Import. Import a policy from Fortify WebInspect.
l Export. (Custom policies only) Export a custom policy to Fortify WebInspect.
Note: The availability of particular options depends on whether the policy is a system policy or a
custom policy and on the permissions granted to you by your assigned role.
See Also
"About Managing Scan Policies" on page 64
"Creating Custom and Master Scan Policies" below
Policies List
Creating Custom and Master Scan Policies
As a system administrator operating at the Fortify WebInspect Enterprise system permissions level, you
can copy a system policy and modify it as needed, making it a custom policy. You can create multiple
custom policies and assign each one to a different organization and to its groups as needed.
A system administrator can designate one custom policy as the master policy, and any changes to it will
be automatically propagated to the organizations and groups, eliminating the need to update each
individual copy of that policy in each organization and group.
When you select a standard system policy on the Scan Policies form, you can:
l View it, but not edit it.
l Copy it and rename it to make it a custom policy.
When you select a custom policy on the Scan Policies form, you can:
l Edit it.
l Delete it.
l Specify whether or not it is the master policy.
To create a custom policy, optionally make it a master policy, and then make the new policy available to
an organization you select:
1. Enable the required permissions:
a. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
b. Select WebInspect Enterprise System in the Security Group Hierarchy pane.
c. Click the Roles tab.
d. Select or create a role.
e. In the Permissions area, select Policies.
f. Select Allowed for all Policies permissions.
2. Create a custom policy:
a. Select Scans in the left pane and then select the Scan Policies shortcut above.
b. Select a policy that you want to use as the template for the new custom policy.
c. Click Copy in the Action menu or in the shortcut menu that appears when you right-click the
selected policy.
Note: The availability of particular options depends on the permissions granted to you by
your assigned role.
Fortify WebInspect Enterprise checks for and downloads any updates to the policy.
d. In the Copy Policy dialog, enter a name for the new policy and assign it to an organization.
e. If you want the new policy to be a master policy, select the Use as Master option.
f. Click OK.
The Policy Manager tool opens.
g. Modify the policy as needed.
h. When finished, save the new custom policy and close the Policy Manager.
The custom policy now appears in the list of Scan Policies.
3. Add the custom policy to an organization:
a. Select Administration in the left pane and then select the Roles and Permissions shortcut
above.
b. Select an organization in the Security Group Hierarchy pane.
c. Click the Resources tab.
d. Select Policies from the Object Type list.
e. To add the new custom policy to the list of allowed policies, select the policy from the Available
list and click the add button.
See Also
"About Managing Scan Policies" on page 64
"Managing Scan Policies" on page 66
Policies List
Adding, Editing, and Deleting Export Paths for Saving Scans
The Export Paths form displays a list of destinations (paths) that may be used for saving scan results.
Fortify WebInspect Enterprise uses these paths to populate the drop-down list from which Fortify
WebInspect Enterprise Web Console users select a location for storing the data.
To manage paths that can be used for saving scan results:
1. Click Administration in the left pane and then select the Export Paths shortcut above.
2. If you plan to edit or delete an existing export path, select it in the Export Paths list.
3. Click Action and then click one of the following options:
Note: When specifying a path for the Add and Edit options, use a Universal Naming Convention
(UNC) path of the form \\server\share\folder (or click the Browse button and select a folder).
If you browse for a folder and select a local (rather than a network) folder, the selection refers
to the hard drive of the machine on which the Fortify WebInspect Enterprise server is installed,
not to the machine on which you are running the Administrative Console.
The Fortify WebInspect Enterprise server (that is, the account under which its service runs)
must have read and write access to any location you designate as an export path.
l Add. Open the Export Path Settings window and add a path.
l Edit. Open the Export Path Settings window and modify the selected path.
l Delete. Delete the selected path. You cannot delete an export path that is currently being used
or that is associated with a scheduled scan.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
4. If you have added or edited a path, click OK in the Export Path Settings window.
See Also
"Specifying Export Paths for Saving Scans" on the next page
Specifying Export Paths for Saving Scans
The Export Path Settings dialog opens when you add or edit an export path from the Export Paths
form, which displays a list of destinations (paths) that may be used for saving scan results. Fortify
WebInspect Enterprise uses these paths to populate the drop-down list from which Fortify WebInspect
Enterprise Web Console users select a location for storing the data.
When specifying a path for the Add and Edit options, use a Universal Naming Convention (UNC) path
of the form \\server\share\folder (or click the Browse button and select a folder).
If you browse for a folder and select a local (rather than a network) folder, the selection refers to the
hard drive of the machine on which the Fortify WebInspect Enterprise server is installed, not to the
machine on which you are running the Administrative Console.
The Fortify WebInspect Enterprise server (that is, the account under which its service runs) must have
read and write access to any location you designate as an export path.
For detailed information about adding, editing, and deleting export paths, see "Adding, Editing, and
Deleting Export Paths for Saving Scans" on the previous page.
About Sensor Management
This topic describes the capabilities provided by the Sensors form to manage sensors. For procedures,
see "Managing Sensors and Their Scans" on the next page.
A sensor is defined as Fortify WebInspect (and only Fortify WebInspect) when connected to Fortify
WebInspect Enterprise for the purpose of performing remotely scheduled or requested scans with no
direct user interaction.
For each sensor in the system, the Sensors form displays:
l Sensor name
l Host name
l Sensor status
l Sensor version
l Status message, indicating the result of the most recent action attempted.
If necessary, click the Sensor Detail tab (at the bottom of the form) to display additional information
about the selected sensor. This includes the option Can participate in "Any Available" sensor scans.
Ordinarily, sensors that are running a non-approved version of Fortify WebInspect (such as a special
build developed for a specific customer) will not be selected to run a scan that was requested with the
"Any Available" sensor option. You can remove that restriction, however, by selecting the non-approved
sensor on the Sensors form and then selecting the option Can participate in "Any Available" sensor
scans. Sensors that are newer than the latest approved SmartUpdate are then eligible to be selected.
Note: If you do not see a list of installed sensors, you must install the required version of Microsoft
.NET Framework.
For procedures, see "Managing Sensors and Their Scans" below.
Managing Sensors and Their Scans
To manage sensors and their scans:
1. Select Sensors in the left pane and then select the Sensors shortcut above.
2. Select a sensor.
3. Click Action or right-click the selected sensor, and then click one of the following options:
l Edit Sensor Details. Modify the name, location, and description of the sensor.
l Stop Scan. Stop the scan. The job cannot be resumed.
l Suspend Scan. Interrupt the scan. The scan can be resumed from the point where it was
interrupted.
l Pause Sensor. Temporarily halt the sensor. If a scan is running on that sensor, the scan will be
suspended. Use this option to conduct maintenance on the machine with the sensor or to
prevent the sensor from accepting any scans.
Note: This feature is a transient state held in memory on the sensor; it will not be
remembered if the sensor service is ever restarted. For a long-term status, disable the sensor.
l Continue Sensor. Enable the sensor after pausing. "Paused" must appear in the Status column. If
the sensor was running a scan when it was paused, the scan will resume automatically.
l Enable/Disable. Turn the sensor on or off without removing it from the WebInspect Enterprise
system. A disabled sensor accepts no scans until it is enabled again, and unlike Pause Sensor the
state survives a restart of the sensor service. You must be a member of the security administrator's
group to enable a new sensor.
l Rename Sensor. Change the sensor name.
l Migrate Sensor. Reassign all schedules, pending scans, etc., from one sensor to another. Used
primarily when installing a replacement sensor.
l Delete Sensor. Disassociate the sensor from the WebInspect Enterprise system. To enable this
option, you must stop the Fortify WebInspect Sensor service (Start > Control Panel >
Administrative Tools > Services), taking the sensor offline.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role and on the status of the selected sensor.
See Also
"About Sensor Management " on page 69
Managing Sensor Users
The Sensor Users form lists all Fortify WebInspect sensor users, which exist to run scans on behalf of
Fortify WebInspect Enterprise users. To run scans, at least one Windows user account must be assigned
as a sensor user. Prior to or during the installation of Fortify WebInspect Enterprise, at least one
Windows user account should have been created for use as a Fortify WebInspect Enterprise sensor user.
To make a Windows user account a Fortify WebInspect Enterprise sensor user:
1. Select Administration in the left pane and then select the Sensor Users shortcut above.
2. Click Add in the right pane of the Sensor Users form.
3. In the Select Users or Groups dialog, type the name of a Windows user to add, in the format of
localhost\user or domain\user. If you specify only the user, you can click Check Names to help
identify the localhost or domain.
Click Advanced on the Select Users or Groups dialog to search for users or groups.
4. Click OK.
5. Verify that the sensor user you specified has been added to the list of Sensor Users in the dialog.
To remove a sensor user:
1. Select a sensor user from the list.
2. Click Remove.
Managing E-mail and SNMP Alerts
The following pages describe how to set up and manage e-mail messages and Simple Network
Management Protocol (SNMP) messages that are sent to recipients you specify whenever certain
WebInspect Enterprise events occur.
Adding, Editing, and Deleting E-mail Alerts
You can direct Fortify WebInspect Enterprise to send an e-mail message to recipients you specify
whenever certain Fortify WebInspect Enterprise events occur. Such a message is called an e-mail alert.
The E-mail Alerts form lists all e-mail alerts configured for the system. Each item includes:
l The name of the alert
l The address of the e-mail recipient
l The IP addresses of scanned sites that may elicit an alert
l The event or action that will trigger the alert
l The organization
l The group
To add, edit, or delete e-mail alerts:
1. Click Administration in the left pane and then select the E-mail Alerts shortcut above.
2. Click SMTP Settings (at the bottom of the form) to configure Simple Mail Transfer Protocol
(SMTP) settings as needed for sending e-mail alerts for specific Fortify WebInspect Enterprise
events:
l SMTP Server: The name of the server used for outgoing e-mail.
l SMTP Port: The port number used for outgoing e-mail.
l Sender: The text that will appear in the "From" field of the e-mail. It need not be a valid e-mail
account, but it must have the form of a display name followed by an address-shaped token,
Sender text1@text2.text3, where Sender and the text fields are any text you want to use (for
example, WebInspect Enterprise alerts@hpe.com).
l Use SSL: Select this check box to encrypt the connection to the SMTP server with the Secure
Sockets Layer (SSL) protocol.
l Authentication: If your server requires authentication, select Basic or NTLM, and then provide
a user name and password. Basic authentication sends the password to the server in cleartext
unless Use SSL is also selected.
3. If you plan to edit or delete an existing e-mail alert, select it in the E-mail Alerts list.
4. Click Action and then click one of the following options:
l Add. Open the E-Mail Alert Settings window and add an e-mail alert.
l Edit. Open the E-Mail Alert Settings window and modify the selected e-mail alert.
l Delete. Delete the selected e-mail alert.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
5. If you are adding or editing an e-mail alert, complete the fields in the E-Mail Alert Settings window
as follows:
a. Enter a name for the alert in the Name field.
b. Select System, Organization, or Security Group.
c. If you selected Organization or Security Group, select an organization or group from the
drop-down list.
d. In the Recipient e-mail address field, enter the e-mail address of the person who should
receive the alert. To specify multiple recipients, insert a semicolon between e-mail addresses.
e. If the alert should be sent only when selected actions occur related to a host name or specific IP
address or range of IP addresses, in the Host name, address, or IP Address Range field,
enter the host name or IP address. You can specify multiple addresses or a range of addresses.
For a range, use a hyphen to separate the lower address from the higher (example:
111.222.254.254-125.254.254.254).
Separate multiple addresses or ranges with a semicolon.
Enter an asterisk (*) to allow alerts for all IP addresses.
f. Select one or more actions that will trigger the alert.
System alerts can be sent for:
o Sensor error
o SmartUpdate completed
o SmartUpdate failed
Organization or security group alerts can be sent for:
o Scan completed
o Scan started
o Scan failed
o Critical vulnerability detected
g. Click OK.
Specifying E-mail Alert Settings
To add or edit an e-mail alert, complete the fields in the E-Mail Alert Settings window as follows:
1. Enter a name for the alert in the Name field.
2. Select System, Organization, or Security Group.
3. If you selected Organization or Security Group, select an organization or group from the drop-down list.
4. In the Recipient e-mail address field, enter the e-mail address of the person who should receive
the alert. To specify multiple recipients, insert a semicolon between e-mail addresses.
5. If the alert should be sent only when selected actions occur related to a host name or specific IP
address or range of IP addresses, in the Host name, IP address, or IP Address Range field, enter
the host name or IP address. You can specify multiple addresses or a range of addresses.
For a range, use a hyphen to separate the lower address from the higher (example:
111.222.254.254-125.254.254.254).
Separate multiple addresses or ranges with a semicolon.
Enter an asterisk (*) to allow alerts for all IP addresses.
6. Select one or more actions that will trigger the alert.
System alerts can be sent for:
l Sensor error
l SmartUpdate completed
l SmartUpdate failed
Organization or security group alerts can be sent for:
l Scan completed
Note: The Scan Completed email notification includes the total number of vulnerabilities
found in each severity level—Critical, High, Medium, Low, Best Practice, and Info—and a
Total Risk Score. For more information, see "Understanding Assigned Risks and the Total
Risk Score" on the next page.
l Scan started
l Scan failed
l Critical vulnerability detected
7. Click OK.
Note: You must also configure the SMTP Settings on the SMTP Alerts form by clicking SMTP
Settings (at the bottom of the form). For detailed information about adding, editing, and deleting
e-mail alerts, including configuring the SMTP Settings, see "Adding, Editing, and Deleting E-mail
Alerts" on page 71.
Understanding Assigned Risks and the Total Risk Score
Each vulnerability in the HPE SecureBase has an associated severity level ranging from critical to
informational. For example, most SQL Injection vulnerabilities are rated as critical, while Statistics
Information Disclosure is considered a low risk.
Assigned Risks
Each severity level is assigned a risk value as shown in the following table.
Severity Level    Assigned Risk
Critical          5
High              4
Medium            3
Low               2
Best Practice     1
Info              0
Total Risk Score
Fortify WebInspect Enterprise uses the assigned risks and the following calculation to determine the
Total Risk Score:
(#Criticals * 5) + (#Highs * 4) + (#Mediums * 3) + (#Lows * 2) + (#BestPractices * 1) = Total Risk Score
The Info severity level has an assigned risk of “0” and is not included in the Total Risk Score.
For example, suppose a completed scan has the following vulnerability Severity Level counts:
l Critical – 54
l High – 13
l Medium – 4
l Low – 21
l Best Practice – 31
l Info - 5 (not included in the Total Risk Score)
The scan would have a Total Risk Score as determined by the following calculation:
(54 * 5) + (13 * 4) + (4 * 3) + (21 * 2) + (31 * 1) = Total Risk Score
(270) + (52) + (12) + (42) + (31) = 407
Where Total Risk Score Appears
The Scan Completed email notification includes the total number of vulnerabilities found in each
severity level—Critical, High, Medium, Low, Best Practice, and Info—and a Total Risk Score. For more
information, see "Specifying E-mail Alert Settings" on page 73.
Adding, Editing, and Deleting SNMP Alerts
You can direct Fortify WebInspect Enterprise to send a Simple Network Management Protocol (SNMP)
message to IP addresses you specify whenever certain Fortify WebInspect Enterprise events occur.
Such a message is called an SNMP alert.
The SNMP Alerts form lists all SNMP alerts configured for the system. Each item includes:
l The name of the alert
l The IP address of the SNMP alert recipient
l The action or event that will trigger the alert
l The organization
l The group
To add, edit, or delete SNMP alerts:
1. Click Administration in the left pane and then select the SNMP Alerts shortcut above.
2. Click SNMP Settings (at the bottom of the form) and configure SNMP settings as needed for
sending SNMP alerts for specific Fortify WebInspect Enterprise events:
l SNMP Host: The IP address of the server that will receive the alert and forward it to the
intended recipient.
l SNMP Port: The port number for SNMP alerts on the SNMP host.
l Community: An SNMP community is a text string that acts as a password for authenticating
messages sent between the management station (the SNMP manager) and the device (the
SNMP agent). There are typically two types of community names:
o A read-only community name that allows queries of the agent
o A read-write community name that allows an NMS to perform set operations
In SNMPv1 and SNMPv2c the community string is sent in cleartext with every message, so treat
it as a shared secret and restrict the alert traffic to a trusted management network.
3. If you plan to edit or delete an existing SNMP alert, select it in the SNMP Alerts list.
4. Click Action and then click one of the following options:
l Add. Open the SNMP Alert Settings window and add an SNMP alert.
l Edit. Open the SNMP Alert Settings window and modify the selected SNMP alert.
l Delete. Delete the selected SNMP alert.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
5. If you are adding or editing an SNMP alert, complete the fields in the SNMP Alert Settings window
as follows:
a. Enter a name for the alert in the Name field.
b. Select System, Organization, or Security Group.
c. If you selected Organization or Security Group, select an organization or group from the
drop-down list.
d. In the Host name, IP address, or IP Address Range field, enter the host name or IP address
of the SNMP-compliant device that should receive the alert. You can specify multiple addresses
or a range of addresses.
For a range, use a hyphen to separate the lower address from the higher (example:
111.222.254.254-125.254.254.254).
Separate multiple addresses or ranges with a semicolon.
Enter an asterisk (*) to allow alerts for all IP addresses.
e. Select one or more actions that will trigger the alert.
System alerts can be sent for:
o Sensor error
o SmartUpdate completed
o SmartUpdate failed
Organization or security group alerts can be sent for:
o Scan completed
o Scan started
o Scan failed
o Critical vulnerability detected
f. Click OK.
Specifying SNMP Alert Settings
To add or edit an SNMP alert, complete the fields in the SNMP Alert Settings window as follows:
1. Enter a name for the alert in the Name field.
2. Select System, Organization, or Security Group.
3. If you selected Organization or Security Group, select an organization or group from the drop-down list.
4. In the Host name, IP address, or IP Address Range field, enter the host name or IP address of
the SNMP-compliant device that should receive the alert. You can specify multiple addresses or a
range of addresses.
For a range, use a hyphen to separate the lower address from the higher (example:
111.222.254.254-125.254.254.254).
Separate multiple addresses or ranges with a semicolon.
Enter an asterisk (*) to allow alerts for all IP addresses.
5. Select one or more actions that will trigger the alert.
System alerts can be sent for:
l Sensor error
l SmartUpdate completed
l SmartUpdate failed
Organization or security group alerts can be sent for:
l Scan completed
l Scan started
l Scan failed
l Critical vulnerability detected
6. Click OK.
Note: You must also configure the SNMP Settings on the SNMP Alerts form by clicking SNMP
Settings (at the bottom of the form). For detailed information about adding, editing, and deleting
SNMP alerts, including configuring the SNMP Settings, see "Adding, Editing, and Deleting SNMP
Alerts" on page 75.
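The Host name, IP address, or IP Address Range field has the same syntax in the E-Mail Alert Settings and SNMP Alert Settings windows: entries separated by semicolons, a range written as the lower address, a hyphen, and the higher address, and an asterisk for all addresses. The following Python script is an added example, not part of the product or of this guide; it parses that syntax and decides whether a given scanned host is covered by a filter, and it rejects a range whose lower address comes second. How the product compares host names is not documented here, so an exact, case-insensitive host-name match is an assumption, as is the constructed host name in the usage block.

```python
"""Matcher for the alert filter field "Host name, IP address, or IP Address Range".

Added example, not part of the HPE product or documentation. It applies the
syntax described in the guide for e-mail and SNMP alerts: entries are
separated by semicolons, a range is written lower-hyphen-higher, and a single
asterisk means every address. How the product compares host names is not
documented here, so this code assumes an exact, case-insensitive match.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = object()  # sentinel for the "*" entry


@dataclass(frozen=True)
class IpRange:
    low: ipaddress.IPv4Address | ipaddress.IPv6Address
    high: ipaddress.IPv4Address | ipaddress.IPv6Address

    def __contains__(self, addr) -> bool:
        # An address of a different IP version never falls inside the range.
        return addr.version == self.low.version and self.low <= addr <= self.high


def _parse_entry(item: str):
    """Turn one semicolon-separated entry into ANY, an address, an IpRange or a host name."""
    if item == "*":
        return ANY
    low_s, sep, high_s = item.partition("-")
    if sep:
        try:
            low = ipaddress.ip_address(low_s.strip())
            high = ipaddress.ip_address(high_s.strip())
        except ValueError:
            return item.lower()  # a host name that happens to contain a hyphen
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range (lower address must come first): {item!r}")
        return IpRange(low, high)
    try:
        return ipaddress.ip_address(item)
    except ValueError:
        return item.lower()


def parse_filter(spec: str) -> list:
    """Parse the whole field; raises ValueError on a malformed range."""
    return [_parse_entry(raw.strip()) for raw in spec.split(";") if raw.strip()]


def is_valid_filter(spec: str) -> bool:
    """True if every entry in the field parses (use before saving an alert)."""
    try:
        parse_filter(spec)
        return True
    except ValueError:
        return False


def matches(spec: str, target: str) -> bool:
    """True if the scanned host `target` (a host name or IP address) is covered by `spec`."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # target is a host name
    name = target.lower()
    for entry in parse_filter(spec):
        if entry is ANY:
            return True
        if isinstance(entry, IpRange):
            if addr is not None and addr in entry:
                return True
        elif isinstance(entry, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            if addr == entry:
                return True
        elif entry == name:
            return True
    return False


if __name__ == "__main__":
    # The guide's own example range plus a constructed host-name entry.
    spec = "111.222.254.254-125.254.254.254; app-server.example.com"
    for host in ("120.0.0.1", "126.0.0.1", "APP-SERVER.example.com"):
        print(host, matches(spec, host))
```

The range check in _parse_entry catches the most common mistake in this field, a range typed with the higher address first, before the alert is saved; the product's own behaviour on such a value is not described in this guide.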
Working with Fortify Software Security Center
The following pages describe how to configure HPE Security Fortify Software Security Center settings
in the WebInspect Enterprise Administrative Console for automatic publishing of scans to Fortify
Software Security Center and importing projects into Fortify Software Security Center.
Configuring Settings for Fortify Software Security Center
The HPE Security Fortify Software Security Center settings in the Software Security Center form in the
Fortify WebInspect Enterprise Administrative Console must be configured in order to do the following:
l Publish scans to Fortify Software Security Center. When Fortify Software Security Center settings
are correctly configured, scans are automatically published to Fortify Software Security Center by
default.
Note: To disable automatic publishing, see Disabling Automatic Publishing of Scans to Fortify
Software Security Center.
l Import projects into Fortify Software Security Center from a .csv file that was created by using the
Web Discovery tool.
Initial settings for Fortify Software Security Center are established during installation of Fortify
WebInspect Enterprise. If necessary, use the Software Security Center form to modify the settings as
follows:
1. Click Administration in the left pane and then select the Software Security Center shortcut
above.
2. Enter the following information:
l WebInspect Enterprise URL: The URL of the Fortify WebInspect Enterprise server.
l Software Security Center URL: The URL of the Fortify Software Security Center server.
l Administrator: User Name and Password: The user name and password of a general Fortify
Software Security Center administrator account created in Fortify Software Security Center.
Web Console users, when publishing scans to Fortify Software Security Center, will be required
to enter their own credentials.
Note: If the Fortify Software Security Center administrator's password expires or is
changed, or if a new Fortify Software Security Center administrator is chosen for
interaction with Fortify WebInspect Enterprise, a Fortify WebInspect Enterprise
administrator will need to rerun the Initialization Wizard (Start > All Programs > HP > HP
WebInspect Enterprise 16.20 > WebInspect Enterprise Initialize) and specify the new
credentials for the Fortify Software Security Center administrator. The Initialization Wizard
will detect that the newly specified Fortify Software Security Center administrator exists in
Fortify Software Security Center but is not a System Administrator in Fortify
WebInspect Enterprise. In this case, the Wizard will display the Administrator Role Page,
which allows you to add that user to Fortify WebInspect Enterprise with the System
Administrator role by selecting the Add Current User to System Administrator Role
check box and clicking Next.
l WebInspect Enterprise Service Account: User Name and Password: The user name and
password of an account in Fortify Software Security Center with the role of Fortify WebInspect
Enterprise System. The service that runs under this account controls the sharing of project
versions with Fortify WebInspect Enterprise and obtains lists of completed and running scans
from Fortify WebInspect Enterprise.
l Security Group: The organization/group to which new project versions are assigned when
created by Fortify Software Security Center. To change the organization/group for new project
versions, select a different entry from the dropdown list.
3. To verify the settings for connection to Fortify Software Security Center, click Test.
4. To save the settings, click Save.
5. (Optional) Click Action and then click one of the following options:
l Import Projects to SSC: Import projects into Fortify Software Security Center from a .csv
file created from IP addresses found using the Web Discovery tool. See "Importing Projects into
Fortify Software Security Center from a .csv File" on the next page
l Synchronize Projects: Synchronize projects between Fortify WebInspect Enterprise and
Fortify Software Security Center. This process generally occurs automatically.
l Unregister WebInspect Enterprise: Disconnect Fortify WebInspect Enterprise from Fortify
Software Security Center. Use this option only if you are moving to another instance of Fortify
Software Security Center.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
Disabling Automatic Publishing of Scans to Fortify Software Security Center
To disable automatic publishing of scans to Fortify Software Security Center:
1. If you are authorized to do so, open the following file:
C:\Program Files\HP\HP WebInspect Enterprise 16.20\ManagerWS\web.config
2. Change the value in
<add key="AutoPublishScans" value="true" />
from true to false
3. Save and close the file.
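The following Python script is an added example for the procedure above; it is not HPE code. It changes only the value attribute of the AutoPublishScans key so that comments and formatting elsewhere in web.config are left untouched, writes a backup first, and then re-parses the result as XML to confirm that exactly one AutoPublishScans key remains with the requested value. The file path is the one the guide gives; the sample configuration embedded in the script is constructed and far shorter than a real web.config.

```python
"""Turn AutoPublishScans off (or on) in a WebInspect Enterprise web.config.

Added example; it is not HPE code. The edit is made textually so that
comments and formatting elsewhere in the file survive, and the result is
re-parsed as XML to confirm that exactly one AutoPublishScans key is present
with the requested value. The file path is the one the guide gives; the
sample configuration below is constructed and much shorter than a real file.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

WEB_CONFIG = Path(r"C:\Program Files\HP\HP WebInspect Enterprise 16.20\ManagerWS\web.config")

# Matches the <add ... key="AutoPublishScans" ... value="..."> start tag whatever
# the attribute order, capturing only the value so nothing else is rewritten.
_AUTO_PUBLISH_RE = re.compile(
    r'<add\b(?=[^>]*\bkey="AutoPublishScans")[^>]*?\bvalue="(?P<value>[^"]*)"'
)

# Constructed sample: a real web.config contains many more settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed sample: a real web.config contains many more settings -->
  <appSettings>
    <add key="SomeOtherSetting" value="true" />
    <add key="AutoPublishScans" value="true" />
  </appSettings>
</configuration>
"""


def auto_publish_value(config_text: str) -> str:
    """Parse the config as XML and return the AutoPublishScans value ("true"/"false")."""
    root = ET.fromstring(config_text.encode("utf-8"))
    values = [e.get("value") for e in root.iter("add") if e.get("key") == "AutoPublishScans"]
    if len(values) != 1:
        raise ValueError(f"expected exactly one AutoPublishScans key, found {len(values)}")
    return values[0]


def set_auto_publish(config_text: str, enabled: bool) -> str:
    """Return config_text with AutoPublishScans set to "true" or "false"."""
    new_value = "true" if enabled else "false"

    def replace(m: re.Match) -> str:
        head = m.group(0)[: m.start("value") - m.start()]  # everything up to the old value
        return head + new_value + '"'

    new_text, count = _AUTO_PUBLISH_RE.subn(replace, config_text)
    if count != 1:
        raise ValueError(f"expected exactly one AutoPublishScans key, found {count}")
    if auto_publish_value(new_text) != new_value:  # independent check via the XML parser
        raise ValueError("edit did not take effect")
    return new_text


def disable_auto_publish(path: Path = WEB_CONFIG) -> Path:
    """Back up the file next to itself, then rewrite it with AutoPublishScans=false."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_auto_publish(path.read_text(encoding="utf-8"), False), encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Dry run on the constructed sample; call disable_auto_publish() on the server to change the real file.
    print(auto_publish_value(set_auto_publish(SAMPLE_WEB_CONFIG, False)))
```

Run disable_auto_publish() from an elevated prompt on the Fortify WebInspect Enterprise server, since the file lives under Program Files; the .bak copy it leaves beside web.config is what you restore from if the edit has to be reverted.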
Importing Projects into Fortify Software Security Center from a
.csv File
You can use the Web Discovery tool to discover sites over a range of IP addresses and convert the
discovered sites to projects in a .csv file. Then you can edit the data and import the projects into
Fortify Software Security Center (SSC), as follows:
1. Run the Web Discovery tool against the desired range of IP addresses. See the "Web Discovery"
chapter in the HPE Security Fortify WebInspect Tools Guide.
In the Web Discovery tool, you will click File > Export > To CSV File to save the set of discovered
sites, and specify the desired name and location for the .csv file.
2. Open the .csv file in Microsoft Excel.
3. Review the .csv file. Adjust the widths and edit the values of the following columns as desired. For
example, you can specify Fortify Software Security Center project and project version names that
are meaningful to you.
l SSC Project (required): The name to be given to the project to be imported into Fortify
Software Security Center. By default, the value is the IP address that was discovered.
l SSC Project Version (optional): The name to be given to the project version to be imported
into Fortify Software Security Center. By default, the value is Production.
l URL (optional): By default, the value is the URL to be used for a scan.
l Server Information (optional): By default, the value is the web platform of the detected
server. It appears in project version properties in Fortify WebInspect Enterprise, but does not
appear in Fortify Software Security Center.
l Finish Using Project (optional): In conjunction with the following field, specify the project and
project version with the project template attributes that will be used to finish the project version
to be imported into Fortify Software Security Center.
l Finish Using Project Version (optional): In conjunction with the preceding field, specify the
project and project version with the project template attributes that will be used to finish the
project version to be imported into Fortify Software Security Center.
4. Save the edited file.
5. In the Fortify WebInspect Enterprise Administrative Console, click File > Import Projects to SSC.
The Create Project Versions from imported CSV file dialog opens.
6. Browse to the .csv file location and select the file.
7. Select the appropriate option:
l WebInspect Enterprise Admin Console is running on the same machine as the WIE server
l WebInspect Enterprise Admin Console is running on a remote machine
Note: If you indicate the WIE server is running on the same machine but it is actually remote, the task will fail and an error message will be written to the TaskService_trace.log file.
8. Click OK.
The projects and project versions are queued for import into Fortify Software Security Center.
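The rules above (SSC Project required, SSC Project Version defaulting to Production, the two Finish Using fields used together) can be checked before the import is queued. The following is an added example, not code from the HPE documentation; it assumes the .csv header row carries the column titles exactly as listed above, and the sample rows are constructed.

```python
"""Check a discovered-sites .csv before using 'File > Import Projects to SSC'.

Added example, not part of the HPE documentation. Assumptions (labelled):
- the header row carries the column titles exactly as the guide lists them;
- the sample rows below are constructed for this example (placeholder hosts).
"""
import csv
import io

REQUIRED = ["SSC Project"]
OPTIONAL = ["SSC Project Version", "URL", "Server Information",
            "Finish Using Project", "Finish Using Project Version"]
COLUMNS = REQUIRED + OPTIONAL          # assumed header titles (see module docstring)
DEFAULT_VERSION = "Production"         # default project version name per the guide

# Constructed sample file: one good row with defaults, one complete row,
# one row missing the required project name, one with a half-filled Finish Using pair.
SAMPLE_CSV = "\n".join([
    ",".join(COLUMNS),
    "10.0.0.5,,http://10.0.0.5/,Apache,,",
    "Payroll Portal,Staging,https://payroll.example.test/,IIS,Corporate,Production",
    ",Production,http://10.0.0.9/,nginx,,",
    "Billing,Production,http://billing.example.test/,IIS,Corporate,",
]) + "\n"


def validate_rows(text):
    """Return (clean_rows, errors).

    clean_rows have the guide's defaults applied; errors is a list of
    (spreadsheet row number, message) for rows to fix in Excel before importing.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, "header is missing columns: " + ", ".join(missing))]

    clean, errors = [], []
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}
        if not row["SSC Project"]:
            errors.append((n, "SSC Project is required"))
            continue
        if not row["SSC Project Version"]:
            row["SSC Project Version"] = DEFAULT_VERSION
        # The two Finish Using fields work in conjunction: both set or both blank.
        finish_project = row["Finish Using Project"]
        finish_version = row["Finish Using Project Version"]
        if bool(finish_project) != bool(finish_version):
            errors.append((n, "Finish Using Project and Finish Using Project "
                              "Version must be given together"))
            continue
        clean.append(row)
    return clean, errors


def normalize_csv(text):
    """Write the validated rows back out, defaults applied, in the same column order."""
    clean, _ = validate_rows(text)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(clean)
    return out.getvalue()
```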
Working with AMP Sites
The following pages describe options for migrating Assessment Management Platform (AMP) sites to
Fortify WebInspect Enterprise project versions.
About Migrating AMP Sites
The Site Migration shortcut appears under the Administration group in the Administrative Console
only if:
l A migration from Assessment Management Platform (AMP) version 9.20 to Fortify WebInspect
Enterprise version 10.20 was performed before an upgrade to the current version of Fortify
WebInspect Enterprise, and
l The logged-in Fortify WebInspect Enterprise administrator is also a group administrator for one or
more AMP sites that have not been migrated to project versions yet. That administrator cannot
migrate other AMP sites.
If Site Migration is available, it is optional—Fortify WebInspect Enterprise does not require anyone to
migrate any sites at any particular time.
This topic describes the capabilities provided by the Site Migration form to migrate any remaining
unmigrated AMP sites. For procedures, see "Migrating AMP Sites" on page 82.
The form displayed for the Site Migration shortcut operates as follows:
l The form initially lists (in a table) every AMP site for which the logged-in Fortify WebInspect
Enterprise system administrator is also a group administrator. Thus, different system administrators
could see different AMP sites listed. (It does not matter whether any or all of the AMP site’s scans
have been published, or even whether any scans have been run.) All the listed AMP sites can have
site-specific data that you might want to migrate to a project version. For each AMP site (table row),
the form also provides a drop-down list of all the project versions to which the AMP site can be
migrated.
l The form allows the Fortify WebInspect Enterprise system administrator to assign one or more
particular currently unassigned AMP sites to a project version. The available project versions can
already exist or can be created at the time of assignment. When the Fortify WebInspect Enterprise
system administrator applies the assignments, all the remaining data that has not been previously
migrated from those AMP sites is migrated to Fortify WebInspect Enterprise.
l When the Fortify WebInspect Enterprise system administrator uses the option to create a new project
version, the project version is not "finished" until its required fields are specified, but he can still create
the project version and delay finishing it. Alternatively, to finish the project version immediately, he
can copy the required fields of an existing finished project version that he selects from a list. A scan
cannot be published to Fortify Software Security Center until its associated project version is
finished.
l At any point in time, the form lists every remaining unmigrated AMP site for which the logged-in
Fortify WebInspect Enterprise system administrator is also a group administrator. When the last AMP
site has been assigned to a project version and migrated, no AMP sites are listed in the Site
Migration form; the Site Migration shortcut will no longer appear the next time that administrator
logs in to the Administrative Console.
This design allows users to start running Fortify WebInspect Enterprise as soon as installation is
complete, regardless of the migration status of any AMP sites.
Each scan that was published from AMP to Fortify Software Security Center was associated with a
project version when it was published. During Fortify WebInspect Enterprise installation, the
Initialization Wizard associated the scan with the same project version in Fortify WebInspect Enterprise,
and the scan can be viewed in Fortify WebInspect Enterprise. When you use the Site Migration
shortcut to migrate an AMP site to a Fortify WebInspect Enterprise project version, all of the scan data
associated with that site’s unpublished scans is migrated to that project version. This data includes:
l Scans.
l Scheduled scans.
l Scan templates. In AMP, a scan template can be associated with either a project or an organization. In
Fortify WebInspect Enterprise, a scan template can be associated with one or more selected project
versions, or it can be created as a "global" scan template that is associated with all the project versions
of one or more selected projects.
l If a scan template created in AMP was associated with a project, site migration makes it a global
scan template associated with that project.
l If a scan template created in AMP was associated with an organization, site migration makes it a global scan template associated with that organization, and the read-only Use Organization check box in the global scan template is selected. Users cannot edit (or create) global scan templates associated with organizations in Fortify WebInspect Enterprise, but system administrators and organization administrators can change their permissions at the organization level.
In addition to scan data, various types of data not associated with scans are also migrated from AMP,
including blackout periods for sensors, custom policies, roles, proxy settings, configuration settings for
email alerts and SNMP alerts and SecureBase data.
Scans that were unpublished before performing site migration remain unpublished after site migration.
See Also
"Migrating AMP Sites" below
Migrating AMP Sites
To migrate particular AMP sites to the desired Fortify WebInspect Enterprise project versions:
1. Start the Administrative Console if you have not already done so. Click Start > HP WebInspect
Enterprise 16.20 Console and log on.
2. Select Administration in the left pane and then select the Site Migration shortcut above.
The Site Migration window appears in the right pane. The Site column lists the sites in AMP that
remain unmigrated and can be assigned to new or existing project versions in Fortify WebInspect
Enterprise. The drop-down list in the Project Version column displays existing project versions.
3. Select the site of interest in the Site column.
Note: You can assign multiple sites to the same project version. You can repeat Step 3 and
Step 4 to assign various AMP sites to the same project versions or to various project versions,
all at the same time when you later click Apply.
4. If you want to assign the site to an existing project version, select the desired project version from
the Project Version drop-down list in the same row as the site you selected.
If you want to assign the site to a new project version that you create using this form:
a. Click New Project Version at the bottom of the form.
b. In the Create SSC Project Version dialog, do one of the following:
o Select an existing project from the Project drop-down list.
o Click New Project and then in the Create SSC Project dialog, enter a name for the new
project and click OK. The new project appears in the Project field in the Create SSC Project
Version dialog.
c. Enter a name for the new Project Version.
d. The optional Finish Using field provides a drop-down list of all the finished project versions in
Fortify Software Security Center. If you select one of these finished project versions, when you
later click Apply the values of the attributes in the project template from the finished project
version will be copied to the new project version, and the new project version will thereby be
finished automatically.
If you do not select a value for this field, the project version you create will be unfinished. Until
a project version is finished, you cannot publish scans to it (but finishing the project version will
not automatically publish existing unpublished scans.)
e. Click OK.
The new project version is added to the Project Version drop-down list so that you can select
it (but the new project version is not actually created until you use it to perform the site
migration in Step 6).
f. Select the new Project Version from the drop-down list.
An icon in the column to the left of the Site column marks the site as ready for migration.
You can click Refresh Project Versions at any time to update the list of project versions, in case
you or other users have updated the set of project versions in Fortify Software Security Center.
5. Repeat Step 3 and Step 4 for other AMP sites, as needed.
6. Click Apply.
Any new project versions you specified and selected for site migration are created. The AMP sites
that you assigned to project versions are migrated and removed from the list of sites in the Site
Migration form. The unpublished scans that were created in AMP can now be viewed in scan
visualizations in Fortify WebInspect Enterprise.
After site migration, a site's existing unpublished scans remain unpublished even if the project
version to which the site has been migrated is finished.
You can click Refresh Sites at any time to update the list of sites to be migrated, in case other users are
simultaneously migrating sites.
See Also
"About Migrating AMP Sites" on page 80
Managing Users and the Activity Log
The following pages describe how to manage users who are currently logged in to the WebInspect
Enterprise system and the Activity Log that lists significant WebInspect Enterprise events. It also
describes accessing and viewing the license information.
About Managing Connected Users
This topic describes the capabilities provided by the Connected Users form to manage users who are
currently logged in to the Fortify WebInspect Enterprise system. You can release a user license to make
it available to another user. For procedures, see "Managing Connected Users" on the next page.
The Connected Users form lists each logged-in user.
Each item in the form includes (by default):
l Application Type, such as WebInspect Enterprise (WIE) or WebInspect
l Application Subtype, such as Console or Console-Web
l Application Version
l The user's name
l The user's IP Address
l The time and date when the user connected to the system
l Status
l Message
A summary at the bottom of the form shows the total number of user licenses in use, the total number of available user licenses, and the logon session timeout period (which you can edit).
For procedures, see "Managing Connected Users" below.
See Also
"Viewing License Information" below
Managing Connected Users
To control the set of connected (logged-in) users:
1. Select Administration in the left pane and then select the Connected Users shortcut above.
2. Select a user (unless you plan to change which columns to display in the form).
3. Click Action or right-click the selected user, and then click one of the following options:
l Release User License. Intended for use with licenses that permit multiple users. Disassociate the
selected user from the license, allowing another user to occupy that position.
l Column Setting. Specify which columns to display in the form.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
See Also
"About Managing Connected Users" on the previous page
Viewing License Information
To display the following license information, select Administration in the left pane and then select the
Licensing shortcut above:
l Activation ID: The unique identifier for the license issued by HPE.
If you upgrade from a trial version or if you otherwise modify the conditions of your license, click
Update to update your license.
l User Information: Information about the person to whom the license is granted.
l License Information
l Licensed IP or Host Ranges: The IP addresses or hosts to which scans are restricted.
l Bypass DNS: Indicates if the application is allowed to bypass a domain name server.
l Valid To: The ending date of the period for which the license is valid.
l Maintenance End Date: The date on which the maintenance contract terminates.
l Total available sensor licenses: The maximum number of sensors that may be connected to
Fortify WebInspect Enterprise.
l Total Scan Count: The maximum number of scans that may be conducted.
l License Usage Information
l Available Scan Count: Remaining number of scans allowed.
l Total in use sensor licenses: Number of licensed sensors in use.
l Total in use concurrent user licenses: Number of concurrent user licenses in use.
Note: If the Fortify WebInspect Enterprise Administrative Console is installed on a machine that
does not have Internet access, see the HPE Security Fortify WebInspect Enterprise Installation and
Implementation Guide for instructions on activating the application.
See Also
"About Managing Connected Users" on page 83
Managing the Activity Log
The Activity Log lists significant Fortify WebInspect Enterprise events. Each item includes (by default):
l The date and time the event occurred
l A message indicating the event or activity
l For scan-related events, the URL or IP address or the job name associated with this activity
l The sensor associated with this activity
l The name of the user
l The IP address of the workstation
You can display all entries in the Activity Log or restrict the listing to those activities that occurred on or
after a specific date.
To limit the size of the Activity Log, click Activity Log Settings (at the bottom of the form) and set the
desired limits.
To manage the activity log in other ways:
1. Select Administration in the left pane and then select the Activity Log shortcut above.
2. Click Action and then click one of the following options:
l Export Activity Log to TSV. Save the activity log to a text file using a tab-separated format.
l Export Activity Log to CSV. Save the activity log to a text file using a comma-separated format.
l Export Activity Log to XML. Save the activity log to a text file using an XML format.
l Clear Activity Log. Delete all entries in the activity log.
l Copy Message(s) to Clipboard. Copy the text in all columns of all selected list entries.
l Column Setting. Specify which columns to display in the form.
Note: The availability of particular options depends on the permissions granted to you by your
assigned role.
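Once the Activity Log has been exported to TSV, the same date filter the console offers, plus a per-user and per-sensor roll-up, can be applied offline. This is an added example rather than HPE code; it assumes the export has one header row with the default columns in the order listed above and timestamps of the form YYYY-MM-DD HH:MM:SS, and the log lines are constructed.

```python
"""Triage an Activity Log exported with 'Action > Export Activity Log to TSV'.

Added example, not part of the HPE documentation. Assumptions (labelled):
- the export has one header row and the default columns in the order the
  guide lists them (date/time, message, URL/IP/job, sensor, user, workstation IP);
- timestamps are 'YYYY-MM-DD HH:MM:SS';
- the sample lines below are constructed (placeholder hosts and addresses).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

COLUMNS = ["When", "Message", "Target", "Sensor", "User", "Workstation"]

# Constructed sample export (tab-separated).
SAMPLE_TSV = "\n".join([
    "\t".join(COLUMNS),
    "2016-09-01 08:02:11\tUser logged on\t\t\tadmin\t10.1.1.20",
    "2016-09-01 08:05:40\tScan started\thttp://app.example.test/\tsensor01\tadmin\t10.1.1.20",
    "2016-09-02 17:44:03\tScan started\thttp://app.example.test/\tsensor02\tadmin\t203.0.113.8",
    "2016-09-03 09:10:00\tUser logged on\t\t\tjdoe\t10.1.1.31",
    "2016-09-03 09:12:15\tScan started\thttp://10.0.0.5/\tsensor01\tjdoe\t10.1.1.31",
]) + "\n"


def parse_activity_log(text):
    """Return the export as a list of dicts; the 'When' field becomes a datetime."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    entries = []
    for row in reader:
        row["When"] = datetime.strptime(row["When"], "%Y-%m-%d %H:%M:%S")
        entries.append(row)
    return entries


def entries_on_or_after(entries, iso_day):
    """The console's date filter: keep events that occurred on or after iso_day (YYYY-MM-DD)."""
    cutoff = datetime.strptime(iso_day, "%Y-%m-%d").date()
    return [e for e in entries if e["When"].date() >= cutoff]


def workstations_by_user(entries):
    """Map each user to the sorted list of workstation IPs their events came from."""
    seen = defaultdict(set)
    for e in entries:
        if e["User"] and e["Workstation"]:
            seen[e["User"]].add(e["Workstation"])
    return {user: sorted(ips) for user, ips in seen.items()}


def users_with_multiple_workstations(entries):
    """Users whose events come from more than one workstation IP (worth reviewing)."""
    return sorted(u for u, ips in workstations_by_user(entries).items() if len(ips) > 1)


def events_by_sensor(entries):
    """Count the events that name a sensor, per sensor."""
    counts = defaultdict(int)
    for e in entries:
        if e["Sensor"]:
            counts[e["Sensor"]] += 1
    return dict(counts)
```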
Reference Lists
The following pages provide lists of policies, scan status messages, HTTP status codes, and sensor
statuses.
Policies List
Fortify WebInspect provides various policies that you can use with your scans and crawls to determine
the vulnerability of your Web application. Each policy is kept current using the SmartUpdate function,
ensuring that assessments are accurate and capable of detecting the most recently discovered threats.
The provided policies are:
l Aggressive SQL Injection: This policy performs a comprehensive security assessment of your web
application for SQL Injection vulnerabilities. SQL Injection is an attack technique that takes
advantage of non-validated input vulnerabilities to pass arbitrary SQL queries and/or commands
through the web application for execution by a backend database. This policy performs a more
accurate and decisive job, but has a longer scan time.
l All Checks: An All Checks scan includes an automated crawl of the server and performs all active
checks from SecureBase, the HPE check database. This includes checks for known and unknown
vulnerabilities at the Web server, Web application server, and Web application layers.
l Apache Struts: This policy detects supported known advisories against the Apache Struts
framework.
l Application: This policy performs a security assessment of your Web application by submitting
known and unknown Web application attacks, and only submits specific attacks that assess the
application layer. When performing assessments of enterprise level Web applications, use the
Application Only policy in conjunction with the Platform Only policy to optimize your assessment in
terms of speed and memory usage.
l Assault: An assault scan includes an automated crawl of the server and performs checks for known
and unknown vulnerabilities at the Web server, Web application server, and Web application layers.
An assault scan includes checks that can create denial-of-service conditions. HPE strongly
recommends that you use assault scans in test environments only.
l Blank: This policy is a template that you can use to build your own policy. It includes an automated
crawl of the server and no vulnerability checks. Edit this policy to create custom policies that only scan
for specific vulnerabilities.
l Criticals and Highs: Use this policy to quickly scan your Web applications for the most urgent and pressing vulnerabilities while not endangering production servers. This policy checks for SQL Injection, Cross-Site Scripting, and other critical and high severity vulnerabilities. It also will list directories that could potentially lead to discovery of critical or high vulnerabilities. This policy does not contain checks that may write data to databases or create denial-of-service conditions, and it is safe to run against production servers.
l Cross-Site Scripting: This policy performs a security assessment of your Web application for Cross-site Scripting (XSS) vulnerabilities. XSS is an attack technique that forces a Web site to echo attacker-supplied executable code, such as HTML code or client-side script, which then loads in a user's browser. Such an attack can be used to bypass access controls or conduct phishing expeditions.
l Deprecated Checks: The Deprecated Checks policy includes checks that are either deemed to have reached end of life based on the current technological landscape or have been re-implemented using smart and efficient audit algorithms that leverage the latest enhancements of the core Fortify WebInspect framework.
l Dev: A Developer scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the Web application layer only. The Developer policy does not execute checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
l DevInspectEclipse: This is the standard policy for use by DevInspect Java Eclipse. It performs both a crawl and an audit, and tests the application for known and unknown vulnerabilities.
l DevInspectVS: This is the standard policy for use by DevInspect VS. It performs both a crawl and an audit, and tests the application for known and unknown vulnerabilities.
l Mobile: A mobile scan will detect security flaws based on the communication observed between a mobile application and the supporting backend services.
l NoSQL and Node.js: A NoSQL and Node.js scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities targeting databases based on NoSQL such as MongoDB and server side infrastructures based on JavaScript such as NodeJS. This policy includes checks that are available to Fortify WebInspect release 9.3 and above.
l OpenSSL Heartbleed: This policy performs a security assessment of your web application for the critical TLS Heartbeat read overrun vulnerability. This vulnerability could potentially disclose critical server and web application data residing in the server memory at the time a malicious user sends a malformed Heartbeat request to the server hosting the site.
l OWASP Top 10: Many organizations suggest testing for the Open Web Application Security Project (OWASP) Top Ten Web Application vulnerabilities as a best practice in ensuring the security of your Web application. Multiple releases of the OWASP Top Ten may be available.
l Passive Scan: This policy scans an application for vulnerabilities detectable without active exploitation, making it safe to run against production servers. Vulnerabilities detected by this policy include issues of path disclosure, error messages, and others of a similar nature.
l Platform: This policy performs a security assessment of your Web application platform by submitting attacks specifically against the Web server and known Web applications. When performing assessments of enterprise-level Web applications, use the Platform policy in conjunction with the Application policy to optimize your assessment in terms of speed and memory usage.
l Privilege Escalation: The Privilege Escalation policy scans your web application for programming errors or design flaws that allow an attacker to gain elevated access to data and applications. The policy uses checks that compare responses of identical requests with different privilege levels.
l QA: This policy is designed to help QA professionals make project release decisions in terms of Web application security. It performs checks for both known and unknown Web application vulnerabilities. However, it does not submit potentially hazardous checks, making it safe to run on production systems.
l Quick: A Quick scan includes an automated crawl of the server and performs checks for known vulnerabilities in major packages and unknown vulnerabilities at the Web server, Web application server, and Web application layers. A Quick scan does not run checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
l Safe: A Safe scan includes an automated crawl of the server and performs checks for most known
vulnerabilities in major packages and some unknown vulnerabilities at the Web server, Web
application server, and Web application layers. A Safe scan does not run any checks that could
potentially trigger a denial-of-service condition, even on sensitive systems.
l SQL Injection: This policy performs a security assessment of your Web application for SQL Injection
vulnerabilities. SQL Injection is an attack technique that takes advantage of non-validated input
vulnerabilities to pass arbitrary SQL queries and/or commands through the Web application for
execution by a backend database.
l Standard: A Standard scan includes an automated crawl of the server and performs checks for
known and unknown vulnerabilities at the Web server, Web application server, and Web application
layers. A Standard scan does not run checks that are likely to create denial-of-service conditions, so it
is safe to run on production systems.
l Standard (Deprecated): The Standard (Deprecated) policy is a copy of the original standard policy
before it was revised in the R1 2015 release.
l Transport Layer Security: This policy performs a security assessment of your web application for
insecure SSL/TLS configurations and critical transport layer security vulnerabilities, such as
Heartbleed, Poodle, and SSL Renegotiation attacks.
See Also
"About Managing Scan Policies" on page 64
Scan Status Messages List
The following table describes the status messages that may be returned by Fortify WebInspect.
Pending: A user has created a job by scheduling a scan or attempting to start a scan manually when the sensor is not available. The job appears in the Queued Scans list and will be started automatically when the sensor becomes available (if it is not preempted by a job with a higher priority).
Running: A sensor is conducting the scan. The job appears in the Running Scans list.
Suspended: A user has started or scheduled another scan with a higher priority; the suspended scan has been placed in the Queued Scans list and will be resumed when the sensor becomes available.
Complete: The scan has finished without error. The job appears in the Completed Scans list.
Failed: The sensor encountered an error that prevented the scan from completing.
Aborted: A user has stopped a scan.
Offline: The sensor conducting the scan is no longer connected to the WebInspect Enterprise system. This can occur because of network disruption or if a console user stopped the Fortify WebInspect Enterprise Sensor service (Start/Settings/Control Panel/Administrative Tools/Services), taking the sensor offline.
Suspended_Manual: A user has temporarily interrupted a running scan. The suspended scan appears in the Queued Scans list, but will not be resumed until the user enters the command to do so.
Suspending_Manual: A user has temporarily interrupted a running scan. The sensor is in the process of suspending the scan and placing it in the queue.
Imported: The user's attempt to import the scan was successful.
Blackout_Pending: A user has created a job by scheduling a scan or attempting to start a scan manually, but a blackout period prohibits the job from starting. The scan appears in the Queued Scans list and will be started automatically when the blackout period expires and a sensor becomes available.
Blackout_Suspended: The scan was running when a blackout period started. The scan has been placed in the Queued Scans list and will be resumed automatically when the blackout period expires and a sensor becomes available.
Blackout_Suspending: The scan was running when a blackout period started. The sensor is in the process of suspending the scan and placing it in the Queued Scans list.
See Also
"About Controlling Scans Using the Scan Queue" on page 63
HTTP Status Codes List
The following list of status codes was extracted from the Hypertext Transfer Protocol version 1.1 standard (RFC 2616). You can view the complete standard at http://www.w3.org/Protocols/rfc2616/rfc2616.html
100: Continue.
101: Switching Protocols.
200 OK: Request has succeeded.
201 Created: Request fulfilled and new resource being created.
202 Accepted: Request accepted for processing, but processing not completed.
203 Non-Authoritative Information: The returned metainformation in the entity-header is not the definitive set as available from the origin server, but is gathered from a local or a third-party copy.
204 No Content: The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation.
205 Reset Content: The server has fulfilled the request and the user agent should reset the document view which caused the request to be sent.
206 Partial Content: The server has fulfilled the partial GET request for the resource.
300 Multiple Choices: The requested resource corresponds to any one of a set of representations, each with its own specific location, and agent-driven negotiation information (section 12) is being provided so that the user (or user agent) can select a preferred representation and redirect its request to that location.
301 Moved Permanently: The requested resource has been assigned a new permanent URI and any future references to this resource should use one of the returned URIs.
302 Found: The requested resource resides temporarily under a different URI.
303 See Other: The response to the request can be found under a different URI and should be retrieved using a GET method on that resource.
304 Not Modified: If the client has performed a conditional GET request and access is allowed, but the document has not been modified, the server should respond with this status code.
305 Use Proxy: The requested resource MUST be accessed through the proxy given by the Location field.
306 Unused: Unused.
307 Temporary Redirect: The requested resource resides temporarily under a different URI.
400 Bad Request: The request could not be understood by the server due to malformed syntax.
401 Unauthorized: The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
402 Payment Required: This code is reserved for future use.
403 Forbidden: The server understood the request, but is refusing to fulfill it.
404 Not Found: The server has not found anything matching the Request-URI.
405 Method Not Allowed: The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
406 Not Acceptable: The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.
407 Proxy Authentication Required: This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy.
408 Request Timeout: The client did not produce a request within the time that the server was prepared to wait.
409 Conflict: The request could not be completed due to a conflict with the current state of the resource.
410 Gone: The requested resource is no longer available at the server and no forwarding address is known.
411 Length Required: The server refuses to accept the request without a defined Content-Length.
412 Precondition Failed: The precondition given in one or more of the request-header fields evaluated to false when it was tested on the server.
413 Request Entity Too Large: The server is refusing to process a request because the request entity is larger than the server is willing or able to process.
414 Request-URI Too Long: The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret.
415 Unsupported Media Type: The server is refusing to service the request because the entity of the request is in a format not supported by the requested resource for the requested method.
416 Requested Range Not Satisfiable: A server should return a response with this status code if a request included a Range request-header field (section 14.35), and none of the range-specifier values in this field overlap the current extent of the selected resource, and the request did not include an If-Range request-header field.
417 Expectation Failed: The expectation given in an Expect request-header field (see section 14.20) could not be met by this server, or, if the server is a proxy, the server has unambiguous evidence that the request could not be met by the next-hop server.
500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request.
501 Not Implemented: The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.
502 Bad Gateway: The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.
503 Service Unavailable: The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
504 Gateway Timeout: The server, while acting as a gateway or proxy, did not receive a timely response from the upstream server specified by the URI (e.g., HTTP, FTP, LDAP) or some other auxiliary server (e.g., DNS) it needed to access in attempting to complete the request.
505 HTTP Version Not Supported: The server does not support, or refuses to support, the HTTP protocol version that was used in the request message.
Sensor Status List
The following table describes the statuses that a sensor can display.
Status
Definition
Offline
The sensor is not connected.
Initializing
The sensor is initializing.
Idle
The sensor is not busy.
Starting
The sensor is starting a new scan.
Running
The sensor is conducting a scan.
Complete
The current scan has completed, but the sensor is not ready to start another scan.
Aborting
The sensor is aborting the current scan, but is not ready to start another scan.
Aborted
The current scan has been aborted.
Paused
The sensor is not available; scans may not be passed to this sensor.
Suspending
The sensor is suspending the current scan, but is not ready to start another scan.
Suspended
The current scan has been suspended.
Resuming
The sensor is resuming a suspended scan.
Warning
An error occurred on the sensor, but it was not severe enough to abort the current scan.
Error
A fatal error occurred on the sensor.
Unlicensed
A license is not assigned to this sensor.
Chapter 3: WebInspect Enterprise Services Manager
This chapter describes how to use the WebInspect Enterprise Services Manager to configure or modify
the scan uploader service, task service, and scheduler service.
About the Fortify WebInspect Enterprise Services Manager
Use the Fortify WebInspect Enterprise Services Manager, also known as the Fortify WebInspect
Enterprise Services Configuration Utility, to configure or modify the following services associated with
Fortify WebInspect Enterprise:
• The scan uploader service handles the transfer of scans from Fortify WebInspect to Fortify
WebInspect Enterprise. For more information, see "Configuring the Scan Uploader Service" below.
• The task service monitors the queue for various tasks, including Fortify Software Security Center
project version updates and Fortify Software Security Center issue synchronization. For more
information, see "Configuring the Task Service" on page 96.
• The scheduler service handles the scheduling of scans, discovery scans, and smart updates. For more
information, see "Configuring the Scheduler Service" on page 98.
To start the utility, click Start > All Programs > HP > HP WebInspect Enterprise 16.20 >
WebInspect Enterprise Services Manager.
To access information about configuring a service, click its button in the left column.
Configuring the Scan Uploader Service
If the Fortify WebInspect Enterprise Scan Uploader Service was installed, Fortify WebInspect can scan a
website and export the scan results to a location called a "dropbox." The Scan Uploader Service accesses
each dropbox periodically and, if files exist, it uploads those files to the Fortify WebInspect Enterprise
Manager.
Service Status
This area of the interface reports the current status of the Scan Uploader service. You can start, stop,
restart, or configure the service.
To configure the service:
1. Click Configure in the Service Status section.
The Configure Service dialog appears.
2. Select which credentials should be used for logging on to the service:
• Local system account - This account is a predefined local account used by the service control
manager (SCM). It has extensive privileges on the local computer, and acts as the computer on
the network. A service that runs in the context of the Local System account inherits the security
context of the SCM.
• This account - An account identified by the credentials you specify.
3. If you select This account, enter an account name and password.
4. Click OK.
Fortify WebInspect Enterprise Configuration
This area of the interface reports the Fortify WebInspect Enterprise configuration.
To configure Fortify WebInspect Enterprise:
1. Click Configure in the WebInspect Enterprise Configuration section.
The WebInspect Enterprise Configuration dialog appears.
2. Enter the URL of the Fortify WebInspect Enterprise Manager.
3. Provide the Fortify WebInspect Enterprise Manager's authentication credentials.
4. To verify that the user name and password are correct, click Test.
5. If the Scan Uploader service uses a proxy, select Enable Proxy and provide the requested
information.
6. Click OK.
Dropbox Configuration
Fortify WebInspect can scan a Web site and export the scan results to a location called a "dropbox." The
purpose of the Fortify WebInspect Enterprise Uploader Service is to access each dropbox periodically
and, if files exist, to upload those files to the Fortify WebInspect Enterprise Manager.
To create a dropbox:
1. Click Add in the Dropbox Configuration section.
The Configure Dropbox dialog appears.
2. Enter a dropbox name.
3. Enter the full path and name of the folder that will be used as the dropbox (or click Browse to
select or create a folder).
Be sure to select or create a folder that will not be used for any other purpose.
4. Enter the project version that will be serviced by this dropbox.
5. Click OK.
Logging Configuration
This area of the interface reports current settings for the logging function.
To configure logging:
1. Click Configure in the Logging Configuration section.
The Logging Configuration dialog appears.
2. The logging output is contained in UploaderService_trace.log. To specify the location of the
logs, choose one of the following:
• Default location - For Windows Server 2008 or Windows Server 2012, the default location is:
\ProgramData\HP\WIE\UploaderService
• Enter location for log file - Type a path to the folder that will contain the logs, or click Browse
to select a location.
3. For the logging level, choose either INFO (the default) or DEBUG (which records more data).
4. In the Max file size field, specify the maximum file size of a log file (in megabytes).
5. In the Number of backup files field, specify the maximum number of log files that will be retained.
When a log file reaches its maximum size, Fortify WebInspect Enterprise closes it and opens
another file, repeating this process until the maximum number of log files is created. When that file
is full, Fortify WebInspect Enterprise closes it, deletes the oldest file, and opens a new one. Files are
named in sequence: UploaderService_trace.log, UploaderService_trace.log.1, etc.
6. Click OK.
Starting the Service
Click Start in the Service Status section to start the service if it is not already running.
Configuring the Task Service
Service Status
This area of the interface reports the current status of the Task service, which handles background
tasks such as Fortify Software Security Center project version updates and Fortify Software Security
Center issue synchronization. You can start, stop, restart, or configure the service.
To configure the service:
1. Click Configure in the Service Status section.
The Configure Service dialog appears.
2. Select which credentials should be used for logging on to the service:
• Local system account - This account is a predefined local account used by the service control
manager (SCM). It has extensive privileges on the local computer, and acts as the computer on
the network. A service that runs in the context of the Local System account inherits the security
context of the SCM.
• This account - An account identified by the credentials you specify.
3. If you select This account, enter an account name and password.
4. Click OK.
Database Configuration
This area of the interface reports the database server name and database name.
To configure the database:
1. Click Configure in the Database Configuration section.
The Database Configuration dialog appears.
2. Enter a server name.
3. Specify the account under which Fortify WebInspect Enterprise will connect to the database.
• Windows Authentication - The name and password specified in the Fortify WebInspect
Enterprise Manager’s user account is used to authenticate to the database. When working in a
domain environment, the Fortify WebInspect Enterprise Manager’s user account should be a
domain account. When working in a workgroup environment, you must have the exact same
user name and password on both the Fortify WebInspect Enterprise Manager and the database
computers.
• SQL Authentication - Enter the SQL Server user name and password.
4. Enter or select a database.
5. Click OK.
Logging Configuration
This area of the interface reports current settings for the logging function.
To configure logging:
1. Click Configure in the Logging Configuration section.
The Logging Configuration dialog appears.
2. The logging output is contained in TaskService_trace.log. To specify the location of the logs,
choose one of the following:
• Default location - For Windows Server 2008 or Windows Server 2012, the default location is:
\ProgramData\HP\WIE\TaskService
• Enter location for log file - Type a path to the folder that will contain the logs, or click Browse
to select a location.
3. For the logging level, choose either INFO (the default) or DEBUG (which records more data).
4. In the Max file size field, specify the maximum file size of a log file (in megabytes).
5. In the Number of backup files field, specify the maximum number of log files that will be retained.
When a log file reaches its maximum size, Fortify WebInspect Enterprise closes it and opens
another file, repeating this process until the maximum number of log files is created. When that file
is full, Fortify WebInspect Enterprise closes it, deletes the oldest file, and opens a new one. Files are
named in sequence: TaskService_trace.log, TaskService_trace.log.1, etc.
6. Click OK.
Fortify Software Security Center Poll Interval
This area of the interface determines how often Fortify WebInspect Enterprise contacts Fortify
Software Security Center (SSC) for updates.
To configure settings:
1. In the SSC project version updates polling interval field, specify (in seconds) how frequently
Fortify WebInspect Enterprise contacts Fortify Software Security Center to check for project
version name changes or deletions.
2. In the SSC issue synchronization interval field, specify (in minutes) how frequently Fortify
WebInspect Enterprise contacts Fortify Software Security Center to check for changes to audit
information, comments, attachments, and “not an issue” and “suppressed” status.
3. Click Apply.
Starting the Service
Click Start in the Service Status section to start the service if it is not already running.
Configuring the Scheduler Service
Service Status
This area of the interface reports the current status of the Scheduler service. You can start, stop, restart,
or configure the service.
To configure the service:
1. Click Configure in the Service Status section.
The Configure Service dialog appears.
2. Select which credentials should be used for logging on to the service:
• Local system account - This account is a predefined local account used by the service control
manager (SCM). It has extensive privileges on the local computer, and acts as the computer on
the network. A service that runs in the context of the Local System account inherits the security
context of the SCM.
• This account - An account identified by the credentials you specify.
3. If you select This account, enter an account name and password.
4. Click OK.
Fortify WebInspect Enterprise Manager
If the Fortify WebInspect Enterprise Manager URL is changed using IIS or another tool, change the URL
here as well.
Logging Configuration
This area of the interface reports current settings for the logging function.
To configure logging:
1. Click Configure in the Logging Configuration section.
The Logging Configuration dialog appears.
2. The logging output is contained in Scheduler_trace.log. To specify the location of the logs,
choose one of the following:
• Default location - For Windows Server 2008 or Windows Server 2012, the default location is:
\ProgramData\HP\WIE\Scheduler
• Enter location for log file - Type a path to the folder that will contain the logs, or click Browse
to select a location.
3. For the logging level, choose either INFO (the default) or DEBUG (which records more data).
4. In the Max file size field, specify the maximum file size of a log file (in megabytes).
5. In the Number of backup files field, specify the maximum number of log files that will be retained.
When a log file reaches its maximum size, Fortify WebInspect Enterprise closes it and opens
another file, repeating this process until the maximum number of log files is created. When that file
is full, Fortify WebInspect Enterprise closes it, deletes the oldest file, and opens a new one. Files are
named in sequence: Scheduler_trace.log, Scheduler_trace.log.1, etc.
6. Click OK.
Starting the Service
Click Start in the Service Status section to start the service if it is not already running.
Chapter 4: WebInspect Enterprise Web Console
The WebInspect Enterprise Web Console, also known as the Web Console, is a browser-based interface
designed for non-administrative functions such as running and managing scans.
Using the Interface
The Fortify WebInspect Enterprise Web Console user interface comprises the following main areas:
• Toolbar - Links in the upper right of the page to capabilities that are available for all Fortify
WebInspect Enterprise Web Console screens.
• Navigation pane - Left pane to select the action to take or the associated view or form to display in
the right pane.
• Views and forms - Displays the view or form selected in the navigation pane.
In the following screen capture, the Scans option in the Navigation pane on the left has been selected
and a form containing a list of all scans in the Fortify WebInspect Enterprise system is displayed. (For
more information about displaying and managing scans, see "Reviewing the Scan List" on page 141.)
Navigation Pane
The Navigation pane contains the following groups and commands:
• Actions
  o New Project Version (if the user has Administrator privileges) - See "Creating New Project Versions" on page 128
  o Guided Scan (Launches Guided Scan, the preferred method for performing a website scan. See the Guided Scan Help system for information about the Guided Scan client application.) - See "Configuring a Guided Scan" on page 269
  o Scan Web Site (appears only if Enable "New Scan" Action in Options has been selected) - See Scan Web Site
  o Scan Web Service (appears only if Enable "New Web Service" Action in Options has been selected) - See "Scanning a Web Service" on page 111
  o New Scan Schedule (appears only if Enable "New Scan Schedule" Action in Options has been selected) - See "Enabling New Scan Schedules" on page 105
  o New Blackout (appears only if Enable "New Blackout" Action in Options has been selected) - See "Enabling New Blackout Periods" on page 105
• Filtered Views
  o Project Versions - See "Viewing Project Versions" on page 129
  o Scans - See "Reviewing the Scan List" on page 141
  o Scan Requests - See "Using Scan Requests from Fortify Software Security Center" on page 115
  o Scan Schedules - See "Scan Schedules" on page 113
• Resources
  o Scan Templates - See "Using Scan Templates" on page 117
  o Blackouts - See "Using Blackouts" on page 121
• Administration
  o Deleted Projects (appears only after a project version has been removed) - See "Viewing Deleted Projects" on page 137
Click a command to display a form containing related information or controls, or to initiate a function.
Toolbar
The Fortify WebInspect Enterprise Web Console toolbar at the top right contains the following links:
Link
Description
Log Off
Logs you off the Fortify WebInspect Enterprise Web Console application.
Options
Opens the Configure Options window, allowing you to select a default group,
choose a time zone for the web console, and enable or disable other options. For
more information, see "Configuring Toolbar Options" on the next page.
Resources
Opens a Fortify WebInspect Enterprise page on the HPE website.
Help
Opens the Help file for the Web Console.
About
Opens a window that displays the Fortify WebInspect Enterprise manager
version and the database schema version.
In addition, you can click the HPE logo to return to the home page of the Fortify WebInspect Enterprise
application.
Configuring Toolbar Options
Click the Options link on the Fortify WebInspect Enterprise toolbar to configure the following options.
Option
Description
Default Group
Select a group that will be used by client applications that cannot specify a
group. A client application is Fortify WebInspect or any application that uses the
Fortify WebInspect Enterprise application programming interface (API). Each
user account is associated with a default group. If Fortify WebInspect Enterprise
receives a call to create an object and the calling client application is not aware of
the Fortify WebInspect Enterprise "group" category, Fortify WebInspect
Enterprise will use the default group specified here.
Web Console Time Zone
Select the time zone in which you work.
Enable "Scan Web Site" Action
This option allows you to initiate a Web Site scan from the Web Console, using the Scan Web Site
function in the Actions group. If not selected, Scan Web Site does not appear in the Actions group in
the navigation pane. This option is selected by default.
Enable "Scan Web Service" Action
This option allows you to initiate a Web Service scan from the Web Console, using the Scan Web
Service function in the Actions group. If not selected, Scan Web Service does not appear in the
Actions group in the navigation pane. This option is selected by default.
Enable "New Scan Schedule" Action
This option allows you to schedule a scan from the Web Console, using the New Scan Schedule
function in the Actions group. If not selected, New Scan Schedule does not appear in the Actions
group in the navigation pane. This option is not selected by default.
Enable "New Blackout" Action
This option allows you to create and modify blackout periods from the Web Console. If not selected,
New Blackout does not appear in the Actions group in the navigation pane. This option is not selected
by default.
Configuring Form Layouts
Most forms contain an Edit Layout icon that, when clicked, displays the Configure Columns dialog that
allows you to change the number of rows on the page, modify column widths, specify which columns are
displayed, and sort data by columns.
This dialog has four tabs:
• Columns
• Grouping
• Sorting
• Paging
Columns
Use this tab to specify which columns are displayed on the grid. Column headers listed in the Selected
list will be displayed. Use the controls illustrated below to move column headers between the Selected
list and the Available list.
To change the column width:
1. Select a column header.
2. Enter a value in the Width field (or use the slider to select a width).
3. Click OK.
Grouping
You can group objects in views (projects, scans, and scan schedules) according to the available column
names. Any grouping you define is applied to every tab on the form you are viewing.
In the following example, vulnerabilities are grouped by severity and then by check name within each
severity category.
1. In the Navigation pane, click Scans.
2. Click the Edit Layout icon.
3. On the Configure Columns dialog, click the Grouping tab.
4. In the Available list, select Security Group and click >.
5. Select Policy and click >.
Both column headers are now removed from the Available list and appear in the Selected list.
6. Click OK.
When you return to the Scans tab, the Group pane displays the grouped results. When you select a
group name (such as DEV Group, in this example), Fortify WebInspect Enterprise displays only those
scans belonging to that group. Redundant items (policy names, in this example) are combined and the
number of instances is reported in parentheses following the policy name.
You can open or close the pane using the Group pane toggle.
Sorting
To arrange the column data alphabetically, select one or more column headers and then select either
Ascending or Descending.
Paging
To specify the number of rows displayed on a page, select a value from the Page Size list.
Enabling New Scan Schedules
The New Scan Schedule action allows you to specify settings (options) for a scan and designate the
time when the scan should begin.
This feature does not appear in the Actions group in the navigation pane unless Enable "New Scan
Schedule" action is selected in the toolbar options. To enable or disable this feature, click the Options
link on the Fortify WebInspect Enterprise toolbar. (It is disabled by default.) See "Using the Interface"
and "Configuring Toolbar Options" on page 102 if necessary.
See Also
"Scheduled Scan - Schedule: General" on page 207
"Scheduled Scan - Schedule: Recurrence" on page 208
Enabling New Blackout Periods
The New Blackout action allows you to specify settings (options) for a blackout period.
This feature does not appear in the Actions group in the navigation pane unless Enable "New
Blackout" action is selected in the toolbar options. To enable or disable this feature, click the Options
link on the Fortify WebInspect Enterprise toolbar. (It is disabled by default.) See "Using the Interface"
and "Configuring Toolbar Options" on page 102 if necessary.
Conducting Scans
The following pages describe scanning a web site, Guided Scan, scan schedules, scan templates, and
blackout periods.
Accessing Guided Scan
The first time you launch Guided Scan (or create a report) from Fortify WebInspect Enterprise or Fortify
Software Security Center, the Fortify WebInspect Enterprise Thin Client application does the following:
• Runs a wizard that verifies your computer meets the prerequisites for installing the Thin Client
• Downloads and installs itself and a Help system on your computer
• Launches either Guided Scan or reporting, depending on which you selected
You can launch Guided Scan in the following ways:
• In the Fortify WebInspect Enterprise Web Console, click Actions > Guided Scan.
• In Fortify Software Security Center, on the Projects tab select a project and project version, and click
Guided Scan in the Quick Links.
• In Fortify Software Security Center, open a particular project version in the Projects tab, click the
Scans tab for that project version, and click Guided Scan.
Scanning a Web Site
Note: This feature does not appear in the Actions group in the navigation pane unless Enable
"Scan Web Site" action is selected in the toolbar options. To enable or disable this feature, click
the Options link on the Fortify WebInspect Enterprise toolbar. (It is enabled by default.) See "Using
the Interface" and "Configuring Toolbar Options" on page 102 if necessary.
The Web Site Scan Wizard steps you through the process of creating settings for a Web site scan
(known in Fortify WebInspect as a Basic Scan). The options displayed by default on this and
subsequent windows are extracted from the Advanced settings. Any changes you make will be used for
this scan only. When each dialog appears, provide the requested information as described in the
following procedure.
To start the Web Site Scan Wizard, do one of the following:
• Click Scan Web Site in the Actions section of the navigation pane in the Fortify WebInspect
Enterprise Web Console.
• In Fortify Software Security Center, select a project version on the Projects tab and click New Scan in
the Quick Links section. In this case, the Project and Project Version on the first screen of the scan
are automatically populated.
Note: Click Advanced Settings at the bottom of any dialog to access the full complement of
Fortify WebInspect Enterprise settings. Any selections you make will be applied to this scan only,
and you will not be able to return to the Scan Wizard.
1. Select a Project and Project Version from the appropriate lists.
2. In the Scan Name field, enter a name or brief description of the scan.
3. Instead of specifying each individual setting every time you conduct a scan, you can create
templates that contain different settings and then simply select a template from the Scan
Template list. You are not required to use a template. At the end of the Web Site Scan Wizard, you
can save the options you have selected as a new template.
4. Select one of the following scan modes:
• Crawl Only: This option completely maps a site's hierarchical data structure.
• Crawl and Audit: Fortify WebInspect maps the site's hierarchical data structure and audits each
resource (page). Depending on the default settings you select, the audit can be conducted as
each resource is discovered or after the entire site is crawled. For information regarding
simultaneous vs. sequential crawl and audit, see "Scan Settings: Method" on page 180.
• Audit Only: Fortify WebInspect applies the methodologies of the selected policy to determine
vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
5. Select one of the following scan types:
Standard Scan:
Fortify WebInspect performs an automated analysis, starting from the target URL. This is the
normal way to start a scan.
a. In the Start URL field, type or select the complete URL or IP address of the site you want to
examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify
alternatives in the Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in
your hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect supports both Internet Protocol version 4 (IPV4) and Internet Protocol
version 6 (IPV6). IPV6 addresses must be enclosed in brackets. See "Internet Protocol Version
6" on page 110.
b. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from
the drop-down list. The choices are:
o Directory only (self) - Fortify WebInspect will crawl and/or audit only the URL you specify.
For example, if you select this option and specify a URL of www.mycompany/one/two/,
Fortify WebInspect will assess only the "two" directory.
o Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at
the URL you specify, but will not access any directory that is higher in the directory tree.
o Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing
at the URL you specify, but will not access any directory that is lower in the directory tree.
List-Driven Scan:
Perform a scan using a list of URLs to be scanned. Each URL must be fully qualified and must
include the protocol (for example, http:// or https://). You can use a text file, formatted as a
comma-separated list or one URL per line, or the XML file generated by the FilesToURLs utility.
If you select List-Driven Scan, do one of the following:
• Click Import and select a text file or XML file containing the list of URLs you want to scan.
• Click Manage to create or modify a list of URLs.
Workflow-Driven Scan:
Fortify WebInspect audits only those URLs included in the macro that you previously recorded and
does not follow any hyperlinks encountered during the audit. A logout signature is not required.
This type of macro is used most often to focus on a particular subsection of the application. If you
select multiple macros, they will all be included in the same scan.
If you select Workflow-Driven Scan, do one of the following:
• Click Import to select a macro containing the URLs you want to scan.
• Click Manage to import or remove a macro, and to specify allowed hosts.
• If you have access to the Fortify WebInspect Enterprise Administrative Console, click Tools >
Workflow Macro Recorder to create a workflow macro. See the HPE Security Fortify
WebInspect Tools Guide.
6. Click Next.
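As an added example (not code from the product or its API), the following Python models the scope rules this procedure states: exact host match unless the host is listed in Allowed Hosts, bracketed IPv6 literals, fully qualified http:// or https:// entries in a list-driven scan text file (comma-separated or one URL per line; the FilesToURLs XML form is not covered), and the three Restrict to folder choices. The sample list, host names and function names are constructed for the illustration; collapsing ".." path segments in scan_directory goes beyond what the wizard text says.

```python
# Added example (not WebInspect's own code): scope rules for the Start URL,
# Allowed Hosts, bracketed IPv6 literals and "Restrict to folder", plus the
# text form of a list-driven scan file. All URLs below are constructed.
import posixpath
from urllib.parse import urlsplit

# The three "Restrict to folder" choices offered by the Web Site Scan Wizard.
RESTRICT_SELF = "self"               # Directory only (self)
RESTRICT_SUBDIRS = "subdirectories"  # Directory and subdirectories
RESTRICT_PARENTS = "parents"         # Directory and parent directories


def is_fully_qualified(url):
    """True when url has an http:// or https:// scheme and a usable host.
    An IPv6 literal must be in brackets: http://2001:db8::10/ is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. "[" without a matching "]" in the authority
        return False
    if parts.scheme not in ("http", "https"):
        return False
    authority = parts.netloc.rsplit("@", 1)[-1]  # drop any user:pass@
    if authority.count(":") > 1 and not authority.startswith("["):
        return False  # looks like an IPv6 address without brackets
    return bool(parts.hostname)


def parse_url_list(text):
    """Split a list-driven scan text file (one URL per line or comma-separated)
    into (valid, invalid) entries. The FilesToURLs XML form is not handled."""
    valid, invalid = [], []
    for line in text.splitlines():
        for item in line.split(","):
            url = item.strip()
            if url:
                (valid if is_fully_qualified(url) else invalid).append(url)
    return valid, invalid


def scan_directory(url):
    """Directory part of the URL path, ending in '/'. A trailing file name is
    dropped and '.'/'..' segments collapsed, so /app/../other/ cannot escape
    a folder restriction (this goes beyond the wizard text)."""
    path = urlsplit(url).path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    normalised = posixpath.normpath(path)
    return normalised if normalised.endswith("/") else normalised + "/"


def in_scope(start_url, candidate_url, restrict=None, allowed_hosts=()):
    """Whether candidate_url may be crawled or audited by a scan of start_url.
    restrict is None or a RESTRICT_* constant; allowed_hosts is the Allowed
    Hosts setting. Host match is exact apart from case, so MYCOMPANY.COM
    does not cover WWW.MYCOMPANY.COM unless it is listed."""
    if not is_fully_qualified(start_url):
        raise ValueError(f"start URL is not fully qualified: {start_url!r}")
    if not is_fully_qualified(candidate_url):
        return False
    permitted = {urlsplit(start_url).hostname} | {h.lower() for h in allowed_hosts}
    if urlsplit(candidate_url).hostname not in permitted:
        return False
    if restrict is None:
        return True
    base, target = scan_directory(start_url), scan_directory(candidate_url)
    if restrict == RESTRICT_SELF:
        return target == base           # only the specified directory itself
    if restrict == RESTRICT_SUBDIRS:
        return target.startswith(base)  # never a directory higher in the tree
    if restrict == RESTRICT_PARENTS:
        return base.startswith(target)  # never a directory lower in the tree
    raise ValueError(f"unknown restrict mode: {restrict!r}")


def triage_url_list(text, start_url, restrict=None, allowed_hosts=()):
    """Classify a list file against the start URL's scope, returning
    (in_scope, out_of_scope, malformed) before anything is scanned."""
    valid, malformed = parse_url_list(text)
    inside = [u for u in valid if in_scope(start_url, u, restrict, allowed_hosts)]
    outside = [u for u in valid if u not in inside]
    return inside, outside, malformed


# Constructed sample list file: a comma-separated line, a bracketed IPv6 entry,
# a bare host with no scheme, and an IPv6 literal missing its brackets.
SAMPLE_LIST = """http://www.myserver.com/myapplication/, https://www.myserver.com/myapplication/login
http://[2001:db8::10]/app/
MYCOMPANY.COM
http://2001:db8::10/app/
"""

if __name__ == "__main__":
    start = "http://www.myserver.com/myapplication/"
    for label, urls in zip(("in scope", "out of scope", "malformed"),
                           triage_url_list(SAMPLE_LIST, start, RESTRICT_SUBDIRS)):
        print(f"{label}: {urls}")
```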
Authentication and Connectivity
1. If you need to access the target site through a proxy server, select Network Proxy and then
choose an option from the Proxy Profile list.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a
proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the
Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server will
not be used.
• Autodetect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig
file and use this to configure the browser's Web proxy settings.
• Use Internet Explorer proxy settings on the sensor machine: Import your proxy server
information from Internet Explorer, to use it for the user account running the sensor that
attempts to run a scan. Note that the sensor should run on a user account that has proxy
settings configured, not on the local system.
• Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you
select this option, click Edit to enter the location (URL) of the PAC.
• Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit
to enter proxy information.
• Use Mozilla Firefox proxy settings on the sensor machine: Import your proxy server
information from Firefox, to use it for the user account running the sensor that attempts to run
a scan. Note: The sensor should run on a user account that has proxy settings configured, not
on the local system.
2. Select Network Authentication if server authentication is required. Then select an authentication
method and enter your network credentials.
3. Select Site Authentication to use a recorded macro containing a user name and password that
allows you to log on to the target site. The macro must also contain a "logout condition," which
indicates when an inadvertent logout has occurred so Fortify WebInspect Enterprise can rerun this
macro to log on again. Do one of the following:
• To use a macro from the macro repository:
i. Click Download.
ii. Select a macro from the Macro Name drop-down list.
iii. Click OK.
• To use a local copy of a macro, click the icon to select a macro.
• To create a macro, use the Fortify WebInspect Enterprise console and launch the Web Macro Recorder from the Tools menu.
• To create a login macro, from the Fortify WebInspect Enterprise Administrative Console, click Tools > Login Macro Recorder. See the HPE Security Fortify WebInspect Tools Guide.
• To erase the macro name, clear the Site Authentication check box.
A table appears if input parameters were used when the macro was recorded using the Web Macro
Recorder or if Smart Credentials were used when the macro was created using the Event-Based IE
Compatible Web Macro Recorder. For more information, see the HPE Security Fortify WebInspect
Tools Guide. Enter a user name and password. When scanning the page containing the input
control associated with this entry, Fortify WebInspect will substitute these credentials for those
used in the macro. This feature allows you to create a macro using your user name and password,
yet when other persons run the scan using this macro, they can substitute their own user
credentials.
4. Click Next.
Coverage and Thoroughness
1. Select a policy from the Audit Depth (Policy) list.
For descriptions of policies, see "Policies List" on page 126.
2. If you want Fortify WebInspect to submit values for input controls on forms it encounters while
scanning the target site:
a. Select Auto-fill Web forms during crawl. Fortify WebInspect will extract the values from a file
that you create using the Web Form Editor.
b. Click Load to locate and load the file.
3. If you want to capture traffic session data to view in the Traffic Viewer tool, select Enable Traffic
Monitor.
4. If your site is case-sensitive, select the Case-Sensitive URL option to ensure the URL is treated as
case-sensitive during the scan.
Example: Some servers (such as IIS) do not differentiate between
www.mycompany.com/samplepage and www.mycompany.com/SamplePage.
5. Click Next.
Congratulations
1. If you want to create a template containing the settings you configured for this scan, specify a
template name and click Save.
2. Select a priority from 1 (highest) to 5 (lowest). If a scheduling conflict occurs, the scan with the
highest priority will take precedence.
3. Select which sensor should run the scan. You can choose a specific sensor or select the Run on Any
Available Sensor option.
4. Click Scan.
Note: Even while the scan is under way, you can change the status of vulnerabilities that have
already been identified, add attachments to them, mark them as false positives, or mark them to be
ignored.
When the scan completes, the Scan Visualization appears. For detailed information, see "Reviewing Scan
Results" on page 146.
Scan Dependencies
Certain objects in Fortify WebInspect Enterprise are linked together, meaning that the existence of one
object is dependent on another. You must dissolve this relationship before you are allowed to delete the
parent object.
For example, if a scan uses a scan template, you cannot delete the template until you either delete all
scans that use that template or modify those scan settings to use a different template. If the scan is
currently running, you must cancel it.
Internet Protocol Version 6
Fortify WebInspect Enterprise supports Internet Protocol version 6 (IPv6) addresses in web site and
web service scans. When you specify the Start URL, you must enclose the IPv6 address in brackets. For
example:
• http://[::1]
Fortify WebInspect Enterprise scans "localhost."
• http://[fe80::20c:29ff:fe32:bae1]/subfolder/
Fortify WebInspect Enterprise scans the host at the specified address starting in the "subfolder" directory.
• http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
Fortify WebInspect Enterprise scans a server running on port 8080 starting in "subfolder."
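The bracket rule above, shown by an added parser that is not part of the HPE guide or product: it recovers host, port and start directory from the three example URLs and rejects an unbracketed IPv6 literal, which a URL parser would otherwise split at its first colon. The function name parse_start_url is this example's own.

```python
"""Start-URL parsing for IPv6 targets (added example, not HPE code).

It shows why the guide requires IPv6 literals to be enclosed in brackets:
without them a URL parser treats the first ':' of the address as the port
separator and the host, port and start directory cannot be recovered.
Function names are this example's own.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit


def _is_ipv6(host: str) -> bool:
    """True when host (brackets already stripped) parses as an IPv6 address."""
    try:
        return ip_address(host).version == 6
    except ValueError:
        return False


def parse_start_url(url: str) -> dict:
    """Split a Start URL into scheme, host, port and the directory to start in.

    Raises ValueError for an unbracketed IPv6 literal or an unparsable port.
    """
    parts = urlsplit(url)
    authority = parts.netloc.rpartition("@")[2]   # drop any userinfo
    # A bracketed host is the only legal way to carry more than one ':' in
    # the authority part; anything else would be mis-split at the first ':'.
    if authority.count(":") > 1 and not authority.startswith("["):
        raise ValueError(f"IPv6 address in {url!r} must be enclosed in "
                         "brackets, e.g. http://[::1]")
    host = parts.hostname                          # brackets stripped
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        port = parts.port                          # None when not given
    except ValueError as exc:
        raise ValueError(f"invalid port in {url!r}") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return {
        "scheme": parts.scheme,
        "host": host,
        "is_ipv6": _is_ipv6(host),
        "port": port,
        "path": parts.path or "/",                 # empty path = site root
    }


if __name__ == "__main__":
    for u in ("http://[::1]",
              "http://[fe80::20c:29ff:fe32:bae1]/subfolder/",
              "http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/"):
        print(u, "->", parse_start_url(u))
```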
About Web Services
Web services are programs that communicate with other applications (rather than with users) and
answer requests for information. Most Web services use Simple Object Access Protocol (SOAP) to send
XML data between the Web service and the client Web application that initiated the information
request. Unlike HTML, which only describes how Web pages are displayed, XML provides a framework
to describe and contain structured data. The client Web application can readily understand the returned
data and display that information to the end user.
A client Web application that accesses a Web service receives a Web Services Description Language
(WSDL) document so that it understands how to communicate with the service. The WSDL document
describes the programmed procedures included in the Web service, the parameters those procedures
expect, and the type of return information the client Web application will receive.
Scanning a Web Service
Note: This feature does not appear in the Actions group in the navigation pane unless Enable
"Scan Web Service" action is selected in the toolbar options. To enable or disable this feature, click
the Options link on the Fortify WebInspect Enterprise toolbar. (It is enabled by default.) See "Using
the Interface" and "Configuring Toolbar Options" on page 102 if necessary.
The Web Service Scan Wizard steps you through the process of creating settings for a Web service scan.
The options displayed by default on this and subsequent windows are extracted from the Advanced
Settings. Any changes you make will be used for the current scan only. When each dialog appears,
provide the requested information as described in the following procedure.
To start the Web Service Scan Wizard, click Scan Web Service in the Actions section of the navigation
pane in the Fortify WebInspect Enterprise Web Console.
Note: Click Advanced Settings at the bottom of any dialog to access the full complement of
Fortify WebInspect Enterprise settings. Any selections you make will be applied to this scan only,
and you will not be able to return to the Scan Wizard.
1. Select a project and project version from the appropriate lists.
2. In the Scan Name field, enter a name or brief description of the scan.
3. Instead of specifying each individual setting every time you conduct a scan, you can create
templates that contain different settings and then simply select a template from the Scan
Template list. You are not required to use a template.
4. Click Import to open a standard file-selection dialog and choose a Web Service Test Design (WSD)
file that you previously created using the Web Service Test Designer. This file contains values for
each operation in the service. For more information, see the HPE Security Fortify WebInspect
Tools Guide.
5. Click Next.
Authentication and Connectivity
1. If you need to access the target site through a proxy server, select Network Proxy and then
choose an option from the Proxy Profile list.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server will not be used.
• Autodetect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.
• Use Internet Explorer proxy settings on the sensor machine: Import your proxy server information from Internet Explorer, to use it for the user account running the sensor that attempts to run a scan. Note: The sensor should run on a user account that has proxy settings configured, not on the local system.
• Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC.
• Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit to enter proxy information.
• Use Mozilla Firefox proxy settings on the sensor machine: Import your proxy server information from Firefox, to use it for the user account running the sensor that attempts to run a scan. Note: The sensor should run on a user account that has proxy settings configured, not on the local system.
2. Select Network Authentication if server authentication is required. Then select an authentication
method and enter your network credentials.
3. Click Next.
Coverage and Thoroughness
You cannot select a policy. The Simple Object Access Protocol (SOAP) policy is used by default.
Click Next.
Congratulations
1. If you want to create a template containing the settings you configured for this scan, specify a
template name and click Save.
2. Select a priority from 1 (highest) to 5 (lowest). If a scheduling conflict occurs, the scan with the
highest priority will take precedence.
3. Select which sensor should run the scan. You can choose a specific sensor or select the Run on Any
Available Sensor option.
4. Click Scan.
Note: Even while the scan is under way, you can change the status of vulnerabilities that have already
been identified, add attachments to them, mark them as false positives, or mark them to be ignored.
When the scan completes, the Scan Visualization appears. For detailed information, see "Reviewing Scan
Results" on page 146.
Scan Schedules
The Scan Schedules form displays information about each scheduled scan.
Note: This feature does not appear in the Actions group in the navigation pane unless Enable
"New Scan Schedule" action is selected in the toolbar options. To enable or disable this feature,
click the Options link on the Fortify WebInspect Enterprise toolbar. (It is disabled by default.) See
"Using the Interface" and "Configuring Toolbar Options" on page 102 if necessary.
Reviewing Scheduled Scan Settings
Click a schedule name to review the settings for the scheduled scan.
Using the Context Menu
You can perform additional functions by clicking the drop-down arrow next to a schedule name and
selecting an option from the context menu.
The available functions are:
• Edit - Copies all settings that were used for the selected scheduled scan and pastes them into the Configure Scheduled Scan window, allowing you to edit the settings for this scheduled scan.
• Copy - Copies all settings that were used for the selected scheduled scan and pastes them into the Configure Scheduled Scan window, allowing you to edit the settings and create an additional scheduled scan.
• Delete - Deletes the schedule.
• Enable - Activates a disabled scheduled scan. Requests are enabled, by default, when created.
• Disable - Deactivates a scheduled scan. The request remains in the grid, but the scan will not be executed unless the request is enabled prior to the scheduled time and date.
You can also delete a scheduled scan by selecting the check box next to the schedule name and clicking
Delete above the form grid.
Using the Icons Above the Form Grid
You can perform additional functions using the icons at the top of the form.
Icon      Function
[icon]    Schedule a scan. For more information, see "Scheduled Scan - Schedule: General" on page 207.
[icon]    Remove the scheduled event.
You can also use the icons illustrated below.
Icon      Function
[icon]    Repopulate the form.
[icon]    Change the number of rows on the page, modify column widths, specify which columns are displayed, sort grid data, and arrange listed items into groups. See "Configuring Form Layouts" on page 103.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
• Text
• Date
• Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
• *searchstring = ends with the text you are searching for
• searchstring* = begins with the text you are searching for
• *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
• > 5 (search for values greater than 5)
• < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred that day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search everything in that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4 hour duration, the span is displayed as “0.04:00”. Use a similar format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
Scheduled Scan Dependencies
Certain objects in Fortify WebInspect Enterprise are linked together, meaning that the existence of one
object is dependent on another. You must dissolve this relationship before you are allowed to delete the
parent object.
A scheduled scan may be linked to a scan template. You cannot delete the template until you either
delete all scheduled scans that use the template or modify those scan settings to use a different
template. If the scan is currently running, you must cancel it.
Using Scan Requests from Fortify Software Security Center
The Scan Requests form lists all requests issued by Fortify Software Security Center to Fortify
WebInspect Enterprise to conduct a scan. The possible values for the status column are Pending, In
Progress, and Complete.
For instructions on how a Fortify Software Security Center user can generate a scan request, see
"Creating a Scan Request in Fortify Software Security Center" on page 117.
Processing a Pending Request
Use the following procedure to process a request.
1. In the Filtered Views section of the navigation pane, click Scan Requests.
2. On the Scan Requests window, select a pending request. The information entered by the original
requester is displayed on the Details tab in the lower pane.
You can restrict the display of scan requests to those that match criteria you specify. Simply click
in the header of one or more columns and enter the appropriate filter information.
3. On the Details tab in the lower pane, click the Status list and select In Progress.
4. Click Create a Web Site Scan or Create a Web Service Scan (or you can postpone running the
scan until a later, more convenient time).
Note: Fortify WebInspect Enterprise determines the start URL from the data in the Scan Request that was sent from Fortify Software Security Center. The Scan Wizard opens and the Start URL field is auto-filled with the URL from the scan request. If the URI is not properly formatted in the Scan Request, the Start URL cannot be determined and default information is used in the Scan Wizard. When this occurs, you can copy the URL Value from the Details tab on the Scan Requests page and paste it into the Start URL field of the Scan Wizard.
When the scan is complete, review the results. You may want to retest or delete vulnerabilities, mark
vulnerabilities as ignored or false positive, attach screenshots, or investigate the scan data in other
ways facilitated by Fortify WebInspect Enterprise.
Even while the scan is under way, you can change the status of vulnerabilities that have already
been identified, add attachments to them, mark them as false positives, or mark them to be ignored.
5. Publish the scan.
a. Do one of the following:
◦ From the Project Version Details form, select the scan and click Publish.
◦ From the Scans form, select the scan and click Publish.
◦ Open a scan in the Scan Visualization window and click Publish.
b. When the Status Summary is displayed, select Associate scan with an "In Progress" scan
request for the current project version. The scan will appear on the Associated Scans tab of
the appropriate scan request in the Scan Request form. See the Note below.
6. Return to the Scan Request form and select the request for the scan you have reviewed and
published.
7. Click the Status list and select Completed.
8. Click Change Status.
Associating Scans Manually
Associating a scan with a scan request is simply a tracking tool that provides a historical record of the
scan activity related to a specific request. You can associate scans automatically when publishing (as in
step 5, above), or you can associate scans manually, using the following procedure:
1. Select a scan request from the top pane.
2. In the bottom pane, click the Associated Scans tab.
3. Click Associate Scans.
The program displays a list of all scans associated with the selected project version that have not
been associated with a specific request.
4. Select a scan and click OK.
Creating a Scan Request in Fortify Software Security Center
Use the following procedure in HPE Security Fortify Software Security Center to create a request for
Fortify WebInspect Enterprise to conduct a dynamic scan:
1. Click the Projects tab.
2. Select a project version and click View Details.
3. On the Issues tab of the Details window, click the drop-down arrow on the Dynamic Scan
Request button and select Create.
4. Enter the requested information and click Submit.
The request is transmitted to Fortify WebInspect Enterprise and placed in the Scan Requests form.
Using Scan Templates
A scan template is any convenient collection of scan settings, potentially including particular macros,
that you can reuse when you run scans. This form lists all scan templates that you have permission to
view.
For each template, this form displays (by default) the following information:
• Name - The name assigned to the template.
• Project Version - The version associated with the specified project.
To view or modify details about a template, click the template name.
Depending on how the scan template was created, it is displayed with one of the following sets of fields:
• The Global Template check box (not selected), and the Project and Project Version fields that were selected when it was created
• The Global Template check box (selected), the organization and group combination that was selected when it was created, and the Use Organization check box. Use Organization is selected only if:
◦ This Fortify WebInspect Enterprise instance was a migration from the Assessment Management Platform (AMP) product, and
◦ This scan template was created in AMP and associated with an organization in AMP.
You can perform additional functions by clicking the drop-down arrow for a specific template.
The functions unique to this menu are:
• Edit - Displays the Configure Scan Template form, allowing you to modify the settings defined for the selected template.
• Copy - Opens the Configure Scan Template forms, allowing you to modify (if necessary) and save the scan template settings.
• Delete - Delete the scan template.
• Dependencies - Displays a list of objects (such as scans and scheduled scans) that are linked to this template. You cannot delete this template until you either delete the scheduled scan, assign a different template to the scheduled scan, or cancel the scan (if it is currently running). See "About Dependencies" on page 138 for more information.
You can also perform these functions using the icons at the top of the form.
Icon      Function
Add       Create a template that contains default settings as the base.
Import    Select Oracle Settings to create a template that contains settings that are optimized for Oracle. Select Websphere Settings to create a template that contains settings that are optimized for WebSphere.
Delete    Delete the selected templates from the list.
You can also use the icons illustrated below.
Icon      Function
[icon]    Repopulate the form.
[icon]    Change the number of rows on the page, modify column widths, specify which columns are displayed, sort grid data, and arrange listed items into groups. See "Configuring Form Layouts" on page 103.
Click the Add button to add a scan template. The Configure Scan Template page opens with the SCAN:
General category selected and its form displayed.
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated. Alternatively, if you select the Global Template check box, then instead of specifying a
project and project version from drop-down lists, you must select an organization and group from a
drop-down list.
Specify a Scan Template Name, the type of scan and associated data as needed, and click Finish.
The scan template becomes available to select in the Scan Template field when you run a scan.
If you select Global Template, all the other forms you can select in the left column also show the
Global Template option as selected and show the organization and group you selected, rather than
the project and project version.
Because the global scan template can be associated with any project version, you do not have to specify
the URL if you choose a Standard Scan in the Scan URL section of the form. You can subsequently
select this global template as the scan template for any Web Site Scan.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
• Text
• Date
• Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
• *searchstring = ends with the text you are searching for
• searchstring* = begins with the text you are searching for
• *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
• > 5 (search for values greater than 5)
• < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred that day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search everything in that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4 hour duration, the span is displayed as “0.04:00”. Use a similar format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
Scan Template Dependencies
Certain objects in Fortify WebInspect Enterprise are linked together, meaning that the existence of one
object is dependent on another. You must dissolve this relationship before you are allowed to delete the
parent object.
A scan template may be linked to the following objects:
• Scheduled scan
• Scan (only if scan has not completed)
• Site
You cannot delete this template until you either delete the associated scheduled scan, assign a different
template to the scheduled scan, delete the site, or cancel the scan (if it is currently running).
Blackouts Overview
A blackout period is a block of time during which scans are not permitted. You can also create a partial
ban by specifying that scans should not be conducted on specific hosts (identified by URL or IP
address) during the time period you specify.
You may alternatively assign a contrary definition to the blackout, specifying that scans may occur only
during this time period. In effect, this creates a blackout period covering all but the period of time you
specify.
Fortify WebInspect Enterprise will not prevent you from scheduling a scan or attempting to start a scan
manually during a blackout period. It will, however, display a message notifying you of the restriction. If
you opt to override the warning, the Fortify WebInspect Enterprise manager will place the job in the
pending job queue and will start the scan when the blackout period ends.
Similarly, if a scan is running when a blackout period begins, the Fortify WebInspect Enterprise manager
will suspend the scan, place it in the pending job queue, and finish the scan when the blackout period
ends. In cases where a blackout is defined for multiple IP addresses, the Fortify WebInspect Enterprise
manager will suspend the scan only if the scan begins at one of the specified IP addresses. If the scan
begins at a non-excluded IP address, but subsequently pursues a link to a host whose IP address is
specified in the blackout setting, the scan will not be suspended.
A configuration file on the server allows you to disable this automatic suspension feature, allowing a
running job to run to completion even if a blackout period begins during the scan.
To change this setting, contact technical support.
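An added model of the blackout rules described above (example code, not HPE's): Deny and Allow blackout types, an IP Range of "*" or a list of addresses, the queueing of a blocked request until the blackout ends, and suspension only for scans that started at a blacked-out address. The Blackout class, the functions and the sample blackouts are this example's assumptions; recurrence is not modelled.

```python
"""Blackout rules modelled on the guide's description (added example, not HPE code).

Modelling assumptions, all this example's own:
  * Type "Deny": scans may not run inside the window.
  * Type "Allow": scans may run only inside the window (the inverse).
  * IP Range: "*" for all hosts, or a comma-separated list of addresses or
    CIDR blocks; only the address the scan starts at is compared.
  * A blocked request is queued until the first moment a scan is permitted;
    recurrence is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Blackout:
    name: str
    kind: str        # "Deny" or "Allow", as in the Type column
    ip_range: str    # "*" or e.g. "10.0.0.5, 10.0.0.0/28"
    start: datetime
    end: datetime    # exclusive

    def covers_host(self, host_ip: str) -> bool:
        if self.ip_range.strip() == "*":
            return True
        addr = ip_address(host_ip)
        return any(addr in ip_network(item.strip(), strict=False)
                   for item in self.ip_range.split(","))

    def in_window(self, at: datetime) -> bool:
        return self.start <= at < self.end


def when(day: int, hour: int, minute: int = 0) -> datetime:
    """Shorthand for timestamps in September 2016, the guide's release month."""
    return datetime(2016, 9, day, hour, minute)


# Constructed sample blackouts: a Deny window for a maintenance subnet, and an
# Allow window that restricts every host to an approved test window.
SAMPLE_BLACKOUTS = [
    Blackout("Nightly maintenance", "Deny", "10.0.0.5, 10.0.0.0/28",
             when(14, 22), when(15, 2)),
    Blackout("Approved test window", "Allow", "*", when(14, 20), when(15, 4)),
]


def scan_permitted(blackouts, start_host_ip: str,
                   at: datetime) -> tuple[bool, str | None]:
    """Return (permitted, name of the blackout that blocks the scan).

    Only the address the scan starts at is checked: as the guide says, a scan
    that later follows a link into a blacked-out host is not suspended.
    """
    for b in blackouts:
        if not b.covers_host(start_host_ip):
            continue
        if b.kind == "Deny" and b.in_window(at):
            return False, b.name
        if b.kind == "Allow" and not b.in_window(at):
            return False, b.name
    return True, None


def running_scan_suspended(blackouts, start_host_ip: str, now: datetime) -> bool:
    """A running scan is suspended while a blackout covering its starting
    address is in force; it resumes once the scan is permitted again."""
    return not scan_permitted(blackouts, start_host_ip, now)[0]


def earliest_start(blackouts, start_host_ip: str,
                   requested: datetime) -> datetime | None:
    """Mirror the manager's queueing: the first permitted time at or after
    `requested`. Only window boundaries can change the verdict, so they are
    the only candidates tried; None means no configured window permits it."""
    candidates = {requested}
    for b in blackouts:
        candidates.update(t for t in (b.start, b.end) if t > requested)
    for t in sorted(candidates):
        if scan_permitted(blackouts, start_host_ip, t)[0]:
            return t
    return None
```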
Using Blackouts
A blackout period is a block of time during which scans are not permitted. You can also create a partial
ban by specifying that scans should not be conducted on specific hosts (identified by URL or IP
address) during the time period you specify.
You may alternatively assign a contrary definition to the blackout, specifying that scans may occur only
during this time period. In effect, this creates a blackout period covering all but the period of time you
specify.
For each blackout defined in the system, the Blackouts form displays (by default) the following
information:
Item                       Description
Blackout Name              The identifier for this blackout period.
Type                       Allow or deny scans during this period.
IP Range                   IP address (or range of IP addresses) that are affected by this blackout period. Use an asterisk ( * ) to specify all possible IP addresses.
Status                     Future, or Scans Disallowed, or Scans Allowed.
Recurrence                 One time only, or the defined recurrence pattern.
Next Occurrence            The date and time when the blackout is next scheduled to start, using the Web Console time zone specified in the Web Console options.
Next Occurrence (Target)   The date and time when the blackout is next scheduled to start, using the time zone for the location of the target server that is affected by the blackout. This is significant only when the Web Console user and the target server are in different time zones.
Security Group             Name of the security group with which this blackout is associated.
Organization Name          Name of the organization with which this blackout is associated.
To view or modify details about a blackout, click the blackout name.
You can perform additional functions by clicking the drop-down arrow next to a blackout name.
The function unique to this menu is:
Copy: Opens the Configure Blackout form containing blackout settings. You can modify the settings (if
desired) and rename the blackout.
You can also perform additional functions using the commands at the top of the form:
Icon      Function
Add       Display the Configure Blackout window, allowing you to specify parameters associated with a blackout period.
Delete    Delete the selected blackout period.
You can also use the icons illustrated below.
Icon      Function
[icon]    Repopulate the form.
[icon]    Change the number of rows on the page, modify column widths, specify which columns are displayed, sort grid data, and arrange listed items into groups. See "Configuring Form Layouts" on page 103.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
• Text
• Date
• Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
• *searchstring = ends with the text you are searching for
• searchstring* = begins with the text you are searching for
• *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
l > 5 (search for values greater than 5)
l < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred
that day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search
everything in that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4-hour duration, the span is displayed as “0.04:00”. Use a similar format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
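The global search rules above (text wildcards, numeric and date comparisons, time spans, booleans), modelled as an added Python example that is not the product's code. The grid rows, column names, case-insensitive text matching, and the handling of > and < for dates are assumptions made for illustration.

```python
"""Model of the Web Console global search (illustrative example, not product
code). It applies the per-type rules the guide lists: text with * wildcards,
numbers with optional > or <, dates matched to a whole day or a whole hour,
time spans in the displayed d.hh:mm form, and True/False booleans."""
import re
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List

Predicate = Callable[[Any], bool]
NO_MATCH: Predicate = lambda _value: False   # input that cannot be parsed matches nothing


def _comparator(op: str, key: Any) -> Predicate:
    """Exact match for "", or the "greater than" / "less than" forms."""
    return {"": lambda v: v == key, ">": lambda v: v > key, "<": lambda v: v < key}[op]


def text_predicate(term: str) -> Predicate:
    """*s = ends with, s* = begins with, *s* = contains, otherwise the exact name.
    Case-insensitive comparison is an assumption, not stated in the guide."""
    leading, trailing = term.startswith("*"), term.endswith("*")
    core = term.strip("*").lower()

    def match(value: Any) -> bool:
        v = str(value).lower()
        if leading and trailing:
            return core in v
        if leading:
            return v.endswith(core)
        if trailing:
            return v.startswith(core)
        return v == core
    return match


def number_predicate(term: str) -> Predicate:
    m = re.fullmatch(r"\s*([<>]?)\s*(-?\d+(?:\.\d+)?)\s*", term)
    return _comparator(m.group(1), float(m.group(2))) if m else NO_MATCH


def date_predicate(term: str) -> Predicate:
    """"12/14/2015" matches that whole day, "12/14/2015 11:00 PM" that whole hour.
    For > and < the window's edge is compared (an assumption about the product)."""
    m = re.fullmatch(r"\s*([<>]?)\s*(.+?)\s*", term)
    if not m:
        return NO_MATCH
    op, text = m.groups()
    for fmt, hourly in (("%m/%d/%Y %I:%M %p", True), ("%m/%d/%Y", False)):
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        start = parsed.replace(minute=0) if hourly else parsed
        end = start + (timedelta(hours=1) if hourly else timedelta(days=1))
        if op == ">":
            return lambda v: v >= end
        if op == "<":
            return lambda v: v < start
        return lambda v: start <= v < end
    return NO_MATCH


def timespan_predicate(term: str) -> Predicate:
    """Duration as displayed in the grid, e.g. "0.04:00" = 0 days, 4 hours, 0 minutes."""
    m = re.fullmatch(r"\s*([<>]?)\s*(\d+)[.:](\d{1,2})[.:](\d{2})\s*", term)
    if not m:
        return NO_MATCH
    days, hours, minutes = (int(x) for x in m.groups()[1:])
    return _comparator(m.group(1), timedelta(days=days, hours=hours, minutes=minutes))


def boolean_predicate(term: str) -> Predicate:
    t = term.strip().lower()
    return _comparator("", t == "true") if t in ("true", "false") else NO_MATCH


BUILDERS: Dict[str, Callable[[str], Predicate]] = {
    "text": text_predicate, "number": number_predicate, "date": date_predicate,
    "timespan": timespan_predicate, "boolean": boolean_predicate,
}


def global_search(rows: List[Dict[str, Any]], column: str, col_type: str, term: str) -> List[Dict[str, Any]]:
    """Rows whose `column` satisfies `term`; an empty term clears the filter."""
    if not term.strip():
        return list(rows)
    pred = BUILDERS[col_type](term)
    return [row for row in rows if pred(row[column])]


# Constructed sample rows shaped like the Blackouts grid (names and times invented).
BLACKOUTS: List[Dict[str, Any]] = [
    {"Name": "Prod freeze", "Duration": timedelta(hours=4),
     "Start Time": datetime(2015, 12, 14, 23, 15), "Recurring": True},
    {"Name": "Offshore QA Org window", "Duration": timedelta(days=1, hours=2),
     "Start Time": datetime(2015, 12, 15, 9, 0), "Recurring": False},
    {"Name": "Weekend patching", "Duration": timedelta(hours=12),
     "Start Time": datetime(2015, 12, 14, 6, 30), "Recurring": True},
]
```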
Creating a Blackout Period
To create a blackout period:
1. Do one of the following:
l In the Actions group on the navigation pane, click New Blackout.
Note: This action does not appear unless it is enabled from the toolbar Options.
l In the Resources group on the navigation pane, click Blackouts and then click Add.
2. On the BLACKOUT: General window, enter the following information:
Security Group: Select an organization and group. To associate the blackout with all groups in an
organization, select Use Organization.
Name: Name for the blackout period.
Address: The URL or IP address (or range of IP addresses) that is affected by this blackout period.
The value can be a single URL or IP address, or a range of IP addresses. If you need to exclude
multiple ranges, you must create additional (overlapping) blackout periods. To specify a range,
separate the beginning address and ending address with a hyphen. You can use the asterisk ( * ) as a
wild card. The default setting (an asterisk) means all addresses. Wildcards in IP addresses must be at
the end of the address as shown, but wildcards for host names must be at the beginning.
Examples:
l 192.16.12.1-192.16.12.210
l 192.16.12.*
l *.domain.com
Schedule: In the Schedule group, enter the Start Time (the date and time at which the blackout period
begins) and the End Time (the date and time at which the blackout period expires). You can enter the
data manually or select the date from a calendar popup and the time from a clock popup.
Time Zone is the time zone for the location of the target server that is affected by the blackout. The
time zone defaults to the zone in which you are working (as selected using the Configure Options
window). If the target server is in a different time zone, you should usually select the server’s time zone
and specify the blackout period using local time. For example, if you are in New York City, USA
(UTC-05:00) and the Fortify WebInspect Enterprise manager is in Rome, Italy (UTC+01:00), and you
want to schedule a blackout to begin at 8 a.m. Rome time, you could do either of the following:
l Select the UTC+01:00 time zone (Rome) and specify a Start Time of 8 a.m.
l Select the UTC-05:00 time zone (New York City) and specify a Start Time of 2 a.m.
Duration is the length of time during which the blackout is in effect. This value is calculated
automatically after you specify the Start Time and End Time. Alternatively, if you specify the Start Time
and the Duration, the End Time is calculated. If you edit the Duration, the End Time is recalculated.
The format of Duration is d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
Blackout Type: Select one of the following:
l Allow scans during this period: Scans of the specified targets are allowed only during the specified
time period.
l Deny scans during this period: Scans of the specified targets are prohibited during the specified time
period.
Allowing or denying scans works very much like allowing or denying permissions. Deny always takes
precedence over allow, so a scan can occur at a particular time only if there are no blackout periods that
deny that time. An allow blackout period means that you will deny scans unless you are in the allowed
range, not that you will allow scans only if you are in the allowed range. If you configure two separate
“allow” blackout periods, a scan will be allowed only during the overlap of those periods. For example, if
blackout period A allows scans from 1 p.m. to 3 p.m. and period B allows scans from 2 p.m. to 6 p.m.,
then scans will be allowed only from 2 p.m. to 3 p.m.
3. To schedule a blackout on a recurring basis, on the BLACKOUT: Recurring window:
a. Select the Recurring check box to impose recurring blackouts. Do not select this option if you
want to schedule a one-time-only event.
b. Use the Pattern group to select the frequency of the blackout (daily or every x days, weekly,
monthly, or yearly) and then provide the appropriate information.
c. Using the Range group, specify the starting date and the ending date (or select Never if the
event is to run indefinitely). You can also limit the number of times the blackout should occur.
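The address matching, time-zone and allow/deny precedence rules from step 2, modelled as an added Python example that is not the product's code. The blackout names, dates and target addresses are constructed for illustration; the treatment of an Allow period as denying scans of its targets outside its window follows the guide's description.

```python
"""Model of WebInspect Enterprise blackout evaluation (illustrative example,
not product code). It encodes the rules the guide states: an address is a
single host/IP, an IP range "begin-end", an IP with a trailing "*", or a
host name with a leading "*"; Deny beats Allow; an Allow period denies
scans of its targets outside its window; times are entered in the target
server's time zone."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import List


@dataclass
class Blackout:
    name: str
    address: str        # pattern in the guide's address syntax
    start: datetime     # wall-clock time in the target server's zone (naive)
    end: datetime
    tz: timezone        # time zone selected for the target server
    deny: bool          # True = "Deny scans during this period"


def address_matches(pattern: str, target: str) -> bool:
    """Match a scan target (host name or IP) against a blackout address."""
    if pattern == "*":                       # default: every address
        return True
    if "-" in pattern:                       # IP range "begin-end"
        try:
            lo, hi = (ip_address(p.strip()) for p in pattern.split("-", 1))
            return lo <= ip_address(target) <= hi
        except (ValueError, TypeError):      # not an IP range, or target is a host name
            pass
    if pattern.endswith("*"):                # IP wildcard: asterisk at the end
        return target.startswith(pattern[:-1])
    if pattern.startswith("*"):              # host wildcard: asterisk at the start
        return target.lower().endswith(pattern[1:].lower())
    return target.lower() == pattern.lower()


def in_window(b: Blackout, instant: datetime) -> bool:
    """True if the time-zone-aware `instant` falls inside the blackout's window."""
    start, end = b.start.replace(tzinfo=b.tz), b.end.replace(tzinfo=b.tz)
    return start <= instant < end


def scan_permitted(blackouts: List[Blackout], target: str, instant: datetime) -> bool:
    """Deny takes precedence: any matching Deny in effect blocks the scan, and every
    matching Allow must be in effect (so two Allows permit only their overlap)."""
    for b in blackouts:
        if not address_matches(b.address, target):
            continue
        active = in_window(b, instant)
        if b.deny and active:
            return False
        if not b.deny and not active:
            return False
    return True


def duration_text(b: Blackout) -> str:
    """Render Duration the way the guide displays it, e.g. 4 hours -> "0.04:00"."""
    total_minutes = int((b.end - b.start).total_seconds()) // 60
    days, rem = divmod(total_minutes, 24 * 60)
    hours, minutes = divmod(rem, 60)
    return f"{days}.{hours:02d}:{minutes:02d}"


# Constructed sample: the guide's two overlapping Allow periods (A 1-3 p.m.,
# B 2-6 p.m.) on a host-name wildcard, plus a Deny on an IP range, all in the
# Rome (UTC+01:00) zone from the guide's time-zone example.
ROME = timezone(timedelta(hours=1))
NEW_YORK = timezone(timedelta(hours=-5))
DAY = datetime(2016, 9, 12)
PERIODS = [
    Blackout("A", "*.domain.com", DAY.replace(hour=13), DAY.replace(hour=15), ROME, deny=False),
    Blackout("B", "*.domain.com", DAY.replace(hour=14), DAY.replace(hour=18), ROME, deny=False),
    Blackout("prod", "192.16.12.1-192.16.12.210", DAY, DAY.replace(hour=23, minute=59), ROME, deny=True),
]

if __name__ == "__main__":
    for hour in (13, 14, 16):
        when = DAY.replace(hour=hour, minute=30, tzinfo=ROME)
        print(f"www.domain.com at {when:%H:%M} Rome:", scan_permitted(PERIODS, "www.domain.com", when))
    print("192.16.12.50 at 10:00 Rome:", scan_permitted(PERIODS, "192.16.12.50", DAY.replace(hour=10, tzinfo=ROME)))
    print("Duration of A:", duration_text(PERIODS[0]))
```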
Policies List
Fortify WebInspect provides various policies that you can use with your scans and crawls to determine
the vulnerability of your Web application. Each policy is kept current using the SmartUpdate function,
ensuring that assessments are accurate and capable of detecting the most recently discovered threats.
The provided policies are:
l Aggressive SQL Injection: This policy performs a comprehensive security assessment of your web
application for SQL Injection vulnerabilities. SQL Injection is an attack technique that takes
advantage of non-validated input vulnerabilities to pass arbitrary SQL queries and/or commands
through the web application for execution by a backend database. This policy performs a more
accurate and decisive job, but has a longer scan time.
l All Checks: An All Checks scan includes an automated crawl of the server and performs all active
checks from SecureBase, the check database. This includes checks for known and unknown
vulnerabilities at the Web server, Web application server, and Web application layers.
l Apache Struts: This policy detects supported known advisories against the Apache Struts
framework.
l Application: This policy performs a security scan of your Web application by submitting known and
unknown Web application attacks, and only submits specific attacks that assess the application layer.
When performing scans of enterprise-level Web applications, use the Application Only policy in
conjunction with the Platform Only policy to optimize your assessment in terms of speed and
memory usage.
l Assault: An assault scan includes an automated crawl of the server and performs checks for known
and unknown vulnerabilities at the Web server, Web application server, and Web application layers.
An assault scan includes checks that can create denial-of-service conditions. HPE strongly
recommends that you use assault scans in test environments only.
l Blank: This policy is a template that you can use to build your own policy. It includes an automated
crawl of the server and no vulnerability checks. Copy, rename, and edit this policy to create custom
policies that only scan for specific vulnerabilities.
l Criticals and Highs: Use this policy to quickly scan your Web applications for the most urgent and
pressing vulnerabilities while not endangering production servers. This policy checks for SQL
Injection, Cross-Site Scripting, and other critical and high severity vulnerabilities. It does not contain
checks that may write data to databases or create denial-of-service conditions, and is safe to run
against production servers.
l Cross-Site Scripting: This policy performs a security assessment of your Web application for cross-site
scripting (XSS) vulnerabilities. XSS is an attack technique that forces a Web site to echo attacker-supplied
executable code, such as HTML code or client-side script, which then loads in a user’s
browser. Such an attack can be used to bypass access controls or conduct phishing expeditions.
l Deprecated Checks: The Deprecated Checks policy includes checks that are either deemed to have
reached end of life based on the current technological landscape or have been re-implemented using
smart and efficient audit algorithms that leverage the latest enhancements of the core Fortify
WebInspect framework.
l Dev: A Developer scan includes an automated crawl of the server and performs checks for known
and unknown vulnerabilities at the Web application layer only. The Developer policy does not
execute checks that are likely to create denial-of-service conditions, so it is safe to run on production
systems.
l DevInspectEclipse: The DevInspectEclipse policy is the standard policy for use by DevInspect Java
Eclipse. It performs both a crawl and audit, and tests the application for known and unknown
vulnerabilities.
l DevInspectVS: This is the standard policy for use by DevInspect VS. It performs both a crawl and
audit, and tests the application for known and unknown vulnerabilities.
l Mobile: A mobile scan will detect security flaws based on the communication observed between a
mobile application and the supporting backend services.
l NoSQL and Node.js: A NoSQL and Node.js scan includes an automated crawl of the server and
performs checks for known and unknown vulnerabilities targeting databases based on NoSQL such
as MongoDB and server side infrastructures based on JavaScript such as NodeJS. This policy
includes checks that are available to Fortify WebInspect release 9.3 and above.
l OpenSSL Heartbleed: This policy performs a security assessment of your web application for the
critical TLS Heartbeat read overrun vulnerability. This vulnerability could potentially disclose critical
server and web application data residing in the server memory at the time a malicious user sends a
malformed Heartbeat request to the server hosting the site.
l OWASP Top 10: Many organizations suggest testing for the Open Web Application Security Project
(OWASP) Top Ten Web application vulnerabilities as a best practice in ensuring the security of your
Web application. Multiple releases of the OWASP Top Ten may be available.
l Passive Scan: This policy scans an application for vulnerabilities detectable without active
exploitation, making it safe to run against production servers. Vulnerabilities detected by this policy
include issues of path disclosure, error messages, and others of a similar nature.
l Platform: This policy performs a security assessment of your Web application platform by
submitting attacks specifically against the Web server and known Web applications. When performing
assessments of enterprise-level Web applications, use the Platform policy in conjunction with the
Application policy to optimize your assessment in terms of speed and memory usage.
l Privilege Escalation: The Privilege Escalation policy scans your web application for programming
errors or design flaws that allow an attacker to gain elevated access to data and applications. The
policy uses checks that compare responses of identical requests with different privilege levels.
l QA: This policy is designed to help QA professionals make project release decisions in terms of Web
application security. It performs checks for both known and unknown Web application vulnerabilities.
However, it does not submit potentially hazardous checks, making it safe to run on production
systems.
l Quick: A Quick scan includes an automated crawl of the server and performs checks for known
vulnerabilities in major packages and unknown vulnerabilities at the Web server, Web application
server and Web application layers. A Quick scan does not run checks that are likely to create
denial-of-service conditions, so it is safe to run on production systems.
l Safe: A Safe scan includes an automated crawl of the server and performs checks for most known
vulnerabilities in major packages and some unknown vulnerabilities at the Web server, Web
application server and Web application layers. A Safe scan does not run any checks that could
potentially trigger a denial-of-service condition, even on sensitive systems.
l SQL Injection: This policy performs a security assessment of your Web application for SQL injection
vulnerabilities. SQL injection is an attack technique that takes advantage of non-validated input
vulnerabilities to pass arbitrary SQL queries and/or commands through the Web application for
execution by a backend database.
l Standard: A Standard scan includes an automated crawl of the server and performs checks for
known and unknown vulnerabilities at the Web server, Web application server, and Web application
layers. A Standard scan does not run checks that are likely to create denial-of-service conditions, so it
is safe to run on production systems.
l Standard (Deprecated): The Standard (Deprecated) policy is a copy of the original standard policy
before it was revised in the R1 2015 release.
l Transport Layer Security: This policy performs a security assessment of your web application for
insecure SSL/TLS configurations and critical transport layer security vulnerabilities, such as
Heartbleed, Poodle, and SSL Renegotiation attacks.
Working with Projects
The following pages describe how to create and view project versions, and view project version details,
deleted projects, and vulnerabilities. They also describe how to work with an alias and the macro
repository.
Creating New Project Versions
Fortify WebInspect Enterprise users with the "Can Create Project Version" permission can create a new
Project Version directly in WebInspect Enterprise. These new Project Versions are automatically added
to Fortify Software Security Center. Fortify Software Security Center users who can view the new
Project Version in WebInspect Enterprise at the time of creation are automatically assigned to the new
project version in Fortify Software Security Center. For additional users to be able to use the Project
Version in Fortify Software Security Center, the WIE Administrator for Fortify Software Security Center
must assign new users to the new Project Version.
Creating a Project Version
To create a Project Version:
1. Under Actions, select New Project Version.
2. On the General page, do the following:
a. Select an organization and security group from the Business Unit drop-down list.
Note: This list includes only those organizations and security groups to which you have
access.
b. Select an existing Project Name from the drop-down list or click Add to create a new Project
Name.
c. Type a Project Version Name.
d. Optionally, type the URL for the new Project Version.
e. Optionally, add or remove IP Addresses in the Host section.
f. Optionally, select the Virtual Host option to indicate the hosts reside on a single server.
3. On the Information page, it is optional to do the following:
a. Type the Operating System and Web Platform information.
b. Type the contact Name and Email address.
c. Type any Notes that may be pertinent for the new Project Version.
4. Click Finish.
The new Project Version is created in WebInspect Enterprise and is ported to Fortify Software
Security Center during a subsequent sync.
See Also
"Viewing Project Versions" below
"Reviewing Project Version Details" on page 131
Viewing Project Versions
The Project Versions form displays, in the left column, a list of all defined projects and their component
versions.
Note: When a project version is created in Fortify Software Security Center (SSC), it automatically
appears in the Project Versions here in Fortify WebInspect Enterprise.
Click a project name to display information about all associated versions, or click a single version name.
For each version selected, this form displays:
l The project version name
l The number of issues detected in each of six categories
l The name of the security group with which this version is associated
l The name of the organization with which this version is associated
l The name of the project with which this version is associated
Click a version name to view project version details. See "Reviewing Project Version Details" on
page 131.
To view project version details, click a project version name, or click the drop-down arrow to the left of
the project version name and click Project Version Details.
You can perform additional functions by clicking the drop-down arrow for a specific project version.
The functions unique to this menu are:
l Scan Now - Open the New Scan form, allowing you to enter scan settings and initiate a scan.
l Schedule Scan - Open the Configure Scheduled Scan form, allowing you to enter scan settings and
schedule a scan.
l View in SSC - Launch Fortify Software Security Center and navigate to the Issues tab of the Project
Version window.
l Scan Requests - View all Fortify Software Security Center scan requests associated with this project
version.
You can also use the icons illustrated below.
l Repopulate the form.
l Change the number of rows on the page, modify column widths, specify which columns are displayed,
sort grid data, and arrange listed items into groups. See "Configuring Form Layouts" on page 103.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
l Text
l Date
l Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
l *searchstring = ends with the text you are searching for
l searchstring* = begins with the text you are searching for
l *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
l > 5 (search for values greater than 5)
l < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred
that day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search
everything in that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4-hour duration, the span is displayed as “0.04:00”. Use a similar format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
See Also
"Creating New Project Versions" on page 128
"Reviewing Project Version Details" below
Reviewing Project Version Details
This form provides complete details about the selected project version, categorized on the tabs
described in this topic.
All Scans
The All Scans tab lists all scans conducted for the project version and displays (by default) the
following information:
l Scan name
l Scan status (failed or complete)
l Date and time the scan was conducted
l Date and time the scan was published
l Whether the scan was requested by HPE Security Fortify Software Security Center (SSC)
l Number of vulnerabilities detected, categorized by severity
l Published status (Unpublished, Uploading to SSC, Error Uploading to SSC, Processing in SSC, Error
Processing in SSC, or Processing Complete in SSC)
Icons allow you to add scans, delete scans, move scans to a different project version, publish scans to
SSC, and change the state of a scan. Click a scan name to open the Scan Visualization window for that
scan.
Click the drop-down arrow for a specific scan and select an option to:
l View scan details in the Scan Visualization window.
l Move the scan to a different project version.
l Delete the scan.
l Publish scan data to SSC.
l Export the scan in Fortify WebInspect format, as XML, or as FPR, or export settings for the selected
scan.
Note: After exporting to the .fpr format, you must manually upload the .fpr file to Fortify Software
Security Center. HPE does not support uploading both Fortify WebInspect FPR artifacts and Fortify
WebInspect Enterprise FPR artifacts to the same project version in Fortify Software Security Center.
l Perform other functions.
Issues
This tab lists all vulnerabilities, sorted by severity, detected in this project version and displays (by
default) the following information:
l Check ID - Identification number of the Fortify WebInspect probe that discovered the vulnerability.
l Check Name - Name of the check that discovered the vulnerability.
l Vulnerable URL - Location of the vulnerability.
l Severity - A relative assessment of the vulnerability, ranging from low to critical.
l Scan - Name of the scan.
l SSC Status - Indicates whether or not the issue has been uploaded to Fortify Software Security
Center.
l Ignored - If a check mark appears in the column, a user classified this vulnerability as Ignored (using
the Review Vulnerability form).
l False Positive - If a check mark appears in the column, a user classified this vulnerability as a false
positive (using the Review Vulnerability form).
Click the drop-down arrow for a specific issue to view details or view the project version in Fortify
Software Security Center.
Click a check name to open the Issue Details form. This form has the following tabs:
l Vulnerability - Contains a complete description of the detected vulnerability, including instructions
for verifying and fixing the problem.
l Request - Displays the HTTP request sent to the target site as a probe for the vulnerability.
l Response - Displays the HTTP response returned by the target site.
l Stack Trace - This feature is designed to support Fortify WebInspect Agent when it is installed and
running on the target server. For certain checks (such as SQL injection, command execution, and
cross-site scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP requests and
conducts runtime analysis on the target module. If this analysis confirms that a vulnerability exists,
Fortify WebInspect Agent appends the stack trace to the HTTP response. Developers can analyze
this stack trace to investigate areas that require remediation.
l Additional Info - For Flash files, displays decompiled code.
An icon allows you to show or hide ignored issues.
Scan Templates
This tab displays a list of scan templates associated with this project version and displays (by default)
the following information for each template:
l Name - The name assigned to the template
l Project version - The project version associated with the specified project. Not applicable to global
templates.
Click the drop-down arrow for a specific template and select options to edit, copy, or delete the
template, or display dependencies associated with the template.
Click a template name to open the Configure Scan Template window to view or modify template
settings.
Icons allow you to create or delete a template, or import a template that contains settings that are
optimized for Oracle.
For more information about scan templates, see "Using Scan Templates" on page 117.
Schedules
This tab displays a list of all scans scheduled for the project version and displays (by default) the
following information:
l Name of the scheduled scan
l URL of the scan target
l Recurrence
l Project version
l Sensor
l Policy
l Priority
l Scan type
l Last occurrence
l Last occurrence (target)
l Next occurrence
l Next occurrence (target)
l Security group
l Organization
Click a schedule name to open the Configure Scheduled Scan window to view or modify settings for the
scan.
Click the drop-down menu next to each Check ID to edit, copy, delete, or enable/disable the scheduled
scan.
Icons allow you to add or delete scheduled scans.
Properties
This tab lists information about the project version, including the project version name and URL,
platform information, the contact's name and e-mail address, and host information.
Notes
This tab allows you to create or view notations associated with the project version.
Aliases
This tab displays all aliases created for the project version, and displays, for each alias, the following
information:
l Primary URL for this project version
l Description of the alias
l Indication of whether or not the server differentiates between URLs based on case sensitivity
Click the drop-down menu for a specific alias to edit or delete the alias. See "Adding or Editing an Alias"
on page 138 for detailed instructions.
Icons allow you to add or delete aliases, or recalculate all scans.
Macros
You can create macros that are reusable at different locations and among different security groups
across your enterprise. Macros are added and maintained at the Project Version level, and are stored in
a macro repository.
This tab displays a list of macros that are available in the macro repository for the Project and Project
Version being viewed. The list provides the Macro Name and the date and time of its last update.
You can add a new macro to the repository on the Macros tab. You can also edit, download new
versions, or delete individual macros that are already in the list. See "Working with the Macro
Repository" on page 139 for more information.
Additional Functions
You can also perform additional functions using the icons at the top of the form. These icons are
available regardless of the tab being viewed.
Scan Now: Display scan settings, as entered for the previous scan. You can modify the settings, if
desired, before initiating the scan.
View in SSC: Launch the Fortify Software Security Center application and navigate to the Issues tab of
the Project Version window.
Scan Requests: Navigate to the Scan Requests form, where you can process requests issued from
Fortify Software Security Center.
You can also use the icons illustrated below.
l Repopulate the form.
l Change the number of rows on the page, modify column widths, specify which columns are displayed,
sort grid data, and arrange listed items into groups. See "Configuring Form Layouts" on page 103.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
l Text
l Date
l Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
l *searchstring = ends with the text you are searching for
l searchstring* = begins with the text you are searching for
l *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
l > 5 (search for values greater than 5)
l < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred
that day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search
everything in that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4-hour duration, the span is displayed as “0.04:00”. Use a similar format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
See Also
"Creating New Project Versions" on page 128
"Reviewing Project Version Details" on page 131
Viewing Vulnerabilities
The Vulnerability Viewer can be invoked from the Issues tab on the Project Version Details window
using either of two methods:
l If you click an entry in the Check Name column, the viewer appears at the bottom of the window.
l If you click the drop-down arrow next to the Check ID and select View Details from the menu, the
viewer appears in a separate window.
The Vulnerability Viewer has the following tabs:
l Vulnerability - Contains a complete description of the detected vulnerability, including instructions
for verifying and fixing the problem.
l Request - Displays the HTTP request sent to the target site as a probe for the vulnerability.
l Response - Displays the HTTP response returned by the target site.
l Stack Trace - This feature is designed to support HPE Security Fortify WebInspect Agent when it is
installed and running on the target server. For certain checks (such as SQL injection, command
execution, and cross-site scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP
requests and conducts runtime analysis on the target module. If this analysis confirms that a
vulnerability exists, Fortify WebInspect Agent appends the stack trace to the HTTP response.
Developers can analyze this stack trace to investigate areas that require remediation.
l Additional Info - For Flash files, displays decompiled code.
Viewing Deleted Projects
Note: This feature does not appear in the navigation pane until project versions are deleted from
Fortify Software Security Center and those project versions have scans, scan templates, or
schedules associated with them.
This form displays, in the left column, a list of project versions that have been removed from Fortify
Software Security Center.
For each version, this form displays:
l The project version name
l The number of issues detected in each of six severity categories
l The name of the security group
l The name of the organization
l The name of the project
Click a version name to view project version details; see "Reviewing Project Version Details" on page 131.
System administrators can recover deleted project versions using the Administration - Roles and
Permissions feature of the Fortify WebInspect Enterprise Console.
To permanently delete a project version, click the drop-down arrow next to a project version name and
select Purge (or select one or more project versions and click the Purge icon at the top of the form).
Purged versions cannot be recovered.
About Dependencies
Certain objects in Fortify WebInspect Enterprise are linked together, meaning that the existence of one
object is dependent on another. You must dissolve this relationship before you are allowed to delete the
parent object.
For example, if you have a project version that contains scans, you cannot delete that project version
unless you first delete the associated scans or assign them to a different project version.
The dependencies are categorized in the following table. Dependent objects must be disassociated from
the parent object before the parent object can be deleted.
Parent object: Scan Template
Dependent objects:
l Scheduled scan
l Scan (only if scan has not completed)
You cannot delete a scan template until you either delete the scheduled
scan, assign a different template to the scheduled scan, or cancel the scan
(if it is currently running or paused).
Parent object: Project Version
Dependent objects:
l Scan
You cannot delete a project version until you delete the associated scans or
move them to a different project version.
Parent object: Custom Policy
Dependent objects:
l Scan
l Scheduled scan
You cannot delete a custom policy until you either delete the scan or the
scheduled scan (or assign a different policy to the scheduled scan).
Adding or Editing an Alias
Sometimes, identical Web applications are deployed on different hosts. For example, during the
development process, the same application may be deployed and tested on QA.testsite.com,
Staging.testsite.com, and finally Production.testsite.com. This becomes problematic when performing a
dynamic analysis scan because correlation uses the URL as a key component to match multiple
vulnerabilities.
To overcome this problem, you can create an alias for those project versions by identifying all the
equivalent URLs and hostnames for the Web application, which allows correlation to occur for all active
and future scans.
When to Set Up Aliases
You should set up aliases before publishing. Otherwise, if conflicts occur, you may lose the vulnerability
history because the correlation IDs may change. If you add or edit aliases after a scan has been
published for that project version, you will be prompted to recalculate.
Note: Correlation is a mathematical calculation that uses a variety of values to determine if the
vulnerability is really a duplicate of another vulnerability. You should recalculate whenever you
change an alias.
Creating an Alias
To create an alias:
1. Select Project Versions from the navigation pane.
2. Click the name of a project version (in the Project Version column) for which you want to create an
alias.
3. On the Project Version Details form, click the Aliases tab.
4. Click Add.
5. On the Add New Alias dialog, in the Primary URL field, enter the alias URL (the umbrella under
which other scans will be associated). Using the above example, you might enter
http://Production.testsite.com. Be sure to include the protocol (for example, http://).
6. If the server differentiates between URLs based on case sensitivity, select Case Sensitive URL.
7. Enter a description of the URL.
8. Click Add.
9. In the Equivalent URLs field, enter the URL of a host that will be covered by this alias. Using the
above example, you might enter http://QA.testsite.com.
10. To add other URLs, repeat steps 8-9.
11. When finished, click Save.
12. When notified that the alias was saved successfully, click OK.
The primary URL is listed on the form.
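Why aliases matter for correlation, shown as an added worked example. This is not Fortify's code and the product's correlation algorithm is not described on this page beyond "the URL is a key component"; the example assumes a key built from the alias-resolved primary origin, the request path and the check name, with the Case Sensitive URL option deciding whether the path is case-folded. Findings on QA.testsite.com, Staging.testsite.com and Production.testsite.com only collapse into one group once the alias exists, and re-running the grouping after the alias table changes is the recalculation the note above refers to. The findings are constructed sample data.

```python
"""Alias-aware correlation keys for findings on equivalent hosts.

Added illustration, not Fortify's correlation algorithm. Assumed here: a key
built from the resolved primary origin, the request path and the check name,
with the path compared case-insensitively unless the alias is marked
Case Sensitive URL.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def origin(url):
    """(scheme, host[:port]) with the DNS name folded to lower case."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


class AliasTable:
    """Maps every equivalent origin to the primary URL's origin."""

    def __init__(self):
        self._primary_of = {}      # origin -> primary origin
        self._case_sensitive = {}  # primary origin -> bool

    def add(self, primary_url, equivalent_urls, case_sensitive=False):
        primary = origin(primary_url)
        self._case_sensitive[primary] = case_sensitive
        for url in (primary_url, *equivalent_urls):
            self._primary_of[origin(url)] = primary

    def correlation_key(self, url, check_name):
        parts = urlsplit(url)
        primary = self._primary_of.get(origin(url), origin(url))
        path = parts.path or "/"
        if not self._case_sensitive.get(primary, False):
            path = path.lower()
        scheme, host = primary
        return f"{scheme}://{host}{path}#{check_name}"


def correlate(findings, aliases):
    """Group finding ids by correlation key. Re-running this after the alias
    table changes is the 'recalculate' step the page describes."""
    groups = defaultdict(list)
    for f in findings:
        groups[aliases.correlation_key(f["url"], f["check"])].append(f["id"])
    return dict(groups)


# Constructed findings from three deployments of the same application.
FINDINGS = [
    {"id": 1, "url": "http://QA.testsite.com/Login.aspx", "check": "SQL Injection"},
    {"id": 2, "url": "http://Staging.testsite.com/login.aspx", "check": "SQL Injection"},
    {"id": 3, "url": "http://Production.testsite.com/login.aspx", "check": "SQL Injection"},
    {"id": 4, "url": "http://Production.testsite.com/search.aspx", "check": "Cross-Site Scripting"},
]


def production_aliases(case_sensitive=False):
    """Alias table matching the example on this page: Production is the
    primary URL, QA and Staging are its equivalents."""
    table = AliasTable()
    table.add("http://Production.testsite.com",
              ["http://QA.testsite.com", "http://Staging.testsite.com"],
              case_sensitive=case_sensitive)
    return table


if __name__ == "__main__":
    print(correlate(FINDINGS, AliasTable()))          # four separate keys
    print(correlate(FINDINGS, production_aliases()))  # the SQL injection findings merge
```

Running the module prints the grouping before and after the alias is added. With case_sensitive=True the QA finding at /Login.aspx stays separate from /login.aspx; a key change of that kind is what loses vulnerability history when aliases are added or edited after a scan has been published.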
Working with the Macro Repository
You can create macros that are reusable at different locations and among different security groups
across your enterprise. Macros are added and maintained at the Project Version level, and are stored in
a macro repository.
Adding a New Macro
You add a macro to the repository by uploading it. To add a new macro:
1. On the Project Version Details page, select the Macros tab.
2. Click Add.
The Add New Macro window appears.
3. Type a Macro Name for the macro.
4. Click Browse and select the macro to be added.
5. Click Open.
The new macro is added to the list of available macros.
6. Click OK.
Downloading a Macro
To update an existing macro in the repository, you can download the macro to your desktop, open it in
the Web Macro Recorder, and record the changes. Afterward, use the Edit button to browse and upload
the modified version.
To download an existing macro:
1. On the Project Version Details page, select the Macros tab.
A list of available macros appears.
2. Click the drop-down menu next to the Macro Name and select Download.
The Opening macro window appears.
3. Click Save File and OK.
4. Navigate to your desktop and save the file there.
After recording changes in the Web Macro Recorder, follow the procedure to update the macro with the
new version described in "Updating a Macro" below.
Updating a Macro
After revising a macro, you can update the macro in the repository with the new version. The revised
macro will be updated in Scheduled Scans and Scan Templates where the macro is used.
Caution: The macro repository does not maintain multiple versions of a macro. Updating a macro
will overwrite and replace the existing macro.
To update the macro:
1. On the Project Version Details page, select the Macros tab.
A list of available macros appears.
2. Click the drop-down menu next to the Macro Name and select Edit.
The Edit Macro window appears.
3. Click Update.
4. Click Browse and select the revised macro to be uploaded.
5. Click Save.
Deleting a Macro
To delete a macro from the repository:
1. On the Project Version Details page, select the Macros tab.
A list of available macros appears.
2. Do one of the following:
l Select one or more macros in the list and click Delete.
l Click the drop-down menu next to the Macro Name and select Delete.
Using Repository Macros in Scans
Macros are added and maintained at the Project Version level and are available for use only within the
Project Version to which they were added. Repository macros are not available when using a global
template.
Working with Scans
This section describes how to review the scan list, scan results, and scan dashboard, and how to add
pages, directories, and variations. It also describes how to compare scans and publish to Fortify
Software Security Center.
Reviewing the Scan List
The following is an example of the Scans form. In the Web Console, the user has selected Filtered
Views > Scans in the left pane.
Scans Form Columns
Each scan in the Fortify WebInspect Enterprise database is listed in the Scans form. The table displays
(by default) the following columns:
l Name - The name assigned to the scan.
l Scan URL - Target Web site URL or IP address.
l Status - Current state of the scan (imported, complete, etc.).
l Project Version - Project version to which this scan is assigned. Click this field to open the associated
Project Version Details form.
l Policy - The policy used for the scan.
l Sensor - The sensor that conducted the scan.
l Creator - User name of the person who initiated the scan.
l Created - Date and time the scan object was created or imported.
l Started - Date and time the scan started.
l Completed - Date and time the scan finished.
l App Type - Application type.
l App Version - Application version number.
l Scan Request? - If a check mark appears in this column, the scan was requested by Fortify Software
Security Center (SSC).
l Results? - If a check mark appears in this column, the number of vulnerabilities detected appears in
columns sorted by severity.
l Priority - A relative value assigned to the scan; it is used to determine precedence if a sensor
scheduling conflict occurs.
l Vulnerabilities (in columns sorted by severity) - Number of vulnerabilities detected.
l WebInspect Agent Detected - Indicator (Yes/No) whether Fortify WebInspect Agent was detected
during the scan. For certain checks (such as SQL injection, command execution, and cross-site
scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP requests and conducts
runtime analysis on the target module. If this analysis confirms that a vulnerability exists, Fortify
WebInspect Agent appends the stack trace to the HTTP response. Developers can analyze this stack
trace to investigate areas that require remediation.
l Publish Status - Unpublished, Uploading to SSC, Error Uploading to SSC, Processing in SSC, Error
Processing in SSC, or Processing Complete in SSC.
l Publish Date - The date on which the scan data was published to Fortify Software Security Center.
Available Functions
You can perform additional functions by clicking the drop-down arrow next to a scan name. In the
example below, the user clicked the arrow for the second scan in the list, and slid the cursor to the right
to see the suboptions for View.
The options are:
l View
l Scan Visualization - Open the Scan Visualization window, allowing you to examine the scan
results. You can also click a scan name to open the Scan Visualization window. See "Reviewing
Scan Results" on page 146.
l View Configuration - View (but not edit) the settings used for the selected scan.
l Manage
l Repeat Scan - Rescan the target site using the same settings as the original scan.
l Copy - Copy all settings that were used for this scan and paste them into the Configure Scan
window, allowing you to edit the settings before initiating the scan.
l Copy to Schedule - Copy all settings that were used for this scan and paste them into the
Configure Scheduled Scan window, allowing you to edit the settings before scheduling the scan.
l Create Template from the Scan - Create a scan template containing the settings that were used
to produce this scan.
l Rename - Assign a different name to the scan.
l Move - Assign the scan to a different project version.
l Delete - Delete the scan.
l Retest Vulnerabilities - Conduct a scan that examines only those portions of the target site in
which vulnerabilities were detected during the original scan. Fortify WebInspect Enterprise does not
conduct a new crawl of the site, but simply retraces the path of vulnerable sessions (as recorded in
the original scan) and attacks the resources using the same checks previously employed. The default
name of the scan is "Site Retest - <original scan name>"; for example, the retest of a site that originally
resulted in a scan named MySite would produce a scan named Site Retest - MySite. However, you can
specify a different name when launching the scan. For more information, see "Reviewing and
Retesting Vulnerabilities".
l Create Report - Create a report for the scan. For more information, see the description of the Create
Report icon below.
l Publish - Send scan data to Fortify Software Security Center. See "Publishing Scans to Fortify
Software Security Center" on page 170.
l Export - Export the scan in Fortify WebInspect format, as XML, or as FPR, or export settings for the
selected scan.
Note: After exporting to the .fpr format, you must manually upload the .fpr file to Fortify Software
Security Center. HPE does not support uploading both Fortify WebInspect FPR artifacts and Fortify
WebInspect Enterprise FPR artifacts to the same project version in Fortify Software Security Center.
l Change Scan State - Start, stop, resume, or suspend the scan.
Note: When attempting to export scans using Internet Explorer, errors will result if the Internet
option "Do not save encrypted pages to disk" is selected.
You can also perform additional functions using the icons at the top of the form:
Icon
Function
Add
Start a new Guided Scan, Web site scan or Web service scan. Each choice
launches the Scan Wizard, which guides you through the steps required to
start a scan. You can use this as an alternative to selecting Guided Scan,
Scan Web Site, or Scan Web Service in the Actions section of the
navigation pane.
Import
Import a scan. This feature invokes the Scan Uploader, which allows you to
consolidate scans from Fortify WebInspect and Fortify WebInspect
Enterprise and upload them to a project version.
Note: Fortify WebInspect Enterprise may display the message, "You cannot
start application Scan Uploader from this location because it is already
installed from a different location." This can occur when you have multiple
Fortify WebInspect Enterprise managers, or you rename your Fortify
WebInspect Enterprise manager, or you access the same Fortify WebInspect
Enterprise manager using different URLs, and you are importing to a Fortify
WebInspect Enterprise manager that is different from the one into which
you previously imported. The workaround solution is to uninstall the Scan
Uploader utility and click Import again (which will reinstall the utility that is
paired with the correct URL). Alternatively, launch the utility using the
desktop shortcut instead of the Import button.
Scans can also be uploaded through the Scan Uploader service provided by
the Fortify WebInspect Enterprise Services Manager. If you scan a Web site
with Fortify WebInspect, you can copy the results to a location called a
“dropbox.” The Scan Uploader service (which is separate from the Scan
Uploader utility) can access each dropbox periodically and, if files exist, it
uploads those files to the Fortify WebInspect Enterprise Manager. You can
configure this feature through the Fortify WebInspect Enterprise Services
Configuration utility. Initial configuration is performed as part of product
installation; for more information, see the HPE Security Fortify WebInspect
Enterprise Installation and Implementation Guide.
Delete
Use the check boxes to select scans and delete those scans.
Move
Use the check boxes to select scans and assign those scans to a different
project version.
Create Report
Select a check box for one scan and create a report for that scan. The first
time you create a report (or launch a Guided Scan) from Fortify WebInspect
Enterprise or Fortify Software Security Center, the Fortify WebInspect
Enterprise Thin Client application:
l Runs a wizard that verifies your computer meets the prerequisites for
installing the Thin Client.
l Downloads and installs itself on your computer, along with a Help system.
l Launches either reporting or Guided Scan, depending on which you
selected.
For detailed information about creating a report, see the Thin Client
download Help.
Publish
Use the check boxes to select scans and send their scan data to Fortify
Software Security Center. See "Publishing Scans to Fortify Software
Security Center" on page 170.
Change Scan State
Use the check boxes to select scans and select one of the following:
l Start the scans.
l Stop the scans (if running).
l Resume the scans (if suspended).
l Suspend the scans (if running).
l Repeat the scans.
You can also use the icons illustrated below.
Icon
Function
Repopulate the form.
Change the number of rows on the page, modify column widths, specify which
columns are displayed, sort grid data, and arrange listed items into groups. See
"Configuring Form Layouts" on page 103.
Searching On This Page
You can use global search to search on any column that is available on this page. For example, you can
type in a portion of a URL, project name, or project version to find the specific project you are searching
for.
Data Types
The column data types are:
l Text
l Date
l Number
Searching Text
If you are searching on a column that contains text, you can type in the exact name you are searching
for. If what you are searching for includes embedded spaces, such as "Offshore QA Org", you can include
those spaces in your search string. If you do not know the exact name, you can perform a wildcard
search. Wildcard searches are entered as follows:
l *searchstring = ends with the text you are searching for
l searchstring* = begins with the text you are searching for
l *searchstring* = contains the text you are searching for
Searching Numbers and Dates
If you are searching on a number or a date, global search will attempt to parse the input into the value
type. If global search can successfully parse the value, it will search on the value. You can also use
"greater than" or "less than" searches. These searches are entered as follows:
l > 5 (search for values greater than 5)
l < 5 (search for values less than 5)
If you search on a date (for example, 12/14/2015), global search will search for anything that occurred that
day. If you search on an hour (for example, 12/14/2015 11:00 PM), global search will search everything in
that hour.
Searching for Time Spans
When searching for time spans, such as in the Duration column for Blackouts, the format is:
d.hh:mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
So for a 4 hour duration, the span is displayed as "0.04:00". Use the same format to search for time
spans.
Searching Boolean Data and Check Boxes
If you search on a boolean data column or a check box column, enter “True” or “False” into the search
box to filter on them. For a check box, "True" means that the check box is selected.
To perform a global search:
1. In the Filter list, select the column of data to search on.
2. In the text box next to the Filter list, type the search criteria.
3. Press Enter or click the refresh button.
The table displays all records that meet the search criteria.
To clear the filter:
1. Clear the Filter list or the search criteria.
2. Press Enter or click the refresh button.
The table displays all records.
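To make the search rules above concrete (this description and the identical one given earlier in the chapter for the Project Versions form), here is an added model of the global search syntax in Python. It is not the product's code; it assumes one column is searched at a time, that the column's data type decides how the query is read, that text matching is case-insensitive, and that an input which cannot be parsed as a number, date or time span matches no rows. The sample rows are constructed.

```python
"""Model of the Web Console global-search syntax described on this page.

Added illustration, not the product's code. Assumptions: one column is
searched at a time, the column's data type decides how the query is read,
text matching is case-insensitive, and a query that cannot be parsed for a
number, date or time-span column matches no rows.
"""
from datetime import datetime, timedelta
import re


# Wildcards: *s = ends with, s* = begins with, *s* = contains, s = exact match.
def parse_text(query):
    q = query.strip()
    starts, ends = q.startswith("*"), q.endswith("*")
    needle = q.strip("*").lower()
    if starts and ends:
        return lambda v: needle in str(v).lower()
    if starts:
        return lambda v: str(v).lower().endswith(needle)
    if ends:
        return lambda v: str(v).lower().startswith(needle)
    return lambda v: str(v).lower() == needle


def _ranged(query, literal_to_range):
    """Handle an optional leading '>' or '<' in front of a number, date or
    time-span literal. literal_to_range() turns the literal into (low, high):
    a single point (low == high) for numbers and time spans, a half-open
    interval for dates ('12/14/2015' covers that whole day). It returns None
    when the literal cannot be parsed."""
    q = query.strip()
    op = None
    if q[:1] in ("<", ">"):
        op, q = q[0], q[1:].strip()
    bounds = literal_to_range(q)
    if bounds is None:
        return lambda v: False  # unparsable input: no matches (assumption)
    low, high = bounds
    if op == ">":
        return lambda v: v > low if low == high else v >= high
    if op == "<":
        return lambda v: v < low
    return (lambda v: v == low) if low == high else (lambda v: low <= v < high)


def number_range(lit):
    try:
        n = float(lit)
    except ValueError:
        return None
    return n, n


# '12/14/2015' -> that whole day; '12/14/2015 11:00 PM' -> that whole hour.
def date_range(lit):
    for fmt, span in (("%m/%d/%Y %I:%M %p", timedelta(hours=1)),
                      ("%m/%d/%Y", timedelta(days=1))):
        try:
            start = datetime.strptime(lit, fmt)
        except ValueError:
            continue
        start = start.replace(minute=0, second=0, microsecond=0)
        return start, start + span
    return None


# Time spans use the d.hh:mm form shown for the Blackout Duration column
# ('0.04:00' is four hours).
_SPAN = re.compile(r"^(\d+)\.(\d{1,2}):(\d{1,2})$")


def timespan_range(lit):
    m = _SPAN.match(lit)
    if not m:
        return None
    d, h, mi = (int(x) for x in m.groups())
    span = timedelta(days=d, hours=h, minutes=mi)
    return span, span


# Boolean and check box columns accept True or False (case-insensitive here).
def parse_boolean(query):
    q = query.strip().lower()
    if q not in ("true", "false"):
        return lambda v: False
    return lambda v: bool(v) == (q == "true")


PARSERS = {
    "text": parse_text,
    "number": lambda q: _ranged(q, number_range),
    "date": lambda q: _ranged(q, date_range),
    "timespan": lambda q: _ranged(q, timespan_range),
    "boolean": parse_boolean,
}

# Data types for a constructed subset of the Scans form columns.
COLUMN_TYPES = {"Name": "text", "Vulnerabilities": "number",
                "Started": "date", "Duration": "timespan",
                "Scan Request?": "boolean"}


def global_search(rows, column, query):
    """Return the rows whose value in `column` satisfies `query`."""
    predicate = PARSERS[COLUMN_TYPES[column]](query)
    return [row for row in rows if predicate(row[column])]


def names(rows):
    return [row["Name"] for row in rows]


# Constructed sample rows (not real scan data).
SCANS = [
    {"Name": "Offshore QA Org nightly", "Vulnerabilities": 12,
     "Started": datetime(2015, 12, 14, 23, 15), "Duration": timedelta(hours=4),
     "Scan Request?": True},
    {"Name": "Payroll staging", "Vulnerabilities": 3,
     "Started": datetime(2015, 12, 14, 9, 30),
     "Duration": timedelta(days=1, hours=2, minutes=30), "Scan Request?": False},
    {"Name": "Storefront prod", "Vulnerabilities": 0,
     "Started": datetime(2015, 12, 15, 0, 5), "Duration": timedelta(minutes=45),
     "Scan Request?": True},
]

if __name__ == "__main__":
    print(names(global_search(SCANS, "Name", "*QA*")))
    print(names(global_search(SCANS, "Started", "12/14/2015 11:00 PM")))
    print(names(global_search(SCANS, "Duration", "> 0.04:00")))
```

The parser keeps the three value families apart on purpose: a "> 5" search on a text column is treated as a literal string, while on a date column "> 12/14/2015" means anything after the end of that day, which is the behaviour a practitioner usually expects when narrowing a long scan list by date.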
Reviewing Scan Results
The Scan Visualization window emulates the Fortify WebInspect graphical presentation of scan results.
To open this window, do one of the following:
l In the Fortify WebInspect Enterprise Web Console, select the Scans shortcut from the Filtered
Views group and click the name of a scan (or click the drop-down arrow for the scan and select View
> Scan Visualization).
l On the Projects tab in Fortify Software Security Center, select a project version and click View
Details (or double-click the project version), click the Scan tab, select a scan, and click View Scan. By
this method, if you are already working in Fortify Software Security Center, you do not need to open
Fortify WebInspect Enterprise to see the scan results.
The work area of the scan visualization is shown in the following screen capture:
The scan visualization is divided into the following three regions:
l Navigation Pane
l Information Pane
l Summary Pane
Navigation Pane
The navigation pane on the left side of the scan visualization includes the Site, Sequence, and Excluded
Hosts buttons, which determine the contents (or "view") presented in the navigation pane.
l Site view - Fortify WebInspect Enterprise displays in the navigation pane only those sessions that
reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was
discovered. During the crawl of the site, Fortify WebInspect selects the check box next to each
session (by default) to indicate that the session will also be audited. When conducting a sequential
crawl and audit (where the site is completely crawled before being audited), you can exclude a session
from the audit by clearing its associated check box before the audit begins.
l Sequence view - Fortify WebInspect Enterprise displays server resources in the order they were
encountered during a scan. You can specify a filter to limit which resources are displayed.
l Excluded Hosts view - Fortify WebInspect Enterprise displays a list of all disallowed hosts. These are
hosts that may be referenced anywhere within the target site, but cannot be scanned because they
are not specified in the Allowed Hosts setting (see "Scan Settings: Allowed Hosts" on page 191). To
the right of the Host heading, you can click the filter icon to open a filter that allows you to choose a
variety of conditions that must be met in order for an excluded host to remain listed after filtering.
The available conditions include the full set of current values, and you can also specify logical
expressions regarding the values.
Note: In both Site view and Sequence view, blue text denotes a directory or file that was identified by
Fortify WebInspect, rather than a resource that was discovered through a link. For example, Fortify
WebInspect always submits the request “GET /backup/ HTTP/1.1” in an attempt to discover if the
target Web site contains a directory named “backup.”
Navigation Pane Icons
Use the following table to identify resources displayed in the Sequence and Site views.
Icon
Definition
Server/host: Represents the top level of your site's tree structure.
Blue folder: A private folder discovered not by crawling, but by attacks that often reveal
vulnerabilities.
Yellow folder: A folder whose contents are available over your Web site.
Gray folder: A folder indicating the discovery of an item via path truncation. Once the parent
is found, the folder will display in either blue or yellow, depending on its properties.
File.
Query or post.
Document Object Model (DOM) event.
Vulnerability Icons
Icons superimposed on a folder or file indicate a discovered vulnerability.
Icon Definition
A red dot with an exclamation point indicates the object contains a critical vulnerability. An
attacker might have the ability to execute commands on the server or retrieve and modify
private information.
A red dot indicates the object contains a high vulnerability—generally, the ability to view
source code, files out of the Web root, and sensitive error messages.
A gold dot indicates the object contains a medium vulnerability. These are generally non-HTML
errors or issues that could be sensitive.
A blue dot indicates the object contains a low vulnerability. These are generally interesting
issues, or issues that could potentially become higher ones.
An "i" in a blue circle indicates an informational item. These are interesting points in the site, or
certain applications or Web servers.
A red check mark indicates a "best practice" violation.
Each object represents a session, which is a matched set comprising the HTTP request sent by Fortify
WebInspect to test for vulnerabilities and the HTTP response from the server.
Navigation Pane Shortcut Menu
If you right-click an item in the navigation pane while using the Site view or Sequence view (except as
stated below), a shortcut menu presents the following options:
l Expand Children - (Site view only) Expands branching nodes in the site tree.
l Collapse Children - (Site view only) Contracts branching nodes into the superior node.
l Copy URL - Copies the URL of the selected session to the Windows clipboard (the same as selecting
Edit > Copy URL).
l View in Browser - Displays the server's HTTP response in a browser.
l Add - Allows you to add a page, directory, or vulnerability discovered by means other than a scan
(manual inspection, other tools, etc.) for information purposes. You can then add any discovered
vulnerabilities to those locations so that a more complete picture of the site is archived for analysis.
l Page - A distinct URL (resource).
l Directory - A folder containing a collection of pages.
Choosing either Page or Directory opens a dialog that allows you to name the page or directory
and edit the HTTP request and response.
l Variation - A subnode of a location that lists particular attributes for that location. For example,
the login.asp location might have the variation:
“(Query) Username=12345&Password=12345&Action=Login”
Variations, like any other location, can have vulnerabilities attached to them, as well as subnodes.
Choosing Variation opens the Add Variation dialog, allowing you to edit the variation attributes,
specify Post or Query, and edit the HTTP request and response.
l Vulnerability - A specific security threat. Choosing Vulnerability invokes the Edit Vulnerabilities
dialog, allowing you to edit the various attributes, specify Post or Query, and edit the HTTP
request and response.
l Remove Location - Removes the selected session from the navigation pane (both Site and Sequence
views) and also removes any associated vulnerabilities.
Note: You can recover removed locations (sessions) and their associated vulnerabilities. See
"Recovering Deleted Items" on page 175 for details.
l Edit Vulnerability - Allows you to add an existing or custom vulnerability to the session, or change
the Summary, Implication, Execution, Fix, and Reference Info descriptions associated with the
vulnerability.
l Review Vulnerability - Allows you to retest the vulnerability or mark it as "ignored" or "false
positive." See "Reviewing Vulnerabilities" on page 171.
l Mark as False Positive - Flags the vulnerability as a false positive and allows you to add a note.
l Attachments - Allows you to create a note or screenshot associated with the selected vulnerability.
Note: Notes longer than 2000 characters will be truncated when sent to Fortify Software Security
Center.
Information Pane
When conducting or viewing a scan, the information pane contains one or two collapsible information
panels (Scan Info and Session Info) and an information display area.
Scan Info Panel
This panel contains the following selections:
l Dashboard - The Dashboard displays a real-time summary of the scan results and a graphic
representation of the scan progress. See "Reviewing the Scan Dashboard" on page 158 for additional
information.
l Attachments - This feature lists all the notes and screenshots that are associated with all the objects
in the scan. Attachments are added in the Session Info panel for individual objects, as described in
the Session Info Panel section below.
You can click the filter icon at the right of any column heading to open a filter that allows you to
choose a variety of conditions regarding that column that must be met in order for an attachment
(row) to remain listed in the table after filtering. The available conditions include the full set of
current values in the column, and you can also specify logical expressions regarding the content of
that column.
l Traffic Monitor - This feature allows you to display and review every HTTP request sent by Fortify
WebInspect and the associated HTTP response received from the web server. This information
comes from the traffic session file, which is stored in the database on the Fortify WebInspect
Enterprise server along with the accompanying scan file. When you click the Traffic Monitor button,
the traffic session file is downloaded to the program data folder on your local machine. The Traffic
Viewer tool opens with the traffic session file in view.
This feature is available only if:
l Traffic Monitor Logging was enabled prior to conducting the scan
l The scan Status is "Aborted" or "Complete"
For scans that were conducted in a standalone Fortify WebInspect 10.50 or later version and include
a traffic session file, you can view the traffic sessions after the scan is uploaded to Fortify WebInspect
Enterprise. When such a scan is opened in Fortify WebInspect Enterprise, the Traffic Monitor button
appears automatically in the Scan Info panel.
For more information about enabling Traffic Monitor Logging, see "Scanning a Web Site" on
page 106 in this document and the Fortify WebInspect Enterprise Thin Client Download help.
Note: Traffic Monitor Logging cannot be enabled for Scheduled Scans.
For more information about the Traffic Viewer tool, refer to the Traffic Viewer tool online help or the
HPE Security Fortify WebInspect Tools Guide.
l False Positives - This feature lists all URLs that Fortify WebInspect Enterprise originally flagged as
containing a vulnerability, but which a user later determined were false positives.
You can click the filter icon at the right of any column heading to open a filter that allows you to
choose a variety of conditions regarding that column that must be met in order for a false positive
(row) to remain listed in the table after filtering. The available conditions include the full set of
current values in the column, and you can also specify logical expressions regarding the content of
that column.
You can mark a selected false positive as a vulnerability, thereby removing it from the list of false
positives, or you can edit its description.
You can select one or more column headers and drag them above the table to organize the entries in
the desired hierarchy.
l Deleted Items - Lists either deleted sessions or deleted vulnerabilities, depending on your selection.
To recover a deleted item, select a session or vulnerability and click Recover.
You can click the filter icon at the right of any column heading to open a filter that allows you to
choose a variety of conditions regarding that column that must be met in order for a session or
vulnerability (row) to remain listed in the table after filtering. The available conditions include the full
set of current values in the column, and you can also specify logical expressions regarding the
content of that column.
You can select one or more column headers and drag them above the table to organize the entries in
the desired hierarchy.
Note: To delete a session, right-click a session in the navigation pane or an item in the summary pane
and select Remove Location from the shortcut menu.
To delete a vulnerability, do one of the following:
l Right-click an item on the Vulnerabilities tab, Information tab, or Best Practices tab in the
summary pane and select Mark As Ignored from the shortcut menu.
l Right-click a vulnerable session in the navigation pane, select Edit Vulnerabilities from the shortcut
menu, and (on the Edit Vulnerabilities dialog) click Delete.
l Right-click an item on any tab in the summary pane except Scan Log or Reports, select Edit
Vulnerability from the shortcut menu, and (on the Edit Vulnerabilities dialog) click Delete.
Session Info Panel
Fortify WebInspect Enterprise lists each session created during a scan in the navigation pane using
either the Site view or Sequence view. Select a session and then click one of the options in the Session
Info panel to display related information about that session. Some options appear only for specific
types of scans as noted. Also, options are enabled only if they are relevant to the selected session. The
available options are:
l Vulnerabilities - Displays the vulnerability information for the session selected in the navigation
pane.
l Web Browser - (Web Site Scan or Guided Scan only; not available for Web Service Scan.) Displays the
server's response as rendered by a Web browser for the session selected in the navigation pane.
l HTTP Request - Displays the raw HTTP request sent by Fortify WebInspect to the server hosting
the site you are scanning.
l HTTP Response - Displays the server's raw HTTP response to Fortify WebInspect's request. If you
select a Flash (.swf) file, Fortify WebInspect displays HTML instead of binary data. This allows Fortify
WebInspect Enterprise to display links in a readable format.
l Stack Traces - Displays stack traces provided for certain checks by Fortify WebInspect Agent, if
Fortify WebInspect Agent is detected to be available. For certain checks (such as SQL injection,
command execution, and cross-site scripting), Fortify WebInspect Agent intercepts Fortify
WebInspect HTTP requests and conducts runtime analysis on the target module. If this analysis
confirms that a vulnerability exists, Fortify WebInspect Agent appends the stack trace to the HTTP
response. Developers can analyze this stack trace to investigate areas that require remediation.
l Details - (Web Site Scan or Guided Scan only; not available for Web Service Scan.) Displays request
and response details, such as the size of the response and the request method, for the session
selected in the navigation pane. Note that the Response section contains two entries for content
type: returned and detected. The Returned Content Type indicates the media type specified in the
Content-Type entity-header field of the HTTP response. The Detected Content Type indicates the
actual content-type as determined by Fortify WebInspect.
l Steps - (Web Site Scan or Guided Scan only; not available for Web Service Scan.) Displays the route
taken by Fortify WebInspect to arrive at the session selected in the navigation pane or the URL
selected in the summary pane. Beginning with the parent session (at the top of the list), the sequence
reveals the subsequent URLs visited and provides details about the scan methodology.
l Links - (Web Site Scan or Guided Scan only; not available for Web Service Scan.) Displays (under
Linked From) all resources at the target site that contain links to the selected resource. The links may
be rendered by HTML tags, scripts, or HTML forms. It also lists (under Linked To) all resources that
are referenced by links within the HTTP response for the selected session.
l Attachments - Displays all notes and screenshots associated with the selected session in the
navigation pane (Site or Sequence view). If the selected session includes rolled up vulnerabilities, a
note in the Comments area details the URLs that were rolled up and affected by the same
vulnerability. For more information, see "About Vulnerability Rollup" on page 176.
You can click the filter icon at the right of any column heading to open a filter that allows you to
choose a variety of conditions regarding that column that must be met in order for an attachment
(row) to remain listed in the table after filtering. The available conditions include the full set of
current values in the column, and you can also specify logical expressions regarding the content of
that column.
Icons allow you to add a note or screenshot as an attachment to the selected vulnerability, or to edit,
view, or delete the selected attachment.
Note: Notes longer than 2000 characters will be truncated when sent to Fortify Software Security
Center.
To add an attachment to a session, do one of the following:
l Right-click a session (Web Site Scan or Guided Scan) or an operation or vulnerability (Web Service
Scan) in the navigation pane and select Attachments from the shortcut menu.
l Right-click an item on the Vulnerabilities tab of the summary pane and select Attachments from
the shortcut menu.
l Select a session (Web Site Scan or Guided Scan) or an operation or vulnerability (Web Service
Scan) in the navigation pane, then select Attachments from the Session Info panel and click the
Add icon (in the information pane).
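The Details option reports two content types for a response: the one the server claims in its
Content-Type header (Returned) and the one inferred from the body (Detected). The following is an added
example, not the product's own detection logic and not code from the guide, of how such a comparison
works: a minimal, assumed set of body signatures is checked against constructed responses, and any
disagreement between the header and the body is flagged. A body that is really HTML but labelled as
something else is the case worth looking at, because a browser that sniffs content may render it anyway.

```python
"""Added example, not from the WebInspect Enterprise guide: derive a Detected
Content Type from a response body and compare it with the Returned
Content-Type header, as the Details option reports. The signature list is a
minimal assumption, not the product's detection logic; responses below are
constructed."""
import re


def returned_content_type(headers):
    """Media type from the Content-Type header, without parameters; '' if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def detect_content_type(body):
    """Infer a media type from the bytes actually returned (assumed signatures)."""
    head = body.lstrip()[:512]
    lowered = head.lower()
    if head.startswith(b"%PDF-"):
        return "application/pdf"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if head.startswith((b"FWS", b"CWS", b"ZWS")):   # uncompressed / zlib / LZMA SWF
        return "application/x-shockwave-flash"
    if lowered.startswith(b"<?xml"):
        return "application/xml"
    if lowered.startswith(b"<!doctype html") or b"<html" in lowered or b"<script" in lowered:
        return "text/html"
    if re.match(rb"[\[{]", head):
        return "application/json"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    return "text/plain"


def check_response(headers, body):
    """Return (returned, detected, mismatch). A missing header counts as a mismatch."""
    returned = returned_content_type(headers)
    detected = detect_content_type(body)
    return returned, detected, returned != detected


# Constructed responses. The first is the one worth flagging: a body that is
# really HTML but labelled text/plain may still be rendered as HTML by a
# browser that sniffs content, and the script in it would then execute.
SAMPLES = [
    ({"Content-Type": "text/plain"}, b"<html><body><script>alert(1)</script></body></html>"),
    ({"Content-Type": "application/json; charset=utf-8"}, b'{"ok": true}'),
    ({"content-type": "application/x-shockwave-flash"}, b"CWS\x0a\x00\x00\x00\x00"),
    ({}, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        returned, detected, mismatch = check_response(headers, body)
        label = returned or "(none)"
        print(f"returned={label:<32} detected={detected:<32} {'MISMATCH' if mismatch else 'ok'}")
```

The signature list is deliberately short; a real detector checks far more formats, but the shape of the
check (header value versus body evidence, mismatch reported rather than silently trusting the header) is
the point.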
Scan Dashboard
For information about the contents of the Scan Dashboard, see "Reviewing the Scan Dashboard" on
page 158.
Summary Pane
When conducting or viewing a scan, the horizontal Summary pane at the bottom of the window
provides a centralized table of vulnerable resources and allows you to quickly access vulnerability
information. You can click and drag the horizontal divider above the table to show or hide more of the
Summary pane.
The table in the Summary pane has a set of default columns. To add or delete columns, right-click the
column header bar and select or deselect the desired columns. Except as noted, the available columns
are:
l Link: (Available when viewing a scan comparison) Whether the information applies to Scan A, to Scan B,
or to both Scans A and B.
l Severity: (Available for Vulnerabilities and Not Found tabs; not available for Information and
Best Practices tabs) A relative assessment of the vulnerability, ranging from low to critical. A table of
associated severity icons is shown earlier in this topic.
l Check: A Fortify WebInspect probe for a specific vulnerability, such as cross-site scripting,
unencrypted log-in form, etc.
l Path: The hierarchical path to the resource.
l Method: HTTP method, such as GET, PUT, etc.
l Vuln Parameter: The name of the vulnerable parameter.
l Parameters: Names of parameters and values assigned to them.
l Reproducible: Valid values are Reproduced, Not Found/Fixed, or New. Column is available for Site
Retests only (Retest Vulnerabilities).
l SSC Publish Status: The status as it exists in Fortify Software Security Center (SSC), if previously
published.
l SSC Status: Expected status of the vulnerability when the scan is published to Fortify Software
Security Center.
l Stack Trace?: Stack trace information obtained from Fortify WebInspect Agent.
l CWE IDs: The Common Weakness Enumeration identifier(s) associated with the vulnerability.
l Kingdom: The category in which this vulnerability is classified, using a taxonomy of software security
errors developed by the HPE Security Fortify Software Security Research Group.
l Application: The application or framework in which the vulnerability is found, such as ASP.NET or
Microsoft IIS server.
l Response Length: The response size in bytes for the vulnerable session.
You can click any column heading to sort the entries by that column.
You can group the data in a hierarchy by selecting column headings and dragging them to the area
immediately above the column headings. For example, you can click and drag the Severity column
heading and then click and drag the Check column heading to group by Severity, then by type of Check.
Then, the table is organized by those hierarchical groupings, which no longer appear as columns in the
table. By default, the Vulnerabilities and Not Found tabs are organized by Severity and then by
Check; the Information and Best Practices tabs are organized by Check.
You can click the filter icon at the right of any column heading to open a filter that allows you to choose
a variety of conditions regarding that column that must be met in order for an item (row) to remain
listed in the table after filtering. The available conditions include the full set of current values in the
column, and you can also specify logical expressions regarding the content of that column. For example,
in the filter for the Vuln Parameter column, suppose you:
1. Leave the top set of check boxes as is.
2. Below the Show rows with value that text, select Contains from the drop-down menu.
3. Type Id in the text box below the drop-down menu.
4. Click Filter.
Then the table will show only rows that contain the text "Id" in the Vuln Parameter column. This would
include rows for which the value of Vuln Parameter is accountId or payeeId or any other entry that
includes "Id."
You can specify filters for multiple columns, one column at a time, and all the filters will be applied.
If a filter for a column has been specified, its icon becomes a darker blue than the icons for unused
filters.
To quickly clear a filter, click Clear Filter while the filter is open to be specified.
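The filter and grouping behaviour described above can be modelled in a few lines. The following is an
added example, not code from the guide or the product: a constructed Summary-pane table is filtered
column by column (the conditions on different columns are ANDed, as the text says) and then nested under
the dragged column headings, Severity first and Check second, which is the default hierarchy. The column
names follow the guide; the set of filter operators and the case-sensitive "Contains" are assumptions.

```python
"""Added example, not from the WebInspect Enterprise guide: a model of the
Summary pane's per-column filters and drag-to-group hierarchy, applied to a
constructed vulnerability table. Column names follow the guide; the set of
filter operators and the case-sensitive "Contains" are assumptions."""
import re
from collections import OrderedDict

# Constructed sample rows, one dict per Summary-pane row.
ROWS = [
    {"Severity": "Critical", "Check": "SQL Injection", "Method": "POST",
     "Path": "/login.asp", "Vuln Parameter": "uid"},
    {"Severity": "High", "Check": "Cross-Site Scripting", "Method": "GET",
     "Path": "/account.asp", "Vuln Parameter": "accountId"},
    {"Severity": "High", "Check": "Cross-Site Scripting", "Method": "POST",
     "Path": "/pay.asp", "Vuln Parameter": "payeeId"},
    {"Severity": "Medium", "Check": "Unencrypted Login Form", "Method": "GET",
     "Path": "/login.asp", "Vuln Parameter": ""},
    {"Severity": "Low", "Check": "Cross-Site Scripting", "Method": "GET",
     "Path": "/search.asp", "Vuln Parameter": "id"},
]

# Sort order for the Severity grouping, highest first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def matches(value, condition):
    """One filter condition, (operator, operand), tested against a cell value."""
    op, operand = condition
    if op == "in":          # the check-box list of current column values
        return value in operand
    if op == "contains":    # the "Show rows with value that Contains" box
        return operand in value
    if op == "equals":
        return value == operand
    if op == "matches":     # regular-expression condition (assumed operator)
        return re.search(operand, value) is not None
    raise ValueError(f"unknown operator {op!r}")


def apply_filters(rows, filters):
    """filters maps column -> list of conditions. Every condition on every
    filtered column must hold, so filters on different columns are ANDed."""
    return [row for row in rows
            if all(matches(row.get(col, ""), cond)
                   for col, conds in filters.items() for cond in conds)]


def group_by(rows, hierarchy):
    """Nest rows under the dragged column headings, outermost heading first."""
    if not hierarchy:
        return rows
    col, rest = hierarchy[0], hierarchy[1:]
    buckets = OrderedDict()
    for row in rows:
        buckets.setdefault(row.get(col, ""), []).append(row)
    key = (lambda k: SEVERITY_ORDER.get(k, 99)) if col == "Severity" else (lambda k: k)
    return OrderedDict((k, group_by(buckets[k], rest)) for k in sorted(buckets, key=key))


def summary_view(rows, filters, hierarchy):
    """Filter first, then group: what the pane shows after Filter is clicked."""
    return group_by(apply_filters(rows, filters), hierarchy)


if __name__ == "__main__":
    # The guide's example: Vuln Parameter Contains "Id", default Severity > Check grouping.
    view = summary_view(ROWS, {"Vuln Parameter": [("contains", "Id")]}, ["Severity", "Check"])
    for severity, checks in view.items():
        for check, rows in checks.items():
            print(severity, "/", check, "->", [r["Vuln Parameter"] for r in rows])
```

With the guide's own filter ("Id" in Vuln Parameter) only accountId and payeeId survive, grouped under
High and then Cross-Site Scripting; the lower-case "id" row is excluded because the match here is
case-sensitive.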
Summary Pane Tabs
The summary pane has the following tabs:
l Vulnerabilities
l Not Found
l Information
l Best Practices
l Scan Log
l Server Information
l Reports
More information about each of these tabs follows.
Vulnerabilities Tab
The Vulnerabilities tab lists information about each vulnerability discovered during an audit of your
Web presence. The severity of each vulnerability is indicated by one of four icons (not reproduced here):
Critical, High, Medium, or Low.
With a session selected, you can also view associated information by selecting an option from the
Session Info panel.
Right-clicking an item in the Summary pane displays a shortcut menu containing the following
commands:
l Copy URL - Copies the URL to the Windows clipboard.
l Copy Selected Item(s) - Copies the text of selected items to the Windows clipboard.
l Copy All Items - Copies the text of all items to the Windows clipboard.
l Export - Creates a comma-separated values (.csv) file containing either all items or selected items
and displays it in Microsoft Excel.
l View in Browser - Renders the HTTP response in a browser.
l Change Severity - Change the severity level.
l Edit Vulnerability - Display the Edit Vulnerabilities dialog, allowing you to modify various
vulnerability characteristics.
l Rollup Vulnerabilities - Available if multiple vulnerabilities are selected; allows you to roll up the
selected vulnerabilities into a single instance that is prefixed with the tag “[Rollup]” in Fortify
WebInspect Enterprise and reports. See "About Vulnerability Rollup" on page 176 for more
information.
Note: If you have selected a rolled up vulnerability, this menu option is Unroll Vulnerabilities.
l Review Vulnerability - Available if one vulnerability is selected; allows you to retest the vulnerability.
If the vulnerability was detected in only one scan, the Retest Vulnerabilities window opens; if the
vulnerability was detected in both scans, you are first prompted to select a scan. See "Reviewing
Vulnerabilities" on page 171 for more information.
Note: The Mark As and Send To buttons are not enabled on the Retest Vulnerabilities window.
l Mark as - Flag the vulnerability as a false positive or as ignored. In both cases, the vulnerability is
removed from the list. To view a list of all false positives, click False Positives in the Scan Info panel.
To view (and optionally recover) deleted sessions and vulnerabilities, click Deleted Items in the Scan
Info panel.
l Remove Location - Delete from the navigation pane the session associated with the selected
vulnerability and also delete any associated vulnerabilities. To view (and optionally recover) deleted
sessions, click Deleted Items in the Scan Info panel.
l Attachments - Create a note or associate an image with the selected vulnerability.
Note: Notes longer than 2000 characters will be truncated when sent to Fortify Software Security
Center.
l Update SSC Status - Change the status of an issue to be submitted to Fortify Software Security
Center. Statuses are: New, Existing, Reintroduced, Resolved, Still an Issue, and Not Found. The
availability of a specific status is determined by the current status.
Note: For Post and Query parameters, click an entry in the Parameters column to display a more
readable synopsis of the parameters.
Not Found Tab
The Not Found tab lists vulnerabilities that were detected by a previous scan in this project version, but
were not detected by the current scan. These vulnerabilities are not included in counts on the
Dashboard and are not represented in the Site view or the Sequence view of the navigation pane.
Right-clicking an item in the list presents the same options described above for the shortcut menu for a
vulnerability.
Information Tab
The Information tab lists information discovered during a Fortify WebInspect scan. These are not
considered vulnerabilities. They simply identify interesting points in the site or certain applications or
Web servers. When you click a listed URL, the related item in the navigation page is highlighted.
Right-clicking an item in the list presents the same options described above for the shortcut menu for a
vulnerability.
Best Practices Tab
The Best Practices tab lists issues detected by Fortify WebInspect that relate to commonly accepted
best practices for Web development. Items listed here are not vulnerabilities, but are indicators of overall
site quality and site development security practices (or lack thereof).
Right-clicking an item in the list presents the same options described above for the shortcut menu for a
vulnerability.
Scan Log Tab
Use the Scan Log tab to view information about activities that occurred during the scan. For instance,
the time at which certain audit methodologies are applied against your Web presence are listed here.
Server Information Tab
The Server Information tab lists items of interest pertaining to the server. Only one occurrence of an
item or event is listed per server.
Reports Tab
The Reports tab displays a list of reports that have been run or are running for the scan.
Buttons above the list of reports allow you to:
l Abort report generation for a report that has not been completed (that is, the State of the report is
Pending or Running).
l Save a completed report to a location you specify.
l Delete a completed report.
One way to create a report is to click New Report in the toolbar, as described below.
Toolbar
Actions available from the toolbar at the top of the Scan Visualization window include the following:
l Resume - Continue a scan after you paused the process.
l Pause - Halt a scan. Click Resume to continue.
l Stop - Terminate the scan; it cannot be resumed.
l Repeat Scan - Rescan the target site using the same settings as the original scan.
l Scan Again - Display settings used for this scan, allowing you to modify them before initiating
another scan.
l Retest Vulnerabilities - This type of scan examines only those portions of the target site in which
vulnerabilities were detected during the original scan. Fortify WebInspect Enterprise does not
conduct a new crawl of the site, but simply retraces the path of vulnerable sessions (as recorded in
the original scan) and attacks the resources using the same checks previously employed. The default
name of the scan is "Site Retest - <original scan name>"; for example, the retest of a site that originally
resulted in a scan named MySite would produce a scan named Site Retest - MySite. However, you can
specify a different name when launching the scan.
Important! HPE does not recommend retesting vulnerabilities in scans created using earlier
versions of Fortify WebInspect. While retesting scans from earlier versions may work in many
instances, it is not always reliable because individual checks may not flag the same vulnerability
during a retest. Failure of a check to flag the same vulnerability while retesting a scan from an
earlier version of Fortify WebInspect may not mean the vulnerability has been remediated.
l Export Scan - Export the selected scan (or settings for the selected scan) to a destination you select.
l Publish Scan to SSC - Send scan data to Fortify Software Security Center. For more information, see
"Publishing Scans to Fortify Software Security Center" on page 170.
l New Report - Create a new report from a scan you select and open. The reports available in Fortify
WebInspect Enterprise are a subset of the reports available in Fortify WebInspect.
The first time you create a report (or launch a Guided Scan) from Fortify WebInspect Enterprise or
Fortify Software Security Center, the Fortify WebInspect Enterprise Thin Client application:
l Runs a wizard that verifies your computer meets the prerequisites for installing the Thin Client.
l Downloads and installs itself on your computer, along with a Help system.
l Launches either reporting or Guided Scan, depending on which you selected.
For detailed information about creating a report, see the Thin Client download Help.
l Compare - Compare two scans. See "Comparing Scans" on page 163.
See Also
"Reviewing the Scan Dashboard" on the next page
"Reviewing the Scan List" on page 141
Reviewing the Scan Dashboard
The Scan Dashboard is part of the scan visualization (see "Reviewing Scan Results" on page 146). It
displays a real-time summary of the scan results and a graphic representation of the scan progress if the
scan is under way. It can also display the results of a scan comparison (see "Comparing Scans" on
page 163).
In the following example, the scan has been completed and imported.
Progress Bars
Each bar represents the progress being made through that scanning phase. In the following example,
the scan that includes these progress bars is under way:
Progress Bar Descriptions
The following table describes the progress bars:
l Crawled - Number of sessions crawled / total number of sessions to crawl.
l Audited - Number of sessions audited / total number of sessions to audit. The total number includes
all checks except those pertaining to server type, which are handled by smart audit.
l Smart Audited - Number of sessions audited using smart audit / total number of sessions for smart
audit. For smart audit, Fortify WebInspect detects the type of server on which the Web application is
hosted. Fortify WebInspect runs checks that are specific to the server type and avoids checks that are
not valid for the server type.
l Verified - Number of persistent XSS vulnerable sessions verified / total number of persistent XSS
vulnerable sessions to verify. When persistent XSS auditing is enabled, Fortify WebInspect sends a
second request to all vulnerable sessions and examines all responses for probes that Fortify
WebInspect previously made. When probes are located, Fortify WebInspect records links between those
pages internally.
l Reflection Audited - Number of persistent XSS vulnerable linked sessions audited / total number of
persistent XSS vulnerable linked sessions to audit. When persistent XSS auditing is enabled, this
represents the work required for auditing the linked sessions found in the verification step for
persistent XSS.
Progress Bar Colors
1. Dark green indicates sessions that have been processed.
2. Light green indicates excluded, aborted, or rejected sessions (sessions that were considered for
processing, but were skipped due to settings or other reasons).
3. Light gray indicates the unprocessed sessions.
Activity Meters
Fortify WebInspect polls information about the activity occurring in the scan and displays the data in
Activity Meters. The data presents a real-time snapshot of the scan activity. This information can help
you to determine whether the scan is stalled or actively running.
The following table describes the Activity Meters:
l Network - The amount of data being sent and received by Fortify WebInspect. The chart shows this
data as B, KB, or MB sent/received over the last one second.
l Analysis - The amount of work being done per second by Fortify WebInspect in processing all
threads.
Scan Status
The Scan Status field under the progress bars describes the status of the scan. The status is Imported
in the example Scan Dashboard screenshot at the beginning of this topic.
Fortify WebInspect Agent Detected or Not Detected
Below the Scan Status field, the Scan Dashboard states either WebInspect Agent Detected or
WebInspect Agent Not Detected. For certain checks (such as SQL injection, command execution, and
cross-site scripting), Fortify WebInspect Agent intercepts Fortify WebInspect HTTP requests and
conducts runtime analysis on the target module. If this analysis confirms that a vulnerability exists,
Fortify WebInspect Agent appends the stack trace to the HTTP response. Developers can analyze this
stack trace to investigate areas that require remediation.
Vulnerabilities Graphics
The following table describes the vulnerabilities graphics:
l Vulnerability Graph - A bar chart showing the total number of issues identified for the scan per
severity level.
l Attack Stats Grid - Number of attacks made and issues found, categorized by attack type and audit
engine.
Statistics Panel - Scan Section
The following table describes the Scan Section of the Statistics Panel:
l Client - The rendering engine or user agent specified for the scan. Options are IE (Internet
Explorer), FF (Firefox), iPhone, iPad, Android, Windows Phone, and Windows RT.
l Duration - Length of time the scan has been running (can be incorrect if the scan terminates
abnormally).
l Policy - Name of the policy used for the scan. For a retest, the field contains a dash ("-"),
because the retest does not use the entire policy; see "Reviewing Vulnerabilities" on page 171.
l Deleted Items - The number of sessions and vulnerabilities removed by the user from the scan.
To remove a session (together with its associated vulnerabilities), right-click the session in the
Navigation pane and select Remove Location from the shortcut menu. To remove a single vulnerability,
right-click it in the Summary pane and select Mark As Ignored, or select Edit Vulnerability and click
Delete on the Edit Vulnerabilities dialog. To restore a session or vulnerability that has been deleted,
click Deleted Items in the Scan Info panel, select the session or vulnerability, and click Recover. For
more information, see "Reviewing Scan Results" on page 146.
l Publish Status - The status of the scan in regard to the scan being published to Fortify Software
Security Center.
l Scan Type - Type of scan: Website, Service, or Site Retest.
Statistics Panel - Crawl Section
The following table describes the Crawl Section of the Statistics Panel:
l Hosts - Number of hosts included in the scan.
l Sessions - Total number of sessions (excluding AJAX requests, script and script frame includes, and
WSDL includes).
Statistics Panel - Audit Section
The following table describes the Audit Section of the Statistics Panel:
l Attacks Sent - Total number of attacks sent.
l Issues - Total number of issues found (all vulnerabilities, as well as best practices).
Statistics Panel - Network Section
The following table describes the Network Section of the Statistics Panel:
l Total Requests - Total number of requests made.
l Failed Requests - Total number of failed requests.
l Script Includes - Total number of script includes.
l Macro Requests - Total number of requests made as part of macro execution.
l 404 Probes - Number of requests for nonexistent resources, sent to learn how the server reports a
file-not-found condition.
l 404 Check Redirects - Number of times a 404 probe resulted in a redirect.
l Verify Requests - Requests made for detection of stored parameters.
l Logouts - Number of times a logout was detected and the login macro executed.
l Macro Playbacks - Number of times macros have been executed.
l AJAX Requests - Total number of AJAX requests made.
l Script Events - Total number of script events processed.
l Kilobytes Sent - Total number of kilobytes sent.
l Kilobytes Received - Total number of kilobytes received.
See Also
"Reviewing Scan Results" on page 146
Adding a Page or Directory
If you use manual inspection or other security analysis tools to detect resources that Fortify WebInspect
did not discover, you can add these locations manually and assign a vulnerability to them. Incorporating
the data into a Fortify WebInspect scan allows you to track vulnerabilities using Fortify WebInspect
features.
Note: When creating additions to the data hierarchy, you must manually add resources in a logical
sequence. For example, to create a subdirectory and page, you must create the subdirectory before
creating the page.
To add a page or directory:
1. While reviewing the scan results, right-click an icon in the Site View in the Navigation Pane where
you want to add the resource.
2. Select the type of resource you want to add from the context menu.
3. Replace the default Name of the page or directory with the name of the resource to be added.
4. If necessary, edit the HTTP Request and Response. Do not change the request path.
5. When finished, click OK.
Adding a Variation
If you use manual inspection or other security analysis tools to detect resources that Fortify WebInspect
did not discover, you can add these locations manually and assign a vulnerability to them. Incorporating
the data into a Fortify WebInspect scan allows you to track vulnerabilities using Fortify WebInspect
features.
What is a Variation?
A variation is a subnode of a location that lists particular attributes for that location. For example, the
login.asp location might have the variation:
(Post) uid=12345&Password=foo&Submit=Login
Variations, like any other location, can have vulnerabilities attached to them, as well as subnodes.
Procedure
To add a variation:
1. While reviewing the scan results, right-click an icon in the Site View in the Navigation Pane where
you want to add the resource.
2. Select Variation from the context menu.
3. In the Name field, replace the default "attribute=value" with the actual parameters to be sent (for
example, uid=9999&Password=kungfoo&Submit=Login).
4. Select either Post or Query.
5. If necessary, edit the HTTP Request and Response. Do not change the request path.
6. When finished, click OK.
Comparing Scans
You can compare the vulnerabilities revealed by two different scans of the same target and use this
information to:
l Verify fixes: Compare vulnerabilities detected in the initial scan with those in a subsequent scan of a
site in which the vulnerabilities were supposedly fixed.
l Check on scan health: Change scan settings and verify that those changes expand the attack surface.
l Find new vulnerabilities: Determine if new vulnerabilities have been introduced in an updated version
of the site.
l Investigate Issues: Pursue anomalies such as false positives or missed vulnerabilities.
l Compare authorization access: Conduct scans using two different user accounts to discover
vulnerabilities that are unique or common to both accounts.
Note: Both of the scans to be compared (Scan A and Scan B) must be in the same Fortify Software
Security Center project version. When you select the first scan, only other scans in the same Fortify
Software Security Center project version are displayed for you to select as the second scan.
Note: You cannot conduct a comparison if either of the scans is currently running.
Note: Data from both scans must be stored in the same database type (SQL Server Express Edition
or SQL Server Standard/Enterprise Edition).
Effect of Scheme, Host, and Port Differences on Scan Comparison
Fortify WebInspect does not ignore the scheme, host, or port when comparing scans, so two scans of the
same application reached through different schemes, host names, or ports (for example, duplicate sites
hosted on different servers) are not correlated.
For example, the following site pairs would not be correlated in a scan comparison because of
differences in scheme, host, or port:
Scheme
l Site A - http://zero.webappsecurity.com/
l Site B - https://zero.webappsecurity.com
Host
l Site A - http://dev.foo.com/index.html?par1=123&par2=123
l Site B - http://qa.foo.com/index.html?par1=123&par2=123
Port
l Site A - http://zero.webappsecurity.com:80/
l Site B - http://zero.webappsecurity.com:8080/
Selecting Scans to Compare
To compare two scans:
1. Select and open a scan from the Scans page. This scan will be Scan A in the comparison.
2. In the toolbar at the top of the Scan Visualization window, click Compare.
3. In the list of scans that appears, select a scan and click OK. This scan will be Scan B in the
comparison.
Only scans in the same Fortify Software Security Center project version are listed.
A warning message appears if the selected scans have different start URLs, used different scan
policies, or are of a different type (such as a Web Site Scan and a Web Service Scan). You can
choose to continue, or you can terminate the comparison.
The scan comparison is generated and displayed.
Following is an example scan comparison.
Reviewing the Scan Dashboard
The Scan Dashboard displays the scan comparison results.
Scan Descriptions
The following information appears in boxes for Scan A and Scan B:
l Scan A or Scan B: Name of the scan.
l Date: Date and time the scan was conducted.
l Policy: Policy used for the scan; see "Policies List" on page 126 for more information.
l Issues: Total number of issues identified on the Vulnerabilities tab, the Information tab, and the
Best Practices tab.
l Unique/Total: Number of unique sessions created for this scan (that is, the number of sessions that
appear in this scan and not the other scan), compared to the total number of sessions for this scan.
l Coverage: Percentage of sessions that are common to both scans.
Venn Diagram
The Venn diagram between the scan description boxes depicts the session coverage of Scan A
(represented by a yellow circle) and the session coverage of Scan B (represented by a blue circle). The
intersection of the two sets is represented by the green overlap. (In prior releases, the Venn diagram
represented the overlap of vulnerabilities.)
The Venn diagram is scaled to reflect the actual relationship between the sets.
Several examples of session coverage overlap are illustrated below.
[Figure: Venn diagram examples - No Intersection; 50% Intersection; A Encompasses B; Most of A Intersects B; Complete Intersection]
Vulnerabilities Bar Chart
In separate groupings for each vulnerability severity and for False Positives, the bottom of the Scan
Dashboard displays a set of bar charts that show the number of vulnerabilities found in Scan A, in Scan
B, and in their intersection (Intersect). The same color coding is used as in the Venn diagram. These bar
charts do not change based on the selected Compare Mode.
Note: When comparing scans, Fortify WebInspect ignores the host and port. Consider two
duplicate sites that are hosted on different servers. One site that is under development might be
hosted at http://dev.mysite.com while that same site might be undergoing testing at
http://QA.mysite.com. The host URL and port are not considered when comparing sessions
and vulnerabilities between scans. For example:
l Scan A: Session 1 is an http request to http://qa.mysite.com/stuff/page/info.asp. It
has a vulnerability.
l Scan B: Session 1 is an http request to
http://dev.mysite.com:8080/stuff/page/info.asp. It has the same vulnerability as
Scan A, session 1.
When comparing scans, session 1 will appear as "Intersect" (intersection of A and B).
Compare Modes
You can select one of the following options in the Compare Mode section to the left of the Scan
Dashboard to display different data in the Sequence area in the left pane (the data in the Scan
Dashboard is not affected):
l Mutual Exclusion: Lists sessions that appear in Scan A or Scan B, but not in both scans
l Only In A: Lists sessions that appear in only Scan A
l Only in B: Lists sessions that appear in only Scan B
l Union (the default): Lists sessions that appear in Scan A, Scan B, or both Scans A & B
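The following model, added here as an illustration and not code from WebInspect Enterprise, correlates the sessions of two scans and derives the four Compare Mode session lists, the Unique/Total and Coverage figures of the scan description boxes, and the per-severity bar chart counts. The correlation key (scheme, host, explicit port, path and query all significant, as in the "Effect of Scheme, Host, and Port Differences" section) and the sample sessions are assumptions constructed for the example.

```python
"""Scan comparison model for the Compare Modes and Scan Dashboard sections.
Added example, not WebInspect Enterprise code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Session:
    url: str
    severity: Optional[str] = None  # vulnerability severity, or None if the session is clean


def session_key(url: str) -> Tuple[str, str, str, str]:
    """Correlation key for a session (assumption). Scheme, host, explicit port,
    path and query are all significant, so the dev/qa and :80 vs :8080 pairs
    from the guide do not correlate."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = f"{host}:{p.port}" if p.port is not None else host
    return (p.scheme.lower(), netloc, p.path or "/", p.query)


def compare(scan_a: List[Session], scan_b: List[Session]) -> Dict:
    """Return the Sequence-pane lists per Compare Mode, the scan description
    figures and the bar chart counts for Scan A, Scan B and Intersect."""
    a = {session_key(s.url): s for s in scan_a}
    b = {session_key(s.url): s for s in scan_b}
    keys_a, keys_b = set(a), set(b)
    both = keys_a & keys_b

    def urls(keys) -> List[str]:  # representative URL per correlated key
        return sorted((a[k] if k in a else b[k]).url for k in keys)

    def pct(n: int, d: int) -> float:
        return round(100.0 * n / d, 1) if d else 0.0

    modes = {
        "Union": urls(keys_a | keys_b),
        "Mutual Exclusion": urls(keys_a ^ keys_b),
        "Only In A": urls(keys_a - keys_b),
        "Only In B": urls(keys_b - keys_a),
    }
    dashboard = {
        "A": {"unique": len(keys_a - keys_b), "total": len(keys_a),
              "coverage": pct(len(both), len(keys_a))},
        "B": {"unique": len(keys_b - keys_a), "total": len(keys_b),
              "coverage": pct(len(both), len(keys_b))},
    }
    # Bar chart: per severity, count in A, in B and in the intersection
    # (assumption: a session counts toward Intersect when both scans report that severity)
    bars = {}
    for sev in SEVERITIES:
        in_a = {k for k, s in a.items() if s.severity == sev}
        in_b = {k for k, s in b.items() if s.severity == sev}
        bars[sev] = {"A": len(in_a), "B": len(in_b), "Intersect": len(in_a & in_b)}
    return {"modes": modes, "dashboard": dashboard, "bars": bars}


# Constructed sample scans (not real scan data)
SCAN_A = [
    Session("http://qa.mysite.com/stuff/page/info.asp", "High"),
    Session("http://qa.mysite.com/login.asp", "Medium"),
    Session("http://qa.mysite.com/about.asp"),
]
SCAN_B = [
    Session("http://qa.mysite.com/stuff/page/info.asp", "High"),
    Session("http://qa.mysite.com/about.asp"),
    Session("http://qa.mysite.com/admin/", "Critical"),
    Session("http://dev.mysite.com:8080/stuff/page/info.asp", "High"),  # other host/port: not correlated
]

if __name__ == "__main__":
    result = compare(SCAN_A, SCAN_B)
    for mode, sessions in result["modes"].items():
        print(f"{mode}: {len(sessions)} session(s)")
    print(result["dashboard"])
```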
Session Filtering
The Sequence pane lists each session that matches the selected Compare Mode. An icon to the left of
the URL indicates the severity of the vulnerability, if any, for that session. The severity icons are:
Critical
High
Medium
Low
At the top of the Sequence pane, you can specify a filter and click Filter to limit the set of displayed
sessions in the following ways:
l You can enter the URL with only its starting characters, as a "starts with" match. Your entry must
begin with the protocol (http:// or https://).
l You can search for an exact match by specifying the URL in quotes. Your entry must begin with the
opening quote and the protocol ("http:// or "https://).
l You can use an asterisk (*) as a wildcard character at the beginning or end of the string you enter.
l You can use asterisks (*) at both the beginning and end of the string you enter, which requires
matches to contain the string between the asterisks.
l You can enter a question mark (?) followed by a full query parameter string to find matches to that
query parameter.
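The filter rules above, as an added example that is not part of the guide: each kind of entry becomes a predicate over session URLs. The sample sessions are constructed, and the treatment of the "?" form (the text after the question mark must equal one "&"-separated parameter or the whole query string) is an assumption.

```python
"""Sequence-pane session filter implementing the Session Filtering rules.
Added example, not WebInspect Enterprise code."""
from typing import Callable, List
from urllib.parse import urlsplit

PROTOCOLS = ("http://", "https://")


def make_session_filter(spec: str) -> Callable[[str], bool]:
    """Turn a filter entry into a predicate over session URLs."""
    spec = spec.strip()
    if not spec:
        return lambda url: True
    # "http://..." in quotes: exact match (closing quote optional, as a user might type it)
    if spec.startswith('"'):
        exact = spec.strip('"')
        if not exact.startswith(PROTOCOLS):
            raise ValueError('quoted entry must begin with "http:// or "https://')
        return lambda url: url == exact
    # ?name=value: sessions whose query string carries that parameter
    # (assumption: equal to one '&'-separated parameter or to the whole query)
    if spec.startswith("?"):
        wanted = spec[1:]

        def by_query(url: str) -> bool:
            query = urlsplit(url).query
            return wanted == query or wanted in query.split("&")

        return by_query
    # asterisk wildcards are honoured at the start and/or end only
    leading, trailing = spec.startswith("*"), spec.endswith("*")
    core = spec.strip("*")
    if leading and trailing:
        return lambda url: core in url
    if leading:
        return lambda url: url.endswith(core)
    if trailing:
        return lambda url: url.startswith(core)
    # plain entry: "starts with" match that must begin with the protocol
    if not spec.startswith(PROTOCOLS):
        raise ValueError("entry must begin with http:// or https://")
    return lambda url: url.startswith(spec)


def filter_sessions(urls: List[str], spec: str) -> List[str]:
    """Apply one filter entry to a list of session URLs, keeping input order."""
    matches = make_session_filter(spec)
    return [u for u in urls if matches(u)]


# Constructed sample sessions (not real scan data)
SAMPLE_SESSIONS = [
    "http://dev.foo.com/index.html?par1=123&par2=123",
    "http://qa.foo.com/index.html?par1=123&par2=123",
    "https://zero.webappsecurity.com/login.asp",
    "http://zero.webappsecurity.com/",
    "http://qa.mysite.com/stuff/page/info.asp",
]

if __name__ == "__main__":
    for entry in ("http://qa.", '"http://zero.webappsecurity.com/"', "*info.asp", "*foo.com*", "?par2=123"):
        print(f"{entry!r:40} -> {filter_sessions(SAMPLE_SESSIONS, entry)}")
```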
Using the Session Info Panel
When you select a session in the Sequence pane, the Session Info panel opens below the Compare
Mode options. With a session selected, you can select an option in the Session Info panel to display
more details about that session, to the right of the Session Info panel. If the session contains data for
both scans, the data for some functions such as Web Browser, HTTP Request, and Steps are shown in
a split view with Scan A on the left side and Scan B on the right side. The Session Info panel has the
same options as a scan visualization except that the scan comparison does not include Attachments.
For more information about the Session Info panel, see "Reviewing Scan Results" on page 146.
Note: The Steps option displays the path taken by Fortify WebInspect to arrive at the
session selected in the Sequence pane or the URL selected in the Summary pane. Beginning with
the parent session (at the top of the list), the sequence reveals the subsequent URLs visited and
provides details about the scan methodology. In a scan comparison, if any of the steps for the
session are different between the scans, the In Both column is added to the Steps table (as the first
column). A value of Yes in the column for a particular step indicates that the step is the same for
that session for both scans A and B. A value of No in the column for a particular step indicates that
the step is different for that session between scans A and B.
Using the Summary Pane to Review Vulnerability Details
When comparing scans, the horizontal Summary pane at the bottom of the window provides a
centralized table of vulnerable resources and allows you to quickly access vulnerability information. You
can drag the horizontal divider above the table to show or hide more of the Summary pane.
The Vulnerabilities tab at the bottom of the page is selected by default. The Information, and Best
Practices tabs display analogous data.
The set of entries (rows) displayed in the table depends on the option selected for Compare Mode.
Possible values in the Link column reflect the selected Compare Mode.
See "Reviewing Scan Results" on page 146 for information about:
l The meanings of the displayed columns, and changing which columns are displayed
l Grouping the data in a hierarchy by clicking and dragging one or more column headings
l Limiting which rows are displayed by creating filters for one or more of the columns
l The following menu commands, which you can access by right-clicking an item in the Vulnerabilities,
Information, or Best Practices tab:
l Copy URL
l Copy Selected Item(s)
l Copy All Items
l Export
l View in Browser
l Review Vulnerability
About Publishing Scans to Fortify Software Security Center
Fortify Software Security Center (SSC) is a suite of tightly integrated solutions for identifying,
prioritizing, and fixing security vulnerabilities in software. It uses HPE Security Fortify Static Code
Analyzer to conduct static analysis and Fortify WebInspect to conduct dynamic application security
testing.
Although Fortify WebInspect can export scan data directly to Fortify Software Security Center, Fortify
WebInspect Enterprise provides a central location for managing multiple Fortify WebInspect sensors
and correlating scan results that can be published to individual project versions within Fortify Software
Security Center.
Fortify WebInspect Enterprise maintains a history of all vulnerabilities for a particular project version,
allowing it to correlate information obtained from subsequent scans. For example, when a second scan
is introduced into Fortify WebInspect Enterprise for a specific project version, the program compares
vulnerabilities in the scan with those in the history and assigns a status to each Fortify Software
Security Center "issue" as follows:
l New - A previously unreported issue.
l Existing - A vulnerability in the scan that is already in the history.
l Not Found - A vulnerability in the history that is not found in the scan. This can occur
because (a) the vulnerability has been remediated and no longer exists, or (b)
because the latest scan used different settings, or scanned a different portion of
the site, or for some other reason did not discover the vulnerability. You must
decide whether the vulnerability still exists or whether it has been fixed.
l Reintroduced - A vulnerability that appears in a current scan but was previously reported as
resolved.
To change the SSC status for an individual issue, open a scan in the Scan Visualization window, right-click an item on the Vulnerability, Not Found, Information, or Best Practices tab and select Update
SSC Status.
The following example demonstrates a hypothetical series of scans for integrating vulnerabilities into
Fortify Software Security Center.
First Scan
1. Scan the target site. In this example, assume that only one vulnerability (Vuln A) is discovered.
2. Examine the results. You can add screenshots and comments to vulnerabilities or mark
vulnerabilities as false positive or ignored. You can also review, retest, and delete vulnerabilities.
3. Publish the scan.
Second Scan
1. The second scan again reveals Vuln A, but also discovers four more vulnerabilities (Vulns B, C, D,
and E).
2. Examine the results. If you added audit data (such as comments and screenshots) to Vuln A when
publishing the first scan, the data will be imported into the new scan.
3. Publish the scan to Fortify Software Security Center. Vuln A will be marked "Existing," Vulns B-E will
be marked "New," and five items will exist in the Fortify Software Security Center system.
Third Scan
1. The third scan discovers Vulns B, C, and D, but not Vuln A or Vuln E.
2. After retesting Vuln A, you determine that it does, in fact, exist. You change its pending status to
"Still an Issue."
3. After retesting Vuln E, you determine that it does not exist. You change its pending status to
"Resolved."
4. Publish the scan to Fortify Software Security Center. Vulns B, C, and D will be marked "Existing."
Five items will exist in the Fortify Software Security Center system.
Fourth Scan
1. The fourth scan does not find Vuln A or Vuln B. The scan does find Vulns C, D, E, and F.
2. Vuln E was previously declared to be resolved and so its status is set to “Reintroduced.”
3. You examine the vulnerabilities that were not found (A and B, in this example). If you determine
that the vulnerability still exists, update the pending status to “Still an Issue.” If a retest verifies that
the vulnerability does not exist, update the pending status to “Resolved.”
4. Publish the scan to Fortify Software Security Center. Vulns C and D will be marked "Existing."
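The status rules and the four-scan series above, replayed by a small model that is an added example and not WebInspect Enterprise code. The history is modelled as a per-issue "currently resolved" flag, and the "Retain" default for Not Found items without a pending status is an assumption taken from the publish dialog described in the next section.

```python
"""SSC status assignment across successive publishes of one project version,
replaying the guide's hypothetical four-scan series. Added example."""
from typing import Dict, Iterable, List, Optional

NEW, EXISTING, NOT_FOUND, REINTRODUCED = "New", "Existing", "Not Found", "Reintroduced"
STILL_AN_ISSUE, RESOLVED = "Still an Issue", "Resolved"


class ProjectVersionHistory:
    """Vulnerability history kept per project version (modelled as
    vulnerability name -> True when currently marked resolved)."""

    def __init__(self) -> None:
        self.resolved: Dict[str, bool] = {}

    def publish(self, found: Iterable[str], pending: Optional[Dict[str, str]] = None,
                default_not_found: str = STILL_AN_ISSUE) -> Dict[str, str]:
        """Return the SSC status of every issue touched by this publish.

        `pending` holds the pending statuses a reviewer set on individual
        Not Found items; `default_not_found` is the Retain/Resolve choice
        from the publish dialog, applied to the remaining Not Found items.
        """
        found = set(found)
        pending = pending or {}
        statuses: Dict[str, str] = {}
        for v in found:
            if v not in self.resolved:
                statuses[v] = NEW
            elif self.resolved[v]:
                statuses[v] = REINTRODUCED  # previously reported as resolved
            else:
                statuses[v] = EXISTING
            self.resolved[v] = False
        for v in list(self.resolved):
            if v in found or self.resolved[v]:
                continue  # handled above, or resolved by an earlier publish
            statuses[v] = NOT_FOUND
            # Retain keeps the issue open; Resolve marks it fixed
            self.resolved[v] = pending.get(v, default_not_found) == RESOLVED
        return statuses

    def item_count(self) -> int:
        """Number of issues that exist in the SSC system for this project version."""
        return len(self.resolved)


def walkthrough() -> List[Dict]:
    """Replay the First to Fourth Scan example; returns statuses and item counts per publish."""
    history = ProjectVersionHistory()
    steps = [
        ({"A"}, None),                                              # first scan
        ({"A", "B", "C", "D", "E"}, None),                          # second scan
        ({"B", "C", "D"}, {"A": STILL_AN_ISSUE, "E": RESOLVED}),    # third scan, after retests
        ({"C", "D", "E", "F"}, None),                               # fourth scan (A, B retained by default)
    ]
    out = []
    for found, pending in steps:
        statuses = history.publish(found, pending)
        out.append({"statuses": statuses, "items": history.item_count()})
    return out


if __name__ == "__main__":
    for n, step in enumerate(walkthrough(), start=1):
        print(f"Scan {n}: {step['statuses']} ({step['items']} items in SSC)")
```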
See Also
"Publishing Scans to Fortify Software Security Center" below
Publishing Scans to Fortify Software Security Center
When a scan completes, it is automatically published to the associated project version in Fortify
Software Security Center (SSC) if that project version is in the Finished state. If the project version is
not finished, the scan is not published and an entry is written to the ManagerWS_trace log indicating
that the scan could not be published because the associated project version is not finished.
Note: Imported scans and scans that are uploaded from Fortify WebInspect are not automatically
published.
You can manually publish a scan to Fortify Software Security Center from the following locations:
l Project Version Details form, All Scans tab with a scan selected, Publish button
l Scans form with a scan selected, Publish button
l Scan Visualization, Publish Scan to SSC button
When you publish a scan, Fortify WebInspect Enterprise displays a dialog listing the number of
vulnerabilities to be published, categorized by status and severity. To determine the status, Fortify
WebInspect Enterprise compares previously submitted vulnerabilities (obtained by synchronizing with
Fortify Software Security Center) with those reported in the current scan. If this is the first scan
submitted to a project version, all vulnerabilities will be “New.”
If a vulnerability was previously reported, but is not in the current scan, it is marked as “Not Found.” You
must determine if it was not found because it has been fixed or because the scan was configured
differently (for example, you may have used a different scan policy, or you scanned a different portion
of the site, or you terminated the scan prematurely). When examining the results, you can change the
“pending status” of individual vulnerabilities detected by all but the first scan (by right-clicking an item
in the summary pane). However, when publishing, you must specify how Fortify WebInspect should
handle any remaining “Not Found” vulnerabilities.
1. Under Default Status of “Not Found” Vulnerabilities, do one of the following:
l To retain these "Not Found" vulnerabilities in Fortify Software Security Center (indicating that
they still exist), select Retain: Assume all vulnerabilities still marked "Not Found" in the
scan are still present.
l To change the status from "Not Found" to "Resolved" (implying that they have been fixed),
select Resolve: Assume all vulnerabilities still marked "Not Found" in the scan are fixed.
Note: This section may not appear if there are no "Not Found" vulnerabilities.
2. If this scan satisfies a scan request issued from Fortify Software Security Center, select Associate
scan with an "In Progress" scan request for the current project version. See "Using Scan
Requests from Fortify Software Security Center" on page 115 for more information.
3. Click Publish.
See Also
"About Publishing Scans to Fortify Software Security Center" on page 169
Working with Vulnerabilities
The following pages describe how to review, edit, and add vulnerabilities, add notes and screenshots to
vulnerabilities, mark vulnerabilities as false positive, roll up vulnerabilities that share the same root
cause, and recover deleted items.
Reviewing Vulnerabilities
After you conduct a scan and report discovered vulnerabilities, developers may correct their code and
update the site. You can then open the original scan, select the once-vulnerable session (now
supposedly remediated), and select Review Vulnerability from the shortcut menu. Assuming that the
fundamental architecture of the site has not changed, you can verify that the threat no longer exists
without rescanning the entire site (which, in some cases, could require several hours or even days).
You can use this feature simply to double-check a reported vulnerability, even while the scan is still
running.
1. Do one of the following:
l Right-click a vulnerable session in the navigation pane and select Review Vulnerability.
l In the summary pane, select either the Vulnerability, Not Found, Information, or Best
Practices tab, right-click an item in the list, and select Review Vulnerability.
2. If multiple vulnerabilities are displayed, select one from the Vulnerability to Review list.
3. Use the tabs to display information about the original session (as selected in the Steps to
Reproduce pane under the URL column):
l Browser - The server’s response, as rendered in a browser.
Note: This tab may or may not be visible. Retesting a cross-site scripting vulnerability may cause
the script to loop infinitely on the Browser tab when using Microsoft Internet Explorer. Using
the Fortify WebInspect Enterprise Administrative Console, the organization administrator can
disable this tab.
l Request - The raw HTTP request message.
l Response - The raw HTTP response message.
l Vulnerability - A description of the vulnerability, its implications, and suggestions on how to fix
it.
l Attachments - Notes and screenshots associated with the vulnerability, which you may add,
view, edit, or delete.
Retesting the Session
To retest the session for the selected vulnerability:
1. Click Retest.
2. Select a sensor and click OK.
Results of the retest appear on the Status bar and in the lower pane in the Response Match Status
column. The remaining client area is split into two panes: the original session is represented in the left
pane, and the retested session appears in the right pane.
The status is reported as either "Vulnerability Detected" or "Vulnerability Not Detected."
Important! HPE does not recommend retesting vulnerabilities in scans created using earlier
versions of Fortify WebInspect. While retesting scans from earlier versions may work in many
instances, it is not always reliable because individual checks may not flag the same vulnerability
during a retest. Failure of a check to flag the same vulnerability while retesting a scan from an earlier
version of Fortify WebInspect may not mean the vulnerability has been remediated.
The reliability of the reported findings is qualified by the Response Match Status, which may have the
following values:
l Match - The resource has not changed significantly; Fortify WebInspect Enterprise was able to access
the session via the same path used by the original scan.
l Inconclusive - Based on the HTTP response, the resource has changed in a manner that may or may
not substantiate the finding that a vulnerability has or has not been detected during the retest.
l Different - The HTTP response is radically different from the response received during the original
scan, suggesting major changes to the resource.
If you think that Fortify WebInspect Enterprise has erroneously determined that the vulnerability exists,
you can remove the vulnerability by clicking Mark as and selecting False Positive from the drop-down
list. Alternatively, you can ignore the vulnerability by selecting Ignored.
Editing and Adding Vulnerabilities
After Fortify WebInspect Enterprise assesses your application’s vulnerabilities, you may want to edit
and save the results for a variety of reasons, including:
l Security - If an HTTP request or response contains passwords, account numbers, or other sensitive
data, you may want to delete or modify this information before making the scan results available to
other persons in your organization.
l Correction - Fortify WebInspect Enterprise occasionally reports a “false positive.” This occurs when
Fortify WebInspect Enterprise detects indications of a possible vulnerability, but further investigation
by a developer determines that the problem does not actually exist. You can delete the vulnerability
from the session or delete the entire session. Alternatively, you can designate it as a false positive; to
do so, right-click the session in either the Site or Sequence view and select Mark As False Positive.
l Severity Modification - If you disagree with Fortify WebInspect Enterprise’s ranking of a vulnerability,
you can assign a different level.
l Record Keeping - You can modify any of the text fields associated with an individual vulnerability
(Summary, Implication, Execution, Fix, and Reference Info). For example, you could add a paragraph
to the Fix section describing how you actually fixed the problem.
l Enhancement - If you discover a new vulnerability, you could define it and add it to a session as a
custom vulnerability.
To Edit or Add a Vulnerability
Use the procedure below to edit or add a vulnerability.
1. Do one of the following:
l In the summary pane, right-click an item on any tab except Scan Log or Server Information,
and select Edit Vulnerability.
l In the navigation pane, right-click a session and select Edit Vulnerability or Add >
Vulnerability.
2. Select a vulnerability (if the session includes multiple vulnerabilities).
3. To add an existing vulnerability to the session (that is, one that exists in the database), click Add
Existing.
a. On the Add Existing Vulnerability window, enter part of a vulnerability name, or a complete
vulnerability ID number or type.
Note: The * and % characters can be used interchangeably as wildcards. However, a
wildcard is allowed only at the beginning, at the end, or at the beginning and end of a
string. If placed within a string (such as "mic*soft,"), these characters will not function as
wildcards.
b. Click Search.
c. Select one or more of the vulnerabilities returned by the search.
d. Click OK.
4. To add a custom vulnerability, click Add Custom. You can then edit the vulnerability as described in
Step 6.
5. To delete the vulnerability from the selected session, click Delete.
6. To edit the vulnerability, you can modify the check name, check type, severity, or probability. You
can also change the descriptions that appear on the Summary, Implication, Execution, Fix, and
Reference Info tabs.
7. Click OK to save the changes.
To Remove Edits
To remove any modifications you made to existing vulnerability descriptions, select a check name and
click Restore Defaults.
Adding a Vulnerability Note
To add a vulnerability note:
1. Open a scan in the Scan Visualization window. See "Reviewing Scan Results" on page 146.
2. Select a vulnerability:
l On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL, or
l On the Navigation pane, right-click a vulnerable session or URL.
3. On the shortcut menu, click Attachments > Add Vulnerability Note.
4. If you selected a session with multiple vulnerabilities, select the check box next to one or more
vulnerabilities.
5. In the Comments section, enter a note related to the vulnerability (or vulnerabilities) you selected.
6. Click OK.
You can view notes and screenshots for a selected session by clicking Attachments on the Session Info
panel.
Adding a Vulnerability Screenshot
To add a vulnerability screenshot:
1. Open a scan in the Scan Visualization window. See "Reviewing Scan Results" on page 146.
2. Select a vulnerability:
l On the Vulnerabilities tab or the Information tab in the Summary pane, right-click a vulnerable
URL, or
l On the Navigation pane, right-click a vulnerable session or URL.
3. On the shortcut menu, click Attachments > Add Vulnerability Screenshot.
4. If you selected a session with multiple vulnerabilities, select the check box next to one or more
vulnerabilities.
5. Enter a name (40 characters max.) for the screenshot in the Name field.
6. Click the browse button and choose a file using the standard file-selection window. You can
specify only one image file even if you have selected multiple vulnerabilities.
7. (Optional) In the Comments section, enter a note related to the vulnerability screenshot you
selected.
8. Click OK.
You can view notes and screenshots for a selected session by clicking Attachments on the Session Info
panel.
Marking a Vulnerability as a False Positive
If you think that Fortify WebInspect has erroneously determined that a session contains a vulnerability,
you can remove the vulnerability from the session.
1. In the Site view of the Scan Visualization window, right-click an item in the navigation pane and
select Mark as False Positive.
2. (Optional) Enter a comment.
3. Click OK.
Tip: To view a list of all sessions that have been marked as false positives, select False Positives
from the Scan Info panel.
Recovering Deleted Items
When you remove a session or when you ignore or delete a vulnerability, Fortify WebInspect Enterprise
deletes the item from the Navigation pane (in both the Site and Sequence views) and from the
Vulnerabilities tab in the Summary pane.
The number of deleted items is displayed on the Dashboard (under the Scan category).
To recover removed sessions and ignored vulnerabilities:
1. On the Scan Info panel, click Deleted Items.
2. Click the drop-down list to toggle between Vulnerabilities and Sessions.
3. Select one or more items you want to recover.
4. Click Recover.
Recovered vulnerabilities reappear in the Navigation pane in both the Site and Sequence views (along
with their parent sessions) and also reappear in the Vulnerabilities tab in the summary pane.
Recovered sessions also reappear in the navigation pane along with any child sessions and their
vulnerabilities.
See Also
"Reviewing Scan Results" on page 146
About Vulnerability Rollup
Some sites contain a vulnerability class that is endemic throughout the site. For example, a cross-site
scripting vulnerability may exist in every POST and GET method for every parameter on an entire site
due to lack of input validation. This means that numerous cross-site scripting vulnerabilities will be listed
on the Vulnerabilities tab in the summary pane. To prevent overwhelming your development team, you
can roll up such vulnerabilities into a single instance that is prefixed with the tag “[Rollup]” in Fortify
WebInspect, Fortify WebInspect Enterprise, and reports.
What Happens to Rolled Up Vulnerabilities
When you select multiple vulnerabilities and use the rollup feature, all vulnerabilities except the first
selected vulnerability are marked as ignored. The first selected vulnerability remains visible and
represents the rollup. Although the rest of the selected vulnerabilities are marked as ignored, they do
not appear as ignored vulnerabilities in the Recover Deleted Items window.
Caution: Rolling up vulnerabilities indicates that they share the same root cause, and that fixing the
root cause will fix all rolled up vulnerabilities. Future scans will automatically ignore rolled up
vulnerabilities if found. If any of the rolled up vulnerabilities do not share the same root cause, they
will still be ignored.
Rollup Guidelines
The following guidelines apply to vulnerability rollup:
l Scans that include vulnerability rollups can be rescanned and bulk retested.
l Only the visible vulnerability is retested during bulk retest. The rest of the vulnerabilities are ignored
and will not show up as rolled up on the retest.
l Rollup is local to a scan and is not propagated between scans.
l Rollup works only when you select multiple vulnerabilities that have not been rolled up. Inadvertently
selecting a currently rolled up vulnerability will prevent the Rollup Vulnerability option from
appearing in the shortcut menu.
l You can only undo a rollup if you single select a vulnerability that is currently rolled up.
Rolling Up Vulnerabilities
To roll up vulnerabilities:
1. On the Vulnerabilities tab in the summary pane, select several vulnerabilities to roll up.
2. Right-click and select Rollup Vulnerabilities from the shortcut menu.
The following warning appears:
Rolling up these vulnerabilities indicates that they share the same root cause, and that fixing the
root cause will fix all rolled up vulnerabilities. Future scans will automatically ignore rolled up
vulnerabilities if found. If any of these vulnerabilities do not share the same root cause, they will still
be ignored. Do you wish to continue?
3. Do one of the following:
l Click OK to roll up the vulnerabilities.
l Click Cancel to leave the vulnerabilities as they are.
If you click OK, the selected vulnerabilities are rolled into a single instance and the check name is
prefixed with the tag “[Rollup]”, as shown below. Additionally, a note is added to the Attachments
on the Session Info panel detailing the URLs that were rolled up and affected by the same
vulnerability. For more information, see "Session Info Panel" on page 151.
Undoing Rollup
The rollup feature is reversible. To undo a rollup:
1. On the Vulnerabilities tab in the summary pane, right-click any vulnerability that has been rolled
up.
2. Select Unroll Vulnerabilities.
The rollup is reversed, and the vulnerabilities appear on the Vulnerabilities tab. Additionally, the
note detailing the rolled up vulnerabilities is removed from the Attachments on the Session Info
panel.
Note: If you undo a rollup in a scan that has been published to Fortify Software Security
Center, the note that was added to the Attachments on the Session Info panel detailing the
rollup will not be deleted from Fortify WebInspect Enterprise or Fortify Software Security
Center.
See Also
"Vulnerabilities Tab" on page 155
Advanced Settings
The following pages describe the advanced scan settings, including crawl and audit settings.
Scan: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan
Enter a name for the scan.
Scan URL
Select one of the following scan types.
Standard Scan
Fortify WebInspect performs an automated analysis, starting from the target URL. This is the normal
way to start a scan.
1. In the URL field, type or select the complete URL or IP address of the site you want to examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, you will not
scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the
Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect supports both Internet Protocol version 4 (IPV4) and Internet Protocol version
6 (IPV6). IPV6 addresses must be enclosed in brackets.
2. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from the
drop-down list. The choices are:
l Directory only (self) - Fortify WebInspect will crawl and/or audit only the URL you specify. For
example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify
WebInspect will assess only the "two" directory.
l Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at the
URL you specify, but will not access any directory that is higher in the directory tree.
l Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing at
the URL you specify, but will not access any directory that is lower in the directory tree.
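The three Restrict to folder choices, as an added scope check that is not WebInspect code: a candidate URL is compared with the start URL by directory path after the path is normalised. Two assumptions are built in: a path that does not end in "/" names a file, so its last segment is dropped, and URLs on another host are out of scope for this check (the guide attributes host handling to the Allowed Hosts setting). The www.mycompany.com sample URLs are constructed.

```python
"""Restrict-to-folder scope check for the Standard Scan start URL.
Added example, not WebInspect Enterprise code."""
from posixpath import normpath
from typing import List, Tuple
from urllib.parse import urlsplit

DIRECTORY_ONLY = "Directory only (self)"
DIRECTORY_AND_SUBDIRECTORIES = "Directory and subdirectories"
DIRECTORY_AND_PARENTS = "Directory and parent directories"


def _host_and_dir(url: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (host, directory segments) for a URL.

    The path is normalised so '.', '..' and doubled slashes cannot be used to
    step outside the chosen folder. Assumption: a path that does not end in '/'
    names a file, so its last segment is not part of the directory."""
    p = urlsplit(url)
    raw = p.path or "/"
    segs = [s for s in normpath(raw).split("/") if s]
    last = raw.rsplit("/", 1)[-1]
    if last not in ("", ".", "..") and segs:
        segs = segs[:-1]
    return p.netloc.lower(), tuple(segs)


def in_scope(start_url: str, candidate_url: str, restriction: str) -> bool:
    """Decide whether a candidate URL may be crawled/audited under the restriction."""
    host_s, dir_s = _host_and_dir(start_url)
    host_c, dir_c = _host_and_dir(candidate_url)
    if host_s != host_c:
        return False  # assumption: other hosts are governed by Allowed Hosts, not this setting
    if restriction == DIRECTORY_ONLY:
        return dir_c == dir_s
    if restriction == DIRECTORY_AND_SUBDIRECTORIES:
        return dir_c[:len(dir_s)] == dir_s        # start directory is a prefix of the candidate
    if restriction == DIRECTORY_AND_PARENTS:
        return dir_s[:len(dir_c)] == dir_c        # candidate directory is a prefix of the start
    raise ValueError(f"unknown restriction: {restriction!r}")


def select_in_scope(start_url: str, urls: List[str], restriction: str) -> List[str]:
    return [u for u in urls if in_scope(start_url, u, restriction)]


# Constructed sample (not from a real scan)
START_URL = "http://www.mycompany.com/one/two/"
CANDIDATES = [
    "http://www.mycompany.com/one/two/page.html",
    "http://www.mycompany.com/one/two/three/",
    "http://www.mycompany.com/one/",
    "http://www.mycompany.com/",
    "http://www.mycompany.com/one/three/",
    "http://www.mycompany.com/one/two/../two/x.html",
    "http://qa.mycompany.com/one/two/",
]

if __name__ == "__main__":
    for restriction in (DIRECTORY_ONLY, DIRECTORY_AND_SUBDIRECTORIES, DIRECTORY_AND_PARENTS):
        print(restriction, select_in_scope(START_URL, CANDIDATES, restriction))
```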
List-Driven Scan
Perform a scan using a list of URLs to be scanned. Each URL must be fully qualified and must include
the protocol (for example, http:// or https://). You can use a text file, formatted as comma-separated list
or one URL per line, or the XML file generated by the FilesToURLs utility.
Click Browse to select a text file or XML file containing the list of URLs you want to scan.
Click View to view the contents of the selected file.
Workflow-Driven Scan
Fortify WebInspect audits only those URLs included in the macro that you previously recorded and
does not follow any hyperlinks encountered during the audit. A logout signature is not required. This
type of macro is used most often to focus on a particular subsection of the application. If you select
multiple macros, they will all be included in the same scan.
Click Browse and select a macro containing the URLs you want to scan.
Web Service Scan
When performing a Web Service scan, Fortify WebInspect crawls the WSDL site and submits a value for
each parameter in each operation it discovers. These values are extracted from a file that you must
create using the Web Service Test Designer. It then audits the site by attacking each parameter in an
attempt to detect vulnerabilities such as SQL injection.
Click Browse to select a Web Service Test Design (WSD) file that was previously created using the Web
Service Test Designer.
Priority
Select a priority from 1 (highest) to 5 (lowest). If a scheduling conflict occurs, the scan with the highest
priority will take precedence.
Sensor
Select which sensor should conduct the scan. You can choose a specific sensor or select the Run on Any
Available Sensor option.
A sensor can perform only one scan at a time. If it is conducting a scan when another scan is scheduled
to occur, then:
l If the currently running scan has a higher priority, the WebInspect Enterprise Manager will place the
pending scan in a queue until the first scan finishes or until another sensor becomes available.
l If the currently running scan has a lower priority, the WebInspect Enterprise Manager will suspend
that scan, assign the second scan to that sensor, and then reassign the suspended scan to the sensor
when the higher priority scan is complete.
Scans that are manually initiated have priority over any scheduled scan.
Scan Settings: Method
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Mode
Select one of the following modes:
l Crawl Only - This option completely maps a site's tree structure. After a crawl has been completed,
you can click Audit to assess an application’s vulnerabilities.
l Crawl and Audit - As Fortify WebInspect maps the site's hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed. This is described in the Crawl and Audit Mode section as the option to crawl and
audit Simultaneously.
l Audit Only - Fortify WebInspect applies the methodologies of the selected policy to determine
vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
Crawl and Audit Mode
If the selected scan mode is Crawl and Audit, choose one of the following:
l Simultaneously - As Fortify WebInspect maps the site’s hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed.
l Sequentially - In this mode, Fortify WebInspect crawls the entire site, mapping the site’s hierarchical
data structure, and then conducts a sequential audit, beginning at the site’s root. If you select this
option, you can specify the order in which the crawl and audit should be conducted.
l Test each engine type per session (engine driven): Fortify WebInspect audits all sessions using
the first audit engine, then audits all sessions using the second audit engine, continuing in
sequence until all engine types have been deployed.
l Test each session per engine type (session driven): Fortify WebInspect runs all audit engines
against the first session, then runs all audit engines against the second session, continuing in
sequence until all sessions are audited.
Scan Behavior
You can select any of the following optional behaviors:
l Use a login macro for forms authentication - This type of macro is used primarily for Web form
authentication. It incorporates logic that will prevent Fortify WebInspect from terminating
prematurely if it inadvertently logs out of your application. The drop-down list contains the names of
all macros that have been uploaded to Fortify WebInspect Enterprise. Macros that are available in the
repository for the selected Project and Project Version are listed with “(Repository)” prepended to
the macro name. You can select one of these, or you can click Browse to locate a macro and upload it.
See "Working with the Macro Repository" on page 139 for more information.
If you specified login parameters when recording the macro, Fortify WebInspect will substitute these
credentials for those used in the macro when it scans a page containing the input control associated
with this entry.
l Use a startup macro - This type of macro is used most often to focus on a particular subsection of
the application. It specifies URLs that Fortify WebInspect will use to navigate to that area. It may also
include login information, but does not contain logic that will prevent Fortify WebInspect from
logging out of your application. Fortify WebInspect visits all URLs in the macro, collecting hyperlinks
and mapping the data hierarchy. It then calls the Start URL and begins a normal crawl (and,
optionally, audit). The drop-down list contains the names of all macros that have been uploaded to
Fortify WebInspect Enterprise. You can select one of these, or you can click Browse to locate a macro
and upload it.
Important! Do not use a login macro and a startup macro with the same name. The scan may
yield undesirable results.
l Auto-fill Web forms during crawl - If you select this option, Fortify WebInspect submits values for
input controls found on all HTML forms it encounters while scanning the target site. Fortify
WebInspect will extract the values from a prepackaged default file or from a file that you create using
the Web Form Editor. Use the Browse button to specify the file containing the values you want to
use. Alternatively, you can select Edit (to modify the currently selected file) or Create (to record new
Web form values).
Scan Settings: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Details
You may choose the following options:
l Enable Path Truncation - Path truncation attacks are requests for known directories without file
names. This may cause directory listings to be displayed. Fortify WebInspect truncates paths, looking
for directory listings or unusual errors within each truncation. Example: If a link consists of
http://www.site.com/folder1/folder2/file.asp, then truncating the path to look for
http://www.site.com/folder1/folder2/ and http://www.site.com/folder1/ will cause the server to reveal
directory contents or will cause unhandled exceptions.
l Attach debug information in request header - If you select this option, Fortify WebInspect
includes a "Memo:" header in the request containing information that can be used by support
personnel to diagnose problems.
l Case-sensitive request and response handling - Select this option if the server at the target site is
case-sensitive to URLs.
l Compress response data - If you select this option, Fortify WebInspect saves disk space by storing
each HTTP response in a compressed format in the database.
l Maximum crawl-audit recursion depth - When an attack reveals a vulnerability, Fortify WebInspect
crawls that session and follows any link that may be revealed. If that crawl and audit reveals a link to
yet another resource, the depth level is incremented and the discovered resource is crawled and
audited. This process can be repeated until no other links are found. However, to avoid the possibility
of entering an endless loop, you may limit the number of recursions. The maximum value is 1,000.
Crawl Details
You may choose the following options:
l Crawler - Select either Depth First or Breadth First.
Depth-first crawling accommodates sites that enforce order-dependent navigation (where the
browser must visit page A before it can visit page B). This type of search progresses by expanding
the first child node (link) and crawling deeper and deeper until it reaches a node that has no children.
The search then backtracks, returning to the most recent node it hasn't finished exploring and drilling
down from there. The following illustration depicts the order in which linked pages are accessed
using a depth-first crawl. Node 1 has links to nodes 2, 7, and 8. Node 2 has links to nodes 3 and 6.
By contrast, breadth-first crawling begins at the root node and explores all the neighboring nodes
(one level down). Then for each of those nearest nodes, it explores their unexplored neighbor nodes,
and so on, until all resources are identified. The following illustration depicts the order in which linked
pages are accessed using a breadth-first crawl. Node 1 has links to nodes 2, 3, and 4. Node 2 has links
to nodes 5 and 6.
When performing a depth-first crawl, Fortify WebInspect pursues links in a fashion that more closely
represents human interaction. While slower than breadth-first crawling, the depth-first method
accommodates applications that enforce ordering of requests (such as requiring the user to visit a
“shopping cart” page before accessing the “check-out” page).
l Enable keyword search audit - A keyword search, as its name implies, uses an attack engine that
examines server responses and searches for certain text strings that typically indicate a vulnerability.
Normally, this engine is not used during a crawl-only scan, but you can enable it by selecting this
option.
l Perform redundant page detection - Highly dynamic sites could create an infinite number of
resources (pages) that are virtually identical. If allowed to pursue each resource, Fortify WebInspect
would never be able to finish the scan. This option, however, allows Fortify WebInspect to identify
and exclude processing of redundant resources.
l Limit maximum single URL hits to - Use this field to limit the number of times a single link will be
followed during a crawl. Sometimes, the configuration of a site will cause a crawl to loop endlessly
through the same URL.
l Include parameters in hit count - If you select Limit maximum single URL hits to (above), a
counter is incremented each time the same URL is encountered. However, if you also select Include
parameters in hit count, then when parameters are appended to the URL specified in the HTTP
request, the crawler will crawl that resource up to the single URL limit. Any differing set of parameters
is treated as unique and has a separate count.
For example, if this option is selected, then "page.aspx?a=1" and "page.aspx?b=1" will both be
counted as unique resources (meaning that the crawler has found two pages). If this option is not
selected, then "page.aspx?a=1" and "page.aspx?b=1" will be treated as the same resource (meaning
that the crawler has found the same page twice).
l Limit maximum link traversal sequence to - This option restricts the number of hyperlinks that
can be sequentially accessed as Fortify WebInspect crawls the site. For example, if five resources are
linked as follows:
l Page A contains a hyperlink to Page B
l Page B contains a hyperlink to Page C
l Page C contains a hyperlink to Page D
l Page D contains a hyperlink to Page E
and if this option is set to "3," then Page E will not be crawled.
The default value is 15.
l Limit maximum crawl folder depth to - The Crawl Depth value determines how deeply Fortify
WebInspect traverses the hierarchical levels of your Web site. If set to 1, Fortify WebInspect drills
down one level; if set to 2, Fortify WebInspect drills down two levels; and so on. The maximum value
is 1000.
l Limit maximum crawl count to - This feature restricts the number of HTTP requests sent by the
crawler and should be used only if you experience problems completing a scan of a large site.
Note: The limit set here does not directly correlate to the Crawled progress bar that is displayed
during a scan. The maximum crawl count set here applies to links found by the Crawler during a crawl
of the application. The Crawled progress bar includes all sessions (requests and responses) that are
parsed for links during a crawl and audit, not just the links found by the Crawler during a crawl.
l Limit maximum Web form submissions to - Normally, when Fortify WebInspect encounters a
form that contains controls having multiple options (such as a list box), it extracts the first option
value from the list and submits the form; it then extracts the second option value and resubmits the
form, repeating this process until all option values in the list have been submitted. This ensures that
all possible links will be followed. There are occasions, however, when submitting the complete list of
values would be counterproductive. For example, if a list box named "State" contains one value for
each of the 50 states in the United States, there is probably no need to submit 50 instances of the
form. Use this setting to limit the total number of submissions that Fortify WebInspect will perform.
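The Crawler setting and the crawl limits above can be seen working together in a small simulation. The following is an added example written for this guide, not code from Fortify WebInspect: an in-memory crawler that visits a link graph depth-first or breadth-first and applies Limit maximum link traversal sequence to, Limit maximum crawl folder depth to, and Limit maximum single URL hits to (with and without Include parameters in hit count). The link graphs reproduce the two node diagrams from the Crawler setting (only the links the text names are given; the remaining links are assumed so that the node numbers equal the visiting order), the A-to-E chain from the traversal example, and the page.aspx?a=1 / page.aspx?b=1 pair from the hit count example. Function names, the reject reason used for the traversal limit, and the default of one request per URL are this example's own choices.

```python
"""Simulated crawler for the Crawl Details settings (constructed example, not
WebInspect code). Reproduces the depth-first and breadth-first visiting order
and applies three of the limits; links the crawler refuses to follow are
reported with the reject reason used in the Log Rejected Session table."""
from collections import deque
from urllib.parse import urlsplit, urlunsplit


def hit_key(url, include_params):
    """Key for the single-URL hit counter. Without 'Include parameters in hit
    count' the query string is ignored, so page.aspx?a=1 and page.aspx?b=1
    share one counter; with it, every distinct parameter set counts separately."""
    if include_params:
        return url
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def folder_depth(url):
    """Directory levels below the host: /a/b/c.htm -> 2, /a/b/c/ -> 3."""
    segments = urlsplit(url).path.split("/")[1:-1]
    return len([s for s in segments if s])


def crawl(site, start, strategy="depth", max_link_sequence=None,
          max_folder_depth=None, max_url_hits=1, include_params=False):
    """Crawl an in-memory link graph {url: [linked urls]} and return
    (order, rejected): the order in which pages were requested and a dict of
    url -> reject reason. max_url_hits=1 means every page is requested once,
    which is also what stops a crawl from looping through the same URL."""
    order, rejected, hits = [], {}, {}
    frontier = deque([(start, 0)])  # (url, links followed since the start URL)
    while frontier:
        url, seq = frontier.popleft() if strategy == "breadth" else frontier.pop()
        key = hit_key(url, include_params)
        hits[key] = hits.get(key, 0) + 1
        if max_url_hits is not None and hits[key] > max_url_hits:
            rejected[url] = "Maximum URL Hits"
            continue
        if max_folder_depth is not None and folder_depth(url) > max_folder_depth:
            rejected[url] = "Maximum Folder Depth Exceeded"
            continue
        if max_link_sequence is not None and seq > max_link_sequence:
            rejected[url] = "Maximum link traversal sequence"  # name chosen for this example
            continue
        order.append(url)
        children = [(child, seq + 1) for child in site.get(url, [])]
        if strategy == "depth":
            children.reverse()  # stack: push the first link last so it is followed first
        frontier.extend(children)
    return order, rejected


# Constructed link graphs matching the two node diagrams of the Crawler setting.
DEPTH_FIRST_SITE = {"/1": ["/2", "/7", "/8"], "/2": ["/3", "/6"], "/3": ["/4", "/5"]}
BREADTH_FIRST_SITE = {"/1": ["/2", "/3", "/4"], "/2": ["/5", "/6"], "/3": ["/7"], "/4": ["/8"]}
# Five pages linked in a chain, from the link traversal sequence example.
CHAIN_SITE = {"/A": ["/B"], "/B": ["/C"], "/C": ["/D"], "/D": ["/E"]}
# Two links that differ only in their query string, from the hit count example.
PARAM_SITE = {"/index.htm": ["/page.aspx?a=1", "/page.aspx?b=1"]}

if __name__ == "__main__":
    print(crawl(DEPTH_FIRST_SITE, "/1", "depth")[0])
    print(crawl(BREADTH_FIRST_SITE, "/1", "breadth")[0])
    print(crawl(CHAIN_SITE, "/A", max_link_sequence=3))
    print(crawl(PARAM_SITE, "/index.htm", include_params=False))
```

Running the two diagram graphs with the other strategy shows why the choice matters: the depth-first graph crawled breadth-first visits 1, 2, 7, 8 before it ever reaches 3, which is exactly the order-dependent navigation problem the depth-first option exists to avoid.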
Audit Details
If you select a depth-first crawl, you can also elect to retrace the crawl path for each parameter attack, as
opposed to applying all attacks as the crawl progresses. This considerably increases the time required to
conduct a scan.
Scan Settings: Content Analyzers
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Content Analyzers
JavaScript/VBScript - The JavaScript/VBScript analyzer is always enabled. It allows Fortify
WebInspect to crawl links defined by JavaScript or VisualBasic script, and to create and audit any
documents rendered by JavaScript. There are settings associated with the JavaScript/VBScript content
analyzer. Click the analyzer name (JavaScript/VBScript) and configure the settings described below.
Flash - If you enable the Flash analyzer, Fortify WebInspect analyzes Flash files, Adobe's vector
graphics-based resizable animation format. There are no associated settings.
Silverlight - If you enable the Silverlight analyzer, Fortify WebInspect analyzes the multimedia,
graphics, animation, and interactivity elements developed within Microsoft's Silverlight Web application
framework. There are no associated settings.
Parser Settings
There are settings associated with the JavaScript/VBScript analyzer. Click the analyzer name
(JavaScript/VBScript) and configure the settings described below.
l Crawl links found from script execution - If you select this option, the crawler will follow dynamic
links (that is, links generated during execution of JavaScript or Visual Basic script).
l Reject script includes to offsite hosts - Pages downloaded from a server may contain scripts that
retrieve files and dynamically render their content. An example JavaScript "include file" request is
<script type="text/javascript" src="www.badsite.com/yourfile.htm"></script>. Fortify WebInspect will
download and parse such files, regardless of their origin or file type, unless you select the Reject
Script option. It will then download the files only if permitted by the parameters normally governing
file handling (such as session and attack exclusions, allowed hosts, etc.).
l Isolate script analysis (out-of-process execution) - Fortify WebInspect analyzes and executes
JavaScript and VBScript to discover links to other resources. Applications or Web sites containing an
inordinate number of links can sometimes exhaust the amount of memory allocated to this process. If
this occurs, you can assign this function to a separate (remote) process, which will accommodate an
infinite number of links. You may, however, notice a slight increase in the amount of time required to
scan the site.
l Create DOM sessions - Fortify WebInspect creates and saves a session for each change to the
Document Object Model (DOM).
l Verbose script parser debug logging - If you select this setting and if the Application setting for
logging level is set to Debug, Fortify WebInspect logs every method called on the DOM object. This
can easily create several gigabytes of data for medium and large sites.
l Log JavaScript errors - Fortify WebInspect logs JavaScript parsing errors from the script parsing
engine.
l Maximum script events per page - Certain scripts endlessly execute the same events. You can limit
the number of events allowed on a single page to a value between 1 and 9999.
Scan Settings: Requestor
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Requestor Performance
Select one of the following options:
l Use a shared requestor - If you select this option, the crawler and the auditor use a common
requestor when scanning a site, and each thread uses the same state, which is also shared by both
modules. This replicates the technique used by previous versions of Fortify WebInspect and is
suitable for use when maintaining state is not a significant consideration. You also specify the
maximum number of threads (up to 75).
l Use separate requestors - If you select this option, the crawler and auditor use separate
requestors. Also, the auditor's requestor associates a state with each thread, rather than having all
threads use the same state. This method results in significantly faster scans.
When performing crawl and audit, you can specify the maximum number of threads that can be
created for each requestor. The Crawl requestor thread count can be configured to send up to 25
concurrent HTTP requests before waiting for an HTTP response to the first request; the default
setting is 5. The Audit requestor thread count can be set to a maximum of 50; the default setting is
10. Increasing the thread counts may increase the speed of a scan, but might also exhaust your
system resources as well as those of the server you are scanning.
Note: Depending on the capacity of the application being scanned, increasing thread counts may
increase request failures due to increased load on the server, causing some responses to exceed the
Request timeout setting. Request failures may reduce scan coverage because the responses that
failed may have exposed additional attack surface or revealed vulnerabilities. If you notice increased
request failures, you might reduce them by either increasing the Request timeout or reducing the
Crawl requestor thread count and Audit requestor thread count.
Also, depending on the nature of the application being scanned, increased crawl thread counts may
reduce consistency between subsequent scans of the same site due to differences in crawl request
ordering. By reducing the default Crawl requestor thread count setting to 1, consistency may be
increased.
Requestor Settings
You may select the following options:
l Limit maximum response size to - Select this option to limit the size of accepted server responses
and then specify the maximum size (in kilobytes). The default is 1000 kilobytes. Note that Flash files
(.swf) and JavaScript "include" files are not subject to this limitation.
l Request retry count - Specify how many times Fortify WebInspect will resubmit an HTTP request
after receiving a "failed" response (which is defined as any socket error or request timeout). The value
must be greater than zero.
l Request timeout - Specify how long Fortify WebInspect will wait for an HTTP response from the
server. If this threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry
count. If Fortify WebInspect then receives no response, it logs the timeout and issues the first HTTP
request in the next attack series. The default value is 20 seconds.
Stop Scan if Loss of Connectivity Detected
There may be occasions during a scan when a Web server fails or becomes too busy to respond in a
timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold for the
number of timeouts.
Note: If these options are selected and the Request timeout setting (above) is reached, the scan
may stop when the server does not respond within the period set for the Request timeout. If the
server responds with the extended Request timeout period, then the extended period becomes the
new Request timeout for the current scan.
The following options are available:
l Consecutive "single host" retry failures to stop scan - Enter the number of consecutive timeouts
permitted from one specific server. The default value is 75.
l Consecutive "any host" retry failures to stop scan - Enter the total number of consecutive
timeouts permitted from all hosts. The default value is 150.
l Nonconsecutive "single host" retry failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from a single host. The default value is "unlimited."
l Nonconsecutive "any host" request failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from all hosts. The default value is 350.
l If first request fails, stop scan - Selecting this option will force Fortify WebInspect to terminate the
scan if the target server does not respond to Fortify WebInspect's first request.
l Response codes to stop scan if received - Enter the HTTP status codes that, if received, will force
Fortify WebInspect to terminate the scan. Use a comma to separate entries; use a hyphen to specify
an inclusive range of codes.
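The thresholds under Stop Scan if Loss of Connectivity Detected and the Response codes to stop scan if received field amount to a small state machine over request outcomes. The following is an added example written for this guide, not code from Fortify WebInspect. It models a request as "failed" once the Request retry count has been exhausted (socket error or Request timeout on every attempt), keeps the four failure counters with the guide's default values, and parses the comma-and-hyphen code list. Class and method names are this example's own, as is one interpretation the guide leaves open: a single-host consecutive counter is reset only by a response from that same host.

```python
"""Stop-scan logic of the Requestor settings, as a constructed example (not
WebInspect code). record() is called once per request after the retry count
is exhausted, so every failure here is a request that timed out or hit a
socket error on each retry."""


def parse_stop_codes(spec):
    """Parse '500-504, 403' (comma-separated, hyphen = inclusive range) into a set."""
    codes = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            codes.update(range(low, high + 1))
        else:
            codes.add(int(item))
    return codes


class ConnectivityMonitor:
    # Defaults are the values stated in the guide; None means "unlimited".
    def __init__(self, consecutive_single=75, consecutive_any=150,
                 nonconsecutive_single=None, nonconsecutive_any=350,
                 stop_if_first_fails=False, stop_codes=""):
        self.consecutive_single = consecutive_single
        self.consecutive_any = consecutive_any
        self.nonconsecutive_single = nonconsecutive_single
        self.nonconsecutive_any = nonconsecutive_any
        self.stop_if_first_fails = stop_if_first_fails
        self.stop_codes = parse_stop_codes(stop_codes)
        self.requests = 0
        self.consec_any = 0    # failures since the last response from any host
        self.consec_host = {}  # failures since the last response from that host
        self.total_any = 0     # all failures during the scan
        self.total_host = {}   # all failures per host

    @staticmethod
    def _reached(value, limit):
        return limit is not None and value >= limit

    def record(self, host, status=None, failed=False):
        """Record one request outcome. Returns a stop reason, or None if the
        scan may continue."""
        self.requests += 1
        if not failed:
            # A response resets the consecutive counters (this example's interpretation:
            # the single-host counter is reset only by a response from that host).
            self.consec_any = 0
            self.consec_host[host] = 0
            if status in self.stop_codes:
                return f"response code {status} received"
            return None
        if self.requests == 1 and self.stop_if_first_fails:
            return "first request failed"
        self.consec_any += 1
        self.consec_host[host] = self.consec_host.get(host, 0) + 1
        self.total_any += 1
        self.total_host[host] = self.total_host.get(host, 0) + 1
        if self._reached(self.consec_host[host], self.consecutive_single):
            return f"{self.consecutive_single} consecutive failures from {host}"
        if self._reached(self.consec_any, self.consecutive_any):
            return f"{self.consecutive_any} consecutive failures from any host"
        if self._reached(self.total_host[host], self.nonconsecutive_single):
            return f"{self.nonconsecutive_single} failures from {host}"
        if self._reached(self.total_any, self.nonconsecutive_any):
            return f"{self.nonconsecutive_any} failures from any host"
        return None


def run_sequence(monitor, outcomes):
    """Feed constructed (host, status, failed) tuples to the monitor until it
    stops the scan. Returns (requests sent, stop reason or None)."""
    for host, status, failed in outcomes:
        reason = monitor.record(host, status=status, failed=failed)
        if reason:
            return monitor.requests, reason
    return monitor.requests, None
```

Lowering the thresholds when feeding the monitor constructed sequences is the quickest way to see which counter trips first: interleaving one success between failures defeats both consecutive counters but still accumulates toward the nonconsecutive "any host" limit, which is why that limit exists.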
Scan Settings: Session Storage
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Log Rejected Session to Database
You can specify which rejected sessions should be saved to the database. This saved information can be
used for two purposes.
l If you pause a scan, change any of the settings associated with the Reject Reasons in this panel, and
then resume the scan, Fortify WebInspect retrieves the saved data and sends HTTP requests that
previously were suppressed.
l HPE Security Fortify Support personnel can extract the generated (but not sent) HTTP requests for
analysis.
Sessions may be rejected for the reasons cited in the following table:
l Invalid Host - Any host that is not specified as an Allowed Host.
l Excluded File Extension - Files having an extension that is excluded by settings specified in Default
(or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected File Extensions; also
Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected File
Extensions; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or
Rejected File Extensions.
l Excluded URL - URLs or hosts that are excluded by settings specified in Default (or Current) Scan
Settings/Scan Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or
Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also
Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected URLs and
Hosts.
l Outside Root URL - If the Restrict to Folder option is selected when starting a scan, any resource
not qualified by the available options (Directory only (self), Directory and subdirectories, or Directory
and parent directories).
l Maximum Folder Depth Exceeded - HTTP requests were not sent because the value specified by the
Limit maximum crawl folder depth to option in Default (or Current) Scan Settings/Scan
Settings/General has been exceeded.
l Maximum URL Hits - HTTP requests were not sent because the value specified by the Limit Maximum
Single URL hits to option in Default (or Current) Scan Settings/Scan Settings/General has been
exceeded.
l 404 Response Code - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group,
the option Determine File Not Found (FNF) using HTTP response codes is selected and the response
contains a code that matches the requirements.
l Solicited File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found
group, the option Auto detect FNF page is selected and Fortify WebInspect determined that the
response constituted a "file not found" condition.
l Custom File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found
group, the option Determine FNF from custom supplied signature is selected and the response
contains one of the specified phrases.
l Rejected Response - Files having a MIME type that is excluded by settings specified in Default (or
Current) Scan Settings/Scan Settings/Session Exclusions/Excluded MIME Types; also Default (or
Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded MIME Types; also Default (or
Current) Scan Settings/Audit Settings/Session Exclusions/Excluded MIME Types.
Session Storage
Fortify WebInspect normally saves only those attack sessions in which a vulnerability was discovered. To
save all attack sessions, select Save non-vulnerable attack sessions.
Scan Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Note: The following settings apply to both the crawl and audit phases of a scan. To specify
exclusions for only the crawl or only the audit, use the Crawl Settings - Session Exclusions or the
Audit Settings - Session Exclusions.
Excluded or Rejected File Extensions
You can identify a file type and then specify whether you want to exclude or reject it.
l Reject - Fortify WebInspect will not request files of the type you specify.
l Exclude - Fortify WebInspect will request the files, but will not attack them (during an audit) and will
not examine them for links to other resources.
Excluded MIME Types
Fortify WebInspect will not process files associated with the MIME type you specify. For more
information, see "MIME Types" on page 191.
Excluded or Rejected URLs and Hosts
You can identify a URL or host (using a regular expression) and then specify whether you want to
exclude or reject it.
l Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
example, you should usually reject any URL that deals with logging off the site, since you don't want
to log out of the application before the scan is completed.
l Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to
other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified
host or URL. If you want to access the URL or host without processing the HTTP response, select the
Exclude option, but do not select Reject. For example, to check for broken links on URLs that you
don't want to process, select only the Exclude option.
You must use a regular expression to designate a host or URL.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following regular expression and select Reject.
Microsoft\.com
Note that the period (or dot) is preceded by a backslash, which makes the dot match a literal period
(that is, it is not treated as the regular-expression metacharacter that matches any single character
except a newline character).
Example 2
Enter a string such as logout. If that string is found in any portion of the URL, the URL will be excluded
or rejected (depending on which option you select). Using the logout example, Fortify WebInspect will
exclude or reject URLs such as logout.asp or applogout.jsp.
Example 3
If you enter /myApp/
then Fortify WebInspect will exclude or reject all resources in the myApp directory, such as:
http://www.test.me/myApp/filename.htm
If you enter /W3SVC[0-9]*/
then Fortify WebInspect will exclude or reject the following directories:
l http://www.test.me/W3SVC55/
l http://www.test.me/W3SVC5/
l http://www.test.me/W3SVC550/
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
MIME Types
Multipurpose Internet Mail Extensions (MIME) is a specification for formatting non-ASCII messages so
they can be sent over the Internet. The Content-Type header indicates the type and subtype of the
message content, for example Content-Type: text/plain. The combination of type and subtype is
generally called a MIME type (also known as Internet media type). Examples include:
l text/html
l image/jpeg
l image/gif
l audio/x-wave
l audio/mpeg
l video/mpeg
l application/zip
Scan Settings: Allowed Hosts
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Allowable Hosts for Crawl and Audit
Use the Allowed Host settings to add domains that may be crawled and audited. If your Web presence
uses multiple domains, add those domains here. For example, if you were scanning "WIexample.com,"
you would need to add "WIexample2.com" and "WIexample3.com" here if those domains were part of
your Web presence and you wanted to include them in the crawl or audit.
You can also use this feature to scan any domain whose name contains the text you specify. For
example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed
host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it
will pursue that link and scan that site's server, repeating the process until all linked sites are scanned.
For this hypothetical example, Fortify WebInspect would scan the following domains:
l www.myco.com:80
l contact.myco.com:80
l www1.myco.com
l ethics.myco.com:80
l contact.myco.com:443
l wow.myco.com:80
l mycocorp.com:80
l www.interconnection.myco.com:80
Note: If you specify a port number, then the allowed host must be an exact match.
If you use a regular expression to specify a host, select Regex.
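How the Allowed Hosts setting and the Excluded or Rejected URLs and Hosts rules from the earlier section combine to decide what happens to a discovered link, as an added Python example that is not part of the guide or of WebInspect. The rule fields and the host-matching semantics (substring match when no port is given, exact host:port match when one is) are assumptions made here, built from the guide's own example patterns.

```python
import re
from urllib.parse import urlsplit

# Constructed scope rules modelled on the guide's examples; the rule fields and the matching
# semantics below are this example's assumptions, not WebInspect's stored configuration.
ALLOWED_HOSTS = [
    {"pattern": "myco", "regex": False},                    # no port: substring match on the host name
    {"pattern": "WIexample2.com:443", "regex": False},      # port given: host:port must match exactly
    {"pattern": r"^api\d*\.example\.org$", "regex": True},  # "Regex" option selected
]

# Excluded or Rejected URLs and Hosts, using the patterns the guide discusses.
URL_RULES = [
    {"pattern": r"Microsoft\.com", "reject": True,  "exclude": False},  # escaped dot: literal "."
    {"pattern": r"logout",         "reject": True,  "exclude": False},  # matches logout.asp, applogout.jsp
    {"pattern": r"/myApp/",        "reject": False, "exclude": True},   # whole directory
    {"pattern": r"/W3SVC[0-9]*/",  "reject": False, "exclude": True},   # /W3SVC5/, /W3SVC55/, ...
]


def host_allowed(url, rules=ALLOWED_HOSTS):
    """True if the URL's host falls inside the Allowed Hosts for crawl and audit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host_port = f"{host}:{port}"
    for rule in rules:
        pattern = rule["pattern"]
        if rule["regex"]:
            if re.search(pattern, host, re.IGNORECASE):
                return True
        elif ":" in pattern:
            # Guide: "If you specify a port number, then the allowed host must be an exact match."
            if pattern.lower() == host_port:
                return True
        elif pattern.lower() in host:
            # No port: any host whose name contains the text is allowed (www.myco.com, mycocorp.com, ...).
            return True
    return False


def classify(url, host_rules=ALLOWED_HOSTS, url_rules=URL_RULES):
    """Decide what the scanner would do with a discovered link.

    Returns one of:
      "out-of-scope"    host is not an allowed host, so the link is never followed
      "reject"          an exclusion rule with Reject matched: no request is sent at all
      "exclude"         only Exclude matched: the request is sent (e.g. to find broken links)
                        but the response is not processed or audited
      "crawl-and-audit" no rule matched
    """
    if not host_allowed(url, host_rules):
        return "out-of-scope"
    verdict = "crawl-and-audit"
    for rule in url_rules:
        # Regular expressions are searched anywhere in the URL, as in the guide's "logout" example.
        if re.search(rule["pattern"], url):
            if rule["reject"]:
                return "reject"       # Reject is the stronger outcome, so it wins immediately
            if rule["exclude"]:
                verdict = "exclude"
    return verdict


if __name__ == "__main__":
    for link in ["http://www.myco.com/account/logout.asp",
                 "http://www.myco.com/myApp/filename.htm",
                 "http://contact.myco.com:443/",
                 "https://WIexample2.com/",
                 "http://WIexample2.com/",
                 "http://www.microsoft.com/"]:
        print(f"{classify(link):16} {link}")
```

Running the same patterns through a small checker like this before a scan shows whether an unescaped dot or an over-broad substring such as "logout" will match more than intended.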
Scan Settings: HTTP Parsing
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
HTTP Parameters Used for State
If your application uses URL rewriting or post data techniques to maintain state within a Web site, you
must identify which parameters are used. For example, a PHP4 script can create a constant of the
session ID named SID, which is available inside a session. By appending this to the end of a URL, the
session ID becomes available to the next page. The actual URL might look something like the following:
.../page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
Because session IDs change with each connection, an HTTP request containing this URL would create
an error when you tried to replay it. However, if you identify the parameter (PHPSESSID in this
example), then Fortify WebInspect will replace its assigned value with the new session ID obtained from
the server each time the connection is made.
Similarly, some state management techniques use post data to pass information. For example, the
HTTP message content may include userid=slbhkelvbkl73dhj. In this case, "userid" is the parameter you
would identify.
Note: You need to identify parameters only when the application uses URL rewriting or posted
data to manage state. It is not necessary when using cookies.
Fortify WebInspect can identify potential parameters if they occur as posted data or if they exist within
the query string of a URL. However, if your application embeds session data in the URL as extended
path information, you must provide a regular expression to identify it. In the following example,
"1234567" is the session information:
http://www.onlinestore.com/bikes/(1234567)/index.html
The regular expression for identifying the parameter would be: /\([\w\d]+\)/
Determine State from URL Path
If your application determines state from certain components in the URL path, select this check box and
add one or more regular expressions that identify those components. Two default regular expressions
identify two ASP.NET cookieless session IDs. The third regular expression matches the jsessionid cookie.
HTTP Parameters Used for Navigation
Some sites contain only one directly accessible resource, and then rely on query strings to deliver the
requested information, as in the following examples:
l http://www.anysite.com?Master.asp?Page=1
l http://www.anysite.com?Master.asp?Page=2;
l http://www.anysite.com?Master.asp?Page=13;Subpage=4
Ordinarily, Fortify WebInspect would assume that these three requests refer to identical resources and
would scan only one of them. Therefore, if your target Web site employs this type of architecture, you
must identify the specific resource parameters that are used.
The first and second examples contain one resource parameter: "Page." The third example contains two
parameters: "Page" and "Subpage."
To identify resource parameters:
1. Click Add.
2. Enter the parameter name and click Update.
The string you entered appears in the Parameter list.
3. Repeat this procedure for additional parameters.
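The two parameter settings described above, state parameters (PHPSESSID, userid and the parenthesised path segment) and navigation parameters (Page, Subpage), as one added Python example that is not WebInspect's code. The navigation URLs are written with a conventional /Master.asp path, and the function names and the handling of both "&" and ";" as query separators are assumptions made here.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed settings mirroring the guide's examples (this example's assumptions, not product state).
STATE_PARAMS = {"PHPSESSID", "userid"}      # HTTP parameters used for state (query string or post data)
STATE_PATH_RE = re.compile(r"\([\w\d]+\)")   # the guide's extended-path pattern, written /\([\w\d]+\)/
NAV_PARAMS = {"Page", "Subpage"}             # HTTP parameters used for navigation


def parse_query(query):
    """Split a query string into (name, value) pairs; '&' and ';' both separate pairs."""
    pairs = []
    for item in re.split(r"[&;]", query):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def build_query(pairs):
    return "&".join(f"{name}={value}" for name, value in pairs)


def replace_state(url, post_data, fresh_values, fresh_path_token=None):
    """Rewrite a recorded request so each state carrier holds the value just obtained from the server.

    fresh_values maps a state parameter name (PHPSESSID, userid, ...) to its new value;
    fresh_path_token replaces the parenthesised session segment in the URL path, if any.
    Parameters that are not state parameters are left untouched, so replaying the request
    no longer fails on a stale session ID.
    """
    parts = urlsplit(url)
    path = parts.path
    if fresh_path_token is not None:
        path = STATE_PATH_RE.sub(lambda m: f"({fresh_path_token})", path)
    query = [(n, fresh_values.get(n, v) if n in STATE_PARAMS else v) for n, v in parse_query(parts.query)]
    body = [(n, fresh_values.get(n, v) if n in STATE_PARAMS else v) for n, v in parse_query(post_data)]
    new_url = urlunsplit((parts.scheme, parts.netloc, path, build_query(query), parts.fragment))
    return new_url, build_query(body)


def resource_key(url, nav_params=frozenset()):
    """Identity used to decide whether two URLs are the same resource.

    With no navigation parameters (the default), every query string collapses and
    ?Page=1, ?Page=2 and ?Page=13;Subpage=4 look like one resource, which is why the
    guide says only one of them would be scanned. Listing Page and Subpage keeps them apart,
    while a parameter not in the list (such as lang) still does not create a new resource.
    """
    parts = urlsplit(url)
    nav = tuple(sorted((n, v) for n, v in parse_query(parts.query) if n in nav_params))
    return (parts.scheme, parts.netloc.lower(), parts.path, nav)
```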
Advanced HTTP Parsing
Most Web pages contain information that tells the browser what character set to use. This is
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV
attribute) in the HEAD section of the HTML document.
For pages that do not announce their character set, you can specify which language family (and implied
character set) Fortify WebInspect should use.
Scan Settings: Filters
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Using the Filter Settings
Use the Filters settings to add search-and-replace rules for HTTP requests and responses. This feature
is used most often to avoid the disclosure of sensitive data such as credit card numbers, employee
names, or social security numbers. It is a means of disguising information that you do not want to be
viewed by persons who use Fortify WebInspect or those who have access to the raw data. If the text
you specify is found, Fortify WebInspect reports it on the Information tab as a "Hidden Reference
Found" vulnerability.
Filter HTTP Request Content
Use this area to specify search-and-replace rules for HTTP requests.
Filter HTTP Response Content
Use this area to specify search-and-replace rules for HTTP responses.
Adding a Regular Expression Rule
To add a regular expression rule for finding or replacing keywords in requests or responses:
1. In either the Request Content or the Response Content group, click Add.
2. From the Section list, select an area to search.
3. In the Find Condition field, type (or paste) the string you want to locate (or enter a regular
expression that describes the string). You can also click the list button to insert regular expression
elements.
4. Type (or paste) the replacement string in the Replace field.
5. For case-sensitive searches, select the Case-Sensitive check box.
6. Click Update.
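The search-and-replace filtering described in this section, applied to one stored response, as an added Python example that is not WebInspect's code. The rule fields (Section, Find Condition, Replace, Case-Sensitive, plus a regex/plain-text flag), the card and SSN patterns, and the sample response are all constructed here.

```python
import re

# Constructed filter rules in the spirit of the Filter settings. The rule fields and the
# card/SSN patterns are this example's assumptions, not the product's rule syntax.
RESPONSE_RULES = [
    {"section": "body", "find": r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b", "regex": True,
     "replace": "[CARD-REDACTED]", "case_sensitive": False},
    {"section": "body", "find": r"\b\d{3}-\d{2}-\d{4}\b", "regex": True,
     "replace": "[SSN-REDACTED]", "case_sensitive": False},
    {"section": "body", "find": "j. doe", "regex": False,        # plain text, so "." is literal
     "replace": "[NAME-REDACTED]", "case_sensitive": False},    # case-insensitive: "J. Doe" matches too
    {"section": "headers", "find": r"^(Set-Cookie:\s*\w+=)[^;\r\n]+", "regex": True,
     "replace": r"\1[REDACTED]", "case_sensitive": True},
]

# Constructed HTTP response, as the scanner might store it before filtering.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSION=abc123def; Path=/\r\n"
    "\r\n"
    "<html><body>Card on file: 4111 1111 1111 1111<br>"
    "SSN: 123-45-6789<br>Account owner: J. Doe</body></html>"
)


def apply_filters(raw_response, rules):
    """Apply search-and-replace rules to the header block or the body of one response.

    Returns the masked response and a list of findings, one per rule that matched,
    mirroring the guide's "Hidden Reference Found" informational entry.
    """
    headers, sep, body = raw_response.partition("\r\n\r\n")
    findings = []
    for rule in rules:
        pattern = rule["find"] if rule["regex"] else re.escape(rule["find"])
        flags = re.MULTILINE                      # "^" then anchors each header line
        if not rule["case_sensitive"]:
            flags |= re.IGNORECASE
        if rule["section"] == "headers":
            headers, count = re.subn(pattern, rule["replace"], headers, flags=flags)
        else:
            body, count = re.subn(pattern, rule["replace"], body, flags=flags)
        if count:
            findings.append({"vulnerability": "Hidden Reference Found",
                             "section": rule["section"], "find": rule["find"], "count": count})
    return headers + sep + body, findings


if __name__ == "__main__":
    masked, hits = apply_filters(SAMPLE_RESPONSE, RESPONSE_RULES)
    print(masked)
    for hit in hits:
        print(hit)
```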
Scan Settings: Cookies/Headers
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Standard Header Parameters
You can elect to include referer and/or host headers in requests sent by Fortify WebInspect.
l Include 'referer' in HTTP request headers - Select this check box to include referer headers in
HTTP requests. The Referer request-header field allows the client to specify, for the server's benefit,
the address (URI) of the resource from which the Request-URI was obtained.
l Include 'host' in HTTP request headers - Select this check box to include host headers with HTTP
requests. The Host request-header field specifies the Internet host and port number of the resource
being requested, as obtained from the original URI given by the user or referring resource (generally
an HTTP URL).
Append Custom Headers
Use this section to add, edit, or delete headers that will be included with each audit Fortify WebInspect
performs. For example, you could add a header such as "Alert: You are being attacked by Consultant
ABC" that would be included with every request sent to your company's server when Fortify
WebInspect is auditing that site. You can add multiple custom headers.
To add a custom header:
1. In the top box, enter the header using the format <name>: <value>.
2. Click Add.
The new header appears in the list of custom headers.
Append Custom Cookies
Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by
Fortify WebInspect to the server when conducting a scan.
To add a custom cookie:
1. In the top box, enter the header using the format <name>=<value>. For example, if you enter
CustomCookie=ScanEngine
then each HTTP-Request will contain the following header:
Cookie: CustomCookie=ScanEngine
2. Click Add.
The new cookie appears in the list of custom cookies.
Scan Settings: Proxy
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Proxy Settings
Select one of the following options:
l Direct Connection (proxy disabled) - Select this option if you are not using a proxy server.
l Automatically detect proxy settings - If you select this option, Fortify WebInspect will use the
Web Proxy Autodiscovery Protocol (WPAD) to automatically locate a proxy autoconfig file and use
this to configure the browser's web proxy settings.
l Use Internet Explorer proxy settings - Select this option to use the proxy server settings
configured for the Internet Explorer browser on the machine that will conduct the scan.
l Use Firefox proxy settings - Select this option to use the proxy server settings configured for the
Firefox browser on the machine that will conduct the scan.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a
proxy server. If the Firefox browser connection settings are configured for “No proxy,” or if the
Internet Explorer setting “Use a proxy server for your LAN” is not selected, then a proxy server will
not be used.
l Configure a proxy using a PAC file URL - Select this option to load proxy settings from a Proxy
Automatic Configuration (PAC) file. Then specify the file location in the URL field.
l Explicitly configure proxy - Select this option to access the Internet through a proxy server, and
then enter the requested information. For proxy servers accepting https connections, select the
Specify Alternative Proxy for HTTPS check box and provide the requested information.
1. In the Server field, type the URL or IP address of your proxy server.
2. In the Port field, enter the port number (for example, 8080).
3. Select a protocol for handling TCP traffic through a proxy server: Standard, Socks4, or Socks5.
4. If your proxy server requires authentication, enter the qualifying user name and password.
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
Scan Settings: Authentication
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Requires Network Authentication
Select this option if users must log on to your Web site or application. Then select an authentication
method and specify a user name and password.
Caution: Fortify WebInspect will crawl all servers granted access by this password (if the
sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your
administrative systems, do not use a user name and password that has administrative rights. If you
are unsure about your access rights, contact your System Administrator or internal security
professional, or contact HPE Security Fortify Support.
The authentication methods are:
Basic
A widely used, industry-standard method for collecting user name and password information. The Web
browser displays a dialog box for a user to enter a previously assigned user name and password and
then attempts to establish a connection to a server using the user's credentials. If the Web server verifies
that the user name and password correspond to a valid user account, a connection is established. Basic
authentication is not recommended unless you are confident that the connection between the user and
your Web server is secure.
NTLM
An authentication process that is used by all members of the Windows NT family of products. Like its
predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without
requiring that either a password or a hashed password be sent across the network. Use NTLM
authentication for servers running IIS. If NTLM authentication is enabled, and Fortify WebInspect has
to pass through a proxy server to submit its requests to the Web server, Fortify WebInspect may not be
able to crawl or audit that Web site. Use caution when configuring Fortify WebInspect for scans of sites
protected by NTLM. After scanning, you may want to disable the NTLM authentication settings to
prevent any potential problem.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a Key
Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS)
and a Ticket Granting Server (TGS). The client authenticates itself to AS, then demonstrates to the TGS
that it is authorized to receive a ticket for a service (and receives it). The client then demonstrates to a
Service Server that it has been approved to receive the service. This authentication method will be
successful only if the Web server has been configured to return a response header of “WWW-Authenticate: Kerberos” instead of “WWW-Authenticate: Negotiate.”
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system. Using
digest authentication, your password is never sent across the network in the clear, but is always
transmitted as an MD5 digest of the user's password. In this way, the password cannot be determined
by sniffing network traffic.
Automatic
Allow Fortify WebInspect to determine the correct authentication type. Automatic detection slows the
scanning process. If you know and specify one of the other authentication methods, scanning
performance is noticeably improved.
Client Certificates
Client certificate authentication allows users to present client certificates rather than entering a user
name and password.
To use client certificates:
1. Select Use Client Certificate.
2. Click Browse to choose a certificate.
Scan Settings: File Not Found
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Determine File Not Found (FNF) Using HTTP Response Codes
Select this option to rely on HTTP response codes to detect a file-not-found response from the server.
You can then identify the codes that fit the following two categories.
l Forced valid response codes (never an FNF): You can specify HTTP response codes that should
never be treated as a file-not-found response.
l Forced FNF response codes (always an FNF): Specify those HTTP response codes that will always
be treated as a file-not-found response. Fortify WebInspect will not process the response contents.
Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to
separate the first and last code in the list (for example, 400-404). You can specify multiple codes or
ranges by separating each entry with a semicolon.
Determine File Not Found from Custom Supplied Signature
Use this area to add information about any custom 404 page notifications that your company uses. If
your company has configured a different page to display when a 404 error occurs, add the information
here. False positives can result from 404 pages that are unique to your site.
You can specify a signature using plain text, a regular expression, or, using the SPI Regex option,
Regular Expression Extensions. For information about the Regular Expression Editor tool, see the HPE
Security Fortify WebInspect Tools Guide.
Auto-Detect File Not Found Page
Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not
exist. Instead, they may return a status "200 OK" but the response contains a message that the file
cannot be found. Select this check box if you want Fortify WebInspect to detect these "custom" file-not-found pages.
Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources
that cannot possibly exist on the server. It then compares each response and measures the amount of
text that differs between the responses. For example, most messages of this type have the same
content (such as "Sorry, the page you requested was not found"), with the possible exception being the
name of the requested resource. If you select the Auto-Detect File Not Found Page check box, you
can specify what percentage of the response content must be the same. The default is 90 percent.
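The three file-not-found methods of this section (forced response codes, a learned custom signature, and the percentage comparison with its 90 percent default) as an added Python example that is not WebInspect's code. The similarity measure (difflib's ratio), the order in which the methods are consulted, and the sample pages are assumptions made here.

```python
import difflib
import re

DEFAULT_MATCH_PERCENT = 90   # the guide's default for Auto-Detect File Not Found Page


def parse_code_spec(spec):
    """Expand the guide's response-code syntax: single codes or dash ranges, separated by ';'.

    parse_code_spec("400-404;410") -> {400, 401, 402, 403, 404, 410}
    """
    codes = set()
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        match = re.fullmatch(r"(\d{3})\s*-\s*(\d{3})", entry)
        if match:
            first, last = int(match.group(1)), int(match.group(2))
            codes.update(range(first, last + 1))
        else:
            codes.add(int(entry))
    return codes


# Constructed settings: redirects are never FNF; 400-404 and 410 always are.
FORCED_VALID = parse_code_spec("301-302; 307")
FORCED_FNF = parse_code_spec("400-404;410")


def similarity_percent(a, b):
    """Percentage of text shared by two response bodies (difflib ratio scaled to 0-100)."""
    return 100.0 * difflib.SequenceMatcher(None, a, b).ratio()


def learn_fnf_signature(probe_bodies, match_percent=DEFAULT_MATCH_PERCENT):
    """Given responses to requests for resources that cannot exist, return a custom
    file-not-found signature if the probes agree with each other, else None."""
    reference = probe_bodies[0]
    for other in probe_bodies[1:]:
        if similarity_percent(reference, other) < match_percent:
            return None      # the site answers nonsense requests inconsistently: no stable custom page
    return reference


def is_file_not_found(status, body, signature=None, match_percent=DEFAULT_MATCH_PERCENT):
    """Combine the methods: forced valid codes, forced FNF codes, then body comparison."""
    if status in FORCED_VALID:
        return False
    if status in FORCED_FNF:
        return True          # response content is not even examined
    if signature is not None and similarity_percent(body, signature) >= match_percent:
        return True          # e.g. "200 OK" carrying the "page you requested was not found" text
    return status == 404


def custom_404_page(resource):
    """Constructed custom 'not found' page that echoes the requested name, like many real sites."""
    return ("<html><body><h1>Sorry, the page you requested was not found</h1>"
            f"<p>Requested resource: {resource} </p>"
            "<p>Please try the home page.</p></body></html>")


# Constructed probe responses (random names that cannot exist) and one genuine page.
PROBES = [custom_404_page(name) for name in ("/zq8f1k2m.html", "/x93jd0lq.html", "/p0w4e7rt.html")]
REAL_PAGE = ("<html><body><h1>Welcome to the bike shop</h1><p>Browse our catalog of road, mountain "
             "and city bikes. Sale items this week include helmets and lights.</p></body></html>")
```

Only the resource name differs between the probe pages, so they agree well above 90 percent and become the signature; a genuine page shares little more than the HTML skeleton with it.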
Scan Settings: Policy
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Policy
Select a policy. A policy is a collection of audit engines and attack agents that Fortify WebInspect uses
when auditing or crawling your Web application. Each component has a specific task, such as testing for
cross-site scripting susceptibility, building the site tree, probing for known server vulnerabilities, etc. For
policy descriptions, see "Policies List" on page 126.
Note: You cannot select a policy for a Web Service scan.
Crawl Settings: Link Parsing
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Link Parsing
Fortify WebInspect follows all hyperlinks defined by HTML (using the <a href> tag) and those defined
by scripts (JavaScript and VBScript). However, you may encounter other communications protocols that
use a different syntax for specifying links. To accommodate this possibility, you can use the Custom
Links feature to identify (using regular expressions) links that you want Fortify WebInspect to follow.
To add a specialized link identifier:
1. Click Add.
2. In the Custom Links field, enter a regular expression designed to identify the link.
3. (Optional) Enter a description of the link in the Comments field.
4. Click Update.
Crawl Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Note: All items specified in the Scan Settings - Session Exclusions are automatically replicated in
the Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in
gray (not black) text. If you do not want these objects to be excluded from the crawl, you must
remove them from the Scan Settings - Session Exclusions panel. This panel (Crawl Settings - Session Exclusions) allows you to specify additional objects to be excluded from the crawl.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
Follow the steps below to add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited.
Follow the steps below to add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the Web site, since
you don't want to log out of the application before the scan is completed. To check for broken links to
URLs that you don't want to process, select only the Exclude option.
Follow the steps below to add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host
l Exclude - Send request, but do not process response
5. Click Update.
Audit Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the Session
Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray (not black)
text. If you do not want these objects to be excluded from the audit, you must remove them from the
Scan Settings - Session Exclusions panel. This panel (Audit Settings - Session Exclusions) allows you to
specify additional objects to be excluded from the audit.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
To add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited. For more information, see "MIME
Types" on page 191.
To add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the site, since you
don't want to log out of the application before the scan is completed. To check for broken links to URLs
that you don't want to process, select only the Exclude option.
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
Audit Settings: Attack Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to
attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA
parameters.
To prevent certain parameters from being modified:
1. In the Excluded Parameters group, click Add.
2. In the Parameter field, enter the name of the parameter you want to exclude.
3. Choose the area in which the parameter may be found: HTTP query data or HTTP POST data. You
can select both areas, if necessary.
4. Click Update.
Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack
the Web site. This feature is used to avoid corrupting cookie values. This setting requires you to enter
the name of a cookie.
In the following example HTTP response, the name of the cookie is "FirstCookie."
Set-Cookie: FirstCookie=Chocolate+Chip; path=/
To exclude certain cookies:
1. In the Excluded Cookies group, click Add.
2. In the Parameter field, type a cookie name or enter a regular expression that you believe will
match the cookies you want to exclude.
3. Click Update.
Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to
attack the Web site. This feature is used to avoid corrupting header values.
To prevent certain headers from being modified, create a regular expression using the procedure
described below.
1. In the Excluded Headers group, click Add.
2. In the Parameter field, type a header name or enter a regular expression that you believe will
match the headers you want to exclude.
3. Click Update.
Audit Inputs Editor
Using the Audit Inputs Editor, you can create additional parameters for audit engines and checks that
require inputs.
To load inputs that you previously created using the editor, click the Browse button next to the Import
Audit Inputs button.
Audit Settings: Attack Expressions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Additional Regular Expression Languages
You may select one of the following language code-country code combinations (as used by the
CultureInfo class in the .NET Framework Class Library):
l ja-jp: Japanese - Japan
l ko-kr: Korean - Korea
l zh-cn: Chinese - China
l zh-tw: Chinese - Taiwan
l es-mx: Spanish - Mexico
The CultureInfo class holds culture-specific information, such as the associated language, sublanguage,
country/region, calendar, and cultural conventions. This class also provides access to culture-specific
instances of DateTimeFormatInfo, NumberFormatInfo, CompareInfo, and TextInfo. These objects
contain the information required for culture-specific operations, such as casing, formatting dates and
numbers, and comparing strings.
Audit Settings: Vulnerability Filters
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Select Vulnerability Filters to Enable
By applying certain filters, you can limit the display of certain vulnerabilities reported during a scan. The
options are:
l Standard Vulnerability Definition - This filter sorts parameter names for determining equivalency
between similar requests. For example, if a SQL injection vulnerability is found in parameter "a" in
both http://x.y?a=x;b=y and http://x.y?b=y;a=x, it would be considered equivalent.
l Parameter Vulnerability Roll-Up - This filter consolidates multiple parameter manipulation and
parameter injection vulnerabilities discovered during a single session into one vulnerability.
l 403 Blocker - This filter revokes vulnerabilities when the status code of the vulnerable session is 403
(Forbidden).
l Response Inspection Dom Event Parent-Child - This filter disregards a keyword search
vulnerability found in JavaScript if the same vulnerability has already been detected in the parent
session.
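The first three filters above (Standard Vulnerability Definition, Parameter Vulnerability Roll-Up and 403 Blocker) applied to a handful of findings, as an added Python example that is not WebInspect's code. The finding fields, the set of checks that roll up, and the sample findings are assumptions constructed here; the sorted-parameter-name comparison follows the guide's a=x;b=y example.

```python
import re
from urllib.parse import urlsplit

# Constructed findings in the shape an audit might record them; field names are this example's
# assumptions, not WebInspect's data model.
FINDINGS = [
    {"id": 1, "check": "SQL Injection", "url": "http://x.y/?a=x;b=y", "param": "a", "status": 500, "session": "s1"},
    {"id": 2, "check": "SQL Injection", "url": "http://x.y/?b=y;a=x", "param": "a", "status": 500, "session": "s2"},
    {"id": 3, "check": "Parameter Manipulation", "url": "http://x.y/order?b=1&c=2", "param": "b", "status": 200, "session": "s3"},
    {"id": 4, "check": "Parameter Injection", "url": "http://x.y/order?b=1&c=2", "param": "c", "status": 200, "session": "s3"},
    {"id": 5, "check": "Cross-Site Scripting", "url": "http://x.y/search?q=1", "param": "q", "status": 403, "session": "s4"},
]

ROLL_UP_CHECKS = {"Parameter Manipulation", "Parameter Injection"}   # assumed set of checks that consolidate


def standard_definition_key(finding):
    """Standard Vulnerability Definition: sort the parameter names so that
    ?a=x;b=y and ?b=y;a=x describe the same request for the same check and parameter."""
    parts = urlsplit(finding["url"])
    names = sorted(item.split("=", 1)[0] for item in re.split(r"[&;]", parts.query) if item)
    return (finding["check"], parts.netloc, parts.path, tuple(names), finding["param"])


def apply_vulnerability_filters(findings, enabled):
    """Apply the enabled filters, named as in the guide, and return the findings that remain."""
    result = list(findings)
    if "403 Blocker" in enabled:
        # Revoke anything whose vulnerable session was answered with 403 Forbidden.
        result = [f for f in result if f["status"] != 403]
    if "Standard Vulnerability Definition" in enabled:
        seen, deduped = set(), []
        for f in result:
            key = standard_definition_key(f)
            if key not in seen:          # first occurrence is kept, equivalents are dropped
                seen.add(key)
                deduped.append(f)
        result = deduped
    if "Parameter Vulnerability Roll-Up" in enabled:
        rolled, others = {}, []
        for f in result:
            if f["check"] in ROLL_UP_CHECKS:
                # One consolidated entry per session, listing every affected parameter.
                entry = rolled.setdefault(f["session"],
                                          {**f, "check": "Parameter Vulnerability Roll-Up", "params": []})
                entry["params"].append(f["param"])
            else:
                others.append(f)
        result = others + list(rolled.values())
    return result


if __name__ == "__main__":
    for f in apply_vulnerability_filters(FINDINGS, {"Standard Vulnerability Definition",
                                                    "Parameter Vulnerability Roll-Up", "403 Blocker"}):
        print(f)
```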
To add a filter to your default settings, select a filter in the Available area and click >. The filter is
removed from the Available list and added to the Selected list.
HPE Security Fortify WebInspect Enterprise (16.20)
Page 204 of 362
User Guide
Chapter 4: WebInspect Enterprise Web Console
To disable a filter, select a filter in the Selected list and click <. The filter is removed from the Selected
list and added to the Available list.
To add all available filters, click >>.
To remove all selected filters, click <<.
Audit Settings: Smart Scan
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Smart Scan
Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and
checks for known vulnerabilities against that specific server type. For example, if you are scanning a site
hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is
susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.
If you select Enable Smart Scan, you can choose one or both of the identification methods described
below.
l Use regular expressions on HTTP responses - This method searches the server response for
strings that match predefined regular expressions designed to identify specific servers.
l Use server analyzer fingerprinting and request sampling - This advanced method sends a series
of HTTP requests and then analyzes the responses to determine the server type.
Custom Server/Application Type Definitions (more accurate detection)
If you know the server type for a target domain, you can select it using the Custom server/application
type definitions (more accurate detection) section. This identification method overrides any other
selected method for the server you specify.
1. Click Add.
2. In the Host field, enter the domain name or host, or the server's IP address.
3. Select one or more entries from the Server/Application list.
4. Click OK.
Scan Behavior: Blackout Action
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Blackout Action
A blackout period is a block of time during which scans are not permitted.
If a blackout period begins while a scan is running, you may either stop the scan or suspend it. The
sensor will resume a suspended scan when the blackout period ends.
Export: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Export Scan Results
Select this option to export the scan results. Then provide the requested information.
l Export Path - Enter or select a destination for the exported scan. Because the Fortify WebInspect
Enterprise Manager service writes the output, the specified path must be writable by the Manager
service user. You should use a UNC pathname so that it will be accessible to both the Fortify
WebInspect Enterprise Manager and end users. You may alternatively specify a drive letter and path
(for example, C:\WIE\Output\), but the path will apply to the Fortify WebInspect Enterprise Manager
and may not be accessible to end users.
l Export Format - Select how you want the exported file to be formatted. Your choices are
WebInspect Scan File (.scan) or Extensible Markup Language (.xml).
l Automatically generate file name - If you select this option, the name of the file will be formatted
as <scan name> <date/time>.[xml or scan]. For example, if the scan name is "mysite" and the scan is
generated at 6:30 on April 5, the file name would be "mysite 04_05_2007 06_30.scan [or .xml]." This
is useful for recurring scans.
If you want to specify a name, clear the Automatically generate file name check box and then type
the name in the File Name field.
Scheduled Scan Settings
The following pages describe the scheduled scan settings, including crawl and audit settings.
Scheduled Scan - Schedule: General
Enter or select the following settings. Then enter additional settings (as required) using the panels in
the left column. To schedule the scan, click Finish.
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Schedule Name
Enter a name that identifies this scheduled scan.
Start Time
Enter the date and time you want the scan to begin. You can select the date from a calendar popup and
the time from a clock popup.
Time Zone
The time zone for the location of the target server specified for the scheduled scan. The time zone
defaults to the zone in which you are working (as selected using the Configure Options window). If the
target server is in a different time zone, you should usually select the server’s time zone and specify the
Start Time using local time. For example, if you are in New York City, USA (UTC-05:00) and the target
server is in Rome, Italy (UTC+01:00), and you want to schedule a scan to begin at 8 a.m. Rome time, you
could do either of the following:
l Select the UTC+01:00 time zone (Rome) and specify a Start Time of 8 a.m.
l Select the UTC-05:00 time zone (New York City) and specify a Start Time of 2 a.m.
Next Scheduled Time
For a scan that is scheduled to recur, this read-only field displays the time and date of the next
scheduled scan.
Last Occurred On
For a scan that is scheduled to recur, this read-only field displays the time and date when a scan last
occurred.
Enter other settings as required using the panels in the left column.
Note: Even while the scan is under way, you can change the status of vulnerabilities that have
already been identified, add attachments to them, mark them as false positives, or mark them to be
ignored.
Scheduled Scan - Schedule: Recurrence
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Recurring
To schedule a scan, a Smart Update, or a blackout on a recurring basis:
1. Select the Recurring check box.
Do NOT select this option if you want to schedule a one-time-only event.
2. Use the Pattern group to select the frequency of the event (daily or every x days, weekly, monthly,
or yearly) and then provide the appropriate information.
3. Using the Range group, specify the starting date and the ending date (or select Never if the event
is to run indefinitely). You can also limit the number of times the event should occur.
Scheduled Scan - Scan: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan URL
Select one of the following scan types.
Standard Scan
Fortify WebInspect performs an automated analysis, starting from the target URL. This is the normal
way to start a scan.
1. In the URL field, type or select the complete URL or IP address of the site you want to examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, you will not
scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the
Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect supports both Internet Protocol version 4 (IPv4) and Internet Protocol version
6 (IPv6). IPv6 addresses must be enclosed in brackets.
2. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from the
drop-down list. The choices are:
l Directory only (self) - Fortify WebInspect will crawl and/or audit only the URL you specify. For
example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify
WebInspect will assess only the "two" directory.
l Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at the
URL you specify, but will not access any directory that is higher in the directory tree.
l Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing at
the URL you specify, but will not access any directory that is lower in the directory tree.
List-Driven Scan
Perform a scan using a list of URLs to be scanned. Each URL must be fully qualified and must include
the protocol (for example, http:// or https://). You can use a text file, formatted as comma-separated list
or one URL per line, or the XML file generated by the FilesToURLs utility.
Click Browse to select a text file or XML file containing the list of URLs you want to scan.
Click View to view the contents of the selected file.
Workflow-Driven Scan
Fortify WebInspect audits only those URLs included in the macro that you previously recorded and
does not follow any hyperlinks encountered during the audit. A logout signature is not required. This
type of macro is used most often to focus on a particular subsection of the application. If you select
multiple macros, they will all be included in the same scan.
Click Browse and select a macro containing the URLs you want to scan.
Web Service Scan
When performing a Web Service scan, Fortify WebInspect crawls the WSDL site and submits a value for
each parameter in each operation it discovers. These values are extracted from a file that you must
create using the Web Service Test Designer. It then audits the site by attacking each parameter in an
attempt to detect vulnerabilities such as SQL injection.
Click Browse to select a Web Service Test Design (WSD) file that was previously created using the Web
Service Test Designer.
Priority
Select a priority from 1 (highest) to 5 (lowest). If a scheduling conflict occurs, the scan with the highest
priority will take precedence.
Sensor
Select which sensor should conduct the scan. You can choose a specific sensor or select the Any
Available option.
Important! A sensor can perform only one scan at a time. If it is conducting a scan when another
scan is scheduled to occur, then:
l If the currently running scan has a higher priority, the Fortify WebInspect Enterprise Manager
will place the second scan in a queue until the first scan finishes or until another sensor becomes
available.
l If the currently running scan has a lower priority, the Fortify WebInspect Enterprise Manager will
suspend that scan, assign the second scan to that sensor, and then reassign the suspended scan
to the sensor when the higher priority scan is complete.
Scans that are manually initiated have priority over any scheduled scan.
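The sensor assignment rules above (queue behind a higher-priority scan, preempt a lower-priority one, manual scans outrank scheduled ones) as an added model that is not WebInspect Enterprise code. It assumes that an equal-priority scan waits rather than preempting, and that a suspended scan is reassigned before a queued scan of equal precedence.

```python
"""Added example (not WebInspect Enterprise code): a small model of the
sensor assignment rules described above."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Scan:
    name: str
    priority: int          # 1 = highest, 5 = lowest
    manual: bool = False   # manually initiated scans outrank every scheduled scan

    def rank(self):
        """Sort key: smaller wins. Manual scans sort before scheduled ones,
        then by priority number."""
        return (0 if self.manual else 1, self.priority)


@dataclass
class Sensor:
    name: str
    running: Optional[Scan] = None   # a sensor performs only one scan at a time


class Manager:
    def __init__(self, sensors: List[Sensor]):
        self.sensors = sensors
        self.queued: List[Scan] = []      # waiting for a sensor
        self.suspended: List[Scan] = []   # preempted, to be reassigned later
        self.log: List[str] = []

    def submit(self, scan: Scan, sensor_name: Optional[str] = None) -> str:
        """Assign a scan to a named sensor, or to any available one."""
        candidates = [s for s in self.sensors if sensor_name in (None, s.name)]
        if not candidates:
            raise ValueError(f"unknown sensor {sensor_name!r}")
        idle = [s for s in candidates if s.running is None]
        if idle:
            idle[0].running = scan
            self.log.append(f"{scan.name}: running on {idle[0].name}")
            return "running"
        # Every candidate sensor is busy: look at the one running the
        # lowest-precedence scan.
        victim = max(candidates, key=lambda s: s.running.rank())
        if scan.rank() < victim.running.rank():
            # The new scan outranks it: suspend the running scan, take the sensor.
            self.suspended.append(victim.running)
            self.log.append(f"{victim.running.name}: suspended on {victim.name}")
            victim.running = scan
            self.log.append(f"{scan.name}: running on {victim.name}")
            return "running"
        # Equal or lower precedence (assumption: ties do not preempt): it waits.
        self.queued.append(scan)
        self.log.append(f"{scan.name}: queued")
        return "queued"

    def finish(self, sensor_name: str) -> Optional[Scan]:
        """The scan on this sensor completed; hand the sensor to the best waiting
        scan. Assumption: suspended scans win ties against queued ones."""
        sensor = next(s for s in self.sensors if s.name == sensor_name)
        self.log.append(f"{sensor.running.name}: finished on {sensor.name}")
        sensor.running = None
        waiting = self.suspended + self.queued
        if not waiting:
            return None
        nxt = min(waiting, key=lambda s: s.rank())   # min() keeps the first of equals
        (self.suspended if nxt in self.suspended else self.queued).remove(nxt)
        sensor.running = nxt
        self.log.append(f"{nxt.name}: resumed on {sensor.name}")
        return nxt


if __name__ == "__main__":
    m = Manager([Sensor("sensor-1")])
    m.submit(Scan("nightly", priority=3))
    m.submit(Scan("urgent", priority=1))      # preempts nightly
    m.submit(Scan("weekly", priority=4))      # queued behind urgent
    while m.finish("sensor-1"):
        pass
    print("\n".join(m.log))
```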
Scheduled Scan - Scan Settings: Method
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Mode
Select one of the following modes:
l Crawl Only - This option completely maps a site's tree structure. After a crawl has been completed,
you can click Audit to assess an application’s vulnerabilities.
l Crawl and Audit - As Fortify WebInspect maps the site's hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed. This is described in the Crawl and Audit Mode section as the option to crawl and
audit Simultaneously.
l Audit Only - Fortify WebInspect applies the methodologies of the selected policy to determine
vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
Crawl and Audit Mode
If the selected scan mode is Crawl and Audit, choose one of the following:
l Simultaneously - As Fortify WebInspect maps the site’s hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed.
l Sequentially - In this mode, Fortify WebInspect crawls the entire site, mapping the site’s hierarchical
data structure, and then conducts a sequential audit, beginning at the site’s root. If you select this
option, you can specify the order in which the crawl and audit should be conducted.
l Test each engine type per session (engine driven): Fortify WebInspect audits all sessions using
the first audit engine, then audits all sessions using the second audit engine, continuing in
sequence until all engine types have been deployed.
l Test each session per engine type (session driven): Fortify WebInspect runs all audit engines
against the first session, then runs all audit engines against the second session, continuing in
sequence until all sessions are audited.
Scan Behavior
You can select any of the following optional behaviors:
l Use a login macro for forms authentication - This type of macro is used primarily for Web form
authentication. It incorporates logic that will prevent Fortify WebInspect from terminating
prematurely if it inadvertently logs out of your application. The drop-down list contains the names of
all macros that have been uploaded to Fortify WebInspect Enterprise. Macros that are available in the
repository for the selected Project and Project Version are listed with “(Repository)” prepended to
the macro name. You can select one of these, or you can click Browse to locate a macro and upload it.
See "Working with the Macro Repository" on page 139 for more information.
If you specified login parameters when recording the macro, Fortify WebInspect will substitute these
credentials for those used in the macro when it scans a page containing the input control associated
with this entry.
l Use a startup macro - This type of macro is used most often to focus on a particular subsection of
the application. It specifies URLs that Fortify WebInspect will use to navigate to that area. It may also
include login information, but does not contain logic that will prevent Fortify WebInspect from
logging out of your application. Fortify WebInspect visits all URLs in the macro, collecting hyperlinks
and mapping the data hierarchy. It then calls the Start URL and begins a normal crawl (and,
optionally, audit). The drop-down list contains the names of all macros that have been uploaded to
Fortify WebInspect Enterprise. You can select one of these, or you can click Browse to locate a macro
and upload it.
Important! Do not use a login macro and a startup macro with the same name. The scan may
yield undesirable results.
l Auto-fill Web forms during crawl - If you select this option, Fortify WebInspect submits values for
input controls found on all HTML forms it encounters while scanning the target site. Fortify
WebInspect will extract the values from a prepackaged default file or from a file that you create using
the Web Form Editor. Use the Browse button to specify the file containing the values you want to
use. Alternatively, you can select Edit (to modify the currently selected file) or Create (to record new
Web form values).
Scheduled Scan - Scan Settings: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Details
You may choose the following options:
l Enable Path Truncation - Path truncation attacks are requests for known directories without file
names. This may cause directory listings to be displayed. Fortify WebInspect truncates paths, looking
for directory listings or unusual errors within each truncation. Example: If a link consists of
http://www.site.com/folder1/folder2/file.asp, then truncating the path to look for
http://www.site.com/folder1/folder2/ and http://www.site.com/folder1/ will cause the server to reveal
directory contents or will cause unhandled exceptions.
l Attach debug information in request header - If you select this option, Fortify WebInspect
includes a "Memo:" header in the request containing information that can be used by support
personnel to diagnose problems.
l Case-sensitive request and response handling - Select this option if the server at the target site is
case-sensitive to URLs.
l Compress response data - If you select this option, Fortify WebInspect saves disk space by storing
each HTTP response in a compressed format in the database.
l Maximum crawl-audit recursion depth - When an attack reveals a vulnerability, Fortify WebInspect
crawls that session and follows any link that may be revealed. If that crawl and audit reveals a link to
yet another resource, the depth level is incremented and the discovered resource is crawled and
audited. This process can be repeated until no other links are found. However, to avoid the possibility
of entering an endless loop, you may limit the number of recursions. The maximum value is 1,000.
Crawl Details
You may choose the following options:
l Crawler - Select either Depth First or Breadth First.
Depth-first crawling accommodates sites that enforce order-dependent navigation (where the
browser must visit page A before it can visit page B). This type of search progresses by expanding
the first child node (link) and crawling deeper and deeper until it reaches a node that has no children.
The search then backtracks, returning to the most recent node it hasn't finished exploring and drilling
down from there. The following illustration depicts the order in which linked pages are accessed
using a depth-first crawl. Node 1 has links to nodes 2, 7, and 8. Node 2 has links to nodes 3 and 6.
By contrast, breadth-first crawling begins at the root node and explores all the neighboring nodes
(one level down). Then for each of those nearest nodes, it explores their unexplored neighbor nodes,
and so on, until all resources are identified. The following illustration depicts the order in which linked
pages are accessed using a breadth-first crawl. Node 1 has links to nodes 2, 3, and 4. Node 2 has links
to nodes 5 and 6.
When performing a depth-first crawl, Fortify WebInspect pursues links in a fashion that more closely
represents human interaction. While slower than breadth-first crawling, the depth-first method
accommodates applications that enforce ordering of requests (such as requiring the user to visit a
“shopping cart” page before accessing the “check-out” page).
l Enable keyword search audit - A keyword search, as its name implies, uses an attack engine that
examines server responses and searches for certain text strings that typically indicate a vulnerability.
Normally, this engine is not used during a crawl-only scan, but you can enable it by selecting this
option.
l Perform redundant page detection - Highly dynamic sites could create an infinite number of
resources (pages) that are virtually identical. If allowed to pursue each resource, Fortify WebInspect
would never be able to finish the scan. This option, however, allows Fortify WebInspect to identify
and exclude processing of redundant resources.
l Limit maximum single URL hits to - Use this field to limit the number of times a single link will be
followed during a crawl. Sometimes, the configuration of a site will cause a crawl to loop endlessly
through the same URL.
l Include parameters in hit count - If you select Limit maximum single URL hits to (above), a
counter is incremented each time the same URL is encountered. However, if you also select Include
parameters in hit count, then when parameters are appended to the URL specified in the HTTP
request, the crawler will crawl that resource up to the single URL limit. Any differing set of parameters
is treated as unique and has a separate count.
For example, if this option is selected, then "page.aspx?a=1" and "page.aspx?b=1" will both be
counted as unique resources (meaning that the crawler has found two pages). If this option is not
selected, then "page.aspx?a=1" and "page.aspx?b=1" will be treated as the same resource (meaning
that the crawler has found the same page twice).
l Limit maximum link traversal sequence to - This option restricts the number of hyperlinks that
can be sequentially accessed as Fortify WebInspect crawls the site. For example, if five resources are
linked as follows:
l Page A contains a hyperlink to Page B
l Page B contains a hyperlink to Page C
l Page C contains a hyperlink to Page D
l Page D contains a hyperlink to Page E
and if this option is set to "3," then Page E will not be crawled.
The default value is 15.
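An added example (not WebInspect Enterprise code) covering the crawl behaviour described above: the depth-first and breadth-first visiting order, the single-URL hit limit with and without parameters in the hit count, and the link traversal sequence limit. The link maps are constructed to match the text (node 1 links to 2, 7, 8 and node 2 to 3, 6 for depth-first; node 1 links to 2, 3, 4 and node 2 to 5, 6 for breadth-first); the remaining edges are assumed.

```python
"""Added example (not WebInspect Enterprise code): crawl ordering and the crawl
limits described above, run over constructed link maps."""
from collections import deque
from typing import Dict, Hashable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed link maps; edges the text does not mention are assumed.
DEPTH_FIRST_SITE = {1: [2, 7, 8], 2: [3, 6], 3: [4, 5]}
BREADTH_FIRST_SITE = {1: [2, 3, 4], 2: [5, 6], 3: [7], 4: [8]}
# Page A -> B -> C -> D -> E, as in the link traversal example above.
CHAIN = {"A": ["B"], "B": ["C"], "C": ["D"], "D": ["E"]}
# A constructed site whose two parameterised pages link to each other forever.
LOOP_SITE = {
    "/index": ["/page.aspx?a=1", "/page.aspx?b=1"],
    "/page.aspx?a=1": ["/page.aspx?b=1"],
    "/page.aspx?b=1": ["/page.aspx?a=1"],
}


def crawl_order(links: Dict, start, depth_first: bool) -> List:
    """Order in which pages are reached with a depth-first or breadth-first crawl."""
    order, seen = [], {start}
    if depth_first:
        def visit(node):               # expand the first child fully before its siblings
            order.append(node)
            for child in links.get(node, []):
                if child not in seen:
                    seen.add(child)
                    visit(child)
        visit(start)
    else:
        queue = deque([start])         # finish one level before descending
        while queue:
            node = queue.popleft()
            order.append(node)
            for child in links.get(node, []):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
    return order


def resource_key(url: str, include_params: bool) -> Hashable:
    """Identity used by the single-URL hit counter. Without 'Include parameters
    in hit count' the query string is ignored; with it, each distinct parameter
    set is counted separately."""
    parts = urlsplit(url)
    if not include_params:
        return parts.path
    return (parts.path, tuple(sorted(parse_qsl(parts.query, keep_blank_values=True))))


def limited_crawl(links: Dict[str, List[str]], start: str, max_link_sequence: int = 15,
                  max_single_url_hits: Optional[int] = None,
                  include_params: bool = False) -> Tuple[List[str], Dict[Hashable, int]]:
    """Breadth-first crawl that stops following a chain after max_link_sequence
    hops and stops re-crawling a resource after max_single_url_hits visits."""
    hits: Dict[Hashable, int] = {}
    crawled: List[str] = []
    queue = deque([(start, 0)])            # (url, hops from the start URL)
    while queue:
        url, hops = queue.popleft()
        if hops > max_link_sequence:
            continue                        # beyond the traversal limit: not crawled
        key = resource_key(url, include_params)
        hits[key] = hits.get(key, 0) + 1
        if max_single_url_hits is not None and hits[key] > max_single_url_hits:
            continue                        # this resource has been followed enough times
        crawled.append(url)
        for child in links.get(url, []):
            queue.append((child, hops + 1))
    return crawled, hits


if __name__ == "__main__":
    print("depth-first:", crawl_order(DEPTH_FIRST_SITE, 1, True))
    print("breadth-first:", crawl_order(BREADTH_FIRST_SITE, 1, False))
    print("sequence limit 3:", limited_crawl(CHAIN, "A", max_link_sequence=3)[0])
    for include in (False, True):
        crawled, _ = limited_crawl(LOOP_SITE, "/index", max_single_url_hits=2,
                                   include_params=include)
        print(f"hit limit 2, include_params={include}:", crawled)
```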
l Limit maximum crawl folder depth to - The Crawl Depth value determines how deeply Fortify
WebInspect traverses the hierarchical levels of your Web site. If set to 1, Fortify WebInspect drills
down one level; if set to 2, Fortify WebInspect drills down two levels; and so on. The maximum value
is 1000.
l Limit maximum crawl count to - This feature restricts the number of HTTP requests sent by the
crawler and should be used only if you experience problems completing a scan of a large site.
Note: The limit set here does not directly correlate to the Crawled progress bar that is displayed
during a scan. The maximum crawl count set here applies to links found by the Crawler during a crawl
of the application. The Crawled progress bar includes all sessions (requests and responses) that are
parsed for links during a crawl and audit, not just the links found by the Crawler during a crawl.
l Limit maximum Web form submissions to - Normally, when Fortify WebInspect encounters a
form that contains controls having multiple options (such as a list box), it extracts the first option
value from the list and submits the form; it then extracts the second option value and resubmits the
form, repeating this process until all option values in the list have been submitted. This ensures that
all possible links will be followed. There are occasions, however, when submitting the complete list of
values would be counterproductive. For example, if a list box named "State" contains one value for
each of the 50 states in the United States, there is probably no need to submit 50 instances of the
form. Use this setting to limit the total number of submissions that Fortify WebInspect will perform.
Audit Details
If you select a depth-first crawl, you can also elect to retrace the crawl path for each parameter attack, as
opposed to applying all attacks as the crawl progresses. This considerably increases the time required to
conduct a scan.
Scheduled Scan - Scan Settings: Content Analyzers
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Content Analyzers
JavaScript/VBScript - The JavaScript/VBScript analyzer is always enabled. It allows Fortify
WebInspect to crawl links defined by JavaScript or VisualBasic script, and to create and audit any
documents rendered by JavaScript. There are settings associated with the JavaScript/VBScript content
analyzer. Click the analyzer name (JavaScript/VBScript) and configure the settings described below.
Flash - If you enable the Flash analyzer, Fortify WebInspect analyzes Flash files, Adobe's vector
graphics-based resizable animation format. There are no associated settings.
Silverlight - If you enable the Silverlight analyzer, Fortify WebInspect analyzes the multimedia,
graphics, animation, and interactivity elements developed within Microsoft's Silverlight Web application
framework. There are no associated settings.
Parser Settings
There are settings associated with the JavaScript/VBScript analyzer. Click the analyzer name
(JavaScript/VBScript) and configure the settings described below.
l Crawl links found from script execution - If you select this option, the crawler will follow dynamic
links (that is, links generated during JavaScript or Visual Basic script).
l Reject script includes to offsite hosts - Pages downloaded from a server may contain scripts that
retrieve files and dynamically render their content. An example JavaScript "include file" request is
<script type="text/javascript" src="www.badsite.com/yourfile.htm"></script>. Fortify WebInspect will
download and parse such files, regardless of their origin or file type, unless you select the Reject
Script option. It will then download the files only if permitted by the parameters normally governing
file handling (such as session and attack exclusions, allowed hosts, etc.).
l Isolate script analysis (out-of-process execution) - Fortify WebInspect analyzes and executes
JavaScript and VBScript to discover links to other resources. Applications or Web sites containing an
inordinate number of links can sometimes exhaust the amount of memory allocated to this process. If
this occurs, you can assign this function to a separate (remote) process, which will accommodate an
infinite number of links. You may, however, notice a slight increase in the amount of time required to
scan the site.
l Create DOM sessions - Fortify WebInspect creates and saves a session for each change to the
Document Object Model (DOM).
l Verbose script parser debug logging - If you select this setting and if the Application setting for
logging level is set to Debug, Fortify WebInspect logs every method called on the DOM object. This
can easily create several gigabytes of data for medium and large sites.
l Log JavaScript errors - Fortify WebInspect logs JavaScript parsing errors from the script parsing
engine.
l Maximum script events per page - Certain scripts endlessly execute the same events. You can limit
the number of events allowed on a single page to a value between 1 and 9999.
Scheduled Scan - Scan Settings: Requestor
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Requestor Performance
Select one of the following options:
l Use a shared requestor - If you select this option, the crawler and the auditor use a common
requestor when scanning a site, and each thread uses the same state, which is also shared by both
modules. This replicates the technique used by previous versions of Fortify WebInspect and is
suitable for use when maintaining state is not a significant consideration. You also specify the
maximum number of threads (up to 75).
l Use separate requestors - If you select this option, the crawler and auditor use separate
requestors. Also, the auditor's requestor associates a state with each thread, rather than having all
threads use the same state. This method results in significantly faster scans.
When performing crawl and audit, you can specify the maximum number of threads that can be
created for each requestor. The Crawl requestor thread count can be configured to send up to 25
concurrent HTTP requests before waiting for an HTTP response to the first request; the default
setting is 5. The Audit requestor thread count can be set to a maximum of 50; the default setting is
10. Increasing the thread counts may increase the speed of a scan, but might also exhaust your
system resources as well as those of the server you are scanning.
Note: Depending on the capacity of the application being scanned, increasing thread counts may
increase request failures due to increased load on the server, causing some responses to exceed the
Request timeout setting. Request failures may reduce scan coverage because the responses that
failed may have exposed additional attack surface or revealed vulnerabilities. If you notice increased
request failures, you might reduce them by either increasing the Request timeout or reducing the
Crawl requestor thread count and Audit requestor thread count.
Also, depending on the nature of the application being scanned, increased crawl thread counts may
reduce consistency between subsequent scans of the same site due to differences in crawl request
ordering. By reducing the default Crawl requestor thread count setting to 1, consistency may be
increased.
Requestor Settings
You may select the following options:
l Limit maximum response size to - Select this option to limit the size of accepted server responses
and then specify the maximum size (in kilobytes). The default is 1000 kilobytes. Note that Flash files
(.swf) and JavaScript "include" files are not subject to this limitation.
l Request retry count - Specify how many times Fortify WebInspect will resubmit an HTTP request
after receiving a "failed" response (which is defined as any socket error or request timeout). The value
must be greater than zero.
l Request timeout - Specify how long Fortify WebInspect will wait for an HTTP response from the
server. If this threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry
count. If Fortify WebInspect then receives no response, it logs the timeout and issues the first HTTP
request in the next attack series. The default value is 20 seconds.
Stop Scan if Loss of Connectivity Detected
There may be occasions during a scan when a Web server fails or becomes too busy to respond in a
timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold for the
number of timeouts.
Note: If these options are selected and a request exceeds the Request timeout setting (above), the
scan may stop because the server did not respond within that period. If the server does respond
within an extended Request timeout period, the extended period becomes the new Request timeout for
the current scan.
The following options are available:
l Consecutive "single host" retry failures to stop scan - Enter the number of consecutive timeouts
permitted from one specific server. The default value is 75.
l Consecutive "any host" retry failures to stop scan - Enter the total number of consecutive
timeouts permitted from all hosts. The default value is 150.
l Nonconsecutive "single host" retry failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from a single host. The default value is "unlimited."
l Nonconsecutive "any host" request failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from all hosts. The default value is 350.
l If first request fails, stop scan - Selecting this option will force Fortify WebInspect to terminate the
scan if the target server does not respond to Fortify WebInspect's first request.
l Response codes to stop scan if received - Enter the HTTP status codes that, if received, will force
Fortify WebInspect to terminate the scan. Use a comma to separate entries; use a hyphen to specify
an inclusive range of codes.
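The following Python script is added here as an illustration and is not Fortify WebInspect code. It models how the thresholds above interact as requests succeed or fail. The counters, the decision to stop on the first failure beyond the permitted count, and the sample request sequence are this example's assumptions; the product's internal bookkeeping is not documented on this page.

```python
import re


def parse_code_spec(spec):
    """Expand a 'Response codes to stop scan if received' entry such as
    "403, 500-504" into a set of status codes: commas separate entries,
    a hyphen gives an inclusive range."""
    codes = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d{3})(?:-(\d{3}))?", item)
        if not m:
            raise ValueError("bad response-code entry: %r" % item)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError("descending range: %r" % item)
        codes.update(range(low, high + 1))
    return codes


class ConnectivityMonitor:
    """Book-keeping for the loss-of-connectivity thresholds. Defaults are the
    page's defaults; None means unlimited. Assumption of this example: a
    threshold fires on the first failure beyond the permitted count.
    record() returns None to continue, or a string naming the reason to stop."""

    def __init__(self, single_consecutive=75, any_consecutive=150,
                 single_total=None, any_total=350,
                 stop_if_first_fails=False, stop_codes=()):
        self.limits = {"single_consecutive": single_consecutive,
                       "any_consecutive": any_consecutive,
                       "single_total": single_total,
                       "any_total": any_total}
        self.stop_if_first_fails = stop_if_first_fails
        self.stop_codes = set(stop_codes)
        self.seen_any = False
        self.any_consec = 0
        self.any_total = 0
        self.single_consec = {}
        self.single_total = {}

    def record(self, host, failed, status=None):
        """failed=True means a socket error or a request timeout after the
        retry count was exhausted; status is the HTTP code when one arrived."""
        first = not self.seen_any
        self.seen_any = True
        if status is not None and status in self.stop_codes:
            return "response code %d received" % status
        if not failed:
            # Any success ends the "any host" run; this host's run ends too.
            self.any_consec = 0
            self.single_consec[host] = 0
            return None
        if first and self.stop_if_first_fails:
            return "first request failed"
        self.any_consec += 1
        self.any_total += 1
        self.single_consec[host] = self.single_consec.get(host, 0) + 1
        self.single_total[host] = self.single_total.get(host, 0) + 1
        counts = (("single_consecutive", self.single_consec[host]),
                  ("any_consecutive", self.any_consec),
                  ("single_total", self.single_total[host]),
                  ("any_total", self.any_total))
        for name, value in counts:
            limit = self.limits[name]
            if limit is not None and value > limit:
                return "%s (%d)" % (name, value)
        return None


def demo():
    """Constructed request sequence with a deliberately small single-host
    threshold so the stop decision is visible."""
    monitor = ConnectivityMonitor(single_consecutive=3, any_consecutive=5,
                                  stop_codes=parse_code_spec("500-504"))
    events = [("app.example", False, 200),
              ("app.example", True, None),
              ("app.example", True, None),
              ("api.example", False, 200),   # resets the any-host run only
              ("app.example", True, None),
              ("app.example", True, None)]   # fourth consecutive app.example failure
    return [monitor.record(*event) for event in events]
```

Note that a success from a different host resets only the "any host" run; the slow host's own consecutive count keeps growing, which is why a single struggling application server trips the "single host" threshold first. If the failures are timeouts rather than socket errors, raising the Request timeout (as the Note under Requestor Settings suggests) is the first setting to revisit.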
Scheduled Scan - Scan Settings: Session Storage
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Log Rejected Session to Database
You can specify which rejected sessions should be saved to the database. This saved information can be
used for two purposes.
l If you pause a scan, change any of the settings associated with the Reject Reasons in this panel, and
then resume the scan, Fortify WebInspect retrieves the saved data and sends HTTP requests that
previously were suppressed.
l HPE Security Fortify Support personnel can extract the generated (but not sent) HTTP requests for
analysis. Sessions may be rejected for the reasons cited in the following table:
Reject Reason - Explanation
Invalid Host - Any host that is not specified as an Allowed Host.
Excluded File Extension - Files having an extension that is excluded by settings specified in Default
(or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected File Extensions; also
Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected File
Extensions; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or
Rejected File Extensions.
Excluded URL - URLs or hosts that are excluded by settings specified in Default (or Current) Scan
Settings/Scan Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or
Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also
Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected URLs and
Hosts.
Outside Root URL - If the Restrict to Folder option is selected when starting a scan, any resource not
qualified by the available options (Directory Only, Directory and Subdirectories, or Directory and
Parent Directories).
Maximum Folder Depth Exceeded - HTTP requests were not sent because the value specified by the
Limit maximum crawl folder depth to option in Default (or Current) Scan Settings/Scan
Settings/General has been exceeded.
Maximum URL Hits - HTTP requests were not sent because the value specified by the Limit Maximum
Single URL hits to option in Default (or Current) Scan Settings/Scan Settings/General has been
exceeded.
404 Response Code - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the
option Determine File Not Found (FNF) using HTTP response codes is selected and the response
contains a code that matches the requirements.
Solicited File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found
group, the option Auto detect FNF page is selected and Fortify WebInspect determined that the
response constituted a "file not found" condition.
Custom File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group,
the option Determine FNF from custom supplied signature is selected and the response contains one
of the specified phrases.
Rejected Response - Files having a MIME type that is excluded by settings specified in Default (or
Current) Scan Settings/Scan Settings/Session Exclusions/Excluded MIME Types; also Default (or
Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded MIME Types; also Default (or
Current) Scan Settings/Audit Settings/Session Exclusions/Excluded MIME Types.
Session Storage
Fortify WebInspect normally saves only those attack sessions in which a vulnerability was discovered. To
save all attack sessions, select Save non-vulnerable attack sessions.
Scheduled Scan - Scan Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Note: The following settings apply to both the crawl and audit phases of a scan. To specify
exclusions for only the crawl or only the audit, use the Crawl Settings - Session Exclusions or the
Audit Settings - Session Exclusions panels.
Excluded or Rejected File Extensions
You can identify a file type and then specify whether you want to exclude or reject it.
l Reject - Fortify WebInspect will not request files of the type you specify.
l Exclude - Fortify WebInspect will request the files, but will not attack them (during an audit) and will
not examine them for links to other resources.
Excluded MIME Types
Fortify WebInspect will not process files associated with the MIME type you specify. For more
information, see "MIME Types" on page 191.
Excluded or Rejected URLs and Hosts
You can identify a URL or host (using a regular expression) and then specify whether you want to
exclude or reject it.
l Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
example, you should usually reject any URL that deals with logging off the site, since you don't want
to log out of the application before the scan is completed.
l Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to
other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified
host or URL. If you want to access the URL or host without processing the HTTP response, select the
Exclude option, but do not select Reject. For example, to check for broken links on URLs that you
don't want to process, select only the Exclude option.
You must use a regular expression to designate a host or URL.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following regular expression and select Reject.
Microsoft\.com
Note that the period (or dot) is preceded by a backslash. The backslash makes the period match a literal
period; without it, the dot is the regular-expression metacharacter that matches any single character
except a newline, so Microsoft.com would also match strings such as MicrosoftXcom.
Example 2
Enter a string such as logout. If that string is found in any portion of the URL, the URL will be excluded
or rejected (depending on which option you select). Using the logout example, Fortify WebInspect will
exclude or reject URLs such as logout.asp or applogout.jsp.
Example 3
If you enter /myApp/
then Fortify WebInspect will exclude or reject all resources in the myApp directory, such as:
http://www.test.me/myApp/filename.htm
If you enter /W3SVC[0-9]*/
then Fortify WebInspect will exclude or reject the following directories:
l http://www.test.me/W3SVC55/
l http://www.test.me/W3SVC5/
l http://www.test.me/W3SVC550/
Because [0-9]* also matches zero digits, this expression matches /W3SVC/ as well; use [0-9]+ if at least
one digit is required.
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
Scheduled Scan - Scan Settings: Allowed Hosts
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Allowable Hosts for Crawl and Audit
Use the Allowed Host settings to add domains that may be crawled and audited. If your Web presence
uses multiple domains, add those domains here. For example, if you were scanning "WIexample.com,"
you would need to add "WIexample2.com" and "WIexample3.com" here if those domains were part of
your Web presence and you wanted to include them in the crawl or audit.
You can also use this feature to scan any domain whose name contains the text you specify. For
example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed
host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it
will pursue that link and scan that site's server, repeating the process until all linked sites are scanned.
For this hypothetical example, Fortify WebInspect would scan the following domains:
l www.myco.com:80
l contact.myco.com:80
l www1.myco.com
l ethics.myco.com:80
l contact.myco.com:443
l wow.myco.com:80
l mycocorp.com:80
l www.interconnection.myco.com:80
Note: If you specify a port number, then the allowed host must be an exact match.
If you use a regular expression to specify a host, select Regex.
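The Allowed Hosts setting and the Excluded or Rejected URLs and Hosts setting (previous page) are both scope decisions, and the following Python script is added here (it is not WebInspect code) to show how the examples on those two pages behave when the patterns are applied with a substring-style regular-expression search. The allowed-host list, the default-port normalisation, and the rule that a reject beats an exclude when both match are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Exclusion rules taken from the page's examples: (regex, action).
# "reject": never send the request; "exclude": request it, but do not crawl or attack it.
EXCLUSION_RULES = [
    (r"Microsoft\.com", "reject"),
    (r"logout", "reject"),
    (r"/myApp/", "exclude"),
    (r"/W3SVC[0-9]*/", "exclude"),
]

# Constructed allowed-host list: (text, is_regex). A plain entry without a port
# matches any host containing the text; an entry with a port must match exactly.
ALLOWED_HOSTS = [
    ("myco", False),
    ("partner.example:8443", False),
    (r"^cdn[0-9]+\.example\.net$", True),
]


def host_port(url):
    """Lower-cased host:port for a URL, filling in 80/443 from the scheme.
    This normalisation is the example's assumption, not the product's rule."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return "%s:%d" % (parts.hostname.lower(), port)


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """Apply the allowed-host entries: regex entries are searched against the
    host and against host:port; plain entries with a port need an exact match."""
    hp = host_port(url)
    host = hp.split(":")[0]
    for text, is_regex in allowed:
        if is_regex:
            if re.search(text, hp) or re.search(text, host):
                return True
        elif ":" in text:
            if hp == text.lower():
                return True
        elif text.lower() in host:
            return True
    return False


def exclusion_action(url, rules=EXCLUSION_RULES, flags=0):
    """Each regex is searched anywhere in the URL (re.search, not a full match).
    Assumption: when a reject rule and an exclude rule both match, reject wins."""
    actions = {action for pattern, action in rules if re.search(pattern, url, flags)}
    if "reject" in actions:
        return "reject"
    if "exclude" in actions:
        return "exclude"
    return "allow"


def scan_decision(url):
    """Combine both settings: a URL must be on an allowed host and not rejected
    before it is requested; exclude means request-but-do-not-process."""
    if not host_allowed(url):
        return "reject (invalid host)"
    return exclusion_action(url)


def unescaped_dot_overmatches():
    """Returns (unescaped matches, escaped matches) for the string MicrosoftXcom,
    showing why the backslash before the dot matters."""
    return (re.search(r"Microsoft.com", "MicrosoftXcom") is not None,
            re.search(r"Microsoft\.com", "MicrosoftXcom") is not None)
```

Whether the product's matcher is case-sensitive is not stated on this page; the example is case-sensitive, so `Microsoft\.com` would not match `microsoft.com`. Pass `flags=re.IGNORECASE` to `exclusion_action`, or prefix the pattern with `(?i)`, if that is the behaviour you need, and test a logout rule against both spellings before relying on it to keep a scan logged in.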
Scheduled Scan - Scan Settings: HTTP Parsing
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
HTTP Parameters Used for State
If your application uses URL rewriting or post data techniques to maintain state within a Web site, you
must identify which parameters are used. For example, a PHP4 script can create a constant of the
session ID named SID, which is available inside a session. By appending this to the end of a URL, the
session ID becomes available to the next page. The actual URL might look something like the following:
.../page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
Because session IDs change with each connection, an HTTP request containing this URL would create
an error when you tried to replay it. However, if you identify the parameter (PHPSESSID in this
example), then Fortify WebInspect will replace its assigned value with the new session ID obtained from
the server each time the connection is made.
Similarly, some state management techniques use post data to pass information. For example, the
HTTP message content may include userid=slbhkelvbkl73dhj. In this case, "userid" is the parameter you
would identify.
Note: You need to identify parameters only when the application uses URL rewriting or posted
data to manage state. It is not necessary when using cookies.
Fortify WebInspect can identify potential parameters if they occur as posted data or if they exist within
the query string of a URL. However, if your application embeds session data in the URL as extended
path information, you must provide a regular expression to identify it. In the following example,
"1234567" is the session information:
http://www.onlinestore.com/bikes/(1234567)/index.html
The regular expression for identifying the parameter would be: /\([\w\d]+\)/
Determine State from URL Path
If your application determines state from certain components in the URL path, select this check box and
add one or more regular expressions that identify those components. Two default regular expressions
identify two ASP.NET cookieless session IDs. The third regular expression matches a jsessionid value
embedded in the URL path (the servlet-container equivalent of a cookieless session).
HTTP Parameters Used for Navigation
Some sites contain only one directly accessible resource, and then rely on query strings to deliver the
requested information, as in the following examples:
l http://www.anysite.com/Master.asp?Page=1
l http://www.anysite.com/Master.asp?Page=2
l http://www.anysite.com/Master.asp?Page=13;Subpage=4
Ordinarily, Fortify WebInspect would assume that these three requests refer to identical resources and
would scan only one of them. Therefore, if your target Web site employs this type of architecture, you
must identify the specific resource parameters that are used.
The first and second examples contain one resource parameter: "Page." The third example contains two
parameters: "Page" and "Subpage."
To identify resource parameters:
1. Click Add.
2. Enter the parameter name and click Update.
The string you entered appears in the Parameter list.
3. Repeat this procedure for additional parameters.
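As an added illustration (not product code), the following Python functions show the two decisions that the HTTP Parameters Used for State and HTTP Parameters Used for Navigation settings control: replacing stale state values before a recorded request is replayed, and deciding when two URLs that differ only in their query string are the same resource. The parameter names are the page's examples; accepting both "&" and ";" as query separators and the way the fresh values are supplied are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed settings for this example (taken from the page's examples): parameters
# that carry state, the regular expression for state embedded in the path, and
# the parameters that select a resource (navigation).
STATE_PARAMS = {"PHPSESSID", "userid"}
PATH_STATE_RE = re.compile(r"\([\w\d]+\)")
NAV_PARAMS = {"Page", "Subpage"}


def split_query(query):
    """Split a query string or form body into (name, value) pairs.
    Both '&' and ';' are accepted as separators (an assumption)."""
    pairs = []
    for part in re.split(r"[&;]", query):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def join_query(pairs):
    return "&".join("%s=%s" % (name, value) for name, value in pairs)


def refresh_state(url, fresh, body=None):
    """Replace the values of state parameters in the query string (and in
    posted form data, if given) with the values in `fresh`, which would come
    from the server's latest response. Everything else is left untouched."""
    def renew(pairs):
        return [(n, fresh.get(n, v) if n in STATE_PARAMS else v) for n, v in pairs]

    parts = urlsplit(url)
    new_url = urlunsplit(parts._replace(query=join_query(renew(split_query(parts.query)))))
    new_body = None if body is None else join_query(renew(split_query(body)))
    return new_url, new_body


def refresh_path_state(url, fresh_token):
    """State carried as extended path information, e.g. /bikes/(1234567)/index.html,
    located with the page's regular expression and replaced with a fresh token."""
    parts = urlsplit(url)
    new_path = PATH_STATE_RE.sub(lambda m: "(" + fresh_token + ")", parts.path, count=1)
    return urlunsplit(parts._replace(path=new_path))


def resource_key(url):
    """Identity used to decide whether two URLs name the same resource: scheme,
    host, path and the navigation parameters only. Other parameters, including
    state, are ignored, so Page=1 and Page=2 are different resources while two
    URLs that differ only in PHPSESSID are the same one."""
    parts = urlsplit(url)
    nav = tuple(sorted((n, v) for n, v in split_query(parts.query) if n in NAV_PARAMS))
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, nav)
```

The two settings pull in opposite directions: a state parameter is something whose value must be ignored for identity but refreshed for replay, while a navigation parameter is something whose value must be kept for identity. Listing a session parameter under navigation would make every session a "new" resource and inflate the crawl; listing a page selector under state would collapse distinct pages into one.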
Advanced HTTP Parsing
Most Web pages contain information that tells the browser what character set to use. This is
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV
attribute) in the HEAD section of the HTML document.
For pages that do not announce their character set, you can specify which language family (and implied
character set) Fortify WebInspect should use.
Scheduled Scan - Scan Settings: Filters
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Using Filters
Use the Filters settings to add search-and-replace rules for HTTP requests and responses. This feature
is used most often to avoid the disclosure of sensitive data such as credit card numbers, employee
names, or social security numbers. It is a means of disguising information that you do not want to be
viewed by persons who use Fortify WebInspect or those who have access to the raw data. If the text
you specify is found, Fortify WebInspect reports it on the Information tab as a "Hidden Reference
Found" vulnerability.
Filter HTTP Request Content
Use this area to specify search-and-replace rules for HTTP requests.
Filter HTTP Response Content
Use this area to specify search-and-replace rules for HTTP responses.
Adding a Regular Expression Rule
To add a regular expression rule for finding or replacing keywords in requests or responses:
1. In either the Request Content or the Response Content group, click Add.
2. From the Section list, select an area to search.
3. In the Find Condition field, type (or paste) the string you want to locate (or enter a regular
expression that describes the string). You can also click the list button to insert regular expression
elements.
4. Type (or paste) the replacement string in the Replace field.
5. For case-sensitive searches, select the Case-Sensitive check box.
6. Click Update.
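The following Python script is an added illustration (not part of the product) of what a set of Filter rules does to a raw HTTP message. The rule table, the sample request, and the Luhn check that keeps order numbers from being masked as card numbers are this example's choices; the page describes plain search-and-replace on the section you select.

```python
import re


def luhn_ok(digits):
    """Luhn check-digit test; used to avoid masking runs of digits that are
    not card numbers (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(match):
    """Replacement callback: keep only the last four digits of a plausible card number."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "[CARD-%s]" % digits[-4:]
    return raw


# Constructed rule table: (section, find condition, replacement, case-sensitive).
# Header rules keep the header name and replace only the value.
FILTER_RULES = [
    ("headers", r"^(Authorization:[ \t]*)[^\r\n]+", r"\1[REDACTED]", False),
    ("headers", r"(\bsession=)[^;\r\n]+", r"\1[REDACTED]", False),
    ("body", r"\b(?:\d[ -]?){12,18}\d\b", mask_card, True),
    ("body", r"\b\d{3}-\d{2}-\d{4}\b", "[SSN-REDACTED]", True),
]


def apply_filters(message, rules=FILTER_RULES):
    """Split a raw HTTP message at the blank line, run each rule against the
    section it names, and return the rewritten message."""
    head, sep, body = message.partition("\r\n\r\n")
    for section, pattern, repl, case_sensitive in rules:
        flags = re.MULTILINE | (0 if case_sensitive else re.IGNORECASE)
        if section == "headers":
            head = re.sub(pattern, repl, head, flags=flags)
        else:
            body = re.sub(pattern, repl, body, flags=flags)
    return head + sep + body


# Constructed sample request containing the kinds of data filters usually hide.
SAMPLE_REQUEST = (
    "POST /pay HTTP/1.1\r\nHost: shop.example\r\n"
    "Authorization: Bearer eyJabc.def\r\n"
    "Cookie: theme=dark; session=7f3a9c\r\n\r\n"
    "card=4111 1111 1111 1111&ssn=123-45-6789&order=1234567890123"
)
```

Filters rewrite what is stored and displayed, not what is sent, so they protect the scan data at rest and the people who read it; they do not stop the application from echoing the same values back. A rule that is too broad (for example a bare `\d{13,16}`) silently damages request and response bodies that later analysis depends on, which is why the example keeps the last four digits and checks the Luhn digit before masking.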
Scheduled Scan - Scan Settings: Cookies/Headers
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Standard Header Parameters
You can elect to include referer and/or host headers in requests sent by Fortify WebInspect.
l Include 'referer' in HTTP request headers - Select this check box to include referer headers in
HTTP requests. The Referer request-header field allows the client to specify, for the server's benefit,
the address (URI) of the resource from which the Request-URI was obtained.
l Include 'host' in HTTP request headers - Select this check box to include host headers with HTTP
requests. The Host request-header field specifies the Internet host and port number of the resource
being requested, as obtained from the original URI given by the user or referring resource (generally
an HTTP URL).
Append Custom Headers
Use this section to add, edit, or delete headers that will be included with each audit Fortify WebInspect
performs. For example, you could add a header such as "Alert: You are being attacked by Consultant
ABC" that would be included with every request sent to your company's server when Fortify
WebInspect is auditing that site. You can add multiple custom headers.
To add a custom header:
1. In the top box, enter the header using the format <name>: <value>.
2. Click Add.
The new header appears in the list of custom headers.
Append Custom Cookies
Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by
Fortify WebInspect to the server when conducting a scan.
To add a custom cookie:
1. In the top box, enter the cookie using the format <name>=<value>. For example, if you enter
CustomCookie=ScanEngine
then each HTTP-Request will contain the following header:
Cookie: CustomCookie=ScanEngine
2. Click Add.
The new cookie appears in the list of custom cookies.
Scheduled Scan - Scan Settings: Proxy
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Proxy Settings
Select one of the following options:
l Direct Connection (proxy disabled) - Select this option if you are not using a proxy server.
l Automatically detect proxy settings - If you select this option, Fortify WebInspect will use the
Web Proxy Autodiscovery Protocol (WPAD) to automatically locate a proxy autoconfig file and use
this to configure the browser's web proxy settings.
l Use Internet Explorer proxy settings - Select this option to use the proxy server settings
configured for the Internet Explorer browser on the machine that will conduct the scan.
l Use Firefox proxy settings - Select this option to use the proxy server settings configured for the
Firefox browser on the machine that will conduct the scan.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a
proxy server. If the Firefox browser connection settings are configured for “No proxy,” or if the
Internet Explorer setting “Use a proxy server for your LAN” is not selected, then a proxy server will
not be used.
l Configure a proxy using a PAC file URL - Select this option to load proxy settings from a Proxy
Automatic Configuration (PAC) file. Then specify the file location in the URL field.
l Explicitly configure proxy - Select this option to access the Internet through a proxy server, and
then enter the requested information. For proxy servers accepting https connections, select the
Specify Alternative Proxy for HTTPS check box and provide the requested information.
1. In the Server field, type the URL or IP address of your proxy server.
2. In the Port field, enter the port number (for example, 8080).
3. Select a protocol for handling TCP traffic through a proxy server: Standard, Socks4, or Socks5.
4. If your proxy server requires authentication, enter the qualifying user name and password.
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
Scheduled Scan - Scan Settings: Authentication
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Requires Network Authentication
Select this option if users must log on to your Web site or application. Then select an authentication
method and specify a user name and password.
Caution: Fortify WebInspect will crawl all servers granted access by this password (if the
sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your
administrative systems, do not use a user name and password that has administrative rights. If you
are unsure about your access rights, contact your System Administrator or internal security
professional, or contact HPE Security Fortify Support.
The authentication methods are:
Basic
A widely used, industry-standard method for collecting user name and password information. The Web
browser displays a dialog box for a user to enter a previously assigned user name and password and
then attempts to establish a connection to a server using the user's credentials. If the Web server verifies
that the user name and password correspond to a valid user account, a connection is established. Basic
authentication is not recommended unless you are confident that the connection between the user and
your Web server is secure.
NTLM
An authentication process that is used by all members of the Windows NT family of products. Like its
predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without
requiring that either a password or a hashed password be sent across the network. Use NTLM
authentication for servers running IIS. If NTLM authentication is enabled, and Fortify WebInspect has
to pass through a proxy server to submit its requests to the Web server, Fortify WebInspect may not be
able to crawl or audit that Web site. Use caution when configuring Fortify WebInspect for scans of sites
protected by NTLM. After scanning, you may want to disable the NTLM authentication settings to
prevent any potential problem.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a Key
Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS)
and a Ticket Granting Server (TGS). The client authenticates itself to AS, then demonstrates to the TGS
that it is authorized to receive a ticket for a service (and receives it). The client then demonstrates to a
Service Server that it has been approved to receive the service. This authentication method will be
successful only if the Web server has been configured to return a response header of
"WWW-Authenticate: Kerberos" instead of "WWW-Authenticate: Negotiate."
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) supplied with the operating system. With digest
authentication, the password is never sent across the network in the clear; the client sends an MD5 hash
computed from the password together with a server-supplied nonce and other request fields. The
password itself therefore cannot be read from captured traffic, although a captured digest can still be
attacked offline by guessing passwords.
Automatic
Allow Fortify WebInspect to determine the correct authentication type. Automatic detection slows the
scanning process. If you know and specify one of the other authentication methods, scanning
performance is noticeably improved.
Client Certificates
Client certificate authentication allows users to present client certificates rather than entering a user
name and password.
To use client certificates:
1. Select Use Client Certificate.
2. Click Browse to choose a certificate.
Scheduled Scan - Scan Settings: File Not Found
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Determine File Not Found (FNF) Using HTTP Response Codes
Select this option to rely on HTTP response codes to detect a file-not-found response from the server.
You can then identify the codes that fit the following two categories.
l Forced valid response codes (never an FNF): You can specify HTTP response codes that should
never be treated as a file-not-found response.
l Forced FNF response codes (always an FNF): Specify those HTTP response codes that will always
be treated as a file-not-found response. Fortify WebInspect will not process the response contents.
Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to
separate the first and last code in the list (for example, 400-404). You can specify multiple codes or
ranges by separating each entry with a semicolon.
Determine File Not Found from Custom Supplied Signature
Use this area to add information about any custom 404 page notifications that your company uses. If
your company has configured a different page to display when a 404 error occurs, add the information
here. False positives can result from 404 pages that are unique to your site.
You can specify a signature using plain text, a regular expression, or, using the SPI Regex option,
Regular Expression Extensions. For information about the Regular Expression Editor tool, see the HPE
Security Fortify WebInspect Tools Guide.
Auto-Detect File Not Found Page
Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not
exist. Instead, they may return a status "200 OK" but the response contains a message that the file
cannot be found. Select this check box if you want Fortify WebInspect to detect these "custom"
file-not-found pages.
Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources
that cannot possibly exist on the server. It then compares each response and measures the amount of
text that differs between the responses. For example, most messages of this type have the same
content (such as "Sorry, the page you requested was not found"), with the possible exception being the
name of the requested resource. If you select the Auto-Detect File Not Found Page check box, you
can specify what percentage of the response content must be the same. The default is 90 percent.
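The following Python script is added here to illustrate the detection described above; it is not the product's implementation. The page says only that the amount of differing text is measured and compared with a percentage, so the choice of difflib's similarity ratio, the probe names, and the sample pages are this example's assumptions.

```python
import difflib

# Constructed sample responses. FNF_TEMPLATE stands in for a site's custom
# "not found" page returned with status 200; only the requested name varies.
FNF_TEMPLATE = (
    "<html><head><title>Not found</title></head><body>"
    "<h1>Sorry, the page you requested was not found</h1>"
    "<p>The resource %s does not exist on this server.</p>"
    "<p>Return to the <a href='/'>home page</a>.</p></body></html>"
)
CATALOGUE_PAGE = (
    "<html><head><title>Bike catalogue</title></head><body>"
    "<h1>Mountain bikes</h1><ul><li>Trail 29er</li><li>Enduro</li></ul>"
    "</body></html>"
)


def similarity(a, b):
    """Share of text common to two response bodies, in the range 0..1.
    autojunk is disabled so frequent characters in HTML are not ignored."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def learn_fnf_page(probes, threshold=0.90):
    """probes: (status, body) pairs returned for resources that cannot exist.
    Returns None when plain 404 codes suffice or when the bodies are not
    similar enough to form one template; otherwise a reference body."""
    if all(status == 404 for status, _ in probes):
        return None
    bodies = [body for _, body in probes]
    for i in range(len(bodies)):
        for j in range(i + 1, len(bodies)):
            if similarity(bodies[i], bodies[j]) < threshold:
                return None
    return bodies[0]


def is_file_not_found(status, body, reference, threshold=0.90):
    """Classify a later response: a real 404, or a 200 whose body matches the
    learned custom page at or above the configured percentage (default 90)."""
    if status == 404:
        return True
    return reference is not None and similarity(body, reference) >= threshold


def demo():
    """Constructed run: three probes for impossible names, then two real responses."""
    probes = [(200, FNF_TEMPLATE % name)
              for name in ("/zz9pl7q.html", "/qx3mn8v.html", "/ab1cd2e.html")]
    reference = learn_fnf_page(probes)
    return (reference is not None,
            is_file_not_found(200, FNF_TEMPLATE % "/new9.html", reference),
            is_file_not_found(200, CATALOGUE_PAGE, reference))
```

The percentage is a trade-off: set it too low and thin pages that share a large template (header, navigation, footer) with the not-found page are discarded as not found, hiding real attack surface; set it too high and a not-found page that echoes the requested path, or varies by locale or timestamp, is treated as a live resource and generates false positives.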
Scheduled Scan - Scan Settings: Policy
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Scan Policy
Select a policy. A policy is a collection of audit engines and attack agents that Fortify WebInspect uses
when auditing or crawling your Web application. Each component has a specific task, such as testing for
cross-site scripting susceptibility, building the site tree, probing for known server vulnerabilities, etc. For
policy descriptions, see "Policies List" on page 126.
Scheduled Scan - Crawl Settings: Link Parsing
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Link Parsing
Fortify WebInspect follows all hyperlinks defined by HTML (using the <a href> tag) and those defined
by scripts (JavaScript and VBScript). However, you may encounter other communications protocols that
use a different syntax for specifying links. To accommodate this possibility, you can use the Custom
Links feature to identify (using regular expressions) links that you want Fortify WebInspect to follow.
To add a specialized link identifier:
1. Click Add.
2. In the Custom Links field, enter a regular expression designed to identify the link.
3. (Optional) Enter a description of the link in the Comments field.
4. Click Update.
Scheduled Scan - Crawl Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Note: All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in
gray (not black) text. If you do not want these objects to be excluded from the crawl, you must
remove them from the Scan Settings - Session Exclusions panel. This panel (Crawl Settings -
Session Exclusions) allows you to specify additional objects to be excluded from the crawl.
HPE Security Fortify WebInspect Enterprise (16.20)
Page 229 of 362
User Guide
Chapter 4: WebInspect Enterprise Web Console
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
Follow the steps below to add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited. For more information, see "MIME
Types" on page 191.
Follow the steps below to add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the site, since you
don't want to log out of the application before the scan is completed. To check for broken links to URLs
that you don't want to process, select only the Exclude option.
Follow the steps below to add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host
l Exclude - Send request, but do not process response
5. Click Update.
Scheduled Scan - Audit Settings: Session Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the Session
Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray (not black)
text. If you do not want these objects to be excluded from the audit, you must remove them from the
Scan Settings - Session Exclusions panel. This panel (Audit Settings - Session Exclusions) allows you to
specify additional objects to be excluded from the audit.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
To add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited. For more information, see "MIME
Types" on page 191.
To add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the site, since you
don't want to log out of the application before the scan is completed. To check for broken links to URLs
that you don't want to process, select only the Exclude option.
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
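The Crawl Settings and Audit Settings session exclusion panels above share the same Reject/Exclude semantics (Reject: never request; Exclude: request, but do not process or audit the response). The following added example, which is not WebInspect's own code, models those decisions in Python over constructed rules and URLs; the evaluation order (extensions, then MIME types, then URL/host rules) and the rule that Reject wins over Exclude are assumptions.

```python
"""Model of the Reject/Exclude session-exclusion decisions described above.

Added example, not WebInspect's own code: it assumes the rule semantics the
guide states (Reject = never request; Exclude = request but do not process
or audit the response) and constructs its own sample rules and URLs.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ExclusionRules:
    # file extension (lower case, no dot) -> (reject, exclude)
    extensions: dict = field(default_factory=dict)
    # MIME types that are requested but never audited
    mime_types: set = field(default_factory=set)
    # (kind, pattern, reject, exclude) where kind is "host" or "url"
    url_rules: list = field(default_factory=list)


@dataclass
class Decision:
    request: bool          # send the HTTP request at all?
    process: bool          # parse/audit the response if one is received?
    reason: Optional[str]  # which rule fired (None = no rule matched)


def _extension(url: str) -> str:
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def decide(url: str, rules: ExclusionRules, mime_type: str = "") -> Decision:
    """Apply rules in the order the guide lists them: extensions, MIME types,
    then URL/host rules (assumed order). Reject wins over Exclude because a
    rejected resource is never requested, so there is no response to exclude."""
    request, process, reason = True, True, None

    ext = _extension(url)
    if ext in rules.extensions:
        rej, exc = rules.extensions[ext]
        if rej:
            return Decision(False, False, f"extension .{ext} rejected")
        if exc:
            request, process, reason = True, False, f"extension .{ext} excluded"

    if mime_type and mime_type.lower() in rules.mime_types:
        request, process, reason = True, False, f"MIME {mime_type} excluded"

    host = urlsplit(url).hostname or ""
    for kind, pattern, rej, exc in rules.url_rules:
        subject = host if kind == "host" else url
        if re.search(pattern, subject):
            if rej:
                return Decision(False, False, f"{kind} rule {pattern!r} rejected")
            if exc:
                request, process, reason = True, False, f"{kind} rule {pattern!r} excluded"
    return Decision(request, process, reason)


# Constructed sample configuration following the guide's advice: reject the
# logout URL so the scan never ends its own session, exclude (but still
# request) images so broken image links are still detected, and keep a CDN
# host out of the scan entirely.
SAMPLE_RULES = ExclusionRules(
    extensions={"jpg": (False, True), "bak": (True, False)},
    mime_types={"application/pdf"},
    url_rules=[
        ("url", r"/logout(\.aspx)?(\?|$)", True, False),
        ("host", r"^cdn\.example\.test$", True, False),
        ("url", r"/help/", False, True),
    ],
)


def plan(urls, rules=SAMPLE_RULES):
    """Return {url: (request, process)} for a batch of discovered links."""
    return {u: (d.request, d.process) for u in urls for d in [decide(u, rules)]}


if __name__ == "__main__":
    for u, (req, proc) in plan([
        "http://app.example.test/account/logout.aspx?x=1",
        "http://app.example.test/images/logo.jpg",
        "http://cdn.example.test/lib.js",
        "http://app.example.test/help/faq.aspx",
        "http://app.example.test/orders/list.aspx",
    ]).items():
        print(f"{u:50} request={req} process={proc}")
```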
Scheduled Scan - Audit Settings: Attack Exclusions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to
attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA
parameters.
To prevent certain parameters from being modified:
1. In the Excluded Parameters group, click Add.
2. In the Parameter field, enter the name of the parameter you want to exclude.
3. Choose the area in which the parameter may be found: HTTP query data or HTTP POST data. You
can select both areas, if necessary.
4. Click Update.
Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack
the Web site. This feature is used to avoid corrupting cookie values. This setting requires you to enter
the name of a cookie.
In the following example HTTP response, the name of the cookie is "FirstCookie."
Set-Cookie: FirstCookie=Chocolate+Chip; path=/
To exclude certain cookies:
1. In the Excluded Cookies group, click Add.
2. In the Parameter field, type a cookie name or enter a regular expression that you believe will
match the cookies you want to exclude.
3. Click Update.
Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to
attack the Web site. This feature is used to avoid corrupting header values.
To prevent certain headers from being modified, create a regular expression using the procedure
described below.
1. In the Excluded Headers group, click Add.
2. In the Parameter field, type a header name or enter a regular expression that you believe will
match the headers you want to exclude.
3. Click Update.
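The three Attack Exclusions groups above (parameters, cookies, headers) all decide which parts of a request the scanner may vary. The following added example, not WebInspect's own code, enumerates the input points of a constructed HTTP request and removes the excluded ones; exact-name matching for parameters and whole-name regular expression matching for cookies and headers are assumptions about how the fields are interpreted.

```python
"""Selecting which request inputs a scan may modify, per the Attack
Exclusions above. Added example, not WebInspect's own code: the request,
the exclusion lists and the input-point representation are constructed here."""
import re
from urllib.parse import parse_qsl, urlsplit


def cookie_name(set_cookie_value: str) -> str:
    """Name from a Set-Cookie value, e.g. 'FirstCookie=Chocolate+Chip; path=/'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers, body


def _header(headers, wanted):
    return next((v for k, v in headers.items() if k.lower() == wanted), "")


def input_points(raw_request: str):
    """Every location a scanner could vary: query and POST parameters,
    cookies and headers. Returns (area, name, value) triples."""
    method, target, headers, body = parse_request(raw_request)
    points = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append(("query", name, value))
    if method == "POST" and _header(headers, "content-type").startswith(
            "application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            points.append(("post", name, value))
    for part in _header(headers, "cookie").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            points.append(("cookie", name, value))
    for name, value in headers.items():
        if name.lower() != "cookie":
            points.append(("header", name, value))
    return points


def apply_exclusions(points, excluded_params, excluded_cookies, excluded_headers):
    """excluded_params: {name: set of areas ('query'/'post')}, exact names as
    typed in the Parameter field; cookies and headers are regular expressions
    matched against the whole name (assumed; header names case-insensitive)."""
    kept = []
    for area, name, value in points:
        if area in ("query", "post") and area in excluded_params.get(name, set()):
            continue
        if area == "cookie" and any(re.fullmatch(p, name) for p in excluded_cookies):
            continue
        if area == "header" and any(re.fullmatch(p, name, re.I) for p in excluded_headers):
            continue
        kept.append((area, name, value))
    return kept


# Constructed request: a cart update carrying a session cookie and a CSRF token.
SAMPLE_REQUEST = (
    "POST /cart/update.aspx?cartId=42&view=full HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: FirstCookie=Chocolate+Chip; ASP.NET_SessionId=abc123\r\n"
    "X-Csrf-Token: tok-777\r\n"
    "\r\n"
    "qty=2&sku=A-100&csrf=tok-777"
)

# Constructed exclusions: never vary the cart id in the query, the CSRF field
# in POST data, the session cookie, or the Host and CSRF headers, so the scan
# does not corrupt the session it is running in.
EXCLUDED_PARAMS = {"cartId": {"query"}, "csrf": {"post"}}
EXCLUDED_COOKIES = [r"ASP\.NET_SessionId"]
EXCLUDED_HEADERS = [r"Host", r"X-Csrf-.*"]


def modifiable_inputs(raw_request=SAMPLE_REQUEST):
    return apply_exclusions(input_points(raw_request), EXCLUDED_PARAMS,
                            EXCLUDED_COOKIES, EXCLUDED_HEADERS)


if __name__ == "__main__":
    for area, name, value in modifiable_inputs():
        print(f"{area:7} {name} = {value}")
```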
Audit Inputs Editor
Using the Audit Inputs Editor, you can create additional parameters for audit engines and checks that
require inputs.
To load inputs that you previously created using the editor, click the Browse button next to the Import
Audit Inputs button.
Scheduled Scan - Audit Settings: Attack Expressions
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Additional Regular Expression Languages
You may select one of the following language code-country code combinations (as used by the
CultureInfo class in the .NET Framework Class Library):
l ja-jp: Japanese - Japan
l ko-Kr: Korean - Korea
l zh-cn: Chinese - China
l zh-tw: Chinese - Taiwan
l es-mx: Spanish - Mexico
The CultureInfo class holds culture-specific information, such as the associated language, sublanguage,
country/region, calendar, and cultural conventions. This class also provides access to culture-specific
instances of DateTimeFormatInfo, NumberFormatInfo, CompareInfo, and TextInfo. These objects
contain the information required for culture-specific operations, such as casing, formatting dates and
numbers, and comparing strings.
Scheduled Scan - Audit Settings: Vulnerability Filters
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Select Vulnerability Filters to Enable
By applying certain filters, you can limit the display of certain vulnerabilities reported during a scan. The
options are:
l Standard Vulnerability Definition - This filter sorts parameter names for determining equivalency
between similar requests. For example, if a SQL injection vulnerability is found in parameter "a" in
both http://x.y?a=x;b=y and http://x.y?b=y;a=x, it would be considered equivalent.
l Parameter Vulnerability Roll-Up - This filter consolidates multiple parameter manipulation and
parameter injection vulnerabilities discovered during a single session into one vulnerability.
l 403 Blocker - This filter revokes vulnerabilities when the status code of the vulnerable session is 403
(Forbidden).
l Response Inspection Dom Event Parent-Child - This filter disregards a keyword search
vulnerability found in JavaScript if the same vulnerability has already been detected in the parent
session.
To add a filter to your default settings, select a filter in the Available area and click >. The filter is
removed from the Available list and added to the Selected list.
To disable a filter, select a filter in the Selected list and click <. The filter is removed from the Selected
list and added to the Available list.
To add all available filters, click >>.
To remove all selected filters, click <<.
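To make the four filter descriptions above concrete, here is an added example (not WebInspect's own logic) that applies each filter to a constructed list of findings in Python. The Finding record, the equivalence key (same check, path, attacked parameter and sorted set of parameter names) and the sample check names are assumptions built from the guide's descriptions.

```python
"""Toy implementation of the four vulnerability filters listed above.
Added example, not WebInspect's own logic: the Finding record, the
equivalence rule and the sample findings are constructed from the guide."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Finding:
    check: str                        # e.g. "SQL Injection", "Keyword Search"
    url: str                          # full request URL including query
    session: int                      # session that produced the finding
    status: int                       # HTTP status of the vulnerable response
    parent: Optional[int] = None      # parent session (DOM-event child sessions)
    in_javascript: bool = False       # keyword hit located in JavaScript
    parameter: Optional[str] = None   # attacked parameter, for parameter checks
    kind: str = "other"               # "param_manipulation", "param_injection", "other"


def standard_definition_key(f: Finding):
    """Same check, path, attacked parameter and *set* of parameter names
    => equivalent, so ?a=x;b=y and ?b=y;a=x collapse (the guide's example)."""
    parts = urlsplit(f.url)
    query = parts.query.replace(";", "&")   # ';' separators as in the guide's URLs
    names = tuple(sorted(n for n, _ in parse_qsl(query, keep_blank_values=True)))
    return (f.check, parts.scheme, parts.netloc, parts.path, names, f.parameter)


def standard_vulnerability_definition(findings):
    seen, out = set(), []
    for f in findings:
        key = standard_definition_key(f)
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def parameter_rollup(findings):
    """Keep one parameter manipulation/injection finding per session."""
    rolled, out = set(), []
    for f in findings:
        if f.kind in ("param_manipulation", "param_injection"):
            if f.session in rolled:
                continue
            rolled.add(f.session)
        out.append(f)
    return out


def blocker_403(findings):
    return [f for f in findings if f.status != 403]


def dom_event_parent_child(findings):
    """Drop a keyword-search hit in JavaScript when the parent session
    already reported the same check."""
    reported = {(f.session, f.check) for f in findings}
    return [f for f in findings
            if not (f.check == "Keyword Search" and f.in_javascript
                    and f.parent is not None and (f.parent, f.check) in reported)]


FILTERS = {
    "Standard Vulnerability Definition": standard_vulnerability_definition,
    "Parameter Vulnerability Roll-Up": parameter_rollup,
    "403 Blocker": blocker_403,
    "Response Inspection Dom Event Parent-Child": dom_event_parent_child,
}


def apply_filters(findings, selected):
    """Apply the filters whose names are in `selected`, in FILTERS order."""
    for name, fn in FILTERS.items():
        if name in selected:
            findings = fn(findings)
    return list(findings)


# Constructed sample findings (check names are illustrative only).
SAMPLE = [
    Finding("SQL Injection", "http://x.y?a=x;b=y", 1, 200, parameter="a", kind="param_injection"),
    Finding("SQL Injection", "http://x.y?b=y;a=x", 2, 200, parameter="a", kind="param_injection"),
    Finding("Parameter Manipulation", "http://x.y/form?q=1", 3, 200, parameter="q", kind="param_manipulation"),
    Finding("Parameter Manipulation", "http://x.y/form?q=1", 3, 200, parameter="r", kind="param_manipulation"),
    Finding("Directory Listing", "http://x.y/admin/", 4, 403),
    Finding("Keyword Search", "http://x.y/page", 5, 200),
    Finding("Keyword Search", "http://x.y/page", 6, 200, parent=5, in_javascript=True),
]

if __name__ == "__main__":
    for f in apply_filters(SAMPLE, set(FILTERS)):
        print(f.session, f.check, f.url)
```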
Scheduled Scan - Audit Settings: Smart Scan
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Smart Scan
Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and
checks for known vulnerabilities against that specific server type. For example, if you are scanning a site
hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is
susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.
If you select Enable Smart Scan, you can choose one or both of the identification methods described
below.
l Use regular expressions on HTTP responses - This method searches the server response for
strings that match predefined regular expressions designed to identify specific servers.
l Use server analyzer fingerprinting and request sampling - This advanced method sends a series
of HTTP requests and then analyzes the responses to determine the server type.
Custom Server/Application Type Definitions (more accurate detection)
If you know the server type for a target domain, you can select it using the Custom server/application
type definitions (more accurate detection) section. This identification method overrides any other
selected method for the server you specify.
1. Click Add.
2. In the Host field, enter the domain name or host, or the server's IP address.
3. Select one or more entries from the Server/Application list.
4. Click OK.
Scheduled Scan - Scan Behavior: Blackout Action
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Blackout Action
A blackout period is a block of time during which scans are not permitted.
If a blackout period begins while a scan is running, you may either stop the scan or suspend it. The
sensor will resume a suspended scan when the blackout period ends.
Scheduled Scan - Export: General
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Export Scan Results
Select this option to export the scan results. Then provide the requested information.
l Export Path - Select a destination for the exported scan. Export paths are designated using the
Fortify WebInspect Enterprise console. Contact your Fortify WebInspect Enterprise administrator if
no paths are available.
l Export Format - Select how you want the exported file to be formatted. Your choices are
WebInspect Scan File (.scan) or Extensible Markup Language (.xml).
l Automatically generate file name - If you select this option, the name of the file will be formatted
as <scan name> <date/time>.[xml or scan]. For example, if the scan name is "mysite" and the scan is
generated at 6:30 on April 5, the file name would be "mysite 04_05_2007 06_30.scan [or .xml]." This
is useful for recurring scans.
If you want to specify a name, clear the Automatically generate file name check box and then type
the name in the File Name field.
Scan Template Settings
The following pages describe the scan template settings, including crawl and audit settings.
Scan Template - Scan: General
When you click the Add button to add a scan template, the Configure Scan Template page opens with
the SCAN: General category selected and its form displayed. When you click the template name to view
or edit an existing scan template, the fields described below have already been specified (except where
noted).
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Because the global scan template can be associated with any project version, you do not have to specify
the URL if you choose a Standard Scan in the Scan URL section of the form. You can subsequently
select this global template as the scan template for any Web Site Scan.
Automatically Update Related Scheduled Scans
This option is available only while editing an existing scan template. Select the Update Scheduled
Scans check box to propagate the revised template to all scheduled scans that use the template. The
revised settings are propagated to the scheduled scans upon saving the template.
If you do not select the check box, the changes are saved only in the template.
Scan Template Created From
This is a read-only field indicating the source of the settings. If you started to create the template by
clicking Add, you are using default settings. If you started to create the template by clicking Import, you
are using settings optimized for the Import submenu option you selected—Oracle Settings or
Websphere Settings.
Scan Template Name
Enter a name for this template.
Scan URL
Select one of the following scan types.
Standard Scan
Fortify WebInspect performs an automated analysis, starting from the target URL. This is the normal
way to start a scan.
1. In the URL field, type or select the complete URL or IP address of the site you want to examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, you will not
scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the
Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect supports both Internet Protocol version 4 (IPV4) and Internet Protocol version
6 (IPV6). IPV6 addresses must be enclosed in brackets.
2. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from the
drop-down list. The choices are:
l Directory only (self) - Fortify WebInspect will crawl and/or audit only the URL you specify. For
example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify
WebInspect will assess only the "two" directory.
l Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at the
URL you specify, but will not access any directory that is higher in the directory tree.
l Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing at
the URL you specify, but will not access any directory that is lower in the directory tree.
List-Driven Scan
Perform a scan using a list of URLs to be scanned. Each URL must be fully qualified and must include
the protocol (for example, http:// or https://). You can use a text file, formatted as comma-separated list
or one URL per line, or the XML file generated by the FilesToURLs utility.
Click Browse to select a text file or XML file containing the list of URLs you want to scan.
Click View to view the contents of the selected file.
Workflow-Driven Scan
Fortify WebInspect audits only those URLs included in the macro that you previously recorded and
does not follow any hyperlinks encountered during the audit. A logout signature is not required. This
type of macro is used most often to focus on a particular subsection of the application. If you select
multiple macros, they will all be included in the same scan.
Click Browse and select a macro containing the URLs you want to scan.
Web Service Scan
When performing a Web Service scan, Fortify WebInspect crawls the WSDL site and submits a value for
each parameter in each operation it discovers. These values are extracted from a file that you must
create using the Web Service Test Designer. It then audits the site by attacking each parameter in an
attempt to detect vulnerabilities such as SQL injection.
Click Browse to select a Web Service Test Design (WSD) file that was previously created using the Web
Service Test Designer.
Scan Template - Scan Settings: Method
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Scan Mode
Select one of the following modes:
l Crawl Only - This option completely maps a site's tree structure. After a crawl has been completed,
you can click Audit to assess an application’s vulnerabilities.
l Crawl and Audit - As Fortify WebInspect maps the site's hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed. This is described in the Crawl and Audit Mode section as the option to crawl and
audit Simultaneously.
l Audit Only - Fortify WebInspect applies the methodologies of the selected policy to determine
vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
Crawl and Audit Mode
If the selected scan mode is Crawl and Audit, choose one of the following:
l Simultaneously - As Fortify WebInspect maps the site’s hierarchical data structure, it audits each
resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit).
This option is most useful for extremely large sites where the content could change before the crawl
can be completed.
l Sequentially - In this mode, Fortify WebInspect crawls the entire site, mapping the site’s hierarchical
data structure, and then conducts a sequential audit, beginning at the site’s root. If you select this
option, you can specify the order in which the crawl and audit should be conducted.
l Test each engine type per session (engine driven): Fortify WebInspect audits all sessions using
the first audit engine, then audits all sessions using the second audit engine, continuing in
sequence until all engine types have been deployed.
l Test each session per engine type (session driven): Fortify WebInspect runs all audit engines
against the first session, then runs all audit engines against the second session, continuing in
sequence until all sessions are audited.
Scan Behavior
You can select any of the following optional behaviors:
l Use a login macro for forms authentication - This type of macro is used primarily for Web form
authentication. It incorporates logic that will prevent Fortify WebInspect from terminating
prematurely if it inadvertently logs out of your application. The drop-down list contains the names of
all macros that have been uploaded to Fortify WebInspect Enterprise. Macros that are available in the
repository for the selected Project and Project Version are listed with “(Repository)” prepended to
the macro name. You can select one of these, or you can click Browse to locate a macro and upload it.
See "Working with the Macro Repository" on page 139 for more information.
If you specified login parameters when recording the macro, Fortify WebInspect will substitute these
credentials for those used in the macro when it scans a page containing the input control associated
with this entry.
l Use a startup macro - This type of macro is used most often to focus on a particular subsection of
the application. It specifies URLs that Fortify WebInspect will use to navigate to that area. It may also
include login information, but does not contain logic that will prevent Fortify WebInspect from
logging out of your application. Fortify WebInspect visits all URLs in the macro, collecting hyperlinks
and mapping the data hierarchy. It then calls the Start URL and begins a normal crawl (and,
optionally, audit). The drop-down list contains the names of all macros that have been uploaded to
Fortify WebInspect Enterprise. You can select one of these, or you can click Browse to locate a macro
and upload it.
Important! Do not use a login macro and a startup macro with the same name. The scan may
yield undesirable results.
l Auto-fill Web forms during crawl - If you select this option, Fortify WebInspect submits values for
input controls found on all HTML forms it encounters while scanning the target site. Fortify
WebInspect will extract the values from a prepackaged default file or from a file that you create using
the Web Form Editor. Use the Browse button to specify the file containing the values you want to
use. Alternatively, you can select Edit (to modify the currently selected file) or Create (to record new
Web form values).
Scan Template - Scan Settings: General
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Scan Details
You may choose the following options:
l Enable Path Truncation - Path truncation attacks are requests for known directories without file
names. This may cause directory listings to be displayed. Fortify WebInspect truncates paths, looking
for directory listings or unusual errors within each truncation. Example: If a link consists of
http://www.site.com/folder1/folder2/file.asp, then truncating the path to look for
http://www.site.com/folder1/folder2/ and http://www.site.com/folder1/ will cause the server to reveal
directory contents or will cause unhandled exceptions.
l Attach debug information in request header - If you select this option, Fortify WebInspect
includes a "Memo:" header in the request containing information that can be used by support
personnel to diagnose problems.
l Case-sensitive request and response handling - Select this option if the server at the target site is
case-sensitive to URLs.
l Compress response data - If you select this option, Fortify WebInspect saves disk space by storing
each HTTP response in a compressed format in the database.
l Maximum crawl-audit recursion depth - When an attack reveals a vulnerability, Fortify WebInspect
crawls that session and follows any link that may be revealed. If that crawl and audit reveals a link to
yet another resource, the depth level is incremented and the discovered resource is crawled and
audited. This process can be repeated until no other links are found. However, to avoid the possibility
of entering an endless loop, you may limit the number of recursions. The maximum value is 1,000.
Crawl Details
You may choose the following options:
l Crawler - Select either Depth First or Breadth First.
Depth-first crawling accommodates sites that enforce order-dependent navigation (where the
browser must visit page A before it can visit page B). This type of search progresses by expanding
the first child node (link) and crawling deeper and deeper until it reaches a node that has no children.
The search then backtracks, returning to the most recent node it hasn't finished exploring and drilling
down from there. The following illustration depicts the order in which linked pages are accessed
using a depth-first crawl. Node 1 has links to nodes 2, 7, and 8. Node 2 has links to nodes 3 and 6.
By contrast, breadth-first crawling begins at the root node and explores all the neighboring nodes
(one level down). Then for each of those nearest nodes, it explores their unexplored neighbor nodes,
and so on, until all resources are identified. The following illustration depicts the order in which linked
pages are accessed using a breadth-first crawl. Node 1 has links to nodes 2, 3, and 4. Node 2 has links
to nodes 5 and 6.
When performing a depth-first crawl, Fortify WebInspect pursues links in a fashion that more closely
represents human interaction. While slower than breadth-first crawling, the depth-first method
accommodates applications that enforce ordering of requests (such as requiring the user to visit a
“shopping cart” page before accessing the “check-out” page).
l Enable keyword search audit - A keyword search, as its name implies, uses an attack engine that
examines server responses and searches for certain text strings that typically indicate a vulnerability.
Normally, this engine is not used during a crawl-only scan, but you can enable it by selecting this
option.
l Perform redundant page detection - Highly dynamic sites could create an infinite number of
resources (pages) that are virtually identical. If allowed to pursue each resource, Fortify WebInspect
would never be able to finish the scan. This option, however, allows Fortify WebInspect to identify
and exclude processing of redundant resources.
l Limit maximum single URL hits to - Use this field to limit the number of times a single link will be
followed during a crawl. Sometimes, the configuration of a site will cause a crawl to loop endlessly
through the same URL.
l Include parameters in hit count - If you select Limit maximum single URL hits to (above), a
counter is incremented each time the same URL is encountered. However, if you also select Include
parameters in hit count, then when parameters are appended to the URL specified in the HTTP
request, the crawler will crawl that resource up to the single URL limit. Any differing set of parameters
is treated as unique and has a separate count.
For example, if this option is selected, then "page.aspx?a=1" and "page.aspx?b=1" will both be
counted as unique resources (meaning that the crawler has found two pages). If this option is not
selected, then "page.aspx?a=1" and "page.aspx?b=1" will be treated as the same resource (meaning
that the crawler has found the same page twice).
l Limit maximum link traversal sequence to - This option restricts the number of hyperlinks that
can be sequentially accessed as Fortify WebInspect crawls the site. For example, if five resources are
linked as follows:
l Page A contains a hyperlink to Page B
l Page B contains a hyperlink to Page C
l Page C contains a hyperlink to Page D
l Page D contains a hyperlink to Page E
and if this option is set to "3," then Page E will not be crawled.
The default value is 15.
l Limit maximum crawl folder depth to - The Crawl Depth value determines how deeply Fortify
WebInspect traverses the hierarchical levels of your Web site. If set to 1, Fortify WebInspect drills
down one level; if set to 2, Fortify WebInspect drills down two levels; and so on. The maximum value
is 1000.
l Limit maximum crawl count to - This feature restricts the number of HTTP requests sent by the
crawler and should be used only if you experience problems completing a scan of a large site.
Note: The limit set here does not directly correlate to the Crawled progress bar that is displayed
during a scan. The maximum crawl count set here applies to links found by the Crawler during a crawl
of the application. The Crawled progress bar includes all sessions (requests and responses) that are
parsed for links during a crawl and audit, not just the links found by the Crawler during a crawl.
l Limit maximum Web form submissions to - Normally, when Fortify WebInspect encounters a
form that contains controls having multiple options (such as a list box), it extracts the first option
value from the list and submits the form; it then extracts the second option value and resubmits the
form, repeating this process until all option values in the list have been submitted. This ensures that
all possible links will be followed. There are occasions, however, when submitting the complete list of
values would be counterproductive. For example, if a list box named "State" contains one value for
each of the 50 states in the United States, there is probably no need to submit 50 instances of the
form. Use this setting to limit the total number of submissions that Fortify WebInspect will perform.
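The crawl limits described above, as an added Python example (not WebInspect code): it crawls a constructed in-memory link graph (the Page A to Page E chain from the text, plus parameterised and nested links) and applies the link traversal sequence, crawl folder depth and single URL hit limits. The folder-depth convention (files directly under the site root are at depth 0) and the way a parameter set is folded into a resource's identity are assumptions of this example.

```python
"""Simulation of three crawl limits (added example, not WebInspect code)."""
from collections import deque
from urllib.parse import urlsplit, parse_qsl

# Constructed sample site: A -> B -> C -> D -> E as in the text, plus two
# parameterised links (one repeated) and one link three folders deep.
SITE = {
    "http://www.test.me/A.htm": [
        "http://www.test.me/B.htm",
        "http://www.test.me/page.aspx?a=1",
        "http://www.test.me/page.aspx?b=1",
        "http://www.test.me/page.aspx?a=1",
        "http://www.test.me/d1/d2/d3/deep.htm",
    ],
    "http://www.test.me/B.htm": ["http://www.test.me/C.htm"],
    "http://www.test.me/C.htm": ["http://www.test.me/D.htm"],
    "http://www.test.me/D.htm": ["http://www.test.me/E.htm"],
    "http://www.test.me/E.htm": [],
    "http://www.test.me/page.aspx?a=1": [],
    "http://www.test.me/page.aspx?b=1": [],
    "http://www.test.me/d1/d2/d3/deep.htm": [],
}


def folder_depth(url):
    """Folder levels below the site root; the file name itself is not a level (assumed convention)."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return max(len(segments) - 1, 0)


def resource_key(url, params_are_unique):
    """Identity used by the single-URL-hit counter.

    With params_are_unique the sorted parameter set is part of the identity,
    so page.aspx?a=1 and page.aspx?b=1 count as two resources; otherwise only
    scheme, host and path count and they are the same resource.
    """
    parts = urlsplit(url)
    base = (parts.scheme, parts.netloc, parts.path)
    if params_are_unique:
        return base + (tuple(sorted(parse_qsl(parts.query, keep_blank_values=True))),)
    return base


def crawl(start, max_link_sequence, max_folder_depth, max_url_hits, params_are_unique=True):
    """Breadth-first crawl of SITE; returns the URLs actually requested, in order."""
    hits = {}
    requested = []
    queue = deque([(start, 0)])  # (url, hyperlinks followed to reach it)
    while queue:
        url, hops = queue.popleft()
        if hops > max_link_sequence:
            continue  # Limit maximum link traversal sequence to
        if folder_depth(url) > max_folder_depth:
            continue  # Limit maximum crawl folder depth to
        key = resource_key(url, params_are_unique)
        if hits.get(key, 0) >= max_url_hits:
            continue  # Limit maximum single URL hits to
        hits[key] = hits.get(key, 0) + 1
        requested.append(url)
        for link in SITE.get(url, []):
            queue.append((link, hops + 1))
    return requested


if __name__ == "__main__":
    # With a traversal limit of 3, Page E (four hyperlinks away) is not crawled.
    for u in crawl("http://www.test.me/A.htm", 3, 2, 1):
        print(u)
```

Running the module prints the crawl with limits 3 (link sequence), 2 (folder depth) and 1 (single URL hits): Page E and the deep folder are skipped, the repeated `page.aspx?a=1` link is requested only once, and `page.aspx?b=1` is requested because parameter sets are treated as unique.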
Audit Details
If you select a depth-first crawl, you can also elect to retrace the crawl path for each parameter attack, as
opposed to applying all attacks as the crawl progresses. This considerably increases the time required to
conduct a scan.
Scan Template - Scan Settings: Content Analyzers
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Content Analyzers
JavaScript/VBScript - The JavaScript/VBScript analyzer is always enabled. It allows Fortify
WebInspect to crawl links defined by JavaScript or VisualBasic script, and to create and audit any
documents rendered by JavaScript. There are settings associated with the JavaScript/VBScript content
analyzer. Click the analyzer name (JavaScript/VBScript) and configure the settings described below.
Flash - If you enable the Flash analyzer, Fortify WebInspect analyzes Flash files, Adobe's vector
graphics-based resizable animation format. There are no associated settings.
Silverlight - If you enable the Silverlight analyzer, Fortify WebInspect analyzes the multimedia,
graphics, animation, and interactivity elements developed within Microsoft's Silverlight Web application
framework. There are no associated settings.
Parser Settings
There are settings associated with the JavaScript/VBScript analyzer. Click the analyzer name
(JavaScript/VBScript) and configure the settings described below.
l Crawl links found from script execution - If you select this option, the crawler will follow dynamic
links (that is, links generated during JavaScript or Visual Basic script).
l Reject script includes to offsite hosts - Pages downloaded from a server may contain scripts that
retrieve files and dynamically render their content. An example JavaScript "include file" request is
<script type="text/javascript" src="www.badsite.com/yourfile.htm"></script> . Fortify WebInspect will
download and parse such files, regardless of their origin or file type, unless you select the Reject
Script option. It will then download the files only if permitted by the parameters normally governing
file handling (such as session and attack exclusions, allowed hosts, etc.).
l Isolate script analysis (out-of-process execution) - Fortify WebInspect analyzes and executes
JavaScript and VBScript to discover links to other resources. Applications or Web sites containing an
inordinate number of links can sometimes exhaust the amount of memory allocated to this process. If
this occurs, you can assign this function to a separate (remote) process, which will accommodate an
infinite number of links. You may, however, notice a slight increase in the amount of time required to
scan the site.
l Create DOM sessions - Fortify WebInspect creates and saves a session for each change to the
Document Object Model (DOM).
l Verbose script parser debug logging - If you select this setting and if the Application setting for
logging level is set to Debug, Fortify WebInspect logs every method called on the DOM object. This
can easily create several gigabytes of data for medium and large sites.
l Log JavaScript errors - Fortify WebInspect logs JavaScript parsing errors from the script parsing
engine.
l Maximum script events per page - Certain scripts endlessly execute the same events. You can limit
the number of events allowed on a single page to a value between 1 and 9999.
Scan Template - Scan Settings: Requestor
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Requestor Performance
Select one of the following options:
l Use a shared requestor - If you select this option, the crawler and the auditor use a common
requestor when scanning a site, and each thread uses the same state, which is also shared by both
modules. This replicates the technique used by previous versions of Fortify WebInspect and is
suitable for use when maintaining state is not a significant consideration. You also specify the
maximum number of threads (up to 75).
l Use separate requestors - If you select this option, the crawler and auditor use separate
requestors. Also, the auditor's requestor associates a state with each thread, rather than having all
threads use the same state. This method results in significantly faster scans.
When performing crawl and audit, you can specify the maximum number of threads that can be
created for each requestor. The Crawl requestor thread count can be configured to send up to 25
concurrent HTTP requests before waiting for an HTTP response to the first request; the default
setting is 5. The Audit requestor thread count can be set to a maximum of 50; the default setting is
10. Increasing the thread counts may increase the speed of a scan, but might also exhaust your
system resources as well as those of the server you are scanning.
Note: Depending on the capacity of the application being scanned, increasing thread counts may
increase request failures due to increased load on the server, causing some responses to exceed the
Request timeout setting. Request failures may reduce scan coverage because the responses that
failed may have exposed additional attack surface or revealed vulnerabilities. If you notice increased
request failures, you might reduce them by either increasing the Request timeout or reducing the
Crawl requestor thread count and Audit requestor thread count.
Also, depending on the nature of the application being scanned, increased crawl thread counts may
reduce consistency between subsequent scans of the same site due to differences in crawl request
ordering. By reducing the default Crawl requestor thread count setting to 1, consistency may be
increased.
Requestor Settings
You may select the following options:
l Limit maximum response size to - Select this option to limit the size of accepted server responses
and then specify the maximum size (in kilobytes). The default is 1000 kilobytes. Note that Flash files
(.swf) and JavaScript "include" files are not subject to this limitation.
l Request retry count - Specify how many times Fortify WebInspect will resubmit an HTTP request
after receiving a "failed" response (which is defined as any socket error or request timeout). The value
must be greater than zero.
l Request timeout - Specify how long Fortify WebInspect will wait for an HTTP response from the
server. If this threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry
count. If Fortify WebInspect then receives no response, it logs the timeout and issues the first HTTP
request in the next attack series. The default value is 20 seconds.
Stop Scan if Loss of Connectivity Detected
There may be occasions during a scan when a Web server fails or becomes too busy to respond in a
timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold for the
number of timeouts.
Note: If these options are selected and the Request timeout setting (above) is reached, the scan
may stop when the server does not respond within the period set for the Request timeout. If the
server responds with the extended Request timeout period, then the extended period becomes the
new Request timeout for the current scan.
The following options are available:
l Consecutive "single host" retry failures to stop scan - Enter the number of consecutive timeouts
permitted from one specific server. The default value is 75.
l Consecutive "any host" retry failures to stop scan - Enter the total number of consecutive
timeouts permitted from all hosts. The default value is 150.
l Nonconsecutive "single host" retry failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from a single host. The default value is "unlimited."
l Nonconsecutive "any host" request failures to stop scan - Enter the total number of
nonconsecutive timeouts permitted from all hosts. The default value is 350.
l If first request fails, stop scan - Selecting this option will force Fortify WebInspect to terminate the
scan if the target server does not respond to Fortify WebInspect's first request.
l Response codes to stop scan if received - Enter the HTTP status codes that, if received, will force
Fortify WebInspect to terminate the scan. Use a comma to separate entries; use a hyphen to specify
an inclusive range of codes.
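The stop-scan thresholds listed above, as an added Python example (not WebInspect code): a monitor that counts consecutive and nonconsecutive retry failures per host and across all hosts, applies the first-request rule, and parses a "Response codes to stop scan" list written in the page's comma-and-hyphen form. Treating "nonconsecutive" failures as running totals that a successful response does not reset, and the order in which the thresholds are checked, are assumptions of this example; the defaults are the values quoted above.

```python
"""Connectivity-loss thresholds (added example, not WebInspect code)."""
import re


def parse_code_list(spec):
    """Parse '403,500-599' (commas separate entries, a hyphen gives an inclusive range)."""
    codes = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d{3})(?:-(\d{3}))?", item)
        if not m:
            raise ValueError(f"bad status code entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        codes.update(range(low, high + 1))
    return codes


class ConnectivityMonitor:
    """Tracks request failures and reports the first stop threshold reached."""

    def __init__(self, single_consecutive=75, any_consecutive=150,
                 single_total=None, any_total=350,
                 stop_on_first_failure=False, stop_codes=""):
        # None means "unlimited", the page's default for the single-host total.
        self.limits = {
            "single_host_consecutive": single_consecutive,
            "any_host_consecutive": any_consecutive,
            "single_host_nonconsecutive": single_total,
            "any_host_nonconsecutive": any_total,
        }
        self.stop_on_first_failure = stop_on_first_failure
        self.stop_codes = parse_code_list(stop_codes)
        self.consecutive_by_host = {}
        self.total_by_host = {}
        self.any_consecutive = 0
        self.any_total = 0
        self.requests_seen = 0
        self.stop_reason = None

    def _check(self, reason, value):
        limit = self.limits[reason]
        if limit is not None and value >= limit:
            self.stop_reason = reason
        return self.stop_reason

    def record(self, host, status=None, failed=False):
        """Record one request outcome. A failure is a socket error or a timeout
        that survived the retry count. Returns the stop reason, or None."""
        if self.stop_reason:
            return self.stop_reason
        self.requests_seen += 1
        if failed:
            if self.stop_on_first_failure and self.requests_seen == 1:
                self.stop_reason = "first_request_failed"
                return self.stop_reason
            self.consecutive_by_host[host] = self.consecutive_by_host.get(host, 0) + 1
            self.total_by_host[host] = self.total_by_host.get(host, 0) + 1
            self.any_consecutive += 1
            self.any_total += 1
            return (self._check("single_host_consecutive", self.consecutive_by_host[host])
                    or self._check("any_host_consecutive", self.any_consecutive)
                    or self._check("single_host_nonconsecutive", self.total_by_host[host])
                    or self._check("any_host_nonconsecutive", self.any_total))
        # A response arrived: consecutive counters reset, running totals do not.
        self.consecutive_by_host[host] = 0
        self.any_consecutive = 0
        if status in self.stop_codes:
            self.stop_reason = "stop_status_code"
        return self.stop_reason
```

A practical use of the monitor is to replay a scan's request log through it with lower thresholds than the defaults, which shows whether a scan that stopped early did so because one host kept timing out or because failures were spread across hosts.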
Scan Template - Scan Settings: Session Storage
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Log Rejected Session to Database
You can specify which rejected sessions should be saved to the database. This saved information can be
used for two purposes.
l If you pause a scan, change any of the settings associated with the Reject Reasons in this panel, and
then resume the scan, Fortify WebInspect retrieves the saved data and sends HTTP requests that
previously were suppressed.
l HPE Security Fortify Support personnel can extract the generated (but not sent) HTTP requests for
analysis. Sessions may be rejected for the reasons cited in the following table:
Reject Reason - Explanation
l Invalid Host - Any host that is not specified as an Allowed Host.
l Excluded File Extension - Files having an extension that is excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected File Extensions; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected File Extensions; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected File Extensions.
l Excluded URL - URLs or hosts that are excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected URLs and Hosts.
l Outside Root URL - If the Restrict to Folder option is selected when starting a scan, any resource not qualified by the available options (Directory Only, Directory and Subdirectories, or Directory and Parent Directories).
l Maximum Folder Depth Exceeded - HTTP requests were not sent because the value specified by the Limit maximum crawl folder depth to option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.
l Maximum URL Hits - HTTP requests were not sent because the value specified by the Limit Maximum Single URL hits to option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.
l 404 Response Code - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine File Not Found (FNF) using HTTP response codes is selected and the response contains a code that matches the requirements.
l Solicited File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Auto detect FNF page is selected and Fortify WebInspect determined that the response constituted a "file not found" condition.
l Custom File Not Found - In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine FNF from custom supplied signature is selected and the response contains one of the specified phrases.
l Rejected Response - Files having a MIME type that is excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded MIME Types.
Session Storage
Fortify WebInspect normally saves only those attack sessions in which a vulnerability was discovered. To
save all attack sessions, select Save non-vulnerable attack sessions.
Scan Template - Scan Settings: Session Exclusions
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Note: The following settings apply to both the crawl and audit phases of a scan. To specify
exclusions for only the crawl or only the audit, use the Crawl Settings - Session Exclusions or the
Audit Settings - Session Exclusions.
Excluded or Rejected File Extensions
You can identify a file type and then specify whether you want to exclude or reject it.
l Reject - Fortify WebInspect will not request files of the type you specify.
l Exclude - Fortify WebInspect will request the files, but will not attack them (during an audit) and will
not examine them for links to other resources.
Excluded MIME Types
Fortify WebInspect will not process files associated with the MIME type you specify. For more
information, see "MIME Types" on page 191.
Excluded or Rejected URLs and Hosts
You can identify a URL or host (using a regular expression) and then specify whether you want to
exclude or reject it.
l Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For
example, you should usually reject any URL that deals with logging off the site, since you don't want
to log out of the application before the scan is completed.
l Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to
other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified
host or URL. If you want to access the URL or host without processing the HTTP response, select the
Exclude option, but do not select Reject. For example, to check for broken links on URLs that you
don't want to process, select only the Exclude option.
You must use a regular expression to designate a host or URL.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following regular expression and select Reject.
Microsoft\.com
Note that the period (or dot) is preceded by a backslash, indicating that the next character is special
(that is, it is not the character used in regular expressions to match any single character except a newline
character).
Example 2
Enter a string such as logout. If that string is found in any portion of the URL, the URL will be excluded
or rejected (depending on which option you select). Using the logout example, Fortify WebInspect will
exclude or reject URLs such as logout.asp or applogout.jsp.
Example 3
If you enter /myApp/
then Fortify WebInspect will exclude or reject all resources in the myApp directory, such as:
http://www.test.me/myApp/filename.htm
If you enter /W3SVC[0-9]*/
then Fortify WebInspect will exclude or reject the following directories:
l http://www.test.me/W3SVC55/
l http://www.test.me/W3SVC5/
l http://www.test.me/W3SVC550/
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
Scan Template - Scan Settings: Allowed Hosts
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Allowable Hosts for Crawl and Audit
Use the Allowed Host settings to add domains that may be crawled and audited. If your Web presence
uses multiple domains, add those domains here. For example, if you were scanning "WIexample.com,"
you would need to add "WIexample2.com" and "WIexample3.com" here if those domains were part of
your Web presence and you wanted to include them in the crawl or audit.
You can also use this feature to scan any domain whose name contains the text you specify. For
example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed
host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it
will pursue that link and scan that site's server, repeating the process until all linked sites are scanned.
For this hypothetical example, Fortify WebInspect would scan the following domains:
l www.myco.com:80
l contact.myco.com:80
l www1.myco.com
l ethics.myco.com:80
l contact.myco.com:443
l wow.myco.com:80
l mycocorp.com:80
l www.interconnection.myco.com:80
Note: If you specify a port number, then the allowed host must be an exact match.
If you use a regular expression to specify a host, select Regex.
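The Allowed Hosts rules just described and the Excluded or Rejected URLs and Hosts rules from the Session Exclusions section, combined in one added Python example (not WebInspect code) that decides what to do with each link the crawler finds. It reproduces the page's examples: "myco" as a substring allowed host, an exact host:port entry, a Regex entry, and the `Microsoft\.com`, `logout`, `/myApp/` and `/W3SVC[0-9]*/` exclusion rules. The decision order (allowed-host check first, then Reject rules, then Exclude rules) and case-insensitive matching are assumptions of this example; the URLs are constructed.

```python
"""Allowed-host and exclusion decisions (added example, not WebInspect code)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_and_port(url):
    """Return (hostname, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return host, port


class AllowedHost:
    """One Allowed Host entry: substring match on the host name, exact host:port
    match when the entry carries a port, or a regular expression when regex=True."""

    def __init__(self, pattern, regex=False):
        self.pattern = pattern
        self.regex = regex

    def matches(self, url):
        host, port = host_and_port(url)
        if self.regex:
            return re.search(self.pattern, f"{host}:{port}", re.IGNORECASE) is not None
        if ":" in self.pattern:  # port given, so the whole host:port must match exactly
            return self.pattern.lower() == f"{host}:{port}"
        return self.pattern.lower() in host


class ExclusionRule:
    """One Excluded or Rejected URLs and Hosts entry (a regular expression)."""

    def __init__(self, regex, action):
        if action not in ("reject", "exclude"):
            raise ValueError(f"action must be reject or exclude, not {action!r}")
        self.regex = re.compile(regex, re.IGNORECASE)
        self.action = action

    def matches(self, url):
        return self.regex.search(url) is not None


def classify(url, allowed_hosts, rules):
    """Return (decision, reason).

    reject  - no request is sent (Invalid Host, or a Reject rule matched)
    exclude - the request is sent, but the response is neither crawled for links nor attacked
    scan    - crawl and audit normally
    """
    if not any(h.matches(url) for h in allowed_hosts):
        return "reject", "Invalid Host"
    for action in ("reject", "exclude"):
        for rule in rules:
            if rule.action == action and rule.matches(url):
                return action, rule.regex.pattern
    return "scan", None


if __name__ == "__main__":
    hosts = [AllowedHost("myco"), AllowedHost("contact.myco.com:443")]
    rules = [ExclusionRule(r"Microsoft\.com", "reject"), ExclusionRule("logout", "reject"),
             ExclusionRule("/myApp/", "exclude"), ExclusionRule("/W3SVC[0-9]*/", "exclude")]
    for u in ["http://www.myco.com/index.htm", "http://www.myco.com/applogout.jsp",
              "http://www.myco.com/myApp/filename.htm", "http://www.example.org/"]:
        print(u, "->", classify(u, hosts, rules))
```

Note the practical point the page makes about logout URLs: a Reject rule keeps the scanner from ever requesting them, whereas an Exclude rule would still send the request and could end the authenticated session mid-scan.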
Scan Template - Scan Settings: HTTP Parsing
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
HTTP Parameters Used for State
If your application uses URL rewriting or post data techniques to maintain state within a Web site, you
must identify which parameters are used. For example, a PHP4 script can create a constant of the
session ID named SID, which is available inside a session. By appending this to the end of a URL, the
session ID becomes available to the next page. The actual URL might look something like the following:
.../page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
Because session IDs change with each connection, an HTTP request containing this URL would create
an error when you tried to replay it. However, if you identify the parameter (PHPSESSID in this
example), then Fortify WebInspect will replace its assigned value with the new session ID obtained from
the server each time the connection is made.
Similarly, some state management techniques use post data to pass information. For example, the
HTTP message content may include userid=slbhkelvbkl73dhj. In this case, "userid" is the parameter you
would identify.
Note: You need to identify parameters only when the application uses URL rewriting or posted
data to manage state. It is not necessary when using cookies.
Fortify WebInspect can identify potential parameters if they occur as posted data or if they exist within
the query string of a URL. However, if your application embeds session data in the URL as extended
path information, you must provide a regular expression to identify it. In the following example,
"1234567" is the session information:
http://www.onlinestore.com/bikes/(1234567)/index.html
The regular expression for identifying the parameter would be: /\([\w\d]+\)/
Determine State from URL Path
If your application determines state from certain components in the URL path, select this check box and
add one or more regular expressions that identify those components. Two default regular expressions
identify two ASP.NET cookieless session IDs. The third regular expression matches the jsessionid cookie.
HTTP Parameters Used for Navigation
Some sites contain only one directly accessible resource, and then rely on query strings to deliver the
requested information, as in the following examples:
l http://www.anysite.com?Master.asp?Page=1
l http://www.anysite.com?Master.asp?Page=2;
l http://www.anysite.com?Master.asp?Page=13;Subpage=4
Ordinarily, Fortify WebInspect would assume that these three requests refer to identical resources and
would scan only one of them. Therefore, if your target Web site employs this type of architecture, you
must identify the specific resource parameters that are used.
The first and second examples contain one resource parameter: "Page." The third example contains two
parameters: "Page" and "Subpage."
To identify resource parameters:
1. Click Add.
2. Enter the parameter name and click Update.
The string you entered appears in the Parameter list.
3. Repeat this procedure for additional parameters.
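The two parameter lists above (HTTP Parameters Used for State and HTTP Parameters Used for Navigation), as one added Python example that is not WebInspect code: `refresh_state` replaces the recorded values of state parameters (in the query string, in posted data, and in extended path information matched by the page's `/\([\w\d]+\)/` expression) with the values from the current session before a stored request is replayed, and `resource_identity` treats URLs that differ only in their navigation parameters as distinct resources. Parameter names, URLs, bodies and session values are constructed; ignoring non-navigation parameters in the identity is an assumption of this example.

```python
"""State refresh and resource identity (added example, not WebInspect code)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Names that would be entered under "HTTP Parameters Used for State".
STATE_PARAMETERS = {"PHPSESSID", "userid"}
# The page's regular expression for session data carried as extended path info.
PATH_STATE = re.compile(r"\(([\w\d]+)\)")
# Names that would be entered under "HTTP Parameters Used for Navigation".
RESOURCE_PARAMETERS = {"Page", "Subpage"}


def parse_params(encoded):
    """Split 'a=1&b=2' or 'a=1;b=2' into (name, value) pairs, keeping order."""
    pairs = []
    for item in re.split(r"[&;]", encoded):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return pairs


def encode_params(pairs, sep="&"):
    return sep.join(f"{n}={v}" for n, v in pairs)


def _refresh(pairs, current):
    return [(n, current.get(n, v) if n in STATE_PARAMETERS else v) for n, v in pairs]


def refresh_state(url, body, current):
    """Return (url, body) with each state parameter's value replaced by the one
    in `current`, the values taken from the latest server response. Session
    data embedded in the path is keyed as current["path"]."""
    parts = urlsplit(url)
    path = parts.path
    if "path" in current:
        path = PATH_STATE.sub(f"({current['path']})", path)
    query = encode_params(_refresh(parse_params(parts.query), current))
    new_url = urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))
    new_body = encode_params(_refresh(parse_params(body), current))
    return new_url, new_body


def resource_identity(url):
    """Key that decides whether two URLs are the same resource: host, path and
    the navigation parameters. State and other parameters are ignored."""
    parts = urlsplit(url)
    nav = tuple(sorted((n, v) for n, v in parse_params(parts.query) if n in RESOURCE_PARAMETERS))
    return (parts.netloc.lower(), parts.path, nav)
```

With `Page` and `Subpage` identified, the three Master.asp examples from the text yield three different identities, so all three are scanned; with an empty RESOURCE_PARAMETERS set they collapse to one, which is the default behaviour the page describes.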
Advanced HTTP Parsing
Most Web pages contain information that tells the browser what character set to use. This is
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV
attribute) in the HEAD section of the HTML document.
For pages that do not announce their character set, you can specify which language family (and implied
character set) Fortify WebInspect should use.
Scan Template - Scan Settings: Filters
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Filter HTTP Request Content
Use this area to specify search-and-replace rules for HTTP requests.
Filter HTTP Response Content
Use this area to specify search-and-replace rules for HTTP responses.
Adding a Regular Expression Rule
To add a regular expression rule for finding or replacing keywords in requests or responses:
1. In either the Request Content or the Response Content group, click Add.
2. From the Section list, select an area to search.
3. In the Find Condition field, type (or paste) the string you want to locate (or enter a regular
expression that describes the string). You can also click the list button to insert regular expression
elements.
4. Type (or paste) the replacement string in the Replace field.
5. For case-sensitive searches, select the Case-Sensitive check box.
6. Click Update.
Scan Template - Scan Settings: Cookies/Headers
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Standard Header Parameters
You can elect to include referer and/or host headers in requests sent by Fortify WebInspect.
l Include 'referer' in HTTP request headers - Select this check box to include referer headers in
HTTP requests. The Referer request-header field allows the client to specify, for the server's benefit,
the address (URI) of the resource from which the Request-URI was obtained.
l Include 'host' in HTTP request headers - Select this check box to include host headers with HTTP
requests. The Host request-header field specifies the Internet host and port number of the resource
being requested, as obtained from the original URI given by the user or referring resource (generally
an HTTP URL).
Append Custom Headers
Use this section to add, edit, or delete headers that will be included with each audit Fortify WebInspect
performs. For example, you could add a header such as "Alert: You are being attacked by Consultant
ABC" that would be included with every request sent to your company's server when Fortify
WebInspect is auditing that site. You can add multiple custom headers.
To add a custom header:
1. In the top box, enter the header using the format <name>: <value>.
2. Click Add.
The new header appears in the list of custom headers.
Append Custom Cookies
Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by
Fortify WebInspect to the server when conducting a scan.
To add a custom cookie:
1. In the top box, enter the header using the format <name>=<value>. For example, if you enter
CustomCookie=ScanEngine
then each HTTP-Request will contain the following header:
Cookie: CustomCookie=ScanEngine
2. Click Add.
The new cookie appears in the list of custom cookies.
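The custom header and custom cookie formats above, together with the search-and-replace rules from the Filters section, as one added Python example that is not WebInspect code: it appends `<name>: <value>` headers and merges `<name>=<value>` cookies into the Cookie header of an outgoing request, then applies find/replace rules to a chosen section. The section names ("headers" and "body") are an assumption of this example; the request is constructed.

```python
"""Custom headers, custom cookies and filter rules (added example, not WebInspect code)."""
import re


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line, headers, body):
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def append_custom_headers_and_cookies(raw, custom_headers, custom_cookies):
    """custom_headers: '<name>: <value>' strings appended to every request.
    custom_cookies: '<name>=<value>' strings merged into one Cookie header."""
    request_line, headers, body = parse_request(raw)
    for entry in custom_headers:
        name, _, value = entry.partition(":")
        headers.append((name.strip(), value.strip()))
    if custom_cookies:
        existing = [v for n, v in headers if n.lower() == "cookie"]
        headers = [(n, v) for n, v in headers if n.lower() != "cookie"]
        headers.append(("Cookie", "; ".join(existing + list(custom_cookies))))
    return serialize_request(request_line, headers, body)


def apply_filter_rules(raw, rules):
    """rules: dicts with 'section' ('headers' or 'body'), 'find' (a regular
    expression), 'replace' and 'case_sensitive'. Rules are applied in order."""
    request_line, headers, body = parse_request(raw)
    for rule in rules:
        flags = 0 if rule.get("case_sensitive") else re.IGNORECASE
        pattern = re.compile(rule["find"], flags)
        if rule["section"] == "headers":
            headers = [(n, pattern.sub(rule["replace"], v)) for n, v in headers]
        elif rule["section"] == "body":
            body = pattern.sub(rule["replace"], body)
        else:
            raise ValueError(f"unknown section {rule['section']!r}")
    return serialize_request(request_line, headers, body)


if __name__ == "__main__":
    # Constructed request; the Alert header text is the page's own example.
    raw = ("POST /account HTTP/1.1\r\nHost: www.test.me\r\nCookie: lang=en\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "userid=slbhkelvbkl73dhj&action=view")
    out = append_custom_headers_and_cookies(
        raw, ["Alert: You are being attacked by Consultant ABC"], ["CustomCookie=ScanEngine"])
    print(apply_filter_rules(out, [{"section": "body", "find": r"userid=\w+",
                                   "replace": "userid=REDACTED", "case_sensitive": False}]))
```

A request filter of this kind is the usual way to keep a scan from writing a real account identifier into every logged request, while the Alert header lets the application's operators attribute the traffic to the scan.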
Scan Template - Scan Settings: Proxy
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Proxy Settings
Select one of the following options:
l Direct Connection (proxy disabled) - Select this option if you are not using a proxy server.
l Automatically detect proxy settings - If you select this option, Fortify WebInspect will use the
Web Proxy Autodiscovery Protocol (WPAD) to automatically locate a proxy autoconfig file and use
this to configure the browser's web proxy settings.
l Use Internet Explorer proxy settings - Select this option to use the proxy server settings
configured for the Internet Explorer browser on the machine that will conduct the scan.
l Use Firefox proxy settings - Select this option to use the proxy server settings configured for the
Firefox browser on the machine that will conduct the scan.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a
proxy server. If the Firefox browser connection settings are configured for “No proxy,” or if the
Internet Explorer setting “Use a proxy server for your LAN” is not selected, then a proxy server will
not be used.
l Configure a proxy using a PAC file URL - Select this option to load proxy settings from a Proxy
Automatic Configuration (PAC) file. Then specify the file location in the URL field.
l Explicitly configure proxy - Select this option to access the Internet through a proxy server, and
then enter the requested information. For proxy servers accepting https connections, select the
Specify Alternative Proxy for HTTPS check box and provide the requested information.
1. In the Server field, type the URL or IP address of your proxy server.
2. In the Port field, enter the port number (for example, 8080).
3. Select a protocol for handling TCP traffic through a proxy server: Standard, Socks4, or Socks5.
4. If your proxy server requires authentication, enter the qualifying user name and password.
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
Scan Template - Scan Settings: Authentication
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Scan Requires Network Authentication
Select this option if users must log on to your Web site or application. Then select an authentication
method and specify a user name and password.
Caution: Fortify WebInspect will crawl all servers granted access by this password (if the
sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your
administrative systems, do not use a user name and password that has administrative rights. If you
are unsure about your access rights, contact your System Administrator or internal security
professional, or contact HPE Security Fortify Support.
The authentication methods are:
Basic
A widely used, industry-standard method for collecting user name and password information. The Web
browser displays a dialog box for a user to enter a previously assigned user name and password and
then attempts to establish a connection to a server using the user's credentials. If the Web server verifies
that the user name and password correspond to a valid user account, a connection is established. Basic
authentication is not recommended unless you are confident that the connection between the user and
your Web server is secure.
NTLM
An authentication process that is used by all members of the Windows NT family of products. Like its
predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without
requiring that either a password or a hashed password be sent across the network. Use NTLM
authentication for servers running IIS. If NTLM authentication is enabled, and Fortify WebInspect has
to pass through a proxy server to submit its requests to the Web server, Fortify WebInspect may not be
able to crawl or audit that Web site. Use caution when configuring Fortify WebInspect for scans of sites
protected by NTLM. After scanning, you may want to disable the NTLM authentication settings to
prevent any potential problem.
Kerberos
Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a Key
Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS)
and a Ticket Granting Server (TGS). The client authenticates itself to AS, then demonstrates to the TGS
that it is authorized to receive a ticket for a service (and receives it). The client then demonstrates to a
Service Server that it has been approved to receive the service. This authentication method will be
successful only if the Web server has been configured to return a response header of “WWW-Authenticate: Kerberos” instead of “WWW-Authenticate: Negotiate.”
Digest
The Windows Server operating system implements the Digest Authentication protocol as a security
support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system. Using
digest authentication, your password is never sent across the network in the clear, but is always
transmitted as an MD5 digest of the user's password. In this way, the password cannot be determined
by sniffing network traffic.
Automatic
Allow Fortify WebInspect to determine the correct authentication type. Automatic detection slows the
scanning process. If you know and specify one of the other authentication methods, scanning
performance is noticeably improved.
Client Certificates
Client certificate authentication allows users to present client certificates rather than entering a user
name and password.
To use client certificates:
1. Select Use Client Certificate.
2. Click Browse to choose a certificate.
Scan Template - Scan Settings: File Not Found
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Determine File Not Found (FNF) Using HTTP Response Codes
Select this option to rely on HTTP response codes to detect a file-not-found response from the server.
You can then identify the codes that fit the following two categories.
l Forced valid response codes (never an FNF): You can specify HTTP response codes that should
never be treated as a file-not-found response.
l Forced FNF response codes (always an FNF): Specify those HTTP response codes that will always
be treated as a file-not-found response. Fortify WebInspect will not process the response contents.
Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to
separate the first and last code in the list (for example, 400-404). You can specify multiple codes or
ranges by separating each entry with a semicolon.
Determine File Not Found from Custom Supplied Signature
Use this area to add information about any custom 404 page notifications that your company uses. If
your company has configured a different page to display when a 404 error occurs, add the information
here. False positives can result from 404 pages that are unique to your site.
You can specify a signature using plain text, a regular expression, or, using the SPI Regex option,
Regular Expression Extensions. For information about the Regular Expression Editor tool, see the HPE
Security Fortify WebInspect Tools Guide.
Auto-Detect File Not Found Page
Some Web sites do not return a status "404 Not Found" when a client requests a resource that does not
exist. Instead, they may return a status "200 OK" but the response contains a message that the file
cannot be found. Select this check box if you want Fortify WebInspect to detect these "custom" file-not-found pages.
Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources
that cannot possibly exist on the server. It then compares each response and measures the amount of
text that differs between the responses. For example, most messages of this type have the same
content (such as "Sorry, the page you requested was not found"), with the possible exception being the
name of the requested resource. If you select the Auto-Detect File Not Found Page check box, you
can specify what percentage of the response content must be the same. The default is 90 percent.
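The three file-not-found mechanisms on this panel (forced response codes, a custom signature, and auto-detection by response similarity) can be tried out with the following Python script. It is an added example written for this guide, not code from the product or from HPE; the code lists, the signature text, and the two probe responses are constructed here, and the similarity measure (difflib's ratio of shared text) stands in for whatever comparison the product uses internally.

```python
import difflib
import re
from typing import Iterable, Optional, Set


def parse_code_spec(spec: str) -> Set[int]:
    """Parse a response-code list in the panel's syntax ('400-404;410') into a set."""
    codes: Set[int] = set()
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:  # a range: first and last code separated by a hyphen
            low, high = (int(part) for part in entry.split("-", 1))
            codes.update(range(low, high + 1))
        else:
            codes.add(int(entry))
    return codes


# Constructed settings: redirects are never an FNF; 400-404 and 410 always are.
FORCED_VALID = parse_code_spec("301-302")
FORCED_FNF = parse_code_spec("400-404;410")

# Constructed custom signature for a site-specific "page missing" message.
CUSTOM_SIGNATURE = re.compile(r"Oops! We can't find that", re.IGNORECASE)


def classify_by_code(status: int) -> Optional[bool]:
    """True = FNF, False = valid, None = the code lists do not decide.
    A code listed in both lists is treated as valid (an assumption of this example)."""
    if status in FORCED_VALID:
        return False
    if status in FORCED_FNF:
        return True
    return None


def similarity(a: str, b: str) -> float:
    """Share of text common to two response bodies, 0.0 to 1.0."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def learn_fnf_template(probe_bodies: Iterable[str], threshold: float = 0.90) -> Optional[str]:
    """Auto-detect step: responses to resources that cannot exist should agree above
    the threshold (default 90 percent); if they do, the first one becomes the template."""
    bodies = list(probe_bodies)
    if len(bodies) < 2:
        return None
    template = bodies[0]
    if all(similarity(template, other) >= threshold for other in bodies[1:]):
        return template
    return None


def is_file_not_found(status: int, body: str, fnf_template: Optional[str],
                      threshold: float = 0.90) -> bool:
    """Combine the three mechanisms in the order the panel presents them."""
    decided = classify_by_code(status)
    if decided is not None:
        return decided
    if CUSTOM_SIGNATURE.search(body):
        return True
    return fnf_template is not None and similarity(body, fnf_template) >= threshold


# Constructed responses to two random, non-existent paths on a site that answers 200 OK.
PROBE_BODIES = [
    "<html><body><h1>Sorry, the page you requested was not found: /zz9a1.html</h1></body></html>",
    "<html><body><h1>Sorry, the page you requested was not found: /q8x0b7.html</h1></body></html>",
]

if __name__ == "__main__":
    template = learn_fnf_template(PROBE_BODIES)
    print("template learned:", template is not None)
    print(is_file_not_found(200, PROBE_BODIES[0].replace("zz9a1", "admin/x1"), template))
```

A 200 response whose body matches the learned template (the only difference being the requested name) is reported as file-not-found, while a genuinely different page stays valid; lowering the percentage makes the comparison more permissive and raises the chance that a real page is discarded.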
Scan Template - Scan Settings: Policy
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Scan Policy
Select which policy will be used by this template. A policy is a collection of audit engines and attack
agents that Fortify WebInspect uses when auditing or crawling your Web application. Each component
has a specific task, such as testing for cross-site scripting susceptibility, building the site tree, probing
for known server vulnerabilities, etc. For policy descriptions, see "Policies List" on page 126.
Scan Template - Crawl Settings: Link Parsing
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Link Parsing
Fortify WebInspect follows all hyperlinks defined by HTML (using the <a href> tag) and those defined
by scripts (JavaScript and VBScript). However, you may encounter other communications protocols that
use a different syntax for specifying links. To accommodate this possibility, you can use the Custom
Links feature to identify (using regular expressions) links that you want Fortify WebInspect to follow.
To add a specialized link identifier:
1. Click Add.
2. In the Custom Links field, enter a regular expression designed to identify the link.
3. (Optional) Enter a description of the link in the Comments field.
4. Click Update.
Scan Template - Crawl Settings: Session Exclusions
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Session Exclusions
Note: All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray (not
black) text. If you do not want these objects to be excluded from the crawl, you must remove them from
the Scan Settings - Session Exclusions panel. This panel (Crawl Settings - Session Exclusions) allows you
to specify additional objects to be excluded from the crawl.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
To add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited. For more information, see "MIME
Types" on page 191.
To add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the site, since you
don't want to log out of the application before the scan is completed. To check for broken links to URLs
that you don't want to process, select only the Exclude option.
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host
l Exclude - Send request, but do not process response
5. Click Update.
Scan Template - Audit Settings: Session Exclusions
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the Session
Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray (not black)
text. If you do not want these objects to be excluded from the audit, you must remove them from the
Scan Settings - Session Exclusions panel. This panel (Audit Settings - Session Exclusions) allows you to
specify additional objects to be excluded from the audit.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested. If you select Exclude, files
having the specified extension will be requested, but will not be audited.
To add a file extension:
1. Click Add.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click Update.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited. For more information, see "MIME
Types" on page 191.
To add a MIME Type:
1. Click Add.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click Update.
Excluded or Rejected URLs and Hosts
The URLs or hosts you specify will not be accessed if you select the Reject option. However, you may
want to access the URL or host (do not select Reject), but not process the HTTP response (select
Exclude). For example, you should usually reject any URL that deals with logging off the site, since you
don't want to log out of the application before the scan is completed. To check for broken links to URLs
that you don't want to process, select only the Exclude option.
To add a URL or host:
1. Click Add.
2. From the Type list, select either Host or URL.
3. In the URLs and Hosts field, enter a URL or fully qualified host name, or a regular expression
designed to match the targeted URL or host.
4. Select one or both of the following:
l Reject - Do not send request to targeted URL or host.
l Exclude - Send request, but do not process response.
5. Click Update.
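The Reject and Exclude options above, and the identical options on the Crawl Settings - Session Exclusions panel, differ in when they act: Reject stops the request from being sent, Exclude lets the request go out (so a broken link is still noticed) but drops the response from processing. The following Python script is an added example, not product code, that models both decisions for file extensions, MIME types, and URL or host regular expressions; the configuration values and host names (example.test) are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set
from urllib.parse import urlsplit


@dataclass
class ExclusionRule:
    pattern: re.Pattern       # regular expression matched against the URL or the host
    kind: str                 # "URL" or "Host", as in the panel's Type list
    reject: bool = False      # do not send the request at all
    exclude: bool = False     # send the request, but do not process the response


@dataclass
class SessionExclusions:
    rejected_extensions: Set[str] = field(default_factory=set)
    excluded_extensions: Set[str] = field(default_factory=set)
    excluded_mime_types: Set[str] = field(default_factory=set)
    rules: List[ExclusionRule] = field(default_factory=list)


def extension_of(url: str) -> str:
    """Lower-case extension of the last path segment, or '' if it has none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _rule_hits(url: str, rules: List[ExclusionRule], flag: str) -> bool:
    host = urlsplit(url).hostname or ""
    for rule in rules:
        subject = host if rule.kind == "Host" else url
        if getattr(rule, flag) and rule.pattern.search(subject):
            return True
    return False


def should_request(url: str, cfg: SessionExclusions) -> bool:
    """Reject decision, taken before any request is sent."""
    if extension_of(url) in cfg.rejected_extensions:
        return False
    return not _rule_hits(url, cfg.rules, "reject")


def should_process(url: str, content_type: str, cfg: SessionExclusions) -> bool:
    """Exclude decision, taken after the response arrives (MIME type is only known then)."""
    if extension_of(url) in cfg.excluded_extensions:
        return False
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in cfg.excluded_mime_types:
        return False
    return not _rule_hits(url, cfg.rules, "exclude")


# Constructed configuration: never request images or the logout URL, fetch but do not
# audit PDFs, binary downloads, and anything served from a CDN host.
SAMPLE_CONFIG = SessionExclusions(
    rejected_extensions={"png", "jpg"},
    excluded_extensions={"pdf"},
    excluded_mime_types={"application/octet-stream"},
    rules=[
        ExclusionRule(re.compile(r"/logout(\?|$)", re.IGNORECASE), "URL", reject=True),
        ExclusionRule(re.compile(r"^cdn\.example\.test$", re.IGNORECASE), "Host", exclude=True),
    ],
)

if __name__ == "__main__":
    for url in ("https://app.example.test/account/logout?next=/",
                "https://cdn.example.test/lib.js",
                "https://app.example.test/index.html"):
        print(url, "request:", should_request(url, SAMPLE_CONFIG))
```

The logout rule is the case the text singles out: because it is rejected rather than excluded, the scanner never sends the request and so cannot end its own authenticated session part-way through the scan.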
Scan Template - Audit Settings: Attack Exclusions
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to
attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA
parameters.
To prevent certain parameters from being modified:
1. In the Excluded Parameters group, click Add.
2. In the Parameter field, enter the name of the parameter you want to exclude.
3. Choose the area in which the parameter may be found: HTTP query data or HTTP POST data. You
can select both areas, if necessary.
4. Click Update.
Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack
the Web site. This feature is used to avoid corrupting cookie values. This setting requires you to enter
the name of a cookie.
In the following example HTTP response, the name of the cookie is "FirstCookie."
Set-Cookie: FirstCookie=Chocolate+Chip; path=/
To exclude certain cookies:
1. In the Excluded Cookies group, click Add.
2. In the Parameter field, type a cookie name or enter a regular expression that you believe will
match the cookies you want to exclude.
3. Click Update.
Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to
attack the Web site. This feature is used to avoid corrupting header values.
To prevent certain headers from being modified, create a regular expression using the procedure
described below.
1. In the Excluded Headers group, click Add.
2. In the Parameter field, type a header name or enter a regular expression that you believe will
match the headers you want to exclude.
3. Click Update.
Audit Inputs Editor
Using the Audit Inputs Editor, you can create additional parameters for audit engines and checks that
require inputs.
To load inputs that you previously created using the editor, click the Browse button next to the Import
Audit Inputs button.
Scan Template - Audit Settings: Attack Expressions
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Additional Regular Expression Languages
You may select one of the following language code-country code combinations (as used by the
CultureInfo class in the .NET Framework Class Library):
l ja-jp: Japanese - Japan
l ko-Kr: Korean - Korea
l zh-cn: Chinese - China
l zh-tw: Chinese - Taiwan
l es-mx: Spanish - Mexico
The CultureInfo class holds culture-specific information, such as the associated language, sublanguage,
country/region, calendar, and cultural conventions. This class also provides access to culture-specific
instances of DateTimeFormatInfo, NumberFormatInfo, CompareInfo, and TextInfo. These objects
contain the information required for culture-specific operations, such as casing, formatting dates and
numbers, and comparing strings.
Scan Template - Audit Settings: Vulnerability Filters
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Select Vulnerability Filters to Enable
By applying certain filters, you can limit the display of certain vulnerabilities reported during a scan. The
options are:
l Standard Vulnerability Definition - This filter sorts parameter names for determining equivalency
between similar requests. For example, if a SQL injection vulnerability is found in parameter "a" in
both http://x.y?a=x;b=y and http://x.y?b=y;a=x, it would be considered equivalent.
l Parameter Vulnerability Roll-Up - This filter consolidates multiple parameter manipulation and
parameter injection vulnerabilities discovered during a single session into one vulnerability.
l 403 Blocker - This filter revokes vulnerabilities when the status code of the vulnerable session is 403
(Forbidden).
l Response Inspection Dom Event Parent-Child - This filter disregards a keyword search
vulnerability found in JavaScript if the same vulnerability has already been detected in the parent
session.
To add a filter to your default settings, select a filter in the Available area and click >. The filter is
removed from the Available list and added to the Selected list.
To disable a filter, select a filter in the Selected list and click <. The filter is removed from the Selected
list and added to the Available list.
To add all available filters, click >>.
To remove all selected filters, click <<.
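The following Python script is an added illustration of how the first three filters above reduce a list of findings; it is not the product's filter implementation. The Finding fields, the treatment of ';' and '&' as query separators, and the sample findings are constructed for the example, and the roll-up keeps the first finding of a session in place of the consolidated one.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Finding:
    check: str        # e.g. "SQL Injection"
    url: str          # request URL including the query string
    parameter: str    # parameter in which the vulnerability was found
    session_id: str   # crawl session the request belongs to
    status: int       # HTTP status code of the vulnerable response
    category: str     # "parameter manipulation", "parameter injection", ...


def split_query(query: str) -> List[str]:
    """Accept ';' as well as '&' between parameters (the text's example uses ';')."""
    return [part for part in query.replace(";", "&").split("&") if part]


def standard_definition_key(f: Finding) -> Tuple:
    """Standard Vulnerability Definition: parameter names are sorted, so
    ?a=x;b=y and ?b=y;a=x produce the same key for the same check and parameter."""
    parts = urlsplit(f.url)
    names = tuple(sorted(p.split("=", 1)[0] for p in split_query(parts.query)))
    return (f.check, parts.scheme, parts.netloc, parts.path, names, f.parameter)


def apply_standard_definition(findings: Iterable[Finding]) -> List[Finding]:
    seen, kept = set(), []
    for f in findings:
        key = standard_definition_key(f)
        if key not in seen:
            seen.add(key)
            kept.append(f)
    return kept


ROLLUP_CATEGORIES = {"parameter manipulation", "parameter injection"}


def apply_parameter_rollup(findings: Iterable[Finding]) -> List[Finding]:
    """Parameter Vulnerability Roll-Up: several manipulation/injection findings from
    one session collapse into one (here, the first seen for that session)."""
    seen_sessions, kept = set(), []
    for f in findings:
        if f.category in ROLLUP_CATEGORIES:
            if f.session_id in seen_sessions:
                continue
            seen_sessions.add(f.session_id)
        kept.append(f)
    return kept


def apply_403_blocker(findings: Iterable[Finding]) -> List[Finding]:
    """403 Blocker: a finding whose vulnerable response was 403 Forbidden is revoked."""
    return [f for f in findings if f.status != 403]


FILTERS: Dict[str, Callable[[Iterable[Finding]], List[Finding]]] = {
    "Standard Vulnerability Definition": apply_standard_definition,
    "Parameter Vulnerability Roll-Up": apply_parameter_rollup,
    "403 Blocker": apply_403_blocker,
}


def apply_filters(findings: Iterable[Finding], enabled: Iterable[str]) -> List[Finding]:
    """Run the selected filters in the order they are listed."""
    result = list(findings)
    for name in enabled:
        result = FILTERS[name](result)
    return result


# Constructed sample findings: the first two are the text's ?a=x;b=y / ?b=y;a=x pair.
SAMPLE = [
    Finding("SQL Injection", "http://x.y?a=x;b=y", "a", "s1", 200, "parameter injection"),
    Finding("SQL Injection", "http://x.y?b=y;a=x", "a", "s2", 200, "parameter injection"),
    Finding("Cross-Site Scripting", "http://x.y/search?q=1", "q", "s3", 403, "parameter injection"),
    Finding("Parameter Manipulation", "http://x.y/item?id=1&ref=2", "id", "s4", 200, "parameter manipulation"),
    Finding("Parameter Manipulation", "http://x.y/item?id=1&ref=2", "ref", "s4", 200, "parameter manipulation"),
]

if __name__ == "__main__":
    print(len(apply_filters(SAMPLE, FILTERS)), "of", len(SAMPLE), "findings remain")
```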
Scan Template - Audit Settings: Smart Scan
Project Version
From the drop-down lists, you can select a Project and Project Version with which this template will be
associated.
Alternatively, if you select the Global Template check box, then instead of specifying a project and
project version, you must select an organization and group from a drop-down list.
If you select Global Template, all the other forms you can select in the left column also display the
Global Template option as selected as well as the organization and group you selected, rather than the
project and project version.
Smart Scan
Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and
checks for known vulnerabilities against that specific server type. For example, if you are scanning a site
hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is
susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.
If you select Enable Smart Scan, you can choose one or both of the identification methods described
below.
l Use regular expressions on HTTP responses - This method searches the server response for
strings that match predefined regular expressions designed to identify specific servers.
l Use server analyzer fingerprinting and request sampling - This advanced method sends a series
of HTTP requests and then analyzes the responses to determine the server type.
Custom Server/Application Type Definitions (more accurate detection)
If you know the server type for a target domain, you can select it using the Custom server/application
type definitions (more accurate detection) section. This identification method overrides any other
selected method for the server you specify.
1. Click Add.
2. In the Host field, enter the domain name or host, or the server's IP address.
3. Select one or more entries from the Server/Application list.
4. Click OK.
Blackout Settings
The following pages describe blackout settings, including general settings and settings for recurring
blackouts.
Blackout: General
A blackout period is a block of time during which scans are not permitted. You can also create a partial
ban by specifying that scans should not be conducted on specific hosts (identified by URL or IP
address) during the time period you specify.
You may alternatively assign a contrary definition to the blackout, specifying that scans may occur only
during this time period. In effect, this creates a blackout period covering all but the period of time you
specify.
Creating a Blackout Period
To create a blackout period, provide the following information for each item:
Project Version
Select a project from the Projects list and then select a version from the Project
Versions list.
Name
Enter a unique identifier for this blackout period.
Address
The URL or IP address (or range of IP addresses) that are affected by this
blackout period. The value can be a single URL or IP address, or a range of IP
addresses. If you need to exclude multiple ranges, you must create additional
(overlapping) blackout periods. To specify a range, separate the beginning
address and ending address with a hyphen. You can use the asterisk ( * ) as a
wild card. The default setting (an asterisk) means all addresses. Wildcards in IP
addresses must be at the end of the address as shown, but wildcards for host
names must be at the beginning.
Examples:
l 192.16.12.1-192.16.12.210
l 192.16.12.*
l *.domain.com
Start Time
The date and time at which the blackout period begins.
End Time
The date and time at which the blackout period expires.
Time Zone
Select the time zone for the location of the target server that is affected by the
blackout. The time zone defaults to the zone in which you are working (see
"Configuring Toolbar Options" on page 102). If the target server is in a different
time zone, you should usually select the server's time zone and specify the
blackout period using local time.
For example, if you are in New York City, USA (UTC-05) and the Fortify
WebInspect Enterprise server is in Rome, Italy (UTC+01), and you want to
schedule a blackout to begin at 8 a.m. Rome time, you could do either of the
following:
l Select the UTC+01 time zone (Rome) and specify a Start time of 8 a.m.
l Select the UTC-05 time zone (New York City) and specify a Start time of 2
a.m.
Duration
The length of time during which the blackout is in effect. This value is calculated
automatically after you specify the Start Time and End Time. Alternatively, if you
specify the Start Time and the Duration, the End Time is calculated. If you edit
the Duration, the End Time is recalculated.
The format is:
d.hh.mm
where
d = the number of days
hh = the number of hours
mm = the number of minutes
Blackout Type
Select one of the following:
l Allow scans during this period: Scans of the specified targets are allowed
only during the specified time period.
l Deny scans during this period: Scans of the specified targets are prohibited
during the specified time period.
Allow and deny work very much like allow and deny for permissions. Deny
always takes precedence over allow, so a scan can occur at a particular time
only if there are no blackout periods that deny that time. An allow blackout period
means deny scans UNLESS you are in the allowed range, as opposed to allow
scans ONLY if you are in the allowed range. If you configure two separate "allow"
blackout periods, a scan will be allowed only during the time that both periods
allow (the overlap of those periods). For example, if period A allows scans from
1 p.m. to 3 p.m. and period B allows scans from 2 p.m. to 6 p.m., then scans will
be allowed only from 2 p.m. to 3 p.m.
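The address, duration, time zone and allow/deny rules from the table above are brought together in the following Python script. It is an added example for this guide, not the product's scheduler: the address matching follows the rules given for the Address item (IP wildcard at the end, host-name wildcard at the beginning, hyphen-separated IP range), the duration helpers use the d.hh.mm format, the time zones are the fixed UTC-05 and UTC+01 offsets of the New York/Rome example, and the permission check follows the 1 p.m. to 3 p.m. / 2 p.m. to 6 p.m. example. The sample blackout periods and target addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class Blackout:
    name: str
    address: str        # "*", "192.16.12.*", "*.domain.com", "a.b.c.d-a.b.c.e", or one host/IP
    start: datetime     # time-zone aware
    end: datetime
    deny: bool          # True = "Deny scans during this period", False = "Allow scans ..."


def address_matches(pattern: str, target: str) -> bool:
    """Address rules of the Blackout: General panel, as described in the table."""
    pattern, target = pattern.strip().lower(), target.strip().lower()
    if pattern == "*":                              # the default: all addresses
        return True
    if "-" in pattern and pattern[:1].isdigit():    # IP range: first-last
        low, high = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        try:
            return low <= ipaddress.ip_address(target) <= high
        except ValueError:                          # target is a host name, not an IP
            return False
    if pattern.endswith(".*"):                      # IP wildcard at the end
        return target.startswith(pattern[:-1])
    if pattern.startswith("*."):                    # host-name wildcard at the beginning
        return target.endswith(pattern[1:])
    return pattern == target


def parse_duration(text: str) -> timedelta:
    """Duration in the panel's d.hh.mm format."""
    days, hours, minutes = (int(part) for part in text.split("."))
    return timedelta(days=days, hours=hours, minutes=minutes)


def format_duration(delta: timedelta) -> str:
    """End Time minus Start Time, rendered as d.hh.mm."""
    total_minutes = int(delta.total_seconds()) // 60
    days, rest = divmod(total_minutes, 24 * 60)
    hours, minutes = divmod(rest, 60)
    return f"{days}.{hours:02d}.{minutes:02d}"


def scan_permitted(target: str, when: datetime, blackouts: List[Blackout]) -> bool:
    """Deny beats allow; when several allow periods apply, only their overlap permits a scan."""
    applicable = [b for b in blackouts if address_matches(b.address, target)]
    if any(b.deny and b.start <= when < b.end for b in applicable):
        return False
    allows = [b for b in applicable if not b.deny]
    if not allows:                                  # no allow periods: no restriction
        return True
    return all(b.start <= when < b.end for b in allows)


# Fixed offsets as written on the page (UTC-05 and UTC+01; no daylight-saving handling).
NEW_YORK = timezone(timedelta(hours=-5))
ROME = timezone(timedelta(hours=1))


def rome_8am_as_new_york() -> datetime:
    """The page's example: a blackout starting at 8 a.m. Rome time is 2 a.m. New York time."""
    return datetime(2016, 9, 1, 8, 0, tzinfo=ROME).astimezone(NEW_YORK)


# Constructed periods: A and B are the text's two allow periods; one deny period for a host range.
DAY = datetime(2016, 9, 1, tzinfo=timezone.utc)
SAMPLE_BLACKOUTS = [
    Blackout("A", "192.16.12.*", DAY.replace(hour=13), DAY.replace(hour=15), deny=False),
    Blackout("B", "192.16.12.*", DAY.replace(hour=14), DAY.replace(hour=18), deny=False),
    Blackout("maintenance", "*.domain.com", DAY.replace(hour=2), DAY.replace(hour=4), deny=True),
]

if __name__ == "__main__":
    for hour in (13, 14, 16):
        print(f"{hour}:30 ->", scan_permitted("192.16.12.5", DAY.replace(hour=hour, minute=30), SAMPLE_BLACKOUTS))
    print("Rome 08:00 in New York:", rome_8am_as_new_york().strftime("%H:%M %z"))
```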
Blackout: Recurrence
Project Version
Select a project from the Projects list and then select a version from the Project Versions list.
Scan Template
Instead of specifying each individual setting every time you conduct a scan, you can create templates
that contain different settings and then simply select a template from the Use Scan Template list. You
are not required to use a template.
Recurring
To schedule a scan, a Smart Update, or a blackout on a recurring basis:
1. Select the Recurring check box.
Do NOT select this option if you want to schedule a one-time-only event.
2. Use the Pattern group to select the frequency of the event (daily or every x days, weekly, monthly,
or yearly) and then provide the appropriate information.
3. Using the Range group, specify the starting date and the ending date (or select Never if the event
is to run indefinitely). You can also limit the number of times the event should occur.
Chapter 5: WebInspect Enterprise Thin Client
The WebInspect Enterprise Thin Client provides Guided Scan functionality and report generation.
About the Thin Client Download
The Fortify WebInspect Enterprise Thin Client download provides the following capabilities:
l Guided Scans for Web sites and mobile devices, as introduced in this topic.
l Reports, as described in "Generating a Report" on the next page.
Note: To use any of the Thin Client capabilities while using the Mozilla Firefox browser, you must
download and install the Firefox add-on for the .NET Framework Assistant. To obtain it, click Add-ons on the Mozilla Firefox Start Page in the Firefox browser and search .NET.
The first time you launch Guided Scan (or create a report) from Fortify WebInspect Enterprise or Fortify
Software Security Center, the Fortify WebInspect Enterprise Thin Client application:
l Runs a wizard that verifies your computer meets the prerequisites for installing the Thin Client.
l Downloads and installs itself on your computer, along with the help.
l Launches either Guided Scan or reporting, depending on which you selected.
Guided Scan directs you through the best steps to configure a scan that is tailored to your application,
and it is the preferred method for performing a scan.
Launching a Guided Scan
You can launch a Guided Scan in the following ways:
l In the Fortify WebInspect Enterprise Web Console, click Actions > Guided Scan.
l In Fortify Software Security Center, on the Projects tab select a project and project version, and click
Guided Scan in the Quick Links.
l In Fortify Software Security Center, open a particular project version in the Projects tab, click the
Scans tab for that project version, and click Guided Scan.
The first step in the Guided Scan is to select the type of scan you want to run, from three types of web
site scans using predefined templates and two types of scans using mobile templates. In summary, you
can click one of the following links to see the Help topic for the type of scan you plan to run:
l "Configuring Web Site Scans Using a Predefined Template" on page 270, for information about
scanning a web site if you select a Standard Scan, a Quick Scan, or a Thorough Scan.
l "Configuring Mobile Web Site Scans Using a Mobile Template" on page 284, for information about
scanning a mobile web site from the machine where your instance of Fortify WebInspect or Fortify
WebInspect Enterprise is installed. Click Mobile Scan to start this type of scan.
l "Configuring Native Scans Using a Mobile Template" on page 298, for information about manually
crawling a native mobile application and capturing the web traffic as a workflow macro. Click Native
Scan to start this type of scan.
The following paragraphs provide more information to help you select the type of scan to run and
cross-references to related topics.
Selecting the Type of Guided Scan to Run
Predefined Templates for Scanning Web Sites
For a Standard Scan, a Quick Scan, or a Thorough Scan, see "Configuring Web Site Scans Using a
Predefined Template" on page 270. The only difference among these web site scans created using the
predefined templates is the default extent of crawl coverage, which you can change:
l Click Standard Scan to use scan settings that (by default) focus on coverage rather than
performance. Large sites could take days to crawl with these settings.
l Click Quick Scan to use scan settings that (by default) focus on breadth and performance rather
than digging deep. It is especially good for very large sites.
l Click Thorough Scan to use scan settings that (by default) perform an exhaustive crawl of your site.
HPE recommends that you split your site into parts and only scan smaller chunks of your site with
these settings. It is not recommended for large sites.
Mobile Templates for Scanning Mobile Sites or Recording Back-End Traffic
l Click Mobile Scan to scan a mobile web site from the machine where your instance of Fortify
WebInspect or Fortify WebInspect Enterprise is installed. Fortify WebInspect or Fortify WebInspect
Enterprise emulates a mobile browser to access the mobile version of the site. See "Configuring
Mobile Web Site Scans Using a Mobile Template" on page 284.
l Click Native Scan to manually crawl a native mobile application and capture the web traffic as a
workflow macro. You generate the traffic on an Android, Windows, or iOS device or a software
emulator running a mobile application. See "Configuring Native Scans Using a Mobile Template" on
page 298.
Note: The Guided Scan wizard includes a tutorial that runs the first time you select a type of Guided
Scan. You can close the tutorial at any time and return to it later by clicking the Tutorial button at
the top right of the display.
Generating a Report
The first time you create a report (or launch a Guided Scan) from Fortify WebInspect Enterprise or
Fortify Software Security Center, the Fortify WebInspect Enterprise Thin Client application:
l Runs a wizard that verifies your computer meets the prerequisites for installing the Thin Client.
l Is downloaded and installed on your computer, along with the help.
l Launches either reporting or Guided Scan, depending on which you selected.
Note: To use any of the Thin Client capabilities while using the Mozilla Firefox browser, you must
download and install the Firefox add-on for the .NET Framework Assistant. To obtain it, click Add-ons
on the Mozilla Firefox Start Page in the Firefox browser and search .NET.
Create a new report from the scan you select and open. The reports available in Fortify WebInspect
Enterprise are a subset of the reports available in Fortify WebInspect. You can generate a report in the
following ways:
l Click New Report in the toolbar at the top of the Scan Visualization window for the selected scan.
l Click Create Report in the Scans form with a scan selected.
l In Fortify Software Security Center, click Create Scan Report for the selected scan on the Scans tab
for a project version's details.
In the Generate a Report dialog, select the desired reports and complete the associated fields that
appear for each one in the right pane. You can click the drop-down button for the Favorites field to
select an existing favorite set of reports, organize existing favorites, or add the set of reports you
selected as a new favorite.
Click the Advanced button to display the Advanced Report Options dialog and optionally specify the
following for the report:
l A title for the cover page. This title appears below the report title.
l A company name for the cover page. This name appears above the report title.
l An image that appears at the top right of the cover page.
l An image that appears in the footer on each page after the cover page.
To start the report creation, click Finish. On the Reports tab in the Summary pane, you can see the
report generation status (Pending, Running, or Complete) as it changes. You can save a completed
report to a location you specify. If you selected multiple reports in the Generate a Report dialog, they
are generated as one PDF file.
To control who can manage reports, in the Administrative Console, the Administration group, Roles
and Permissions shortcut, Roles tab, Organization level includes a Reports category with the options
Can Create, Can View, Can Update, and Can Delete. You must be allowed to view the scans for which
you want to create reports.
Configuring a Guided Scan
Guided Scan provides three types of web site scans using predefined templates and two types of scans
using mobile templates.
Predefined Templates for Scanning Web Sites
For a Standard Scan, a Quick Scan, or a Thorough Scan, see "Configuring Web Site Scans Using a
Predefined Template" on the next page. The only difference among these web site scans created using
the predefined templates is the default extent of crawl coverage, which you can change:
l Click Standard Scan to use scan settings that (by default) focus on coverage rather than
performance. Large sites could take days to crawl with these settings.
l Click Quick Scan to use scan settings that (by default) focus on breadth and performance rather
than digging deep. It is especially good for very large sites.
l Click Thorough Scan to use scan settings that (by default) perform an exhaustive crawl of your site.
HPE recommends that you split your site into parts and only scan smaller chunks of your site with
these settings. It is not recommended for large sites.
Mobile Templates for Scanning Mobile Sites or Recording Back-End Traffic
l Click Mobile Scan to scan a mobile web site from the machine where your instance of Fortify
WebInspect or Fortify WebInspect Enterprise is installed. Fortify WebInspect or Fortify WebInspect
Enterprise emulates a mobile browser to access the mobile version of the site. See "Configuring
Mobile Web Site Scans Using a Mobile Template" on page 284.
l Click Native Scan to manually crawl a native mobile application and capture the Web traffic as a
workflow macro. You generate the traffic on an Android, Windows, or iOS device or a software
emulator running a mobile application. See "Configuring Native Scans Using a Mobile Template" on
page 298.
Note: The Guided Scan wizard includes a tutorial that runs the first time you select a type of Guided
Scan. You can close the tutorial at any time and return to it later by clicking the Tutorial button at
the top right of the display.
Configuring Web Site Scans Using a Predefined Template
Guided Scan directs you through the best steps to configure a scan that is tailored to your application,
and it is the preferred method for performing a scan. This topic describes use of the "predefined
templates" for scanning websites. The only difference among the predefined templates—Standard
Scan, Quick Scan, and Thorough Scan—is the default extent of crawl coverage, which you can change.
For general information about Guided Scan, including launching Guided Scan, see "About the Thin
Client Download" on page 267.
Toolbar Buttons
Using the predefined templates, the following toolbar buttons (in the indicated toolbar groups) at the
top of Guided Scan are available at various times as may be necessary or useful for the scan:
l Scan Now (in Scan group) - Skip the remaining Guided Scan steps and go to the Guided Scan Settings - Final Review - Validate Settings and Start Scan page. See Settings in this chapter.
l Open (in Settings group) - Open scan settings from a file you select, from your own configured
default settings, or from the original HPE "factory" default settings.
l Save (in Settings group) - Save the current scan settings in a file you specify.
l Advanced (in Settings group) - Open Advanced Scan Settings.
l Rendering engine (in Verify Web Site group) - Specify the browser to use to open your target site:
Firefox (recommended) or Internet Explorer.
l New (in Record/Edit Login Macro group) - Record a new macro. For more information, see the
"Unified Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
l Import (in Record/Edit Login Macro group) - Import an existing macro. For more information, see
the "Unified Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
l Export (in Record/Edit Login Macro group) - Save a macro. For more information, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
l Logout Conditions (in Record/Edit Login Macro group) - Open the Logout Condition Editor to
manually specify logout conditions when recording or editing a macro. For more information, see
"Unified Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
l Rendering engine (in Record/Edit Login Macro group) - Specify the browser to use to record or edit
a macro: Firefox (recommended) or Internet Explorer. For more information, see "Unified Web Macro
Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
l Import Locations (in Enhance Coverage of Your Web Site group) - Import a file of key locations that
were covered and saved when enhanced coverage of your website was performed.
l Export Locations (in Enhance Coverage of Your Web Site group) - Export to a new file the key
locations you have specified when enhancing coverage of your website.
l Allowed Hosts (in Enhance Coverage of Your Web Site group) - List of allowed hosts identified thus
far. Each can be enabled or disabled, as long as at least one remains enabled.
l Rendering engine (in Enhance Coverage of Your Web Site group) - Specify the browser to use when
enhancing coverage of your website: Firefox (recommended) or Internet Explorer.
l Import (in Web Forms group) - Import an existing set of web form values that were entered when
your website was previously explored.
l Export (in Web Forms group) - Export to a new file the web form values you have entered when
exploring your website.
l New Global (in Web Forms group) - Add a new global Web form field, that is, a field whose value will
be submitted for any input control having the specified name, regardless of the URL at which Fortify
WebInspect encounters it.
l Show Globals (toggle button in Web Forms group) - In the Web Form Values step, add a list of all
global web form values that were used in verifying the site.
l Show All (toggle button in Web Forms group) - In the Web Form Values step, add lists of all non-global web form values that were used in verifying the site.
Overview of Guided Scan Stages and Steps
The tree in the left pane of the Guided Scan display allows you to see your progress as you specify
settings in the right pane for the various pages of your scan. "Guided Scan -" and the current stage and
steps comprise the name of the wizard page in the title bar. The initial page is Guided Scan - Site - Start
Parameters - Verify Web Site, where Site is the stage and Start Parameters and the 1. Verify Web
Site step are highlighted in the left pane. Details for you to complete are displayed in the right pane of
each page.
Following is an outline of the stage, steps, and substeps you will perform, as they appear in the tree in
the left pane:
l Site - Specify the Web site to scan and verify you can access it.
l Start Parameters
o 1. Verify Web Site - Specify the Web site to scan and verify you can access it.
o 2. Choose Scan Type - Select Standard scan or, if you are using pre-recorded macros,
Workflows scan; select scan method (crawl, crawl and audit, or audit); and select scan policy.
l Login - Specify authentication settings for login.
l Network Authentication
o Configure Network Authentication - Specify the network authentication method and/or
client certificate.
l Application Authentication
o Use a Login Macro - Specify whether to use one or more login macros for this site and
whether to select, create, or edit a macro. A login macro is a recording of the activity that is
required to access and log in to your application, typically by entering a user name and
password.
l Workflows - Specify workflows (appears only when the selected Scan Type is Workflows).
l Workflows
o 1. Manage Workflows - Specify whether to select, create, or edit a workflow macro.
o 2. Record/Edit Workflow - Record or edit a workflow macro.
l Active Learning - Allow Guided Scan to profile your site and recommend optimized scan settings
accordingly, and navigate to key site locations.
l Optimization Tasks
o Profile your site for optimal settings - Run the Profiler and review what it recommends.
o Enhance coverage of your site - Navigate to key locations in your site to ensure that they are
well covered.
o Web Form Values - Optionally modify any web form values that Guided Scan recorded while
you configured the scan.
l Settings - Address configuration errors, optionally save scan settings, specify the project version to
scan, and start the scan.
l Final Review
o Validate Settings and Start Scan - Address any errors detected by the wizard, optionally
save scan settings for reuse later if desired, specify the project and project version, and begin
the scan.
The top of the right pane often includes a yellow instruction bar that guides you through particular
steps.
Use the procedure in the following sections to follow along with the product interface and configure the
Guided Scan. Headings in the following sections are named and listed in the same order as in the Guided
Scan tree in the left pane.
Site
During the Site stage, you will:
l Verify the Web site you want to scan
l Choose a scan type
Start Parameters
1. Verify Web Site
1. In the Start URL field, type or select the complete URL or IP address of the site to scan.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify
alternatives in the Allowed Hosts setting).
An invalid URL or IP address results in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect and Fortify WebInspect Enterprise support both Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.
Examples:
l http://[::1] — Fortify WebInspect scans "localhost."
l http://[fe80::20c6:29ff:fe32:bae1]/subfolder/ — Fortify WebInspect scans the host at the
specified address starting in the "subfolder" directory.
l http://[fe80::20c6:29ff:fe32:bae1]:8080/subfolder/ — Fortify WebInspect scans a server
running on port 8080 starting in "subfolder."
2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and
then select one of the following options from the list:
l Directory only (self) - Fortify WebInspect or Fortify WebInspect Enterprise will crawl and/or
audit only the URL you specify. For example, if you select this option and specify a URL of
www.mycompany/one/two/, Fortify WebInspect will assess only the "two" directory.
l Directory and subdirectories - Fortify WebInspect or Fortify WebInspect Enterprise will begin
crawling and/or auditing at the URL you specify, but will not access any directory that is higher
in the directory tree.
l Directory and parent directories - Fortify WebInspect or Fortify WebInspect Enterprise will
begin crawling and/or auditing at the URL you specify, but will not access any directory that is
lower in the directory tree.
3. If you must access the target site through a proxy server, click Proxy in the lower left of the right
pane and then select one of the following options from the Proxy Settings list:
l Direct Connection (proxy disabled)
l Auto detect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a
proxy autoconfig file and use this to configure the browser's Web proxy settings.
l Use Internet Explorer proxy settings: Import your proxy server information from Internet
Explorer.
l Use Firefox proxy settings: Import your proxy server information from Firefox.
l Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic
Configuration (PAC) file. Enter the location (URL) of the PAC.
l Explicitly configure proxy settings: Specify proxy server settings as indicated.
Note: Using browser proxy settings does not guarantee that you will access the Internet
through a proxy server. If the Firefox browser connection settings are configured for "No
proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected,
then a proxy server is not used.
4. Click Verify and follow the instructions in the yellow instruction bar.
When the Web site or directory structure appears, you have successfully verified your connection
to the Start URL.
5. Click the Next icon, which is always available at the top right of the left pane.
The Guided Scan - Site - Start Parameters - Choose Scan Type page appears, and under the Site
stage in the left pane, Start Parameters and the 2. Choose Scan Type step are highlighted.
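The scope rules from the Verify Web Site step (exact host match, Allowed Hosts, the three Restrict to Folder options, and the note that scans by IP address do not pursue fully qualified links) are easier to reason about as a link filter. The following is an added example, not WebInspect code: the function and host names are hypothetical, the sample URLs are constructed, and the IP-address rule is modelled from the documented behaviour only.

```python
"""Added example (not WebInspect code): a crawl scope filter that models the
Start URL, Allowed Hosts and Restrict to Folder rules of the Verify Web Site
step. Names and sample URLs are constructed for illustration."""
import ipaddress
from urllib.parse import urljoin, urlparse


def _is_ip_literal(host):
    """True if the host part is an IPv4 or IPv6 address (brackets already stripped)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _directory(path):
    """Directory part of a URL path, always ending in '/'."""
    return path.rsplit("/", 1)[0] + "/"


def _origin(url):
    """(host, port) with the scheme's default port filled in."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port


def in_scope(start_url, href, restrict=None, allowed_hosts=()):
    """Decide whether a link found during the crawl should be pursued.

    restrict: None (no folder restriction), "self" (Directory only),
              "subdirs" (Directory and subdirectories) or
              "parents" (Directory and parent directories).
    allowed_hosts: additional host names, matched exactly (case-insensitive).
    """
    start_host, start_port = _origin(start_url)

    # Documented behaviour: a scan started by IP address follows only
    # relative links, never fully qualified URLs.
    if _is_ip_literal(start_host) and urlparse(href).scheme:
        return False

    target_url = urljoin(start_url, href)
    target_host, target_port = _origin(target_url)

    # Host names must match exactly: "mycompany.com" does not cover
    # "www.mycompany.com" unless that name is listed in allowed_hosts.
    allowed = {h.lower() for h in allowed_hosts} | {start_host}
    if target_host not in allowed:
        return False
    if target_host == start_host and target_port != start_port:
        return False

    start_dir = _directory(urlparse(start_url).path)
    target_dir = _directory(urlparse(target_url).path)
    if restrict is None:
        return True
    if restrict == "self":        # only the start directory itself
        return target_dir == start_dir
    if restrict == "subdirs":     # start directory and anything below it
        return target_dir.startswith(start_dir)
    if restrict == "parents":     # start directory and anything above it
        return start_dir.startswith(target_dir)
    raise ValueError("unknown restrict mode: %r" % restrict)


if __name__ == "__main__":
    start = "http://www.mycompany.com/one/two/"
    for href in ("/one/two/page.html", "/one/two/three/x", "/one/a",
                 "http://mycompany.com/one/two/"):
        print(href, [in_scope(start, href, mode) for mode in (None, "self", "subdirs", "parents")])
```

The port comparison is applied only to the start host; hosts added through Allowed Hosts are accepted on any port, which is an assumption of this example rather than a documented rule.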
2. Choose Scan Type
To complete the scan type and other fields in the Choose Scan Type window:
1. (Optional) You can change the default scan name in the Scan Name text box.
2. Select one of the following scan types:
l Standard: Fortify WebInspect performs an automated analysis, starting from the target URL.
This is the normal way to start a scan.
l Workflows: If you select this option, an additional Workflows stage appears in the left pane. Its
use is described later in this procedure. You can continue through the Guided Scan wizard's
default sequence and later complete the workflow scan settings when the Workflows stage
becomes selected using the default sequence. This procedure assumes that you use the default
sequence.
3. In the Scan Method area, select one of the following scan methods:
l Crawl Only: This option completely maps a site's hierarchical data structure. After a crawl has
been completed, you can click Audit to assess an application’s vulnerabilities.
l Crawl and Audit: Fortify WebInspect or Fortify WebInspect Enterprise maps the site's
hierarchical data structure and audits each resource (page). Depending on the default settings
you select, the audit can be conducted as each resource is discovered or after the entire site is
crawled. For information regarding simultaneous vs. sequential crawl and audit, see the Fortify
WebInspect Enterprise Web Console Help system.
l Audit Only: Fortify WebInspect or Fortify WebInspect Enterprise applies the methodologies of
the selected policy to determine vulnerability risks, but does not crawl the Web site. No links on
the site are followed or assessed.
4. In the Policy area, select a policy from the drop-down list. For information about policies, see the
Fortify WebInspect Enterprise Web Console Help system.
5. Adjust the slider to select a value for Crawl Coverage — Quick, Moderate, Default, or Thorough.
Use the guidance provided on screen for each option.
l If you initially clicked Standard Scan after you chose a Guided Scan, the Default option is
selected by default.
l If you initially clicked Quick Scan after you chose a Guided Scan, the Quick option is selected by
default.
l If you initially clicked Thorough Scan after you chose a Guided Scan, the Thorough option is
selected by default.
6. Click the Next icon at the top of the left pane.
By default, the Guided Scan - Login - Application Authentication - Select Login Macro page
appears, and under the Login stage in the left pane, Application Authentication and the 1.
Select Login Macro step are highlighted.
Login
During the Login stage, if the application you need to scan requires network authentication, a client
certificate, and/or application-level authentication, you can configure them here. You can also create or
assign a login macro.
l If you do not need to perform network authentication or use a client certificate, go to Application
Authentication in this procedure.
l If you do not need to perform network authentication but you do need to use a client certificate, go
to Configuring Client Authentication.
l If you do need to perform network authentication, click Network Authentication under the Login
stage in the left pane. The Guided Scan - Login - Network Authentication - Configure Network
Authentication page appears, and under the Login stage, Network Authentication and the
Configure Network Authentication step are highlighted. In this case, proceed to Configuring
Network Authentication.
Configuring Network Authentication
If your site requires network authentication:
1. Select the Network Authentication check box.
2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
l Basic. A widely used, industry-standard method for collecting user name and password
information. The Web browser displays a window for a user to enter a user name and password.
The Web browser then attempts to establish a connection to a server using the user's
credentials. If the credentials are rejected, the browser displays an authentication window to
re-enter the user's credentials. If the Web server verifies that the user name and password
correspond to a valid user account, a connection is established. The advantage of Basic
authentication is that it is part of the HTTP specification and is supported by most browsers.
l NTLM. NTLM (NT LanMan) is an authentication process that is used by all members of the
Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response
process to prove the client's identity without requiring that either a password or a hashed
password be sent across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and
Fortify WebInspect has to pass through a proxy server to submit its requests to the Web server,
Fortify WebInspect may not be able to crawl or audit that Web site. Use caution when
configuring Fortify WebInspect for scans of sites protected by NTLM. After scanning, you may
want to disable the NTLM authentication settings to prevent any potential problem.
l Digest. The Windows Server operating system implements the Digest Authentication protocol
as a security support provider (SSP), a dynamic-link library (DLL) that is supplied with the
operating system. Using digest authentication, your password is never sent across the network
in the clear, but is always transmitted as an MD5 digest of the user's password. In this way, the
password cannot be determined by sniffing network traffic.
l Automatic. Allow Fortify WebInspect to determine the correct authentication type.
l Kerberos. Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third
party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an
Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to
AS, then demonstrates to the TGS that it is authorized to receive a ticket for a service (and
receives it). The client then demonstrates to a Service Server that it has been approved to
receive the service.
l Negotiate. The Negotiate authentication protocol begins with the option to negotiate for an
authentication protocol. When the client requests access to a service, the server replies with a list
of authentication protocols that it can support and an authentication challenge based on the
protocol that is its first choice. For example, the server might list Kerberos and NTLM, and send
a Kerberos challenge. The client examines the contents of the reply and checks to determine
whether it supports any of the specified protocols. If the client supports the preferred protocol,
authentication proceeds. If the client does not support the preferred protocol, but does support
one of the other protocols listed by the server, the client lets the server know which
authentication protocol it supports, and the authentication proceeds. If the client does not
support any of the listed protocols, the authentication exchange fails.
3. Complete the User Name and Password fields.
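Two of the behaviours described in the method list above can be shown concretely: how a client settles on a scheme when a server offers several (the Negotiate description, and what the Automatic option has to do), and why Digest never puts the password on the wire. The following is an added example, not WebInspect code. The challenge headers are constructed; the Digest user name, password, nonce and expected response are the worked example from RFC 2617, and the function names are hypothetical.

```python
"""Added example (not WebInspect code): working through an HTTP authentication
challenge. choose_scheme() models the negotiation described above (server lists
schemes in preference order, client takes the first it also supports, no overlap
means failure). digest_response() is the RFC 2617 Digest computation (MD5,
qop=auth): only a hash derived from the password is sent. Challenge headers are
constructed; the Digest values are RFC 2617's worked example."""
import hashlib
import re

# Constructed WWW-Authenticate headers from one 401 response, server preference first.
SAMPLE_CHALLENGES = [
    "Negotiate",
    "NTLM",
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"',
    'Basic realm="testrealm@host.com"',
]

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {key.lower(): quoted or bare for key, quoted, bare in _PARAM.findall(rest)}
    return scheme, params


def choose_scheme(challenges, client_supports):
    """First scheme in the server's list that the client also supports, else None."""
    supported = {s.lower() for s in client_supports}
    for header in challenges:
        scheme, _ = parse_challenge(header)
        if scheme.lower() in supported:
            return scheme
    return None


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, params, nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 response value for algorithm MD5 with qop=auth."""
    ha1 = _md5(f"{user}:{params['realm']}:{password}")  # the only use of the password
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def digest_authorization(user, password, method, uri, params, nc="00000001", cnonce="0a4f113b"):
    """Authorization header the client sends back; it carries the digest, never the password."""
    fields = [
        f'username="{user}"',
        f'realm="{params["realm"]}"',
        f'nonce="{params["nonce"]}"',
        f'uri="{uri}"',
        "qop=auth",
        f"nc={nc}",
        f'cnonce="{cnonce}"',
        f'response="{digest_response(user, password, method, uri, params, nc, cnonce)}"',
    ]
    if "opaque" in params:
        fields.append(f'opaque="{params["opaque"]}"')  # echoed back unchanged
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    print("client supporting Basic+Digest picks:", choose_scheme(SAMPLE_CHALLENGES, ["Basic", "Digest"]))
    _, digest_params = parse_challenge(SAMPLE_CHALLENGES[2])
    print(digest_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html", digest_params))
```

Note the caveat the text gives for Digest: the value on the wire is an MD5 of the credentials and nonce, so sniffing does not reveal the password, but Digest still depends on a reversible-by-brute-force hash and on the nonce being fresh; TLS remains the control that protects the exchange itself.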
Configuring Client Authentication
If you need to use a client certificate for network authentication:
1. Select the Client Certificate check box.
2. In the Certificate Store area, select one of the following:
l Local Machine - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate on the
local machine based on your selection in the Certificate area.
l Current User - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate for the
current user based on your selection in the Certificate area.
3. Select either My or Root from the drop-down list.
4. To view certificate details in the Certificate Information area, select a certificate in the Certificate
area.
5. Click the Next icon.
Application Authentication Step
If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
The following options are available for login macros:
l Using a Login Macro without Privilege Escalation
l Using Login Macros for Privilege Escalation
l Using a Selenium Macro
Using a Login Macro without Privilege Escalation
To use a login macro:
1. Select the Use a login macro for this site check box.
2. Do one of the following:
l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see Using a Selenium Macro.
l To edit an existing login macro shown in the Login Macro field, click Edit.
l To record a new macro, click Create.
l To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
3. Click the Next button.
Using Login Macros for Privilege Escalation
If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 309. To use login macros:
1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
2. Do one of the following:
l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see Using a Selenium Macro.
l To edit an existing login macro shown in the Login Macro field, click Edit.
l To record a new macro, click Create.
l To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
3. Do one of the following:
l To perform the scan in authenticated mode, click Yes. For more information, see About
Privilege Escalation Scans.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege
login macro. Continue to Step 4.
l To perform the scan in unauthenticated mode, click No. For more information, see About
Privilege Escalation Scans.
The Application Authentication Step is complete. Proceed to After Creating or Selecting the
Login Macro(s).
4. Do one of the following:
l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see Using a Selenium Macro.
l To edit an existing login macro shown in the Login Macro field, click Edit.
l To record a new macro, click Create.
l To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
5. After recording or selecting the second macro, click the Next button.
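The difference between answering Yes (authenticated mode, two macros) and No (unauthenticated mode, one macro) at the "Configure Low Privilege Login Macro" prompt is what the scan can compare. The following added example, which is not WebInspect code, models that comparison against a constructed in-memory application: pages discovered with the high-privilege session are re-requested with the low-privilege session or with no session, and any page the weaker session is not shown in navigation but can still open is reported. All paths, roles and session cookies are constructed.

```python
"""Added example (not WebInspect code): what a privilege-escalation scan compares.
The application below is constructed in memory; NAVIGATION is what each role
sees linked in the UI, ACCESS_CONTROL is the role actually enforced on request.
One entry is deliberately misconfigured so the check has something to report."""

ROLE_RANK = {"anon": 0, "user": 1, "admin": 2}
NAVIGATION = {
    "anon": ["/", "/login"],
    "user": ["/", "/login", "/account"],
    "admin": ["/", "/login", "/account", "/admin/users", "/admin/export"],
}
ACCESS_CONTROL = {
    "/": "anon",
    "/login": "anon",
    "/account": "user",
    "/admin/users": "admin",
    "/admin/export": "user",   # constructed bug: the enforced role should be "admin"
}
# Session cookies the two login macros would have established (constructed).
SESSIONS = {"sid-admin-1": "admin", "sid-user-7": "user"}


def request(path, session=None):
    """HTTP status for a request carrying the given session cookie (or none)."""
    role = SESSIONS.get(session, "anon")
    required = ACCESS_CONTROL.get(path)
    if required is None:
        return 404
    return 200 if ROLE_RANK[role] >= ROLE_RANK[required] else 403


def crawl(session=None):
    """Paths a crawl discovers by following the links shown to this session's role."""
    role = SESSIONS.get(session, "anon")
    return set(NAVIGATION[role])


def find_escalation(high_session, low_session=None):
    """Paths only the high-privilege crawl discovered that the weaker session
    (low_session, or anonymous when None) can nevertheless open."""
    hidden_from_low = crawl(high_session) - crawl(low_session)
    return sorted(p for p in hidden_from_low if request(p, low_session) == 200)


if __name__ == "__main__":
    print("authenticated mode (Yes):  ", find_escalation("sid-admin-1", "sid-user-7"))
    print("unauthenticated mode (No): ", find_escalation("sid-admin-1"))
```

In this constructed application the misconfigured /admin/export is found only in authenticated mode: an anonymous request is still refused by the "user" check, so a scan with no low-privilege macro reports nothing. That is the practical reason to record both macros when the policy includes Privilege Escalation checks.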
Using a Selenium Macro
Fortify WebInspect products support integration with Selenium browser automation. When you click
the import button and select a Selenium macro to import, Fortify WebInspect detects that a Selenium
macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must include a
logout condition. If a logout condition does not exist, you can add one using the Logout Conditions
Editor just as with any other macro. However, all other edits must be done in the Selenium IDE.
1. Select the Use a login macro for this site check box.
2. Click the ellipsis button (...) to browse for a saved Selenium macro.
The Import Macro window appears.
3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium macros do not have a specific file extension and can be any type of text file,
including XML.
4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
7. Did the macro play successfully?
l If yes, the message "Successfully verified macro" appears. Continue with Step 8.
l If no, an error message appears. Use the error message to debug and correct the error in
Selenium, and return to Step 2 of this procedure to try the import again.
8. Continue according to what you want to do next.
To specify a logout condition:
a. Click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
b. Add a logout condition and click OK.
To export the Selenium script to use elsewhere:
a. Click Export.
The Selenium script import window opens.
b. Navigate to the desired directory and type a File name for the script.
c. Select the Save as Type.
Note: If you changed the settings in the Import Selenium Script window, they will not be saved
when exporting the file as a Selenium Import (*.*) file. However, if you export the file as a
Fortify WebInspect Selenium macro (*.webmacro) file, the settings will be saved.
d. Click Save.
After Creating or Selecting the Login Macro(s)
• If you selected a Standard scan, then the Optimization Tasks page appears. In this case, go to Active Learning.
• If you selected a Workflows scan, then the Manage Workflows page appears. In this case, proceed to Workflows.
Workflows
The Workflows stage appears only if you selected Workflows as the Scan Type in the Site stage; if
you chose Standard, the Workflows stage does not appear.
You can create a workflow macro to ensure Fortify WebInspect Enterprise audits the pages you specify
in the macro. Fortify WebInspect Enterprise audits only those URLs included in the macro that you
previously recorded and does not follow any hyperlinks encountered during the audit.
You can create multiple workflow macros, one for each use case on your site. You do not need to specify
a logout condition. This type of macro is used most often to focus on a particular subsection of the
application. If you select multiple macros, they will all be included in the same scan. In addition, you can
import Burp Proxy captures and add them to your scan.
1. Manage Workflows
1. If you selected the Workflows scan option, optionally select a workflow in the Workflows table, if
any, and click any of the following if available:
• Record opens the Web Macro Recorder, allowing you to create a macro. The Record/Edit Workflow page appears, Workflows and the 2. Record/Edit Workflow step are highlighted in the left pane, and the Web Macro Recorder opens. Go to step 2. Record/Edit Workflows.
• Edit opens the Web Macro Recorder and loads the selected macro. The Record/Edit Workflow page appears, Workflows and the 2. Record/Edit Workflow step are highlighted in the left pane, and the Web Macro Recorder opens. Go to step 2. Record/Edit Workflows.
• Delete removes the selected macro from the Workflows table (but does not delete it from your disk).
• Import opens a standard file-selection window, allowing you to select a previously recorded .webmacro file, Burp Proxy captures, or a Selenium macro. If using a Selenium macro, you will need to click Verify for Fortify WebInspect to play the macro. If the macro does not play successfully, the Import Selenium Script window displays an error. You will need to debug and correct the error in Selenium, and return to this procedure to try the import again. For more information about Burp Proxy captures, see Importing Burp Proxy Results at the end of this topic.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all Selenium macros. You cannot use different types of macros in the same scan.
• Export opens a standard file-selection window, allowing you to save a recorded macro to a *.webmacro file.
Note: If you have installed HPE Unified Functional Testing (UFT) on your computer, then
Fortify WebInspect detects this automatically and displays an option to import a UFT (.usr) file.
See Importing HPE Unified Functional Testing Scripts.
For information about the Web Macro Recorder tool, see the "Unified Web Macro Recorder"
chapter in the HPE Security Fortify WebInspect Tools Guide.
2. After you specify and play a workflow macro, it appears in the Workflows table and its Allowed
Hosts are added to the Guided Scan - Workflows - Workflows - Manage Workflows page. You can
enable or disable access to particular hosts.
3. When you have finished managing your workflows, click the Next icon. If you did not record or edit
a macro, the Guided Scan - Active Learning - Optimization Tasks - Profile site for optimal settings
page appears, and under the Active Learning stage, Optimization Tasks and the Profile site for
optimal settings step are highlighted in the left pane. In this case, go to Active Learning.
2. Record/Edit Workflows
1. Follow the instructions in the yellow instruction bar of the Web Macro Recorder to create or edit a
workflow macro. For information, see the "Unified Web Macro Recorder" chapter in the HPE
Security Fortify WebInspect Tools Guide.
2. When you complete this step, click the Next icon. The Guided Scan - Active Learning - Optimization Tasks - Profile site for optimal settings page appears, and under the Active Learning stage, Optimization Tasks and the Profile site for optimal settings step are highlighted in the left pane.
Active Learning
During the Active Learning stage:
• The Profiler runs and determines whether any settings need to be modified.
• You set the scan optimization option if necessary.
• You can navigate to key locations in your site that should be fully exercised.
Optimization Tasks – Profile site for optimal settings
In this step, the Profiler conducts a preliminary examination of your target Web site. Based on its
findings, the Profiler returns a list of suggested changes to particular scan settings in the Settings
section. You can accept or reject each recommendation.
For example, the Profiler might detect that authorization is required to enter the site, but you have not
specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Profiler's suggestion to configure the required
information before continuing.
Similarly, your settings might specify that Fortify WebInspect or Fortify WebInspect Enterprise should
not conduct "file-not-found" detection. This process is useful for Web sites that do not return a status
"404 Not Found" when a client requests a resource that does not exist (they may instead return a status
"200 OK," but the response contains a message that the file cannot be found). If the Profiler determines
that such a scheme has been implemented in the target site, it suggests that you modify the Fortify
WebInspect or Fortify WebInspect Enterprise setting to accommodate this feature.
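Added illustration (not Fortify's own code) of the "file-not-found" scheme described above: a site answers requests for missing resources with "200 OK" and a not-found page, so a scanner must learn that page's shape before it can tell real pages from missing ones. The fetch callables, sample pages and normalisation rules below are constructed for this example.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, str]          # (HTTP status code, response body)
Fetch = Callable[[str], Response]   # hypothetical fetch(path) -> Response


@dataclass
class NotFoundProfile:
    """How the target signals a missing resource."""
    custom_scheme: bool                 # True: site hides 404s behind another status
    status: Optional[int] = None        # status the site uses for missing resources
    fingerprint: Optional[str] = None   # hash of the normalised "not found" page


def normalise(body: str) -> str:
    """Strip the parts of a body that vary per request (HTML comments, hex
    nonces, numbers, whitespace) so two "not found" pages hash the same."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    body = re.sub(r"\b[0-9a-f]{6,}\b", "", body, flags=re.I)
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip().lower()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalise(body).encode()).hexdigest()


def learn_not_found_profile(fetch: Fetch, probes: int = 3) -> NotFoundProfile:
    """Request paths that cannot exist and observe how the site answers.

    A site that honours "404 Not Found" needs no special handling. A site
    that answers every probe with the same non-404 page has a custom
    file-not-found scheme, and that page's fingerprint becomes the rule.
    Mixed answers are inconclusive, so we fall back to status codes only.
    """
    seen: Set[Tuple[int, str]] = set()
    for _ in range(probes):
        path = "/" + secrets.token_hex(8) + ".html"   # random: cannot be a real page
        status, body = fetch(path)
        seen.add((status, fingerprint(body)))
    if len(seen) != 1:
        return NotFoundProfile(custom_scheme=False)
    (status, fp), = seen
    if status == 404:
        return NotFoundProfile(custom_scheme=False)
    return NotFoundProfile(custom_scheme=True, status=status, fingerprint=fp)


def is_not_found(profile: NotFoundProfile, response: Response) -> bool:
    """Decide whether a crawled response is really a missing resource."""
    status, body = response
    if status == 404:
        return True
    if profile.custom_scheme:
        return status == profile.status and fingerprint(body) == profile.fingerprint
    return False


# --- Constructed sample sites (no network access) --------------------------
_PAGES: Dict[str, Response] = {
    "/": (200, "<html><body><h1>Welcome</h1><a href='/about'>about</a></body></html>"),
    "/about": (200, "<html><body><h1>About us</h1></body></html>"),
}


def soft404_fetch(path: str) -> Response:
    """Site that returns 200 OK with a 'not found' page for unknown paths."""
    if path in _PAGES:
        return _PAGES[path]
    req_id = hashlib.sha1(path.encode()).hexdigest()[:8]   # differs per request
    return (200, f"<html><body><h1>Page not found</h1><!-- req {req_id} --></body></html>")


def strict404_fetch(path: str) -> Response:
    """Site that honours the HTTP status code."""
    return _PAGES.get(path, (404, "<html><body>Not Found</body></html>"))


if __name__ == "__main__":
    prof = learn_not_found_profile(soft404_fetch)
    print("custom scheme detected:", prof.custom_scheme)
    print("/about missing?", is_not_found(prof, soft404_fetch("/about")))
    print("/nope missing?", is_not_found(prof, soft404_fetch("/nope")))
```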
To run the Profiler:
1. Click Profile.
Results appear in the Settings area.
2. Accept or reject the suggested settings. To reject, clear the associated check box.
3. If necessary, provide the requested information.
4. Click the Next icon.
Several options may be presented even if you do not run the Profiler, as follows:
• Auto-fill Web forms during crawl
Select this option if you want Fortify WebInspect or Fortify WebInspect Enterprise to submit values for input controls on forms it encounters while scanning the target site. Fortify WebInspect or Fortify WebInspect Enterprise will extract the values from a prepackaged default file or from a file that you create using the Web Form Editor. See the "Web Form Editor" chapter in the HPE Security Fortify WebInspect Tools Guide or the Web Form Editor Help for detailed information about using the Web Form Editor tool. You may:
  • Click the browse button to locate and load a file.
  • Click Edit to edit the selected file (or the default values) using the Web Form Editor.
  • Click Create to open the Web Form Editor and create a file.
• Add allowed hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses multiple domains, add those domains here. See the Fortify WebInspect Enterprise Web Console Help system for more information.
To add allowed domains:
  a. Click Add.
  b. On the Specify Allowed Host page, enter a URL (or a regular expression representing a URL) and click OK.
• Apply sample macro
Fortify WebInspect's example banking application, zero.webappsecurity.com, uses a Web form login. If you scan this site, select Apply sample macro to run the prepackaged macro containing the login script.
If the Profiler does not recommend changes, the Scan Wizard displays the message: "No settings
changes are recommended; the profiler could not find any necessary optimizations for this site."
When you click the Next icon, the Guided Scan - Active Learning - Optimization Tasks - Enhance
coverage of your web site page appears, and Optimization Tasks and the Enhance coverage of your
web site step are highlighted in the left pane.
Optimization Tasks – Enhance coverage of your web site
To enhance coverage of your application, navigate to its key locations.
Note: When using the Enhance Coverage of Your Web Site feature in Guided Scan in conjunction
with the Privilege Escalation policy, the explored locations are collected while authenticated with
the high-privilege login macro.
See the "Unified Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide for
detailed information about using the Web Macro Recorder tool to navigate key locations in your
application, for Guided Scan to use during the scan.
See the Guided Scan Tutorial for more information about how to use this page of the Guided Scan
wizard. To launch the tutorial, click Tutorial in the upper right corner of the page.
At any time you can click Explored Locations at the bottom left of the page to see a list of the excluded
URLs, directories, or pages, and the Method, Status, and URL of each location you have accessed. For
a row (location), change the value of None in the Excluded column to Url, Directory, or Page to add
that type of exclusion rule. The exclusion rule will apply to any requests made by a scan that uses this
scan configuration. The Excluded column also displays, read only, the causes of any exclusions for
requests—Custom, Disallowed Host, or, if Restrict to folder was selected at the start of configuring
the scan, Outside Root.
When you complete the Enhance coverage of your web site step, click the Next icon. If any web form
values were recorded, the Guided Scan - Active Learning - Optimization Tasks - Web Form Values page
appears, and Optimization Tasks and the Web Form Values step are highlighted in the left pane.
Proceed to Optimization Tasks – Web Form Values.
If there are no web form values, the Guided Scan - Settings - Final Review - Validate Settings and Start
Scan page appears, and Final Review and Validate Settings and Start Scan are highlighted in the
left pane. Go to Settings.
Optimization Tasks – Web Form Values
Guided Scan recorded all of the web form values that you entered while you explored your Web site to
enhance coverage. Here you can review and modify the values, which are part of the scan settings that
are saved with the scan. In the Web Forms group in the toolbar, you can click Export to save the values
to a separate file or click Import to use an existing set of values. The scan settings, including the web
form values, serve as defaults that you can modify in future scans.
• Click the Next icon.
In the Settings stage, Final Review and the Validate Settings and Start Scan step are highlighted.
Settings
During the Settings stage, you can set a number of options that affect how the collected traffic is
audited. The available options vary, based on the selections you have made.
Final Review – Validate Settings and Start Scan
In the Validate Settings and Start Scan step, you can:
• Save your scan settings
• Select the project and project version
• Start a scan
To complete this step:
1. Review any errors and warnings to see whether there are any final tasks to perform or corrections
to make. Make changes as needed.
2. The Scan Now section has a summary of your scan settings. Click the Click here to save settings
link in the Save Settings section if you want to save your scan settings for future use.
3. Specify a Project and Project Version.
4. Click the Start Scan button to launch the scan.
The wizard closes and the Scan Dashboard opens.
Importing Burp Proxy Results
If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a
workflow macro, reducing the time it would otherwise take to retest the same areas.
To add Burp Proxy results to a workflow macro:
1. If you are not on the Workflows screen, click the 1. Manage Workflows step under the
Workflows stage in the Guided Scan tree.
2. Click the Import button.
The Import Macro file selector appears.
3. Change the file type in the drop-down menu from Web Macro (*.webmacro) to Burp Proxy (*.*).
4. Navigate to your Burp Proxy files and select the desired file.
5. Click Open.
Configuring Mobile Web Site Scans Using a Mobile Template
Guided Scan directs you through the best steps to configure a scan that is tailored to your application,
and it is the preferred method for performing a scan. This topic describes use of the Mobile Scan
template to scan a mobile web site.
For general information about Guided Scan, including launching Guided Scan, see "About the Thin
Client Download" on page 267.
About Mobile Web Site Scans
Using the Mobile Scan template to create a mobile web site scan allows you to scan the mobile version
of a web site using the desktop version of your browser from within Fortify WebInspect or Fortify
WebInspect Enterprise.
A Mobile Scan for a mobile web site is nearly identical to a Web Site Scan and it mirrors the settings
options you see when using one of the Predefined templates to perform a Standard scan, a Thorough
scan, or a Quick scan. The only difference is that you need to select a user agent header to allow your
browser to emulate a mobile browser.
Fortify WebInspect and Fortify WebInspect Enterprise come with several mobile user agent options, and
you can create a custom option and create a user agent for another version of Android device, Windows
device, or other mobile device. For information about creating a user agent header, see Creating a
Custom User Agent Header.
The Guided Scan wizard will guide you through the stages and steps that are required to scan your
application. The tree in the left pane, shown below, tracks your progress. If you need to return to a
previous step or stage, click the Back navigation button, or click the step in the Guided Scan tree to go
there directly.
This Guided Scan consists of the following four or potentially five stages, each of which has one or more steps:
• Site: where you verify the site you want to scan and select the type of scan you want to run.
• Login: where you define the type of authorization your site requires.
• Workflows: appears only if the Scan Type selected in the Site stage is Workflows.
• Active Learning: where you run the Profiler to conduct a preliminary examination of the target Web site to determine if particular settings should be modified.
• Settings: where you review and validate your choices and run the scan.
The Guided Scan wizard includes a tutorial that runs the first time you launch a Guided Scan. You can close the tutorial at any time and reopen it later by clicking the Tutorial button at the top right of the display.
Creating a Mobile Web Site Scan
To create a mobile web site scan:
1. Log into Fortify WebInspect Enterprise.
2. From the Web Console, click Guided Scan under Actions to start a Guided Scan.
3. Click Mobile Scan in the Mobile Templates section.
The Guided Scan wizard displays the first step in the Site stage: Verify Web Site.
4. To configure the rendering engine and user agent you want to use:
a. Click the Mobile Client icon in the toolbar.
b. Select the Rendering engine you want to use.
c. Select the User Agent that represents the agent string you want your rendering engine to
present to the site.
If you created your own user agent header string, it will appear as Custom.
If the user agent you need is not listed, you can create a custom user agent. See Creating a
Custom User Agent Header.
d. When you have selected the rendering engine and user agent as needed, go to About the Site
Stage.
Creating a Custom User Agent Header
Fortify WebInspect and Fortify WebInspect Enterprise include user agents for Android, Windows, and
iOS devices. If you are using one of these options, you do not need to create a custom user agent
header. If you want your Web browser to identify itself as a different mobile device or a specific OS
version, create a custom user agent header as follows:
1. Click the Advanced icon in the Guided Scan toolbar.
The Scan Settings window appears.
2. In the Scan Settings column, select Cookies/Headers.
3. In the Append Custom Headers section, double-click the User-Agent string.
The Specify Custom Header dialog appears.
4. Type in User-Agent: followed by the user agent header string for the desired device.
5. Click OK.
The new custom user agent will now be available to select as your Mobile Client.
About the Site Stage
During the Site stage, you will:
• Verify the web site you want to scan.
• Choose a scan type.
Verifying the Web Site
To verify your Web site:
1. In the Start URL field, type or select the complete URL or IP address of the site to scan.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify
WebInspect or Fortify WebInspect Enterprise will not scan WWW.MYCOMPANY.COM or any other
variation (unless you specify alternatives in the Allowed Hosts setting).
An invalid URL or IP address results in an error. If you want to scan from a certain point in your
hierarchical tree, append a starting point for the scan, such as
http://www.myserver.com/myapplication/.
Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative
paths).
Fortify WebInspect and Fortify WebInspect Enterprise support both Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.
Examples:
• http://[::1] - Scans "localhost."
• http://[fe80::20c6:29ff:fe32:bae1]/subfolder/ - Scans the host at the specified address starting in the "subfolder" directory.
• http://[fe80::20c6:29ff:fe32:bae1]:8080/subfolder/ - Scans a server running on port 8080 starting in "subfolder."
2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and
then select one of the following options from the list:
• Directory only (self) - Fortify WebInspect or Fortify WebInspect Enterprise will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify WebInspect or Fortify WebInspect Enterprise will assess only the "two" directory.
• Directory and subdirectories - Fortify WebInspect or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.
• Directory and parent directories - Fortify WebInspect or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.
3. If you must access the target site through a proxy server, click Proxy in the lower left of the right pane to display the Proxy Settings area, and then select an option from the Proxy Settings list:
• Direct Connection (proxy disabled)
• Auto detect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.
• Use Internet Explorer proxy settings: Import your proxy server information from Internet Explorer.
• Use Firefox proxy settings: Import your proxy server information from Firefox.
• Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. Enter the location (URL) of the PAC.
• Explicitly configure proxy settings: Specify proxy server settings as indicated.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server is not used.
4. Click Verify.
When the Web site or directory structure appears, you have successfully verified your connection
to the Start URL.
5. Click the Next button.
The Choose Scan Type window appears.
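The host and Restrict to Folder rules from the Verify Web Site step, worked as an added example (not Fortify's implementation): for each candidate request it returns In scope, Disallowed Host or Outside Root, the same causes the Explored Locations list reports. It assumes Allowed Hosts entries are regular expressions matched against the whole host name, and that a different port counts as a different host; both are simplifications made for this example.

```python
import posixpath
import re
from enum import Enum
from typing import Iterable, Tuple
from urllib.parse import urlsplit


class Restrict(Enum):
    """The Restrict to Folder choices from the Verify Web Site step."""
    NONE = "Restrict to Folder not selected"
    SELF = "Directory only (self)"
    SUBDIRS = "Directory and subdirectories"
    PARENTS = "Directory and parent directories"


def directory_of(url: str) -> str:
    """Directory part of a URL path, with "." and ".." resolved first so that
    /one/two/../../x is not mistaken for something under /one/two/."""
    raw = urlsplit(url).path or "/"
    norm = posixpath.normpath(raw)          # "/one/two/../x.html" -> "/one/x.html"
    if not raw.endswith("/"):               # drop the file component
        norm = posixpath.dirname(norm)
    return norm if norm.endswith("/") else norm + "/"


def server_of(url: str) -> Tuple[str, int]:
    """(hostname, port); urlsplit strips the brackets from IPv6 literals."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port


def classify(url: str, start_url: str, mode: Restrict,
             allowed_hosts: Iterable[str] = ()) -> str:
    """Return "In scope", "Disallowed Host" or "Outside Root" for a request.

    The host must be exactly the Start URL's host (MYCOMPANY.COM does not
    cover WWW.MYCOMPANY.COM) unless an Allowed Hosts pattern matches it.
    Assumption for this example: a pattern is a regex matched against the host.
    """
    host, port = server_of(url)
    if (host, port) != server_of(start_url) and not any(
            re.fullmatch(pat, host, re.I) for pat in allowed_hosts):
        return "Disallowed Host"
    if mode is Restrict.NONE:
        return "In scope"
    root, here = directory_of(start_url), directory_of(url)
    in_root = {
        Restrict.SELF: here == root,                 # only the start directory itself
        Restrict.SUBDIRS: here.startswith(root),     # nothing higher in the tree
        Restrict.PARENTS: root.startswith(here),     # nothing lower in the tree
    }[mode]
    return "In scope" if in_root else "Outside Root"


if __name__ == "__main__":
    start = "http://www.mycompany.com/one/two/"        # constructed start URL
    for mode in Restrict:
        for u in ("http://www.mycompany.com/one/two/page.aspx",
                  "http://www.mycompany.com/one/two/three/",
                  "http://www.mycompany.com/one/",
                  "http://mycompany.com/one/two/"):
            print(f"{mode.name:8} {u:48} {classify(u, start, mode)}")
```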
Choosing the Scan Type
To complete the scan type and other fields in the Choose Scan Type window:
1. Type a name for your scan in the Scan Name field.
2. Select one of the following scan types:
• Standard: Fortify WebInspect or Fortify WebInspect Enterprise performs an automated analysis, starting from the target URL. This is the normal way to start a scan.
• Workflows: If you select this option, an additional Workflows stage is added to the Guided Scan.
3. In the Scan Method area, select one of the following scan methods:
• Crawl Only: This option completely maps a site's hierarchical data structure. After a crawl has been completed, you can click Audit to assess an application's vulnerabilities.
• Crawl and Audit: Fortify WebInspect or Fortify WebInspect Enterprise maps the site's hierarchical data structure and audits each resource (page). Depending on the default settings you select, the audit can be conducted as each resource is discovered or after the entire site is crawled. For information regarding simultaneous vs. sequential crawl and audit, see the Fortify WebInspect Enterprise Web Console Help system.
• Audit Only: Fortify WebInspect or Fortify WebInspect Enterprise applies the methodologies of the selected policy to determine vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
4. In the Policy area, select a policy from the Policy list. For information about policies, see the Fortify
WebInspect Enterprise Web Console Help system.
5. Adjust the slider to select a value for Crawl Coverage — Quick, Moderate, Default, or Thorough.
Use the guidance provided on screen for each option.
6. Click the Next button.
The Login stage appears with Application Authentication highlighted in the left pane.
About the Login Stage
During the Login stage, if the application you need to scan requires network authentication, a client
certificate, and/or application-level authentication, you can configure them here. You can also create or
assign a login macro.
• If you do not need to perform network authentication or use a client certificate, go to Application Authentication Step in this procedure.
• If you do not need to perform network authentication but you do need to use a client certificate, go to Configuring Client Authentication in this procedure.
• If you do need to perform network authentication, click Network Authentication under the Login stage in the left pane. The Guided Scan - Login - Network Authentication - Configure Network Authentication page appears, and under the Login stage, Network Authentication and the Configure Network Authentication step are highlighted. In this case, proceed to Configuring Network Authentication.
Configuring Network Authentication
If your site requires network authentication:
1. Select the Network Authentication check box.
2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
• Basic. A widely used, industry-standard method for collecting user name and password information. The Web browser displays a window for a user to enter a user name and password. The Web browser then attempts to establish a connection to a server using the user's credentials. If the credentials are rejected, the browser displays an authentication window to re-enter the user's credentials. If the Web server verifies that the user name and password correspond to a valid user account, a connection is established. The advantage of Basic authentication is that it is part of the HTTP specification and is supported by most browsers.
• NTLM. NTLM (NT LanMan) is an authentication process that is used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without requiring that either a password or a hashed password be sent across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify WebInspect may not be able to crawl or audit that Web site. Use caution when configuring Fortify WebInspect for scans of sites protected by NTLM. After scanning, you may want to disable the NTLM authentication settings to prevent any potential problem.
• Digest. The Windows Server operating system implements the Digest Authentication protocol as a security support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating system. Using digest authentication, your password is never sent across the network in the clear, but is always transmitted as an MD5 digest of the user's password. In this way, the password cannot be determined by sniffing network traffic.
• Automatic. Allow Fortify WebInspect to determine the correct authentication type.
• Kerberos. Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to the AS, then demonstrates to the TGS that it is authorized to receive a ticket for a service (and receives it). The client then demonstrates to a Service Server that it has been approved to receive the service.
• Negotiate. The Negotiate authentication protocol begins with the option to negotiate for an authentication protocol. When the client requests access to a service, the server replies with a list of authentication protocols that it can support and an authentication challenge based on the protocol that is its first choice. For example, the server might list Kerberos and NTLM, and send a Kerberos challenge. The client examines the contents of the reply and checks to determine whether it supports any of the specified protocols. If the client supports the preferred protocol, authentication proceeds. If the client does not support the preferred protocol, but does support one of the other protocols listed by the server, the client lets the server know which authentication protocol it supports, and the authentication proceeds. If the client does not support any of the listed protocols, the authentication exchange fails.
3. Complete the User Name and Password fields.
Configuring Client Authentication
If you need to use a client certificate for network authentication:
1. Select the Client Certificate check box.
2. In the Certificate Store area, select one of the following:
• Local Machine - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate on the local machine based on your selection in the Certificate area.
• Current User - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate for the current user based on your selection in the Certificate area.
3. Select either My or Root from the drop-down list.
4. To view certificate details in the Certificate Information area, select a certificate in the Certificate
area.
5. Click the Next icon.
The Application Authentication page appears.
Application Authentication Step
If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
The following options are available for login macros:
• Using a Login Macro without Privilege Escalation
• Using Login Macros for Privilege Escalation
• Using a Selenium Macro
Using a Login Macro without Privilege Escalation
To use a login macro:
1. Select the Use a login macro for this site check box.
2. Do one of the following:
• To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If you are using a Selenium macro, see Using a Selenium Macro.
• To edit an existing login macro shown in the Login Macro field, click Edit.
• To record a new macro, click Create.
• To use a macro from the macro repository:
  i. Click Download.
  The Download a Macro from WebInspect Enterprise window appears.
  ii. Select the Project and Project Version from the drop-down lists.
  iii. Select a repository macro from the Macro drop-down list.
  iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
3. Click the Next button.
Using Login Macros for Privilege Escalation
If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 309. To use login macros:
1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
2. Do one of the following:
• To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If you are using a Selenium macro, see Using a Selenium Macro.
• To edit an existing login macro shown in the Login Macro field, click Edit.
• To record a new macro, click Create.
• To use a macro from the macro repository:
  i. Click Download.
  The Download a Macro from WebInspect Enterprise window appears.
  ii. Select the Project and Project Version from the drop-down lists.
  iii. Select a repository macro from the Macro drop-down list.
  iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
3. Do one of the following:
• To perform the scan in authenticated mode, click Yes. For more information, see About Privilege Escalation Scans.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege login macro. Continue to Step 4.
• To perform the scan in unauthenticated mode, click No. For more information, see About Privilege Escalation Scans.
The Application Authentication Step is complete. Proceed to After Creating or Selecting the Login Macro(s).
4. Do one of the following:
l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see Using a Selenium Macro.
l To edit an existing login macro shown in the Login Macro field, click Edit.
l To record a new macro, click Create.
l To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
5. After recording or selecting the second macro, click the Next button.
Using a Selenium Macro
Fortify WebInspect products support integration with Selenium browser automation. When you click
the import button and select a Selenium macro to import, Fortify WebInspect detects that a Selenium
macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must include a
logout condition. If a logout condition does not exist, you can add one using the Logout Conditions
Editor just as with any other macro. However, all other edits must be done in the Selenium IDE.
1. Select the Use a login macro for this site check box.
2. Click the ellipsis button (...) to browse for a saved Selenium macro.
The Import Macro window appears.
3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium macros do not have a specific file extension and can be any type of text file,
including XML.
4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
7. Did the macro play successfully?
• If yes, the message "Successfully verified macro" appears. Continue with Step 8.
• If no, an error message appears. Use the error message to debug and correct the error in
Selenium, and return to Step 2 of this procedure to try the import again.
8. Continue according to the following table.
To... Specify a logout condition
Then...
a. Click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
b. Add a logout condition and click OK.
To... Export the Selenium script to use elsewhere
Then...
a. Click Export.
The Selenium script import window opens.
b. Navigate to the desired directory and type a File name for the script.
c. Select the Save as Type.
Note: If you changed the settings in the Import Selenium Script window, they will not be saved
when exporting the file as a Selenium Import (*.*) file. However, if you export the file as a
Fortify WebInspect Selenium macro (*.webmacro) file, the settings will be saved.
d. Click Save.
After Creating or Selecting the Login Macro(s)
• If you selected a Standard scan, then the Optimization Tasks page appears. In this case, go to Active
Learning.
• If you selected a Workflows scan, then the Manage Workflows page appears. In this case, proceed to
Workflows.
About the Workflows Stage
The Workflows stage appears only if you selected Workflows as the Scan Type in the Site stage; if
you chose Standard, the Workflows stage does not appear.
You can create a workflow macro to ensure Fortify WebInspect Enterprise audits the pages you specify
in the macro. Fortify WebInspect Enterprise audits only those URLs included in the macro that you
previously recorded and does not follow any hyperlinks encountered during the audit.
You can create multiple workflow macros, one for each use case on your site. You do not need to specify
a logout condition. This type of macro is used most often to focus on a particular subsection of the
application. If you select multiple macros, they will all be included in the same scan. In addition, you can
import Burp Proxy captures and add them to your scan.
To complete the Workflows settings, click any of the following in the Workflows table:
• Record. Opens the Unified Web Macro Recorder, allowing you to create a macro.
• Edit. Opens the Unified Web Macro Recorder and loads the selected macro.
• Delete. Removes the selected macro (but does not delete it from your disk).
• Import. Opens a standard file-selection window, allowing you to select a previously recorded
.webmacro file, Burp Proxy captures, or a Selenium macro. If using a Selenium macro, you will need to
click Verify for Fortify WebInspect to play the macro. If the macro does not play successfully, the
Import Selenium Script window displays an error. You will need to debug and correct the error in
Selenium, and return to this procedure to try the import again. For more information about Burp
Proxy captures, see Importing Burp Proxy Results at the end of this topic.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or
both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all
Selenium macros. You cannot use different types of macros in the same scan.
• Export. Opens a standard file-selection window, allowing you to save a recorded macro. After a
macro is selected or recorded, you may optionally specify allowed hosts.
Note: If you have installed HPE Unified Functional Testing (UFT) on your computer, then Fortify
WebInspect or Fortify WebInspect Enterprise detects this automatically and displays an option to
import a UFT .usr file. See Importing HPE Unified Functional Testing Scripts.
For information about the Web Macro Recorder tool, see "Unified Web Macro Recorder" chapter
of the HPE Security Fortify WebInspect Tools Guide.
After you specify and play a workflow macro, it appears in the Workflows table and its Allowed Hosts
are added to the Guided Scan - Workflows - Workflows - Manage Workflows page. You can enable or
disable access to particular hosts.
About the Active Learning Stage
During the Active Learning stage:
• The Profiler runs and determines whether any settings need to be modified.
• You set the scan optimization option if necessary.
• You can navigate to key locations in your site that should be fully exercised.
Optimization Tasks – Profiling site for optimal settings
In this step, the Profiler conducts a preliminary examination of your target Web site. Based on its
findings, the Profiler returns a list of suggested changes to particular scan settings in the Settings
section. You can accept or reject each recommendation.
For example, the Profiler might detect that authorization is required to enter the site, but you have not
specified a valid user name and password. Rather than proceed with a scan that would return
significantly diminished results, you could follow the Profiler’s suggestion to configure the required
information before continuing.
Similarly, your settings might specify that Fortify WebInspect or Fortify WebInspect Enterprise should
not conduct "file-not-found" detection. This process is useful for Web sites that do not return a status
"404 Not Found" when a client requests a resource that does not exist (they may instead return a status
"200 OK," but the response contains a message that the file cannot be found). If the Profiler determines
that such a scheme has been implemented in the target site, it would suggest that you modify the
Fortify WebInspect or Fortify WebInspect Enterprise setting to accommodate this feature.
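The "file-not-found" scheme the Profiler looks for is usually called a soft 404: the server answers a request for a missing resource with "200 OK" and a human-readable error page, so a scanner that trusts status codes alone would record every probed path as present. The following Python code is an added example, not code from the guide or from the WebInspect products, showing one way to detect that scheme from captured responses: request two paths that cannot exist, then treat a 200 response carrying a not-found phrase, or two near-identical 200 bodies for unrelated paths, as the site's real "not found" signature. The Response class and all sample bodies are constructed for the example.

```python
import difflib
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str


# Phrases that commonly mark a "not found" page even when the status is 200 OK.
NOT_FOUND_MARKERS = re.compile(
    r"\b(page|file|resource)\b.{0,40}?\b(not found|cannot be found|does not exist)\b",
    re.IGNORECASE | re.DOTALL,
)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two response bodies are."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def detect_soft_404(probe_a: Response, probe_b: Response, threshold: float = 0.9) -> dict:
    """Classify how a site answers requests for two random paths that cannot exist.

    Returns {"scheme": ..., "reason": ...} where scheme is
      "hard-404"  the server really returns 404 for missing resources,
      "soft-404"  the server returns 200 OK with a not-found signature,
      "unknown"   no consistent signature (leave the scanner's default behaviour).
    The threshold tolerates small differences such as the requested path being
    echoed back inside the error page.
    """
    if probe_a.status == 404 and probe_b.status == 404:
        return {"scheme": "hard-404", "reason": "server returns 404 for missing resources"}
    if probe_a.status == 200 and probe_b.status == 200:
        if NOT_FOUND_MARKERS.search(probe_a.body) and NOT_FOUND_MARKERS.search(probe_b.body):
            return {"scheme": "soft-404", "reason": "200 OK with a not-found message in the body"}
        if similarity(probe_a.body, probe_b.body) >= threshold:
            return {"scheme": "soft-404",
                    "reason": "200 OK with near-identical bodies for unrelated missing paths"}
    return {"scheme": "unknown", "reason": "no consistent not-found signature"}


def is_missing(resp: Response, signature: Response, scheme: str, threshold: float = 0.9) -> bool:
    """Decide whether a later response means 'resource does not exist' under the detected
    scheme. `signature` is one of the probe responses recorded by detect_soft_404."""
    if scheme == "soft-404":
        return resp.status == 200 and (
            bool(NOT_FOUND_MARKERS.search(resp.body))
            or similarity(resp.body, signature.body) >= threshold
        )
    # hard-404 and unknown: fall back to the status code
    return resp.status == 404


# Constructed sample responses, as a scanner would see them for two random paths.
SOFT_A = Response(200, "<html><body><h1>Oops</h1><p>The page you requested was not found.</p></body></html>")
SOFT_B = Response(200, "<html><body><h1>Oops</h1><p>The page you requested was not found.</p></body></html>")
# A site that redirects every unknown path to the same landing page, with no error wording.
SOFT_C = Response(200, "<html><body><h1>Welcome</h1><p>Let us help you find what you were looking for.</p></body></html>")
SOFT_D = Response(200, "<html><body><h1>Welcome</h1><p>Let us help you find what you were looking for.</p></body></html>")
HARD_A = Response(404, "Not Found")
HARD_B = Response(404, "Not Found")
REAL_PAGE = Response(200, "<html><body><h1>Account</h1><p>Balance: 100</p></body></html>")

if __name__ == "__main__":
    for pair in ((SOFT_A, SOFT_B), (SOFT_C, SOFT_D), (HARD_A, HARD_B)):
        print(detect_soft_404(*pair))
```

When the classification is "soft-404", the scanner setting the Profiler recommends (file-not-found detection) is the one that makes the scan compare each response against this signature instead of trusting the status code.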
To run the Profiler:
1. Click Profile.
Results appear in the Settings area.
2. Accept or reject the suggested settings. To reject, clear the associated check box.
3. If necessary, provide the requested information.
4. Click the Next icon.
Several options may be presented even if you do not run the Profiler, as follows:
• Auto-fill Web forms during crawl
Select this option if you want Fortify WebInspect or Fortify WebInspect Enterprise to submit values
for input controls on forms it encounters while scanning the target site. Fortify WebInspect or Fortify
WebInspect Enterprise will extract the values from a prepackaged default file or from a file that you
create using the Web Form Editor. See the "Web Form Editor" chapter in the HPE Security Fortify
WebInspect Tools Guide or the Web Form Editor Help for detailed information about using the Web
Form Editor tool. You may:
• Click the browse button to locate and load a file.
• Click Edit to edit the selected file (or the default values) using the Web Form Editor.
• Click Create to open the Web Form Editor and create a file.
• Add allowed hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses
multiple domains, add those domains here. See the Fortify WebInspect Enterprise Web Console Help
system for more information.
To add allowed domains:
a. Click Add.
b. On the Specify Allowed Host page, enter a URL (or a regular expression representing a URL) and
click OK.
• Apply sample macro
Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login.
If you scan this site, select Apply sample macro to run the prepackaged macro containing the login
script.
If the Profiler does not recommend changes, the Scan Wizard displays the message: "No settings
changes are recommended; the Profiler could not find any necessary optimizations for this site."
When you click the Next icon, the Guided Scan - Active Learning - Optimization Tasks - Enhance
coverage of your web site page appears, and Optimization Tasks and the Enhance coverage of your
web site step are highlighted in the left pane.
Optimization Tasks – Enhancing coverage of your web site
To enhance coverage of your application, navigate to its key locations.
Note: When using the Enhance Coverage of Your Web Site feature in Guided Scan in conjunction
with the Privilege Escalation policy, the explored locations are collected while authenticated with
the high-privilege login macro.
See the "Unified Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide for
detailed information about using the Web Macro Recorder tool to navigate key locations in your
application, for Guided Scan to use during the scan.
See the Guided Scan Tutorial for more information about how to use this page of the Guided Scan
wizard. To launch the tutorial, click Tutorial in the upper right corner of the page.
At any time you can click Explored Locations at the bottom left of the page to see a list of the excluded
URLs, directories, or pages, and the Method, Status, and URL of each location you have accessed. For
a row (location), change the value of None in the Excluded column to Url, Directory, or Page to add
that type of exclusion rule. The exclusion rule will apply to any requests made by a scan that uses this
scan configuration. The Excluded column also displays, read-only, the causes of any exclusions for
requests—Custom, Disallowed Host, or, if Restrict to folder was selected at the start of configuring
the scan, Outside Root.
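The allowed hosts entered in the Add allowed hosts step and the exclusion rules in the Excluded column together decide which requests a scan is permitted to send. The Python code below is an added example, not the product's own logic, that models one way such scope rules can be evaluated so the three exclusion causes the guide names (Disallowed Host, Outside Root, Custom) can be reproduced for a given URL. The exact meaning of the Url, Directory and Page rule types, the "re:" prefix for regular-expression host entries, and the sample configuration are assumptions of this example; zero.webappsecurity.com is the sample host the guide mentions. It also demonstrates the caveat with regular-expression allowed hosts: the pattern is matched against the whole host name, because an unanchored search for example\.com would also admit an unrelated host such as example.com.evil.test into the scan.

```python
import re
from urllib.parse import urlsplit


def host_allowed(url: str, allowed_hosts) -> bool:
    """Allowed-host entries are literal host names or, by an assumption of this
    example, regular expressions prefixed with 're:'. Regexes are matched with
    re.fullmatch so that the pattern must cover the entire host name."""
    host = urlsplit(url).hostname or ""          # urlsplit lower-cases the host
    for entry in allowed_hosts:
        if entry.startswith("re:"):
            if re.fullmatch(entry[3:], host, re.IGNORECASE):
                return True
        elif host == entry.lower():
            return True
    return False


def excluded_by_rule(url: str, rule_type: str, value: str) -> bool:
    """Assumed meaning of the three exclusion types shown in the Excluded column:
    Url       - the exact request URL, query string included
    Directory - every URL whose path lies under that directory
    Page      - every URL whose path (query string ignored) is that page"""
    path = urlsplit(url).path
    if rule_type == "Url":
        return url == value
    if rule_type == "Directory":
        return path.startswith(value.rstrip("/") + "/")
    if rule_type == "Page":
        return path == value
    raise ValueError(f"unknown exclusion type {rule_type!r}")


def classify_request(url: str, allowed_hosts, exclusions, root=None) -> str:
    """Return "Allowed", or the exclusion cause the guide lists:
    "Disallowed Host"  the host is not in the allowed-host list,
    "Outside Root"     Restrict to folder is in effect and the path leaves that folder,
    "Custom"           a rule added through the Excluded column matched."""
    if not host_allowed(url, allowed_hosts):
        return "Disallowed Host"
    if root is not None:
        path = urlsplit(url).path
        base = root.rstrip("/")
        if not (path == base or path.startswith(base + "/")):
            return "Outside Root"
    for rule_type, value in exclusions:
        if excluded_by_rule(url, rule_type, value):
            return "Custom"
    return "Allowed"


# Constructed scan configuration for the example (hypothetical values).
ALLOWED_HOSTS = ["zero.webappsecurity.com", r"re:(www\.)?example\.com"]
EXCLUSIONS = [
    ("Directory", "/bank/admin"),
    ("Page", "/bank/logout.aspx"),
    ("Url", "http://www.example.com/bank/reset?all=1"),
]
ROOT = "/bank"   # as if Restrict to folder had been selected with this folder

if __name__ == "__main__":
    for u in ("http://zero.webappsecurity.com/bank/account.html",
              "http://zero.webappsecurity.com/index.html",
              "http://example.com.evil.test/bank/x",
              "http://www.example.com/bank/admin/users"):
        print(f"{classify_request(u, ALLOWED_HOSTS, EXCLUSIONS, ROOT):16} {u}")
```

Excluding the logout page is the usual reason for a Page rule: if the crawler follows it, the session created by the login macro ends and the remainder of the scan runs unauthenticated.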
When you complete the Enhance coverage of your web site step, click the Next icon. If any web form
values were recorded, the Guided Scan - Active Learning - Optimization Tasks - Web Form Values page
appears, and Optimization Tasks and the Web Form Values step are highlighted in the left pane.
Proceed to Optimization Tasks – Web Form Values.
If there are no web form values, the Guided Scan - Settings - Final Review - Validate Settings and Start
Scan page appears, and Final Review and Validate Settings and Start Scan are highlighted in the
left pane. Go to About the Settings Stage.
Optimization Tasks – Web Form Values
Guided Scan recorded all of the web form values that you entered while you explored your Web site to
enhance coverage. Here you can review and modify the values, which are part of the scan settings that
are saved with the scan. In the Web Forms group in the toolbar, you can click Export to save the values
to a separate file or click Import to use an existing set of values. The scan settings, including the web
form values, serve as defaults that you can modify in future scans.
• Click the Next icon.
In the Settings stage, Final Review and the Validate Settings and Start Scan step are
highlighted.
About the Settings Stage
During the Settings stage, you can set a number of options that affect how the collected traffic is
audited. The available options vary, based on the selections you have made.
Final Review Step
Validate Settings and Start Scan
In the Validate Settings and Start Scan step, you can:
• Save your scan settings
• Select the project and project version
• Start a scan
To complete this step:
1. Review any errors and warnings to see whether there are any final tasks to perform or corrections
to make. Make changes as needed.
2. The Scan Now section has a summary of your scan settings. Click the Click here to save settings
link in the Save Settings section if you want to save your scan settings for future use.
3. Specify a Project and Project Version.
4. Click the Start Scan button to launch the scan.
The wizard closes and the Scan Dashboard opens.
Importing Burp Proxy Results
If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a
workflow macro, reducing the time it would otherwise take to retest the same areas.
To add Burp Proxy results to a workflow macro:
1. If you are not on the Workflows screen, click the 1. Manage Workflows step under the
Workflows stage in the Guided Scan tree.
2. Click the Import button.
The Import Macro file selector appears.
3. Change the file type in the drop-down menu from Web Macro (*.webmacro) to Burp Proxy (*.*).
4. Navigate to your Burp Proxy files and select the desired file.
5. Click Open.
Configuring Native Scans Using a Mobile Template
To skip to information in this topic about configuring the proxy for the selected profile, see "Setting the
Mobile Device/Emulator Proxy Address" on page 300.
To skip to information in this topic about installing the client certificate for the selected profile, see
"Adding a Trusted Certificate" on page 301.
Guided Scan directs you through the best steps to configure a scan that is tailored to your application,
and it is the preferred method for performing a scan. This topic describes use of the Native Scan
template.
For general information about Guided Scan, including launching Guided Scan, see "About the Thin
Client Download" on page 267.
Note: Most of the information in this topic is iOS-specific, but it equally relates to Android and
Windows devices and emulator usage. Please consult your OS documentation if you have questions
on setting up proxies, installing certificates, or other OS-specific tasks.
About Native Scans
You use a Native Scan to manually crawl a native mobile application and capture the Web traffic as a
workflow macro. You generate the traffic on an Android, Windows, or iOS device or a software emulator
running a mobile application.
The Guided Scan wizard will guide you through the stages and steps that are required to record and
scan your application traffic. The tree in the left pane, shown below, tracks your progress. If you need to
return to a previous step or stage, click the Back navigation button, or click the step in the Guided Scan
tree to go there directly.
This Guided Scan consists of the following four stages, each of which has one or more steps:
• Native Mobile: where you choose a device or emulator, configure device/emulator proxy, and select
the type of scan you want to run.
• Login: where you define the type of authentication if the back-end of your mobile application
requires it.
• Application: where you run your application, record web traffic, and identify the hosts and RESTful
endpoints to include in your scan.
• Settings: where you review and validate your choices and run the scan.
The Guided Scan wizard includes a tutorial that runs the first time you launch a Guided Scan. You can
close the tutorial at any time and reopen it later by clicking the Tutorial button at the top right of the
display. This tutorial is unique to the Native Scan.
Supported Devices
Fortify WebInspect and Fortify WebInspect Enterprise support scanning the back-end traffic on
Android, Windows, and iOS devices.
Android Device Support
Any Android device, such as an Android-based phone or tablet.
Windows Device Support
Any Windows device, such as a Windows phone or Surface tablet.
iOS Device Support
Any iOS device, such as an iPhone or iPad, running the latest version of iOS.
Supported Development Emulators
In addition to support for Android and iOS devices, you can run your application through your Android
or iOS emulator in your development environment. When scanning traffic generated via your device
emulator, you must ensure that the development machine is on the same network as Fortify WebInspect
Enterprise and that you have set up a proxy between Fortify WebInspect Enterprise and your
development machine.
Creating a Native Scan
To create a Native Scan, you will need to make sure your device or emulator is on the same network as
Fortify WebInspect Enterprise. In addition, you need to have authorization and access to the ports on
the machine where you are running Fortify WebInspect Enterprise in order to successfully create a
proxy connection.
To create a Native Scan:
1. Open Fortify WebInspect Enterprise.
2. From the Web Console, click Guided Scan under Actions to start a Guided Scan.
3. Click Native Scan in the Mobile Templates section.
The Guided Scan wizard displays the first step in the Native Mobile stage: Choose
Device/Emulator Type.
About the Native Mobile Stage
The first stage in the process is the Native Mobile stage. In this stage you will:
• Set up the device or emulator to use a proxy connection
• Log the device or emulator on to the same network as your instance of Fortify WebInspect Enterprise
• Install a client certificate on your device or emulator
• Name the scan for future reference
• Select a scan method
• Select a scan policy
• Select the crawl coverage amount
Choosing the Device/Emulator Type
After launching the Guided Scan, you will be provided with the following options:
Option            Description
Profile           The type of device or emulator you want to scan. Select a type from the
                  drop-down menu. For more information, see "Selecting a Profile" below.
Mobile Device/    The IP address and port number for the proxy that Fortify WebInspect
Emulator Proxy    Enterprise creates for listening to the traffic between your device or
                  emulator and the Web service or application being tested. Unless the IP
                  address and/or port are reserved for other activities, use the default
                  strings. For more information, see "Setting the Mobile Device/Emulator
                  Proxy Address" below.
Trusted           The port and URL to acquire a client certificate for your device or
Certificate       emulator. To download and install the certificate on your device or
                  emulator, see "Adding a Trusted Certificate" on the next page.
Selecting a Profile
To set the device profile, select one of the following from the Profile drop-down text box:
Option            Description
iOS Device        An iPad or iPhone running the latest version of iOS.
iOS Simulator     The iOS emulator that is part of the iOS SDK.
Android Device    A phone or tablet running the Android operating system.
Android Emulator  The Android emulator that is part of the Android SDK.
Windows Device    A Windows mobile device.
Setting the Mobile Device/Emulator Proxy Address
The Mobile Device/Emulator Proxy section lists the Host IP address and the Port number that will be
used to establish a proxy connection between your device or emulator and Fortify WebInspect
Enterprise. Use the suggested settings unless the IP address and/or port number are unavailable on
your system.
Note: If you are unable to connect to the server or access the Internet after setting your proxy, you
may need to open up or change the port on your firewall specified in the Native Mobile stage. If it
still does not work, you might need to select the IP address of the active network adapter. The IP
address presented in the Fortify WebInspect Enterprise interface allows you to click the address
and select an alternate from a drop-down list.
To set up a proxy on an iOS device or iOS emulator:
1. Run the Settings application.
2. Select Wi-Fi.
3. Select the Wi-Fi network you are using to connect to Fortify WebInspect Enterprise.
4. Scroll down to the HTTP Proxy section and select Manual.
The screen displays the network configuration options for the network your device is connected to.
5. Scroll down further and type in the Server IP address and the Port number provided by Fortify
WebInspect Enterprise. If you do not have this information, see "Choosing the Device/Emulator
Type" on the previous page.
6. In Fortify WebInspect Enterprise, click the Verify button in the Trusted Certificate section to
verify the connection is working properly.
The Verify activity progress bar appears.
7. Launch the default browser on your device and visit any site to verify that Fortify WebInspect
Enterprise is able to see the back-end traffic.
If everything is configured properly, after a few moments, the Verify activity progress bar will state
that the traffic has been successfully verified.
8. Click OK to dismiss the verification progress bar and then click the Next button to select a scan
type.
To set up a proxy on an Android device, a Windows device, or your PC, consult your operator’s
instructions.
Adding a Trusted Certificate
If your site requires a secure connection (https), each time you configure a scan, Fortify WebInspect
Enterprise generates a unique client certificate for your device. You will need to install the certificate
into the device’s certificate repository.
There are three ways to add a certificate:
• Scan the QR code from the Trusted Certificate section of Guided Scan (requires QR reader
software).
• Type the address into the built-in browser on your device or device emulator.
• Copy the certificate to your system clipboard for applying later (used when scanning with a device
emulator).
Choose the option that best suits your needs.
Note: After completing the scan, you should remove the certificate from the repository on your
device. See Post Scan Steps.
To add a certificate to an iOS device:
1. After scanning the QR code or typing the provided URL into your browser, the Install Profile page
appears.
Note: The HPE WebInspect Root certificate status will display as Not Trusted until you add it
to your root chain.
2. Tap the Install button.
A warning screen will appear stating that the certificate is not trusted. Once you add the certificate
to the certificate repository on your device or emulator, the warning will go away.
3. Tap Install on the Warning screen.
The display changes to that of the current network your device or emulator is connected to. Make
sure it is connected to the same network as Fortify WebInspect Enterprise.
Choosing the Scan Type
After setting up your device or emulator to work with Fortify WebInspect Enterprise during the first
part of the Native Mobile stage, you will need to select the type of scan you would like to run. See the
following options.
Option          Description
Scan Name       Type a name for the scan so that later you can identify the scan on the
                Manage Scans page.
Scan Method     Choose the type of scan you want from the following list:
                • Crawl Only: maps the attack surface of the specified workflow(s)
                • Crawl and Audit: maps the attack surface of the specified workflow(s) and
                  scans for vulnerabilities
                • Audit Only: attacks only the specified workflows
Policy          Select a policy for the scan from the drop-down menu. For information on
                creating and editing policies, see the "Policy Manager" chapter in the HPE
                Security Fortify WebInspect Tools Guide.
Crawl Coverage  Adjust the slider to select a value — Quick, Moderate, Default, or
                Thorough. Use the guidance provided on screen for each option.
About the Login Stage
During the Login stage, if the application you need to scan requires network authentication, a client
certificate, and/or application-level authentication, you can configure them here. You can also create or
assign a login macro.
• If you do not need to perform network authentication or use a client certificate, go to Application
Authentication Step in this procedure.
• If you do not need to perform network authentication but you do need to use a client certificate, go
to Configuring Client Authentication in this procedure.
• If you do need to perform network authentication, click Network Authentication under the Login
stage in the left pane. The Guided Scan - Login - Network Authentication - Configure Network
Authentication page appears, and under the Login stage, Network Authentication and the
Configure Network Authentication step are highlighted. In this case, proceed to Network
Authentication Step.
Configuring Network Authentication
If your site requires network authentication:
1. Select the Network Authentication check box.
2. Select a Method from the drop-down list of authentication methods. The authentication methods
are:
• Basic. A widely used, industry-standard method for collecting user name and password
information. The Web browser displays a window for a user to enter a user name and password.
The Web browser then attempts to establish a connection to a server using the user's
credentials. If the credentials are rejected, the browser displays an authentication window to
re-enter the user's credentials. If the Web server verifies that the user name and password
correspond to a valid user account, a connection is established. The advantage of Basic
authentication is that it is part of the HTTP specification and is supported by most browsers.
• NTLM. NTLM (NT LanMan) is an authentication process that is used by all members of the
Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response
process to prove the client's identity without requiring that either a password or a hashed
password be sent across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and
Fortify WebInspect has to pass through a proxy server to submit its requests to the Web server,
Fortify WebInspect may not be able to crawl or audit that Web site. Use caution when
configuring Fortify WebInspect for scans of sites protected by NTLM. After scanning, you may
want to disable the NTLM authentication settings to prevent any potential problem.
• Digest. The Windows Server operating system implements the Digest Authentication protocol
as a security support provider (SSP), a dynamic-link library (DLL) that is supplied with the
operating system. Using digest authentication, your password is never sent across the network
in the clear, but is always transmitted as an MD5 digest of the user's password. In this way, the
password cannot be determined by sniffing network traffic.
• Automatic. Allow Fortify WebInspect to determine the correct authentication type.
• Kerberos. Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third
party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an
Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to
AS, then demonstrates to the TGS that it is authorized to receive a ticket for a service (and
receives it). The client then demonstrates to a Service Server that it has been approved to
receive the service.
• Negotiate. The Negotiate authentication protocol begins with the option to negotiate for an
authentication protocol. When the client requests access to a service, the server replies with a list
of authentication protocols that it can support and an authentication challenge based on the
protocol that is its first choice. For example, the server might list Kerberos and NTLM, and send
a Kerberos challenge. The client examines the contents of the reply and checks to determine
whether it supports any of the specified protocols. If the client supports the preferred protocol,
authentication proceeds. If the client does not support the preferred protocol, but does support
one of the other protocols listed by the server, the client lets the server know which
authentication protocol it supports, and the authentication proceeds. If the client does not
support any of the listed protocols, the authentication exchange fails.
3. Complete the User Name and Password fields.
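The three descriptions above that can be shown concretely without a domain controller are Basic, Digest and the scheme-selection step of Negotiate. The Python code below is an added example, not code from the guide or from the WebInspect products. It builds the Basic credential a client sends (base64, which is an encoding rather than encryption, so the scan account's password is readable by anyone who can see the request unless TLS protects it), computes the RFC 2617 Digest response so that only a hash bound to the server's nonce travels, and picks the first server-offered scheme a client supports, as the Negotiate text describes. The Digest inputs are the worked example from RFC 2617; the WWW-Authenticate challenge and the user names are constructed for this example. MD5-based Digest is itself obsolete for new designs, so the point of the code is the shape of each exchange, not a recommendation.

```python
import base64
import hashlib
import re
from typing import Optional


def basic_credentials(user: str, password: str) -> str:
    """Basic: 'user:password' base64-encoded, sent on every request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (RFC 2617, qop=auth): the password never leaves the client. HA1 binds the
    password to the realm, HA2 binds the request, and the response binds both to the
    server nonce, the request counter and the client nonce."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def digest_header(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Assemble the Authorization header a client sends after a Digest challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# A scheme name is a token at the start of the header or right after a comma that is
# followed by whitespace, a comma or the end; 'name=value' parameters never qualify.
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?=\s|,|$)')


def offered_schemes(www_authenticate: str) -> list:
    """List the scheme names in a WWW-Authenticate header, in the server's order.
    Quoted parameter values are blanked first so a comma inside realm="a, b" is not
    mistaken for a separator between challenges."""
    stripped = re.sub(r'"[^"]*"', '""', www_authenticate)
    return _SCHEME.findall(stripped)


def choose_scheme(www_authenticate: str, client_supports) -> Optional[str]:
    """Negotiate-style selection as the guide describes it: the server lists the protocols
    it supports, preferred one first; the client takes the first listed protocol it also
    supports, or the exchange fails (None) when there is no overlap."""
    for scheme in offered_schemes(www_authenticate):
        if scheme in client_supports:
            return scheme
    return None


# Constructed challenge for the example: the server prefers Negotiate, then NTLM, then Basic.
CHALLENGE = 'Negotiate, NTLM, Basic realm="bank"'

if __name__ == "__main__":
    print(basic_credentials("Aladdin", "open sesame"))
    print(digest_header("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                        "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                        "00000001", "0a4f113b"))
    print(choose_scheme(CHALLENGE, {"NTLM", "Basic"}))
```

The scanner-side consequence of the NTLM note in the guide is visible in choose_scheme: a proxy between Fortify WebInspect and the Web server may answer the challenge itself or strip the connection-bound NTLM exchange, which is why the guide advises caution with NTLM behind a proxy.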
Configuring Client Authentication
If you need to use a client certificate for network authentication:
1. Select the Client Certificate check box.
2. In the Certificate Store area, select one of the following:
• Local Machine - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate on the
local machine based on your selection in the Certificate area.
• Current User - Fortify WebInspect or Fortify WebInspect Enterprise uses a certificate for the
current user based on your selection in the Certificate area.
3. Select either My or Root from the drop-down list.
4. To view certificate details in the Certificate Information area, select a certificate in the Certificate
area.
5. Click the Next icon.
The Application Authentication page appears.
Application Authentication Step
If your site requires authentication, you can use this step to create, select, or edit a login macro to
automate the login process and increase the coverage of your site. A login macro is a recording of the
activity that is required to access and log in to your application, typically by entering a user name and
password and clicking a button such as Log In or Log On.
The following options are available for login macros:
• Using a Login Macro without Privilege Escalation
• Using Login Macros for Privilege Escalation
• Using a Selenium Macro
Using a Login Macro without Privilege Escalation
To use a login macro:
1. Select the Use a login macro for this site check box.
2. Do one of the following:
l To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If
you are using a Selenium macro, see Using a Selenium Macro.
HPE Security Fortify WebInspect Enterprise (16.20)
Page 304 of 362
User Guide
Chapter 5: WebInspect Enterprise Thin Client
• To edit an existing login macro shown in the Login Macro field, click Edit.
• To record a new macro, click Create.
• To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
3. Click the Next button.
Using Login Macros for Privilege Escalation
If you selected the Privilege Escalation policy or another policy that includes enabled Privilege
Escalation checks, at least one login macro for a high-privilege user account is required. For more
information, see "About Privilege Escalation Scans" on page 309. To use login macros:
1. Select the High-Privilege User Account Login Macro check box. This login macro is for the
higher-privilege user account, such as a Site Administrator or Moderator account.
2. Do one of the following:
• To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If you are using a Selenium macro, see Using a Selenium Macro.
• To edit an existing login macro shown in the Login Macro field, click Edit.
• To record a new macro, click Create.
• To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege
Login Macro" prompt appears.
3. Do one of the following:
• To perform the scan in authenticated mode, click Yes. For more information, see About Privilege Escalation Scans.
Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege login macro. Continue to Step 4.
• To perform the scan in unauthenticated mode, click No. For more information, see About Privilege Escalation Scans.
The Application Authentication Step is complete. Proceed to the Application Stage to run your
application.
4. Do one of the following:
• To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro. If you are using a Selenium macro, see Using a Selenium Macro.
• To edit an existing login macro shown in the Login Macro field, click Edit.
• To record a new macro, click Create.
• To use a macro from the macro repository:
i. Click Download.
The Download a Macro from WebInspect Enterprise window appears.
ii. Select the Project and Project Version from the drop-down lists.
iii. Select a repository macro from the Macro drop-down list.
iv. Click OK.
For details about recording a new login macro or using an existing login macro, see the "Unified
Web Macro Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
5. After recording or selecting the second macro, click the Next button.
Using a Selenium Macro
Fortify WebInspect products support integration with Selenium browser automation. When you click
the import button and select a Selenium macro to import, Fortify WebInspect detects that a Selenium
macro is being used. Fortify WebInspect opens Selenium and plays the macro. The macro must include a
logout condition. If a logout condition does not exist, you can add one using the Logout Conditions
Editor just as with any other macro. However, all other edits must be done in the Selenium IDE.
1. Select the Use a login macro for this site check box.
2. Click the ellipsis button (...) to browse for a saved Selenium macro.
The Import Macro window appears.
3. Select Selenium IDE Test Case (*.*) from the file type drop-down list.
Note: Selenium macros do not have a specific file extension and can be any type of text file,
including XML.
4. Locate and select the file, and then click Open.
The Import Selenium Script window appears.
5. (Optional) To view and/or adjust how Selenium behaves during macro replay, click the Settings
plus (+) sign.
The Settings area expands and the current settings become visible. Make changes as necessary.
6. Click Verify.
Fortify WebInspect plays the macro, displaying the verification progress and status in the Import
Selenium Script window.
7. Did the macro play successfully?
• If yes, the message "Successfully verified macro" appears. Continue with Step 8.
• If no, an error message appears. Use the error message to debug and correct the error in Selenium, and return to Step 2 of this procedure to try the import again.
8. Continue according to the following procedures.
To specify a logout condition:
a. Click Edit logout conditions.
The Logout Conditions Editor appears. Currently, only Regex is supported.
b. Add a logout condition and click OK.
To export the Selenium script to use elsewhere:
a. Click Export.
The Selenium script import window opens.
b. Navigate to the desired directory and type a File name for the script.
c. Select the Save as Type.
Note: If you changed the settings in the Import Selenium Script window, they will not be saved when exporting the file as a Selenium Import (*.*) file. However, if you export the file as a Fortify WebInspect Selenium macro (*.webmacro) file, the settings will be saved.
d. Click Save.
About the Application Stage
The Application stage is where you run your application. During the Application stage:
• Run the mobile application to generate and collect Web traffic.
• Identify the hosts and RESTful endpoints you want to include.
Run Application Step
To run the application and generate and collect Web traffic:
1. Click the Record button.
2. Exercise the application, navigating through the interface as your customers will.
3. When you have generated enough traffic, click the Stop button.
4. Click Play to verify your workflow.
After running the application and collecting Web traffic, a list will be generated of the Allowed Hosts
and potential RESTful Endpoints.
Finalize Allowed Hosts Step
To select the allowed hosts to include in your audit, click the check boxes in the Enabled column of the
Allowed Hosts table.
The list of RESTful endpoints is generated by listing every possible combination that could be a
RESTful endpoint. Select the actual RESTful endpoints from the list by selecting their Enabled check
boxes. To reduce the list to a more likely subset, click the Detect button. Heuristics are applied, filtering
out some of the less likely results. Select the Enabled check boxes from the resulting list.
If Fortify WebInspect Enterprise did not find all of the RESTful endpoints, you can add them manually.
To set up a new RESTful endpoint rule:
1. Click the New Rule button.
A new rule input box appears in the RESTful Endpoints table.
2. Following the sample format in the input box, type in a RESTful endpoint.
To import a list of RESTful endpoints:
1. Click the Import button.
A file selector appears.
2. Select a Web Application Description Language (.wadl) file.
3. Click OK.
About the Settings Stage
During the Settings stage, you can set a number of options that affect how the collected traffic is
audited. The available options vary, based on the selections you have made.
Final Review – Validate Settings and Start Scan
In the Validate Settings and Start Scan step, you can:
• Save your scan settings
• Select the project and project version
• Start a scan
To complete this step:
1. Review any errors and warnings to see whether there are any final tasks to perform or corrections
to make. Make changes as needed.
2. The Scan Now section has a summary of your scan settings. Click the Click here to save settings
link in the Save Settings section if you want to save your scan settings for future use.
3. Specify a Project and Project Version.
4. Click the Start Scan button to launch the scan.
The wizard closes and the Scan Dashboard opens.
Post Scan Steps
After you have completed your scan and run Fortify WebInspect Enterprise, you will need to reset your
Android device, Windows device, iOS device, or emulator to its former state. The following steps show
how to reset an iOS device to the way it was before you began. Steps for other devices and for
emulators are similar, but they depend on the version of the OS you are running.
To remove the HPE Certificate on an iOS device:
1. Run the Settings application.
2. Select General from the Settings column.
3. Scroll down to the bottom of the list and select Profile HPE WebInspect Root.
4. Tap the Remove button.
To remove the Proxy Settings on an iOS device:
1. Run the Settings application.
2. Select Wi-Fi from the Settings column.
3. Tap the Network name.
4. Delete the Server IP address and the Port number.
About Privilege Escalation Scans
Privilege escalation vulnerabilities result from programming errors or design flaws that grant an attacker
elevated access to an application and its data. Fortify WebInspect can detect privilege escalation
vulnerabilities by conducting either a low-privilege or unauthenticated crawl followed by a high-privilege crawl and audit in the same scan. Fortify WebInspect includes a Privilege Escalation policy as
well as privilege escalation checks that can be enabled in other policies, including custom policies. In
Guided Scan, Fortify WebInspect automatically detects when you have selected a policy with privilege
escalation checks enabled, and prompts you for the required login macro(s).
Two Modes of Privilege Escalation Scans
Fortify WebInspect can perform privilege escalation scans in two modes, determined by the number of
login macros you use:
• Authenticated Mode – This mode uses two login macros: one for low-privilege access and one for high-privilege access. In this mode, a low-privilege crawl is followed by a high-privilege crawl and audit. You can perform this type of scan using Guided Scan.
Note: When using the Enhance Coverage of Your Web Site feature in Guided Scan in conjunction with the Privilege Escalation policy, the explored locations are collected while authenticated with the high-privilege login macro.
• Unauthenticated Mode – This mode uses only a high-privilege login macro. In this mode, the low-privilege crawl is actually an unauthenticated crawl. Any privilege escalation detected during this scan is moving from unauthenticated to high privilege. You can perform this type of scan using Guided Scan and providing only a high-privilege login macro.
Note: Fortify WebInspect Enterprise does not support privilege escalation scans using the Scan
Configuration wizard.
What to Expect During the Scan
When conducting a scan with privilege escalation checks enabled, Fortify WebInspect first performs a
low-privilege crawl of the site. During this crawl, the Site view is not populated with the hierarchical
structure of the Web site. Nor are vulnerabilities populated in the Summary pane. However, you can
confirm that the scan is actively working by clicking the Scan Log tab in the Summary pane. You will see
messages in the log indicating the "Scan Start" time and the "LowPrivilegeCrawlStart" time. When the
low-privilege crawl of the site is complete, the high-privilege crawl and audit phase of the scan occurs.
During this phase, the Site view will be populated and any vulnerabilities found will appear in the
Summary pane.
See Also
"Configuring Web Site Scans Using a Predefined Template" on page 270
"Configuring Mobile Web Site Scans Using a Mobile Template" on page 284
"Configuring Native Scans Using a Mobile Template" on page 298
Advanced Guided Scan Settings
The following pages describe the advanced Guided Scan settings, including crawl and audit settings.
Scan Settings: Method
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Method.
Scan Mode
The following options are available:
Option
Description
Crawl Only
This option completely maps a site's tree structure. After a crawl has been
completed, you can click Audit to assess an application’s vulnerabilities.
Crawl & Audit
As Fortify WebInspect maps the site's hierarchical data structure, it audits
each resource (page) as it is discovered (rather than crawling the entire site
and then conducting an audit). This option is most useful for extremely
large sites where the content could change before the crawl can be
completed. This is described in the Crawl and Audit Mode section as the option to crawl and audit Simultaneously.
Audit Only
Fortify WebInspect applies the methodologies of the selected policy to
determine vulnerability risks, but does not crawl the Web site. No links on
the site are followed or assessed.
Crawl and Audit Mode
The following options are available:
Option
Description
Simultaneously
As Fortify WebInspect maps the site's hierarchical data structure, it audits
each resource (page) as it is discovered (rather than crawling the entire site
and then conducting an audit). This option is most useful for extremely
large sites where the content could change before the crawl can be
completed.
Sequentially
In this mode, Fortify WebInspect crawls the entire site, mapping the site's
hierarchical data structure, and then conducts a sequential audit, beginning
at the site's root.
If you select Sequentially, you can specify the order in which the crawl and
audit should be conducted:
• Test each engine type per session (engine driven): Fortify WebInspect audits all sessions using the first audit engine, then audits all sessions using the second audit engine, continuing in sequence until all engine types have been deployed.
• Test each session per engine type (session driven): Fortify WebInspect runs all audit engines against the first session, then runs all audit engines against the second session, continuing in sequence until all sessions are audited.
Crawl and Audit Details
Option
Description
Include search probes (send search attacks)
If you select this option, Fortify WebInspect will send requests for files and
directories that might or might not exist on the server, even if those files
are not found by crawling the site.
This option is selected by default only when the Scan Mode is set to Crawl
& Audit. The option is cleared (unchecked) by default when the Scan Mode
is set to Crawl Only or Audit Only.
Crawl links on File Not Found responses
If you select this option, Fortify WebInspect will look for and crawl links on
responses that are marked as “file not found.”
This option is selected by default when the Scan Mode is set to Crawl Only
or Crawl & Audit. The option is not available when the Scan Mode is set to
Audit Only.
Navigation
The following options are available:
Option
Description
Auto-fill Web forms during crawl
If you select this option, Fortify WebInspect submits values for input
controls found on all forms. The values are extracted from a file you create
using the Web form editor. Use the browse button to specify the file
containing the values you want to use. Alternatively, you can click the Edit button (to modify the currently selected file) or the Create button (to create a Web form file).
Caution: Do not rely on this feature for authentication. If the crawler
and the auditor are configured to share state, and if Fortify
WebInspect never inadvertently logs out of the site, then using values
extracted by the Web Form Editor for a login form may work. However,
if the audit or the crawl triggers a logout after the initial login, then
Fortify WebInspect will not be able to log in again and the auditing will
be unauthenticated. To prevent Fortify WebInspect from terminating
prematurely if it inadvertently logs out of your application, go to "Scan
Settings: Authentication" on page 338 and select Use a login macro
for forms authentication.
Prompt for Web form values during scan (interactive mode)
If you select this option, Fortify WebInspect pauses the scan when it
encounters an HTTP or JavaScript form and displays a window that allows
you to enter values for input controls within the form. However, if you also
select Only prompt for tagged inputs, Fortify WebInspect will not pause
for user input unless a specific input control has been designated Mark as
Interactive Input (using the Web Form Editor). This pausing for input is
termed "interactive mode" and you can cancel it at any time during the scan.
Use Web Service Design
This option applies only to Web Service scans.
When performing a Web service scan, Fortify WebInspect crawls the WSDL
site and submits a value for each parameter in each operation. These values
are contained in a file that you create using the Web Service Test Designer
tool. Fortify WebInspect then audits the site by attacking each parameter in
an attempt to detect vulnerabilities such as SQL injection.
Use the browse button to specify the file containing the values you want to use. Alternatively, you can click the Edit button (to modify the currently selected file) or the Create button (to create a SOAP values file).
SSL/TLS Protocols
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide secure HTTP
(HTTPS) connections for Internet transactions between Web browsers and Web servers. SSL/TLS
protocols enable server authentication, client authentication, data encryption, and data integrity for
Web applications.
Select the SSL/TLS protocol(s) used by your Web server. The following options are available:
• Use SSL 2.0
• Use SSL 3.0
• Use TLS 1.0
• Use TLS 1.1
• Use TLS 1.2
If you do not configure the SSL/TLS protocol to match your Web server, Fortify WebInspect will still
connect to the site, though there may be a performance impact.
For example, if the setting in Fortify WebInspect is configured to Use SSL 3.0 only, but the Web server is
configured to accept TLS 1.2 connections only, Fortify WebInspect will first try to connect with SSL 3.0,
but will fail. Fortify WebInspect will then implement each protocol until it discovers that TLS 1.2 is
supported. The connection will then succeed, although more time will have been spent in the effort. The
correct setting (Use TLS 1.2) in Fortify WebInspect would have succeeded on the first try.
Scan Settings: General
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click General.
Scan Details
The Scan Details options are described in the following table:
Option
Description
Enable Path Truncation
Path truncation attacks are requests for known directories without file
names. This may cause directory listings to be displayed. Fortify
WebInspect truncates paths, looking for directory listings or unusual errors
within each truncation.
Example: If a link consists of
http://www.site.com/folder1/folder2/file.asp, then truncating the path
to look for http://www.site.com/folder1/folder2/ and
http://www.site.com/folder1/ may cause the server to reveal directory
contents or may cause unhandled exceptions.
Case-sensitive request and response handling
Select this option if the server at the target site is case-sensitive to URLs.
Recalculate correlation data
This option is used only for comparing scans. The setting should be
changed only upon the advice of HPE Security Technical Support
personnel. Fortify WebInspect Enterprise automatically generates its own
correlation data using its own correlation provider.
Compress response data
If you select this option, Fortify WebInspect saves disk space by storing
each HTTP response in a compressed format in the database.
Enable Traffic Monitor Logging
During a Web Site Scan, Fortify WebInspect Enterprise displays in the
navigation pane only those sessions that reveal the hierarchical structure
of the Web site plus those sessions in which a vulnerability was discovered.
However, if you select the Traffic Monitor option, Fortify WebInspect adds
the Traffic Monitor button to the Scan Info panel, allowing you to display
and review every single HTTP request sent by Fortify WebInspect and the
associated HTTP response received from the server.
Encrypt Traffic Monitor File
All sessions are normally recorded in the traffic monitor file as clear text. If
you are concerned about storing sensitive information such as passwords
on your computer, you can elect to encrypt the file.
Encrypted files cannot be compressed. Selecting this option will
significantly increase the size of exported scans containing log files.
Note: The Traffic Viewer introduced in Fortify WebInspect version
10.50 does not support the encryption of traffic files. The Encrypt
Traffic Monitor File option is reserved for use under special
circumstances with legacy traffic files only.
Maximum crawl-audit recursion depth
When an attack reveals a vulnerability, Fortify WebInspect crawls that
session and follows any link that may be revealed. If that crawl and audit
reveals a link to yet another resource, the depth level is incremented and
the discovered resource is crawled and audited. This process can be
repeated until no other links are found. However, to avoid the possibility of
entering an endless loop, you may limit the number of recursions. The
default value is 2. The maximum recursion level is 1,000.
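As an added example (not code from the HPE documentation or the product), the following Python derives the parent-directory URLs that the Enable Path Truncation check described above would request for a crawled link, deepest directory first, and the distinct set such requests form across a list of crawled URLs. The function names are this example's own and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def truncated_paths(url: str) -> list[str]:
    """Parent-directory URLs of `url`, deepest first; query and fragment are dropped.

    http://www.site.com/folder1/folder2/file.asp ->
        http://www.site.com/folder1/folder2/  then  http://www.site.com/folder1/
    The site root is not returned: it is a normal crawled resource, not a truncation.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A path that does not end in "/" names a file; its last element is not a directory.
    dirs = segments if parts.path.endswith("/") else segments[:-1]
    results = []
    for depth in range(len(dirs), 0, -1):
        path = "/" + "/".join(dirs[:depth]) + "/"
        if path == parts.path:
            continue  # the URL already names this directory, so it is not a truncation
        results.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return results


def truncation_requests(crawled_urls: list[str]) -> list[str]:
    """Distinct truncation requests a scan of `crawled_urls` would issue, in first-seen order.

    Useful for estimating request volume, or for knowing which directory
    requests to expect in the target's access logs while a scan runs.
    """
    seen: dict[str, None] = {}
    for url in crawled_urls:
        for candidate in truncated_paths(url):
            seen.setdefault(candidate, None)
    return list(seen)


if __name__ == "__main__":
    # Constructed sample: the link from the documentation's example plus two siblings.
    sample = [
        "http://www.site.com/folder1/folder2/file.asp",
        "http://www.site.com/folder1/other.asp?id=7",
        "http://www.site.com/index.asp",
    ]
    for request in truncation_requests(sample):
        print(request)
```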
Crawl Details
The Crawl Details options are described in the following table:
Option
Description
Crawler
Fortify WebInspect can crawl a site in two different ways, depending on
which option you select.
Depth First
Depth-first crawling accommodates sites that enforce order-dependent
navigation (where the browser must visit page A before it can visit page B).
This type of search progresses by expanding the first child node (link) and
crawling deeper and deeper until it reaches a node that has no children.
The search then backtracks, returning to the most recent node it hasn't
finished exploring and drilling down from there. The following illustration
depicts the order in which linked pages are accessed using a depth-first
crawl. Node 1 has links to nodes 2, 7, and 8. Node 2 has links to nodes 3
and 6.
Breadth First
By contrast, breadth-first crawling begins at the root node and explores all
the neighboring nodes (one level down). Then for each of those nearest
nodes, it explores their unexplored neighbor nodes, and so on, until all
resources are identified. The following illustration depicts the order in
which linked pages are accessed using a breadth-first crawl. Node 1 has
links to nodes 2, 3, and 4. Node 2 has links to nodes 5 and 6.
Enable keyword search audit (only available during a 'crawl only')
A keyword search, as its name implies, uses an attack engine that examines
server responses and searches for certain text strings that typically indicate
a vulnerability. Normally, this engine is not used during a crawl-only scan,
but you can enable it by selecting this option.
Perform redundant page detection
Highly dynamic sites could create an infinite number of resources (pages)
that are virtually identical. If allowed to pursue each resource, Fortify
WebInspect would never be able to finish the scan. This option, however,
allows Fortify WebInspect to identify and exclude processing of redundant
resources.
Limit maximum single URL hits to
Sometimes, the configuration of a site will cause a crawl to loop endlessly
through the same URL. Use this field to limit the number of times a single
URL will be crawled. The default value is 5.
Include parameters in hit count
If you select Limit maximum single URL hits to (above), a counter is
incremented each time the same URL is encountered. However, if you also
select Include parameters in hit count, then when parameters are
appended to the URL specified in the HTTP request, the crawler will crawl
that resource up to the single URL limit. Any differing set of parameters is
treated as unique and has a separate count.
For example, if this option is selected, then "page.aspx?a=1" and "page.aspx?b=1" will both be counted as unique resources (meaning that the crawler has found two pages).
If this option is not selected, then "page.aspx?a=1" and "page.aspx?b=1" will be treated as the same resource (meaning that the crawler has found the same page twice).
Note: This setting applies to both GET and POST parameters.
Limit maximum link traversal sequence to
This option restricts the number of hyperlinks that can be sequentially
accessed as Fortify WebInspect crawls the site. For example, if five
resources are linked as follows:
• Page A contains a hyperlink to Page B
• Page B contains a hyperlink to Page C
• Page C contains a hyperlink to Page D
• Page D contains a hyperlink to Page E
and if this option is set to "3," then Page E will not be crawled. The default
value is 15.
Limit maximum crawl folder depth to
This option limits the number of directories that may be included in a single
request. The default value is 15.
For example, if the URL is
http://www.mysite.com/Dir1/Dir2/Dir3/Dir4/Dir5/Dir6/Dir7
and this option is set to "4," then the contents of directories 5, 6, and 7 will
not be crawled.
Limit maximum crawl count to
This feature restricts the number of HTTP requests sent by the crawler and
should be used only if you experience problems completing a scan of a
large site.
Limit maximum Web form submission to
Normally, when Fortify WebInspect encounters a form that contains
controls having multiple options (such as a list box), it extracts the first
option value from the list and submits the form; it then extracts the second
option value and resubmits the form, repeating this process until all option
values in the list have been submitted. This ensures that all possible links
will be followed.
There are occasions, however, when submitting the complete list of values
would be counterproductive. For example, if a list box named "State"
contains one value for each of the 50 states in the United States, there is
probably no need to submit 50 instances of the form.
Use this setting to limit the total number of submissions that Fortify
WebInspect will perform. The default value is 3.
Suppress Repeated Path Segments
Many sites have text that resembles relative paths that become unusable
URLs after Fortify WebInspect parses them and appends them to the URL
being crawled. These occurrences can result in a runaway scan if paths are
continuously appended, such as /foo/bar/foo/bar/. This setting helps
reduce such occurrences and is enabled by default.
With the setting enabled, the options are:
1 – Detect a single sub-folder repeated anywhere in the URL and reject the
URL if there is a match. For example, /foo/baz/bar/foo/ will match
because “/foo/” is repeated. The repeat does not have to occur adjacently.
2 – Detect two (or more) pairs of adjacent sub-folders and reject the URL if
there is a match. For example, /foo/bar/baz/foo/bar/ will match
because “/foo/bar/” is repeated.
3 – Detect two (or more) sets of three adjacent sub-folders and reject the
URL if there is a match.
4 – Detect two (or more) sets of four adjacent sub-folders and reject the
URL if there is a match.
5 – Detect two (or more) sets of five adjacent sub-folders and reject the
URL if there is a match.
If the setting is disabled, repeating sub-folders are not detected and no
URLs are rejected due to matches.
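As an added example (not HPE or WebInspect code), the following Python implements two of the crawl limits explained in the table above: the single-URL hit limit with and without Include parameters in hit count, and the five Suppress Repeated Path Segments levels, generalised to any level from the two documented cases. The class and function names are this example's own, the sample URLs are constructed, and the choice to treat parameter order as irrelevant is this example's assumption, not a statement from the documentation.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit


def _folders(url: str) -> list[str]:
    """Sub-folders of the URL path; a final element without a trailing slash is a file name."""
    path = urlsplit(url).path
    parts = [s for s in path.split("/") if s]
    return parts if path.endswith("/") else parts[:-1]


def repeats_path_segments(url: str, level: int) -> bool:
    """True if the URL would be rejected at Suppress Repeated Path Segments level 1-5.

    Level 1: one sub-folder occurs more than once anywhere in the path
    (/foo/baz/bar/foo/ matches because /foo/ repeats).
    Level N >= 2: some run of N adjacent sub-folders occurs two or more times;
    the repeats need not be next to each other (/foo/bar/baz/foo/bar/ matches
    at level 2 because /foo/bar/ repeats).
    """
    if not 1 <= level <= 5:
        raise ValueError("level must be between 1 and 5")
    folders = _folders(url)
    # Every run of `level` adjacent sub-folders; count how often each run occurs.
    runs = [tuple(folders[i:i + level]) for i in range(len(folders) - level + 1)]
    return any(count >= 2 for count in Counter(runs).values())


class UrlHitLimiter:
    """Enforces 'Limit maximum single URL hits to' (the documented default is 5)."""

    def __init__(self, max_hits: int = 5, include_parameters: bool = False) -> None:
        self.max_hits = max_hits
        self.include_parameters = include_parameters
        self.hits: Counter = Counter()

    def key(self, url: str, post_body: str = "") -> str:
        """Identity under which a request is counted."""
        parts = urlsplit(url)
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if not self.include_parameters:
            return base  # page.aspx?a=1 and page.aspx?b=1 count as the same resource
        # Example's assumption: parameter order does not matter, so each set is
        # canonicalised by sorting. GET (query) and POST (body) sets are kept apart.
        get = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
        post = urlencode(sorted(parse_qsl(post_body, keep_blank_values=True)))
        return f"{base}?{get}|{post}"

    def allow(self, url: str, post_body: str = "") -> bool:
        """Record one encounter; True while the request is still within the hit limit."""
        k = self.key(url, post_body)
        self.hits[k] += 1
        return self.hits[k] <= self.max_hits


if __name__ == "__main__":
    # Constructed samples matching the documentation's examples.
    for level in range(1, 6):
        print(level, repeats_path_segments("http://www.mysite.com/foo/bar/baz/foo/bar/", level))
    limiter = UrlHitLimiter(max_hits=5, include_parameters=False)
    for q in ("a=1", "b=1"):
        print(q, limiter.allow(f"http://www.mysite.com/page.aspx?{q}"))
```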
Audit Details
If you select a depth-first crawl, you can also elect to retrace the crawl path for each parameter attack, as
opposed to applying all attacks as the crawl progresses. This considerably increases the time required to
conduct a scan.
Scan Settings: Content Analyzers
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Content Analyzers.
Flash
If you enable the Flash analyzer, Fortify WebInspect analyzes Flash files, Adobe's vector graphics-based
resizable animation format.
JavaScript/VBScript
The JavaScript/VBScript analyzer is always enabled. It allows Fortify WebInspect to crawl links defined
by JavaScript or Visual Basic script, and to create and audit any documents rendered by JavaScript.
Tip: To increase the speed at which Fortify WebInspect conducts a crawl while analyzing script,
change your browser options so that images/pictures are not displayed.
Configure the settings in the lower pane of the window, as described below.
Option
Description
Crawl links found from script execution
If you select this option, the crawler will follow dynamic
links (i.e., links generated during JavaScript execution).
Reject script include file requests to offsite hosts
Pages downloaded from a server may contain scripts that
retrieve files and dynamically render their content. An
example JavaScript "include file" request is:
<script type="text/javascript"
src="www.badsite.com/yourfile.htm"></script>
Fortify WebInspect will download and parse such files,
regardless of their origin or file type, unless you select the
Reject Script option. It will then download the files only if
permitted by the parameters normally governing file
handling (such as session and attack exclusions, allowed
hosts, etc.).
Create script event sessions
Fortify WebInspect creates and saves a session for each
change to the Document Object Model (DOM).
Verbose script parser debug logging
If you select this setting and if the Application setting for
logging level is set to Debug, Fortify WebInspect logs
every method called on the DOM object. This can easily
create several gigabytes of data for medium and large
sites.
Log JavaScript errors
    Fortify WebInspect logs JavaScript parsing errors from the script parsing engine.
Enable JS Framework UI Exclusions
    If you select this option, the Fortify WebInspect JavaScript parser ignores common jQuery and Ext JS user interface components, such as a calendar control or a ribbon bar. These items are then excluded from JavaScript execution during the scan.
Max script events per page
    Certain scripts endlessly execute the same events. You can limit the number of events allowed on a single page to a value between 1 and 9999. The default value is 1000.
Enable classic script engine
    The script engine first provided in Fortify WebInspect 10.00 operates more like a browser and supports more web applications than the script engine used in previous Fortify WebInspect versions. Select this option to use the previous script engine instead.
Enable Advanced JS Framework Support
    When this option is selected, Fortify WebInspect can recognize certain JavaScript frameworks and execute script more intelligently by recognizing patterns that these frameworks use. This option is available only for the script engine of Fortify WebInspect 10.00 or later and is disabled if you select the Enable classic script engine option.
Enable Site-Wide Event Reduction
    When this option is selected, the crawler and JavaScript engine recognize common functional areas that appear in different parts of the website, such as common menus or page footers. This eliminates the need to find, within HTML content, dynamic links and forms that have already been crawled, resulting in quicker scans. This option is enabled by default and should not normally be disabled.
Silverlight
If you enable the Silverlight analyzer, Fortify WebInspect analyzes Silverlight applications, which
provide functionalities similar to those in Adobe Flash, integrating multimedia, graphics, animations and
interactivity into a single runtime environment.
Scan Settings: Requestor
A requestor is the software module that handles HTTP requests and responses.
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Requestor.
Requestor Performance
The following options are available:
Option
Description
Use a shared requestor
    If you select this option, the crawler and the auditor use a common requestor when scanning a site, and each thread uses the same state, which is also shared by both modules. This replicates the technique used by previous versions of Fortify WebInspect and is suitable when maintaining state is not a significant consideration. You also specify the maximum number of threads (up to 75).
Use separate requestors
    If you select this option, the crawler and auditor use separate requestors. Also, the auditor's requestor associates a state with each thread, rather than having all threads use the same state. This method results in significantly faster scans.
    When performing crawl and audit, you can specify the maximum number of threads that can be created for each requestor. The Crawl requestor thread count can be configured to send up to 25 concurrent HTTP requests before waiting for an HTTP response to the first request; the default setting is 5. The Audit requestor thread count can be set to a maximum of 50; the default setting is 10. Increasing the thread counts may increase the speed of a scan, but might also exhaust your system resources as well as those of the server you are scanning.
    Note: Depending on the capacity of the application being scanned, increasing thread counts may increase request failures due to increased load on the server, causing some responses to exceed the Request timeout setting. Request failures may reduce scan coverage because the responses that failed may have exposed additional attack surface or revealed vulnerabilities. If you notice increased request failures, you might reduce them by either increasing the Request timeout or reducing the Crawl requestor thread count and Audit requestor thread count.
    Also, depending on the nature of the application being scanned, increased crawl thread counts may reduce consistency between subsequent scans of the same site due to differences in crawl request ordering. Reducing the Crawl requestor thread count setting to 1 may increase consistency.
Requestor Settings
The following options are available:
Option
Description
Limit maximum response size to
    Select this option to limit the size of accepted server responses, and then specify the maximum size (in kilobytes). The default is 1000 kilobytes. Note that Flash files (.swf) and JavaScript "include" files are not subject to this limitation.
Request retry count
    Specify how many times Fortify WebInspect will resubmit an HTTP request after receiving a "failed" response (defined as any socket error or request timeout). The value must be greater than zero.
Request timeout
    Specify how long Fortify WebInspect will wait for an HTTP response from the server. If this threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry count. If it then receives no response, Fortify WebInspect logs the timeout and issues the first HTTP request in the next attack series. The default value is 20 seconds.
    Note: The first time a timeout occurs, Fortify WebInspect extends the timeout period to confirm that the server is unresponsive. If the server responds within the extended Request timeout period, the extended period becomes the new Request timeout for the current scan.
Stop Scan if Loss of Connectivity Detected
There may be occasions during a scan when a Web server fails or becomes too busy to respond in a
timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold for the
number of timeouts.
The following options are available:
Option
Description
Consecutive 'single host' retry failures to stop scan
    Enter the number of consecutive timeouts permitted from one specific server. The default value is 75.
Consecutive 'any host' retry failures to stop scan
    Enter the total number of consecutive timeouts permitted from all hosts. The default value is 150.
Nonconsecutive 'single host' retry failures to stop scan
    Enter the total number of nonconsecutive timeouts permitted from a single host. The default value is "unlimited."
Nonconsecutive 'any host' request failures to stop scan
    Enter the total number of nonconsecutive timeouts permitted from all hosts. The default value is 350.
If first request fails, stop scan
    Selecting this option forces Fortify WebInspect to terminate the scan if the target server does not respond to Fortify WebInspect's first request.
Response codes to stop scan if received
    Enter the HTTP status codes that, if received, will force Fortify WebInspect to terminate the scan. Use a comma to separate entries; use a hyphen to specify an inclusive range of codes (for example, 500, 502-504).
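The following Python is an added example, not code from this guide or from the WebInspect product: it models the Request retry count together with the loss-of-connectivity thresholds and stop codes described above, driven by a simulated transport so it runs offline (a transport result of None stands for a socket error or timeout; the Request timeout extension described in the note is not modelled). All class, field and function names are assumptions.

```python
# Added example (not WebInspect code): a requestor that applies the Request
# retry count and the "Stop Scan if Loss of Connectivity Detected" thresholds
# to a constructed stream of responses.  The transport is simulated (None
# stands for a socket error or timeout); names and structure are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class StopScan(Exception):
    """Raised when a loss-of-connectivity threshold or a stop code is hit."""


@dataclass
class RequestorSettings:
    retry_count: int = 3                      # Request retry count (> 0)
    single_host_consecutive: int = 75         # Consecutive 'single host' retry failures
    any_host_consecutive: int = 150           # Consecutive 'any host' retry failures
    single_host_total: Optional[int] = None   # Nonconsecutive 'single host' ("unlimited")
    any_host_total: int = 350                 # Nonconsecutive 'any host' request failures
    stop_if_first_fails: bool = False         # If first request fails, stop scan
    stop_codes: str = ""                      # Response codes to stop scan, e.g. "500,502-504"


def parse_stop_codes(spec: str) -> Set[int]:
    """Expand a comma-separated list with hyphenated inclusive ranges."""
    codes: Set[int] = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


@dataclass
class Requestor:
    settings: RequestorSettings
    transport: Callable[[str, str], Optional[int]]   # (host, path) -> status or None
    sent: int = 0
    first_done: bool = False
    consec: Dict[str, int] = field(default_factory=dict)   # per-host consecutive failures
    total: Dict[str, int] = field(default_factory=dict)    # per-host total failures
    consec_any: int = 0
    total_any: int = 0

    def __post_init__(self):
        if self.settings.retry_count <= 0:
            raise ValueError("Request retry count must be greater than zero")
        self.stop_codes = parse_stop_codes(self.settings.stop_codes)

    def request(self, host, path):
        """One logical request: the first attempt plus retry_count resubmits."""
        status = None
        for _ in range(1 + self.settings.retry_count):
            self.sent += 1
            status = self.transport(host, path)
            if status is not None:
                break
        if status is None:
            self._failed(host)
        else:
            self.consec[host] = self.consec_any = 0
            if status in self.stop_codes:
                raise StopScan(f"response code {status} from {host}")
        self.first_done = True
        return status

    def _failed(self, host):
        s = self.settings
        if s.stop_if_first_fails and not self.first_done:
            raise StopScan("first request failed")
        self.consec[host] = self.consec.get(host, 0) + 1
        self.total[host] = self.total.get(host, 0) + 1
        self.consec_any += 1
        self.total_any += 1
        if self.consec[host] >= s.single_host_consecutive:
            raise StopScan(f"{host}: consecutive retry failures")
        if self.consec_any >= s.any_host_consecutive:
            raise StopScan("any host: consecutive retry failures")
        if s.single_host_total is not None and self.total[host] >= s.single_host_total:
            raise StopScan(f"{host}: nonconsecutive retry failures")
        if self.total_any >= s.any_host_total:
            raise StopScan("any host: nonconsecutive request failures")


def demo() -> dict:
    """Drive the requestor against constructed transports; return the outcomes."""
    out = {}
    # Dead host: 3 attempts per logical request, stop after 3 failed requests.
    r = Requestor(RequestorSettings(retry_count=2, single_host_consecutive=3),
                  transport=lambda host, path: None)
    try:
        for i in range(10):
            r.request("app.example", f"/page{i}")
        out["dead_host"] = ("completed", r.sent)
    except StopScan as exc:
        out["dead_host"] = (str(exc), r.sent)
    # A 503 inside the configured stop range ends the scan at once.
    r2 = Requestor(RequestorSettings(stop_codes="500-504"), transport=lambda host, path: 503)
    try:
        r2.request("app.example", "/")
        out["stop_code"] = "completed"
    except StopScan as exc:
        out["stop_code"] = str(exc)
    # Every fourth attempt times out: under the defaults, retries absorb it.
    calls = [0]

    def flaky(host, path):
        calls[0] += 1
        return None if calls[0] % 4 == 0 else 200

    r3 = Requestor(RequestorSettings(), transport=flaky)
    statuses = [r3.request("app.example", f"/p{i}") for i in range(20)]
    out["flaky"] = (statuses.count(200), r3.sent)
    return out
```

The third scenario is the one to keep in mind when tuning thread counts: with the default retry count of 3, an intermittent timeout costs extra requests but no coverage, whereas a host that stops answering altogether trips the consecutive-failure threshold after a bounded number of attempts rather than stalling the scan.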
Scan Settings: Session Storage
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Session Storage.
Log Rejected Session to Database
You can specify which rejected sessions should be saved to the Fortify WebInspect database. This saved
information can be used for two purposes.
- If you pause a scan, change any of the settings associated with the Reject Reasons in this panel, and then resume the scan, Fortify WebInspect retrieves the saved data and sends HTTP requests that previously were suppressed.
- HPE Security Fortify Support personnel can extract the generated (but not sent) HTTP requests for analysis.
Sessions may be rejected for the reasons cited in the following table:
Reject Reason
Explanation
Invalid Host
    Any host that is not specified in Default (or Current) Scan Settings/Scan Settings/Allowed Hosts.
Excluded File Extension
    Files having an extension that is excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected File Extensions; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected File Extensions; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected File Extensions.
Excluded URL
    URLs or hosts that are excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded or Rejected URLs and Hosts; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded or Rejected URLs and Hosts.
Outside Root URL
    If the Restrict to Folder option is selected when starting a scan, any resource not qualified by the available options (Directory Only, Directory and Subdirectories, or Directory and Parent Directories).
Maximum Folder Depth Exceeded
    HTTP requests were not sent because the value specified by the Limit maximum crawl folder depth to option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.
Maximum URL Hits
    HTTP requests were not sent because the value specified by the Limit Maximum Single URL hits to option in Default (or Current) Scan Settings/Scan Settings/General has been exceeded.
404 Response Code
    In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine File Not Found (FNF) using HTTP response codes is selected and the response contains a code that matches the requirements.
Solicited File Not Found
    In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Auto detect FNF page is selected and Fortify WebInspect determined that the response constituted a "file not found" condition.
Custom File Not Found
    In the Default (or Current) Scan Settings/Scan Settings/File Not Found group, the option Determine FNF from custom supplied signature is selected and the response contains one of the specified phrases.
Rejected Response
    Files having a MIME type that is excluded by settings specified in Default (or Current) Scan Settings/Scan Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan Settings/Crawl Settings/Session Exclusions/Excluded MIME Types; also Default (or Current) Scan Settings/Audit Settings/Session Exclusions/Excluded MIME Types.
Session Storage
Fortify WebInspect normally saves only those attack sessions in which a vulnerability was discovered. To
save all attack sessions, select Save non-vulnerable attack sessions.
Scan Settings: Session Exclusions
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Session Exclusions.
These settings apply to both the crawl and audit phases of a Fortify WebInspect vulnerability scan. To
specify exclusions for only the crawl or only the audit, use the Crawl Settings: Session Exclusions page
or the Audit Settings: Session Exclusions page.
Excluded or Rejected File Extensions
You can identify a file type and then specify whether you want to exclude or reject it.
- Reject - Fortify WebInspect will not request files of the type you specify.
- Exclude - Fortify WebInspect will request the files, but will not attack them (during an audit) and will not examine them for links to other resources.
By default, most image, drawing, media, audio, video, and compressed file types are rejected.
To add a file extension:
1. Click Add.
The Exclusion Extension window opens.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click OK.
Excluded MIME Types
Fortify WebInspect will not process files associated with the MIME type you specify. By default, image,
audio, and video types are excluded.
To add a MIME Type:
1. Click Add.
The Provide a Mime-type to Exclude window opens.
2. In the Exclude Mime-Type field, enter a MIME type.
3. Click OK.
Other Exclusion/Rejection Criteria
You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component:
- Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For example, you should usually reject any URL that deals with logging off the site, since you don't want to log out of the application before the scan is completed.
- Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified host or URL. If you want to access the URL or host without processing the HTTP response, select the Exclude option, but do not select Reject. For example, to check for broken links on URLs that you don't want to process, select only the Exclude option.
Editing Criteria
To edit the default criteria:
1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
2. Select either Host or URL.
3. In the Host or URL field, enter a URL or fully qualified host name, or a regular expression designed
to match the targeted URL or host.
4. Select either Reject, Exclude, or both.
5. Click OK.
Adding Criteria
To add exclusion/rejection criteria:
1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
2. Select an item from the Target list.
3. If you selected Query Parameter or Post Parameter as the target, enter the Target Name.
4. From the Match Type list, select the method to be used for matching text in the target:
- matches regex - Matches the regular expression you specify in the Match String field.
- matches regex extension - Matches a syntax available from HPE's regular expression extensions that you specify in the Match String field. For information about the Regular Expression Editor, see the "Regular Expression Editor" chapter in the HPE Security Fortify WebInspect Tools Guide.
- matches - Matches the text string you specify in the Match String field.
- contains - Contains the text string you specify in the Match String field.
5. In the Match String field, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
6. Click the icon to add the condition (or press Enter).
7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.
9. Click OK.
10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.
Target: URL
Target Name: N/A
Match Type: contains
Match String: Microsoft.com
Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.
Target: URL
Target Name: N/A
Match Type: contains
Match String: logout
Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."
Target: Query parameter
Target Name: username
Match Type: matches
Match String: John
Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/
Target: URL
Target Name: N/A
Match Type: matches regex
Match String: /W3SVC[0-9]*/
Note that [0-9]* also matches a bare /W3SVC/ directory with no digits; use /W3SVC[0-9]+/ if the match should require at least one digit.
Scan Settings: Allowed Hosts
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Allowed Hosts.
Using the Allowed Host Setting
Use the Allowed Host setting to add domains to be crawled and audited. If your Web presence uses multiple domains, add those domains here. For example, if you were scanning "WIexample.com," you would need to add "WIexample2.com" and "WIexample3.com" here if those domains were part of your Web presence and you wanted to include them in the crawl and audit.
You can also use this feature to scan any domain whose name contains the text you specify. For example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed host. As Fortify WebInspect scans the target site, if it encounters a link to any URL containing "myco," it will pursue that link and scan that site's server, repeating the process until all linked sites are scanned. For this hypothetical example, Fortify WebInspect would scan the following domains:
- www.myco.com:80
- contact.myco.com:80
- www1.myco.com
- ethics.myco.com:80
- contact.myco.com:443
- wow.myco.com:80
- mycocorp.com:80
- www.interconnection.myco.com:80
Because the entry is matched against the host name as a pattern, a short value such as "myco" also matches hosts you do not own (a third party's myco-partner.example, for instance), and the scan would then crawl and attack them. Keep the pattern specific to the domains you are authorized to test, for example with an anchored regular expression such as ^([\w-]+\.)*myco\.com(:\d+)?$ (an illustrative expression, not a product default), and review the hosts the crawl reached before running an audit.
Adding Allowed Domains
To add allowed domains:
1. Click Add.
2. On the Specify Allowed Host window, enter a URL (or a regular expression representing a URL)
and click OK.
Note: When specifying the URL, do not include the protocol designator (such as http:// or
https://).
Editing or Removing Domains
To edit or remove an allowed domain:
1. Select a domain from the Allowed Hosts list.
2. Click Edit or Remove.
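The following Python is an added example, not code from this guide or from WebInspect, covering both the Other Exclusion/Rejection Criteria examples (Examples 1 to 4 above) and the Allowed Hosts setting: it classifies candidate URLs as crawl, exclude or reject and labels them with the reason names used in the Session Storage table. The data structures, the evaluation order (host check first, then criteria in order, with Reject taking precedence over Exclude), the case-insensitive "contains" match and the sample URLs are all assumptions; the "strict" host list uses the anchored expression suggested above instead of the bare substring "myco".

```python
# Added example (not WebInspect code): a session filter that applies an
# Allowed Hosts list and Other Exclusion/Rejection Criteria to candidate URLs
# and reports the outcome with the Reject Reason names from the Session
# Storage table.  Criteria reproduce Examples 1-4; data structures,
# evaluation order and case-insensitive "contains" are assumptions.
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Condition:
    target: str            # "URL", "Host", "Query parameter" or "Post parameter"
    match_type: str        # "contains", "matches" or "matches regex"
    match_string: str
    target_name: str = ""  # parameter name, for the parameter targets only


@dataclass(frozen=True)
class Criterion:
    conditions: Tuple[Condition, ...]   # multiple conditions are ANDed
    reject: bool = False
    exclude: bool = False


def _matches(match_type: str, needle: str, value: str) -> bool:
    if match_type == "contains":
        return needle.lower() in value.lower()
    if match_type == "matches":
        return needle == value
    if match_type == "matches regex":
        return re.search(needle, value) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def _values(cond: Condition, url: str, post_data: str) -> Sequence[str]:
    """Pull the part(s) of the session that the condition inspects."""
    parts = urlsplit(url)
    if cond.target == "URL":
        return [url]
    if cond.target == "Host":
        return [parts.hostname or ""]
    if cond.target == "Query parameter":
        source = parts.query
    elif cond.target == "Post parameter":
        source = post_data
    else:
        raise ValueError(f"unknown target {cond.target!r}")
    return [v for k, v in parse_qsl(source, keep_blank_values=True) if k == cond.target_name]


def criterion_hit(crit: Criterion, url: str, post_data: str = "") -> bool:
    return all(any(_matches(c.match_type, c.match_string, v) for v in _values(c, url, post_data))
               for c in crit.conditions)


def classify(url: str, allowed_hosts: Sequence[str], criteria: Sequence[Criterion],
             post_data: str = "") -> Tuple[str, Optional[str]]:
    """Return ('reject', reason), ('exclude', reason) or ('crawl', None)."""
    netloc = urlsplit(url).netloc            # host[:port], as in the Allowed Hosts list
    if not any(re.search(pattern, netloc) for pattern in allowed_hosts):
        return ("reject", "Invalid Host")
    for crit in criteria:
        if criterion_hit(crit, url, post_data):
            if crit.reject:
                return ("reject", "Excluded URL")
            if crit.exclude:
                return ("exclude", "Excluded URL")
    return ("crawl", None)


# Examples 1-4 from the Other Exclusion/Rejection Criteria section.
CRITERIA = (
    Criterion((Condition("URL", "contains", "Microsoft.com"),), reject=True),
    Criterion((Condition("URL", "contains", "logout"),), reject=True),
    Criterion((Condition("Query parameter", "matches", "John", "username"),), exclude=True),
    Criterion((Condition("URL", "matches regex", r"/W3SVC[0-9]+/"),), exclude=True),
)
LOOSE_ALLOWED = ["myco"]                                   # the substring from the text
STRICT_ALLOWED = [r"^([\w-]+\.)*myco\.com(:\d+)?$"]         # anchored to domains you own

# Constructed candidate URLs, including a look-alike host a substring match lets through.
SAMPLE_URLS = [
    "http://www.myco.com/index.html",
    "http://www.myco.com/app/logout.asp",
    "http://contact.myco.com:443/profile?username=John",
    "http://www.myco.com/W3SVC55/default.htm",
    "http://www.myco.com/redirect?to=Microsoft.com",
    "http://myco.attacker.example:80/",
]


def demo() -> dict:
    return {name: {u: classify(u, hosts, CRITERIA) for u in SAMPLE_URLS}
            for name, hosts in (("loose", LOOSE_ALLOWED), ("strict", STRICT_ALLOWED))}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for url, verdict in results.items():
            print(f"  {verdict[0]:8} {verdict[1] or '':14} {url}")
```

Running it shows the two points the text makes only in prose: a "contains" criterion fires anywhere in the URL, so the Microsoft.com rule also rejects a same-site redirect URL that merely mentions that host; and the loose allowed-host entry lets myco.attacker.example through to be crawled, while the anchored entry rejects it as an Invalid Host.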
Scan Settings: HTTP Parsing
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click HTTP Parsing.
Options
The HTTP Parsing options are described in the following table:
Option
Description
HTTP Parameters Used for State
    If your application uses URL rewriting or post data techniques to maintain state within a Web site, you must identify which parameters are used. For example, a PHP4 script can create a constant of the session ID named SID, which is available inside a session. By appending this to the end of a URL, the session ID becomes available to the next page. The actual URL might look something like the following:
    .../page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
    Because session IDs change with each connection, an HTTP request containing this URL would create an error when you tried to replay it. However, if you identify the parameter (PHPSESSID in this example), Fortify WebInspect will replace its assigned value with the new session ID obtained from the server each time the connection is made.
    Similarly, some state management techniques use post data to pass information. For example, the HTTP message content may include userid=slbhkelvbkl73dhj. In this case, "userid" is the parameter you would identify.
    Note: You need to identify parameters only when the application uses URL rewriting or posted data to manage state. It is not necessary when using cookies.
    Fortify WebInspect can identify potential parameters if they occur as posted data or if they exist within the query string of a URL. However, if your application embeds session data in the URL as extended path information, you must provide a regular expression to identify it. In the following example, "1234567" is the session information:
    http://www.onlinestore.com/bikes/(1234567)/index.html
    The regular expression for identifying the parameter would be: /\([\w\d]+\)/
Enable CSRF
    Select the Enable CSRF option only if the site you are scanning includes Cross-Site Request Forgery (CSRF) tokens, as it adds overhead to the process. For more information, see CSRF.
Determine State from URL Path
    If your application determines state from certain components in the URL path, select this check box and add one or more regular expressions that identify those components. Two default regular expressions identify two ASP.NET cookieless session IDs. The third regular expression matches the jsessionid cookie.
HTTP Parameters Used for Navigation
    Some sites contain only one directly accessible resource, and then rely on query strings to deliver the requested information, as in the following examples:
    - http://www.anysite.com/Master.asp?Page=1
    - http://www.anysite.com/Master.asp?Page=2
    - http://www.anysite.com/Master.asp?Page=13;Subpage=4
    Ordinarily, Fortify WebInspect would assume that these three requests refer to identical resources and would conduct a vulnerability scan on only one of them. Therefore, if your target Web site employs this type of architecture, you must identify the specific resource parameters that are used.
    The first two examples contain one resource parameter: "Page." The third example contains two parameters: "Page" and "Subpage."
    To identify resource parameters:
    1. Click Add.
    2. On the HTTP Parameter window, enter the parameter name and click OK.
    The string you entered appears in the Parameter list.
    3. Repeat this procedure for additional parameters.
Advanced HTTP Parsing
    Most Web pages contain information that tells the browser what character set to use. This is accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV attribute) in the HEAD section of the HTML document.
    For pages that do not announce their character set, you can use the Assumed 'charset' encoding field to specify which language family (and implied character set) Fortify WebInspect should use.
    The Treat query parameter value as parameter name when only value is present check box determines how Fortify WebInspect interprets query parameters without values. For example:
    http://somehost?param
    If this check box is selected, Fortify WebInspect interprets "param" as a parameter named "param" with an empty value.
    If this check box is not selected, Fortify WebInspect interprets "param" as a nameless parameter with the value "param".
    This setting can influence the way Fortify WebInspect calculates the hit count (see the Limit maximum single URL hits to setting under "Scan Settings: General" on page 313). This setting is useful for scenarios in which a URL contains an anti-caching parameter. These often take the form of a numeric counter or time stamp. For example, the following parameters are numeric counters:
    - http://somehost?1234567
    - http://somehost?1234568
    In such cases, the value changes for each request. If the value is treated as the parameter name, and the "Include parameters in hit count" setting is selected, the crawl count may inflate artificially, increasing the scan time. In these cases, clearing the Treat query parameter value as parameter name when only value is present check box prevents these counters from contributing to the hit count and produces a more reasonable scan time.
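The following Python is an added example, not code from this guide or from WebInspect: it shows how the HTTP Parsing settings above change the identity a crawler counts hits against (state parameters, navigation parameters, the "treat value as parameter name" switch and an extended-path state expression), and how a stale state token is replaced with the latest server-issued value before a request is replayed. The key format and function names are assumptions, the replacement session IDs are constructed, and the path expression from the text is wrapped in a capture group so the token can be substituted.

```python
# Added example (not WebInspect code): how the HTTP Parsing settings change
# the identity a crawler counts hits against, and how a state parameter is
# refreshed before a request is replayed.  resource_key() honours HTTP
# Parameters Used for State and for Navigation, the "Treat query parameter
# value as parameter name" switch and an extended-path state regex;
# rewrite_state() substitutes the latest server-issued token.  Key format
# and names are assumptions; the text's path regex is wrapped in a group.
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit, urlunsplit


def _split_query(query: str, value_is_name: bool) -> List[Tuple[str, str]]:
    """Split a query string on & or ;.  A lone token is a name with an empty
    value when the check box is selected, otherwise a nameless value."""
    pairs = []
    for item in re.split(r"[&;]", query) if query else []:
        if not item:
            continue
        if "=" in item:
            name, value = item.split("=", 1)
        elif value_is_name:
            name, value = item, ""
        else:
            name, value = "", item
        pairs.append((name, value))
    return pairs


def resource_key(url: str, nav_params: Sequence[str] = (), state_params: Sequence[str] = (),
                 path_state_regex: Optional[str] = None, value_is_name: bool = True,
                 include_params: bool = False) -> str:
    """Fold a URL down to the resource the hit count is kept against."""
    parts = urlsplit(url)
    path = parts.path
    if path_state_regex:                       # e.g. /bikes/(1234567)/ -> /bikes/{state}/
        path = re.sub(path_state_regex, "/{state}/", path, count=1)
    pairs = [(n, v) for n, v in _split_query(parts.query, value_is_name) if n not in state_params]
    key = f"{parts.scheme}://{parts.netloc}{path}"
    nav = sorted((n, v) for n, v in pairs if n in nav_params)
    if nav:                                    # navigation parameters make distinct resources
        key += "?" + "&".join(f"{n}={v}" for n, v in nav)
    if include_params:                         # "Include parameters in hit count": names only
        key += " params=" + ",".join(sorted({n for n, _ in pairs}))
    return key


def count_hits(urls: Iterable[str], **settings) -> Dict[str, int]:
    hits: Dict[str, int] = {}
    for url in urls:
        key = resource_key(url, **settings)
        hits[key] = hits.get(key, 0) + 1
    return hits


def rewrite_state(url: str, state_params: Sequence[str], latest: Dict[str, str],
                  path_state_regex: Optional[str] = None) -> str:
    """Replace stale state values with the latest ones observed from the server.
    Query-style parameters are looked up by name; an extended-path token (the
    first capture group of path_state_regex) is looked up under '<path>'."""
    parts = urlsplit(url)
    pairs = [(n, latest.get(n, v) if n in state_params else v)
             for n, v in _split_query(parts.query, True)]
    query = "&".join(f"{n}={v}" if n else v for n, v in pairs)
    path = parts.path
    if path_state_regex and "<path>" in latest:
        def swap(m: "re.Match") -> str:
            start, end = m.start(1) - m.start(), m.end(1) - m.start()
            return m.group(0)[:start] + latest["<path>"] + m.group(0)[end:]
        path = re.sub(path_state_regex, swap, path, count=1)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def demo() -> dict:
    master = ["http://www.anysite.com/Master.asp?Page=1",
              "http://www.anysite.com/Master.asp?Page=2",
              "http://www.anysite.com/Master.asp?Page=13;Subpage=4"]
    counters = ["http://somehost?1234567", "http://somehost?1234568"]
    return {
        "master_default": len(count_hits(master)),
        "master_nav": len(count_hits(master, nav_params=("Page", "Subpage"))),
        "counter_inflated": len(count_hits(counters, value_is_name=True, include_params=True)),
        "counter_folded": len(count_hits(counters, value_is_name=False, include_params=True)),
        "query_rewritten": rewrite_state(
            "http://www.example.com/page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01",
            ("PHPSESSID",), {"PHPSESSID": "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"}),
        "path_rewritten": rewrite_state(
            "http://www.onlinestore.com/bikes/(1234567)/index.html", (),
            {"<path>": "7654321"}, path_state_regex=r"/\(([\w\d]+)\)/"),
    }
```

With no navigation parameters the three Master.asp URLs collapse to one resource and only one of them is audited; naming Page and Subpage yields three. The two anti-caching counters produce two hit-count keys when the lone value is treated as a parameter name and one when it is not, which is the inflation the text warns about.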
Scan Settings: Custom Parameters
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Custom Parameters.
Custom Parameters are used to accommodate sites that use URL rewriting techniques and/or Representational State Transfer (REST) web services technologies. You can write rules for these custom parameters, or you can import rules from a common configuration file written in Web Application Description Language (WADL). In addition to applying the rules that you define or import, Fortify WebInspect will attempt (during a scan) to identify custom parameters and create rules to accommodate them.
URL Rewriting
Many dynamic sites use URL rewriting because static URLs are easier for users to remember and are
easier for search engines to index the site. For example, an HTTP request such as
http://www.pets.com/ShowProduct/7
is sent to the server's rewrite module, which converts the URL to the following:
http://www.pets.com/ShowProduct.php?product_id=7
In this example, the URL causes the server to execute the php script "ShowProduct" and display the
information for product number 7.
When Fortify WebInspect scans a page, it must be able to determine which elements are variables so
that its attack agents can thoroughly check for vulnerabilities. To enable this, you must define rules that
identify these elements. You can do so using a proprietary Fortify WebInspect syntax.
Examples:
- HTML: <a href="someDetails/user1/">User 1 details</a>
  Rule: /someDetails/{username}/
- HTML: <a href="TwoParameters/Details/user1/Value2">User 1 details</a>
  Rule: /TwoParameters/Details/{username}/{parameter2}
- HTML: <a href="/Value2/PreFixParameter/Details/user1">User 1 details</a>
  Rule: /{parameter2}/PreFixParameter/Details/{username}
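The following Python is an added example, not code from this guide or from WebInspect: it turns a rule written in the {name} placeholder syntax shown above into a regular expression, pulls the named values out of the links on a constructed page, and rebuilds a URL with an attack payload in one of the extracted parameters, which is what a scanner needs the rule for. How a rule maps to an expression (each placeholder matches exactly one path segment, everything else is literal) is an assumption drawn only from the three examples; the base URL and the ShowProduct rule are assumed.

```python
# Added example (not WebInspect code): compile a custom-parameter rule in the
# {name} placeholder syntax into a regular expression, extract parameter values
# from links, and rebuild a URL with an attack payload in one parameter.  The
# rule-to-regex mapping (one path segment per placeholder, literal text
# elsewhere) is an assumption based on the three exam ples; base URL assumed.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, urljoin, urlsplit, urlunsplit

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def compile_rule(rule: str):
    """'/someDetails/{username}/' -> ^/someDetails/(?P<username>[^/]+)/?$"""
    rule = rule.rstrip("/")
    pattern, pos = "", 0
    for m in PLACEHOLDER.finditer(rule):
        pattern += re.escape(rule[pos:m.start()]) + f"(?P<{m.group(1)}>[^/]+)"
        pos = m.end()
    pattern += re.escape(rule[pos:])
    return re.compile("^" + pattern + "/?$")


def extract_params(rules: List[Tuple[str, "re.Pattern"]], url: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (rule, {name: value}) for the first rule whose pattern matches the URL path."""
    path = urlsplit(url).path
    for rule, rx in rules:
        m = rx.match(path)
        if m:
            return rule, m.groupdict()
    return None


def build_attack_url(url: str, rule: str, name: str, payload: str) -> str:
    """Replace parameter `name` in url (located via rule) with a URL-encoded payload."""
    parts = urlsplit(url)
    m = compile_rule(rule).match(parts.path)
    if not m or name not in m.groupdict():
        raise ValueError(f"{rule!r} does not match {parts.path!r} or lacks {name!r}")
    path = parts.path[:m.start(name)] + quote(payload, safe="") + parts.path[m.end(name):]
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


# Constructed page: the three anchors from the text plus a ShowProduct link.
BASE = "http://www.pets.com/"
HTML = """
<a href="someDetails/user1/">User 1 details</a>
<a href="TwoParameters/Details/user1/Value2">User 1 details</a>
<a href="/Value2/PreFixParameter/Details/user1">User 1 details</a>
<a href="/ShowProduct/7">Product 7</a>
"""
RULES = [(r, compile_rule(r)) for r in (
    "/someDetails/{username}/",
    "/TwoParameters/Details/{username}/{parameter2}",
    "/{parameter2}/PreFixParameter/Details/{username}",
    "/ShowProduct/{product_id}",
)]


def demo() -> Tuple[Dict[str, Optional[Dict[str, str]]], str]:
    found = {}
    for href in re.findall(r'href="([^"]+)"', HTML):
        url = urljoin(BASE, href)
        hit = extract_params(RULES, url)
        found[url] = hit[1] if hit else None
    attack = build_attack_url(BASE + "ShowProduct/7", "/ShowProduct/{product_id}",
                              "product_id", "7 OR 1=1")
    return found, attack
```

Rules are tried in order and the first match wins, so a rule with a leading placeholder (the third example) should be listed after more specific ones; a path no rule matches yields None, which is the case the automatic seeding option described later exists to catch.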
RESTful Services
A RESTful web service (also called a RESTful web API) is a simple Web service implemented using HTTP
and the principles of REST. It has gained widespread acceptance across the Web as a simpler alternative
to web services based on SOAP and Web Services Description Language (WSDL).
The following request adds a name to a file using an HTTP query string:
GET /adduser?name=Robert HTTP/1.1
This same function could be achieved by using the following method with a Web service. Note that the
parameter names and values have been moved from the request URI and now appear as XML tags in
the request body.
POST /users HTTP/1.1
Host: myserver
Content-Type: application/xml

<?xml version="1.0"?>
<user>
<name>Robert</name>
</user>
In the case of both URL rewriting and RESTful web services, you must create rules that instruct Fortify
WebInspect how to create the appropriate requests.
Creating a Rule
To create a rule:
1. Click New Rule.
2. In the Expression column, enter a rule. See Path Matrix Parameters for guidelines and examples.
The Enabled check box is selected by default. Fortify WebInspect examines the rule and, if it is valid,
removes the red X.
Deleting a Rule
To delete a rule:
1. Select a rule from the Custom Parameters Rules list.
2. Click Delete.
Disabling a Rule
To disable a rule without deleting it:
1. Select a rule.
2. Clear the check mark in the Enabled column.
Importing Rules
To import a file containing rules:
1. Click the import icon.
2. Using a standard file-selection dialog, select the type of file (.wadl or .txt) containing the custom
rules you want to apply.
3. Locate the file and click Open.
Enable automatic seeding of rules that were not used during scan
The most reliable rules for custom parameters are those deduced from a WADL file or created by
developers of the Web site. If a rule is not invoked during a scan (because the rule doesn't match any
URL), then Fortify WebInspect can programmatically assume that a valid portion of the site has not
been attacked. Therefore, if you select this option, Fortify WebInspect will create sessions to exercise
these unused rules in an effort to expand the attack surface.
Double Encode URL Parameters
Double-encoding is an attack technique that encodes user request parameters twice in hexadecimal
format in an attempt to bypass security controls or cause unexpected behavior from the application. For
example, a cross-site scripting (XSS) attack might normally appear as:
<script>alert('FOO')</script>
This malicious code could be inserted into a vulnerable application, resulting in an alert window with the
message “FOO.” However, the web application can have a filter that prohibits characters such as < (less
than) > (greater than) and / (forward slash), since they are used to perform Web application attacks.
The attacker could attempt to circumvent this safeguard by using a "double encoding" technique to
exploit the client’s session. The encoding process for this JavaScript is:
Char    Hex encode    Encoded % sign    Double-encoded result
<       %3C           %25               %253C
/       %2F           %25               %252F
>       %3E           %25               %253E
Finally, the malicious code, double-encoded, is:
%253Cscript%253Ealert('FOO')%253C%252Fscript%253E
If you select this option, Fortify WebInspect will create double-encoded URL parameters (instead of
single-encoded parameters) and submit them as part of the attack sequence. This is recommended
when the Web server uses, for example, Apache mod-rewrite plus PHP or Java URL Rewrite Filter 3.2.0.
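The following Python is an added example, not code from this guide or from WebInspect: it produces the double-encoded form shown in the table and demonstrates why it works, by running the payload through a filter that decodes a parameter once and then through a backend that decodes it again, alongside a hardened check that decodes until the value is stable. The filter, the twice-decoding backend and the set of blocked characters are constructed stand-ins for the behaviour the text describes, not any specific product.

```python
# Added example (not WebInspect code): build the double-encoded form of an
# attack string as in the table above, and show why a filter that decodes a
# parameter once is bypassed when the application behind it decodes again.
# The filter, the twice-decoding backend and the blocked character set are
# constructed stand-ins for the behaviour the text describes.
from urllib.parse import quote, unquote

XSS = "<script>alert('FOO')</script>"
BLOCKED = "<>/"            # metacharacters the hypothetical filter rejects


def single_encode(payload: str) -> str:
    """Hex-encode every reserved character: '<' -> '%3C'."""
    return quote(payload, safe="")


def double_encode(payload: str) -> str:
    """Encode once, then encode each '%' again: '%3C' -> '%253C'."""
    return quote(single_encode(payload), safe="")


def naive_filter_allows(param: str) -> bool:
    """Decode exactly once, then look for raw metacharacters (the weak check)."""
    decoded = unquote(param)
    return not any(ch in decoded for ch in BLOCKED)


def backend_value(param: str) -> str:
    """A backend that decodes twice, e.g. a rewrite layer and then the script runtime."""
    return unquote(unquote(param))


def fully_decode(param: str, limit: int = 5) -> str:
    """Hardened: keep decoding until the value is stable, bounding the depth."""
    current = param
    for _ in range(limit):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many encoding layers")


def hardened_filter_allows(param: str) -> bool:
    """Inspect the value the backend will actually see."""
    return not any(ch in fully_decode(param) for ch in BLOCKED)


def demo() -> dict:
    once, twice = single_encode(XSS), double_encode(XSS)
    return {
        "double_encoded": twice,
        "naive_blocks_single": not naive_filter_allows(once),
        "naive_blocks_double": not naive_filter_allows(twice),
        "backend_sees": backend_value(twice),
        "hardened_blocks_double": not hardened_filter_allows(twice),
    }
```

The naive filter rejects the single-encoded payload but passes the double-encoded one, because after one decode it sees only %3C and %3E, which are harmless text; the backend's second decode then restores the script. The hardened check normalizes to the same value the backend will see, which is the property any input filter in front of a decoding rewrite layer needs.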
Scan Settings: Filters
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Filters.
Use the Filters settings to add search-and-replace rules for HTTP requests and responses. This feature
is used most often to avoid the disclosure of sensitive data such as credit card numbers, employee
names, or social security numbers. It is a means of disguising information that you do not want to be
viewed by persons who use Fortify WebInspect or those who have access to the raw data or generated
reports.
If the text you specify is found, Fortify WebInspect reports it on the Information tab as a "Hidden
Reference Found" vulnerability.
Options
The Filter options are described in the following table:
Option
Description
Filter HTTP Request
Content
Use this area to specify search-and-replace rules for HTTP requests.
Filter HTTP Response
Content
Use this area to specify search-and-replace rules for HTTP responses.
Adding Rules for Finding and Replacing Keywords
To add a regular expression rule for finding or replacing keywords in requests or responses:
1. In either the Request Content or the Response Content group, click Add.
The Add Request/Response Data Filter Criteria window opens.
2. In the Search For Text field, type (or paste) the string you want to locate (or enter a regular
expression that describes the string).
Click to insert regular expression notations or to launch the Regular Expression Editor (which
facilitates the creation and testing of an expression).
3. In the Search For Text In field, select an area to search:
l For Requests: select All, Headers, or Postdata.
l For Responses: select All, Headers, or Body (that is, the code of the page itself)
4. Type (or paste) the replacement string in the Replace search text with field.
Click for assistance with regular expressions.
5. For case-sensitive searches, select the Case-Sensitive Match check box.
6. Click OK.
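The following Python example is added here and is not part of the product or of this guide. It shows how a filter rule of the kind configured above behaves when applied to a raw HTTP message: the rule carries the same fields as the Add Request/Response Data Filter Criteria window (search text, area to search, replacement, case sensitivity), the search is restricted to the header block or to the body according to the Search For Text In choice, and the number of matches is returned, which is the count the product surfaces as a "Hidden Reference Found" item. The sample request, the rule patterns, the redaction markers and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class FilterRule:
    """One search-and-replace rule with the fields of the Add Request/Response Data Filter Criteria window."""
    search_for: str            # literal text or a regular expression to locate
    search_in: str             # "All", "Headers", "Postdata" (requests) or "Body" (responses)
    replace_with: str          # replacement string
    case_sensitive: bool = False
    is_regex: bool = True      # False: treat search_for as literal text


def split_message(raw):
    """Split a raw HTTP message into (header block, separator, body) at the first blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    return head, sep, body


def apply_rule(raw, rule):
    """Apply one rule to a request or response; returns (filtered message, match count)."""
    pattern = rule.search_for if rule.is_regex else re.escape(rule.search_for)
    compiled = re.compile(pattern, 0 if rule.case_sensitive else re.IGNORECASE)
    head, sep, body = split_message(raw)
    hits = 0
    if rule.search_in in ("All", "Headers"):
        head, n = compiled.subn(rule.replace_with, head)
        hits += n
    if rule.search_in in ("All", "Postdata", "Body"):
        body, n = compiled.subn(rule.replace_with, body)
        hits += n
    return head + sep + body, hits


def apply_rules(raw, rules):
    """Apply rules in order; a later rule sees the output of earlier ones."""
    total = 0
    for rule in rules:
        raw, n = apply_rule(raw, rule)
        total += n
    return raw, total


# Constructed sample request. The card number and SSN are test patterns, not real data.
SAMPLE_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "X-Employee: Jane Doe\r\n"
    "\r\n"
    "card=4111111111111111&ssn=123-45-6789&note=thanks"
)

# Constructed rules: a card-number pattern in post data, an SSN pattern anywhere,
# and a literal (non-regex), case-insensitive employee name in the headers only.
RULES = [
    FilterRule(r"\b\d{13,16}\b", "Postdata", "[CARD-REDACTED]"),
    FilterRule(r"\b\d{3}-\d{2}-\d{4}\b", "All", "[SSN-REDACTED]"),
    FilterRule("jane doe", "Headers", "[EMPLOYEE-REDACTED]", case_sensitive=False, is_regex=False),
]


def filter_sample():
    """Run the constructed rules over the constructed request: (filtered message, hits)."""
    return apply_rules(SAMPLE_REQUEST, RULES)
```

A literal rule is escaped before compiling, so characters such as "." in a name are not treated as regular-expression metacharacters; the case-sensitive flag only changes whether the comparison ignores letter case, so the same literal rule with Case-Sensitive Match selected finds nothing in a header written with different capitalization.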
Scan Settings: Cookies/Headers
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Cookies/Headers.
Standard Header Parameters
This section includes the following options:
Include 'referer' in HTTP request headers: Select this check box to include referer headers in Fortify
WebInspect HTTP requests. The Referer request-header field allows the client to specify, for the
server's benefit, the address (URI) of the resource from which the Request-URI was obtained.
Include 'host' in HTTP request headers: Select this check box to include host headers with Fortify
WebInspect HTTP requests. The Host request-header field specifies the Internet host and port number
of the resource being requested, as obtained from the original URI given by the user or referring
resource (generally an HTTP URL).
Append Custom Headers
Use this section to add, edit, or delete headers that will be included with each audit Fortify WebInspect
performs. For example, you could add a header such as "Alert: You are being attacked by Consultant
ABC" that would be included with every request sent to your company's server when Fortify
WebInspect is auditing that site. You can add multiple custom headers.
The default custom headers are:
Accept: */* (any encoding or file type is acceptable to the crawler)
Pragma: no-cache (forces a fresh response; cached or proxied data is not acceptable)
Adding a Custom Header
To add a custom header:
1. Click Add.
The Specify Custom Header window opens.
2. In the Custom Header field, enter the header using the format <name>: <value>.
3. Click OK.
Append Custom Cookies
Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by
Fortify WebInspect to the server when conducting a vulnerability scan.
The default custom cookie is
CustomCookie=WebInspect;path=/
which is used simply to flag the scan traffic.
Adding a Custom Cookie
To add a custom cookie:
1. Click Add.
The Specify Custom Cookie window opens.
2. In the Custom Cookie field, enter the cookie using the format <name>=<value>.
For example, if you enter
CustomCookie=ScanEngine
then each HTTP-Request will contain the following header:
Cookie: CustomCookie=ScanEngine
3. Click OK.
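The following Python example is added here and is not part of the product or of this guide. It assembles a request header block the way the two sections above describe: the default Accept and Pragma headers, any custom headers entered as <name>: <value>, and a single Cookie header built from entries entered as <name>=<value>. It also applies the check a practitioner wants on operator-supplied strings: the header name must be a valid token and the value must not contain a carriage return or line feed, otherwise a mistyped entry would silently become two headers. The treatment of cookie attributes such as path=/ (kept out of the Cookie request header) and all function names are assumptions made for this example.

```python
import re

# Defaults as listed in the two tables above.
DEFAULT_HEADERS = [("Accept", "*/*"), ("Pragma", "no-cache")]
DEFAULT_COOKIE = "CustomCookie=WebInspect;path=/"

# RFC 7230 token characters, the only ones allowed in a header or cookie name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_custom_header(entry):
    """'<name>: <value>' -> (name, value); rejects non-token names and CR/LF inside the value."""
    name, sep, value = entry.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not _TOKEN.match(name):
        raise ValueError(f"not a '<name>: <value>' header: {entry!r}")
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    return name, value


def parse_custom_cookie(entry):
    """'<name>=<value>[;attributes]' -> 'name=value'.

    Attributes after the first ';' (for example path=/) describe the cookie; this example
    assumes they do not travel in the Cookie request header. The page shows only the
    name=value pair being sent.
    """
    pair = entry.split(";", 1)[0].strip()
    name, sep, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not _TOKEN.match(name):
        raise ValueError(f"not a '<name>=<value>' cookie: {entry!r}")
    if any(ch in value for ch in "\r\n;"):
        raise ValueError("cookie value must not contain CR, LF or ';'")
    return f"{name}={value}"


def build_request(method, path, host, custom_headers=(), custom_cookies=(DEFAULT_COOKIE,)):
    """Return the request line and headers, one string per line, ready to be joined with CRLF."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in DEFAULT_HEADERS:
        lines.append(f"{name}: {value}")
    for entry in custom_headers:
        name, value = parse_custom_header(entry)
        lines.append(f"{name}: {value}")
    cookies = [parse_custom_cookie(entry) for entry in custom_cookies]
    if cookies:
        lines.append("Cookie: " + "; ".join(cookies))
    return lines
```

Calling build_request("GET", "/", "target.example", custom_cookies=["CustomCookie=ScanEngine"]) produces the line Cookie: CustomCookie=ScanEngine shown in the procedure above; several custom cookies are joined into one Cookie header separated by "; ".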
Scan Settings: Proxy
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Proxy.
Options
The Proxy options are described in the following table:
Direct Connection (proxy disabled): Select this option if you are not using a proxy server.
Auto detect proxy settings: Use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy
autoconfig file and configure the browser's Web proxy settings.
Use Internet Explorer proxy settings: Import your proxy server information from Internet Explorer.
Use Firefox proxy settings: Import your proxy server information from Firefox.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a
proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the
Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server will
not be used.
Configure proxy using a PAC file URL: Load proxy settings from a Proxy Automatic Configuration (PAC)
file in the location you specify in the URL field.
Explicitly configure proxy: Configure a proxy by entering the requested information:
1. In the Server field, type the URL or IP address of your proxy server, followed (in the Port field)
by the port number (for example, 8080).
2. Select a protocol for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or standard.
3. If authentication is required, select a type from the Authentication list:
Automatic: Allow Fortify WebInspect to determine the correct authentication type.
Note: Automatic detection slows the scanning process. If you know and specify one of the other
authentication methods, scanning performance is noticeably improved.
Digest: The Windows Server operating system implements the Digest Authentication protocol as a
security support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating
system. Using digest authentication, your password is never sent across the network in the clear, but
is always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Basic: A widely used, industry-standard method for collecting user name and password information.
a. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
b. The Web browser then attempts to establish a connection to a server using the user's credentials.
c. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before failing
the connection and reporting an error to the user.
d. If the Web server verifies that the user name and password correspond to a valid user account, a
connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker can
easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user and
your Web server is secure.
NT LAN Manager (NTLM): NTLM (NT LanMan) is an authentication process that is used by all members of
the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response
process to prove the client's identity without requiring that either a password or a hashed password
be sent across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site. Use caution when configuring Fortify
WebInspect for scans of sites protected by NTLM. After scanning, you may want to disable the NTLM
authentication settings to prevent any potential problem.
Kerberos: Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party,
termed a Key Distribution Center (KDC), which consists of two logically separate parts: an
Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to the
AS, then demonstrates to the TGS that it is authorized to receive a ticket for a service (and
receives it). The client then demonstrates to a Service Server that it has been approved to receive
the service.
Negotiate: The Negotiate authentication protocol begins with the option to negotiate for an
authentication protocol. When the client requests access to a service, the server replies with a list
of authentication protocols that it can support and an authentication challenge based on the protocol
that is its first choice. For example, the server might list Kerberos and NTLM, and send a Kerberos
challenge. The client examines the contents of the reply and checks to determine whether it supports
any of the specified protocols. If the client supports the preferred protocol, authentication
proceeds. If the client does not support the preferred protocol, but does support one of the other
protocols listed by the server, the client lets the server know which authentication protocol it
supports, and the authentication proceeds. If the client does not support any of the listed
protocols, the authentication exchange fails.
4. If your proxy server requires authentication, enter the qualifying user name and password.
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
Specify Alternative Proxy for HTTPS: For proxy servers accepting HTTPS connections, select Specify
Alternative Proxy for HTTPS and provide the requested information.
Scan Settings: Authentication
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Authentication.
Authentication is the verification of identity as a security measure. Passwords and digital signatures are
forms of authentication. You can configure automatic authentication so that a user name and password
will be entered whenever Fortify WebInspect encounters a server or form that requires authentication.
Otherwise, a crawl might be prematurely halted for lack of logon information.
Network Authentication
Select the Scan requires network authentication check box if users must log on to your Web site or
application.
Authentication Method
If authentication is required, select the authentication method as described in the following table:
Automatic: Allow Fortify WebInspect to determine the correct authentication type. Automatic detection
slows the scanning process. If you know and specify one of the other authentication methods, scanning
performance is noticeably improved.
Basic: A widely used, industry-standard method for collecting user name and password information.
1. The Web browser displays a window for a user to enter a previously assigned user name and
password, also known as credentials.
2. The Web browser then attempts to establish a connection to a server using the user's credentials.
3. If a user's credentials are rejected, the browser displays an authentication window to re-enter
the user's credentials. Internet Explorer allows the user three connection attempts before failing
the connection and reporting an error to the user.
4. If the Web server verifies that the user name and password correspond to a valid user account, a
connection is established.
The advantage of Basic authentication is that it is part of the HTTP specification and is supported
by most browsers. The disadvantage is that Web browsers using Basic authentication transmit
passwords in an unencrypted form. By monitoring communications on your network, an attacker can
easily intercept and decode these passwords using publicly available tools. Therefore, Basic
authentication is not recommended unless you are confident that the connection between the user and
your Web server is secure.
NT LAN Manager (NTLM): NTLM (NT LanMan) is an authentication process that is used by all members of
the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response
process to prove the client's identity without requiring that either a password or a hashed password
be sent across the network.
Use NTLM authentication for servers running IIS. If NTLM authentication is enabled, and Fortify
WebInspect has to pass through a proxy server to submit its requests to the Web server, Fortify
WebInspect may not be able to crawl or audit that Web site. Use caution when configuring Fortify
WebInspect for scans of sites protected by NTLM. After scanning, you may want to disable the NTLM
authentication settings to prevent any potential problem.
Digest: The Windows Server operating system implements the Digest Authentication protocol as a
security support provider (SSP), a dynamic-link library (DLL) that is supplied with the operating
system. Using digest authentication, your password is never sent across the network in the clear, but
is always transmitted as an MD5 digest of the user's password. In this way, the password cannot be
determined by sniffing network traffic.
Kerberos: Kerberos uses the Needham-Schroeder protocol as its basis. It uses a trusted third party,
termed a Key Distribution Center (KDC), which consists of two logically separate parts: an
Authentication Server (AS) and a Ticket Granting Server (TGS). The client authenticates itself to the
AS, then demonstrates to the TGS that it is authorized to receive a ticket for a service (and
receives it). The client then demonstrates to a Service Server that it has been approved to receive
the service.
Negotiate: The Negotiate authentication protocol begins with the option to negotiate for an
authentication protocol. When the client requests access to a service, the server replies with a list
of authentication protocols that it can support and an authentication challenge based on the protocol
that is its first choice. For example, the server might list Kerberos and NTLM, and send a Kerberos
challenge. The client examines the contents of the reply and checks to determine whether it supports
any of the specified protocols. If the client supports the preferred protocol, authentication
proceeds. If the client does not support the preferred protocol, but does support one of the other
protocols listed by the server, the client lets the server know which authentication protocol it
supports, and the authentication proceeds. If the client does not support any of the listed
protocols, the authentication exchange fails.
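The following Python example is added here and is not part of the product or of this guide. It illustrates the contrast that both the Authentication list under Scan Settings: Proxy and the Authentication Method table above draw between Basic and Digest: a Basic header is base64 encoding of "user:password" and is decoded, not cracked, by anyone who reads the traffic, whereas a Digest response is an MD5 computation (RFC 2617 with qop=auth) that the server can verify from a stored HA1 value without the password ever crossing the wire. The realm, user name, password, URI and all function and class names are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(user, password):
    """Authorization value for Basic: an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header_value):
    """What a passive observer learns from a Basic header: the credentials themselves."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password), the only place the password enters the computation."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: stores HA1 per user (never the password), issues nonces, checks responses."""

    def __init__(self, realm):
        self.realm = realm
        self.users = {}          # user -> HA1
        self.issued = set()      # nonces this server handed out

    def add_user(self, user, password):
        self.users[user] = digest_ha1(user, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        ha1 = self.users.get(user)
        if ha1 is None or nonce not in self.issued:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange: one client, one server, realm and credentials invented for the example."""
    realm, user, password = "scan-target", "scanner", "example-only-secret"
    server = DigestVerifier(realm)
    server.add_user(user, password)
    nonce, cnonce, nc = server.challenge(), secrets.token_hex(8), "00000001"
    good = digest_response(digest_ha1(user, realm, password), "GET", "/", nonce, nc, cnonce)
    bad = digest_response(digest_ha1(user, realm, "wrong-guess"), "GET", "/", nonce, nc, cnonce)
    return {
        "basic_recovered": recover_basic(basic_header(user, password)),
        "digest_ok": server.verify(user, "GET", "/", nonce, nc, cnonce, good),
        "digest_wrong_password": server.verify(user, "GET", "/", nonce, nc, cnonce, bad),
        "digest_unknown_nonce": server.verify(user, "GET", "/", "not-issued", nc, cnonce, good),
        "response": good,
        "password": password,
    }
```

The Digest response never contains the password, which is the property the table describes. The caveat a practitioner should keep in mind is that MD5 is fast: an observer who captures one exchange can still test password guesses offline against it, so Digest protects against reading the password off the wire, not against weak passwords, and neither scheme replaces TLS for the connection itself.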
Authentication Credentials
Type a user ID in the User name field and the user's password in the Password field. To guard against
mistyping, repeat the password in the Confirm Password field.
Caution: Fortify WebInspect will crawl all servers granted access by this password (if the
sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your
administrative systems, do not use a user name and password that has administrative rights. If you
are unsure about your access rights, contact your System Administrator or internal security
professional, or contact HPE Security Fortify Support.
Client Certificate
Client certificate authentication allows users to present client certificates rather than entering a user
name and password. You can select a certificate from the local machine or a certificate assigned to a
current user.
To use client certificates:
1. Select Enable in the Client Certificates group.
2. Click Select to open the Client Certificates window.
3. Choose a certificate.
4. Click OK.
When using tools that incorporate a proxy (specifically Web Macro Recorder, Web Proxy, Web Brute,
and Web Form Editor), you may encounter servers that do not ask for a client certificate even though a
certificate is required. To accommodate this situation, you must edit the SPI.Net.Proxy.Config file using
the following procedure.
Task 1: Find your certificate's serial number
1. Open Microsoft Internet Explorer.
2. From the Tools menu, click Internet Options.
3. On the Internet Options window, select the Content tab and click Certificates.
4. On the Certificates window, select a certificate and click View.
5. On the Certificate window, click the Details tab.
6. Click the Serial Number field and copy the serial number that appears in the lower pane (highlight
the number and press Ctrl + C).
7. Close all windows.
Task 2: Create an entry in the SPI.Net.Proxy.Config file
1. Open the SPI.Net.Proxy.Config file for editing. The default location is C:\Program
Files\HP\HP WebInspect.
2. In the ClientCertificateOverrides section, add the following entry:
<ClientCertificateOverride HostRegex="<RegularExpression>"
CertificateSerialNumber="Number" />
where:
<RegularExpression> is a regular expression matching the host URL (example: .*austin\.hp\.com).
Number is the serial number obtained in Task 1.
3. Save the edited file.
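As an added example (not part of the product or of this guide), the following Python code reads entries of the form shown in step 2 and answers the question the override file exists for: which certificate serial number applies to a given host. The surrounding <Configuration> root element, the sample serial numbers (placeholders, not real serials), the whole-host-name matching and the function names are assumptions made for this example; the page shows only the ClientCertificateOverride entry, not the rest of the file's layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the ClientCertificateOverrides section. The <Configuration> root is an
# assumption; the serial numbers are placeholders. The first HostRegex is the page's own example.
SAMPLE_CONFIG = r"""<Configuration>
  <ClientCertificateOverrides>
    <ClientCertificateOverride HostRegex=".*austin\.hp\.com"
                               CertificateSerialNumber="00 11 22 33 PLACEHOLDER" />
    <ClientCertificateOverride HostRegex="^intranet\.example$"
                               CertificateSerialNumber="PLACEHOLDER-SERIAL-2" />
  </ClientCertificateOverrides>
</Configuration>"""


def normalize_serial(serial):
    """The certificate dialog shows the serial as spaced hex pairs; compare without spaces or case."""
    return re.sub(r"\s+", "", serial).lower()


def load_overrides(xml_text):
    """Return [(compiled HostRegex, normalized serial), ...] in file order; reject incomplete entries."""
    root = ET.fromstring(xml_text)
    overrides = []
    for element in root.iter("ClientCertificateOverride"):
        pattern = element.get("HostRegex")
        serial = element.get("CertificateSerialNumber")
        if not pattern or not serial:
            raise ValueError("override entry is missing HostRegex or CertificateSerialNumber")
        overrides.append((re.compile(pattern), normalize_serial(serial)))
    return overrides


def certificate_for_host(overrides, host):
    """Serial of the first override whose HostRegex matches the whole host name, else None."""
    for regex, serial in overrides:
        if regex.fullmatch(host):
            return serial
    return None
```

Anchoring matters for this kind of entry. With whole-host matching, .*austin\.hp\.com covers www.austin.hp.com but not austin.hp.com.evil.example; a product that matched the expression anywhere in the host name would also match the latter with the same pattern, and the client certificate would then be offered to an unintended host. When in doubt, anchor the expression with ^ and $ and use \. for literal dots, as the page's own example does.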
Use a Login Macro for Forms Authentication
This type of macro is used primarily for Web form authentication. It incorporates logic that will prevent
Fortify WebInspect from terminating prematurely if it inadvertently logs out of your application. When
recording this type of macro, be sure to specify the application's log-out signature. Click the ellipsis
button to locate the macro. Click Record to record a macro.
Login Macro Parameters
This section appears only if you have selected Use a login macro for forms authentication and the
macro you have chosen or created contains fields that are designated as Smart Credentials (if you used
the session-based or event-based Web Macro Recorder) or username and password parameters (if you
used the Web Macro Recorder).
If you start a scan using a macro that includes Smart Credentials (or parameters for user name and
password), then when you scan the page containing the input elements associated with these entries,
Fortify WebInspect substitutes the user name and password specified here. This allows you to create
the macro using your own user name and password, yet when other persons run the scan using this
macro, they can substitute their own user name and password.
For information about creating parameters using the Web Macro Recorder, see the "Unified Web Macro
Recorder" chapter in the HPE Security Fortify WebInspect Tools Guide.
Use a Startup Macro
This type of macro is used most often to focus on a particular subsection of the application. It specifies
URLs that Fortify WebInspect will use to navigate to that area. It may also include login information, but
does not contain logic that will prevent Fortify WebInspect from logging out of your application. Fortify
WebInspect visits all URLs in the macro, collecting hyperlinks and mapping the data hierarchy. It then
calls the Start URL and begins a normal crawl (and, optionally, audit). Click the ellipsis button to
locate the macro. Click Record to record a macro.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or both,
all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all Selenium
macros. You cannot use different types of macros in the same scan.
Scan Settings: File Not Found
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click File Not Found.
Options
The File Not Found options are described in the following table:
Determine File Not Found (FNF) using HTTP response codes: Select this option to rely on HTTP
response codes to detect a file-not-found response from the server. You can then identify the codes
that fit the following two categories.
l Forced valid response codes (never a FNF): You can specify HTTP response codes that should never
be treated as a file-not-found response.
l Forced FNF response codes (always a FNF): Specify those HTTP response codes that will always be
treated as a file-not-found response. Fortify WebInspect will not process the response contents.
Enter a single response code or a range of response codes. For ranges, use a dash or hyphen to
separate the first and last code in the list (for example, 400-404). You can specify multiple codes
or ranges by separating each entry with a comma.
Determine FNF from custom supplied signature: Use this area to add information about any custom 404
page notifications that your company uses. If your company has configured a different page to
display when a 404 error occurs, add the information here. Without this information, 404 pages that
are unique to your site can cause Fortify WebInspect to report false positives.
You can specify a signature using plain text, a regular expression, or, using the SPI Regex option,
regular expression extensions (see the Web Console Help for more information). For information about
the Regular Expression Editor tool, see the HPE Security Fortify WebInspect Tools Guide.
Auto detect FNF page: Some Web sites do not return a status "404 Not Found" when a client requests a
resource that does not exist. Instead, they may return a status "200 OK" but the response contains a
message that the file cannot be found, or they might redirect to a home page or login page. Select
this check box if you want Fortify WebInspect to detect these "custom" file-not-found pages.
Fortify WebInspect attempts to detect custom file-not-found pages by sending requests for resources
that cannot possibly exist on the server. It then compares each response and measures the amount of
text that differs between the responses. For example, most messages of this type have the same
content (such as "Sorry, the page you requested was not found"), with the possible exception being
the name of the requested resource. If you select the Auto detect FNF page check box, you can specify
what percentage of the response content must be the same. The default is 90 percent.
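The following Python example is added here and is not part of the product or of this guide. It places the two mechanisms from the table above side by side: a parser for response-code lists written the way the table describes ("400-404, 410"), the forced-valid / forced-FNF precedence, and custom-page detection that requests resources which cannot exist, checks that their responses agree to the 90 percent default, and then classifies other responses against that signature. The sample site, its page template, the probe paths and the function names are constructed for this example, and difflib's similarity ratio stands in for the product's own comparison, which the page does not specify.

```python
import difflib


def parse_code_spec(spec):
    """'400-404, 410' -> {400, 401, 402, 403, 404, 410}: single codes and dash ranges, comma separated."""
    codes = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        low, sep, high = entry.partition("-")
        if sep:
            codes.update(range(int(low), int(high) + 1))
        else:
            codes.add(int(entry))
    return codes


def fnf_by_status(status, forced_valid=frozenset(), forced_fnf=frozenset()):
    """Status-code rule: a forced-valid code is never FNF, a forced-FNF code always is, else only 404."""
    if status in forced_valid:
        return False
    if status in forced_fnf:
        return True
    return status == 404


def similarity(a, b):
    """Fraction of text shared by two response bodies, 0.0 to 1.0."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def learn_custom_fnf(probe_bodies, min_similarity=0.90):
    """probe_bodies are responses to resources that cannot exist. If they all agree to
    min_similarity, the first one becomes the site's FNF signature; otherwise None."""
    base = probe_bodies[0]
    if all(similarity(base, other) >= min_similarity for other in probe_bodies[1:]):
        return base
    return None


def is_custom_fnf(body, signature, min_similarity=0.90):
    """True when a response looks like the learned custom not-found page."""
    return signature is not None and similarity(body, signature) >= min_similarity


# Constructed sample site: it answers 200 OK for everything and shows a fixed not-found page
# that differs only in the name of the requested resource.
TEMPLATE = ("<html><head><title>Not found</title></head><body>"
            "<h1>Oops</h1><p>Sorry, the page you requested ({path}) was not found.</p>"
            "<div id='footer'>Copyright Example Shop</div></body></html>")
WELCOME = ("<html><head><title>Example Shop</title></head><body>"
           "<h1>Welcome</h1><p>Browse our products and special offers.</p></body></html>")


def detect_sample():
    """Learn the signature from three impossible resources, then classify two real responses."""
    probes = [TEMPLATE.format(path=p) for p in ("/zz-probe-aaaa", "/zz-probe-bbbb", "/zz-probe-cccc")]
    signature = learn_custom_fnf(probes)
    return {
        "signature_learned": signature is not None,
        "welcome_is_fnf": is_custom_fnf(WELCOME, signature),
        "soft404_is_fnf": is_custom_fnf(TEMPLATE.format(path="/old-report"), signature),
        "redirect_forced_fnf": fnf_by_status(302, forced_fnf=parse_code_spec("300-399, 410")),
    }
```

The threshold is the knob the table exposes: lowering it below 90 percent makes the detector tolerate not-found pages that echo longer resource names, at the cost of more ordinary pages with a shared layout being mistaken for not-found responses.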
Scan Settings: Policy
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Scan Settings group in the left pane, click Policy.
You can change to a different policy when starting a scan through the Scan Wizard, but the policy you
select here will be used if you do not select an alternate.
You can also create, import, or delete policies.
Creating a Policy
To create a policy:
1. Click Create.
The Policy Manager tool opens.
2. Select New from the File menu (or click the New Policy icon).
3. Select the policy on which you will model a new one.
4. Refer to the Policy Manager online Help for additional instructions.
Editing a Policy
To edit a policy:
1. Select a custom policy. Only custom policies may be edited.
2. Click Edit.
The Policy Manager tool opens.
3. Refer to the Policy Manager online Help for additional instructions.
Importing a Policy
To import a policy:
1. Click Import.
2. On the Import Custom Policy window, click the ellipsis button.
3. Using the Files Of Type list on the standard file-selection window, choose a policy type:
l Policy Files (*.policy): Policy files designed and created for versions of Fortify WebInspect
beginning with release 7.0.
l Old Policy Files (*.apc): Policy files designed and created for versions of Fortify WebInspect
prior to release 7.0.
l All Files (*.*): Files of any type, including non-policy files.
4. (Optional) Edit the policy name.
5. Click OK.
A copy of the policy is created in the Policies folder (the default location is C:\ProgramData\HP\HP
WebInspect\Policies\). The policy and all of its enabled checks are imported into SecureBase using
the specified policy name. Custom agents are not imported.
Note: When importing policy files created for earlier versions of Fortify WebInspect, any custom
check associated with that policy will be imported only if it can be found in the CustomAgents.xml
file used by Fortify WebInspect 6.5 or earlier.
Deleting a Policy
To delete a policy:
1. Select a custom policy. Only custom policies may be deleted.
2. Click Delete.
Crawl Settings: Link Parsing
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Crawl Settings group in the left pane, click Link Parsing.
Fortify WebInspect follows all hyperlinks defined by HTML (using the <a href> tag) and those defined
by scripts (JavaScript and VBScript). However, you may encounter other communications protocols that
use a different syntax for specifying links. To accommodate this possibility, you can use the Custom
Links feature and regular expressions to identify links that you want Fortify WebInspect to follow.
These are called special link identifiers.
Adding a Specialized Link Identifier
To add a specialized link identifier:
1. Click Add.
The Specialized Link Entry window opens.
2. In the Specialized Link Pattern field, enter a regular expression designed to identify the link.
3. (Optional) Enter a description of the link in the Comment field.
4. Click OK.
Crawl Settings: Link Sources
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Crawl Settings group in the left pane, click Link Sources.
What is Link Parsing?
The Fortify WebInspect crawler sends a request to a start URL and recursively parses links (URLs) from
the response content. These links are added to a work queue and the crawler iterates through the
queue until it is empty. The techniques used to extract the link information from the HTTP responses
are collectively referred to as ‘link parsing.’ There are two choices for how the crawler performs link
parsing: Pattern-based and DOM-based.
Pattern-based Parsing
Pattern-based link parsing uses a combination of text searching and pattern matching to find URLs.
These URLs include the ordinary content that is rendered by a browser, such as <A> elements, as well as
invisible text that may reveal additional site structure.
This option matches the default behavior of Fortify WebInspect 10.40 and earlier versions. This is a
more aggressive approach to crawling the website and can increase the amount of time it takes to
conduct a scan. The aggressive behavior can cause the crawler to create many extra links which are not
representative of actual site content. For these situations, DOM-based parsing should expose the site’s
URL content with fewer false positives.
Note: All of the DOM-based Parsing techniques for finding links are used when Pattern-based
Parsing is selected.
DOM-based Parsing
The Document Object Model (DOM) is a programming concept that provides a logical structure for
defining and building HTML and XML documents, navigating their structure, and editing their elements
and content.
A graphical representation of an HTML page rendered as DOM would resemble an upside-down tree:
starting with the HTML node, then branching out in a tree structure to include the tags, sub-tags, and
content. This structure is called a DOM tree.
Using DOM-based parsing, Fortify WebInspect parses HTML pages into a DOM tree and uses the
detailed parsed structure to identify the sources of hyperlinks with higher fidelity and greater
confidence. DOM-based parsing can reduce false positives and may also reduce the degree of
‘aggressive link discovery.’
On some sites, the crawler iteratively requests bad links and the resulting responses echo those links
back in the response content, sometimes adding extra text that compounds the problem. These
repeated cycles of ‘bad links in and bad links out’ can cause scans to run for a long time or, in rare cases,
forever. DOM-based parsing and careful selection of link sources provide a mechanism for limiting this
runaway scan behavior. Web applications vary in structure and content, and some experimentation may
be required to get optimal link source configurations.
To refine DOM-based Parsing, select the techniques you want to use for finding links. Clearing
techniques that may not be a concern for your site may decrease the amount of time it takes to
complete the scan. For a more thorough scan, however, select all techniques or use Pattern-based
Parsing. The DOM-based Parsing techniques are described in the following table. For more information,
see "Limitations of Link Source Settings" on page 350.
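The following Python example is added here and is not part of the product or of this guide. It contrasts the two parsing modes described above and lets each DOM-based technique from the table that follows be switched on or off: a DOM-based parser built on the standard library's HTMLParser tags every link with the source it came from (a real attribute, an HTML comment, a conditional comment, plain text, a script block, or a URL embedded in another URL's query string), while a pattern-based function runs the same patterns over the raw markup with no tree at all. It also implements the guard the table's last technique calls for, refusing to queue embedded URLs from a link that already nests several of them, which is the "bad links in and bad links out" loop. The sample page, the technique names, the nesting limit and the function names are constructed for this example; the link URLs in the sample reuse the hosts shown in the table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Text patterns: absolute or protocol-relative URLs, then bare file names with common extensions.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+|//[\w.-]+/[^\s\"'<>()]*")
FILE_RE = re.compile(r"\b[\w./-]+\.(?:txt|css|js|bmp|png|jpe?g|html?)\b")
ATTR_RE = re.compile(r"(?:href|src|action)\s*=\s*[\"']?([^\"'\s>]+)", re.I)
ALL_SOURCES = frozenset({"comments", "conditional_comments", "plain_text", "script_blocks", "embedded"})


def find_text_links(text):
    """Links that exist only as text: full URLs first, then bare file names in what remains."""
    urls = URL_RE.findall(text)
    files = FILE_RE.findall(URL_RE.sub(" ", text))
    return urls + files


def embedded_count(link):
    """Number of absolute URLs nested inside `link` once percent-encoding is removed."""
    return max(unquote(link).count("://") - 1, 0)


def embedded_urls(link, max_embedded=1):
    """URLs carried as query-parameter values. A link already nesting more than max_embedded
    URLs is the runaway form-action pattern from the table and yields nothing."""
    if embedded_count(link) > max_embedded:
        return []
    return [v for _, v in parse_qsl(urlsplit(link).query) if v.startswith(("http://", "https://"))]


class DomLinkParser(HTMLParser):
    """DOM-based parsing: links are tagged with their source, and every source except real
    attributes can be disabled, like the check boxes in the technique table."""

    def __init__(self, sources=ALL_SOURCES):
        super().__init__()
        self.sources, self.links, self._in_script = set(sources), [], False

    def _add(self, source, link):
        if link and (source, link) not in self.links:
            self.links.append((source, link))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_script = self._in_script or tag == "script"
        for key in ("href", "src", "action"):
            if attrs.get(key):
                self._add("dom", attrs[key])
                if "embedded" in self.sources:
                    for nested in embedded_urls(attrs[key]):
                        self._add("embedded", nested)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        if data.lstrip().startswith("[if"):                  # <!--[if lt IE9]> ... <![endif]-->
            if "conditional_comments" in self.sources:
                for link in ATTR_RE.findall(data):
                    self._add("conditional_comment", link)
        elif "comments" in self.sources:
            for link in find_text_links(data):
                self._add("comment", link)

    def handle_data(self, data):
        if self._in_script and "script_blocks" in self.sources:
            for link in find_text_links(data):
                self._add("script_block", link)
        elif not self._in_script and "plain_text" in self.sources:
            for link in find_text_links(data):
                self._add("plain_text", link)


def dom_links(html, sources=ALL_SOURCES):
    parser = DomLinkParser(sources)
    parser.feed(html)
    parser.close()
    return parser.links


def pattern_links(html):
    """Pattern-based parsing: attribute and text patterns over the raw markup, so comments,
    conditional comments and script text all count (more links, more noise)."""
    return list(dict.fromkeys(ATTR_RE.findall(html) + find_text_links(html)))


# Constructed sample page combining the situations described in the technique table.
SAMPLE_HTML = """<html><body>
<!-- hidden.txt -->
<!--[if lt IE9]>
<script src="//www.somesite.com/static/v/all/js/html5sh.js"></script>
<![endif]-->
<a href="/products.html">Products</a>
<a href="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah">ref</a>
<p>See http://www.something.com/mypage.html for details.</p>
<script type="text/javascript">
// go to http://www.foo.com/blah.html for help
var url = "http://www.foo.com/xyz/" + path + "?help";
</script>
</body></html>"""

# Form action of the shape a looping file-not-found page produces (see the table).
RUNAWAY_ACTION = ("http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?"
                  "http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah")
```

Running dom_links(SAMPLE_HTML) with all sources enabled returns the comment, conditional-comment, plain-text, script-block and embedded links alongside the real href and src attributes; with sources=() only the attribute links remain, which is the quieter configuration the text above recommends for sites where aggressive discovery produces noise. pattern_links(SAMPLE_HTML) finds everything the full DOM configuration does plus duplicates such as products.html without its leading slash, the kind of extra link the Pattern-based Parsing paragraph warns about.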
Technique
Description
Include
Comment
Links
(Aggressi
ve)
Programmers may leave notes to themselves that include links inside HTML comments
that are not visible on the site, but may be discovered by an attacker. Use this option to
find links inside HTML comments. Fortify WebInspect will find more links, but these
may not always be valid URLs, causing the crawler to try to access content that does
not exist. Also, the same link can be on every page and those links can be relative, which
can exponentially increase the URL count and lengthen the scan time.
Include
Condition
al
Comment
Links
A conditional comment link occurs when the HTML on the page is conditionally
included or excluded depending on the user agent (browser type and version) making
the request.
Regular comment example:
<!—hidden.txt -->
Conditional comment example:
<!--[if lt IE9]>
<script
src="//www.somesite.com/static/v/all/js/html5sh.js"></script>
HPE Security Fortify WebInspect Enterprise (16.20)
Page 346 of 362
User Guide
Chapter 5: WebInspect Enterprise Thin Client
<link rel="stylesheet" type"text/css"
href='//www.somesite.com/static/v/fn-hp/css/IE8.css'>
<![endif]-->
Fortify WebInspect emulates browser behaviors in evaluating HTML code and
processes the DOM differently depending on the user agent. A link found in a
comment by one user agent is a normal HTML link for other user agents.
Use this option to find conditional links that are inside HTML commands, such as those
commented out based on browser version. These conditional statements may also
contain script includes that need to be executed when script parsing is enabled.
Crawling these links will be more thorough, but can increase the scan time. Additionally,
such comments may be out of date and pointless to crawl.
Include
Plain text in a .txt file or a paragraph inside HTML code can be formatted as a URL,
Plain Text such as http://www.something.com/mypage.html. However, because this is only
Links
text and not a true link, the browser would not render it as a link, and the text would
not be functionally part of the page. For example, the content may be part of a page
that describes how to code in HTML using fake syntax that is not meant to be clicked
by users. Use this option for Fortify WebInspect to parse these text links and queue
them for a crawl.
Also, using smart pattern matches, Fortify WebInspect can identify common file
extensions, such as .css, .js, .bmp, .png, .jpg, .html, etc., and add these files to the crawl
queue. Auditing these files that are referenced in plain text can produce false positives.
Include Links in Static Script Blocks
Use this option for Fortify WebInspect to examine inside the opening and closing script tags for text that looks like links. Valid links may be found inside these script blocks, but developers may also leave comments that include text resembling links inside the opening and closing script tags. For example:
<script type="text/javascript">
// go to http://www.foo.com/blah.html for help
var url = "http:www.foo.com/xyz/" + path + "?help"
</script>
Additionally, JavaScript code inside these tags can be handled by the JavaScript execution engine during the scan. However, searching for static links in a line of code that sets a variable, such as the “var url” in the example above, can create problems when those partial paths are added to the queue for crawling. If the variable includes a relative link with a common extension, such as “foo.html”, the crawler will append the extension to the end of every page that includes the line of code. This can produce unusable URLs and may create false positives.
Parse URLs Embedded in URLs
Use this option for Fortify WebInspect to parse any text that is inside an href attribute and add it to the crawl queue. The following is an example of a URL embedded in a URL:
<a href="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
On some sites, however, file not found pages return the URL in a form action tag and
append the URL to the original URL as follows:
<form action="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
Fortify WebInspect will then request the form action, and receive another file not found response, again with the URL appended in a form action, as shown below:
<form action="http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah?http://www.foo.com/xyz/bar.html?url=http%3A%2F%2Fwww.zzzz.com%2Fblah" />
On such a site, these URLs will continue to produce file not found responses that add more URLs to the crawl queue, creating an infinite crawl loop. To avoid adding this type of URL to the crawl queue, do not use this option.
Allow Unrooted URLs (for the above items)
This option modifies the behavior of the previous five options. Some links do not include the specific scheme, such as http, and are not fully qualified domain names. These links, which may resemble “xyz.html”, are considered unanchored or “un-rooted.” A relative link, such as “/xyz.html”, is not considered to be un-rooted because it is relative to the homepage and the link can be resolved. Use this option to treat unrooted URLs as links when parsing. If this option is selected, the scan will be more thorough and more aggressive, but may take considerably longer to complete.
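The two behaviours described under Include Links in Static Script Blocks and Allow Unrooted URLs can be reproduced with a few lines of Python. The following is an added example, not code from the guide or from Fortify WebInspect: it pulls link-like text out of a static script block, classifies each candidate as absolute, rooted or unrooted, and resolves it against every page that contains the block, which shows how an unrooted "foo.html" fans out into one new URL per page. The script block is the guide's own with one constructed extra line (var next = "foo.html"); the page URLs, the extension list and the regular expressions are this example's assumptions.

```python
import re
from urllib.parse import urljoin

# Constructed sample: the guide's script block plus one extra line (var next)
# that holds an unrooted relative link with a common extension.
SCRIPT_BLOCK = """<html><body>
<script type="text/javascript">
// go to http://www.foo.com/blah.html for help
var url = "http:www.foo.com/xyz/" + path + "?help"
var next = "foo.html"
</script>
</body></html>"""

# Constructed page URLs; assume each page contains the script block above.
PAGES = [
    "http://www.example.test/a/index.html",
    "http://www.example.test/b/c/page.html",
]

ABSOLUTE_RE = re.compile(r"https?://[^\s\"'<>]+")
# Quoted string ending in a common file extension (the "smart pattern match"
# the guide mentions); the extension list is this example's assumption.
QUOTED_PATH_RE = re.compile(
    r"[\"']([^\"'\s<>]+\.(?:html?|js|css|png|jpe?g|gif|bmp))[\"']", re.I)


def script_bodies(html):
    """Return the text between each <script ...> and </script> pair."""
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, flags=re.I | re.S)


def candidate_links(html):
    """Collect link-like text from static script blocks, in order of discovery."""
    found = []
    for body in script_bodies(html):
        found.extend(ABSOLUTE_RE.findall(body))      # comments, string literals
        found.extend(QUOTED_PATH_RE.findall(body))   # quoted paths with extensions
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def classify(link):
    """absolute: has a scheme; rooted: starts at the site root; unrooted: neither."""
    if re.match(r"[a-z][a-z0-9+.-]*://", link, re.I):
        return "absolute"
    if link.startswith("/"):
        return "rooted"
    return "unrooted"


def queue_urls(pages, html, allow_unrooted):
    """Resolve every candidate link against every page that contains the block.

    Unrooted links are dropped unless allow_unrooted is set; when it is set,
    each page yields its own resolved URL, which is the fan-out the guide warns
    about for a line such as var next = "foo.html".
    """
    queue = set()
    for link in candidate_links(html):
        if classify(link) == "unrooted" and not allow_unrooted:
            continue
        for page in pages:
            queue.add(urljoin(page, link))
    return queue


if __name__ == "__main__":
    for allow in (False, True):
        print(f"allow_unrooted={allow}:")
        for url in sorted(queue_urls(PAGES, SCRIPT_BLOCK, allow)):
            print("  ", url)
```

With the option off, only the absolute URL from the comment reaches the queue; with it on, every page that carries the script block contributes its own copy of foo.html, which is exactly the "unusable URLs" growth the guide describes, and the reason the setting trades thoroughness for scan time.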
Form Actions, Script Includes, and Stylesheets
Some link types—such as form actions, script includes, and stylesheets—are special and are treated
differently than other links. On some sites, it may not be necessary to crawl and parse these links.
However, if you want an aggressive scan that attempts to crawl and parse everything, the following
options will help accomplish this goal. For more information, see "Limitations of Link Source Settings" on
page 350.
Note: You can also allow un-rooted URLs for each of these options. See “Allow Un-rooted URLs”
above.
Option / Description
Crawl Form Action Links
When Fortify WebInspect encounters HTML forms during the crawl, it creates variations on the inputs that a user can make and submits the forms as requests to solicit more site content. For example, for forms with a POST method, Fortify WebInspect can use a GET instead and possibly
reveal information. In addition to this type of crawling, use this option for Fortify WebInspect to treat form targets as normal links.
Crawl Script Include Links
A script include imports javascript from a .js file and processes it on the current page. Use this option for Fortify WebInspect to crawl the .js file as a link.
Crawl Stylesheet Links
A stylesheet link imports the style definitions from a .css file and renders them on the current page. Use this option for Fortify WebInspect to crawl the .css file as a link.
Miscellaneous Options
The following additional options may help improve link parsing for your site. For more information, see
"Limitations of Link Source Settings" on the next page.
Option / Description
Crawl Links on FNF Pages
If you select this option, Fortify WebInspect will look for and crawl links on responses that are marked as “file not found.”
This option is selected by default when the Scan Mode is set to Crawl Only or Crawl & Audit. The option is not available when the Scan Mode is set to Audit Only.
Suppress URLs with Repeated Path Segments
Many sites have text that resembles relative paths that become unusable URLs after Fortify WebInspect parses them and appends them to the URL being crawled. These occurrences can result in a runaway scan if paths are continuously appended, such as /foo/bar/foo/bar/. This setting helps reduce such occurrences and is enabled by default.
With the setting enabled, the options are:
1 – Detect a single sub-folder repeated anywhere in the URL and reject the URL if there is a match. For example, /foo/baz/bar/foo/ will match because “/foo/” is repeated. The repeat does not have to occur adjacently.
2 – Detect two (or more) pairs of adjacent sub-folders and reject the URL if there is a match. For example, /foo/bar/baz/foo/bar/ will match because “/foo/bar/” is repeated.
3 – Detect two (or more) sets of three adjacent sub-folders and reject the URL if there is a match.
4 – Detect two (or more) sets of four adjacent sub-folders and reject the URL if there is a match.
5 – Detect two (or more) sets of five adjacent sub-folders and reject the URL if there is a match.
If the setting is disabled, repeating sub-folders are not detected and no URLs are rejected due to matches.
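The five levels of the Suppress URLs with Repeated Path Segments setting describe one rule with a varying window size: a URL is rejected when any run of N adjacent sub-folders occurs twice in its path. The Python below is an added example that implements that rule as described, not Fortify WebInspect's own code, and also simulates the runaway case (a relative path appended to each newly crawled URL) to show at which append each level fires. Two assumptions are this example's: the final path component is treated as a file name unless the path ends with "/", so it is not counted as a sub-folder, and overlapping runs are counted.

```python
from urllib.parse import urljoin, urlsplit


def sub_folders(url):
    """Directory segments of a URL's path.

    Assumption (not stated by the guide): the final path component is a file
    name unless the path ends with "/", so it is not counted as a sub-folder.
    """
    path = urlsplit(url).path
    folders = path.rsplit("/", 1)[0]
    return [seg for seg in folders.split("/") if seg]


def repeated_run(url, level):
    """Return the first run of `level` adjacent sub-folders that occurs twice.

    level 1 flags any single sub-folder seen twice, anywhere in the path;
    level n flags any sequence of n adjacent sub-folders seen twice (runs may
    overlap, an assumption of this example). Returns None when nothing repeats
    or when level is 0, which stands for the setting being disabled.
    """
    if level < 1:
        return None
    segs = sub_folders(url)
    seen = set()
    for i in range(len(segs) - level + 1):
        run = tuple(segs[i:i + level])
        if run in seen:
            return run
        seen.add(run)
    return None


def should_reject(url, level):
    return repeated_run(url, level) is not None


def filter_queue(urls, level):
    """Drop candidate URLs the repeated-segment rule rejects."""
    return [u for u in urls if not should_reject(u, level)]


def appends_until_rejected(start, relative, level, max_steps=20):
    """Simulate the runaway case: a relative path appended to each new URL.

    Returns how many appends happen before the rule rejects the URL, or None
    if the rule never fires within max_steps (for instance at level 0).
    """
    url = start
    for step in range(1, max_steps + 1):
        url = urljoin(url, relative)
        if should_reject(url, level):
            return step
    return None


if __name__ == "__main__":
    sample = [  # constructed candidate URLs; the first two are the guide's paths
        "http://www.example.test/foo/baz/bar/foo/",
        "http://www.example.test/foo/bar/baz/foo/bar/",
        "http://www.example.test/docs/index.html",
    ]
    for level in range(0, 3):
        print("level", level, "keeps", filter_queue(sample, level))
    for level in (1, 2, 3):
        print("level", level, "rejects the runaway URL after append",
              appends_until_rejected("http://www.example.test/foo/bar/", "foo/bar/", level))
```

Level 1 rejects both of the guide's sample paths, level 2 rejects only /foo/bar/baz/foo/bar/, and a runaway /foo/bar/ append is stopped after one append at levels 1 and 2 but only after two at level 3; a higher level therefore lets the crawl go deeper before the rule cuts it off, which is the trade-off to keep in mind when a legitimate site really does nest a folder name more than once.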
Limitations of Link Source Settings
Clearing a link source check box prevents the crawler from processing that specific kind of link when it is
found using static parsing. However, these links can be found in many other ways. For example, clearing
the Crawl Stylesheet Links option does not control path truncation nor suppress .css file requests
made by the script engine. Clearing this setting only prevents static link parsing of the .css response
from the server. Similarly, clearing the Crawl Script Include Links option does not suppress .js, AJAX,
frameIncludes, or any other file request made by the script engine. Therefore, clearing a link source
check box is not a universal filter for that type of link source.
The goal for clearing a check box is to prevent potentially large volumes of bad links from cluttering the
crawl and resulting in extremely long scan times.
Crawl Settings: Session Exclusions
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Crawl Settings group in the left pane, click Session Exclusions.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray
(not black) text. If you do not want these objects to be excluded from the crawl, you must remove them
from the Scan Settings - Session Exclusions panel.
This panel (Crawl Settings - Session Exclusions) allows you to specify additional objects to be
excluded from the crawl.
Excluded or Rejected File Extensions
If you select Reject, files having the specified extension will not be requested.
If you select Exclude, files having the specified extension will be requested, but will not be audited.
Adding a File Extension to Exclude/Reject
To add a file extension:
1. Click Add.
The Exclusion Extension window opens.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click OK.
Excluded MIME Types
Files associated with the MIME types you specify will not be audited.
Adding a MIME Type to Exclude
To add a MIME Type:
1. Click Add.
The Provide a Mime-type to Exclude window opens.
2. In the Exclude Mime-type field, enter a MIME type.
3. Click OK.
Other Exclusion/Rejection Criteria
You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component.
• Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For example, you should usually reject any URL that deals with logging off the site, since you don't want to log out of the application before the scan is completed.
• Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified host or URL. If you want to access the URL or host without processing the HTTP response, select the Exclude option, but do not select Reject. For example, to check for broken links on URLs that you don't want to process, select only the Exclude option.
Editing the Default Criteria
To edit the default criteria:
1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
2. Select either Host or URL.
3. In the Host or URL field, enter a URL or fully qualified host name, or a regular expression designed
to match the targeted URL or host.
4. Select either Reject, Exclude, or both.
5. Click OK.
Adding Exclusion/Rejection Criteria
To add exclusion/rejection criteria:
1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
2. Select an item from the Target list.
3. If you selected Query parameter or Post parameter as the target, enter the Target Name.
4. From the Match Type list, select the method to be used for matching text in the target:
• matches regex - Matches the regular expression you specify in the Match String field.
• matches regex extension - Matches a syntax available from HPE's regular expression extensions you specify in the Match String field. For information about the Regular Expression Editor, see the "Regular Expression Editor" chapter in the HPE Security Fortify WebInspect Tools Guide.
• matches - Matches the text string you specify in the Match String field.
• contains - Contains the text string you specify in the Match String field.
5. In the Match String field, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
6. Click (or press Enter).
7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.
9. Click OK.
10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.
Target   Target Name   Match Type   Match String
URL      N/A           contains     Microsoft.com
Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.
Target   Target Name   Match Type   Match String
URL      N/A           contains     logout
Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."
Target            Target Name   Match Type   Match String
Query parameter   username      matches      John
Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/
Target   Target Name   Match Type      Match String
URL      N/A           matches regex   /W3SVC[0-9]*/
Audit Settings: Session Exclusions
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Audit Settings group in the left pane, click Session Exclusions.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the
Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray
(not black) text. If you do not want these objects to be excluded from the audit, you must remove them
from the Scan Settings - Session Exclusions panel.
This panel (Audit Settings - Session Exclusions) allows you to specify additional objects to be
excluded from the audit.
Excluded or Rejected File Extensions
If you select Reject, Fortify WebInspect will not request files having the specified extension.
If you select Exclude, Fortify WebInspect will request files having the specified extension, but will not
audit them.
Adding a File Extension to Exclude/Reject
To add a file extension:
1. Click Add.
The Exclusion Extension window opens.
2. In the File Extension field, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click OK.
Excluded MIME Types
Fortify WebInspect will not audit files associated with the MIME types you specify.
Adding a MIME Type to Exclude
To add a MIME type:
1. Click Add.
The Provide a Mime-type to Exclude window opens.
2. In the Exclude Mime-Type field, enter a MIME type.
3. Click OK.
Other Exclusion/Rejection Criteria
You can identify various components of an HTTP message and then specify whether you want to
exclude or reject a session that contains that component.
• Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For example, you should usually reject any URL that deals with logging off the site, since you don't want to log out of the application before the scan is completed.
• Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified host or URL. If you want to access the URL or host without processing the HTTP response, select the Exclude option, but do not select Reject. For example, to check for broken links on URLs that you don't want to process, select only the Exclude option.
Editing the Default Criteria
To edit the default criteria:
1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
2. Select either Host or URL.
3. In the Host or URL field, enter a URL or fully qualified host name, or a regular expression designed
to match the targeted URL or host.
4. Select either Reject, Exclude, or both.
5. Click OK.
Adding Exclusion/Rejection Criteria
To add exclusion/rejection criteria:
1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
2. Select an item from the Target list.
3. If you selected Query parameter or Post parameter as the target, enter the Target Name.
4. From the Match Type list, select the method to be used for matching text in the target:
• matches regex - Matches the regular expression you specify in the Match String field.
• matches regex extension - Matches a syntax available from HPE's regular expression extensions you specify in the Match String field. For information about the Regular Expressions Editor, see the "Regular Expression Editor" chapter in the HPE Security Fortify WebInspect Tools Guide.
• matches - Matches the text string you specify in the Match String field.
• contains - Contains the text string you specify in the Match String field.
5. In the Match String field, enter the string or regular expression for which the target will be
searched. Alternatively, if you selected a regular expression option in the Match Type, you can click
the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
6. Click (or press Enter).
7. (Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
8. If you are working in Current Settings, you can click Test to process the exclusions on the current
scan. Any sessions from that scan that would have been filtered by the criteria will appear in the
test screen, allowing you to modify your settings if required.
9. Click OK.
10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject,
Exclude, or both.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the
following exclusion and select Reject.
Target   Target Name   Match Type   Match String
URL      N/A           contains     Microsoft.com
Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be
excluded or rejected (depending on which option you select). Using the "logout" example, Fortify
WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.
Target   Target Name   Match Type   Match String
URL      N/A           contains     logout
Example 3
The following example rejects or excludes a session containing a query where the query parameter
"username" equals "John."
Target            Target Name   Match Type   Match String
Query parameter   username      matches      John
Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/
Target   Target Name   Match Type      Match String
URL      N/A           matches regex   /W3SVC[0-9]*/
Audit Settings: Attack Exclusions
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Audit Settings group in the left pane, click Attack Exclusions.
Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to
attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA
parameters.
Adding Parameters to Exclude
To prevent certain parameters from being modified:
1. In the Excluded Parameters group, click Add.
The Specify HTTP Exclusion window opens.
2. In the HTTP Parameter field, enter the name of the parameter you want to exclude.
Click to insert regular expression notations.
3. Choose the area(s) in which the parameter may be found: HTTP query data, HTTP post data,
and/or HTTP custom data.
4. Click OK.
Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack
the Web site. This feature is used to avoid corrupting cookie values.
This setting requires you to enter the name of a cookie. In the following example HTTP response ...
Set-Cookie: FirstCookie=Chocolate+Chip; path=/
... the name of the cookie is "FirstCookie."
Excluding Certain Cookies
To exclude certain cookies:
1. In the Excluded Headers group, click Add.
The Regular Expression Editor appears.
Note: You can specify a cookie using either a text string or a regular expression.
2. To enter a text string:
a. In the Expression field, type a cookie name.
b. Click OK.
3. To enter a regular expression:
a. In the Expression field, type or paste a regular expression that you believe will match the text
for which you are searching.
b. Click to insert regular expression notations.
c. In the Search Text field, type or paste the text that is known to contain the string you want to find (as specified in the Expression field).
d. To find only those occurrences matching the case of the expression, select the Match Case check box.
e. If you want to replace the string identified by the regular expression, select the Replace check box and then type or select a string from the Replace field.
f. Click Test to search the Search Text for strings that match the regular expression. Matches will be highlighted in red. Did your regular expression identify the string?
◦ If yes, click OK.
◦ If no, verify that the Search Text contains the string you want to identify or modify the regular expression.
Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to
attack the Web site. This feature is used to avoid corrupting header values.
Excluding Certain Headers
To prevent certain headers from being modified, create a regular expression using the procedure
described below.
1. In the Excluded Headers group, click Add.
The Regular Expression Editor appears.
Note: You can specify a header using either a text string or a regular expression.
2. To enter a text string:
a. In the Expression field, type a header name.
b. Click OK.
3. To enter a regular expression:
a. In the Expression field, type or paste a regular expression that you believe will match the text
for which you are searching.
b. Click to insert regular expression notations.
c. In the Search Text field, type or paste the text that is known to contain the string you want to find (as specified in the Expression field).
d. To find only those occurrences matching the case of the expression, select the Match Case check box.
e. If you want to replace the string identified by the regular expression, select the Replace check box and then type or select a string from the Replace field.
f. Click Test to search the Search Text for strings that match the regular expression. Matches will be highlighted in red. Did your regular expression identify the string?
◦ If yes, click OK.
◦ If no, verify that the Search Text contains the string you want to identify or modify the regular expression.
Audit Inputs Editor
Using the Audit Inputs Editor, you can create or modify parameters for audit engines and checks that
require inputs.
• To launch the tool, click Audit Inputs Editor.
• To load inputs that you previously created using the editor, click Import Audit Inputs.
For detailed instructions on using the Audit Inputs Editor, see the "Audit Inputs Editor" chapter of the
HPE Security Fortify WebInspect Tools Guide.
Audit Settings: Attack Expressions
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Audit Settings group in the left pane, click Attack Expressions.
Additional Regular Expression Languages
You may select one of the following language code-country code combinations (as used by the
CultureInfo class in the .NET Framework Class Library):
• ja-jp: Japanese - Japan
• ko-kr: Korean - Korea
• zh-cn: Chinese - China
• zh-tw: Chinese - Taiwan
• es-mx: Spanish - Mexico
The CultureInfo class holds culture-specific information, such as the associated language, sublanguage,
country/region, calendar, and cultural conventions. This class also provides access to culture-specific
instances of DateTimeFormatInfo, NumberFormatInfo, CompareInfo, and TextInfo. These objects
contain the information required for culture-specific operations, such as casing, formatting dates and
numbers, and comparing strings.
Audit Settings: Vulnerability Filtering
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Audit Settings group in the left pane, click Vulnerability Filtering.
By applying certain filters, you can limit the display of certain vulnerabilities reported during a scan. The
options are:
• Standard Vulnerability Definition - This filter sorts parameter names for determining equivalency between similar requests. For example, if a SQL injection vulnerability is found in parameter "a" in both http://x.y?a=x;b=y and http://x.y?b=y;a=x, it would be considered equivalent.
• Parameter Vulnerability Roll-Up - This filter consolidates multiple parameter manipulation and parameter injection vulnerabilities discovered during a single session into one vulnerability.
• 403 Blocker - This filter revokes vulnerabilities when the status code of the vulnerable session is 403 (Forbidden).
• Response Inspection Dom Event Parent-Child - This filter disregards a keyword search vulnerability found in JavaScript if the same vulnerability has already been detected in the parent session.
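The Standard Vulnerability Definition and 403 Blocker filters are simple enough to spell out in code. The Python below is an added example, not Fortify WebInspect's own filter implementation: it builds the equivalence key the first filter implies (same scheme, host and path, and the same sorted set of parameter names, with either "&" or ";" as the separator), drops findings whose session returned 403, and keeps one finding per check and key. The finding records are constructed around the guide's two example URLs.

```python
import re
from urllib.parse import urlsplit


def equivalence_key(url):
    """Identity of a request for de-duplication purposes.

    Parameter *names* are sorted so that ?a=x;b=y and ?b=y;a=x collapse to the
    same key, as the guide describes for the Standard Vulnerability Definition
    filter. Accepting ";" as well as "&" as a separator is this example's choice.
    """
    parts = urlsplit(url)
    names = sorted(p.split("=", 1)[0] for p in re.split(r"[&;]", parts.query) if p)
    return (parts.scheme, parts.netloc, parts.path, tuple(names))


def apply_filters(findings, standard_definition=True, block_403=True):
    """Apply the two filters to a list of findings, preserving order.

    Each finding is a dict with "check", "url" and "status" (response code).
    The 403 Blocker drops findings whose vulnerable session returned 403; the
    Standard Vulnerability Definition keeps one finding per (check, key).
    """
    kept, seen = [], set()
    for finding in findings:
        if block_403 and finding["status"] == 403:
            continue
        identity = equivalence_key(finding["url"]) if standard_definition else finding["url"]
        key = (finding["check"], identity)
        if key in seen:
            continue
        seen.add(key)
        kept.append(finding)
    return kept


# Constructed findings: the guide's two equivalent URLs, a 403 session, and a
# different check on the same request.
FINDINGS = [
    {"check": "SQL Injection", "url": "http://x.y?a=x;b=y", "status": 200},
    {"check": "SQL Injection", "url": "http://x.y?b=y;a=x", "status": 200},
    {"check": "SQL Injection", "url": "http://x.y/admin?id=1", "status": 403},
    {"check": "Cross-Site Scripting", "url": "http://x.y?a=x;b=y", "status": 200},
]

if __name__ == "__main__":
    for finding in apply_filters(FINDINGS):
        print(finding["check"], finding["url"])
```

Note what the key deliberately ignores: parameter values and order. Two findings for the same check on the same parameter set are reported once, while the same request flagged by a different check is still kept, which is the behaviour to expect when comparing filtered and unfiltered scan results.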
Adding a Vulnerability Filter
All available filters are listed in either the Disabled Filters list or the Enabled Filters list.
To enable one or more filters:
1. Select the desired filters in the Disabled Filters list.
2. Click Add.
The filters are moved to the Enabled Filters list.
To disable one or more filters:
1. Select the desired filters in the Enabled Filters list.
2. Click Remove.
The filters are moved to the Disabled Filters list.
Audit Settings: Smart Scan
To access this feature from a Guided Scan:
1. Click the Advanced button in the toolbar Settings group.
The Scan Settings dialog opens.
2. In the Audit Settings group in the left pane, click Smart Scan.
Enable Smart Scan
Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and
checks for known vulnerabilities against that specific server type. For example, if you are scanning a site
hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is
susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.
If you select the Enable Smart Scan option, you can choose one or more of the identification methods
described below.
Use regular expressions on HTTP responses to identify server/application types
This method, employed by previous releases of Fortify WebInspect, searches the server response for
strings that match predefined regular expressions designed to identify specific servers.
Use server analyzer fingerprinting and request sampling to identify server/application types
This advanced method sends a series of HTTP requests and then analyzes the responses to determine
the server/application type.
Custom server/application type definitions (more accurate detection)
If you know the server type for a target domain, you can select it using the Custom server/application
type definitions (more accurate detection) section. This identification method overrides any other
selected method for the server you specify.
1. Click Add.
The Server/Application Type Entry window opens.
2. In the Host field, enter the domain name or host, or the server's IP address.
3. (Optional) Click Identify.
Fortify WebInspect contacts the server and uses the server analyzer fingerprinting method to
determine the server type. If successful, it selects the corresponding check box in the
Server/Application Type list.
Note: Alternatively, if you select the Use Regular Expressions option, enter a regular
expression designed to identify a server. Click to insert regular expression notations or to
launch the Regular Expression Editor (which facilitates the creation and testing of an
expression).
4. Select one or more entries from the Server/Application Type list.
5. Click OK.
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this computer, click the link above and an email window opens with the
following information in the subject line:
Feedback on User Guide (HPE Security Fortify WebInspect Enterprise 16.20)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to HPFortifyTechPubs@hpe.com.
We appreciate your feedback!