WebInspect scan on Dynamics 365

Hello. I am new to using Fortify WebInspect and need some guidance (if available) on conducting a basic scan of an application in Dynamics 365.

I can't get the login macro to record properly (and WebInspect won't allow me to use the good macro recorded with the Web Proxy tool). The macro still saves and the scan continues. But the scan never stops (runs for 10 hours until I force it to stop).

I have tried running both a Basic Scan and a Guided Scan with no success. Are there any special settings I can or should set to get the scan to stop looping through the site tree in Dynamics 365?

Any advice is greatly appreciated. Thanks!
  • Verified Answer

     Take a look at the following resources for additional information/assistance:

    • https://community.microfocus.com/t5/Fortify-User-Discussions/WebInspect-Scan-Configuration-Tricks-and-Best-Practices/m-p/1587049
    • Sessions Exclusions:
      • Example 1:
        • To prevent identical, dynamic folders from being added to the scan length, yet include some variants (1 through 13) in the scan for security coverage. If directories are all of the form: "/psp/ps_1/", "/psp/ps_2/", "/psp/ps_44/", et al.
        • excluded URL = /psp/ps_(([1][4-9])|([2-9][0-9]))/
        • version for also excluding 3-digit folders = /psp/ps_(([1][4-9])|([2-9][0-9])|(\d\d\d))/
      • Example 2:
        • Regex = \/products\/(?!\wa)\w\w\/
        • Scenario: This is specific to this /products/ folder structure. It will cause all of them to be omitted by WebInspect, except for those folder names with the letter "a" in the second position. I chose "a" arbitrarily, but you could alter this easily by replacing the "a" character in the regex with your desired character.
    • Inclusive Exclusions as mentioned in this KB - https://softwaresupport.softwaregrp.com/doc/KM03228261

    Also, make sure you have the following configured:

    • Perform redundant page detection - Edit > Current or Default Scan Settings > General
  •  I checked the box for "Perform redundant page detection" and that made a significant difference in the scan time. The scan was able to completely finish. Thank you very much for the tip!

  • Awesome news. If you would, go ahead and accept the above as the solution to your issue.
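
An added example, not part of the original thread: a quick coverage check for the session-exclusion regexes discussed in the verified answer, run over constructed sample paths before the patterns go into scan settings. It assumes the patterns are applied as unanchored searches against the URL path; the helper names and sample paths are hypothetical.

```python
import re

# Assumption: exclusion patterns are applied as unanchored searches against the
# URL path (re.search here); confirm against your own WebInspect scan settings.
TWO_DIGIT = re.compile(r"/psp/ps_(([1][4-9])|([2-9][0-9]))/")
TWO_OR_THREE_DIGIT = re.compile(r"/psp/ps_(([1][4-9])|([2-9][0-9])|(\d\d\d))/")
PRODUCTS = re.compile(r"\/products\/(?!\wa)\w\w\/")
# Same alternatives without the outer group: "|" now splits the whole pattern
# into "/psp/ps_1[4-9]" OR "[2-9][0-9]/", so the second half matches anywhere.
UNGROUPED = re.compile(r"/psp/ps_([1][4-9])|([2-9][0-9])/")

# Constructed sample paths, not taken from any real site.
SAMPLE_PATHS = [
    "/psp/ps_1/home", "/psp/ps_13/home", "/psp/ps_14/home", "/psp/ps_44/home",
    "/psp/ps_99/home", "/psp/ps_123/home", "/products/ca/list",
    "/products/us/list", "/reports/2023/summary", "/api/v42/items",
]

def excluded_paths(pattern, paths):
    """Paths the scanner would skip under this exclusion pattern."""
    return [p for p in paths if pattern.search(p)]

def unintended_exclusions(pattern, paths, target_prefix):
    """Excluded paths outside the folder the rule targets (lost scan coverage)."""
    return [p for p in excluded_paths(pattern, paths)
            if not p.startswith(target_prefix)]

if __name__ == "__main__":
    rules = [
        ("two-digit", TWO_DIGIT, "/psp/"),
        ("two-or-three-digit", TWO_OR_THREE_DIGIT, "/psp/"),
        ("products", PRODUCTS, "/products/"),
        ("ungrouped", UNGROUPED, "/psp/"),
    ]
    for name, pattern, prefix in rules:
        print(name, "excludes:", excluded_paths(pattern, SAMPLE_PATHS))
        print("  outside", prefix, "->",
              unintended_exclusions(pattern, SAMPLE_PATHS, prefix))
```

Any path reported as an unintended exclusion is a page the scan would silently skip, so review that list against the site tree before relying on the rule.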