Application password changes in between WebInspect scan

Dear All 

I am using WebInspect 10.50. 

Recently, I faced this situation- 

An application scan was initiated in WebInspect. It was an authenticated scan for which login macro was recorded. 

Once the scan got completed, my team started validating the findings. We found that each and every issue was a false positive. Then we realised that the application team had changed the password. 

Then the credentials of the application were updated. After making the changes in the login macro, we still found that all the findings were false positives while retesting the vulnerability in WI. Manual retest proved that the issue was a genuine one. 

My question is - Does the tool incorporate the new credentials while the scan is going on? What is the best way to deal with such a scenario?


  • WebInspect expects to be able to stay logged in with a valid account. It will not brute force the login and it will not change the credentials it is using in mid-scan.

    It sounds as if the scanner is coming across an administrative page during the scan and changing the logon credentials, e.g. a User Account Self-Management screen. If this is the case, you will want to define a Session Exclusion scan setting to have WebInspect avoid that page altogether. This might be a straightforward URL exclusion such as {URL} {matches} {"/foo/foo2/ChangePassword.do"}, or you might try other available options such as Request or Parameter exclusions.

    If the issue is that the Login Macro has one set of credentials, but someone is changing the credentials between scans, then you may want to investigate the Parameters option in the Login Macro Recorder. You can set any input (Username, Password, Host Name, et al.) as a Parameter. When using such a Login Macro, the WebInspect scan wizard will display the Input Parameter names you designed, permitting the scanner user to input the credentials-of-the-day for this scan. If the user leaves those scan wizard fields empty, then the originally recorded credentials of the Login Macro will be used.
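The failure mode in this thread (every retest "not reproduced" because the scanner was silently logged out) is cheap to detect from the retest traffic itself. The following is an added example, not code from the thread or from WebInspect: it triages a batch of retest responses by whether they actually reached the application or only the login page, and checks a crawl log against exclusion patterns like the change-password path above. The login path, the password-field signature and the sample responses are all assumed/constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Response:
    """One retest response taken from the scan log (constructed for this example)."""
    url: str
    status: int
    location: str = ""
    body: str = ""


# Hypothetical signature of the target's login page; adjust per application.
LOGIN_PATH = "/login"
PASSWORD_FIELD = re.compile(r'<input[^>]+type="password"', re.I)


def session_lost(resp: Response) -> bool:
    """True when a retest landed on the login page instead of the tested page.
    A 'not reproduced' verdict on such a response says nothing about the finding."""
    if resp.status in (301, 302, 303, 307) and LOGIN_PATH in resp.location:
        return True
    return resp.status == 200 and PASSWORD_FIELD.search(resp.body) is not None


def triage(responses: List[Response]) -> Dict[str, object]:
    """Split retests into authenticated ones and ones that only saw the login page."""
    lost = [r.url for r in responses if session_lost(r)]
    if lost and len(lost) == len(responses):
        verdict = "session_lost"      # every retest was unauthenticated: re-run the scan
    elif lost:
        verdict = "partial_loss"      # session dropped mid-batch, e.g. after a logout/password page
    else:
        verdict = "authenticated"
    return {"verdict": verdict, "unauthenticated": lost}


# Paths the crawler must never request, mirroring a Session Exclusion such as
# {URL} {matches} {"/foo/foo2/ChangePassword.do"} (example path from the thread).
EXCLUSIONS = [re.compile(p, re.I) for p in (r"ChangePassword\.do$", r"/account/password$")]


def excluded_hits(crawled_urls: List[str]) -> List[str]:
    """URLs in the crawl log that an exclusion rule should have blocked; any hit is a
    candidate reason for the scanner having changed its own credentials mid-scan."""
    return [u for u in crawled_urls if any(p.search(u) for p in EXCLUSIONS)]
```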