Login macro recorder fails to display page with IE rendering

Situation: Recently updated WebInspect to  The application to be scanned requires IE. Login macro recorder successfully displays site, allows me to record a macro and complete the login process.  During playback, however, the page is never displayed.  I can see the http requests and responses in the lower right pane, but nothing in the upper pane that should show browser rendering.  The macro stops on a page that it says is "protected", which I understand is due to WebInspect having identified that as the page where it will look for a logout condition.  When it asks if the macro played correctly, there's no real way for me to proceed.  If I choose "Yes" it can't find a logout condition and I can't see anything to select as a candidate.  In short, no way to proceed or get the macro to save.

I appreciate any insights.

  • Mel:

    As always the first item that always comes to mind is have you contacted HP WebInspect Technical Assistance Team?  Now having asked that I can say I have not personally seen this, and it does make me say "hmmm".

    When I teach the HP WebInspect training for HP, I always ask my students have they attempted the MACRO Recording using both the IE and the Firefox renderings?  I do understand the need for you to preform this within the IE version, but by attempting to do the same with Firefox, you are able to see if there are differences.  If you get the same issue then it could be a bug.

    Additionally are you using the Login Record independent of the scan or as part of establishing a scan?  This also can play an affect in the outcome.

    Hope these items give more thought to the problem.

    Joel E. Natt CISSP, CRISC
    Hewlett-Packard Enterprise Software Education
    Exam Development Lead – Hewlett-Packard Enterprise Software

    Trainer – HP Software Education – Fortify, TippingPoint


    Get Training: http://www.hpenterprisesecurity.com/university

    Get Certified: http://h10120.www1.hp.com/ExpertOne/certification_program_overview.html

  • Unfortunately, Firefox is a complete non-starter for this app.  Even attempting to reach the start page, the server returns the message that "Netscape" is unsupported and it goes no further.  And I do get the same behavior whether the login macro recorder runs from within the setup for a guided scan or standalone; no difference.

    I did get a scan going, though this is not a full solution to the problem.  On the page the login macro recorder declared "protected", I manually entered a logout condition with a regex that just says "logout", which is the keyword that actually does appear at the top of the page.  When playing back the macro, I still can't see the page, but it does say it detected a valid logout condition.  I am unable to explore any links to broaden the scope of the scan.  But I just went ahead and launched the scan and it is, indeed, exploring on its own and finding things.  This is still a messed up situation, but minimally functional.

  • Mel;

    I agree with Joel and would switch to using the standalone Login Macro Recorder in the IE rending mode for this.  Trying to trouble-shoot this inside of the Scan Wizard might be messy.  Better to have the artifact ready when entering the Scan Wizard.

    Once you have gotten it recorded to the Logged In screen, click one or two additional pages.  The Replay may be failing to get to that last page, so this may give it more to proceed to.  I believe the tool's setting permit you to run this through the Web Proxy tool or your favored intercept proxy, should you wish to monitor this.

    Separately, you could use IE and the Web Proxy to get the macro recorded.  You would want to proceed from the first page through to being logged in, and then one or two pages internally.  Stop the Web Proxy, trim out any extraneous Sessions, then use the File menu > Create Macro.  In the resulting dialogue, select Login Macro, and provide it a simple Regex such as "STATUSCODE[302] AND [HEADERS]login.aspx".  There had been a defect here where you could not put in complex regex that included OR.  Change the file's expected name from Sessions.webmacro to something that makes sense for you and save it.  Locate that file in Explorer and double-click it, and the Login Macro Recorder will open with the IE rendering engine selected.  Now you can inspect the recordings more, Replay it, and even adjust the Logout Condition as needed.

    You noted that your Logout Condition was the Logout button, but that sounds wrong.  The Logout Condition is supposed to be the unique text that may be found in the HTTP Response as the application is logging you out.  Traditionally this would be a redirect to the login page, but it can be all manner of things, thus the freedom to define multiple Logout Conditions (all used with Boolean OR).  Any one of those would trigger the scanner to rerun its Login Macro.

    Additionally, if you suspect custom state-keeping variables on the authentication/site, you will want to check that inside of the Macro.  For the IE rendering engine, select one of the sessions below and then switch to the State tab on the right side.  This will show all the parameters recorded, and session-related items such as Cookies will have a check mark.  You will want to add the check mark for any other forms that are state-keeping, so the Replay of the macro understands not to use the original value but to instead update in real-time.

      Similarly, you will need to manually Add this same parameter(s) to the scan's settings, under the HTTP Parsing settings panel > top field for state-Keeping.  this action declares to the scanner as a whole that it should manage the values provided for this special parameter throughout the live scan.  Items declared here will also not be Audited as heavily as "normal" parameters encountered, although they still will have some minor probes.  Usually, a state-keeping parameter will just drop session state if fuzzed, so really testing it can just waste time!

    Besides all this pre-work, the scanner itself may identify itself as Firefox via the User-Agent header.  To modify this, you must open the Default Scan Settings > Cookies/Headers panel, and Add your own customer header, e.g. "User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

       Ref:  UserAgentString.com - List of Internet Explorer User Agent Strings

  • Thanks, Hans; very helpful.  I still can't see any site rendering in the guided scan setup.  But I can import locations captured through the proxy.  Strange behavior; I'd call it a bug.  But this is better.


  • If you enable the Traffic Monitor scan setting or run the scan through Web Proxy, you can verify the sessions played during the actual scan.  Below is the order of the sessions you should encounter.

    1. Handful of initial dummy WebInspect probes. (FNF, minor DDoS, Bad option)
    2. Any Login Macro defined.
    3. Any workflow or Start Macros defined/imported.
    4. Actual scan.

    With any Pause/Resume of the scan, you will see the Login Macro (if defined) and then the resumption of the scan sessions.

    Both the Traffic Monitor and Web Proxy can be enabled in in the Scan Wizard, or even mid-scan as follows.

    1. Pause the scan.
    2. Open the Edit menu > Current Scan Settings.
    3. Make the modification.  (Web Proxy is a separate program to open and start.)
    4. Resume the scan.

    Reverse this process when you tire of having the monitoring function in use.