Scan using Google Chrome Browser

Hi Team,

 

As per the requirement, we have to perform scan using Google Chrome. When I have started the Manual Scan, by default IE is getting opened and unable to create a login macro using Chrome.

 

Could anyone please advice on how to conduct the scan using Chrome Browser and what kind of settings are required.

Tags:

  • For the Manual Step-Mode crawl, you must understand that WebInspect defaults to running a localhost Web Proxy on a dynamic port.  It spawns an instance of MSIE pre-configured automatically for that dynamic port on localhost.  You will not be able to tell what port this is, and so you will not be able to manually configure your alternative browser (Chrome, Firefox, et al) to use it.

     

    This default behavior can be changed.  In WebInspect, open the Edit menu > Application Settings > Step-Mode panel.    Remove the check box for "Automatically Assign Port", and then set a specific Port number you feel will not have any conflicts on your localhost, e.g. 8081.  Click the OK button to save this configuration.

      From now on (or until you reset the Application Settings to Factory Defaults), whenever you launch a Manual Step-Mode scan, the Web Proxy port that will be running will be on that static port you assigned (e.g. 8081).  So long as you leave the spawned MSIE window open and minimized, the Step-Mode scan will still be "Recording" mode.  You then launch Chrome and manually set its Proxy to 127.0.0.1:8081 (assuming the example above), and you can now scan with WebInspect using Chrome.  When finished with the manual phase, close the MSIE window and in the WebInspect UI click the Finish button shown at the top of the Site Tree pane.

     

    You could always go back into Manual Step-Mode mode later by selecting the Step-Mode button found below the Site Tree pane.

     

     

    One additional setting I omitted in discussing the Application Settings for Step-Mode was its "Default Audit Mode".  Normally this is set to "Manual Audit", or you could set it to "Audit as you browse".  Due to dynamic session management, I find it generally best to leave it as the default and only manually trigger the Audit phase after I have Finished the Manual Step-Mode phase, using the Audit button found at the toolbar area of WebInspect's UI.

     

    From the Help guide:

    • Audit as you browse: While you are navigating a target Web site, WebInspect concurrently audits the pages you visit.
    • Manual Audit: This option allows you to pause the Step Mode scan and return to WebInspect, where you can select a specific session and audit it.

     

     

     

    When I first read your post's title, I thought you wanted to run an automated scan of a site with the Chrome browser.  Let me answer that item separately for those readers who are looking for that.

     

    WebInspect identifies itself using a User-Agent header.  To change the WebInspect "browser", simply edit your User-Agent header to the desired value.  This is found under the Edit menu > Default Scan Settings > Cookies/Headers panel > User-Agent header.  You will need to look-up and paste in the user-agent string for your desired browser, as they are not listed in WebInspect.  To some extent WebInspect will also pantomime the browser identified, to get around scripted probes that test more than just the header, but this may have limitations.

     

    This User-Agent trick can be very interesting for web applications that provide a mobile browser interface, as the results of scanning the mobile site may be drastically different than scanning the normal, "more secured" site.  Since WebInspect can only handle a single User-Agent per-scan, you could run two scans with separate User-Agents set and then combine or contrast their results using the Reports engine (Aggregate, Trend, Scan Difference), or the Scan Compare feature in the WebInspect toolbar.


  • I have attemped to use both methods as described in this thread but seem to be unable to scan a web site optimized for google chrome.

    I have attempted a number of User-Agent strings but they seem to fail.  I have used the same strings in Fire with success.

    The goal is to use webinspect to analyze the site with user credentials however I am unable to get to the login as any connection attemp results in an usupported browser message.

  • In this case it may be that the target application is testing something in the background to re-verify the offered User-Agent, and WebInspect is not responding appropriately.  By studying the background activity (Chrome with Web Proxy) you may be able to identify what this is and devise a work-around within WebInspect's scan settings.  Otherwise, you may want to have our Development/Support team assist you with this investigation.

     

     

    How to contact Fortify Support:   http://h30499.www3.hp.com/t5/WebInspect/How-to-contact-HP-ASC-Customer-Support/m-p/2394765#M141