Dear Sir or Madam,
We do testing in a manual step-mode way, since our applications are way too complex to perform automated crawl&audit routines.
We want to automate the setup of scans by allowing our testusers to set up their tests on their own.
Therefore, we want to realise the following setup:
PC of Testuser --> Webserverportal (PHP-coded page constructing the call for setting up Proxy and starting Scan) --> Webinspect-Server running the API.
With regard to the Kerberos auth, the Webserver is enabled to delegate the Kerberos auth, so that the Webserver hands over the Kerberos ticket on behalf of the user's PC to the WI-Server.
(For detailed information on Kerberos double-hop authentication, please refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)
When a scan is needed, the user calls the webportal page, which then constructs the calls for the scanner and copies a browser to a directory.
The Browser is a portable app. The portable Browser is configured to use the Webinspect-Server as proxy. After the scan has been started, the User tests the application in step mode and WI records all data.
We use Kerberos for authentication purposes throughout the whole system end-to-end.
I know that, according to the documentation, the GUI can handle Kerberos Authentication - but can the wi.exe or the http-call handle Kerberos auth?
Testing the web will be done using the GPO-Objects the user who performs the test is granted. The analyze routine needs to run under the user credentials of the testing user.
At the time being, I run the analyze routine with my credentials, but I am granted full access to everything since I am granted Admin-Rights, but we want to automate this as well.
Is there a more thorough documentation available for the API than that included inside the API?
Which service can I enable in my AD-Settings for being allowed to use Kerberos double-hop authentication?
Is the Webinspect API the right one (if I am not mistaken, the WI-API acts as a service)?
Any input would be highly appreciated. Thank you very much for your kind help in advance,