Kerberos auth using wi.exe and HTTP calls for starting a scan routine in command-line mode.

Dear Sir or Madam;

We do testing in a manual step-mode way, since our applications are way too complex to perform automated crawl & audit routines.
We want to automate the setup of scans by allowing our test users to set up their tests on their own.
Therefore, we want to realise the following setup:

PC of test user --> web server portal (PHP-coded page constructing the call for setting up the proxy and starting the scan) --> WebInspect server running the API.

With regard to the Kerberos auth, the web server is enabled to delegate the Kerberos auth,
so that the web server hands over the Kerberos ticket on behalf of the user's PC to the WI server.
(For detailed information on Kerberos double-hop authentication,
please refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)

When a scan is needed, the user calls the web portal page, which then constructs the calls for the scanner and copies a browser to a directory.
The browser is a portable app. The portable browser is configured to use the WebInspect server as proxy. After the scan has been started, the user tests the application in step mode and WI records all data.
We use Kerberos for authentication purposes throughout the whole system end-to-end.

I know that, according to the documentation, the GUI can handle Kerberos authentication - but can wi.exe or the HTTP call handle Kerberos auth?

Testing the web will be done using the GPO objects the user who performs the test is granted. The analyze routine needs to run under the user credentials of the testing user.
At the time being, I run the analyze routine with my credentials, but I am granted full access to everything since I am granted admin rights, and we want to automate this as well.

Is there a more thorough documentation available for the API than that included inside the API?

Which service can I enable in my AD settings to be allowed to use Kerberos double-hop authentication?
Is the WebInspect API the right one (if I am not mistaken, the WI API acts as a service)?

Any input would be highly appreciated; thank you very much for your kind help in advance.

Kind regards,
HUBI-DUBI
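The double-hop setup described in this post only works if the portal web server's Active Directory account is permitted to delegate the user's Kerberos ticket, and the least-privilege form of that is constrained delegation to the WebInspect service alone. The following PowerShell snippet is an added example, not part of the original post or of any WebInspect/Fortify tooling; it audits the relevant delegation attributes on the portal server's computer account. The host name `PORTALWEB01` and the SPN `HTTP/wiserver.example.local` are assumed placeholders.

```powershell
# Added example (not from the original post): audit the Kerberos delegation
# settings of the portal web server's computer account, so the double-hop is
# limited to the WebInspect service (constrained delegation) rather than
# granting unconstrained delegation. Host and SPN values are assumptions.
Import-Module ActiveDirectory

$portalHost   = 'PORTALWEB01'                      # assumed: portal web server computer name
$expectedSpns = @('HTTP/wiserver.example.local')   # assumed: SPN of the WebInspect API host

$acct = Get-ADComputer -Identity $portalHost -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Unconstrained delegation lets the portal impersonate users to ANY service;
# it should not be enabled for this scenario.
if ($acct.TrustedForDelegation) {
    Write-Warning "$portalHost is trusted for UNCONSTRAINED delegation; prefer constrained delegation to the WI service only."
}

# Constrained delegation: the list of target SPNs the portal may forward tickets to.
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if (-not $allowed) {
    Write-Output "$portalHost has no constrained delegation targets; the Kerberos double-hop to the WI server will fail."
} else {
    Write-Output "Constrained delegation targets for ${portalHost}:"
    $allowed | ForEach-Object { Write-Output "  $_" }
    $missing = $expectedSpns | Where-Object { $allowed -notcontains $_ }
    if ($missing) {
        Write-Warning "Missing expected target(s): $($missing -join ', ')"
    }
}

# Protocol transition (S4U2Self) is only required when the portal does not
# itself receive a Kerberos ticket from the user (e.g. forms-based logon).
if ($acct.TrustedToAuthForDelegation) {
    Write-Output "Protocol transition is enabled on $portalHost; only needed if users do not authenticate to the portal with Kerberos."
}
```

Run this from a host with the RSAT ActiveDirectory module as an account allowed to read the computer object. A clean result for the setup in the post is: unconstrained delegation off, the WebInspect host's HTTP SPN present in `msDS-AllowedToDelegateTo`, and protocol transition off unless the portal cannot obtain a Kerberos ticket from the user's browser.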

  • HUBI-DUBI;

    I had inquired with our internal support team and only received the following response.  I doubt this scenario is currently covered out-of-the-box in WebInspect 16.10, but you might find a workaround by taking it to Fortify Support (support.fortify.com), where you can provide full details on the communication and proxy traffic involved for your target.

    <<It sounds like the issue that they need to be able to configure the proxy that they are creating via the REST API to be able to authenticate to the webserver via Kerberos. There is currently no mechanism to configure proxy authentication via the REST API, which does seem like a good new feature to add.>>