WebInspect REST API considered harmful

Scans started with pure REST API calls run wild too easily: they scan domains outside of the predefined domains, and there is no way they can be tamed robustly. This is why I consider using the WebInspect REST API really risky now, and I would like to see changes that make it robustly impossible to reach domains outside the predefined whitelist of domains.

The documentation and naming of parameters add to the risk here:

- StartUrl: this is not the start URL but a hostname with port number and HTTP protocol, so no URL path should be here.
- ScopedPaths: only used when ScopedPath is Children; no error if used when ScopedPath is not Children.
- AllowedHosts: this list does not keep the scan in check in case there are extra domains in the webmacro; webmacros cannot be inspected via the REST API, because they are encrypted.

Solution for now: add all allowed hosts to the Windows HOSTS file on the server with WebInspect so that they resolve to the right IP address, and all other domains to localhost, so the scan won't touch domains outside the allowed hosts list. Please advise.

Please correct me if I am wrong here or we overlook some setting that robustly blocks out-of-scope HTTP requests. I am not a WebInspect expert, just a developer using the REST interface.
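A client-side pre-flight check for the three parameter pitfalls listed in the post, as an added example that is not part of the original thread or of the WebInspect product. It assumes a flat settings dict with the keys StartUrl, ScopedPath, ScopedPaths and AllowedHosts; the real REST request schema is not shown on this page.

```python
from urllib.parse import urlsplit

# Assumption for this example: scan settings are passed as a flat dict
# keyed by the parameter names mentioned in the post. Run this before
# submitting the request so misconfigurations are caught instead of
# silently widening the scan scope.

def _hostname(value: str) -> str:
    """Normalise 'host', 'host:port' or a URL to a lowercase hostname."""
    v = value if "//" in value else "//" + value
    return (urlsplit(v).hostname or "").lower()

def check_scan_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the settings pass."""
    problems = []

    start = settings.get("StartUrl", "")
    parts = urlsplit(start)
    # StartUrl is scheme + host (+ port) only; a path, query or fragment
    # does not narrow the scan, so reject it up front.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append(f"StartUrl must be http(s)://host[:port], got {start!r}")
    elif parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("StartUrl must not carry a path, query or fragment; "
                        "use ScopedPaths for path restrictions")

    # ScopedPaths is only honoured when ScopedPath is 'Children' and the API
    # raises no error otherwise, so flag the combination explicitly.
    if settings.get("ScopedPaths") and settings.get("ScopedPath") != "Children":
        problems.append("ScopedPaths is ignored unless ScopedPath is 'Children'")

    # The start host itself must be on the allow-list (compared by hostname,
    # ignoring case and any port suffix in the list entries).
    allowed = {_hostname(h) for h in settings.get("AllowedHosts", [])}
    if parts.hostname and parts.hostname.lower() not in allowed:
        problems.append(f"StartUrl host {parts.hostname!r} is not in AllowedHosts")

    return problems

# Constructed sample request showing the mistakes described in the post.
SAMPLE = {
    "StartUrl": "https://app.example.com/login",   # path where none belongs
    "ScopedPath": "Self",
    "ScopedPaths": ["/login", "/account"],           # silently ignored for 'Self'
    "AllowedHosts": ["app.example.com", "api.example.com:8443"],
}

if __name__ == "__main__":
    for problem in check_scan_settings(SAMPLE):
        print("-", problem)
```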


The duration of a scan is not necessarily an indication that it reached outside of its intended scope. Some sites require special attention when it comes to recognizing that custom file-not-found signatures are needed (maybe the scan kept digging down paths that don't really exist in the application), or redundant page detection may need to be enabled if the site is a CMS, for example.

If the scan truly did crawl a completely separate website then I'd suggest opening a support case by sending an email to fortifytechsupport@hpe.com, because that would indeed suggest a defect that the team would most definitely want to address.