Scans started with pure REST API calls run wild too easily: they scan domains outside of the predefined domains and there is no way they can be tamed robustly. This is why I consider using the WebInspect REST API really risky now, and I would like to see changes that make it robustly impossible to reach domains outside the predefined whitelist of domains.
The documentation and naming of parameters add to the risk here:
- StartUrl: this is not the start URL but a hostname with port number and HTTP protocol, so no URL path should be here.
- ScopedPaths: only used when ScopedPath is Children; no error if used when ScopedPath is not Children.
- AllowedHosts: this list does not keep the scan in check in case there are extra domains in the webmacro; webmacros cannot be inspected via the REST API, because they are encrypted.
Solution for now: add all allowed hosts to the Windows HOSTS file on the server with WebInspect so that they resolve to the right IP address, and all other domains to localhost, so the scan won't touch domains outside the allowed hosts list. Please advise.
Please correct me if I am wrong here or we overlook some setting that robustly blocks out-of-scope HTTP requests. I am not a WebInspect expert, just a developer using the REST interface.
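As an added example (not part of the original post and not WebInspect's own API), a small pre-flight check a REST client could run before starting a scan: it enforces the StartUrl shape described above (scheme, host and port only), flags URLs whose host is not in AllowedHosts (for example from a proxy log of a scan), and renders the HOSTS entries for the workaround. The host names and addresses are constructed; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample input: the hosts a scan may touch and the addresses they
# should resolve to on the WebInspect server (the HOSTS-file workaround).
ALLOWED = {"app.example.test": "10.0.0.10", "api.example.test": "10.0.0.11"}


def start_url_problem(start_url: str) -> str:
    """Return "" if StartUrl is scheme://host[:port] only, else the reason it is not.

    The post notes that StartUrl is a hostname with port and protocol, not a URL
    with a path, so anything beyond scheme, host and port is rejected here.
    """
    u = urlsplit(start_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return "StartUrl needs an http(s) scheme and a hostname"
    if u.path not in ("", "/") or u.query or u.fragment:
        return "StartUrl must not carry a path, query or fragment"
    return ""


def normalise_start_url(start_url: str) -> str:
    """Rewrite a valid StartUrl to scheme://host:port with an explicit port."""
    problem = start_url_problem(start_url)
    if problem:
        raise ValueError(problem)
    u = urlsplit(start_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return f"{u.scheme}://{u.hostname}:{port}"


def in_scope(url: str, allowed_hosts) -> bool:
    """True if the URL's host is one of the allowed hosts (case-insensitive)."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


def out_of_scope(urls, allowed_hosts) -> list:
    """Return the URLs that leave the allowed host list, e.g. from a proxy log."""
    return [u for u in urls if not in_scope(u, allowed_hosts)]


def hosts_entries(mapping) -> list:
    """Render HOSTS-file lines pinning each allowed host to its intended address."""
    return [f"{ip}\t{host}" for host, ip in sorted(mapping.items())]
```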