Salesforce Webinspect Scan

Is it possible to scan a Salesforce web application with Webinspect? Is there a particular way the scan should be set up or is it the same as a normal scan?

Parents
  • The potential issue with such an application is the massive redundancy. 

    The WebInspect scan settings include a "perform redundant page detection" option which is disabled by default so definitely check that, however the logic behind that may not be able to sufficiently tell whether the content of one post or contact details or what have you is essentially the same as another, so your best option in a case like this would be to first run a crawl only to map the attack surface - basically see what's what. 

    Take a look at what you get - and you may need tp stop the scan if it seems the crawler is running down a black hole somewhere - and build exclusions to tell WebInspect what to skip on your next iteration (which must be a new scan, btw, not a continuation of the current scan).  Another thing to look for is whether the application responds with a 200 to requests for non-existent pages, in which case you will definitely wish to craft a custom File Not Found signature to allow WebInspect to detect them at scan time.

    It's an iterative process that will take some time andf effort to complete, but the results in terms of performance of the final scan will be worthwhile.

Reply
  • The potential issue with such an application is the massive redundancy. 

    The WebInspect scan settings include a "perform redundant page detection" option which is disabled by default so definitely check that, however the logic behind that may not be able to sufficiently tell whether the content of one post or contact details or what have you is essentially the same as another, so your best option in a case like this would be to first run a crawl only to map the attack surface - basically see what's what. 

    Take a look at what you get - and you may need tp stop the scan if it seems the crawler is running down a black hole somewhere - and build exclusions to tell WebInspect what to skip on your next iteration (which must be a new scan, btw, not a continuation of the current scan).  Another thing to look for is whether the application responds with a 200 to requests for non-existent pages, in which case you will definitely wish to craft a custom File Not Found signature to allow WebInspect to detect them at scan time.

    It's an iterative process that will take some time andf effort to complete, but the results in terms of performance of the final scan will be worthwhile.

Children
No Data