Learner_7 (Respected Contributor)

Application password changes in between WebInspect scan

Dear All,

I am using WebInspect 10.50.

Recently, I faced this situation:

An application scan was initiated in WebInspect. It was an authenticated scan for which a login macro was recorded.

Once the scan was completed, my team started validating the findings. We found that each and every issue turned out to be a false positive. Then we realised that the application team had changed the password.

Then the credentials of the application were updated. After making the changes in the login macro, we still found that all the findings came out as false positives when retesting the vulnerabilities in WI. A manual retest proved that the issue was a genuine one.

My question is: does the tool incorporate the new credentials while the scan is going on? What is the best way to deal with such a scenario?

Micro Focus Expert

Re: Application password changes in between WebInspect scan

WebInspect expects to be able to stay logged in with a valid account. It will not brute force the login and it will not change the credentials it is using in mid-scan.

It sounds as if the scanner is coming across an administrative page during the scan and changing the logon credentials, e.g. a User Account Self-Management screen. If this is the case, you will want to define a Session Exclusion scan setting to have WebInspect avoid that page altogether. This might be a straightforward URL exclusion such as {URL}+{matches}+{"/foo/foo2/ChangePassword.do"}, or you might try other available options such as Request or Parameter exclusions.

If the issue is that the Login Macro has one set of credentials, but someone is changing the credentials between scans, then you may want to investigate the Parameters option in the Login Macro Recorder. You can set any input (Username, Password, Host Name, et al.) as a Parameter. When using such a Login Macro, the WebInspect scan wizard will display the Input Parameter names you designed, permitting the scanner user to input the credentials-of-the-day for this scan. If the user leaves those scan wizard fields empty, then the originally recorded credentials of the Login Macro will be used.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
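An added example, not from this thread and not WebInspect's own code: a small triage script over a scan's request log that finds the point where the authenticated session was lost (the scenario above, where the scanner lands on a change-password page and every later request bounces to the login page) and lists the findings recorded after it, so they can be queued for manual retest instead of being written off as false positives. The log format, the `/Login.do` pattern, the three-redirect heuristic and the regex-style exclusion check are all assumptions; WebInspect's own logout detection and exclusion syntax differ.

```python
import re
from dataclasses import dataclass

@dataclass
class Entry:
    seq: int        # position in the scan's request order
    url: str
    status: int
    location: str   # Location header on a redirect, "-" if none
    finding: str    # issue the scanner attached to this request, "-" if none

# Constructed log: the scanner hits a change-password page (seq 3-4), then
# every following request bounces to the login page.
LOG = """\
1 /account/Home.do 200 - -
2 /orders/List.do?id=7 200 - SQL-Injection
3 /account/ChangePassword.do 200 - -
4 /account/ChangePassword.do 302 /account/Home.do -
5 /orders/List.do?id=8 302 /Login.do -
6 /orders/View.do?id=9 302 /Login.do Reflected-XSS
7 /reports/Export.do 302 /Login.do Path-Traversal
"""

def parse_log(text):
    entries = []
    for line in text.splitlines():
        seq, url, status, loc, finding = line.split()
        entries.append(Entry(int(seq), url, int(status), loc, finding))
    return entries

def session_lost_at(entries, login_re=r"/Login\.do$", streak=3):
    """Seq of the first response in a run of `streak` consecutive redirects to
    the login page (a single bounce can be legitimate), or None."""
    run = 0
    for i, e in enumerate(entries):
        bounced = e.status in (301, 302, 303, 307) and re.search(login_re, e.location)
        run = run + 1 if bounced else 0
        if run == streak:
            return entries[i - streak + 1].seq
    return None

def suspect_findings(entries, **kw):
    """Findings raised from the session-loss point on were tested while logged out."""
    cutoff = session_lost_at(entries, **kw)
    return [] if cutoff is None else [e.finding for e in entries
                                      if e.seq >= cutoff and e.finding != "-"]

def would_exclude(entries, pattern):
    """URLs an exclusion pattern (regex here; WebInspect's own syntax differs) skips."""
    return [e.url for e in entries if re.search(pattern, e.url)]
```

Running `would_exclude(parse_log(LOG), r"/ChangePassword\.do")` shows which requests a Session Exclusion on that page would have kept out of the scan.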