Absent Member.

CAPTCHA in website

My first page is a login name + password & a CAPTCHA.


How can I do a scan on this?


Any doc or step I can follow?


Thanks


DC

0 Likes
Absent Member.

You have a few options:


1) Record Web Form Values and mark the CAPTCHA input as 'interactive' and use that WebFormValuesFile for your scan, that way you'll be prompted for the value when it's necessary. Means you need to "baby-sit" the scan.


2) Check the 'Prompt for web form values during scan (interactive mode)' checkbox and NOT use a WebFormValuesFile for your scan, that way you'll be prompted to input a value (or skip the form) for any forms encountered during the scan. When scanning in Interactive Mode, if you get a blank screen in the Web Form Value Input Dialog, press the skip button.


4) Have developers turn off/bypass CAPTCHA functionality for the IP you are scanning from. Pretty crude way to deal with it, but this is often done for performance testing. Of course, you won't be testing the CAPTCHA functionality in terms of security by doing this.


 


In terms of reading material, you could Read The Manual, read official training course material, and search this forum for 'CAPTCHA'.

0 Likes
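For the option of having developers bypass the CAPTCHA for the scanner's IP, this is one way the application side could make that decision. It is an added example, not part of the original reply and not WebInspect or Micro Focus code; the names `SCANNER_ALLOWLIST`, `BYPASS_ENVIRONMENTS` and `captcha_required` are hypothetical and the address is a constructed documentation-range value.

```python
import ipaddress

# Assumed values for illustration: documentation-range address, hypothetical names.
SCANNER_ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]
BYPASS_ENVIRONMENTS = {"test", "staging"}  # the bypass is never honoured in production


def _normalize(peer_ip):
    """Parse the socket peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def captcha_required(peer_ip, environment, audit_log=None):
    """Return True when the login handler must verify the CAPTCHA.

    peer_ip is the TCP peer address taken from the connection itself, not
    from X-Forwarded-For or any other header the client can set.
    """
    if environment not in BYPASS_ENVIRONMENTS:
        return True
    try:
        addr = _normalize(peer_ip)
    except ValueError:
        return True  # unparseable address: fail closed and keep the CAPTCHA
    for net in SCANNER_ALLOWLIST:
        if addr.version == net.version and addr in net:
            if audit_log is not None:
                # Record every bypass so a forgotten allowlist entry is visible.
                audit_log.append(("captcha_bypass", str(addr), environment))
            return False
    return True
```

If the application sits behind a reverse proxy, the peer address is the proxy's, so the allowlist check has to run at the proxy or rely on a header that only that proxy can set.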
Ensign

I tried with the options mentioned, made the field interactive, and read from a file. But the script never stopped or did not ask to enter the CAPTCHA interactively. Does any other setting need to be updated?

I have a trial license.

0 Likes
Micro Focus Expert

Make sure the field name is correct as mentioned in the user guide - https://www.microfocus.com/documentation/fortify-webinspect/2010/WI_Help_20.1.0/index.htm#InteractiveScans.htm

There is another workaround that may help if this one does not - https://softwaresupport.softwaregrp.com/doc/KM03693372

0 Likes
Ensign

For the CAPTCHA I don't have a file. I made the field interactive, and selected that field as interactive. The application UI never showed up. My settings seem to be correct as described or suggested in the community response.

0 Likes
Micro Focus Expert

In order to set up the Interactive Mode for a WebInspect scan, you must record or enter the input field's name and a dummy value into a web forms input file.  That field must also be marked as "Interactive".  Once generated, that file must be specified in the Scan Settings Method panel, under the Navigation block.  And you must then also enable the two bullet/checkboxes below to enable the Interactive Mode.  This is detailed in the User Guide at this page, https://www.microfocus.com/documentation/fortify-webinspect/2010/WI_Help_20.1.0/index.htm#InteractiveScans.htm

Overall, you will end up with a "mostly automated" scan you need to "babysit". If and when that tagged input field is encountered, a browser window will be opened, asking for your human input. Once you submit that, the scan will proceed. Technically only the single Thread that encountered that tagged field will be Paused waiting on your input. The other Requestor Threads operate with their own session state (default configuration) and they will continue scanning in the background, unabated, until or unless they also encounter that tagged input field.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes