
Can I update URL and Login Credentials in existing ScanSettings.xml to be used for WebInspect scan?

Note1: I deploy my application on different DNS.

Note2: I have to execute WI scan with CLI.

Query: Can I reuse a scan settings XML file that has been created with DNS1 to run on DNS2 (with different login credentials)?

Current Trials:

I am trying to rename all the occurrences of DNS1 with DNS2 using Notepad and using the -ls option for the userId:pwd update.

Observation:

  1. It seems like replacing the DNS doesn't work, and maybe there is also a reference to the DNS in the encoded part of the scan settings XML file that cannot be replaced.
  2. The -ls option throws an error as not a valid IE session.

Should I use the -lt option for credentials to solve point #2?

Micro Focus Expert

1) Since you are parsing the XML directly, you should be able to locate the various "URL" fields within and perform a text replacement prior to running the scan. I believe there is "StartURL" that shows up in one location, if not also another instance of the Starting URL you provided. The Default Scan Settings file will not be as useful to study as an existing saved scan settings file, since that second option will provide you the actual hostname to search for. Once you know the place or places the Start URL is present in the saved XML files, then you have your guide to auto-updating the raw XML for running scans.

 

2)  The {-ls} option for dynamically replacing the Smart Credentials only works if the Login Macro specified has those fields set as Smart Credentials.  "Smart Credential" is an older term that still appears in the Login Macro Recorder tool, but only for the IE-based rendering version of the Recorder.  You must mark the username and password fields as "Smart Credentials", and then the {-ls} option should work in the CLI when specifying that Login Macro.

If instead you are using the more common Firefox-based rendering engine to create your Login Macro, where such dynamic inputs are termed "Parameters" or "Parameterized Logins", then the CLI option you will need is {-lt}. The Parameters can be defined for most any part of the web traffic, not only usernames and passwords, and so this {-lt} option provides additional details on how to specify them properly.

++++++++++++++++++++++++++++++++++++

Macro --------------------------------------------------

-macro {macro path} web macro authentication

Login Macro Parameters --------------------------------------------------

-ls "userid:pwd" smart credentials
-lt "name0:value0;name1:value1;...nameN:valueN" TruClient macro parameters

++++++++++++++++++++++++++++++++++++

 

 

As an alternative for both 1) and 2) above for the pure CLI, you might investigate the WebInspect API.  It runs at http://localhost:8083/webinspect/api, when enabled with default values, and offers samples on how to use the endpoints.  This API endpoint offers numerous Overrides when configuring a new scan, and also works great with Parameterized Logins for Login Macros.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
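
A sketch of the approach in 1), as an added example that is not part of the original reply or of WebInspect: it rewrites the hostname wherever it appears in plain element text or attributes, and reports elements whose encoded payload still names the old host, which is the kind of reference the question observed. The sample XML, every element name other than StartURL, the hostnames, and the assumption that the encoded part is base64 are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real WebInspect schema;
# only the name "StartURL" comes from the reply above.
BLOB = base64.b64encode(b"GET /login HTTP/1.1\r\nHost: dns1.example.test\r\n").decode()
SAMPLE = f"""<ScanSettings>
  <StartURL>https://dns1.example.test/app/</StartURL>
  <AllowedHost name="dns1.example.test" />
  <LoginMacro>{BLOB}</LoginMacro>
</ScanSettings>"""


def decoded(value):
    """Return the base64-decoded text, or None if value is not valid base64."""
    try:
        return base64.b64decode(value.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def retarget(xml_text, old_host, new_host):
    """Replace old_host in element text and attribute values.

    Returns (new_xml, replaced, encoded): the places that were rewritten, and
    the elements whose base64 payload (assumed encoding) still names old_host
    and was left untouched.
    """
    root = ET.fromstring(xml_text)
    replaced, encoded = [], []
    for el in root.iter():
        text = el.text or ""
        if old_host in text:
            el.text = text.replace(old_host, new_host)
            replaced.append(el.tag)
        elif text.strip() and old_host in (decoded(text) or ""):
            encoded.append(el.tag)  # a plain find-and-replace never sees this
        for key, val in list(el.attrib.items()):
            if old_host in val:
                el.set(key, val.replace(old_host, new_host))
                replaced.append(f"{el.tag}@{key}")
    return ET.tostring(root, encoding="unicode"), replaced, encoded


if __name__ == "__main__":
    out, replaced, encoded = retarget(SAMPLE, "dns1.example.test", "dns2.example.test")
    print("rewritten:", replaced)
    print("old host still present in encoded form:", encoded)
```

Anything reported in the second list still targets the old host after a text replacement, so it has to be handled separately from the plain "URL" fields.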