
Difficulty Level of HP Webinspect


Hi all,

 

I am new to WebInspect, I just have a quick question. How difficult is running this tool? I mean, easy or hard?

 

And one more question: what should we keep in mind when we are testing any web app in WebInspect, from the perspective of an experienced person using the WebInspect tool?

 

Please kindly respond to my questions.

 

Thanks

 

Accepted Solution
Micro Focus Expert

Dipen1;

 

I have been told that there are easier tools to use, but that WebInspect offers the most options for controlling and handling the weird live systems you will find in the wild, and it goes deeper into the analysis.  That being said, it is not hard to simply fire off a new scan.  The hard part is identifying if the site has special needs (change scan settings and repeat), if the entire application was fully tested (your knowledge of the target site versus scan settings), and in reviewing the results before signing off on them (being the expert).  The vulnerability descriptions (also accessible within the Policy Manager tool) will help you better understand whatever issues you come across.  Sometimes I find having network administration experience is more useful in running the tool than having developer training, but everything can apply at different times.

 

There is an article in the Help Guide under Getting Started called Preparing Your System For Audit.  Read that, since it warns of the dangers of shooting from the hip on a Production site.  In my experience, it is not the Audit Engines that cause trouble but the Crawler.  Its job is to exercise everything found everywhere, and that includes things like the Factory Reset button, E-mail the Helpdesk, and ChangePassword.do!  Your best option against a Production site is to start small and build up.  Our Fortify On Demand team does this every day, but only with proper preparation and communication with the site owner.

 

  1. Crawl-Only with forms submission disabled is the lightest touch.
  2. Crawl-Only with forms enabled.
  3. Crawl-and-Audit with a light scan Policy such as Safe or Quick.
  4. CnA with heavier Policy such as Developer or others.
  5. CnA with one of the Best Practices Policies such as Standard or OWASP.
  • (extra credit) CnA with a Hazardous Policy such as Assault or All Checks.  Note that All Checks takes the longest to complete and enables obsolete checks that may cause you False Positives and noise compared to our other Policies.

Additional thoughts to try:

  • Enable the Traffic Monitor or Web Proxy options in the scan wizard, and watch the scan in real-time.
  • Review the Web Form Editor tool and see if your organization has favored testing/dummy values you would want to add/edit in there and then apply your saved input file to your Default Scan Settings.  This can aid the attack surface exposure.
  • Go through the Login Macro Recorder tool and its Help to learn the tricks possible there and how to record effective login processes that can include parameterized inputs or even Challenge-Response questions.

 

For really thorough scans consider these extras:

  • Enabling the DOM Event Script Parsing under Scan Settings > Content Analyzers > JavaScript.  May want to tune down the Max Events Per Page from 1,000 to 200 or 250 at the same time.  Will lengthen the scan!
  • Download the HP Fortify Runtime installer (Java or IIS .NET) and install its WebInspect Agent option on your next target server.  This causes WebInspect to dig deeper via our IAST options (automatic), termed "WebInspect Real-Time" or "WIRT".

 

 

I would start by browsing the Default Scan Settings to understand what is available, although mostly I would expect only about 20% of those settings to pertain to any particular environment or needs.  The on-line Help Guide (F1) should be reactive to the screen you are looking at, so it actually is helpful!  Next I would browse and Search the Policy Manager tool to understand the Attack Groups available and perhaps review the different Policies there.  OWASP and WASC are excellent 3rd party resources to learn even more regarding app security issues.  You may want to jump into the Tools menu as well, especially if you have used BURP Suite before and wish to try alternatives.

 

 

 

Since you are new to HP Fortify, you will probably want to be aware of these additional resources.

 

 

HP ESP (Fortify) – www.hpenterprisesecurity.com

HP Fortify Security Public User Forums – https://h30499.www3.hp.com/t5/Application-Security/ct-p/sws-AS

HP Fortify Customers-Only Forums – protect724.hp.com/community/fortify

HP Fortify Support – https://support.fortify.com & www.hp.com/go/fortifysupport

HP Downloads – http://softwaresupport.hp.com (formerly SSO http://support.openview.hp.com)

HP ESP Training – www.hpenterprisesecurity.com/university


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

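The staged escalation in the accepted answer (crawl-only first, then forms, then audit with heavier policies) and its caveat about whether the entire application was actually tested both come down to checks you run around the scanner rather than inside it. The Python below is an added example written for this page, not code from the original post, from the Fortify team, or from WebInspect itself. It assumes you can export the crawl-only site tree as (method, URL) pairs, that the scanner accepts regex-based URL exclusions (WebInspect's Excluded URLs setting is the intended target, but the export and exclusion formats here are an assumption), and that your scan settings send a recognizable User-Agent so scanner requests can be picked out of the web server's access log. The crawl list, route inventory and log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# --- Part 1: triage a forms-disabled Crawl-Only result before escalating ---
# Constructed sample of discovered requests (not real WebInspect output); the
# (method, URL) shape is an assumption about how you export the site tree.
CRAWLED = [
    ("GET", "https://app.example.test/"),
    ("GET", "https://app.example.test/account/profile"),
    ("POST", "https://app.example.test/account/ChangePassword.do"),
    ("GET", "https://app.example.test/admin/factoryReset"),
    ("POST", "https://app.example.test/support/emailHelpdesk"),
    ("GET", "https://app.example.test/logout"),
    ("GET", "https://app.example.test/orders?id=42"),
]

# Actions the crawler would happily trigger once form submission is enabled.
DESTRUCTIVE = re.compile(
    r"(factory|reset|delete|remove|purge|wipe|password|helpdesk|mail|send|unsubscribe)", re.I)
# Links that end the authenticated session and silently turn the rest of the
# scan into an unauthenticated one.
SESSION_KILLING = re.compile(r"(logout|logoff|signout)", re.I)


def triage_crawl(crawled):
    """Split crawl results into (safe, risky).  Each risky entry carries a reason
    and an exclusion regex to load into the scanner's URL exclusion list
    (assumption: per-URL regex exclusions are supported) before you move on to
    Crawl-Only with forms enabled or to Crawl-and-Audit."""
    safe, risky = [], []
    for method, url in crawled:
        path = urlsplit(url).path
        if SESSION_KILLING.search(path):
            reason = "kills the authenticated session; exclude and rely on the login macro"
        elif DESTRUCTIVE.search(path) or method.upper() != "GET":
            reason = "state-changing action; exclude on Production or point it at a test account"
        else:
            safe.append((method, url))
            continue
        risky.append({"method": method, "url": url, "reason": reason,
                      "exclude_regex": re.escape(path) + r"(\?.*)?$"})
    return safe, risky


# --- Part 2: after Crawl-and-Audit, check coverage against your own route list ---
# Constructed Apache combined-format lines.  Assumption: the scan settings send
# a recognizable User-Agent (the made-up token "WI-Scan/demo") so scanner
# traffic can be separated from real users hitting the same server.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "WI-Scan/demo"
10.0.0.5 - - [12/Mar/2019:10:01:03 +0000] "GET /account/profile HTTP/1.1" 200 900 "-" "WI-Scan/demo"
10.0.0.5 - - [12/Mar/2019:10:01:04 +0000] "GET /orders?id=42'%20OR%201=1-- HTTP/1.1" 500 0 "-" "WI-Scan/demo"
10.0.0.5 - - [12/Mar/2019:10:01:05 +0000] "GET /orders?id=42 HTTP/1.1" 200 300 "-" "WI-Scan/demo"
203.0.113.9 - - [12/Mar/2019:10:01:06 +0000] "GET /api/v1/export HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""
# Constructed route inventory, as you would pull it from the application's
# router or framework, not from the scanner.
KNOWN_ROUTES = ["/", "/account/profile", "/account/ChangePassword.do",
                "/orders", "/api/v1/export", "/admin/users"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def scanner_coverage(log_text, known_routes, ua_marker, excluded=()):
    """Return {'hit': route -> scanner request count, 'missed': routes the scanner
    never requested (minus deliberate exclusions), 'errors': 5xx responses to
    scanner requests, which deserve a look before you sign off}."""
    hits = {route: 0 for route in known_routes}
    errors = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ua_marker not in m["ua"]:
            continue
        path = urlsplit(m["target"]).path.rstrip("/") or "/"
        if path in hits:
            hits[path] += 1
        if m["status"].startswith("5"):
            errors.append((m["method"], m["target"], m["status"]))
    missed = [route for route, n in hits.items() if n == 0 and route not in excluded]
    return {"hit": hits, "missed": missed, "errors": errors}


if __name__ == "__main__":
    safe, risky = triage_crawl(CRAWLED)
    for r in risky:
        print(f"EXCLUDE {r['method']} {r['url']}: {r['reason']}\n    regex: {r['exclude_regex']}")
    report = scanner_coverage(ACCESS_LOG, KNOWN_ROUTES, "WI-Scan/demo",
                              excluded={urlsplit(r["url"]).path for r in risky})
    print("never reached by the scanner:", report["missed"])
    print("5xx during audit:", report["errors"])
```

Run the triage step on the crawl-only output before you enable forms; the routes it reports as never reached after the audit are exactly the "did we test the whole application" gap the answer warns about, and a route that only a real user hit (the export endpoint above) usually means the crawler needs a login macro, a start URL, or DOM event parsing rather than a heavier policy.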


Thanks!

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.