Kerberos Auth using wi.exe and http-calls for starting a scan-routine in command-line mode.

Dear Sir or Madam;

We do testing in a manual step-mode way, since our applications are way too complex to perform automated crawl & audit routines.
We want to automate the setup of scans by allowing our test users to set up their tests on their own.
Therefore, we want to realise the following setup:

PC of Testuser --> Webserverportal (PHP-coded page constructing the call for setting up Proxy and starting Scan) --> Webinspect-Server running the API.

With regard to the Kerberos auth, the webserver is enabled to delegate the Kerberos auth,
so that the webserver hands over the Kerberos ticket on behalf of the user's PC to the WI server.
(For detailed information on Kerberos double-hop authentication,
please refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)

When a scan is needed, the user calls the webportal page, which then constructs the calls for the scanner and copies a browser to a directory.
The browser is a portable app. The portable browser is configured to use the WebInspect server as proxy. After the scan has been started, the user tests the
application in step mode and WI records all data.
We use Kerberos for authentication purposes throughout the whole system end-to-end.

I know that according to the documentation the GUI can handle Kerberos authentication, but can wi.exe or the HTTP call handle Kerberos auth?

Testing the web will be done using the GPO objects the user who performs the test is granted. The analyze routine needs to run under the user credentials of the testing user.
At the time being, I run the analyze routine with my credentials, but I am granted full access to everything since I am granted admin rights, and we want to automate this as well.

Is there more thorough documentation available for the API than that included inside the API?

Which service can I enable in my AD settings to be allowed to use Kerberos double-hop authentication?
Is the WebInspect API the right one (if I am not mistaken, the WI API acts as a service)?

Any input would be highly appreciated; thank you very much for your kind help in advance.

Kind regards,
HUBI-DUBI

1 Reply

Micro Focus Expert
Re: Kerberos Auth using wi.exe and http-calls for starting a scan-routine in command-line mode.

HUBI-DUBI;

I had inquired with our internal support team and only received the following response. I doubt this scenario is currently covered out-of-the-box in WebInspect 16.10, but you might find a workaround by taking it to Fortify Support (support.fortify.com), where you can provide full details on the communication and proxy traffic involved for your target.

<<It sounds like the issue is that they need to be able to configure the proxy that they are creating via the REST API to be able to authenticate to the webserver via Kerberos. There is currently no mechanism to configure proxy authentication via the REST API, which does seem like a good new feature to add.>>

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify