acriswell1

Looking for API documentation


Is there documentation for the WebInspect core scan engine API?


Accepted Solutions
Micro Focus Expert

Re: Looking for API documentation


The Help guide in WebInspect seems to be all the documentation.  It details the endpoints and offers some examples of using cURL to touch the API.

While article Tags are not in heavy use yet, the Tag "webinspect_api" may help locate other discussions on this Protect724 site:  https://protect724.hp.com/tags#/?tags=webinspect api

Here is the Help copy taken from WebInspect 10.30.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WebInspect API

This topic provides information on the WebInspect API.

About the WebInspect API

The WebInspect API provides an interface between your systems and WebInspect. It runs as a lightweight Windows service (WebInspect API) that is installed automatically when you install WebInspect. You configure, start, and stop the service using the HP Fortify Monitor tool. You can use the WebInspect API to add security audit capabilities to your existing automation scripts.

WebInspect API provides a RESTful interface for remotely controlling the proxy and scanner.

Configuring the WebInspect API

Before you can use the WebInspect API, you must configure it.

  1. From the Windows Start menu, click All Programs > HP > HP WebInspect > HP Fortify Monitor. The HP Fortify Monitor icon appears in the system tray.
  2. Right-click the HP Fortify Monitor icon.
  3. From the right-click menu, select Configure WebInspect API. The Configure WebInspect API dialog box appears.
  4. Configure the API Server settings:
     Host: Both WebInspect and the WebInspect API must reside on the same machine. The default setting, +, is a wild card that tells the WebInspect API to intercept all requests on the port identified in the Port field. If you have another service running on the same port and want to define a specific hostname just for the API service, this value can be changed.
     Port: Use the provided value or change it using the up/down arrows to an available port number.
     Authentication: Choose None, Windows, or Basic from the Authentication drop-down selector. If you chose Basic as the authentication type, you will need to provide user name(s) and password(s). Click the Edit access tokens button and select a text editor. The wircserver.keys file will open in the text editor. Add a username and password, separated by a colon, for each user to be authenticated. There should be only one username and password per line. Save the file.
     Log Level: Choose the level of log information you want to collect.
     Use HTTP: Select this checkbox if you want to access the server over an HTTPS connection. To run the server over HTTPS, you will need to create a server certificate and bind it to the API service using the following command:
       netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint> appid={160e1003-0b46-47c2-a2bc-01ea1e49b9dc}
  5. Use the provided Listener Address in the Proxy Service Configuration section, or change it to the network address of the API server.
  6. Click the Start button to start the WebInspect API service.

About Automating WebInspect

You can use the WebInspect API to add WebInspect to your existing automation scripts. As long as the user agent can access the Service Router, the scripts can live in an entirely different environment from WebInspect.

About the WebInspect API Service Providers

The WebInspect API comes with two service providers: Proxy and Scanner.

Proxy

The proxy service provider provides a control mechanism for the proxies in use.

Method  URI  Path params  Request params  Description

DELETE /webinspect/proxy/<instanceID>
  Path params: instanceID (required)
  Request params: None
  Description: Completely deletes a proxy instance and any data it contains. Any subsequent GET to that instanceID will return a 404.

GET /webinspect/proxy/
  Path params: None
  Request params: None
  Description: Retrieves the list of all running proxies.

GET /webinspect/proxy/<instanceID>.<extension>
  Path params: instanceID (required); extension (required) -- valid values for extension are psf, webmacro, and xml.
  Request params: None
  Description: Gets the proxy results in the format specified by the extension. For example, a request for /12345.psf will get the proxy results in psf format.

GET /webinspect/proxy/<instanceID>
  Path params: instanceID (required)
  Request params: None
  Description: Gets host and port for a specific instance.

POST /webinspect/proxy/
  Path params: None
  Request params: instanceID (optional) -- user can specify an instanceID, or the system will generate one if blank; port (optional) -- user can specify
  Description: Creates a new proxy instance. Returns instanceID, port, and proxy IP address.

PUT /webinspect/proxy/<instanceID>
  Path params: instanceID (required) -- instanceID to be updated
  Request params: action (required)
  Description: action=reset will clear the proxy traffic without deleting the proxy instance.

PUT /webinspect/proxy/<instanceID>.<extension>
  Path params: instanceID (required); extension (required) -- valid values for extension are psf, webmacro, and xml.
  Request params: action (required)
  Description: action=save will save the proxy results to the WebInspect settings directory on the server. This saves the round trip of having to download the proxy results and then reupload them.

Scanner

The scanner service provider allows remote access to start, stop, and query scans. The following RESTful API covers all v1.0 supported functionality:

Method  URI  Path params  Request params  Description

GET /webinspect/scanner/settings/
  Path params: None
  Request params: None
  Description: Gets a list of scan settings file names from WebInspect's default scan settings directory.
  Note: All settings must be in this directory to be used with the remote scanner.

GET /webinspect/scanner/scans/
  Path params: None
  Request params: query (optional) -- a JSON serialized list of constraints for scans to be returned. Accepted values are: Name, Status, StartsAfter, and EndsBefore. All query terms are ANDed together.
  Description: Gets a list of known scan information in JSON with the following fields for each scan: ID (as GUID), Name, StartTime and Status. These results can be filtered by sending the optional "query" parameter.
  Note: Currently, if you are using SQL Express to store your scans, only scans created with the WebInspect API will be returned.

GET /webinspect/scanner/<scanId>
  Path params: scanId: The ID of the scan represented as a GUID.
  Request params: action -- WaitForStatusChange will block until the status of the scan changes; GetCurrentStatus will immediately return the current scan status.
  Description: Retrieves the status of the specified scan. A request with action waitforstatuschange will block until the status of the scan changes (i.e. waiting for a scan to stop). If the scan has already been stopped, the request will return immediately. A request with action getcurrentstatus returns the current status of the scan. The scan status is returned in the body of the response.

GET /webinspect/scanner/<scanId>.scan
  Path params: scanId: The ID of the scan represented as a GUID.
  Request params: None
  Description: Exports the specified scan. Returns a binary scan file in the body of the response.
  Note: Currently only scans created via the WebInspect API will have the scan logs exported along with them. Scans not created via the API can be exported via the API, but the scan logs will be absent.

GET /webinspect/scanner/<scanId>.details
  Path params: scanId: The ID of the scan represented as a GUID.
  Request params: detailType: The type of scan detail to export. Currently supported detail types: Full, Comments, HiddenFields, Script, SetCookies, WebForms, Urls, Requests, Sessions, Emails, Parameters, OffsiteLinks, Vulnerabilities.
  Description: Exports the 'detail' of the specified scan in XML format. The 'detail' of a scan consists of individual parts of a scan (i.e. a list of the URLs discovered, or a list of the emails found).

GET /webinspect/scanner/policies
  Path params: None
  Request params: None
  Description: Returns a list of policy names and IDs.

POST /webinspect/scanner/
  Path params: None
  Request params:
    settingsName -- The name (lacking ext) of the settings file to use. The named file is expected to have the .xml extension and is expected to be in the default WebInspect settings directory.
    overrides (optional) -- A JSON serialized list of settings overrides to be applied to the scan settings selected. The following settings overrides are supported:
      ScanName -- The name of the scan.
      StartURL -- The URL of the site to scan.
      CrawlAuditMode -- Accepted values are auditonly, crawlonly, and crawlandaudit.
      StartOption -- Accepted values are macro and URL. If using the macro start option you can supply a workflow macro.
      LoginMacro -- The name of the macro. Macro files are currently looked for in the scan settings directory. All hosts in the given macro will be added to allowed hosts.
      WorkflowMacros -- A list of workflow macro file names for use within the scan. StartOption should be set to macro.
      AllowedHosts -- A list of host names allowed to be scanned.
      PolicyID -- The ID of the policy to use for the audit.
      ScanScope -- A folder restriction rule. Accepted values are unrestricted, self, children, and ancestors.
      ScopedPaths -- For use in conjunction with the ScanScope value children. This is a whitelist of child folders that are allowed to be scanned.
  Description: Creates a new scan with settings referred to by the provided settings file name. The scan will be started.
  Note: The HTTP request will be blocked until after the scan has been started and the scan ID (represented as a GUID) is returned in the response body.

PUT /webinspect/scanner/<scanId>
  Path params: scanId: The ID of the scan represented as a GUID.
  Request params: action: The action to take on a particular scan. Currently supported actions: Stop: Stops the currently running scan. Continue: Continues a previously paused or interrupted scan.
  Description: Performs the specified action on the specified scan (i.e. stops the scan with ID of scanId).

PUT /webinspect/scanner/settings
  Path params: None
  Request params: None
  Description: Send the raw file contents in the request body.

PUT /webinspect/scanner/<scanId>
  Path params: scanId: The ID of the scan represented as a GUID.
  Request params: The API expects an array of JSON objects with the following format:
    host: string
    port: number
    protocol: string (usually http or https)
    requestBase64: string (base64 encoded request data, including headers and body)
    responseBase64: string (base64 encoded response data, including headers and body)
    issues: array of objects with the following format (or null to indicate no vulnerabilities):
      name: string (the issue name)
      severity: number (0=None, 1=Low, 2=Medium, 3=High, 4=Critical)
      probability: number (0=None, 1=Low, 2=Possible, 3=Certain, 4=Confirmed)
      summary: string (report information)
      execution: string (report information)
      fix: string (report information)
      referenceInfo: string (report information)
  Description: Add a new session (or sessions) to the scan with an optional list of issues.

Example Proxy Automation Script Using cURL

The following script is an example Proxy Server automation script.

#!/bin/bash
#example automation script using curl to drive webinspect's proxy
API_SCHEME="http"
API_HOST="10.10.203.20"
API_PORT="80"
API_ENDPOINT="$API_SCHEME://$API_HOST:$API_PORT/webinspect/proxy"
echo "$API_ENDPOINT"
#Create a new proxy with a specific id on a specific port.
#Send an empty POST body and a new proxy will be created with random instance id on first available port.
#The instance id and port are returned in the response.
curl -d "instanceId=12345&port=8123" "$API_ENDPOINT"
#Get a list of all running proxies.
curl "$API_ENDPOINT"
#Get information about a specific proxy.
curl "$API_ENDPOINT/12345"
#Send some traffic through the proxy (note that this is not the same endpoint as the WIRC command server).
curl -x http://10.10.203.20:8123 http://zero.webappsecurity.com
#Send a HEAD request (-I option) to get information about proxy capture as psf (content length is the most useful).
curl -I "$API_ENDPOINT/12345.psf"
#Get proxy capture as psf (WebInspect native proxy capture).
curl -o ./12345.psf "$API_ENDPOINT/12345.psf"
#Get proxy capture as webmacro.
curl -o ./12345.webmacro "$API_ENDPOINT/12345.webmacro"
#Get proxy capture as scan settings (scan setting is configured as an audit only workflow scan using the proxy traffic as the workflow macro).
curl -o ./12345.xml "$API_ENDPOINT/12345.xml"
#Save the proxy as a settings file to the WI machine without needing to download it locally.
curl -X PUT -d "action=save" "$API_ENDPOINT/12345.xml"
#If you want to reuse the proxy, don't do a DELETE. Instead, send PUT action=reset and its results will be cleared out and ready for a new run.
curl -X PUT -d "action=reset" "$API_ENDPOINT/12345"
#Completely shutdown the proxy (the WIRC server continues to run, these commands only affect proxy instances).
curl -X DELETE "$API_ENDPOINT/12345"

Example Scanner Automation Script Using cURL

The following script is an example Scanner automation script.

#!/bin/bash
#example automation script using curl to drive webinspect's scanner
API_SCHEME="http"
API_HOST="10.10.203.20"
API_PORT="80"
API_ENDPOINT="$API_SCHEME://$API_HOST:$API_PORT/webinspect/scanner"
#Replace <scan_id> with the GUID returned when a scan is created; kept in a variable so the URLs below are valid shell.
SCAN_ID="<scan_id>"
echo "$API_ENDPOINT"
#Get a list of scan settings
curl "$API_ENDPOINT/settings"
#Upload a settings file, it will be placed in the WebInspect settings directory as defined by your WebInspect application setting
curl -X PUT -F "file=@/local/path/to/settings.xml" "$API_ENDPOINT/settings"
#Start a scan specifying a settings file to use
curl -d "settingsName=Default" "$API_ENDPOINT"
#Start a scan specifying a settings file to use and additional overrides. Overrides are optional, you can use any or all or none.
#Full list of overrides (field names and values are case sensitive):
#ScanName - any string, does not need to be unique
#StartUrl - a valid, fully qualified url with scheme host and port (http://zero.webappsecurity.com:80)
#CrawlAuditMode - one of: CrawlOnly, AuditOnly, CrawlAndAudit
#StartOption one of: Url, Macro
#LoginMacro: name of webmacro file, this file must exist in the settings directory on the webinspect machine
#WorkflowMacros: an array of webmacro names to be used as workflow macros, these files must exist in the settings directory on the webinspect machine
#AllowedHosts: array of allowed hosts
#PolicyId: an integer representing the policy id
curl -d "settingsName=Default&overrides={\"ScanName\":\"testing\",\"StartUrl\":\"http://zero.webappsecurity.com:80\",\"CrawlAuditMode\":\"CrawlOnly\",\"StartOption\":\"Url\",\"LoginMacro\":\"test.webmacro\",\"AllowedHosts\":[\"http://zero.webappsecurity.com:80\"],\"PolicyId\":1000}" "$API_ENDPOINT"
#stop a running scan
curl -X PUT -d "action=stop" "$API_ENDPOINT/$SCAN_ID"
#continue a stopped scan
curl -X PUT -d "action=continue" "$API_ENDPOINT/$SCAN_ID"
#get a list of all scans
curl "$API_ENDPOINT/scans"
#get a list of all scans with the filter specified by "query" applied
#query is a json blob, all fields are optional
#{
# Name: <regex that will match on scan name>,
# Status: <one of: Running, NotRunning, Interrupted, Complete, Amp>,
# StartsAfter: <date>,
# EndsBefore: <date>
#}
curl -G "$API_ENDPOINT/scans" --data-urlencode "query={\"Name\":\"zero\",\"Status\":\"Complete\"}"
#get status of a specific scan (returns one of Running/NotRunning/Complete/Interrupted)
curl "$API_ENDPOINT/$SCAN_ID?action=getcurrentstatus"
#get specific scan as a WebInspect .scan file (full xml scan report)
curl "$API_ENDPOINT/$SCAN_ID.scan"
#get specific scan as .fpr file (Fortify SSC format)
curl "$API_ENDPOINT/$SCAN_ID.fpr"
#get specific scan as a WebInspect simplified export (same report as File...Export Details..Vulnerabilities from UI)
curl "$API_ENDPOINT/$SCAN_ID.details?detailType=Vulnerabilities"
#get scan settings used for specific scan
curl "$API_ENDPOINT/$SCAN_ID.settings"

WebInspect API Server Logs

If you need to troubleshoot the WebInspect API Server, you can use the Windows Event Viewer to review the WebInspect API log.

To check the status of the server, from a browser, log on to http(s)://hostname:port/webinspect.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
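As an added example (not part of the Help text or the poster's scripts), the following Python helpers compose offline the request bodies described in the tables above: the settingsName/overrides form body for POST /webinspect/scanner/, the JSON "query" filter for GET /webinspect/scanner/scans/, and the base64-encoded session array for the session-import PUT /webinspect/scanner/<scanId>. Override names follow the spelling used in the cURL script (StartUrl, PolicyId), which the script notes are case sensitive; the function names, the validation of enumerated values, and the sample request/response bytes are this example's own constructions.

```python
"""Offline helpers that compose WebInspect API request bodies (added example)."""
import base64
import json
from urllib.parse import urlencode

# Codes and enumerations exactly as the Help text and the cURL script list them.
SEVERITY = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
PROBABILITY = {"None": 0, "Low": 1, "Possible": 2, "Certain": 3, "Confirmed": 4}
CRAWL_AUDIT_MODES = {"CrawlOnly", "AuditOnly", "CrawlAndAudit"}
START_OPTIONS = {"Url", "Macro"}
SCAN_SCOPES = {"unrestricted", "self", "children", "ancestors"}
SCAN_STATUSES = {"Running", "NotRunning", "Interrupted", "Complete", "Amp"}


def build_scan_start_body(settings_name, overrides=None):
    """Form body for POST /webinspect/scanner/: settingsName plus an optional
    JSON-serialized 'overrides' field, as in the cURL example. Values are checked
    first because the API treats names and values as case sensitive."""
    if not settings_name or settings_name.lower().endswith(".xml"):
        raise ValueError("settingsName is the file name without its .xml extension")
    fields = {"settingsName": settings_name}
    if overrides:
        mode, start = overrides.get("CrawlAuditMode"), overrides.get("StartOption")
        if mode is not None and mode not in CRAWL_AUDIT_MODES:
            raise ValueError("CrawlAuditMode must be one of %s" % sorted(CRAWL_AUDIT_MODES))
        if start is not None and start not in START_OPTIONS:
            raise ValueError("StartOption must be one of %s" % sorted(START_OPTIONS))
        if overrides.get("WorkflowMacros") and start != "Macro":
            raise ValueError("WorkflowMacros requires StartOption=Macro")
        scope = overrides.get("ScanScope")
        if scope is not None and scope not in SCAN_SCOPES:
            raise ValueError("ScanScope must be one of %s" % sorted(SCAN_SCOPES))
        if overrides.get("ScopedPaths") and scope != "children":
            raise ValueError("ScopedPaths is only used with ScanScope=children")
        fields["overrides"] = json.dumps(overrides, separators=(",", ":"))
    return urlencode(fields)


def build_scans_query(name=None, status=None, starts_after=None, ends_before=None):
    """Query string for GET /webinspect/scanner/scans/; omitted terms are left out
    and the API ANDs the remaining ones together."""
    if status is not None and status not in SCAN_STATUSES:
        raise ValueError("Status must be one of %s" % sorted(SCAN_STATUSES))
    terms = {"Name": name, "Status": status, "StartsAfter": starts_after, "EndsBefore": ends_before}
    query = {k: v for k, v in terms.items() if v is not None}
    return urlencode({"query": json.dumps(query, separators=(",", ":"))})


def build_issue(name, severity, probability, summary="", execution="", fix="", reference_info=""):
    """One entry of a session's 'issues' array; severity and probability are the 0-4 codes."""
    if severity not in SEVERITY.values():
        raise ValueError("severity must be 0-4 (None, Low, Medium, High, Critical)")
    if probability not in PROBABILITY.values():
        raise ValueError("probability must be 0-4 (None, Low, Possible, Certain, Confirmed)")
    return {"name": name, "severity": severity, "probability": probability, "summary": summary,
            "execution": execution, "fix": fix, "referenceInfo": reference_info}


def build_session(host, port, protocol, raw_request, raw_response, issues=None):
    """One element of the array sent with PUT /webinspect/scanner/<scanId>. The raw
    request and response bytes (headers and body) are base64-encoded as the API
    expects; issues is a list from build_issue, or None for a clean session."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return {"host": host, "port": port, "protocol": protocol,
            "requestBase64": base64.b64encode(raw_request).decode("ascii"),
            "responseBase64": base64.b64encode(raw_response).decode("ascii"),
            "issues": issues}


def build_sessions_payload(sessions):
    """Serialize the session array as the body of the session-import PUT."""
    return json.dumps(sessions)


if __name__ == "__main__":
    # Constructed sample traffic and finding, not a real capture.
    req = b"GET /login HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    finding = build_issue("Sample finding (constructed)", SEVERITY["Low"], PROBABILITY["Confirmed"],
                          summary="Placeholder summary for the imported session")
    print(build_scan_start_body("Default", {"ScanName": "testing",
                                            "StartUrl": "http://zero.webappsecurity.com:80",
                                            "CrawlAuditMode": "CrawlOnly", "StartOption": "Url",
                                            "PolicyId": 1000}))
    print(build_scans_query(name="zero", status="Complete"))
    print(build_sessions_payload([build_session("app.example.test", 443, "https", req, resp, [finding])]))
```

The returned strings are what curl -d (form body) and curl -G --data-urlencode (query string) would send in the scripts above; the session payload goes in the body of the PUT. Enforcing the enumerated values client-side matters because the API compares them case-sensitively, so a misspelt CrawlAuditMode or PolicyId would otherwise be discovered only after the scan has already been created.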
Micro Focus Expert

Re: Looking for API documentation


Much of this information has changed and been expanded upon since the first post. Today (WebInspect currently at 17.10), the majority of the configuration and use documentation is stored within the API itself, Swagger-based. The user needs to configure and run the WebInspect API, and then browse to it at http://localhost:8083/webinspect/API. Samples are provided as well.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify