probey

Manual scan cannot reach https environment

I started a manual scan on an https environment, but once IE was launched, I immediately got a 404 page not found error. Manually entering the URL again didn't work. I launched another IE, tried the URL and it worked. I also tried the login macro, and it worked perfectly in playback mode.

All tests I have performed indicated that the IE launched by WebInspect cannot work with an https URL. What's the difference between the IE window launched by WebInspect and the IE window that I manually launched?

Has anyone had this issue before? And how did you guys work around it?

Thanks,

Barry

Micro Focus Expert

Re: Manual scan cannot reach https environment

When starting WebInspect's Manual Step-Mode, what occurs is that we spawn a hidden instance of Web Proxy on a dynamic port and spawn an instance of IE auto-configured to utilize that localhost proxy port.  It also assumes that the proxy settings from WebInspect's Default Scan Settings are to be used for any network proxy connection outbound.  If you have not configured the proxy settings in WebInspect beforehand, that could cause this issue.  Additionally, if the network proxy requires explicit settings and/or NTLM credentials, you must configure those in WebInspect's scan settings rather than leave it at the default proxy setting of "Use IE settings".  Additionally, some machines have protective systems that take affront to this real-time action of directly hooking into IE (it is similar to some virus activity) and they then reverse the proxy setting in real-time.

 

To begin with, verify the proxy settings used in WebInspect with some short automated scans, perhaps of our demo server http://zero.webappsecurity.com.  Once those work, retry the Step-Mode.

 

If Step-Mode is still causing you trouble, take IE out of the mix.  Go into WebInspect's Application Settings and alter the Step-Mode setting from using a dynamic port to using a specific port, e.g. 8081.  Now when you launch Step-Mode you will know exactly which port the WebInspect listener is on, e.g. 127.0.0.1:8081.  Leave the spawned IE window open or minimized, and open an alternative browser that you manually configured for that specified localhost port.  When successful, you should see pages browsed in your alternative browser appearing inside the WebInspect UI > Site Tree pane.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
BYH

Re: Manual scan cannot reach https environment

Hi Barry,

I am having the same problem that you described on 10/26/12.  Did you find a resolution?

probey

Re: Manual scan cannot reach https environment

Hi BYH,

I tried the solution suggested by Hans: have WebInspect set to use IE proxy. Now when step mode is launched, I can see the application login page (https URL used).

However, WebInspect is still not recording anything. I also tried setting the Firefox proxy to 127.0.0.1:8081 and found that navigation of the same application done under Firefox is recorded. Not everything was recorded, but at least I have something.

With the current results that I have, I can't help but think that the problem might be on the IE side, that's something I am trying to find out.
BYH

Re: Manual scan cannot reach https environment

Thanks Probey.  Hopefully one of us will find a resolution soon.

zrick

Re: Manual scan cannot reach https environment

For issues with manual scans of HTTPS sites, check your system for Microsoft patch KB2661254 or KB2661254-v2. These patches enforce 1024-bit certificates. Uninstall the patch, restart the machine, and try your manual scan again. You should have success.

BYH

Re: Manual scan cannot reach https environment

Yes, I learned of this resolution late last week and have tested that it does fix the manual scan.  Thanks.

Micro Focus Expert

Re: Manual scan cannot reach https environment

I recently heard the same advice from HP Fortify Support. The trouble is that the Web Proxy utilizes our "SPI cert" and it does not meet the minimum 1024-bit RSA certificate length dictated by that Microsoft KB. This means that Manual Mode, the WMR tool, and other WI tools that may use the Web Proxy technology can be affected when dealing with HTTPS sites.

The current workaround is to remove that KB. Plans are in the works to replace the SPI cert in the product with a longer one (2048-bit?) so that this KB will not affect you further.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
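
A diagnostic for the cause identified in the replies above, added here as an example; it is not part of the original thread and is not WebInspect or Micro Focus code. It checks whether KB2661254 is installed and reports the RSA key length of the certificate that the Step-Mode proxy presents. It assumes the fixed listener 127.0.0.1:8081 from the earlier reply; `Get-ProxyCertKeySize` is a hypothetical helper name and `app.example.test` is a placeholder host.

```powershell
# Added diagnostic (not WebInspect or Micro Focus code). Run on the WebInspect machine
# while Step-Mode is listening on the fixed port from the reply above (127.0.0.1:8081).
$MinBits = 1024   # minimum RSA key length the thread attributes to KB2661254

# 1. Is the patch installed? The wildcard matches both KB2661254 and KB2661254-v2.
$patch = Get-HotFix | Where-Object { $_.HotFixID -like 'KB2661254*' }
if ($patch) { "KB2661254 is installed" } else { "KB2661254 not found" }

# 2. Read the certificate the local proxy presents for an HTTPS host (RSA keys only).
#    Get-ProxyCertKeySize is a hypothetical helper name chosen for this example.
function Get-ProxyCertKeySize {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [int]$TargetPort = 443,
        [string]$ProxyHost = '127.0.0.1',
        [int]$ProxyPort = 8081
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    try {
        $net = $tcp.GetStream()
        $line = "CONNECT ${TargetHost}:${TargetPort} HTTP/1.1`r`nHost: ${TargetHost}:${TargetPort}`r`n`r`n"
        $bytes = [Text.Encoding]::ASCII.GetBytes($line)
        $net.Write($bytes, 0, $bytes.Length)

        # Read the proxy's reply byte by byte up to the blank line that ends its headers.
        $reply = New-Object System.Text.StringBuilder
        while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
            $b = $net.ReadByte()
            if ($b -lt 0) { throw 'Proxy closed the connection during CONNECT' }
            [void]$reply.Append([char]$b)
        }
        if ($reply.ToString() -notmatch '^HTTP/1\.[01] 200') { throw "CONNECT failed: $reply" }

        # Accept whatever certificate is offered: the handshake is only used to inspect it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $bits = $cert.PublicKey.Key.KeySize
        New-Object psobject -Property @{
            Subject = $cert.Subject; Issuer = $cert.Issuer
            KeyBits = $bits; BelowMinimum = ($bits -lt $MinBits)
        }
    } finally { $tcp.Close() }
}

# Example call; 'app.example.test' is a placeholder for the HTTPS site being scanned.
# Get-ProxyCertKeySize -TargetHost 'app.example.test'
```

The function reports only the certificate the proxy presents for the host, so a short key on an issuing certificate further up the chain would need to be checked separately.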