
Salesforce Webinspect Scan

Is it possible to scan a Salesforce web application with Webinspect? Is there a particular way the scan should be set up or is it the same as a normal scan?

The potential issue with such an application is the massive redundancy. 

The WebInspect scan settings include a "perform redundant page detection" option which is disabled by default so definitely check that, however the logic behind that may not be able to sufficiently tell whether the content of one post or contact details or what have you is essentially the same as another, so your best option in a case like this would be to first run a crawl only to map the attack surface - basically see what's what. 

Take a look at what you get - and you may need to stop the scan if it seems the crawler is running down a black hole somewhere - and build exclusions to tell WebInspect what to skip on your next iteration (which must be a new scan, btw, not a continuation of the current scan).  Another thing to look for is whether the application responds with a 200 to requests for non-existent pages, in which case you will definitely wish to craft a custom File Not Found signature to allow WebInspect to detect them at scan time.

It's an iterative process that will take some time and effort to complete, but the results in terms of performance of the final scan will be worthwhile.
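A small offline check for the "200 for non-existent pages" case raised in the reply, added here as an illustration (not code from the thread, from Salesforce, or from WebInspect): it probes random paths, reports whether the application hides missing pages behind a success status, and proposes text for a custom File Not Found signature. The fetcher and page bodies are constructed stand-ins; in practice the fetch function would wrap a real HTTP client.

```python
import difflib
import random
import re
import string
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # returns (status code, body)

# Constructed sample application (hypothetical data): only /contacts is real;
# every other path answers HTTP 200 with a generic error page, i.e. a soft 404.
REAL_PAGE = "<html><title>Contacts</title><body><h1>Contact list</h1></body></html>"
SOFT_404_BODY = ("<html><title>Error</title><body><div class='error'>"
                 "Sorry, that page does not exist.</div><a href='/'>Home</a></body></html>")

def fake_fetch(path: str) -> Tuple[int, str]:
    """Stand-in for an HTTP client so the example runs offline."""
    return (200, REAL_PAGE) if path == "/contacts" else (200, SOFT_404_BODY)

def random_path(length: int = 12) -> str:
    """A path that cannot plausibly exist on the target."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choices(alphabet, k=length))

def longest_common(a: str, b: str) -> str:
    """Longest substring shared by two response bodies."""
    m = difflib.SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def detect_soft_404(fetch: Fetch, known_good: str, probes: int = 3) -> Dict[str, object]:
    """Probe several non-existent paths. If all come back 200 the scanner cannot rely
    on status codes; propose a signature from text the error bodies share but a
    real page lacks."""
    bodies: List[str] = []
    statuses = set()
    for _ in range(probes):
        status, body = fetch(random_path())
        statuses.add(status)
        bodies.append(body)
    if statuses != {200}:
        return {"soft_404": False, "statuses": sorted(statuses), "signature": None}
    shared = bodies[0]
    for body in bodies[1:]:
        shared = longest_common(shared, body)
    _, good_body = fetch(known_good)
    # Visible text fragments of the shared error markup that the real page does not contain.
    fragments = [t.strip() for t in re.split(r"<[^>]+>", shared) if t.strip()]
    candidates = [t for t in fragments if t not in good_body]
    signature: Optional[str] = max(candidates, key=len) if candidates else None
    return {"soft_404": True, "statuses": [200], "signature": signature}

if __name__ == "__main__":
    print(detect_soft_404(fake_fetch, "/contacts"))
```

Run it against a few known-good pages, not just one, before trusting the proposed signature, since a phrase that also appears on a legitimate page would make the scanner skip real content.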
