goldfish Trusted Contributor.
2100 views

Scan json using Webinspect 18.10


Please suggest the process or steps for performing a JSON API scan using WebInspect 18.10.

Accepted Solutions
Micro Focus Expert

Re: Scan json using Webinspect 18.10


You would use the included WISwag.exe CLI tool to preview all of the JSON endpoints, and output a WebInspect saved scan settings file (XML).  This tool can be run against a hosted JSON file or a JSON file on your hard drive.  The resulting XML file would then be used as the scan settings used in either a Guided Scan Wizard or a Basic Scan Wizard, and it would run a Workflow-driven scan.

WISwag should be included in your WebInspect installation folder, but you can also download it from the Fortify Marketplace and install a separate copy elsewhere on your machine.  WISwag is also available as an endpoint in the WebInspect API, in case you wanted to add this step into an automation script.

C:\CLI\WISwag 18.1>wiswag -?
[ASCII-art "WISwag" banner]
The WebInspect Simple Web API Grokking tool

Command line arguments (default values are in [brackets]):
  -i|-input (required) []
      Either the URL or file location of a supported REST API definition (currently supported: Swagger v2, OData v1-v4)
      OR a configuration file with the following example structure:
      {
        apiDefinition : 'http://petstore.swagger.io/v2/swagger.json', /* can also be a local file (ex. C:/myapi.json) */
        host : 'localhost:8080', /* replace the host in every generated request */
        schemes : ['https', 'http'], /* generate output for both of these schemes */
        servicePath : '/', /* specify the base path of the API */
        preferredContentType : 'application/json', /* if given a choice, prefer json */
        excludeOperations : [ 'logoutUser', 'deleteUser' ], /* generate no output for these operations */
        parameterRules :
        [
          {
            name : 'userId',
            value : 42,
            location : 'path',
            type : 'number',
            includeOperations : ['createNewUser', 'getUser'] /* only apply this rule to these operations */
          },
          {
            name : 'file',
            value : 'my file payload',
            filename : 'myfile.txt',
            location : 'body',
            type : 'file'
          },
          {
            name : 'Authorization',
            value : 'Basic QWxhZGRpbjpPcGVuU2VzYW1l',
            location : 'header',
            inject : true /* add this header to every generated request */
          }
        ]
      }

      Where
        'apiDefinition' Required.
            The URL or file location of a supported REST API definition (currently supported: Swagger v2).

        'host' Optional.
            Overrides the host in the REST API definition (ex. localhost:8080).

        'schemes' Optional.
            An array of schemes (ex. ['http','https']). Overrides the schemes defined in the REST API definition.
            If defined, a series of requests will be generated for each scheme.
            Otherwise, a series of requests will only be generated for the first scheme listed in the REST API definition.

        'preferredContentType' Optional.
            Sets the preferred content type of the request payload.
            If preferredContentType is in the list of supported content types for an operation, the generated request payload will be of that type.
            Otherwise, the first content type listed in an operation will be used.

        'excludeOperations' Optional.
            An array of operation IDs (ex. [ 'operation1', 'operation2', 'operationN' ]).
            Defines a black-list of operation IDs that should be excluded from the output.

        'includeOperations' Optional.
            An array of operation IDs (ex. [ 'operation1', 'operation2', 'operationN' ]).
            Defines a white-list of operation IDs that should be included in the output.

        'excludeHTTPMethods' Optional.
            An array of HTTP methods (ex. [ 'PUT', 'DELETE' ]).
            Defines a black-list of HTTP methods that should be excluded from the output.

        'parameterRules' Optional.
            An array of objects with the following structure:
            {
              'name' Required.
                  The parameter name to match.

              'value' Required.
                  The parameter value to substitute or inject.

              'location' Optional.
                  One of ('body', 'header', 'path', 'query', 'any'), default 'any'.
                  The parameter location to match (any will match all locations).

              'type' Optional.
                  One of ('number', 'boolean', 'string', 'file', 'date', 'any'), default 'any'.
                  The parameter type to match (any will match all types).

              'filename' Optional and type specific.
                  The 'filename' property is only used if the 'type' property is 'file'.
                  The value of the 'filename' property is used to replace the filename attribute of a multipart/form file entry that matches this rule.

              'inject' Optional.
                  One of (true, false), default false.
                  If false, only replace parameter values that match the specified name, location and type.
                  If true, inject the parameter in the specified location regardless of whether a matching name or type is found.

              'base64Decode' Optional.
                  One of (true, false), default false.
                  If true, 'value' is assumed to be base64 encoded binary data and will be decoded into a byte array when inserted into a generated HTTP request.

              'includeOperations' Optional.
                  An array of operation IDs (ex. [ 'operation1', 'operation2', 'operationN' ]).
                  If specified, ONLY apply this rule to the operation IDs in the list.

              'excludeOperations' Optional.
                  An array of operation IDs (ex. [ 'operation1', 'operation2', 'operationN' ]).
                  If specified, DO NOT apply this rule to the operation IDs in the list.
            }

  -ice|-ignoreCertErr (optional) [False]
      Ignore SSL/TLS certificate validation errors (often caused by self-signed certificates). The default is false.

  -it|-inputType (optional) []
      Specify the type of input. Valid values are swagger or odata

  -h|-httpOutput (optional) []
      Generate a series of HTTP requests to the specified file. This can be useful for debugging.

  -c|-cprOutput (optional) []
      Generate custom parameter rules to the specified file. This can be useful for debugging.

  -m|-wmOutput (optional) []
      Generate WebInspect macro to the specified file. This can be useful for debugging.

  -a|-apiOutput (optional) []
      Generate information about the parsed API definition. This can be useful for debugging.

  -s|-wiOutput (optional) []
      Generate WebInspect settings to the specified file (audit only with embedded workflow and custom parameter rules derived from the API definition). The API definition along with any configuration overrides are added to the settings file. This is the recommended option when scanning a REST API.

  -? (optional) [False]
      Displays this help information.

  -ma|-metadataAuth (optional) [False]
      Apply the auth header to the metadata request as supplied in the parameter override rules.

C:\CLI\WISwag 18.1>


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
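The procedure in the accepted answer, as an added worked example (this is not code from the post above or from the WISwag tool): a script that builds a WISwag configuration in the structure shown by "wiswag -?", validates it against the documented field rules, and assembles the command line that writes the WebInspect settings XML with -s. The petstore URL, "localhost:8080" host and the operation IDs "logoutUser", "deleteUser" and "userId" are the placeholders from the help text; the API_TOKEN environment variable, the file names and the assumption that WISwag accepts strict JSON for the config file (the help shows a looser JavaScript-object syntax with comments) are assumptions of this example.

```python
"""Generate a WISwag configuration and command line for a JSON (Swagger v2) API scan.

Added example, not code from the original post or from the WISwag tool.
Assumptions: 'wiswag' is on PATH (the run is skipped if it is not), the config
file may be strict JSON (the help text shows a looser JavaScript-object syntax
with comments), and the operation IDs and URLs below are placeholders.
"""
import json
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

# Allowed values for parameter rules, as listed in 'wiswag -?'.
RULE_LOCATIONS = {"body", "header", "path", "query", "any"}
RULE_TYPES = {"number", "boolean", "string", "file", "date", "any"}
# Placeholder operation IDs that would invalidate the session or destroy test data.
DESTRUCTIVE_OPERATIONS = ["logoutUser", "deleteUser"]


def validate_config(config: Dict) -> List[str]:
    """Check a config against the field rules documented in the help text."""
    problems = []
    if not config.get("apiDefinition"):
        problems.append("apiDefinition is required")
    for i, rule in enumerate(config.get("parameterRules", [])):
        if "name" not in rule or "value" not in rule:
            problems.append(f"rule {i}: name and value are required")
        if rule.get("location", "any") not in RULE_LOCATIONS:
            problems.append(f"rule {i}: bad location {rule.get('location')!r}")
        if rule.get("type", "any") not in RULE_TYPES:
            problems.append(f"rule {i}: bad type {rule.get('type')!r}")
        if "filename" in rule and rule.get("type") != "file":
            problems.append(f"rule {i}: filename only applies when type is 'file'")
    return problems


def build_wiswag_config(api_definition: str, host: str, auth_header_value: str,
                        exclude_operations: Optional[List[str]] = None) -> Dict:
    """Return the configuration structure shown in 'wiswag -?' for a test host."""
    if not auth_header_value.strip():
        raise ValueError("pass the Authorization value in; never hardcode it in the config")
    config = {
        "apiDefinition": api_definition,
        "host": host,                          # the test instance, never production
        "schemes": ["https"],
        "preferredContentType": "application/json",
        "excludeOperations": list(exclude_operations or DESTRUCTIVE_OPERATIONS),
        "parameterRules": [
            {   # inject: true adds the header to every generated request, so
                # WebInspect audits the API as an authenticated caller.
                "name": "Authorization", "value": auth_header_value,
                "location": "header", "inject": True,
            },
            {   # substitute a real id so path-based operations do not all 404
                "name": "userId", "value": 42, "location": "path", "type": "number",
            },
        ],
    }
    problems = validate_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    return config


def build_wiswag_argv(config_path: str, settings_out: str,
                      http_preview: Optional[str] = None,
                      ignore_cert_errors: bool = False,
                      metadata_auth: bool = False) -> List[str]:
    """Assemble the command line from the flags listed in 'wiswag -?'."""
    argv = ["wiswag", "-i", config_path, "-s", settings_out]
    if http_preview:
        argv += ["-h", http_preview]   # dump the generated requests to review before scanning
    if ignore_cert_errors:
        argv.append("-ice")            # only for a lab target with a self-signed cert
    if metadata_auth:
        argv.append("-ma")             # also send the auth header when fetching the definition
    return argv


def main() -> None:
    # The token comes from the environment and the config is written to a temp
    # directory, so the credential is not committed next to the scan settings.
    token = os.environ.get("API_TOKEN", "")
    if not token:
        print("set API_TOKEN to the test account's token first")
        return
    with tempfile.TemporaryDirectory() as workdir:
        config = build_wiswag_config("http://petstore.swagger.io/v2/swagger.json",
                                     "localhost:8080", "Bearer " + token)
        cfg_path = os.path.join(workdir, "wiswag-config.json")
        with open(cfg_path, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
        argv = build_wiswag_argv(cfg_path, "api-settings.xml", http_preview="preview.http")
        print(" ".join(argv))
        if shutil.which("wiswag"):
            subprocess.run(argv, check=True)   # then load api-settings.xml in the scan wizard
        else:
            print("wiswag not found on PATH; command shown above")


if __name__ == "__main__":
    main()
```

Review preview.http before starting the scan: it shows exactly which requests the workflow will replay, so any destructive operation that slipped past excludeOperations is visible before it runs against the target. Note also that the help text says the API definition and configuration overrides are embedded in the settings file written by -s, so api-settings.xml contains the injected Authorization value and should be stored and shared like a credential, not like an ordinary scan template.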