Scanning an application using STRUTS 1
There is an application that is using STRUTS 1. While reviewing the Apache Struts policy I noticed a lot of STRUTS 2 vulnerabilities, but not much for STRUTS 1. I'm going to assume I'll need to write a custom policy for any STRUTS 1 vulnerabilities, of which there are 5. What signatures do you suggest I should add to the existing Struts Apache policy to include the STRUTS 1 vulnerabilities?
You could open a copy of the Standard Policy with the Policy Manager and enable any checks that have "struts" in their Name, using the Search feature.
There are also the Custom Checks (wizard, simple checks) and the Custom Agents features to manually augment the attack policy with your own checks.
Be aware that for Custom Agents you will need to take the SDK extension (vsix) from the WebInspect folders and install it in Visual Studio 2017. Your VS developer will then have access to Samples, and once they have your desired attack functioning, you can push it into WebInspect per the SDK extension documentation.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify