Mark_Egloff (Respected Contributor)

Use Webinspect directly as a proxy to record URLs which can later be attacked?

Is there a DIRECT way to use Webinspect (similar to Burp or ZAP) to act as a proxy which first simply records all the URLs in a sequence, which can later be attacked or audited?

Reason: we have quite a few tests / workflows already written in Selenium and other tools which we don't want to import into Webinspect as web macros. We don't want to maintain these twice in different places with different tools.

Micro Focus Expert

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

Yes, WebInspect includes a Web Proxy that allows you to capture a sequence and then save it as a Macro, against which you can then run an audit.

You have other options as well:

  • List-Driven Scan, where you can perform a scan using a list of URLs
  • Workflow-Driven Scan, where you can record a macro to navigate the site or application.

Since you mentioned Burp, we also integrate with Burp, or you can add Burp Proxy results. If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a Workflow macro, reducing the time it would otherwise take to rescan the same areas.

To add Burp Proxy results to a workflow macro:

  1. If you are not on the Workflows screen, click on the Manage Workflows step in the Guided Scan tree.
  2. Click the Import button.
    The Import Macro file selector appears.
  3. Change the file type box filter from Web Macro (*.webmacro) to Burp Proxy (*.*).
  4. Navigate to your Burp Proxy files and select the desired file.
  5. Click Open.
Mark_Egloff (Respected Contributor)

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

Thank you, this means I always need to first convert it to a "Macro"; there is no direct proxy recording support?

regards
Mark

Micro Focus Expert

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

If you want direct-direct, use the Manual Step-mode (not mom) scan found in the Basic Scan Wizard. It will spawn a dynamic listener port and either MSIE or Firefox. For optimal scripting use, you will likely want to force that to use a known listener port in advance, found under the Edit menu > Application Settings > Step-mode panel. In the past you had to leave the spawned browser open to keep the listener port open, but maybe not with these WebInspect releases. Still, I would just minimize that browser rather than close it. Now that the listener is open, you can run anything through WebInspect, and it is shown in the Site Tree. You can re-use this capture with the various Rescan options later. The Workflow Macro option described earlier is best for repeated tests, and to ensure full coverage, but Manual Step-Mode might offer what you want here.

There is also the Proxy endpoint within the WebInspect API, or the Standalone Web Proxy API tool, but you already indicated you did not want to record Workflow Macros. These endpoints are often used by functional test scripts in the following manner.

  1. Start test script
  2. Script calls Proxy endpoint to open a listener
  3. Script runs tests through proxy
  4. Script directs Proxy to save captured data to Macro
  5. Script kills Proxy
  6. Script calls New Scan endpoint > runs a Workflow-driven scan with the traffic that was just captured.

Using a script name as a variable, you could use that name for the Proxy listener, the saved Workflow Macro, the scan's name, and also any scan export you trigger later.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
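The six-step sequence above, written out as an added example (not code from the thread or from Micro Focus): one script name drives the proxy instance, the macro and the scan name, and the listener is always released even if the functional tests fail. The endpoint paths, JSON field names and the `X-Api-Key` header are assumptions; confirm them against the Swagger page of your WebInspect API installation.

```python
# Added example: orchestrate WebInspect's proxy -> macro -> workflow scan sequence from a test script.
# Endpoint paths, request fields and the API-key header are ASSUMPTIONS, not verified product API.
import json
import urllib.request


class WebInspectClient:
    """Minimal REST client. `transport(method, url, body) -> dict` is injectable so the
    orchestration logic can be exercised offline with a fake transport."""

    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport or self._http

    def _http(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Content-Type": "application/json",
            "X-Api-Key": self.api_key,   # assumed header name
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def call(self, method, path, body=None):
        return self.transport(method, f"{self.base_url}{path}", body)


def capture_and_scan(client, script_name, run_tests, port=8085):
    """Steps 2-6: open listener, run tests through it, save macro, kill proxy, start scan.

    `run_tests(proxy_url)` is the caller's functional test (e.g. Selenium configured to use
    the proxy). The script name is reused for the listener, the macro and the scan.
    Returns the scan id reported by the scanner (field name assumed)."""
    instance = script_name
    macro = f"{script_name}.webmacro"
    client.call("POST", "/webinspect/proxy", {"instanceId": instance, "port": port})
    try:
        run_tests(f"http://127.0.0.1:{port}")
        client.call("PUT", f"/webinspect/proxy/{instance}.webmacro", {"name": macro})
    finally:
        # Always release the listener, even when the tests or the macro save fail,
        # so a broken pipeline run does not leave a proxy port open on the scanner host.
        client.call("DELETE", f"/webinspect/proxy/{instance}")
    settings = {"settingsName": "Default", "overrides": {
        "scanName": script_name, "startOption": "workflow", "workflowMacros": [macro]}}
    return client.call("POST", "/webinspect/scanner/scans", settings).get("ScanId")
```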
KSKrug (Trusted Contributor)

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

Hans,

Is there any plan for WebInspect Enterprise to support manual scanning mode in upcoming releases?

Micro Focus Expert

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

No, WebInspect Enterprise deals with remote users and remote scanners, so it would be prohibitive to spawn proxies on those endpoints. The Standalone WebInspect Toolkit provides a Web Proxy UI, the WIE Console (thick client) also provides a Web Proxy UI, and the new Standalone Web Proxy API Tool provides a free alternative your team might be able to use, or they could use Burp for their Workflow Macro recordings.

Some customers use both the WI API and the WIE API to feed their CI pipelines; here is how:

  1. Use WI API to run Proxy endpoint and capture traffic as Macro.
  2. Use WI API to issue new Workflow-driven scan, with desired Overrides, but use the Do Not Scan option, to generate a saved scan setting.
  3. Use the WIE API to upload the saved scan setting, and then issue a command for a Sensor scan using that uploaded file as the scan configuration. You could also opt to convert the uploaded file to be a new WIE Scan Template, but that is not required for this sort of fast testing.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Micro Focus Expert

Re: Use Webinspect directly as a proxy to record URLs which can later be attacked?

The plan is for WebInspect 19.2.0 to allow the use of Selenium WebDriver scripts.
