Absent Member.
Absent Member.

WCF and WebAPI Scan using WebInspect

Hi there ,

we are using the  WebInspect 10.4 version. we don't see any option to scan the WCF/Web API services. we can only see the option for WebServcies (.asmx?wsdl). Is it possible to scan the WCF/WebAPI servcies using the WebInspect tool.

Thanks, Raju

Labels (1)
1 Reply
Micro Focus Expert
Micro Focus Expert


You should be able to scan it with the standard Web Site scan wizards (Guided and/or Basic), as the Web Servcie Scan Wizard is specific to SAOP and WSDL web services.  We also use the standard web site scans for RESTful and JSON services.  Of course the limitation with WCF is that it must be using the HTTP/HTTPS WCF Transport Protocols, since those are the only ones WebInspect is built to scan.

However, it might even work to review the WCF service with the Web Service Design tool in WebInspect.  You might add ".wsdl" to the end of its URL and have success parsing the inputs.  From there you would set all the appropriate values for exercising the WCF service.  Save the Web Service Design data and use it as input in the Web Service scan wizard.  This might be of particular value if WS-* protocols are in use, as WebInspect supports WS-SecureConversation, WS-Trust, WS-ReliableMessaging, MTOM, DIME, WCF - TCP Transport, and WCF - Binary Encoding.


If you need to use the standard web site scan options, the exact scan configuration will depend on how the WCF is expressed for the scanner/browser.  Are you required to use a client of some sort, or is there a web-based front-end, or are you dealing with a pure service?


  • client of some sort - Connect the client through Web Proxy, exercise the app manually, then save the captured Proxy traffic as a webmacro file.  Use that *.webmacro file as a Workflow in your next WebInspect scan.  OR, set the Application Settings for Step-Mode scans to a static, known port, launch WebInspect's Basic Scan Wizard and select the Manual Step-Mode option, then configure the client to use that static listener port, exercise the app manually, and then click the Audit button inside WebInspect to have it audit all the captured sessions.  I find the saved webmacro to be more repeatable and useful.


  • web-based front-end - scan the front-end and it should take care of testing the WCF behind it, assuming all the necessary components are exposed and available via the front-end.


  • pure service - Build your own HTML front-end to call all the WCF components, then scan that page with WebInspect.  OR, link your browser through Web Proxy and manually exercise the app, saving the captured Proxy traffic as a webmacro to use in a subsequent Workflow-driven scan.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.