Lieutenant Commander

WIE 20.1 Workflow Scan Method

Hi experts,

I have two questions regarding the workflow scan method in WIE 20.1 and hope to get clarification from the Micro Focus experts here:


1. We are assessing an E-commerce site, which requires a credential logon before all the pages can be viewed.

We used the workflow scan method, without providing the login macro, and recorded the workflow after the login page. Will WIE be able to audit the pages without credentials provided?

2. When using the workflow scan method, will WIE access any directory that is lower in the directory tree? For example: https://www.uat.amway.co.kr/quickOrder was recorded in the workflow, but there are still a lot of sub-URLs under this "quickOrder" (e.g. https://www.uat.amway.co.kr/quickOrder/checkout). Will WIE access the "checkout" directory too?


Thanks.

Micro Focus Expert

By definition a Workflow-Driven Scan "should not" crawl:

[image: workflow-definition.png]

In order to make this function as designed, you will need to ensure that the Audit Only radial button is chosen during the Basic Scan Wizard:

[image: workflow-audit-only.png]

The next sentence after the highlight (above) is that a logout signature is not required. The inverse of this is that if you are including authentication in the workflow macro then a login macro is not needed. If you want to ensure we have the correct authentication then you may want to include a login macro.

Regarding question #2, by definition it should not; however, if you choose Crawl & Audit (or leave it as default) we will Crawl, but you have no control over it as you would with a Standard Scan, where you can choose the restrict-to-folder functionality. Also, even though it may crawl those without a login macro, we will not be able to successfully audit those "extra" pages.

This goes back to what you are trying to accomplish: is a Workflow Macro the best option, or should you use a Standard Scan in conjunction with a Startup Macro?

What is your concern with using a Standard Scan? Many that scan e-commerce sites are concerned about the size of the scan and time taken to complete. In WebInspect 20.2, we have introduced our new Redundant Page Detection:

Applications with lots of redundant content, such as content management systems and catalog sites, can cause unnecessarily long-running scans. With WebInspect 20.2.0, you can use an advanced redundant page detection algorithm to reduce these scan times.


**UPDATE** there has been some internal discussion on the definition of a workflow-driven scan versus the functionality it provides. Based on this, I wanted to provide an update. Even though the definition is correct, it is only partially correct. A workflow macro can be used to Crawl, Crawl & Audit or Audit only based on the option chosen for the scan type.

Lieutenant Commander

Hi eBell,

Thanks for your detailed explanation, it helps to clear my doubts. Yes, our main concern when scanning an e-commerce site is the size of the scan and the time taken to complete. It always takes days to complete.

If version 20.2 could help with our concern, we will consider upgrading to it. (We just upgraded to 20.1 two weeks ago.)


Regards,

Peiny

Micro Focus Expert

When you mentioned the eCommerce site, my assumption was that this was what you were trying to do. Before the release of WebInspect 20.2 the options for limiting scans in these types of scenarios were somewhat "cumbersome", though it can be done.

As you mentioned, a workflow macro is one choice; the other is what we call Inclusive Exclusions, which can be found in the following KB article: https://softwaresupport.softwaregrp.com/doc/KM03228261

However, with the release of 20.2, this should no longer be needed due to the new Redundant Page Detection settings:

Perform redundant page detection

Highly dynamic sites could create an infinite number of resources (pages) that are virtually identical. If allowed to pursue each resource, Fortify WebInspect would never be able to finish the scan. This option compares page structure to determine the level of similarity, allowing Fortify WebInspect to identify and exclude processing of redundant resources.

Important! Redundant page detection works in the crawl portion of the scan. If the audit introduces a session that would be redundant, the session will not be excluded from the scan.

You can configure the following settings for redundant page detection:

  • Page Similarity Threshold – indicates how similar two pages must be to be considered redundant. Enter a percentage from 0 to 100, where 100 is an exact match. The default setting is 95 percent.

  • Tag attributes to include – identifies the tag attributes to include in the page structure. Typically, tag attributes and their values are dropped when determining structure. Identifying tag attributes in this field in a comma-separated list adds those attributes and their values in the page structure. By default, "id,class" tag attributes are included.

    Tip: Certain sites may be primarily composed of one type of tag, such as <div>. Including these attributes creates a more rigid page match. Excluding these attributes creates a less strict match.

Micro Focus Expert
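To make the three settings quoted above concrete, here is an added example of a structure-based redundant page detector. This is illustrative code written for this thread, not WebInspect's own algorithm: it assumes a page is reduced to a skeleton of tag names plus the attributes named in keep_attrs (default "id,class", as in the product), that similarity is the difflib ratio between two skeletons, and that the 95 percent default threshold applies. The sample HTML (two catalog items from one template, a "promo" variant, and a checkout page) is constructed for the example.

```python
# Added example (not WebInspect code): structure-based redundant page detection.
# Assumptions: tag skeleton with only keep_attrs retained, difflib similarity,
# 95 % threshold. All HTML below is constructed sample data.
from difflib import SequenceMatcher
from html.parser import HTMLParser

DEFAULT_THRESHOLD = 95.0              # percent; 100 is an exact structural match
DEFAULT_KEEP_ATTRS = ("id", "class")  # attributes kept in the page structure


class StructureExtractor(HTMLParser):
    """Reduce an HTML document to a list of tokens describing only its tag structure.

    Text nodes are dropped, and so are all attributes except those in keep_attrs,
    whose name=value pairs stay attached to the tag token.
    """

    def __init__(self, keep_attrs):
        super().__init__()
        self.keep_attrs = set(keep_attrs)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        kept = sorted(f"{k}={v}" for k, v in attrs
                      if k in self.keep_attrs and v is not None)
        self.tokens.append(f"<{tag} {' '.join(kept)}>" if kept else f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def page_structure(html, keep_attrs=DEFAULT_KEEP_ATTRS):
    parser = StructureExtractor(keep_attrs)
    parser.feed(html)
    parser.close()
    return parser.tokens


def similarity_percent(html_a, html_b, keep_attrs=DEFAULT_KEEP_ATTRS):
    """Structural similarity of two pages on a 0..100 scale."""
    a, b = page_structure(html_a, keep_attrs), page_structure(html_b, keep_attrs)
    return 100.0 * SequenceMatcher(None, a, b, autojunk=False).ratio()


def is_redundant(html_a, html_b, threshold=DEFAULT_THRESHOLD,
                 keep_attrs=DEFAULT_KEEP_ATTRS):
    return similarity_percent(html_a, html_b, keep_attrs) >= threshold


def dedupe_crawl(pages, threshold=DEFAULT_THRESHOLD, keep_attrs=DEFAULT_KEEP_ATTRS):
    """Keep the first page of each structural family; drop later look-alikes.

    `pages` is an iterable of (url, html). This models the crawl-phase filtering
    described above; sessions first seen during the audit would not pass through it.
    """
    kept = []  # (url, structure) of pages that survived
    for url, html in pages:
        structure = page_structure(html, keep_attrs)
        if any(100.0 * SequenceMatcher(None, structure, s, autojunk=False).ratio()
               >= threshold for _, s in kept):
            continue
        kept.append((url, structure))
    return [url for url, _ in kept]


# Constructed sample pages: two catalog items share a template, checkout does not.
PRODUCT_TEMPLATE = """<html><body><div id="main" class="catalog">
<h1>{name}</h1><p class="price">{price}</p>
<form action="/cart"><input type="hidden" name="sku" value="{sku}"><button>Add</button></form>
</div></body></html>"""
PRODUCT_A = PRODUCT_TEMPLATE.format(name="Widget", price="$10", sku="A1")
PRODUCT_B = PRODUCT_TEMPLATE.format(name="Gadget", price="$20", sku="B2")
PROMO = PRODUCT_A.replace('id="main"', 'id="promo"')  # same tags, one id differs
CHECKOUT = """<html><body><div id="main" class="checkout">
<h1>Checkout</h1>
<form action="/pay"><label>Card</label><input name="card"><label>Expiry</label>
<input name="exp"><button>Pay</button></form>
<ul class="summary"><li>Widget</li><li>Shipping</li></ul>
</div></body></html>"""

if __name__ == "__main__":
    print(f"product vs product : {similarity_percent(PRODUCT_A, PRODUCT_B):.1f}%")
    print(f"product vs promo   : {similarity_percent(PRODUCT_A, PROMO):.1f}% (id,class kept)")
    print(f"product vs promo   : {similarity_percent(PRODUCT_A, PROMO, keep_attrs=()):.1f}% (no attributes)")
    print(f"product vs checkout: {similarity_percent(PRODUCT_A, CHECKOUT):.1f}%")
    crawl = [("/product/A1", PRODUCT_A), ("/product/B2", PRODUCT_B),
             ("/promo", PROMO), ("/checkout", CHECKOUT)]
    print("crawl keeps:", dedupe_crawl(crawl))
```

The "promo" page illustrates the Tip above: with "id,class" kept, one differing id drops similarity to about 93 percent and the page is crawled as distinct; with the attribute list emptied, the two skeletons are identical and the page is discarded as redundant. Tuning the threshold or the attribute list is therefore a trade-off between scan time and the risk of skipping a page whose behaviour differs only in attribute values.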

I should also mention there were some other exciting features included in WebInspect 20.2.0 as well:

  • Automatic Detection of Single-page Applications
    Fortify continues to improve usability with time-saving features that eliminate manual configuration of scans. WebInspect 20.2.0 detects when applications use modern frameworks such as Angular and React, and automatically adjusts its configuration to provide the best coverage.

  • Redundant Page Detection
    Applications with lots of redundant content, such as content management systems and catalog sites, can cause unnecessarily long-running scans. With WebInspect 20.2.0, you can use an advanced redundant page detection algorithm to reduce these scan times.

  • ADFS CBT Support
    Per advice from Microsoft, many organizations are implementing a channel binding token (CBT) to secure Active Directory Federation Services (ADFS) authentication. WebInspect 20.2.0 now supports this extended protection mechanism. Look at Scan Settings under Network Authentication > Method > ADFS CBT to use this new feature, and reference the Help topic for details.

  • Engine 5.1 Updates
    Fortify continues to evolve its engines to improve coverage and performance. WebInspect 20.2.0 provides a faster crawl and audit, and better application support from the web macro recorder. Finally, as a sneak peek of things to come in 2021, the Web Macro Recorder with Macro Engine 5.1 now attempts to detect and display client-side frameworks that are used in the target application.

  • OpenSSL Technical Preview
    WebInspect 20.2.0 introduces a technical preview of our OpenSSL integration. This integration provides support for TLS 1.3, and provides an option for customers whose system’s administrators may be restricting the Microsoft SCHANNEL stack. The setting may be enabled in the UI at Edit > Application Settings > General.

  • ScanCentral DAST
    Fortify is excited to release a new DAST orchestration and automation platform integrated right into Software Security Center 20.2.0! For more information, watch our “Introduction to ScanCentral DAST” video on the Fortify Unplugged YouTube channel.

Lieutenant Commander

Hi eBell,

Thanks again for your info, it's indeed helpful. We will plan for the 20.2 upgrade soon. 🙂
