emalillos

WebInspect 9.30 and Restful Services

Hi, WebInspect has supported RESTful services since 9.20. I've been reading the help but was not successful in scanning my REST services. I have been successful, though, in scanning my web services with a WSDL. My RESTful services need to be sent headers and parameters. Should I use the Web Site scan? Can someone guide me on how to scan RESTful services? Thanks!

Micro Focus Expert
Re: WebInspect 9.30 and Restful Services

emalillos;

The Web Service scan option is only for SOAP-based web services  (Ref:  http://zero.webappsecurity.com/customeraccounts/).

For RESTful web services you would use the standard Web Site scan option, and apparently this fact needs to be advertised more.  :-(

If you are lucky enough to have the WADL file for this REST service, you will want to open the scan settings > Custom Parameters panel and import that WADL.  This will help WebInspect preplan for the scan and the odd parameters this service will offer.

If you are unlucky, you have run headlong into REST without the client or developer warning you about it, and now you will have to "figure it out".  Start by running a partial or full scan (Crawl-Only is probably adequate), and then open and review the Recommendations panel found in the vertical navigational control in the center of the WebInspect UI.  The Recommendations should have identified relevant Custom Parameters for you based on its post-scan analysis.  Update the scan settings from this interface, then click the Rescan button found in the upper toolbar to initiate a fresh scan with these new Custom Parameters.  You may also be able to visibly identify other necessary Custom Parameters and input them yourself prior to this Rescan.

Depending on how much of the interface was scanned earlier, you may be completely successful on this second scan, or you may be facing a situation of "rinse-and-repeat".  Check the post-scan analysis in the Recommendations panel again, see if there are more Custom Parameters suggested, add them to the scan settings, and then Rescan.  And even if you had imported the WADL earlier, it is good practice to review the Recommendations panel after each scan.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
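Since the original poster has no WADL and must work out the service's headers and parameters by hand, the following added Python example (not WebInspect code and not anything posted in this thread) shows what a WADL import hands to the Custom Parameters settings: it walks a constructed WADL document, lists each method's full URL template with its header, query and template parameters, and reports which headers the service requires on every request. The walk handles arbitrarily nested resources, not just the two levels in the sample. The host api.example.test, the paths and the X-Api-Key header are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# WADL 2009 namespace, the form a Custom Parameters import expects
WADL_NS = {"w": "http://wadl.dev.java.net/2009/02"}

# Constructed sample WADL for a hypothetical account service; the host
# api.example.test, the paths and the X-Api-Key header are assumptions.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.test/v1/">
    <resource path="accounts">
      <param name="X-Api-Key" style="header" required="true"/>
      <method name="GET">
        <request>
          <param name="limit" style="query"/>
        </request>
      </method>
      <resource path="{accountId}">
        <param name="accountId" style="template"/>
        <method name="GET"/>
        <method name="DELETE"/>
      </resource>
    </resource>
  </resources>
</application>
"""


def _params(elem):
    """Collect (name, style, required) for the <param> children of elem."""
    return [
        (p.get("name"), p.get("style", "query"), p.get("required") == "true")
        for p in elem.findall("w:param", WADL_NS)
    ]


def _walk(resource, prefix, inherited, out):
    """Recurse through nested <resource> elements, accumulating the URL path
    and the parameters declared on enclosing resources."""
    path = prefix.rstrip("/") + "/" + resource.get("path", "").strip("/")
    params = inherited + _params(resource)  # resource-level params apply to children too
    for method in resource.findall("w:method", WADL_NS):
        method_params = list(params)
        request = method.find("w:request", WADL_NS)
        if request is not None:
            method_params += _params(request)
        out.append({"method": method.get("name"), "path": path, "params": method_params})
    for child in resource.findall("w:resource", WADL_NS):
        _walk(child, path, params, out)


def list_endpoints(wadl_text):
    """Return one entry per HTTP method: its full URL template and parameters."""
    root = ET.fromstring(wadl_text)
    out = []
    for resources in root.findall("w:resources", WADL_NS):
        for res in resources.findall("w:resource", WADL_NS):
            _walk(res, resources.get("base", ""), [], out)
    return out


def required_headers(endpoints):
    """Headers the service insists on; a scan must send these on every request."""
    return sorted({name for ep in endpoints for name, style, req in ep["params"]
                   if style == "header" and req})


if __name__ == "__main__":
    endpoints = list_endpoints(SAMPLE_WADL)
    for ep in endpoints:
        print(ep["method"], ep["path"])
        for name, style, req in ep["params"]:
            print("    ", style, name, "(required)" if req else "")
    print("required headers:", required_headers(endpoints))
```

The template parameter `{accountId}` is what the scanner has to be told about: without a rule for it, each account id crawled looks like a distinct directory rather than one parameterised endpoint, which is exactly the situation the Recommendations panel is meant to surface after a Crawl-Only pass.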
emalillos

Re: WebInspect 9.30 and Restful Services

Hi HansEnders,

Thanks for the reply. Unfortunately, there are no WADL files associated with the RESTful services, so I have to figure out the headers and parameters manually. Your reply is very helpful.

anilkumar2214

Re: WebInspect 9.30 and Restful Services

Hi, I am doing RESTful service scans with WADL files by following this procedure in the WebInspect tool: Edit -> Default Scan Settings -> Custom Parameters -> import WADL files. Then start the basic scan -> Crawl & Audit -> Scan. The problem is that the scan runs continuously and does not complete. Is this the correct procedure for running RESTful scans? Could you please let me know where I am going wrong?

Micro Focus Expert

Re: WebInspect 9.30 and Restful Services

anilkumar2214;

It sounds like you have done the proper method to preset all the needed Custom Parameters in your scan.  The WADL file should have populated your Custom Parameters scan settings screen with the rules necessary to parse the RESTful service.

Assuming that the Custom Parameters were populated and your Current Scan Settings do show those rules, i.e. you did not accidentally use a different scan setting configuration, then your issue with a long scan may be due to other items.

Common causes of long scans include the following situations, each of which may require separate configurations.

Friendly site never provides a true 404

If the Site Tree is polluted with many non-existent pages, then this may be your situation.  Add some unique text from that "custom 404" HTTP Response to the File Not Found scan settings, and run a new scan.

Search or Calendar has "black-holed" the Crawler

It may be that the Crawler is fuzzing every entry in a Search box or a Calendar.  You may need to add a Session Exclusion to avoid that structure and run a fresh scan.

Static Catalog is taking up time

If the site contains a static catalog of content, you will want to enable the Redundant Page Detection feature in the scan settings and start a fresh scan.  This RPD feature can add load to the CPU utilization, which is why it is disabled by default.

Login Macro is bad

Check the Logout Count shown in the Dashboard's statistics section.  Thousands of logouts can indicate the Login Macro is bad.  It may not be truly logging in the user, the account may have become locked, or other complications.  You may want to review the login, and Replay of the Login Macro.  You may need to kick off a Crawl-Only with that Login Macro, using either the Traffic Monitor or Web Proxy to monitor the test scan and ensure the Login Macro is indeed operating properly.

Thread Count too low

Sometimes the server's response is slow during the scan wizard's Server Profiler, and so the wizard suggests lowering the thread count.  I always ignore this advice, but if you accept it your threads will probably have been changed from 5 Crawl and 10 Audit to just 1 and , making for a much slower scan.  You would want to reset those Requestor scan settings on your next scan.

If the site's session state is complicated and requires the Single Shared Requestor setting, then that is the slowest possible scan, and you may have to suffer through it.  If the app permits, you might be able to increase the threads used by Single Shared Requestor, but if the site is that draconian with session state you will just have to accept it.

Custom state-keeping variable not declared to WebInspect

Check the Attack Exclusions scan settings to understand which known state-keeping parameters WebInspect does not fuzz.  If your site has something else, your long scan may be due to WebInspect fuzzing this and losing session state over and over.  To correct this, in your next scan you would add the parameter's name to the HTTP Parsing scan settings panel.  That will inform WebInspect to manage that variable properly, but it will still perform some minor fuzzing.  If you need to prevent any and all such fuzzing, then you must also add that parameter's name to the Attack Exclusions scan settings.

Dynamically-named directories being created

You may have folders being generated on-the-fly.  A Session Exclusion with a regex that omits most all of those structures yet permits a few of them will shorten your Crawl time.  An Exclusive Inclusion regex will permit just a few to be tested, and Fortify Support can help you understand and write this.  The assumption would be that those few folders you permit will have all the same auditable inputs as if all of them were crawled and audited.

 


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
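Two of the causes in the reply above, the friendly site that never returns a true 404 and the dynamically-named directories, come down to a text signature and a regex that are easy to get wrong in a scan setting. The following added Python example (not WebInspect's own code and not anything posted in this thread) derives a File Not Found signature from two constructed custom-404 responses plus one known-good page, checks it against both kinds of page, and then tests a keep-only regex of the kind an inclusion rule would use against a constructed crawl list, letting one stamped folder through so its inputs are still audited. All hosts, markup and paths are constructed for the example; the regex illustrates the filtering logic only and is not WebInspect's settings syntax.

```python
import re

# Constructed responses from a hypothetical site that answers unknown paths
# with HTTP 200 and a friendly page instead of a real 404. Markup and text
# are assumptions for this example.
KNOWN_GOOD_PAGE = """<html><head><title>Acme Portal</title></head>
<body><div class="nav">Home | Accounts | Help</div>
<h1>Your accounts</h1>
<p>Welcome back.</p></body></html>"""

NOT_FOUND_A = """<html><head><title>Acme Portal</title></head>
<body><div class="nav">Home | Accounts | Help</div>
<h1>Oops! We couldn't find that page.</h1>
<p>Requested: /zq8x1v2k</p></body></html>"""

NOT_FOUND_B = """<html><head><title>Acme Portal</title></head>
<body><div class="nav">Home | Accounts | Help</div>
<h1>Oops! We couldn't find that page.</h1>
<p>Requested: /k3m9p0rt</p></body></html>"""

TAG_RE = re.compile(r"<[^>]+>")


def _lines(body):
    """Non-empty lines of a response body, whitespace-trimmed, as a set."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def candidate_signatures(not_found_a, not_found_b, known_good):
    """Text present in both custom-404 responses but absent from a real page,
    longest first. Lines that vary per request (the echoed path) drop out of
    the intersection; lines shared with real pages (nav, title) drop out of
    the difference, so what remains is safe to use as a not-found marker."""
    common = _lines(not_found_a) & _lines(not_found_b)
    shared_with_real = _lines(known_good)
    texts = {TAG_RE.sub("", line).strip() for line in common - shared_with_real}
    return sorted((t for t in texts if t), key=len, reverse=True)


def soft_404_signature(not_found_a, not_found_b, known_good):
    """The text to put in the File Not Found scan setting, or None if the
    custom 404 cannot be told apart from a real page by text alone."""
    cands = candidate_signatures(not_found_a, not_found_b, known_good)
    return cands[0] if cands else None


def looks_like_soft_404(body, signature):
    """What a page-not-found check does with that signature during a scan."""
    return signature is not None and signature in body


# Constructed crawl URLs for the dynamically-named-directories case:
# per-session stamped folders under /tmp/. Host and pattern are assumptions.
CRAWLED = [
    "https://app.example.test/tmp/ab12cd/report",
    "https://app.example.test/tmp/ef34gh/report",
    "https://app.example.test/tmp/ij56kl/report",
    "https://app.example.test/settings",
]

# Keep everything outside /tmp/, and only one stamped folder inside it, so
# one copy of that folder's inputs is still crawled and audited.
KEEP_RE = re.compile(r"^https://app\.example\.test/(?!tmp/)|/tmp/ab12cd/")


def filter_crawl(urls, keep_re=KEEP_RE):
    """Apply a keep-only (inclusion) regex to a crawl list."""
    return [u for u in urls if keep_re.search(u)]


if __name__ == "__main__":
    sig = soft_404_signature(NOT_FOUND_A, NOT_FOUND_B, KNOWN_GOOD_PAGE)
    print("File Not Found signature:", sig)
    print("real page flagged?", looks_like_soft_404(KNOWN_GOOD_PAGE, sig))
    print("kept after inclusion regex:", filter_crawl(CRAWLED))
```

Using two not-found responses rather than one is the point: a single response would offer the echoed path as a "unique" string, and that string never matches any other page, so the scanner would keep filing the custom 404s as real content.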
anilkumar2214

Re: WebInspect 9.30 and Restful Services

Hi HansEnders,

Thank you so much for your reply. I am getting one more problem in RESTful service scans. While doing these scans on the URLs with WADL files, vulnerabilities that do not belong to this scope are being raised. How do I stop these out-of-scope vulnerabilities from being raised? Could you please let me know if there are any links to refer to regarding RESTful service scans and SOAP services.

Thank you.

Micro Focus Expert

Re: WebInspect 9.30 and Restful Services

I suspect what you are seeing are "Passive Checks" on those out-of-scope hosts.  If WebInspect browses off-site script includes (permitted by the Content Analyzers scan settings) or they are included in your Workflow/Login macros, the passive checks might trigger on them.  While WebInspect does not have formal categories of attacks, there is a collection of them that only trigger on the HTTP Response traffic seen during a scan.  These are simple items such as CC#/SSN#/Internal IP Address found, TLS/SSL certificate or strength issues, and cookie lifespan issues.

We do not currently have a RESTful web services tutorial or testing resource.

For SOAP/WSDL-based web services testing, we do have a tutorial and testing resource for users at the old demo site:  http://legacy.webappsecurity.com/customeraccounts/

The newer form of that demo site offers similar resources, but very little in terms of tutorials.

http://zero.webappsecurity.com/web-services/


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify