WebInspect Agent - Test Applications and Documents
I'm trying to understand how the WebInspect agent works for both Java and .NET. Are there any applications provided to test these? Also, any reference documents would be very helpful.
First, the Agent which is available in the HP WebInspect Group is the 4.2 version. Previously has comment about the API documentation and configuration to help use for both JAVA and .NET configuration. With both you would install the agent in specific locations and load a custom configuration file specific for your environment.
His previous comments can be found in these forum threads.
Hope these help some.
Joel E. Natt CISSP, CRISC
Hewlett-Packard Enterprise Software Education
Exam Development Lead – Hewlett-Packard Enterprise Software
Trainer – HP Software Education – Fortify, TippingPoint
Get Training: http://www.hpenterprisesecurity.com/university
Global Exam/Certification Development Manager – Hewlett Packard Enterprise Software Education
The WebInspect Agent is based on the Fortify Runtime framework and integrates directly with the web server hosting the site, such as Apache Tomcat or Windows IIS. The WebInspect Agent uses specific rules to identify application behavior at the runtime level that is indicative of vulnerabilities being exploited and then sends this information back to WebInspect using the same port as the web application so that firewall rules do not need to be opened. Using its location directly inside of the application while running, the WebInspect Agent also sends back information around the attack surface and which part of the application a given attack is going to exercise. Using this information, WebInspect can avoid retesting certain functions that might appear on several pages of the website, decreasing the overall scan time.
As for applications to test it against, I would recommend using some of the popular intentionally vulnerable applications like Hacme Bank (Hacme Bank v2.0, McAfee Free Tools).