Absent Member

WebInspect::Check for TomCat Default Username Password

Hi All,


Is there a way to tweak WebInspect so that when it's doing a crawl on a particular site it will do a check for the default username/password when it encounters the log-in page for the TomCat Management Portal?


Thank you.



1 Reply
Micro Focus Expert

Is the goal to break into the site, to test its security, or to alert you if someone left the key in the door?




1. Break in directly:



Consider using the Web Brute tool, perhaps augmenting or shortening the username and password dictionaries.




2. Test the site's security:



Provide the default credentials to WebInspect and scan the site.




3. Have WebInspect break in and alert me:



This is tricky, because I would assume you are already scanning the site with some other user Authentication configured.  And if you did send the default credentials, how do we train WebInspect to identify that it has been logged in?  First thought might be the Web Form Editor, to provide the credentials in there for the expected form names, but that would not alert you if it logged in.


The Custom Check feature found in the Policy Manager tool is likewise possibly not sophisticated enough for this purpose.  It has numerous checks for Administration Applications.  They could probably be used as a Search check to let you know if /manager was located, but would not have the ability to log into it.


I think you may need to design a Custom Agent for this.  See the Policy Manager tool's Help on this, as well as the WebInspect Help on Custom Agents and the supporting Visual Studio Extension required.  I have extracted one of the Help files from that WebInspect Extension to give you an idea of the effort needed.



You might also be interested in the Support-driven and customer-only user forums at Protect724:  https://protect724.hp.com/community/fortify




-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify