WebInspect::Check for TomCat Default Username Password
Is there a way to tweak WebInspect so that when it is doing a crawl on a particular site it will do a check for the default username/password when it encounters the log-in page for the TomCat Management Portal?
Is the goal to break into the site, to test its security, or to alert you if someone left the key in the door?
1. Break in directly:
Consider using the Web Brute tool, perhaps augmenting or shortening the username and password dictionaries.
2. Test the site's security:
Provide the default credentials to WebInspect and scan the site.
3. Have WebInspect break in and alert me:
This is tricky, because I would assume you are already scanning the site with some other user Authentication configured. And if you did send the default credentials, how do we train WebInspect to identify that it has been logged in? First thought might be the Web Form Editor, to provide the credentials in there for the expected form names, but that would not alert you if it logged in.
The Custom Check feature found in the Policy Manager tool is likewise possibly not sophisticated enough for this purpose. It has numerous checks for Administration Applications. They could probably be used as a Search check to let you know if /manager was located, but would not have the ability to log into it.
I think you may need to design a Custom Agent for this. See the Policy Manager tool's Help on this, as well as the WebInspect Help on Custom Agents and the supporting Visual Studio Extension required. I have extracted one of the Help files from that WebInspect Extension to give you an idea of the effort needed.
You might also be interested in the Support-driven and customer-only user forums at Protect724: https://protect724.hp.com/community/fortify
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
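The scanner-side approaches above look for the condition from outside. If you also administer the Tomcat instance, the same condition can be confirmed from inside by auditing `tomcat-users.xml` for well-known default accounts that hold manager or admin roles. The following is an added example written for this thread, not WebInspect or Tomcat code; the credential list and the sample XML are constructed, and the short-password threshold is an assumption to adjust to your own policy.

```python
"""Audit a Tomcat tomcat-users.xml for default or weak manager/admin accounts."""
import xml.etree.ElementTree as ET

# Constructed list of well-known example credentials; extend from your own policy.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
}
# Roles that grant access to the Manager or Host Manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed local policy threshold

# Constructed sample of a tomcat-users.xml (Tomcat 7+ namespace form).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Vq7!pLm2#xR9tZ" roles="manager-script"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return findings for accounts that hold a privileged role and use a
    default or short plain-text password. Digested passwords (long hashes)
    are not flagged by the length check."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # weak password on an unprivileged role is out of scope here
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append({"user": name, "roles": privileged, "reason": "default credential"})
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append({"user": name, "roles": privileged, "reason": "short password"})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['user']}: {f['reason']} with roles {', '.join(f['roles'])}")
```

On the constructed sample only the `tomcat` account is reported: `deploy` has a long password and `guest` has no manager role.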