
WebInspect Rest API not working - Not able to create scans
Hi,
I am trying to start scans via the WebInspect API on the development server (using curl commands), but it seems to error out. I get the message "An error has occured."
A few points:
1. The webinspect API is a licensed version for some websites like zero.webappsecurity.com.
2. SQL server version is 2008.
3. I have attached a log file also with the debug information.
4. Are there any prerequisites for the settings file? I started a basic scan using the GUI and then saved it and used the same settings file for the API. Is that the right way?
5. Here is my curl command:
curl -d "settingsName=Default&overrides={\"ScanName\":\"testing11\",\"StartUrl\":\"http://zero.webappsecurity.com:80\",\"CrawlAuditMode\":\"CrawlAndAudit\",\"StartOption\":\"Url\",\"AllowedHosts\":[\"http://zero.webappsecurity.com:80\"],\"PolicyId\":1}" "http://<hostname>/webinspect/scanner/"
Any help is appreciated.
Thanks,
Tarveen

Your log file showed a few errors stating, "Product is not licensed." I do not know if you failed to activate the WebInspect product, or if there was a problem with the installation. I would take this to Fortify Support (see support.fortify.com).
Additionally, the final entry in your command URL was:
,\"PolicyId\":1%7D
I cannot tell if that was due to the pasting into this forum's (safe) HTTP panes, or if that was your actual command. The sample in the WebInspect Help shows essentially the same command, but ending with this PolicyID.
,\"PolicyId\":1000
There are ways to query the Securebase.sdf file to identify the various canned and customized PolicyIds, but the canned ones are listed in the WebInspect Help under "Command Line Execution". I do not know why "1000" was used in the example, because I do not see one with that particular Policy ID. You can also read the PolicyIds (<id> tags) from this URL when the WebInspect API is running: http://127.0.0.1:8083/webinspect/securebase/policy
Command Line Execution
Values for policy id are:
1 = Standard
2 = Assault
3 = SOAP
4 = Quick
5 = Safe
6 = Development
7 = Blank
16 = QA
17 = Application
18 = Platform
1001 = SQL Injection
1002 = Cross-Site Scripting
1003 = OWASP Top 10 Application Security Risks 2007
1004 = All Checks
1005 = Passive
1008 = Critical and High Vulnerabilities
1009 = OWASP Top 10 Application Security Risks 2010
1010 = Aggressive SQL Injection
1011 = NoSQL and Node.js
1012 = OWASP Top 10 Application Security Risks 2013
1013 = Mobile
1014 = OpenSSL Heartbleed
1015 = Apache Struts
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
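
An added example, not part of the thread or of the WebInspect documentation: it builds the POST body for the `/webinspect/scanner/` call from the question with the JSON overrides serialized and percent-encoded by library code, rejects a PolicyId that is not in the canned list above, and decodes the body again to show that a trailing `%7D` is simply the encoded closing brace. The function names are hypothetical, and it assumes the API form-decodes the body the way it would for `curl -d`.

```python
import json
from urllib.parse import urlencode, parse_qs

# Canned policy IDs exactly as listed in the reply above.
CANNED_POLICIES = {
    1: "Standard", 2: "Assault", 3: "SOAP", 4: "Quick", 5: "Safe",
    6: "Development", 7: "Blank", 16: "QA", 17: "Application", 18: "Platform",
    1001: "SQL Injection", 1002: "Cross-Site Scripting",
    1003: "OWASP Top 10 Application Security Risks 2007", 1004: "All Checks",
    1005: "Passive", 1008: "Critical and High Vulnerabilities",
    1009: "OWASP Top 10 Application Security Risks 2010",
    1010: "Aggressive SQL Injection", 1011: "NoSQL and Node.js",
    1012: "OWASP Top 10 Application Security Risks 2013", 1013: "Mobile",
    1014: "OpenSSL Heartbleed", 1015: "Apache Struts",
}

def build_scan_body(settings_name, scan_name, start_url, policy_id,
                    known_ids=CANNED_POLICIES):
    """Return the form-encoded body (hypothetical helper).
    Pass a larger known_ids set if you use customized policies."""
    if policy_id not in known_ids:
        raise ValueError(f"PolicyId {policy_id} is not a known policy")
    overrides = {
        "ScanName": scan_name,
        "StartUrl": start_url,
        "CrawlAuditMode": "CrawlAndAudit",
        "StartOption": "Url",
        "AllowedHosts": [start_url],
        "PolicyId": policy_id,
    }
    # json.dumps handles the quoting; urlencode handles the escaping.
    return urlencode({"settingsName": settings_name,
                      "overrides": json.dumps(overrides, separators=(",", ":"))})

def decode_overrides(body):
    """Decode the body as a form-decoding server would (assumption) and
    parse the overrides field; raises if it is not valid JSON."""
    fields = parse_qs(body, strict_parsing=True)
    return json.loads(fields["overrides"][0])

if __name__ == "__main__":
    body = build_scan_body("Default", "testing11",
                           "http://zero.webappsecurity.com:80", 1)
    print(body)                    # ends with ...%22PolicyId%22%3A1%7D
    print(decode_overrides(body))  # the JSON object the server would parse
```

The printed body can be sent with `curl -d "<body>" "http://<hostname>/webinspect/scanner/"` in place of the hand-escaped string.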