Highlighted
tarveen
tarveen Absent Member.
Absent Member.
‎2015-04-30 15:42
6172 views

WebInspect Rest API not working - Not able to create scans

 

Hi,

 

I am trying to start scans via webinspect API on the development server (using curl commands), but it seems to error out. I get message "An error has occured."

 

Few points:

 

1. The webinspect API is a licensed version for some websites like zero.webappsecurity.com.

2. SQL server version is 2008.

3. I have attached a log file also with the debug information.

4. Is there some prerequisites for the settings file. I started a basic scan using the GUI and then saved it and used the same settings file for the api. Is that the right way?

4. Here is my curl command:

 


curl -d "settingsName=Default&overrides={\"ScanName\":\"testing11\",\"StartUrl\":\"http://zero.webappsecurity.com:80\",\"CrawlAuditMode\":\"CrawlAndAudit\",\"StartOption\":\"Url\",\"AllowedHosts\":[\"http://zero.webappsecurity.com:80\"],\"PolicyId\":1}" "http://<hostname>/webinspect/scanner/"

 

Any help is appreciated.

 

Thanks,

Tarveen

Labels (2)
Labels
0 Likes
Reply
1 Reply
HansEnders
Micro Focus Expert
Micro Focus Expert
‎2015-05-06 15:36

Re: WebInspect Rest API not working - Not able to create scans

Your log file showed as few errors stating, "Product is not licensed."  I do not know if you failed to activate the WebInspect product, or if there was a problem with the installation.  I would take this to Fortify Support (see support.fortify.com).

 

 

 

Additionally, the final entry in your command URL was:

 

,\"PolicyId\":1%7D

 

I cannot tell if that was due to the pasting into this forum's (safe) HTTP panes, or if that was your actual command.  The sample in the WebInspect Help shows essentially the same command, but ending with this PolicyID.

 

,\"PolicyId\":1000

 

 

 

There are ways to Query the Securebase.sdf file to identify the various canned and customized PolicyIds, but they canned ones are listed in the WebInspect Help under "Command LineExecution".  I do not know why "1000" was used in the example, because I do not see one with that particular Policy ID.  You can also read the PolicyIds (<id> tags) from this URL when the WebInspect API is running:   http://127.0.0.1:8083/webinspect/securebase/policy

 

Command Line Execution <script type="text/javascript">// function _HP_CHM_banner_setText() { var feedbackVariables = document.getElementById("hp-feedback-variables"); var line1 = feedbackVariables.getAttribute('skinline1'); var line2 = feedbackVariables.getAttribute('skinline2'); var innerbannertext = document.getElementById('innerbannertext'); if (line2.length == 0) { innerbannertext.className = "innerbannertext1"; innerbannertext.replaceChild(document.createTextNode(line1), innerbannertext.firstChild); } else { innerbannertext.className = "innerbannertext2"; innerbannertext.replaceChild(document.createTextNode(line1), innerbannertext.firstChild); innerbannertext.appendChild(document.createElement('BR')); innerbannertext.appendChild(document.createTextNode(line2)); } } // </script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/jquery.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapGlobal.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapSlideshow.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapMerging.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapAliasFile.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapUtilities.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapBody.js" type="text/javascript"></script> <script src="/t5/forums/replypage/board-id/sws-20/message-id/SkinSupport/MadCapHighlighter.js" type="text/javascript"></script>

Values for policy id are:
1 = Standard
2 = Assault
3 = SOAP
4 = Quick
5 = Safe
6 = Development
7 = Blank
16 = QA
17 = Application
18 = Platform
1001 = SQL Injection
1002 = Cross-Site Scripting
1003 = OWASP Top 10 Application Security Risks 2007
1004 = All Checks
1005 = Passive
1008 = Critical and High Vulnerabilities
1009 = OWASP Top 10 Application Security Risks 2010
1010 = Aggressive SQL Injection
1011 = NoSQL and Node.js
1012 = OWASP Top 10 Application Security Risks 2013
1013 = Mobile
1014 = OpenSSL Heartbleed
1015 = Apache Struts

 

 


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.