WebInspect Standard scan using macro: CLI crawls lesser links and finds lesser vulnerabilities
I am using WebInspect v17.10. The scans using the WI CLI are automated. Authentication is performed using macros.
I have recorded the login, clicks on various options, and logout in the macro. In the script, I use Traffic Viewer running at port 8081 (changed the proxy details in Application settings to manual and entered the port number 8081 there) for crawling through the web traffic.
I tried running a manual scan (Basic) using the WebInspect GUI using the same macros (did not modify any settings except providing macro file). Observed that the scan initiated via GUI using the same macro recording takes 20 minutes to complete and finds 130 vulnerabilities. But the one run using the script (WI.exe cli) takes hardly 3 minutes to complete and finds only 54 vulnerabilities.
I compared the scan data of both scans. I found that the number of requests and attacks sent in the GUI scan is very high when compared to that of the CLI run. Around 21000 attacks sent in GUI and around 7000 requests sent in CLI. Around 15000 attacks sent in GUI and around 6000 attacks sent in CLI. Number of links crawled is 632 in the case of CLI and 832 in the case of GUI. The scan parameters mentioned in the CLI command are only the URL, scan policy, and report to be generated. In both GUI and CLI runs, the Standard policy was used.
There is no visible difference between the settings used or options selected in the two scans, as both scans use the same scan and application settings.
Is there any difference in the way that CLI handles the data available in macro vs the way that WebInspect GUI handles it?
Could you please help me with the possible reasons for the difference in links crawled, attacks/requests count and vulnerabilities found in both the cases?
Resolving this is very critical for the project that I am in. Please help.
You might consider taking this to Fortify Customer Support (support.fortify.com) for a deeper, personal review.
<<I have recorded the login, click of various options and logout in the macro.>>
This first statement was of most concern to me. To record a Login Macro, you must record the process of logging in, and then stop. You should NOT include the logoff steps. The Login Macro runs at the start of the scan to establish your session state, and also anytime you have used Pause/Resume. Throughout the scan it watches the HTTP Responses for its defined Logout Condition(s). If any of the Logout Condition(s) defined are met, then the Login Macro re-runs to reestablish session state. The scanner then repeats the HTTP Requests it was attempting when the Logout Condition was met, and then proceeds through the rest of the site. If you record yourself LOGGING IN AND OUT, then your scan may consist of nothing more than a long series of that cycle.
You say you are using the same scan settings for each of these tests, but you did not detail how. All scans via UI, API, or CLI should be equivalent when they share the exact same scan settings, and the target system did not go offline and no other interruptions occurred during the scan, such as login/credential changes.
- Could you display your CLI command here? Are you using a saved scan setting for the CLI?
- How did you apply that same saved scan setting file to your UI scan? Could you share the XML file here, perhaps removing the StartURL entry for privacy first?
- <<I tried running a manual scan (Basic) using the WebInspect GUI>>: A Manual Step-Mode Scan is much different than any of the automated scans. You should run a normal Crawl-and-Audit in the UI to properly compare to the CLI scan, unless both were Workflow-driven scans.
- How do the Scan Logs for these scans compare?
- Did you at any time edit your Login Macro, but fail to re-select it inside of your saved scan setting file? The XML file will not be auto-updated if the named Macro is updated, as the Macro was "swallowed" within the XML file at the time you selected it for Authentication. You would have to Edit the XML file and re-select the Macro, even if it still has the same file name, in order to update the Login Macro within the saved scan setting file.
- Have you extracted the Current Scan Settings from each finished scan and performed a differential analysis between them to ensure they had the same scan settings? This is done by saving the Current Scan Settings to XML, then opening both text files in any diff tool, e.g. Notepad++, DiffMerge, et al.
- <<In the script, I use Traffic Viewer running at port 8081 ...>>: The Traffic Monitor tool is generally not as useful (a little more challenging) for recording Login Macros as using the Login Macro Recorder tool. Can you further explain this section of actions?
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
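The differential analysis the answer recommends (save the Current Scan Settings of each finished scan to XML, then compare) can be scripted so that element order and the large embedded Login Macro blob do not drown out the real differences. The following is an added example, not code from the thread or from WebInspect; the element names (ScanSettings, Crawl/MaxLinks, Authentication/LoginMacro) and both settings documents are constructed for illustration and are not WebInspect's actual schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample "Current Scan Settings" exports (hypothetical schema, not WebInspect's).
GUI_SETTINGS = """<ScanSettings>
  <Policy>Standard</Policy>
  <Crawl><MaxLinks>5000</MaxLinks></Crawl>
  <Authentication><LoginMacro>macro-bytes-after-reselect</LoginMacro></Authentication>
</ScanSettings>"""

CLI_SETTINGS = """<ScanSettings>
  <Policy>Standard</Policy>
  <Authentication><LoginMacro>macro-bytes-before-edit</LoginMacro></Authentication>
  <Crawl><MaxLinks>1000</MaxLinks></Crawl>
</ScanSettings>"""

# Tags whose content is an embedded blob (e.g. the swallowed Login Macro): compare a digest, not the bytes.
BLOB_TAGS = ("LoginMacro",)

def flatten(xml_text):
    """Map every leaf element to a path like ScanSettings/Crawl/MaxLinks -> text.
    Repeated sibling tags get a positional suffix so they do not overwrite each other."""
    out = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            text = (elem.text or "").strip()
            if elem.tag in BLOB_TAGS:
                text = "sha256:" + hashlib.sha256(text.encode()).hexdigest()[:16]
            out[path] = text
            return
        counts = {}
        for child in children:
            counts[child.tag] = counts.get(child.tag, 0) + 1
            suffix = f"[{counts[child.tag]}]" if children and sum(c.tag == child.tag for c in children) > 1 else ""
            walk(child, f"{path}/{child.tag}{suffix}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return out

def diff_settings(a_xml, b_xml):
    """Return {path: (value_in_a, value_in_b)} for every leaf that differs or is missing on one side."""
    a, b = flatten(a_xml), flatten(b_xml)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}

if __name__ == "__main__":
    for path, (gui, cli) in diff_settings(GUI_SETTINGS, CLI_SETTINGS).items():
        print(f"{path}: GUI={gui!r} CLI={cli!r}")
```

A differing LoginMacro digest is the tell-tale for the "edited the macro but never re-selected it in the saved settings" case described above, while a crawl-limit difference explains a lower link count directly.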