Can a web service scan be run only if I have the WSDL file location?
A couple of sites have been built on the ServiceStack web service framework and the ASP.NET Web API framework, so they don't contain a WSDL file. In this case, how should we proceed with the scan?
WebInspect expects a SOAP web service to offer a WSDL, either as a downloaded file or as a web URL. Sometimes you can simply add "?wsdl" to the end of the service's URL. The typical process is to open the WSDL with the Web Service Design tool and pre-populate the normal test values to exercise the service fully before attacking it. The saved output (*.WSD) from that tool is used as input in the WebInspect Web Service scan wizard.
If your SOAP service truly has no WSDL, then you may need to use alternate testing methods. It might be possible to run a standard Web Site scan using WebInspect, but the steps and inputs may be poor. A better option may be to run the Manual Step-Mode scan (available in the Basic Scan Wizard). This requires you to manually browse the app, and then have WebInspect automatically Audit what you browsed. If you think session state may be lost during that automated portion, consider adding a Login Macro in the Scan Settings, despite the fact that you will manually log in in the manual portion of the scan.
Yet another method would be to build a test framework such as an HTML page that has links to call out each of the SOAP actions of the application, and you would then scan that page with WebInspect's standard web site scan wizard (Guided or Basic).
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
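
One way to generate the harness page described in the reply above, as an added example that is not part of the original post or of WebInspect. It assumes the services accept plain HTTP GET/POST parameters; the operation names, URLs and test values are constructed placeholders.

```python
from html import escape
from urllib.parse import urlencode

# Constructed sample inventory (hypothetical operations and test values).
# Replace with the real operations of the application under test.
OPERATIONS = [
    {"name": "GetCustomer", "url": "https://app.example.test/api/customers",
     "method": "GET", "params": {"id": "42"}},
    {"name": "CreateOrder", "url": "https://app.example.test/api/orders",
     "method": "POST", "params": {"sku": "A&B <1>", "qty": "1"}},
]

def render_operation(op):
    """Return one list item: a link for GET, a pre-filled form for POST."""
    name = escape(op["name"])
    if op["method"].upper() == "GET":
        # Test values go into the query string so the crawler sees them.
        href = op["url"] + "?" + urlencode(op["params"])
        return f'<li><a href="{escape(href, quote=True)}">{name}</a></li>'
    # POST operations become forms with known-good default values,
    # giving the scanner valid inputs to start from.
    fields = "".join(
        f'<input type="text" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for k, v in op["params"].items()
    )
    return (f'<li><form method="post" action="{escape(op["url"], quote=True)}">'
            f'{fields}<button type="submit">{name}</button></form></li>')

def build_harness(operations):
    """Build a complete HTML page exposing every operation to a crawler."""
    items = "\n".join(render_operation(op) for op in operations)
    return ('<!DOCTYPE html>\n<html><head><meta charset="utf-8">'
            "<title>Scan harness</title></head>\n<body><ul>\n"
            f"{items}\n</ul></body></html>\n")

if __name__ == "__main__":
    # Write the page to disk; host it where the scanner can crawl it.
    with open("harness.html", "w", encoding="utf-8") as fh:
        fh.write(build_harness(OPERATIONS))
```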