UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
Absent Member.
Absent Member.
8705 views

list driven scan Vs. crawl + audit scan

Hi,

Q1) Since a total crawl+audit scan was running into months,  i turned to a list driven scan, it was lightening quick, auditing all pages in a single day!!!!

However, there were differences in findings, the most notable of them was a XSS.

In a particular page, few items were listed, Ajax was being used and a compare parameter was initialized only when a few items were selected(selecting items added them to a compare box). This compare parameter had a reflected XSS vulnerability.

This was detected during a total crawl+audit scan but it was not detected by a list driven audit only scan.

Q1a)Does that imply that in a list driven scan pages are audited simply as per the content present on them and no link/ other functionality present on the pages like ajax  is cliked/analyzed?

Q1b)What is the difference between the two(crawl+audit Vs. list driven using a notepad of URLs) that decreased the scan time from months to a single day?

Q1c)Would it be safe to say that whatever issue is detected by a complete crawl+audit scan is also detected by a list driven scan using a notepad of URLs?

 

Q2) The above mentioned Crawl+audit scan has reached a size of 3.6GB and the tool crashes very frequently now, sometimes even the scan is not loaded, and if it loads it takes a lot of time to load(around 20 mins). Is it because i am using the default 4GB database, how can i increase its size? i am using Webinspect 9.10

 

Seeking your guidance on the above.

Labels (1)
0 Likes
4 Replies
Micro Focus Expert
Micro Focus Expert

For your List-Driven scan, which method are you using, Crawl-and-Audit or Audit-Only?

 

 

 

Regarding your 4GB storage, this is a factor of your chosen MS SQL scan repository.  SQL Server 2005 Express and early releases of SQL Server 2008 Express have a natural limit of 4GB per scan.  Our recommendation is to use SQL Server 2008 Express R2, as it affords up to 10GB of storage per scan.  It is still free and runs locally, just as with the earlier Express.

 

 

 

To upgrade your WebInspect scan repository, you will want to use the following steps.  I have also attached a screen shot series of the standard installation process to use 2008 Express R2 for WebInspect.

 

* Review the ScanData entry under WebInspect's Edit menu > Application Settings > Directories panel.  This path is where your WebInspect scans are stored.

* Back-up your machine, or just the ScanData and the Logs paths listed, at a minimum.

* Uninstall SQL Server Express form the Add/Remove Programs Control Panel.

* Reboot.

* Install SQL Server 2008 Express R2.

* Reboot.

* Open WebInspect and verify the scans are all still listed in the Manage Scans arena.

 

 


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Tags (1)
0 Likes
Absent Member.
Absent Member.

Thanks for the reply.

I am using audit only mode witha list driven scan, I use a notepad with a URL in every line.

0 Likes
Absent Member.
Absent Member.

Thanks for the doc.

 

About the first query- I use audit only mode with a notepad list of URLs, considering this,  please guide me on the query:

 

Q1) Since a total crawl+audit scan was running into months,  i turned to a list driven scan, it was lightening quick, auditing all pages in a single day!!!!

However, there were differences in findings, the most notable of them was a XSS.

In a particular page, few items were listed, Ajax was being used and a compare parameter was initialized only when a few items were selected(selecting items added them to a compare box). This compare parameter had a reflected XSS vulnerability.

This was detected during a total crawl+audit scan but it was not detected by a list driven audit only scan.

Q1a)Does that imply that in a list driven scan pages are audited simply as per the content present on them and no link/ other functionality present on the pages like ajax  is cliked/analyzed?

Q1b)What is the difference between the two(crawl+audit Vs. list driven using a notepad of URLs) that decreased the scan time from months to a single day?

Q1c)Would it be safe to say that whatever issue is detected by a complete crawl+audit scan is also detected by a list driven scan using a notepad of URLs?

0 Likes
Micro Focus Expert
Micro Focus Expert

Q1a)  Yes, the List-Driven Assessment when coupled with the Audit-Only method will only attack the pages/sessions described in your list.

 

Q1b) See Q1a above.  The standard Crawl+Audit will run Discovery over all links everywhere throughout the site.  The List-Driven scan with Audit-Only will not roam.

 

Q1c)  No.  The only findings that would match between a Crawl+Audit and your List-Driven Audit-Only would be those select pages provided in your input list.

 

The aim of the List-Driven (and Workflow-Driven) Assessment is to control precisely where the scanner begins its work.  If that work is an Audit-Only, then it will not perform a Discovery/Crawl, it will only Attack/Audit the pages provided.  If that work is a Crawl+Audit, then you will have provided a list of known pages to kick-start the Crawl/Discovery, but this will be akin to a standard Crawl+Audit.

 

As a visual, the standard scan is like jumping off the boat and swimming down to depth to scuba dive a coral reef.  The List-Driven or Workflow-Driven scan still involves swimming, but you are dropping down to depth in a diving bell and then swimming out from there to the coral reef, saving yourself the effort of swimming down from the surface.

 

Back to your primary complaint of long scans, you need to work with Customer Support (2nd or 3rd tier, not 1st level) to determine what scan settings you are missing that would make your particular scans more efficient.  They will need to review your live, finished scans in order to understand where WebInspect's time is being spent and understand how the site is constructed.  The default scan settings are a good balance between thoroughness and speed, but custom apps require custom settings in order to crawl efficiently.

 

Here is a reminder on how to reach HP Fortify's Customer Support:  http://h30499.www3.hp.com/t5/WebInspect/How-to-contact-HP-ASC-Customer-Support/m-p/2394766


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.