I scanned my site with WebInspect 16 and checked the produced results. WebInspect detected Cross-Site Scripting (reflected) on my site, but when I send WebInspect's XSS request to my site myself, I don't get the result it shows me.
Also, in web browser mode, I cannot see anything reflected.
How can I ensure that this is a real XSS and not a false positive?
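An added example, not code from the original post or from WebInspect, of how a finding like this can be confirmed by hand: first send a harmless unique canary in the suspect parameter to see whether it is reflected at all, then send the actual payload and check whether it comes back verbatim or only HTML-encoded. A payload that is reflected but encoded (`&lt;script&gt;`) is not exploitable and points to a false positive. The URL, parameter name and the two fake "sites" below are constructed for the offline demo; against a real target you would pass a function that performs the HTTP request with the same headers and cookies the scanner used.

```python
import html
import secrets
import urllib.parse

# Added example; the payload, URL and fake servers are constructed, not
# taken from WebInspect's actual request.
PAYLOAD = '<script>alert(1)</script>'


def build_probe_url(base_url, param, value):
    """Return base_url with `param` set to `value`, URL-encoded."""
    parts = urllib.parse.urlsplit(base_url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urllib.parse.urlunsplit(
        parts._replace(query=urllib.parse.urlencode(query)))


def classify_reflection(value, body):
    """'unencoded' if value appears verbatim in body, 'encoded' if only an
    HTML-escaped form appears, 'absent' otherwise."""
    if value in body:
        return 'unencoded'
    escaped = {html.escape(value, quote=True), html.escape(value, quote=False)}
    if any(e in body for e in escaped):
        return 'encoded'
    return 'absent'


def verify_reflected_xss(fetch, base_url, param, payload=PAYLOAD):
    """fetch(url) -> response body (str). Returns a human-readable verdict."""
    canary = 'wi' + secrets.token_hex(6)  # random, so it cannot occur by chance
    if canary not in fetch(build_probe_url(base_url, param, canary)):
        return 'not reflected: parameter value never appears in the response'
    verdict = classify_reflection(
        payload, fetch(build_probe_url(base_url, param, payload)))
    return {
        'unencoded': 'confirmed: payload reflected unencoded',
        'encoded': 'false positive: payload reflected but HTML-encoded',
        'absent': 'filtered: parameter reflects, but the payload is stripped',
    }[verdict]


# Constructed stand-ins for the real site so the example runs offline.
def _vulnerable_site(url):
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    return '<p>You searched for: %s</p>' % q.get('q', '')


def _safe_site(url):
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    return '<p>You searched for: %s</p>' % html.escape(q.get('q', ''))


def _static_site(url):
    return '<p>Nothing here reflects input.</p>'


if __name__ == '__main__':
    target = 'http://example.test/search?q=x'
    for name, site in (('vulnerable', _vulnerable_site),
                       ('safe', _safe_site), ('static', _static_site)):
        print(name, '->', verify_reflected_xss(site, target, 'q'))
```

The canary step matters: if even a plain token is not reflected, the scanner's "reflection" may depend on a session state, a different HTTP method, or a header the scanner sent, and that difference is what to look for next in WebInspect's recorded request.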
It seems that our configuration must be wrong somehow. I have a single license in use, but I want all users who log on to the computer using domain credentials to have access to it. It's still only one use at a time, right? So how do I do that?
I ran into an issue:
When I double-click the WebInspect icon, it cannot be launched.
I also tried Run as administrator.
Checking the Windows Event Viewer, I get the message below:
Faulting application name: WebInspect.exe, version: 16.10.463.10, time stamp: 0x5706acad
Faulting module name: KERNELBASE.dll, version: 6.3.9600.16408, time stamp: 0x523d557d
Exception code: 0xe0434352
Fault offset: 0x000000000000ab78
Faulting process id: 0x2710
Faulting application start time: 0x01d2116896ae8fd7
Faulting application path: C:\Program Files\HP\HP WebInspect\WebInspect.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.FileStream.WriteCore(Byte, Int32, Int32)
Is it possible to test my server for DoS vulnerabilities with WebInspect?
If not, kindly suggest a tool.
I use a lot of licensed software with licenses that need to be renewed periodically, and I'm writing a script that checks all my licenses to warn me when I need to renew one soon, but I can't find a way to do this with WebInspect.
Is there a way to programmatically find my license expiration date? A hidden remote API function? A registry setting I can read?
I tried to use the WebInspect Enterprise web console using IE 11 on Windows 10. When performing a guided scan, it opened another Firefox window, but it can't verify the URL; it just keeps loading. When I tried to visit the URL in the opened Firefox window, it said "the address isn't valid".
From outside, I can access the URL with both IE and Firefox.
When I choose IE as the rendering engine, it can verify the URL, but then it has problems recording a login macro.
So I'm asking for help to fix this problem. Thank you all.
Dear Sir or Madam,
We do testing in a manual step-mode way, since our applications are far too complex to perform automated crawl & audit routines.
We want to automate the setup of scans by allowing our test users to set up their tests on their own.
Therefore, we want to realise the following setup:
PC of test user --> web server portal (PHP-coded page constructing the call for setting up the proxy and starting the scan) --> WebInspect server running the API.
With regard to Kerberos authentication, the web server is enabled to delegate the Kerberos authentication, so that the web server hands over the Kerberos ticket on behalf of the user's PC to the WI server.
(For detailed information on Kerberos double-hop authentication, please refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)
When a scan is needed, the user calls the web portal page, which then constructs the calls for the scanner and copies a browser to a directory.
The browser is a portable app. The portable browser is configured to use the WebInspect server as its proxy. After the scan has been started, the user tests the application in step mode and WI records all data.
We use Kerberos for authentication throughout the whole system, end to end.
I know that, according to the documentation, the GUI can handle Kerberos authentication, but can wi.exe or the HTTP call handle Kerberos authentication?
Testing of the web application will be done using the GPO objects granted to the user who performs the test. The analyze routine needs to run under the user credentials of the testing user.
At the moment, I run the analyze routine with my credentials, but I am granted full access to everything since I have admin rights; we want to automate this as well.
Is there more thorough documentation available for the API than that included with the API?
Which service can I enable in my AD settings to be allowed to use Kerberos double-hop authentication?
Is the WebInspect API the right one (if I am not mistaken, the WI API runs as a service)?
Any input would be highly appreciated. Thank you very much for your kind help in advance.
I'm trying to use the 15-day trial licence for the latest WebInspect, 16.10.
The trial licence only allows me to scan the http://zero.webappsecurity.com/ website. This site does not seem to work; however, I can browse any other website.
I need to test or learn how to use this software, I need it for work, please help!
I am running SQL Server 2008. I reached 60 percent of my scan. I have to finish the scan. How can I extend the DB limit to continue this scan?
I'm using the command line to run WebInspect via Bamboo.
I can run scans and they complete fine, showing no vulnerabilities etc.; however, when I export a scan log just to ensure it works (I know the tests should show vulnerabilities), it shows the following errors:
Error:Crawler error, session:C8BA8F00DB4CECE36559FE4AFC7CE3B1, error:Failed to launch browser:
The scan then runs but, as I said, finds no vulnerabilities etc. This would be obvious considering the crawler has an error.
Any ideas what the issue is and how it can be fixed?
I have WebInspect Enterprise with multiple sensors. I would like to implement continuous monitoring of my applications, of which there are a large number, by placing them in a queue and having the sensors go through a list of pre-defined/templated scans. Each application in the list will be scanned by the next available sensor. When WIE reaches the bottom of the list, I would like it to go back to the top and start over.
I know I can schedule recurring scans, but this depends on me knowing how long the previous scans will take, so that I can ensure a sensor will be available at that time. Ideally, I would like the sensors constantly scanning. I don't want a sensor to be sitting idle.
Is this possible using WIE? I was not able to figure out how. Maybe this is a task better suited to the WIE API?
Dear Sir or Madam,
We have a problem with our license server that I would like to ask for help with:
We have 5 concurrent licenses and 5 concurrent WI systems, which are used for scanning our web applications in various locations.
Even if no WebInspect program is running, we often run into blocked licenses, which may sooner or later lead to the message: There is no license available.
We use:
WebInspect 16.10, patched to the current level, for the scanning servers.
I cannot tell which version or patch level we are using for the license server, as this was more or less an inherited piece.
We often need to kick licenses manually, which tends to get a little annoying over time.
Any help would be highly appreciated. Thank you very much in advance for your kind help.
Dear Sir or Madam,
Right now, I am using WebInspect in the following configuration:
- The WebInspect server (a VM) acts as a proxy server, while the website is being surfed from a browser via the WebInspect proxy. While I surf, the WebInspect server listens in a manual step-mode crawl to the URLs I visit.
Afterwards, after having surfed each and every screen of the web application, I run Audit as the second step.
When using the fat GUI, everything works fine. Now I am trying to alter the scanning a little bit (sorry, being a Linux guy I want to use the command line as much as possible... ;-) ).
I am looking for a way to set up a scan with the following parameters:
- wi.exe needs to be called from a command line
- the WebInspect server needs to act as a proxy server as before.
Now, I am searching for the parameter to start the manual step-mode crawl via the command line.
The help for wi.exe -? displays:
... -o audit only (requires policy -p)
-c crawl only
which, at least in my humble opinion, allows only an automated crawl or only an automated audit.
Do I have any option that allows me to run just a manual crawl in step mode from the command line?
Any help would be appreciated. Thank you very much in advance.
I have been scheduling scans using WebInspect Enterprise. As scans for a particular project/application complete and are uploaded to Software Security Center (SSC), I want to be able to access a scan that took place at a particular point in time and generate/view a detailed report for it only. Is this possible?
When I attempt to generate a report in SSC, I just get an aggregate of all the scans for the particular project/application I specify, and the report SSC generates lacks the granularity and detail I get when I generate a report from within WebInspect (details about the vulnerable sessions, request and response, etc.).
On certain occasions, I find that the scan encounters warnings and errors. I want to know if there is a help section for resolving such issues.
Here are some of the errors the scans have faced occasionally.
SPI.Scanners.Web.Audit.Engines.CrossSiteScripting WebInspectWCFService.LaunchTCException: Failed to launch browser
Error SPI.Net.StateRequestor.EWMRHostServiceManager System.Exception: The browser pid is invalid:30016
Error SPI.Parsers.Script.Remoting.ScriptExecWrapper System.Runtime.Remoting.RemotingException: Failed to read from an IPC Port: The pipe has been ended.
Error SPI.Net.StateRequestor.IEMacroPlayerProxy System.ObjectDisposedException: Cannot access a disposed object.
Please guide me on how to resolve such issues.
I'm having some trouble with multiple layers of site authentication and wanted to know if anyone may have a solution for this issue.
I am utilizing the WI macro for the initial splash page login, which I am able to do successfully. However, there is another mini application that is accessible through the application; it automatically launches in a new tab in the browser and requires additional authentication. In the macro, the new tab launches but never loads, and I am unable to authenticate at the second level.
I am able to authenticate to both levels within my browser outside of WebInspect, but not through the macro. Has anyone had success going through multiple levels of authentication?
I am using WebInspect 10.50.
Recently, I faced this situation:
An application scan was initiated in WebInspect. It was an authenticated scan for which a login macro was recorded.
Once the scan completed, my team started validating the findings. We found that each and every issue was a false positive. Then we realised that the application team had changed the password.
The application credentials were then updated. After making the changes in the login macro, we still found that all the findings were false positives when retesting the vulnerability in WI. A manual retest proved that the issue was a genuine one.
My question is: does the tool incorporate the new credentials while the scan is in progress? What is the best way to deal with such a scenario?
I am new to WebInspect and I am running into a problem scanning where authentication is required. I set up the macro correctly and it works. The problem I am running into is that when I pull out my smart card, the scanner runs into problems and eventually stops after a certain number of tries. It is a military-issued CAC, which doesn't have a username or password. How would I go about solving this, as some scans need to run outside of office hours and I can't leave my CAC plugged in? Thanks.
Does anyone know whether it's possible to disable SSL for a WebInspect Enterprise 16.10 installation? We don't want to use SSL for our test environments.
I am using WebInspect 10.50.
I have observed that when a scan is opened from the Manage Scans tab, the dashboard opens promptly. However, loading the data takes a lot of time. The status shows "Processing Sessions".
Is there a solution to reduce this delay?