HPE Software Products: WebInspect
Has anyone used the new feature in WebInspect for CAC authentication into an application? How did you get it to work?
I am scanning RESTful WebServices and it is secured by OAuth2 (Spring Security OAuth). These webservices are not accessible from the website, only accessed by other applications as server to server API calls.
Each application requests the token (POST call) and receives an access token, refresh token, and expiry duration in the response. Every further request sends a unique correlation id and the access token as request headers.
I was planning to use the web proxy to record the requests, convert them to a web macro, and use a workflow-driven scan. But since the token expires and the correlation id needs to be unique, requests sent from WebInspect fail. Is there a way to replace the token and correlation id in the macro pre-scan, or dynamically during the scan?
Can anybody please provide suggestions for fixing a medium-severity XFS vulnerability found by the HP WebInspect tool?
I have used the code snippet below, but it is not fixed; it was reported again.
var externallyFramed = false;
Please take the time to provide your valuable suggestions.
Many thanks in advance.
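The cross-frame scripting (XFS) finding above concerns a page that can be loaded inside another site's frame. A script-only frame-buster such as the poster's `externallyFramed` flag can be neutralised by the framing page (for example via the iframe `sandbox` attribute), which is a likely reason the finding persists. The following is an added example, not the poster's code or any WebInspect-supplied fix: it builds the response headers that actually enforce the restriction (X-Frame-Options plus CSP `frame-ancestors`), keeps a frame-buster only as defence in depth, and includes a header check of the kind a scanner or a unit test would perform. The trusted origin list is a constructed value.

```javascript
'use strict';

// Origins allowed to frame the application (constructed example value; an empty
// list means nobody may frame it).
const TRUSTED_FRAMERS = [];

// Build the anti-framing response headers. X-Frame-Options covers legacy
// browsers; Content-Security-Policy frame-ancestors is the modern control and
// takes precedence where both are understood.
function antiFramingHeaders(trusted = TRUSTED_FRAMERS) {
  if (trusted.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options has no multi-origin allow list (ALLOW-FROM is obsolete), so
  // fall back to SAMEORIGIN there and let CSP carry the precise allow list.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${trusted.join(' ')}`,
  };
}

// Defence in depth for clients without CSP support: hide the document until the
// script confirms it is top-level, then either reveal it or break out of the frame.
// On its own this is bypassable, so it never replaces the headers above.
const FRAME_BUSTER = [
  '<style id="antiClickjack">body{display:none !important;}</style>',
  '<script>',
  "if (self === top) { document.getElementById('antiClickjack').remove(); }",
  'else { top.location = self.location; }',
  '</script>',
].join('\n');

// Check a response header map the way a scanner or regression test would:
// protected only if a restrictive X-Frame-Options value or a CSP with a
// frame-ancestors directive is present. Header names are matched case-insensitively.
function isFramingProtected(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  const csp = lower['content-security-policy'] || '';
  return xfo === 'DENY' || xfo === 'SAMEORIGIN' || /\bframe-ancestors\b/i.test(csp);
}
```

Apply `antiFramingHeaders()` to every HTML response (a server-wide filter rather than per-page), then confirm with `isFramingProtected()` against the real response before rescanning.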
I have started a scan for an application and used a login macro for it. A day after the scan, when I checked, the login macro was not working and the scan had paused/stopped. I confirmed that the credentials for the application had been changed.
I want to resume the scan where I left off. What do I need to do?
Your help is highly appreciated. Thanks
How do I determine how many concurrent licenses I will need?
Does webinspect tool have a capability to break an application? If so to what extent?
I have seen posts about this before, and I already understand that varying the software, server or the scan settings can vary results. We use settings files and the command line WI.exe called from batch files, so the settings are the same. Assume that the environment is the same, with the one exception of the fixes we put in for the vulnerabilities, and application changes that may have occurred between scans. There is nothing we can do about that.
Thanks for any help,
Having an issue moving a project from one Security Group to another. The issue comes when I'm at the Object Dependencies part of the move. The only dependency is the report that was run against the scan.
I get here and I cannot move the project because of this report. I've deleted the report from the project in WIE. Do I need to also delete the report in SSC as well? If so, how do I do that?
In the report, I found that the column "tested" shows "no" for some items, as in the attached file. I would like to know what situation causes the column "tested" to show "no". Thanks a lot!
1) What are the prerequisites required for scanning mobile apps?
2) How do I perform a scan of mobile apps using WebInspect?
3) Are there any specific security attacks with respect to mobile apps?
I am trying to configure REST-based POST requests in WebInspect Enterprise version 10 and there doesn't seem to be a way to do so. Could anyone please help me out with that?
The WebInspect I have installed on my PC runs on a dual-core CPU with 200 GB of disk space and 8 GB of RAM, with a license for two instances at once. Could someone please tell me what the minimum system requirements are? I am not sure if the system is causing the issue or whether it is caused by default settings that are not right.
Getting a lot of Unpatched Application errors for Apache (WebInspect code 3375). However, we run RHEL 6, which is Apache 2.2.15, which makes it a false positive. Is there a patch or future support for running the embedded Apache instead of the native blends that WebInspect checks for?
I scanned my site with WebInspect 16 and checked the produced results. WebInspect detected Cross-Site Scripting (reflected) on my site, but when I send WebInspect's XSS request to my site, I don't get what it shows me.
Also, in web browser mode, I cannot see anything reflected.
How can I ensure that this is a real XSS and not a false positive?
It seems that our configuration must be wrong somehow. I have a single license in use, but I want all users who log on to the computer using domain credentials to have access to it. It's still only one use at a time, right? So how do I do that?
I met an issue: when I double-click the WebInspect icon, it cannot be launched. I also tried running it as administrator.
Checking the Windows Event Viewer, I get the message below:
Faulting application name: WebInspect.exe, version: 16.10.463.10, time stamp: 0x5706acad
Faulting module name: KERNELBASE.dll, version: 6.3.9600.16408, time stamp: 0x523d557d
Exception code: 0xe0434352
Fault offset: 0x000000000000ab78
Faulting process id: 0x2710
Faulting application start time: 0x01d2116896ae8fd7
Faulting application path: C:\Program Files\HP\HP WebInspect\WebInspect.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.FileStream.WriteCore(Byte, Int32, Int32)
Is it possible to test my server for DoS vulnerabilities with WebInspect?
If not, kindly suggest a tool.
I use a lot of licensed software with licenses that need to be renewed periodically, and I'm writing a script that checks all my licenses to warn me when I need to renew one soon, but I can't find a way to do this with WebInspect.
Is there a way to programmatically find my license expiration date? A hidden remote API function? A registry setting I can read?
I tried to use the WebInspect Enterprise web console with IE 11 on Windows 10. When performing a guided scan, it opened another Firefox window, but it couldn't verify the URL; it just kept loading. When I tried to visit the URL in the opened Firefox window, it said "the address isn't valid".
From outside, I can access the URL with both IE and Firefox.
When I choose IE as the rendering engine, it can verify the URL, but it then has problems when recording a login macro.
So I'm asking for help to fix this problem. Thank you all.
Dear Sir or Madam,
We do testing in a manual step-mode way, since our applications are far too complex to perform automated crawl & audit routines.
PC of Testuser --> Webserverportal (PHP-coded page constructing the call for setting up Proxy and starting Scan) --> Webinspect-Server running the API.
With regard to Kerberos authentication, the web server is enabled to delegate the Kerberos auth.
When a scan is needed, the user calls the web portal page, which then constructs the calls for the scanner and copies a browser to a directory.
I know that, according to the documentation, the GUI can handle Kerberos authentication, but can wi.exe or the HTTP call handle Kerberos auth?
Testing the web will be done using the GPO objects that the user who performs the test is granted. The analysis routine needs to run under the user credentials of the testing user.
Is there more thorough documentation available for the API than that included inside the API?
Which service can I enable in my AD settings to be allowed to use Kerberos double-hop authentication?
Any input would be highly appreciated; thank you very much for your kind help in advance.