HPE Software Products: WebInspect

WebInspect with CAC Enabled application

Has anyone used the new feature in WebInspect for CAC authentication into an application? How did you get it to work?


Scanning RESTful WebServices with OAuth Token

I am scanning RESTful WebServices that are secured by OAuth2 (Spring Security OAuth). These webservices are not accessible from the website; they are only accessed by other applications as server-to-server API calls.

Each application requests the token (POST call) and receives an access token, refresh token, and expiry duration in response. Every further request sends a unique correlation id and the access token as request headers.

I was planning to use the web proxy to record the requests, convert them to a web macro, and use a workflow-driven scan. But since the token expires and the correlation id needs to be unique, requests sent from WebInspect fail. Is there a way to replace the token and correlation id in the macro prescan or dynamically during the scan?




Fix Request for Medium Severity Cross-Frame Scripting Vulnerability reported by HP Web Inspect Tool


Can anybody please provide suggestions for fixing a medium severity XFS vulnerability found by the HP Web Inspect Tool?

I have used the code snippet below, but it is not fixed; it was reported again....


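    // Detect whether the page is being framed by a different host.
    var externallyFramed = false;
    try {
        externallyFramed = top.location.host != location.host;
    } catch (err) {
        // Cross-origin access to top.location throws, so treat it as framed.
        externallyFramed = true;
    }
    if (externallyFramed) {
        top.location = location;
    }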


Please make time to provide your valuable suggestions...


Thanks a bunch in advance...




If login macro is not working tomorrow

I have started a scan for an application and I have used a login macro for it. A day after starting the scan, when I checked, the login macro was not working and the scan had paused/stopped. I confirmed that the credential for the application has been changed.

I want to resume the scan where I had left off. What do I need to do?


Your help is highly appreciated. Thanks 


HP Webinspect

How do I determine how many concurrent licenses I will need?


Can WebInspect scan break an application

Does the WebInspect tool have the capability to break an application? If so, to what extent?


How to get WebInspect scan consistency to close out vulnerability bugs

I have seen posts about this before, and I already understand that varying the software, server or the scan settings can vary results. We use settings files and the command line WI.exe called from batch files, so the settings are the same. Assume that the environment is the same, with the one exception of the fixes we put in for the vulnerabilities, and application changes that may have occurred between scans. There is nothing we can do about that.

  1. First, does anyone know -- for a fact -- that WebInspect would yield the same results for a crawl/audit if the environment is 100% identical? I realize maybe it "should", but does it really?
  2. If it will not scan exactly the same each time, what is the best strategy for a scan/fix/confirm cycle? Is it to:
    A) Right-click on the original scan and Retest Vulnerabilities. I have found this sometimes does not find the original vulnerabilities that we didn't even touch, so I'm not sure I trust this 100%.
    B) Do the whole scan over with the same settings? Unfortunately this almost always shows new vulnerabilities, so we end up in a potentially endless cycle of scan/fix/close.
    C) Some other option, like maybe doing/saving a crawl and doing a re-test using only audit?

Thanks for any help,



Moving Projects to Different Security Group in WIE Console

Having an issue moving a project from one Security Group to another. The issue comes when I'm at the Object Dependencies part of the move. The only dependency is the report that was run against the scan.

I get here and I cannot move the project because of this report. I've deleted the report from the project in WIE. Do I need to also delete the report in SSC as well? If so, how do I do that?



What does the column "tested" mean in the report type "Compliance => OWASP Top 10 2013"?

In the report, I found that the column "tested" shows "no" for some items, as in the attached file. I would like to know what situation will cause the column "tested" to show "no". Thanks a lot!!!



Scanning mobile Applications using WebInspect

1) What are the prerequisites required for scanning mobile apps?

2) How do I perform the scan for mobile apps using WebInspect?

3) Are there any specific security attacks w.r.t. mobile apps?



Testing REST based POST requests in Web Inspect Enterprise 10

I am trying to configure REST based POST requests in Web Inspect Enterprise version 10 and there doesn't seem to be a way to do that. Could anyone please help me out with that?


HP webinspect is painfully slow. What is the minimum requirement to install HP on your PC?

The WebInspect I have installed on my PC runs on a dual-core CPU, 200 GB disk space and 8 GB RAM, with the license for two instances at once. Could someone please tell me what the minimum system requirement is? I am not sure if the system is causing the issue or if it's being caused by default settings that are not right.


Unpatched Application (3375) Errors - False Positives


Getting a lot of Unpatched Application errors for Apache (WebInspect code 3375).  However, we run RHEL 6, which is Apache 2.2.15, which makes it a false positive.  Is there a patch or future support for running the embedded Apache instead of the native blends that WebInspect checks for?





Manual test of WebInspect XSS


I scanned my site with WebInspect 16 and checked the produced results. WebInspect detected Cross-Site Scripting (reflected) in my site, but when I send WebInspect XSS request to my site, I don't give the request that show to me.

Also, in web browser mode, I can not see any reflected thing.

How can I ensure that this is a real XSS and it is not a false positive?


One license, one laptop


It seems that our configuration must be wrong somehow.  I have a single license in use, but want all users who logon to the computer using domain credentials to have access to it.  It's still only one use at a time, right?  So how do I do that?


WebInspect cannot be launched.

I met an issue:

double click the webinspect icon, it can not be launched.

also tried run as administrator.

check windows event viewer, get below message:

    Faulting application name: WebInspect.exe, version: 16.10.463.10, time stamp: 0x5706acad
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.16408, time stamp: 0x523d557d
    Exception code: 0xe0434352
    Fault offset: 0x000000000000ab78
    Faulting process id: 0x2710
    Faulting application start time: 0x01d2116896ae8fd7
    Faulting application path: C:\Program Files\HP\HP WebInspect\WebInspect.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll

and this:

    Application: WebInspect.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.IO.IOException
    at System.IO.__Error.WinIOError(Int32, System.String)
    at System.IO.FileStream.WriteCore(Byte[], Int32, Int32)
    at System.IO.FileStream.FlushWrite(Boolean)
    at System.IO.FileStream.Dispose(Boolean)
    at System.IO.FileStream.Finalize()




Can I use WebInspect to detect DoS vulnerability?


Is it possible to test my server for DoS vulnerability with WebInspect?

If not, kindly suggest me a tool.





Any way to programmatically find my license expiration date?

I use a lot of licensed software with licenses that need to be renewed periodically, and I'm writing a script that checks all my licenses to warn me when I need to renew one soon, but I can't find a way to do this with WebInspect.

Is there a way to programmatically find my license expiration date?  A hidden remote API function?  A registry setting I can read?


WebInspect Enterprise 16.10 fail to verify URL with rendering engine Firefox

I tried to use the WebInspect Enterprise web console using IE 11 in Windows 10. When performing a guided scan, it opened another Firefox window. But it can't verify the URL; it just keeps loading. When I tried to visit the URL in the opened Firefox, it said "the address isn't valid".

From the outside, I can get access to the URL both by IE and Firefox.

When I choose rendering engine as IE, it can verify the URL. But it will have problems when recording a login macro.

So I'm asking for help to fix this problem. Thank you all.


Kerberos Auth using wi.exe and http-calls for starting a scan-routine in command-line mode.

Dear Sir or Madam;

We do testing in a manual step-mode way, since our applications are way too complex to perform automated crawl&audit routines.
We want to automate the setup of scans by allowing our testusers to set up their tests on their own.
Therefore, we want to realise the following setup:

PC of Testuser --> Webserverportal (PHP-coded page constructing the call for setting up Proxy and starting Scan) --> Webinspect-Server running the API.

With regard to the Kerberos Auth, the Webserver is enabled to delegate the Kerberos auth,
so that the Webserver hands over the Kerberos ticket on behalf of the user's PC to the WI-Server.
(for detailed information on Kerberos double-hop authentication,
pls. refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)

In the need of scanning, the user calls the webportal-page which then constructs the calls for the scanner and copies a browser to a directory.
The Browser is a portable app. The portable Browser is configured to use the Webinspect-Server as proxy. After the scan has been started, the User tests the
application in step mode and WI records all data.
We use Kerberos for authentication purpose throughout the whole system end-to-end.

I know that, according to the documentation, the GUI can handle Kerberos Authentication - but can the wi.exe or the http-call handle Kerberos auth?

Testing the web will be done using the GPO-Objects the user who performs the test is granted. The analyze routine needs to run under the user credentials of the testing user.
At the time being, I run the analyze routine with my credentials, but I am granted full access to everything since I am granted Admin-Rights, but we want to automate this as well.

Is there a more thorough documentation available for the API than that included inside the API?

Which service can I enable in my AD-Settings for being allowed to use Kerberos double-hop authentication?
Is the Webinspect API the right one (if I am not mistaken, the WI-API acts as a service?)

Any input would be highly appreciated ; Thank you very much for your kind help in advance,

kind regards
