Having an issue moving a project from one Security Group to another. The issue comes when I'm at the Object Dependencies part of the move. The only dependency is the report that was run against the scan.
I get here and I cannot move the project because of this report. I've deleted the report from the project in WIE. Do I need to also delete the report in SSC as well? If so, how do I do that?
In the report, I found that the column "tested" shows "no" for some items, as in the attached file. I would like to know what situation causes the column "tested" to show "no". Thanks a lot!
1) What are the prerequisites for scanning mobile apps?
2) How do I perform the scan for mobile apps using WebInspect?
3) Are there any specific security attacks w.r.t. mobile apps?
I am trying to configure REST-based POST requests in WebInspect Enterprise version 10 and there doesn't seem to be a way to do so. Could anyone please help me out with that?
The WebInspect I have installed on my PC runs on a dual-core CPU, 200 GB disk space and 8 GB RAM, with the license for two instances at once. Could someone please tell me what the minimum system requirement is? I am not sure if the system is causing the issue or if it's being caused by default settings that are not right.
Getting a lot of Unpatched Application errors for Apache (WebInspect code 3375). However, we run RHEL 6, which is Apache 2.2.15, which makes it a false positive. Is there a patch or future support for running the embedded Apache instead of the native blends that WebInspect checks for?
I scanned my site with WebInspect 16 and checked the produced results. WebInspect detected Cross-Site Scripting (reflected) in my site, but when I send the WebInspect XSS request to my site, I don't give the request that show to me.
Also, in web browser mode, I cannot see anything reflected.
How can I ensure that this is a real XSS and not a false positive?
It seems that our configuration must be wrong somehow. I have a single license in use, but want all users who log on to the computer using domain credentials to have access to it. It's still only one use at a time, right? So how do I do that?
I ran into an issue:
When I double-click the WebInspect icon, it cannot be launched.
I also tried Run as administrator.
Checking the Windows Event Viewer, I get the message below:
Faulting application name: WebInspect.exe, version: 16.10.463.10, time stamp: 0x5706acad
Faulting module name: KERNELBASE.dll, version: 6.3.9600.16408, time stamp: 0x523d557d
Exception code: 0xe0434352
Fault offset: 0x000000000000ab78
Faulting process id: 0x2710
Faulting application start time: 0x01d2116896ae8fd7
Faulting application path: C:\Program Files\HP\HP WebInspect\WebInspect.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.FileStream.WriteCore(Byte, Int32, Int32)
Is it possible to test my server for DoS vulnerability with WebInspect?
If not, kindly suggest me a tool.
I use a lot of licensed software with licenses that need to be renewed periodically, and I'm writing a script that checks all my licenses to warn me when I need to renew one soon, but I can't find a way to do this with WebInspect.
Is there a way to programmatically find my license expiration date? A hidden remote API function? A registry setting I can read?
I tried to use the WebInspect Enterprise web console using IE 11 in Windows 10. When performing a guided scan, it opened another Firefox window. But it can't verify the URL, it just keeps loading. When I tried to visit the URL in the opened Firefox, it said "the address isn't valid".
From the outside, I can get access to the URL both by IE and Firefox.
When I choose rendering engine as IE, it can verify the URL. But it will have problems when recording a login macro.
So I'm asking for help to fix this problem. Thank you all.
Dear Sir or Madam;
We do testing in a manual step-mode way, since our applications are way too complex to perform automated crawl&audit routines.
We want to automate the setup of scans by allowing our testusers to set up their tests on their own.
Therefore, we want to realise the following setup:
PC of Testuser --> Webserverportal (PHP-coded page constructing the call for setting up Proxy and starting Scan) --> Webinspect-Server running the API.
With regards to the Kerberos Auth, the Webserver is enabled to delegate the Kerberos auth,
so that the Webserver hands over the Kerberos ticket on behalf of the user's PC to the WI-Server.
(for detailed information on Kerberos double-hop authentication,
pls. refer to: https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)
In the need of scanning, the user calls the webportal-page which then constructs the calls for the scanner and copies a browser to a directory.
The Browser is a portable app. The portable Browser is configured to use the Webinspect-Server as proxy. After the scan has been started, the User tests the
application in step mode and WI records all data.
We use Kerberos for authentication purpose throughout the whole system end-to-end.
I know that, according to the documentation, the GUI can handle Kerberos Authentication - but can the wi.exe or the http-call handle Kerberos auth?
Testing the web will be done using the GPO-Objects the user who performs the test is granted. The analyze routine needs to run under user-Credentials of the testing user.
At the time being, I run the analyze routine with my credentials, but I am granted full access to everything since I am granted Admin-Rights, but we want to automate this as well.
Is there a more thorough documentation available for the API than that included inside the API?
Which service can I enable in my AD-Settings for being allowed to use Kerberos double-hop authentication?
Is the Webinspect API the right one (if I am not mistaken, the WI-API acts as service)?
Any input would be highly appreciated ; Thank you very much for your kind help in advance,
I'm trying to use the 15 day Trial licence for latest WebInspect 16.10.
The trial licence only allows me to scan the http://zero.webappsecurity.com/
website. << This site does not seem to work,
however I can browse any other website.
I need to test or learn how to use this software, I need it for work, please help!
I am running SQL Server 2008. I reached 60 percent of my scan. I have to finish the scan. How can I extend the db limit to continue this scan?
I'm using the command line to run WebInspect via bamboo.
I can run scans and they complete fine showing no vulnerabilities etc, however when I export as a scan log just to ensure it works (I know the tests should show vulnerabilities) it shows the following errors:
Error:Crawler error, session:C8BA8F00DB4CECE36559FE4AFC7CE3B1, error:Failed to launch browser:
The scan then runs but as I said finds no vulnerabilities etc - this would be obvious considering the crawler has an error.
Any ideas what the issue is and how it can be fixed?
I have WebInspect enterprise with multiple sensors. I would like to implement continuous monitoring of my applications, of which there are a large number, by placing them in a queue and having the sensors go through a list of pre-defined/templated scans. Each application in the list will be scanned by the next available sensor. When WIE reaches the bottom of the list, I would like it to go back to the top and start over.
I know I can schedule recurring scans, but this depends on me knowing how long the previous scans will take, so that I can ensure a sensor will be available at that time. Ideally, I would like the sensors constantly scanning. I don't want a sensor to be sitting idle.
Is this possible using WIE? I was not able to figure out how. Maybe this is a task better suited for the WIE API?
Dear Sir or Madam;
We do have a problem with our license server that I would like to ask for help with:
We have 5 concurrent licenses and 5 concurrent WI-Systems which are used for scanning our Webprograms in various locations.
Even if no Webinspect Program is running, we do often run into blocked licenses which may sooner or later lead to a message: There is no license available.
We do use:
16.10 WebInspect, patched to current level for the Scanning Servers
I cannot tell which Version of Patchlevel we are using for the license server, as this was more or less an inherited piece.
We often need to kick licenses manually, which tends to get a little annoying over time.
Any help would be highly appreciated. Thank you very much in advance for your kind help,
Dear Sir or Madam;
Right now, I am using Webinspect in following configuration:
- WebInspect Server (a VM) acts as Proxy-Server, while the Website is being surfed from a browser via WebInspect Proxy. When surfing, the Webinspect server listens in a manual step-mode crawl for the URLs I surf.
Afterwards, after having surfed each and every mask of the web, I run Audit as the second step.
When using the Fat Gui, everything works fine. Now I try to alter scanning a little bit (sorry, being a Linux-guy I wanna use command line as much as possible... ;-) )
I am looking for a way to setup a scan with the following parameters:
- wi.exe needs to be called from a command line
- the Webinspect Server needs to act as Proxy-Server as before.
Now, I am searching for the parameter to start the manual Step-Mode Crawl via command line.
The help for wi.exe -? displays:
... -o audit only (requires policy -p)
-c crawl only
which - at least in my humble opinion - calls only for an automated Crawl or only for an automated audit.
Do I have any option which allows me just to run a manual Crawl in step mode from command-line?
Any help would be appreciated. Thank you very much in advance.
I have been scheduling scans using Web Inspect Enterprise. As scans for a particular project/application complete and are uploaded to Software Security Center (SSC), I want to be able to access a scan that took place at a particular point in time and generate/view a detailed report for it only. Is this possible?
When I attempt to generate a report in SSC, I just get an aggregate of all the scans for the particular project/application I specify, and the report SSC generates lacks the granularity and detail I get when I generate a report from within Web Inspect (details about the vulnerable sessions, request and response, etc).