Micro Focus

Fortify ScanCentral DAST

Software Version: 22.2.0

Windows®

Configuration and Usage Guide

Document Release Date: November 2022

Software Release Date: November 2022

Configuration and Usage Guide

Legal Notices

Micro Focus

The Lawn

22-30 Old Bath Road

Newbury, Berkshire RG14 1QN

UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the

express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The

information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for

possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard

commercial license.

Copyright Notice

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced on November 14, 2022. To check for recent updates or to verify that you are using the most

recent edition of a document, go to:

https://www.microfocus.com/support/documentation

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 2 of 338

Configuration and Usage Guide

Contents

Preface

21

Contacting Micro Focus Fortify Customer Support

For More Information

About the Documentation Set

Fortify Product Feature Videos

Change Log

22

Chapter 1: Introduction

32

What is ScanCentral DAST?

Software Security Center

Scan Central DAST API

ScanCentral DAST Util ity Service

ScanCentral DAST Global Service

ScanCentral DAST Database

WebInspect Sensor

ScanCentral DAST with Two-factor Authentication

DAST 2FA Server

34

35

Installation Recom mendation

2FA Server Versions

Permissions in Fortify Software Security Center

Tasks Requiring Admin Permissions

35

37

Related Documents

This topic describes documents that provide information about Micro Focus Fortify software

products.

Note: You can find the Micro Focus Fortify Product Documentation at

https://www.microfocus.com/support/documentation. Most guides are available in both PDF and

HTML formats. Product help is available within the Fortify LIM product and the Fortify

WebInspect products.

All Products

The following documents provide general information for all products. Unless otherwise noted, these

documents are available on the Micro Focus Product Documentation website.

Document / File Name

Description

About Micro Focus Fortify Product

Software Documentation

This paper provides information about how to access

Micro Focus Fortify product documentation.

About_Fortify_Docs_<version>.pdf

Note: This document is included only with the

product download.

Micro Focus Fortify License and

Infrastructure Manager Installation

and Usage Guide

This document describes how to install, configure, and use

the Fortify License and Infrastructure Manager (LIM),

which is available for installation on a local Windows

server and as a container image on the Docker platform.

LIM_Guide_<version>.pdf

Micro Focus Fortify Software System This document provides the details about the

Requirements

environments and products supported for this version of

Fortify Software.

Fortify_Sys_Reqs_<version>.pdf

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 37 of 338

Configuration and Usage Guide

Chapter 1: Introduction

Document / File Name

Description

Micro Focus Fortify Software Release This document provides an overview of the changes made

Notes

to Fortify Software for this release and important

information not included elsewhere in the product

documentation.

FortifySW_RN_<version>.pdf

What’s New in Micro Focus Fortify

Software <version>

This document describes the new features in Fortify

Software products.

Fortify_Whats_New_<version>.pdf

Micro Focus Fortify ScanCentral DAST

The following document provides information about Fortify ScanCentral DAST. Unless otherwise

noted, these documents are available on the Micro Focus Product Documentation website at

https://www.microfocus.com/documentation/fortify-ScanCentral-DAST.

Document / File Name

Description

Micro Focus Fortify ScanCentral

This document provides information about how to

DAST Configuration and Usage Guide configure and use Fortify ScanCentral DAST to conduct

dynamic scans of Web applications.

SC_DAST_Guide_<version>.pdf

Micro Focus Fortify Software Security Center

The following document provides information about Fortify Software Security Center. Unless

otherwise noted, these documents are available on the Micro Focus Product Documentation website

at https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name

Description

Micro Focus Fortify Software

Security Center User Guide

This document provides Fortify Software Security Center

users with detailed information about how to deploy and use

Software Security Center. It provides all of the information

you need to acquire, install, configure, and use Software

Security Center.

SSC_Guide_<version>.pdf

It is intended for use by system and instance administrators,

database administrators (DBAs), enterprise security leads,

development team managers, and developers. Software

Security Center provides security team leads with a high-level

overview of the history and current status of a project.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 38 of 338

Configuration and Usage Guide

Chapter 1: Introduction

Micro Focus Fortify WebInspect

The following documents provide information about Fortify WebInspect. Unless otherwise noted,

these documents are available on the Micro Focus Product Documentation website at

https://www.microfocus.com/documentation/fortify-webinspect.

Document / File Name

Description

Micro Focus Fortify WebInspect

Installation Guide

This document provides an overview of Fortify

WebInspect and instructions for installing Fortify

WebInspect and activating the product license.

WI_Install_<version>.pdf

Micro Focus Fortify WebInspect User

Guide

This document describes how to configure and use

Fortify WebInspect to scan and analyze Web

applications and Web services.

WI_Guide_<version>.pdf

Note: This document is a PDF version of the Fortify

WebInspect help. This PDF file is provided so you

can easily print multiple topics from the help

information or read the help in PDF format. Because

this content was originally created to be viewed as

help in a web browser, some topics may not be

formatted properly. Additionally, some interactive

topics and linked content may not be present in this

PDF version.

Micro Focus Fortify WebInspect and

OAST on Docker User Guide

This document describes how to download, configure,

and use Fortify WebInspect and Fortify OAST that are

available as container images on the Docker platform.

The Fortify WebInspect image is intended to be used in

automated processes as a headless sensor configured by

way of the command line interface (CLI) or the

WI_Docker_Guide_<version>.pdf

application programming interface (API). It can also be

run as a Fortify ScanCentral DAST sensor and used in

conjunction with Fortify Software Security Center.

Fortify OAST is an out-of-band application security

testing (OAST) server that provides DNS service for the

detection of OAST vulnerabilities.

Micro Focus Fortify WebInspect Tools

Guide

This document describes how to use the Fortify

WebInspect diagnostic and penetration testing tools and

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 39 of 338

Configuration and Usage Guide

Chapter 1: Introduction

Document / File Name

Description

WI_Tools_Guide_<version>.pdf

configuration utilities packaged with Fortify WebInspect

and Fortify WebInspect Enterprise.

Micro Focus Fortify WebInspect Agent This document describes how to install the Fortify

Installation Guide

WebInspect Agent for applications running under a

supported Java Runtime Environment (JRE) on a

supported application server or service and applications

running under a supported .NET Framework on a

supported version of IIS.

WI_Agent_Install_<version>.pdf

Micro Focus Fortify WebInspect Agent This document describes the detection capabilities of

Rulepack Kit Guide

Fortify WebInspect Agent Rulepack Kit. Fortify

WebInspect Agent Rulepack Kit runs atop the Fortify

WebInspect Agent, allowing it to monitor your code for

software security vulnerabilities as it runs. Fortify

WebInspect Agent Rulepack Kit provides the runtime

technology to help connect your dynamic results to your

static ones.

WI_Agent_Rulepack_Guide_

<version>.pdf

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 40 of 338

Chapter 2: Configuring the ScanCentral DAST

Environment

This chapter provides the information you need to install and subsequently manage a ScanCentral

DAST environment.

Optional Helm Deployment Available

This document contains processes and procedures for manually configuring the ScanCentral DAST

components without using Helm or with minimal integration with Kubernetes for scan scaling. To use

Kubernetes for complete ScanCentral DAST container orchestration, Helm deployment is available on

GitHub at https://github.com/fortify/helm3-charts.

Important! When using Helm deployment, ensure that the TTL-after-finished feature is enabled

(TTLAfterFinished=true) in your Kubernetes cluster. This feature provides automatic clean-

up of finished jobs. If this feature is not enabled, Kubernetes cluster jobs and pods lists can

quickly become cluttered.

Installation Requirement

You must install and manage the DAST API, DAST Global Service, and DAST Utility Service containers

on a VM, and each Fortify WebInspect sensor service on its own, separate VM.

Installation Recommendations

Docker container configuration is complex and each environment is unique. Fortify makes the

following recommendations as a best practice:

l

Run the LIM on a host or VM that is separate from any other ScanCentral DAST component—DAST

API, DAST Global Service, DAST Utility Service, or DAST sensor.

l

Run the 2FA Server on a host or VM that is separate from any other ScanCentral DAST

component—DAST API, DAST Global Service, DAST Utility Service, or DAST sensor.

Important Information about SSL

You can deploy both Fortify Software Security Center and ScanCentral DAST without SSL. However,

Fortify recommends that you deploy both Fortify Software Security Center and ScanCentral DAST

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 41 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

with SSL.

You cannot deploy Fortify Software Security Center with a certificate authority (CA) certificate and

ScanCentral DAST without a certificate and vice versa. Mixing secure and non-secure content is not

supported.

You cannot use a CA certificate for Fortify Software Security Center and a self-signed certificate for

ScanCentral DAST. Mixing self-signed and trusted CA certificates is not supported.

Requesting Access to Fortify Docker Repository

Access to the Fortify Docker repository requires credentials and is granted through your Docker ID.

To access the Fortify Docker repository, email your Docker ID to fortifydocker@microfocus.com.

Before You Begin

Ensure that you have met the following prerequisites before you begin configuring your Fortify

ScanCentral DAST components:

l

You must have a Fortify License and Infrastructure Manager (LIM) container downloaded,

configured, and running in your environment or have a LIM installed on an IIS server.

l

The LIM must be accessible to the network where your VMs will be running Fortify ScanCentral

DAST components.

l

You must know the LIM URL and LIM user credentials to configure licensing for Fortify

ScanCentral DAST.

l

You must know the Fortify Software Security Center URL and user credentials to connect Fortify

ScanCentral DAST to Fortify Software Security Center.

l

You must have a database installed and accessible to the VMs on which you install your Fortify

ScanCentral DAST environment and to your instance of Fortify Software Security Center.

Understanding the Installation Process

The following table describes the process you must use to install and configure the Fortify

ScanCentral DAST environment.

Stage

Description

1.

Receive the following licenses from Micro Focus:

l

Fortify ScanCentral DAST Server License (server-type license)

l

Fortify WebInspect Concurrent License

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 42 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage

Description

2.

Do the following:

1. Install a License and Infrastructure Manager (LIM) from the Docker Hub or by using

the MSI.

2. Add the licenses received in Stage 1 to the LIM.

For information about how to install the LIM and add licenses, see the Micro Focus

Fortify License and Infrastructure Manager Installation and Usage Guide.

3.

Do the following:

1. Download and deploy Fortify Software Security Center 22.2.0 from the Micro Focus

Software License and Downloads (SLD) portal.

2. Create user accounts for users who will access Fortify ScanCentral DAST.

For information about how to install and configure Fortify Software Security Center, see

the Micro Focus Fortify Software Security Center User Guide.

4.

Set up Docker on the host that will run the core ScanCentral DAST containers

(DAST API, DAST Global Service, and DAST Utility Service). For more information, see

"Setting Up Docker" on page 47.

5.

6.

Download the ScanCentral DAST 22.2.0 package from the Micro Focus SLD portal.

Create a JSON or YAML DAST configuration settings file.

For more information, see "Creating and Using a Settings File" on page 47.

7.

Use the ScanCentral DAST Configuration Tool CLI to do the following:

l

Configure and initialize the ScanCentral DAST database.

l

Configure the settings that are used by the ScanCentral DAST API, DAST Global

Service, and DAST Utility Service, and then generate a compose file or PowerShell

script.

For more information, see "Using the Configuration Tool CLI" on page 73.

8.

9.

Use the compose file or PowerShell script to pull and launch the core ScanCentral DAST

22.2.0 containers (DAST API, DAST Global Service, and DAST Utility Service).

For more information, see "Understanding the Launch Artifacts" on page 84.

Log in to Fortify Software Security Center and enable ScanCentral DAST in the

ADMINISTRATION view.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 43 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage

Description

Important! You must provide the ScanCentral DAST server URL to the Fortify

Software Security Center administrator. The URL should be similar to the following:

https://<DAST_API_Hostname>:<Port>/api/

https://<DAST_API_IP_Address>:<Port>/api/

Make sure that you include the trailing /api/ in the URL.

The URL can use the http protocol instead.

For more information, see the Micro Focus Fortify Software Security Center User Guide.

10.

Deploy the Fortify WebInspect on Docker container or deploy classic Fortify WebInspect

with the sensor service.

For more information, see "Using Fortify WebInspect on Docker" on page 90 or "Using

Fortify WebInspect with t he Sensor Service" on page 90 .

Tip: If you plan to conduct scans using two-factor authentication, see "Working with Two-factor

Authentication" on page 284 for information about getting and configuring the 2FA Server

Docker image.

Upgrading ScanCentral DAST

After initial installation and configuration of the Fortify ScanCentral DAST environment, you may

need to upgrade the environment. The upgrade process is similar to the installation process. As part

of the installation process, however, you will already have received licenses and setup LIM, Fortify

Software Security Center, and Docker.

The following table describes the upgrade process.

Stage

Description

1.

Download the ScanCentral DAST 22.2.0 package from the Micro Focus Software License

and Downloads (SLD) portal.

2.

3.

Edit your JSON or YAML DAST configuration settings file with necessary changes.

For more information, see "Creating and Using a Settings File" on page 47.

Use the ScanCentral DAST Configuration Tool CLI 22.2.0 to do the following:

l

Configure the ScanCentral DAST database with the latest database schema, if

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 44 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage

Description

applicable

l

Configure the settings that are used by the ScanCentral DAST API, DAST Global

Service, and DAST Utility Service, and then generate a compose file or PowerShell

script

4.

Use the compose file or PowerShell script to pull and launch the core ScanCentral DAST

22.2.0 containers (DAST API, DAST Global Service, and DAST Utility Service).

For more information, see "Understanding the Launch Artifacts" on page 84.

Requirements for Upgrading

When upgrading your ScanCentral DAST environment, follow these requirements:

l

Use the ScanCentral DAST Configuration Tool CLI that is packaged with the version of ScanCentral

DAST software that you downloaded. Do not use a previous version of the tool.

l

Upgrade your Fortify Software Security Center to the current compatible version. For version

compatibility, see "Software Integrations for Fortify ScanCentral DAST" in the Micro Focus Fortify

Software System Requirements.

l

Upgrade all ScanCentral DAST components, including the DAST database, DAST API container,

DAST Global Service container, DAST Utility Service container, and the Fortify WebInspect on

Docker image or the classic Fortify WebInspect installation with the Fortify ScanCentral DAST

sensor service.

Recommendation for Upgrading

Fortify recommends that you stop all ScanCentral DAST containers and services before upgrading

your environment. Many settings that you configure in the ScanCentral DAST Configuration Tool CLI

are applied immediately to the database when the configureEnvironment command is run. These

changes, however, are not recognized by containers that have not been upgraded. If stopping

containers and services is not possible because scans are running, then you must upgrade those

containers later for any database changes to be recognized.

Effect of Upgrades on Scheduled Scans

When upgrading your DAST environment, you cannot upgrade existing containers. You can only

create new containers based on updated images.

When you create a new Fortify WebInspect sensor container with an updated Fortify WebInspect on

Docker image, any scheduled scans that were assigned to the sensor and configured with the Use

this sensor only option will not start on the new container. You must edit the scheduled scan settings

to use the new sensor container.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 45 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Order of Orchestration

For proper operation of the ScanCentral DAST environment, some of the components must be started

in a specific order or with specific prerequisites. Limited functionality can result when prerequisite

components are not running and accessible. The following paragraphs describe these prerequisites.

ScanCentral DAST Database

The ScanCentral DAST database must be up and running, and the ScanCentral DAST Configuration

Tool CLI must have been run prior to any other containers being started.

Tip: You may use an init container—a specialized container that runs before application

containers in Kubernetes—to ensure that the database is up and running. Init containers contain

utilities or setup scripts that are not included in an application image.

ScanCentral DAST API

The ScanCentral DAST database must be available to start the ScanCentral DAST API container. If no

database is available, then the API service will stop.

If Fortify Software Security Center is not running, then you cannot use the DAST API even though the

container is running. ScanCentral DAST must get an authentication token, validate permissions,

validate application access, and so forth from Fortify Software Security Center.

If the ScanCentral DAST Utility Service is not running, then the following features will not work in the

DAST API:

l

Validating Postman collections

l

Importing scans

l

Converting .burp and .har files to .webmacro files

ScanCentral DAST Utility Service

The ScanCentral DAST database must be available to start the ScanCentral DAST Utility Service

container. If no database is available, then the Utility Service will stop.

Postman validation is initiated by the DAST API. If the DAST API is not running, then the DAST Utility

Service will not receive a request for validation.

Scan import is initiated by way of the DAST user interface or DAST API, and the DAST API is required

to complete the import process. If the DAST API is not available after a scan import begins, then the

scan import will fail.

Converting a .burp or .har file to a .webmacro file is initiated in the DAST user interface (which

calls the DAST API) or in the DAST API directly. After the file is converted, it is returned to the DAST

API. If the DAST API is not running, this process cannot be started.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 46 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

ScanCentral DAST Global Service

The ScanCentral DAST database must be available to start the ScanCentral DAST Global Service

container. If no database is available, then the Global Service will stop.

If Fortify Software Security Center is not running, then certain backend process will fail and prevent

syncing data with Fortify Software Security Center.

ScanCentral DAST Sensor Service

The ScanCentral DAST API must be running and available to start the Sensor Service. If the DAST API

is not available during start up, then the Sensor Service will try to connect every 10 seconds until it is

able to connect.

Setting Up Docker

Before you can run Docker containers, you must set up Docker on the host that will run the

containers. Set up Docker according to the process described in the following table.

Stage Description

1.

2.

Download and install the appropriate Docker version on the host machine.

Note: Follow Docker recommendations for the Docker engine version to use for

Windows and Red Hat Enterprise Linux (RHEL) 8.x x86_64 host operating systems.

Optionally, if you plan to use a compose file to pull and run the core ScanCentral DAST

containers (DAST API, DAST Global Service, and DAST Utility Service), download and

install Docker Compose (for Windows) or Compose on Linux.

3.

4.

Configure your machine for Docker containers.

Register and start the Docker service.

For Docker documentation, see https://docs.docker.com/.

Creating and Using a Settings File

You can use the Configuration Tool CLI to generate a settings file from an existing ScanCentral

DAST environment. For more information, see "Exporting an Existing Settings File" on page 77. You

can also create a settings file or edit an existing settings file by hand, and then use the file with the

Configuration Tool CLI to create or maintain an environment.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 47 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

For the new, upgrade, and autodeploy modes, you must provide all of the settings in the settings

file. For the manage mode, you must provide only the setting or settings that you are managing. For

example, if you want to change your Fortify Software Security Center URL, then you need to provide

only the SSC settings. For more information about these modes, see "Configuring the Environment" on

page 79.

Note: The settings contents in this section appear in the order in which the settings appear by

default in the sample settings file.

Database Settings

Use the database settings to configure connections to an existing database or create a new database

with the information you provide.

Important! To avoid automatically upgrading the database schema when you are managing an

existing DAST environment, the Configuration Tool CLI checks to see if the database schema is

up to date. If the schema is not up to date, the Configuration Tool CLI stops executing and writes

a warning to the log file.

Configuring a DBO-level Account

You must configure a connection to the database using an existing database owner (DBO) server-

level account that has full access to the database. DBO access is required to create the schema on the

database server. Ensure that the following permissions requirements are met:

l

If you are creating a new database, the DBO account must have the CREATE ANY DATABASE

server-level permission.

l

If you are managing or updating an existing database, the DBO account must be a member of the

db_owner database-level role.

l

If available, the DBO account may use the dbcreator server-level role in lieu of the previously

mentioned permission and role.

Note: The dbcreator role is not available in the Amazon Relational Database Service

(Amazon RDS).

l

If you are creating a login, the DBO account must have the ALTER ANY LOGIN permission, which is

part of the securityadmin server-level role. To give the new login access to a database, the

account must have the ALTER ANY USER permission.

Configuring a Standard Account

You must configure a standard user account for everyday use, preferably with non-DBO credentials.

This account must have one of the following sets of permissions:

l

Both the db_datareader and db_datawriter database-level roles

l

All of the SELECT, INSERT, UPDATE, and DELETE privileges on the database

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 48 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

JSON Example

The following example shows the database settings in a JSON file.

"DatabaseSettings":{

"DatabaseProvider": "<database_type>",

"Server": "<ip_address>,<port>",

"Database": "<database_name>",

"DboLevelDatabaseAccount":{

"Username": "<string>",

"Password": "<string>",

"UseWindowsAuthentication": false

"AdditionalConnectionProperties": null

},

"StandardDatabaseAccount":{

"Username": "<string>",

"Password": "<string>",

"CreateLogin": false,

"AdditionalConnectionProperties": null

}

YAML Example

The following example shows the database settings in a YAML file.

databaseSettings:

databaseProvider: <database_type>

server: <ip_address>,<port>

database: <database_name>

dboLevelDatabaseAccount:

username: <string>

password: <string>

useWindowsAuthentication: false

additionalConnectionProperties: null

standardDatabaseAccount:

username: <string>

password: <string>

createLogin: false

additionalConnectionProperties: null

Parameter Descriptions

The following table describes the parameters for the database settings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 49 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Identifies the type of SQL database being used. Valid

providers are:

DatabaseProvider

l

SQLServer

l

PostgreSQL

l

AzureSQLServer

l

AzurePostgreSQL

l

AmazonRdsSQLServer

l

AmazonRdsPostgreSQL

Specifies the database server name or the server IP

address.

Server

Important! If SQL Server Browser is not running

and you are using a port other than 1433, then you

must also specify the port. Use the following

format:

<server_name>,<port>

<ip_address>,<port>

Note that a comma separates the values.

Specifies the name of the database.

Database

If you are upgrading or managing an existing DAST

environment, then you must use an existing database.

Caution! An existing database might be upgraded

during this process. Be sure to create a backup of

the existing database before proceeding.

Specifies the database owner (DBO) server-level

account that has full access to the database. You must

provide the following parameters:

DboLevelDatabaseAccount

l

Username – Indicates the DBO account user name

l

Password – Indicates the DBO account password

l

UseWindowsAuthentication – Uses the

credentials of the user who is currently logged into

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 50 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Windows

Options are true or false. If set to true, then

Username and Password are not required.

Specifies the standard user account for everyday use,

preferably with non-DBO credentials. This account

should have select, insert, update, and delete functions,

but should not be able to create tables and so forth.

StandardDatabaseAccount

Tip: You may use the same credentials as the

DBO-level account. However, it is generally

considered a safer option to provide limited access

for general use after the schema has been created.

You must provide the following parameters:

l

Username – Indicates the database account user

name

l

Password – Indicates the database account

password

l

CreateLogin – Creates a login for the standard

user to connect to the database

Options are true or false. If set to false, no

changes will be made to the login or user account.

Optionally, specifies any additional connection

properties for the database, such as

AdditionalConnectionProperties

trustServerCertificate.

For more information on additional connection

properties, refer to your SQL database documentation.

Miscellaneous DAST Settings

You can specify ScanCentral DAST settings for licensing and SmartUpdate, as well as other

miscellaneous settings.

JSON Example

The following example shows these settings in a JSON file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 51 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

{

"RetainCompletedScans": true,

"DisableAdvancedScanPrioritization": false,

"EnableRestrictedScanSettings": false,

"ServiceToken": "<string>",

"SmartUpdateSettings": {

"SmartUpdateUrl": "https://smartupdate.fortify.microfocus.com/",

"LicensingUrl": "https://licenseservice.fortify.microfocus.com/"

},

YAML Example

The following example shows these settings in a YAML file.

retainCompletedScans: true

disableAdvancedScanPrioritization: false

enableRestrictedScanSettings: false

serviceToken: <string>

smartUpdateSettings:

smartUpdateUrl: https://smartupdate.fortify.microfocus.com/

licensingUrl: https://licenseservice.fortify.microfocus.com/

Parameter Descriptions

The following table describes the parameters for the miscellaneous settings.

Parameter

Description

Prevents or allows the Global Service to move a scan to a

different sensor, depending on the scan priority and other

settings. By default, advanced scan prioritization is allowed.

DisableAdvancedScan

Prioritization

Options are true or false.

For more information, see "Understanding Advanced Scan

Prioritization" on page 159 .

Specifies whether to save scans in the sensor container. By

default, scans are not saved in the sensor container after

the sensor completes the scan and uploads the data to the

DAST database.

RetainCompletedScans

Options are true or false.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 52 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Enables or disables global restrictions.

Options are true or false.

EnableRestrictedScanSettings

For more information, see "Working with Global

Restrictions" on page 303.

Specifies a shared secret for all of your sensors to use to

authenticate with the ScanCentral DAST API. The setting is

a string with a minimum of 10 characters. The value is

encrypted.

ServiceToken

Indicates the URL for the SmartUpdate service. This setting

SmartUpdateUrl

is an element of SmartUpdateSettings.

The default URL is

https://smartupdate.fortify.microfocus.com/.

Indicates the URL for the licensing service. This setting is

LicensingUrl

an element of SmartUpdateSettings.

The default URL is

https://licenseservice.fortify.microfocus.co

m/.

SSC Settings

You can use the SSC settings to configure the connection between Fortify ScanCentral DAST and

Fortify Software Security Center.

JSON Example

The following example shows the SSC settings in a JSON file.

"SSCSettings": {

"SSCRootUrl": "http://<ip_address>:<port>/ssc",

"ServiceAccountUserName": "<username>",

"ServiceAccountPassword": "<password>"

},

YAML Example

The following example shows the SSC settings in a YAML file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 53 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

sSCSettings:

sSCRootUrl: http://<hostname>:<port>/ssc

serviceAccountUserName: <username>

serviceAccountPassword: <password>

Parameter Descriptions

The following table describes the parameters for the SSC settings.

Parameter

Description

The URL for your Fortify Software Security Center application.

SSCRootUrl

Important! You cannot use localhost for the Software

Security Center URL. You must use a routable IP address or

hostname.

The user name under which Fortify ScanCentral DAST will

communicate with Fortify Software Security Center.

ServiceAccountUserName

Important! This account must be an Admin account that can

perform service-level functions. Individual users who log into

Fortify Software Security Center in a browser to use Fortify

ScanCentral DAST are restricted based on the permissions

designated by their user role in Fortify Software Security

Center. For more information, see "Permissions in Fortify

Software Security Center" on page 35 .

The password for the service account.

ServiceAccountPassword

Tip: Fortify recommends using an encrypted password. You

can encrypt the password with the encrypt command. For

more information, see "Encrypting Values" on page 80.

DAST API Settings

You can use the DAST API settings to configure the URL for the DAST API and configure cross-origin

resource sharing (CORS) settings.

JSON Example

The following example shows the DAST API settings in a JSON file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 54 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

"DASTApiSettings": {

"RootUrl": "http://<hostname>:<port>",

"DisableCorsOrigins": true,

"CorsOrigins": [

"http://<hostname>:<port>",

"http://<ip_address>:<port>"

]

"ContainerListenIPAddress": "<ip_address>",

"ContainerListenPort": <port>

},

YAML Example

The following example shows the DAST API settings in a YAML file.

dASTApiSettings:

rootUrl: http://<ip_address>:<port>

disableCorsOrigins: true

corsOrigins:

- http://<hostname>:<port>

- http://<ip_address>:<port>

containerListenIPAddress: <ip_address>

containerListenPort: <port>

Parameter Descriptions

The following table describes the parameters for the DAST API settings.

Parameter

Description

Specifies the URL and port where the DAST API service will

run.

RootUrl

Important! You cannot use localhost in the URL. You must

use a routable IP address or hostname as shown in the

following examples:

https://<DAST_API_hostname>:<port>

https://<DAST_API_ip_address>:<port>

The URL can use the http protocol instead.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 55 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Make note of this URL. It is required to enable Fortify

ScanCentral DAST in Fortify Software Security Center.

DisableCorsOrigins

By default, disable all origins for CORS policy is set to true.

The Fortify Software Security Center URL is the only one that

is automatically allowed. Options are:

l

true – Restricts traffic to the specified corsOrigins list

l

false – Allows traffic from all URLs

Specifies the allowed CORS origins list of URLs .

CorsOrigins

When disableCorsOrigins is set to true, then you must

add the allowed URLs.

Specifies the container's internal IP address on which the DAST

service will listen.

ContainerListenIPAddress

ContainerListenPort

The default value is "0.0.0.0".

Specifies the container's internal port on which the DAST

service will listen.

For RootUrls starting with https, the default value is 443.

Otherwise, it is 80.

LIM Settings

You can use the LIM settings to configure a LIM and LIM pool to associate with the default sensor

pool for licensing.

JSON Example

The following example shows the LIM settings in a JSON file.

"LIMSettings": {

"LimUrl": "https://<ip_address>/LIM.Service",

"ServiceAccountUserName": "<string>",

"ServiceAccountPassword": "<string>",

"DefaultLimPoolName": "<string>",

"DefaultLimPoolPassword": "<string>",

"UseLimRestApi": false

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 56 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

},

YAML Example

The following example shows the LIM settings in a YAML file.

lIMSettings:

limUrl: https://<ip_address>/LIM.Service

serviceAccountUserName: <string>

serviceAccountPassword: <string>

defaultLimPoolName: <string>

defaultLimPoolPassword: <string>

useLimRestApi: false

Parameter Descriptions

The following table describes the parameters for the LIM settings.

Parameter

Description

Identifies the LIM service URL.

LimUrl

If you are using a LIM version 21.2.0 or later, then type the

LIM REST API URL, which uses the following format:

https://<server_url>/<rest-directory>

where server_url is the root web site and rest-directory is the API

virtual directory name. The default virtual directory name is

LIM.API.

Important! If using the LIM REST API, you must set

useLimRestApi to true.

If you are using a LIM version 21.1.0 or earlier, then type the

SOAP service URL, which uses the following format:

https://<server_url>/<service-directory>

where server_url is the root web site and service-directory is the

service virtual directory name. The default virtual directory name

is LIM.Service.

Important! If using the SOAP service URL, you must set

useLimRestApi to false.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 57 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Specifies the LIM account username to be used for licensing.

Specifies the password for the account.

Tip: Fortify recommends using an encrypted password. You

ServiceAccountUserName

ServiceAccountPassword

can encrypt the password with the encrypt command. For

more information, see "Encrypting Values" on page 80.

Specifies the LIM pool name to associate with the default sensor

pool for licensing.

DefaultLimPoolName

Specifies the password for the LIM pool.

DefaultLimPoolPassword

Tip: Fortify recommends using an encrypted password. You

can encrypt the password with the encrypt command. For

more information, see "Encrypting Values" on page 80.

Indicates whether to use the LIM REST API for the licensing

service. Follow these guidelines for setting the value:

UseLimRestApi

l

If you are using a LIM version 21.2.0 or later with the

LIM REST API URL as LimUrl, then set the value to true.

l

If you are using a LIM version 21.1.0 or earlier with the SOAP

service URL as LimUrl, then set the value to false.

Utility Service Settings

Use the Utility Service settings to configure the URL and port where the DAST Utility Service will run.

Important! You cannot use localhost in the URL. You must use a routable IP address or

hostname as shown in the following examples:

https://<DAST_Utility_hostname>:<port>

https://<DAST_Utility_ip_address>:<port>

The URL can use the http protocol instead.

JSON Example

The following example shows the Utility Service settings in a JSON file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 58 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

"UtilityWorkerServiceSettings": {

"RootUrl": "https://<ip_address>:<port>/"

"ContainerListenIPAddress": "<ip_address>",

"ContainerListenPort": <port>

},

YAML Example

The following example shows the Utility Service settings in a YAML file.

utilityWorkerServiceSettings:

rootUrl: https://<hostname>:<port>/

containerListenIPAddress: <ip_address>

containerListenPort: <port>

Parameter Descriptions

The following table describes the parameters for the Utility Service settings.

Parameter

Description

Specifies the URL for the DAST Utility Service.

RootUrl

Specifies the container's internal IP address on which the Utility

Service will listen.

ContainerListenIPAddress

The default value is "0.0.0.0".

Specifies the container's internal port on which the Utility

Service will listen.

ContainerListenPort

For RootUrls starting with https, the default value is 5001.

Otherwise, it is 5000.

DAST API SSL Settings

You can use the DAST API SSL settings to configure whether to use encrypted communication for the

DAST API service. If you use encrypted communication, you can generate a certificate or use an

existing certificate for this service.

About the Certificate Path

Generating a certificate or using an existing certificate requires you to specify a certificate path. It is

not necessary to install the certificate on your local machine, but the certificate path must be

accessible from the computer where you run the Docker compose file or PowerShell scripts to pull and

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 59 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

start the ScanCentral DAST containers. The certificate is passed to the Docker container when you

run the compose file or the PowerShell scripts.

JSON Example

The following example shows DAST API SSL settings that generate a self-signed certificate in a

JSON file.

"DastApiSSLSettings": {

"SSLPreferenceType": "GenerateCertificate",

"GenerateCertificateModel": {

"CertificateDirectory": "<directory_path>",

"Host": "<ip_address | hostname>",

"Password": "<string>",

"Validity": 1000,

"Location": "",

"Email": ""

},

"ExistingCertificateModel": {

"CertificateFullPath": "",

"Password": ""

}

},

YAML Example

The following example shows the DAST API SSL settings that use an existing certificate in a

YAML file.

dastApiSSLSettings:

sSLPreferenceType: UseExistingCertificate

generateCertificateModel:

certificateDirectory:

host:

password:

validity:

location:

email:

existingCertificateModel:

certificateFullPath: '<directory_path>'

password: '<string>'

Parameter Descriptions

The following table describes the parameters for the DAST API SSL settings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 60 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Indicates whether to use encrypted communication for the

DAST API service. Options are:

SSLPreferenceType

l

1 or GenerateCertificate

l

2 or UseExistingCertificate

l

3 or NoSSL

Important! Encrypted communication for the DAST API

service is not required, but Fortify highly recommends it.

Generates a self-signed certificate.

GenerateCertificateModel

If SSLPreferenceType is set to 1 or GenerateCertificate,

then you must also provide the following parameters:

l

CertificateDirectory – Specifies the directory path

where you will place the certificate on the host computer

that will run the API container

l

Host – Specifies the IP address of the machine running the

DAST API service container

l

Password – Specifies the password for the private key

Tip: Fortify recommends using an encrypted password.

You can encrypt the password with the encrypt

command. For more information, see "Encrypting

Values" on page 80.

l

Validity – Indicates the number of days the certificate will

be valid

Note: The default is 1000.

l

Location – Optionally, indicates your city

l

Email – Optionally, indicates your email address

Uses an existing certificate.

ExistingCertificateModel

If SSLPreferenceType is set to 2 or

UseExistingCertificate, then you must also provide the

following parameters:

l

CertificateFullPath – Specifies the directory path to

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 61 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

the existing certificate

l

Password – Specifies the password for the private key

Tip: Fortify recommends using an encrypted password.

You can encrypt the password with the encrypt

command. For more information, see "Encrypting

Values" on page 80.

Important! Ensure that you enter the correct password for

the certificate. The Configuration Tool CLI does not

validate certificate passwords.

Utility Service SSL Settings

You can use the Utility Service SSL settings to configure whether to use encrypted communication for

the DAST Utility Service. If you use encrypted communication, you can generate a certificate or use an

existing certificate for this service.

About the Certificate Path

Generating a certificate or using an existing certificate requires you to specify a certificate path. It is

not necessary to install the certificate on your local machine, but the certificate path must be

accessible from the computer where you run the Docker compose file or PowerShell scripts to pull and

start the ScanCentral DAST containers. The certificate is passed to the Docker container when you

run the compose file or the PowerShell scripts.

JSON Example

The following example shows the Utility Service SSL settings that generate a self-signed certificate in

a JSON file.

"UtilityWorkerServiceSSLSettings": {

"SSLPreferenceType": "GenerateCertificate",

"GenerateCertificateModel": {

"CertificateDirectory": "<directory_path>",

"Host": "<ip_address>",

"Password": "<string>",

"Validity": 1000,

"Location": "",

"Email": ""

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 62 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

},

"ExistingCertificateModel": {

"CertificateFullPath": "",

"Password": ""

}

},

YAML Example

The following example shows the Utility Service SSL settings that use an existing certificate in a

YAML file.

utilityWorkerServiceSSLSettings:

sSLPreferenceType: UseExistingCertificate

generateCertificateModel:

certificateDirectory:

host:

password:

validity: 1000

location:

email:

existingCertificateModel:

certificateFullPath: '<directory_path>'

password: '<string>'

Parameter Descriptions

The following table describes the parameters for the Utility Service SSL settings.

Parameter

Description

Indicates whether to use encrypted communication for the

Utility Service. Options are:

SSLPreferenceType

l

1 or GenerateCertificate

l

2 or UseExistingCertificate

l

3 or NoSSL

Important! Encrypted communication for the DAST Utility

Service is not required, but Fortify highly recommends it.

Generates a self-signed certificate.

GenerateCertificateModel

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 63 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

If SSLPreferenceType is set to 1 or GenerateCertificate,

then you must also provide the following parameters:

l

CertificateDirectory – Specifies the directory path

where you will place the certificate on the host computer

that will run the Utility Service container

l

Host – Specifies the IP address of the machine running the

Utility Service container

l

Password – Specifies the password for the private key

Tip: Fortify recommends using an encrypted password.

You can encrypt the password with the encrypt

command. For more information, see "Encrypting

Values" on page 80.

l

Validity – Indicates the number of days the certificate will

be valid

Note: The default is 1000.

l

Location – Optionally, indicates your city

l

Email – Optionally, indicates your email address

Uses an existing certificate.

ExistingCertificateModel

If SSLPreferenceType is set to 2 or

UseExistingCertificate, then you must also provide the

following parameters:

l

CertificateFullPath – Specifies the directory path to

the existing certificate

l

Password – Specifies the password for the private key

Tip: Fortify recommends using an encrypted password.

You can encrypt the password with the encrypt

command. For more information, see "Encrypting

Values" on page 80.

Important! Ensure that you enter the correct password for

the certificate. The Configuration Tool CLI does not

validate certificate passwords.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 64 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Environment Settings

You can use the environment settings to configure proxy settings and allow untrusted certificates.

Using a Proxy

The proxy settings configured here, including the exclusions, are used for internal communications

between ScanCentral DAST components. The settings also apply when communicating with Fortify

Software Security Center, LIM, SmartUpdate, DAST API, DAST Utility Service, and OpenAPI and

OData definition URLs.

JSON Example

The following example shows the environment settings in a JSON file.

"EnvironmentSettings": {

"AllowNonTrustedServerCertificate": true,

"ProxySettings": {

"UseProxy": false,

"ProxyAddress": "<ip_address>",

"ProxyPassword": "<string>",

"ProxyUserName": "<string>",

"ProxyBypassList": "<hostname>,<ip_address>"

}

},

YAML Example

The following example shows the environment settings in a YAML file.

environmentSettings:

allowNonTrustedServerCertificate: true

proxySettings:

useProxy: false

proxyAddress: '<ip_address>'

proxyPassword: '<string>'

proxyUserName: '<string>'

proxyBypassList: <hostname>,<ip_address>

Parameter Descriptions

The following table describes the parameters for the environment settings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 65 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Specifies whether Fortify ScanCentral DAST

AllowNontrustedServerCertificates

components can accept self-signed (untrusted)

certificates when communicating with other Fortify

products.

Options are true or false.

Specifies whether to use a proxy for

communications in your ScanCentral DAST

environment.

UseProxy

Options are true or false.

If set to true, then you must also provide the

following parameters:

l

ProxyAddress – Identifies the URL or IP

address and port number of your proxy server

l

ProxyPassword – If your proxy server requires

authentication, specifies the qualifying password

Tip: Fortify recommends using an encrypted

password. You can encrypt the password

with the encrypt command. For more

information, see "Encrypting Values" on

page 80.

l

ProxyUserName – If your proxy server requires

authentication, specifies the qualifying user

name

l

ProxyBypassList – Lists addresses or URLs

that do not need to use a proxy server for

access, such as internal testing sites

Tip: You can use a comma separated list of

regular expressions. For example:

localhost,[a-z]+\.myestore\.net$

Important! If you want to bypass the proxy

when connecting to the LIM, enter the

LIM IP address. You cannot enter the host

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 66 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

name, machine name, or container name for

the LIM.

Known Issue with Host Name, Machine Name, and Container Name

Configuring a proxy in the environment settings and then bypassing the proxy for communications

with Fortify Software Security Center and the LIM may cause issues when using the host name,

machine name, or container name for these products.

If you want to use the host name, machine name, or container name for Fortify Software Security

Center and the LIM without a proxy, then set UseProxy to false and configure HTTP_PROXY and

NO_PROXY environment variables instead. Additionally, add the host names, machine names, or

container names for Fortify Software Security Center and the LIM to the NO_PROXY variable as a

comma-separated list.

Refer to your OS documentation and change these environment variables.

You must also add these variables to the Docker containers' run commands as shown in the following

example:

-e "HTTP_PROXY=http://<proxy_address>" -e "NO_PROXY=localhost,<ssc_

machine>,<lim_machine>"

SecureBase Settings

When initializing the database, you can use the default SecureBase ZIP file that is packaged with

ScanCentral DAST or you can use a local version of SecureBase content to seed the database.

Updating SecureBase

If you use the upgrade or autodeploy mode for an existing DAST environment, then you must

update your SecureBase. If you use the manage mode for an existing DAST environment, then

updating SecureBase is optional. For more information about these modes, see "Understanding the

configureEnvironment Command" on page 79.

JSON Example

The following JSON example shows SecureBase settings that use the default ZIP file to seed the

database.

"ApplySecureBase": true,

"SecureBasePath": "<drive>:\\<directory_path>\\DefaultData.zip",

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 67 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

YAML Example

The following YAML example shows SecureBase settings that do not update the database.

applySecureBase: false

secureBasePath: <drive>:\<path_to_securebase_data>\DefaultData.zip

Parameter Descriptions

The following table describes the parameters for the SecureBase settings.

Parameter

Description

Specifies whether to update SecureBase. Options are:

ApplySecureBase

l

true – Update SecureBase

l

false – Do not update SecureBase

SecureBasePath

If applySecureBase is set to true, specifies the location of the

SecureBase ZIP file to use for seeding the database.

JSON Sample File

After you have configured the various settings in your JSON file, they should resemble the following

sample.

{

"DatabaseSettings":{

"DatabaseProvider": "<database_type>",

"Server": "<ip_address>,<port>",

"Database": "<database_name>",

"DboLevelDatabaseAccount": {

"Username": "<string>",

"Password": "<string>",

"UseWindowsAuthentication": false

"AdditionalConnectionProperties": null

},

"StandardDatabaseAccount": {

"Username": "<string>",

"Password": "<string>",

"CreateLogin": false,

"AdditionalConnectionProperties": null

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 68 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

}

},

"RetainCompletedScans": true,

"DisableAdvancedScanPrioritization": false,

"EnableRestrictedScanSettings": false,

"ServiceToken": "<string>",

"SmartUpdateSettings": {

"SmartUpdateUrl": "https://smartupdate.fortify.microfocus.com/",

"LicensingUrl": "https://licenseservice.fortify.microfocus.com/"

},

"SSCSettings": {

"SSCRootUrl": "http://<ip_address>:<port>/ssc",

"ServiceAccountUserName": "<username>",

"ServiceAccountPassword": "<password>"

},

"DASTApiSettings": {

"RootUrl": "http://<hostname>:<port>",

"DisableCorsOrigins": true,

"CorsOrigins": [

"http://<hostname>:<port>",

"http://<ip_address>:<port>"

]

"ContainerListenIPAddress": "<ip_address>",

"ContainerListenPort": <port>

},

"LIMSettings": {

"LimUrl": "https://<ip_address>/LIM.Service",

"ServiceAccountUserName": "<string>",

"ServiceAccountPassword": "<string>",

"DefaultLimPoolName": "<string>",

"DefaultLimPoolPassword": "<string>",

"UseLimRestApi": false

},

"UtilityWorkerServiceSettings": {

"RootUrl": "https://<ip_address>:<port>/"

"ContainerListenIPAddress": "<ip_address>",

"ContainerListenPort": <port>

},

"DastApiSSLSettings": {

"SSLPreferenceType": "GenerateCertificate",

"generateCertificateModel": {

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 69 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

"certificateDirectory": "<directory_path>",

"host": "<ip_address>",

"password": "<string>",

"validity": 1000,

"location": "",

"email": ""

},

"existingCertificateModel": {

"certificateFullPath": "",

"password": ""

}

},

"UtilityWorkerServiceSSLSettings": {

"SSLPreferenceType": "GenerateCertificate",

"GenerateCertificateModel": {

"CertificateDirectory": "<directory_path>",

"Host": "<ip_address>",

"Password": "<string>",

"Validity": 1000,

"Location": "",

"Email": ""

},

"ExistingCertificateModel": {

"CertificateFullPath": "",

"Password": ""

}

},

"EnvironmentSettings": {

"AllowNonTrustedServerCertificate": true,

"ProxySettings": {

"UseProxy": false,

"ProxyAddress": "<ip_address>",

"ProxyPassword": "<string>",

"ProxyUserName": "<string>",

"ProxyBypassList": "<hostname>,<ip_address>"

}

},

"ApplySecureBase": true,

"SecureBasePath": "<drive>:\\<path_to_securebase_data>\\DefaultData.zip",

}

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 70 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

YAML Sample File

After you have configured the various settings in your YAML file, they should resemble the following

sample.

databaseSettings:

databaseProvider: <database_type>

server: <ip_address>,<port>

database: <database_name>

dboLevelDatabaseAccount:

username: <string>

password: <string>

useWindowsAuthentication: false

additionalConnectionProperties: null

standardDatabaseAccount:

username: <string>

password: <string>

createLogin: false

additionalConnectionProperties: null

retainCompletedScans: true

disableAdvancedScanPrioritization: false

enableRestrictedScanSettings: false

serviceToken: <string>

smartUpdateSettings:

smartUpdateUrl: https://smartupdate.fortify.microfocus.com/

licensingUrl: https://licenseservice.fortify.microfocus.com/

sSCSettings:

sSCRootUrl: http://<hostname>:<port>/ssc

serviceAccountUserName: <username>

serviceAccountPassword: <password>

dASTApiSettings:

rootUrl: http://<ip_address>:<port>

disableCorsOrigins: true

corsOrigins:

- http://<hostname>:<port>

- http://<ip_address>:<port>

containerListenIPAddress: <ip_address>

containerListenPort: <port>

lIMSettings:

limUrl: https://<ip_address>/LIM.Service

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 71 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

serviceAccountUserName: <string>

serviceAccountPassword: <string>

defaultLimPoolName: <string>

defaultLimPoolPassword: <string>

useLimRestApi: false

utilityWorkerServiceSettings:

rootUrl: https://<hostname>:<port>/

containerListenIPAddress: <ip_address>

containerListenPort: <port>

dastApiSSLSettings:

sSLPreferenceType: UseExistingCertificate

generateCertificateModel:

certificateDirectory:

host:

password:

validity: 1000

location:

email:

existingCertificateModel:

certificateFullPath: '<directory_path>'

password: '<string>'

utilityWorkerServiceSSLSettings:

sSLPreferenceType: UseExistingCertificate

generateCertificateModel:

certificateDirectory:

host:

password:

validity: 1000

location:

email:

existingCertificateModel:

certificateFullPath: '<directory_path>'

password: '<string>'

environmentSettings:

allowNonTrustedServerCertificate: true

proxySettings:

useProxy: false

proxyAddress: '<ip_address>'

proxyPassword: '<string>'

proxyUserName: '<string>'

proxyBypassList: <hostname>,<ip_address>

applySecureBase: true

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 72 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

secureBasePath: <drive>:\<path_to_securebase_data>\DefaultData.zip

Using the Configuration Tool CLI

To assist you in setting up and maintaining the Fortify ScanCentral DAST components, Fortify

engineers have created the ScanCentral DAST Configuration Tool CLI. The tool uses command line

parameters and a configuration file to configure the ScanCentral DAST environment. The tool allows

you to perform the following tasks:

l

Create and configure a new ScanCentral DAST environment

l

Upgrade all ScanCentral DAST components from one version to another

l

Change ScanCentral DAST settings, such as a proxy or database account information, or uploading

new SecureBase content, without upgrading the version

Upgrade Limitations for Linux

If you are upgrading from ScanCentral DAST version 22.1.0 or earlier, then you must run the

Configuration Tool CLI on a Windows OS. If you are creating a new environment, then you may run

the Configuration Tool CLI on a Windows OS or a Linux distribution.

Versions Available

The Configuration Tool CLI is available as an executable file and as a Docker image.

Using the Configuration Tool CLI Executable

The following paragraphs describe where to find the EXE file and how to use the program.

Locating the EXE File

The DAST.ConfigurationToolCLI.exe file is included in the Fortify ScanCentral DAST software

download package (a ZIP file).

Note: The Fortify ScanCentral DAST software download package also includes the

scancentral-dast-config.tar file, which contains the DAST.ConfigurationToolCLI.exe

file and a copy of SecureBase.

Launching the CLI

To launch the command-line interface (CLI):

l

Right-click the Windows Command Prompt (cmd.exe) application, and select Run as

administrator.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 73 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

The Administrator: Command Prompt window appears.

Important! At the command prompt, use the cd command to change the current working

directory to the directory where the Configuration Tool CLI application resides.

Using the Configuration Tool CLI

To use the Configuration Tool CLI:

l

At the command prompt, use the following syntax:

DAST.ConfigurationToolCLI.exe <CLI_Command>

For more information on the CLI commands, see the following:

l

"Exporting an Existing Settings File" on page 77

l

"Configuring the Environment" on page 79

l

"Using Environment Variables" on page 80

l

"Encrypting Values" on page 80

l

"Generating a Migration Script" on page 81

l

"Generating a Connection String" on page 82

Accessing the Help

To view the Configuration Tool CLI help:

l

At the command prompt, type DAST.ConfigurationToolCLI.exe -h.

Using the Configuration Tool CLI Docker Image

The Configuration Tool CLI Docker image is used in the Helm chart for Kubernetes. However, you can

also use the image to configure your ScanCentral DAST environment outside of Kubernetes.

Note: The Configuration Tool CLI includes two sample settings files:

SampleSettingsFile.json and SampleSettingsFile.yaml.

The procedures in this topic use these file names. For convenience, you can edit these files with

settings that are specific for your environment, and use them in the Docker run command.

Versions Available

Two versions of the Configuration Tool CLI Docker image are available: one as a TAR file with

SecureBase and one on DockerHub without SecureBase.

About the TAR File

The Configuration Tool CLI Docker image with SecureBase is available as a TAR file in the

ScanCentral DAST software download package. The file name is scancentral-dast-config.tar.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 74 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Loading the Image from the TAR File

To load the Fortify Configuration Tool CLI image from the TAR file:

l

In PowerShell, enter the following command:

docker load --input scancentral-dast-config.tar

The image is extracted with the name dast-config-sb.

Continue with "Running the Container" below.

About the Image on DockerHub

The Configuration Tool CLI Docker image without SecureBase is available in the Fortify Docker

repository on DockerHub. The following paragraphs provide information about getting this version of

the image and running the container.

The Fortify Docker repository uses the following naming convention for the Fortify Configuration

Tool CLI image:

fortifydocker/scancentral-dast-config:<version>

The latest image version that is available as of this writing is:

fortifydocker/scancentral-dast-config:22.2

Getting the Image from DockerHub

To pull the current version of the Fortify Configuration Tool CLI image:

l

In PowerShell, enter the following command:

docker pull fortifydocker/scancentral-dast-config:22.2

Continue with "Running the Container" below.

Running the Container

The following procedure describes how to attach the configuration file and a SecureBase file to the

container as a volume.

To run the container:

1. In PowerShell, enter the following command to create a directory to store the configuration and

SecureBase files:

mkdir C:\config

Important! Make sure that this directory can be read by all users. Otherwise, the container

user might not be able to read the directory contents.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 75 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

2. Enter the following commands to copy the configuration file, the SecureBase file, and any other

file to be shared with the container to the directory you created in step 1:

cp SampleSettingsFile.yaml C:\config\

cp DefaultData.zip C:\config\

Important! If you are using scancentral-dast-config.tar, the DefaultData.zip file

is included. Only copy the file if you are using a version other than the one included in the

TAR file.

3.

Edit the SampleSettingsFile.yaml file to specify the location of the DefaultData.zip file in

the container.

Tip: Look for the "secureBasePath:" entry and do one of the following:

l

If you are using the image from DockerHub, enter "secureBasePath:

C:\config\DefaultData.zip".

l

If you are using scancentral-dast-config.tar, enter "secureBasePath:

C:\\App\\DefaultData.zip"

4. Continue according to the following table.

To run this

image

Use the following syntax in the Docker run command

dast-config-

sb

docker run --rm -v <Config_Dir_Full_Path>:C:\app\logs

dast-config-sb <CLI_Commands>

scancentral-

dast-

config:22.2

docker run --rm -v <Config_Dir_Full_Path>:C:\app\logs

fortifydocker/scancentral-dast-config:22.2 <CLI_

Commands>

Note: Mapping the volume to the C:\app\logs directory on the host system in the Docker

run command exposes the log file to your workstation.

When using the Docker image, you must add CLI commands to the end of the Docker run

command. The following example shows the configureEnvironment command with the --

mode and --settingsFile parameters:

docker run --rm -v C:\config:C:\app\logs fortifydocker/scancentral-

dast-config:22.2 configureEnvironment --mode autodeploy

--settingsFile C:\app\logs\SampleSettingsFile.yaml

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 76 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

You must pass in command parameters by way of environment variables before the image name

reference, as shown in the following example:

docker run --rm -v <Config_Dir_Full_Path>:C:\config\ -e

"<environmentVariableName>=<value>" fortifydocker/scancentral-dast-

config:22.2 <CLI_Commands>

For more information on the CLI commands, see the following:

l

"Exporting an Existing Settings File" below

l

"Configuring the Environment" on page 79

l

"Using Environment Variables" on page 80

l

"Encrypting Values" on page 80

l

"Generating a Migration Script" on page 81

l

"Generating a Connection String" on page 82

Understanding the Docker CLI Options

The following table describes the Docker CLI options used in "Running the Container" on page 75.

Option

--rm

-v

Description

Automatically removes the container when it exits.

Maps the volume (or folder) from the container to a folder on the host system.

Separate multiple folder names with a colon.

Exporting an Existing Settings File

If you have an existing ScanCentral DAST environment, you can use the createSettingsFile

command to export a settings file that contains the current settings for the existing environment.

Understanding the createSettingsFile Command

The createSettingsFile command includes the parameters shown in the following syntax sample.

DAST.ConfigurationToolCLI.exe createSettingsFile

--dbProvider <SQLServer | PostgreSQL | AzureSQLServer |

AzurePostgreSQL | AmazonRdsSQLServer | AmazonRdsPostgreSQL>

--server <string> --database <string> --username <string>

--password <string> --useWindowsAuthentication

--additionalConnectionProperties <string>

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 77 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

--settingsFileType <yaml | json> --outputDirectory <string>

The following table describes the createSettingsFile parameters.

Parameter

Description

Identifies the type of SQL database being used. Valid providers are:

--dbProvider

l

SQLServer

l

PostgreSQL

l

AzureSQLServer

l

AzurePostgreSQL

l

AmazonRdsSQLServer

l

AmazonRdsPostgreSQL

Specifies the database server name or the server IP address.

--server

Important! If SQL Server Browser is not running and you are using a

port other than 1433, then you must also specify the port. Use the

following format:

<server_name>,<port>

<ip_address>,<port>

Note that a comma separates the values.

Specifies the name of the database.

--database

--username

Indicates the database account user name.

Note: With an existing database, you can use the non-DBO

credentials.

Indicates the database account password.

--password

--

Specifies the file type for the settings file. Options are json or yaml.

settingsFileType

Specifies the directory path where the settings file will be written.

--outputDirectory

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 78 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Configuring the Environment

After you configure your settings file, you can use the Configuration Tool CLI to generate the Docker

compose file or PowerShell script to pull and launch the core ScanCentral DAST 22.2.0 containers

(DAST API, DAST Global Service, and DAST Utility Service).

Before You Begin

All ScanCentral DAST components must be offline (not running) when using the CLI tool.

Understanding the configureEnvironment Command

The configureEnvironment command includes the parameters shown in the following syntax

sample.

DAST.ConfigurationToolCLI.exe configureEnvironment

--mode <new | upgrade | manage | autodeploy>

--settingsFile <string> --outputDirectory <string>

The following table describes the configureEnvironment parameters.

Parameter

Description

Indicates the intended function of the settings file. Options are:

--mode

l

new – Creates and configures a new ScanCentral DAST environment

l

upgrade – Upgrades all ScanCentral DAST components from one

version to another

l

manage – Changes ScanCentral DAST settings, such as a proxy or

database account information, or uploads new SecureBase content,

without upgrading the version

l

autodeploy – Detects whether the database exists. If no, then the new

function is performed. Otherwise, the database is updated or managed.

Specifies the directory path and name of the settings file to use for

creating, managing, or upgrading a ScanCentral DAST environment. The

file can be either JSON or YML file type.

--settingsFile

Optionally, indicates the directory path where the artifacts file is written.

The artifacts are saved to a ZIP file.

--

outputDirectory

If you do not provide an --outputDirectory setting, then the ZIP file is

written to the directory where the DAST.ConfigurationToolCLI.exe

file is located.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 79 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Using Environment Variables

The Configuration Tool CLI allows you to replace placeholders in a settings file with environment

variables. This feature protects your sensitive data and supports the use of Kubernetes secrets. For

more information on Kubernetes secrets, refer to your Kubernetes configuration documentation.

How Replacement Works

Each environment variable placeholder in the settings file is replaced with an environment variable

value. If no environment variable value is available, then the value will not be replaced.

The replacement values are not written to the source settings file. Instead, the Configuration Tool CLI

creates a temporary copy of the settings file that contains the values to be used.

Format and Usage

The format of the placeholder in the settings file is as follows:

${environment variable name}

The following sample shows an environment variable with the name my_secret_password in a

YAML settings file.

databaseSettings:

databaseProvider: SQLServer

server: .

database: DAST

dboLevelDatabaseAccount:

username: myusername

password : ${my_secret_password}

useWindowsAuthentication: false

additionalConnectionProperties:

Encrypting Values

The Configuration Tool CLI provides the encrypt command that encrypts a value. This feature allows

you to encrypt sensitive data, such as passwords, to use in a settings file.

If the value to be encrypted contains spaces, then the value must be enclosed in double quotation

marks (").

The encrypt command is shown in the following sample.

DAST.ConfigurationToolCLI.exe encrypt "<string>"

The encrypted value is logged to the console as "encrypt result: {encrypted value}".

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 80 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Generating a Migration Script

The Configuration Tool CLI provides the generateMigrationScript command that generates a

migration script that you can run on the database server. This feature is useful in environments where

policies do not allow applications to change database schema and require a manual script to run.

All non-optional parameters are required and are validated upon execution. If any parameter fails

validation, a message is written to the log file and the application exits with a -1.

Migration Script Name

The generated migration script is named: DAST-Migration-MMddyyyyHHmmss.sql. The time stamp

in the name is composed of the following:

l

MM – Month, with a leading 0

l

dd – Day, with a leading 0

l

yyyy – 4-digit year

l

HH – 24-hour clock hour, with a leading 0

l

mm – Minutes, with a leading zero

l

ss – Seconds, with a leading zero

Understanding the generateMigrationScript Command

The generateMigrationScript command includes the parameters shown in the following sample.

DAST.ConfigurationToolCLI.exe generateMigrationScript

--dbProvider <SQLServer | PostgreSQL | AzureSQLServer |

AzurePostgreSQL | AmazonRdsSQLServer | AmazonRdsPostgreSQL>

--server <string> --database <string> --username <string>

--password <string> --useWindowsAuthentication

--additionalConnectionProperties <string> --outputDirectory <string>

The following table describes the parameters for the generateMigrationScript command.

Parameter

Description

Identifies the type of SQL database being used. Valid

providers are:

--dbProvider

l

SQLServer

l

PostgreSQL

l

AzureSQLServer

l

AzurePostgreSQL

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 81 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

l

AmazonRdsSQLServer

l

AmazonRdsPostgreSQL

Specifies the database server name or IP address.

Specifies the database name.

--server

--database

--username

Indicates the database account user name to connect

to the database.

This parameter is not required if -

useWindowsAuthentication is used.

Indicates the database account password to connect to

the database.

--password

This parameter is not required if -

useWindowsAuthentication is used.

Indicates that the connection should use Windows

authentication.

--useWindowsAuthentication

Optionally, specifies any additional connection

properties for the database, such as

--

additionalConnectionProperties

trustServerCertificate.

For more information about additional connection

properties, refer to your SQL database documentation.

Optionally, indicates the directory path where the

migration script will be saved. If not specified, the script

will be saved in the current working directory.

--outputDirectory

Note: If the specified directory does not exist, it

will be created.

Generating a Connection String

The Configuration Tool CLI can generate a connection string for connecting to your ScanCentral

DAST database. All non-optional parameters are required and are validated upon execution. If a

parameter fails validation, a message is written to the log file and the application exits with a -1.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 82 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Understanding the generateConnectionString Command

The generateConnectionString command includes the parameters shown in the following sample.

DAST.ConfigurationToolCLI.exe generateConnectionString --dbProvider

<SQLServer | PostgreSQL | AzureSQLServer | AzurePostgreSQL |

AmazonRdsSQLServer | AmazonRdsPostgreSQL> --server <string>

--database <string> --username <string> --password <string>

--useWindowsAuthentication --additionalConnectionProperties <string>

--encrypt

The following table describes the parameters for the generateConnectionString command.

Parameter

Description

Identifies the type of SQL database being used. Valid

providers are:

--dbProvider

l

SQLServer

l

PostgreSQL

l

AzureSQLServer

l

AzurePostgreSQL

l

AmazonRdsSQLServer

l

AmazonRdsPostgreSQL

Specifies the database server name or IP address.

Specifies the database name.

--server

--database

--username

Indicates the database account user name to connect

to the database.

This parameter is not required if --

useWindowsAuthentication is used.

Indicates the database account password to connect to

the database.

--password

This parameter is not required if --

useWindowsAuthentication is used.

Indicates that the connection should use Windows

authentication.

--useWindowsAuthentication

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 83 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Optionally, specifies any additional connection

properties for the database, such as

--

additionalConnectionProperties

trustServerCertificate.

For more information about additional connection

properties, refer to your SQL database documentation.

Encrypts the results.

--encrypt

Understanding the Launch Artifacts

The Configuration Tool CLI creates scripts for Windows and Linux containers. The dast-windows-

start.zip file contains scripts for starting Windows containers. The dast-linux-start.tar.gz

file contains scripts for starting Linux containers.

If you provide an --outputDirectory setting in the configureEnvironment command, then these

files will be written to the directory you specify. If you do not provide an --outputDirectory

setting, then these files will be written to the directory where the

DAST.ConfigurationToolCLI.exe file is located.

For more information about the DAST components mentioned here, see "What is ScanCentral DAST?"

on page 32 and "ScanCentral DAST with Two-factor Authentication" on page 34 .

The following table provides details about these files.

File

Description

Configures the sensor service. Use this file to run the

Fortify ScanCentral DAST Sensor Service and a Fortify

WebInspect sensor.

appsettings.json

If you generated a certificate for the DAST API service

using the Configuration Tool CLI, this certificate file must

be on the host computer where the DAST API container

will be running.

DAST-api.pfx

Note: This file is not downloaded if you use a

certificate provided by a certificate authority (CA) or

use an existing certificate.

If you generated a certificate for the DAST Utility service

using the Configuration Tool CLI, this certificate file must

DAST-utilityservice.pfx

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 84 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

File

Description

be on the host computer where the DAST Utility service

container will be running.

Note: This file is not downloaded if you use a

certificate provided by a certificate authority (CA) or

use an existing certificate.

Pulls the Fortify WebInspect Linux scanner, database,

WebInspect script engine (WISE), and 2FA server images

from Docker Hub, and then starts the containers as a

DAST sensor.

docker-compose.scancentral-

dast-sensor.yaml

(Linux only)

Pulls the Fortify WebInspect Linux scanner image and

database from Docker Hub, and then starts the containers

as the DAST Utility Service.

docker-compose.scancentral-

dast-utilityservice.yaml

(Linux only)

Pulls images and starts containers for the DAST API,

DAST Global Service, and DAST Utility Service.

docker-compose.yml

Pulls the DAST API, DAST Global Service, and

DAST Utility Service images from Docker Hub, and then

starts the containers.

pull-and-start-containers.ps1

pull-and-start-containers.sh

Pulls the Fortify WebInspect Windows image or the

scanner Linux image from Docker Hub, and then starts the

container.

pull-and-start-sensor-

container.ps1

pull-and-start-sensor-

container.sh

Pulls the 2FA Server image from Docker Hub, and then

starts the container.

pull-and-start-twofactorauth-

container.ps1

pull-and-start-twofactorauth-

container.sh

For instructions on using the PowerShell script, see "Using

PowerShell Scripts for the 2FA Server" on page 288 . For

information about executing the bash script, refer to your

Linux distribution documentation.

Pulls the DAST API, DAST Global Service, and

DAST Utility Service images from Docker Hub, but does

not start the containers.

pull-images.ps1

pull-images.sh

Pulls the Fortify WebInspect Windows image or the

pull-sensor-image.ps1

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 85 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

File

Description

scanner Linux image from Docker Hub, but does not start

the container.

pull-sensor-image.sh

Pulls the 2FA Server image from Docker Hub, but does not

start the container.

pull-twofactorauth-image.ps1

pull-twofactorauth-image.sh

For instructions on using the PowerShell script, see "Using

PowerShell Scripts for the 2FA Server" on page 288 . For

information about executing the bash script, refer to your

Linux distribution documentation.

Contains the shared secret that all your DAST sensors

must use to authenticate with the DAST API.

service-token.txt

Starts the DAST API, DAST Global Service, and

DAST Utility Service containers, but does not pull the

images.

start-containers.ps1

start-containers.sh

Starts the Fortify WebInspect container, but does not pull

the image.

start-sensor-container.ps1

start-sensor-container.sh

Starts the 2FA Server container, but does not pull the

image.

start-twofactorauth-

container.ps1

start-twofactorauth-

container.sh

For instructions on using the PowerShell script, see "Using

PowerShell Scripts for the 2FA Server" on page 288 . For

information about executing the bash script, refer to your

Linux distribution documentation.

What's Next?

You can use the launch artifacts to pull the DAST API, DAST Global Service, DAST Utility Service, and

Fortify WebInspect images from Docker Hub and start the containers. You can accomplish this task in

one of the following ways:

l

"Using the Compose File" on the next page

l

"Using PowerShell Scripts" on page 88

l

Using Bash Scripts (For more information, refer to your Red Hat documentation.)

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 86 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Using the Compose File

The docker-compose.yml file contains the various service settings required to pull images of the

DAST API, DAST Global Service, and DAST Utility Service, and then start the containers. You use the

compose file on the host where you want to run these containers.

Using the Compose File on Windows

Important! To use the compose file, you must first download and install Docker Compose on the

host machine. For more information, see "Setting Up Docker" on page 47.

Use the following process to use the compose file on Windows.

Stage Description

1.

Copy the following files to the host where you want to run the DAST API, DAST Global

Service, and DAST Utility Service containers:

l

DAST-api.pfx (Required only if generated by the Configuration Tool)

l

DAST-utilityservice.pfx (Required only if generated by the Configuration Tool)

l

docker-compose.yml

2.

3.

On this same host, start Windows PowerShell as Administrator. For more information

about PowerShell, refer to your Windows documentation.

At the prompt, type docker-compose up, and press Enter.

The DAST API, DAST Global Service, and DAST Utility Service images are pulled and the

containers are started.

Using the Compose File on Linux

Important! To use the compose file, you must first download and install Docker Compose on

Linux on the host machine. For more information, see "Setting Up Docker" on page 47.

Use the following process to use the compose file on Linux.

Stage Description

1.

Copy the following files to the Linux host where you want to run the DAST API,

DAST Global Service, and DAST Utility Service containers:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 87 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage Description

l

DAST-api.pfx (Required only if generated by the Configuration Tool)

l

DAST-utilityservice.pfx (Required only if generated by the Configuration Tool)

l

docker-compose.yml

2.

At the terminal prompt, type docker-compose up, and press Enter.

The DAST API, DAST Global Service, and DAST Utility Service images are pulled and the

containers are started.

Using PowerShell Scripts

The Configuration Tool CLI creates and downloads PowerShell scripts for the core ScanCentral

DAST containers. These scripts offer the following options:

l

Use one script to pull images of the DAST API, DAST Global Service, and DAST Utility Service, and

then start the containers.

l

Use two scripts: one to pull the images, and then another to start the containers.

You use the script or scripts on the host where you want to run the DAST API, DAST Global Service,

and DAST Utility Service containers.

For information on how to use the PowerShell scripts to pull a Windows version of the Fortify

WebInspect on Docker image and start the container as a DAST sensor, see the Micro Focus Fortify

WebInspect on Docker User Guide.

Using One Script

Use the following process to use a single PowerShell script to pull images and start the containers.

Stage Description

1.

Copy the following files to the host where you want to run the DAST API, DAST Global

Service, and DAST Utility Service containers:

l

DAST-api.pfx (Required only if generated by the Configuration Tool CLI)

l

DAST-utilityservice.pfx (Required only if generated by the Configuration Tool

CLI)

l

pull-and-start-containers.ps1

2.

On this same host, start Windows PowerShell ISE as Administrator. For more information

about using PowerShell, refer to your Windows PowerShell documentation.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 88 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage Description

3.

To avoid errors regarding non-digitally signed scripts, run the contents of the pull-

and-start-containers.ps1 script as follows:

1.

Copy the contents from the pull-and-start-containers.ps1 script.

2. Paste the contents in the PowerShell ISE script pane.

3. Click the Run Selection icon.

Note: Alternatively, you can set the execution policy to allow all scripts, and then

run the script as follows:

& "<drive>:<path_to_script>\pull-and-start-containers.ps1"

For more information about setting the execution policy, refer to your Windows

PowerShell documentation.

The DAST API, DAST Global Service, and DAST Utility Service images are pulled and the

containers are started.

Using Two Scripts

Use the following process to use separate pull and start PowerShell scripts.

Stage Description

1.

Copy the following files to the host where you want to run the DAST API, DAST Global

Service, and DAST Utility Service containers:

l

DAST-api.pfx (Required only if generated by the Configuration Tool CLI)

l

DAST-utilityservice.pfx (Required only if generated by the Configuration Tool

CLI)

l

pull-images.ps1

l

start-containers.ps1

2.

3.

On this same host, start Windows PowerShell ISE as Administrator. For more information

about using PowerShell, refer to your Windows PowerShell documentation.

Pull the images.

To avoid errors regarding non-digitally signed scripts, run the contents of the pull-

images.ps1 script as follows:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 89 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Stage Description

1.

Copy the contents from the pull-images.ps1 script.

2. Paste the contents in the PowerShell ISE script pane.

3. Click the Run Selection icon.

Note: Alternatively, you can set the execution policy to allow all scripts, and then

run the script as follows:

& "<drive>:<path_to_script>\pull-images.ps1"

For more information about setting the execution policy, refer to your Windows

PowerShell documentation.

The DAST API, DAST Global Service, and DAST Utility Service images are pulled.

Start the containers.

4.

To avoid errors regarding non-digitally signed scripts, run the contents of the start-

containers.ps1 script as follows:

1.

Copy the contents from the start-containers.ps1 script.

2. Paste the contents in the PowerShell ISE script pane.

3. Click the Run Selection icon.

Note: Alternatively, if you set the execution policy to allow all scripts as described in

Stage 3, you can run the script as follows:

& "<drive>:<path_to_script>\start-containers.ps1"

The DAST API, DAST Global Service, and DAST Utility Service containers are started.

Using Fortify WebInspect on Docker

Windows and Linux images of Fortify WebInspect on Docker are available for download on the Docker

container platform. For more information about these images, see "WebInspect Sensor" on page 34.

For information on how to use the launch artifacts to pull one of these images and start the container

as a DAST sensor, see the Micro Focus Fortify WebInspect on Docker User Guide.

Using Fortify WebInspect with the Sensor Service

You can use a classic Fortify WebInspect installation with the Fortify ScanCentral DAST sensor

service. To do so, you must first configure and start the WebInspect REST API, and then install and

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 90 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

configure the DAST sensor service.

Before You Begin

If you use encrypted communication for the DAST API service, then you must copy the API SSL

certificate from the Configuration Tool artifacts and add it to the Trusted Store on the machine where

the DAST sensor service will run.

Important Information About Licenses

When running a scan using ScanCentral DAST with the sensor service and a Fortify WebInspect

installation, the license that is configured in the Fortify WebInspect user interface is overridden to use

a LIM license. When the ScanCentral DAST scan is complete, the LIM license is released. The next time

you open the Fortify WebInspect user interface, it will be unlicensed.

As a workaround, reactivate the installed version of Fortify WebInspect using the previous license in

the Fortify WebInspect UI.

Important Prerequisite

Before installing the DAST sensor service, you must first install the full .NET SDK or ASP.NET Core

Runtime 6.0. Otherwise, the following error occurs:

A fatal error occurred. The required library hostfxr.dll could not be

found.

If this is a self-contained application, that library should exist in

[C:\ScannerService\].

If this is a framework-dependent application, install the runtime in

the global location [C:\Program Files\dotnet] or use the DOTNET_ROOT

environment variable to specify the runtime location or register the

runtime location in [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\

x64\InstallLocation].

Configuring the Fortify WebInspect REST API

On the machine where Fortify WebInspect is installed, configure the Fortify WebInspect REST API as

follows:

1. From the Windows Start menu, click All Programs > Fortify > Fortify WebInspect > Micro

Focus Fortify Monitor.

The Micro Focus Fortify Monitor icon appears in the system tray.

2. Right-click the Micro Focus Fortify Monitor icon, and select Configure WebInspect API.

The Configure WebInspect API dialog box appears.

3. Configure the API Server settings as described in the following table.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 91 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Setting

Value

Host

Both Fortify WebInspect and the Fortify WebInspect REST API must reside

on the same machine. The default setting, +, is a wild card that tells the

Fortify WebInspect REST API to intercept all request on the port identified

in the Port field. If you have another service running on the same port and

want to define a specific hostname just for the API service, this value can

be changed.

Port

Use the provided value or change it using the up/down arrows to an

available port number.

Authentication

Choose None, Windows, Basic, or Client Certificate from the

Authentication drop-down list.

If you choose Basic for authentication, you must provide user name(s) and

password(s). To do this:

a. Click the Edit passwords button and select a text editor.

The wircserver.keys file opens in the text editor. The file includes

sample user name and password entries:

username1:password1

username2:password2

b. Replace the samples with user credentials for access to your server. If

additional credentials are needed, add a user name and password,

separated by a colon, for each user to be authenticated. There should

be only one user name and password per line.

c. Save the file.

If you choose Client Certificate for authentication, you must first generate

a client certificate based on your root SSL certificate issued by a trusted

certificate authority (CA), and then install it on the client machine.

Tip: You can use a tool, such as the MakeCert utility in the Windows

Software Development Kit (SDK), to create your client certificate.

Use HTTPS

Select this check box to access the server over an HTTPS connection.

To run the server over HTTPS, you must create a server certificate and

bind it to the API service. To quickly create a self-signed certificate to test

the API over HTTPS, run the following script in an Administrator

PowerShell console:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 92 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Setting

Value

$rootcertID = (New-SelfSignedCertificate -DnsName "DO NOT

TRUST - WIRC Test Root CA","localhost",

"$($env:computername)" -CertStoreLocation

"cert:\LocalMachine\My").Thumbprint

$rootcert = (Get-Item -Path

"cert:\LocalMachine\My\$($rootcertID)")

$trustedRootStore = (Get-Item -Path

"cert:\LocalMachine\Root")

$trustedRootStore.open("ReadWrite")

$trustedRootStore.add($rootcert)

$trustedRootStore.close()

netsh http add sslcert ipport=0.0.0.0:8443

certhash=$($rootcertID) appid="{160e1003-0b46-47c2-a2bc-

01ea1e49b9dc}"

The preceding script creates a certificate for the local host and the

computer name, puts the certificate in the Personal Store and Trusted

Root, and binds the certificate to port 8443. If you use a different port,

specify the port you use in the script.

Important! Use the self-signed certificate created by the preceding

script for testing only. The certificate works only on your local machine

and does not provide the security of a certificate from a certificate

authority. For production, use a certificate that is generated by a

certificate authority.

Log Level

Choose the level of log information you want to collect.

4. Do one of the following:

l

To start the Fortify WebInspect REST API service and test the API configuration, click Test

API.

The service starts, and a browser opens and navigates to the Fortify WebInspect REST API

Swagger UI page.

l

To start the Fortify WebInspect REST API service without testing the API configuration, click

Start.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 93 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Installing and Configuring the DAST Sensor Service

Important! To install and run the DAST sensor service, you must run the service with the

appsettings.json file that the ScanCentral DAST Configuration Tool created. Make sure you

have access to this file. For more information, see "Understanding the Launch Artifacts" on

page 84.

On the machine where Fortify WebInspect is installed, install and run the DAST sensor service as

follows:

1.

Download the ScannerService<version>.zip file from the Fortify ScanCentral DAST

software download package.

Tip: The software download package is the file that you downloaded after your purchase .

2.

3.

Extract the ScannerService<version>.zip file to any directory, such as the following:

c:\ScannerService

Place the appsettings.json file that the ScanCentral DAST Configuration Tool created in the

same directory, replacing the existing file.

Important! If Fortify WebInspect is not installed in the default location or the datapath has

changed, you must update entries in the appsettings.json file accordingly.

For example, when the ScanCentral DAST Sensor service is installed on a Fortify WebInspect

instance where FIPS is enabled, DAST is not able to locate the Logs, Policies, or Settings files.

In this installation, these files are located under C:\ProgramData\HP\HP

WebInspect\FIPS\. Therefore, you must edit the following lines in the appsettings.json

file:

"WebInspectLogsDirectory": "C:\\ProgramData\\hp\\HP

WebInspect\\Schedule\\logs”,

"WebInspectSettingsPath": "C:\\ProgramData\\hp\\HP

WebInspect\\Settings",

"WebInspectPoliciesDirectory": "C:\\ProgramData\\HP\\HP

WebInspect\\Policies",

With the following changes:

"WebInspectLogsDirectory": "C:\\ProgramData\\hp\\HP

WebInspect\\FIPS\\Schedule\\logs",

"WebInspectSettingsPath": "C:\\ProgramData\\hp\\HP

WebInspect\\FIPS\\Settings",

"WebInspectPoliciesDirectory": "C:\\PrograrmData\\HP\\HP

WebInspect\\FIPS\\Policies",

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 94 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

4. Run the Command Prompt as Administrator, and then enter the following command:

sc create ScannerWorkerService binpath= "<PathToScannerService>

\DAST.ScannerWorkerService.exe" start= auto depend= "WebInspect API"

displayname= "WebInspect DAST Scanner Worker Service"

The following sample uses the c:\ScannerService directory in the path:

sc create ScannerWorkerService binpath= "C:\ScannerService

\DAST.ScannerWorkerService.exe" start= auto depend= "WebInspect API"

displayname= "WebInspect DAST Scanner Worker Service"

The ScannerWorkerService is created and automatically starts each time the computer is

restarted. Additional options provide the following benefits:

l

depend= "WebInspect API" – Starts the Fortify WebInspect API service if it has stopped. It

also stops the ScannerWorkerService if the Fortify WebInspect API service is stopped for any

reason.

l

displayname= "WebInspect DAST Scanner Worker Service" - Groups the services

together in Windows Service Manager, which may help with troubleshooting.

5.

Open Windows Services Manager (services.msc). For more information, refer to your Windows

documentation.

6. In Windows Services Manager, configure the scanner worker service as follows:

a. Right-click the newly created ScannerWorkerService.

b. Configure the user account and password under which the service should run.

Note: You can use credentials for any user account that has access to log in to the

Windows OS.

c. Apply the changes.

Note: You might need to manually start the service the first time.

The service starts and polls the Fortify WebInspect API for instructions.

Integrating with Kubernetes for Scan Scaling

You can integrate Fortify ScanCentral DAST with Kubernetes to create a scalable cloud architecture

that provides scan scaling functionality, resulting in faster scans of your applications.

During a scan, script engines replay TruClient macros and run scripts to reveal the Document Object

Model (DOM) of the application and events on the page. Scan scaling involves automatically creating

multiple pools of these script engines in Kubernetes. In essence, it distributes the work of performing

the scan across multiple script engines, thereby reducing the amount of time it takes to conduct the

scan.

Scan scaling might be beneficial for applications that generally have long-running scans.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 95 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

The following diagram illustrates the integration of ScanCentral DAST with Kubernetes.

DNS Requirement

Your Domain Name System (DNS) can use Azure Private DNS zones. However, you must add a record

into the DNS for the WebInspect script engine (WISE) ingress host name and the Kubernetes ingress

controller IP address.

Sensor Installation Requirement

You must use one of the following options to install the Fortify WebInspect sensor for integration with

Kubernetes:

l

Install the Fortify WebInspect sensor on a machine that is located in the same subnet that is used

by the Kubernetes cluster.

l

If the Kubernetes cluster supports both Windows and Linux nodes on the same subnet, then you

can install the Fortify WebInspect sensor into the Kubernetes cluster using the WebInspect Helm

Charts. For more information, see "Installing the Sensor into the Kubernetes Cluster" on page 106.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 96 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Tip: Make note of the sensors that you install for integration with Kubernetes. You will need to

add one or more of these sensors to the sensor pool(s) that you create for scan scaling.

Implementing Scan Scaling with Kubernetes

You must configure the machine(s) where the remote script engines will run and the Kubernetes node

that will manage them. You must also configure at least one sensor pool for scan scaling and then

enable scaling in your scan. The following table describes this process.

Stage Description

1.

2.

3.

Download and configure kubectl and Helm software. For more information, see

"Downloading kubectl and Helm" below.

Deploy the HAProxy ingress Kubernetes controller. For more information, see

"Deploying HAProxy in Kubernetes" on page 99.

Deploy the Kubernetes Metrics Server to handle horizontal auto scaling for the

Kubernetes WISE pods. For more information, "Deploying the Kubernetes Metrics

Server" on page 100.

4.

5.

6.

Deploy the WebInspect Script Engine (WISE) cluster in Kubernetes. For more

information, see "Deploying WISE in Kubernetes" on page 101.

Optionally, install the Fortify WebInspect sensor into the Kubernetes cluster. For more

information, see "Installing the Sensor into the Kubernetes Cluster" on page 106.

Configure one or more sensor pools for scan scaling. For more information, see "Creating

a DAST Sensor Pool" on page 214.

Note: Not all pools need to use scan scaling. You may only need one or two pools

configured for scan scaling. You can then add your applications with long-running

scans to the sensor pools that are configured for scan scaling.

7.

Configure scan scaling in scan settings. For more information, see "Enabling Scan

Scaling" on page 168.

Downloading kubectl and Helm

Integrating ScanCentral DAST with Kubernetes requires use of the following software:

l

kubectl - the command line tool used to control Kubernetes clusters. For more information about

kubectl, refer to your Kubernetes documentation.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 97 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

l

Helm - the package manager for Kubernetes. For more information about Helm, refer to the Helm

documentation at https://helm.sh/docs/.

The Helm CLI tool uses kubectl for all its interactions with Kubernetes clusters, so download and

install these two software packages on the same machine.

Downloading in Windows PowerShell

To download kubectl and Helm in Windows:

1. In PowerShell, enter the following to download kubectl for Windows and add it to $PATH:

mkdir C:\docker\tools

cd C:\docker\tools Invoke-WebRequest `

-Uri https://dl.k8s.io/release/v1.20.0/bin/windows/amd64/kubectl.exe `

-OutFile .\kubectl.exe;

$env:Path += ";C:\docker\tools"

[Environment]::SetEnvironmentVariable("Path", $env:Path,

[EnvironmentVariableTarget]::Machine)

[Environment]::SetEnvironmentVariable("Path", $env:Path,

[EnvironmentVariableTarget]::User)

2. Enter the following to download and install Helm for windows:

Invoke-WebRequest `

-Uri https://get.helm.sh/helm-v3.5.1-windows-amd64.zip `

-OutFile .\helm-v3.5.1-windows-amd64.zip;

Unzip and copy helm.exe into: C:\docker\tools

rm .\helm-v3.5.1-windows-amd64.zip;

3. Enter the following to determine if the kubeconfig file points to the correct cluster:

kubectl cluster-info

Tip: You can change the default cluster by way of the kubectl config set-context

command.

If you are using the Azure command-line interface (CLI), then you can use the following

command:

az aks get-credentials --resource-group <resource-group-name>

--name <Kubernetes-cluster-name>

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 98 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Downloading in Linux

To download kubectl and Helm in Linux:

1. Enter the following to download and install kubectl in Linux:

curl -LO "https://dl.k8s.io/release/$(curl -L -s

https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

2. Enter the following to download and install Helm in Linux:

wget https://get.helm.sh/helm-v3.5.0-linux-amd64.tar.gz

tar -xzf helm-v3.5.0-linux-amd64.tar.gz

cd ./<helm-tar-dir>

sudo install -o root -g root -m 0755 helm /usr/local/bin/helm

Deploying HAProxy in Kubernetes

The HAProxy Kubernetes ingress controller provides a way to route traffic into your Kubernetes

cluster while providing load balancing and other features.

Important! Fortify recommends that the HAProxy ingress controller be deployed only by users

who have experience configuring and managing Kubernetes clusters.

For more information, refer to your Kubernetes documentation.

Before You Begin

Ensure that you have downloaded and configured the prerequisite software. For more information,

see "Downloading kubectl and Helm" on page 97.

Guideline for Configuring HAProxy in Azure

ScanCentral DAST integration with Kubernetes does not require an external or public IP address. Use

caution with your ingress controller configuration to ensure that you do not expose the ingress

controller into the Internet. This exposure will not happen in local Kubernetes clusters. However, an

Azure ingress controller could be exposed to the Internet using a public IP address.

To prevent using a public IP address in Azure, use the following command for HAProxy Helm install:

--set-string

controller.service.annotations.'service\.beta\.kubernetes\.io/azure-load-

balancer-internal'=true"

For details about using an ingress controller with restricted public access in Azure, refer to Microsoft

documentation.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 99 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Deploying HAProxy Ingress Controller

To deploy the HAProxy ingress controller:

l

On the machine where the kubectl client and Helm are installed, enter the following in PowerShell:

kubectl label node <node-name> role=ingress-controller

helm repo add haproxy-ingress https://haproxy-ingress.github.io/charts

helm install haproxy-ingress haproxy-ingress/haproxy-ingress `

--create-namespace --namespace=ingress-controller `

--set controller.hostNetwork=true `

--set controller.nodeSelector.role=ingress-controller `

--set controller.service.type=LoadBalancer `

--set-string controller.service.annotations.'service\.beta\.

kubernetes\.io/azure-load-balancer-internal'=true

To confirm that the HAProxy ingress has started:

l

Enter the following in PowerShell:

kubectl --namespace ingress-controller get services haproxy-ingress -o

wide

You should see a response similar to the following:

NAME

TYPE

CLUSTER-IP

AGE

EXTERNAL-IP

PORT(S)

haproxy-ingress

LoadBalancer

<ip_address> <Pending>

80:31255/TCP,443:30766/TCP

34s

Deploying the Kubernetes Metrics Server

Before you can deploy the WebInspect script engine (WISE) Docker container, you must deploy the

Kubernetes Metrics Server to handle horizontal auto scaling for the Kubernetes WISE pods. The

Metrics Server measures resource allocations, such as CPU and RAM, for nodes and pods. It provides

information for Kubernetes Wise pods horizontal auto scaling to increase the number of pods during

loading or decrease the number to the wise.replicas.min setting when there is no loading. For

more information, see "Understanding the Parameters for WISE Deployment" on page 104.

Before You Begin

Ensure that you have downloaded and configured the prerequisite software. For more information,

see "Downloading kubectl and Helm" on page 97.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 100 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Deploying the Metrics Server

For Azure Kubernetes, the Metrics Server is installed by default. For local Kubernetes cluster

installation, however, this component may need to be installed manually.

To deploy the Metrics Server to Kubernetes:

l

On the machine where the kubectl client and Helm are installed, enter the following in PowerShell:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/

releases/latest/download/components.yaml

Confirming the Metrics Server Installation

To confirm that the Metrics Server exists and is working:

1. Enter the following in PowerShell:

kubectl top nodes

You should see a response similar to the following:

NAME

CPU(cores)

141m

CPU%

3%

MEMORY(bytes)

1550Mi

MEMORY%

19%

rbp-main

rbp-node1

rbp-node2

45m

0%

1476Mi

9%

47m

0%

1519Mi

9%

2. Enter the following:

kubectl top po

You should see a response similar to the following:

NAME

CPU(cores)

MEMORY(bytes)

96Mi

wise-cluster-deployment-7747bb68b5-7q8m7

wise-cluster-deployment-7747bb68b5-wl79m

2m

99Mi

Note: You can use the kubectl top po command to return the CPU and memory metrics for

the WISE pods after WISE has been installed as described in "Deploying WISE in Kubernetes"

below.

Deploying WISE in Kubernetes

The WebInspect script engine (WISE) is a Docker container that provides a remote script server client

for the Fortify WebInspect sensor.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 101 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Important! Fortify recommends that the WISE cluster be deployed only by users who have

experience configuring and managing Kubernetes clusters.

Before You Begin

Ensure that you have downloaded and configured the prerequisite software. For more information,

see "Downloading kubectl and Helm" on page 97.

The wise-cluster-22.2.tgz file that you use to install WISE is included in the Fortify Software

Security Center download package. It is packaged in a ZIP file named Dynamic_Addons.zip. You can

find this ZIP file in the directory where you downloaded the Fortify Software Security Center

installation package.

Additionally, ensure that you have deployed the Kubernetes Metrics Server to handle horizontal auto

scaling for the Kubernetes WISE pods. For more information, see "Deploying the Kubernetes Metrics

Server" on page 100.

Using the Default Parameters

To deploy the WISE cluster in Kubernetes using the default parameters:

l

On the machine where the kubectl client and Helm are installed, enter the following in PowerShell:

helm install wi-script-engine wise-cluster-22.2.tgz

Viewing the Default Parameters

To view the default parameters in the TGZ file:

l

Enter the following in PowerShell:

helm show values wise-cluster-22.2.tgz

You should see a response similar to the following:

# Default values for wise-cluster.

# This is a YAML-formatted file.

# Declare variables to be passed into wise-cluster templates.

wise:

authtoken: ""

nodeSelector: ""

replicas:

min: 2

max: 10

autoscale: true

cpu:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 102 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

cores: "4"

ingress:

host: "wise-cluster"

image:

repository: "fortifydocker/wise"

tag: "22.2.ubuntu.1804"

pull:

policy: IfNotPresent

secret: wise-regcred

registry: "https://index.docker.io/v1/"

username: ""

password: ""

Overriding the Default Parameters

To override any of the default values, use the --set command with the parameter name and desired

value for each parameter to override as shown in the following example:

helm install wi-script-engine wise-cluster-22.2.tgz `

--set wise.image.pull.registry=<container_registry> `

--set wise.image.repository=fortifydocker/wise `

--set wise.image.pull.username=<username> `

--set wise.image.pull.password=<password> `

--set wise.image.tag=<tagname> `

--set wise.replicas.min=2 `

--set wise.ingress.host=<hostname> `

--set wise.authtoken=<token>

Tip: For Helm in PowerShell, the backtick character (`) at the end of each line is the new line

character. For Helm in Linux, the backslash character (\) is the new line character.

Installing WISE Into a Kubernetes Namespace

By default, the helm install wi-script-engine... command installs WISE into the Kubernetes

default namespace. If your organization uses Kubernetes namespaces, you can create a new

namespace and install WISE into it, or install WISE into an existing namespace.

Important! If you install WISE into a specific namespace, then all kubectl and Helm commands for

managing the WISE installation must contain --namespace=<wise_namespace>. For example:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 103 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

helm ls --namespace=<wise_namespace>

kubectl get po --namespace=<wise_namespace>

To create a namespace and install WISE:

l

Add the following command to the helm install... command, either before or after the --set

commands:

--create-namespace --namespace=<wise_namespace> `

The namespace is created and WISE is installed into it.

You can also view a list of your existing namespaces and choose a namespace for your WISE

installation.

To view existing namespaces:

l

Enter the following in PowerShell:

kubectl get ns

You should see a response similar to the following:

NAME

STATUS

Active

AGE

54d

default

ingress-controller

kube-node-lease

kube-public

kube-system

To install WISE into an existing namespace:

l

Add the following command to the helm install... command, either before or after the --set

commands:

--namespace=<wise_namespace> `

Understanding the Parameters for WISE Deployment

The following table describes the parameters that are used to deploy the WISE cluster.

Parameter

Description

Optionally, specifies the Docker registry for a private

wise.image.pull.registry

repository. For example, if you use Azure and have created an

Azure container registry to keep images that will be used in

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 104 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

your Azure Kubernetes installation, you might specify

something similar to

.

myreg.azurecr.io

Identifies the Docker repository username used to pull the

WISE image.

wise.image.pull.username

wise.image.pull.password

wise.image.repository

Identifies the Docker repository password used to pull the

WISE image.

Specifies the Fortify Docker repository from which to pull the

WISE image. This is fortifydocker/wise.

Note: If you use a private repository, you might specify

something similar to myreg.azurecr.io/wise.

Specifies the WISE Docker image build and the operating

system on which it was built.

wise.image.tag

Indicates the minimal number of WISE Kubernetes pods that

will be started.

wise.replicas.min

Consider the following facts when configuring this parameter:

l

If the wise.replicas.min setting is higher than

Kubernetes cluster hardware resources can handle, then

Kubernetes will not start all pods and their state will be set

to "Pending." Kubernetes horizontal pods auto-scaler will not

reduce the number of WISE pods lower than the configured

wise.replicas.min setting.

l

If the wise.replicas.min setting is too low and

Kubernetes cluster still has free resources during WISE

cluster loading, then Kubernetes horizontal pods auto-scaler

will increase the number of replicas.

Specifies the ingress virtual wise cluster hostname.

wise.ingress.host

Important! You can use any hostname value, but you must

configure your DNS server or the hostfile on your Fortify

WebInspect sensor client box to associate it with the IP

address of the Kubernetes node that runs the HAProxy

ingress.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 105 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Optionally, specifies authentication for the WISE cluster. If the

authtoken is configured, then Fortify WebInspect sensor clients

will be required to provide an authtoken.

wise.authtoken

Tip: Make note of this token. You must enter it when

configuring your sensor pools for scan scaling.

Uninstalling WISE

To uninstall WISE:

l

Enter the following in PowerShell:

helm uninstall wi-script-engine

Installing the Sensor into the Kubernetes Cluster

If you are integrating ScanCentral DAST with Kubernetes, and the Kubernetes cluster supports both

Windows and Linux nodes on the same subnet, then you can install the Fortify WebInspect sensor

into the Kubernetes cluster using WebInspect Helm Charts. For more information, see "Integrating

with Kubernetes for Scan Scaling" on page 95.

Before You Begin

Ensure that you have downloaded and configured the prerequisite software. For more information,

see "Downloading kubectl and Helm" on page 97.

The wi-22.2.0.tgz file that you use to install the sensor is included in the Fortify Software Security

Center download package. It is packaged in a ZIP file named Dynamic_Addons.zip. You can find this

ZIP file in the directory where you downloaded the Fortify Software Security Center installation

package.

Installing the Sensor

To install the Fortify WebInspect sensor into the Kubernetes cluster:

1. On the machine where the kubectl client and Helm are installed, enter the following in

PowerShell:

helm install webinspect wi-22.2.0.tgz `

--set wi.mode=3 `

--set wi.image.pull.registry=<container-registry>`

--set wi.image.pull.username=<username> `

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 106 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

--set wi.image.pull.password=<password> `

--set wi.image.repository=fortifydocker/webinspect `

--set wi.image.tag=<tagname> `

--set wi.lim.url=http://<server-url>/<service-directory>/ `

--set wi.lim.pool=<PoolName> `

--set wi.lim.pswd=<PoolPassword> `

--set wi.ingress.host=wi-api `

--set dast.api.url="http://<dast_api_url>/api"

--set dast.api.token="<dast_api_service_token>"

--set dast.api.cert.validation="false"

Tip: For Helm in PowerShell, the backtick character (`) at the end of each line is the new line

character. For Helm in Linux, the backslash character (\) is the new line character.

For descriptions of the parameters used in this Step, see "Understanding the Helm Parameters"

below.

2. To verify that Helm installed WebInspect correctly, enter the following:

helm ls

You should see a response similar to the following:

NAME

NAMESPACE

default

STATUS

CHART

APP VERSION

2x.x.x

webinspect

deployed

wi-2x.x

3. To verify that Kubernetes was able to pull the WebInspect image and start the pod, enter the

following:

kubectl get po

You should see a response similar to the following:

NAME

READY

1/1

STATUS

RESTARTS

0

AGE

31s

wi-deployment-b78f55f7-5n284

Running

Tip: To troubleshoot a response that shows the deployment is not running, enter the following:

kubectl describe po <Pod_Name>

You should see error details regarding why the pod failed to start in the event logs that are

returned.

Understanding the Helm Parameters

The following table describes the parameters that are used to install the sensor.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 107 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Tip: To view all configurable parameters and their default values, use the helm show values

.\ command.

Parameter

Description

Specifies the operation mode for the Docker image. Supported

modes for ScanCentral DAST are:

wi.mode

l

2 - WebInspect API mode

l

3 - ScanCentral DAST mode

Optionally, specifies the Docker registry for a private

repository. For example, if you use Azure and have created an

Azure container registry to keep images that will be used in

your Azure Kubernetes installation, you might specify

wi.image.pull.registry

something similar to myreg.azurecr.io.

Note: This is not needed if you use the default

fortifydocker/webinspect repository on Docker Hub.

Identifies the Docker repository username used to pull the

WebInspect image.

wi.image.pull.username

wi.image.pull.password

wi.image.repository

Identifies the Docker repository password used to pull the

WebInspect image.

Specifies the Fortify Docker repository from which to pull the

WebInspect image. This is fortifydocker/webinspect.

Note: If you use a private repository, you might specify

something similar to myreg.azurecr.io/webinspect.

Specifies the WebInspect Docker image tag.

wi.image.tag

wi.lim.url

Specifies the site from which Fortify WebInspect will get a

license. The default <service-directory> is LimService.

Specifies the LIM pool name.

wi.lim.pool

Specifies the LIM Pool password.

wi.lim.pswd

Allows the WebInspect sensor to be exposed by way of the

Kubernetes ingress using any host name that can be resolved

to the Kubernetes ingress node IP.

wi.ingress.host

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 108 of 338

Configuration and Usage Guide

Chapter 2: Configuring the ScanCentral DAST Environment

Parameter

Description

Allows Kubernetes to restrict deployment of the WebInspect

pod to specific nodes. Example:

wi.nodeSelector

--set wi.nodeSelector="agentpool: wipool"

dast.api.url

Specifies the DAST API URL. This is required for mode 3.

Specifies the required DAST API service token.

dast.api.token

Important! This is the Authorization Token you will use

to authenticate to the DAST API when configuring Scan

Scaling for a sensor pool.

Optionally, indicates if the DAST API uses a self-signed

dast.api.cert.validation

certificate for testing. Values are true or false.

Uninstalling the Sensor from the Kubernetes Cluster

To uninstall the sensor:

l

Enter the following in PowerShell:

helm uninstall webinspect

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 109 of 338

Chapter 3: Understanding the User Interface

After you configure your Fortify ScanCentral DAST environment and enable DAST in the

ADMINISTRATION view in Fortify Software Security Center, you can work with the following items

directly in Fortify Software Security Center:

l

DAST scans

l

Sensors

l

Sensor pools

l

Settings

l

Scan schedules

Depending on your permissions in Fortify Software Security Center, you may also be able to work with

the following global settings:

l

Deny intervals

l

Custom policies

l

Base settings

l

Application settings

l

Two-factor authentication

l

Global restrictions

l

Auto Scale Job Templates

Global settings are those that apply or may apply to all of your applications, scans, scan schedules,

sensors, or sensor pools.

ScanCentral DAST User Interface

The following image shows the Fortify ScanCentral DAST user interface in Fortify Software Security

Center.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 110 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

The following table describes the areas called out in the previous image.

Item

Description

1

The left panel allows you to navigate to the Fortify ScanCentral DAST pages that are

available in Fortify Software Security Center.

2

The detail panel displays additional information about the item selected in the list.

Scan Visualization

When you open a scan, the scan appears on a new tab in your browser. The following image shows the

default view for an open scan.

The following table describes the display areas of the default view for an open scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 111 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Item

1

Description

Site Tree (see "Working with the Site Tree" on page 199)

Findings, Traffic, and SPA Coverage tabs

2

Note: The SPA Coverage tab is available only for scans that include SPA events.

3

4

Findings, Traffic, and SPA Coverage table views

(See "Understanding the Findings Table" on page 200, "Understanding the Traffic Table"

on p age 203 , and "Understanding SPA Coverage" on p age 206 )

Steps tab

(See "Working with Findings" on page 202 and "Working with Traffic" on page 205)

5

6

Vulnerability Description, HTTP, and Parameter tabs

Vulnerability Description, HTTP, and Parameter detail views

(See "Working with Findings" on page 202 and "Working with Traffic" on page 205)

Resizing the Display Areas

You can resize the Site Tree, the Findings, Traffic, and SPA Coverage view, and the Vulnerability

Description, HTTP, and Parameter view.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 112 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

To resize an area:

l

Drag the display area border either right or left to the width you want.

Hiding and Showing a Display Area

By default, the Site Tree and the Vulnerability Description, HTTP, and Parameter view are visible

when you open a scan. You can hide the Site Tree and the Vulnerability Description, HTTP, and

Parameter view.

To hide an area:

l

To hide the Site Tree, click the collapse icon ( ).

l

To hide the Vulnerability Description, HTTP, and Parameter view, click the collapse icon ( ).

To show an area:

l

To show the Site Tree, click the expand icon ( ).

l

To show the Vulnerability Description, HTTP, and Parameter view, click the expand icon ( ).

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 113 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Working with Tables

Much of the data available in ScanCentral DAST is presented in tables. You can customize those

tables and then save the customized views. Table preferences are saved per user.

The factory default view is named DEFAULT. You can edit the default view or use the default view to

create custom views.

Customizing Table Views

You can edit existing views or create new views in the table preferences panel.

The table preferences panel allows you to customize the following:

l

Filtering (see "Understanding Basic Filters in Tables" on page 117 and "Understanding Advanced

Filters in Tabl es" on page 120 )

l

Sorting (see "Sorting Data in Columns" on page 123)

l

Items Per Page (see "Viewing Content on Multiple Pages" on page 125)

l

Columns to Display (see "Managing Columns in Tables" on the next page)

Note: Not all preference options are available for all tables. Some tables include only a subset of

the preferences.

Updating or Creating a View

After making changes to an existing view, you can either update the existing view or create a new

view.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 114 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

To update the original view with the new settings:

l

In the table preferences panel, click UPDATE <VIEW NAME>.

To create a new view using the new settings:

1. In the table preferences panel, click CREATE VIEW.

The CREATE VIEW dialog box opens.

2. In the View name box, type a name for the new view.

3. (Optional) To make the new view the default view, select Make default.

4. Click OK.

Selecting a Different View

To select an existing view:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the VIEWS list, select a view.

Note: If you have unsaved changes in the current view and attempt to switch views, you will

be prompted that the changes will be lost.

3. Click OK.

Managing Columns in Tables

You can customize the order in which columns appear in tables, as well as change the columns to

display in tables.

Rearranging the Columns

You can rearrange the order in which the columns appear in the table.

To move a column:

1. Click the column heading that you want to move.

2. Drag the column right or left and drop it into its new position.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 115 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Note: You cannot move the column of check boxes or columns containing icons, such as the

download ( ) and publish ( ) icons.

Adding and Removing Columns

You can use the table preferences panel to select which columns of data you want visible in the table.

To add or remove displayed columns:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the COLUMNS TO DISPLAY area, do the following:

l

Select the column checkbox to display the column.

l

Clear the column checkbox to hide the column.

3. Click OK.

When New Columns Are Available

If you have customized a table view, such as added or removed columns, rearranged the order of

columns, changed the sort order, and so forth, then when new columns of data are added to the table,

you will not see them by default. Instead, the following message will appear near the top of the page:

New columns are available for the <table_name> table.

To view the new columns:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 116 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

l

Click the table preferences icon ( ).

The table preferences panel opens.

To clear the message:

l

Click OK.

The message is cleared and will not appear again for the selected table unless new columns are

added in a future update.

Understanding Basic Filters in Tables

Basic filtering allows you to filter on certain columns of data in the Scans and Settings List tables.

You can filter data in the Scans table by application, version, name, or URL. You can also filter by scan

start date, end date, date range, scan status, or a combination thereof.

You can filter data in the Settings List table by name, application, or version. You can also filter by

scan start date, end date, date range, scan type, or a combination thereof.

Additionally, you can combine filtering by Application, Version, Name, or URL with Date, Scan Status,

or Scan Type.

Guidelines

The following guidelines apply to basic filtering:

l

You can use partial words for filtering. For example, using the filter criteria "che" includes the

application named "OnlineParcheesi" and scans named "Allchecks" in the filter results.

l

You cannot use wildcard characters, such as the asterisk (*), as placeholders.

l

You cannot use regular expressions.

Using Basic Filters in Tables

This topic describes how to access the basic filter user interface, specify filter criteria, and clear filters.

Accessing the Basic Filter Feature

You can access the basic filter feature in the table preferences panel for the Scans table and the

Settings List table.

To access the basic filter feature:

l

In the Scans or Settings List table view, click the table preferences icon ( ).

The table preferences panel opens.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 117 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Specify the filter criteria in the FILTER area as described in "Filtering by Application, Version, Name,

or URL" below and "Filtering by Date, Scan Status, or Scan Type" below .

Filtering by Application, Version, Name, or URL

You can use filter criteria to filter across the Application, Version, Name, and URL columns of data in

the Scans table. For example, if you use the filter criteria "OurEstore," then all applications named

"OurEstore" and all scans named "OurEstore" will be included in the filtered data. Similarly, you can

filter across the Name, Application, and Version columns in the Settings List table. This procedure

illustrates filtering in the Scans table, but it also works in the Settings List table.

To filter by application, version, name, or URL:

1. In the FILTER area, type the filter criteria into the Filter box.

Note: Type only one application, one version, one name, or one URL. Do not combine filter

criteria in the Filter box.

2. Click OK.

The table displays the data matching the filter criteria in any of the four columns.

Tip: To combine filtering by Application, Version, Name, or URL with Date, Scan Status, or Scan

Type, proceed to "Filtering by Date, Scan Status, or Scan Type" below before you click OK.

Filtering by Date, Scan Status, or Scan Type

You can filter by date range, specific date, scan status, or a combination of date and scan status in the

Scans table. Similarly, you can filter by date range, specific date, scan type, or a combination of date

and scan type in the Settings List table. However, when you filter on a date in the Settings List table,

you are filtering on the Modified date column. This procedure describes filtering in either the

Scans table or the Settings List table.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 118 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

To filter by date or Scan Status or Scan Type:

1. In the FILTER area, continue according to the following table.

To filter by...

Then...

A date range

Select a range from the Date Range list. Options are This week,

This month, Last year, and Custom Range.

If you select Custom Range, type dates for the range in the Start

date and End date fields.

Tip: Click the calendar icon ( ) to select dates from a

calendar.

Scan status in the Scans

list

Select a scan status from the Scan Status list.

A date range and scan

status in the Scans list

Select a range from the Date Range list and a scan status from

the Scan Status list.

Scan type in the

Settings List

Select a scan type from the Scan Type list.

A date range and scan

type in the Settings List

Select a range from the Date Range list and a scan status from

the Scan Status list.

2. Click OK.

Clearing the Filter

Active filters appear as tiles at the top of the table. For basic filters, the filter value is listed in each

filter tile.

To clear a filter:

l

Click the remove filter icon ( ) on the filter tile.

To clear all filters:

l

Click the clear filters icon ( ).

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 119 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Important! Making changes outside of the table preferences panel adds a save table preferences

icon ( ) to the left of the table preferences icon. Clicking the save table preferences icon saves

the changes to the current view.

Understanding Advanced Filters in Tables

Advanced filtering allows you to construct filters using fields, operators, and conditions. The Findings

and Traffic tables of a completed scan offer advanced filtering.

Important! Bear in mind that selecting a resource in the Site Tree filters data to that resource in

the Findings and Traffic tables. Advanced filters are then applied to the data that is already

filtered.

Understanding the Operators

The following table describes the operators that are available for each type of data in advanced

filtering.

Data Type

1

Operator

String

Numeric

Date/Time

Enum

Equal

x

Not Equal

x

Less Than

Less Than or Equal

Greater Than

Greater Than or Equal

Between

Contains

x

Starts With

Ends With

1

Enumerator data consists of a key-value pair and is always presented as a list for filtering.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 120 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Understanding Conditions and Field Filters

Field filters are treated as AND filters. For example, creating a field filter for a Severity of "High" and a

field filter for a Method of "GET" filters in all records with a Severity of High AND a Method of GET.

For each field filter, you can add conditions. These conditions are treated as OR. For example, creating

a field filter for a Severity of "High" and adding a condition for a Severity of "Medium" filters in all

records with either a Severity of High or of Medium.

Using Advanced Filters in Tables

This topic describes how to access the advanced filter user interface, construct filters, and clear filters.

Accessing the Advance Filter Feature

You can access the advanced filter feature in the table preferences panel for the Findings table and

the Traffic table.

To access the advance filter feature:

1. In the Findings or Traffic table of an open scan, click the table preferences ( ) icon.

The table preferences panel opens.

2. In the FILTER area, click ADD FILTER.

The ADVANCED FILTER dialog box opens.

Creating an Advanced Filter

You can create an advanced filter by specifying a field, an operator, and one or more values.

To create an advanced filter in the ADVANCED FILTER dialog box:

1. In the Field list, select a field to filter.

2. In the Operator box, select an operator. For more information, see the "Understanding the

Operators" on the previous page.

3. In the box to the right of the operator, select a value from the list or type a text string.

4. Do you want to add another condition to the current filter?

l

If yes, click ADD CONDITION, and repeat steps 2 and 3.

Note: Each condition is treated as an "OR" condition. For more information, see

"Understanding Conditions and Field Filters" above.

l

If no, go to step 5.

5. Click OK.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 121 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Editing an Advanced Filter Condition

You can edit the conditions for an advanced filter.

To edit a condition:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the FIELD FILTERS area, click the edit filter icon for the condition you want to edit.

The ADVANCED FILTER dialog box opens.

3. Make edits as needed.

4. Click OK.

Removing an Advanced Filter Condition

You can remove a condition for an advanced filter.

To remove a condition:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the FIELD FILTERS area, click the edit filter icon.

The ADVANCED FILTER dialog box opens.

3. In the ADVANCED FILTER dialog box, click the remove condition icon ( ) next to condition to

delete.

The condition is removed.

4. Click OK.

Clearing Filters

Active filters appear as tiles at the top of the table. For advanced filters, the field name is listed in

each filter tile.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 122 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

To clear a filter:

l

Click the remove filter icon ( ) on the filter tile.

To clear all filters:

l

Click the clear filters icon ( ).

Important! Making changes outside of the table preferences panel adds a save table preferences

icon ( ) to the left of the table preferences icon. Clicking the save table preferences icon saves

the changes to the current view.

To clear a filter from the table preferences:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the FIELD FILTERS area, click the delete filter icon.

The filter is deleted.

3. Click OK.

Sorting Data in Columns

By default, columns of text in tables are listed in alphabetical order, columns of dates are in

chronological order, and columns of numerical data are in numerical order. You can change the sorting

directly in the table or in the table preferences panel.

Important! Making changes outside of the table preferences panel adds a save table preferences

icon ( ) to the left of the table preferences icon. Clicking the save table preferences icon saves

the changes to the current view.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 123 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Known Issue with Sorting

In some columns, ascending and descending sorting sorts on a numeric value in the database, rather

than on the alphabetical order of the text displayed. Therefore, sorting order may not appear as

expected. For example, when sorting the sensor Status column in ascending order, one would expect

to see the following alphabetical order:

l

Offline

l

Online

However, the sort order is based on the numeric values of 1 and 2 in the DAST database, rendering

the following sort order:

l

Online (represented by 1 in the database)

l

Offline (represented by 2 in the database)

Sorting Directly in the Table

To change the sort order on any column of data:

l

Click the column name.

The arrow next to the column name indicates the new sort order.

To reverse the current sort order:

l

Click the column name again.

The arrow next to the column name indicates the reverse sort order.

To clear the sorting:

l

Click the column name a third time.

The arrow next to the column name disappears.

Sorting in the Table Preferences Panel

To sort table data in the table preferences panel:

1. Click the table preferences icon ( ).

The table preferences panel opens.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 124 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

2. In the default sort list of the CURRENT SORT area, select a column to sort.

Note: If a column is hidden in the current view, you cannot select the column for sorting.

3. In the default sort direction list, do one of the following:

l

Select asc for ascending sort order.

l

Select desc for descending sort order.

4. Click OK.

Searching in Input Boxes

When search is available for an input box, a search tip appears in the box as shown below.

To search:

l

Type the search criteria in the input box, and then click the search icon ( ).

Clearing Data from Input Boxes

For any input box in which you entered search criteria or for which you selected recently used data,

such as recently used options from a drop-down list box, you can quickly clear the data without

manually deleting it.

To clear data from an input box:

l

Click the Clear ( ) icon.

Viewing Content on Multiple Pages

If you have multiple pages of content, you can use the page navigation options to change the number

of items displayed per page and navigate through the pages.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 125 of 338

Configuration and Usage Guide

Chapter 3: Understanding the User Interface

Changing the Number of Items Displayed

The default number of items displayed per page is 100. You can change the number to 5, 10, 25, or

50.

To change the number of items displayed:

l

Select a number from the Items per page drop-down list.

Important! Making changes outside of the table preferences panel adds a save table

preferences icon ( ) to the left of the table preferences icon. Clicking the save table

preferences icon saves the changes to the current view.

Navigating Multiple Pages

When the number of items you are viewing spans multiple pages, you can navigate through the pages

using the page navigation icons.

To view the next page of items:

l

Click the Next page ( ) icon.

To view the previous page of items:

l

Click the Previous page ( ) icon.

Changing the Number of Items Displayed in the Table

Preferences Panel

To change the number of items listed per page in the table preferences panel:

1. Click the table preferences icon ( ).

The table preferences panel opens.

2. In the default items per page list in the ITEMS PER PAGE area, select the number of items to

view.

3. Click OK.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 126 of 338

Chapter 4: Configuring a Scan

Use the Settings Configuration wizard to configure a Fortify ScanCentral DAST scan of your Web

application, API, and Web services to assess potential security flaws. A ScanCentral DAST scan is an

automated scan of your Web application and Web services, rather than a scan of your code. It is

designed to apply attack algorithms to locate vulnerabilities, determine their severity, and provide the

information you need to fix them.

What is a Scan?

The ScanCentral DAST sensor, which is a Fortify WebInspect sensor, uses two basic modes for

determining the security weaknesses of your Web application and Web services:

l

Crawl - The process by which the sensor identifies the structure of the target Web site. In essence,

a crawl runs until no more links on the URL can be followed.

l

Audit - The actual vulnerability assessment.

A scan can combine the application crawl and audit phases into a single fluid process, or it can be a

crawl-only or an audit-only scan. The scan is refined based on real-time audit findings, resulting in a

comprehensive view of an entire Web application’s attack surface.

Important Consideration About API Definition Files

The WebInspect sensor attempts to generate the definition from the URL provided in the settings. It

assumes that the API endpoint is the same URL, but without the definition file name. If your service is

at the same location as your definition file, which is generally the case for GraphQL, then providing a

URL will work. However, the definition may be in a different location for SOAP and gRPC.

Important Information About gRPC Proto Files

All gRPC proto files must be self-contained. Any imports must be to internally recognized resources

and not to user-generated files. The WebInspect sensor cannot identify file paths from imported proto

files. If such files are used, the scan will fail to generate the client and will be interrupted. If additional

imports are needed, they must be combined with the primary proto file into a "master" proto file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 127 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Known Limitations of gRPC Scans

Be aware of the following known limitations associated with gRPC scans:

l

A Fortify WebInspect sensor installed on Windows 11 or a Linux version of the sensor is required

for conducting scans of gRPC APIs.

l

You must use a Linux version of the Fortify WebInspect sensor to conduct a scan of a gRPC API

running on a server with unencrypted HTTP/2 (H2C).

Preparing Your System for Audit

The Fortify WebInspect sensor is an aggressive web application analyzer that rigorously inspects your

entire website for real and potential security vulnerabilities. This procedure is intrusive to varying

degrees. Depending on which Fortify ScanCentral DAST policy you apply and the options you select,

it can affect server and application throughput and efficiency. When using the most aggressive

policies, Fortify recommends that you perform this analysis in a controlled environment while

monitoring your servers.

Sensitive Data

The WebInspect sensor captures and displays all application data sent between the application and

server. It might even discover sensitive data in your application that you are not aware of. Fortify

recommends that you follow one of these best practices regarding sensitive data:

l

Do not use potentially sensitive data, such as real user names and passwords, while testing with the

WebInspect sensor.

l

Do not allow ScanCentral DAST scans, related artifacts, and data stores to be accessed by anyone

unauthorized to access potentially sensitive data.

Network authentication credentials are not displayed in ScanCentral DAST and are encrypted when

stored in settings.

Firewalls, Anti-virus Software, and Intrusion Detection Systems

The WebInspect sensor sends attacks to servers, and then analyzes and stores the results. Web

application firewalls (WAF), anti-virus software, firewalls, and intrusion detection/prevention systems

(IDS/IPS) are in place to prevent these activities. Therefore, these tools can be problematic when

conducting a scan for vulnerabilities.

First, these tools can interfere with the WebInspect sensor's scanning of a server. An attack that the

WebInspect sensor sends to the server can be intercepted, resulting in a failed request to the server. If

the server is vulnerable to that attack, then a false negative is possible.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 128 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Second, results or attacks that are in the ScanCentral DAST product, cached on disk locally, or in the

database can be identified and quarantined by these tools. When working files used by the

WebInspect sensor or data in the database are quarantined, the sensor can produce inconsistent

results. Such quarantined files and data can also cause unexpected behavior.

These types of issues are environmentally specific, though McAfee IPS is known to cause both types

of problems, and any WAF will cause the first problem. Fortify has seen other issues related to these

tools as well.

If such issues arise while conducting a scan, Fortify recommends that you disable WAF, anti-virus

software, firewall, and IDS/IPS tools for the duration of the scan. Doing so is the only way to be sure

you are getting reliable scan results.

Effects to Consider

During an audit of any type, the WebInspect sensor submits a large number of HTTP requests, many

of which have "invalid" parameters. On slower systems, the volume of requests may degrade or deny

access to the system by other users. Additionally, if you are using an intrusion detection system, it will

identify numerous illegal access attempts.

To conduct a thorough scan, the WebInspect sensor attempts to identify every page, form, file, and

folder in your application. If the option to submit forms during a crawl of your site is selected, the

sensor will complete and submit all forms it encounters. Although this enables the sensor to navigate

seamlessly through your application, it may also produce the following consequences:

l

If, when a user normally submits a form, the application creates and sends e-mails or bulletin board

postings (to a product support or sales group, for example), the WebInspect sensor will also

generate these messages as part of its probe.

l

If normal form submission causes records to be added to a database, then the forms that the

WebInspect sensor submits will create spurious records.

During the audit phase of a scan, the WebInspect sensor resubmits forms many times, manipulating

every possible parameter to reveal problems in the applications. This greatly increases the number of

messages and database records created.

Helpful Hints

l

For systems that write records to a back-end server (database, LDAP, and so on) based on forms

submitted by clients, some ScanCentral DAST users, before auditing their production system,

backup their database, and then reinstall it after the audit is complete. If this is not feasible, you can

query your servers after the audit to search for and delete records that contain one or more of the

form values submitted by the WebInspect sensor. You can determine these values by opening the

Web Form Editor.

l

If your system generates e-mail messages in response to user-submitted forms, consider disabling

your mail server. Alternatively, you could redirect all e-mails to a queue and then, following the

audit, manually review and delete those e-mails that were generated in response to forms

submitted by the WebInspect sensor.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 129 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

l

The WebInspect sensor can be configured to send up to 75 concurrent HTTP requests before it

waits for an HTTP response to the first request. The default thread count setting is 5 for a crawl

and 10 for an audit (if using separate requestors). In some environments, you may need to specify

a lower number to avoid application or server failure. For more information, see Scan Settings:

Requestor in the Micro Focus Fortify WebInspect User Guide.

l

If, for any reason, you do not want the WebInspect sensor to crawl and attack certain directories,

you must specify those directories in the Basic Exclusions list when configuring your scan. For more

information, see "Creating and Managing Exclusions" on page 163 or "Creating and Managing

Exclusions in Ba se Settings" on page 272 .

l

By default, the WebInspect sensor is configured to ignore many binary files (images, documents,

and so on) that are commonly found in web applications. These documents cannot be crawled or

attacked, so there is no value in auditing them. Bypassing these documents greatly increases the

audit speed. If proprietary documents are in use, determine the file extensions of the documents

and exclude them within the sensor's default settings. For more information, see Scan Settings:

Session Exclusions and Crawl Settings: Session Exclusions in the Micro Focus Fortify WebInspect

User Guide. If, during a crawl, the sensor becomes extremely slow or stops, it may be because it

attempted to download a binary document.

l

For form submission, the WebInspect sensor submits data extracted from a prepackaged file. If you

require specific values (such as user names and passwords), you must create a file with Fortify’s

Web Form Editor and identify that file to the WebInspect sensor. For more information, see the

Micro Focus Fortify WebInspect Tools Guide.

l

The WebInspect sensor tests for certain vulnerabilities by attempting to upload files to your server.

If your server allows this, the sensor will record this susceptibility in its scan report and attempt to

delete the file. Sometimes, however, the server prevents file deletion. For this reason, search for

and delete files with names that start with "CreatedByHP" as a routine part of your post-scan

maintenance.

Accessing Settings Configuration from Software

Security Center

You can access the Settings Configuration wizard and configure a ScanCentral DAST scan from

Fortify Software Security Center.

Accessing from the DAST Scans List

To access the Settings Configuration wizard from the ScanCentral DAST Scans list:

1. Select SCANCENTRAL > DAST.

The scans list appears.

2. On the Scans list, click + NEW SCAN.

The Settings Configuration wizard opens.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 130 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Accessing from the Settings List

To access the Settings Configuration wizard from the ScanCentral DAST Settings List page:

1. Select SCANCENTRAL > DAST.

The scans list appears.

2. In the left panel, select Settings List.

3. Click + NEW SETTINGS.

The Settings Configuration wizard opens.

Restricting or Allowing Edits

If you have permissions to manage restricted scan settings, then you can restrict the editing of

settings. If a setting is already restricted, you can allow editing.

To restrict editing:

l

Click the restrict <setting name> icon ( ).

To allow editing:

l

Click the allow <setting name> icon ( ).

If you do not have permissions to manage restricted scan settings, then you cannot edit any settings

with the restricted icon ( ).

For more information, see "Permissions in Fortify Software Security Center" on page 35.

What's Next?

Proceed with "Getting Started" below.

Getting Started

To configure a ScanCentral DAST scan:

1. In the APPLICATIONS area, select an application from the application Name list.

Tip: To search for an application, type the application name in the Application box, and then

click the search icon ( ).

The APPLICATION VERSIONS area appears.

2. In the APPLICATION VERSIONS area, select a version from the application version Name list.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 131 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Tip: To search for an application version, type the application version name in the

Application version box, and then click the search icon ( ).

The GETTING STARTED area appears with a START list that provides options for creating new

settings or editing existing settings. A RECENT list also appears, displaying recently-opened scan

settings for the specified application and version.

3. Continue according to the following table.

If you want to...

Then...

Configure scan settings for a new scan

Select New settings from the START list.

View and edit existing scan settings from a

template in Fortify Software Security Center

a. Select Open from SSC from the

START list.

A Template list appears.

b. Select the existing settings from the

Template list.

View and edit existing scan settings from

your local machine

a. Select Open file from the START list.

An OPEN button appears.

b. Click OPEN and use the standard

Windows Open dialog box to locate and

open the settings file.

Note: If you import Fortify WebInspect

settings, you will not be able to edit any

settings that are not displayed in the

Settings Configuration wizard. However,

the settings will be used during the scan.

Any settings that you change in the

wizard override the values in the settings

you upload.

View and edit scan settings from base

settings

a. Select Base Settings from the START list.

A Base Settings list appears.

For more information, see "Working with Base

Settings" on page 243.

b. Select the existing settings from the Base

Settings list.

View and edit recently-opened scan settings

for the specified application and version

Select the settings from the RECENT list.

4. Click NEXT.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 132 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

What's Next?

Do one of the following:

l

To configure a standard scan, proceed with "Configuring a Standard Scan" below.

l

To configure a workflow-driven scan, proceed with "Configuring a Workflow-driven Scan" on

page 135.

l

To configure an API scan, proceed with "Configuring an API Scan" on page 137.

Configuring a Standard Scan

A standard scan performs an automated analysis, beginning from the start URL.

To configure a standard scan:

1. On the Target page, click STANDARD SCAN.

2. Select one of the following scan modes:

l

Crawl Only: Maps the hierarchical data structure of the site.

l

Crawl and Audit: Maps the hierarchical data structure of the site and audits each resource

(page).

l

Audit Only: Applies the methodologies of the selected policy to determine vulnerability risks,

but does not crawl the website. This scan mode does not follow or assess links on the site.

3. Type the complete URL or IP address in the Url field.

If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, the sensor

will not scan WWW.MYCOMPANY.COM or any other variation unless you specify alternatives in

the Allowed Hosts setting. For more information, see "Adding and Managing Allowed Hosts" on

page 157.

An invalid URL or IP address will result in an error. If you want to scan from a certain point in your

hierarchical tree, append a starting point for the scan, such as

http://www.myserver.com/myapplication/.

Important! If the URL resolves to an IP address that is not in the valid range for scanning,

then a warning appears. If you start the scan with an IP address that is not in the valid range,

then the scan will stop and a reason will be provided.

Scans by IP address will not follow links that use fully qualified URLs (as opposed to relative

paths).

Note: The sensor supports both Internet Protocol version 4 (IPV4) and Internet Protocol

version 6 (IPV6). You must enclose IPV6 addresses in brackets.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 133 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

4. (Optional) To limit the scope of the scan to a specified area, select Restrict to folder, and from

the list, select one of the following options:

l

Directory only – The sensor crawls and/or audits only the URL that you specify. For example,

if you select this option and specify the URL www.mycompany/one/two/, the sensor will

assess only the "two" directory.

l

Directory and subdirectories – The sensor begins crawling and/or auditing at the URL you

specify, but does not access any directory that is higher in the directory tree.

l

Directory and parent directories – The sensor begins crawling and/or auditing at the URL

you specify, but does not access any directory that is lower in the directory tree.

5. (Optional) To submit the completed scan for triage in Fortify Software Security Center, select

Submit for triage.

Note: Submitting for triage allows you to perform audit analysis of the findings so that you

can assign a user and an analysis value to the findings.

6. Under Audit Depth (Policy), do one of the following:

l

Select a policy from the Policy list.

l

Begin typing the policy name in the Policy list box to filter the list of policy names that begin

with the text that you enter.

Note: The default policies are stored in SecureBase tables in the ScanCentral DAST

database. For more information about the list of default policies, see "Policies" on page 329.

Custom policies are assigned to specific applications and are stored in the ScanCentral DAST

database. Only those custom policies that are assigned to the selected application appear in

the Policy list.

7. Do one of the following:

l

To use a standard user agent, select it from the User Agent list.

Note: Default uses the user agent that is defined in Fortify WebInspect.

l

To use a custom user agent, select Custom from the User Agent list, and then type the user-

agent string in the Custom User Agent box.

Tip: User-agent strings generally use the following format:

<browser>/<version> (<system and browser information>) <platform> (<platform

details>) <extensions>

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 134 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

What’s Next?

Do one of the following:

l

To configure proxy settings for the scan, proceed with "Configuring Proxy Settings" on page 142.

l

To configure authentication for the scan, click NEXT and proceed with "Configuring Authentication

for Standard and Workflow-driven Scans" on page 144.

Configuring a Workflow-driven Scan

A workflow-driven scan audits only those URLs included in a macro that you previously recorded. It

does not follow any hyperlinks encountered during the audit. A logout signature is not required. This

type of macro is used most often to focus on a particular subsection of the application. If you select

multiple macros, all of them will be included in the same scan.

Types of Macros Supported

You can use .webmacro files, HTTP archive (.har) files, or Burp Proxy captures.

Important! If you use a login macro in conjunction with a workflow macro or startup macro or

both, all macros must be of the same type: all .webmacro files, all .har files, or all Burp Proxy

captures. You cannot use different types of macros in the same scan. Likewise, .webmacro login

and workflow files must have been created using the same version of Web Macro Recorder. You

cannot use a login file that was recorded in the Web Macro Recorder with Macro Engine 7.1 and a

workflow file that was recorded in the Session-based Web Macro Recorder.

Configuring a Workflow-driven Scan

To configure a workflow-driven scan:

1. On the Target page, click WORKFLOW-DRIVEN SCAN.

2. Select one of the following scan modes:

l

Crawl Only: Maps the hierarchical data structure of the site.

l

Crawl and Audit: Maps the hierarchical data structure of the site and audits each resource

(page).

l

Audit Only: Applies the methodologies of the selected policy to determine vulnerability risks,

but does not crawl the website. This scan mode does not follow or assess links on the site.

3. Continue according to the following table.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 135 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To...

Then...

Record a workflow macro

Click Open Workflow Macro Recorder 7.1.

Tip: If you have not already downloaded and

installed the Macro Recorder tool, the Open

Workflow Macro Recorder 7.1 link will not open the

tool. You must first download the tool and install it

on your local machine.

Add a macro to the scan settings

a. Click MANAGE.

b. Type a name for the macro in the Name field.

c. Click IMPORT and browse to locate the workflow to

add to the scan settings.

d. Click OK.

e. Repeat steps a through d to add another macro to

the scan settings.

Remove a macro from the list of

macros

a. Select the macro in the macro list.

b. Click REMOVE.

Tip: If a macro contains parameters, a param button appears to the right of the macro name.

Click the button to open the TRU CLIENT PARAMETERS dialog box and enter values to use

during the scan.

4. (Optional) To submit the completed scan for triage in Fortify Software Security Center, select

Submit for triage.

Note: Submitting for triage allows you to perform audit analysis of the findings so that you

can assign a user and an analysis value to the findings.

5. Under Audit Depth (Policy), do one of the following:

l

Select a policy from the Policy list.

l

Begin typing the policy name in the Policy list box to filter the list of policy names that begin

with the text that you enter.

Note: The default policies are stored in SecureBase tables in the ScanCentral DAST

database. For more information about the list of default policies, see "Policies" on page 329.

Custom policies are assigned to specific applications and are stored in the ScanCentral DAST

database. Only those custom policies that are assigned to the selected application appear in

the Policy list.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 136 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

6. Do one of the following:

l

To use a standard user agent, select it from the User Agent list.

Note: Default uses the user agent that is defined in Fortify WebInspect.

l

To use a custom user agent, select Custom from the User Agent list, and then type the user-

agent string in the Custom User Agent box.

Tip: User-agent strings generally use the following format:

<browser>/<version> (<system and browser information>) <platform> (<platform

details>) <extensions>

What’s Next?

Do one of the following:

l

To configure proxy settings for the scan, proceed with "Configuring Proxy Settings" on page 142.

l

To configure authentication for the scan, click NEXT and proceed with "Configuring Authentication

for Standard and Workflow-driven Scans" on page 144.

Configuring an API Scan

For Open API, OData, and Postman scans, the WebInspect sensor creates a macro from the

REST API definition, and then performs an automated analysis. For GraphQL, gRPC, and SOAP scans,

a more traditional scanning method is used.

Important! The DAST Utility Service container must be up and running to configure and run a

Postman scan. Also, if the Postman scan requires a proxy, you must configure the proxy settings

before you validate the Postman collection file(s). For more information, see "Configuring Proxy

Settings" on page 142.

To configure an API scan:

1. On the Target page, click API SCAN.

2. In the Type list, select the API type to be scanned. The options are:

l

GraphQL

l

GRPC

l

OData

l

Open API (also known as Swagger)

l

Postman

l

SOAP

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 137 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Important! If you are configuring a Postman scan while using a classic Fortify WebInspect

installation with the Fortify ScanCentral DAST sensor service, you must install prerequisite

software on the sensor machine. For more information about this and other aspects of using

Postman collection files, including configuring dynamic authentication using dynamic tokens,

see "Scanning with a Postman Collection" on page 322.

3. Continue according to the following table.

For this

API type...

Do this...

GraphQL

GRPC

To use a file:

a. In the Definition list, select File.

b. Click IMPORT and import the definition file.

OData

Open API

Tip: Alternatively, you can paste in the full path to a definition file

that is saved on your local machine.

To use a URL:

a. In the Definition list, select URL.

b. Provide the URL to the API definition file, as shown in the following

examples:

http://172.16.81.36/v1

http://myapi/protos/client.proto

http://myapi/graphql/

c. If HTTP authorization credentials are needed to access the API

definition, enter them in the Authentication Header box, as shown in

the following example:

Basic YWxhZGRpbjpvcGVuc2VzYW1l

Important! This authentication header is used only for accessing

the API definition. It is not carried forward to the Authentication

page of the Settings Configuration wizard. You must configure

network authentication for the scan on the Authentication page.

d. Click VALIDATE to verify that the DAST API can access the definition

file and ensure that it is valid.

Postman

a. Do one of the following:

o

To import a workflow collection, select IMPORT and then import

the Postman collection file.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 138 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

For this

API type...

Do this...

o

To import an authentication collection, select Authentication from

the IMPORT drop-down list, and then import the Postman

collection file.

o

To import an environment file, select Environment from the

IMPORT drop-down list, and then import the Postman environment

file.

The file is added to the list of collection files. Repeat this Step to import

additional files.

Important! You can import only one authentication collection and

one environment file.

b. Click VALIDATE to validate the collection file(s).

Upon successful validation, the POSTMAN VALIDATION dialog box

opens, displaying a list of sessions contained in the collection file(s). If

authentication sessions are identified, they are preselected as Auth

sessions. All other sessions are preselected as Audit sessions.

Additionally, the Postman Authentication Results area displays the

type of authentication detected as None, Static, or Dynamic.

Note: Auth sessions will be used for authentication for the scan.

Audit sessions will be audited in the scan.

c. (Optional) Select the Auth or Audit check box for a session to change

its type as needed.

d. (Optional) Make changes to the Postman Authentication Results as

follows:

o

For Static authentication, enter a token in the Custom Header

Token box.

o

For Dynamic authentication, do the following:

l

Select the Regex (Custom) option to the right of the Response

Token Name box, and then enter a custom regular expression in

the Response Token Name box.

l

Select the Regex (Custom) option to the right of the Request

Token Name box, and then enter a custom regular expression in

the Request Token Name box.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 139 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

For this

API type...

Do this...

l

Clear the Use Auto Detect option to the right of the Logout

Condition box, and then enter a new logout condition string in

the Logout Condition box.

e. Did you make changes to the Postman Authentication Results?

o

If yes, click VALIDATE to validate the new authentication settings,

and then click OK.

o

If no, click OK.

SOAP

To use a file:

a. In the Definition list, select File.

b. Click IMPORT and import the definition file.

Tip: Alternatively, you can paste in the full path to a definition file

that is saved on your local machine.

c. In the Version list, select a version to allow filtering of operations by

the specific version. Options are as follows:

o

Legacy – filters against the lowest supported version.

o

Mixed – uses a combination of Legacy and Newest, depending on

what is available.

o

Newest – the default setting, filters against the latest version.

To use a URL:

a. In the Definition list, select URL.

b. Provide the URL to the API definition file, as shown in the following

example:

http://172.16.81.36/web-services/infoService?wsdl

c. In the Version list, select a version to allow filtering of operations by

the specific version. Options are as follows:

o

Legacy – filters against the lowest supported version.

o

Mixed – uses a combination of Legacy and Newest, depending on

what is available.

o

Newest – the default setting, filters against the latest version.

d. If HTTP authorization credentials are needed to access the API

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 140 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

For this

API type...

Do this...

definition, enter them in the Authentication Header box, as shown in

the following example:

Basic YWxhZGRpbjpvcGVuc2VzYW1l

Important! This authentication header is used only for accessing

the API definition. It is not carried forward to the Authentication

page of the Settings Configuration wizard. You must configure

network authentication for the scan on the Authentication page.

e. Click VALIDATE to verify that the DAST API can access the definition

file and ensure that it is valid.

4. If you imported a definition file, the API location is different from API definition location

option is selected. Specify the following:

a. In the API Scheme Type list, select a type. Options are HTTP, HTTPS, and HTTP/HTTPS.

b. In the API Host box, type the URL or hostname.

c. In the API Service Path box, type the directory path for the API service.

Note: The GraphQL service location is always the same as the definition location. For SOAP, if

the query string "?wsdl" value is removed, then the SOAP service location may or may not be

the same as the definition location. The gRPC service location is always different from the

definition location.

Note: If the service path is not defined for an Open API scan, then the sensor will use the

basePath that is defined in the Open API definition contents. For Open API scans, select API

location is different from API definition location unless your service is explicitly run at the

same location as the docs folder for Open API. Optionally, you may choose to define a service

path if it differs from the basePath.

5. (Optional) To submit the completed scan for triage in Fortify Software Security Center, select

Submit for triage.

Note: Submitting for triage allows you to perform audit analysis of the findings so that you

can assign a user and an analysis value to the findings.

6. Under Audit Depth (Policy), do one of the following:

l

Select a policy from the Policy list.

l

Begin typing the policy name in the Policy list box to filter the list of policy names that begin

with the text that you enter.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 141 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Note: The default policies are stored in SecureBase tables in the ScanCentral DAST

database. For more information about the list of default policies, see "Policies" on page 329.

Custom policies are assigned to specific applications and are stored in the ScanCentral DAST

database. Only those custom policies that are assigned to the selected application appear in

the Policy list.

Tip: The API policy is the default policy for API scan settings in the Settings Configuration

wizard. However, you can choose another policy if needed.

7. Do one of the following:

l

To use a standard user agent, select it from the User Agent list.

Note: Default uses the user agent that is defined in Fortify WebInspect.

l

To use a custom user agent, select Custom from the User Agent list, and then type the user-

agent string in the Custom User Agent box.

Tip: User-agent strings generally use the following format:

<browser>/<version> (<system and browser information>) <platform> (<platform

details>) <extensions>

What’s Next?

Do one of the following:

l

To configure proxy settings for the scan, proceed with "Configuring Proxy Settings" below.

l

To configure authentication for the scan, click NEXT and proceed with "Configuring Authentication

for API Scans" on page 146.

Configuring Proxy Settings

To configure proxy settings:

1. On the Target page, click PROXY SETTINGS.

The PROXY CONFIGURATION dialog box opens.

2. Select the Use Proxy Server option.

The settings become available for you to configure.

3. Configure the settings according to the following table.

To...

Then...

Use the Web Proxy Autodiscovery Protocol

Select Auto detect proxy settings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 142 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To...

Then...

(WPAD) to locate and use a proxy autoconfig

file to configure the web proxy settings

Import your proxy server information from

Firefox

Select Use Firefox proxy settings.

Note: Using browser proxy settings does

not guarantee that you can access the

Internet through a proxy server. If the

Firefox browser connection settings are

configured for "No proxy," then a proxy

will not be used.

Load proxy settings from a Proxy Automatic

Configuration (PAC) file

a. Select Configure proxy settings using a

PAC file.

b. In the URL box, type the URL location for

the PAC file.

Access the Internet through a proxy server

a. Select Explicitly configure proxy

settings.

b. In the Server box, enter the URL or IP

address of your proxy server.

c. In the Port box, enter the port number

(for example, 8080).

d. From the Type list, select the protocol

type for handling TCP traffic through the

proxy server. The options are: Standard,

SOCKS4, or SOCKS5.

e. If authentication is required, select a type

from the Authentication list. The options

are: None, Basic, NTLM, Digest,

Automatic, Kerberos, or Negotiate.

f. If your proxy server requires

authentication, enter the qualifying user

name in the User Name field and the

qualifying password in the Password

field.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 143 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To...

Then...

g. If you do not need to use a proxy server

to access certain IP addresses (such as

internal testing sites), enter the addresses

or URLs in the Bypass field. Use commas

to separate entries.

4. Click OK.

The proxy settings are saved and the PROXY CONFIGURATION dialog box closes.

What's Next?

To configure authentication for the scan, click NEXT and proceed with "Configuring Authentication

for Standard and Workflow-driven Scans" below or "Configuring Authe ntication for API Scans" on

page 146 .

Configuring Authentication for Standard and

Workflow-driven Scans

If your site or network or both require authentication, you can configure it on the Authentication

page.

Configuring Site Authentication

You can use a recorded login macro containing one or more usernames and passwords that allow you

to log in to the target site. The macro must also contain a "logout condition," which indicates when an

inadvertent logout has occurred so that the sensor can rerun the macro to log in again.

To configure site authentication:

1. Select Site Authentication.

2. Do one of the following:

l

To import an existing login macro, click IMPORT, and then locate and select the file to import.

Tip: If a macro contains parameters, a param button appears to the right of the macro

name. Click the button to open the TRU CLIENT PARAMETERS dialog box and enter

values to use during the scan.

l

To record a login macro, click Open Macro Recorder 7.1.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 144 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Tip: If you have not already downloaded and installed the Macro Recorder tool, the Open

Macro Recorder 7.1 link will not open the tool. You must first download the tool and install

it on your local machine as described in "Downloading the Macro Recorder Tool" below.

Downloading the Macro Recorder Tool

You can download the Macro Recorder with Macro Engine 7.1 tool from the ScanCentral DAST REST

API container.

Important! The Web Macro Recorder with Macro Engine 7.1 is a Windows-based application. You

cannot use the Web Macro Recorder with Macro Engine 7.1 on Linux operating systems.

To download the Macro Recorder tool:

l

Under Site Authentication, click Download Macro Recorder 7.1.

The MacroRecorder64Setup.exe file is downloaded to the default download directory that is

specified in your browser settings. Navigate to the download directory and install the EXE file as

usual.

Tip: After installation, you can launch the Macro Recorder tool from the Windows Start menu

under Fortify ScanCentral DAST.

Using a Client Certificate

Client certificate authentication allows users to present client certificates rather than entering a user

name and password. You can enable the use of a certificate and then import the certificate to the scan

settings.

To use a client certificate:

1. Select Use Client Certificate.

2. Click IMPORT.

A standard Windows file selection dialog box opens.

3. Locate and select the certificate file, and then click Open.

The certificate file is added to the Client certificate box.

4. If the certificate requires a password, do the following:

a. Select Requires password.

b. Enter the password in the Client certificate password box.

5. Optionally, click VALIDATE to perform basic validation of the certificate.

Note: Basic validation only confirms that the file is a certificate, verifies the password if

applicable, and checks for a private key. If the certificate is not valid, the scan will fail upon

startup.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 145 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Configuring Network Authentication

If server authentication is required, you can configure authentication using network credentials.

To configure network authentication:

1. Select Network Authentication.

2. Select an Authentication Type. Options are as follows:

l

ADFS CBT

l

Automatic

l

Basic

l

Digest

l

Kerberos

l

NT LAN Manager (NTLM)

3. Type the authentication username in the Username box.

4. Type the authentication password in the Password box.

Caution! The sensor crawls all servers granted access by this password (if the sites/servers are

included in the Allowed Hosts setting). To avoid potential damage to your administrative

systems, do not use credentials that have administrative rights. If you are unsure about your

access rights, contact your System Administrator or internal security professional.

What's Next?

To configure details for the scan, click NEXT and proceed with "Configuring Scan Details" on

page 152.

Configuring Authentication for API Scans

If your site or network or both require authentication, you can configure it on the Authentication

page.

Options for configuring authentication include the following:

l

"Using a Client Certificate" on the next page

l

"Configuring Network Authentication" on the next page

l

"Using Custom Headers" on page 149

l

"Configuring SOAP Settings" on page 150

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 146 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Using a Client Certificate

Client certificate authentication allows users to present client certificates rather than entering a user

name and password. You can enable the use of a certificate and then import the certificate to the scan

settings.

Note: Client certificates do not apply to OData or Open API definition types.

To use a client certificate:

1. Select Use API Client Certificate.

2. Click IMPORT.

A standard Windows file selection dialog box opens.

3. Locate and select the certificate file, and then click Open.

The certificate file is added to the Client certificate box.

4. If the certificate requires a password, do the following:

a. Select Requires password.

b. Enter the password in the Client certificate password box.

5. Optionally, click VALIDATE to perform basic validation of the certificate.

Note: Basic validation only confirms that the file is a certificate, verifies the password if

applicable, and checks for a private key. If the certificate is not valid, the scan will fail upon

startup.

Configuring Network Authentication

If server authentication is required, you can configure authentication using network credentials.

To configure network authentication:

1. Select Use API Network Authentication.

2. Select an Authentication Type. The API Type determines the available authentication types.

The complete list of authentication types is:

l

ADFS CBT

l

Automatic

l

Basic

l

Bearer

l

Custom

l

Digest

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 147 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

l

Kerberos

l

NT LAN Manager (NTLM)

3. Continue according to the following table.

For this

authentication

type...

Do this...

ADFS CBT

Automatic

Basic

a. Type the authentication username in the Username box.

b. Type the authentication password in the Password box.

Digest

Kerberos

NTLM

Bearer

Optionally, type the JSON token, generally from a response to a login

form, in the Token Value box.

When using Bearer, you can fetch a token that is generated from a

response to a workflow macro, and then use the token to apply state. For

more information, see "Fetching a Token Value" below.

Custom

a. Type the token name in the Scheme box.

b. Optionally, type the token value in the Parameter box.

When using Custom, you can fetch a token that is generated from a

response to a workflow macro, and then use the token to apply state. For

more information, see "Fetching a Token Value" below.

Fetching a Token Value

You can use a custom regular expression to fetch the token value from a login or workflow macro. If a

match to the regular expression occurs in the response, then the value is fetched and used as a bearer

token. If the regular expression contains parentheses, then the value inside the parentheses will be

extracted and used as a bearer token. Only the first value inside parentheses will be used.

Note: Fetching a token value does not apply to OData or Open API definition types.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 148 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To fetch a token value:

1. Select Use Fetch Token.

2. Do one of the following:

l

To import an existing macro, click IMPORT, and then locate and select the file to import.

Tip: If a macro contains parameters, a param button appears to the right of the macro

name. Click the button to open the TRU CLIENT PARAMETERS dialog box and enter

values to use during the scan.

l

To record a macro, click Open Macro Recorder 7.1.

Tip: If you have not already downloaded and installed the Macro Recorder tool, the Open

Macro Recorder 7.1 link will not open the tool. You must first download the tool and install

it on your local machine as described in "Downloading the Macro Recorder Tool" below.

3. Type a regular expression for pattern matching in the Search Pattern box.

4. Do one of the following:

l

To have each scan thread run its own fetch macro playback and apply the bearer token value

to the thread, select the Isolate state check box.

l

To have only one fetch macro playback run for all scan threads and the single shared bearer

token value apply to all threads, clear the Isolate state check box.

Downloading the Macro Recorder Tool

You can download the Macro Recorder with Macro Engine 7.1 tool from the ScanCentral DAST REST

API container.

Important! The Web Macro Recorder with Macro Engine 7.1 is a Windows-based application. You

cannot use the Web Macro Recorder with Macro Engine 7.1 on Linux operating systems.

To download the Macro Recorder tool:

l

Under Site Authentication, click Download Macro Recorder 7.1.

The MacroRecorder64Setup.exe file is downloaded to the default download directory that is

specified in your browser settings. Navigate to the download directory and install the EXE file as

usual.

Tip: After installation, you can launch the Macro Recorder tool from the Windows Start menu

under Fortify ScanCentral DAST.

Using Custom Headers

You can configure multiple custom headers.

Important! Fortify recommends that you do not configure more than one custom header using

the same HTTP header name.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 149 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To add a custom header:

1. Select Use Custom Headers.

2. Click the add icon ( ).

3.

In the header name box, type the custom HTTP header name. For example, X-MyCustomAuth.

Important! The header must be unique and cannot be Authorization.

4.

In the header scheme box, type the header value prefix name. For example, CustomToken.

5. In the header value box, type the custom header value.

6. Click the check icon ( ).

The custom header is added to the list.

To edit a custom header:

l

Click the edit icon ( ) for the custom header you want to edit.

To remove a custom header:

l

Click the delete icon ( ) for the custom header you want to delete.

Configuring SOAP Settings

You can configure message-based authentication for SOAP scans.

To configure SOAP authentication settings:

1. Select Use SOAP Configuration.

2. Select that authentication method to use from the SOAP Method list. Options are Username

Token and Certificate Pair.

3. Continue according to the following table.

For this

authentication

method...

Do this...

Username

Token

a. In the Username box, type the user name whose credentials are used

to access the SOAP service.

b. In the Password box, type the password for the user name.

c. In the Username Token Type list, select the type of token. Options

are Text and Hash.

d. In the Timestamp list, select an option for when the Username Token

was created and when it expires. Options are Created, Full, and None.

e. If nonce is enabled for the token, select Includes nonce.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 150 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

For this

authentication

method...

Do this...

Important! Nonce is required for hash tokens because it helps the

server to recalculate the hash and compare it to the data the

client sent.

Certificate Pair

a. Click IMPORT to the right of the Client Certificate box.

A standard Windows file selection dialog box opens.

b. Locate and select the certificate file, and then click Open.

The certificate file is added to the Client Certificate box.

c. In the Client Certificate Password box, type the password.

d. Click IMPORT to the right of the Server Certificate box.

A standard Windows file selection dialog box opens.

e. Locate and select the certificate file, and then click Open.

The certificate file is added to the Server Certificate box.

f. If the server certificate requires a password, select Requires

password and type the password in the Server Certificate Password

box.

4. Optionally, to identify the Web Services Addressing (WS-Addressing) schema version used by

the SOAP service, select Use WS Addressing and continue as follows:

a. In the Schema Version list, select the version. Options are NONE, WSA0408, and WSA0508.

b. In the WSA: To box, enter the URL override for the Web service host.

Note: SOAP services may be exposed by way of a load balancer or reverse proxy. This

configuration may prevent the sensor from getting the correct information for the

internal Web service host name. The "WSA: To" URL override provides the correct

address into WS Addressing.

The URL override uses the following format:

https://<host_name><service_path>/<port_name>

What's Next?

To configure details for the scan, click NEXT and proceed with "Configuring Scan Details" on the next

page.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 151 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Configuring Scan Details

You can configure the following settings on the Details page:

l

API Content and filters (API scans only. For more information, see "Configuring API Content and

Filters" below.)

l

Allowed hosts (For more information, see "Adding and Managing Allowed Hosts" on page 157.)

l

Scan priority (For more information, see "Configuring Scan Priority" on page 159.)

l

Data retention (For more information, see "Configuring Data Retention" on page 161.)

l

Single-page application (SPA) support (Standard and Workflow-driven scans only. For more

information, see "Scanning Single-page Applications" on page 161.)

l

Traffic Monitor (For more information, see "Using Traffic Viewer (Traffic Monitor)" on page 162.)

l

Exclusions (For more information, see "Creating and Managing Exclusions" on page 163.)

l

Redundant page detection (Standard and Workflow-driven scans only. For more information, see

"Configuring Redundant Page Detection" on page 167.)

l

Scan scaling (For more information, see "Enabling Scan Scaling" on page 168.)

What's Next?

After you configure the scan details, click NEXT and proceed with "Reviewing Scan Settings" on

page 169.

Configuring API Content and Filters

When configuring API scans, you can use the Content and Filters page to configure the preferred

content type, as well as operations and parameter names and types to include or exclude during the

scan.

Specifying the Preferred Content Type

The preferred content type setting specifies the preferred content type of the request payload. If the

preferred content type is in the list of supported content types for an operation, then the generated

request payload will be of that type. Otherwise, the first content type listed in an operation will be

used. By default, the preferred content type is application/json.

To change the preferred type:

l

Type the preferred content type in the Preferred Content Type box.

Defining Specific Operations to Include

The Include feature defines an allow list of operation IDs that should be included in the output.

To define a specific operation to include:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 152 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

1. Select Specific Operations.

2. Select Include.

3. Click the add icon ( ).

4. In the Operation to add box, type the operation ID.

5. Click the check icon ( ).

The operation ID is added to the allow list.

Defining Specific Operations to Exclude

The Exclude feature defines a deny list of operation IDs that should be excluded from the output.

To define a specific operation to exclude:

1. Select Specific Operations.

2. Select Exclude.

3. Click the add icon ( ).

4. In the Operation to add box, type the operation ID.

5. Click the check icon ( ).

The operation ID is added to the deny list.

Editing Specific Operations

To edit a specific operation in the allow or deny list:

1. Do one of the following:

l

To edit an operation in the allow list, select Include.

l

To edit an operation in the deny list, select Exclude.

2. Click the edit icon ( ) for the operation ID you want to edit.

Removing Specific Operations

To remove a specific operation from the allow or deny list:

1. Do one of the following:

l

To remove an operation from the allow list, select Include.

l

To remove an operation from the deny list, select Exclude.

2. Click the delete icon ( ) for the operation ID you want to remove.

Defining Parameter Rules

Parameter rules define a default value to use for a parameter when the parameter name and type are

encountered. You can also specify operations to determine whether a specific parameter rule should

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 153 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

or should not apply to those operations.

Important! If you configure a parameter rule and then change the API definition type for which

the parameter rule type becomes invalid, the invalid parameter rule type will be changed to Any.

The invalid parameter rule will be highlighted in the Parameter Rules list, and a warning message

will be displayed below the list.

To add a parameter rule:

1. Select Parameter Rules.

2. Click Add.

The PARAMETER RULE dialog box appears.

3. In the Parameter Rule Name box, type a name for the rule.

4. In the Parameter Rule Type list, select a type. Available options depend on the API type and

may include the following:

l

Any

l

Boolean

l

Date

l

File

l

Guid

l

Number

l

String

For more information on the Parameter Rule Types and their equivalents based on API type, see

"Understanding Parameter Type Matches" on page 156.

5. Continue according to the following table:

For this Rule Type...

Do this...

Any

In the Value box, type any value.

In the Boolean Value list, select true or false.

To enter any string value as the date:

Boolean

Date

l

Type the string in the Date box.

Note: You may enter a duration, time span, formatted

date, or formatted time in the Date box.

To select a date/time format and use a calendar and clock to

generate a formatted string:

a. Click GENERATE DATE.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 154 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

For this Rule Type...

Do this...

The GENERATE DATE STRING dialog box opens.

b. From the Date Type list, select a format. Options are Date

and time, Date, and Time.

c. In the Date box, enter a date using the preferred format

defined in your Fortify Software Security Center.

Tip: To select a date from the calendar, click the calendar

icon ( ).

d. In the Time box, enter a time using the preferred format

defined in your Fortify Software Security Center.

Tip: To select a date from the calendar, click the clock

icon ( ).

e. Click OK.

File

a. Click IMPORT and browse to locate the file to add to the scan

settings.

b. Click Open.

Guid

In the Value box, enter a GUID.

In the Number Value box, enter a numerical value.

In the Value box, type any value.

Number

String

6. For Open API scans, in the Parameter Rule Location list, select a location where the parameter

is found in the request. Options are:

l

Any

l

Body

l

Header

l

Path

l

Query

7. Optionally, select Inject Parameter to include the defined parameter in the request.

Important! The Inject Parameter option does not work with schema-based APIs, such as

SOAP, gRPC, and Postman. Those API types do not accept forced parameters. For GraphQL,

Inject Parameter only works with the query operation if the property is in the query schema.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 155 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

8. Optionally, to specify operations to which this parameter rule should or should not apply, select

Specific Operations and perform steps 2-5 of "Defining Specific Operations to Include" on

page 152 or "Defining Specific Operations to E xclude" on page 153 .

9. Click OK.

The rule is added to the Parameter Rules list.

Editing a Parameter Rule

To edit a rule in the Parameter Rules list:

l

Select the check box for the rule to edit, and then click EDIT.

The PARAMETER RULE dialog box appears. For more information about using this dialog box, see

"Defining Parameter Rules" on page 153.

Removing a Parameter Rule

To remove a rule from the Parameter Rules list:

l

Select the check box for the rule to remove, and then click REMOVE.

Understanding Parameter Type Matches

The following table describes the parameter rule type equivalents by API type.

Equivalent

ScanCentral DAST

Parameter Rule Type

Open API

(Swagger)

OData

GraphQL

All

gRPC

All

SOAP

All

Any

All

Boolean

Date

boolean

Edm.Boolean

boolean

N/A

bool

N/A

boolean

date

Edm.Date

(OpenAPI 2.0) Edm.DateTime

Edm.DateTimeOffset

Edm.Duration

string

(OpenAPI

Edm.Time

1

3.0)

Edm.TimeOfDay

File

file (OpenAPI Edm.Binary

N/A

bytes

N/A

2

2.0)

GUID

N/A

Edm.Guid

1

OpenAPI 3.0 implementation is qualified by date string format.

2

OpenAPI 3.0 implementation is qualified by binary or byte string formats.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 156 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Equivalent

ScanCentral DAST

Parameter Rule Type

Open API

(Swagger)

OData

GraphQL

gRPC

SOAP

Number

number

integer

Edm.Byte

int

float

double

enum

fixed32

fixed64

float

base64Binary

byte

decimal

double

float

hexBinary

hexint

int

integer

long

signedInt

short

unsignedByte

unsignedInt

unsignedLong

unsignedShort

Edm.Decimal

Edm.Double

Edm.Int16

Edm.Int32

Edm.Int64

Edm.SByte

Edm.Single

int32

int64

sfixed32

sfixed64

sint32

sint64

uint32

uint64

String

string

Edm.GeographyCollection

Edm.GeographyLineString

Edm.GeographyMultiLineString

Edm.GeographyMultiPoint

Edm.GeographyMultiPolygon

Edm.GeographyPoint

id

string

Edm.GeographyPolygon

Edm.GeometryCollection

Edm.GeometryLineString

Edm.GeometryMultiLineString

Edm.GeometryMultiPoint

Edm.GeometryMultiPolygon

Edm.GeometryPoint

Edm.GeometryPolygon

Edm.String

Adding and Managing Allowed Hosts

Use the Allowed Hosts setting to add and manage domains to crawl and audit. If your Web

application uses multiple domains, add those domains here. For example, if you were scanning

"WIexample.com," you would need to add "WIexample2.com" and "WIexample3.com" here if those

domains were part of your Web presence and you wanted to include them in the scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 157 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

You can also use this feature to scan any domain whose name contains the text you specify. For

example, suppose you specify www.myco.com as the scan target and you enter "myco" as an allowed

host. As the sensor scans the target site, if it encounters a link to any URL containing "myco," it will

pursue that link and scan that site's server, repeating the process until all linked sites are scanned. For

this hypothetical example, the sensor would scan the following domains:

l

www.myco.com:80

l

contact.myco.com:80

l

www1.myco.com

l

ethics.myco.com:80

l

contact.myco.com:443

l

wow.myco.com:80

l

mycocorp.com:80

l

www.interconnection.myco.com:80

Adding Allowed Hosts

To add allowed hosts:

1. Click MANAGE.

2. In the SPECIFY ALLOWED HOST dialog box, type a URL in the Name box.

Important! When you specify the URL, do not include the protocol designator (such as

http:// or https://).

3. (Optional) To use a regular expression to represent a URL, select Use Regular Expression.

4. Do one of the following:

l

To save the allowed host to the list, click the check mark icon ( ).

The URL is added to the allowed hosts list. To add another allowed host, return to Step 2.

l

To clear the fields and start over, click the retry icon ( ) and return to Step 2.

5. When the list of allowed hosts is complete, click OK.

Editing or Removing Hosts

To edit or remove an allowed host:

1. Select a host from the Allowed Hosts list.

2. Do one of the following:

l

To edit the host name or regular expression, click MANAGE.

The SPECIFY ALLOWED HOST dialog box opens. For more information about using this

dialog box, see "Adding Allowed Hosts" above.

l

To remove the host from the allowed hosts list, click REMOVE.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 158 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Configuring Scan Priority

Scans are run using a priority ranking from 0 to 10, where 0 is the lowest priority and 10 is the

highest. Before starting a scan, the Global Service determines if there is a higher-priority scan that

needs to be started. If there is, the lower-priority scan will remain in the queue. Additionally, a lower-

priority scan that is running will be paused for a higher-priority scan if no other sensor is available.

If Advanced Scan Prioritization is enabled, the Global Service may move scans to other sensors,

depending on scan priority and other settings. For more information about Advanced Scan

Prioritization, see "Understanding Advanced Scan Prioritization" below.

Note: Applications are configured with a default priority level in the application settings. For

more information, see "Understanding the Application Settings List" on page 280.

Changing the Priority

To select a priority other than the default setting for the scan:

l

Select a priority from 0 to 10 in the Priority list.

Note: If you set a priority that differs from the Application Settings, the lower of the two

settings will be used.

Tip: You cannot disable scan priority. However, you can set all applications and scans to the same

priority to accomplish something similar.

Understanding Advanced Scan Prioritization

Advanced scan prioritization allows the Global Service to move a scan to a different sensor,

depending on the scan priority and other settings as described in the following paragraphs.

Priority and Sensor Pools

For prioritization, scans are grouped by the sensor pool to which the scan belongs. Grouping scans by

pool ensures that a higher-priority scan in sensor pool 1 will not pause a lower priority scan in sensor

pool 2.

Priority and Scan Status

Scans with the following statuses are processed first from the highest to lowest scan priority and then

from the oldest to newest:

l

Queued

l

Resume Scan Queued

l

Resume Scan Queued Scan Priority

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 159 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

l

License Unavailable

l

Paused Scan Priority

The following table provides examples using five scans with various statuses, priorities, and creation

times.

When Started

Scan Status

Priority

Created On Date/Time

11/8/2022 08:00 AM

11/8/2022 08:15 AM

11/8/2022 09:00 AM

11/8/2022 11:26 AM

11/8/2022 12:01 PM

or Resumed

Paused Scan Priority

Resume Scan Queued

Resume Scan Queued Scan Priority

Queued

0

Fifth

5

Second

Third

5

Fourth

First

Queued

10

Priority and Sensors

When configuring a scan, you can select a specific sensor in the Run Scan or Schedule Scan dialog

boxes. You can also select the Use this sensor only option. The following table describes how these

options affect advanced scan prioritization.

Selected Sensor

Options

What Happens

A specific sensor is

selected with the Use

this sensor only

option

If the sensor is available, then the scan starts on the sensor.

If the sensor is not available and there is a lower-priority scan that is

running on that sensor, then the lower-priority scan is paused and the

higher-priority scan is started on the sensor.

A specific sensor is

selected without the

Use this sensor only

option

If the sensor is available, then the scan starts on the sensor.

If the sensor is not available, the Global Service attempts to find any other

available sensor in the sensor pool. If an available sensor is found, the

scan starts on that sensor. If no sensor is available, the Global Service

checks whether a lower-priority scan is running. If a lower-priority scan is

running, then the lower-priority scan is paused and the higher-priority

scan is started on that sensor.

Any Available sensor If a sensor is available in the sensor pool, then the scan is started on the

is selected sensor.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 160 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Selected Sensor

Options

What Happens

If no sensor is available in the sensor pool, the Global Service checks

whether a lower-priority scan is running. If a lower-priority scan is

running, then the lower-priority scan is paused and the higher-priority

scan is started on that sensor.

When Advanced Scan Prioritization is Disabled

If the Disable Advanced Scan Prioritization option was selected in the ScanCentral DAST

Configuration Tool, then when a lower-priority scan is paused for a higher-priority scan to run, the

lower-priority scan resumes only on the sensor on which it was originally running, regardless to

whether another sensor is available in the sensor pool. Partial scan results are uploaded to the

ScanCentral DAST database, but the paused scan remains on the sensor. If the scan is resumed, but

the scan no longer exists on the sensor for any reason, the Global Service downloads and imports the

partial results prior to resuming the scan.

For more information, see "Configuring Scan Priority" on page 159.

Configuring Data Retention

If data retention is enabled for the application being scanned, then a default number of days for scan

retention is configured in the application settings. In such cases, the default number of days for scan

retention is displayed in the Details page. For more information, see "Working with Application

Settings" on page 279.

To set a number of days other than the default setting for the scan:

l

Enter the number of days in the Data Retention box.

Note: If you set a number of days that differs from the Application Settings, the lower of the two

settings will be used.

Scanning Single-page Applications

This topic describes single-page application (SPA) support for crawling and auditing the Document

Object Model (DOM) of an application.

The Challenge of Single-page Applications

Developers use JavaScript frameworks such as Angular, Ext JS, and Ember.js to build SPAs. These

frameworks make it easier for developers to build applications, but more difficult for security testers

to scan those applications for security vulnerabilities.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 161 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Traditional sites use simple back-end server rendering, which involves constructing the complete

HTML web page on the server side. SPAs and other Web 2.0 sites use front-end DOM rendering, or a

mix of front-end and back-end DOM rendering. With SPAs, if the user selects a menu item, the entire

page can be erased and recreated with new content. However, the event of selecting the menu item

does not generate a request for a new page from the server. The content update occurs without

reloading the page from the server.

With traditional vulnerability testing, the event that triggered the new content might destroy other

events that were previously collected on the SPA for audit. Through its SPA support, the dynamic

sensor offers a solution to the challenge of vulnerability testing on SPAs.

Configuring SPA Support

When SPA support is enabled, the DOM script engine finds JavaScript includes, frame and iframe

includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by

those events.

To configure SPA support:

l

Under Single-Page Applications on the Details page, select one of the following options:

l

Automatic - If the sensor detects a SPA framework, it automatically switches to SPA-support

mode.

l

Disabled - Indicates that SPA frameworks are not used in the target application.

l

Enabled - Indicates that SPA frameworks are used in the target application.

Caution! Enable SPA support for single-page applications only. Enabling SPA support to

scan a non-SPA website results in a slow scan.

Using Traffic Viewer (Traffic Monitor)

The site tree of a scan normally displays only the hierarchical structure of the website or web service,

plus those sessions in which a vulnerability was discovered. The Traffic Viewer (or Traffic Monitor)

allows you to display and review every HTTP request sent by the sensor and the associated HTTP

response received from the web server.

Proxy Server Included

The Traffic Viewer includes a self-contained proxy server that you can configure and run on your

desktop. With it, you can monitor traffic from your browser as it submits HTTP requests and receives

responses from a web server. The Traffic Viewer proxy is a tool for debugging and penetration

assessment; you can see every request and server response while browsing a site.

Option Must be Enabled

To use the Traffic Viewer, you must enable Traffic Monitor logging in the scan settings. Otherwise,

the Traffic Viewer is not available for a scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 162 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Enabling Traffic Viewer (or Traffic Monitor)

To enable the Traffic Viewer (or Traffic Monitor):

l

Under Traffic Analysis on the Details page, select Enable Traffic Monitor.

Creating and Managing Exclusions

You can exclude URLs and sessions—based on criteria in their requests or responses—from being

crawled and audited. Excluding URLs means that the sensor will not examine the specified URL or

host for links to other resources. Excluding sessions means that sensor will not process the sessions

that meet the exclusion criteria.

To exclude these items from your scan, you must create a list of Basic Exclusions. Each exclusion in

the list identifies one or more targets in which the criteria for exclusion is found.

Note: You can add multiple targets to each entry in the Basic Exclusions list.

Creating Exclusions

To create one or more exclusions:

1. Under Basic Exclusions on the Details page, click CREATE.

The MANAGE EXCLUSIONS dialog box opens.

2. Type a name for the exclusion in the Name box.

3. From the Target list, select one of the following target types to configure for exclusion:

l

Extension - Excludes file extensions that match the exclusion criteria

l

Host - Excludes hosts that match the exclusion criteria

l

Post parameter - Excludes sessions with a POST request parameter that matches the

exclusion criteria

l

Query parameter - Excludes sessions with a query parameter in the URL that matches the

exclusion criteria

l

Request – Excludes sessions with a request that matches the exclusion criteria

l

Response – Excludes sessions with a response that matches the exclusion criteria

l

Response header - Excludes sessions with a response header that matches the exclusion

criteria

l

Status code - Excludes sessions with a response status code that match the exclusion criteria

l

URL – Excludes URLs that match the exclusion criteria

4. Type a name for the target in the Name box.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 163 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

5. Select one of the following types of exclusion for the target from the Type list:

l

Matches Regex – Matches the regular expression you specify in the String box

l

Matches Regex extension – Matches the regular expression extension you specify in the

String box

l

Matches - Matches the specified criteria in the String box

l

Contains – Contains the text string you specify in the String box

6. Type the string to match in the String box.

For examples of Target, Type, and String settings, see "Exclusion Examples" below.

7. Do one of the following:

l

To save the exclusion to the list, click the check mark icon ( ).

The exclusion is added to the list. To create another exclusion, return to Step 2.

l

To clear the fields and start over, click the retry icon ( ) and return to Step 2.

8. When the list of exclusions is complete, click OK.

Exclusion Examples

The following table provides examples of exclusions.

To...

Create the following exclusion...

Ensure that you never send requests to any

resource at Microsoft.com

URL contains Microsoft.com

Exclude the following directories:

URL matches regex /W3SVC[0-9]*/

Response contains Not Found

http://www.test.com/W3SVC55/

http://www.test.com/W3SVC5/

http://www.test.com/W3SVC550/

Ensure that you never process session

responses with 404 Not Found

For more information about creating exclusions, see "Understanding and Creating Inclusive

Exclusions" on the next page.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 164 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Editing or Removing Exclusions

To edit or remove an entry in the Basic Exclusions list:

1. Select an entry from the Basic Exclusions list.

2. Do one of the following:

l

To edit the exclusion settings, click MANAGE.

The MANAGE EXCLUSIONS dialog box opens. For more information about using this dialog

box, see "Creating Exclusions" on page 163.

l

To remove the host from the allowed hosts list, click REMOVE.

Understanding and Creating Inclusive Exclusions

When a site contains many pages that are essentially redundant, it makes sense to scan only a

selection of such pages and exclude the rest. To accomplish this, we need to specify what to include

by excluding everything else. Such exclusions are called "inclusive exclusions."

You can create regular expressions that exclude everything including the sessions you want to scan,

and then add the inclusion regular expression within the negative look ahead construct.

Understanding Inclusive Exclusion Regular Expressions

Suppose you have the following URLs:

http://site.tld/sub/sub1

http://site.tld/sub/sub2

http://site.tld/sub/sub3

http://site.tld/sub/sub4

http://site.tld/sub/sub5

...

http://site.tld/sub/sub9999

And you want to include sub1 in the scan but not sub2 through sub9999.

A regular expression to match and exclude everything is:

\/sub/sub[0-9]+

Adding the negative look ahead to include sub1 results in this regular expression:

\/sub/sub(?!1)[0-9]+

This regular expression matches and excludes everything in the previous list of URLs that does not

include sub1.

Important! If the regular expression includes the host name, then it must also include the port as

shown here:

site\.tld:80/sub/sub[0-9]+

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 165 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

site\.tld:80/sub/sub(?!1)[0-9]+

The following paragraphs provide additional examples of various inclusive exclusions.

Example One

Suppose you want to scan only the contents of folders where the folder name starts with the

combination "N13" and omit the others in the following list:

http://10.0.6.124:22000/cssbundle/1666793387/bundles/service.css

http://10.0.6.124:22000/cssbundle/N1375383199/bundles/service.css

http://10.0.6.124:22000/jsbundle/1337374041/bundles/catalogs.js

http://10.0.6.124:22000/jsbundle/1337374041/bundles/general.js

http://10.0.6.124:22000/jsbundle/335652056/bundles/search.js

http://10.0.6.124:22000/jsbundle/N1222120407/bundles/

http://10.0.6.124:22000/jsbundle/N1408948977/bundles/

http://10.0.6.124:22000/jsbundle/N1982198842/bundles/

http://10.0.6.124:22000/jsbundle/N273479010/bundles/

A regular expression to match and exclude all folder names that begin with letter "N" is:

\/N[\d]+\/

Adding the negative look ahead to include (?!13) results in this regular expression:

\/N(?!13)[\d]+\/

Using this regular expression as a session exclusion causes Fortify WebInspect to omit all of the paths

except for those where the folder name starts with the combination "N13":

http://10.0.6.124:22000/cssbundle/N1375383199/bundles/service.css

Note: The number "13" is arbitrary. You could easily replace the "13" character set in the regular

expression with your desired character set.

Example Two

Suppose you want to omit most of My Awesome Store's catalog while still permitting URLs that

include keywords "awesome" or "core" in the following list:

http://my.awesome.store.com/dotcom/14k-gold-plated-ring/cat.jump

http://my.awesome.store.com/dotcom/2-panel-jewelry-box/prod.jump

http://my.awesome.store.com/dotcom/core-short-sleeve-top/prod.jump

http://my.awesome.store.com/dotcom/core-graphic-tee/prod.jump

http://my.awesome.store.com/dotcom/core-pro-striped-shorts/prod.jump

http://my.awesome.store.com/dotcom/awesome-brand-pro-striped-shorts/prod.jump

http://my.awesome.store.com/dotcom/core-pro-striped-shorts/prod.jump

http://my.awesome.store.com/dotcom/shoes/sandals-flip-flops/low-mid-

heel/cat.jump

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 166 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

http://my.awesome.store.com/dotcom/shoes/sandals-flip-flops/wedge-

sandals/cat.jump

http://my.awesome.store.com/dotcom/shoes/sandals-flip-flops/flat-

sandals/cat.jump

http://my.awesome.store.com/dotcom/shows/all-mens-shoes/slippers/cat.jump

http://my.awesome.store.com/dotcom/men/shorts/bermuda-core-beige/prod.jump

http://my.awesome.store.com/dotcom/men/shorts/pleated-core-beige/prod.jump

http://my.awesome.store.com/dotcom/men/shorts/bermuda-awesome-brand-

beige/prod.jump

http://my.awesome.store.com/dotcom/core-proportioned-pants/prod.jump

http://my.awesome.store.com/dotcom/awesome-brand-slender-jean---plus/prod.jump

http://my.awesome.store.com/dotcom/awesome-brand/half-zip-jacket/prod.jump

http://my.awesome.store.com/dotcom/toys/categories/costumes-dress-

up/boys/cat.jump

http://my.awesome.store.com/dotcom/shoes/kids-shoes/boys-shoes/cat.jump

http://my.awesome.store.com/dotcom/toys/gender/boys/cat.jump

http://my.awesome.store.com/dotcom/shoes/boots/ankle-boots-booties/cat.jump

http://my.awesome.store.com/dotcom/shoes/all-womens-shoes/view-all/cat.jump

http://my.awesome.store.com/dotcom/women/awesome-brand/tops-sweaters/cat.jump

http://my.awesome.store.com/dotcom/men/wallets-accessories/backpacks-

bags/cat.jump

http://my.awesome.store.com/dotcom/women/wear-to-work/skirts/cat.jump

A regular expression to include "awesome" or "core" keywords is:

\/dotcom\/((?!awesome|core)[\w-%\/])+(?:cat|prod)\.jump

Configuring Redundant Page Detection

Highly dynamic sites could create an infinite number of resources (pages) that are virtually identical.

If allowed to pursue each resource, the sensor would never be able to finish the scan. The Perform

redundant page detection option compares page structure to determine the level of similarity,

allowing the sensor to identify and exclude processing of redundant resources.

Important! Redundant page detection works in the crawl portion of the scan. If the audit

introduces a session that would be redundant, the session will not be excluded from the scan.

To configure redundant page detection:

1. Select the Perform redundant page detection check box.

2. Configure settings as described in the following table.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 167 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Setting

Description

Page Similarity Indicates how similar two pages must be to be considered redundant. Enter

Threshold (%)

a percentage from 1 to 100, where 100 is an exact match. The default

setting is 95 percent.

Tag attributes Identifies the tag attributes to include in the page structure. Typically, tag

to include

attributes and their values are dropped when determining structure.

Identifying tag attributes in this list adds those attributes and their values

in the page structure. By default, id and class tag attributes are included.

To add tag attributes:

a. Type the attribute name in the Tag item box. Do not include tag

brackets (< and >).

b. Click ADD.

The tag attribute is added to the Tag attributes to include list.

Tip: Certain sites may be primarily composed of one type of tag, such

as <div>. Including these attributes creates a more rigid page match.

Excluding these attributes creates a less strict match.

Enabling SAST Correlation

SAST correlation correlates the static and dynamic findings for your web application in Fortify

Software Security Center. Correlation allows you to see the static findings that were also found in a

dynamic scan. It can help you to prioritize which issues to fix and help verify that those issues are not

false positives.

To enable SAST correlation:

l

Select Enable SAST Correlation.

Enabling Scan Scaling

If the application is configured in a sensor pool that has scan scaling enabled, then the Scan Scaling

check box is available on the Details page.

During a scan, script engines replay TruClient macros and run scripts to reveal the Document Object

Model (DOM) of the application and events on the page. Scan scaling involves automatically creating

multiple pools of these script engines in Kubernetes. In essence, it distributes the work of performing

the scan across multiple script engines, thereby reducing the amount of time it takes to conduct the

scan.

Scan scaling might be beneficial for applications that generally have long-running scans.

For more information, see "Integrating with Kubernetes for Scan Scaling" on page 95.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 168 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

If you enable scan scaling, then the scan inherits the scan scaling settings that are configured in the

sensor pool. Scan scaling adjusts the number of script engine pools to equal the number of crawl and

audit threads in the scan or to the maximum number specified in the sensor pool settings, whichever

is lower. For more information, see "Creating a DAST Sensor Pool" on page 214.

To enable scan scaling:

l

In the Scan Scaling area, select Use scan scaling.

Reviewing Scan Settings

You can review the settings you configured for the scan on the Review page.

After you review the settings, do one of the following:

l

If the settings are correct, type a name for the settings in the Name box.

l

If changes are needed, click the page name in the navigation pane, and then make corrections.

Tip: The names of pages that contain missing information or errors are displayed in red text in

the navigation pane.

When the settings are correct, do one of the following:

l

Save the settings to Fortify Software Security Center (For instructions, see "Saving the Settings to

Software Security Center" below.)

l

Schedule a scan (For instructions, see "Scheduling a Scan" below.)

l

Run a scan (For instructions, see "Running a Scan" on page 171.)

l

Use the settings in the API (For instructions, see "Using the Scan Settings in the DAST API" on

page 171.)

Saving the Settings to Software Security Center

You can save the settings as a template to Fortify Software Security Center. The settings are stored in

XML format along with a JSON object with setting overrides.

To save as a template:

l

Click SAVE.

The file is saved to Fortify Software Security Center.

Scheduling a Scan

You can use the settings for a scheduled scan to be run later.

To schedule a scan:

1. Click SCHEDULE.

The SCAN SCHEDULE dialog box opens.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 169 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

2. Type a name for the scheduled scan in the Name box.

3. Enter a date for the scan to run in the Start Date box.

Tip: To select a date from the calendar, click the calendar icon ( ).

4. Enter a time for the scan to start in the Start Time box.

Note: The schedule uses the time zone from your browser.

5. To schedule a recurring scan, in the Pattern section specify how often to run the scan according

to the following table.

To run...

Then...

Daily

a. Select DAILY.

b. Select a recurrence in the Occur every ___ day box.

Weekly

a. Select WEEKLY.

b. Select a recurrence in the Occur every ___ week box.

c. Select the days to run each week.

Monthly

a. Select MONTHLY.

b. Select a recurrence in the Occur every ___ month box.

c. Do one of the following:

o

Select Occur on day and enter a date in the box.

o

Select Occur on the, and then select an interval from the Interval list

and a day from the Day list.

Note: Interval options are First, Second, Third, Fourth, and Last.

Yearly

a. Select YEARLY.

b. Do one of the following:

o

Select Occur on, and then select a month from the Month list and enter

a date in the Day box.

o

Select Occur on the, and then select an interval from the Interval list, a

day from the Day list, and a month from the Month list.

Note: Interval options are First, Second, Third, Fourth, and Last.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 170 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

6. Under Range, do one of the following:

l

To leave the recurrence open ended, select Never ends.

l

To set an end date, select Ends by, and then enter an end date in the End Date box or enter

the number of occurrences after which to end in the occurrence box.

Note: Entering data into the End Date box automatically updates the occurrence box,

and conversely.

7. Select a dynamic sensor from the Sensor list.

The list of sensors comes from the Fortify Software Security Center sensor pools. Any Available

is the default.

8. (Optional) If you select a sensor that is currently unavailable, another sensor may conduct the

scan instead. To ensure that the selected sensor conducts the scan, select Use this sensor only.

9. Click OK.

The scan schedule is added to the ScanCentral DAST database.

Running a Scan

You can use the settings to run a scan immediately. To run a scan:

1. Click RUN.

The RUN SCAN dialog box opens.

Note: The name you gave to the settings appears in the Name field. You can type a different

name in the field if needed.

2. Select a ScanCentral DAST sensor from the Sensor list.

The list of sensors comes from the Fortify Software Security Center sensor pools. Any Available

is the default.

3. (Optional) If you select a sensor, but it is currently unavailable, another sensor may conduct the

scan instead. To ensure that the selected sensor conducts the scan, select Use this sensor only.

4. Click RUN.

The scan is queued to run.

Using the Scan Settings in the DAST API

You can use the scan settings to conduct a scan from the DAST API.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 171 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

After saving the settings, the GUID in the Settings Identifier field provides a unique identifier for the

settings. You can copy a cURL sample that includes this GUID to use in the API.

Note: This GUID is also known as the CICD Identifier.

If you copy the settings before saving, a placeholder is used for the settings ID. You must manually

update the sample with the settings ID.

To copy the cURL sample:

l

Click the copy to clipboard ( ) icon.

Accessing the DAST API Swagger UI

Complete documentation—including detailed schema, parameter information, sample code, and

functionality for testing endpoints—is included in the DAST API Swagger UI.

To access this information:

l

In your browser, navigate to the DAST API URL using the following format:

http://<ScanCentral_DAST_API_URL>:<Port>/swagger/index.html

Using the Swagger UI

To use the Swagger UI:

1. On the Swagger UI page, click an endpoint category.

2. Click the endpoint method to use.

Detailed schema, parameter information, sample code, and functionality for testing the endpoint

appear.

3. (Optionally) To view a previous version of the DAST API, select the version from the Select a

definition list.

Important! The latest version of the DAST API includes newer functionality than older

versions. For this reason, Fortify recommends that you use the most recent version of the

DAST API.

Using Advanced Settings in Scan Settings

You can edit advanced settings in the Scan Settings Configuration wizard.

Accessing Advanced Settings

At any time while configuring scan settings, you can access the advanced settings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 172 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

To access the advanced settings:

l

Click Advanced Settings in the bottom left navigation.

The ADVANCED SETTINGS panel opens.

Editing Advanced Settings

The following settings are available for editing:

l

"Advanced Settings: Crawl and Audit Mode" below

l

"Advanced Setting: Requestor Performance" below

When you have finished editing the advanced settings, click the hide icon ( ) to close the

ADVANCED SETTINGS panel.

Advanced Settings: Crawl and Audit Mode

The crawl and audit mode advanced setting is available only if the SCAN MODE is set to Crawl and

Audit.

Tip: If you selected Crawl Only or Audit Only on the Target page in the Scan Settings wizard,

you can change it in the advanced settings to enable the crawl and audit mode advanced setting.

To change the crawl and audit mode advanced setting:

l

In the CRAWL AND AUDIT MODE area, select one of the options described in the following table.

Option

Description

Simultaneously

As the sensor maps the site's hierarchical data structure, it audits each

resource (page) as it is discovered, rather than crawling the entire site and

then conducting an audit. This option is most useful for extremely large sites

where the content could change before the crawl can be completed.

Note: This is the default setting.

Sequentially

The sensor crawls the entire site, mapping the site's hierarchical data

structure, and then conducts a sequential audit, beginning at the site's root.

Advanced Setting: Requestor Performance

The requestor performance advanced setting allows you to configure shared or separate requestors,

as well as the maximum number of threads per requestor.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 173 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Using a Shared Requestor

With this option, the crawler and the auditor use a common requestor when scanning a site, and each

thread uses the same state, which is also shared by both modules. This option is suitable for use when

maintaining state is not a significant consideration.

To use a shared requestor:

1. In the REQUESTOR PERFORMANCE area, select Shared from the Requestor Performance

Type drop-down list.

2. In the Requestor thread count box, enter the maximum number of threads (up to 75).

Using Separate Requestors

With this option, the crawler and auditor use separate requestors. Also, the auditor's requestor

associates a state with each thread, rather than having all threads use the same state. This method

results in significantly faster scans.

When performing crawl and audit, you can specify the maximum number of threads that can be

created for each requestor. The Crawl Requestor Thread Count can be configured to send up to 25

concurrent HTTP requests before waiting for an HTTP response to the first request; the default

setting is 5.

The Audit Requestor Thread Count can be set to a maximum of 50; the default setting is 10.

Increasing the thread counts may increase the speed of a scan, but might also exhaust your system

resources as well as those of the server you are scanning.

To use separate requestors:

1. In the REQUESTOR PERFORMANCE area, select Separate from the Requestor Performance

Type drop-down list.

2. In the Crawl Requestor Thread Count box, enter the maximum number of threads (up to 25).

3. In the Audit Requestor Thread Count box, enter the maximum number of threads (up to 50).

Conducting an Automated Scan with FAST

Functional Application Security Testing (FAST) is a lightweight proxy that integrates with Fortify

ScanCentral DAST. FAST provides a way to capture traffic from functional test scripts, such as those

of Selenium, Cucumber, Curl, Postman, Unified Functional Test (UFT), and others. FAST turns the

captured traffic into a workflow macro and sends it to ScanCentral DAST, which uses the macro and

an existing scan settings identifier to conduct a scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 174 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Automation Overview

The automation scenario involves three stages:

1. Start the FAST proxy using a CLI command (or commands).

2. Run functional tests though the FAST proxy.

3. Stop the FAST proxy using a CLI command.

FAST Versions Available

FAST is available in two versions:

l

Windows MSI installer (For more information, see "Using the FAST Windows Version" below.)

l

Linux Docker image (For more information, see "Using the FAST Linux Version" on page 178.)

Using the FAST Windows Version

The following paragraphs describe how to install and use the Windows version of FAST.

Installation Recommendation

Important! Do not install the FAST proxy on the same machine as Fortify WebInspect, a Fortify

WebInspect installation running the sensor service in a DAST environment, or a Fortify

WebInspect sensor being used with Fortify WebInspect Enterprise.

Fortify recommends that you install the FAST proxy on the machine that runs your functional tests,

and then control the FAST proxy using the command line interface (CLI). This installation method

allows you to integrate FAST CLI scripts into your functional testing automation pipeline.

Before You Begin

You will need to following items to conduct an automated scan with FAST:

l

The WIRCServerSetup64-ProxyOnly.msi installer

l

An authentication token from Fortify Software Security Center

l

A settings identifier, or GUID, for scan settings in ScanCentral DAST

l

The ScanCentral DAST API URL

Process Overview

The following table describes the process for conducting an automated scan with FAST.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 175 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Stage Description

1.

Download and install the WIRCServerSetup64-ProxyOnly.msi. For more information,

see "Downloading the FAST Installer" on the next page.

2.

Obtain an authentication token of type CIToken from Fortify Software Security Center.

For more information, see the Micro Focus Fortify Software Security Center User Guide.

Tip: This token is passed as the value for the CIToken in the FAST command.

3.

4.

Obtain a settings identifier from a scan settings file in ScanCentral DAST. For more

information, see "Understanding the Scan Settings Detail Panel" on page 223.

Tip: This token is passed as the value for the CICDToken in the FAST command.

On the machine where you installed the FAST proxy, open the command prompt and

start the FAST proxy.

Tip: The default installation directory for the FAST proxy is C:\Program

Files\Micro Focus WIRC Server\Fast.exe.

The following is an example of the command to start the proxy:

Fast.exe -p <ListeningPort> -u http://<host|ip>:<port>/api/

-CIToken <Base64_encoded_token> -CICDToken <Guid>

You should see a response similar to the following:

0.0.0.0:<ListeningPort>

Listening

For descriptions of these and other FAST command options, see "Understanding the

FAST Options for Windows" on the next page.

5.

6.

Run the traffic from your functional tests through the FAST proxy IP address and port

specified in the start command.

Note: If your functional tests run on the same machine where you installed the

FAST proxy, then you can use 127.0.0.1 for proxy address.

After traffic has been captured, stop the FAST proxy. The following is an example of the

command to stop the proxy:

Fast.exe -p <ListeningPort> -s

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 176 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Stage Description

7.

The ScanCentral DAST instance specified in the <DAST_API_HOST|IP>/api/ option

automatically runs the scan with workflow overrides applied to the settings.

Downloading the FAST Installer

The FAST installer, named WIRCServerSetup64-ProxyOnly.msi, is included in the ScanCentral

DAST download package. It is packaged in a ZIP file named Dynamic_Addons.zip.

Understanding the FAST Options for Windows

The following table describes the FAST options used in the Windows command.

Option

Description

Displays the help.

-h

-p

Specifies the listening port for the FAST proxy.

Example:

-p <port>

Identifies the scan name that will appear in ScanCentral DAST.

For example:

-n

-u

-c

-n <FAST_scan_name>

Specifies the ScanCentral DAST URL.

Example:

-u https://<DAST_API_HOST|IP>:<port>/api/

Optionally, exports the FAST proxy root CA certificate. If your https

application performs certificate validation, you can use this option alone

to install the certificate on your client application to avoid an untrusted

certificate error.

Example:

-c c:\fast_proxy_ca.crt

Optionally when starting the proxy, specifies a regular expression for the

-f

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 177 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Option

Description

allowed hosts for proxy capture.

Example:

-f ".*\.<hostname>\.com"

Optionally when starting the proxy, configures an external proxy server

when the target application does not have direct access from the machine

where the FAST proxy is installed.

-ps

Example:

-ps <host|ip>:<port>

Stops listening.

Example:

-s

-q

-s -p <port>

Runs the FAST proxy in quiet mode. This mode does not display

messages.

Keeps local traffic files after capture.

-k

Specifies the Guid for the scan settings in ScanCentral DAST.

-CICDToken

-CIToken

Specifies the Base64-encoded authentication token from Fortify Software

Security Center.

Using the FAST Linux Version

The following paragraphs describe how to configure and use the Linux Docker image version of FAST.

Options for Accessing Your Functional Tests

To create a macro from your functional tests, the FAST proxy must have access to those tests.

Consider the following options for accessing your functional tests with the Linux Docker image

version of FAST:

1. Run Docker on the machine that runs your functional tests.

2. Run the FAST proxy on a remote Docker host by using a run command similar to the following:

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 178 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

docker -H=your-remote-docker:2375 run

3. Use remote Docker by way of the Docker REST API.

For Docker documentation, see https://docs.docker.com/.

For options 2 and 3, the functional tests can be on any machine with network access to the Docker

host where FAST is running.

Regardless of the option you choose, the Docker host where FAST is running must have network

access to the DAST API to upload the macro.

Process Overview

The following table describes the process of configuring and using the Linux version of FAST.

Stage Description

1.

2.

3.

4.

Prepare a Linux VM machine with Ubuntu 20.04, 18.04, 16.04 LTS x64. This machine

will be the host for the FAST image.

Install Docker Engine on Ubuntu for Linux on the Linux VM machine. For more

information, see https://docs.docker.com/engine/install/ubuntu/.

Pull the FAST Docker image. For more information, see "Pulling the FAST Image" on the

next page.

Obtain an authentication token of type CIToken from Fortify Software Security Center.

For more information, see the Micro Focus Fortify Software Security Center User Guide.

Tip: This token is passed as the value for the CIToken in the FAST command.

5.

Obtain a settings identifier from a scan settings file in ScanCentral DAST. For more

information, see "Understanding the Scan Settings Detail Panel" on page 223.

Tip: This token is passed as the value for the CICDToken in the FAST command.

6.

7.

8.

Run the FAST Docker container. For more information, see "Running the FAST

Container" on the next page.

Run the traffic from your functional tests through the FAST proxy IP address and port

specified in the run command.

After traffic has been captured, stop the FAST proxy. For more information, see

"Stopping the Container" on page 181.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 179 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Stage Description

9.

The ScanCentral DAST instance specified in the <DAST_API_HOST|IP>/api/ option

automatically runs the scan with workflow overrides applied to the settings.

Pulling the FAST Image

After installing the Docker Engine on Ubuntu for Linux and starting the Docker service, you can pull

an image of Fortify FAST from the Fortify Docker repository.

To pull the current version of the Fortify FAST image:

l

At the terminal prompt on the Ubuntu Linux Docker host machine, enter the following commands:

docker pull fortifydocker/fortify-fast:22.2.ubuntu.2004

Running the FAST Container

After you have pulled the image, you can run a container to capture traffic from your functional test

scripts.

To run the container:

l

At the terminal prompt, enter the following commands:

CONTAINER_NAME="fortify-fast"

IMAGE_NAME="fortifydocker/fortify-fast:22.2.ubuntu.2004"

mkdir -p "$HOME/.fast/certs"

docker run --name $CONTAINER_NAME \

-p <port>:<port> \

-v "$HOME/.fast/certs:/etc/fast/certs" \

--rm \

$IMAGE_NAME \

-p <port> \

-u http://<host|ip>:<port>/api/ \

-CIToken <Base64_encoded_token> \

-CICDToken <Guid>

You should see a response similar to the following:

0.0.0.0:<ListeningPort>

Listening

For descriptions of these run command options, see "Understanding the Run Command Options" on

the next page.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 180 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Stopping the Container

After you have captured the traffic, you can stop the container and upload the results to ScanCentral

DAST.

To stop the container:

l

At the terminal prompt, enter the following command:

docker exec $CONTAINER_NAME fast -p <port> -s

Understanding the Run Command Options

The following table describes the options used in the run command.

Option

Description

Specifies the name of your Fortify FAST

--name

container. Any string is valid. In the sample code,

the name is taken from the CONTAINER_

NAME="fortify-fast" command.

Publishes the container's main TCP ingress port

to the host.

-p <port>:<port>

For example:

-p 8087:8087

Adds a volume for a Fortify FAST auto-

generated certificates directory. This directory

safeguards the certificates in case the Fortify

FAST container needs to be removed or

upgraded.

-v

"$HOME/.fast/certs:/etc/fast/certs"

\

Automatically removes the container when it

exits.

--rm

Specifies the listening port for the FAST proxy.

For example:

$IMAGE_NAME \

-p <port>

-p 8087

Specifies the ScanCentral DAST URL.

-u http://<host|ip>:<port>/api/

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 181 of 338

Configuration and Usage Guide

Chapter 4: Configuring a Scan

Option

Description

For example:

-u https://dast-web-api:64814/api/

Specifies the Guid for the scan settings in

ScanCentral DAST.

-CICDToken

-CIToken

-s

Specifies the Base64-encoded authentication

token from Fortify Software Security Center.

Stops listening.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 182 of 338

Chapter 5: Working with Scans

You can view the scans that are available in the ScanCentral DAST database in the Scans list. You can

also start a new scan, refresh the scan list, delete scans, and download scans, settings, and logs. You

can pause, stop, and resume scans that are currently running, and re-import completed scans that

failed to import. You can view details about each scan in the scan detail panel.

Accessing DAST Scans in Software Security Center

After you configure your Fortify ScanCentral DAST environment and enable DAST in the

ADMINISTRATION view in Fortify Software Security Center, you can work with DAST scans directly in

Fortify Software Security Center.

To access DAST scans in Fortify Software Security Center:

l

Select SCANCENTRAL > DAST.

The scans list appears.

User Role Determines Capabilities

Your user role and permissions in Fortify Software Security Center determine which tasks you can

perform on applications and DAST scans, sensors, sensor pools, settings, and scan schedules. For

more information, see "Permissions in Fortify Software Security Center" on page 35.

Understanding the Scans List

The Scans list table displays the scans that are available in the ScanCentral DAST database.

You can select the information you want to display, as well as customize other aspects of the table.

For more information, see "Working with Tables" on page 114.

The following table describes the columns of information that are available for each scan.

Column

Scan Id

Description

Indicates the integer ID in the ScanCentral DAST database for the scan.

Note: Each scan is assigned an integer ID when it is added to the

ScanCentral DAST database.

Application

Indicates the application that was selected when the scan was configured.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 183 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

Version

Description

Indicates the version that was selected when the scan was configured.

Tip: The versions listed in this column are links. You can click a link to

open the Application Version Overview in a new tab in Fortify Software

Security Center.

Name

Url

Indicates the name of the scan. This is the name that was assigned in the scan

settings.

Identifies the target URL for the scan.

Critical

High

Indicates the number of findings for each severity category in the scan. For

more information, see "Understanding Vulnerability Severity" on page 201.

Medium

Low

Started On

Indicates the date and time that the scan started. The start time is stored in

the dynamic scan database as UTC time and is converted to the local machine's

system time when displayed in the user interface.

Status

Indicates the current status of the scan. Possible statuses are as follows:

l

Queued – The scan has been submitted and is waiting for an available

sensor.

l

Pending – The scan has been accepted by a sensor but is waiting for the

sensor to acknowledge that it has accepted and started the scan.

l

License Unavailable - No license is available for a sensor to start the scan.

The scan remains in the queue until a license is available for use.

Note: If the Use this sensor only option was not selected when the

scan was submitted, the scan will use any available sensor in the

assigned pool.

l

Paused – The sensor might have accepted the scan but not yet started it, or

the user might have paused the scan so that it is not in a running state.

l

Running – The sensor is actively conducting the scan.

l

Complete – The sensor has finished the scan and results are available. If the

Submit for triage option was selected during scan configuration, then the

scan has been published to Fortify Software Security Center, where you can

perform audit analysis of the findings.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 184 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

Description

l

Interrupted – Something went wrong with the sensor that was conducting

the scan. For example, the sensor heartbeat has expired.

l

Unknown – The scan failed to complete for an unknown reason.

l

Importing – The scan is being imported from the ScanCentral DAST

database and published to Fortify Software Security Center.

l

Import Failed – Something went wrong while importing a .fpr or .scan

file from the sensor to the ScanCentral DAST database.

l

Import Scan File Queued – The .scan file has been uploaded to

ScanCentral DAST and is being saved to the database so that it can be

processed by the Utility Service.

l

Pending Scan File Import – The .scan file was successfully saved to the

database and is waiting to be processed by the Utility Service.

l

Importing Scan File – The Utility Service is importing the .scan file.

l

Failed to Import Scan File – Something went wrong while uploading and

saving the .scan file to the database or during processing of the file.

l

Failed to Start – A sensor accepted the scan, but the scan failed to start.

Possible reasons include:

l

The Fortify Software Security Center DAST API is not running.

l

The connection to the ScanCentral DAST database has been lost.

l

Communication with the sensor has been lost.

l

The sensor failed to start.

l

The scan settings contain errors or invalid settings.

l

Pausing – The user has paused the scan, which now displays this

transitional state before changing to Not Running.

l

Resuming – The user has resumed the scan, which now displays this

transitional state before changing to Running.

l

Completing Scan – The user has paused the scan and subsequently clicked

Complete, which stops the scan at that point and processes it as an

incomplete scan.

Tip: You can perform the same analysis and operations on an

incomplete scan as you can a completed scan.

l

Resume Scan Queued – The user resumed a paused scan and the scan is

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 185 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

Description

waiting for the sensor to become available.

l

Forced Complete – The user paused a scan and subsequently clicked

Complete. The scan completed with partial results.

Status Reason

Indicates the reason for Paused, Pausing, Resuming, Resume Scan Queued,

Running, and Forced Complete statuses. Possible reasons are Deny Interval,

Scan Priority, and Deny Interval User Paused. For more information, see

"Working with Deny Intervals" on page 232, "Understanding Advanced Scan

Prioritization" on page 159 , and "Configurin g Scan Priority" on page 159 .

The following paragraphs describe the combined status and status reasons:

l

Paused / Deny Interval – The scan was running when a deny interval

started. The scan is now paused until the deny interval ends.

l

Paused / Deny Interval User Paused – The scan was paused by a user, but

has since entered a deny interval.

l

Paused / Scan Priority – The scan was running when a higher-priority scan

started. The scan is now paused until the higher-priority scan completes or

another sensor accepts the scan.

l

Pausing / Deny Interval – The scan was running when a deny interval

started. The scan now displays this transitional state before changing to

Paused Deny Interval.

l

Pausing / Scan Priority – The scan was running when a higher-priority

scan started. The scan now displays this transitional state before changing

to Paused Scan Priority.

l

Resuming / Deny Interval – The scan was paused for a deny interval, but

the deny interval has ended. The scan now displays this transitional state

before changing to Running.

l

Resuming / Scan Priority – The scan was paused for a higher-priority scan.

The scan now displays this transitional state before changing to Running

Scan Priority.

l

Resume Scan Queued / Deny Interval – The scan was paused due to a

deny interval which has ended, so the scan is queued to be resumed.

l

Resume Scan Queued / Scan Priority - The scan was paused for a higher-

priority scan which has completed, so the scan is queued to be resumed.

l

Running / Deny Interval – The scan was paused for a deny interval. The

deny interval has ended and the sensor is actively conducting the scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 186 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

Description

l

Running / Scan Priority – The scan was paused for a higher-priority scan.

The higher-priority scan has completed or another sensor has accepted the

scan and is actively conducting it.

l

Forced Complete / Deny Interval – The scan was running when a deny

interval started. The scan stopped and completed with partial results.

Duration

Requests

Indicates how long the scan ran before completion. For scans that are not

completed, the column displays the last known duration that was received from

the sensor.

Indicates the total number of requests sent during the scan.

Macro Playbacks Indicates the number of times that macros have been played during the scan.

Priority

Indicates the scan priority from 0 through 10. For more information, see

"Configuring Scan Priority" on page 159.

Purge date

If data retention is enabled, indicates the date when the scan will be purged

from the database. The number in parentheses indicates the number of days

until the purge date.

Publish Status

Indicates whether the scan has been published to Fortify Software Security

Center. Possible statuses are as follows:

l

Not Published – The .fpr file has not been published.

l

Published – The .fpr file has been published.

l

Failed to Publish – ScanCentral DAST attempted to publish the .fpr file,

but it failed. Fortify Software Security Center might be down or there might

be a network issue.

Publish Status

Reason

Indicates why the .fpr file was not published to Fortify Software Security

Center. Only applicable when the Publish Status is Not Published or Failed to

Publish.

Possible reason is Artifact is too large.

Important! The files you upload to Fortify Software Security Center must

not exceed 2GB.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 187 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Understanding the Scan Detail Panel

When you click a scan in the Scans list, the scan detail panel appears to the right. The scan detail

panel provides options to view, rescan, download, and publish completed scans. For more information,

see the following:

l

"Viewing Scan Results" on page 199

l

"Rescanning an Application" on page 195

l

"Downloading a File" on page 198

l

"Publishing to Fortify Software Security Center" on page 193

In addition to these options, the scan detail panel provides information about the scan, as described in

the following paragraphs.

Findings by Severity

The number of findings for each severity category in the scan appears at the top of the panel. From

left to right, the severity categories are: Critical, High, Medium, and Low.

Additional Scan Details

The detail panel displays the same information that is displayed in the Scans list for the selected scan,

as well as the information described in the following table.

Item

Description

Created On

Indicates the date and time that the scan was created in the dynamic scan

database and queued to be run.

Scan Type

Indicates the type of scan selected during scan configuration: Standard Scan,

Workflow-Driven Scan, or API Scan.

Status Update

Indicates the date and time that the sensor last reported its status.

Has Site

Indicates whether site authentication was used to conduct the scan. Possible

Authentication

values are Yes and No.

Has Network

Indicates whether network authentication was used to conduct the scan.

Authentication

Possible values are Yes and No.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 188 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Item

Description

Has API Auth

Credentials

For API scans, indicates whether authentication was used to conduct the scan.

Possible values are Yes and No.

Failed Requests Shows the number of failed requests that occurred during the scan.

KB Sent / KB

Received

Shows the total number of kilobytes sent and received during the scan.

Pool

Identifies the pool to which the sensor belongs in Fortify Software Security

Center.

Use Scan Scaling Indicates whether scan scaling was enabled. Possible values are Yes and No.

Policy Identifies the dynamic policy that was used to conduct the scan.

Completed Date Indicates the date and time that the scan finished. Available only for scans

with a "Complete" status. For more information, see "Understanding the Scans

List" on page 183.

Sensor

Indicates the name of the dynamic sensor that conducted the scan.

Publish Status

Update

Indicates the date and time that the scan was published to Fortify Software

Security Center.

Scan Schedule

Purge date

If the scan is the result of a schedule, indicates the name of the schedule.

If data retention is enabled, indicates the date when the scan will be purged

from the database. The number in parentheses indicates the number of days

until the purge date.

Working with Active Scans

You can pause, stop, resume, and re-import active scans in the Scans list. The actions that you can

take depend on the current status of the scan. Active scans are those that do not show a status of

Complete.

Pausing a Scan

You can pause a scan that has a status of Running.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 189 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

To pause a scan, do one of the following:

l

In the scans list, click the pause icon ( ) for the scan you want to pause.

l

In the scan detail panel for a selected scan, click the pause icon ( ).

The scan is paused.

Stopping a Scan

You can stop a scan that has a status of Not Running, Interrupted, Unknown, or Queued.

To stop a scan, do one of the following:

l

In the scans list, click the stop icon ( ) for the scan you want to stop.

l

In the scan detail panel for a selected scan, click the stop icon ( ).

The scan is stopped.

Resuming a Scan

You can resume a scan that has a status of Not Running or Interrupted.

To resume a scan, do one of the following:

l

In the scans list, click the start icon ( ) for the scan you want to resume.

l

In the scan detail panel for a selected scan, click the start icon ( ).

The scan is resumed.

Re-importing a Scan

If the "Submit for triage" option was selected during scan configuration, the scan is imported to Fortify

Software Security Center upon completion. Importing a scan could take some time, during which the

status in the scans list is "Importing." The status changes to "Import Failed" if unsuccessful. You can

attempt to re-import a scan with the "Import Failed" status.

To re-import a scan, do one of the following:

l

In the scans list, click the retry icon ( ) for the scan you want to re-import.

l

In the scan detail panel for a selected scan, click the retry icon ( ).

Another attempt is made to import the scan.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 190 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Working with Alerts

Alerts occur when situations arise that could adversely affect scan performance or results. Alerts

dealing with scan settings may provide you with suggested settings changes to improve performance

of future scans. Other alerts may provide actionable information to help with a scan that is currently

running.

Tip: The alerts feature includes sample intervals and active intervals. Sample interval alerts may

occur as often as once per minute on the ALERTS tab. Although these alerts may not indicate a

functional issue with the scan, if the number of alerts received becomes problematic, contact

Fortify Customer Support for assistance in disabling the alerts feature. For more information, see

"Preface" on page 21.

Accessing Alerts

If a scan has an active and unacknowledged alert, it will be highlighted in orange in the Scans list.

When you click the scan, the detail panel appears to the right with an ALERTS tab. The number of

unacknowledged alerts appears in a red circle next to the ALERTS tab.

Note: Alerts are written to the scan log in near real time. However, you must refresh the page to

view updates to the ALERTS tab.

To access the alerts:

1. Click the highlighted scan in the Scans list.

The scan detail panel, now with an ALERTS tab, appears to the right.

2. Click the ALERTS tab.

The alerts that the scan triggered are listed.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 191 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Understanding the ALERTS Tab

The ALERTS tab displays the following categories of alerts:

l

NEW – Lists the alerts that are active and have not yet been acknowledged. The number of alerts

listed in this category should match the number displayed in the red circle.

l

ACTIVE – Lists the alerts that are active and have been acknowledged. These alerts are still

affecting the scan.

l

HISTORY – Lists alerts that are no longer active, but that occurred during the scan. These alerts

are no longer affecting the scan.

Note: After the scan has completed or been forced to complete, all alerts become historical alerts.

Acknowledging New Alerts

To acknowledge an alert in the NEW category:

1. On the ALERTS tab, click the alert.

A check mark appears next to the alert, indicating that the alert is selected.

2. Click MARK AS ACKNOWLEDGED.

The alert is moved to the ACTIVE category.

Important! Acknowledging an alert does not resolve the issue that caused the alert. You must

perform troubleshooting to determine the cause and resolve it. For more information, see

"Troubleshooting Alerts" on page 317.

Managing the DAST Scans List

You can configure and submit a new scan, refresh the scans list, publish scans to Fortify Software

Security Center, and delete scans from the scans list on the Scans page. You can also import .scan

files. For more information, see "Importing a Scan" on page 194.

Starting a New Scan

You can configure new settings or use existing settings, and then run a scan, which queues the scan in

the scans list.

To configure settings or use existing settings for a new scan:

l

Click + NEW SCAN.

The SETTINGS CONFIGURATION wizard opens.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 192 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Refreshing the Scans List

You must manually refresh the scans list to see new scans that have been queued or scan statuses

that have changed.

To view an updated list of scans:

l

Click REFRESH.

Publishing to Fortify Software Security Center

You can publish FPR artifacts to Fortify Software Security Center.

Note: If a scan does not have FPR artifacts, the publish icon is not available.

To publish FPR artifacts for a scan:

l

Do one of the following:

l

In the scans list, click the publish icon ( ) for the scan whose FPR artifacts you want to publish.

l

In the scan detail panel for a selected scan, click the publish icon ( ).

The FPR artifacts are published to the Fortify Software Security Center database.

Deleting a Scan

The scans displayed in the scans list come from the ScanCentral DAST database. You can delete

scans from the database that you no longer need, depending on the scan status. Deleting scans from

the database has no effect on scans that have already been published to Fortify Software Security

Center.

You can delete scans that have a status of Complete, Queued, Pending, Failed to Start, Import Failed,

Interrupted, Not Running, and Unknown.

To delete a scan, do one of the following:

l

Select one or more check boxes for scans in the scans list, and then click DELETE at the bottom of

the list.

l

Select a scan to view the scan details, and then click DELETE at the bottom of the scan details

panel.

Using the Force Delete Option

In some cases, scans may not be deleted from the ScanCentral DAST database after you click the

delete button. When this occurs, a user with administrator-level privileges can force the deletion of

the scan. For more information, see "Permissions in Fortify Software Security Center" on page 35.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 193 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

To force delete a scan:

1. Select one or more check boxes for scans in the scans list, and then click DELETE at the bottom

of the list.

The Delete Scans dialog opens.

2. Select Force delete, and then click OK.

Note: The Force delete option is available only for users with administrator-level privileges.

Importing a Scan

You can import a .scan file that was created by Fortify WebInspect or another ScanCentral

DAST sensor. Afterward, the imported scan settings, scan results, scan logs, site tree, and FPR are

available for download or for publishing to Fortify Software Security Center.

Important! The Utility Service starts the import process, and the Global Service completes the

import process. Hence, both services must be running to import a scan.

To import a scan:

1. On the Scans page, click the + NEW SCAN drop-down arrow and select Import scan.

The SCAN IMPORT dialog box opens.

2. In the APPLICATION area, select an application to associate with the scan being imported.

Tip: You can search for the application and application version. For more information about

searching, see "Searching in Input Boxes" on page 125.

3. In the APPLICATION VERSION area, select a version to associate with the scan being imported.

4. In the IMPORT SCAN area, click IMPORT.

A standard Windows Open dialog box appears.

5.

Locate and select the .scan file to import, and then click Open.

6. If the scan already exists in the ScanCentral DAST database, you are prompted with the following

options:

l

CANCEL – Stops the import

l

CREATE – Creates a new scan with a new Fortify WebInspect scan ID

l

REPLACE – Replaces the existing scan with the contents of the scan being imported

l

OPEN – Opens the existing scan

7. (Optional) To submit the completed scan for triage in Fortify Software Security Center, select

Submit for triage. Submitting for triage allows you to perform audit analysis of the findings so

that you can assign a user and an analysis value to the findings.

A FILE UPLOAD dialog box shows the progress.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 194 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Important! It might take some time for large scans to complete the import process. After the

initial phase, the dialog box shows the "parsing" phase. Fortify recommends that you do not

cancel the import during the parsing phase. Doing so will cause the scan to be queued for

import. However, the scan will not import, and you will need to delete the scan.

For information about scan statuses related to importing a scan, see "Understanding the Scans List"

on page 183.

Tip: If the import fails, check the Global Service and Utility Service log files. For more information,

see "Locating Log Files" on page 307.

Rescanning an Application

The rescan feature allows you to easily rescan an application from an existing scan. This feature is

useful for conducting an identical scan of an updated site (using the same settings that were used for

the original scan) to determine if previously discovered vulnerabilities have been fixed and if new

ones have been introduced.

To rescan an application:

1. Do one of the following:

l

In the scans list, click the rescan icon ( ) for the scan whose application you want to rescan.

l

In the scan detail panel for a selected scan, click the rescan icon ( ).

The RUN SCAN dialog box opens.

2. (Optional) in the Name box, enter a name for the scan.

Tip: The original scan name is prepopulated in the Name box. Prepending the original name

with "Rescan_" might help you to identify scan results for rescanned applications in your

scans list.

3. Select a ScanCentral DAST sensor from the Sensor list.

The list of sensors comes from the Fortify Software Security Center sensor pools. Any Available

is the default.

4. (Optional) If you select a sensor, but it is currently unavailable, another sensor may conduct the

scan instead. To ensure that the selected sensor conducts the scan, select Use this sensor only.

5. Click RUN.

The scan is queued to run.

Downloading DAST Scans, Settings, and Logs

You can download a scan settings file (.xml format) from the ScanCentral DAST database to your

local machine for any scan in the Scans list, except certain scans with the License Unavailable status.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 195 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

(For more information, see "License Unavailable Scan Status" below.) Depending on the status of the

associated scan, you can also download a log file, the site tree (.csv format), or the scan results

(.scan or .fpr format).

Note: You must have Fortify WebInspect, Log Viewer, Site Explorer, Traffic Viewer, or another

Fortify WebInspect tool on your local machine to work with the log file or scan results.

Important! While downloading a file, you must keep the browser open. Closing the browser will

end the download prematurely.

Important Information about Settings

Settings that do not exist in Fortify WebInspect, such as Scan Priority, Submit for Triage, Enable SAST

Correlation, and so forth, will not be exported when exporting ScanCentral DAST settings. If you have

multiple ScanCentral DAST environments, and you export settings from one environment to another,

settings that do not exist in Fortify WebInspect will be dropped. However, when performing an

upgrade from the previous version of ScanCentral DAST to the current version, these settings are

successfully migrated.

Paused Scans

Anytime a scan is paused—by a user, due to scan priority, or due to deny interval—the partial scan

results are uploaded to the ScanCentral DAST database and are available for download. After the

partial results have been uploaded, the scan is deleted from the sensor.

ScanCentral DAST does not send the results to Fortify Software Security Center until the scan is

complete or forced complete.

License Unavailable Scan Status

If a scan has not started because a license is unavailable, then scan settings are not created.

Therefore, no file types are available for download for these scans with the License Unavailable

status.

However, if a scan is paused and then resumed, but no license is available, then scan settings, scan

results, site tree, and scan log files are available for download for these scans with the License

Unavailable status.

File Types Available

The following table describes the file types that are available for download for each scan status.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 196 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

File Types Available for Download

Scan Result /

Site Tree /

Scan Status / Status Reason

Complete

Scan Settings

FPR

Scan Logs

x

Completing Scan

Failed to Start

1

x

Forced Complete

x

Forced Complete / Deny Interval

2

x

Import Scan File Queued

Pending Scan File Import

Importing Scan File

Failed to Import Scan File

Importing

x

Import Failed

Interrupted

x

Not Running

3

x

Paused

Paused / Deny Interval

Paused / Deny Interval User Paused

Paused / Scan Priority

Pausing

Pausing / Deny Interval

Pausing / Scan Priority

x

Pending

1

Scans with a Forced Complete status might not have scan results or a site tree, depending on when

the scan was stopped. For this reason, Scan Result and Site Tree might not be available file types to

download.

2

Only Scan Results are available for these import statuses.

3

Scans with a Paused status do not include an FPR and cannot be published to Fortify Software

Security Center.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 197 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

File Types Available for Download

Scan Result /

Site Tree /

Scan Status / Status Reason

Scan Settings

FPR

Scan Logs

Queued

x

Resume Scan Queued

Resume Scan Queued / Deny Interval

Resume Scan Queued / Scan Priority

Resuming

Resuming / Deny Interval

Resuming / Scan Priority

x

Running

Running / Deny Interval

Running / Scan Priority

Unknown

For more information about the scan statuses, see "Understanding the Scans List" on page 183.

Downloading a File

To download a file for a scan:

1. Do one of the following:

l

In the scans list, click the download icon ( ) for the scan whose file you want to download.

l

In the scan detail panel for a selected scan, click the download icon ( ).

The DOWNLOAD dialog box opens.

2. Select the file type to download from the list.

Tip: To view the scan results in Site Explorer, you must select Scan Result.

Note: The available file types to download depend on the scan status. For details, see "File

Types Available" on page 196.

3. Click DOWNLOAD.

By default, the file is downloaded to the folder on your local machine that is specified in your

browser settings for downloads.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 198 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Viewing Scan Results

You can examine the scan results for scans with a status of Complete or Forced Complete. For more

information about scan statuses, see "Understanding the Scans List" on page 183.

To view scan results:

1. In the Scans list, click the scan that you want to view.

The scan detail panel appears to the right.

2. Click VIEW SCAN.

The scan opens in a new tab with the scan name displayed.

Tip: If you run a scan in ScanCentral DAST, the findings are automatically imported. If the

completed scan fails to import or if the completed scan was not conducted in ScanCentral

DAST, the button will be labeled IMPORT FINDINGS. When this occurs, you must import the

findings before you can view the scan.

Working with the Site Tree

By default, the Site Tree displays an unfiltered tree view of all traffic that was generated during the

scan. The tree includes a list of hosts and all sub-directories within those hosts. In this view, you can

select a top-level host and expand the sub-directories to examine the requests and responses that

occurred at each level. To display the requests that were made to a resource, select the resource in

the Site Tree.

Site Tree Icons

The following table identifies the icons that appear in the Site Tree.

Icon

Name

Represents

Server/host

The top level of your site's tree structure

Note: You might have multiple server/host icons in your

site tree representing different protocols and ports.

/

Folder

Page

A directory

A file

Using Breadcrumbs

When you select a resource in the Site Tree, breadcrumbs appear at the top of the Findings and

Traffic tables, similar to the sample shown here.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 199 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Breadcrumbs provide a visual aid that indicates the location of the resource within the website’s

hierarchy. You can click a breadcrumb in the path to view findings or traffic for that resource.

To filter the findings or traffic for a specific resource listed in the breadcrumbs:

l

Click the resource in the breadcrumbs.

For example, if you want to view all findings or traffic for the extjs folder shown in the previous

image, click extjs.

The selected resource becomes the final breadcrumb and the Findings and Traffic tables are

updated to show only data for the selected resource.

To remove the filter completely:

l

Click the clear breadcrumbs icon ( ) at the end of the breadcrumbs.

The breadcrumbs are removed and the findings and traffic data are no longer filtered.

Understanding the Findings Table

The Findings table lists information about each vulnerability discovered during an audit of your web

presence. Each row (or session) in the Findings table represents a single finding.

You can select the information you want to display, as well as customize other aspects of the table.

For more information, see "Working with Tables" on page 114.

Available Columns

The following table describes the available columns.

Column

Description

Severity

A relative assessment of the vulnerability, ranging from low to critical. For

more information, see "Understanding Vulnerability Severity" on the next page.

Check ID

Name

The identification number of a Fortify WebInspect probe that checks for the

existence of a specific vulnerability. For example, Check ID 742 tests for

database server error messages.

A Fortify WebInspect probe for a specific vulnerability, such as Cross-site

Scripting, Unencrypted Log-in Form, and so on.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 200 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

URL

Description

The hierarchical path to the resource along with parameters.

The name of the vulnerable parameter.

Parameter

Name

Parameter

Value

The value assigned to the vulnerable parameter.

CWE

The Common Weakness Enumeration identifier(s) associated with the

vulnerability.

Method

The HTTP request method used for the attack.

Kingdom

The vulnerability category from the Seven Pernicious Kingdoms taxonomy for

ordering and organizing vulnerabilities. For more information, see

https://vulncat.fortify.com/.

Session ID

The unique session ID for the request and response in the DAST database.

Understanding Vulnerability Severity

Every check in Fortify's SecureBase includes a severity. The severity is determined and assigned by

Fortify Security Researchers.

Severity Descriptions

Severity descriptions are as follows:

l

Low – Interesting issues, or issues that could potentially become more severe.

l

Medium – Non-HTML errors or issues that could be sensitive.

l

High – Generally, the ability to view source code, files out of the Web root, and sensitive error

messages.

l

Critical – An attacker might have the ability to execute commands on the server or retrieve and

modify private information.

How Severity is Determined

When assigning a severity, Fortify Security Researchers consider the real world impact of the

vulnerability, including the following aspects:

l

The maximum damage that could result if the vulnerability were exploited

l

The conditions of the issue that the check can detect

l

Any related Common Vulnerabilities and Exposures (CVEs)

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 201 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

The Research Team then debates to reach consensus and assigns a number as described in the

following table.

Assigned Number

0 - 9

Severity

1

Normal

2

10

Information

Low

11 - 25

26 - 50

Medium

High

51 - 75

76 - 100

Critical

1

2

This severity is not displayed in ScanCentral DAST findings.

Working with Findings

You can view the vulnerabilities discovered during the scan on the Findings tab, which includes the

Findings table and the Vulnerability Description, HTTP, and Steps tabs.

Tip: Remember that selecting a resource in the Site Tree filters the data to that resource in the

Findings table. For more information, see "Working with the Site Tree" on page 199.

Viewing the Vulnerability Description

The Vulnerability Description tab displays content from SecureBase related to the selected

vulnerability. In addition to a detailed description of the vulnerability, the SecureBase content might

include information on how to verify the issue, possible implications if the issue is not fixed,

remediation information, and links to additional references.

To view the Vulnerability Description:

l

Select a finding in the FINDINGS table.

The VULNERABILITY DESCRIPTION tab displays information about the vulnerability.

Viewing the Request and Response

The HTTP tab includes the request and response session details for the selected vulnerability.

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 202 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

To view the request and response:

1. Select a finding in the FINDINGS table.

2. Click the HTTP tab.

In the REQUEST area, the attack is highlighted. In the RESPONSE area, the vulnerability is

highlighted.

Viewing Steps

The Steps tab displays the route taken by the sensor to arrive at the session selected in the Findings

table. Beginning with the parent session (at the top of the list), the sequence reveals the subsequent

URLs visited and provides details about the scan methodology.

To view the steps:

1. Select a finding in the FINDINGS table.

2. Click the Steps tab.

The STEPS table displays the route taken by the sensor to arrive at the session selected.

To close the Steps tab, do one of the following:

l

Press the ESC key.

l

Click the Steps tab again.

Understanding the Traffic Table

The Traffic table displays all traffic generated during the scan, enabling you to explore the traffic for

the entire scan.

You can select the information you want to display, as well as customize other aspects of the table.

For more information, see "Working with Tables" on page 114.

Available Columns

The following table describes the available columns.

Column

Request Start

Request End

Host

Description

The date and time the sensor started sending the request.

The date and time the sensor finished sending the request.

The top-level URL of the target web site.

Port

The port number over which the requests were sent.

The hierarchical path to the resource on the web server.

Path

Micro Focus Fortify ScanCentral DAST (22.2.0)

Page 203 of 338

Configuration and Usage Guide

Chapter 5: Working with Scans

Column

Method

Status

Description

The HTTP request method used, such as GET, POST, and PUT.

The HTTP status code returned from the host. For more

information, see "HTTP Status Codes" on page 334.