Micro Focus  
Fortify WebInspect  
Software Version: 22.2.0  
Windows® operating systems  
Tools Guide  
Document Release Date: November 2022  
Software Release Date: November 2022  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2004-2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
This document was produced on November 14, 2022. To check for recent updates or to verify that you are using the most  
recent edition of a document, go to:  
About this PDF Version of Online Help  
This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help  
information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a  
web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those  
topics can be successfully printed from within the online help.  
Micro Focus Fortify WebInspect (22.2.0)  
Page 2 of 364  
Preface
Contacting Micro Focus Fortify Customer Support
Visit the Support website to:
• Manage licenses and entitlements
• Create and manage technical assistance requests
• Browse documentation and knowledge articles
• Download software
• Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Software Release / Document Version: 22.2.0
Changes:
Updated:
• Traffic Viewer browser for proxy mode to TruClient with Firefox. See
• Two-factor authentication content with guideline for proper location of
Removed:
• Web Form Editor General setting option for selecting browser to use.

Software Release / Document Version: 22.1.0
Changes:
Added:
• Information related to opening existing files in the Traffic Viewer. See
Updated:
• List of policies in Policy Manager with description of the Aggressive Log4Shell and OAST policies. See "Policies" on page 84.
• Site Explorer content related to viewing ScanCentral DAST scans. See
• Session-based Web Macro Recorder content to include support for HAR files. See "Toolbar" on page 227.
• Web Macro Recorder with Macro Engine 7.0 procedures for using two-factor authentication in login macros. See "Using Two-factor
• Web Proxy content to include support for HAR files. See "Web Proxy" on

Software Release / Document Version: 21.2.0
Changes:
Added:
• Chapter documenting Web Fuzzer. See "Web Fuzzer" on page 210.
• Procedures for using two-factor authentication in login macros. See
Updated:
• Viewing ScanCentral DAST scans in Site Explorer. See "Site Explorer" on
• Content for Web Macro Recorder with Macro Engine 6.1:
  ◦ Functions tab and Flow Control tab with steps with Wait for 2FA and Two-factor authentication steps. See "Using the Steps Box" on
  ◦ Content related to settings with details for configuring a server and a mobile application for two-factor authentication. See "Configuring
  ◦ Logout conditions content with workaround for logout conditions from earlier Web Macro Recorder versions. See "Working with Logout

Software Release / Document Version: 21.1.0
Changes:
Added:
• Chapter documenting Site Explorer. See "Site Explorer" on page 109.
• Procedures for using the search feature in Web Macro Recorder with
Updated:
• Content for Policy Manager:
  ◦ List of audit engines to include Hacker Level Insights and WAF Detection. See "Audit Engines" on page 90.
  ◦ List of policies with description of the NIST-SP80053R5 policy. See
• Content for Web Macro Recorder with Macro Engine 6.0:
  ◦ Icons and UI elements in multiple topics. For an overview, see
  ◦ Toolbox references and replaced with Steps box. See "Using the
  ◦ Procedures for using parameters with new masking feature. See
  ◦ Browser settings with updated HTTP Header setting. See
Removed:
• Procedure for viewing snapshots from Macro Recorder with Macro Engine 6.0 content.
Chapter 1: Welcome to Micro Focus Fortify WebInspect Tools
About Fortify WebInspect Tools  
Fortify WebInspect Tools is a robust set of diagnostic and penetration testing tools and configuration  
utilities packaged with Fortify WebInspect and Micro Focus Fortify WebInspect Enterprise.  
The tools provided in Fortify WebInspect Enterprise are a subset of the tools provided in Fortify  
WebInspect. The chapters in this guide that describe tools that are provided in Fortify WebInspect but  
not in Fortify WebInspect Enterprise have titles that end with “(Fortify WebInspect Only).”  
Using Tools with a Proxy  
When using tools that incorporate a proxy, you may encounter servers that do not ask for a client  
certificate even though a client certificate is required. To accommodate this situation, you must edit  
the SPI.Net.Proxy.Config file.  
Related Documents  
This topic describes documents that provide information about Micro Focus Fortify software  
products.  
Note: You can find the Micro Focus Fortify Product Documentation at  
https://www.microfocus.com/support/documentation. Most guides are available in both PDF and  
HTML formats. Product help is available within the Fortify LIM product and the Fortify  
WebInspect products.  
All Products
The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.

Document / File Name: About Micro Focus Fortify Product Software Documentation (About_Fortify_Docs_<version>.pdf)
Description: This paper provides information about how to access Micro Focus Fortify product documentation.
Note: This document is included only with the product download.

Document / File Name: Micro Focus Fortify License and Infrastructure Manager Installation and Usage Guide (LIM_Guide_<version>.pdf)
Description: This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform.

Document / File Name: Micro Focus Fortify Software System Requirements (Fortify_Sys_Reqs_<version>.pdf)
Description: This document provides the details about the environments and products supported for this version of Fortify Software.

Document / File Name: Micro Focus Fortify Software Release Notes (FortifySW_RN_<version>.pdf)
Description: This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation.

Document / File Name: What's New in Micro Focus Fortify Software <version> (Fortify_Whats_New_<version>.pdf)
Description: This document describes the new features in Fortify Software products.
Micro Focus Fortify ScanCentral DAST
The following document provides information about Fortify ScanCentral DAST. Unless otherwise noted, it is available on the Micro Focus Product Documentation website at https://www.microfocus.com/support/documentation.

Document / File Name: Micro Focus Fortify ScanCentral DAST Configuration and Usage Guide (SC_DAST_Guide_<version>.pdf)
Description: This document provides information about how to configure and use Fortify ScanCentral DAST to conduct dynamic scans of Web applications.
Micro Focus Fortify WebInspect
The following documents provide information about Fortify WebInspect. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/support/documentation.

Document / File Name: Micro Focus Fortify WebInspect Installation Guide (WI_Install_<version>.pdf)
Description: This document provides an overview of Fortify WebInspect and instructions for installing Fortify WebInspect and activating the product license.

Document / File Name: Micro Focus Fortify WebInspect User Guide (WI_Guide_<version>.pdf)
Description: This document describes how to configure and use Fortify WebInspect to scan and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version.

Document / File Name: Micro Focus Fortify WebInspect and OAST on Docker User Guide (WI_Docker_Guide_<version>.pdf)
Description: This document describes how to download, configure, and use Fortify WebInspect and Fortify OAST that are available as container images on the Docker platform. The Fortify WebInspect image is intended to be used in automated processes as a headless sensor configured by way of the command line interface (CLI) or the application programming interface (API). It can also be run as a Fortify ScanCentral DAST sensor and used in conjunction with Fortify Software Security Center. Fortify OAST is an out-of-band application security testing (OAST) server that provides DNS service for the detection of OAST vulnerabilities.

Document / File Name: Micro Focus Fortify WebInspect Tools Guide (WI_Tools_Guide_<version>.pdf)
Description: This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.

Document / File Name: Micro Focus Fortify WebInspect Agent Installation Guide (WI_Agent_Install_<version>.pdf)
Description: This document describes how to install the Fortify WebInspect Agent for applications running under a supported Java Runtime Environment (JRE) on a supported application server or service and applications running under a supported .NET Framework on a supported version of IIS.

Document / File Name: Micro Focus Fortify WebInspect Agent Rulepack Kit Guide (WI_Agent_Rulepack_Guide_<version>.pdf)
Description: This document describes the detection capabilities of Fortify WebInspect Agent Rulepack Kit. Fortify WebInspect Agent Rulepack Kit runs atop the Fortify WebInspect Agent, allowing it to monitor your code for software security vulnerabilities as it runs. Fortify WebInspect Agent Rulepack Kit provides the runtime technology to help connect your dynamic results to your static ones.
Micro Focus Fortify WebInspect Enterprise
The following documents provide information about Fortify WebInspect Enterprise. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/support/documentation.

Document / File Name: Micro Focus Fortify WebInspect Enterprise Installation and Implementation Guide (WIE_Install_<version>.pdf)
Description: This document provides an overview of Fortify WebInspect Enterprise and instructions for installing Fortify WebInspect Enterprise, integrating it with Fortify Software Security Center and Fortify WebInspect, and troubleshooting the installation. It also describes how to configure the components of the Fortify WebInspect Enterprise system, which include the Fortify WebInspect Enterprise application, database, sensors, and users.

Document / File Name: Micro Focus Fortify WebInspect Enterprise User Guide (WIE_Guide_<version>.pdf)
Description: This document describes how to use Fortify WebInspect Enterprise to manage a distributed network of Fortify WebInspect sensors to scan and analyze Web applications and Web services.
Note: This document is a PDF version of the Fortify WebInspect Enterprise help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version.

Document / File Name: Micro Focus Fortify WebInspect Tools Guide (WI_Tools_Guide_<version>.pdf)
Description: This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.
Chapter 2: Audit Inputs Editor  
This tool allows you to create or edit inputs to the audit engines and to a distinct set of checks.  
There are two ways to access the Audit Inputs Editor:  
• From the Policy Manager (using the Policy Manager Tools menu). Use this method to create or modify an inputs file (<filename>.inputs). You can then specify this file when modifying scan settings.
  To modify an inputs file, click the Open icon on the Audit Input Editor's toolbar or select File > Open.
• From the Default or Current Settings, by clicking the Audit Inputs Editor button on the Attack Exclusions settings. Using this method, you can modify the Default settings file directly, but you cannot create a separate inputs file.
If you access the Audit Inputs Editor from Default Settings or Current Settings, the check inputs you  
create or modify become part of the settings file.  
However, if you access the Audit Inputs Editor from the Policy Manager, you must import into Fortify  
WebInspect the saved file containing your check input modifications, as follows:  
1. On the Fortify WebInspect menu bar, click Edit > Default Settings.  
2. Under Audit Settings, select Attack Exclusions.  
3. Click Import Audit Inputs.  
4. Select the file you created (*.inputs) and click Open.
When accessed through the Current Settings window or the Default Settings window, Attack  
Exclusions panel, the Audit Inputs Editor does not contain a menu bar or toolbar.  
Check Inputs  
Certain checks require inputs that accommodate the specific design of the target website. Fortify  
WebInspect conducts these checks using default values, which you may need to change.  
To create or modify inputs for specific checks:  
1. Click the Check Inputs tab.  
2. Select a check from the list.  
The inputs for the selected check appear on the right.  
3. Enter the requested input values.  
4. Do one of the following:  
• If you launched the Audit Inputs Editor from the Default Settings or Current Settings, click OK.
• If you launched the Audit Inputs Editor from the Policy Manager, click File > Save or File > Save As.
Engine Inputs  
To create or modify inputs to audit engines:  
1. Click the Engine Inputs tab.  
2. Click the drop-down arrow.  
a. To apply your modifications to all audit engines, select <Default>. The Default parameters  
are extracted from the default Fortify WebInspect Audit Settings - Attack Exclusions.  
b. To modify inputs for a specific audit engine, select one from the list.  
3. Select an engine input.  
4. If you selected one of the following:  
• Excluded Query Parameters
• Excluded Post Parameters
• Excluded Cookies
• Excluded Headers
• Root Directories
then do the following:
• To add an item to the list, click Add.
• To edit an item, select an item and click Edit.
• To delete an item, select the item and click Remove.
• If you selected a specific engine (rather than Defaults), select one of the following options:
  ◦ Merge with defaults - The parameters you specified are added to the Defaults list, which apply to all engines.
  ◦ Replace defaults - The engine will use the parameters you specified instead of those in the Defaults list.
Note: If you specify a Root Directory, then the engine will attack the object in the directory  
you specify, rather than the actual root. For example, if an engine normally attacks  
filename.txt in the default root directory rootdir (/rootdir/filename.txt), then if you specify a  
root directory of /foobar/, the engine will attack /foobar/filename.txt.  
5. If you selected one of the following:  
• Header Audit Rules
• Cookie Audit Rules
then do the following:
a. Clear the Use value from defaults check box.
b. Select an option from the drop-down list. Options are as follows:
Header Audit Rules
  ◦ Attack All Every Time - Attack the header in every request.
  ◦ Attack Once Per Directory - Attack each named header in every directory only once, the first time it is encountered.
  ◦ Attack Only Once - Attack the header only once per host, the first time it is encountered during the scan.
Cookie Audit Rules
  ◦ Attack All - Attack all cookies that are encountered in every request during the scan.
  ◦ Attack Only Cookies In Children Set In Parent - Attack the inherited cookie in every child session in which it is encountered.
    For example, if the parent session request sets the following cookie with JSESSIONID:

        GET /auth/link.page HTTP/1.1
        Cookie: CustomCookie=WebInspect83644ZX632F0EE21C7249358BE159C67CEE9085YCE51;JSESSIONID=2DC913EA;username=username;password=password

    And the child session includes the inherited cookie:

        GET /auth/link.page HTTP/1.1
        Cookie: CustomCookie=WebInspect83644ZX632F0EE21C7249358BE159C67CEE9085YCE51;JSESSIONID=2DC913EA;username=username;password=password

    Then the cookie will be attacked in the child session.
    A child session might have multiple cookies, but only the one that was set in the parent session will be attacked.
  ◦ Attack Each Cookie Once - Attack each unique cookie only once per host, the first time it is encountered during the scan.
6. Click OK if you launched the Audit Inputs Editor from Default or Current Settings, or click File >  
Save or File > Save As if you launched the Audit Inputs Editor from the Policy Manager.  
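The following Python model is added here as an example and is not WebInspect code: it applies the three Cookie Audit Rules above to a constructed crawl of three sessions. The host name app.example.test, the Session class, the extra "theme" cookie, and the assumption that a cookie's identity for Attack Each Cookie Once is host plus cookie name are all constructed for the example.

```python
"""Model of the three Cookie Audit Rules (added example, not WebInspect code).

A Session is one request the scanner audits; the selector returns the names of
the cookies in that request that the chosen rule would attack. Cookie identity
for "Attack Each Cookie Once" is assumed to be (host, cookie name).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ATTACK_ALL = "Attack All"
ATTACK_INHERITED = "Attack Only Cookies In Children Set In Parent"
ATTACK_ONCE = "Attack Each Cookie Once"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie request header into an ordered name -> value mapping."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


@dataclass
class Session:
    host: str
    cookies: Dict[str, str]             # cookies carried by this request
    parent: Optional["Session"] = None  # session whose link led to this one


class CookieAuditSelector:
    def __init__(self, rule: str) -> None:
        self.rule = rule
        # (host, cookie name) pairs already attacked; used by ATTACK_ONCE only
        self._seen: Set[Tuple[str, str]] = set()

    def select(self, session: Session) -> List[str]:
        names = list(session.cookies)
        if self.rule == ATTACK_ALL:
            # Every cookie in every request, every time it is seen.
            return names
        if self.rule == ATTACK_INHERITED:
            # Only cookies the parent session already carried. A top-level
            # session has no parent, so nothing in it counts as inherited.
            if session.parent is None:
                return []
            return [n for n in names if n in session.parent.cookies]
        if self.rule == ATTACK_ONCE:
            # Each unique cookie only the first time it is seen on a host.
            chosen: List[str] = []
            for n in names:
                key = (session.host, n)
                if key not in self._seen:
                    self._seen.add(key)
                    chosen.append(n)
            return chosen
        raise ValueError(f"unknown cookie audit rule: {self.rule}")


def run_rule(rule: str, sessions: List[Session]) -> List[List[str]]:
    """Apply one rule across a scan's sessions in crawl order."""
    selector = CookieAuditSelector(rule)
    return [selector.select(s) for s in sessions]


# Constructed sample crawl. The parent carries the Cookie header from the
# guide's example; the child adds a cookie that the parent never set.
PARENT_COOKIE_HEADER = (
    "CustomCookie=WebInspect83644ZX632F0EE21C7249358BE159C67CEE9085YCE51;"
    "JSESSIONID=2DC913EA;username=username;password=password"
)
HOST = "app.example.test"  # constructed host name
PARENT = Session(HOST, parse_cookie_header(PARENT_COOKIE_HEADER))
CHILD = Session(HOST, {**PARENT.cookies, "theme": "dark"}, parent=PARENT)
SIBLING = Session(HOST, {"JSESSIONID": "2DC913EA"}, parent=PARENT)
CRAWL = [PARENT, CHILD, SIBLING]

if __name__ == "__main__":
    for rule in (ATTACK_ALL, ATTACK_INHERITED, ATTACK_ONCE):
        print(rule)
        for session, chosen in zip(CRAWL, run_rule(rule, CRAWL)):
            print(f"  {len(session.cookies)} cookies in request -> attack {chosen}")
```

Under the inherited-cookie rule the child's extra "theme" cookie is skipped, which is the behaviour the note above describes for a child session with several cookies.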
Chapter 3: Compliance Manager (Fortify WebInspect Only)
Fortify WebInspect employs an extensive arsenal of attack agents designed to detect security flaws in web-based applications. It probes your system with thousands of HTTP requests and evaluates each individual response. This session-based assessment reports each vulnerability, pinpoints its location in the application, and recommends corrective actions you should take. It is, basically, a quantitative analysis of your system.
Fortify WebInspect can also perform a qualitative analysis by grading how well your application  
complies with certain government-mandated regulations or corporate-defined guidelines. For  
example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare  
providers using web-based applications to provide "procedures for creating, changing, and  
safeguarding passwords." With Fortify WebInspect, you can assess your application and then generate  
a Compliance Report that measures how well your application satisfies this HIPAA rule.  
How It Works  
You create a compliance template that associates requirements with one or more attack agents or  
vulnerabilities. For example, you might include the statement (or question) "The application will not  
use any 'hidden' fields." The attack agent that tests for compliance to this requirement is Hidden Form  
Value, ID #4727 (which is one of the agents in the "General Text Searching Group" on page 41).  
Compliance templates are completely flexible. You can enable or disable individual requirements. You  
can also modify requirements by adding or removing attack agents or "Threat Classes" on page 41.  
For maximum flexibility, you can even create your own agents and associate them with a user-defined  
requirement.  
Fortify WebInspect includes sample compliance templates that you can edit to fit your company's  
specific requirements.  
For step-by-step instructions for creating a policy, see "Creating a Compliance Template" on the next  
page.  
To test your website for compliance:  
1. If necessary, create or modify a compliance template.  
2. Scan your website.  
3. On the Fortify WebInspect Start page, click Generate a Report.  
The Generate a Report window opens.  
4. If the scan data is stored in a different database, click Change DB and then select a database.  
5. Select a scan (designated by name, URL, or IP address).  
6. Click Next.  
7. Select Compliance.  
8. If you want to produce individual reports on separate tabs (rather than combining all reports on  
one tab), select Open Reports in Separate Tabs.  
9. Select either Adobe PDF or HTML as the report format.  
Adobe Reader 7 or later is required to read reports in portable data format (PDF).  
10. Specify a compliance template. You can select a default template from the list, click the browse  
button to browse for templates you have created, or open the Compliance Manager and create a  
custom template.  
11. Click Finished.  
12. After Fortify WebInspect generates the report and displays it on a tab, you can save a report by  
clicking the Save Report icon on the toolbar.  
See Also  
Creating a Compliance Template  
To create a compliance template:  
1. On the Fortify WebInspect menu bar, click Tools > Compliance Manager.  
The Compliance Manager window opens, displaying the outline of a new template.  
2. Click the phrase "New Compliance Template."  
The Compliance Manager creates an editing area in the lower half of the window.  
3. In the editing area, replace the phrase "New Compliance Template" with a description of the  
template you are creating ("HIPAA" in this example).  
4. Click the phrase "<Click here to add a new category...>."  
5. In the editing area, enter the name and description of the new category. In this example, the  
name is "Password Protection" and the description is "Maintain security during entry and  
transmission of passwords."  
6. Click the plus sign to expand the node labeled Password Protection.  
7. Click the phrase "<Click here to add a new question...>."  
8. Click the phrase "New Question."  
The editing area displays tabs allowing you to create a question related to the category  
"Password Protection."  
9. In the Question area, type a question related to the category. This example asks the question, "Is  
each character of entered password displayed as an asterisk?"  
10. You can associate this question with threat classes, vulnerabilities defined by Micro Focus, or a  
custom check or agent that you previously created. For this example, click the Vulnerabilities  
tab and then click Add By ID.  
Note: You can also select a vulnerability or a threat class and click to include it in the  
Selected Vulnerabilities or Selected Threat Classes section for this question.  
11. On the Add Check By ID window, enter 4724 and click OK. 4724 is the ID number of the  
"Password Field Masked" check.  
Note: You can add multiple IDs (one per line).  
The check you specified appears in the Selected Vulnerabilities area.  
12. The Selected Vulnerabilities area contains two check boxes:  
• Pass If Detected - Select this option if the check is designed to confirm an attribute that contributes to application security. You might use this if, for example, you develop a custom check that checks for the existence of a file (such as Privacy Policy.html) that is part of your compliance program.
• Exclude - Select this option if you add a group of checks, but want to exclude specific ones.
In this example, do not select either check box.  
13. To view a list of broken links in the compliance report, select the Include Broken Links check  
box.  
If you select the check box, then when you run a compliance report, any broken links found will be  
listed at the end of the report. If broken links are associated with a question in the template, then  
that question will be marked as failed.  
14. Continue adding threat classes, vulnerabilities, or custom checks until you have included all that  
sufficiently test your application for the compliance question.  
15. Create additional questions and categories using the above procedures until the compliance  
template is complete.  
16. Click Save.  
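The following Python model is an added example, not WebInspect's own grading code: it shows how the template options above (Pass If Detected, Exclude, Include Broken Links) would combine to grade a question against scan findings. The grading semantics are an assumption drawn from the option descriptions; check IDs 4724 and 4727 come from this chapter, while check ID 99001, the extra questions and the findings are constructed.

```python
"""Assumed model of compliance-question grading (added example, not WebInspect code).

Assumed semantics, from the option descriptions above:
  * a finding for a selected check FAILS the question;
  * Pass If Detected inverts that: the question fails when the check is NOT found;
  * Exclude removes a check from grading entirely;
  * with Include Broken Links on, broken links associated with a question fail it.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SelectedCheck:
    check_id: int
    pass_if_detected: bool = False
    exclude: bool = False


@dataclass
class Question:
    text: str
    checks: List[SelectedCheck]
    broken_links: int = 0  # broken links the report associates with this question


@dataclass
class ComplianceTemplate:
    name: str
    categories: Dict[str, List[Question]]
    include_broken_links: bool = False


def grade_question(q: Question, detected: Set[int],
                   include_broken_links: bool) -> Tuple[bool, List[str]]:
    """Return (passed, reasons) for one question against detected check IDs."""
    reasons: List[str] = []
    for c in q.checks:
        if c.exclude:
            continue                      # excluded checks never affect the grade
        hit = c.check_id in detected
        if c.pass_if_detected and not hit:
            reasons.append(f"check {c.check_id} required but not detected")
        elif not c.pass_if_detected and hit:
            reasons.append(f"check {c.check_id} detected")
    if include_broken_links and q.broken_links:
        reasons.append(f"{q.broken_links} broken link(s) associated")
    return (not reasons, reasons)


def grade_template(t: ComplianceTemplate, detected: Set[int]) -> Dict[str, object]:
    """Grade every question in every category; return results and a pass ratio."""
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for category, questions in t.categories.items():
        for q in questions:
            results[f"{category}: {q.text}"] = grade_question(
                q, detected, t.include_broken_links)
    total = len(results)
    passed = sum(1 for ok, _ in results.values() if ok)
    return {"results": results, "passed": passed, "total": total,
            "score": (passed / total) if total else 0.0}


# Constructed HIPAA-style template. 4724 (Password Field Masked) and 4727
# (Hidden Form Value) are the IDs named in this chapter; 99001 is a constructed
# placeholder for a custom "Privacy Policy.html exists" check.
TEMPLATE = ComplianceTemplate(
    name="HIPAA",
    include_broken_links=True,
    categories={
        "Password Protection": [
            Question("Is each character of entered password displayed as an asterisk?",
                     [SelectedCheck(4724)]),
        ],
        "Form Handling": [
            Question("The application will not use any 'hidden' fields.",
                     [SelectedCheck(4727)]),
        ],
        "Privacy": [
            Question("Is a privacy policy page published?",
                     [SelectedCheck(99001, pass_if_detected=True),
                      SelectedCheck(4727, exclude=True)]),
            Question("Are all privacy links valid?", [], broken_links=2),
        ],
    },
)
# Constructed findings: hidden form values and the privacy page were found;
# no unmasked password field was reported.
DETECTED = {4727, 99001}

if __name__ == "__main__":
    report = grade_template(TEMPLATE, DETECTED)
    for name, (ok, why) in report["results"].items():
        print(("PASS  " if ok else "FAIL  ") + name, why)
    print(f"{report['passed']}/{report['total']} questions passed")
```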
Usage Notes  
• To rearrange categories or items, select an item and click Move Up or Move Down.
• To insert categories or items, you can alternatively right-click a category/question and select Insert from the shortcut menu. The item will be inserted above the selected item.
• You can add an HTML link to any description or question, as depicted in the following illustration.
General Text Searching Group  
This group of agents, used mainly by the Directory Enumeration engine, follows all known and  
unknown paths located on your site. Individual checks are grouped alphabetically from A (which  
begins with the search for a directory named Accounting) to Z (which ends with the search for a  
directory named Zips). This group also includes checks for other types of commonly occurring  
directories, such as those associated with Microsoft FrontPage and Microsoft Internet Information  
Server log files (W3SVCnn).  
For detailed information about all the possible agents, start the Policy Manager in Standard view,  
expand the General Text Searching node and click on any agent.  
Threat Classes  
The Web Application Security Consortium has developed industry-standard terminology to clarify  
and organize threats to the security of a web site. These are listed on the Threat Classes tab.  
To determine if a scan revealed a susceptibility to these threats:  
1. Select a threat class (or one of its components).  
2. Click to include it in the Selected Threat Classes for this question.  
Chapter 4: Encoders/Decoders  
This tool allows you to encode and decode values using Base 64, hexadecimal, MD5, and other  
schemes. You can also encode a string into a Unicode string and use special characters in URL  
construction.  
During the analysis of your scan results, when you encounter a string that you suspect is in an  
encoded or encrypted format, you can simply copy the string, paste it into the Encoders/Decoders  
tool, and then click Decode.  
Encoding a String  
To encode a string:  
1. Type (or paste) a string in the Text area, or load the contents of a file by selecting File > Open  
from the menu.  
2. Select an encoding character set using either the Character Set Name or the Display Name.  
3. Select a cipher type from the Encoding list. For more information, see "Encoding Types" on  
4. If necessary, type a key in the Key field. When a valid key is entered, the Encode and Decode  
buttons become enabled.  
5. Click Encode.  
The Text area displays the encoded string. The Hex Display area displays the hexadecimal value  
of each character in the encoded string (formatted in the character set that you select).  
If you select Prefixed, "0x" is added to the beginning of the hexadecimal numbers. C and  
languages with a similar syntax (such as C++, C#, Java and JavaScript) prefix hexadecimal  
numerals with “0x” (for example, 0x5A3). The leading zero allows the parser to recognize a  
number, and the “x” stands for hexadecimal.  
Decoding a String  
To decode a string:  
1. Type (or paste) a string in the Text area, or load the contents of a file by selecting File > Open  
from the menu.  
2. Select a cipher type from the Encoding list.  
3. If necessary, type a key in the Key field.  
4. Click Decode.  
You can also use Fortify WebInspect's encoding and decoding capabilities in the HTTP Editor. Right-click while editing a session to access encoding and decoding options.
Manipulating Encoded Strings  
The encoded form of a string may contain characters that are non-printable. This often occurs when using a hash-based encoding scheme or any encoding scheme that requires a key. Because non-printable characters do not survive a round trip through the Windows clipboard, you cannot simply copy from or paste into the Encoder/Decoder. There are two ways to work around this limitation:
• Save the encoded string to a file and, when you want to decode it, select File > Open from the menu to load it into the Encoder tool. Then decode it using the original method and (if applicable) key.
• After encoding the string using the chosen encoding method and key, encode the resulting string again using the Base64 method. Base64 output is printable ASCII, so you can copy it to the clipboard. To recover the original, paste the clipboard contents, decode using Base64, and then decode again using the original method and (if applicable) key.
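As an added illustration (not part of the Fortify WebInspect documentation or product), the following Python script reproduces the second workaround end to end: it XOR-encodes a string under a one-character key (producing control characters that would not survive the clipboard), wraps the result in Base64, and reverses both steps. It also renders the Hex Display with and without the 0x prefix. The repeating-key behaviour for keys longer than one character is an assumption made here; the page only describes single-character keys.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key.

    A one-byte key is applied to every byte, as the tool's XOR encoding
    describes. Longer keys are cycled (an assumption of this example, not
    something the page states). XOR is its own inverse, so the same call
    both encodes and decodes.
    """
    if not key:
        raise ValueError("XOR requires a non-empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hex_display(data: bytes, prefixed: bool = False) -> str:
    """Render each byte as two hex digits, optionally with the 0x prefix
    used by C-family languages (the Prefixed option)."""
    cells = [f"{b:02X}" for b in data]
    if prefixed:
        cells = ["0x" + c for c in cells]
    return " ".join(cells)


def encode_for_clipboard(text: str, key: bytes) -> str:
    """XOR-encode, then Base64-wrap so the result is printable ASCII and
    survives copy and paste."""
    return base64.b64encode(xor_bytes(text.encode("utf-8"), key)).decode("ascii")


def decode_from_clipboard(wrapped: str, key: bytes) -> str:
    """Reverse the workaround: Base64-decode, then XOR with the same key."""
    raw = base64.b64decode(wrapped, validate=True)
    return xor_bytes(raw, key).decode("utf-8")


if __name__ == "__main__":
    # Constructed input: "admin" XORed with the single byte 0x60 ("`") yields
    # five control characters (0x01 0x04 0x0D 0x09 0x0E), none of them printable.
    KEY = b"`"
    encoded = xor_bytes(b"admin", KEY)
    print("Hex Display:         ", hex_display(encoded))
    print("Hex Display (0x):    ", hex_display(encoded, prefixed=True))
    wrapped = encode_for_clipboard("admin", KEY)
    print("Base64 for clipboard:", wrapped)
    print("Recovered:           ", decode_from_clipboard(wrapped, KEY))
```

The Base64 layer carries no secrecy of its own; it only makes the bytes printable. The XOR key is what you must keep with the data, and a single-character XOR key is trivially recoverable from any known plaintext, so treat XOR here as an obfuscation to be undone during analysis, not as encryption.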
Encoding Types  
The Encoder/Decoder allows you to select the encoding types described in the following table.  
Encoding Type - Definition
3DES - Triple DES; applies the DES block cipher three times to each 64-bit block, in the standard encrypt-decrypt-encrypt (EDE) construction. The key must be 128 or 192 bits (16 or 24 characters). DES and 3DES are obsolete and appear here so that legacy data can be decoded, not as a recommendation.
Base64 - Encodes each group of three 8-bit octets as four characters, each representing 6 of the 24 source bits; output is padded with "=" when the input length is not a multiple of three. Only characters present in all variants of ASCII and EBCDIC are used, which avoids incompatibilities with other encodings. Base64 is an encoding, not encryption: anyone can reverse it without a key.
Blowfish - A 64-bit block cipher with a variable-length key, designed by Bruce Schneier as a drop-in replacement for the DES algorithm.
DES - Data Encryption Standard. A symmetric block cipher with a 56-bit key, giving more than 72 quadrillion (2^56) possible keys; the sender and the receiver must share the same secret key. A 56-bit key can be searched exhaustively with modest hardware, so DES is no longer considered secure.
Hex - Hexadecimal; represents each byte of the input as two hexadecimal digits.
MD5 - Produces a 128-bit "fingerprint" or "message digest" of whatever data you enter. MD5 is not collision resistant and must not be relied on for integrity checks or signatures; it remains useful for recognising hashed values in application data.
RC2 - A variable key-size block cipher designed by Ronald Rivest. It has a block size of 64 bits and is about two to three times faster than DES in software.
RC4 - A stream cipher designed by Ronald Rivest, with a variable key size and byte-oriented operations. Historically used for file encryption in products such as RSA SecurPC and for encrypting traffic to and from secure web sites under SSL; it has known keystream biases and its use in TLS is prohibited by RFC 7465.
ROT13 - A simple Caesar cipher that obscures text by replacing each letter with the letter thirteen places down the alphabet. Applying it a second time restores the original text.
SHA1 - Secure Hash Algorithm. A one-way hash function developed by NIST and defined in standard FIPS 180. SHA-1 is the revision published as FIPS 180-1 in 1995; it is also described in ANSI standard X9.30 (part 2). It produces a 160-bit digest and is no longer collision resistant.
SHA256 - Secure Hash Algorithm (SHA-2 family) that produces a 256-bit digest. It is a hash function, not encryption: there is no key and the operation cannot be reversed.
SHA384 - Secure Hash Algorithm (SHA-2 family) that produces a 384-bit digest.
SHA512 - Secure Hash Algorithm (SHA-2 family) that produces a 512-bit digest.
ToLower - Changes uppercase letters to lowercase.
ToUpper - Changes lowercase letters to uppercase.
TwoFish - A 128-bit block cipher designed by Bruce Schneier and others as a successor to Blowfish; it was an AES finalist.
Unicode - Provides a unique number for every character, regardless of the platform, program, or language.
URL - Creates values that can be used for URL-encoding non-standard letters and characters for display in browsers and plug-ins that support them.
XHTML - Encapsulates the entered data with text tags: <text>data</text>
XOR - Performs an Exclusive OR operation. You must provide a key. If the length of the key string is only one character, that character is XORed against each character in the encode/decode string. Because XOR is its own inverse, decoding with the same key recovers the original data.
Chapter 5: HTTP Editor  
Use the HTTP Editor to create or edit requests, send them to a server, and view the response either in  
raw HTML or as rendered in a browser. The HTTP Editor is a manual hacking tool, and requires a  
working knowledge of HTML, HTTP, and request methods.  
To set proxy and authorization parameters, if necessary, select Edit > Settings.  
Request Viewer  
The Request Viewer contains the HTTP request message, which you can view in four different formats using the following tabs:
• Raw - Depicts the line-by-line textual format of the request message.
• Details - Displays the header names and field values in a table format.
• Hex - Displays the hexadecimal and ASCII representation of the message.
• XML - Displays any XML content in the message body. (This tab appears only if the request contains XML-formatted data.)
Response Viewer
The Response Viewer contains the HTTP response message, which you can also view in four different formats using the following tabs:
• Raw - Depicts the line-by-line textual format of the response message.
• Browser - Displays the response message as rendered in a browser.
• Hex - Displays the hexadecimal and ASCII representation of the response message.
• XML - Displays any XML content in the message body. (This tab appears only if the response contains XML-formatted data.)
HTTP Editor Menus  
File Menu  
The File menu contains the following options:  
• New Request - Deletes all information from previous sessions and resets the Location URL.
• Open Request - Allows you to load a file containing an HTTP request saved during a previous session.
• Save Request - Allows you to save the current HTTP request.
• Save Request As - Allows you to save the current HTTP request under a new file name.
• URL Synchronization - When selected, any characters you type into the Address combo box are added to the Request-URI of the HTTP request line.
• Send As Is - If you select this option, the HTTP Editor will not modify the request, regardless of any other settings you may select. This allows you to send a purposely malformed message. Authentication and proxy settings are disabled when using this option.
Note: You may manually edit the request to go through a proxy, but many standard HTTP proxy servers cannot process non-compliant HTTP requests.
• Exit - Closes the HTTP Editor.
Edit Menu
The Edit menu contains the following options:
• Cut - Deletes selected text and saves it to the clipboard.
• Copy - Saves the selected text to the clipboard.
• Paste - Inserts text from the clipboard.
• Find - Displays a dialog box that allows you to search for text that you specify.
• Settings - Allows you to configure request, authentication, and proxy parameters for the HTTP Editor.
View Menu
The View menu contains the following options:
• Show History - Displays a pane listing all HTTP requests sent.
• Word Wrap - Causes all text to fit within the defined margins.
Help Menu  
The Help menu contains the following commands:  
HTTP Editor Help - Opens the Help file with the Contents tab active.  
Index - Opens the Help file with the Index tab active.  
Search - Opens the Help file with the Search tab active.  
About HTTP Editor - Displays information about the HTTP Editor.  
Request Actions  
The following options are available from the Request Action list in the Request Viewer pane.  
PUT File Upload  
The PUT method requests that the enclosed entity be stored under the supplied Request-URI.  
To write a file to a server:  
1. Select PUT File Upload from the drop-down list on the Request Viewer pane.  
2. In the text box that appears to the right of the list, type the full path to a file  
- or -  
Click the Open Folder icon and select the file you want to upload.  
3. Click Apply. This will also recalculate the content length.  
Change Content-Length  
In normal mode, if you edit the message body of the request, the HTTP Editor recalculates the  
content length and substitutes the appropriate value in the Content-length header. However, when  
using the Send As Is option, the HTTP Editor does not modify the content length. You can force this  
recalculation before sending the request by selecting Change Content-Length and clicking Apply.  
URL Encode/Decode Param Values  
The specification for URLs (RFC 1738, December 1994) limits the use of characters in URLs to a subset of the US-ASCII character set. HTML, on the other hand, allows the entire range of the ISO-8859-1 (ISO-Latin) character set to be used in documents, and HTML4 expands the allowable range to include the complete Unicode character set as well. To circumvent this limitation, you can encode non-standard letters and characters for display in browsers and plug-ins that support them.
URL encoding of a character consists of a "%" symbol, followed by the two-digit hexadecimal representation of the ISO-Latin code point for the character. For example:
• The asterisk symbol ( * ) = 42 decimal in the ISO-Latin set
• 42 decimal = 2A hexadecimal
• URL code for asterisk = %2A
You can use URL encoding to bypass an intrusion detection system (IDS) that inspects request messages for certain keywords using only the literal ISO-Latin text. For example, the IDS may search for "login" (in ISO-Latin), but not "%6C%6F%67%69%6E" (the URL-encoded equivalent; note that the uppercase form "%4C%4F%47%49%4E" decodes to "LOGIN", which a case-sensitive application may treat differently). The web server or application normally decodes parameters before using them, so the request still reaches its target, but an IDS or web application firewall that normalizes (decodes) the request before matching is not fooled by this technique.
To substitute URL code for parameters throughout the entire message, select URL Encode Param  
Values and click Apply.  
To translate URL-encoded parameters to ISO-Latin, select URL Decode Param Values and click  
Apply.  
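The following Python script is an added example, not part of the Fortify WebInspect documentation or product. It applies the URL Encode and URL Decode Param Values transformations to a query string the way the text describes (every character of each value becomes %XX, leaving parameter names alone), and then contrasts a keyword check that looks only at the raw bytes with one that decodes first. The keyword list and query strings are constructed for the example; the two check functions are illustrative, not the logic of any real IDS.

```python
from urllib.parse import unquote


def percent_encode_all(value: str) -> str:
    """Encode every character of value as %XX, the two uppercase hex digits of its
    ISO-8859-1 code point, not only the characters RFC 1738 reserves."""
    return "".join(f"%{b:02X}" for b in value.encode("latin-1"))


def url_encode_param_values(query: str) -> str:
    """Apply percent_encode_all to the value of each name=value pair in a query
    string; pairs without "=" and parameter names are left untouched."""
    out = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        out.append(name + sep + percent_encode_all(value) if sep else pair)
    return "&".join(out)


def url_decode_param_values(query: str) -> str:
    """Translate %XX sequences in each value back to ISO-Latin characters."""
    out = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        out.append(name + sep + unquote(value, encoding="latin-1") if sep else pair)
    return "&".join(out)


# Constructed signature list for the two illustrative checks below.
KEYWORDS = ("login", "select", "../")


def naive_ids(query: str) -> bool:
    """A signature check that inspects the raw request text only, so any
    percent-encoded keyword slips past it."""
    lowered = query.lower()
    return any(keyword in lowered for keyword in KEYWORDS)


def normalizing_ids(query: str, max_rounds: int = 3) -> bool:
    """Decode before matching, repeating a bounded number of times so that
    double encoding such as %256C (which decodes to %6C, then to "l") is
    also unwrapped."""
    decoded = query
    for _ in range(max_rounds):
        step = unquote(decoded, encoding="latin-1")
        if step == decoded:
            break
        decoded = step
    return naive_ids(decoded)


if __name__ == "__main__":
    query = "action=login&user=a*b"
    encoded = url_encode_param_values(query)
    print("encoded:          ", encoded)
    print("decoded:          ", url_decode_param_values(encoded))
    print("naive check:      ", naive_ids(encoded))
    print("normalizing check:", normalizing_ids(encoded))
```

The bounded decode loop matters: an unbounded one lets an attacker trade a few extra "%25" layers for CPU, while decoding exactly once still misses "%256C%256F%2567%2569%256E".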
Unicode Encode/Decode Request  
The Unicode Worldwide Character Standard includes letters, digits, diacritics, punctuation marks, and  
technical symbols for all the world's principal written languages, using a uniform encoding scheme.  
Incorporating Unicode into client-server applications and websites offers significant cost savings over  
the use of legacy character sets. Unicode enables a single software product or a single website to be  
targeted across multiple platforms, languages and countries without re-engineering. It allows data to  
be transported through many different systems without corruption.  
To translate the entire request message into Unicode, select Unicode Encode Request and click  
Apply.  
To translate the entire request message from Unicode into ISO-Latin, select Unicode Decode  
Request and click Apply.  
Create MultiPart Post  
The POST method is used to request that the origin server accept the entity enclosed in the request  
as a new subordinate of the resource identified by the Request-URI in the Request-Line. You can  
attempt to upload data by manipulating a POST request message.  
To insert data from a file:  
1. Select Create MultiPart Post from the Action drop-down list on the Request Viewer pane.  
2. In the text box to the right of the Action list, type the full path to a file
- or -
Click the Open Folder icon and select the file you want to insert.
3. Click Apply.
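The three request actions above (PUT File Upload, Change Content-Length and Create MultiPart Post) all come down to framing a body correctly and keeping Content-Length in step with it. The following Python script is an added example, not part of the Fortify WebInspect documentation or product: it builds a multipart/form-data POST carrying a text field and a file part, builds a PUT of the same file, and always recomputes Content-Length from the actual body, which is what the editor does in normal mode and skips under Send As Is. Host names, paths, field names and file contents are constructed for the example.

```python
import secrets


def build_multipart(fields: dict, file_field: str, filename: str, content: bytes,
                    content_type: str = "application/octet-stream", boundary: str = None):
    """Return (boundary, body) for a multipart/form-data body with the given text
    fields plus one file part, using CRLF line ends and a closing boundary."""
    boundary = boundary or "----Boundary" + secrets.token_hex(12)
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for name, value in fields.items():
        parts.append(delimiter + b"\r\n"
                     + f'Content-Disposition: form-data; name="{name}"'.encode("latin-1")
                     + b"\r\n\r\n" + value.encode("utf-8") + b"\r\n")
    parts.append(delimiter + b"\r\n"
                 + f'Content-Disposition: form-data; name="{file_field}"; '
                   f'filename="{filename}"'.encode("latin-1")
                 + b"\r\n" + f"Content-Type: {content_type}".encode("latin-1")
                 + b"\r\n\r\n" + content + b"\r\n")
    parts.append(delimiter + b"--\r\n")
    return boundary, b"".join(parts)


def build_request(method: str, path: str, host: str, headers: dict, body: bytes) -> bytes:
    """Serialise a request. Any Content-Length supplied in headers is discarded and
    recomputed from the body, mirroring the Change Content-Length action."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in headers.items() if k.lower() != "content-length"]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def content_length_of(request: bytes):
    """Read the Content-Length header back out of a serialised request."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return None


def multipart_upload_request(host: str, path: str, filename: str, content: bytes) -> bytes:
    """Constructed example of Create MultiPart Post: a note field plus a file."""
    boundary, body = build_multipart({"note": "uploaded via HTTP Editor"}, "file",
                                     filename, content, "text/plain")
    stale_headers = {"Content-Type": f"multipart/form-data; boundary={boundary}",
                     "Content-Length": "1"}   # deliberately wrong; gets recomputed
    return build_request("POST", path, host, stale_headers, body)


def put_upload_request(host: str, path: str, content: bytes) -> bytes:
    """Constructed example of PUT File Upload: the file is the entire body."""
    return build_request("PUT", path, host, {"Content-Type": "text/plain"}, content)


if __name__ == "__main__":
    req = multipart_upload_request("app.example", "/upload", "notes.txt", b"hello\n")
    print(req.decode("latin-1"))
    print("Content-Length header:", content_length_of(req))
```

A mismatched Content-Length is exactly what Send As Is lets you test: a value smaller than the body leaves trailing bytes on the connection that a front-end proxy and an origin server may attribute to different requests.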
Remove MultiPart Post  
To remove a file that is part of a multipart request, select Remove MultiPart Post from the Action  
list on the Request Viewer pane.  
Response Actions  
The area immediately below the tabs on the Response Viewer pane contains three controls:
• a Chunked button
• a Content Coding drop-down list
• a Find button that launches the Find In Response dialog box, allowing you to search the response for the text string you specify
Chunked  
If a server starts sending a response before knowing its total length, it might break the complete response into smaller chunks and send them in series. Such a response contains the "Transfer-Encoding: chunked" header. A chunked message body contains a series of chunks, followed by a line with "0" (zero), followed by optional trailer headers (footers) and a blank line. Each chunk consists of two parts:
• A line with the size of the chunk data, in hex, possibly followed by a semicolon and chunk extensions you can ignore (none are currently standard), and ending with CRLF.
• The data itself, followed by CRLF.
Content Codings  
If the HTTP response contains compressed data, you can decompress the data using one of the options from the list:
• GZIP - The gzip format (RFC 1952), as produced by the compression utility written for the GNU project.
• Deflate - The "zlib" format defined in RFC 1950 in combination with the "deflate" compression mechanism described in RFC 1951.
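As an added example (not part of the Fortify WebInspect documentation or product), the following Python script does by hand what the Chunked button and the Content Coding list do for a captured response: it reassembles a chunked body, skipping chunk extensions and trailers, and then undoes the gzip or deflate content coding. Transfer coding must be removed before content coding, in that order. The deflate branch also accepts a raw RFC 1951 stream with no zlib header, which some servers send despite the specification; that fallback is this example's choice, not something the page describes. The sample HTML and the chunk layout are constructed.

```python
import gzip
import zlib


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body.

    Each chunk is "<size-in-hex>[;extensions]CRLF<data>CRLF". A size of 0 ends
    the sequence; the optional trailer headers and blank line after it are
    simply not read, since nothing in them is part of the message body.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def chunk_body(data: bytes, sizes) -> bytes:
    """Build a chunked body from data for test input: one chunk per entry in
    sizes, a final chunk for any remainder, a chunk extension on each, and a
    trailer header after the zero-size chunk."""
    out = bytearray()
    pos = 0
    pieces = []
    for size in sizes:
        pieces.append(data[pos:pos + size])
        pos += size
    if pos < len(data):
        pieces.append(data[pos:])
    for piece in pieces:
        out += f"{len(piece):x}".encode("ascii") + b";ext=ignored\r\n" + piece + b"\r\n"
    out += b"0\r\nX-Trailer: constructed\r\n\r\n"
    return bytes(out)


def decode_content(data: bytes, coding: str) -> bytes:
    """Undo a Content-Encoding value."""
    coding = coding.strip().lower()
    if coding == "gzip":
        return gzip.decompress(data)
    if coding == "deflate":
        try:
            return zlib.decompress(data)                    # RFC 1950 wrapper, as specified
        except zlib.error:
            return zlib.decompress(data, -zlib.MAX_WBITS)   # raw RFC 1951 stream, seen in the wild
    if coding in ("identity", ""):
        return data
    raise ValueError(f"unsupported content coding: {coding!r}")


def decode_response_body(body: bytes, transfer_encoding: str = "",
                         content_encoding: str = "") -> bytes:
    """Transfer coding first, then content coding, the order a client must use."""
    if "chunked" in transfer_encoding.lower():
        body = dechunk(body)
    return decode_content(body, content_encoding)


# Constructed sample body (not captured from any real server).
SAMPLE_HTML = b"<html><body>Welcome back, admin. Session id: 7f3a</body></html>"


def constructed_samples() -> dict:
    """SAMPLE_HTML under each coding handled above, for tests and demonstration."""
    raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return {
        "gzip": gzip.compress(SAMPLE_HTML),
        "deflate": zlib.compress(SAMPLE_HTML),
        "raw-deflate": raw.compress(SAMPLE_HTML) + raw.flush(),
    }


if __name__ == "__main__":
    wire = chunk_body(constructed_samples()["gzip"], [16, 16])
    print(decode_response_body(wire, "chunked", "gzip").decode())
```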
Editing and Sending a Request  
To edit and send a request:  
1. Modify the request message in the Request Viewer pane.  
To encode or decode a text string, select the text, then right-click the selection and select either  
Encoding or Decoding from the pop-up menu.  
To change certain features of the request, select an item from the Action list and click Apply.  
See "HTTP Editor" on page 46 for more information.  
2. Click Send to send the HTTP request message.  
The Response Viewer pane displays the HTTP response message when it is received.  
3. To view the response as rendered in a browser, click the Browser tab.  
4. You can prepare your next HTTP request using the HTML or JavaScript controls rendered on the Browser tab. To use this feature, you must select the Interactive Navigation option (click Edit > Settings).
a. In the Location field, enter a URL and click Send.
The application returns a logon form.
b. In the Response pane, click the Browser tab.
c. On the rendered page, enter a user name and password, and then click Submit.
The HTTP Editor formats the request (which uses the POST method to the Login.aspx URL) and displays it in the Request Viewer pane.
d. Click Send to send the formatted request (including the user name and password) to the server.
5. To save a request, select File > Save Request.
Searching the Request or Response  
To search for text in the request or response:  
1. Click the Find button in either the Request Viewer or Response Viewer pane.
2. Using either the Find in Request or Find in Response window, type or select a string or regular  
expression.  
3. If using a regular expression as the search string, select the Regex check box.  
4. Click Find.  
Settings  
To modify the HTTP Editor settings, click Edit > Settings, select one of the following tabs, make your  
changes, and click OK:  
• Options
• Authentication
• Proxy
The settings on each tab are described in the following sections.  
Options Tab  
The Request Group includes the following options:
• Send As Is - If you select this option, the HTTP Editor will not modify the request, regardless of any other settings you may select. This allows you to send a purposely malformed message. Authentication and Proxy settings are disabled when using this option.
Note: You can manually edit the request to go through a proxy, but most standard HTTP proxy servers cannot process non-compliant HTTP requests.
• Manipulate Request - If you select this option, the HTTP Editor will modify requests to accommodate the following parameters:
  • Apply State - If your application uses cookies, URL rewriting, or post data techniques to maintain state within a session, the HTTP Editor will attempt to identify the method and modify the request accordingly.
  • Apply Proxy - If you select this option, the HTTP Editor will modify the request according to the proxy settings you specify.
  • Apply Filter - This option appears only when you invoke the HTTP Editor while using Fortify WebInspect and a scan tab has focus (that is, after opening or while conducting a scan). If this option is selected, the HTTP Editor applies the Filters settings from Fortify WebInspect's Current Scan Settings to add search-and-replace rules for HTTP requests and responses.
  Note: Changing the Current Scan Settings before invoking the HTTP Editor has no effect. The HTTP Editor uses the settings that were in effect when the scan began.
  • Apply Header - This option appears only when you invoke the HTTP Editor while using Fortify WebInspect and a scan tab has focus (that is, after opening or while conducting a scan). If this option is selected, the HTTP Editor applies the Cookies/Headers settings from Fortify WebInspect's Current Scan Settings to HTTP requests.
  Note: Changing the Current Scan Settings before invoking the HTTP Editor has no effect. The HTTP Editor uses the settings that were in effect when the scan began.
In the Navigation group, select None, Interactive, or Browser Mode.  
You can view the server's response as rendered in a browser by selecting the Browser tab in the Response Viewer (the lower pane). If the Interactive feature is enabled, you can prepare your next HTTP request using the HTML or JavaScript controls rendered in the browser. For example, if the rendered page is a logon form, you could enter a Login name ("username") and Password ("password"), and then click Sign in. The HTTP Editor formats the request (which uses the POST method to the signin.html resource) and displays it in the Request Viewer. You could then edit the logon message (if required) or simply send it to the server by clicking Send.
If you select the Browser Mode option, then Interactive mode is enabled, but the HTTP Editor will  
send the request immediately, without first placing it in the Request Viewer and allowing you to edit  
it.  
Select the Enable Active Content check box to allow execution of JavaScript and other dynamic  
content in all browser windows.  
Most web pages contain information that tells the browser which character set to use. This is  
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV  
attribute) in the HEAD section of the HTML document. For pages that do not announce their  
character set, you can specify which character set the HTTP Editor should use. In the Advanced  
HTTP Parsing group, select the Assumed 'charset' Encoding.  
Authentication Tab  
If authentication is required, select a type from the Authentication list. The authentication methods are:
• Automatic
• HTTP Basic
• NTLM
After selecting an authentication method, enter a User name and Password. To prevent typographical errors, you must re-enter the password in the Confirm Password field.
Proxy Tab  
Use these settings to access the HTTP Editor through a proxy server.  
• Direct Connection (proxy disabled) - Select this option if you are not using a proxy server.
• Auto detect proxy settings - Select this option to use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and configure the web proxy settings from it.
• Use System proxy settings - Select this option to import your proxy server information from the local machine.
• Use Firefox proxy settings - Select this option to import your proxy server information from Firefox.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a proxy will not be used.
• Explicitly configure proxy - Select this option to access the Internet through a proxy server, and then enter the requested information:
a. In the Server field, type the host name or IP address of your proxy server, followed (in the Port field) by the port number (for example, 8080).
b. Select a protocol for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or standard.
c. If authentication is required, select a type from the Authentication list:
  • Automatic
  Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
  • Basic
  • Digest
  • Kerberos
  • Negotiate
  • NTLM
d. If your proxy server requires authentication, enter the qualifying User name and Password.
e. If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
• Specify Alternative Proxy for HTTPS - For proxy servers accepting HTTPS connections, select the Specify Alternative Proxy for HTTPS check box and provide the requested information.
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following table describes some of these characters and includes short examples showing how the characters are used. Another recommended resource is the Regular Expression Library.
Character - Description
\ - Marks the next character as special. /n/ matches the character "n"; the sequence /\n/ matches a line feed or newline character. A backslash also makes a metacharacter literal: /\./ matches a period rather than any character.
^ - Matches the beginning of input or line. Inside a character class it negates the class: [^0-9] matches any single character that is not a digit. Note that a negated class excludes individual characters, not strings, so [^(en|ca)] does not exclude "en" and "ca"; it excludes the characters "(", "e", "n", "|", "c", "a" and ")". To match everything in the content directory except /content/en and /content/ca, use a negative lookahead such as /content/(?!en/|ca/).* (supported by Perl- and .NET-compatible engines). Also see \S, \D and \W.
$ - Matches the end of input or line.
* - Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo".
+ - Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z".
? - Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never".
. - Matches any single character except a newline character.
[xyz] - A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain".
\b - Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early".
\B - Matches a non-word boundary. /ea*r\B/ matches the "ear" in "never early".
\d - Matches a digit character. Equivalent to [0-9].
\D - Matches a non-digit character. Equivalent to [^0-9].
\f - Matches a form-feed character.
\n - Matches a line feed character.
\r - Matches a carriage return character.
\s - Matches any white space character, including space, tab, form feed, and so on. Equivalent to [ \f\n\r\t\v].
\S - Matches any non-white space character. Equivalent to [^ \f\n\r\t\v].
\w - Matches any word character, including underscore. Equivalent to [A-Za-z0-9_].
\W - Matches any non-word character. Equivalent to [^A-Za-z0-9_].
Regular Expression Extensions  
Micro Focus engineers have developed and implemented extensions to the normal regular expression  
syntax. When building a regular expression, you can use the following tags and operators.  
Regular Expression Tags  
• [HEADERS]
• [COOKIES]
• [STATUSLINE]
• [STATUSCODE]
• [STATUSDESCRIPTION]
• [ALL]
• [BODY]
• [SETCOOKIES]
• [METHOD]
• [REQUESTLINE]
• [VERSION]
• [POSTDATA]
• [URI]
Regular Expression Operators
• AND
• OR
• NOT
• [ ]
• ( )
Examples  
• To detect a response in which (a) the status line contains a status code of "200" and (b) the phrase "logged out" appears anywhere in the message body, use the following regular expression:
[STATUSCODE]200 AND [BODY]logged\sout
• To detect a response indicating that the requested resource resides temporarily under a different URI (redirection) and having a reference to the path "/Login.asp" anywhere in the response, use the following:
[STATUSCODE]302 AND [ALL]Login.asp
• To detect a response containing either (a) a status code of "200" and the phrase "logged out" or "session expired" anywhere in the body, or (b) a status code of "302" and a reference to the path "/Login.asp" anywhere in the response, use the following regular expression:
( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )
Note that you must include a space (ASCII 32) before and after an "open" or "close" parenthesis; otherwise, the parenthesis will be erroneously considered as part of the regular expression.
• To detect a redirection response where "login.aspx" appears anywhere in the redirection Location header, use the following regular expression:
[STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx
• To detect a response containing a specific string (such as "Please Authenticate") in the Reason-Phrase portion of the status line, use the following regular expression:
[STATUSDESCRIPTION]Please\sAuthenticate
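The following Python script is an added example, not part of the Fortify WebInspect documentation or product, and implements an approximation of the extension syntax above so the examples can be tried against saved responses. Its assumptions: the expression is split on spaces (which is why the page requires spaces around parentheses, and why spaces inside a pattern must be written as \s, as every example does); AND binds more tightly than OR; NOT applies to the term that follows it; only response-side tags are handled (the request tags [METHOD], [REQUESTLINE], [POSTDATA] and [URI] are omitted, and [COOKIES] is read from Cookie headers); and Python's re module stands in for WebInspect's own engine. The sample responses are constructed.

```python
import re

TAG_RE = re.compile(r"^\[([A-Z]+)\](.*)$", re.S)


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into the sections the [TAG]s refer to."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    version, _, rest = status_line.partition(" ")
    code, _, description = rest.partition(" ")
    headers = lines[1:]
    return {
        "ALL": text,
        "STATUSLINE": status_line,
        "VERSION": version,
        "STATUSCODE": code,
        "STATUSDESCRIPTION": description,
        "HEADERS": "\r\n".join(headers),
        "SETCOOKIES": "\r\n".join(h for h in headers if h.lower().startswith("set-cookie:")),
        "COOKIES": "\r\n".join(h for h in headers if h.lower().startswith("cookie:")),
        "BODY": body,
    }


class _Parser:
    """Recursive-descent evaluator over space-separated tokens:
    expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := NOT factor | ( expr ) | [TAG]regex"""

    def __init__(self, tokens, sections):
        self.tokens, self.pos, self.sections = tokens, 0, sections

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "OR":
            self.take()
            rhs = self.term()          # always evaluated so syntax errors surface
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() == "AND":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        token = self.take()
        if token == "NOT":
            return not self.factor()
        if token == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing close parenthesis (it must be space-delimited)")
            return value
        match = TAG_RE.match(token or "")
        if not match:
            raise ValueError(f"expected [TAG]regex, got {token!r}")
        tag, pattern = match.groups()
        if tag not in self.sections:
            raise ValueError(f"unsupported tag [{tag}]")
        return re.search(pattern, self.sections[tag]) is not None


def matches(expression: str, raw_response: bytes) -> bool:
    """True if the extended regular expression matches the raw response."""
    parser = _Parser(expression.split(), parse_response(raw_response))
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result


# Constructed sample responses (not captured from any real server).
LOGGED_OUT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<p>You have been logged out.</p>")
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: /Login.asp?expired=1\r\n"
            b"Set-Cookie: sid=deleted; Max-Age=0\r\n\r\n")
AUTH = b"HTTP/1.1 401 Please Authenticate\r\nWWW-Authenticate: Basic realm=\"app\"\r\n\r\n"

if __name__ == "__main__":
    session_lost = (r"( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired )"
                    r" OR ( [STATUSCODE]302 AND [ALL]Login.asp )")
    for name, response in (("LOGGED_OUT", LOGGED_OUT), ("REDIRECT", REDIRECT), ("AUTH", AUTH)):
        print(f"{name}: {matches(session_lost, response)}")
```

Because [STATUSCODE]200 is a regular expression search and not an equality test, it would also match a status code such as "2000" if one ever appeared; anchoring the pattern, as in [STATUSCODE]^200$, removes that ambiguity.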
Chapter 6: Log Viewer (Fortify WebInspect Only)
Use the Log Viewer to inspect the various logs maintained by Fortify WebInspect. This feature is used  
mainly by the Fortify Customer Support group to investigate reported incidents.  
To view log files:  
1. Click Tools > Log Viewer.
If you open the Log Viewer when a tab containing a scan has focus, the program assumes you  
want to view logs for that scan. Go to Step 4.  
2. Click Open Scan.  
3. On the Open Scan window, select the scan whose logs you want to view and click Open. To open  
scans in a different database, click Change Database.  
4. Select a log from the Log Type list. The available types depend on the logging level that was  
selected for the scan (in Fortify WebInspect's Application settings).  
5. To locate text within the log, click Find on the toolbar  
- or -  
Select Edit > Find.  
6. To save a log file, click Export on the toolbar  
- or -  
Select File > Export Logs.  
7. To view logs that are not related to a specific scan, click WebInspect Logs (on the toolbar).  
Chapter 7: Policy Manager  
A policy is a collection of audit engines and attack agents that Fortify WebInspect uses when auditing  
or crawling your web application. Each component has a specific task, such as testing for cross-site  
scripting susceptibility, building the site tree, probing for known server vulnerabilities, etc. These  
components are organized into the following groups:  
• Audit Engines
• Audit Options
• General Application Testing
• General Text Searching
• Third-Party Web Applications
• Web Frameworks/Languages
• Web Servers
• Web Site Discovery
• Custom Agents
• Custom Checks
All these components (except for the Audit Engines) are known collectively as attack groups. Each  
attack group contains subgroups of individual modules (called attack agents) that check your website  
for vulnerabilities.  
Fortify WebInspect contains several prepackaged policies designed to accommodate the  
requirements of most users. All policies contain all possible audit engines and agents, but each policy  
has a different subset of these components enabled. You edit a policy by enabling or disabling audit  
engines and/or individual attack agents (or groups of agents). You create a policy by editing an  
existing policy and saving it with a new name.  
Views  
The Policy Manager has two different views, Standard and Search, which you can select from the View menu or by clicking icons in the toolbar.
Standard View  
This view displays, by default, a list of checks categorized by Seven Pernicious Kingdoms.  
Alternatively, a drop-down list allows you to display checks by Attack Groups, Severity, and Threat  
Class (according to classifications established by the Web Application Security Consortium).  
You enable or disable a component by selecting or clearing its associated check box.  
The check box next to an unexpanded node indicates the "selected" status of the objects within the  
node.  
• A check means all objects are selected.
• A green square means some objects are selected.
• An empty box means no objects are selected.
Click the plus sign to expand a node.  
Search View  
This view allows you to locate attack agents based on the attribute you select from the Criteria list:  
• Vulnerability ID
• Vulnerability Name
• Engine Type
• Last Updated
• CWE ID
• Kingdom
• Summary
• Implication
• Execution
• Fix
• Reference Info
This feature is used most often to identify checks that you want to disable. For example, if you are  
scanning an application that does not contain PHP scripting, you could search summary fields for  
"PHP." When the Policy Manager lists the attack agents that match your search criteria, you could  
disable an agent by clearing its associated check box. Then, you can either save the modified policy  
(making the policy changes permanent) or simply apply the modified policy to the current scan.  
Creating or Editing a Policy  
Fortify WebInspect contains a number of prepackaged policies designed to accommodate the  
majority of users. You cannot permanently change these policies. However, you can open any of them  
as a template, modify their contents to create a custom policy, and save the customized policy under a  
new name. You can edit and save a custom policy without changing its name.  
To edit or create a policy:  
1. On the toolbar, click Policy Manager  
- or -  
select Tools > Policy Manager.  
The Policy Manager opens. By default, it loads the Standard policy.  
2. To edit a policy that you previously created (that is, a custom policy), select File > Open and  
select the policy.  
3. To create a policy based on one of the prepackaged policies, select File > New (or click the New  
Policy icon) and select the policy on which the new one will be modeled.  
4. Disable (or enable) an attack group by clearing (or selecting) its associated check box. To disable  
or enable an individual agent within a group, first expand the group and then edit its check box.  
5. To rename an attack group:  
a. Right-click the attack group.  
b. Choose Rename from the shortcut menu.  
6. To add an attack group:  
a. Right-click any existing attack group.  
b. Choose New Attack Group from the shortcut menu.  
A highlighted entry named New Attack Group will appear.  
c. Right-click the new group and choose Rename.  
d. Populate the group by dragging and dropping attack agents onto it.  
7. You can also create a custom check. For more information, see "Creating a Custom Check" later in this chapter.
8. If you select the Auto Update check box, Fortify WebInspect determines if any updated or new  
attack agents downloaded from the Micro Focus database should be enabled or disabled, based  
on the analysis of its sibling agents. For example, if you disable attack agents targeting  
Microsoft's Internet Information Server (IIS), and you select Auto Update, then Fortify  
Micro Focus Fortify WebInspect (22.2.0)  
Page 64 of 364  
WebInspect will not enable any IIS-related attack agent that it downloads to your system.  
Conversely, any new or updated attack agents that are related to agents that are enabled in your  
policy will also be enabled.  
Note: New vulnerability checks downloaded via Smart Update are not added automatically  
to any custom policies you may have created.  
9. Select File > Save As. Type a name for your custom policy in the File name field and then click  
Save to save the new policy in Fortify WebInspect's *.policy format. You cannot save a policy  
using the name of a default policy (Assault, Blank, Standard, etc.).  
Creating a Custom Check  
Although Fortify WebInspect rigorously inspects your entire website for real and potential security  
vulnerabilities, you may require a custom check to detect vulnerabilities that are unique to your  
application.  
If you create a custom check that duplicates an attack conducted by Fortify WebInspect, your new  
check will not be submitted unless you disable the standard check. For example, Fortify WebInspect  
normally runs a directory enumeration check that searches for a backup directory with a "(copy)" suffix.  
If you create a custom check that also searches for a backup directory with a "(copy)" suffix, Fortify  
WebInspect will not submit it (because it has already searched for that directory) unless you disable  
check #11485 named Backup Directory ((copy)).  
To create a custom check:  
1. Open the Policy Manager.  
2. To edit a policy that you previously created, select File > Open and select the policy.  
3. To create a new policy based on a prepackaged policy, select File > New (or click the New Policy  
icon) and select the policy on which you will model a new one.  
4. Make sure the Standard view is selected, with Seven Pernicious Kingdoms listed in the left pane.  
5. Right-click on Custom Checks and select New Custom Check from the shortcut menu.  
The Custom Check Wizard appears.  
6. Select one of the following attack types, listed with detailed explanations and examples:  
   • Directory enumeration  
     This type of check searches for a directory of the name you specify.  
       ◦ Attack Type: Directory Enumeration  
       ◦ Attack: /directory_name/ [where directory_name is the name of the directory you want to find]  
       ◦ Signature: [STATUSCODE]3\d\d OR [STATUSCODE]2\d\d OR [STATUSCODE]40[13]  
   • File extension addition  
     This type of check searches for files with a file extension that you specify.  
     During the crawl, whenever Fortify WebInspect encounters a file of any name and any extension  
     (for example, global.asa), it sends an HTTP request for a file of the same name plus the found  
     extension plus an extension that you specify. For example, if you specify a file extension of  
     .backup, then when Fortify WebInspect discovers a file named global.asa, it will subsequently  
     search for a file named global.asa.backup.  
     A server would normally deny any request for the global.asa file, but if a programmer has left a  
     backup file on the server and the file has a different extension (such as global.asa.backup),  
     then the server might return the file (which contains the full source of the global.asa file).  
     To create a custom check that searches for files with a specific added extension, enter the  
     following in the Custom Check Wizard:  
       ◦ Attack Type: File Extension Addition  
       ◦ Attack: .ext [where ext is the file extension of files you want to locate]. You must include  
         the leading dot or period (.)  
       ◦ Signature: [STATUSCODE]200 AND ( [HEADERS]Content-Type:\stext/plain OR  
         [HEADERS]Content-Type:\sapplication/octet-stream )  
   • File extension replacement  
     This type of check searches for files with a file extension that you specify.  
     For example, Fortify WebInspect contains a standard check that searches for files having an  
     extension of .old. During the crawl, whenever it encounters a file of any name and any extension  
     (for example, startup.asp), it sends an HTTP request for a file of the same name but with an  
     extension of .old (for example, startup.old).  
     To create a custom check that searches for files with a specific extension, enter the following  
     in the Custom Check Wizard:  
       ◦ Attack Type: File Extension Replacement  
       ◦ Attack: ext [where ext is the file extension of files you want to locate]. Do NOT include a  
         leading dot or period (.)  
       ◦ Signature: [STATUSCODE]200 AND ( [HEADERS]Content-Type:\stext/plain OR  
         [HEADERS]Content-Type:\sapplication/octet-stream )  
   • Keyword search  
     This type of check determines if a specified word or phrase (defined by a regular expression)  
     exists anywhere in the HTTP response.  
     The following example searches the HTTP response for a nine-digit number formatted as a social  
     security number (\d = any digit).  
       ◦ Attack Type: Keyword Search  
       ◦ Attack: N/A  
       ◦ Signature: [BODY]\d\d\d-\d\d-\d\d\d\d  
   • Parameter injection  
     This type of attack replaces an argument value with an attack string.  
     Example:  
     will be changed to  
     There are several types of parameter injection, as follows:  
       ◦ Command Execution  
         A command execution check combines strings composed of special characters with operating  
         system-level commands. It is an attempt to make the web application execute the command  
         using the provided string (if the application fails to check for and prohibit the input).  
         The following example tests for parameter injection by providing spurious input to a  
         program named support_page.cgi; if the HTTP response contains data that matches the  
         regular expression, then the application is vulnerable to command execution.  
           ▪ Attack Type: Parameter Injection  
           ▪ Attack: /support_page.cgi?file_name=|id|  
           ▪ Signature: [BODY]uid= AND [BODY]gid=  
       ◦ SQL Injection  
         SQL injection is the act of passing SQL code into an application. These attack strings are  
         composed of fragments of SQL syntax that will be executed on the database server if the web  
         application uses the string when forming a SQL statement without first filtering out certain  
         characters.  
           ▪ Attack Type: Parameter Injection  
           ▪ Attack: ' [an apostrophe]  
           ▪ Signature: [STATUSCODE]5\d\d  
       ◦ Cross-Site Scripting  
         This issue occurs when dynamically generated web pages display input that is not properly  
         validated. This allows an attacker to embed malicious JavaScript into the generated page,  
         enabling him to execute the script on the machine of any user who views the malicious page.  
         Any site that allows users to post text messages can be vulnerable to an attack such as this.  
         The following example tests for cross-site scripting in the Fusion News application:  
           ▪ Attack Type: Parameter Injection  
           ▪ Attack: /fullnews.php?id=<script>alert(document.cookie)</script>  
           ▪ Signature: [ALL]Powered\sby\sFusion\sNews AND [ALL]<script>alert\(document\.cookie\)</script>  
       ◦ Directory Traversal  
         Directory traversal entails sending malformed URL strings to access non-public portions of  
         the web server's content. An attacker will try to access different files on a server by using  
         relative hyperlinks. For example, by adding triplets of two periods and a forward slash (../)  
         to the target URL and by varying the number of directories to traverse, an attacker might  
         The following example searches for the boot.ini file:  
           ▪ Attack Type: Parameter Injection  
           ▪ Attack: /../../../../../../../../../../../boot.ini  
           ▪ Signature: [ALL]\[boot\sloader\]  
       ◦ Abnormal Input  
         Abnormal input attack strings are composed of characters that can cause unhandled exceptions  
         (errors the program is not coded to handle) in web applications where unexpected input is not  
         prohibited. Unhandled exceptions often cause servers to display error messages that disclose  
         sensitive information about the application's internal mechanics. Source code may even be  
         disclosed.  
         The following example sends an extraordinarily long string in an attempt to create a buffer  
         overflow.  
           ▪ Attack Type: Parameter Injection  
           ▪ Attack: AAAAAAAAAAAA...AAAAAAAA [1000 repetitions of the letter "A"]  
           ▪ Signature: [STATUSCODE]5\d\d  
   • Simple attack  
     This type of attack is sent once for every server scanned.  
     The following example attempts to obtain a UNIX password file by appending the attack string  
     to the target URL or IP address:  
       ◦ Attack Type: Simple Attack  
       ◦ Attack: /etc/passwd  
       ◦ Signature: [ALL]root: AND [ALL]:0:0  
   • Site search  
     This type of attack is designed to find files commonly left on a web server. For example, check  
     ID #279 searches for a file named log.htm.  
     The following example searches for a file named xanadu.html by appending the attack string to  
     the target URL or IP address:  
       ◦ Attack Type: Site Search  
       ◦ Attack: xanadu.html  
       ◦ Signature: [STATUSCODE]2\d\d OR [STATUSCODE]40[1]  
     To create a custom check that searches for a file named confidential.txt, enter the following in  
     the Custom Check Wizard:  
       ◦ Attack Type: Site Search  
       ◦ Attack: confidential.txt  
       ◦ Signature: [STATUSCODE]2\d\d AND ([HEADERS]Content-Type:\stext/plain OR  
         [HEADERS]Content-Type:\sapplication/octet-stream)  
7. Click Next.  
8. In the Attack field, enter the data you want to use for the attack.  
In the above example of directory enumeration, the check will search for a directory named  
"personnel" by appending the attack string (/personnel/) to the target URL or IP address.  
9. You must specify a signature, which is simply a regular expression (that is, a special text string  
for describing a search pattern). When Fortify WebInspect searches the HTTP response and finds  
the text described by the signature, it flags the session as a vulnerability. You can use the Search  
for field and drop-down lists to help you create the regular expression, or you can type the  
regular expression directly into the text box at the bottom of the window.  
To use the Search for field:  
a. Enter the text you want to locate.  
Enter only text in the Search for field; do not enter a regular expression.  
In this example (searching for a directory named "personnel"), the server would return a  
status code of 200 if the directory exists, so enter "200" in the Search for field. Realistically,  
however, you might also accept any status code in the 200 or 300 series, or a status code of  
401 or 403.  
b. Click the drop-down arrow to specify the section of the HTTP response that should be  
searched.  
c. (Optional) To create a complex search, click the second drop-down and select a Boolean  
operator (AND, OR, or NOT).  
d. Click Insert.  
e. (Optional) For complex searches, repeat steps a-d as needed. You can also edit or replace the  
regular expression that appears in the bottom text box.  
10. Click Next.  
11. On the Report Information panel, click each tab and enter the text that will appear in the  
description.  
12. Select an entry from the Check Type list.  
13. Select a severity level from the Severity list.  
14. Click Finish.  
15. Change the default name "New Custom Check" to reflect the purpose of the check.  
16. Ensure that the custom check is enabled (with a check mark).  
17. Select Attack Groups from the drop-down list, and then click to expand the Audit Engines  
folder.  
18. Ensure that the appropriate audit engine is enabled (with a check mark) for the type of check you  
created, according to the following table.  
    This Attack Type...            Uses This Audit Engine...  
    Directory Enumeration          Directory Enumeration  
    File Extension Addition        File Extension  
    File Extension Replacement     File Extension  
    Keyword Search                 Keyword Search  
    Parameter Injection            Post Data Injection  
    Simple Attack                  Fixed Checks  
    Site Search                    Site Search  
19. Select File > Save.  
20. Enter a name for the new policy and click Save.  
Fortify WebInspect adds all custom checks to every policy, but does not enable them. To enable the  
custom check in other policies, see "Creating or Editing a Policy" on page 64.  
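The signature grammar used in the wizard examples above ([SECTION]regex clauses joined with AND, OR and NOT, grouped with parentheses) can be exercised offline against sample responses before a check goes into a policy. The following is an added example, not Fortify WebInspect code; it assumes that AND binds tighter than OR, that NOT negates the clause following it (so "A NOT B" reads as A AND NOT B), that literal parentheses inside a regex are escaped as \( and \), and that Python's re module behaves like WebInspect's regex engine for these patterns.

```python
"""Evaluate WebInspect-style custom-check signatures against an HTTP response.

Added example, not Fortify WebInspect code. Assumed here, not stated by the guide: AND
binds tighter than OR; NOT negates the clause after it ("A NOT B" = A AND NOT B); literal
parentheses in a regex are escaped \( \); re.search stands in for WebInspect's engine.
"""
import re
from dataclasses import dataclass, field

CLAUSE_RE = re.compile(r"^\[(STATUSCODE|HEADERS|BODY|ALL)\](.+)$", re.DOTALL)


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def section(self, name):
        """Text that a [SECTION] clause is matched against."""
        hdrs = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return {"STATUSCODE": str(self.status), "HEADERS": hdrs, "BODY": self.body,
                "ALL": f"HTTP/1.1 {self.status}\n{hdrs}\n\n{self.body}"}[name]


def tokenize(signature):
    """Split a signature into '(', ')', AND/OR/NOT and [SECTION]regex tokens."""
    tokens = []
    for raw in signature.split():
        while raw.startswith("("):  # grouping paren, never part of a regex
            tokens.append("(")
            raw = raw[1:]
        closers = 0
        while raw.endswith(")") and not raw.endswith("\\)"):  # unescaped ")"
            raw, closers = raw[:-1], closers + 1
        if raw:  # the guide writes both "AND" and "And": normalise operators
            tokens.append(raw.upper() if raw.upper() in ("AND", "OR", "NOT") else raw)
        tokens.extend([")"] * closers)
    return tokens


def parse_signature(signature):
    """Recursive descent to ("MATCH", sec, re) / ("NOT", x) / ("AND"|"OR", a, b) nodes."""
    tokens, pos = tokenize(signature), [0]  # pos: cursor shared by the nested parsers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else None

    def parse_or():  # lowest precedence
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("OR", node, parse_and())
        return node

    def parse_and():
        node = parse_unary()
        while peek() in ("AND", "NOT"):  # "A NOT B" is read as A AND (NOT B)
            right = parse_unary() if take() == "AND" else ("NOT", parse_unary())
            node = ("AND", node, right)
        return node

    def parse_unary():  # NOT x, ( ... ) or a single [SECTION]regex clause
        tok = take()
        if tok == "NOT":
            return ("NOT", parse_unary())
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in signature")
            return node
        m = CLAUSE_RE.match(tok or "")
        if not m:
            raise ValueError(f"expected [SECTION]regex, got {tok!r}")
        return ("MATCH", m.group(1), re.compile(m.group(2)))

    node = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node


def evaluate(node, response):
    if node[0] == "MATCH":
        return node[2].search(response.section(node[1])) is not None
    if node[0] == "NOT":
        return not evaluate(node[1], response)
    left, right = evaluate(node[1], response), evaluate(node[2], response)
    return (left and right) if node[0] == "AND" else (left or right)


def signature_matches(signature, response):
    """True when the custom check would flag this response as a vulnerability."""
    return evaluate(parse_signature(signature), response)


# Signatures copied from the guide's wizard examples; the responses are constructed samples.
DIR_ENUM_SIG = r"[STATUSCODE]3\d\d OR [STATUSCODE]2\d\d OR [STATUSCODE]40[13]"
FILE_EXT_SIG = (r"[STATUSCODE]200 AND ( [HEADERS]Content-Type:\stext/plain OR "
                r"[HEADERS]Content-Type:\sapplication/octet-stream )")
SSN_SIG = r"[BODY]\d\d\d-\d\d-\d\d\d\d"
BACKUP_FILE_200 = HttpResponse(200, {"Content-Type": "text/plain"}, "<% ' old global.asa %>")
FORBIDDEN_403 = HttpResponse(403, {"Content-Type": "text/html"}, "<h1>Forbidden</h1>")
NOT_FOUND_404 = HttpResponse(404, {"Content-Type": "text/html"}, "<h1>Not Found</h1>")
PII_PAGE_200 = HttpResponse(200, {"Content-Type": "text/html"}, "<p>SSN: 123-45-6789</p>")
```

Running a candidate signature against a handful of known-good and known-bad responses this way shows whether it is too broad (for example, a directory-enumeration signature that also accepts 404 pages) before the check is saved into a policy.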
To disable a custom check:  
1. Select a custom check.  
2. Clear its associated check box.  
To delete a custom check:  
Caution! If you delete a custom check from a policy, you delete it from all policies and from the  
entire system.  
1. Right-click a custom check.  
2. Select Delete from the short-cut menu.  
To edit a custom check:  
1. Open a policy.  
2. Select a custom check.  
3. Using the right pane of the Policy Manager, modify the custom check properties.  
4. Click the Save icon.  
Searching for Specific Agents  
Use the Search view on the Policy Manager to locate specific vulnerability checks (attack agents). You  
can then elect to include or exclude individual agents.  
To search for attack agents:  
1. On the toolbar, click Policy Manager  
- or -  
select Tools > Policy Manager.  
2. If you do not have a policy selected, select a policy from the Open Policy window and click OK.  
3. Select View > Search.  
The description of every attack agent contains "report fields" such as summary, implication,  
execution, recommendation, and fix. The Search feature allows you to locate attack agents that  
contain the text you specify in a selected report field.  
4. From the Criteria list, select the report field that you want to search.  
5. Choose an operator from the drop-down list (is, is greater than, is less than, contains).  
6. In the text box, type the text or number you want to find.  
7. Click Search.  
8. The Policy Manager lists in the Checks area all attack agents that match your search criteria. An  
active agent has a check mark next to its name. Select (or clear) a check box to activate (or  
deactivate) an agent.  
9. Click Save to save the revised policy.  
Using a Custom Agent  
Fortify WebInspect audit extensions are developed by software developers in your organization and  
published to SecureBase as custom agents that can be enabled in policies and used in conducting  
scans. To enable a custom agent in the Policy Manager:  
1. Do one of the following:  
   • To create a new policy that includes only the custom agent check, select File > New > Blank  
     Policy, and go to Step 2.  
   • To enable the custom agent check along with other checks in an existing policy, go to Step 2.  
2. Select Seven Pernicious Kingdoms from the drop-down list.  
3. Expand the Custom Agents group.  
4. Select a custom agent from the list.  
5. Select File > Save.  
When conducting a scan, select the policy that includes the enabled custom agent check.  
Note: If the developer republishes an extension, you must close and re-open the Policy Manager  
to get the revised custom agent.  
Methodologies  
A web application includes not only the code that creates your website, but also the architectural  
components necessary to make a website available and useful to the public. When considering web  
application security, you must account for all the components that work together to create a website,  
not just the visible face presented to the world at large.  
Fortify WebInspect can analyze any web application, identify potential security flaws, and supply you  
with the latest information necessary to resolve security issues before unauthorized users are able to  
capitalize on them. In an ever-changing, dynamic environment like the web, having a security tool  
that’s always up to date is an absolute necessity. With this in mind, Micro Focus's design team  
engineered the software to automatically update its built-in knowledgebase of known successful  
hacking methodologies every time it’s used. The software will then emulate these methodologies  
against the applications to be tested. This knowledgebase is gathered from Micro Focus security  
experts, as well as a wide variety of leading third-party security organizations and analysts.  
When new methods of attack are discovered, Micro Focus is ready with same-day upgrades to its  
SecureBase™ vulnerabilities database. Following is a list of the key methodologies that Fortify  
WebInspect employs when assessing the security vulnerabilities of your web application.  
Parameter Manipulation  
Parameter manipulation involves tampering with URL parameters to retrieve information that would  
otherwise be unavailable to the user. Parameter manipulation modifies, adds or removes parameter  
names and/or arguments. Basically, any input can be modified. Parameter manipulation attacks can  
be used to achieve a number of objectives, including disclosure of files above the web root, extraction  
of information from a database and execution of arbitrary operating-system level commands. This is  
applied to:  
• Query strings. Web applications often use query strings as a simple method of passing data between  
  the client and the server. Query strings are a way to add data calls to a hyperlink, and then retrieve  
  that information on the linked page when it is displayed. By manipulating query strings, an attacker  
  can easily steal information from a database, learn details about the architecture of your web  
  application, or possibly execute commands on your web server. When conducting an audit, Fortify  
  WebInspect implements advanced query string manipulation to ascertain the feasibility of command  
  execution on your server(s), and determines the vulnerability of your web applications to query  
  string manipulation.  
• Post data. Since manipulating a query string is as easy as typing text in the address bar of a  
  browser, many web applications rely on the POST method coupled with the use of forms rather than  
  GET to pass data between pages. Since browsers normally don't display POST data, some programmers  
  are lulled into thinking that it is difficult or impossible to change the data, when in fact the  
  opposite is true. Fortify WebInspect determines your application's susceptibility to attacks that  
  rely on the POST method of parameter manipulation.  
• Headers. Both HTTP requests and responses use headers to deliver information about the HTTP  
  message. A developer may not consider HTTP headers as areas of input, even though many web  
  applications will log headers such as the "referrer" or "user-agent" to a database for traffic  
  statistics. Fortify WebInspect intercepts header information, and attempts to pass different  
  parameter values during an audit.  
• Cookies. Many web applications use cookies to save information (for example, user IDs and  
  timestamps) on the client's machine. By changing these values, or "poisoning" the cookie, malicious  
  users can gain access to the accounts and information of other users. Attackers can also steal a  
  user's cookie and gain direct access to the user's account, bypassing the need to enter an ID and  
  password or other form of authentication. Fortify WebInspect lists all cookies discovered during a  
  scan, and attempts to change their parameters during an audit.  
Parameter manipulation can be divided into several subcategories, as described in the following  
sections.  
Parameter Injection  
Parameter injection attacks replace an argument value with an attack string.  
Example:  
These attempts to manipulate parameters associated with a URL are usually directed to the following  
areas:  
Command Execution  
Command execution attack strings are composed of special characters combined with operating  
system-level commands that will be run if the web application uses the string in a call to an operating  
system command without first parsing out the special characters.  
Example: ;id;  
Fortify WebInspect submits harmless commands, such as the ID command, to ascertain the feasibility  
of commands being inserted by an attacker and then executed.  
SQL Injection  
SQL injection is the act of passing SQL code not intended by the developer into an application. These  
attack strings are composed of fragments of SQL syntax that will be executed on the database server  
if the web application uses the string when forming a SQL statement without first parsing out certain  
characters.  
Example: '+(SELECT TOP 1 name FROM sysobjects WHERE 1=1)+'  
Problems can arise when a developer does not protect against potentially malicious input such as an  
apostrophe ( ' ), which could close the SQL string and give the user unintended system and  
application access.  
Cross-Site Scripting  
This issue occurs when dynamically generated web pages display input that is not properly validated.  
This allows an attacker to embed malicious JavaScript into the generated page, enabling him to  
execute the script on the machine of any user who views the malicious page. Any site that allows  
users to post text messages can be vulnerable to an attack such as this. This vulnerability is  
commonly seen on the following:  
• Search engines that repeat the search keyword that was entered  
• Error messages that repeat the string that contained the error  
• Forms that are filled out where the values are later presented to the user  
• Web message boards that allow users to post their own messages.  
An attacker who uses cross-site scripting successfully might compromise confidential information,  
manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute  
malicious code on the user systems.  
Abnormal Input  
Abnormal input attack strings are composed of characters that can cause unhandled exceptions  
(errors the program is not coded to handle) in web applications where unexpected input is not parsed  
out. Unhandled exceptions often cause error messages to be displayed that disclose sensitive  
information about the application’s internal mechanics. Source code may even be disclosed.  
Example: %00  
Parameter Overflow  
Parameter overflow attacks supply web applications with extremely large amounts of data in the  
forms of parameter or cookie header arguments or parameter names. If a web application is  
programmed in such a manner that it cannot appropriately handle unexpected and extremely large  
amounts of data, it may be possible to execute arbitrary operating system-level code or cause a  
denial-of-service condition.  
Buffer Overflow  
Buffer overflow attacks can be used to execute arbitrary operating system commands. Fortify  
WebInspect determines whether or not you are vulnerable to buffer overflow attacks, and provides  
details for remedying any buffer overflow vulnerabilities.  
Example:  
will be changed to  
characters]XXX=ValidArgument  
and also to  
characters]XXX  
Parameter Addition  
Parameter addition attacks insert new parameters into an HTTP request (such as admin=true) in an  
attempt to gain access to restricted or undocumented application features, and to manipulate internal  
application settings.  
Application Debug/Backdoor Mode Parameters  
Application debug/backdoor mode parameters are often undocumented application features that are  
added by programmers in order to assist with quality assurance. Access to debug and backdoor  
modes can lead to disclosure of sensitive information about the internal mechanics of the web  
application or even administrative control.  
Example:  
Path Manipulation  
Path manipulation attacks construct or modify the Request-URI section of the HTTP request in order  
to gain access to files above the web root, bypass authorization settings, display directory listings or  
display file source. Each of the following is a method of path manipulation.  
Path Truncation  
Path truncation attacks are requests for known directories without file names. This may cause  
directory listings to be displayed. Fortify WebInspect truncates paths, looking for directory listings or  
unusual errors within each truncation.  
Example:  
reveal directory contents or to cause unhandled exceptions.  
Character Encoding  
Character encoding attacks substitute encoded equivalents of characters in a request for a known  
resource. If the web application performs a string comparison for authorization or processing  
purposes using the encoded URI without first parsing the encoded characters, authorization settings  
may be defeated or source code may be disclosed. Fortify WebInspect submits various encoded  
character strings to ascertain whether your web application properly parses special characters. The  
following elements are included when Fortify WebInspect performs character encoding tests.  
• Unicode: The Unicode Worldwide Character Standard includes letters, digits, diacritics, punctuation  
  marks, and technical symbols for all the world's principal written languages, using a uniform  
  encoding scheme. Fortify WebInspect submits strings that have been converted to their Unicode  
  equivalent, and attempts to gain unauthorized authentication credentials through this manipulation.  
• Hexadecimal coding: This involves replacing characters with their hexadecimal equivalent. Fortify  
  WebInspect submits hex-encoded strings, and attempts to gain unauthorized authentication credentials  
  through this manipulation.  
MS-DOS 8.3 Short Filename  
MS-DOS 8.3 short filename attacks convert the file names to the MS-DOS 8.3 format (1 to 8  
characters, as opposed to the 255 characters allowed for file names by more recent versions of  
Windows). If the web application performs a string comparison for authorization or processing  
purposes using the MS-DOS 8.3 filename without first converting it to its FAT32/NTFS equivalent,  
this may defeat authorization settings or cause source code to be disclosed.  
Example: longfilename.asp would become longfi~1.asp  
Directory Traversal  
Directory traversal attacks are expressions in the URI that will cause the web server to display the  
contents of files above the web root if the web application uses the string to specify a file location  
without first completely parsing out traversal characters.  
Example: ../../../../../boot.ini  
Character Stripping  
Character stripping attacks add special characters to a URI that the server or application may parse  
out. If the server or application uses the URI in a string comparison for authorization or request  
processing without first stripping out the special characters, authorization settings may be defeated  
and source code may be disclosed.  
Character Append  
Character append attacks add a special character to the end of a file or directory name.  
Example: file.asp would become file.asp%00  
Site Search  
This can be considered the information-gathering stage, emulating an intruder's attempt to learn as  
much as possible about your web application before launching an attack. Site search is used to locate  
resources such as documents, applications and directories on the server that are not intended to be  
viewed by web users. Disclosure of such resources can result in the disclosure of confidential data,  
information about internal server and application configurations and settings, administrative access  
to the site, and information and application source code. Fortify WebInspect determines the  
availability of the following items, among others, to users of your web application.  
• Test and sample files: These often contain information that can be used to implement an attack. For  
  example, authenticated test scripts that have been left on the server could provide an attacker with  
  the location of sensitive areas of your site.  
• Administrative interfaces: These are applications that network administrators often place on a  
  network to conduct remote maintenance.  
• Application data: This can be information in a database or data passed from page to page via  
  another method.  
• Program dumps: Programs often leave a dump file on the server when they terminate prematurely.  
  Attackers will often break an application through various methods and then retrieve important  
  information from a dump file.  
• Application logs: Several software applications leave default application logs that detail the  
  installation of the product. Application logs can reveal important information about the  
  architecture of your web application, including the location of hidden areas.  
• Installation documentation: Certain software packages place compromising information in default  
  installation documentation that is left available on the server.  
• Backup files: Network administrators and developers often leave backup files and scripts on the web  
  server. These files commonly contain information that can be used to breach a site's security.  
  Backup file search involves replacing extensions on files, and then looking for older or backup  
  versions stored on the site. For example, an attacker who finds hi.asp might search for hi.old and  
  hi.back, and retrieve the script's source code.  
• Site statistics pages: These can be used to determine information about who is visiting your site.  
  However, they can also reveal information that an attacker can use in formulating an attack, such as  
  the location of other areas of your site.  
Application Mapping  
Fortify WebInspect exposes and follows all known (and unknown) links located on your site. This  
creates a baseline for vulnerability checking and application testing.  
Crawl  
One of the most important elements of discovering the security vulnerabilities of your web application  
is in mapping its internal structure. A crawl completely maps a site's tree structure. In essence, a crawl  
runs until no more links on the URL can be followed.  
Automatic Form-Filling  
Fortify WebInspect can be configured to submit data automatically for any form encountered during a  
crawl (for example, if a page requires entry of a telephone number, etc.).  
SSL Support  
Fortify WebInspect can crawl any site that uses SSL and determine whether data is being properly  
encrypted and protected.  
Proxy Support  
A proxy server can be used to enforce network security, provide caching, and regulate administrative  
control. Fortify WebInspect can crawl sites that use a proxy server, and check for vulnerabilities  
specifically related to that configuration.  
Client Certificate Support  
A certificate is a statement verifying the identity of a person or the security of a website. Attackers  
will attempt to alter the values of client certificates to gain unauthorized access to your web  
application.  
State Management  
State is a property of connectivity. HTTP is a stateless protocol; no concept of session state is  
maintained by HTTP when handling client-server communications. Fortify WebInspect determines if  
any cookies used on your web application are secure (are they set to expire, properly handled, etc.),  
and if session IDs are managed securely.  
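The cookie properties the State Management check looks at can be verified directly from Set-Cookie headers; the following added example (not WebInspect code) does that with a small parser. The session-name hints, the 12-hour lifetime limit, the 16-character minimum and the sample headers are assumptions chosen for the example.

```python
"""Set-Cookie audit in the spirit of the State Management check: is each
cookie flagged Secure and HttpOnly, does it carry SameSite, how long does a
session cookie live, and does the session ID look guessable.
Added example, not WebInspect code; the sample headers are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Name fragments that usually mark a session or authentication cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")
MAX_SESSION_LIFETIME = timedelta(hours=12)  # policy assumption for this example
MIN_SESSION_ID_LEN = 16                     # shorter identifiers are guessable
REFERENCE_NOW = datetime(2022, 11, 14, tzinfo=timezone.utc)  # fixed "now" for Expires math


@dataclass
class CookieReport:
    name: str
    is_session: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict[str, str | None], now: datetime) -> timedelta | None:
    """Explicit lifetime from Max-Age (which takes precedence) or Expires; None if neither parses."""
    if attrs.get("max-age") is not None:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if attrs.get("expires"):
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def audit_set_cookie(header: str, now: datetime = REFERENCE_NOW, over_https: bool = True) -> CookieReport:
    """Report the weaknesses of one Set-Cookie header the way a scanner would list them."""
    name, value, attrs = parse_set_cookie(header)
    is_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    rep = CookieReport(name, is_session)
    if over_https and "secure" not in attrs:
        rep.findings.append("missing Secure flag: cookie is also sent over plaintext HTTP")
    if is_session and "httponly" not in attrs:
        rep.findings.append("missing HttpOnly flag: session cookie is readable by script")
    if "samesite" not in attrs:
        rep.findings.append("missing SameSite attribute: cookie is sent on cross-site requests")
    elif (attrs["samesite"] or "").lower() == "none" and "secure" not in attrs:
        rep.findings.append("SameSite=None without Secure: browsers reject this combination")
    lifetime = cookie_lifetime(attrs, now)
    if is_session and lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        rep.findings.append(f"session cookie persists for {lifetime}: exceeds the allowed lifetime")
    if is_session and (len(value) < MIN_SESSION_ID_LEN or value.isdigit()):
        rep.findings.append("session identifier is short or purely numeric: low entropy")
    return rep


if __name__ == "__main__":
    # Constructed Set-Cookie headers standing in for a scanned application's responses.
    for header in (
        "JSESSIONID=1234; Path=/",
        "auth_token=f3a9c1d2e4b5a6c7d8e9f0a1b2c3d4e5; Secure; HttpOnly; SameSite=Strict; Max-Age=2592000",
        "sid=7c2e5f0a9b1d3e4f6a8b0c2d4e6f8a1b; Secure; HttpOnly; SameSite=Lax; Max-Age=1800",
        "lang=en; Path=/; Secure; SameSite=Lax",
    ):
        report = audit_set_cookie(header)
        print(report.name, "->", report.findings or ["no findings"])
```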
Directory Enumeration  
Directory enumeration lists all directory paths and possibilities on the application server, including  
hidden directories that could possibly contain sensitive information. Fortify WebInspect uses a  
database of known folders (such as admin, test, logs, etc.) and hidden areas discovered during a crawl  
when composing a directory enumeration listing.  
Web Server Assessment  
During a web server assessment, Fortify WebInspect tests your proprietary web server for vulnerabilities utilizing information gathered during a Site Search and other applied methodologies. Protocol and extension implementation analysis is used to determine what services the server offers, whether or not they conform to established standards for these services, and details regarding their implementation. As web server configurations are responsible for serving content and launching applications, damage from an attack on an unprotected proprietary web server can include denial of service, the posting of inappropriate messages or graphics on the site, deletion of files, or damaging code or software packages being left on the server.
HTTP Compliance  
HTTP compliance testing assesses the web server or proxy server for proper compliance with the HTTP/1.0 and HTTP/1.1 rules. This testing consists of attacks such as sending a data buffer larger than the declared length (buffer overflows). Servers are tested to see if they properly sanitize data by mixing and matching various methods and headers that are never seen within a normal request and determining if the web server handles the requests properly. These attacks can determine if a web server or web device complies with HTTP specifications and can also uncover unknown vulnerabilities.
WebDAV Compliance  
WebDAV allows users to place and manipulate files in a directory on your web server. Fortify  
WebInspect determines whether or not WebDAV privileges can be exceeded and manipulated on your  
web server.  
SSL Strength  
SSL strength identification determines the encryption level accepted by a web server. This can be  
important to ensure that secure clients do not connect at an encryption level lower than the expected  
standard, and that data is being properly encrypted to prevent its interception.  
Certificate Analysis  
Fortify WebInspect analyzes the SSL certificate for improper properties, such as an unknown issuing CA or an expired validity period.
HTTP Method Support  
Fortify WebInspect determines which HTTP methods are supported by the web server. Example: Does the web server support GET, PUT, INDEX, POST, CONNECT, etc.?
Content Investigation  
Content Investigation involves searching through content discovered during a Site Search to  
determine what information is available to users of your web application that should remain private.  
Fortify WebInspect searches for the following items when conducting Content Investigation (although  
by no means a comprehensive list), and will determine each item's potential level of exploitation.  
Spam Gateway Detection  
Spam gateways are e-mail web applications that allow the client to specify the location of the mail  
recipient via hidden form inputs or parameters.  
Client-Side Pricing  
Client-side pricing is a web application flaw that allows the client to specify item pricing via hidden  
form inputs or parameters.  
Sensitive Developer Comments  
Developer comments in HTML often reveal sensitive information about an application’s internal  
mechanics and configuration. For example, something as seemingly innocuous as a comment  
referencing the required order of fields in a table could potentially give an attacker a key piece of  
information needed to crack the security of your site. Fortify WebInspect lists all comments found in  
the site's code in the Comments area on the Information pane.  
WebServer/Web Package Identification  
Fortify WebInspect will identify all services and banners on the web server, and ascertain the vendors  
and version numbers of all available software packages used by your web application. This is  
accomplished through a variety of methods, listed below.  
• Header Evidence: For example, Server: Microsoft-IIS/5.0
• Link Evidence: For example, <a href="/webapp.php"> indicates that the PHP web application server is running.
• Default/Template Page Evidence: For example, "If you can see this, it means that the installation of the Apache web server software on this system was successful."
Absolute Path Detection  
Fortify WebInspect detects whether a fully qualified pathname was able to be discovered anywhere  
within an application. Certain vulnerabilities can only be exploited if the attacker has the fully  
qualified pathname.  
Example: /opt/Web/docroot/, c:\inetpub\wwwroot
Error Message Identification  
Often, error messages will reveal more than they were designed to do. For example, pages containing  
/servletimages/logo2circle.gif are default template BEA WebLogic error pages. An attacker forearmed  
with that knowledge can customize his attack to take advantage of that server's inherent  
vulnerabilities.  
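Added example, not WebInspect code: a single offline pass over one HTTP response that reports the Content Investigation items above (header, link and default-page evidence, developer comments, absolute paths, and the hidden inputs behind spam gateways and client-side pricing), so you can see what your own pages disclose before a scan does. The signature lists and the sample response are constructed for the demonstration.

```python
"""Content Investigation as an offline checker for your own responses: header
banners, link extensions, default/template page text, developer comments,
fully qualified paths, and hidden inputs that let the client set a price or a
mail recipient. Added example, not WebInspect code; the response is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from html.parser import HTMLParser

BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")        # Header Evidence
EXTENSION_PLATFORM = {".php": "PHP", ".asp": "ASP", ".aspx": "ASP.NET",  # Link Evidence
                      ".jsp": "Java/JSP", ".do": "Java/Struts", ".cfm": "ColdFusion"}
TEMPLATE_SIGNATURES = {                                                  # Default Page / Error Message
    "installation of the Apache web server software on this system was successful": "Apache default page",
    "/servletimages/logo2circle.gif": "BEA WebLogic default error page",
}
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\[\w\\.\-]+|/(?:opt|var|usr|home|etc|srv)/[\w./\-]+")  # Absolute Path
PRICE_NAME_RE = re.compile(r"price|amount|total|cost", re.I)             # Client-Side Pricing
RECIPIENT_NAME_RE = re.compile(r"^(?:to|recipient|rcpt|mailto|email_to|sendto)$", re.I)  # Spam Gateway
SENSITIVE_COMMENT_RE = re.compile(r"password|passwd|todo|fixme|sql|table|admin|debug", re.I)


@dataclass
class Finding:
    category: str
    evidence: str


class _Collector(HTMLParser):
    """Gathers comments, link targets and hidden inputs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: list[str] = []
        self.links: list[str] = []
        self.hidden_inputs: list[tuple[str, str]] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(" ".join(data.split()))

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        target = a.get("href") or a.get("src") or a.get("action")
        if target and tag in ("a", "form", "script", "img", "link"):
            self.links.append(target)
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_inputs.append((a.get("name", ""), a.get("value", "")))


def investigate(headers: dict[str, str], body: str) -> list[Finding]:
    """Return everything in one response that the checks above would report."""
    findings: list[Finding] = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS:
            findings.append(Finding("header evidence", f"{name}: {value}"))
    collector = _Collector()
    collector.feed(body)
    seen_platforms: set[str] = set()
    for link in collector.links:
        path = link.split("?", 1)[0].split("#", 1)[0].lower()
        for ext, platform in EXTENSION_PLATFORM.items():
            if path.endswith(ext) and platform not in seen_platforms:
                seen_platforms.add(platform)
                findings.append(Finding("link evidence", f"{link} -> {platform}"))
    for needle, label in TEMPLATE_SIGNATURES.items():
        if needle in body:
            findings.append(Finding("default page evidence", label))
    for comment in collector.comments:
        sensitive = SENSITIVE_COMMENT_RE.search(comment) is not None
        findings.append(Finding("sensitive developer comment" if sensitive else "developer comment", comment))
    for path in sorted(set(ABS_PATH_RE.findall(body))):
        findings.append(Finding("absolute path", path))
    for name, value in collector.hidden_inputs:
        if PRICE_NAME_RE.search(name):
            findings.append(Finding("client-side pricing", f"{name}={value}"))
        elif RECIPIENT_NAME_RE.match(name):
            findings.append(Finding("spam gateway", f"{name}={value}"))
    return findings


# Constructed response standing in for a page discovered during a Site Search.
SAMPLE_HEADERS = {"Server": "Microsoft-IIS/5.0", "Content-Type": "text/html", "X-Powered-By": "ASP.NET"}
SAMPLE_BODY = r"""<html><body>
<!-- TODO: remove debug flag before release; column order is id,user,password -->
<a href="/webapp.php">Shop</a> <a href="/cart.aspx?x=1">Cart</a>
<form action="/contact.php" method="post">
  <input type="hidden" name="to" value="sales@example.test">
  <input type="hidden" name="price" value="19.99">
</form>
<p>Error: could not open c:\inetpub\wwwroot\config\db.xml</p>
<p>Debug: docroot=/opt/Web/docroot/index.php</p>
<img src="/servletimages/logo2circle.gif">
</body></html>"""

if __name__ == "__main__":
    for f in investigate(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{f.category}] {f.evidence}")
```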
Permissions Assessment  
Fortify WebInspect will determine what level of permissions (such as uploading files to the web server,  
editing data, traversing directories, etc.) are available in different areas of your web application, and  
then determine the best way to remedy any inherent security vulnerabilities.  
Brute Force Authentication Attacks  
Brute force attacks test for susceptibility to dictionary attacks (files containing common logons and  
passwords). Fortify WebInspect tests Basic, NTLM, and web form authentication for susceptibility to a  
brute force attack.  
Known Attacks
Known attacks include all exploitable holes and bugs in web servers, applications, and other third-party components that have been published, posted, or otherwise communicated. Most of these vulnerabilities have existing patches, but hackers will exploit systems where patches have not been installed in a timely fashion. Known attack information is included in all other methodologies. Fortify WebInspect relies on a proprietary database that contains fingerprints of known attacks dating back to the birth of the World Wide Web. It checks for and downloads new risks and exploits each time it runs, ensuring that the product is always updated and at the forefront of hacking expertise.
Policies  
Each policy is kept up to date through the Smart Update function, ensuring that scans are accurate  
and capable of detecting the most recently discovered threats. Fortify WebInspect (or sensor)  
contains the following packaged policies that you can use with your scans and crawls to determine  
the vulnerability of your web application.  
Note: This list might not match the policies that you see in your product. SmartUpdate might  
have added or deprecated policies since this document was produced.  
Best Practices  
The Best Practices group contains policies designed to test applications for the most pervasive and  
problematic web application security vulnerabilities.  
• API: This policy contains checks that target various issues relevant to an API security assessment. This includes various injection attacks, transport layer security, and privacy violation, but does not include checks to detect client-side issues and attack surface discovery such as directory enumeration or backup file search checks. All vulnerabilities detected by this policy may be directly targeted by an attacker. This policy is not intended for scanning applications that consume Web APIs.
• CWE Top 25 <version>: The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25) is a list created by MITRE. The list demonstrates the most widespread and critical software weaknesses that can lead to vulnerabilities in software.
• DISA STIG <version>: The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. This policy contains a selection of checks to help the application meet the secure coding requirements of the DISA STIG <version>. Multiple versions of the DISA STIG policy may be available in the Best Practices group.
• General Data Protection Regulation (GDPR): The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and provides a framework for organizations on how to handle personal data. The GDPR articles that pertain to application security and require businesses to protect personal data during design and development of their products and services are as follows:
  • Article 25, data protection by design and by default, which requires businesses to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed.
  • Article 32, security of processing, which requires businesses to protect their systems and applications from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.
  This policy contains a selection of checks to help identify and protect personal data specifically related to application security for the GDPR.
• NIST-SP80053R5: NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) provides a list of security and privacy controls designed to protect federal organizations and information systems from security threats. This policy contains a selection of checks that must be audited to meet the guidelines and standards of NIST SP 800-53 Rev. 5.
• OWASP Application Security Verification Standard (ASVS): The Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test, and verify secure applications.
  This policy uses the OWASP ASVS suggested CWE mapping for each category of SecureBase checks to include. Because CWE is a hierarchical taxonomy, this policy also includes checks that map to additional CWEs that are implied from the OWASP ASVS suggested CWE using a "ParentOf" relationship.
• OWASP Top 10 <year>: This policy provides a minimum standard for web application security. The OWASP Top 10 represents a broad consensus about the most critical web application security flaws. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. Multiple releases of the OWASP Top Ten policy may be available. For more information, consult the
• SANS Top 25 <year>: The SANS Top 25 Most Dangerous Software Errors provides an enumeration of the most widespread and critical errors, categorized by Common Weakness Enumeration (CWE) identifiers, that lead to serious vulnerabilities in software. These software errors are often easy to find and exploit. The inherent danger in these errors is that they can allow an attacker to take over the software completely, steal data, or prevent the software from working altogether.
• Standard: A standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities such as SQL Injection and Cross-Site Scripting as well as poor error handling and weak SSL configuration at the web server, web application server, and web application layers.
By Type  
The By Type group contains policies designed with a specific application layer, type of vulnerability,  
or generic function as its focus. For instance, the Application policy contains all checks designed to  
test an application, as opposed to the operating system.  
• Aggressive Log4Shell: This policy performs a comprehensive security assessment of your web application for JNDI Reference injections in vulnerable versions of Apache Log4j libraries. In vulnerable versions, Log4j does not restrict JNDI features. This allows an attacker who can control log messages to inject JNDI references that point to an attacker-controlled server. This can lead to remote code execution on the vulnerable target. Compared with other policies that include the Log4Shell agent, this policy performs a more accurate and decisive job, but produces a significant number of requests and has a longer scan time.
• Aggressive SQL Injection: This policy performs a comprehensive security assessment of your web application for SQL Injection vulnerabilities. SQL Injection is an attack technique that takes advantage of non-validated input vulnerabilities to pass arbitrary SQL queries and/or commands through the web application for execution by a backend database. This policy performs a more accurate and decisive job, but has a longer scan time.
• Apache Struts: This policy detects supported known advisories against the Apache Struts framework.
• Blank: This policy is a template that you can use to build your own policy. It includes an automated crawl of the server and no vulnerability checks. Edit this policy to create custom policies that only scan for specific vulnerabilities.
• Client-side: This policy is intended to detect all issues that require an attacker to perform phishing in order to deliver an attack. These issues are typically manifested on the client, thus enforcing the phishing requirement. This includes Reflected Cross-site Scripting and various HTML5 checks. This policy may be used in conjunction with the Server-side policy to provide coverage across both the client and the server.
• Criticals and Highs: Use the Criticals and Highs policy to quickly scan your web applications for the most urgent and pressing vulnerabilities while not endangering production servers. This policy checks for SQL Injection, Cross-Site Scripting, and other critical and high severity vulnerabilities. It does not contain checks that may write data to databases or create denial-of-service conditions, and is safe to run against production servers.
• Cross-Site Scripting: This policy performs a security scan of your web application for cross-site scripting (XSS) vulnerabilities. XSS is an attack technique that forces a website to echo attacker-supplied executable code, such as HTML code or client-side script, which then loads in a user's browser. Such an attack can be used to bypass access controls or conduct phishing expeditions.
• DISA STIG <version>: The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. This policy contains a selection of checks to help the application meet the secure coding requirements of the DISA STIG <version>. Multiple versions of the DISA STIG policy may be available in the By Type group.
• Mobile: A mobile scan detects security flaws based on the communication observed between a mobile application and the supporting backend services.
• NoSQL and Node.js: This policy includes an automated crawl of the server and performs checks for known and unknown vulnerabilities targeting databases based on NoSQL, such as MongoDB, and server-side infrastructures based on JavaScript, such as Node.js.
• OAST: This policy includes all checks that use Out-of-band Application Security Testing (OAST) technology in scanning logic.
• Passive Scan: The Passive Scan policy scans an application for vulnerabilities detectable without active exploitation, making it safe to run against production servers. Vulnerabilities detected by this policy include issues of path disclosure, error messages, and others of a similar nature.
• PCI Software Security Framework <version> (PCI SSF <version>): The PCI SSF provides a baseline of requirements and guidance for building secure payment systems and software that handle payment transactions. This policy contains a selection of checks that must be audited to meet the secure coding requirements of PCI SSF.
• Privilege Escalation: The Privilege Escalation policy scans your web application for programming errors or design flaws that allow an attacker to gain elevated access to data and applications. The policy uses checks that compare responses of identical requests with different privilege levels.
• Server-side: This policy contains checks that target various issues on the server-side of an application. This includes various injection attacks, transport layer security, and privacy violation, but does not include attack surface discovery such as directory enumeration or backup file search. All vulnerabilities detected by this policy may be directly targeted by an attacker. This policy may be used in conjunction with the Client-side policy to provide coverage across both the client and the server.
• SQL Injection: The SQL Injection policy performs a security scan of your web application for SQL injection vulnerabilities. SQL injection is an attack technique that takes advantage of non-validated input vulnerabilities to pass arbitrary SQL queries and/or commands through the web application for execution by a backend database.
• Transport Layer Security: This policy performs a security assessment of your web application for insecure SSL/TLS configurations and critical transport layer security vulnerabilities, such as Heartbleed, Poodle, and SSL Renegotiation attacks.
• WebSocket: This policy detects vulnerabilities related to WebSocket implementation in your application.
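The approach the Privilege Escalation policy takes, comparing responses to identical requests made at different privilege levels, is shown below as an added example (not WebInspect code) that you can run over your own recorded sessions. The noise patterns, the similarity threshold and the recorded responses are assumptions constructed for the demonstration.

```python
"""Differential authorization check in the manner the Privilege Escalation
policy describes: replay one request under sessions of different privilege and
compare the responses once per-response noise is removed. Added example, not
WebInspect code; the recorded responses below are constructed."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass

PRIVILEGED_ROLE = "admin"
SIMILARITY_THRESHOLD = 0.9  # tune per application; personalised pages sit below it

# Content that legitimately differs between two otherwise identical responses.
NOISE_PATTERNS = (
    re.compile(r'name="csrf_token" value="[^"]*"'),              # anti-CSRF tokens
    re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\b"),    # render timestamps
    re.compile(r"(?i)(?:session|request)[-_ ]?id[=:]\s*[\w-]+"),  # per-request identifiers
    re.compile(r"\s+"),                                           # whitespace differences
)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Finding:
    path: str
    role: str
    similarity: float


def normalize(body: str) -> str:
    """Blank out the noise so equal authorization outcomes compare equal."""
    for pattern in NOISE_PATTERNS:
        body = pattern.sub(" ", body)
    return body.strip()


def compare_roles(path: str, responses: dict[str, Response],
                  privileged: str = PRIVILEGED_ROLE) -> list[Finding]:
    """Flag every lower-privilege role whose 200 response matches the privileged one."""
    high = responses[privileged]
    if high.status != 200:
        return []  # nothing privileged was served on this path
    reference = normalize(high.body)
    findings = []
    for role, low in responses.items():
        if role == privileged or low.status != 200:
            continue  # 401/403 or a redirect to login is the expected outcome
        ratio = difflib.SequenceMatcher(None, reference, normalize(low.body)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            findings.append(Finding(path, role, ratio))
    return findings


# Constructed recordings: the same three paths requested as admin, user and anonymous.
SAMPLE_RESPONSES = {
    "/admin/users": {
        "admin": Response(200, '<h1>Users</h1><input name="csrf_token" value="a1b2"><ul><li>alice</li><li>bob</li></ul>Generated 2022-11-14 10:00:01'),
        "user": Response(200, '<h1>Users</h1><input name="csrf_token" value="z9y8"><ul><li>alice</li><li>bob</li></ul>Generated 2022-11-14 10:00:07'),
        "anonymous": Response(302, ""),
    },
    "/admin/settings": {
        "admin": Response(200, "<h1>Settings</h1><form>...</form>"),
        "user": Response(403, "Forbidden"),
        "anonymous": Response(302, ""),
    },
    "/account": {
        "admin": Response(200, "<h1>Account</h1>Role: admin"),
        "user": Response(200, "<h1>Account</h1>Role: user"),
        "anonymous": Response(302, ""),
    },
}


def run_all(recordings: dict[str, dict[str, Response]] = SAMPLE_RESPONSES) -> list[Finding]:
    return [f for path, by_role in recordings.items() for f in compare_roles(path, by_role)]


if __name__ == "__main__":
    for finding in run_all():
        print(f"{finding.path}: role '{finding.role}' received the privileged content "
              f"(similarity {finding.similarity:.2f})")
```

Pages personalised per user, such as the /account sample, fall below the threshold; tune it and the noise patterns to the application before trusting a clean result.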
Custom  
The Custom group contains all user-created policies and any custom policies modified by a user.  
Hazardous  
The Hazardous group contains a policy with potentially dangerous checks, such as a denial-of-service  
attack, that could cause production servers to fail. Use this policy against non-production servers and  
systems only.  
• All Checks: An All Checks scan includes an automated crawl of the server and performs all active checks from SecureBase, the database. This scan includes all checks that are listed in the compliance reports that are available in Fortify web application and web services vulnerability scan products. This includes checks for known and unknown vulnerabilities at the web server, web application server, and web application layers.
Caution! An All Checks scan includes checks that may write data to databases, submit forms, and create denial-of-service conditions. Fortify strongly recommends using the All Checks policy only in test environments.
Deprecated Checks and Policies  
The following policies and checks are deprecated and are no longer maintained.  
• Application (Deprecated): The Application policy performs a security scan of your web application by submitting known and unknown web application attacks, and only submits specific attacks that assess the application layer. When performing scans of enterprise-level web applications, use the Application Only policy in conjunction with the Platform Only policy to optimize your scan in terms of speed and memory usage.
• Assault (Deprecated): An assault scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the web server, web application server, and web application layers. An assault scan includes checks that can create denial-of-service conditions. It is strongly recommended that assault scans only be used in test environments.
• Deprecated Checks: As technologies reach end of life and fade out of the technical landscape, it is necessary to prune the policy from time to time to remove checks that are no longer technically necessary. The Deprecated Checks policy includes checks that are either deemed end of life based on the current technological landscape or have been re-implemented using smarter and more efficient audit algorithms that leverage the latest enhancements of the core WebInspect framework.
• Dev (Deprecated): A Developer scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the web application layer only. The policy does not execute checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
• OpenSSL Heartbleed (Deprecated): This policy performs a security assessment of your web application for the critical TLS Heartbeat read overrun vulnerability. This vulnerability could potentially disclose critical server and web application data residing in the server memory at the time a malicious user sends a malformed Heartbeat request to the server hosting the site.
• OWASP Top 10 Application Security Risks - 2010 (Deprecated): This policy provides a minimum standard for web application security. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. This policy includes elements specific to the 2010 Top Ten list. For more information, consult the OWASP Top Ten Project.
• Platform (Deprecated): The Platform policy performs a security scan of your web application platform by submitting attacks specifically against the web server and known web applications. When performing scans of enterprise-level web applications, use the Platform Only policy in conjunction with the Application Only policy to optimize your scan in terms of speed and memory usage.
• QA (Deprecated): The QA policy is designed to help QA professionals make project release decisions in terms of web application security. It performs checks for both known and unknown web application vulnerabilities. However, it does not submit potentially hazardous checks, making it safe to run on production systems.
• Quick (Deprecated): A Quick scan includes an automated crawl of the server and performs checks for known vulnerabilities in major packages and unknown vulnerabilities at the web server, web application server and web application layers. A quick scan does not run checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
• Safe (Deprecated): A Safe scan includes an automated crawl of the server and performs checks for most known vulnerabilities in major packages and some unknown vulnerabilities at the web server, web application server and web application layers. A safe scan does not run any checks that could potentially trigger a denial-of-service condition, even on sensitive systems.
• Standard (Deprecated): The Standard (Deprecated) policy is a copy of the original Standard policy before it was revamped in the R1 2015 release. A standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the web server, web application server and web application layers. A standard scan does not run checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.
Policy Manager Icons  
The following table describes the icons that are used in the Policy Manager tree view.
Icon    Definition
[icon]  The policy.
[icon]  Attack Group Folder: Folders that contain vulnerability assessments.
[icon]  Audit Methodology: A set of checks that compose an audit methodology. For example, Site Search is part of the Audit methodology. For more information on methodologies, see "Methodologies" on page 75.
[icon]  A critical vulnerability wherein an attacker might have the ability to execute commands on the server or retrieve and modify private information.
[icon]  A high vulnerability. Generally, the ability to view source code, files out of the web root, and sensitive error messages.
[icon]  A medium vulnerability. Indicates non-HTML errors or issues that could be sensitive.
[icon]  A low vulnerability. Indicates interesting issues or issues that could potentially become higher ones.
Audit Engines  
Fortify WebInspect uses the following audit engines:  
• Adaptive Agents: Certain vulnerabilities require a large amount of logic when checking for them. For example, a buffer overflow JRun check might cause a server to crash if conducted through a vulnerability database. Instead, an adaptive agent with the proper amount of logic can be written to prevent such a problem. With this smart approach, Fortify WebInspect continuously applies appropriate assessment resources that adapt to the specific application environment.
• Arbitrary Remote File Include: This engine checks for vulnerabilities that may allow fetching and incorporating data from arbitrary URLs supplied by an attacker.
• Comment Checks: The comment audit examines each session for file names and/or URLs in comments. Upon finding a filename or URL, the audit will check to see if the file or URL exists.
• Cookie Injection: Cookies and headers are just as vulnerable to injection attacks as text fields in forms. Cookie injection occurs when unvalidated data is sent by a user's browser as part of a cookie. The Cookie Injection audit engine attempts certain traditional parameter injection attacks against different cookie values.
• Cross-Site Scripting: This engine conducts cross-site scripting parameter injection attacks. Applications are vulnerable to these attacks when developers do not adequately filter or verify client-supplied data that is returned by the application to the server.
• Directory Enumeration: Directory Enumeration finds all directory paths and possibilities on the application server, including hidden directories which could possibly contain sensitive information. This helps Fortify WebInspect create a full and accurate map of the targeted site.
• Directory Extension Addition: Directory extension checking involves adding extensions to directories and removing the trailing slash to find archived directories left on the server. Fortify WebInspect attempts to locate all directories that have been left on your server that could be used by an attacker.
• File Extension: Network administrators and developers often leave backup files and scripts on the web server. These files commonly contain information that can be used to breach a site's security. Extension checking involves replacing extensions on files, and then looking for older or backup versions stored on the site. For example, an attacker who finds hi.asp might search for hi.old and hi.back, and retrieve the script's source code. Fortify WebInspect attempts to locate all files that could be utilized by an attacker that have been left on your server.
• File Prefix: Network administrators and developers often leave backup files and scripts on the web server. These files commonly contain information that can be used to breach a site's security. Prefix checking involves affixing a value to file names, and then looking for older or backup versions stored on the site.
• File Suffix: File suffix checking involves affixing a value to file names, and then looking for older or backup versions stored on the site. See File Prefix above.
• Fixed Checks: This audit performs checks for files with known vulnerabilities. This audit is the same as the ABS Checks audit, with the exception being that the Fixed Checks audit does not probe the directory structure before sending the attacks.
• FlashStaticAnalysis: Performs Flash source code analysis to detect vulnerabilities.
• Fortify Agent Probe Engine: This engine sends probes for hints whether a particular parameter or injection point would be vulnerable to the attack suggestions provided in the audit inputs.
• Hacker Level Insights: This engine provides data that extends beyond the classic weaknesses and vulnerabilities that DAST traditionally highlights.
• Header Injection: Cookies and headers are just as vulnerable to injection attacks as text fields in forms. HTTP header injection occurs when HTTP headers are dynamically generated with user input that includes malicious content. The Header Injection audit engine attempts certain traditional parameter injection attacks against different types of HTTP headers.
• Keyword Search: Information disclosure attacks focus on ways of getting a website to reveal system-specific information or confidential data, including user data, that should not be exposed to anonymous users. The Keyword Search audit engine examines every response from the web server for information, such as error messages, directory listings, credit card numbers, etc., that is not properly protected by the website.
• Known Vulnerabilities: This engine checks for files with known vulnerabilities. The audit will perform a probe of directories known to contain these files and then send requests based on any discovered directories.
• Local File Inclusion: Local file reading/inclusion vulnerabilities exist when an attacker can influence the application to read (presumably arbitrary) files specified by the attacker. The engine submits to the web application various values that contain various combinations of relative and absolute file names for specific known files. The engine considers the attack a success if the contents of those files are displayed.
• Persistent Cross-Site Scripting: This engine must be enabled to check for Persistent Cross-Site Scripting vulnerabilities (also known as Stored Cross-Site Scripting). When successfully exploited, Persistent Cross-Site Scripting can allow an attacker to inject malicious scripts into the target application's client-side code.
• Postdata Injection: Since manipulating a query string is as easy as typing text in the address bar of a browser, many web applications rely on the POST method coupled with the use of forms (rather than GET) to pass data between pages. Since browsers normally don't display POST data, some programmers are lulled into thinking that it is difficult or impossible to change the data, when in fact the opposite is true. Fortify WebInspect determines your application's susceptibility to attacks that rely on the POST method of parameter manipulation.
• Postdata Sequence: Since manipulating a query string is as easy as typing text in the address bar of a browser, many web applications rely on the POST method coupled with the use of forms (rather than GET) to pass data between pages. Since browsers normally don't display POST data, some programmers are lulled into thinking that it is difficult or impossible to change the data, when in fact the opposite is true. Fortify WebInspect determines your application's susceptibility to attacks that rely on the POST method of parameter manipulation by sending fragmented data to the target.
• Query Injection: Web applications often use query strings as a simple method of passing data from the client to the server. Query strings are a way to add data calls to a hyperlink, and then retrieve that information on the linked page when it is displayed. By manipulating query strings, an attacker can easily steal information from a database, learn details about the architecture of your web application, or possibly execute commands on your web server.
  When conducting an audit, Fortify WebInspect implements advanced query string manipulation to ascertain the feasibility of command execution on your server(s), and determines the vulnerability of your web applications to query string manipulation.
• Query Sequence: Web applications often use query strings as a simple method of passing data from the client to the server. Query strings are a way to add data calls to a hyperlink, and then retrieve that information on the linked page when it is displayed. By manipulating query strings, an attacker can easily steal information from a database, learn details about the architecture of your web application, or possibly execute commands on your web server.
  When conducting an audit, Fortify WebInspect implements advanced query string manipulation to ascertain the feasibility of command execution on your server(s), and determines the vulnerability of your web applications to query string manipulation by sending fragmented data to the target.
• Reclassify: This engine analyzes the responses to generic/application non-specific attacks and reclassifies certain vulnerability instances into specific known application vulnerabilities.
• Request Modification: Several types of attacks involve malformed requests that result in a failed response from the web server. The Request Modification engine generates requests that are derived from other requests that match a pattern, and then evaluates the response to determine if these types of attacks are possible.
• Site Search: This can be considered the information gathering stage, much as an attacker would learn as much as possible about your web application before launching an attack. Site search is used to locate resources such as documents, applications and directories on the server that are not intended to be viewed by web users. Disclosure of such resources can result in the disclosure of confidential data, information about internal server and application configurations and settings, administrative access to the site, and information about application source code.
• SOAP Assessment: Web services are programs that communicate with other applications (rather than with users) and answer requests for information. Most web services utilize SOAP (Simple Object Access Protocol) to send XML data between the web service and the client web application making the information request. SOAP assessment involves checking for security vulnerabilities inherent within that transport mechanism.
• SQL Injection: SQL Injection is an attack in which hackers use SQL statements via an Internet browser to extract, add, or modify data, create a denial of service, bypass authentication, or execute remote commands. The SQL Injection engine detects the following attacks:
  • Injection through user input, such as malicious strings in web forms
  • Injection through cookies, such as modified cookie fields that contain attack strings
  • Injection through server variables, such as headers that are manipulated to contain attack strings
• WAF Detection: This engine detects the presence of a web application firewall.
Audit Options  
Fortify WebInspect uses the following audit options.  
• CVS Entries Parser: This engine parses any Entries files found within the scan for links to add to the crawler engine.
• Robots.txt Parser: This engine parses any robots.txt files found within the scan for links to add to the crawler engine.
• WebInspect Scan Signature: This signature sends the text SCANNED-BY-HP- to the server. The text appears in the webserver logs and indicates that a scan has occurred.
• Ws_ftp.log Parser: This engine parses any Ws_ftp.log files it finds and will add links to the site directory tree.
General Application Testing  
This group of checks is applicable to all web applications generally. It includes Directory Enumeration,  
which looks for common directories in the root of the server. It also includes input injection checks  
such as SQL Injection and Cross-Site Scripting.  
Third-Party Web Applications  
This group of checks looks for known vulnerabilities associated with third-party web applications.  
Web Frameworks/Languages  
This group of agents looks for known vulnerabilities associated with web application servers. It also  
determines if known flaws in certain scripting languages can be exploited on the target system.  
Web Servers  
This group of agents looks for known vulnerabilities associated with the following web servers:  
• Apache
• IIS
• Lotus Domino
• Minor (a collection of servers including ATPhttpd, 4D, Abyss, Alibaba, BadBlue, and others)
• Netscape/iPlanet
• Secure IIS
• Website Pro
• WebSphere Proxy
• Zeus
For detailed information about all the possible agents, expand the Web Servers node and click on any  
agent.  
Custom Agents  
Even though Fortify WebInspect launches thousands of agents to assess your web application during  
a normal scan, a developer may want to check for a specific condition that is unique to your  
environment or application. The developer may create a custom agent using the WebInspect Software  
Developer's Kit (SDK). You may then integrate the custom agent into one or more policies using the  
Policy Manager.  
Custom Checks  
A custom check is a user-defined probe for a specific vulnerability that the standard repertoire does  
not address. A custom check can be created using a simple wizard.  
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following  
table describes some of these characters and includes short examples showing how the characters are  
used. Another recommended resource is the Regular Expression Library.  
Character  Description
\          Marks the next character as special. /n/ matches the character "n". The sequence /\n/ matches a linefeed or newline character.
^          Matches the beginning of input or line. Also used with character classes as a negation character. For example, to exclude everything in the content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.
$          Matches the end of input or line.
*          Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo."
+          Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z."
?          Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never."
.          Matches any single character except a newline character.
[xyz]      A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain."
\b         Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early."
\B         Matches a non-word boundary. /ea*r\B/ matches the "ear" in "never early."
\d         Matches a digit character. Equivalent to [0-9].
\D         Matches a non-digit character. Equivalent to [^0-9].
\f         Matches a form-feed character.
\n         Matches a linefeed character.
\r         Matches a carriage return character.
\s         Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v].
\S         Matches any non-white space character. Equivalent to [^ \f\n\r\t\v].
\w         Matches any word character including underscore. Equivalent to [A-Za-z0-9_].
\W         Matches any non-word character. Equivalent to [^A-Za-z0-9_].
Regular Expression Extensions  
Micro Focus engineers have developed and implemented extensions to the normal regular expression  
syntax. When building a regular expression, you can use the following tags and operators.  
Regular Expression Tags  
• [ALL]
• [BODY]
• [STATUSLINE]
• [HEADERS]
• [STATUSCODE]
• [STATUSDESCRIPTION]
• [COOKIES]
Regular Expression Operators
• AND
• OR
• NOT
• [ ]
• ( )
Examples  
• To detect a response in which (a) the status line contains a status code of "200" and (b) the phrase "logged out" appears anywhere in the message body, use the following regular expression:
  [STATUSCODE]200 AND [BODY]logged\sout
• To detect a response indicating that the requested resource resides temporarily under a different URI (redirection) and has a reference to the path "/Login.asp" anywhere in the response, use the following:
  [STATUSCODE]302 AND [ALL]Login.asp
• To detect a response containing either (a) a status code of "200" and the phrase "logged out" or "session expired" anywhere in the body, or (b) a status code of "302" and a reference to the path "/Login.asp" anywhere in the response, use the following regular expression:
  ( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )
Note: You must include a space (ASCII 32) before and after an "open" or "close" parenthesis;  
otherwise, the parenthesis will be erroneously considered as part of the regular expression.  
• To detect a redirection response where "login.aspx" appears anywhere in the redirection Location header, use the following regular expression:
  [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx
• To detect a response containing a specific string (such as "Please Authenticate") in the Reason-Phrase portion of the status line, use the following regular expression:
  [STATUSDESCRIPTION]Please\sAuthenticate
Chapter 8: Regular Expression Editor  
A regular expression is a pattern that describes a set of strings. Regular expressions are constructed  
similarly to mathematical expressions by using various operators to combine smaller expressions.  
Only advanced users with a working knowledge of regular expressions should use this feature.  
Testing a Regular Expression  
Use the Regular Expression Editor to test and verify regular expressions, as follows:  
1. Click Tools > Regular Expression Editor.  
The Regular Expression Editor window opens.  
2. In the Expression area, type or paste a regular expression that you think will find the text for  
which you are searching.  
For assistance, click the icon next to the Expression area to reveal a list of objects. These include metacharacters and regular expressions that define a URL and an IP address. Click an object to insert it.
Note: You can also use Regular Expression Extensions to restrict your search to certain areas  
of an HTTP message.  
The Regular Expression Editor examines the syntax of the entered expression and displays an indicator icon showing whether the expression is valid or invalid.
3. In the Search Text area, type (or paste) the text through which you want to search.  
Alternatively, you can load an HTTP request or response message that you previously saved  
using the HTTP Editor, as follows:  
a. Click File > Open Request.  
The Request file is actually a session containing data for both the HTTP request and  
response.  
b. Using the standard file-selection window, choose a file containing the saved session.  
c. Select either Request or Response.  
d. Click OK.  
4. To find only those occurrences matching the case of the expression, select the Match Case check  
box.  
5. To substitute the string identified by the regular expression with a different string:  
a. Select the Replace With check box.  
b. Type or select a string using the drop-down combo box.  
6. Click Test to search the target text for strings that match the regular expression. Matches are  
highlighted in red.  
7. If you selected the Replace option, click Replace to substitute all found strings with the  
replacement string.  
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following  
table describes some of these characters and includes short examples showing how the characters are  
used. Another recommended resource is the Regular Expression Library.  
Character  Description
\          Marks the next character as special. /n/ matches the character "n". The sequence /\n/ matches a linefeed or newline character.
^          Matches the beginning of input or line. Also used with character classes as a negation character. For example, to exclude everything in the content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.
$          Matches the end of input or line.
*          Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo."
+          Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z."
?          Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never."
.          Matches any single character except a newline character.
[xyz]      A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain."
\b         Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early."
\B         Matches a non-word boundary. /ea*r\B/ matches the "ear" in "never early."
\d         Matches a digit character. Equivalent to [0-9].
\D         Matches a non-digit character. Equivalent to [^0-9].
\f         Matches a form-feed character.
\n         Matches a linefeed character.
\r         Matches a carriage return character.
\s         Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v].
\S         Matches any non-white space character. Equivalent to [^ \f\n\r\t\v].
\w         Matches any word character including underscore. Equivalent to [A-Za-z0-9_].
\W         Matches any non-word character. Equivalent to [^A-Za-z0-9_].
Regular Expression Extensions  
Micro Focus engineers have developed and implemented extensions to the normal regular expression  
syntax. When building a regular expression, you can use the following tags and operators.  
Regular Expression Tags  
• [BODY]
• [STATUSCODE]
• [STATUSDESCRIPTION]
• [STATUSLINE]
• [HEADERS]
• [ALL]
• [COOKIES]
• [SETCOOKIES]
• [METHOD]
• [REQUESTLINE]
• [VERSION]
• [POSTDATA]
• [URI]
• [TEXT]
Regular Expression Operators
• AND
• OR
• NOT
• [ ]
• ( )
Examples  
• To detect a response in which (a) the status line contains a status code of "200" and (b) the phrase "logged out" appears anywhere in the message body, use the following regular expression:
  [STATUSCODE]200 AND [BODY]logged\sout
• To detect a response indicating that the requested resource resides temporarily under a different URI (redirection) and has a reference to the path "/Login.asp" anywhere in the response, use the following:
  [STATUSCODE]302 AND [ALL]Login.asp
• To detect a response containing either (a) a status code of "200" and the phrase "logged out" or "session expired" anywhere in the body, or (b) a status code of "302" and a reference to the path "/Login.asp" anywhere in the response, use the following regular expression:
  ( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )
Note: You must include a space (ASCII 32) before and after an "open" or "close" parenthesis; otherwise, the parenthesis will be erroneously considered as part of the regular expression.
• To detect a redirection response where "login.aspx" appears anywhere in the redirection Location header, use the following regular expression:
  [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx
• To detect a response containing a specific string (such as "Please Authenticate") in the Reason-Phrase portion of the status line, use the following regular expression:
  [STATUSDESCRIPTION]Please\sAuthenticate
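To show how the tags and operators compose, here is an added example evaluator (my own code, not part of WebInspect) that runs the expressions from this section and from the Chapter 7 Regular Expression Extensions against constructed HTTP responses. It assumes whitespace-delimited terms (which is why the guide writes \s for a space and requires spaces around parentheses), precedence NOT > AND > OR, and a particular mapping of tags to response sections; none of these details is confirmed by the guide.

```python
import re

# Tags from the Chapter 7 list.  Which bytes each tag covers in the real product is not
# spelled out on this page, so the section mapping below is an assumption: [COOKIES] is
# taken to mean the Set-Cookie lines of the response.
TAGS = ("ALL", "BODY", "STATUSLINE", "HEADERS", "STATUSCODE", "STATUSDESCRIPTION", "COOKIES")
TERM_RE = re.compile(r"^\[(" + "|".join(TAGS) + r")\](.+)$")


def split_response(raw: str) -> dict:
    """Cut a raw HTTP response into the parts that the tags select."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    parts = status_line.split(" ", 2)          # HTTP/1.1 <code> <reason-phrase>
    return {
        "ALL": raw,
        "BODY": body,
        "STATUSLINE": status_line,
        "HEADERS": "\r\n".join(header_lines),
        "STATUSCODE": parts[1] if len(parts) > 1 else "",
        "STATUSDESCRIPTION": parts[2] if len(parts) > 2 else "",
        "COOKIES": "\r\n".join(h for h in header_lines if h.lower().startswith("set-cookie:")),
    }


def evaluate(expression: str, raw_response: str) -> bool:
    """Evaluate an extended expression such as
    '( [STATUSCODE]200 AND [BODY]logged\\sout ) OR [STATUSCODE]302' against one response.
    Terms are split on whitespace; precedence NOT > AND > OR (assumed)."""
    sections = split_response(raw_response)
    tokens = expression.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        value = parse_and()
        while peek() == "OR":
            pos += 1
            rhs = parse_and()          # always parsed, so syntax errors are never masked
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while peek() == "AND":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        if peek() == "NOT":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "(":
            pos += 1
            value = parse_or()
            if peek() != ")":
                raise ValueError("missing closing parenthesis (it needs surrounding spaces)")
            pos += 1
            return value
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"expected [TAG]regex, got {tok!r}")
        pos += 1
        tag, pattern = m.groups()
        # A parenthesis written without surrounding spaces ends up inside `pattern` and is
        # treated as regex syntax: exactly the pitfall the note above warns about.
        return re.search(pattern, sections[tag]) is not None

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result


def is_well_formed(expression: str) -> bool:
    """True when the expression parses and every regex compiles; catches missing spaces."""
    try:
        evaluate(expression, "HTTP/1.1 200 OK\r\n\r\n")
        return True
    except (ValueError, re.error):
        return False


# Constructed sample responses (not captured from any real site).
LOGGED_OUT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: session=; Max-Age=0\r\n\r\n"
              "<html><body>You have been logged out.</body></html>")
REDIRECT = "HTTP/1.1 302 Found\r\nLocation: /Login.asp\r\n\r\n"
AUTH_REQUIRED = "HTTP/1.1 401 Please Authenticate\r\nWWW-Authenticate: Basic realm=\"app\"\r\n\r\n"

if __name__ == "__main__":
    expr = r"( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )"
    for name, resp in [("logged out", LOGGED_OUT), ("redirect", REDIRECT), ("401", AUTH_REQUIRED)]:
        print(f"{name}: {evaluate(expr, resp)}")
```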
Chapter 9: Server Analyzer (Fortify WebInspect Only)
The Server Analyzer interrogates a server to reveal the server's operating system, banners, cookies,  
and other information.  
Analyzing a Server  
To analyze a server:  
1. In the Target Host field, enter the URL or IP address of the target server.  
2. If host authentication (user name and password) is required, or if you are accessing the target  
server through a proxy server, click Edit > Settings, and enter the requested information. For  
3. Click the Run Analysis icon.  
When finished, the Server Analyzer displays the status "Analysis completed" and a list of items  
that were analyzed.  
4. Select an item in the Item pane to view its information in the Item Details pane.  
Modifying Settings  
To modify the Server Analyzer settings:  
1. Click Edit > Settings.  
2. Select one of the following:  
• Host Authentication. See "Authentication Settings" below.
• Proxy. See "Proxy Settings" below.
3. Click OK.  
Exporting Analyzer Results  
To export the results of the analysis to an HTML file:  
1. Click File > Export.  
2. On the Export File window, select or enter a location and file name.  
3. Click Save.  
Authentication Settings  
Authentication Method  
If authentication is required, select the authentication type:  
• Automatic
  Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
• Digest
• HTTP Basic
• Kerberos
• NTLM (NT LanMan)
Authentication Credentials  
Type a user ID in the User name field and the user's password in the Password field. To prevent  
mistyping, repeat the password in the Confirm Password field.  
To use these credentials whenever the Server Analyzer encounters a password input control, select  
Submit these credentials to forms with password input fields.  
Proxy Settings  
To access this feature, click Edit > Settings. Then select Proxy.  
Direct Connection (proxy disabled)  
Select this option if you are not using a proxy server.  
Auto detect proxy settings  
If you select this option, Server Analyzer will use the Web Proxy Autodiscovery Protocol (WPAD) to  
locate and use a proxy autoconfig file to configure the browser's web proxy settings.  
Use System Proxy Settings  
Select this option to import your proxy server information from the local machine.  
Use Firefox proxy settings  
Select this option to import your proxy server information from Firefox.  
Note: Using browser proxy settings does not guarantee that you will access the Internet through  
a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a  
proxy will not be used.  
Configure proxy using a PAC file  
Select this option to load proxy settings from a Proxy Automatic Configuration (PAC) file in the  
location you specify in the URL field.  
Explicitly configure proxy  
Select this option to access the Internet through a proxy server, and then enter the requested  
information:  
1. In the Server field, type the URL or IP address of your proxy server, followed (in the Port field)  
by the port number (for example, 8080).  
2. Select a protocol Type for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or  
Standard.  
3. If authentication is required, select a type from the Authentication list:  
• Automatic
  Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
• Basic
• Digest
• Kerberos
• Negotiate
• NTLM (NT LanMan)
4. If your proxy server requires authentication, enter the qualifying user name and password.  
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing  
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate  
entries.  
Specify Alternative Proxy for HTTPS  
For proxy servers accepting HTTPS connections, select the Specify Alternative Proxy for HTTPS  
check box and provide the requested information.  
Chapter 10: Server Profiler  
Use the Server Profiler to conduct a preliminary examination of a Web site to determine if certain  
Fortify WebInspect settings should be modified. If changes appear to be required, the Profiler returns  
a list of suggestions, which you may accept or reject.  
For example, the Server Profiler may detect that authorization is required to enter the site, but you  
have not specified a valid user name and password. Rather than proceed with a scan that would  
return significantly diminished results, you could follow the Server Profiler's prompt to configure the  
required information before continuing.  
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found"  
detection. This process is useful for Web sites that do not return a status "404 Not Found" when a  
client requests a resource that does not exist (they may instead return a status "200 OK," but the  
response contains a message that the file cannot be found). If the Profiler determines that such a  
scheme has been implemented in the target site, it would suggest that you modify the Fortify  
WebInspect setting to accommodate this feature.  
The Server Profiler can be selected during a Guided Scan, or enabled in the Application settings.  
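The "file-not-found" scheme described above is detected by requesting paths that cannot exist and comparing the answers. The following is an added example of that kind of check (my own code, not the Server Profiler's logic): it takes the responses to several random probe paths and reports whether the site returns "not found" pages with a non-404 status, together with the signature a detection setting would need. The phrase list, the similarity threshold and the probe-path format are assumptions.

```python
import difflib
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Wording that typically marks a "custom 404" page served with a non-404 status (assumed list).
NOT_FOUND_PHRASES = re.compile(
    r"not\s+found|cannot\s+be\s+found|could\s+not\s+be\s+found|does\s+not\s+exist|no\s+such\s+page",
    re.IGNORECASE,
)


@dataclass
class ProbeResponse:
    """Status and body returned for one probe of a path that should not exist."""
    path: str
    status: int
    body: str


def random_probe_path() -> str:
    """A high-entropy path that no real site should serve; what a profiler would request."""
    return f"/wi-probe-{secrets.token_hex(8)}.html"


def normalize(resp: ProbeResponse) -> str:
    """Remove the requested path (custom 404 pages usually echo it back) and collapse
    whitespace, so two not-found pages for different paths compare as equal."""
    text = resp.body.replace(resp.path, "")
    return re.sub(r"\s+", " ", text).strip().lower()


def detect_soft_404(probes, min_similarity: float = 0.9) -> Optional[dict]:
    """Decide from several probe responses whether the site signals "file not found"
    without a 404 status.  Returns None when the default setting is adequate,
    otherwise a suggestion carrying the status and body signature the setting needs."""
    if len(probes) < 2:
        raise ValueError("need at least two probe responses to compare")
    statuses = sorted({p.status for p in probes})
    if 404 in statuses:
        return None            # the server does use 404 for missing resources
    norms = [normalize(p) for p in probes]
    # every pair of probe bodies is compared; a consistent custom page scores close to 1.0
    ratios = [difflib.SequenceMatcher(None, a, b).ratio()
              for i, a in enumerate(norms) for b in norms[i + 1:]]
    consistent = min(ratios) >= min_similarity
    phrase = None
    for p in probes:
        m = NOT_FOUND_PHRASES.search(p.body)
        if m:
            phrase = m.group(0)
            break
    if not consistent and phrase is None:
        return None            # different page per random path and no not-found wording
    return {
        "statuses": statuses,
        "phrase": phrase,
        "body_signature": norms[0][:80],
        "suggestion": "enable file-not-found detection using the status and signature above",
    }


# Constructed responses (no real site involved): a site answering 200 with a custom page.
SAMPLE_SOFT_404 = [
    ProbeResponse("/wi-probe-0a1b.html", 200,
                  "<html><body>Sorry, the page /wi-probe-0a1b.html cannot be found.</body></html>"),
    ProbeResponse("/wi-probe-2c3d.html", 200,
                  "<html><body>Sorry, the page /wi-probe-2c3d.html cannot be found.</body></html>"),
]
SAMPLE_STANDARD = [
    ProbeResponse("/wi-probe-0a1b.html", 404, "Not Found"),
    ProbeResponse("/wi-probe-2c3d.html", 404, "Not Found"),
]

if __name__ == "__main__":
    print("probe path example:", random_probe_path())
    print("soft-404 site:", detect_soft_404(SAMPLE_SOFT_404))
    print("standard site:", detect_soft_404(SAMPLE_STANDARD))
```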
Using the Server Profiler  
You can use either of two methods to invoke the Server Profiler:  
Launch Server Profiler as a Tool  
Follow these steps to launch the Server Profiler:  
1. Click the Fortify WebInspect Tools menu and select ServerProfiler.  
2. In the URL box, enter or select a URL or IP address.  
3. (Optional) If necessary, modify the Sample Size. Large Web sites may require more than the  
default number of sessions to sufficiently analyze the requirements.  
4. Click Analyze.  
The Profiler returns a list of suggestions (or a statement that no modifications are necessary).  
5. To reject a suggestion, clear its associated check box.  
6. For suggestions that require user input, provide the requested information.  
7. (Optional) To save the modified settings to a file:  
a. Click Save Settings.  
b. Using a standard file-selection window, save the settings to a file in your Settings directory.  
Invoke Server Profiler when Starting a Scan  
Follow these steps to launch the profiler when beginning a scan:  
1. Start a scan using one of the following methods:  
• On the Fortify WebInspect Start Page, click Start a Basic Scan.
• Click File > New > Basic Scan.
• Click the drop-down arrow on the New icon (on the toolbar) and select Basic Scan.
• On the Fortify WebInspect Start Page, click Manage Scheduled Scans, click Add, and then select Basic Scan.
2. On step 4 of the Scan Wizard (Detailed Scan Configuration), click Profile (unless Run Profiler  
Automatically is selected).  
The Profiler returns a list of suggestions (or a statement that no modifications are necessary).  
3. To reject a suggestion, clear its associated check box.  
4. For suggestions that require user input, provide the requested information.  
5. Click Next.  
Chapter 11: Site Explorer  
Site Explorer provides quick access to your scan information with faster searching and filtering than is  
available in the Fortify WebInspect Scan Dashboard, and the ability to drill-down into data for more  
details. You can examine certain pieces of scan data that you cannot examine in the Fortify  
WebInspect Scan Dashboard. For example, you can use the Text Search view to see all text snippets  
found in responses. Additionally, Site Explorer provides access to the columns of information in the  
Traffic grid that you cannot see in the Fortify WebInspect Scan Dashboard.  
Viewing ScanCentral DAST Scans  
Fortify ScanCentral DAST includes scan visualization that is comparable to Site Explorer. However,  
ScanCentral DAST does not include Text Search. For this feature, you must use Site Explorer.  
Limitations of Site Explorer  
This version of Site Explorer:  
• Provides a read-only view of the scan data; you cannot actively work with a scan the same way you can in the Fortify WebInspect Scan Dashboard.
• Shows only the scan traffic and related items such as parent/child relationships, redirects, and attacks.
• Supports web site scans only; does not support web service scans.
Scan Tiles  
When you launch Site Explorer, it identifies all available scans from Fortify WebInspect and displays  
the list of scans on the ALL SCANS tab. When Site Explorer is co-located on the same machine as  
Fortify WebInspect, scans that are currently running in Fortify WebInspect are also displayed in the  
list. Each scan in the list appears in a tile on the ALL SCANS page.  
ScanCentral DAST Scans  
You must download scan results from ScanCentral DAST, and then import them into Site Explorer for  
the scan tile to appear on the ALL SCANS tab. You cannot view scans that are currently running in  
ScanCentral DAST.  
Information on the Scan Tile  
Each scan tile displays the following summary information about the scan:  
• Scan name
• URL
• Status (RUNNING, INTERRUPTED, STOPPED, COMPLETE, or REQUIRES CONVERSION)
• Number of Critical, High, and Medium vulnerabilities
• Total number of vulnerabilities
• Date and time scan started
• Duration of scan in hours, minutes, and seconds (can be incorrect if the scan terminates abnormally)
Real-time Updates  
If a scan is currently running in Fortify WebInspect and you have enabled Fortify WebInspect to create scan data in the traffic session file (TSF) format, Site Explorer will update the summary information on the scan tile in real time. For more information, see "Enabling Fortify WebInspect to Create Data for Site Explorer" below.
How Scan Tiles Are Grouped  
Scan tiles are grouped by when they were last viewed or when the scan was run. The groups are:  
• Most Recent – Scans that were most recently viewed
• Today
• Earlier this Week
• Earlier this Month
• Last Month
• Earlier this Year
• Last Year
• Older
Showing and Hiding a Group of Scan Tiles  
To hide a group of scan tiles:  
• Click the up chevron.
To show a group of scan tiles:
• Click the down chevron.
Searching for Scans  
You can use the scan name to search for a scan. To search for a scan:  
1. Click the search icon.
A search text box appears.  
2. Type part or all of the scan name in the search text box.
3. Press Enter.  
Site Explorer filters the scans and shows only those whose names contain the search text.  
Clearing the Search  
To clear the search filter and show all scans:  
• Click the x above the search icon.
Deleting a Scan  
You can delete scans that have been imported to Site Explorer and those that have been converted to  
the traffic session file (TSF) format in Site Explorer.  
Deleting a scan in Site Explorer does not delete the SITE file in Site Explorer or the scan from the  
Fortify WebInspect database or the ScanCentral DAST database. It deletes only the TSF and XML files  
from the WebInspect Imports directory.  
To delete a scan:  
• On the ALL SCANS tab, right-click a scan tile and select Delete.
Scan Conversion  
During a scan, Fortify WebInspect creates a SQL Express database (MDF) file or adds the scan to an  
existing SQL Server database (MDF) file. However, Site Explorer uses a variation of the traffic session  
file (TSF) format. To view an existing MDF scan file in Site Explorer, you must first convert it to the  
TSF format.  
Important! ScanCentral DAST creates scan results that are compatible with Site Explorer. No  
conversion is necessary. However, when you download a scan from ScanCentral DAST to be  
imported to Site Explorer, you must select Scan Result.  
What Happens During Conversion  
Converting a scan does not change the original scan. Instead, the conversion process pulls the scan  
data from your SQL database and inserts the data into a new TSF file. The original scan resides in its  
original format in your scan database.  
Effect of Updates on Converted Scans  
Additional scan information may become available in newer versions of Site Explorer. To incorporate  
the new scan information, all Site Explorer scans, including previously converted scans, must be  
reconverted. When this situation occurs, you will be prompted to reconvert your scans.  
If the database schema changes with a new version of Fortify WebInspect, then the database schema  
for scans in Site Explorer must also be updated. Scans cannot be converted for Site Explorer until  
their database schema are updated. When this situation occurs, you will be prompted to open the  
scan in WebInspect and follow the instructions to update.  
Converting a Scan  
A scan that has not been converted has the REQUIRES CONVERSION status. To convert a scan:  
• Click the scan tile.
A progress bar appears on the scan tile to show the scan conversion status.  
Files are Not Synced  
The TSF version of the scan data is not connected in any way to the original scan. Therefore, any  
changes that you make to the original scan data in Fortify WebInspect are not synced with the TSF  
file. To synchronize the files, delete the existing TSF file and convert the updated scan file to a new  
TSF file. You can find the existing TSF files in the following directory:  
<directory>:\Users\<username>\AppData\Local\HP\HP WebInspect\ScanData  
Enabling Fortify WebInspect to Create Data for Site Explorer  
You can enable Fortify WebInspect to create scan data in the traffic session file (TSF) format  
automatically when a scan is run.  
To enable this feature:  
1. In Fortify WebInspect, select Edit > Application Settings.  
The Application Settings window opens.  
2. Select Database.  
3. Select the Create Scan Data for Site Explorer check box.  
4. Click OK.  
If you select this check box while a scan is running, it will have no effect on the current scan. Only  
scans started after you select this check box will generate a TSF file for Site Explorer.  
Importing and Exporting Scans  
You can import scans from Fortify WebInspect and ScanCentral DAST to view in Site Explorer. You  
can also export files from Site Explorer to share with others.  
About the Scan Files  
Scans that are exported from Fortify WebInspect or downloaded from ScanCentral DAST have a  
.scan file extension. Scans that are exported from Site Explorer have a .site file extension. The  
SITE file is a ZIP archive file containing a traffic session file (TSF) and a supporting XML file.  
The default location for exported files from Fortify WebInspect is:  
%localappdata%\HP\HP WebInspect\Exports [1]  
By default, the ScanCentral DAST scan results file is downloaded to the folder on your local machine  
that is specified in your browser settings for downloads.  
When a SCAN or SITE file is imported into Site Explorer, the TSF and XML files are extracted and  
copied to the following location:  
%localappdata%\HP\HP WebInspect\Imports  
Importing Scans  
To import a scan into Site Explorer:  
1. In Site Explorer, click ( ).  
The TASKS menu appears.  
2. Click IMPORT.  
The Open window appears.  
3. Locate and select either a .scan or .site file.  
4. Click Open.  
If the file has been imported previously and exists on the machine, a prompt appears stating that  
the scan already exists. Do one of the following:  
• Click OPEN to open the existing site file.  
• Click IMPORT to import a duplicate of the existing file.  
[1] %localappdata% represents the location of local application data for your operating system. For  
example, for Windows 10 (using the default C: drive), %localappdata% is  
C:\Users\<username>\AppData\Local.  
Exporting Scans  
To export a scan to the .site file extension:  
1. In Site Explorer, click EXPORT on the scan tile of the scan you want to export.  
The Save As window appears.  
2. Type a name in the File name field.  
3. Click Save.  
The scan is exported with a .site extension.  
Using the Interface  
The following topics describe the Site Explorer user interface and how to use it.  
Viewing a Scan  
When you open a scan, the scan appears on a new tab to the right of the ALL SCANS tab and all other  
open scans. The following image shows the default view for an open scan.  
The following table describes the components of the default view for an open scan.  
Item  Description  
1     Site Tree (see "Using the Site Tree" below)  
2     ALL SCANS and open scan tabs  
3     Findings, Traffic, and Text Search tabs  
4     Findings, Traffic, Text Search and related grid views (see  
5     Vulnerability Description and HTTP tabs  
6     Vulnerability Description and HTTP detail views (see  
Real-time Updates  
If you open a scan that is currently running in Fortify WebInspect, the traffic data updates in real time  
if you have enabled Fortify WebInspect to create scan data in the traffic session file (TSF) format. For  
Using the Site Tree  
By default, the Site Tree displays an unfiltered tree view of all traffic that was generated during the  
scan. The tree includes a list of hosts and all sub-directories within those hosts. In this view, you can  
select a top-level host and expand the sub-directories to examine the requests and responses that  
occurred at each level. To display the requests that were made to a resource, select the resource in  
the Site Tree.  
Hiding the Site Tree  
You can hide the Site Tree using an option in the Window Position menu. To hide the Site Tree:  
1. Do one of the following to open the Window Position menu:  
• Click the Window Position icon ( ) in the Site Tree.  
• Right-click the Site Tree title bar.  
2. Select Hide.  
The Site Tree collapses to the left.  
Showing the Site Tree  
To show the Site Tree that is hidden:  
• Click the collapsed Site Tree title bar as shown below.  
Off-site Hosts Node  
Fortify WebInspect enforces the Allowed Hosts defined in the scan settings. Because of this, you  
might see an off-site hosts node in the Site Tree that segregates the excluded hosts. Therefore, you  
might not need to filter out excluded hosts.  
Site Tree Icons  
The following table identifies the icons displayed in the Site Tree.  
Icon  Name         Represents  
( )   Server/host  The top level of your site's tree structure  
( )   Folder       A directory  
( )   Page         A file  
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:  
• Select the item in the Site Tree.  
All traffic involving that item appears in the Traffic grid.  
For more information, see "Working with Sessions" on page 131.  
Viewing Only Host Names  
To view a list of only the host names:  
• From the default tree view, click the filter icon once.  
The Site Tree displays only the host names. Sub-directories are not accessible in this view. From  
this view, you can select one or more hosts and filter out the rest. See "Filtering for Selected Hosts"  
below.  
To return to viewing the entire tree:  
• Click the filter icon again.  
Filtering for Selected Hosts  
To focus your research, you can filter for specific hosts in the Site Tree. To view only selected hosts  
and their sub-directories in the Site Tree:  
1. With the Site Tree displaying only the host names, select one or more hosts to view.  
2. Click the filter icon.  
Only the selected hosts appear in the Site Tree.  
3. Expand a host to display its sub-directories.  
Viewing All Host Names  
To return to viewing all host names:  
1. Click the filter icon.  
The Site Tree displays only the host names with the previously viewed hosts selected.  
2. Click each selected host to clear its selection.  
3. Click the filter icon.  
The Site Tree displays an unfiltered tree view of all traffic.  
Customizing Grid Views  
You can resize, reposition, add, and remove columns displayed in grid views.  
Resizing Columns  
To resize a column:  
1. Move your cursor to the border to the right of the column heading you want to resize.  
Your cursor becomes a double-headed arrow and the column heading background color changes  
to a lighter gray.  
2. Do one of the following:  
• Drag the column border either right or left to the width you want.  
• Double-click the border to resize the column to the width of the widest amount of data in the  
column. A horizontal scroll bar might be added to the bottom of the window.  
Repositioning Columns  
To rearrange the order of the columns across the grid:  
1. Move your cursor to the column heading that you want to move.  
The column heading background color changes to a lighter gray.  
2. Click once.  
The column heading background color changes to white.  
3. Drag the column to the right or left into the position you want it.  
The column of data is moved and the remaining columns are shifted right or left by one column.  
Adding/Removing Columns  
By default, not all columns of data are displayed in the grid. Grid view settings allow you to select  
which columns of data you want visible in the grid. To add or remove displayed columns:  
1. In the grid view, click ( ).  
A list of available columns appears.  
Note: The column names indicate the memo headers that are generated during a scan.  
2. Do the following:  
• Select the check box for each column you want to add to the display.  
• Clear the check box for each column you want to remove from the display.  
3. Click anywhere outside the list of columns to close the list.  
The displayed columns are updated.  
Customizing Detail Views  
You can choose the layout and color theme for non-grid detail views, and you can hide or show the  
HTTP detail views.  
Changing the Layout  
When two detail views are visible for an item, such as the Request and Response detail views, you can  
rearrange the placement of the detail views to have them stacked vertically (one on top of the other)  
or have them aligned horizontally (side-by-side). To change the layout:  
1. In the detail view, click ( ).  
The settings menu opens.  
2. Do one of the following:  
• To align the detail views vertically one on top of the other, click Vertical Layout.  
• To align the detail views horizontally side-by-side, click Horizontal Layout.  
Changing the Color Theme  
The default color theme is black and colored text on a white background. However, you might prefer  
white and colored text on a black background. To change the color theme:  
1. In the detail view, click ( ).  
2. Do one of the following:  
• To use black and colored text on a white background, click Light Theme.  
• To use white and colored text on a black background, click Dark Theme.  
Hiding and Showing HTTP Detail Views  
You can collapse (or hide) one of the HTTP detail views, such as the Request or Response detail view,  
so that only the contents of the other HTTP detail view is visible.  
To hide a detail view:  
• Click the hide icon ( ) in the detail view.  
To show a hidden detail view:  
• Click the show icon ( ).  
Floating, Moving, and Docking  
You can customize the user interface (UI) by floating, moving, and docking the Site Tree, grid views,  
and detail views.  
Floating and Moving the Site Tree  
You can float the Site Tree and move it around on your monitor as a separate window, or you can  
move it into another tabbed group.  
To float the Site Tree, do one of the following:  
• Right-click the Site Tree title bar and select Float.  
• Click the Site Tree title bar and drag it to a new location.  
To move the Site Tree into a tabbed group:  
• Right-click the Site Tree title bar and select Dock as Tabbed Document.  
The Site Tree moves to the adjacent tabbed group, such as the Traffic and Text Search tabs.  
Floating a Grid View  
You can float a grid view and move it around on your monitor as a separate window.  
To float a grid view, do one of the following:  
• Right-click the grid tab title and select Float.  
• Click the grid tab title and drag it to a new location.  
Floating a Detail View  
You can float a detail view and move it around on your monitor as a separate window.  
To float a detail view, do one of the following:  
• Right-click the detail tab title and select Float.  
• Click the detail tab title and drag it to a new location.  
Note: You cannot float the Request and Response detail views separately. These two views  
function as one HTTP detail view and float together as a separate window.  
Moving a Tab  
If the Site Tree, grid view, or detail view is docked as a tab in a tab group, you can move it into another  
tab group.  
• Right-click the tab title and do one of the following:  
  • To create a new tabbed group, select New Vertical Tab Group.  
  • To move the tab to the tabbed group on the right, select Move To Next Tab Group.  
  • To move the tab to the tabbed group on the left, select Move To Previous Tab Group.  
Note: The available options for moving a tab vary based on where the tab is currently docked.  
Docking Windows  
You can dock a floating window so that it is once again integrated in the UI.  
To dock the window in a tab group:  
• Right-click the floating window title bar and select Dock as Tabbed Document.  
The window docks in a tab group.  
To dock the window in a new position:  
1. Click the floating window title bar and drag it to a new location.  
2. When the docking position indicator appears, move your cursor to the position where you want  
to dock the floating window.  
3. Release your mouse.  
The window docks in the selected position.  
Understanding the Docking Positions  
The following image shows the five docking positions.  
The following table describes where the floating window docks for each of the docking positions.  
Position  Docks on the...  
( )       Top inside the target area  
( )       Center inside the target area  
( )       Bottom inside the target area  
( )       Right inside the target area  
( )       Left inside the target area  
Cloning Tab Contents  
In some instances, you can clone the contents of a tab, such as a URL, a request, or a response.  
Cloning the contents of a tab creates a copy of the cloned tab contents in a new window.  
The tab title includes the clone icon ( ) if the contents can be cloned.  
To clone an item:  
1. Click the clone icon ( ) in the tab title.  
A new window opens. The contents of the original tab appear in the new window. The new  
window title is clone:<original tab title>.  
2. (Optional) Dock the new window as a tab. For more information, see "Floating, Moving, and  
Working with Traffic and Findings  
The following topics describe how to work with scan traffic and findings in Site Explorer.  
Exploring Scan Findings  
You can view the vulnerabilities discovered during the scan on the Findings tab.  
About the Findings Tab  
The Findings tab includes the Findings grid and the Evidence grid. The Findings grid displays the  
vulnerabilities that Fortify WebInspect detected during the scan. The Evidence grid shows the path to  
the vulnerable session.  
Each session in the Findings grid represents a single finding. For example, you might see several  
Cross-site Scripting (XSS) vulnerabilities, but when you drill down into a session, you will see evidence  
for the particular version of XSS attack that was discovered in that session.  
Note: When Site Explorer converts a scan, it adheres to the Use Seven Pernicious Kingdoms  
(7PK) Taxonomy application setting in Fortify WebInspect. This application setting allows you to  
select The Seven Pernicious Kingdoms taxonomy for ordering and organizing the reported  
vulnerabilities. For more information about this application setting, see the "Application Settings:  
General" topic in the Fortify WebInspect help or the Micro Focus Fortify WebInspect User Guide.  
You can float and dock the Findings tab as a separate window. For more information, see "Floating,  
Available Columns  
The Findings grid lists information about each vulnerability discovered during an audit of your Web  
presence. You can select the information you want to display. For more information, see  
The available columns are:  
• Severity: A relative assessment of the vulnerability, ranging from low to critical.  
• Check ID: The identification number of a Fortify WebInspect probe that checks for the existence of  
a specific vulnerability. For example, Check ID 742 tests for database server error messages.  
• Name: A Fortify WebInspect probe for a specific vulnerability, such as Cross-site Scripting,  
Unencrypted Log-in Form, and so on.  
• Location: The hierarchical path to the resource along with parameters.  
• Parameter Name: The name of the vulnerable parameter.  
• Parameter Value: The value assigned to the vulnerable parameter.  
• CWE: The Common Weakness Enumeration identifier(s) associated with the vulnerability.  
• Method: The HTTP request method used for the attack.  
Viewing the Vulnerability Description  
To view details about the vulnerability in the Findings grid:  
• Select an item in the Findings grid.  
Detailed information about the vulnerability, including the Vulnerability Description, appears in the  
detail view. The Vulnerability Description displays the Summary, Execution, Implication, Fix, and  
Reference Info for the vulnerability.  
Filtering in the Findings Grid  
In addition to searching and filtering for data in one or more columns displayed in the Findings grid,  
you can filter for a specific web vulnerability.  
To filter for a web vulnerability:  
1. Click the search icon ( ).  
2. In the CATEGORY list, select a Web Vulnerability to filter on.  
The Findings grid is updated to include only those findings that match the selected web vulnerability.  
For more information about filtering, see "Searching and Filtering" on page 136.  
Exporting Findings  
You can export the data from the Findings grid to a comma-separated values (CSV) file. The grid  
settings determine which data will be exported. Only the visible columns will be exported, and the  
exported columns will appear in the same order as they are in the grid. The exported data will be  
sorted and filtered the same as it is in the grid.  
For example, if you filter in the grid for a Severity of Critical and sort by Location before exporting  
the data, the CSV file will include only those findings with a Severity of Critical, and the data will  
be sorted by Location.  
To export findings:  
1. In the Findings grid, right-click and select Export to CSV.  
The Save As window appears.  
2. In the File name field, type a file name.  
3. Click Save.  
The file is saved with a .csv extension.  
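The export rules stated above (only visible columns, in grid order, with the grid's filter and sort applied) are easy to get wrong when you script your own reporting, so here is an added example that reproduces them over constructed findings. It is not Site Explorer's code; the findings, the placeholder Check IDs and the function names are made up for this example. The one thing it adds beyond the page is an optional step that neutralizes spreadsheet formulas, a common mitigation for CSV injection: cells in the Parameter Value column carry attack strings, and a value starting with `=`, `+`, `-` or `@` would otherwise be evaluated as a formula when the CSV is opened in a spreadsheet.

```python
import csv
import io

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample findings mirroring the Findings grid columns. Check IDs other
# than 742 (database server error messages, from the guide) are placeholders.
SAMPLE_FINDINGS = [
    {"Severity": "Critical", "Check ID": "CHECK-ID-1", "Name": "Cross-site Scripting",
     "Location": "/search.aspx?q=", "Parameter Name": "q", "Parameter Value": "=x",
     "CWE": "79", "Method": "GET"},
    {"Severity": "High", "Check ID": "CHECK-ID-2", "Name": "Unencrypted Log-in Form",
     "Location": "/login.aspx", "Parameter Name": "", "Parameter Value": "",
     "CWE": "", "Method": "GET"},
    {"Severity": "Critical", "Check ID": "CHECK-ID-3", "Name": "SQL Injection",
     "Location": "/account.aspx?id=,view=", "Parameter Name": "id", "Parameter Value": "1",
     "CWE": "89", "Method": "GET"},
    {"Severity": "Low", "Check ID": "742", "Name": "Database Server Error Message",
     "Location": "/report.aspx?id=", "Parameter Name": "id", "Parameter Value": "abc",
     "CWE": "", "Method": "GET"},
]


def _neutralize(value):
    """Prefix a cell that a spreadsheet would treat as a formula with a quote."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def export_findings(findings, visible_columns, filters=None, sort_by=None,
                    neutralize_formulas=True):
    """Return CSV text for the findings as the grid would export them:
    only visible_columns, in that order, after applying filters and sort."""
    rows = findings
    for column, wanted in (filters or {}).items():          # grid filter, exact match
        rows = [r for r in rows if r.get(column) == wanted]
    if sort_by == "Severity":                                # rank, not alphabetical
        rows = sorted(rows, key=lambda r: SEVERITY_RANK.get(r.get("Severity"), -1))
    elif sort_by:
        rows = sorted(rows, key=lambda r: r.get(sort_by, ""))
    if neutralize_formulas:
        rows = [{k: _neutralize(v) for k, v in r.items()} for r in rows]
    buf = io.StringIO()
    # extrasaction="ignore" drops the hidden columns; csv quotes the Location
    # values that contain commas so the file parses back correctly.
    writer = csv.DictWriter(buf, fieldnames=visible_columns,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_findings(SAMPLE_FINDINGS, ["Severity", "Name", "Location"],
                          filters={"Severity": "Critical"}, sort_by="Location"))
```

Pass `neutralize_formulas=False` if the consumer of the file is a script rather than a spreadsheet and needs the raw attack strings.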
Viewing the Evidence  
To view the details of how Fortify WebInspect found the vulnerability:  
• Double-click an item in the Findings grid.  
The Evidence grid appears, displaying the following information:  
• Source – Identifies the URL for the selected finding  
• Parent – Lists the chain of parents leading to the source  
• Parameter Attack – Identifies an attack and is listed below the affected node, similar to the sample  
shown below  
• Reflected Attack – Identifies the response that was used only for flagging the vulnerability of a  
reflected attack, such as persistent cross-site scripting, and is the child of the original attack that  
inserted the payload  
The request and response details appear in the detail view. From here, you can view the parameters  
used in the session. For more information, see "Working with Parameters" on page 132.  
Identifying the Vulnerability or Attack String  
If you select a Source session in the Evidence grid, the vulnerable portion of the session will be  
highlighted in the REQUEST or RESPONSE or both detail views.  
If you select the Parameter Attack in the Evidence grid, the attack string will be highlighted in the  
REQUEST detail view.  
For more information, see "Working with Sessions" on page 131.  
Exploring Traffic  
By default, the Traffic grid displays all traffic generated during the scan, enabling you to explore the  
traffic for the entire scan. However, you can also view and explore traffic for a specific resource. You  
can search, sort, and filter the data in the Traffic grid. For more information, see "Searching and  
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:  
• Select the item in the Site Tree.  
All traffic involving that item appears in the Traffic grid.  
From here, you can select a session in the Traffic grid to work with its request and response, explore  
its related traffic, or examine its parameters. For more information, see "Working with Sessions" on  
Using the Breadcrumbs  
When you select a resource in the Site Tree, breadcrumbs appear at the top of the traffic grid, similar  
to the sample shown here.  
These breadcrumbs indicate that the displayed traffic has been filtered down to the last resource  
listed in the breadcrumbs.  
To filter the traffic for a specific resource listed elsewhere in the breadcrumbs:  
• Click the resource in the breadcrumbs.  
For example, if you want to view all traffic for the resources folder shown in the previous image,  
click resources.  
The selected resource becomes the final breadcrumb and Site Explorer updates the traffic sessions  
to show only the traffic for the selected resource.  
To remove the filter completely:  
• Click X in the final breadcrumb.  
The breadcrumbs are removed and the traffic sessions are no longer filtered.  
Using Text Search  
The Text Search tab enables you to search text snippets in responses. The Text Search tab includes  
the Text Search grid, Traffic grid, Related Traffic grid, and Related Text grid.  
The first time you access the Text Search tab in an open scan, Site Explorer builds the search indexes  
and displays them in the Text Search grid. The search indexes include the host where the text was  
found, the type of text (such as email, comment, and so on), and the exact text from the response.  
Text Search Columns  
The following table describes the columns in the Text Search grid.  
Column     Description  
Origin ID  The unique ID of the traffic session where the text was first found. The Origin ID is  
           useful for grouping all text for a particular traffic session as well as sorting text  
           snippets in the order in which they were found.  
Server     The host and port that sent the response.  
Type       The type of text found in the response, such as Comment, Email, Form, FormAction,  
           HeaderLine, HeaderValue, StatusCode, and so on.  
Text       The actual text found in the response(s).  
Searching in the Text Search Grid  
In addition to the searching, sorting, and filtering described in "Searching and Filtering" on page 136,  
the Text Search grid provides a Type field so that you can limit your search to a specific type of text.  
To use the Type field:  
1. Type the text you want to search for in the Filter field.  
2. Select the type of text to search from the Type drop-down list.  
Search results are confined to the type of text you selected.  
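To make the Text Search index concrete, the following added example builds the same kind of index over a few constructed HTTP responses: each snippet is recorded with the Origin ID of the first session it was found in, the server, its type and the exact text, and a second map tracks every session that contains the snippet (the page notes that a snippet can exist in many responses while only the first is shown). It then implements the Filter field and the Type drop-down as a `search()` call. This is not Site Explorer's indexer; the sample sessions, the extraction patterns and the function names are constructed for illustration, and the real product recognises more text types than the handful shown here.

```python
import re
from collections import namedtuple

Snippet = namedtuple("Snippet", "origin_id server type text")

# Constructed sample sessions: (origin_id, server host:port, raw HTTP response).
SAMPLE_SESSIONS = [
    (101, "www.example.test:80",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Type: text/html\r\n\r\n"
     "<html><!-- TODO: remove debug endpoint --><body>"
     '<form action="/login.aspx" method="post"></form>'
     "Contact support@example.test</body></html>"),
    (102, "www.example.test:80",
     "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: a=b\r\n\r\n"),
    (103, "api.example.test:443",
     "HTTP/1.1 500 Internal Server Error\r\nServer: Apache/2.4\r\n\r\n"
     '{"error": "db connection failed"} <!-- TODO: remove debug endpoint -->'),
]

# Body text types and the pattern that extracts each (a subset of the product's types).
EXTRACTORS = [
    ("Comment", re.compile(r"<!--(.*?)-->", re.S)),
    ("Email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("FormAction", re.compile(r'<form[^>]*\baction="([^"]*)"', re.I)),
]


def split_response(raw):
    """Return (status line, header lines, body) of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def index_session(origin_id, server, raw):
    """Extract every snippet from one response: status code, headers, body text."""
    status_line, header_lines, body = split_response(raw)
    found = [Snippet(origin_id, server, "StatusCode", status_line.split()[1])]
    for line in header_lines:
        _, _, value = line.partition(":")
        found.append(Snippet(origin_id, server, "HeaderLine", line))
        found.append(Snippet(origin_id, server, "HeaderValue", value.strip()))
    for snippet_type, pattern in EXTRACTORS:
        for m in pattern.finditer(body):
            text = (m.group(1) if m.groups() else m.group(0)).strip()
            found.append(Snippet(origin_id, server, snippet_type, text))
    return found


def build_index(sessions):
    """Return (snippets, occurrences).

    snippets keeps one entry per (type, text) with the first Origin ID, as the
    grid shows it; occurrences maps (type, text) -> every Origin ID containing it."""
    snippets, occurrences = [], {}
    for origin_id, server, raw in sessions:
        for snip in index_session(origin_id, server, raw):
            key = (snip.type, snip.text)
            if key not in occurrences:
                occurrences[key] = []
                snippets.append(snip)
            occurrences[key].append(origin_id)
    return snippets, occurrences


def search(snippets, text_filter, snippet_type=None):
    """The Filter field plus the Type drop-down: case-insensitive substring match,
    optionally confined to one text type."""
    needle = text_filter.lower()
    return [s for s in snippets
            if needle in s.text.lower()
            and (snippet_type is None or s.type == snippet_type)]


if __name__ == "__main__":
    snippets, occurrences = build_index(SAMPLE_SESSIONS)
    for s in search(snippets, "todo", "Comment"):
        print(s.origin_id, s.server, s.type, s.text, "->", occurrences[(s.type, s.text)])
```

Because the index keys on (type, text), the same leftover developer comment served by two hosts shows up once in the grid but lists both sessions under occurrences, which is exactly the drill-down the Traffic grid gives you when you double-click a Text Search entry.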
Working with Responses in the Text Search  
When you select a text snippet in the Text Search grid, the text snippet for the selected response  
appears in the TEXT detail view.  
Note: Each row in the Text Search grid is limited to 40 lines of visible text. If you see ellipses (…)  
at the bottom of the row of text, this indicates that there are more than 40 lines of text and the  
remaining lines are not shown. You can view the complete text in the TEXT detail view.  
A single response might have many text snippets. Likewise, a text snippet might exist in many  
responses. Only the request and response for the first session in which the text was found is  
displayed in the REQUEST and RESPONSE detail views.  
To view other responses that contain the same text snippet:  
1. Double-click an entry in the Text Search grid.  
The Traffic grid opens, showing a list of all the sessions whose responses contain the text  
snippet.  
2. Select a session in the Traffic grid.  
By default, the Request and Response appear in the HTTP details view.  
3. (Optional) To view the session in the BROWSER details view, click BROWSER.  
Viewing Related Traffic for a Session  
You can view the related traffic for a session in the Traffic grid.  
To view related traffic for a session:  
• Double-click a session in the Traffic grid.  
The Related Traffic grid appears. If parent traffic sessions are available, you can click through the  
list of parents and see the HTTP and BROWSER detail views for them.  
To return to the Traffic grid:  
• Click the vertical Traffic title bar.  
The Traffic grid appears, displaying all traffic.  
For more information, see "Working with Stacked Grids" on page 135.  
Viewing Related Text for a Session  
From the Related Traffic grid, you can see the Related Text for a session. The Related Text grid  
provides a list of text found in the response for the selected session. The type of text is identified for  
each entry in the Related Text grid.  
To view related text for a session:  
• Double-click a session in the Related Traffic grid.  
The Related Text grid appears. The information in this grid is similar to the Text Search grid, but  
the text items displayed are for the selected session only.  
Note: Each row in the Related Text grid is limited to 40 lines of visible text. If you see ellipses (…)  
at the bottom of the row of text, this indicates that there are more than 40 lines of text and the  
remaining lines are not shown. You can view the complete text in the TEXT detail view.  
To view all the text in a row:  
• Click a row in the Related Text grid.  
The complete text appears in the TEXT detail view.  
To return to the Related Traffic grid:  
• Click the vertical Related Traffic title bar.  
The Related Traffic grid appears.  
For more information, see "Working with Stacked Grids" on page 135.  
Working with Sessions  
You cannot modify data you are viewing in a traffic file from a scan. You can, however, research the  
traffic data in Site Explorer to get a better understanding of what happened during the scan.  
Viewing the HTTP Detail  
You can view the request and response of a session in the HTTP detail view. This view is the default  
view for sessions selected in most grids. However, if you are seeing another detail view and want to  
see the request and response instead, you can switch to the HTTP detail view.  
To view a session in the HTTP detail view:  
1. Select a session in the grid.  
2. Click HTTP.  
The HTTP detail view opens, showing the request and response of the selected session.  
Wrapping Text  
Long lines of text in the detail views, such as in the Request and Response detail views, might make it  
impossible to view the content without using the horizontal scroll bars. You can use the Word Wrap  
setting to wrap the text to prevent the horizontal scroll bars. The Word Wrap setting is available in  
each detail view and is not a global setting for all detail views. The Word Wrap setting is saved in your  
user settings file for each detail view, and is the default behavior for the detail view the next time you  
open the application.  
To wrap text:  
• Right-click the detail view and select Word Wrap.  
The long lines of text are wrapped and the horizontal scroll bar is removed.  
Decoding Percent-encoded Characters  
By default, requests and responses use percent-encoding for reserved characters. If you see  
percent-encoded characters, such as %3B and %40, in the text of a request or response, you can  
decode these characters to improve readability of the text. When you decode the characters in a  
request or response, the requests or responses for all parent and child sessions of the selected  
session will also be decoded. These characters remain decoded only while the scan is open. If you  
close the scan and reopen it, the default display applies, and reserved characters will once again be  
percent-encoded.  
To decode percent-encoded characters:  
• Right-click in the RESPONSE or REQUEST tab and select URL Decode.  
The percent-encoded characters are converted to readable text.  
Viewing a Session in the Browser  
You can view a session in the Browser detail view to see where the traffic occurred in your site.  
To view a session in the Browser:  
1. Select a session in the grid.  
2. Click BROWSER.  
The Browser detail view opens showing the selected session.  
Expanding Compressed Content  
Compressing (or minifying) content removes spaces, new line markers, comments, and block  
delimiters from code to reduce file size. However, the practice also makes the content more difficult  
for humans to read. You can use the Beautify setting to expand compressed text. The Beautify setting  
is available in each detail view and is not a global setting for all detail views. The Beautify setting is  
saved in your user settings file for each detail view, and is used as the default behavior for the detail  
view the next time you open the application.  
To expand compressed content:  
• Right-click in the detail view and select Beautify.  
The compressed content is expanded and becomes more readable.  
Note: Some text cannot be beautified, so you might not see the option.  
Working with Parameters  
You can view the Type, Name, and Value for parameters used in a traffic session. The Parameters  
detail view displays a grid with one record for each cookie or query string used in the traffic session.  
You can also view every traffic record in which the same parameter is used.  
Understanding Parameters  
A parameter can be one of the following:  
• Cookie data  
• A query string submitted as part of the URL in the HTTP request (or contained in another header)  
• Data submitted using the Post method (such as set_<parametername>)  
Viewing Parameter Details  
To view the parameter details for a session:  
1. Do one of the following:  
• In the Evidence, Traffic, Related Traffic, Text Search, or Related Text grid, select a session.  
• In the Findings grid, select a session and click the HTTP tab.  
2. Click Parameters.  
The Parameters detail view opens showing the parameters used in the selected session.  
Note: The detail view layout settings have no effect on the Parameters grid.  
Adding Parameter Columns to Traffic Grid  
You can add columns to the Traffic grid to display a parameter that is listed in the Parameters detail  
view. Adding these columns of data to the Traffic grid is useful when you are working with a workflow  
macro and need to follow a state parameter through the sessions to determine when and why you are  
being logged out of the application.  
For example, you might want to view the values for the JSESSIONID parameter to examine it from  
session to session to see where its value changes. You can add a column for the JSESSIONID  
parameter along with its companion column set_JSESSIONID to show where the value changes.  
To add columns for a parameter:  
1. Right-click the row for the parameter in the Parameters detail grid.  
2. Select Build Columns….
Note: If you have previously added columns for the selected parameter, the Build Columns  
option is unavailable.  
A column for the parameter name is added to the Traffic grid, along with a column for any methods  
that set the parameter value, if applicable. These columns are permanently added to the database for  
the current scan. The column names are also added to the grid settings menu. You can use the grid  
settings menu to add or remove the columns from view. See "Adding/Removing Columns" on  
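The JSESSIONID walk-through above can be scripted. The following added Python example (not Fortify WebInspect code; the five request/response pairs are constructed and the cookie name is the one used in the guide) builds the JSESSIONID and set_JSESSIONID columns from raw traffic and reports the sessions where the server set or cleared the value and where a workflow kept sending a stale value after the server had replaced it:

```python
# Added example (not Fortify WebInspect code): build the JSESSIONID and
# set_JSESSIONID columns from raw traffic and report where the value changes.
import re

COOKIE_RE = re.compile(r"^Cookie:[ \t]*([^\r\n]*)", re.I | re.M)
SET_COOKIE_RE = re.compile(r"^Set-Cookie:[ \t]*([^=\r\n]+)=([^;\r\n]*)", re.I | re.M)

# Constructed request/response pairs, in the order the workflow sent them.
SESSIONS = [
    {"Id": 1, "Request": "GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n",
     "Response": "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=A1; Path=/; HttpOnly\r\n\r\n"},
    {"Id": 2, "Request": "POST /login HTTP/1.1\r\nHost: app.example\r\n"
                         "Cookie: JSESSIONID=A1\r\n\r\nuser=x&pw=y",
     "Response": "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=B2; Path=/; HttpOnly\r\n"
                 "Location: /home\r\n\r\n"},
    {"Id": 3, "Request": "GET /home HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=B2\r\n\r\n",
     "Response": "HTTP/1.1 200 OK\r\n\r\n"},
    {"Id": 4, "Request": "GET /logout HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=B2\r\n\r\n",
     "Response": "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"
                 "Location: /login\r\n\r\n"},
    # The macro keeps replaying the old cookie after logout: this is the session
    # where the application starts treating the workflow as logged out.
    {"Id": 5, "Request": "GET /home HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=B2\r\n\r\n",
     "Response": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"},
]


def request_cookie(raw_request, name):
    """Value of cookie `name` sent in the request's Cookie header, or None."""
    m = COOKIE_RE.search(raw_request)
    if not m:
        return None
    for part in m.group(1).split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def response_set_cookie(raw_response, name):
    """Value assigned by a Set-Cookie header for `name` in the response, or None
    (an empty string means the server cleared the cookie)."""
    for key, value in SET_COOKIE_RE.findall(raw_response):
        if key.strip() == name:
            return value
    return None


def build_columns(sessions, name):
    """Add the <name> and set_<name> columns that Build Columns adds to the Traffic grid."""
    return [dict(s, **{name: request_cookie(s["Request"], name),
                       "set_" + name: response_set_cookie(s["Response"], name)})
            for s in sessions]


def state_changes(rows, name):
    """Session ids where the server set or cleared the parameter, plus any later
    request that still sent a value the server had already replaced or cleared."""
    events, current = [], None
    for r in rows:
        sent, assigned = r[name], r["set_" + name]
        if current is not None and sent is not None and sent != current:
            events.append((r["Id"], "stale value sent: " + sent))
        if assigned is not None and assigned != current:
            events.append((r["Id"], "cleared" if assigned == "" else "set to " + assigned))
            current = assigned
    return events
```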
Drilling Down Into Traffic Data  
The Traffic tab includes the Traffic grid, Related Traffic grid, and Related Text grid. In the Traffic grid,  
you can view traffic for a resource in the Site Tree, and then drill down to view related traffic for a  
session in the Related Traffic grid. From there, you can view the text found in the response for the  
session in the Related Text grid.  
What is Related Traffic?  
The Related Traffic grid displays the following information:
- Source – Identifies the URL for the selected resource
- Parent – Lists the chain of parents leading to the source
- Parameter Attack – Identifies an attack and is listed below the affected node, similar to the sample shown below
- Reflected Attack – Identifies the response that was used only for flagging the vulnerability of a reflected attack, such as persistent cross-site scripting, and is the child of the original attack that inserted the payload
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:
- Select the item in the Site Tree.
All traffic involving that item appears in the Traffic grid.
Viewing Related Traffic for a Session  
You can view the related traffic for a session in the Traffic grid.  
To view related traffic for a session:
- Double-click a session in the Traffic grid.
The Related Traffic grid appears. If parent traffic sessions are available, you can click through the
list of parents and see the HTTP and browser detail views for them.
To return to the Traffic grid:
- Click the vertical Traffic title bar.
The Traffic grid appears displaying all traffic.
For more information, see "Working with Stacked Grids" below.  
Viewing Related Text for a Session  
From the Related Traffic grid, you can see the Related Text for a session. The Related Text grid  
provides a list of text found in the response for the selected session. The type of text is identified for  
each entry in the Related Text grid.  
To view related text for a session:
- Double-click a session in the Related Traffic grid.
The Related Text grid appears. The information in this grid is similar to the Text Search grid, but  
the text items displayed are for the selected session only.  
Note: Each row in the Related Text grid is limited to 40 lines of visible text. If you see ellipses (…)  
at the bottom of the row of text, this indicates that there are more than 40 lines of text and the  
remaining lines are not shown. You can view the complete text in the TEXT detail view.  
To view all the text in a row:
- Click a row in the Related Text grid.
The complete text appears in the TEXT detail view.
To return to the Related Traffic grid:
- Click the vertical Related Traffic title bar.
The Related Traffic grid appears.
For more information, see "Working with Stacked Grids" below.  
Working with Stacked Grids  
When you drill down into grid data, an additional grid opens with a vertical title bar. When you drill  
down through multiple layers of grid data, each new grid is stacked on the previous grid with its  
vertical title bar visible. The following example shows three stacked grids.  
Viewing and Closing Stacked Grids  
You can view a specific grid in the stack by closing any grids stacked on it. You can also close all  
stacked grids at once.  
To view a specific grid in the stack:
- Click the title bar of the grid you want to view.
All grids stacked on the one you want to view are closed.
To close all stacked grids:
- Click the leftmost grid title bar.
All stacked grids are closed.
Searching and Filtering  
You can search through the data displayed in grid views and in most non-grid views. You can also sort  
and filter the column data displayed in a grid. If you are viewing an active scan, you can search, filter,  
and sort live data in the scan that is running. For information about formatting search queries, see  
Searching in Grid Views  
You can search for data in a single column or in multiple columns displayed in a grid. To search the  
data displayed in a grid:  
1. Click the search icon.
2. In the Search field, type the column name (without spaces), the operator, and the value you are  
searching for.  
Examples:  
Status='404 Not Found'  
ResponseStart>'9/4/2015 9:08:52.242 AM'  
Status~'3[0-9][0-9].*'  
3. (Optional) To search across multiple columns, press the Space Bar, type another column name  
(without spaces), the operator, and the value you are searching for. Searching across multiple  
columns is treated as an AND search; only records that include search criteria specified for each  
column are displayed. Repeat for each column that you want to search.  
Example:  
Method=GET Status~'3[0-9][0-9].*'  
4. Press Enter or click the search icon.
You can also use regular expressions to search the grid. For more information, see "Understanding the  
Searching in Non-grid Views  
You can search for data in non-grid views, such as in the Request and Response tabs. To search in  
tabs:  
1. Select a row of data in the grid.  
Details for the selected data appear in the associated tabs, such as in the Request and Response  
tabs.  
2. Type the value you are searching for in the tab search field.  
3. (Optional) To use regular expressions in your search criteria, select the RegEx check box. For  
4. Press Enter.  
Clearing the Search  
To clear the search criteria, click the x in the search icon.  
Sorting in the Grid  
To sort by any column in the grid:
- Click the column heading.
Filtering in the Grid  
To filter one or more columns in the grid:  
1. Click in the column heading.  
A filter panel appears below the column heading.  
2. Type a filter expression in the filter field.  
A filter expression consists of an optional operator (>, <, >=, <=, !=, ~, =) or one of the functions “in”,
“notin”, or “regex” followed by a string. The range operator (..) is an exception, as it sits
between two strings. For more information, see "Understanding the Search Expressions" on the  
Examples:  
443  
'400 Bad Request'  
30*  
'9/3/2015 10:53:08.000 AM'..'9/3/2015 10:53:12.089 AM'  
in(200,300) notin(400,500)  
Note: The equal (=) operator might not filter accurately on columns containing date and  
time information.  
For more information, see "Rules for Filtering in the Grid" below.  
3. Press Enter.  
Data in the grid is filtered based on the expression entered. The icon in the filtered column
heading changes to show that a filter is applied.
4. To filter additional columns, repeat steps 1-3 on each column.  
Rules for Filtering in the Grid  
The following rules apply to filtering in the grid:
- You do not need to specify the field name. Since you edit the filter in a specific column, the field name is identified implicitly.
- You can use search operators in the filter field. For more information, see "The Search and Filter
- If no operators or wild cards are specified in the filter field, the filter is converted to a "contains" clause of the form field:*string*. If the search is enclosed in quotation marks, the filter is converted to field:'*string*'.
  For example, the filter string 404 Not Found in the Status column is converted to Status:'*404*' Status:'*Not*' Status:'*Found*' and displays all sessions with a Status that contains either 404, Not, or Found. The filtered results include such statuses as '302 Found', '404 Not Found', and '405 Method Not Allowed'.
  The filter string '404 Not Found' in the Status column is converted to Status:'*404 Not Found*' and displays all sessions with a Status that contains '404 Not Found'.
- You can specify multiple search filters in the filter field, separated by spaces.
- You must enclose filters for date and time fields in either single (') or double (") quotation marks.
Clearing a Filtered View  
To clear a filtered view on one or more columns in the grid:  
1. Click in a column heading that is filtered.  
A search panel appears below the column heading.  
2. Click Clear.  
Data in the column is no longer filtered.  
3. To clear the filter on additional columns, repeat steps 1 and 2 for each filtered column.  
Understanding the Search Expressions  
This topic explains the components of the expressions used to search in the grid and tabs.  
Basic Format of a Search Query  
The basic format of a search query is:  
<PropertyName><Operator><SearchValue>  
If you are searching the entire grid, the PropertyName is the column name that you want to include in  
the search. If you are searching in a tab, such as the Request or Response tabs, the PropertyName is  
the field/property name, such as 'Request' or 'Response'.  
If you are searching within a column in the grid, omit the PropertyName. The format for this type of  
search is:  
<Operator><SearchValue>  
To use regular expression (RegExp) syntax in your search, the format is:  
<PropertyName> RegExp('[RegexSearchValue]','[RegexFlags]')  
For more information about using regular expressions, see "Using Regular Expressions" on page 143.  
Simple Query  
You can perform a simple query on string data that contains no special characters and on integers.  
Simple queries are:  
Method=GET  
Scan.CheckId=6  
Searching for Data that Contains Spaces or Special Characters  
If there is a space or special character in the content you are searching for, enclose the content in  
either single (') or double (") quotation marks:  
Status='404 Not Found'  
Path='/signin.html'  
You can combine quotation marks with wild cards:  
ResponseStart:*'7/8/2015 4:22:'*  
Searching with More than One Expression  
A search can include more than one expression at the same time. Separate each expression with a  
space:  
Path='/banklogin.asp' Method=GET  
If the same field is listed more than once, it becomes an "OR" expression:  
Path='/banklogin.asp' Path='/login1.asp'  
This search returns all records where Path is either '/banklogin.asp' or '/login1.asp'.  
Other fields added to the expressions are treated as an "AND" expression:  
Path='/banklogin.asp' Path='/login1.asp' Method=POST  
This search returns all records where Path is either '/banklogin.asp' or '/login1.asp' AND Method is  
'POST'.  
Another example of an AND/OR search is:  
Method=POST Scan.Engine:Sql* Scan.Engine:Cross*  
This search returns all records where Method is 'POST' and the value of Scan.Engine starts with either  
'Sql' or 'Cross'.  
Searching for Null Data  
To search for data that contains null (empty) entries, use the = operator followed by two single  
quotation marks (''):  
ParameterValue=''  
To filter for data that contains null (empty) entries in a specific column, use the = operator followed  
by two single quotation marks ('') in the column filter field.  
Using Column Names in Search Queries  
To search in a column or field name that includes a space, remove the space in the search query. For  
example, to search on the Response End column in the grid, use the following format:  
ResponseEnd='7/8/2015 4:22:52 PM'  
Using Regular Expressions  
To create a search pattern, you can use the regular expression operator (~) and include regular  
expressions in the search:  
Response~'[0-9].*='  
You can also construct regular expression syntax:  
Response RegExp('[0-9].*=','i')  
For more information about using regular expressions, see "Using Regular Expressions" on page 143.  
The Search and Filter Operators  
The following table describes the operators and functions available for searching and filtering. The  
PropertyName used in the example column is the column name when searching the grid or the  
field/property name when searching tabs. If you are filtering directly in a column, do not include the  
field/property name in the column filter field.  
=
    Find only exact matches to the search string.
    Example: PropertyName=asdf
>
    Find data greater than the search number or date.
    Example: PropertyName>123
>=
    Find data greater than or equal to the search number or date.
    Example: PropertyName>=123
<
    Find data less than the search number or date.
    Example: PropertyName<123
<=
    Find data less than or equal to the search number or date.
    Example: PropertyName<=123
!=
    Find data not equal to the search string.
    Example: PropertyName!=asdf
:
    Find only exact matches to the search string using wild cards; the search is case-sensitive. If the search string contains a space or dash (-), enclose it in either single or double quotation marks.
    Examples:
    PropertyName:asdf (find exact matches)
    PropertyName:*asdf (find data that ends with the search string)
    PropertyName:*asdf* (find data that contains the search string)
    PropertyName:asdf* (find data that starts with the search string)
..
    Find data that is within a specified range of values.
    Example: PropertyName:'7/15/2015 5:00 PM'..'7/15/2015 5:15 PM'
~
    Find the search string using regular expressions. For more information about using regular expressions, see "Using Regular
    Example: PropertyName~'sea[a-z]ches'
in
    Find matches to the search value(s) listed in parentheses; to search for multiple values, include a comma-separated list in parentheses.
    Examples:
    PropertyName in(123,456) or PropertyName in(abc,def)
    Port in(80,443) (find all sessions with a port of 80 or 443)
    Method in(GET) (find all sessions with a method of 'GET')
notin
    Find everything except the search value(s) listed in parentheses; to exclude multiple values, include a comma-separated list in parentheses.
    Examples:
    PropertyName notin(123,456) or PropertyName notin(abc,def)
    Port notin(80,443) (exclude all sessions with a port of 80 or 443)
    Method notin(GET) (exclude all sessions with a method of 'GET')
Using Regular Expressions  
Using the tilde (~) operator with a regular expression means that whatever is on the left of the tilde is  
searched using the regular expression on the right. You can also construct more complex regular  
expression (RegExp) syntax.  
Traffic String Properties for Searching  
You can use regular expressions to search any of the Traffic string properties, which are numbers,  
strings, or dates. This includes all fields that are listed when you click the settings icon in a
Traffic grid view.  
Text Search String Properties  
You can use regular expressions to search any of the Text Search string properties. The Text Search  
string properties include the following:  
- Server
- Text
- Type
Using the Tilde (~) Operator  
When using the tilde (~) operator, the format is:  
<PropertyName>~'RegexPattern'  
You can use single or double quotation marks.  
Examples  
The following query returns a list of sessions with a Referer in the request header that contains an  
index.jsp file:  
Request~'Referer:\\s.+/index\\.jsp'  
The following query returns a list of sessions with a Location in the response header that contains an  
index.php or index.html file:  
Response~'Location:\\s.+/index\\.(php|html)'  
The following query returns a list of sessions with index.html or index.php files that were attacked by  
an audit engine whose name begins with ‘Cross’ or ‘Sql’:  
Path~'/index\.(html|php)' Scan.Engine~'^(Cross|Sql)'  
Using RegExp Syntax  
RegExp syntax, which is similar to JavaScript, uses the following formats:  
<PropertyName> RegExp('RegexPattern') - Performs a case-sensitive search  
<PropertyName> RegExp('RegexPattern','i') - Performs a case-insensitive search  
Examples  
The following query returns a list of sessions with a Referer in the request header that contains an  
index.jsp file:  
Request RegExp('Referer:\\s.+/index\\.jsp','i')  
The following query returns a list of sessions with a Location in the response header that contains an  
index.php or index.html file:  
Response RegExp('Location:\\s.+/index\\.(php|html)','i')  
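To make the search grammar concrete, here is an added Python evaluator (not Fortify WebInspect code) that implements the search-expression rules of this section (same-field expressions OR'd, different fields AND'd, the operators in "The Search and Filter Operators", the tilde and RegExp() forms) together with the column-filter conversion from "Rules for Filtering in the Grid", run over a constructed list of session records. It assumes the doubled backslashes in the guide's RegExp examples are JavaScript-style string escaping, treats date columns as plain text, and accepts only the quoted range form shown in the operators table.

```python
# Added example (not Fortify WebInspect code): Site Explorer search-syntax evaluator.
import re

# A value is a run of quoted/unquoted chunks with no spaces between them, so
# 'a'..'b' is three chunks ('a', .., 'b') and *'x y'* is three as well.
CHUNK = re.compile(r"""'[^']*'|"[^"]*"|[^\s'"]+""")
VALUE = r"""(?:'[^']*'|"[^"]*"|[^\s'"]+)+"""
EXPR = re.compile(
    r"(?P<name>[A-Za-z_][\w.]*)"
    r"(?:\s+(?P<func>in|notin)\s*\((?P<items>[^)]*)\)"
    r"|\s+RegExp\(\s*'(?P<rx>[^']*)'\s*(?:,\s*'(?P<flags>[^']*)')?\s*\)"
    r"|(?P<op>>=|<=|!=|=|>|<|:|~)(?P<value>" + VALUE + "))")

# Constructed sample traffic records keyed by column name (spaces removed).
SESSIONS = [
    {"Path": "/banklogin.asp", "Method": "GET", "Status": "200 OK",
     "Port": 443, "Scan.Engine": "", "ParameterValue": "abc"},
    {"Path": "/banklogin.asp", "Method": "POST", "Status": "302 Found",
     "Port": 443, "Scan.Engine": "SqlInjection", "ParameterValue": ""},
    {"Path": "/login1.asp", "Method": "POST", "Status": "404 Not Found",
     "Port": 80, "Scan.Engine": "CrossSiteScripting", "ParameterValue": "x"},
    {"Path": "/index.html", "Method": "GET", "Status": "405 Method Not Allowed",
     "Port": 8080, "Scan.Engine": "", "ParameterValue": ""},
]

def coerce(value):
    """Float when the value is numeric, otherwise its text (dates stay text)."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return "" if value is None else str(value)

def chunks(raw):
    """Split a value into (text, was_quoted) pairs with the quotes removed."""
    return [(c[1:-1], True) if c[0] in "'\"" else (c, False)
            for c in (m.group(0) for m in CHUNK.finditer(raw))]

def wildcard_regex(parts):
    """':' operator: case-sensitive match where '*' stands for any run of text."""
    body = "".join(re.escape(t).replace(r"\*", ".*") for t, _ in parts)
    return re.compile("^" + body + "$")

def regex_hit(pattern, text, flags=""):
    """'~' and RegExp() operators, with the 'i' and 'm' flags from the guide."""
    # Assumption: '\\s' in the guide's examples is JavaScript-style escaping of \s.
    opts = (re.I if "i" in flags else 0) | (re.M if "m" in flags else 0)
    return re.search(pattern.replace("\\\\", "\\"), text, opts) is not None

def match_expr(m, cell):
    """Evaluate one parsed expression against a cell (a missing cell is '')."""
    text = "" if cell is None else str(cell)
    if m["func"]:
        items = [t for t, _ in chunks(m["items"].replace(",", " "))]
        return (text in items) == (m["func"] == "in")
    if m["rx"] is not None:
        return regex_hit(m["rx"], text, m["flags"] or "")
    op, parts = m["op"], chunks(m["value"])
    if op == "~":
        return regex_hit(parts[0][0], text)
    if op == ":" and len(parts) == 3 and parts[1] == ("..", False):
        lo, hi, v = coerce(parts[0][0]), coerce(parts[2][0]), coerce(cell)
        return type(lo) is type(v) and lo <= v <= hi  # quoted bounds, as in the table
    if op == ":":
        return wildcard_regex(parts).match(text) is not None
    literal = "".join(t for t, _ in parts)
    if op in ("=", "!="):
        return (text == literal) == (op == "=")
    a, b = coerce(cell), coerce(literal)  # >, <, >=, <= compare like kinds only
    if type(a) is not type(b):
        return False
    return {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]

def search(rows, query):
    """Grid search: expressions on the same field are OR'd, across fields AND'd."""
    by_field = {}
    for m in EXPR.finditer(query):
        by_field.setdefault(m["name"], []).append(m)
    if not by_field:
        raise ValueError("no valid expression in: " + query)
    return [r for r in rows
            if all(any(match_expr(m, r.get(f)) for m in ms)
                   for f, ms in by_field.items())]

def filter_to_query(column, text):
    """Rewrite a column-filter string into a search query by the guide's rules:
    bare words become OR'd 'contains' clauses, quoted text is one clause, and
    operators, wildcards, ranges and in()/notin() pass through unchanged."""
    terms = []
    for t in (m.group(0) for m in re.finditer(VALUE, text)):
        if re.match(r"(?:in|notin)\(", t):
            terms.append(column + " " + t)
        elif t[0] in "><!=:~":
            terms.append(column + t)
        elif "*" in t or ".." in t:
            terms.append(column + ":" + t)
        else:
            word = t[1:-1] if t[0] in "'\"" else t
            terms.append(column + ":'*" + word + "*'")
    return " ".join(terms)
```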
Understanding the RegExp Syntax  
The following table defines the parts of the RegExp syntax.
1 (PropertyName)
    Specifies whether raw HTTP Request or raw HTTP Response data is searched; includes both Header and Body data.
2 (RegexPattern)
    Defines the regular expression pattern to search for using the regular expression characters described in the table below.
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following  
table describes some of these characters and includes short examples showing how the characters are  
used. Another recommended resource is the Regular Expression Library online at  
\
    Marks the next character as special. /n/ matches the character "n". The sequence /\n/ matches a linefeed or newline character.
^
    Matches the beginning of input or line.
    Also used with character classes as a negation character. For example, to exclude everything in the content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.
$
    Matches the end of input or line.
*
    Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo".
+
    Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z".
?
    Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never".
.
    Matches any single character except a newline character.
|
    Indicates OR between two or more literal text search terms. For example, the following query returns a list of sessions where the path contains /index.html OR /index.php:
    Path~'/index\.(html|php)'
i
    Ignores character case. Use this character in the second argument in the RegExp. For example:
    PropertyName RegExp('stuff[abc]','i')
    You can combine this with other flags. For example:
    PropertyName RegExp('stuff[abc]','mi')
m
    Searches in multi-line mode. Use this character in the second argument in the RegExp. For example:
    PropertyName RegExp('stuff[abc]','m')
    You can combine this with other flags. For example:
    PropertyName RegExp('stuff[abc]','mi')
[xyz]
    A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain".
\b
    Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early".
\B
    Matches a non-word boundary. /ea*r\B/ matches the "ear" in "never early".
\d
    Matches a digit character. Equivalent to [0-9].
\D
    Matches a non-digit character. Equivalent to [^0-9].
\f
    Matches a form-feed character.
\n
    Matches a linefeed character.
\r
    Matches a carriage return character.
\s
    Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v].
\S
    Matches any non-white space character. Equivalent to [^ \f\n\r\t\v].
\w
    Matches any word character including underscore. Equivalent to [A-Za-z0-9_].
\W
    Matches any non-word character. Equivalent to [^A-Za-z0-9_].
Chapter 12: SmartUpdate  
For installations connected to the Internet, the SmartUpdate feature contacts the Micro Focus data  
center to check for new or updated adaptive agents, vulnerability checks, and policy information.  
SmartUpdate will also ensure that you are using the latest version of Fortify WebInspect, and will  
prompt you if a newer version of the product is available for download.  
You can configure Fortify WebInspect settings to conduct a SmartUpdate each time you start the  
application (select Application Settings from the Edit menu and choose Smart Update).  
You can also run SmartUpdate on demand through the Fortify WebInspect user interface by selecting  
Start SmartUpdate from the Fortify WebInspect Start Page, by selecting SmartUpdate from the  
Tools menu, or by clicking the SmartUpdate button on the standard toolbar.  
For installations lacking an Internet connection, see "Performing a SmartUpdate (Offline)" on the next  
page.  
Caution! For enterprise installations, if SmartUpdate changes or replaces certain files used by  
Fortify WebInspect, the sensor service might stop and the sensor will display a status of "off line."  
You must launch the Fortify WebInspect application and restart the service. To do so:  
1. Click Edit > Application Settings.  
2. Select Run as a Sensor.  
3. Click the Start button in the Sensor Status area.  
Performing a SmartUpdate (Internet Connected)  
To perform a SmartUpdate when WebInspect is connected to the Internet:  
1. Do one of the following:  
   - From the toolbar, click SmartUpdate.
   - Select SmartUpdate from the Tools menu.
   - Select Start SmartUpdate from the Fortify WebInspect Start Page.
If updates are available, the SmartUpdater window opens with the Summary tab in view. The
Summary tab displays up to three separate collapsible panes for downloading the following:
   - New and updated checks
   - Fortify WebInspect software
   - SmartUpdate software
2. Select the check box associated with one or more of the download options.  
3. (Optional) To view details about the checks being updated:  
a. Click the Check Detail tab.  
In the left pane is a list showing the ID, Name, and Version of checks being updated. The list  
is grouped by Added, Updated, and Deleted.  
b. To view the policies that include a specific check being updated, select the check in the list.  
A list of affected policies appears in the Related Policies pane.  
4. (Optional) To view details about the policies affected:  
a. Click the Policy Detail tab.  
In the left pane is an alphabetical list of the policies affected by the update.  
Note: The list shows only those policies that are affected by updated checks. The Policy  
Detail tab does not show other policy changes that could be included in the update, such  
as associating new checks with a policy or changing a policy name.  
b. To view the checks being updated in a specific policy, select the policy in the list.  
A list showing the ID, Name, and Version of checks being updated appears in the Related  
Checks pane. The list is grouped by Added, Updated, and Deleted.  
5. To install the updates, click Download.  
Downloading Checks without Updating Fortify WebInspect
Engine updates are required for some checks to be run during scans. If you are not using the latest  
version of Fortify WebInspect, it is likely that some of the checks in your SecureBase cannot be run  
during a scan. To test your application with all the latest checks, ensure that you are using the latest  
version of Fortify WebInspect.  
Performing a SmartUpdate (Offline)  
Follow this process to perform a SmartUpdate for WebInspect that is offline.
1. Open a support case. Customer Support personnel will provide you with the offline FTP server URL and login credentials (if needed). For more information, see Contacting Micro Focus Fortify Customer Support in "Preface" on page 22.
2. On a machine that can access the Internet, access the offline FTP server.
3. Download the Fortify WebInspect static SmartUpdate ZIP file.
4. On the machine where Fortify WebInspect is installed, extract all files from the ZIP file.
5. Close Fortify WebInspect.
6. Copy the extracted SecureBase.sdf and version.txt files to the directories where your SecureBase data resides.
   - If your system is not FIPS enabled, then the default locations are:
     - C:\ProgramData\HP\HP WebInspect\SecureBase
     - C:\ProgramData\HP\HP WebInspect\Schedule\SecureBase
     - C:\Program Files\Fortify\Fortify WebInspect
   - If your system is FIPS enabled, then the locations are:
     - C:\ProgramData\HP\HP WebInspect\FIPS\SecureBase
     - C:\ProgramData\HP\HP WebInspect\FIPS\Schedule\SecureBase
     - C:\Program Files\Fortify\Fortify WebInspect
   Tip: By default, these folders are hidden in Windows. Be sure to change folder options to show hidden files.
Chapter 13: SQL Injector (Fortify WebInspect Only)
SQL injection is a technique for exploiting web applications that use client-supplied data in SQL
queries without first removing potentially harmful characters. The SQL Injector supports MS-SQL,
Oracle, PostgreSQL, MySQL, and DB2 database types and also supports multiple language systems,
including Japanese.
Caution! This tool tests for SQL injection vulnerabilities by creating and submitting HTTP  
requests that may be processed by your SQL server. If your web application allows database  
records to be updated or created using data supplied by the user, the SQL Injector may create  
spurious records. To avoid this possibility, do not test against your production database. Instead,  
use a copy of the database, or use a test account that does not have access to the production  
data, or exclude from audit any pages that may update data or delete data from the database. If  
these alternatives are not feasible, back up your production database before testing at a time  
when the site has little or no customer traffic.  
To test for susceptibility to SQL injection:  
1. If using a proxy server or if the target site requires authentication, click the Settings tab and  
enter the appropriate information. For more information, see "SQL Injector Settings" on page 154.  
2. Select File > New, or click the New Request icon.
3. In the Location field, type or paste the URL that you suspect is susceptible to SQL injection. See
examples below.
   - GET method (query parameters are embedded in the URL):
   - POST method (query parameters are included in message body):
Because the SQL Injector defaults to the GET method, you must also edit POST requests on the  
Raw tab (visible if you select View > Show Request). The edited request would be similar to the  
following:  
POST /Myweb/MSSQL/POST/2.asp HTTP/1.1  
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)  
Host: 172.16.61.10  
Content-Length: 22  
Content-Type: application/x-www-form-urlencoded  
login=qqq&password=aaa  
Note: If Fortify WebInspect has detected a SQL injection vulnerability, you can right-click the  
vulnerable session in Fortify WebInspect's navigation pane (or right-click the vulnerable URL  
on the Vulnerabilities tab of the summary pane) and select Tools > SQL Injector from the  
shortcut menu.  
4. Click Send.  
If SQL injection is successful, "SQL Injection Confirmed" appears on the Status tab and the  
beginnings of a data hierarchy tree appear on the Site Tree tab in the lower left pane.  
For detailed information about the tabs on this screen, see "SQL Injector Tabs" on page 153.  
5. To extract all the data from all tables, click the Pump Data icon.
Alternatively, you can selectively investigate tables and columns using the following procedure:  
a. Select Get Tables.  
The SQL Injector returns the names of all tables in the targeted database.  
b. Choose tables by selecting or clearing their associated check boxes.  
c. Click Get Columns.  
The SQL Injector returns the names of all columns in the selected tables.  
d. Choose a column by selecting or clearing its associated check box.  
e. Click Get Data.  
6. Select a column and click the Data tab to view the column values.  
Note: If the SQL Injector is unable to extract data, it may be able to verify the existence of a  
SQL injection vulnerability by retrieving the name of the vulnerable database. To enable this  
feature, see Inferential/Time-Based Extraction in the "SQL Injector Settings" on the next  
page topic.  
SQL Injector Tabs  
After a successful SQL injection, the SQL Injector displays the following panes and tabs:  
Request Pane  
The Request pane contains the following tabs:  
- Raw - Displays the text of the HTTP request.
- Details - Displays the request segmented by method, request URI, and protocol. Also lists the request header fields and their associated values.
- Hex - Displays a hexadecimal representation of the HTTP request.
To toggle the display of the Request pane, click Show Request/Hide Request.  
Database Pane  
The lower left pane contains the following tabs:  
- Site Tree - Displays the URL, databases, tables, and columns.
- Data Extraction Settings - Displays the maximum number of tables, columns, and rows to return when extrac
ting data. These values are extracted from the settings, but can be modified here or in the Settings dialog.
Information Pane
The lower right pane contains the following tabs:
- Status - Displays progress bars for detection and extraction functions.
- Details - Displays database information and injectable parameter details.
- Data - Displays data extracted from the selected tables and columns.
- Log - Displays a synopsis of pertinent functions and the time at which they occurred.
SQL Injector Settings  
To modify the SQL Injector settings:  
1. Click Edit > Settings.  
2. Select one of the following tabs and specify settings as described in the following sections:  
   - Options (See "Options Tab" below)
   - Authentication (See "Authentication Tab" on page 156)
3. Click OK.
Options Tab  
Timeout in Seconds  
Specify the number of seconds that the SQL Injector will wait for a response before terminating the  
session.  
Apply State  
If your application uses cookies, URL rewriting, or post data techniques to maintain state within a  
session, the SQL Injector will attempt to identify the method and modify the response accordingly.  
Apply Proxy  
If you select this option, the SQL Injector will modify the request according to the proxy settings you  
specify.  
Logging  
Select the events you want to log:
• Requests
• Responses
• Errors
• Debug Messages
Log files are stored in xml format in <drive>:\Users\<user name>\Documents\HP\Tools\SQLInjector\logs.
The beginning of each file name is formatted as YYYY_MM_DD<current-process-id>. The remainder of the name is formatted as follows:
• _sqli_debug.log: Contains debugging messages for that session.
• _errors.log: Contains errors and exceptions that occurred for that session.
• _RequestsResponses.log: Contains all the requests and responses sent and received by the SQL Injector.
Data Extraction  
Specify the maximum number of tables, columns, and rows that should be returned when extracting  
data through a URL that is vulnerable to SQL injection. These values are also displayed in the  
Database pane on the Data Extraction Settings tab. You can change these values using either this  
tab or the Settings dialog.  
Also specify the maximum number of concurrent threads that should be used for data extraction.  
Inferential/Time-Based Extraction  
The SQL Injector can use two different techniques for extracting data when a SQL injection  
vulnerability is discovered. All attempts are conducted using the inferential technique, which  
examines the content of the HTTP responses. If this method fails, you can force the tool to use a  
second technique called time-based extraction. Instead of extracting table data, this method attempts  
to retrieve the name of the database by sending 4-5 long-running database queries for each  
character in the database name. Since this can be a rather time-consuming exercise, you can specify  
the number of characters required to confirm the existence of the SQL injection vulnerability.  
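The defender's view of the time-based technique just described, as an added example that is not part of the guide or of the SQL Injector tool: the probes surface in server logs as a burst of requests to one URL and parameter, from one client, whose response times cluster around a single delay, regardless of what the injected value looks like. The log field layout, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log excerpt: client, method, request target, status,
# response time in milliseconds (field layout is an assumption). The burst
# from 10.0.0.9 mimics the 4-5 long-running probes per character described
# in the guide; the injected value is an opaque placeholder because the
# detector deliberately never looks at payload content.
SAMPLE_LOG = """\
10.0.0.5 GET /product.asp?id=7 200 41
10.0.0.5 GET /product.asp?id=7 200 39
10.0.0.9 GET /product.asp?id=7%20PROBE_CHAR1_A 200 5031
10.0.0.9 GET /product.asp?id=7%20PROBE_CHAR1_B 200 5044
10.0.0.9 GET /product.asp?id=7%20PROBE_CHAR1_C 200 5019
10.0.0.9 GET /product.asp?id=7%20PROBE_CHAR1_D 200 5052
10.0.0.9 GET /product.asp?id=7%20PROBE_CHAR1_E 200 38
10.0.0.5 GET /report.asp?year=2022 200 4800
10.0.0.5 GET /report.asp?year=2021 200 2900
10.0.0.5 GET /report.asp?year=2020 200 6100
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) (?P<ms>\d+)$"
)

SLOW_MS = 2000        # assumed: responses at or above this are "long-running"
MIN_SLOW_HITS = 4     # the guide describes 4-5 long-running queries per character
SPREAD_RATIO = 0.05   # slow responses must cluster within 5% of their median


def parse_line(line):
    """Return one parsed request, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Group by parameter *names* only: the probe value changes every request,
    # the parameter being exercised does not.
    names = tuple(sorted(n for n, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return {"client": m["client"], "path": parts.path, "params": names, "ms": int(m["ms"])}


def find_timing_bursts(log_text, slow_ms=SLOW_MS, min_hits=MIN_SLOW_HITS,
                       spread_ratio=SPREAD_RATIO):
    """One finding per (client, path, parameter names) whose slow responses are
    both numerous and tightly clustered around a single delay.

    Legitimately slow pages (reports, exports) tend to vary widely in duration;
    an injected delay produces near-identical times, which is the fingerprint."""
    slow = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ms"] >= slow_ms:
            slow[(rec["client"], rec["path"], rec["params"])].append(rec["ms"])

    findings = []
    for (client, path, params), times in slow.items():
        if len(times) < min_hits:
            continue
        mid = median(times)
        if max(times) - min(times) <= spread_ratio * mid:
            findings.append({"client": client, "path": path, "params": list(params),
                             "hits": len(times), "delay_ms": round(mid)})
    return findings


if __name__ == "__main__":
    for f in find_timing_bursts(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']} {f['params']}: "
              f"{f['hits']} slow responses clustered at ~{f['delay_ms']} ms")
```

The report.asp requests are just as slow but are not flagged, because their durations do not cluster; loosening spread_ratio shows how quickly that distinction is lost.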
Use a Macro  
If you want to use a macro, select this check box and then click the browse button to select a macro.
Database File Path  
This read-only text box displays the path to the database created by the SQL Injector tool to store  
attack data and replicate portions of the attacked database.  
Authentication Tab  
Authentication Method  
If the site does not require authentication, select None. Otherwise, select an authentication method  
from the Authentication list:
• Automatic
Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
• HTTP Basic
• NTLM (NT LanMan)
Authentication Credentials  
Enter a user ID in the User name field and the user's password in the Password field. To prevent  
mistyping, repeat the password in the Confirm Password field.  
Proxy Tab  
Use these settings to access the SQL Injector through a proxy server.  
Direct Connection (proxy disabled)  
Select this option if you are not using a proxy server.  
Auto detect proxy settings  
If you select this option, SQL Injector will use the Web Proxy Autodiscovery Protocol (WPAD) to  
locate and use a proxy autoconfig file to configure the browser's web proxy settings.  
Use System proxy settings  
Select this option to import your proxy server information from the local machine.  
Use Firefox proxy settings  
Select this option to import your proxy server information from Firefox.  
Note: Using browser proxy settings does not guarantee that you will access the Internet through  
a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a  
proxy will not be used.  
Configure a proxy using a PAC file  
Select this option to load proxy settings from the Proxy Automatic Configuration (PAC) file in the file  
location you specify in the URL field.  
Explicitly configure proxy  
Select this option to access the Internet through a proxy server, and then enter the requested  
information:  
1. In the Server field, type the URL or IP address of your proxy server, followed (in the Port field)  
by the port number (for example, 8080).  
2. Select a protocol Type for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or  
Standard.  
3. If authentication is required, select a type from the Authentication list:
• Automatic
Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
• Basic
• Digest
• Kerberos
• Negotiate
• NTLM (NT LanMan)
4. If your proxy server requires authentication, enter the qualifying user name and password.  
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing  
sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate  
entries.  
Specify Alternative Proxy for HTTPS  
For proxy servers accepting HTTPS connections, select the Specify Alternative Proxy for HTTPS  
check box and provide the requested information.  
Chapter 14: SWFScan (Fortify WebInspect Only)
The SWFScan tool can help organizations secure applications developed using the Adobe Flash  
platform. This innovative tool identifies many of the vulnerabilities that affect Flash applications and  
provides definitive insight on how to remove or avoid them. For more information about the  
vulnerabilities, see "Vulnerability Detection" below.  
How It Works  
SWFScan uniquely supports all versions of Adobe Flash and ActionScript, including ActionScript 2 and  
3 (Flash versions 9 and 10).  
When you point SWFScan at a Flash file on the Internet or intranet, or load a Flash file from your local  
computer, SWFScan decompiles the SWF bytecode, generates ActionScript source code, and performs  
static analysis. You can then generate reports that include:
• Identification of the source code that caused the vulnerability
• Implications of each specific vulnerability
• "Best practice" guidelines to help with remediation
SWFScan also provides additional key information (such as networking calls, external domain  
requests, etc.) that may be useful for manual inspection of your Flash applications.  
Vulnerability Detection  
SWFScan tests for the following types of Flash security vulnerabilities. Checks for additional  
vulnerabilities will be added to SecureBase (through SmartUpdate) as they are developed.  
ActionScript 3 Vulnerabilities Detected by SWFScan  
SWFScan finds the following types of vulnerabilities in applications built on Flash 9 and above:
• Insecure Programming Practice
• Insecure Application Deployment
• Adobe Best Practices Violation
• Information Disclosure
For information on specific checks, select Edit > Settings, and then select the Checks tab.
ActionScript 1 and 2 Vulnerabilities Detected by SWFScan  
SWFScan finds the following types of vulnerabilities in applications built on Flash 8 and below:
• Possible Cross-Site Scripting
• Dangerous functions accepting user supplied data
• Insecure Programming Practice
• Insecure Application Deployment
• Information Disclosure
For information on specific checks, select Edit > Settings, and then select the Checks tab.  
Analyzing Flash Files  
You can use SWFScan as a standalone tool or as an integrated component of Fortify WebInspect to  
analyze Flash files.  
Using SWFScan as a Standalone Tool  
To analyze a Flash file using SWFScan as a standalone tool:
1. To launch SWFScan, click Start > All Programs > Fortify > Fortify Security Toolkit > SwfScan.
2. Specify the Flash file (.swf) you want to analyze. Do one of the following:
• In the Path or URL combo box, enter or select the full path to a Flash file and click the button on the SWFScan toolbar.
• Click File > Open, select a Flash file from a local storage device, and click Open.
SWFScan loads and decompiles the selected file.
3. Click the analyze button on the SWFScan toolbar.
Using SWFScan in Fortify WebInspect  
To analyze a Flash file using SWFScan as an integrated component of Fortify WebInspect:  
1. Do one of the following while or after conducting a scan:
• Locate a Flash file (.swf) in the navigation pane, then right-click the file name and select Tools > SWFScan from the shortcut menu.
• Locate a Flash vulnerability on the Vulnerabilities tab, then right-click an associated URL and select Tools > SWFScan from the shortcut menu.
The SWFScan tool launches and loads the decompiled source code.
2. Click the analyze button on the SWFScan toolbar.
Note: Fortify WebInspect analyzes Flash files if this function is enabled in the Default settings  
(located in Scan Settings > Content Analyzers). However, SWFScan offers more functionality  
and control by allowing you to configure independent settings, export source code and  
discovered URLs, and generate individual reports for each file. You can also search the source  
code or specific portions of it (see "Searching Source Code" on the next page).  
Examining Results  
SWFScan displays a list of detected vulnerabilities in the lower right pane.  
Click an item in the list to display information about the vulnerability and to locate (in the left pane)  
the module in which the vulnerability was detected.  
Searching Source Code  
You can search for specific text strings or text strings that match the regular expression you specify.  
1. In the Search For field, enter a text string or regular expression.  
2. To find only those occurrences matching the case of the text string or regular expression, select  
the Match Case check box.  
3. To identify the string as a regular expression, select RegEx.  
4. Choose the specific area that you want to search.  
For ActionScript 2 files:
• All Source Code—The decompiled source code.
• Specific Movie Clip—Select a clip from the list.
• Specific Frame—Select a clip and a frame.
• Specific Class—Select a class from the list.
• Specific Method—Select a class and a method.
For ActionScript 3 files:
• All Source Code—The decompiled source code.
• Specific Package—Select a package from the list.
• Specific Class—Select a package and class.
• Specific Method—Select a package, class, and method.
5. Click Search.  
The results appear on the Search Results tab, with matches highlighted.  
Configuring SWFScan Settings  
To configure SWFScan settings:
1. Click the settings button on the SWFScan toolbar.
2. Configure settings on the various tabs. For more information about the settings on each tab, see the following topics:
• AS2 Exclusions
• AS3 Exclusions
• Proxy
• Checks
3. Click OK.
Changed settings are persisted, but cannot be applied retroactively. To analyze a Flash file after changing settings, you must click the analyze button again.
AS2 Exclusions  
You can exclude ActionScript 2 packages (namespaces) from analysis by selecting the Enabled check  
box associated with a particular package.  
Clear the check box if you want to include the package in your analysis.  
To add an exclusion to the list:  
1. Click Add.  
2. On the Add Exclusion Rule window, enter a name for the rule and a regular expression that  
describes the package.  
3. Click OK.  
You can also edit or remove any rules that you add, but you cannot modify the default rule (the Flash  
Standard Library).  
AS3 Exclusions  
You can exclude ActionScript 3 packages (namespaces and classes) from analysis by selecting the  
Enabled check box associated with a particular package or class.  
Clear the check box if you want to include the package or class in your analysis.  
To add packages and classes to the exclusion list:  
1. Click Add.  
2. On the Add Exclusion Rule window, enter a name for the rule and a regular expression that  
describes the package or class.  
3. Click OK.  
You can also edit or remove any rules that you add, but you cannot modify the default rules.  
Proxy  
Select from the following options:
• Direct Connection (proxy disabled) - Select this option if you are not using a proxy server.
• Auto detect proxy settings - If you select this option, the SWFScan tool will use the Web Proxy Autodiscovery (WPAD) protocol to locate and use a proxy autoconfig file to configure the browser's web proxy settings.
• Use System proxy settings - Select this option to import your proxy server information from the local machine.
• Use Firefox proxy settings - Select this option to import your proxy server information from Firefox.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a proxy will not be used.
• Configure a proxy using a PAC file - Select this option to load proxy settings from a Proxy Automatic Configuration (PAC) file. Then specify the file location in the URL field.
• Explicitly configure proxy - Select this option to access the Internet through a proxy server, and then enter the requested information:
a. In the Server field, type the URL or IP address of your proxy server, followed (in the Port field) by the port number (for example, 8080).
b. Select a protocol Type for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or Standard.
c. If authentication is required, select a type from the Authentication list:
  - Automatic
  Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
  - Basic
  - Digest
  - Kerberos
  - Negotiate
  - NTLM (NT LanMan)
d. If your proxy server requires authentication, enter the qualifying User name and Password.
e. If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
• Specify Alternative Proxy for HTTPS - For proxy servers accepting HTTPS connections, select the Specify Alternative Proxy for HTTPS check box and provide the requested information.
Checks  
This tab lists all attacks that check for specific vulnerabilities in the decompiled code.  
Sorting the Checks  
By default, the list of checks is sorted by Severity, from Critical down to Best Practice. To sort  
alphabetically by Check Name, click the column heading. To reverse the sort order of the selected  
column, click the column heading again.  
Enabling/Disabling Checks  
By default, all checks in the list are enabled, as indicated by the selected check boxes in the Enabled  
column. You can disable a check by clearing its check box in the Enabled column.  
Chapter 15: Traffic Viewer  
Fortify WebInspect normally displays in the navigation pane only the hierarchical structure of the Web  
site or Web service, plus those sessions in which a vulnerability was discovered. The Traffic Viewer,  
however, allows you to display and review every HTTP request sent by Fortify WebInspect and the  
associated HTTP response received from the server.  
Traffic Viewer Image  
The following image shows the Traffic Viewer displaying a traffic file from a scan.  
Option Must be Enabled  
To use the Traffic Viewer, you must enable the Traffic Monitor Logging option prior to running a scan.  
The Traffic Viewer is not available for a scan if the Traffic Monitor Logging option was not enabled  
prior to running the scan. See "Enabling Traffic Monitor" on the next page for more information.  
Proxy Server  
The Traffic Viewer also includes a self-contained proxy server that you can configure and run on your  
desktop. With it, you can monitor traffic from your browser as it submits HTTP requests and receives  
responses from a Web server. The Traffic Viewer proxy is a tool for debugging and penetration  
assessment; you can see every request and server response while browsing a site.  
You can also use this feature to create a Workflow macro or a Login macro that you can use with  
Fortify WebInspect.  
Enabling Traffic Monitor  
In Fortify WebInspect, you can enable the Traffic Monitor for all scans or for an individual scan.  
Enabling the Traffic Monitor for All Scans  
To enable the Traffic Monitor in the Default Settings:  
1. Click Edit > Default Scan Settings.  
2. In the Scan Settings pane, click General.  
3. Select Enable Traffic Monitor Logging.  
Note: The Traffic Viewer does not support the encryption of traffic files. The Encrypt  
Traffic Monitor File option is for use under special circumstances with legacy traffic files  
only.  
4. Click OK.  
Enabling the Traffic Monitor for Individual Scans  
To enable the Traffic Monitor when you start a scan through the Scan Wizard, do one of the following:
• Select Settings (Default) at the bottom of the Scan Wizard and follow steps 2 through 4 of "Enabling the Traffic Monitor for All Scans" above.
• In the Detailed Scan Configuration window of the Scan Wizard, select Enable Traffic Monitor.
Launching the Traffic Viewer  
You can launch the Traffic Viewer from the Scan Info Panel within an open scan in Fortify WebInspect  
and Fortify WebInspect Enterprise. Launching the tool in this manner opens the Traffic Viewer with a  
traffic file in view. You can also open the tool as a stand-alone tool outside of a scan and without any  
traffic or proxy data in view.  
From an Open Scan  
To launch the Traffic Viewer from an open scan in Fortify WebInspect and Fortify WebInspect  
Enterprise:  
• In the Scan Info panel, click Traffic Monitor.
Note: The Traffic Viewer is not available if Traffic Monitor Logging was not enabled prior to conducting the scan.
As a Stand-alone Tool  
To launch the stand-alone Traffic Viewer, do one of the following:
• In Fortify WebInspect, click Tools > Traffic Viewer.
• In the Fortify WebInspect Enterprise Admin Console, click Tools > Traffic Viewer.
The Traffic Viewer is launched without any traffic or proxy data in view.  
Note: You may also launch the Traffic Viewer from your Windows Start menu.  
Using the Interface  
This section describes how to open existing files, use the Site Tree, customize grid and detail views,  
resize user interface (UI) elements, and use auto scroll.  
Opening an Existing File  
You can open the following types of existing files in the Traffic Viewer to examine sessions:
• Traffic session files (.tsf)
• Legacy proxy session files (.psf)
• Burp proxy files
• HTTP archive (.har) files
Note: If you open a legacy proxy session file (.psf), Traffic Viewer will convert it to a traffic file  
(.tsf).  
To open an existing file:  
1. Click OPEN.  
The Open dialog box opens.  
2. From the drop-down list, select the type of file to open.  
3. Navigate to and open the file.  
The sessions are populated in the Traffic Viewer.  
Using the Site Tree  
By default, the Site Tree displays an unfiltered tree view of all traffic that was generated during the  
scan. The tree includes a list of hosts and all sub-directories within those hosts. In this view, you can  
select a top-level host and expand the sub-directories to examine the requests and responses  
occurring at each level. You can select an item in the Site Tree to display the traffic for the item.  
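As an added example (not code from the guide or from the Traffic Viewer itself), the Site Tree, the host-only filter and the per-resource traffic view described in this chapter rebuilt over a constructed HTTP archive (.har), one of the file types the Traffic Viewer opens; the host names, paths and timings in the sample are made up.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR 1.2 excerpt (the .har format the Traffic Viewer can open);
# only the fields this example reads are populated.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://shop.example/"},
     "response": {"status": 200}, "time": 35},
    {"request": {"method": "GET", "url": "https://shop.example/resources/app.js"},
     "response": {"status": 200}, "time": 12},
    {"request": {"method": "POST", "url": "https://shop.example/api/cart?item=7"},
     "response": {"status": 302}, "time": 88},
    {"request": {"method": "GET", "url": "https://shop.example/api/cart/summary"},
     "response": {"status": 200}, "time": 40},
    {"request": {"method": "GET", "url": "https://cdn.example/fonts/a.woff2"},
     "response": {"status": 200}, "time": 9},
]}})


def load_sessions(har_text):
    """Flatten HAR entries into session records keyed by host and path segments."""
    sessions = []
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        sessions.append({
            "host": parts.netloc,
            "segments": [s for s in parts.path.split("/") if s],
            "method": entry["request"]["method"],
            "status": entry["response"]["status"],
            "time_ms": entry.get("time", 0),
        })
    return sessions


def build_site_tree(sessions):
    """Nested dict: host -> sub-directory -> ... ; every path segment is a node."""
    tree = {}
    for s in sessions:
        node = tree.setdefault(s["host"], {})
        for seg in s["segments"]:
            node = node.setdefault(seg, {})
    return tree


def host_names(tree):
    """The 'host names only' view reached with the filter icon."""
    return sorted(tree)


def filter_hosts(tree, selected):
    """Keep only the selected hosts and their sub-directories."""
    return {host: sub for host, sub in tree.items() if host in selected}


def traffic_for(sessions, breadcrumb):
    """All sessions involving the resource named by a breadcrumb such as
    ['shop.example', 'api', 'cart']: the resource itself and everything below it."""
    host, *prefix = breadcrumb
    return [s for s in sessions
            if s["host"] == host and s["segments"][:len(prefix)] == prefix]


def climb_breadcrumb(breadcrumb, name):
    """Clicking an earlier crumb makes it the final one, widening the filter
    (assumes crumb names are unique along the path, as in the sample)."""
    return breadcrumb[:breadcrumb.index(name) + 1]


def grid_rows(sessions):
    """Rows as they would appear in the Traffic grid."""
    return [(s["method"], "/" + "/".join(s["segments"]), s["status"], s["time_ms"])
            for s in sessions]


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_HAR)
    tree = build_site_tree(sessions)
    print("hosts:", host_names(tree))
    crumb = ["shop.example", "api", "cart", "summary"]
    crumb = climb_breadcrumb(crumb, "api")       # click "api" in the breadcrumbs
    for row in grid_rows(traffic_for(sessions, crumb)):
        print(" > ".join(crumb), row)
```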
Site Tree Icons
The following table identifies the icons displayed in the Site Tree.
Name          Represents
Server/host   The top level of your site's tree structure
Folder        A directory
Page          A file
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:
• Select the item in the Site Tree.
All traffic involving that item appears in the Traffic grid.
For more information, see "Working with Sessions" on page 174.  
Viewing Only Host Names  
To view a list of only the host names:  
• From the default tree view, click the filter icon once.
The Site Tree displays only the host names. Sub-directories are not accessible in this view. From this view, you can select one or more hosts and filter out the rest. See "Filtering for Selected Hosts" below.
To return to viewing the entire tree:
• Click the filter icon again.
Filtering for Selected Hosts  
To focus your research, you can filter for specific hosts in the Site Tree. To view only selected hosts  
and their sub-directories in the Site Tree:  
1. With the Site Tree displaying only the host names, select one or more hosts to view.  
2. Click the filter icon.  
Only the selected hosts appear in the Site Tree.  
3. Expand a host to display its sub-directories.  
Viewing All Host Names  
To return to viewing all host names:  
1. Click the filter icon.  
The Site Tree displays only the host names with the previously viewed hosts selected.  
2. Click each selected host to clear its selection.  
3. Click the filter icon.  
The Site Tree displays an unfiltered tree view of all traffic.  
Customizing Grid Views  
You can resize, reposition, add, and remove columns displayed in grid views.  
Resizing Columns  
To resize a column:  
1. Move your cursor to the border to the right of the column heading you want to resize.  
Your cursor becomes a double-headed arrow and the column heading background color changes  
to a lighter gray.  
2. Do one of the following:
• Drag the column border either right or left to the width you want.
• Double-click the border to resize the column to the width of the widest amount of data in the column. A horizontal scroll bar might be added to the bottom of the window.
Repositioning Columns  
To rearrange the order of the columns across the grid:  
1. Move your cursor to the column heading that you want to move.  
The column heading background color changes to a lighter gray.  
2. Click once.  
The column heading background color changes to white.  
3. Drag the column to the right or left into the position you want it.  
The column of data is moved and the remaining columns are shifted right or left by one column.  
Adding/Removing Columns  
By default, not all columns of data are displayed in the grid. Grid view settings allow you to select  
which columns of data you want visible in the grid. To add or remove displayed columns:  
1. In the grid view, click the settings icon.
A list of available columns appears.
Note: The column names indicate the memo headers that are generated during a scan.
2. Do the following:
• Select the check box for each column you want to add to the display.
• Clear the check box for each column you want to remove from the display.
3. Click anywhere outside the list of columns to close the list.  
The displayed columns are updated.  
Customizing Detail Views  
You can choose the layout and color theme for non-grid detail views, and you can hide or show the  
HTTP detail views.  
Changing the Layout  
When two detail views are visible for an item, such as the Request and Response detail views, you can  
rearrange the placement of the detail views to have them stacked vertically (one on top of the other)  
or have them aligned horizontally (side-by-side). To change the layout:  
1. In the detail view, click the settings icon.
The settings menu opens.
2. Do one of the following:
• To align the detail views vertically one on top of the other, click Vertical Layout.
• To align the detail views horizontally side-by-side, click Horizontal Layout.
Changing the Color Theme  
The default color theme is black and colored text on a white background. However, you might prefer  
white and colored text on a black background. To change the color theme:  
1. In the detail view, click the settings icon.
2. Do one of the following:
• To use black and colored text on a white background, click Light Theme.
• To use white and colored text on a black background, click Dark Theme.
Hiding and Showing HTTP Detail Views  
You can collapse (or hide) one of the HTTP detail views, such as the Request or Response detail view, so that only the contents of the other HTTP detail view are visible.
To hide a detail view:
• Click the hide icon in the detail view.
To show a hidden detail view:
• Click the show icon.
Resizing, Collapsing, and Expanding UI Elements  
You can resize, hide (or collapse), and show (or expand) certain user interface (UI) elements, such as a  
site tree or a grid view of data.  
Resizing an Element  
To resize an element, do one of the following:
• For UI elements with a horizontal layout of data, such as a grid view, drag the horizontal Collapse bar to widen or narrow the element.
• For UI elements with a vertical layout of data, such as a site tree, drag the vertical Collapse bar or the scroll bar to widen or narrow the panel.
Collapsing an Element
To collapse an element:
• Click Collapse.
Expanding an Element
To expand an element:
• Click Expand.
Using Auto Scroll  
Enabling auto scroll causes the traffic grid to scroll up as new sessions are added so that the newest  
traffic sessions are always visible. The auto scroll feature is only applicable when you are working with  
a scan that is currently running.  
Enabling Auto Scroll  
To enable auto scroll:  
• Click the scroll lock icon.
Disabling Auto Scroll  
You may want to pause auto scroll to examine a session in the Traffic grid. To disable auto scroll:  
• Click the scroll lock icon.
Note: You can resume auto scroll at any time during the active scan.  
Working with Traffic  
This section describes how to explore traffic, work with sessions and parameters, search and filter  
traffic data, and use regular expressions.  
Exploring Traffic  
By default, the Traffic grid displays all traffic generated during the scan, allowing you to explore the  
traffic for the entire scan. However, you can also view and explore traffic for a specific resource. You  
can search, sort, and filter the data in the Traffic grid. For more information, see "Searching and  
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:  
• Select the item in the Site Tree.
All traffic involving that item appears in the Traffic grid.
Using the Breadcrumbs  
When you select a resource in the Site Tree, breadcrumbs appear at the top of the traffic grid, similar  
to the sample shown here.  
These breadcrumbs indicate that the displayed traffic has been filtered down to the last resource  
listed in the breadcrumbs.  
To filter the traffic for a specific resource listed elsewhere in the breadcrumbs:  
• Click the resource in the breadcrumbs.
For example, if you want to view all traffic for the resources folder shown in the previous image,  
click resources.  
The selected resource becomes the final breadcrumb and Site Explorer updates the traffic sessions  
to show only the traffic for the selected resource.  
To remove the filter completely:  
• Click X in the final breadcrumb.
The breadcrumbs are removed and the traffic sessions are no longer filtered.  
Working with Sessions  
You cannot modify data you are viewing in a traffic file from a scan. You can, however, research the  
traffic data in the Traffic Viewer to get a better understanding of what happened during the scan. For  
example, you can resend a request using the HTTP Editor or you can view the session in a browser.  
Viewing the HTTP Detail  
You can view the request and response of a session in the HTTP detail view. This view is the default  
view for sessions selected in most grids. However, if you are seeing another detail view and want to  
see the request and response instead, you can switch to the HTTP detail view. To view a session in  
the HTTP detail view:  
1. Select a session in the grid.  
2. Click HTTP.  
The HTTP detail view opens, showing the request and response of the selected session.  
Wrapping Text  
Long lines of text in the detail views, such as in the Request and Response detail views, might make it  
impossible to view the content without using the horizontal scroll bars. You can use the Word Wrap  
setting to wrap the text to prevent the horizontal scroll bars. The Word Wrap setting is available in  
each detail view and is not a global setting for all detail views. The Word Wrap setting is saved in your  
user settings file for each detail view, and is the default behavior for the detail view the next time you  
open the application.  
To wrap text:  
• Right-click the detail view and select Word Wrap.
The long lines of text are wrapped and the horizontal scroll bar is removed.  
Decoding Percent-encoded Characters  
By default, requests and responses use percent-encoding for reserved characters. If you see percent-  
encoded characters, such as %3B and %40, in the text of a request or response, you can decode these  
characters to improve readability of the text. When you decode the characters in a request or  
response, the requests or responses for all parent and child sessions of the selected session will also  
be decoded. These characters remain decoded only while the scan is open. If you close the scan and  
reopen it, the default display applies, and reserved characters will once again be percent-encoded.  
To decode percent-encoded characters:  
• Right-click in the RESPONSE or REQUEST tab and select URL Decode.
The percent-encoded characters are converted to readable text.  
Resending a Request  
You can resend a request using the HTTP Editor. To resend a request:  
1. Select a session in the grid to view the request and response.  
2. If the HTTP detail view is not open, click HTTP.  
3. Right-click in the REQUEST detail view and select View in HTTP Editor.  
The HTTP Editor opens for the request. For more information about using the HTTP Editor, see  
the HTTP Editor online help or the Micro Focus Fortify WebInspect Tools Guide.  
Viewing a Session in the Browser  
You can view a session in the Browser detail view to see where the traffic occurred in your site. To  
view a session in the Browser:  
1. Select a session in the grid.  
2. Click BROWSER.  
The Browser detail view opens showing the selected session.  
Expanding Compressed Content  
Compressing (or minifying) content removes spaces, new line markers, comments, and block  
delimiters from code to reduce file size. However, the practice also makes the content more difficult  
for humans to read. You can use the Beautify setting to expand compressed text. The Beautify setting  
is available in each detail view and is not a global setting for all detail views. The Beautify setting is  
saved in your user settings file for each detail view, and is used as the default behavior for the detail  
view the next time you open the application.  
To expand compressed content:  
• Right-click in the detail view and select Beautify.  
The compressed content is expanded and becomes more readable.  
Note: Some text cannot be beautified, so you might not see the option.  
Working with Parameters  
You can view the Type, Name, and Value for parameters used in a traffic session. The Parameters  
detail view displays a grid with one record for each cookie or query string used in the traffic session.  
You can also view every traffic record in which the same parameter is used. You can access the  
Parameters detail view from the Traffic and Related Traffic grids.  
Understanding Parameters  
A parameter can be one of the following:  
• Cookie data  
• A query string submitted as part of the URL in the HTTP request (or contained in another header)  
• Data submitted using the Post method (such as set_<parametername>)  
Viewing Parameter Details  
To view the parameter details for a session:  
1. Select a session in the Traffic or Related Traffic grid.  
2. Click PARAMETERS.  
The Parameters detail view opens showing the parameters used in the selected session.  
Note: The detail view layout settings have no effect on the Parameters grid.  
Adding Parameter Columns to Traffic Grid  
You can add columns to the Traffic grid to display a parameter that is listed in the Parameters detail  
view. Adding these columns of data to the Traffic grid is useful when you are working with a workflow  
macro and need to follow a state parameter through the sessions to determine when and why you are  
being logged out of the application.  
For example, you might want to view the values for the JSESSIONID parameter to examine it from  
session to session to see where its value changes. You can add a column for the JSESSIONID  
parameter along with its companion column set_JSESSIONID to show where the value changes.  
To add columns for a parameter:  
1. Right-click the row for the parameter in the Parameters detail grid.  
2. Select Build Columns… .  
Note: If you have previously added columns for the selected parameter, the Build Columns  
option is unavailable.  
A column for the parameter name is added to the Traffic grid, along with a column for any methods  
that set the parameter value, if applicable. These columns are permanently added to the database for  
the current scan. The column names are also added to the grid settings menu. You can use the grid  
settings menu to add or remove the columns from view. See "Adding/Removing Columns" on  
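The state-parameter tracking described above, as an added example that is not part of the Fortify WebInspect product or this guide: it follows a cookie such as JSESSIONID through a list of constructed (request, response) header pairs, producing the same two views as the JSESSIONID and set_JSESSIONID columns, and lists the sessions in which the server handed out a new value. The sample sessions and the session IDs are constructed.

```python
"""Added example, not Fortify code: follow a state parameter such as JSESSIONID
from session to session, the way the JSESSIONID / set_JSESSIONID column pair
does in the Traffic grid, and report the sessions in which the server assigned
a new value. Sessions here are constructed (request, response) header pairs."""
import re
from http.cookies import SimpleCookie

SESSIONS = [
    ("GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=AAA111; Path=/; HttpOnly\r\n\r\n"),
    ("POST /login HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=AAA111\r\n\r\n",
     "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=BBB222; Path=/; HttpOnly\r\nLocation: /home\r\n\r\n"),
    ("GET /home HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=BBB222\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n"),
    ("GET /account HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=BBB222\r\n\r\n",
     "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=CCC333; Path=/\r\nLocation: /login\r\n\r\n"),
]


def header_values(raw, name):
    """All values of a header (case-insensitive) in a raw HTTP message."""
    return re.findall(rf"^{re.escape(name)}:[ \t]*([^\r\n]+)", raw, re.M | re.I)


def cookie_from(values, name):
    """Value of cookie `name` from a list of Cookie/Set-Cookie header values."""
    for value in values:
        jar = SimpleCookie()
        jar.load(value)
        if name in jar:
            return jar[name].value
    return None


def trace(name, sessions=SESSIONS):
    """(index, value sent in the request, value set by the response) per session,
    i.e. the two grid columns the guide describes."""
    return [(i, cookie_from(header_values(req, "Cookie"), name),
             cookie_from(header_values(resp, "Set-Cookie"), name))
            for i, (req, resp) in enumerate(sessions)]


def changes(name, sessions=SESSIONS):
    """Indexes of sessions whose response set a value different from the one
    the request carried: the places to inspect for a login or a forced logout."""
    return [i for i, sent, got in trace(name, sessions) if got is not None and got != sent]
```

In the constructed data, changes("JSESSIONID") returns sessions 0, 1 and 3: the first issue of the cookie, the post-login rotation, and the redirect back to /login where the application replaced the session, which is the kind of transition the column pair is meant to make visible.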
Drilling Down Into Traffic Data  
You can view traffic for a resource in the Site Tree, and then drill down to view related traffic for a  
session in the Traffic grid view.  
Viewing Traffic for a Resource  
You can view the traffic for a resource in the Site Tree. To view the traffic for an item:  
• Select the item in the Site Tree.  
All traffic involving that item appears in the Traffic grid.  
Viewing Related Traffic for a Session  
You can view the related traffic for a session in the Traffic grid.  
To view related traffic for a session:  
• Double-click a session in the Traffic grid.  
The Related Traffic grid appears. If parent traffic sessions are available, you can click through the  
list of parents and see the HTTP and browser detail views for them.  
To return to the Traffic grid:  
• Click the vertical Traffic title bar.  
The Traffic grid appears displaying all traffic.  
For more information, see "Working with Stacked Grids" below.  
Working with Stacked Grids  
When you drill down into grid data, an additional grid opens with a vertical title bar. When you drill  
down through multiple layers of grid data, each new grid is stacked on the previous grid with its  
vertical title bar visible. The following example shows three stacked grids.  
Note: Not all applications include all of the grids shown above.  
Viewing and Closing Stacked Grids  
You can view a specific grid in the stack by closing any grids stacked on it. You can also close all  
stacked grids at once.  
To view a specific grid in the stack:  
• Click the title bar of the grid you want to view.  
All grids stacked on the one you want to view are closed.  
To close all stacked grids:  
• Click the leftmost grid title bar.  
All stacked grids are closed.  
Searching and Filtering  
You can search on the data displayed in grid views and in most non-grid views. You can also sort and  
filter on each column displayed in a grid. If an active scan is being viewed, you can search, filter, and  
sort on live data in the scan that is running. For more information about formatting search queries,  
Searching in Grid Views  
You can search for data in a single column or in multiple columns displayed in a grid. To search on the  
data displayed in a grid:  
1. Click the search icon ( ).  
2. In the Search field, type the column name (without spaces), the operator, and the value you are  
searching for.  
Examples:  
Status='404 Not Found'  
ResponseStart>'9/4/2015 9:08:52.242 AM'  
Status~'3[0-9][0-9].*'  
3. (Optional) To search on multiple columns, press the Space Bar, type the next column name  
(without spaces), the operator, and the value you are searching for. Searching on multiple  
columns is treated as an AND search; only records that include search criteria specified for each  
column will be displayed. Repeat for each column that you want to search.  
Example:  
Method=GET Status~'3[0-9][0-9].*'  
4. Press Enter or click the search icon.  
You can also use regular expressions to search for patterns in the grid. For more information, see  
Searching in Non-grid Views  
You can search for data in non-grid views, such as in the Request and Response tabs. To search in  
tabs:  
1. Select a row of data in the grid.  
Details for the selected data appear in the associated tab(s), such as in the Request and  
Response tabs.  
2. Type the value you are searching for in the tab search field.  
3. (Optional) To use regular expressions in your search criteria, select the RegEx check box. For  
4. Press Enter.  
Clearing the Search  
To clear the search criteria, click the x in the search icon.  
Sorting in the Grid  
To sort by any column in the grid:  
• Click the column heading.  
Filtering in the Grid  
To filter on one or more columns in the grid:  
1. Click in the column heading.  
A filter panel appears below the column heading.  
2. Type a filter expression in the filter field.  
A filter expression consists of an optional operator (>, <, >=, <=, !=, ~, =) or one of the functions "in",  
"notin", or "regex" followed by a string. The range operator (..) is an exception, as it sits  
between two strings. For more information, see "Understanding the Search Expressions" on the  
Examples:  
443  
'400 Bad Request'  
30*  
'9/3/2015 10:53:08.000 AM'..'9/3/2015 10:53:12.089 AM'  
in(200,300) notin(400,500)  
Note: The equal (=) operator may not filter accurately on columns containing date and time  
information.  
For more information, see "Rules for Filtering in the Grid" below.  
3. Press Enter.  
Data in the grid is filtered based on the expression entered. The icon in the filtered column  
heading changes to .  
4. To filter on additional columns, repeat steps 1-3 on each column.  
Rules for Filtering in the Grid  
The following rules apply to filtering in the grid:  
• You do not need to specify the field name. Since you edit the filter in a specific column, the field name is identified implicitly.  
• You can use search operators in the filter field. For more information, see "The Operators" on  
• If no operators or wild cards are specified in the filter field, the filter is converted to a "contains" clause of the form field:*string*. If the search is enclosed in quotation marks, the filter is converted to field:'*string*'.  
  For example, the filter string 404 Not Found in the Status column is converted to Status:'*404*' Status:'*Not*' Status:'*Found*' and displays all sessions with a Status that contains either 404, Not, or Found. The filtered results would include such statuses as '302 Found', '404 Not Found', and '405 Method Not Allowed'.  
  The filter string '404 Not Found' in the Status column is converted to Status:'*404 Not Found*' and displays all sessions with a Status that contains '404 Not Found'.  
• You can specify multiple search filters in the filter field, separated by spaces.  
• Filters on date and time fields must be enclosed in either single (') or double (") quotation marks.  
Clearing a Filtered View  
To clear a filtered view on one or more columns in the grid:  
1. Click in a column heading that is filtered.  
A search panel appears below the column heading.  
2. Click Clear.  
Data in the column is no longer filtered.  
3. To clear the filter on additional columns, repeat steps 1 and 2 on each filtered column.  
Understanding the Search Expressions  
This topic explains the components of the expressions used to search in the grid and tabs.  
Basic Format of a Query  
The basic format of a search query is:  
<PropertyName><Operator><SearchValue>  
If you are searching the entire grid, the PropertyName is the column name that you wish to include in  
the search. If you are searching in a tab, such as the Request or Response tabs, the PropertyName is  
the field/property name, such as 'Request' or 'Response'.  
If you are searching within a column in the grid, omit the PropertyName. The format for this type of  
search is:  
<Operator><SearchValue>  
To use regular expression (RegExp) syntax in your search, the format is:  
<PropertyName> RegExp('[RegexSearchValue]','[RegexFlags]')  
For more information about using regular expressions, see "Using Regular Expressions" on page 184.  
Simple Query  
You can perform a simple query on string data that contains no special characters and on integers.  
Simple queries are:  
Method=GET  
Scan.CheckId=6  
Searching for Data that Contains Spaces or Special Characters  
If there is a space or special character in the content you are searching for, enclose the content in  
either single (') or double (") quotation marks:  
Status='404 Not Found'  
Path='/signin.html'  
The quotation marks can be combined with wildcards:  
ResponseStart:*'7/8/2015 4:22:'*  
Searching with More than One Expression  
A search can include more than one expression at the same time, with the expressions separated from  
each other by a space:  
Path='/banklogin.asp' Method=GET  
If the same field is listed more than once, it becomes an "OR" expression:  
Path='/banklogin.asp' Path='/login1.asp'  
This search would return all records where Path is either '/banklogin.asp' or '/login1.asp'.  
Other fields added to the expressions are treated as an "AND" expression:  
Path='/banklogin.asp' Path='/login1.asp' Method=POST  
This search would return all records where Path is either '/banklogin.asp' or '/login1.asp' AND Method  
is 'POST'.  
Another example of an AND/OR search is:  
Method=POST Scan.Engine:Sql* Scan.Engine:Cross*  
This search would return all records where Method is 'POST' and the value of Scan.Engine starts with  
either 'Sql' or 'Cross'.  
Searching for Null Data  
To search for data that contains null (empty) entries, use the = operator followed by two single  
quotation marks (''):  
ParameterValue=''  
To filter for data that contains null (empty) entries in a specific column, use the = operator followed  
by two single quotation marks ('') in the column filter field.  
Using Column Names in Search Queries  
To search on a column or field name that includes a space, remove the space in the search query. For  
example, to search on the Response End column in the grid, use the following format:  
ResponseEnd='7/8/2015 4:22:52 PM'  
Using Regular Expressions  
To search for patterns, you can use the regular expression operator (~) and include regular  
expressions in the search:  
Response~'[0-9].*='  
You can also construct regular expression syntax:  
Response RegExp('[0-9].*=','i')  
For more information about using regular expressions, see "Using Regular Expressions" on page 184.  
The Operators  
The following table describes the operators and functions available for use in searching and filtering.  
The PropertyName used in the example column would be the column name when searching the grid  
or the field/property name when searching tabs. If you are filtering directly in a column, do not include  
the field/property name in the column filter field.  
Operator   Description and example(s)  
=          Find only exact matches to the search string. Example: PropertyName=asdf  
>          Find data greater than the search number or date. Example: PropertyName>123  
>=         Find data greater than or equal to the search number or date. Example: PropertyName>=123  
<          Find data less than the search number or date. Example: PropertyName<123  
<=         Find data less than or equal to the search number or date. Example: PropertyName<=123  
!=         Find data not equal to the search string. Example: PropertyName!=asdf  
:          Find only exact matches to the search string using wildcards; search is case sensitive. If the search string contains a space or dash (-), it must be enclosed in either single or double quotation marks. Examples: PropertyName:asdf (find exact matches); PropertyName:*asdf (find data that ends with search string); PropertyName:*asdf* (find data that contains search string); PropertyName:asdf* (find data that starts with search string)  
..         Find data that is within a specified range of values. Example: PropertyName:'7/15/2015 5:00 PM'..'7/15/2015 5:15 PM'  
~          Find the search string using regular expressions. For more information about using regular expressions, see "Using Regular Expressions". Example: PropertyName~'sea[a-z]ches'  
in         Find matches to the search value(s) listed in parentheses; to search for multiple values, include a comma-separated list in parentheses. Examples: PropertyName in(123,456) or PropertyName in(abc,def); Port in(80,443) (find all sessions with a port of 80 or 443); Method in(GET) (find all sessions with a method of 'GET')  
notin      Find everything except the search value(s) listed in parentheses; to exclude multiple values, include a comma-separated list in parentheses. Examples: PropertyName notin(123,456) or PropertyName notin(abc,def); Port notin(80,443) (exclude all sessions with a port of 80 or 443); Method notin(GET) (exclude all sessions with a method of 'GET')  
Using Regular Expressions  
Using the tilde (~) operator with a regular expression means that whatever is on the left of the tilde is  
searched using the regular expression on the right. You can also construct more complex regular  
expression (RegExp) syntax.  
Traffic String Properties for Searching  
You can use regular expressions to search any of the Traffic string properties, which are numbers,  
strings, or dates. This includes all fields that are listed when you click the settings icon ( ) in a  
Traffic grid view.  
Using the Tilde (~) Operator  
When using the tilde (~) operator, the format is:  
<PropertyName>~'RegexPattern'  
You can use single or double quotation marks.  
Examples  
The following query returns a list of sessions with a Referer in the request header that contains an  
index.jsp file:  
Request~'Referer:\\s.+/index\\.jsp'  
The following query returns a list of sessions with a Location in the response header that contains an  
index.php or index.html file:  
Response~'Location:\\s.+/index\\.(php|html)'  
The following query returns a list of sessions with index.html or index.php files that were attacked by  
an audit engine whose name begins with ‘Cross’ or ‘Sql’:  
Path~'/index\.(html|php)' Scan.Engine~'^(Cross|Sql)'  
Using RegExp Syntax  
RegExp syntax, which is similar to JavaScript, uses the following formats:  
<PropertyName> RegExp('RegexPattern') - Performs a case-sensitive search  
<PropertyName> RegExp('RegexPattern','i') - Performs a case-insensitive search  
Examples  
The following query returns a list of sessions with a Referer in the request header that contains an  
index.jsp file:  
Request RegExp('Referer:\\s.+/index\\.jsp','i')  
The following query returns a list of sessions with a Location in the response header that contains an  
index.php or index.html file:  
Response RegExp('Location:\\s.+/index\\.(php|html)','i')  
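The query language described in "Basic Format of a Query", "Searching with More than One Expression", "Rules for Filtering in the Grid", "The Operators" and "Using Regular Expressions", as an added example that is not code from Fortify WebInspect or this guide: a small evaluator for that language, run over constructed session records whose field names follow the guide's own examples. It assumes that "=" is an exact, case-sensitive comparison, that the doubled backslashes in the guide's regex examples (\\s) stand for a single regex backslash, and it does not handle dates or the ".." range operator.

```python
"""Added example, not code from Fortify WebInspect or its documentation: an
evaluator for the Traffic grid search language described in this chapter,
run over constructed session records. Assumptions: '=' is an exact,
case-sensitive comparison; the doubled backslashes in the guide's regex
examples (\\s) stand for one regex backslash; dates and '..' are not handled."""
import re

# Constructed sample sessions. Field names follow the grid columns used in the
# guide's own examples (Method, Status, Path, Port, Scan.Engine, Request).
SESSIONS = [
    {"Method": "GET", "Status": "200 OK", "Path": "/index.jsp", "Port": "443",
     "Scan.Engine": "Crawler",
     "Request": "GET /index.jsp HTTP/1.1\r\nReferer: https://app.example/home/index.jsp\r\n\r\n"},
    {"Method": "POST", "Status": "302 Found", "Path": "/banklogin.asp", "Port": "443",
     "Scan.Engine": "Sql Injection", "Request": "POST /banklogin.asp HTTP/1.1\r\n\r\nuser=a"},
    {"Method": "GET", "Status": "404 Not Found", "Path": "/login1.asp", "Port": "80",
     "Scan.Engine": "Crawler", "Request": "GET /login1.asp HTTP/1.1\r\n\r\n"},
    {"Method": "GET", "Status": "405 Method Not Allowed", "Path": "/index.php", "Port": "8080",
     "Scan.Engine": "Cross-Site Scripting", "Request": "GET /index.php HTTP/1.1\r\n\r\n"},
]

TOKEN = re.compile(r"""(?:[^\s'"]+|'[^']*'|"[^"]*")+""")   # space-separated, quote-aware
TERM = re.compile(r"^([A-Za-z][\w.]*)(>=|<=|!=|=|>|<|:|~)(.*)$")
FUNC = re.compile(r"^(in|notin)\((.*)\)$")
REGEXP = re.compile(r"""^RegExp\(('[^']*'|"[^"]*")(?:,('[^']*'|"[^"]*"))?\)$""")
OPERATOR_START = re.compile(r"^(>=|<=|!=|=|>|<|~|:|in\(|notin\(|regex)")


def unquote(s):
    """Strip one pair of matching single or double quotes, if present."""
    return s[1:-1] if len(s) >= 2 and s[0] in "'\"" and s[-1] == s[0] else s


def unescape(pattern):
    return pattern.replace("\\\\", "\\")   # assumption: '\\s' in the guide means '\s'


def parse(query):
    """Turn a query string into (property, operator, value) terms."""
    terms, prop = [], None
    for tok in TOKEN.findall(query):
        if m := TERM.match(tok):
            terms.append((m.group(1), m.group(2), m.group(3)))
            prop = None
        elif (m := FUNC.match(tok)) and prop:
            terms.append((prop, m.group(1), [unquote(v.strip()) for v in m.group(2).split(",")]))
        elif (m := REGEXP.match(tok)) and prop:
            terms.append((prop, "RegExp", (unquote(m.group(1)), unquote(m.group(2) or ""))))
        else:
            prop = tok   # bare property name; in()/notin()/RegExp() tokens that follow apply to it
    return terms


def matches(term, record):
    """Evaluate one term against one session record."""
    prop, op, val = term
    actual = str(record.get(prop, ""))
    if op in ("=", "!="):
        return (actual == unquote(val)) == (op == "=")
    if op in (">", "<", ">=", "<="):
        try:
            a, b = float(actual), float(unquote(val))
        except ValueError:
            a, b = actual, unquote(val)             # fall back to string ordering
        return {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]
    if op == ":":                                   # case-sensitive wildcard over the whole value
        parts = [re.escape(unquote(p)) for p in unquote(val).split("*")]
        return re.fullmatch(".*".join(parts), actual) is not None
    if op == "~":
        return re.search(unescape(unquote(val)), actual) is not None
    if op == "RegExp":
        pattern, flags = val
        f = (re.I if "i" in flags else 0) | (re.M if "m" in flags else 0)
        return re.search(unescape(pattern), actual, f) is not None
    if op in ("in", "notin"):
        return (actual in val) == (op == "in")
    raise ValueError(f"unknown operator {op!r}")


def search(query, records=SESSIONS):
    """Indexes of matching records: terms on the same property are OR'ed,
    different properties are AND'ed, as the guide describes."""
    groups = {}
    for term in parse(query):
        groups.setdefault(term[0], []).append(term)
    return [i for i, rec in enumerate(records)
            if all(any(matches(t, rec) for t in ts) for ts in groups.values())]


def column_filter(column, text):
    """Rewrite a column-filter entry per 'Rules for Filtering in the Grid':
    bare words become one '*word*' contains clause each (OR'ed), quoted text
    becomes a single contains clause, operators and wildcards pass through."""
    text = text.strip()
    if OPERATOR_START.match(text):
        return column + (" " if text[0].isalpha() else "") + text
    if "*" in text or ".." in text:
        return f"{column}:{text}"
    if len(text) >= 2 and text[0] in "'\"" and text[-1] == text[0]:
        return f"{column}:'*{text[1:-1]}*'"
    return " ".join(f"{column}:'*{w}*'" for w in text.split())
```

With the constructed records, search("Path='/banklogin.asp' Path='/login1.asp' Method=POST") returns only the POST to /banklogin.asp, search(column_filter("Status", "404 Not Found")) returns the three sessions whose status contains 404, Not or Found, and search(column_filter("Status", "'404 Not Found'")) returns just the 404, which is the difference the filtering rules describe.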
Understanding the RegExp Syntax  
The following diagrams define the parts of the RegExp syntax.  
Item  Description  
1     Specifies whether raw HTTP Request or raw HTTP Response data is searched; includes both Header and Body data  
2     Defines the regular expression pattern to search for using the regular expression characters described in the table below  
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following  
table describes some of these characters and includes short examples showing how the characters are  
used. Another recommended resource is the Regular Expression Library online at  
Character  Description  
\          Marks the next character as special. /n/ matches the character "n". The sequence /\n/ matches a linefeed or newline character.  
^          Matches the beginning of input or line. Also used with character classes as a negation character. For example, to exclude everything in the content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.  
$          Matches the end of input or line.  
*          Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo."  
+          Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z."  
?          Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never."  
.          Matches any single character except a newline character.  
|          Indicates OR between two or more literal text search terms. For example, the following query will return a list of sessions where the path contains /index.html OR /index.php: Path~'/index\.(html|php)'  
i          Ignores character case. Use this character in the second argument in the RegExp. For example: PropertyName RegExp('stuff[abc]','i'). You can combine this with other flags. For example: PropertyName RegExp('stuff[abc]','mi')  
m          Searches in multi-line mode. Use this character in the second argument in the RegExp. For example: PropertyName RegExp('stuff[abc]','m'). You can combine this with other flags. For example: PropertyName RegExp('stuff[abc]','mi')  
[xyz]      A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain."  
\b         Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early."  
\B         Matches a non-word boundary. /ea*r\B/ matches the "ear" in "never early."  
\d         Matches a digit character. Equivalent to [0-9].  
\D         Matches a non-digit character. Equivalent to [^0-9].  
\f         Matches a form-feed character.  
\n         Matches a linefeed character.  
\r         Matches a carriage return character.  
\s         Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v]  
\S         Matches any non-white space character. Equivalent to [^ \f\n\r\t\v]  
\w         Matches any word character including underscore. Equivalent to [A-Za-z0-9_].  
\W         Matches any non-word character. Equivalent to [^A-Za-z0-9_].  
The Traffic Viewer Proxy  
This section describes how to start proxy mode, create a new proxy file, and configure the Traffic  
Viewer proxy settings.  
Using the Traffic Viewer Proxy  
You can create a new proxy file using the Traffic Viewer in proxy mode. This file can be saved as a  
traffic file or as a macro. For example, you may want to record the login process for your website and  
save the captured data as a login macro.  
Starting Proxy Mode  
To start proxy mode, do one of the following:  
• While viewing traffic data from an open scan, click NEW.  
• After launching the Traffic Viewer from the Tools menu (or the Toolkit in Fortify WebInspect Enterprise), click OPEN to view a previously recorded proxy file or click NEW to create a new one.  
The proxy tool buttons appear at the top of the window.  
Creating a New Proxy File  
To create a new proxy file:  
1. Click NEW.  
The proxy tool buttons appear at the top of the window.  
2. To begin recording the proxy file, click START.  
3. Click BROWSE.  
The tool launches the TruClient with Firefox browser.  
4. In the browser, navigate to the portions of your site that you wish to view in the proxy file.  
Traffic coming through the proxy populates the grid in the Traffic Viewer.  
5. When you are finished, click STOP.  
6. Do one of the following:  
• To save the proxy file as a traffic file (.tsf), click SAVE.  
• To save the proxy file as a macro (.webmacro), click the SAVE drop-down menu and select as Macro.  
Configuring the Proxy Listener  
A proxy listener is a local HTTP proxy server that listens for incoming connections from your browser.  
You configure the Proxy Listener on the settings page. Click to access the settings.  
To configure the proxy listener:  
• In the GENERAL area, type the Local IP Address and Port number for the proxy listener.  
Note: By default, the proxy uses localhost (IP address 127.0.0.1) and port 8080, but you can  
change this if necessary.  
To configure Web Proxy on your host to be used by another host, you will need to change the value of  
the Local IP Address. The default address of 127.0.0.1 is not available to outside hosts. If you change  
this value to your workstation's current IP address, remote stations can use your workstation as a  
proxy.  
Both the proxy and your Web browser must use the same IP address and port. These settings are  
automatically applied to the browser when you use the Browse button in proxy mode. If you launch  
the browser outside of the Traffic Viewer, the settings are not applied.  
Configuring the Proxy  
You configure the proxy settings in the application settings. Click to access the settings.  
To configure the proxy:  
1. Select from the options in the PROXY section. The options are described in the following table.  
Option                               Description  
Direct Connection (proxy disabled)   Select this option if you are not using a proxy server.  
Auto detect proxy settings           Use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy autoconfig file and configure the browser's web proxy settings.  
Use System proxy settings            Import your proxy server information from the local machine.  
Use Firefox proxy settings           Import your proxy server information from Firefox. Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a proxy server will not be used.  
Configure proxy using a PAC file     Load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in the PAC File URL field.  
Explicitly configure proxy settings  To configure a proxy, provide the following information:  
  a. From the Type list, select a protocol type for handling TCP traffic through a proxy server: Socks4, Socks5, or Standard.  
  b. If authentication is required, select one of the following types from the Authentication Type list: Automatic, Basic, Digest, Kerberos, Negotiate, or NTLM (NT LAN Manager).  
  c. In the Server field, type the URL or IP address of your proxy server, followed (in the Port field) by the port number (for example, 8080).  
  d. If your proxy server requires authentication, type credentials in the User Name and Password fields.  
  e. If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), type the addresses or URLs in the Bypass proxy for field. Use commas to separate entries.  
2. Click SAVE.  
Configuring Client Certificates  
Configure client certificates in the Traffic Viewer proxy settings. Click to access the settings.  
To enable client certificates and specify a certificate to use:  
1. In the CLIENT CERTIFICATES area, select Enable Client Certificates.  
2. Select the Certificate Store for the certificate you want to use. Options are:  
• Local Machine - The certificate store that is local to the computer and is global to all users on the computer.  
• Current User - The certificate store that is local to the current user account on the computer.  
Note: Certificates used by a common access card (CAC) reader are user certificates and  
are stored under Current User.  
3. Do one of the following:  
• To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.  
• To select a trusted root certificate, select Root from the drop-down list.  
4. Does the website use a common access card (CAC) reader?  
• If yes, do the following:  
  i. Select a certificate that is prefixed with "(SmartCard)" from the Certificate list.  
     Information about the selected certificate and a Pin field appear in the Certificate Information area.  
  ii. If a PIN is required, type the PIN for the CAC in the Pin field.  
  iii. Click Test.  
     If you entered the correct PIN, a Success message appears.  
• If no, select a certificate from the Certificate list.  
Information about the selected certificate appears below the Certificate list.  
5. Click SAVE.  
Configuring Proxy Exclusions  
You may not want certain types of files, such as image files or PDFs, to be included in the proxy data.  
You can exclude them from being recorded. Excluding these files allows you to focus on HTTP  
request/response lines and headers by removing clutter from the message body. Exclude these files  
in the Traffic Viewer proxy settings. Click to access the settings.  
To exclude file types:  
1. In the DO NOT RECORD area, use regular expressions to type the file extension(s) that you want  
to exclude from capture in the proxy file.  
Example:  
.*\.jpg$,.*\.png$,.*\.bmp$  
For more information, see "Using Regular Expressions" on page 184.  
2. Click SAVE.  
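The DO NOT RECORD list above, as an added example that is not Fortify code: it splits the guide's comma-separated regular-expression setting into patterns and decides, for a list of constructed request URLs, which sessions would be kept. It assumes the tool tests each pattern against the URL path; the match_path_only flag shows what changes when the full URL, query string included, is tested instead, which defeats a "$"-anchored extension pattern.

```python
"""Added example, not Fortify code: apply a DO NOT RECORD exclusion list, given
as a comma-separated list of regular expressions as in the guide, to request
URLs and report which sessions would be captured. Assumption: the tool tests
each pattern against the URL path; the match_path_only flag shows what
changes if the full URL (with query string) is tested instead."""
import re
from urllib.parse import urlsplit

DO_NOT_RECORD = r".*\.jpg$,.*\.png$,.*\.bmp$"   # the guide's example setting


def compile_exclusions(setting):
    """Split the comma-separated setting into compiled patterns."""
    return [re.compile(p.strip()) for p in setting.split(",") if p.strip()]


def should_record(url, exclusions, match_path_only=True):
    """False if any exclusion matches; True if the session should be kept."""
    target = urlsplit(url).path if match_path_only else url
    return not any(p.match(target) for p in exclusions)


def partition(urls, exclusions, **kw):
    """Split URLs into (recorded, skipped) lists."""
    recorded, skipped = [], []
    for url in urls:
        (recorded if should_record(url, exclusions, **kw) else skipped).append(url)
    return recorded, skipped


# Constructed sample requests, including the two edge cases worth knowing about:
# a cache-busting query string after the extension, and an upper-case extension.
SAMPLE_URLS = [
    "https://app.example/api/login",
    "https://app.example/img/logo.png",
    "https://app.example/img/logo.png?v=2",
    "https://app.example/img/PHOTO.JPG",
]
```

The upper-case PHOTO.JPG stays recorded because the patterns are case-sensitive as written; if the tool's regex engine honours the inline (?i) flag, an entry such as (?i).*\.jpg$ would cover both spellings.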
Configuring Search and Replace  
Search and replace allows you to create rules for locating and replacing text or values in HTTP  
messages coming through the proxy. This feature provides a highly flexible tool for automating your  
simulated attacks. Some suggested uses include:  
• Masking sensitive data, such as user names and passwords  
• Appending a cookie to each request  
• Modifying the Accept request-header field to add or delete media types that are acceptable for the response  
• Replacing a variable in the Request-URI with a cross-site scripting attack  
Configure search and replace in the Traffic Viewer proxy settings. Click to access the settings.  
Finding and Replacing Text  
To find and replace text in requests or responses:  
1. Click ADD.  
A default entry is added to the table.  
2. Double-click the Search On column of the entry.  
3. Click the drop-down arrow and select the message area you want to search. Options are:  
• RequestFull - Search and replace in the entire request message.  
• RequestHeader - Search and replace in the request header only.  
• RequestBody - Search and replace in the request body only.  
• ResponseFull - Search and replace in the entire response message.  
• ResponseHeader - Search and replace in the response header only.  
• ResponseBody - Search and replace in the response body only.  
The following diagram identifies the parts of a response message:  
Item  Description  
1     Response Header  
2     Response Body  
4. In the For column, type the data (or a regular expression representing the data) you want to find.  
5. In the Replace With column, type the data you want to substitute for the found data.  
Note: To use a regular expression in the For and/or Replace With columns, select the Regex  
6. Repeat steps 1-5 to create additional search rules.  
7. Click SAVE.  
Using Regular Expressions in Rules  
Caution! This section should be used only by advanced users with experience in constructing  
regular expression syntax.  
Advanced users can configure search and replace rules using regular expressions in both the For  
column and the Replace With column. For example, if you enable a rule using regular expressions to  
search on the ResponseBody for (<return>)([^<]+)(</return>) and replace the findings with  
$1<![CDATA[$2]]>$3, the search rule would make the following changes:  
For more information, see "Using Regular Expressions" on page 184.  
How Rules Are Applied  
The request/response rules are applied sequentially, in the order in which they appear. For example, if  
a rule changes HTTPS to SSL, and if a subsequent rule then changes SSL to SECURE, the result will be  
that HTTPS is changed to SECURE.  
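The regular-expression rule above and the sequential application described here can be checked outside the tool. The following Python script is an added example, not code from the Traffic Viewer or from Fortify: it models a rule table, translates the $1-style back-references the editor uses into Python's re syntax, and applies the rules in table order to a constructed request and response. The Rule class, the sample messages and the split of a message into header and body at the first blank line are assumptions made for the example.

```python
"""Added example (not Fortify code): Traffic Viewer style search-and-replace rules,
applied in table order to an HTTP request or response."""
import re
from dataclasses import dataclass

# The rule editor uses .NET-style $1 back-references in Replace With; Python's
# re.sub wants \g<1>, so templates are translated before substitution.
_DOLLAR_REF = re.compile(r"\$(\d+)")


@dataclass
class Rule:
    search_on: str        # RequestFull/RequestHeader/RequestBody/ResponseFull/ResponseHeader/ResponseBody
    pattern: str          # literal text, or a regular expression when regex=True
    replacement: str      # literal text, or a $1-style template when regex=True
    regex: bool = False   # the Regex option
    enabled: bool = True  # the Enabled check box


def split_message(message: str):
    """Split a raw HTTP message at the first blank line; the separator stays with the header."""
    head, sep, body = message.partition("\r\n\r\n")
    return head + sep, body


def apply_rule(rule: Rule, header: str, body: str):
    def substitute(text: str) -> str:
        if rule.regex:
            template = _DOLLAR_REF.sub(lambda m: "\\g<" + m.group(1) + ">", rule.replacement)
            return re.sub(rule.pattern, template, text)
        return text.replace(rule.pattern, rule.replacement)

    area = rule.search_on.replace("Request", "").replace("Response", "")
    if area == "Full":
        return split_message(substitute(header + body))
    if area == "Header":
        return substitute(header), body
    if area == "Body":
        return header, substitute(body)
    raise ValueError(f"unknown Search On value: {rule.search_on}")


def apply_rules(message: str, rules, direction: str) -> str:
    """direction is 'Request' or 'Response'. Rules run sequentially, in list order,
    so a later rule sees the output of an earlier one."""
    header, body = split_message(message)
    for rule in rules:
        if rule.enabled and rule.search_on.startswith(direction):
            header, body = apply_rule(rule, header, body)
    return header + body


# Constructed samples (not captured traffic).
SAMPLE_REQUEST = "GET /api HTTP/1.1\r\nHost: app.example\r\nX-Scheme: HTTPS\r\n\r\n"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
                   "<result><return>Tom & Jerry</return></result>")

RULES = [
    # the CDATA example from the page
    Rule("ResponseBody", r"(<return>)([^<]+)(</return>)", "$1<![CDATA[$2]]>$3", regex=True),
    # the two-step chain from "How Rules Are Applied": HTTPS -> SSL -> SECURE
    Rule("RequestHeader", "HTTPS", "SSL"),
    Rule("RequestHeader", "SSL", "SECURE"),
]


def demo():
    return (apply_rules(SAMPLE_REQUEST, RULES, "Request"),
            apply_rules(SAMPLE_RESPONSE, RULES, "Response"))


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

Clearing the Enabled flag on the third rule leaves X-Scheme at SSL, which is the quickest way to see that order and enablement, not just the patterns, determine the result.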
Enabling a Rule  
To enable a rule:  
1. Select the Enabled check box for the rule you want to enable.  
2. Click SAVE.  
Disabling a Rule  
To disable a rule without deleting it:  
1. Clear the Enabled check box for the rule you want to disable.  
2. Click SAVE.  
Deleting a Rule  
To delete a rule:  
1. Select the rule you want to delete.  
2. Click REMOVE.  
3. Click SAVE.  
Editing a Rule  
To edit a rule:  
1. Click an entry in the Search On, For, or Replace With column.  
2. Change the data.  
3. Click SAVE.  
Chapter 16: Web Discovery  
Use Web Discovery to find all open hosts in your enterprise environment.  
How It Works  
Web Discovery sends packets to all the open ports (in a range of IP addresses and ports that you  
specify), searches the server's response for specific information, and then displays the results. There  
are two predefined packets included with Web Discovery: Web Server and SSL Web Server. They both  
contain the following HTTP request:  
GET / HTTP/1.0  
Web Discovery searches the HTTP response for the string "HTTP"; if it finds the string, it displays the  
IP address, port number, and the text "WebServer," followed by the results of a regular expression  
search designed to reveal the server's name and version number.  
You can save the list of discovered servers in a text file.  
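As an added example (not Fortify's code), the following Python script sends the same GET / HTTP/1.0 probe, applies the tool's test of whether the reply contains "HTTP", and pulls the Server header with a regular expression of my own, since the expression Fortify uses is not published. The connect, send and receive timeouts mirror the Connectivity settings described later in this chapter (here in seconds rather than milliseconds); when any of them expires, or the port refuses the connection, the endpoint is reported as having no service. The local listener at the bottom is a constructed fixture so the script runs offline; the canned banners are made up.

```python
"""Added example (not Fortify code): a Web Discovery style probe, with the timeouts
from the Connectivity settings, plus a local listener so it runs offline."""
import re
import socket
import threading

PROBE = b"GET / HTTP/1.0\r\n\r\n"   # the request both predefined packets send

# Assumed regex for the server name/version; Fortify's own expression is not published.
SERVER_RE = re.compile(rb"^Server:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def identify(response: bytes):
    """The tool's test: an endpoint is reported as a WebServer only if the reply contains 'HTTP'."""
    if b"HTTP" not in response:
        return None
    m = SERVER_RE.search(response)
    return {"type": "WebServer", "server": m.group(1).decode("latin-1").strip() if m else ""}


def probe(ip, port, connect_timeout=2.0, send_timeout=2.0, receive_timeout=2.0, max_bytes=4096):
    """Connect, send PROBE, read the banner. Any timeout expiry, refusal or reset
    closes the socket and reports no service (None), as the tool does."""
    try:
        with socket.create_connection((ip, port), timeout=connect_timeout) as s:
            s.settimeout(send_timeout)
            s.sendall(PROBE)
            s.settimeout(receive_timeout)
            chunks, total = [], 0
            while total < max_bytes:
                data = s.recv(1024)
                if not data:          # server closed the connection (HTTP/1.0 behaviour)
                    break
                chunks.append(data)
                total += len(data)
    except OSError:                   # ConnectionRefusedError, socket.timeout, resets
        return None
    return identify(b"".join(chunks))


def discover(addresses, ports, **timeouts):
    """Sweep the given addresses and ports; return (ip, port, type, server) for each hit."""
    hits = []
    for ip in addresses:
        for port in ports:
            found = probe(ip, port, **timeouts)
            if found:
                hits.append((ip, port, found["type"], found["server"]))
    return hits


# Constructed fixture: a throwaway 127.0.0.1 listener that answers one connection.
CANNED_HTTP = (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.54 (Unix)\r\n"
               b"Content-Type: text/html\r\n\r\n<html></html>")


def serve_once(response: bytes = CANNED_HTTP) -> int:
    """Bind an ephemeral port, answer one client from a daemon thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)

    def handler():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)       # consume the probe
                conn.sendall(response)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_once()
    print(discover(["127.0.0.1"], [port]))
```

A service that answers without the string "HTTP" (an SMTP banner, for instance) is deliberately not reported, which is what the page says the tool does; treat the output as a list of HTTP speakers, not as a full port inventory.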
Web Discovery Tool Image  
The following image shows the Web Discovery tool with an IP address range entered for discovering  
sites.  
Discovering Sites  
To run Web Discovery to discover sites:  
1. In the IPV4/IPV6 Addresses (or ranges) box, type one or more IP addresses (or a range of IP  
addresses).  
• Use a semicolon to separate multiple addresses.
Example: 172.16.10.3;172.16.10.44;188.23.102.5
• Use a dash or hyphen to separate the starting and ending IP addresses in a range.
Example: 10.2.1.70-10.2.1.90
Note: IPV6 addresses must be enclosed in brackets. For example:
• For http://[::1], Fortify WebInspect scans "localhost."
• Fortify WebInspect scans the host at the specified address starting in the "subfolder" directory.
• Fortify WebInspect scans a server running on port 8080 starting in "subfolder."
2. In the Ports (or ranges) box, type the ports you want to scan.  
• Use a semicolon to separate multiple ports.
Example: 80;8080;443
• Use a dash or hyphen to separate the starting and ending ports in a range.
Example: 80-8080
3. To modify Web Discovery settings, click Settings. See "Settings" on the next page for more  
information.  
4. Click Start to initiate the discovery process.  
Results display in the Discovered EndPoints area.  
5. Click an entry in the IP Address column to view that site in a browser.  
6. Click an entry in the Identification column to open the Session Properties window and view the  
raw request and response.  
Saving Discovered Sites  
To save the list of discovered servers:  
1. Click File > Export.  
If you export the data to a .csv file, the IP addresses become default Fortify Software Security  
Center applications. You can edit those applications and their associated data in Excel. In Fortify  
WebInspect Enterprise, you can then import the applications into Fortify Software Security  
Center. For more information, see the Fortify WebInspect Enterprise online Help.  
2. Use the standard file-selection window to name and save the file.  
Settings  
To change the Web Discovery tool settings:  
1. Click Edit > Settings.  
2. In the Select Protocols group, choose the packets you want to send by selecting or clearing the  
check box next to the protocol name.  
3. In the Logging group, select the elements you want to log:  
• Log Open Ports: Logs all available ports found open on the host; saves only Web server information in the log file.
• Log Services: Logs all services identified during the discovery.
• Log Web Servers: Logs Web servers identified.
4. Enter the file location in the Log To box, or click the ellipsis button and use the standard file-  
selection window to specify the file in which the log entries should be recorded.  
5. In the Connectivity group, set the following timeouts (in milliseconds):
• Connection Time Out: The period of time that Web Discovery will wait before stopping a port scan when no information has been returned from an IP address.
• Send Time Out: When sending a message to the remote IP endpoint, the transmission is divided into smaller packets. If the IP endpoint does not acknowledge receipt of a sent packet within the specified period of time, the socket is closed and the discovery for that endpoint reports no services.
• Receive Time Out: When sending a message to the remote IP endpoint, the transmission is divided into smaller packets. If the Web Discovery tool does not receive a response packet within the specified period of time, the socket is closed and the discovery for that endpoint reports no services.
6. Adjust the number of open sockets using the Sockets box. A higher number of open sockets  
results in a faster scan. However, a setting that exceeds a server's threshold may result in false  
positives.  
7. Click OK to save the updated information and return to the Web Discovery window.  
Note: An endpoint is the entity on one end of a transport layer connection; the point at which a service connects to the network. In a service-oriented architecture, any single network interaction involves two endpoints: one to provide a service and the other to consume it. In Web services, an endpoint is specified by a URI.
Chapter 17: Web Form Editor  
Most Web applications contain forms composed of input controls (text boxes, buttons, drop-down  
lists, etc.). Users generally "complete" a form by modifying its input controls (such as entering text or  
checking boxes) before submitting the form to an agent for processing. Usually, this processing will  
lead the user to another page or section of the application. For example, after completing a logon  
form, the user will proceed to the application's beginning page.  
For the scanner to navigate through all possible links in the application, it must be able to submit  
appropriate data for each form.  
With the Web Form Editor, you can create or modify a file containing the names of all input controls  
and the associated values that need to be submitted during a scan of your Web site. These entries are  
categorized by URL, so even if different controls on different pages have the same name, the Web  
Form Editor can discriminate between them. Alternatively, you can designate a form entry as "global,"  
meaning that its value will be submitted for any input control having the same name attribute,  
regardless of the URL at which it occurs.  
During a scan, if the scanner encounters an input control whose name attribute is not matched in the  
file you create, it will submit a default value (12345).  
There are two ways to create a list of form values:  
• Create the list manually.
• Record the values as you navigate through the application.
Record Web Form Values  
The Web Form Editor serves as a proxy that handles HTTP traffic between a browser and a target  
Web site. By default, it uses the local IP address 127.0.0.1 and any available port. However, you can  
specify a different IP address and port by selecting Settings from the Edit menu.  
Use the following procedure to capture names and values of input controls on a Web site.  
1. To create a list of form values, select New from the File menu (or click the New icon on the  
toolbar).  
2. To add form values to an existing list, select Open from the File menu (or click the Open icon on  
the toolbar) and choose a file using the standard file-selection dialog box.  
3. Using the browser's Address bar, enter or select a URL and navigate to a page containing a form.  
4. Complete the form and submit it (usually by clicking a button such as Log In, Submit, Go, etc.).  
5. Navigate to additional pages and submit forms until you have traversed all the links you wish to  
follow.  
For example, the last two entries in the list illustrated above were derived from the following  
HTML fragment ...  
<form name="loginForm" action="/servlet/Login" method="POST">  
<input type="password" size="16" name="PASSWORD">  
<input type="text" size="16" name="USERNAME" value="">  
<input type="SUBMIT" value="Submit"></form>  
... and the user entered his name and password.  
6. If necessary, you can modify items by right-clicking an entry and using the shortcut (pop-up)  
menu.  
• To edit an entry, select Modify.
• To add an entry, select Add Global Form Input. A Global entry is one not associated with a specific URL.
• To remove an entry, choose Unselect. This removes the entry from processing, but does not delete it from the file.
• To delete an entry, choose Delete.
• To designate an entry as a smart credential, select either Smart Credential Username or Smart Credential Password. See "Smart Credentials" on page 209 for more information.
• To force the scanner to pause the scan and display a window prompting the user to enter a value for this entry, select Mark As Interactive Input.
When the scanner encounters an HTTP or JavaScript form, it pauses the scan and displays a window that allows you to enter values for input controls within the form, provided that the scanner's option to "Prompt For Web Form Values" is selected. However, if the scanner's option to "Only Prompt Tagged Inputs" is also selected, the scanner does not pause for user input unless a specific input control has been designated Mark As Interactive Input (except for passwords, which always cause the scanner to pause for input).
7. From the File menu, select Save or Save As.  
Manually Add or Modify Web Form Values  
To add or modify Web form values:  
1. Do one of the following:  
• To add a Web form value, right-click anywhere in the Web Form Editor's work area and select Add Global Form Input from the shortcut (pop-up) menu.
• To modify a Web form value, right-click an entry and select Modify from the shortcut (pop-up) menu.
The Add User-Defined Input or the Modify Input window appears.  
2. In the Name box, type (or modify) the name attribute of the input element.  
3. In the Length box, enter either:  
• the value that must be specified by the size attribute, or
• zero, for input elements that do not specify a size attribute.
For example, to submit data for the following HTML fragment . . .  
<INPUT TYPE="password" NAME="accessID" MAXLENGTH="6">  
. . . you must create an entry consisting of accessID (Name) and specify a size of "6" (Length).  
4. In the Value box, type the data that should be associated with the input element (for example, a  
password).  
5. Use the Match list to specify how the scanner should determine if this entry qualifies to be  
submitted for a particular input control. The options are:  
• Exact - The name attribute of the input control must match exactly the name assigned to this entry.
• Starts with - The name attribute of the input control must begin with the name assigned to this entry.
• Contains - The name attribute of the input control must contain the name assigned to this entry.
6. Programmers sometimes use input controls with type="hidden" to store information between  
client/server exchanges that would otherwise be lost due to the stateless nature of HTTP.  
Although the Web Form Editor will collect and display the attributes for hidden controls, the  
scanner will not submit values for hidden controls unless you select Allow Hidden Submission.  
7. Click Add (or Modify).  
8. If necessary, you can assign additional attributes by right-clicking an entry and using the  
shortcut (pop-up) menu.  
• To remove an entry, choose Unselect. This clears the check mark and removes the entry from processing, but does not delete it from the file.
• To activate an entry, choose Select. This creates a check mark and includes the entry for processing.
• To delete an entry, choose Delete.
• To designate an entry as a smart credential, select either Smart Credential Username or Smart Credential Password. See "Smart Credentials" on page 209 for more information.
• If you select Mark As Interactive Input, then the scanner will pause the scan and display a window prompting the user to enter a value for this entry (if the scan options include the settings Prompt For Web Form Values During Scan and Only Prompt Tagged Inputs).
Note: It is not necessary to tag passwords with Mark As Interactive Input.
Import a File  
You can import a file that was designed and created for earlier versions of Fortify WebInspect and  
convert it to a file that can be used by the current Web Form Editor.  
1. From the File menu, select Import.  
The Convert Web Form Values window appears.  
2. Click the browse button next to Select File To Import.
3. Using a standard file-selection window, locate the XML file created by an earlier version of the  
Web Form Editor.  
4. Click the browse button next to Select Target File.
5. Using a standard file-selection window, specify a file name and location for the converted file.  
6. Click OK.  
Shortcut Menu  
The following commands are available from the pop-up menu that appears when you right-click in the  
work area of the Web Form Editor.  
Add Global Form Input: Displays the Add User-Defined Input window, allowing you to specify the name, length, and value of an input control.

Make Global: Disassociates the selected entry from a specific URL. This means that the scanner will submit the value whenever it encounters an input control having this entry's name attribute, regardless of the control's location.

Modify: Allows you to change the name, length, value, and match type attributes of an entry.

Unselect: Clears the check box associated with an entry. The entry will not be saved and will not be added again to the list if you revisit the page on which it occurred.

Select: Enables the check box associated with an entry, assuring that the entry will be included in the saved list.

Smart Credential Username: If you designate an entry as a Smart Credential Username, the Web Form Editor will not save the value you entered. When the scanner scans the page containing the input element associated with this entry, it will substitute the user name specified in its Authentication options (or, if no user name is specified, the string "FormFillText").

Smart Credential Password: If you designate an entry as a Smart Credential Password, the Web Form Editor will not save the value you entered. When the scanner scans the page containing the input element associated with this entry, it will substitute the password specified in its Authentication options (or, if no password is specified, the string "FormFillText").

Mark As Interactive Input: For Fortify WebInspect only: Tags this entry as one requiring user input if Fortify WebInspect's options are set to Prompt For Web Form Values During Scan AND Only Prompt Tagged Inputs. When Fortify WebInspect scans the page containing the input element associated with this entry, it will pause the scan until the user enters a value for this input. This is especially useful for forms that require a unique value. Examples include an order-processing system (where a duplicate number would elicit a response such as, "That order has already been processed") and a CAPTCHA (which is a type of challenge-response test to ensure that the response is not generated by a computer).

Delete: Removes the selected entry from the list. The entry will not be saved; it will be added again to the list if you revisit the page on which it appeared, however.
Scanning with a Web Form File  
If you designate a Web form file in the default scan settings, the scanner automatically selects that file  
each time you start a Web site assessment. You can override that selection, however, by choosing a  
different file for that specific scan.  
Use the following procedure to scan a site using the list of Web form values you created.  
1. Click the Fortify WebInspect Edit menu and select Default Scan Settings. The Default Settings  
window opens.  
2. In the Scan Settings section, select Method.  
3. In the Scan Behavior group, select Auto-fill Web Forms During Crawl.  
4. To select a previously recorded file:
a. Click the browse button.
b. Using the standard file-selection window, select a file containing the Web form values you want to use and click Open.
c. (Optional) You can edit the contents by right-clicking an entry and selecting an option from the context menu.
5. To record Web form values:
a. Click Create New Web Form Values.
b. Click the File menu and select New.
c. Click Launch Browser.
d. See "Record Web Form Values" on page 200 for further instructions.
6. To edit Web form values for the selected file:
a. Click Edit Current Web Form Values.
b. See "Record Web Form Values" on page 200 for further instructions.
Matching Web Form List to Input Controls  
When crawling a Web application and submitting Web form values, the Micro Focus scanner analyzes  
the entries in the Web form values file to determine if a value should be submitted. The logic for  
determining a match is represented in the following table, ordered from "most preferred" to "least  
preferred."  
Rules for Matching Web Form Values (from most preferred to least preferred)

Page-specific form values:
• Exact Match (Name: exact match; Length: exact match). The specific Web page, Web form name, and value length detected on the crawled Web page exactly match a single record in the webformvalues.xml selected for the scan.
• Partial Match (Name: exact match; Length: allows wildcard). The specific Web page and Web form name detected on the crawled Web page match a single record in the webformvalues.xml selected for the scan. The field length associated with that form value allows for submission to any field input length (wildcard field length match).

Global form values:
• Exact Match (Name: exact match; Length: exact match). The Web form name and value length detected on the crawled Web page match a single record in the Global Web form values section of the webformvalues.xml selected for the scan.
• Partial Match 1 (Name: exact match; Length: allows wildcard). The Web form name detected on the crawled Web page exactly matches a form name found in the global values section of the webformvalues.xml selected for the scan. The field length associated with that form value allows for submission to any field input length (wildcard field length match).
• Partial Match 2 (Field name starts with Name value; Length: exact match). A Web form value in the file partially matches the field name found. All characters in the Web form value match the beginning of the Web page field name, and the field length detected on the crawled Web page matches the record in the Global Web form values section of the webformvalues.xml selected for the scan.
• Partial Match 3 (Field name starts with Name value; Length: allows wildcard). A Web form value in the file partially matches the field name found. All characters in the Web form value match the beginning of the Web page field name, and the field length for the record allows for submission to any field length (wildcard field length match).
• Partial Match 4 (Name value included in field name; Length: exact match). A Web form value in the file partially matches the field name found. All characters in the Web form value match a portion of the Web page field name, and the field length detected on the crawled Web page matches the record in the Global Web form values section of the webformvalues.xml selected for the scan.
• Partial Match 5 (Name value included in field name; Length: allows wildcard). A Web form value in the file partially matches the field name found. All characters in the Web form value match a portion of the Web page field name, and the field length for the record allows for submission to any field length (wildcard field length match).

No match (Field name has no exact or partial matches to Web form values): No Web form value match was found. Submit the specified default value (Default).

No default value (The Web form values file has no default value specified): No Web form value match was made and the default value is not in the Web form values file. Submit "not found."
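To make the precedence concrete, here is an added Python example (not Fortify's implementation, and not the webformvalues.xml format) that encodes the table above as an ordered rule list and resolves the value to submit for a crawled input control. The FormValue record, the use of Length 0 to mean "no size attribute, matches any length", and the sample entries (modelled on the login form fragment earlier in this chapter) are assumptions for the example.

```python
"""Added example (not Fortify code): choose the recorded Web form value to submit for a
crawled input control, following the precedence table above."""
from dataclasses import dataclass
from typing import Optional

WILDCARD = 0  # Length 0 in the editor = no size attribute; treated here as "any length"


@dataclass
class FormValue:
    name: str
    value: str
    length: int = WILDCARD
    match: str = "Exact"        # Exact | Starts with | Contains (the Match list)
    url: Optional[str] = None   # None = global entry, otherwise page-specific
    selected: bool = True       # Unselect removes the entry from processing


def _name_matches(entry: FormValue, field_name: str, mode: str) -> bool:
    if mode == "Exact":
        return entry.name == field_name
    if mode == "Starts with":
        return field_name.startswith(entry.name)
    if mode == "Contains":
        return entry.name in field_name
    raise ValueError(f"unknown match mode: {mode}")


def resolve(url: str, field_name: str, field_length: int, entries, default="12345"):
    """Return (value, label of the rule that matched), trying rules from most to least
    preferred. default=None models a values file with no default value."""
    live = [e for e in entries if e.selected]
    page = [e for e in live if e.url == url]
    glob = [e for e in live if e.url is None]
    # (candidate pool, name mode, length must match exactly, label), in table order.
    # The table lists only exact-name rules for page-specific entries.
    precedence = [
        (page, "Exact", True, "page-specific exact"),
        (page, "Exact", False, "page-specific partial"),
        (glob, "Exact", True, "global exact"),
        (glob, "Exact", False, "global partial 1"),
        (glob, "Starts with", True, "global partial 2"),
        (glob, "Starts with", False, "global partial 3"),
        (glob, "Contains", True, "global partial 4"),
        (glob, "Contains", False, "global partial 5"),
    ]
    for pool, mode, exact_length, label in precedence:
        for e in pool:
            if e.match != mode or not _name_matches(e, field_name, mode):
                continue
            if exact_length:
                length_ok = e.length != WILDCARD and e.length == field_length
            else:
                length_ok = e.length == WILDCARD
            if length_ok:
                return e.value, label
    if default is not None:
        return default, "no match (default)"
    return "not found", "no default value"


# Constructed sample entries (not a real values file).
ENTRIES = [
    FormValue("USERNAME", "alice", length=16, url="/servlet/Login"),
    FormValue("PASSWORD", "s3cret", url="/servlet/Login"),      # length wildcard
    FormValue("USERNAME", "global-user", length=16),           # global entry
    FormValue("accessID", "123456", length=6),
    FormValue("phone", "555-0100", match="Starts with"),
    FormValue("zip", "02134", length=5, match="Contains"),
    FormValue("csrf", "ignored", selected=False),              # unselected: skipped
]


def demo():
    return {
        "login user": resolve("/servlet/Login", "USERNAME", 16, ENTRIES),
        "login pass": resolve("/servlet/Login", "PASSWORD", 16, ENTRIES),
        "other user": resolve("/profile", "USERNAME", 16, ENTRIES),
        "other user, short field": resolve("/profile", "USERNAME", 8, ENTRIES),
        "phone": resolve("/profile", "phone_home", 0, ENTRIES),
        "zip": resolve("/checkout", "billing_zip_code", 5, ENTRIES),
        "csrf": resolve("/checkout", "csrf", 0, ENTRIES),
        "unknown": resolve("/checkout", "comment", 0, ENTRIES, default=None),
    }


if __name__ == "__main__":
    for label, (value, rule) in demo().items():
        print(f"{label:24} -> {value!r:14} via {rule}")
```

Note the "other user, short field" case: a global entry recorded with a length of 16 does not match a field whose size is 8, so the scanner falls back to the default value. If you want a value to fit any size of the same field, record it with a length of zero.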
Settings: General  
Use these settings to configure how the browser will interact with the target web site. To access these  
settings, select Edit > Settings > General.  
Proxy Listener: The Web Form Editor serves as a proxy that handles HTTP traffic between a browser and a target web site. By default, it uses the local IP address 127.0.0.1 and any available port. However, you can specify a different Local IP Address and Port. To avoid the possibility of specifying a port that is already in use, select Automatically Assign Port.

Advanced HTTP Parsing: Most Web pages contain information that tells the browser what character set to use. This is accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV attribute) in the HEAD section of the HTML document. For pages that do not announce their character set, you can specify which character set the Web Form Editor should use in the Assumed 'charset' Encoding list.
Settings: Proxy  
Use these settings to access the Web Form Editor through a proxy server. To access these settings,  
select Edit > Settings > Proxy.  
Direct Connection (proxy disabled): Select this option if you are not using a proxy server.

Auto detect proxy settings: Select this option to use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and configure the browser's Web proxy settings.

Use Firefox proxy settings: Select this option to import your proxy server information from Firefox.

Use System proxy settings: Select this option to import your proxy server information from the local machine.

Configure a proxy using a PAC file: Select this option to load proxy settings from a Proxy Automatic Configuration (PAC) file. Then specify the file location in the URL box.

Explicitly configure proxy: Select this option to access the Internet through a proxy server, and then enter the requested information:
1. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box) by the port number (for example, 8080).
2. Select a protocol for handling TCP traffic through a proxy server: SOCKS4, SOCKS5, or standard.
3. If authentication is required, select a type from the Authentication list:
• Automatic
Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
• Basic
• Digest
• Kerberos
• Negotiate
• NT LAN Manager (NTLM)
4. If your proxy server requires authentication, enter the qualifying user name and password.
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), enter the addresses or URLs in the Bypass Proxy For box. Use commas to separate entries.

Specify Alternative Proxy for HTTPS: For proxy servers accepting HTTPS connections, select Specify Alternative Proxy for HTTPS and provide the requested information.
Smart Credentials  
When recording web form values, you will often encounter a log-on form requiring you to enter a user  
name and password. You can safely use your own user name and password, provided that you  
designate those entries as "Smart Credentials" before saving the file. Your actual password and user  
name are not saved.  
When scanning the page containing the input control associated with such an entry, the scanner substitutes
the user name and password specified in the product's Authentication options. These should be the
credentials of a known test account, not credentials that need protecting. If no user name or password is
specified, the scanner submits the string "FormFillText."
Chapter 18: Web Fuzzer  
The Web Fuzzer tool lets you run several automated tests for common classes of Web application  
security vulnerabilities such as:  
• SQL injection
• Format strings
• Cross-site scripting
• Path traversal
• Odd characters
• Buffer overflows
• Protocol implementation problems
What is fuzzing?  
"Fuzzing" is an automated software-testing technique that generates and submits random or  
sequential data to various areas of an application in an attempt to uncover security vulnerabilities. For  
example, when searching for buffer overflows, a tester can generate data of various sizes and send it  
to one of the application entry points to observe how the application handles it.  
Accessing Web Fuzzer  
To access the Web Fuzzer tool, do one of the following:  
• On the Fortify WebInspect toolbar, click Tools > Web Fuzzer.
• Using the Security Toolkit, click Start > Fortify > Web Fuzzer.
Understanding the Fuzzer Menu  
This topic describes the various options on the Web Fuzzer menu bar.  
File Menu  
The following table describes the File menu options.
Import: Imports previously saved sessions in the Sessions area.
Export: Exports sessions in the Sessions area to a file.
Clear Sessions: Clears the session view list.
Exit: Closes the application.
Edit Menu  
The following table describes the Edit menu options.  
Server: Allows you to specify the target server and select authentication settings.
Settings: Allows you to specify general, proxy, sockets, and protocol settings.
Session Menu  
The following table describes the Session menu options.  
Import: Imports an XML file containing a session that you previously saved.
Export: Exports a session to an XML file.
Create: Opens the Session Editor, providing a structured approach to creating requests.
Raw Create: Opens the Raw Editor, allowing you to edit a standard request.
Edit: Available after selecting a session; opens the Session Editor.
Raw Edit: Available after selecting a session; opens the Raw Editor.
Filters Menu  
The following table describes the Filters menu options.
Edit: Opens the Filters dialog, allowing you to create a regular expression that selects only those responses that you specify.
Enable: Applies filters to sessions.
Using Web Fuzzer  
The following table describes how to use the Web Fuzzer.  
1. Configure the server information. For more information, see "Configuring the Server."
2. Configure the settings. For more information, see "Configuring Fuzzer Settings."
3. Do one of the following:
• Create a session.
• Import a previously saved session and (optionally) edit it.
4. Click Start.
The Sessions area lists each session (request and response) generated by the tool.
5. To examine the results, click an entry in the Sessions list.
The HTTP request for the selected session appears in the Request area. The server's response appears on both the Browser View and Raw Response tabs.
6. To edit the request that you constructed, select a session in the Sessions list, then click the Session menu and choose either Edit or Raw Edit.
Configuring the Server  
Use the Server Configuration dialog to identify the target Web site and configure communication  
settings.  
To configure the server settings:  
1. Click Edit, and then select Server.  
The Server Configuration dialog opens.  
2. In the Host Name/IP box, enter the fully qualified domain name (FQDN) or the IP address of the  
Web site.  
3. In the Port box, enter the server's port number.  
4. If the server uses SSL/TLS, select the SSL check box.
5. If authentication is required, select a method from the Type list, and then enter a user name and  
password in the appropriate boxes.  
6. Click OK.  
Using the Session Editor  
Use the Session Editor to create an HTTP request or to change specific sections of an HTTP request.  
You can replace an HTTP element with text that you type or paste into a text box, or you can insert a  
generator that will create multiple requests containing generated data.  
Creating a Session  
To create a session:  
• Select Session > Create.
The Session Editor opens. Continue with "Configuring the Session" on the next page.
Editing a Session  
To edit a session:  
1. Select a session in the Sessions list.  
2. Select Session > Edit.  
The Session Editor opens. Continue with "Configuring the Session" on the next page.  
Configuring the Session  
To configure the session in the Session Editor:  
1. Click a tab.
2. See the following sections for detailed descriptions of each tab.
3. Do one of the following:
• Edit the data appearing in text boxes.
• Select the Use Generator check box and then click Generator to insert a generator.
4. To change other areas, click a different tab.
5. After configuring the areas you want to change, click OK.
6. When you return to the Web Fuzzer window, click Start.
Method Tab  
The GET method is specified by default. You can replace it with any text, or you can insert the Method  
generator.  
Path Tab  
You can fuzz three elements related to the path:  
- The name of the file  
- The file extension  
- The character that designates a directory level (usually the forward slash / )  
You can replace these elements with any text, or you can insert generators.  
Query Tab  
Some HTTP requests include a query string, with each parameter formatted as parameter=value and  
separated by an ampersand (&). The resource is separated from the query by a delimiter character  
(usually a question mark, although other characters can be used depending on the application). For  
example:  
To create a query string:  
1. Click Add.  
name=value appears in the list, representing the query string you are creating.  
2. Click the Name tab.  
You can edit the parameter named "name" or you can substitute a generator for it (select the Use  
Generator check box, and then click Generator).  
3. Click the Value tab.  
You can edit the "value" in the equation or you can substitute a generator for it (select the Use  
Generator check box, and then click Generator).  
4. Click the Separator tab.  
You can edit the character that separates the name from the value (usually an equals sign) or you  
can substitute a generator for it (select the Use Generator check box, and then click Generator).  
5. Click the Format tab.  
You can edit the order in which the equation elements appear, or you can introduce characters  
between them.  
6. In the Name Value Separator area, you can edit the character that separates parameters  
(usually an ampersand) or you can substitute a generator for it (select the Use Generator check  
box, and then click Generator).  
7. To add another parameter, click Add and repeat Steps 2-6.  
Version Tab  
The version indicates to the server which HTTP version to use for interpreting the request. Valid  
versions are 0.9, 1.0 and 1.1. The version information is formatted as "HTTP/version," which is a  
name-value pair separated by a forward slash ( / ). You can fuzz all three sections: Protocol, Separator,  
and Version. You can also fuzz the format by rearranging the order or introducing extraneous  
characters.  
Headers Tab  
Headers contain basic information issued by the client to help the server or application handle the  
request. Common headers are Host and User-Agent. Each header is defined by using the "name:  
value" syntax. This name-value structure can also be separated into four fuzzing opportunities.  
To create headers:  
1. Click Add.  
name:value appears in the list, representing the header you are creating.  
2. Click the Name tab.  
You can edit the parameter named "name" or you can substitute a generator for it (select the Use  
Generator check box, and then click Generator).  
3. Click the Value tab.  
You can edit the "value" text or you can substitute a generator for it (select the Use Generator  
check box, and then click Generator).  
4. Click the Separator tab.  
You can edit the character that separates the name from the value (usually a colon) or you can  
substitute a generator for it (select the Use Generator check box, and then click Generator).  
5. Click the Format tab.  
You can edit the order in which the header elements appear, or you can introduce characters  
between them.  
6. In the Name Value Separator area, you can edit the character that separates headers or you can  
substitute a generator for it (select the Use Generator check box, and then click Generator).  
7. To add another header, click Add and repeat Steps 2-6.  
Cookies Tab  
Cookies are special headers that contain parameters used by the application to manage users and  
states. The format of a cookie definition is:  
Cookie: name=value;name=value  
Each parameter is a name-value pair that can be independently fuzzed.  
To create cookies:  
1. Under the Cookies list, click Add.  
Cookie: appears in the Cookies list, representing the cookie you are creating.  
2. Under the Cookie Detail list, click Add.  
name=value appears in the Cookie Detail list.  
3. Click the Cookie Name tab to the right of the Cookie Detail list.  
You can edit the name or you can substitute a generator for it (select the Use Generator check  
box, and then click Generator).  
4. Click the Value tab.  
You can edit the "value" text or you can substitute a generator for it (select the Use Generator  
check box, and then click Generator).  
5. Click the Separator tab.  
You can edit the character that separates the name from the value (usually an equals sign) or you  
can substitute a generator for it (select the Use Generator check box, and then click Generator).  
6. Click the Format tab.  
You can edit the order in which the header elements appear, or you can introduce characters  
between them.  
7. In the Name Value Separator area, you can edit the character that separates headers or you can  
substitute a generator for it (select the Use Generator check box, and then click Generator).  
8. To add another cookie, repeat Steps 1-7.  
Post Data Tab  
While a query can be appended to the Request-URI, post data is added to the end of the request. The  
format is similar to the URI query and is mostly used with the POST method. When post data are used,  
the request must contain a Content-Length header that indicates the size of the post data. You can  
fuzz not only the post data, but also the Content-Length value to test how the server or application  
handles the differences.  
When fuzzing the HTTP request message, you affect two main layers of the application environment:  
server protocol implementation and Web application.  
To create post data:  
1. Click Add.  
name=value appears in the list, representing the post data you are creating.  
2. Click the Name tab.  
You can edit the parameter named "name" or you can substitute a generator for it (select the Use  
Generator check box, and then click Generator).  
3. Click the Value tab.  
You can edit the "value" text or you can substitute a generator for it (select the Use Generator  
check box, and then click Generator).  
4. Click the Separator tab.  
You can edit the character that separates the name from the value (usually a colon) or you can  
substitute a generator for it (select the Use Generator check box, and then click Generator).  
5. Click the Format tab.  
You can edit the order in which the header elements appear, or you can introduce characters  
between them.  
6. In the Name Value Separator area, you can edit the character that separates headers or you can  
substitute a generator for it (select the Use Generator check box, and then click Generator).  
7. To add another post data element, click Add and repeat Steps 2-6.  
Using the Raw Editor  
Use the Raw Editor to create an HTTP request message.  
You can change any portion of the request using the tool's text-editing capabilities, or you can insert  
a generator.  
To insert a generator:  
1. Do one of the following:  
- Place the cursor anywhere in the request.  
- Highlight any portion of the request.  
2. Right-click and select Generator from the shortcut menu.  
The Generators dialog opens.  
3. On the Generators dialog, select a generator and click Configure.  
The Options dialog opens.  
4. On the Options dialog, enter the configuration information and then click OK.  
5. On the Generators dialog, click OK.  
6. The generator you created is inserted at the cursor position (or in place of any portion  
highlighted during Step 1).  
After editing the request or inserting a generator or both, click OK to return to the Web Fuzzer  
window. Then click Start.  
Understanding Fuzzer Generators  
You can use generators to help create sessions to use for fuzzing. The following table describes the  
generators available in Web Fuzzer.  
ASCII: Inserts one ASCII character, within the range you specify, in each request. Specify the starting and ending character, and the number of times to loop through the series.  
Character: Generates the character you specify and inserts it, repeated a varying number of times, into each request. Specify the minimum and maximum number of characters, and an increment.  
Decimal Number: Inserts a fractional number, within the range you specify, in each request. Specify the Minimum and Maximum number, the Increment, and the number of times to loop through the series.  
GUID: Inserts a random Globally Unique Identifier (a 128-bit number) in each request. Specify the number of requests.  
HTTP Method: Inserts a method (GET, POST, PUT, etc.) in the request. Specify the protocol version (0.9, 1.0, 1.1, or all).  
Number: Inserts a number, within the range you specify, in each request. Specify the Minimum and Maximum number, the Increment, and the number of times to loop through the series.  
SQL Injection: Inserts a string from a text file you specify. The number of requests is determined by the number of paragraphs in the file. All characters in the paragraph are inserted. The default file (sqlinjections.txt) contains the following two entries:  
' or 1=1  
' or like '%  
Text: Inserts the text you specify in a single request.  
WordList Reader: Inserts a string from a text file you specify. The number of requests is determined by the number of paragraphs in the file. All characters in the paragraph are inserted.  
XSS Injection: Inserts a string from a text file you specify. The number of requests is determined by the number of paragraphs in the file. All characters in the paragraph are inserted. The default file (xssinjections.txt) contains the following entry:  
<script>alert('test')</script>  
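As an added example (not Fortify code), the following Python reproduces the range, increment and loop behaviour of the ASCII, Character, Number, Decimal Number and WordList Reader generators described in the table above, and shows each generated value being substituted into a request while the Content-Length is recomputed in bytes, which is the adjustment the Enforce Content-Length setting performs. The function names, the {{FUZZ}} placeholder and the POST template are this example's own assumptions.

```python
"""Fuzz-value generators modelled on the Web Fuzzer generator table.

Added example, not Fortify code.  Function names, the {{FUZZ}} placeholder
and the request template are assumptions of this example.
"""
from decimal import Decimal
from typing import Iterable, Iterator, List


def ascii_generator(start: str, end: str, loops: int = 1) -> Iterator[str]:
    """One ASCII character from start..end (inclusive) per request, repeated 'loops' times."""
    for _ in range(loops):
        for code in range(ord(start), ord(end) + 1):
            yield chr(code)


def character_generator(char: str, minimum: int, maximum: int, increment: int) -> Iterator[str]:
    """The given character repeated minimum, minimum+increment, ... up to maximum times."""
    for count in range(minimum, maximum + 1, increment):
        yield char * count


def number_generator(minimum: int, maximum: int, increment: int, loops: int = 1) -> Iterator[str]:
    """Integers from minimum to maximum in steps of increment, repeated 'loops' times."""
    for _ in range(loops):
        for value in range(minimum, maximum + 1, increment):
            yield str(value)


def decimal_number_generator(minimum: str, maximum: str, increment: str, loops: int = 1) -> Iterator[str]:
    """Fractional numbers; Decimal avoids the drift that float steps such as 0.1 accumulate."""
    lo, hi, step = Decimal(minimum), Decimal(maximum), Decimal(increment)
    for _ in range(loops):
        value = lo
        while value <= hi:
            yield str(value)
            value += step


def wordlist_reader(text: str) -> Iterator[str]:
    """One request per paragraph of a word-list file (taken here as a non-empty line; assumption)."""
    for line in text.splitlines():
        if line.strip():
            yield line  # all characters of the paragraph are inserted, so no strip()


PLACEHOLDER = "{{FUZZ}}"  # assumed marker for where the generator output goes


def build_requests(template: str, values: Iterable[str]) -> List[bytes]:
    """Substitute each generated value into the template and fix Content-Length.

    Content-Length counts bytes of the encoded body, not characters, so a
    multi-byte value changes it by more than its character count.
    """
    requests = []
    for value in values:
        message = template.replace(PLACEHOLDER, value)
        head, sep, body = message.partition("\r\n\r\n")
        if sep:
            body_bytes = body.encode("utf-8")
            lines = [h for h in head.split("\r\n") if not h.lower().startswith("content-length:")]
            lines.append(f"Content-Length: {len(body_bytes)}")
            message_bytes = "\r\n".join(lines).encode("utf-8") + b"\r\n\r\n" + body_bytes
        else:
            message_bytes = message.encode("utf-8")
        requests.append(message_bytes)
    return requests


def content_length_of(request: bytes) -> int:
    """Return the Content-Length header value of a built request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1])
    raise ValueError("no Content-Length header")


# Constructed sample: a POST template whose 'q' parameter is fuzzed.
POST_TEMPLATE = (
    "POST /search HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "q=" + PLACEHOLDER
)

if __name__ == "__main__":
    for req in build_requests(POST_TEMPLATE, character_generator("A", 1, 5, 2)):
        print(req.decode("utf-8", "replace"))
```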
Working with Filters  
A filter consists of a name, description, and rule. The "rule" is a regular expression that defines the text  
you want to locate in a particular section of the server's response. For example, if you want to display  
only those responses that contain the word "error" in the response body and where the response also  
specifies a status code between 500 and 599, then use the following rule:  
[STATUSCODE]5\d\d AND [BODY]\serror\s  
Use the following notation to specify a response section:  
[HEADERS]  
[STATUSLINE]  
[STATUSCODE]  
[STATUSDESCRIPTION]  
[ALL]  
[SETCOOKIES]  
[BODY]  
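The rule notation above, implemented as an added example that is not Fortify code: it splits a raw HTTP response into the named sections, parses a rule into AND-joined terms and reports which of a set of constructed responses the filter would keep in the session list. Treating each term as an unanchored regular-expression search is an assumption of the example, since the page does not say how the tool matches.

```python
"""Evaluator for Web Fuzzer-style filter rules such as
    [STATUSCODE]5\\d\\d AND [BODY]\\serror\\s

Added example, not Fortify code.  AND-only combination and re.search per
term are assumptions; the section names are the ones listed in the guide.
"""
import re
from typing import Dict, List, Tuple

SECTIONS = ("HEADERS", "STATUSLINE", "STATUSCODE", "STATUSDESCRIPTION", "ALL", "SETCOOKIES", "BODY")


def split_response(raw: str) -> Dict[str, str]:
    """Break a raw HTTP response into the sections the filter notation can address."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    parts = status_line.split(" ", 2)  # e.g. HTTP/1.1 500 Internal Server Error
    headers = lines[1:]
    set_cookies = [h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("set-cookie:")]
    return {
        "STATUSLINE": status_line,
        "STATUSCODE": parts[1] if len(parts) > 1 else "",
        "STATUSDESCRIPTION": parts[2] if len(parts) > 2 else "",
        "HEADERS": "\r\n".join(headers),
        "SETCOOKIES": "\r\n".join(set_cookies),
        "BODY": body,
        "ALL": raw,
    }


def parse_rule(rule: str) -> List[Tuple[str, re.Pattern]]:
    """Turn '[SECTION]regex AND [SECTION]regex' into (section, compiled regex) terms."""
    terms = []
    # Split only on an AND that is followed by a section tag, so a literal
    # "AND" inside a regular expression is left alone.
    for term in re.split(r"\s+AND\s+(?=\[)", rule.strip()):
        m = re.match(r"\[([A-Z]+)\](.*)", term, re.S)
        if not m or m.group(1) not in SECTIONS:
            raise ValueError(f"bad filter term: {term!r}")
        terms.append((m.group(1), re.compile(m.group(2))))
    return terms


def matches(rule: str, raw_response: str) -> bool:
    """True when every term's regex is found in its section of the response."""
    sections = split_response(raw_response)
    return all(regex.search(sections[name]) for name, regex in parse_rule(rule))


def apply_filter(rule: str, responses: List[str]) -> List[int]:
    """Indexes of the responses a filter would keep visible in the session list."""
    return [i for i, resp in enumerate(responses) if matches(rule, resp)]


# Constructed sample responses (not captured from any real server).
RESPONSES = [
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n<p>An error occurred</p>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>No error here</p>",
    "HTTP/1.1 503 Service Unavailable\r\nRetry-After: 30\r\n\r\n<p>Try again later</p>",
    "HTTP/1.1 302 Found\r\nSet-Cookie: session=; Max-Age=0\r\nLocation: /login\r\n\r\n",
]
PAGE_RULE = r"[STATUSCODE]5\d\d AND [BODY]\serror\s"  # the rule quoted in the guide

if __name__ == "__main__":
    print(apply_filter(PAGE_RULE, RESPONSES))                 # only the 500 with "error" in the body
    print(apply_filter(r"[SETCOOKIES]session=;", RESPONSES))  # the response that clears the session cookie
```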
Accessing the Filters Dialog  
To access the Filters dialog:  
- Select Filters > Edit.  
The Filters dialog opens.  
Creating a Filter  
To create a filter:  
1. In the Filters dialog, click Add.  
The tool creates a rule named Default Rule.  
2. Modify the Name, Description, and Rule.  
3. Click Apply to save the filter.  
Editing a Filter  
To edit a filter:  
1. In the Filters dialog, select a filter in the Filters list.  
2. Modify the Name, Description, or Rule.  
3. Click Apply to save the modifications.  
Using a Filter  
To use a filter in a session:  
1. In the Filters dialog, select a filter in the Filters list.  
2. Select the Enable check box.  
Important! In addition to enabling a specific rule, you must also enable the use of rules in general.  
To do so, select Filters > Enable.  
Deleting a Filter  
To delete a filter:  
1. In the Filters dialog, select a filter in the Filters list.  
2. Click Delete.  
Configuring Fuzzer Settings  
You can configure Web Fuzzer settings in the Settings dialog.  
To configure Web Fuzzer settings:  
1. Click Edit, and then select Settings.  
The Settings dialog opens.  
2. Do one of the following:  
- To configure application settings, select General in the left pane. For more information about the available settings, see "General Settings" below.  
- To configure proxy settings, select Proxy in the left pane. For more information about the available settings, see "Proxy Settings" on the next page.  
3. When finished, click OK.  
General Settings  
The following table describes the General settings.  
Enable Filters: Enables filter support. When enabled, you can add, edit, and delete filters in the Filters dialog. For more information, see "Working with Filters" on  
Note: You can also select Filters > Enable on the menu bar to enable filters.  
Auto Scroll View: Enables automatic scrolling in the Sessions list view. When enabled, this will force the view to scroll down to the latest session automatically.  
Show ToolTips: Enables the display of tool tips when you hover your mouse pointer over certain elements in the user interface (UI).  
Max Sockets: Specifies the maximum number of sockets to be used.  
Timeout/Seconds: Specifies the socket send timeout (in seconds).  
Enforce Content-Length: Web Fuzzer automatically adjusts the Content-Length value in the request when needed. If this option is enabled, you cannot fuzz the content-length header.  
Enforce Host Header: Web Fuzzer includes the Host header in all requests. If this feature is enabled, you cannot fuzz the host header.  
Proxy Settings  
The following table describes the Proxy settings.  
Direct Connection (proxy disabled): Select this option if you are not using a proxy server.  
Auto detect proxy settings: Use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy autoconfig file and configure the browser's Web proxy settings.  
Use System Proxy Settings: Import your proxy server information from the local machine.  
Use Firefox proxy settings: Import your proxy server information from Firefox.  
Configure a proxy using a PAC file: Load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in the URL box.  
Explicitly configure proxy: Configure a proxy by entering the requested information. See "Configuring a Proxy" on the next page.  
Specify Alternative Proxy for HTTPS: For proxy servers accepting HTTPS connections, select this option and configure a proxy by entering the requested information. See "Configuring a  
Configuring a Proxy  
To configure a proxy:  
1. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box) by  
the port number (for example, 8080).  
2. From the Type list, select a protocol for handling TCP traffic through a proxy server: SOCKS4,  
SOCKS5, or standard.  
3. If authentication is required, select a type from the Authentication list:  
- Automatic  
Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.  
- Basic  
- Digest  
- Kerberos  
- Negotiate  
- NT LAN Manager (NTLM)  
4. If your proxy server requires authentication, enter the qualifying user name and password.  
Chapter 19: Session-based Web Macro Recorder  
Fortify WebInspect and Fortify WebInspect Enterprise include Session-based Web Macro Recorder  
tools: one for login macros and one for workflow macros. In this document, these two tools are  
referred to generally as "Session-based Web Macro Recorder" except for specific login-related and  
workflow-related content.  
The Session-based Web Macro Recorder can be launched in several ways. For more information, see  
About Macros  
A login macro is a recording of the events that occur when you access and log in to a website. You can  
subsequently instruct the Fortify scanner to begin a scan using this recording. A workflow macro is a  
recording of login steps (as needed) and specific URLs on a site.  
Note: The term "scanner" is often used instead of "Fortify WebInspect and Fortify WebInspect  
Enterprise" where the information applies to both products.  
IE Technology  
By default, the Session-based Web Macro Recorder uses Internet Explorer browser technology (also  
referred to here as IE technology) to record and play macros.  
Login Macros  
A login macro is a recording of the activity that is required to access and log in to a website or web  
application, typically by entering a user name and password and clicking a button such as Log In or  
Log On. When you configure a scan, you usually specify a previously recorded login macro or record a  
new one at the time for the scan to use.  
To prevent the scanner from terminating prematurely if it gets logged out of your application, a login  
macro should also specify at least one logout condition that definitively indicates that a logout has  
occurred. During a scan, the scanner can get logged out for a variety of reasons, including:  
- Normal logout driven by the target site  
- An error condition in the target site such as a timeout  
- An error in the macro itself, such as an invalid parameter  
Specifying a logout condition as part of the login macro makes it unnecessary for users to manually  
log back in, perhaps repeatedly, when unexpected logouts occur during a scan. When scanning a site,  
the scanner analyzes every target site response to determine the state. If the scanner determines at  
any time that it is logged out, it runs the login macro to log back in, and then it resumes crawling or  
auditing the site at the point where the logout occurred.  
As the final step in recording a login macro, the Session-based Login Macro Recorder uses  
sophisticated analysis to try to automatically detect a logout condition and specify it in the login  
macro. In most cases you do not have to identify a logout condition manually. However, you can add  
or edit logout conditions.  
Workflow Macros  
A workflow macro is a recording of the login steps (as needed) and the specific URLs to which you  
manually navigate on a site. Fortify WebInspect or Fortify WebInspect Enterprise audits only the URLs  
that are recorded in the workflow macro and does not take any hyperlinks encountered during the  
audit. This type of macro is used most often to focus on a particular subsection of an application. In  
terms of the macro recording process, the essential differences from login macros are that:  
l
Workflow macros include only the specific URLs to which a user navigated while recording them.  
Workflow macros access only those URLs upon replay.  
l
Workflow macros do not require logout conditions, so the Session-based Workflow Macro Recorder  
user interface excludes logout condition functionality when recording workflow macros.  
Note: If your website requires authentication, do not record login steps in a workflow macro.  
Instead, record a separate login macro to log in to your website.  
Accessing the Session-based Web Macro Recorder  
The following paragraphs describe the various ways to launch the Session-based Web Macro  
Recorder.  
Login Macros  
You can record a new session-based login macro or select (and optionally edit) an existing session-based login macro that was recorded in Fortify WebInspect or Fortify WebInspect Enterprise in the following ways:  
- When configuring a Guided Scan with Internet Explorer as the rendering engine, specify that the target site requires a login macro, and click Create to record a new login macro or select (and optionally edit) an existing login macro.  
- When configuring a Basic Scan in Fortify WebInspect or a Web Site Scan in Fortify WebInspect Enterprise with Internet Explorer as the rendering engine, in Step 2 select Site Authentication and record a new login macro or select (and optionally edit) an existing login macro.  
- On the Fortify WebInspect toolbar, click Tools > Login Macro Recorder > Session-based to run the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.  
- In Fortify WebInspect Enterprise, on the Administrative Console toolbar, click Tools > Login Macro Recorder > Session-based to open the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.  
- Using the Security Toolkit, click Start > Fortify > Login Macro Recorder (Session) to run the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.  
- From Windows Explorer, navigate to an existing login macro that was recorded using the Session-based Login Macro Recorder, and double-click to open it. The Session-based Login Macro Recorder opens in stand-alone mode.  
Workflow Macros  
You can record a new workflow macro or select (and optionally edit) an existing workflow macro that  
was recorded in Fortify WebInspect or Fortify WebInspect Enterprise in the following ways:  
- When configuring a Guided Scan with Internet Explorer as the rendering engine, specify that the Scan Type is Workflows and later, in the Workflows > 1. Manage Workflows step, record a new workflow macro or import (and optionally edit) an existing workflow macro.  
- When configuring a Basic Scan in Fortify WebInspect with Internet Explorer as the rendering engine, in Step 1 select Workflow-Driven Scan and click Record or Manage to record a new workflow macro or select (and optionally edit) an existing workflow macro.  
- On the Fortify WebInspect toolbar, click Tools > Workflow Macro Recorder > Session-based to run the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.  
- In Fortify WebInspect Enterprise, on the Administrative Console toolbar, click Tools > Workflow Macro Recorder > Session-based to open the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.  
- Using the Security Toolkit, click Start > Fortify > Workflow Macro Recorder (Session) to run the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.  
About the Session-based Web Macro Recorder Interface  
This topic describes the Session-based Web Macro Recorder user interface.  
The following table describes the numbered components of the Session-based Web Macro Recorder user interface.  
1. Toolbar. For more information, see "Toolbar" below.  
2. Yellow instruction bar that provides step-by-step guidance.  
3. Target site pane.  
4. Locations pane. For more information, see "Locations Pane" on the next page.  
Tip: You can adjust the height of the locations pane relative to the target site pane.  
Toolbar  
The toolbar includes the options described in the following table.  
New: Creates a new macro.  
Open: Opens (or imports) a previously recorded macro to play or edit. You can open the following file types:  
- Web Macro (*.webmacro)  
- Burp Proxies (*.*)  
- HTTP Archive (HAR) files (*.har)  
Save / Save As: Saves the macro that is currently open.  
Logout Conditions: (Login Macros only) Opens the Logout Conditions Editor. For more  
Browser Settings: Opens the Browser Settings dialog. For more information, see "Browser  
Locations Pane  
The locations pane has a button bar with the buttons and check box described in the following table.  
Play Highlighted: Plays the single request (row) you highlighted by clicking it. Plays the highlighted request if the associated check box in the Run column is selected. Other check boxes in the Run column do not matter.  
Play All: Plays only the requests that are selected (checked) in the Run column.  
Note: All steps are stored in the macro when you save it, but only the steps selected in the Run column are run whenever the macro is played.  
Stop: Available during playback after you have clicked the Play All button. Aborts playback upon completion of the current request.  
Logout: (Does not appear for workflow macros.) Logs you out of the site so that you can determine how the site responds to a subsequent request you play when logged out.  
Delete Highlighted: Deletes the single request (row) you highlighted by clicking it.  
Delete All: Deletes all the requests, regardless of whether they are selected in the Run column.  
Prompt for login (CAPTCHA): (Does not appear for workflow macros.) CAPTCHA is a challenge-and-response test designed to ensure that a login response is provided by a person, not generated by a computer. If your target site uses CAPTCHA, select this check box. The macro still detects a logout condition, but Fortify WebInspect or Fortify WebInspect Enterprise users will need to log in manually at the beginning of a scan and whenever a logout occurs. Selecting this option disables selection of any of the listed requests and closes the right pane that displays HTTP traffic.  
Below the button bar, the locations pane lists the recorded locations and has the columns described in the following table.  
Run: Steps that are selected (checked) are played when you click Play All. All steps are stored in the macro when you save it, but only the selected steps are run whenever the macro is played.  
Excluded: Select Url, Directory, or Page to add that type of exclusion rule. The exclusion rule will apply to any requests made by a scan that uses this scan configuration. This column also displays, read only, the causes of any existing exclusions for requests: Custom, Disallowed Host, or, if Restrict to folder was selected at the start of configuring the scan, Outside Root.  
Method: The method of the request, for example, GET or POST.  
Status: The status of the response to the request, for example, 302 or 200.  
Actual: The actual status returned in the response. Appears during playback if the status is different than expected.  
URL: The URL of the request.  
The bottom right pane includes the tabs described in the following table.  
Details: For the selected (highlighted) request in the left pane, shows request data in the top right pane and associated response data in the bottom right pane.  
State: A collection of all the items that represent state or could represent state, that have been seen across all the locations that the macro has accessed. You can select them in any combination to characterize them as representing a state, and you can manually add various types of items. Web applications can require that certain parameters be marked as "stateful."  
Parameters: (Does not appear for workflow macros.) For login macros, allows you to designate form input fields as being user name or password input so that the macro using IE technology can have user name and password parameters that can be specified at scan time.  
Recording a Macro  
The Session-based Web Macro Recorder uses IE technology to record macros. This topic describes the tasks involved in interactively recording login macros and workflow macros using the Session-based Web Macro Recorder.  
Note: These procedures provide general instructions for recording a macro. For best results,  
follow the guidance in the yellow instruction bar to record the macro.  
For information about accessing the Session-based Web Macro Recorder, see "Accessing the Session-  
Recording a Login Macro  
In the Session-based Login Macro Recorder, do the following:  
1. Click Record.  
2. Type the target URL in the address field and click the navigation button beside it.  
3. Log in to your application.  
Note: IE technology does not support websites that require users to answer a variable set of  
questions in order to log in.  
As you access and log in to your application, a table of request data is added to the locations  
pane.  
4. After you have logged in, click Stop.  
Important! Do not log out.  
The macro is saved.  
5. Click Play.  
The macro plays from the beginning, accessing your application and logging in.  
6. Did the macro play correctly? In other words, indicate whether the login macro successfully  
logged in to the target site.  
- If you successfully accessed and logged into your application, click Yes.  
The macro recorder attempts to automatically detect a logout condition. When a logout condition is detected, the macro is complete. If a logout condition is not detected, you may need to identify one manually. For more information, see "Logout Conditions Editor" below.  
- If you did not successfully access and log into your application, click No. Click Create to start a new macro or see "Debugging Macros" on page 234.  
When you close the Login Macro Recorder, if the macro has changed since being saved, you are  
prompted to save changes before continuing.  
Recording a Workflow Macro  
In the Session-based Workflow Macro Recorder, do the following:  
1. Type the start URL of your workflow in the address field and click the navigation button beside it.  
2. Click Record.  
3. Navigate to the pages you want to record in the macro.  
As you navigate your application, a table of request data is added to the locations pane.  
4. When you have recorded all of the steps in your workflow, click Stop.  
The macro is saved.  
5. Click Play.  
The macro plays from the beginning, accessing the parts of your application recorded in the  
workflow.  
6. Did the macro play correctly?  
- If you successfully accessed the parts of your application recorded in the workflow, click Yes. The macro is complete.  
- If you did not successfully access the parts of your application recorded in the workflow, click No. Click Create to start a new macro or see "Debugging Macros" on page 234.  
When you close the Workflow Macro Recorder, if the macro has changed since being saved, you are  
prompted to save changes before continuing.  
Logout Conditions Editor  
The Logout Conditions Editor allows you to create or edit logout conditions for login macros. You can  
specify as many different logout conditions as you need, and if any of them is met, Fortify WebInspect  
or Fortify WebInspect Enterprise invokes the login macro to log back in and resume a scan where it  
Micro Focus Fortify WebInspect (22.2.0)  
Page 231 of 364  
 
 
Tools Guide  
Chapter 19: Session-based Web Macro Recorder  
left off. The final set of all logout conditions should cover all the cases of becoming logged out during  
a scan of the target site.  
When the Session-based Login Macro Recorder successfully detects a logout condition automatically,  
it categorizes the logout condition as one of the following types:  
- Automatic Redirect. This type of logout condition is created when the Session-based Login Macro Recorder detects that the target site responds with a 302 redirect. It takes the form of a regular expression (regex).
- Automatic. This type of logout condition is created when the Session-based Login Macro Recorder detects that the target site responds with anything other than a 302 redirect, for example, with a 200.
Adding a Logout Condition  
To add a new logout condition:  
1. Click the Logout Conditions button in the toolbar.  
2. Click the add icon in the Logout Conditions pane.
A new logout condition is added.  
3. In the Properties pane, construct a regular expression (regex) to identify a logout for this logout  
condition.  
A regular expression is a pattern that describes a set of strings. Regular expressions are  
constructed much like mathematical expressions by using various operators to combine smaller  
expressions. Only users with a working knowledge of regular expressions should use this feature.  
The regex must reflect the difference between a) the response to a logged-in user’s request to  
access a protected page, and b) the response to the same request from the user, while not logged  
in, to access the same protected page. The general steps to construct the regex are as follows:  
a. Start the Web Proxy tool to record web traffic. See the Help for that tool or the Micro Focus  
Fortify WebInspect Tools Guide.  
b. Log in to the target site legitimately and copy the URL of a protected page.  
c. Log out and use the copied URL to try to access the protected page without logging in.  
d. Compare the responses and identify a unique aspect of the response to the attempt to access  
the protected page without logging in.  
e. Open the Regular Expression Editor tool. See the Help for that tool or the Micro Focus Fortify  
WebInspect Tools Guide.  
f. Construct a regex that reflects the unique aspect of the response to the attempt to access  
the protected page without logging in.  
g. Copy the regex into the Regex field in the Logout Conditions Editor.  
4. Click OK to save the logout condition and close the Logout Conditions Editor.  
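The comparison in steps b through d, as an added example that is not part of the WebInspect documentation: a short Python script applies candidate logout-condition regexes to three constructed responses (one logged-in, one 302 redirect to the login page, one 200 that serves the login form in place of the protected page) and confirms that the conditions match only the logged-out responses. The host name, paths, form fields, and the assumption that a condition is matched against the raw response text (status line, headers and body) are mine, not WebInspect's.

```python
"""Test a logout-condition regex against captured responses before using it.

Added example, not part of the Fortify WebInspect documentation. The three
responses are constructed stand-ins for what the Web Proxy tool would capture
in steps b through d above; host, paths and form fields are assumptions.
"""
from __future__ import annotations

import re

# Constructed sample: response to a logged-in request for a protected page.
LOGGED_IN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>Account summary</h1>"
    '<a href="/logout">Sign out</a></body></html>'
)

# Constructed sample: the same URL requested after logging out; the site
# redirects to its login form (the "Automatic Redirect" case above).
LOGGED_OUT_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://app.example.test/login?next=%2Faccount\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: a site that answers 200 but serves the login form in
# place of the protected content (the "Automatic" case above).
LOGGED_OUT_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body><form action="/login" method="post">'
    '<input name="username"><input name="password" type="password">'
    "</form></body></html>"
)

# Candidate logout conditions. Assumption: each regex is applied to the raw
# response text (status line, headers and body).
LOGOUT_CONDITIONS = {
    # Redirect to the login page: require both the 302 status line and a
    # Location header pointing at /login, so an unrelated 302 does not count.
    "redirect_to_login": re.compile(
        r"^HTTP/1\.[01] 302 .*?\r\nLocation: https?://[^/\r\n]+/login",
        re.DOTALL,
    ),
    # Login form served in the body: require the form action and a password
    # field, not just the word "login", which appears on logged-in pages too.
    "login_form_in_body": re.compile(
        r'<form[^>]+action="/login"[^>]*>.*?type="password"', re.DOTALL
    ),
}


def matched_conditions(response: str) -> list[str]:
    """Names of every logout condition that matches the raw response."""
    return [name for name, rx in LOGOUT_CONDITIONS.items() if rx.search(response)]


def is_logged_out(response: str) -> bool:
    """The scanner's rule: any single matching condition means logged out."""
    return bool(matched_conditions(response))


def check_conditions(logged_in: str, logged_out: list[str]) -> dict[str, bool]:
    """Step d, automated: a usable condition set matches none of the logged-in
    response and every one of the logged-out responses."""
    return {
        "no_false_positive": not is_logged_out(logged_in),
        "all_logouts_detected": all(is_logged_out(r) for r in logged_out),
    }


if __name__ == "__main__":
    print(matched_conditions(LOGGED_IN))            # []
    print(matched_conditions(LOGGED_OUT_REDIRECT))  # ['redirect_to_login']
    print(matched_conditions(LOGGED_OUT_200))       # ['login_form_in_body']
    print(check_conditions(LOGGED_IN, [LOGGED_OUT_REDIRECT, LOGGED_OUT_200]))
```

Run a check like this against your own captures before pasting the regex into the Regex field. Anchor on the status line plus the Location header, or on the form markup, rather than on the bare word "login": a condition that matches any page carrying a "Log in" link fires on every response and makes the scanner replay the login macro constantly, while one that is too narrow lets the scan continue unauthenticated and silently skip the protected functionality it was meant to test.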
Deleting a Logout Condition  
To delete a logout condition:  
1. In the Logout Conditions pane, select the logout condition to delete.
2. Click the delete icon.
Browser Settings  
When using the Session-based Web Macro Recorder in stand-alone mode in Fortify WebInspect or in  
the Fortify WebInspect Enterprise Administrative Console, click the Browser Settings button in the  
toolbar to display the Proxy Settings and Network Authentication tabs.  
Note: Browser settings are not saved in macros.  
Proxy Settings Tab  
Select one of the options described in the following table.

Direct Connection (proxy disabled): Select this option if you are not using a proxy server.

Auto detect proxy settings: Select this option to use the Web Proxy Autodiscovery (WPAD) protocol to locate a proxy autoconfig file and configure the browser's web proxy settings.

Use System proxy settings: Select this option to import the proxy server information from the local machine.

Use Firefox proxy settings: Select this option to import the proxy server information from Firefox.

Configure proxy settings using a PAC file: Select this option to load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in the URL box.

Explicitly configure proxy settings: Select this option to configure a proxy by entering the requested information, as follows:
- Server: Enter the URL or IP address of your proxy server.
- Port: Enter the port number (for example, 8080).
- Type: Select a protocol for handling TCP traffic through a proxy server: Standard, SOCKS4, or SOCKS5.
- Authentication: Select an authentication method. For a description of authentication methods, see the Help or the User Guide for the product.
- User Name: Specify a user name.
- Password: Specify a password.
- Bypass proxy for: If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), select this option and enter the addresses or URLs in the box. Use commas to separate entries.
Network Authentication Tab  
If network authentication is required:  
1. Click Network Authentication.  
2. Select one of the methods from the Method list. Methods are as follows:
- ADFS CBT
- Automatic
- Basic
- Digest
- Kerberos
- Negotiate
- NT LAN Manager (NTLM)
3. Specify a User Name and Password for network authentication.  
4. Select or clear the Client Certificate check box. If selected, complete the Certificate Store fields  
and select a certificate.  
Debugging Macros  
This topic describes the basic steps involved in interactively debugging a macro, mainly in the  
locations pane.  
Viewing Details and State for Locations in Locations Pane  
To view details and state for recorded locations:  
1. In the table in the locations pane, select a location that failed in the macro.  
2. By default, the Details tab shows the Request and Response data. Verify that the Scheme, Host,  
and Port are correct.  
3. Click the State tab to determine if state was lost during macro replay.  
4. If necessary, you can add a new method for keeping state. To do so:  
a. Select a type from the Type drop-down list. Options for Type are:
   - Regex
   - Query
   - Post
   - Cookie
   - Custom
b. Type a name for the new method in the Name field.  
c. Click Add.  
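The Regex state-keeping method from step 4, as an added example rather than the recorder's own implementation: a Python sketch of what such a method has to do, namely capture a value that the server regenerates on every response (here an anti-CSRF token) from the response that precedes the failing step and substitute it into the recorded request before replay. The response, the recorded POST body, the csrf_token parameter name and the rule layout are constructed assumptions; only the Regex type is implemented, and the Query, Post, Cookie and Custom types are left out.

```python
"""Keep state across macro steps with a Regex rule, as on the State tab.

Added example, not the recorder's own implementation. The response, the
recorded request body and the csrf_token parameter are constructed
assumptions about a target application.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: the response to the step that precedes the failing one.
# The server embeds a fresh anti-CSRF token each time it serves the form.
RESPONSE_AT_REPLAY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post" action="/transfer">'
    '<input type="hidden" name="csrf_token" value="a3f9c2e1b7d4">'
    '<input name="amount"></form>'
)

# Constructed sample: the POST body exactly as recorded. It carries the token
# issued during recording, which the server no longer accepts at replay.
RECORDED_POST_BODY = "csrf_token=0ff1ce0ff1ce&amount=100"

# State-keeping rules in the shape the State tab asks for: a Name, a Type and,
# for the Regex type, a pattern whose first group captures the live value.
STATE_RULES = [
    {
        "name": "csrf_token",
        "type": "Regex",
        "pattern": r'name="csrf_token"\s+value="([^"]+)"',
    },
]


def extract_state(response: str, rules: list[dict]) -> dict[str, str]:
    """Run each Regex rule over the response and collect captured values."""
    state: dict[str, str] = {}
    for rule in rules:
        if rule["type"] != "Regex":
            continue  # Query, Post, Cookie and Custom are not implemented here
        m = re.search(rule["pattern"], response, re.DOTALL)
        if m:
            state[rule["name"]] = m.group(1)
    return state


def apply_state(post_body: str, state: dict[str, str]) -> str:
    """Swap recorded parameter values for the values captured at replay time."""
    params = {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}
    for name, value in state.items():
        if name in params:
            params[name] = value
    return urlencode(params)


def replay_step(response_before: str, recorded_body: str) -> str:
    """Rewrite the recorded request using state taken from the prior response."""
    return apply_state(recorded_body, extract_state(response_before, STATE_RULES))


if __name__ == "__main__":
    print(extract_state(RESPONSE_AT_REPLAY, STATE_RULES))
    print(replay_step(RESPONSE_AT_REPLAY, RECORDED_POST_BODY))
```

The recorded body still carries the token issued at recording time, which is exactly the stale value that shows up on the State tab as lost state and makes the step fail on replay. Keep the capture group as narrow as the application allows (the token attribute, not the whole form), and check the Request data on the Details tab after replay to confirm the substituted value is the one the preceding response actually issued.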
Playing a Step (Location)  
To play one step or location:  
1. In the table in the locations pane, select a location that failed in the macro.  
2. Click Play Highlighted.  
Disabling/Enabling a Step (Location) During Replay  
Disabled steps or locations remain in the macro and can be re-enabled in the future, but are not  
played.  
To disable a macro step or location during replay:
- In the table in the locations pane, clear the check box in the Run column for the location.
To re-enable a macro step during replay:
- In the table in the locations pane, select the check box in the Run column for the location.
Deleting a Step (Location)  
To permanently remove a location from the macro:  
1. In the table in the locations pane, select a location that failed in the macro.  
2. Click Delete Highlighted.  
Chapter 20: Web Macro Recorder with Macro Engine 7.1
Fortify WebInspect, Fortify WebInspect Enterprise, and Fortify ScanCentral DAST include two Web  
Macro Recorder with Macro Engine 7.1 tools: one for login macros and one for workflow macros. In  
this document, these two tools are referred to generally as "Web Macro Recorder" except for specific  
login-related and workflow-related content.  
About the Term “Sensor”  
A Fortify WebInspect sensor is the Fortify WebInspect application when connected to Fortify WebInspect Enterprise or Fortify ScanCentral DAST for the purpose of performing remotely scheduled or requested scans with no direct user interaction through the Fortify WebInspect user interface. When content in this document applies to Fortify WebInspect, Fortify WebInspect Enterprise, and Fortify ScanCentral DAST, the term "sensor" is used.
About Macros  
A login macro is a recording of the events that occur when you access and log in to a website. You can  
subsequently instruct the sensor to begin a scan using this recording. A workflow macro is a recording  
of specific URLs on a site. For more information, see "Login Macros" on page 240 and "Workflow Macros" on page 241.
TruClient Technology
The Web Macro Recorder with Macro Engine 7.1 tool was designed with TruClient technology. It uses  
event-based functionality and TruClient browser technology to record and play macros.  
Web Macro Recorder Limitations  
The Web Macro Recorder does not support the recording of Flash or Silverlight applications.  
The TruClient technology used in the Web Macro Recorder is an adaptation of the Ajax TruClient  
technology originally developed for use with Micro Focus LoadRunner and Micro Focus Performance  
Center. It does not incorporate or support all the capabilities of the fully-featured version in those  
products.  
Cookie Headers in Macros  
When you play a macro, the sensor does not send any cookie headers that may have been  
incorporated in the recorded macro.  
URLs in Macros  
If a URL is in a macro, the request is always sent when the macro is played, regardless of any exclusion  
rules in scan settings.  
Accessing the Web Macro Recorder with Macro Engine 7.1
The following paragraphs describe the various ways to launch the Web Macro Recorder with Macro  
Engine 7.1 in Fortify WebInspect, Fortify WebInspect Enterprise, and Fortify ScanCentral DAST.  
Login Macros in Fortify WebInspect or Fortify WebInspect Enterprise
You can record a new login macro or select (and optionally edit) an existing login macro that was  
recorded using TruClient browser technology in Fortify WebInspect or Fortify WebInspect Enterprise  
in the following ways:  
- When configuring a Guided Scan with Firefox as the rendering engine, specify that the target site requires a login macro, and click Create to record a new login macro or select (and optionally edit) an existing login macro.
- When configuring a Basic Scan in Fortify WebInspect or a Web Site Scan in Fortify WebInspect Enterprise with Firefox as the rendering engine, in Step 2 select Site Authentication and record a new login macro or select (and optionally edit) an existing login macro.
- On the Fortify WebInspect toolbar, click Tools > Login Macro Recorder > Macro Engine 7.1 to run the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.
- In Fortify WebInspect Enterprise, on the Administrative Console toolbar, click Tools > Login Macro Recorder > Macro Engine 7.1 to open the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.
- Using the Security Toolkit, click Start > Fortify > Login Macro Recorder (Event) to run the Login Macro Recorder in stand-alone mode, and record a new login macro or open (and optionally edit) an existing login macro.
- From Windows Explorer, navigate to an existing login macro that was recorded using the Login Macro Recorder with Macro Engine 7.1, and double-click to open it. The Login Macro Recorder opens in stand-alone mode.
Workflow Macros in Fortify WebInspect or Fortify WebInspect Enterprise
You can record a new workflow macro or select (and optionally edit) an existing workflow macro that  
was recorded using TruClient browser technology in Fortify WebInspect or Fortify WebInspect  
Enterprise in the following ways:  
- When configuring a Guided Scan with Firefox as the rendering engine, specify that the Scan Type is Workflows and later, in the Workflows > 1. Manage Workflows step, record a new workflow macro or import (and optionally edit) an existing workflow macro.
- When configuring a Basic Scan in Fortify WebInspect with Firefox as the rendering engine, in Step 1 select Workflow-Driven Scan and click Record or Manage to record a new workflow macro or select (and optionally edit) an existing workflow macro.
- On the Fortify WebInspect toolbar, click Tools > Workflow Macro Recorder > Macro Engine 7.1 to run the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.
- In Fortify WebInspect Enterprise, on the Administrative Console toolbar, click Tools > Workflow Macro Recorder > Macro Engine 7.1 to open the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.
- Using the Security Toolkit, click Start > Fortify > Workflow Macro Recorder (Event) to run the Workflow Macro Recorder in stand-alone mode, and record a new workflow macro or open (and optionally edit) an existing workflow macro.
Login Macros in Fortify ScanCentral DAST  
After you have downloaded the Web Macro Recorder tool to your local machine from the ScanCentral  
DAST REST API container, you can open the Login Macro Recorder in the following ways:  
- When configuring a standard scan in the Fortify ScanCentral DAST Settings Configuration wizard, on the Authentication page, click Open Macro Recorder 7.1.
Important! You cannot open the Web Macro Recorder if it has not been downloaded and installed on your local machine.
- To run the Login Macro Recorder in stand-alone mode, click Start > Fortify ScanCentral DAST > Login Macro Recorder, and record a new login macro or open (and optionally edit) an existing login macro.
For more information about downloading the Web Macro Recorder, see the Micro Focus ScanCentral  
DAST Configuration and Usage Guide.  
Workflow Macros in Fortify ScanCentral DAST  
After you have downloaded the Web Macro Recorder tool to your local machine from the ScanCentral  
DAST REST API container, you can open the Workflow Macro Recorder as follows:  
- When configuring a workflow-driven scan in the Fortify ScanCentral DAST Settings Configuration wizard, on the Target page, click Open Workflow Macro Recorder 7.1.
Important! You cannot open the Web Macro Recorder if it has not been downloaded and installed on your local machine.
- To run the Workflow Macro Recorder in stand-alone mode, click Start > Fortify ScanCentral DAST > Workflow Macro Recorder, and record a new workflow macro or open (and optionally edit) an existing workflow macro.
For more information about downloading the Web Macro Recorder, see the Micro Focus ScanCentral  
DAST Configuration and Usage Guide.  
Login Macros  
A login macro is a recording of the activity that is required to access and log in to a website or web  
application, typically by entering a user name and password and clicking a button such as Log In or  
Log On. When you configure a scan, you usually specify a previously recorded login macro or record a  
new one at the time for the scan to use.  
Logout Conditions  
To prevent the scan from terminating prematurely if the sensor gets logged out of your application, a  
login macro should also specify at least one logout condition that definitively indicates that a logout  
has occurred. During a scan, the sensor can get logged out for a variety of reasons, including:  
- Normal logout driven by the target site
- An error condition in the target site such as a timeout
- An error in the macro itself, such as an invalid parameter
Specifying a logout condition as part of the login macro makes it unnecessary for users to manually  
log back in, perhaps repeatedly, when unexpected logouts occur during a scan. When scanning a site,  
the sensor analyzes every target site response to determine the state. If the sensor determines at any  
time that it is logged out, it runs the login macro to log back in, and then it resumes crawling or  
auditing the site at the point where the logout occurred.  
You can specify multiple logout conditions, and if any of them are met, the sensor plays the login  
macro to log back in and resume the scan where it left off.  
Workflow Macros  
A workflow macro is a recording of the specific URLs to which you manually navigate on a site. When  
you configure a Basic Scan in Fortify WebInspect or a scan in Fortify ScanCentral DAST, you specify a  
previously recorded workflow macro or record a new one at the time for the scan to use. The sensor  
audits only the URLs that are recorded in the workflow macro and does not follow any hyperlinks  
encountered during the audit. This type of macro is used most often to focus on a particular  
subsection of an application. In terms of the macro recording process, the essential differences from  
login macros are that:  
- Workflow macros include only the specific URLs to which a user navigated while recording them. Workflow macros access only those URLs upon replay.
- Workflow macros do not require logout conditions.
Note: If your website requires authentication, do not record login steps in a workflow macro. Instead, record a separate login macro to log in to your website. For more information, see "Login Macros" on page 240.
Understanding the User Interface
The Web Macro Recorder opens with two windows side by side as shown in the following image.  
The following table describes the two windows.

1. The TruClient sidebar window. Use this window to control the recording and editing functions.
2. The TruClient browser window. Use this window to access your website.
TruClient Sidebar Masthead  
The following table describes the icons that are available in the masthead of the TruClient sidebar.

Search: Opens the search panel. The drop-down menu provides options to search the macro or go to a specific step number. For more

General Settings: Opens the General Settings dialog box. For more information,
TruClient Sidebar Toolbars  
The following table describes the toolbars, which are available at the top of the TruClient sidebar.

Open / New: Opens an existing macro or script file, or creates a new one.

Save / Save As: Saves a new macro or script file, or a copy of an existing file.

Step Level: Modifies the script levels that are visible and replayed in the script.
- Displays and replays level 1 steps only. Level 1 steps are necessary for interacting with the application.
- Displays and replays level 1 and 2 steps. Level 2 steps affect the application in a way that is probably not important to the macro.
- Displays and replays level 1, 2 and 3 steps. Level 3 steps have no apparent effect on the application.
For more information, see "Modifying the Macro Replay Level"

Action List: Displays the actions (a set of steps) that are recorded in the macro.
Note: Options are Init, Action, and End. However, the Init and End options do not apply. The Web Macro Recorder records actions in the Run Logic Action block only.

Manage Actions: Opens the Actions dialog box. For more information, see

Add Step: Opens the TruClient Steps box so that you can add steps to your macro. For more information, see "Using the Steps Box" on page 246.

Record: Starts recording the macro. Additionally, you can use the arrow to specify whether to record before, into, or after the selected step.

Replay: Replays (or resumes replay of) the macro. Additionally, you can use the arrow to specify whether to play the selected step only, or to run the script step by step. Running the script step by step pauses the replay after each step.

Pause: Pauses the replay of the macro.

Stop: Stops recording or replaying the macro.

Toggle Breakpoint: Toggles a breakpoint on the selected step. For more information, see "Using Breakpoints" on page 298.

Undo / Redo: Reverses your last action or restores your original change.

Event Handler Editor: Not supported.

Edit Parameters: Set parameter values. For more information, see "Working with

Edit logout conditions: Opens the Logout Condition Editor. For more information, see

Snapshot view: Not supported.
Context Menu  
Select a step in the TruClient sidebar and right click to display the context menu. The following table  
describes the context menu options.  
Play This Step: Replays the selected step only.

Play From This Step: Replays from the selected step. You cannot use Play From This Step if the target step:
- Is located in an action that is not part of the run logic
- Is inside a For loop or If block
- Is a Catch Error step
- Acts on a Web object that is not available on the current Web page

Play Until This Step: Replays from the beginning and stops before the selected step.

Record > Before step: Inserts the next set of recorded steps before the selected step.

Record > Into step: Inserts the next set of recorded steps into the selected step.

Record > After step: Inserts the next set of recorded steps after the selected step.

Toggle Breakpoint: Inserts or removes a breakpoint on the selected step.

Group Steps: Groups multiple steps together as a single step.

Group Into: Groups multiple steps into:
- Action - A group of steps that you define as a new or existing action.
- If Clause - A logical structure that controls the flow of your script.
- For Loop Clause - A logical structure that repeats the steps contained in the loop a specified number of times.
- New Function - Not supported.

Ungroup Steps: Reverts a grouped step into multiple steps.

Cut: Cuts the selected step from the macro.

Copy: Copies the selected step in the macro.

Paste: Pastes the copied step into the macro.

Export Steps: Copies the selected steps in a macro to paste into another macro.

Import Steps: Pastes the steps that have been exported into a second script.

Delete: Deletes a step from the macro.

Enable/Disable: Toggles between disabling or enabling a step during replay.

Edit Step: Expands the step to display the step, argument, and transaction properties.

Fold All Steps: Minimizes all steps and groups.

Unfold All Steps: Displays all steps and groups.

Reset Auto End Event: Enables you to reset the selected step or steps to Automatic: Not Yet Set.

Change Object Identification Method: Enables you to change the object identification method to:
- Automatic
- XPath
- JavaScript
- Descriptors
Using the Steps Box  
The Steps box (previously called the Toolbox) contains all of the steps that you can add to a macro.  
Adding a Step  
To add a step to a macro:  
1. In the TruClient sidebar, click the Add Step icon.
The Steps box opens.
2. Select the tab for the type of step to add. For more information about the tabs, see the following:
- "Functions Tab" on page 247
- "Flow Control Tab" on page 248
- "Miscellaneous Tab" on page 249
- "Composite Steps Tab" on page 249
3. Select a step in the tabs and drag it to the desired location in the macro.
Marking a Step as Favorite  
You can mark a step as a favorite and then quickly access it in the favorites view.  
To mark a step as a favorite:  
- Click the star icon for the desired step.
Viewing Favorite Steps  
To view your favorite steps:  
- Click the star icon in the Steps box.
Functions Tab  
The following table describes functions steps.

Verify: Verify that an object exists in the application.

Wait: Wait for a specified number of seconds before continuing with the next step.

Wait for Object: Wait for an object to load before continuing with the next step.

Generic Object Action, Generic Action, or Generic API Action: Blank steps that can be inserted and manually configured. For API argument details, refer to the API Help in the TruClient Help Center at

Call Function: Not supported.

Wait for 2FA: Wait for a two-factor authentication response to be forwarded from the two-factor authentication control center. The two-factor authentication control center processes the SMS and email responses coming from your application server. For more information, see "Using Two-factor Authentication" on
Note: This step is included in the Two-factor Authentication group step.
Flow Control Tab  
The following table describes flow control steps.

For Loop: A logical structure that repeats the steps contained in the loop a specified number of times. For more information, see "Inserting Loops and Loop

If Block: A logical structure that runs the steps contained in the block if the condition is met.
- Add else – Click the Add else link to add an Else section to your If block. If the condition is not met, the steps included in the Else section run.
- Remove else – Removes the Else section from the If block.
Note: The else sections apply to all If types (If Block, If Exists, If Verify, and If Browser). If the Else section contains steps and you click Remove else, the steps are deleted. Copy and paste them into the main body of your macro to save them.

If Verify: A combination of "If Block" and "Verify," a logical structure that runs the steps contained in the block if the condition on a property of the selected object is met.

If Exists: A logical structure that runs the steps contained in the block if the selected object exists in the application.

Break: Causes the loop to end immediately without completing the current or remaining iterations.

Continue: Causes the current loop iteration to end immediately. The macro continues with the next iteration.

Catch Error: Catches an error in the step immediately preceding and runs the contents of the catch error step. For more information, see "Inserting Catch Error Steps" on

Exit: Exits the iteration or the entire macro, depending on the specified setting.

Two-factor Authentication: Sends a request to the two-factor authentication control center to begin the authentication flow. This group step includes basic instructions on how to configure two-factor authentication components. For more information, see
Note: This is a group step that includes the Wait for 2FA step.
Miscellaneous Tab  
The following table describes miscellaneous steps.

Evaluate JavaScript: Runs the JavaScript code contained in the step.

Evaluate JS on Object: Runs the JavaScript code contained in the step after the specified object is loaded in the application.

Comment: A blank step that allows you to write comments in your macro.
Composite Steps Tab  
The Answer Security Questions step allows you to select the interface object (usually a label) that  
asks a security question and the interface object (usually a text box) where the user provides the  
answer. Then you specify the text of the question and the answer.  
Recording a Macro  
When recording a macro, use the TruClient sidebar to control the recording functions and the  
TruClient browser to access your website.  
Recording a Login Macro  
This procedure describes how to record a basic login macro. For information about challenge-  
To record a login macro:  
1. In the TruClient browser, navigate to the start URL for your website.  
2. In the TruClient sidebar, click the Record icon.
3. In the TruClient browser, navigate to the login form and log in to the application.
4. After you log in, click the Stop icon in the TruClient sidebar, but do not log out.
5. In the TruClient sidebar, click the Play icon to verify that your macro logs in correctly.
6. Did the macro log in correctly?
- If yes, the TruClient sidebar prompts you to select an object to indicate a successful login. Proceed to the next step.
Note: If the Force last step to be a validation step setting on the Interactive Options tab is disabled, you will not be prompted to select an object. Proceed to Step 8. For more
- If no, click File > New. If prompted, do not save the macro. Return to Step 1.
7. In the TruClient browser, identify an object that appears only after successful login.
Important! If the Force last step to be a validation step setting on the Interactive Options tab is enabled, the last step must be a "wait for object" step.
A wait action for the selected object is added to the recorded steps.
The Web Macro Recorder attempts to automatically detect a logout condition. For information about how to add or edit logout conditions later, see "Working with Logout Conditions" on
8. Click the Save icon to save the macro.
To add options to the login macro, see "Enhancing Macros" on page 293.  
Recording a Workflow Macro  
To record a workflow macro:  
1. In the TruClient browser, navigate to the start URL for your workflow.
2. In the TruClient sidebar, click the Record icon.
3. In the TruClient browser, navigate to the pages you want to record in the macro.
4. After you record your navigation, click the Stop icon in the TruClient sidebar.
5. Do one of the following:
- To verify that your navigation was recorded correctly, click the Play icon in the TruClient sidebar.
- To add steps from the Steps box to your recorded navigation, click the Add Step icon. For more information, see "Using the Steps Box" on page 246.
6. When you have finished, click the Save icon to save the macro.
Automatic Detection of Client-side Frameworks  
When accessing an application, the Web Macro Recorder attempts to detect client-side frameworks  
that are used in the target application. If the Web Macro Recorder detects such frameworks, an icon  
with a Fortify logo appears to the right of the URL address box in the TruClient browser window.  
Viewing Detected Frameworks  
To view the detected client-side frameworks:  
1. Click the Fortify logo to the right of the URL address.  
The list of detected frameworks appears.  
Tip: If you notice a framework in the list that indicates a single-page application (SPA), you  
can enable the SPA Support option in your scan settings. For more information, refer to the  
Micro Focus Fortify WebInspect User Guide or the Micro Focus Fortify ScanCentral DAST  
Configuration and Usage Guide.  
2. (Optional) Hover over a framework in the list to view its version.  
Note: The Web Macro Recorder cannot determine all versions of frameworks. In such cases,  
it indicates "unknown version."  
Editing a Macro  
As you edit a macro, you use the TruClient sidebar to add or edit the recorded steps and the TruClient  
browser to access your website. For more information, see "Understanding the User Interface" on  
To edit a macro:  
1. In the TruClient sidebar, click the drop-down arrow in the File icon ( ) and select Open.  
2. Add or edit steps in the macro. For more information, see "Enhancing Macros" on page 293 and  
3. Click the save icon ( ) to save the macro.  
Searching the Macro  
You can search the macro or go to a specific step number in the macro.  
Searching the Steps  
To search the macro:  
1. In the TruClient sidebar, click the search icon ( ).  
The search panel opens.  
2. Optionally, specify what to search in the drop-down lists. Options for the search scope are:  
• Current View - searches only steps that are visible  
• Whole Script - searches all steps, even those that are not expanded  
Options for the entity type are:  
• All - searches in steps and transactions  
• Steps - searches steps only  
Note: Transactions are not used in the Web Macro Recorder, so the Transactions entity type does not apply.  
3. Type a search string in the search box.  
For a Current View search, the search string is highlighted in the visible steps and/or transactions  
as you type.  
For a Whole Script search, a list of the steps and/or transactions in which the search string is  
found appears as you type.  
4. Press the Enter key to navigate through the search results.  
Tip: You may also use the Go to the next result and Go to the previous result icons beside  
the result count to navigate through the search results.  
Going to a Specific Step Number  
To go to a specific step number in the macro:  
1. In the TruClient sidebar, click the search icon drop-down arrow ( ), and then select Go To.  
The Go To dialog box appears.  
2. In the Step number box, type a number.  
3. Click Go To.  
The step is highlighted in the macro.  
Using the CLI  
You can perform some common tasks using the Web Macro Recorder with Macro Engine 7.1 by way  
of the command-line interface (CLI).  
Launching the CLI  
To launch the CLI:  
• Right-click the Windows Command Prompt (cmd.exe) application, and select Run as administrator.  
The Administrator: Command Prompt window appears.  
Important! At the command prompt, use the cd command to change the current working directory to the directory where the Web Macro Recorder application is installed.  
The Web Macro Recorder is installed in the same directory as Fortify WebInspect. By default, the installation directory is:  
C:\Program Files\Fortify\Fortify WebInspect  
CLI Options  
The following table describes the options that are available for the Web Macro Recorder tool in the  
CLI.  
To...                                                        Type the following at the command prompt...  
Record a login macro:  
    macrorecorder.exe  
Load an existing login macro for editing:  
    macrorecorder.exe --fileToLoad 'PathToFile'  
Record a workflow macro:  
    macrorecorder.exe --workflow  
Load an existing workflow macro for editing:  
    macrorecorder.exe --fileToLoad 'PathToFile' --workflow  
Load and automatically play an existing login macro so that a workflow macro can be recorded:  
    macrorecorder.exe --pre-workflow-login 'PathToLoginFile' --workflow  
Load and automatically play an existing login macro followed by an existing workflow macro for editing:  
    macrorecorder.exe --fileToLoad 'PathToFile' --pre-workflow-login 'PathToLoginFile' --workflow  
Display the CLI help:  
    macrorecorder.exe --help  
Challenge-Response Authentication  
Challenge-response authentication is a family of protocols in which the server presents a question  
(the challenge) and the client must provide a valid answer (the response). In the simplest example,  
the challenge asks for a password and the valid response is the correct password.  
Multiple Challenges  
Some websites present multiple challenges to the user. Typically, when a user first registers with a  
website, the site presents a list of questions to which the user provides answers that will be used for  
subsequent authentication. For example:  
• What is your favorite color?  
• What was the name of your first pet?  
• In what town or city were you born?  
• What was the make of your first automobile?  
When the user later attempts to log in, the website presents two or more of these challenges.  
Groups of Challenges  
Some sites also create groups of challenges, and present questions from the groups on each new  
login attempt, as demonstrated in the following example.  
When registering for the example website, the user is asked to provide answers to nine questions,  
which are arranged into three groups of three questions each, as follows.  
Group 1  
Q: What is your quest? A: happiness  
Q: What is your name? A: Smith  
Q: What is your favorite color? A: blue  
Group 2  
Q: What is the name of your favorite pet? A: Rusty  
Q: What is your mother's maiden name? A: Jones  
Q: In what state were you born? A: Delaware  
Group 3  
Q: What is the capital of Mongolia? A: Ulaanbaatar  
Q: What is the name of a sea bird? A: Albatross  
Q: What is your paternal grandmother's first name? A: Esther  
The login page might look like this (using the first question from each group):  
Recording a Macro for Challenge-Response Logins  
When recording a macro for a challenge-response type of login, you must know all possible question-  
and-answer combinations, even if only a subset of those combinations might be presented during any  
one login. You enter these combinations manually, as special steps as you record a macro.  
At the point where the target site asks the challenge questions, usually after logging in with username  
and password credentials, use the following procedure to manually create the required steps for the  
set of questions:  
1. While recording the macro, click the Stop icon ( ) in the TruClient sidebar.  
2. Click the Add Step icon ( ).  
3. Click Composite Steps, and then click and drag the Answer Security Question step into the  
recorded steps.  
A new step is created.  
4. Click the first Click to choose an object link in the new step and then, in the TruClient browser  
window, click the object representing the question (usually a label).  
5. Click the second Click to choose an object link in the new step and then, in the TruClient  
browser window, click the object representing the answer (usually a text box).  
6. In the TruClient sidebar, click the Step Editor icon ( ) for the Answer Security Question step.  
The Step Editor opens.  
7. Click (expand) the Security Questions section.  
8. Click to open the Security Questions editor.  
9. In Security Questions Editor, click the Add a new question icon ( ).  
A new question appears with the default name "Question1." Its properties include the text box  
labeled Question (also shown with a default value of "Question1") and the text box labeled  
Answer, with a default value of "Answer1."  
10. In the Question text box, type over the default text with the actual question exactly as it appears  
on the login page, including capitalization and punctuation. The question in the left pane is  
simultaneously updated.  
Important! Be sure to enclose the text in quotation marks.  
11. In the Answer box, enter the correct response in quotation marks.  
12. Repeat Steps 9 through 11 to add the information for the second question that might appear in  
the same location on the web page. In this example, the question is "What is the name of your  
favorite pet?"  
13. Repeat Steps 9 through 11 to add the information for the third question that might appear in the  
same location on the web page. In this example, the question is "What is the capital of Mongolia?"  
14. Click OK.  
The questions and answers are added to the table in the Security Questions section in the macro  
step.  
Tip: If you later need to edit a question or answer, reopen the Security Questions Editor.  
This completes the macro step for this particular location on the web page. To create more questions  
and answers for additional challenges, continue with "Adding Questions and Answers for Additional Challenges" on page 257.  
Adding Questions and Answers for Additional Challenges  
To add questions and answers for additional challenges:  
1. Do one of the following to refresh the web page until the second set of questions appears:  
• Click in the TruClient browser window and press F5.  
• Right-click in the TruClient browser window and select the Reload icon.  
location on the web page.  
3. Do one of the following to refresh the web page until the third set of questions appears:  
• Click in the TruClient browser window and press F5.  
• Right-click in the TruClient browser window and select the Reload icon.  
on the web page.  
Recording Additional Steps  
If you need to record additional steps after creating steps for all possible question-and-answer  
combinations, then do the following:  
1. In the TruClient sidebar, select the last step you created.  
2. Click the drop-down arrow in the Record icon ( ) and select Record after selected step.  
3. Continue recording as usual.  
4. Click the Stop icon ( ).  
5. Replay and save the macro.  
Using Two-factor Authentication  
After recording your login macro, you can add a Two-factor Authentication group step to the macro  
to use two-factor authentication in a scan in Fortify WebInspect or Fortify ScanCentral DAST.  
Note: Two-factor authentication is not supported in Fortify WebInspect Enterprise.  
Important! If testing locally prior to using two-factor authentication in a scan, then you must first  
configure the two-factor authentication control center and the Fortify2FA mobile application.  
For more information, see "Configuring Settings" on page 307.  
Recommendation  
Fortify strongly recommends that you use test phones and test email addresses only. For privacy  
concerns, do not use personal phones and email addresses.  
Known Limitations  
The following known limitations apply to the two-factor authentication feature:  
• Only POP3 servers that support unique ID listing (UIDL) are supported.  
• Currently, only Android mobile phones are supported.  
• The mobile phone requires a Wi-Fi connection on the same subnet where Fortify WebInspect is installed.  
Guidelines  
Follow these guidelines when configuring Two-factor Authentication:  
• You cannot have a Two-factor Authentication group step inside another Two-factor Authentication group step.  
• You cannot have two Wait for 2FA steps inside a Two-factor Authentication group step.  
• You must configure a Type step and a Click step after the Wait for 2FA step to complete the log in process.  
• When configuring a login macro for Two-factor Authentication, the login step must be inside the Two-factor Authentication group step as shown in the following image.  
Adding a Two-factor Authentication Group Step  
The Two-factor Authentication group step sends a request to the two-factor authentication control  
center to begin the authentication flow.  
Important! The Two-factor Authentication group step includes a Wait for 2FA step that you  
must also configure. Otherwise, the Two-factor Authentication group step will fail.  
To add a Two-factor Authentication group step:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the Two-factor Authentication group step to the recorded steps, and drop it  
after the username and password have been entered.  
By default, an SMS Two-factor authentication step is added.  
4. Continue according to the following table.  
For...                Do this...  
SMS Responses  
Expand the Arguments and configure the following:  
• In the Phone Number box, enter the phone number that will receive SMS responses.  
Tip: You can enter JavaScript, but the result of the JavaScript execution must be the phone number. You can also use a Parameter Name. For more information, see  
• In the Regular Expression box, construct a regular expression that will extract only the token from the SMS response.  
Tip: Click the drop-down arrow for a sample regular expression.  
Email Responses  
a. Expand the Step.  
b. In the Action list, select Email Two-factor authentication.  
c. Expand the Arguments and configure the following:  
◦ In the Email box, enter the email address that will receive the email response.  
Tip: You can enter JavaScript, but the result of the JavaScript execution must be the email address. You can also use a Parameter Name. For more information,  
◦ In the Server box, enter the IP address or URL for the email server.  
◦ In the Server Port box, enter the port used for email messages.  
◦ In the TLS box, select whether the email server uses the TLS protocol.  
Note: The default setting is true.  
◦ In the Password box, enter the password for the email account.  
◦ In the Regular Expression box, construct a regular expression that will extract only the token from the email response.  
Tip: Click the drop-down arrow for a sample regular expression.  
Note: Only POP3 servers that support unique ID listing (UIDL) are supported.  
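Both the SMS and the email rows above ask for a regular expression that extracts only the token from the response. The following Python script is an added example, not part of the Tools Guide or the Web Macro Recorder itself: it runs two constructed sample messages (an SMS and an email, both invented here) against a deliberately loose pattern and against patterns anchored on the wording around the code, so you can see why the loose one returns the wrong value. The token formats (a six-digit SMS code, a 4+4 digit email code) and the rule that the first capture group is the token are assumptions made for this example; how the product applies the regex is not specified on this page.

```python
import re

# Constructed sample responses for this example (not captured from any real
# service). The token formats are assumptions made for the example.
SMS_SAMPLE = "Your ExampleBank verification code is 482913. It expires in 10 minutes."
EMAIL_SAMPLE = (
    "Date: 14 Nov 2022 09:41\r\n"
    "Subject: Your sign-in code\r\n"
    "\r\n"
    "Hello,\r\n"
    "Use the one-time passcode 7305 1188 to finish signing in.\r\n"
    "Reference: 20221114-001\r\n"
)

# A pattern that is too loose: it matches the first run of digits anywhere in
# the message, which in the email is the day in the Date header, not the token.
LOOSE_PATTERN = re.compile(r"\d+")

# Patterns anchored on the wording that surrounds the token. The token itself
# is the first capture group, so nothing else from the message is returned.
SMS_TOKEN_PATTERN = re.compile(r"verification code is (\d{6})\b")
EMAIL_TOKEN_PATTERN = re.compile(r"one-time passcode ((?:\d{4}\s?){2})\b")


def extract_token(pattern, message):
    """Return the token a pattern selects from a 2FA message, or None.

    Assumption for this example: the token is the first capture group when the
    pattern has one, otherwise the whole match. Whitespace inside a grouped
    code (such as '7305 1188') is removed so the value can be typed as-is.
    """
    match = pattern.search(message)
    if match is None:
        return None
    raw = match.group(1) if match.lastindex else match.group(0)
    return re.sub(r"\s+", "", raw)


def check_pattern(pattern, message, expected):
    """Compare what a pattern extracts with the token the tester knows is correct."""
    return extract_token(pattern, message) == expected


if __name__ == "__main__":
    print("SMS  :", extract_token(SMS_TOKEN_PATTERN, SMS_SAMPLE))
    print("Email:", extract_token(EMAIL_TOKEN_PATTERN, EMAIL_SAMPLE))
    print("Loose:", extract_token(LOOSE_PATTERN, EMAIL_SAMPLE))
```

Before saving the macro, run the regex you intend to use against a real response captured from your test phone or test mailbox and confirm that the extracted value is the code and nothing else; a pattern that also matches a date, a reference number or part of the sender's address will cause the later Type step to enter the wrong value.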
Configuring the Wait for 2FA Step  
The Two-factor Authentication group step includes a Wait for 2FA step that you must also  
configure. The Wait for 2FA step waits for a two-factor authentication response to be forwarded  
from the two-factor authentication control center.  
Important! The Wait for 2FA step can only be executed inside the Two-factor Authentication  
group step. It cannot be executed as a standalone step.  
To configure the Wait for 2FA step:  
1. By default, the Step Timeout extends the macro playback time by 180 seconds. To extend it  
further, such as in the case of a slow response from the application server, increase the Step  
Timeout setting.  
2. Expand the Arguments and enter a variable name in the Variable box.  
The following image uses TwoFactorResponse as an example.  
The Web Macro Recorder places the response from the control center into this variable.  
Adding Type and Click Steps  
You must also add two Generic Object Action steps inside the Two-factor Authentication group  
step. You must configure one as a Type step that types the response from the control center into the  
two-factor authentication response text box. You must configure the other as a Click step that clicks  
a button, such as Sign In or Next, to gain access to the site.  
To add and configure Type and Click steps:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. In the Functions tab, click and drag the Generic Object Action step to the recorded steps, and  
drop it inside the Two-factor Authentication group step immediately following the Wait for  
2FA step.  
3. Configure the step as follows:  
a. Click Choose an object and follow the instructions to select the two-factor authentication  
response text box.  
b. Expand the Step, and then select Type from the Action list.  
c. Expand the Arguments.  
d. In the Value box, select JS.  
e. In the Value box, type the variable name you created in the Wait for 2FA step. The  
preceding procedure uses TwoFactorResponse as an example.  
4. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
5. In the Functions tab, click and drag the Generic Object Action step to the recorded steps, and  
drop it inside the Two-factor Authentication group step immediately following the Type step.  
6. Configure the step as follows:  
a. Click Choose an object and follow the instructions to select the button, such as Sign In or  
Next, to gain access to the site.  
b. Expand the Step, and then select Click from the Action list.  
The completed Type and Click steps should be similar to those in the following image. Note their  
placement directly following the Wait for 2FA step.  
Modifying the Macro Replay Level  
As you record a macro, TruClient assigns a level from 1 to 3 to each step. For example, a level 1 step  
is essential to the macro. A click step that occurs in an area of the application that has no effect is  
assigned to level 2. Mouse-over steps are generally considered unnecessary for the macro and are  
assigned to level 3.  
Macro steps are displayed and played with the granularity specified as level 1, 2, or 3 in the step level  
slider in the toolbar at the top of the TruClient browser. The highest granularity is level 3—setting the  
slider to level 3 displays and plays back all the steps at levels 1, 2, and 3. Using higher granularity  
might be required for successful playback, but it can cause the macro to take longer to run. By default,  
the Script Level is set to 1.  
To modify a macro's replay level:  
• In the TruClient browser, click the step-level drop-down arrow ( ) and select one of the following:  
• Level 1 - Displays and replays level 1 steps only. Level 1 steps are necessary for interacting with the application.  
• Level 2 - Displays and replays level 1 and 2 steps. Level 2 steps affect the application in a way that is probably not important to the macro.  
• Level 3 - Displays and replays level 1, 2 and 3 steps. Level 3 steps have no apparent effect on the application.  
If you select a lower level, some steps are hidden. If you select a higher level, additional steps become  
visible.  
Working with Logout Conditions  
The Web Macro Recorder may be able to automatically detect a logout condition for the target  
website. However, you can specify as many different logout conditions as you need, and if any of them  
is met, the sensor will invoke the login macro to log back in and resume a scan where it left off. You  
can add, edit, and delete logout conditions using the Logout Condition Editor.  
Important! The final set of all logout conditions should cover all the cases of becoming logged  
out during a scan of the target site.  
Logout Conditions from Earlier Web Macro Recorder Versions  
Conducting a scan with a macro that uses automatic logout detection and that was recorded in the  
Web Macro Recorder with Macro Engine 5.<version> may yield undesirable results. Fortify  
recommends that you remove the previously-detected logout condition as follows:  
1. Open the existing macro in the Web Macro Recorder with Macro Engine 7.1.  
2. Click the Edit logout conditions icon ( ).  
The Logout Condition Editor opens and displays all logout conditions already detected or  
created.  
3. Delete the existing automatic logout condition.  
4. Play the macro.  
A new logout condition is automatically detected.  
Accessing the Logout Condition Editor  
To open the Logout Condition Editor:  
• After recording a successful login, click the Edit logout conditions icon ( ).  
The Logout Condition Editor opens and displays all logout conditions already detected or created.  
Adding a Logout Condition  
To add a logout condition in the Logout Condition Editor:  
1. Click the Add icon ( ) in the left pane.  
2. Type a name for the new condition in the Name field.  
The name in the left column is simultaneously updated with your changes.  
3. Select which type of logout condition you want to use and complete the information required for  
that type. The following table describes the options.  
Option        Description  
Regex  
With this option, you construct a regular expression (regex). A regular expression is a pattern that describes a set of strings. Regular expressions are constructed much like mathematical expressions by using various operators to combine smaller expressions. Only users with a working knowledge of regular expressions should use this feature.  
The regex must reflect the difference between a) the response to a logged-in user's request to access a protected page, and b) the response to the same request from the user, while not logged in, to access the same protected page. The general steps to construct the regex are as follows:  
a. Start the Web Proxy tool to record web traffic. For more information, see the Web Proxy Help or the Micro Focus Fortify WebInspect Tools Guide.  
b. Log in to the target site and copy the URL of a protected page.  
c. Log out and use the copied URL to try to access the protected page without logging in.  
d. Compare the responses and identify a unique aspect of the response to the attempt to access the protected page without logging in.  
e. Open the Regular Expression Editor. For more information, see the Regular Expression Editor Help or the Micro Focus Fortify WebInspect Tools Guide.  
f. Construct a regex that reflects the unique aspect of the response to the attempt to access the protected page without logging in.  
g. Copy the regex into the Regex field of the Logout Condition Editor.  
URL  
When you select this option, the currently displayed web page is automatically used as the default value. You can specify a static URL to which the target site redirects users when it logs them out. Do not specify the target site's general login page.  
4. Click Close to save the logout conditions and close the Logout Condition Editor.  
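Steps b through f of the Regex option amount to: capture the same protected-page request in both the logged-in and the logged-out state, find what is unique to the logged-out response, and verify that the regex you derive matches that response and not the logged-in one. The following Python script is an added example that is not part of the Tools Guide and does not use any Web Macro Recorder or Web Proxy API; it stands in for the two Web Proxy captures with two constructed HTTP responses (invented for this example, including the /session-expired redirect and the "session has expired" wording) and shows both a usable logout regex and one that is too generic. The same Location header is also what you would put in a URL-type condition, since it is the static URL the site redirects logged-out users to rather than its general login page.

```python
import re

# Constructed HTTP responses standing in for the two Web Proxy captures the
# procedure describes (not recorded from any real site).
LOGGED_IN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>\n"
    "<h1>Account summary</h1>\n"
    "<a href=\"/logout\">Sign out</a>\n"
    "</body></html>\n"
)
LOGGED_OUT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: /session-expired\r\n"
    "\r\n"
    "<html><body>\n"
    "<p>Your session has expired. Please <a href=\"/login\">sign in</a> again.</p>\n"
    "</body></html>\n"
)


def _lines(response):
    """Split a raw response into non-empty lines, normalising CRLF to LF."""
    return [line for line in response.replace("\r\n", "\n").split("\n") if line]


def unique_to_logged_out(logged_in, logged_out):
    """Step d: lines that appear only in the logged-out response.

    These are the candidates for the 'unique aspect' the regex should capture.
    """
    seen = set(_lines(logged_in))
    return [line for line in _lines(logged_out) if line not in seen]


def evaluate_condition(pattern, logged_in, logged_out):
    """Return (matches_logged_out, matches_logged_in) for a candidate regex."""
    return (pattern.search(logged_out) is not None,
            pattern.search(logged_in) is not None)


def is_usable(pattern, logged_in, logged_out):
    """A logout regex is usable only if it fires on the logged-out response
    and stays silent on the logged-in one; anything else would either miss a
    real logout or make the sensor re-login after every request."""
    return evaluate_condition(pattern, logged_in, logged_out) == (True, False)


def redirect_target(response):
    """Location header value, usable for a URL-type condition (None if absent)."""
    m = re.search(r"^Location:\s*(\S+)\s*$", response, re.MULTILINE)
    return m.group(1) if m else None


# Candidate regexes. '<html>' appears in both responses, so it is useless as a
# logout condition; the expiry wording and the redirect target are specific to
# the logged-out state.
TOO_GENERIC = re.compile(r"<html>")
USABLE_BODY = re.compile(r"Your session has expired")
USABLE_HEADER = re.compile(r"^Location:\s*/session-expired\s*$", re.MULTILINE)


if __name__ == "__main__":
    for line in unique_to_logged_out(LOGGED_IN_RESPONSE, LOGGED_OUT_RESPONSE):
        print("only in logged-out response:", line)
    for name, pat in [("TOO_GENERIC", TOO_GENERIC), ("USABLE_BODY", USABLE_BODY),
                      ("USABLE_HEADER", USABLE_HEADER)]:
        print(name, evaluate_condition(pat, LOGGED_IN_RESPONSE, LOGGED_OUT_RESPONSE))
    print("URL-type condition:", redirect_target(LOGGED_OUT_RESPONSE))
```

When you have several protected pages, repeat the check against each pair of captures: a condition that is only correct for one page may be too generic for another, and, as the Important note above says, the final set of conditions should cover every way of becoming logged out during the scan.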
Editing a Logout Condition  
To edit an existing logout condition in the Logout Condition Editor:  
1. Select the logout condition to edit in the left pane.  
The Properties pane lists the properties.  
2. Edit the properties as needed.  
3. Click Close to save the logout conditions and close the Logout Condition Editor.  
Deleting a Logout Condition  
To delete an existing logout condition in the Logout Condition Editor:  
1. Select the logout condition to delete in the left pane.  
2. Click the Delete icon ( ).  
A Confirm Delete prompt appears.  
3. Click Yes.  
4. Click Close to save the logout conditions and close the Logout Condition Editor.  
Working with Actions  
You create and run actions in the Actions tab, which you access from the bottom of the TruClient  
sidebar window.  
From this tab, you record, edit, and replay your macros.  
Adding an Action to Your Macro  
To add an action to your macro:  
1. Click the Manage Actions icon ( ) at the upper right hand corner of the TruClient sidebar  
window.  
The Manage Actions dialog box appears.  
2. Click the Add action icon ( ). Give the action a meaningful name.  
Rearranging the Order of Actions  
To rearrange the order of actions:  
1. Click the Manage Actions icon ( ) at the upper right hand corner of the TruClient sidebar  
window.  
The Manage Actions dialog box appears.  
2. Select an action.  
3. Click the Move up or Move down icons ( ) to move the action up or down in the list.  
Deleting an Action  
To delete an action:  
1. Click the Manage Actions icon ( ) at the upper right hand corner of the TruClient sidebar  
window.  
The Manage Actions dialog box appears.  
2. Select the action to delete.  
3. Click the Delete icon ( ).  
Working with Parameters  
When recording a macro, you can use parameters to do the following:  
• Create parameters for the user name and password to allow testers to use their own authentication credentials when starting a scan or to use multiple credentials for a multi-user login scan. For more  
• Create a parameter for the URL to allow testers to designate an alternate URL when the macro runs. This method may be useful if your application resides in multiple environments and you want to run scans as part of a continuous integration and continuous delivery (CI/CD) pipeline. For more  
• Create parameters for phone number, email, and email password to allow testers to conduct multi-user login scans that require two-factor authentication. For more information, see "Creating Parameters for Two-factor Authentication" on page 275.  
Case-sensitive Parameter Names  
Parameter names are case sensitive and must contain lowercase letters only.  
Using Username and Password Parameters  
After creating and testing your login macro, you can create username and password parameters that  
replace the recorded values with parameter names. You can then create a list of values to substitute  
for the username and password parameters during playback.  
Creating Parameters in Steps  
You can create username and password parameters directly in steps using the context menu.  
To create parameters in steps:  
1. In the step that contains the username, click the Step Editor icon ( ).  
The Step Editor opens.  
2. Click (expand) Arguments.  
3. In the Value box, select the value and then right-click.  
4. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
5. In the Parameter Name box, type username, and then click OK.  
Important! Parameter names are case sensitive and must contain lowercase letters only.  
6. In the step that contains the password, click the Step Editor icon ( ).  
The Step Editor opens.  
7. Click (expand) Arguments.  
8. In the Value box, select the value and then right-click.  
9. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
10. In the Parameter Name box, type password, and then click OK.  
The username and password parameters have been created directly in steps where they will be used  
during playback. You must now use the Parameters Dialog to create the lists of values for the  
username and password parameters.  
Creating List of Values in the Parameters Dialog  
Use the Parameters Dialog to create the lists of values to substitute for the username and password  
parameters.  
To create a list of values:  
1. In the TruClient sidebar, click the Edit Parameters icon ( ).  
The Parameter Dialog opens with the parameters listed.  
2. Click the username parameter.  
The list of username values appears. The original value recorded in the macro is listed as the first  
value to use during macro replay.  
Tip: To edit the column name, click the edit icon in the column heading and type a new  
column name, such as User Names.  
3. (Optional) To mask the value entered, select Masked.  
Note: Values that are masked in the Web Macro Recorder are also masked when configuring  
a Guided Scan in Fortify WebInspect and Fortify WebInspect Enterprise.  
4. (Optional) To add another value (for example, to create a list of usernames for a multi-user login  
scan):  
a. Click Add Row.  
b. Place your cursor in the new row.  
c. Type the next value to use during macro replay.  
d. Repeat Steps a through c for each additional value to add.  
5. Click the password parameter.  
The list of password values appears. The original value recorded in the macro is listed as the first  
value to use during macro replay.  
6. (Optional) To mask the value entered, select Masked.  
Note: Values that are masked in the Web Macro Recorder are also masked when configuring  
a Guided Scan in Fortify WebInspect and Fortify WebInspect Enterprise.  
7. (Optional) To add another value (for example, to create a list of passwords for a multi-user login  
scan):  
a. Click Add Row.  
b. Place your cursor in the new row.  
c. Type the next value to use during macro replay.  
d. Repeat Steps a through c for each additional value to add.  
8. Click OK to save the parameters to the macro and close the Parameters Dialog.  
9. Play the macro to verify that it logs in correctly.  
10. Save the macro.  
Policy  
The Policy settings that are visible in the Parameters Dialog are not applicable to Fortify WebInspect.  
Using a URL Parameter  
After creating and testing your login macro, you can create a URL parameter that replaces the  
recorded value with a parameter name.  
Creating the Parameter in a Step  
You can create a URL parameter directly in a step using the context menu.  
To create a parameter in a step:  
1. In the step that contains the URL ("Navigate to..."), click the Step Editor icon ( ).  
The Step Editor opens.  
2. Click (expand) Arguments.  
3. In the Location box, select the value and then right-click.  
4. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
Important! Parameter names are case sensitive and must contain lowercase letters only.  
5. In the Parameter Name box, type a name, such as starturl, and then click OK.  
The starturl parameter has been created directly in the step where it will be used during playback.  
You must now use the Parameters Dialog to create the list of values for the starturl parameter.  
Creating List of Values in the Parameters Dialog  
Use the Parameters Dialog to create the list of values to substitute for the starturl parameter.  
To create a list of values:  
1. In the TruClient sidebar, click the Edit Parameters icon ( ).  
The Parameter Dialog opens with the parameter listed.  
2. Click the URL parameter, which is starturl in this example.  
The list of URL values appears. The original value recorded in the macro is listed as the first value  
to use during macro replay.  
Tip: To edit the column name, click the edit icon in the column heading and type a new  
column name, such as URLs List.  
3. (Optional) To add another value:  
a. Click Add Row.  
b. Place your cursor in the new row.  
c. Type the next value to use during macro replay.  
d. Repeat Steps a through c for each additional value to add.  
4. Click OK to save the parameters to the macro and close the Parameters Dialog.  
5. Play the macro to verify that it logs in correctly.  
6. Save the macro.  
Policy  
The Policy settings that are visible in the Parameters Dialog are not applicable to Fortify WebInspect.  
Creating Parameters for Two-factor Authentication  
After creating and testing your login macro, you can create phone number, email, and email password  
parameters. You can then create a list of values to substitute for these parameters during playback.  
Using parameters for two-factor authentication allows you to conduct a multi-user login scan.  
Tip: After creating parameters in the Web Macro Recorder with Macro Engine 7.1, you can  
configure a multi-user login scan and enter additional phone numbers, email addresses, and email  
passwords in the Scan Settings: Authentication dialog box in Fortify WebInspect.  
Creating a Phone Number Parameter  
You can create a phone number parameter directly in the Two-factor Authentication group step  
using the context menu.  
To create a phone number parameter:  
1. In the Two-factor Authentication group step, click the Step Editor icon ( ).  
The Step Editor opens.  
2. Click (expand) Arguments.  
3. In the Phone Number box, select the number and then right-click.  
4. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
5. In the Parameter Name box, type twofa_phone, and then click OK.  
Important! Parameter names are case sensitive and must contain lowercase letters only.  
Creating Email and Email Password Parameters  
You can create email and email password parameters directly in the Two-factor Authentication  
group step using the context menu.  
To create email and email password parameters:  
1. In the Two-factor Authentication group step, click the Step Editor icon ( ).  
The Step Editor opens.  
2. Click (expand) Arguments.  
3. In the Email box, select the email address and then right-click.  
4. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
5. In the Parameter Name box, type twofa_email, and then click OK.  
Important! Parameter names are case sensitive and must contain lowercase letters only.  
6. In the Password box, select the password and then right-click.  
7. Select Create New Parameter From Selection....  
The Enter Parameter Name dialog box opens.  
8. In the Parameter Name box, type twofa_emailpassword, and then click OK.  
Step Arguments Related to Objects  
The following step arguments related to objects, categorized by role, are available in TruClient:  
• Audio Role  
• Browser Role  
• Checkbox Role  
• Datepicker Role  
• Element Role  
• Filebox Role  
• Flash Object Role  
• Focusable Role  
• Listbox Role  
• Multi_listbox Role  
• Radiogroup Role  
• Slider Role  
• Textbox Role  
• Video Role  
Audio Role  
The following table describes the step argument for the Seek action of the audio role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Time | Sets or returns the current position (in seconds) of the audio playback.  
Browser Role  
The following tables describe the step arguments related to browser role objects.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Activate  
The following table describes the step arguments for the Activate action.  
Argument | Description  
--- | ---  
Ordinal | Defined as an integer.  
Title | Defined as a string. Note: The title is automatically updated during recording and can be set as an alternative step.  
Activate Tab  
The following table describes the step arguments for the Activate Tab action.  
Argument | Description  
--- | ---  
Ordinal | Specifies which tab (integer) to activate.  
Title | Defined as a string. Note: The title is automatically updated during recording and can be set as an alternative step.  
Close Tab  
The following table describes the step arguments for the Close Tab action.  
Argument | Description  
--- | ---  
Ordinal | Specifies which tab (integer) to close.  
Title | Moves the specified browser window to the foreground. Defined as a string. Note: The title is automatically updated during recording and can be set as an alternative step.  
Add Tab  
The following table describes the step arguments for the Add Tab action.  
Argument | Description  
--- | ---  
Location | Specifies the URL to navigate to in the newly opened tab.  
Window | Points to the global window object of the application. Note: The window.location object cannot be used with Internet Explorer. Use the document.URL object instead.  
Navigate  
The following table describes the step argument for the Navigate action.  
Argument | Description  
--- | ---  
Location | Specifies the URL to navigate to.  
Go Back  
The following table describes the step argument for the Go Back action.  
Argument | Description  
--- | ---  
Count | Specifies the number of pages to go back.  
Go Forward  
The following table describes the step argument for the Go Forward action.  
Argument | Description  
--- | ---  
Count | Specifies the number of pages to go forward.  
Resize  
The following table describes the step arguments for the Resize action.  
Argument | Description  
--- | ---  
Width | Specifies the new width. Leaving this blank means do not resize the width.  
Height | Specifies the new height. Leaving this blank means do not resize the height.  
Scroll  
The following table describes the step arguments for the Scroll action.  
Argument | Description  
--- | ---  
X Coordinate | Indicates the new x coordinate. Leaving this blank means do not scroll along the x axis.  
Y Coordinate | Indicates the new y coordinate. Leaving this blank means do not scroll along the y axis.  
Dialog - Confirm  
The following table describes the step argument for the Dialog - Confirm action.  
Argument | Description  
--- | ---  
Button | Indicates OK or Cancel.  
Dialog Prompt  
The following table describes the step arguments for the Dialog Prompt action.  
Argument | Description  
--- | ---  
Value | Indicates the string to enter.  
Button | Indicates OK or Cancel.  
Dialog - Authenticate  
The following table describes the step arguments for the Dialog - Authenticate action.  
Argument | Description  
--- | ---  
Username | Specifies the username to enter.  
Password | Specifies the password to enter.  
Domain | Specifies the domain to enter.  
Button | Indicates OK or Cancel.  
Dialog - Prompt Password  
The following table describes the step arguments for the Dialog - Prompt Password action.  
Argument | Description  
--- | ---  
Password | Specifies the password to enter.  
Button | Indicates OK or Cancel.  
Verify  
The following table describes the step arguments for the Verify action.  
Argument | Description  
--- | ---  
Value | Indicates the value of the property to verify.  
Property | Identifies the property to verify. You can verify the following properties of a browser object: Title (specifies the title of the browser window) and Location (specifies the location of the browser window).  
Condition | Specifies the relationship between the value and property arguments.  
Checkbox Role  
The following table describes the step argument for the Set action of the checkbox role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Checked | Sets the check box to either checked (true) or unchecked (false).  
Datepicker Role  
The following table describes the step argument for the Set Day action of the datepicker role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Day | Represents the day of the month. Value is an integer between 1-31.  
Element Role  
The following tables describe the step arguments related to element role objects.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Mouse Actions  
The following table describes the step arguments for the Mouse Down, Mouse Up, Mouse Over, Click,  
and Double Click mouse actions.  
Note: Mouse Over does not have the X/Y Coordinate arguments.  
Argument | Description  
--- | ---  
Button | Identifies the mouse button that is clicked.  
X Coordinate | Identifies the offset location of the action relative to the upper left corner of the object. If not specified, the default is the center of the object.  
Y Coordinate | Identifies the offset location of the action relative to the upper left corner of the object. If not specified, the default is the center of the object.  
Ctrl Key | Indicates whether this key is pressed during the action.  
Alt Key | Indicates whether this key is pressed during the action.  
Shift Key | Indicates whether this key is pressed during the action.  
Drag  
The following table describes the step arguments for the Drag action.  
Argument | Description  
--- | ---  
Button | Identifies the mouse button that is clicked.  
X Offset | Indicates the amount of pixels to drag the object on the x axis. A positive number indicates a drag to the right.  
Y Offset | Indicates the amount of pixels to drag the object on the y axis. A positive number indicates a drag down.  
Path | Identifies the list of coordinates representing the user drag path. Do not modify this argument.  
Ctrl Key | Indicates whether this key is pressed during the action.  
Alt Key | Indicates whether this key is pressed during the action.  
Shift Key | Indicates whether this key is pressed during the action.  
Note: The X Offset, Y Offset, and Path arguments are mutually exclusive.  
Drag To  
The following table describes the step arguments for the Drag To action.  
Argument | Description  
--- | ---  
Target Object | Indicates that the step object is dragged to this target object.  
HTML 5 | Provides drag and drop support to the browser, making it easier to code. When this argument is "true", only the "Target Object" and "HTML5" arguments are visible. When it is "false", the other arguments are also visible.  
Button | Identifies the mouse button that is clicked.  
X Offset | Identifies the offset from the top left of the target object in the x axis. This number must be positive.  
Y Offset | Identifies the offset from the top left of the target object in the y axis. This number must be positive.  
Ctrl Key | Indicates whether this key is pressed during the action.  
Alt Key | Indicates whether this key is pressed during the action.  
Shift Key | Indicates whether this key is pressed during the action.  
Get Property  
The following table describes the step arguments for the Get Property action.  
Argument | Description  
--- | ---  
Property | Indicates the property whose value will be stored in the specified variable. The list of properties available depends on all the roles of the object. The following are the default properties available for all objects: Visible text (the visible text of the item, corresponding to the DOM textContent property); All text (the entire text of the item, corresponding to the DOM textContent property); Inner HTML (the inner HTML markup of the object, corresponding to the DOM innerHTML property).  
Variable | Indicates the name of the variable in which to store the specified property value.  
Scroll  
The following table describes the step arguments for the Scroll action.  
Argument | Description  
--- | ---  
Horizontally | Specifies the distance (in pixels) to scroll horizontally.  
Vertically | Specifies the distance (in pixels) to scroll vertically.  
Note: Both arguments must be integers, with a minimum and default value of 0. The scrolling is done on the containing document rather than on the element itself.  
Upload  
The following table describes the step arguments for the Upload action.  
Argument | Description  
--- | ---  
Path | Specifies the selected path.  
Verify  
The following table describes the step arguments for the Verify action.  
Argument | Description  
--- | ---  
Value | Indicates the string or number to verify.  
Property | Indicates the object property whose value will be verified. The list of properties available to verify depends on all the roles of the object. The following are the default properties available for verification on all objects: Visible text (identifies items that are visible in the application); All text (identifies items that are in the application but are not necessarily visible; items in this category are contained in the DOM property textContent); Inner HTML (identifies items that are contained in the DOM property innerHTML).  
Condition | Indicates the relationship between the value and property arguments.  
Wait for Property  
The following table describes the step arguments for the Wait for Property action.  
Argument | Description  
--- | ---  
Value | Indicates the value of the specified property that the step will wait for before the step passes.  
Property | Indicates the object property whose value the script will wait for. The list of properties available to wait for depends on all the roles of the object. The following are the default properties available for all objects: Visible text (identifies items that are visible in the application); All text (identifies items that are in the application but are not necessarily visible; items in this category are contained in the DOM property textContent); Inner HTML (identifies items that are contained in the DOM property innerHTML).  
Condition | Indicates the relationship between the value and property arguments.  
Filebox Role  
The following table describes the step argument for the Set action of the filebox role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Path | Specifies the selected path.  
Flash Object Role  
The following table describes the step argument for the Type action of the flash object role.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Value | Specifies what is typed.  
Focusable Role  
The following table describes the step arguments for the Press Key action of the focusable role  
object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Key Name | Specifies Enter or Space.  
Ctrl Key | Indicates whether this key is pressed during the action.  
Alt Key | Indicates whether this key is pressed during the action.  
Shift Key | Indicates whether this key is pressed during the action.  
Listbox Role  
The following table describes the step arguments for the Select action of the listbox role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Text | Indicates the selected string or a regular expression. This value is optional.  
Ordinal | Specifies the order of the selected item in the list. If the text argument is also specified, then this argument refers to the instance of the specified text value in the listbox. An ordinal of 0 generates a random value. If both text and ordinal are left empty, then the default ordinal (1) is automatically filled.  
Inner Object | Allows selecting an option based on TruClient's object identification mechanism for the option element itself, rather than identifying its container object and specifying an Ordinal.  
Multi_listbox Role  
The following tables describe the step arguments related to multi_listbox role objects.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Select  
The following table describes the step arguments for the Select action.  
Argument | Description  
--- | ---  
Text | Indicates the selected string or a regular expression.  
Ordinal | Specifies the order of the selected item in the list. If the text argument is also specified, then this argument refers to the instance of the specified text value in the listbox. An ordinal of 0 generates a random value.  
Multi Select  
The following table describes the step arguments for the Multi Select action.  
Argument | Description  
--- | ---  
Text | The option's text.  
By Ordinal | Specifies the ordinals of the item's Delimiter.  
Delimiter | Specifies the characters used to separate the selected values.  
Radiogroup Role  
The following table describes the step arguments for the Select action of the radiogroup role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Text | Indicates the selected string or regular expression.  
Ordinal | Specifies the order of the selected item in the list. If the text argument is also specified, then this argument refers to the instance of the specified text value in the listbox. An ordinal of 0 generates a random value.  
Slider Role  
The following table describes the step argument for the Set action of the slider role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Value | Specifies the value to which the slider is set.  
Textbox Role  
The following table describes the step arguments for the Type action of the textbox role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Value | Indicates what is typed.  
Clear | Clears the text box before typing. The default is true.  
Typing Interval | Indicates the average time in milliseconds between keystrokes.  
Video Role  
The following table describes the step argument for the Seek action of the video role object.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Argument | Description  
--- | ---  
Time | Sets or returns the current position (in seconds) of the video playback.  
Step Arguments not Related to Objects  
The following tables describe the step arguments not related to objects. The actions in these step  
arguments do not operate on objects. Therefore, they do not have a role.  
Tip: Mandatory arguments are marked with a red star to the left of the argument name in the  
user interface. All arguments can accept JavaScript code and TruClient functions as values.  
Evaluate JavaScript  
The Evaluate JavaScript action runs the JavaScript code contained in the step. The following table  
describes the step argument for the Evaluate JavaScript action.  
Argument | Description  
--- | ---  
Code | Specifies the JavaScript code to run.  
Evaluate JS on Object  
The Evaluate JS on Object action runs the JavaScript code contained in the step after the specified  
object is loaded in the application. It also allows you to interact with the object by using the "object"  
keyword. For example, you can execute object.click(); to initiate a click on the object.  
The following table describes the step argument for the Evaluate JS on Object action.  
Argument | Description  
--- | ---  
Code | Specifies the JavaScript code to run.  
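As an added illustration (not code from the Fortify guide or from TruClient), the block below shows the kind of code that could be placed in an Evaluate JS on Object step: it uses the object keyword, as in the object.click(); example above, to check a login input before the macro types a parameterized (possibly masked) password into it. It assumes that object is the DOM input element the step is bound to; inspectLoginField and fakeElement are hypothetical helpers, and the element used at the bottom is a constructed stand-in so the code also runs outside a browser.

```javascript
// Hypothetical helper for an "Evaluate JS on Object" step. `object` is assumed
// to be the DOM element the step is bound to. It returns a plain report instead
// of throwing, so the step (or a following If block) can decide what to do.
function inspectLoginField(object) {
  const autocomplete = (object.getAttribute("autocomplete") || "").toLowerCase();
  const report = {
    tag: String(object.tagName || "").toLowerCase(),
    // A masked parameter value should only ever land in a masked field.
    isPassword: object.type === "password",
    disabled: Boolean(object.disabled),
    // Browsers should not be invited to remember scan credentials.
    autocompleteOff: autocomplete === "off" || autocomplete === "new-password",
    // A detached or hidden element has no offsetParent.
    visible: object.offsetParent !== null,
  };
  // Minimum conditions for the Type step that follows to be safe and to work.
  report.ok = report.isPassword && !report.disabled && report.visible;
  return report;
}

// Constructed stand-in for an <input> element so the example runs in Node.
// In the real step this object is supplied by TruClient; this factory is not.
function fakeElement(attrs) {
  return {
    tagName: "INPUT",
    type: attrs.type,
    disabled: attrs.disabled || false,
    offsetParent: attrs.hidden ? null : {},
    getAttribute: (name) => (attrs[name] === undefined ? null : attrs[name]),
  };
}

// Usage as the step body would use it: `object` is the bound element.
const object = fakeElement({ type: "password", autocomplete: "off" });
const result = inspectLoginField(object);
if (!result.ok) {
  throw new Error("login field not ready for typing: " + JSON.stringify(result));
}
```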
Catch Error  
The Catch Error action catches an error in the step immediately preceding and runs the contents of  
the catch error step. The following table describes the step argument for the Catch Error action.  
Argument | Description  
--- | ---  
Error Type | Specifies the error type you want to catch: Any; Object identification (indicates that the object the action is performed on cannot be found); Step arguments (indicates that one or more of the arguments to the preceding step is invalid, for example, the data type is wrong); Step Action (indicates that the user action failed, for example, a navigation step did not find the page; for an action on a UI element, this error is triggered if the object was found and the action failed anyway).  
For Loop  
The For Loop is a logical structure that repeats the steps contained in the loop a specified number of  
times. The following table describes the step arguments for the For Loop action.  
Argument | Description  
--- | ---  
Init | Specifies the condition for the initialization operation, which must be met before testing the condition of the first iteration.  
Condition | Specifies the condition for continuing to the next iteration. Options are: true (indicates that the specified condition is met); false (indicates that the specified condition is not met); Regular expression (defines a regular expression as the condition).  
Increment | Increments a counter in the condition.  
Generic API Action  
Generic API Actions are blank steps that can be inserted and manually configured. The arguments  
vary according to the API selected. For API argument details, refer to the API Help in the TruClient  
The following table describes the step argument for the Generic API Action.  
Argument | Description  
--- | ---  
Variable | Specifies the name of the JavaScript variable in which the returned value is stored.  
If Block  
The If Block action is a logical structure that runs the steps contained in the block if the condition is  
met. The following table describes the step argument for the If Block action.  
Argument | Description  
--- | ---  
Condition | Specifies the condition for continuing to the next iteration. Options are: true (indicates that the specified condition is met; this is the default setting); false (indicates that the specified condition is not met); Regular expression (defines a regular expression as the condition).  
Wait  
The Wait action waits for a specified number of seconds (or milliseconds) before continuing with the  
next step. The following table describes the step arguments for the Wait action.  
Argument | Description  
--- | ---  
Interval | Specifies the time value that the step will wait for before the step passes. The default value is 3.  
Unit | Specifies the unit of the interval value. The unit properties available are Seconds (this is the default setting) and Milliseconds.  
Think Time | Specifies whether to include the wait time in the think time calculation. The default setting is true.  
Enhancing Macros  
You can incorporate the following optional enhancements to recorded macros:  
Modifying Steps  
To modify step arguments and objects:  
• Select the desired step and expand the options.  
This expands the step and allows you to modify the objects and properties.  
Inserting Loops and Loop Modifiers  
Loops repeat selected portions of the macro until certain criteria are met or for a specified number of  
iterations. You can insert loops and break/continue loop modifiers from the Flow Control section of  
the Steps box.  
Inserting "For" Loops  
"For" loops perform the steps surrounded by the loop until the end condition is met or the code  
reaches a break statement. Loop arguments use JavaScript syntax.  
To insert a For loop:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the For loop step to the desired location in the recorded steps.  
Inserting "Break" Statements  
Break statements indicate that the current loop should end immediately. For example, if a Break  
statement is encountered in the second of five iterations in a For loop, the loop will end immediately  
without completing the remaining iterations.  
To insert a Break statement:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the Break step to the desired location in the recorded steps.  
Inserting "Continue" Statements  
Continue statements indicate that the current loop iteration should end immediately. The loop  
condition is then checked to see if the entire loop should end as well. For example, if a Continue  
statement is encountered in the second of five iterations in a For loop, the second iteration will end  
immediately and the third iteration will begin.  
To insert a Continue statement:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the Continue step to the desired location in the recorded steps.  
Inserting If Blocks, If-else Blocks, and Exit Steps  
To conditionalize a portion of the macro, you can insert If or If-else blocks. Exit steps cause a macro to  
exit the iteration or the entire macro. These can be used with If statements to exit a macro or iteration  
when a specified condition occurs.  
For information about specific actions and arguments for each of these, see "Step Arguments not Related to Objects".  
Inserting an If Block  
To insert an If block:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the If block step to the desired location in the recorded steps.  
Adding an Else Condition  
To add an else condition:  
1. Click the Add else link in the expanded step.  
2. In the Else field, type the else condition.  
Inserting an Exit Step  
To insert an exit step:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the Exit step to the desired location in the recorded steps.  
Inserting Comments  
You can add comments to your macro so that others can understand what specific steps in the macro  
accomplish.  
To insert comments into your macro:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Miscellaneous.  
3. Click and drag the Comment step to the desired location in the recorded steps.  
4. Type the comment in the space provided.  
Inserting Catch Error Steps  
"Catch error" steps are group steps that run their contents if the previous step contains an error.  
Additionally, the error is "caught" and is not returned. You can define catch error steps to catch any  
error, or a specific type of error. If there are two catch error steps in a row, they both apply to the  
same step.  
Tip: To group steps, use Ctrl + click to select multiple steps, right-click any of them, and click  
Group Steps.  
To insert a catch error step:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Flow Control.  
3. Click and drag the Catch Error step to the desired location in the recorded steps.  
4. Expand the catch error step and configure the argument. For more information, see "Step Arguments not Related to Objects".  
Verifying that an Object Exists  
You can insert a verify step to verify that a string or object exists in the application.  
To insert a verify step:  
1. In the TruClient sidebar, click the Add Step icon ( ).  
The Steps box opens.  
2. Click Functions.  
3. Click and drag the Verify step to the desired location in the recorded steps.  
4. In the verify step, click the Click to choose an object link.  
5. In the TruClient browser, select the object you want to verify.  
Inserting Generic Steps  
You can insert a blank or generic step and manually configure it.  
To insert a generic step:  
1. In the TruClient sidebar, click the Add Step icon ( ).
The Steps box opens.
2. Click Functions.  
3. Click and drag the Generic Object Action step or the Generic Browser Action step to the  
desired location among the macro steps.  
Tip: Generic Object Actions perform an unspecified action on an object. Generic Browser  
Actions perform an unspecified action on the browser such as go back, reload, switch tabs,  
and so on.  
4. Expand the step, and configure the step properties. For more information, see "Step Arguments  
Inserting a Wait Step  
Wait steps cause the macro to pause for a specified amount of time before continuing with the next  
step. Wait for Object steps cause the macro to wait for a specified object to appear in the application  
before continuing with the next step. Wait steps begin after the End Event of the previous step is  
reached. This means that the previous step may continue to run after the wait step has been reached.  
To insert a wait step:  
1. In the TruClient sidebar, click the Add Step icon ( ).
The Steps box opens.
2. Click Functions.  
3. Click and drag the Wait step or the Wait for Object step to the location you want in the recorded  
steps.  
4. If you inserted a Wait for Object step, select the Click to choose an object link to select the  
target object in the application.  
Debugging Macros  
You can try these tasks to interactively debug a macro:  
Viewing Replay Errors  
If any steps failed during replay, they are marked with an error icon ( ).  
To view details about the error:  
• Hover the mouse pointer over the error icon.
A description of the error appears.
Running the Macro Step by Step  
The step-by-step replay pauses the replay after each step, which allows you to view the sequence  
more slowly and in a controlled manner.  
To run the macro step by step:  
• In the TruClient sidebar, select the drop-down arrow in the Replay icon ( ) and select Replay step by step.
The first (or next) step plays and the replay stops.  
Repeat this procedure after each step to continue the step-by-step replay.  
Using Breakpoints  
Breakpoints instruct the macro to stop running during a replay. You can insert (or toggle on)  
breakpoints to help debug a macro. After inserting a breakpoint on a step, the macro plays to the  
breakpoint and pauses. At this point, the Inspector Panel opens at the bottom of the TruClient  
browser. You can then continue playing the macro from the breakpoint.  
Note: The Web Macro Recorder adds a breakpoint automatically if the macro fails during  
playback.  
Inserting a Breakpoint  
To insert a breakpoint:  
1. In the TruClient browser, select the step where you want to insert the breakpoint.  
2. Click the toggle breakpoint icon ( ).  
A breakpoint is added to the step.  
Deleting a Breakpoint  
To delete a breakpoint:  
1. In the TruClient browser, select the step where the breakpoint has been inserted.  
2. Click the toggle breakpoint icon ( ).  
The breakpoint is removed from the step.  
Modifying Step Levels  
As you record a macro, TruClient assigns a level from 1 to 3 to each step. For example, a level 1 step  
is essential to the macro. A click step that occurs in an area of the application that has no effect is  
assigned to level 2. Mouse-over steps are generally considered unnecessary for the macro and are  
assigned to level 3.  
Macro steps are displayed and played with the granularity specified as level 1, 2, or 3 in the step level  
slider in the toolbar at the top of the TruClient browser. The highest granularity is level 3—setting the  
slider to level 3 displays and plays back all the steps at levels 1, 2, and 3. Using higher granularity  
might be required for successful playback, but it can cause the macro to take longer to run. By default,  
the Script Level is set to 1.  
In certain cases, you may want to manually change the level of a particular step, not the entire macro.  
For example, you may want to display and play a particular mouse-over step.  
To change the level of a step:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click the Step Level drop-down arrow and select the desired level.  
Important! If the step is part of a group step, both the group step and the individual step must  
be modified.  
Tip: To group steps, use Ctrl + click to select multiple steps, right-click any of them, and click  
Group Steps.  
Disabling/Enabling Steps  
You can disable recorded steps so that they remain in the macro and can be re-enabled in the future,  
but are not played.  
To disable/enable a macro step during replay:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click the Disable/Enable during replay icon ( ) in the toolbar for the step.  
Tip: Alternatively, to disable or re-enable one or more steps, use Ctrl + click to select them, right-click one of the steps, and click Disable Steps or Enable Steps on the context menu.
Making a Step Optional  
You can make some steps optional. An optional step is skipped during replay if its object is not found.  
To make a step optional:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click the Set step as optional icon ( ) in the step toolbar.
Tip: To make a step non-optional again, click the icon again.  
Playing a Step  
You can play a specific step to inspect the activity recorded in the step.  
To play one step:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click the Play this step only icon ( ) in the step toolbar.  
Playing From a Step to End of Macro  
To start playback at a particular step and continue until the end of the macro:  
1. Select the step where you want to start playback.  
2. Right-click the step, and then select Play From This Step on the context menu.  
Resolving Object Identification Issues  
In dynamic websites, objects that have been recorded can often move or change content. Object  
identification presents one of the biggest challenges with recording and replaying Web 2.0  
applications. The dynamic nature of these sites can cause the macro to fail to locate the object.  
The Web Macro Recorder includes sophisticated mechanisms to overcome this challenge, including  
the Highlight, Improve Object Identification, Replace, and Related Object options within steps that  
have objects. Using these options requires that you select an object in the application. For cases  
where various actions are required in the application to make the object visible, such as mouse over  
and mouse click, use the Ctrl+Alt+F4 option to suspend the object-selection mode until you bring the  
object into view and press Ctrl+Alt+F4 again to select the object.  
When identifying objects for applications recorded in windows, use the Windows tab to make sure  
that the correct window is selected.  
After you perform any of the changes, first replay the single failed step in question, and then replay  
the entire macro. This will help verify whether the change has solved the issue you encountered.  
The following topics describe ways to resolve object identification issues:  
Highlighting an Object  
For help in identifying an object previously selected in a step:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click (expand) Object.  
3. Click Highlight to identify the object in the application.  
If the object is found, it is temporarily highlighted by a blinking box.  
If the object is not found, an error message is displayed. For more information, see "Improving  
Tip: The error could be an issue of pacing and timing, or it might indicate that the correct  
page to find the object is not currently displayed.  
Improving Object Identification  
If highlighting an object fails, you can use the improve object identification function to re-select the  
target object.  
To re-select the object:  
1. In the Step Editor for the failed step, click the Improve object identification icon ( ) next to the  
ID Method field.  
The Web Macro Recorder relearns the properties of the object and compares them to the  
properties learned during recording. Based on the detected differences, you can make the  
necessary adjustments. Depending on how dynamic the application is, you may need to use the  
improve object identification function more than once.  
2. Replay the step to see whether the problem was solved.  
Using Alternative Steps  
Alternative steps allow you to view multiple ways to perform the same action in a step, where it is  
possible. You can modify the step for the best or most consistent macro performance, or for  
debugging purposes.  
For example, you may click on an option in a list in which the text changes based on some value. If you  
try to click based on the text, the step may fail. If you use an alternative step that selects the item in  
the list based on the ordinal value of the option within the list, the click succeeds regardless of the  
text.  
Steps that have alternative options are labeled with an alternative step icon ( ) on the left.  
Viewing and Selecting Alternative Steps  
To view and select alternative steps:  
1. Click the alternative step icon ( ) to view the alternative options for that step.
Tip: If the Step Editor is open, the same icon appears in the step’s toolbar and performs the  
same function.  
The alternative steps are shown.  
2. Do one of the following:  
• To view an alternative step in the application, click the Highlight the object in the AUT icon ( ) to the right of the alternative.
Tip: AUT means application under test.
This performs the same highlighting function as described in "Highlighting an Object" on page 301, with the convenience of allowing you to highlight each alternative one at a time within the macro step.
• To play an alternative step in the application, click the Play icon ( ) to the right of the alternative.
3. Click an alternative to make it active.  
4. Click Back to return to the Step Editor.  
The alternative that you selected is displayed for the step.  
5. Replay the macro to test it.  
Modifying the Object Identification Method  
You can modify the way the Web Macro Recorder identifies the object by modifying the object  
identification method (ID method) in the Object section of the Step Editor.  
Available Methods  
The following table describes the available methods of object identification.  
Method: Automatic
The Automatic method is the default and recommended object identification method. It allows the Web Macro Recorder to use its internal advanced algorithms to locate the object.
Tip: If this method does not successfully find the object during replay, click the Improve object identification icon ( ) and replay the macro again.

Method: XPath
If Automatic identification fails, even after using improve object identification or related objects, try using the XPath identification method. This method identifies the object based on an XPath expression that defines the object in the DOM tree. For example, if you need to select the first search result, regardless of the term being searched for, using XPath identification may help.
Tip: For the XPath ID method, the icon function changes to Regenerate expression. When you click the icon, you can select an object in the interface and create its associated XPath.

Method: JavaScript
This method uses JavaScript code that returns an object. For example, document.getElementById("SearchButton") returns the element that has a DOM ID attribute of "SearchButton".
This method allows you to write JavaScript code that references the returned document. You can use CSS selectors and other standard functions.
For example, suppose the page returned by the server contains multiple links with the same "title" attribute (search results) and you want the script to randomly click one of the available links. Object identification for this case, using the JavaScript identification method, may look similar to the following:
var my_results = document.querySelectorAll('a[title="SearchResult"]');
random(my_results);

Method: Descriptors
Enables you to identify an object by its properties in an editor. For more information, see TruClient Descriptors at
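As an added example (not code from the Fortify documentation or product), the expression below for the JavaScript ID method returns one search-result link by its ordinal position rather than by its text, and a companion helper builds the equivalent expression for the XPath method. The title value "SearchResult" comes from the example above; the doc parameter, the stub document and all function names are assumptions made so the logic can be run outside the browser.

```javascript
// Added example, not part of the Fortify documentation or product.
// A TruClient step needs exactly one element back from a JavaScript ID
// expression. Selecting by a stable attribute plus ordinal position avoids
// depending on link text that changes between replays.
// `doc` stands in for the browser's `document` (assumption) so the logic can
// be exercised with the constructed stub further down.
const RESULT_SELECTOR = 'a[title="SearchResult"]'; // attribute value from the page example

function findSearchResult(doc, index) {
  const results = doc.querySelectorAll(RESULT_SELECTOR);
  if (results.length === 0) {
    return null; // nothing matched: let the step report that the object was not found
  }
  // Clamp the ordinal so a shorter result list still yields a real element.
  const i = Math.min(Math.max(index, 0), results.length - 1);
  return results[i];
}

// Variant of the page's random(my_results) idea with the random source injected,
// so a debugging session can replay the same choice (pass Math.random in the browser).
function pickRandomResult(doc, rand) {
  const results = doc.querySelectorAll(RESULT_SELECTOR);
  if (results.length === 0) return null;
  return results[Math.floor(rand() * results.length)];
}

// Equivalent expression for the XPath ID method. XPath positions are 1-based,
// and the parentheses make [n] apply to the whole node set rather than to each
// <a> element's position among its own siblings.
function xpathForSearchResult(index) {
  return '(//a[@title="SearchResult"])[' + (index + 1) + ']';
}

// Constructed stub of the relevant part of the DOM: three result links with
// the same title attribute but different text, as in the search-results scenario.
function makeStubDocument() {
  const links = ["Result A", "Result B", "Result C"].map((text, n) => ({
    tagName: "A",
    title: "SearchResult",
    href: "/item/" + n,
    textContent: text,
  }));
  return {
    querySelectorAll(selector) {
      return selector === RESULT_SELECTOR ? links : [];
    },
  };
}
```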
Selecting the Object Identification Method  
To select a different object identification method:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click (expand) Object.  
3. Select a different method from the ID Method drop-down list.  
4. Continue as follows:  
• If you selected Automatic, the procedure is complete.
• If you selected XPath, a code snippet appears in an XPath text box below the ID Method list. Optionally, click the drop-down arrow next to the XPath text box and select a suggested XPath code for the object.
Tip: You can click the Edit icon ( ) at the right end of the XPath text box to open the XPath Editor and edit the suggested XPath code.
• If you selected JavaScript, a code snippet appears in a JavaScript text box below the ID Method list. Optionally, click the Edit icon ( ) at the right end of the JavaScript text box to open the JavaScript Editor and edit the suggested JavaScript code.
• If you selected Descriptors, an empty Descriptors text box appears below the ID Method list. Click the Edit icon ( ) to create descriptor conditions for the object. For more information,
Modifying the Macro Timing  
Sometimes objects may not be found because of timing and synchronization issues. For example, the  
macro may be looking for an object that was in the application, but the macro replayed too quickly  
and already progressed to another page. If you suspect that the object is not being found because of  
a timing or synchronization issue, you can insert Wait steps. For more information, see "Inserting a  
Relating Objects to Other Objects  
If other options do not solve the issue with object identification, you can try using the Related  
Objects option.  
If an object becomes difficult to identify on its own, you can label the object based on a different, more  
stable object. For example, you can select an object that is not dynamic and "relate it" to the target  
object. Relations are defined visually, relating objects according to their distance in pixels from other  
objects. Relations are defined per ID method, per object. If more than one relation is defined for an ID  
method of a given object, both relations must locate the same object for the step to pass.  
To use this function:  
1. In the Step Editor for the failed step, click (expand) Object.  
2. Click (expand) Related Objects.  
A relation table appears.  
3. Click the Add a new relation icon ( ).  
The Add related object window appears.  
4. Follow the onscreen instructions to create a relation.  
The anchor object is added to the Related Objects table.  
Tips  
Follow these tips when using the Related Objects option:  
• Use this feature only if other identification methods have failed, as it may be more resource intensive.
• Use the minimum search area to improve performance.
• Related Objects are sensitive to window sizing. Resizing may alter object positions and relationships. Take this into account.
• Each identification method (Automatic, XPath, JavaScript, and Descriptors) has its own set of related objects. These related objects are not shared among identification methods.
• If several relations exist, they must all be found in order for the identification to succeed.
Replacing an Object  
If you selected the wrong object during recording, or an object has permanently changed, you can  
replace it with a different object without replacing the step. This effectively resets the step, deleting  
changes (such as relations) made to the original step.  
Using the Replace option tells the macro recorder that the object currently referenced in the step is  
incorrect. The macro recorder removes all current knowledge of the object and learns the object you  
select. Therefore, you must use the Replace option only if you used the wrong object during  
recording.  
To replace an object:  
1. In the TruClient sidebar, click the Step Editor icon ( ) for the step to change.  
The Step Editor opens.  
2. Click (expand) Object.  
3. Click Replace.  
4. Select the new object.  
5. Replay the macro.  
Configuring Settings  
You can configure browser settings and interactive settings in the TruClient General Settings.  
Accessing the TruClient General Settings  
To access the General Settings:  
1. In the TruClient sidebar, click the General Settings icon ( ).  
The TruClient General Settings window appears.  
2. Configure settings as described in the following topics:  
3. Click Done to save the settings and close the TruClient General Settings window.  
Browser Settings  
The following table describes the options on the Browser Settings tab.  
Setting: User Agent - HTTP Header
Specifies the user agent string for the browser. You can configure user agent settings that will synchronize in both Fortify WebInspect and the Web Macro Recorder with Macro Engine 7.1.
The following list shows sample values, but is not complete:
• Default: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
• Internet Explorer 6: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
• Internet Explorer 7: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
• Internet Explorer 8: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
• Googlebot 2.1: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
• Bingbot: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
• Yahoo! Slurp: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
• iPhone, iOS 14.3: Mozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Mobile/15E148 Safari/604.1
Important! You may also use a custom user agent string. However, Fortify recommends that only advanced users use a custom user agent string.

Setting: User Agent - Navigator Interface
These settings provide information that legacy web applications use to facilitate browser detection. You can customize these settings if you require browser-specific behavior.
• appName - All browsers return "Netscape" as the value of this property.
• appVersion - The browser returns either "4.0" or a string representing version information about the browser.
• platform - The browser returns an empty string or a string representing the platform on which the browser is running. Examples: MacIntel, Win32, Win64, iPhone

Setting: Customize Keep-Alive timeout value
If you select the checkbox to enable this setting, configure the following:
• Keep-Alive timeout (milliseconds) - Specifies the timeout (in milliseconds) for keeping idle connections open. This setting applies to both direct and proxied connections.

Setting: Temporary Internet Files
The browser stores copies of web pages, images, and media for faster viewing later. Configure the check for newer versions of stored pages to determine when the browser is to compare the local copy of a resource (cache) to the Web server. The options are:
• Every time I visit the webpage - The browser checks the resource on every request to see whether the page changed since you last viewed it. If the page has changed, the browser displays the new page and stores it in the Temporary Internet Files folder.
• Every time I start browser - The browser checks the resource on browser start. When you view a website that you have visited before in the same browser session, the browser uses the cached temporary Internet files instead of downloading the page.
• Automatically - The browser checks for new content only when you return to a page that you viewed in an earlier session or on an earlier date. Over time, if the browser determines that images on the page are changing infrequently, it checks for newer images less frequently.
• Never - The browser does not check the Web server for newer content.

Setting: SSL
Specifies the secure connection settings. The Minimum supported secure protocol options are:
• SSL 3.0 - Use Secure Sockets Layer (SSL) 3.0 as the minimum version for secure connections.
• TLS 1.0 - Use Transport Layer Security (TLS) 1.0 as the minimum version for secure connections.
• TLS 1.1 - Use TLS 1.1 as the minimum version for secure connections.
• TLS 1.2 - Use TLS 1.2 as the minimum version for secure connections.

Setting: Proxy
Specifies the proxy settings. The options are:
• Direct connection (proxy disabled) - Make requests without a proxy connection.
• Auto detect proxy settings - Use the Web Proxy Autodiscovery Protocol (WPAD) to locate and use a proxy autoconfig file to configure the browser's web proxy settings.
• Use System proxy settings - Import your proxy server information from the local machine.
• Use Firefox proxy settings - Import your proxy server information from Firefox.
Note: Using browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," then a proxy will not be used.
• Configure proxy settings using a PAC file - Load proxy settings from a Proxy Automatic Configuration (PAC) file in the location you specify in the URL field.
• Explicitly configure proxy settings - Access the Internet through a proxy server. Provide the following server information:
  • Server - Enter the URL or IP address of your proxy server.
  • Port - Enter the port number (for example, 8080).
  • Type - Select the protocol type for handling TCP traffic through the proxy server. The options are: Standard, SOCKS4, or SOCKS5.
  • Authentication - If authentication is required, select a type from the Authentication list. The options are: None, Basic, NTLM, Digest, Automatic, Kerberos, or Negotiate.
  • User Name - If your proxy server requires authentication, enter the qualifying user name.
  • Password - If your proxy server requires authentication, enter the qualifying password.
  • Bypass proxy for - If you do not need to use a proxy server to access certain IP addresses (such as internal testing sites), enter the addresses or URLs in the Bypass Proxy For field. Use commas to separate entries.
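As an added example (not Micro Focus code), here is a minimal PAC file of the kind the Configure proxy settings using a PAC file option loads: it sends requests through an explicitly configured proxy and bypasses it for internal hosts, which is what the Bypass proxy for field does under Explicitly configure proxy settings. The proxy address 127.0.0.1:8080 and the bypass patterns are assumptions, and isPlainHostName and shExpMatch are reimplemented here only because the browser's PAC engine normally supplies them.

```javascript
// Added example, not part of the Fortify documentation or product.
// A PAC file exposes one function, FindProxyForURL(url, host), which returns a
// proxy directive such as "PROXY host:port" or "DIRECT". The browser calls it
// for every request and honours the first directive that works.
const PROXY = "PROXY 127.0.0.1:8080"; // assumption: local intercepting proxy address

// Assumed bypass list, equivalent to a comma-separated "Bypass proxy for" entry.
const BYPASS_PATTERNS = ["*.internal.example", "10.0.0.*", "localhost"];

// Browsers provide these two helpers to PAC scripts; they are reimplemented
// here so the file can be evaluated outside a browser.
function isPlainHostName(host) {
  // A name with no dots is an unqualified intranet host.
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  // Translate a shell-style pattern (* and ?) into an anchored regular
  // expression, escaping every other metacharacter first.
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function FindProxyForURL(url, host) {
  // Unqualified names never leave the local network.
  if (isPlainHostName(host)) return "DIRECT";
  // Hosts on the bypass list are reached directly, exactly as the
  // "Bypass proxy for" field would do for explicit proxy settings.
  for (const pattern of BYPASS_PATTERNS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  // Everything else is routed through the proxy so its traffic is captured.
  return PROXY;
}
```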
Interactive Options  
The following table describes the settings on the Interactive Options tab.  
Setting: Enable webmacro file encryption
Encrypts the entire macro file upon saving. Otherwise, the file is saved in plain text, which exposes user names and passwords. This option is selected (ON) by default.
Note: You can open encrypted macros even if this option is not selected. You can also open encrypted macros that were recorded using Web Macro Recorder with Firefox 30.

Setting: Force last step to be a validation step
Forces the last step in a login macro to be a validation step. After successful playback of a recorded macro, you are prompted to select an object to use for login validation. If you do not select an object, a prompt enforces this setting by asking you to select an object or discard the macro.
This option is selected (ON) by default. If your application does not use an object for login validation, then disable this setting.

Setting: Action on error
Specifies the action that TruClient takes when an error occurs during replay. The options are:
• Abort script - Abort the script on error.
• Continue to the next iteration - Stop the current iteration on error and continue to the next iteration.
• Continue to the next step - Continue to the next step on error.

Setting: Snapshot generation
Not supported.

Setting: Steps generation
Configures settings for step generation. The Default identification method setting options are:
• Replace server with parameter - Replace the server name with a parameter in navigation steps.
• Create alternative steps when applicable - Indicate whether or not to create alternative steps (when applicable).
• Create level 2 or level 3 steps during recording - Indicate whether or not to create steps in level 2 or level 3.

Setting: Debug
The debug settings do not apply to replay outside of debugging. The options are:
• Enable Object Identification Assistant - Enable the object identification assistant.
• Ignore wait steps - Accelerate script debugging by ignoring wait steps.
• Hide inspector panel - If the script hits a breakpoint, hide the inspector panel.
• Automatically populate inspector pane - Automatically load user-defined data to the inspector panel. This option does not apply to coded-action debugging.
Two-Factor Authentication  
Important! Configuring the two-factor authentication control center and mobile application  
applies only to standalone instances of the Web Macro Recorder with Macro Engine 7.1. It is  
intended for testing locally prior to using in a scan.  
"Something you have" two-factor authentication involves an application server sending an SMS or  
email response to the user upon login to the web application. To use two-factor authentication in a  
scan, you must configure a Node.js server as a control center to process the SMS and email responses  
coming from your application server.  
Note: Only POP3 servers that support unique ID listing (UIDL) are supported.  
Two-Factor Authentication Control Center  
To configure the two-factor authentication control center:  
1. In the Local IP Address drop-down list, select an IP address.  
Note: These IP addresses are available on the machine where the Web Macro Recorder with  
Macro Engine 7.1 is installed.  
2. Do one of the following:  
• To use a specific port, select the port from the Port list.
• To have the Web Macro Recorder choose the port, select the Automatically Assign Port check box.
Important! The port for the control center must be exposed in the firewall so that the  
mobile application can access the server.  
3. Click Initialize.  
The control center is started.  
Mobile Application  
If your application server sends SMS responses, then you must install the Fortify2FA mobile  
application and download your two-factor authentication settings to it. After configuration, the  
mobile application receives the SMS response and forwards it to the control center.  
Note: Currently, the mobile application is available only for Android operating systems.  
To configure the mobile application:  
1. In the Phone Number box, enter the phone number that will receive SMS responses.  
2. Click Generate QR Code.  
The control center generates a quick response (QR) code that includes the two-factor  
authentication settings and a link to download the mobile application.  
3. Install and configure the mobile application. For more information, see "Installing and Configuring  
Tip: If you use multiple threads in the scan, you might want to use more than one phone.  
Using the same phone number for multi-user scans can affect the scan time.  
4. (Optional) To configure the mobile application for another phone, repeat steps 1-3.  
Installing and Configuring the Fortify2FA Mobile App  
To install and configure the mobile application on the phone that will receive SMS responses:  
1. Use the mobile phone's camera or QR code scanner to scan the QR code in the Two-factor  
Authentication Mobile Application settings.  
A link appears.  
2. Click the link (or Open button) to access the site for downloading the app.  
A warning about the self-signed certificate appears.  
3. Click ADVANCED.  
Additional information is provided along with a link to proceed.  
4. Click PROCEED TO <ip_address> (UNSAFE).  
A prompt requests storage access to download files.  
5. Click CONTINUE.  
A prompt requests access to photos, media, and files on the device.  
6. Click ALLOW.  
The fortify-2fa.apk file is downloaded.  
7. Click OPEN.  
A prompt advises about installing unknown apps.  
8. Click SETTINGS.  
The Install unknown apps setting appears.  
9. Enable Allow from this source.  
A prompt asks if you want to install the application.  
10. Click INSTALL.  
A message indicates that the app is installed.  
11. Click OPEN.  
A prompt requests permission to take pictures and record video.  
12. Click ALLOW.  
A prompt requests permission to send and view SMS messages.  
13. Click ALLOW.  
The app is ready to be configured.  
14. Click READ QR CODE to scan the QR code in the Two-factor Authentication Mobile  
Application settings.  
The two-factor authentication settings are configured in the Fortify2FA mobile application.  
Chapter 21: Web Proxy  
Web Proxy is a stand-alone, self-contained proxy server that you can configure and run on your  
desktop. With it, you can monitor traffic from a scanner, a browser, or any other tool that submits  
HTTP requests and receives responses from a server. It is a tool for debugging and penetration  
assessment; you can see every request and server response while browsing a site.  
You can also create a Workflow macro or a Login macro that you can use with Fortify WebInspect.  
Tip: You can create a Workflow macro from a set of Burp proxy files or an HTTP Archive (HAR)  
file. For more information, see "Creating a Web Macro" on page 337.  
Using Web Proxy  
To use Web Proxy with a browser:  
1. Click Tools > Web Proxy.  
The Web Proxy window opens.  
2. Click Start (or select Start from the Proxy menu).  
“Listening on <server:port number>” appears in the Web Proxy status bar.  
3. Click Launch Browser.
This starts a Web browser and configures it to communicate through Web Proxy. Alternatively, if  
you prefer to use a different browser, see "Manual Configuration of Browser" on page 341 for  
configuration instructions.  
4. Manually navigate the site for which you want to capture requests/responses.
5. If Web Proxy receives a request for a certificate from a Web server, it displays a dialog box asking  
you to locate the certificate. The program then caches your selection on a "per server" basis.  
Therefore, if you subsequently want to use a different certificate for a particular server, you must  
clear the cache by stopping and then restarting Web Proxy.  
6. When you have browsed to all necessary pages, return to Web Proxy and click the Stop button on the toolbar (or select Stop from the Proxy menu).
Image of Web Proxy  
The following image shows the Web Proxy after it has been stopped.  
7. To change the format in which the message is displayed, select one of the tabs (View, Split, Info,  
or Browser).  
When using the View or Split tabs, you can enable or disable URL decoding of requests and  
responses by selecting the URL Decode button. Since most Fortify WebInspect attack traffic is  
URL encoded, this feature makes it easier to analyze HTTP messages. To illustrate, compare the  
following URL encoded and decoded versions of the same GET request:  
• GET /notes.asp?noteid=1%20union%20%20select%200%2c1%2c2%20from%20information_schema.tables%20order%20by%204%20desc%20limit%201 HTTP/1.1
• GET /notes.asp?noteid=1 union select 0,1,2 from information_schema.tables order by 4 desc limit 1 HTTP/1.1
The Chunked and Compressed buttons are enabled if a response is either chunked-encoded or  
compressed. This allows you to view the original response received by Web Proxy as well as the  
de-chunked or decompressed response.  
8. To resend a request (with or without editing), select it from the list of displayed sessions and  
click the HTTP Editor icon (or right-click the request and select HTTP Editor from the context  
menu).  
9. To clear sessions from the list, select one or more sessions and press the Delete key (or click Edit  
> Clear Selected). To clear all sessions, click Edit > Clear All.  
Note: When you clear a session from the Web Proxy list, you also remove it from the  
captured data. For example, if you have 100 sessions in the list and clear 98 of them, and  
then save the sessions to a file, only the two remaining sessions will be included. When  
clearing sessions, ignore the check boxes.  
Use the File menu to save selected requests to a traffic session file (.tsf) and later load them for  
analysis (using the File > Open command). You can also save a sequence of requests as a Web Macro  
that you can use when conducting a Fortify WebInspect scan. All File menu commands apply to  
“check-marked” requests.  
Saving Sessions  
To save one or more sessions for later analysis:  
1. Select the sessions you want to save by placing a check mark in the left column.  
2. Click the File menu and select Save or Save As.  
3. Enter a name in the File name box and click Save.  
Clearing Sessions  
When you clear a session from the Web Proxy list, you also remove it from the captured data. For  
example, if you have 100 sessions in the list and clear 98 of them, and then save the sessions to a file,  
only the two remaining sessions will be included.  
To clear one or more sessions:  
1. Select a session. For multiple sessions, use the CTRL or SHIFT keys.  
Note: When clearing sessions, ignore the check boxes.
2. Do one of the following:
• Press the Delete key.
• Click Edit > Clear Selected.
To clear all sessions, click the Clear All button on the toolbar (or click Edit > Clear All).
Searching a Message  
You can locate information in the message displayed on the View, Split, or Info tabs using the controls  
at the bottom of the Web Proxy window.  
To search a message:  
1. From the Search list, select a tab to search.  
2. In the For box, enter the text (or a regular expression representing the text) you want to locate.  
3. If you entered a regular expression in step 2, select the Regex check box.  
4. Click Find.  
Note: You can also create rules that will locate information during each session, without requiring you to manually search using the above procedure. See "Settings: Search-and-Replace" on page 332.
Searching All Messages  
You can search all sessions for specific information.  
To search all messages:  
1. Click the Toggle Search View button on the toolbar (or select Search from the View menu).
2. Use the Search Area list to specify whether you want to search the entire contents of all sessions  
or limit the search to a particular segment.  
3. In the Search For box, enter a regular expression representing the text you want to locate.  
4. Click Search.  
Note: You can also create rules that will locate information during each session, without requiring you to manually search using the above procedure. See "Settings: Search-and-Replace" on page 332.
Changing Options  
To change Web Proxy options:  
1. If Web Proxy is listening, do one of the following:
• Click the Proxy menu and select Stop.
• Click the Stop button on the toolbar.
2. Click Edit > Settings, and select the Proxy Servers tab.
See "Settings: Proxy Servers" on page 329 for more information.
Web Proxy Tabs  
Each HTTP session (a single request and the associated response) is listed in the top pane of Web  
Proxy. When you select a session, Web Proxy displays information about the session in the lower  
pane. The information displayed depends on which tab you select.  
You can search these tabs for specific content using the controls immediately above the status bar.  
View  
Use the View tab to select which HTTP messages you want to inspect. Options available from the  
drop-down list immediately below the tab are:  
• Session: view the complete session (both request and response)
• Request from browser to Web Proxy: view only the request made by the browser to Web Proxy
• Request to server from Web Proxy: view only the Web Proxy request to the server
• Response from server to Web Proxy: view only the server response to Web Proxy
• Response to browser from Web Proxy: view only the Web Proxy response to the browser
Split  
Click the Split tab to create two information areas for a single session. For example, you could show  
the HTTP request message created by the browser (in one area) and the HTTP response generated  
by the server (in the second area).  
Info  
Use the Info tab to view detailed information about the requests. Information includes the number of  
forms found, header information, and the properties of the page.  
Browser  
Click the Browser tab to view the response as formatted in a browser.  
Web Proxy Interactive Mode  
Use Interactive mode to view each browser request and each server response as the messages arrive  
at Web Proxy. The message will not continue toward its destination until you click Send. This permits  
you to modify the message before it is delivered.  
You can also prevent the message from being sent to the server by clicking Deny.  
Using the General tab in the Web Proxy Settings window, you can force Web Proxy to pause as  
follows:  
• After each request
• After each response
• After locating specific text in either the request or response (using search rules)
Image of Web Proxy Interactive Mode  
The following image shows the Web Proxy in interactive mode.  
Enabling Interactive Mode  
To enable interactive mode:  
1. Click the Proxy menu and select Stop.  
2. Do one of the following:
• Click the Proxy menu and select Interactive.
• Click the Interactive icon on the toolbar.
3. Click the Proxy menu and select Start.
Note: When Web Proxy is in Interactive mode, a check mark appears next to the Interactive command on the Proxy menu and the Interactive icon is backlit. Clicking the icon or selecting the command will toggle Interactive mode on or off.
Settings  
Use this property sheet to configure Web Proxy's interface, add proxy servers, and create regular  
expressions for locating specific information in the request or response.  
Note: You cannot change settings while Web Proxy is running. Select Stop from the Proxy menu,  
change the settings, and then restart Web Proxy.  
The Web Proxy Settings property sheet has the following tabs:
• General (see "Settings: General" below)
• Proxy Servers (see "Settings: Proxy Servers" on page 329)
• Search and Replace (see "Settings: Search-and-Replace" on page 332)
• Flag (see "Settings: Flag" on page 333)
• Evasions (see "Settings: Evasions" on page 333)
• Network Authentication (see "Settings: Network Authentication" on page 336)
Settings: General  
The General tab contains the following options.  
Proxy Listener Configuration  
Enter an IP address and port number. By default, Web Proxy uses address 127.0.0.1 and port 8080,  
but you can change this if necessary.  
Note: Both Web Proxy and your Web browser must use the same IP address and port.  
To configure Web Proxy on your host to be used by another host, you will need to change the value of  
the Local IP Address. The default address of 127.0.0.1 is not available to outside hosts. If you change  
this value to your workstation's current IP address, remote stations can use your workstation as a  
proxy.  
Do Not Record  
Use this option to create a regular expression filter that keeps files of specific types from being  
handled by Web Proxy. The most common types are already excluded as defaults, but other types  
(MPEG, PDF, etc.) can also be excluded. The purpose is to allow you to focus on HTTP  
request/response lines and headers by removing clutter from the message body.  
Interactive  
When using the interactive mode, you can force Web Proxy to pause when it:  
• Receives a request from the client
• Receives a response from the server
• Finds text that satisfies the search rules you create (using the Flag tab)
If you select any of these options, Web Proxy will continue only after you click the Allow button.  
Logging  
Select the type of items you want to record in the log file and specify the directory in which the log file  
should be maintained.  
If you elect to record requests and/or responses, you can also choose to convert and log the data using Base 64 encoding. This can be useful when responses contain binary data (such as images or Flash files) that you want to examine.
• Raw Request refers to the HTTP message sent from the client to Web Proxy.
• Modified Request refers to the HTTP message sent from Web Proxy to the server.
• Raw Response refers to the HTTP message sent from the server to Web Proxy.
• Modified Response refers to the HTTP message sent from Web Proxy to the client.
Advanced HTTP Parsing  
Most Web pages contain information that tells the browser what character set to use. This is  
accomplished by using the Content-Type response header (or a META tag with an HTTP-EQUIV  
attribute) in the HEAD section of the HTML document. For pages that do not announce their  
character set, you can specify which character set Web Proxy should use.  
Settings: Proxy Servers  
Use this area to add one or more proxy servers through which Web Proxy will route all its requests.  
Distributing the attack across multiple servers makes detection and counter-measures more difficult,  
thus mimicking how a hacker might attempt to avoid an intrusion detection system.  
If you use multiple proxy servers, Web Proxy will "round-robin" the requests (i.e., Web Proxy will  
sequence through the list of proxy servers, sending the first request to the first server, the second  
request to the second server, and so on).  
You can also specify IP addresses that should be accessed without using a proxy server.  
Adding a Proxy Server  
To add a proxy server through which Web Proxy requests will be routed:  
1. In the Proxy Address box, type the IP address of the server through which you want to route  
Web Proxy requests.  
2. Specify the port number in the Proxy Port box.  
3. Select the type of proxy (standard, SOCKS4, or SOCKS5) from the Proxy Type list.  
4. Select an authentication type: None, Auto, Kerberos, NTLM, or Basic.  
If you are unsure of which type to use, select Auto; Web Proxy will attempt both NTLM and Basic  
authentication.  
5. If this server requires authentication, type your authentication credentials in the Username and  
Password boxes.  
6. Click Add to add that server and display its IP address in the Available Proxy Servers list.  
Importing a Proxy Server  
To import a list of proxy servers:  
1. Click Import.  
2. Using the standard file-selection dialog box, select a delimited text file that contains the list of  
proxy servers.  
3. Click Open.  
The file containing proxy information must be formatted as follows:  
• Each line contains one record followed by a carriage return and line feed.
• Each field in the record is separated by a semicolon.
• The fields appear in the following order:
  address;port;proxytype;username;password;authenticationtype
• The username and the password are optional. However, if authorization is not used, you must include two semicolons as placeholders.
Examples:
128.121.4.5;8080;Standard;magician;abracadabra;NTLM
127.153.0.3;80;socks4;;None
128.121.6.9;443;socks5;myname;mypassword;None
Editing Proxy Servers  
To edit the list of proxy servers:  
1. Select a server from the Available Proxy Servers list.  
2. Change the information displayed in any of the controls: Proxy Address, Proxy Port, Proxy Type, Username, or Password.
3. Click Update.  
Removing a Proxy Server  
To remove a proxy server from the list:  
1. Select a server from the Available Proxy Servers list.  
2. Click Remove.  
3. Click Yes to confirm the deletion.  
Bypassing Proxy Servers  
If you do not need to use a proxy server to access certain URLs (such as internal testing sites), you  
can specify one or more hosts in the Bypass Proxy List area. To bypass proxy servers when  
accessing certain sites:  
1. Click Add.  
The Bypass Proxy dialog box appears.  
2. Enter the host portion of the HTTP URL that should be bypassed.  
Do not include the protocol (such as http://).  
For example, to bypass a proxy server for this URL  
enter this string  
zero.webappsecurity.com  
or this string  
zero.*  
Note: You can also enter an IP address. Note that Web Proxy will not resolve host names to  
IP addresses. That is, if you specify an IP address and the HTTP request actually contains  
that numeric IP address, then Web Proxy will bypass a proxy server for that host. However, if  
the HTTP request contains a host name that normally resolves to the IP address you specify,  
Web Proxy will still send the request to a proxy server (unless you also specify the host  
name).  
3. Click OK.  
Deleting an Address  
To delete an address from the Bypass Proxy List, select the address and click Remove.  
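The following Python is an added example, not product code: it parses the import file format described under Importing a Proxy Server, hands out proxies round-robin as Settings: Proxy Servers describes, and applies a bypass list with the literal, no-resolution host matching the note above describes. It uses the three example records from the text and accepts both the six-field layout of the specification and the five-field layout of the second example; treating "*" in a bypass entry as a glob wildcard is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import cycle
from typing import List, Optional
from urllib.parse import urlsplit

PROXY_TYPES = {"standard", "socks4", "socks5"}
AUTH_TYPES = {"none", "auto", "kerberos", "ntlm", "basic"}

# The three example records from the text, CR LF terminated as the format requires.
EXAMPLE_IMPORT = (
    "128.121.4.5;8080;Standard;magician;abracadabra;NTLM\r\n"
    "127.153.0.3;80;socks4;;None\r\n"
    "128.121.6.9;443;socks5;myname;mypassword;None\r\n"
)


@dataclass(frozen=True)
class ProxyServer:
    address: str
    port: int
    proxy_type: str
    username: Optional[str]
    password: Optional[str]
    auth_type: str


def parse_proxy_record(record: str, lineno: int = 0) -> ProxyServer:
    """Parse one address;port;proxytype;username;password;authenticationtype record."""
    fields = record.split(";")
    # The specification lists six fields; the text's second example writes the
    # unused credentials as a single ';;' placeholder, which yields five. Accept both.
    if len(fields) == 5 and fields[3] == "":
        fields.insert(4, "")
    if len(fields) != 6:
        raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
    address, port, ptype, user, pwd, auth = (f.strip() for f in fields)
    if not address:
        raise ValueError(f"line {lineno}: empty address")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"line {lineno}: bad port {port!r}")
    if ptype.lower() not in PROXY_TYPES:
        raise ValueError(f"line {lineno}: unknown proxy type {ptype!r}")
    if auth.lower() not in AUTH_TYPES:
        raise ValueError(f"line {lineno}: unknown authentication type {auth!r}")
    return ProxyServer(address, int(port), ptype.lower(), user or None, pwd or None, auth.lower())


def parse_proxy_file(text: str) -> List[ProxyServer]:
    """Parse the whole import file; splitlines() consumes the CR LF terminators."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            servers.append(parse_proxy_record(raw.strip(), lineno))
    return servers


class ProxyRouter:
    """Round-robin over the proxy list, honouring the Bypass Proxy List."""

    def __init__(self, servers: List[ProxyServer], bypass: List[str]):
        if not servers:
            raise ValueError("at least one proxy server is required")
        self._ring = cycle(servers)
        self._bypass = [entry.lower() for entry in bypass]

    def is_bypassed(self, url: str) -> bool:
        """Compare the URL's host literally against each bypass entry ('*' is
        treated as a wildcard, as in 'zero.*'). No name resolution is done, so an
        IP entry matches only a URL that itself carries that IP."""
        host = (urlsplit(url).hostname or "").lower()
        return any(fnmatchcase(host, pattern) for pattern in self._bypass)

    def route(self, url: str) -> Optional[ProxyServer]:
        """Return the next proxy for this request, or None to connect directly."""
        if self.is_bypassed(url):
            return None
        return next(self._ring)


if __name__ == "__main__":
    router = ProxyRouter(parse_proxy_file(EXAMPLE_IMPORT), ["zero.*", "10.0.0.5"])
    for url in ("http://zero.webappsecurity.com/", "http://www.example.test/a",
                "http://www.example.test/b", "http://10.0.0.5/"):
        print(url, "->", router.route(url))
```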
Settings: Search-and-Replace  
Use this tab to create rules for locating and replacing text or values in HTTP messages. This feature  
provides a highly flexible tool for automating your simulated attacks. Some suggested uses include:  
• Masking sensitive data, such as user names and passwords
• Appending a cookie to each request
• Modifying the Accept request-header field to add or delete media types that are acceptable for the response
• Replacing a variable in the Request-URI with a cross-site scripting attack
Finding and Replacing Text  
To find and replace text in requests or responses:  
1. Click Add.  
Web Proxy creates a default entry in the table.  
2. Click the Search Field column of the entry.  
3. Click the drop-down arrow and select the message area you want to search.  
4. In the Search For column, type the data (or a regular expression representing the data) you want  
to find.  
5. In the Replace With column, type the data you want to substitute for the found data.  
6. Repeat steps 1-5 to create additional search rules.  
The request/response rules are applied sequentially, in the order in which they appear. For example, if  
a rule changes HTTPS to SSL, and if a subsequent rule then changes SSL to SECURE, the result will be  
that HTTPS is changed to SECURE.  
Note: Search-and-replace rules are executed on request messages sent from Web Proxy to the  
Server and on response messages sent from Web Proxy to the Browser. You can observe the  
altered messages by choosing the Info tab, or by selecting either the View or Split tab and then  
choosing one of the following from the drop-down list immediately below the tab:  
• Request: WebProxy -> Server
• Response: Browser <- WebProxy
• Session
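The Python below is an added example, not Web Proxy code, modelling the rule table described above: active rules run in table order over a constructed request, so the HTTPS -> SSL -> SECURE chain, a masking rule, an appended cookie and a deactivated rule can all be seen on one message. The search-field names "request-line", "headers" and "body" are assumptions standing in for the Search Field choices.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One row of the rule table: message area, pattern, replacement, On box."""
    search_field: str   # "request-line", "headers" or "body" (names assumed here)
    search_for: str     # regular expression
    replace_with: str   # may use back-references such as \1
    on: bool = True     # a cleared On box deactivates the rule without deleting it


@dataclass
class HttpMessage:
    start_line: str
    headers: List[str] = field(default_factory=list)
    body: str = ""

    def render(self) -> str:
        return "\r\n".join([self.start_line, *self.headers, "", self.body])


def apply_rules(msg: HttpMessage, rules: List[Rule]) -> HttpMessage:
    """Apply the active rules in table order. Each rule works on the output of
    the previous one, which is why HTTPS -> SSL followed by SSL -> SECURE
    leaves SECURE in the message."""
    out = HttpMessage(msg.start_line, list(msg.headers), msg.body)
    for rule in rules:
        if not rule.on:
            continue
        if rule.search_field == "request-line":
            out.start_line = re.sub(rule.search_for, rule.replace_with, out.start_line)
        elif rule.search_field == "headers":
            out.headers = [re.sub(rule.search_for, rule.replace_with, h) for h in out.headers]
        elif rule.search_field == "body":
            out.body = re.sub(rule.search_for, rule.replace_with, out.body)
        else:
            raise ValueError(f"unknown search field: {rule.search_field!r}")
    return out


def demo() -> HttpMessage:
    """Constructed request plus a rule table covering the uses listed in the text."""
    request = HttpMessage(
        "POST /login.asp HTTP/1.1",
        ["Host: zero.webappsecurity.com",
         "Cookie: sessionid=abc123",
         "Content-Type: application/x-www-form-urlencoded"],
        "user=alice&password=Secret123&proto=HTTPS",
    )
    rules = [
        Rule("body", r"HTTPS", "SSL"),                       # first rule of the text's example
        Rule("body", r"SSL", "SECURE"),                      # second rule sees SSL, not HTTPS
        Rule("body", r"(password=)[^&]*", r"\1********"),    # mask a sensitive value
        Rule("headers", r"^(Cookie: .*)$", r"\1; debug=1"),  # append a cookie
        Rule("request-line", r"login\.asp", "signin.asp", on=False),  # deactivated rule
    ]
    return apply_rules(request, rules)


if __name__ == "__main__":
    print(demo().render())
```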
Deleting a Rule  
To delete a rule:  
1. Select the rule you want to delete.  
2. Click Remove.  
Editing a Rule  
To edit a rule:  
1. Click an entry in the Search Field, Search for, or Replace with column.  
2. Change the data.
Deactivating a Rule  
To deactivate a rule without deleting it:  
1. Clear the On check box.  
2. Click OK.  
Settings: Flag  
You can search areas of request and response messages to find and highlight the data you specify.  
1. Click Add.  
Web Proxy creates a default entry in the table.  
2. Click the Search Field column of the entry.  
3. Click the drop-down arrow and select the message area you want to search.  
4. In the Search column, type the data (or a regular expression representing the data) you want to  
find.  
5. Click the Flag column of the entry.  
6. Click the drop-down arrow and select a color with which to highlight the data, if found.  
7. Repeat steps 1-6 to create additional search rules.  
Settings: Evasions  
Evasions are techniques that Web Proxy uses to circumvent intrusion detection systems, monitors, sniffers, firewalls, log parsers, or any device that attempts to shield systems from attack by filtering HTTP requests. Typically, these filters examine portions of the request, searching for "signatures" that indicate malicious threats or potential breaches of system security. If they detect these signatures, they reject the request.
To evade detection, Web Proxy modifies the HTTP request to obscure the signature for which the  
filter is searching, while retaining integrity sufficient for the message to be processed by the server.  
Of course, the techniques used by Web Proxy are not always successful. As developers become aware  
of methods that compromise their product's effectiveness, they incorporate procedures to combat  
them.  
Caution! This feature is intended for use as a penetration testing tool. Do not use it or enable it  
when conducting vulnerability assessment scans with Fortify WebInspect.  
Use the following procedure to enable evasions:  
1. Select Enable Evasions.  
2. Choose one or more evasion techniques, as described in the following sections.  
Method Matching  
Web Proxy replaces the GET method with HEAD. This is an attempt to defeat a filter that  
searches for a signature that begins with GET.  
For example, the browser sends the following message to Web Proxy:  
Web Proxy sends the following message to the server:  
URL Encoding  
Web Proxy converts characters in the URL to a "%" followed by two hexadecimal digits  
corresponding to the character values in the ISO-8859-1 character set.  
For example, the browser sends the following message to Web Proxy:
GET /cgi-bin/filename.cgi HTTP/1.1
Host: zero.webappsecurity.com
Web Proxy sends the following message to the server:
GET %2f%63%67%69%2d%62%69%6e%2f%66%69%6c%65%6e%61%6d%65%2e%63%67%69 HTTP/1.1
Host: zero.webappsecurity.com
If the device is looking for "cgi-bin" as the signature, it does not match the string  
"%63%67%69%2d%62%69%6e" and so the request is not rejected.  
Double Slashes  
Web Proxy converts each forward slash (/) into a double forward slash (//).
For example, the browser sends the following message to Web Proxy:
GET /en/us/secrets.aspx HTTP/1.1
Web Proxy sends the following message to the server:
GET //en//us//secrets.aspx HTTP/1.1
If the device is looking for "/secrets.aspx" as the signature, it does not match the string  
"//secrets.aspx" and so the request is not rejected.  
Reverse Traversal  
This technique attempts to disguise a request for a certain resource by interjecting references to  
relative directories, which equates to the original request.  
For example, the browser sends the following message to Web Proxy:
GET /cgi-bin/some.cgi HTTP/1.1
Web Proxy sends the following message to the server:
GET /d/../cgi-bin/d/../some.cgi HTTP/1.1 [which equates to GET /cgi-bin/some.cgi]
Self-Reference Directories  
Web Proxy uses the notation for parent directory (../) and current directory (./) to obfuscate the  
request.  
For example, the browser sends the following message to Web Proxy:
GET /cgi-bin/phf HTTP/1.1
Web Proxy sends the following message to the server:
GET /./cgi-bin/./phf HTTP/1.1 [which equates to GET /cgi-bin/phf]
Parameter Hiding  
A request can contain parameters that are used to build dynamic page content. These  
parameters are typically used when search requests or selections are made and take  
this form:  
/anypage.php?attack=paramhiding&evasion=blackhat&success...  
This technique is effective against a device that does not examine that portion of the request  
following the question mark (?). However, the parameter indicator can be used to potentially  
mask further relevant data.  
For example, the browser sends the following message to Web Proxy:
GET /index.htm%3fparam=/../cgi-bin/test.cgi
Web Proxy sends the following message to the server:
GET /index.htm?param=/../cgi-bin/test.cgi
HTTP Misformatting  
An HTTP request has a clearly defined structure:  
Method<space>URI<space>HTTP/Version<CR><LF>  
However, some Web servers will accept a request that contains a tab character instead of a  
space, as in the following:  
Method<tab>URI<tab>HTTP/Version<CR><LF>  
Any filter that incorporates the space (between the three components) as part of the signature  
for which it searches will fail to reject the request.  
Long URLs  
This technique is directed toward devices that do not examine the entire request string, but  
concentrate only on a subset of a programmable length (such as the first 50 characters). Web Proxy inserts a large number of random characters at the beginning of the request so that the
operative portion of the request is pushed beyond the area normally examined by the filter.  
For example, the browser sends the following message to Web Proxy:  
Web Proxy sends the following message to the server:  
GET /YPVIFAHD[hundreds of characters]NIWCJBXZPXMP/../ HTTP/1.1  
Host: zero.webappsecurity.com  
DOS/Win Directory Syntax  
A Windows-based filter that attempts to detect a specific signature (such as /cgi-bin/some.cgi)  
might be fooled if a backward slash is substituted for a forward slash (such as /cgi-bin\some.cgi).  
Windows-based Web servers convert a forward slash to a backward slash when interpreting  
directory structures, so the notation is valid. However, HTTP rules require the first character of a  
URI to be a forward slash.  
NULL Method Processing  
This technique injects a URL-encoded NULL character immediately after the METHOD (such as  
GET%00). It is designed for a filter that attempts to apply string operations on the request, and  
those string libraries use the NULL character to denote the end of a string. If this ploy is  
successful, detection of the NULL character prevents the device from examining the remainder of  
the message.  
Case Sensitivity  
This technique is designed to evade a filter that searches for a case-specific string.  
For example, the browser sends the following message to Web Proxy:  
Web Proxy sends the following message to the server:  
GET /CGI-BIN/SOME.CGI HTTP/1.1  
Host: zero.webappsecurity.com  
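The evasions above only defeat a filter that matches signatures against the raw request line. The Python below is an added example (not Web Proxy code) of the defender's counterpart: it canonicalizes the method and path before matching, so every transformation described above reduces to the same signature, and it also looks inside the decoded query so that parameter hiding does not conceal a path. The request lines in EVASION_SAMPLES are constructed for this illustration, with the Long URLs filler shortened.

```python
import re
from urllib.parse import unquote

# Signature used in the examples in the text.
SIGNATURE = "/cgi-bin/some.cgi"

# Constructed request lines, one per transformation described above (built for
# this example, not captured from Web Proxy).
EVASION_SAMPLES = {
    "url_encoding":       "GET /%63%67%69%2d%62%69%6e/%73%6f%6d%65%2e%63%67%69 HTTP/1.1",
    "double_slashes":     "GET //cgi-bin//some.cgi HTTP/1.1",
    "reverse_traversal":  "GET /d/../cgi-bin/d/../some.cgi HTTP/1.1",
    "self_reference":     "GET /./cgi-bin/./some.cgi HTTP/1.1",
    "http_misformatting": "GET\t/cgi-bin/some.cgi\tHTTP/1.1",
    "long_url":           "GET /" + "X" * 200 + "/../cgi-bin/some.cgi HTTP/1.1",
    "dos_win_syntax":     "GET /cgi-bin\\some.cgi HTTP/1.1",
    "null_method":        "GET%00 /cgi-bin/some.cgi HTTP/1.1",
    "case":               "GET /CGI-BIN/SOME.CGI HTTP/1.1",
}


def split_request_line(line: str):
    """Split Method, URI and version, accepting tabs as well as spaces."""
    parts = re.split(r"[ \t]+", line.strip())
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    return parts


def canonical_method(method: str) -> str:
    # Decode, drop a NUL inserted after the method, and normalise case.
    return unquote(method).replace("\x00", "").upper()


def canonical_path(target: str) -> str:
    """Reduce the request target to the path the server would resolve.
    Lower-casing assumes a case-insensitive server (the Windows case in the
    text); drop that step when protecting a case-sensitive one."""
    path = target.partition("?")[0]
    for _ in range(3):                       # undo repeated percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")           # DOS/Win directory syntax
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                 # '//' and './' add nothing
            continue
        if seg == "..":                      # '../' removes the previous segment
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def canonical_request(line: str):
    method, target, _version = split_request_line(line)
    return canonical_method(method), canonical_path(target)


def matches_signature(line: str, signature: str = SIGNATURE) -> bool:
    """Match on the canonical path and on the decoded query, ignoring the
    method so a HEAD-for-GET swap changes nothing."""
    _method, path = canonical_request(line)
    query = unquote(split_request_line(line)[1].partition("?")[2]).lower()
    return signature in path or signature in query


if __name__ == "__main__":
    for name, line in EVASION_SAMPLES.items():
        raw_target = split_request_line(line)[1]
        print(f"{name:18} raw={raw_target[:32]!r:36} canonical={canonical_request(line)}")
```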
Settings: Network Authentication  
If your proxy server requires network authentication, you can configure it on the Network  
Authentication tab in the Web Proxy Settings.  
To configure network authentication:  
1. Select Enable Network Authentication.  
2. Choose an authentication type from the Authentication Type list. Available types are as follows:  
• ADFS CBT
• Automatic
• Basic
• Digest
• Kerberos
• Negotiate
• NT LAN Manager (NTLM)
3. Type a user ID in the Username box and the user's password in the Password box.  
Creating a Web Macro  
You can use either the Web Macro Recorder or Web Proxy to create a Workflow macro or a Login  
macro.  
A Workflow macro is used most often to focus on a particular subsection of an application. It specifies  
URLs that a Micro Focus scanner will use to navigate to the area. It may also include login information,  
but does not contain logic that will prevent the scanner from logging out of your application. You can  
use sessions captured by Web Proxy or a set of Burp proxy files or an HTTP Archive (HAR) file.  
A Login macro is used for Web form authentication, allowing the scanner to log in to an application.  
You can also incorporate logic that will prevent the scanner from inadvertently logging out of your  
application.  
Using Burp Proxy or HAR Files  
To create a Workflow macro from a set of Burp proxy files or an HTTP Archive (HAR) file:  
1. Click File > Open.  
A standard Windows Open dialog box opens.  
2. In the drop-down list, select either Burp proxy (*.*) or Har File (*.har).  
3. Navigate to and open the Burp proxy or .har files.
The sessions are populated in the Web Proxy.  
Creating a Web Macro from Selected Sessions  
To create a Web macro using sessions displayed in or captured by Web Proxy:  
1. Select the sessions you want to include in the macro by placing a check mark in the left column.  
2. Click the File menu and select Create Web Macro.  
The Create Web Macro dialog box opens.  
3. (Optional) On the Create Web Macro dialog box, select Enable Check for Logout and then enter a regular expression that identifies a unique text or phrase that occurs in the server's HTTP response when a user logs out or when a user who is not logged in requests access to a protected URL.
Example: During a normal scan, the scanner begins crawling your site at the home page. If it  
encounters a link to another resource (usually through an <A HREF> HTML tag), it will  
navigate to that URL and continue its assessment. If it follows a link to a logout page (or if  
the server automatically "logs out" a client after a certain number of minutes), the scanner  
will not be able to visit additional resources where the client is required to be logged in. When  
this inadvertent log-out occurs, the scanner must be able to log in again without user  
intervention. This process hinges on the scanner's ability to recognize when it is no longer  
logged in.  
In some applications, if the user logs out (by clicking a button or some other control), the  
server responds with a unique message, such as "Have a nice day." If you specify this phrase  
as the server's logout signature, the scanner will search every response message for this  
phrase. Whenever it detects the phrase, the scanner will attempt to log in again by sending  
an HTTP request containing the user name and password.  
The scanner can also detect that it has logged out if the server sends a specific message in  
response to the scanner's attempt to access a password-protected URL. For example, the  
server may respond with a status code of "302 Object moved." If the scanner knows  
specifically what to look for in this response, the program will recognize that it has been  
logged out and can re-establish a logged-in state.  
Using the example above, if your server returns a message such as "Have a nice day" when a user  
logs out of your application, then enter "Have\sa\snice\sday" as the regular expression ("\s" is  
used in regular expressions to designate a space). A more likely example is where the server  
returns a 302 status code and references a new URL. In this case, "[STATUSCODE]302 AND  
4. Enter a path and file name in the Save Macro As box, or click Browse to open a standard file-  
selection dialog box and name the file.  
5. Click OK.  
Client Certificates  
If Web Proxy receives a request for a certificate from a Web Server, it displays a dialog box asking you  
to locate the certificate. The program then caches your selection on a "per server" basis. Therefore, if  
you subsequently want to use a different certificate for a particular server, you must clear the cache  
by stopping and then restarting Web Proxy.  
Regular Expressions  
Special characters and sequences are used in writing patterns for regular expressions. The following  
table describes some of these characters and includes short examples showing how the characters are  
used. Another recommended resource is the Regular Expression Library.  
Micro Focus Fortify WebInspect (22.2.0)  
Page 338 of 364  
 
 
Tools Guide  
Chapter 21: Web Proxy  
Also see "Regular Expression Extensions" on the next page for information about special tags and  
Character   Description
\           Marks the next character as special. /n/ matches the character "n". The sequence /\n/ matches a linefeed or newline character.
^           Matches the beginning of input or line. Also used with character classes as a negation character. For example, to exclude everything in the content directory except /content/en and /content/ca, use: /content/[^(en|ca)].*/.* . Also see \S \D \W.
$           Matches the end of input or line.
*           Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo".
+           Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z".
?           Matches the preceding character zero or one time. /a?ve?/ matches the "ve" in "never".
.           Matches any single character except a newline character.
[xyz]       A character set. Matches any one of the enclosed characters. /[abc]/ matches the "a" in "plain".
\b          Matches a word boundary, such as a space. /ea*r\b/ matches the "er" in "never early".
\B          Matches a nonword boundary. /ea*r\B/ matches the "ear" in "never early".
\d          Matches a digit character. Equivalent to [0-9].
\D          Matches a nondigit character. Equivalent to [^0-9].
\f          Matches a form-feed character.
\n          Matches a linefeed character.
\r          Matches a carriage return character.
\s          Matches any white space including space, tab, form-feed, and so on. Equivalent to [ \f\n\r\t\v].
\S          Matches any nonwhite space character. Equivalent to [^ \f\n\r\t\v].
\w          Matches any word character including underscore. Equivalent to [A-Za-z0-9_].
\W          Matches any nonword character. Equivalent to [^A-Za-z0-9_].
Regular Expression Extensions  
Micro Focus engineers have developed and implemented extensions to the normal regular expression  
syntax. When building a regular expression, you can use the following tags and operators.  
Regular Expression Tags  
• [HEADERS]
• [COOKIES]
• [STATUSLINE]
• [STATUSCODE]
• [STATUSDESCRIPTION]
• [ALL]
• [BODY]
• [SETCOOKIES]
• [METHOD]
• [REQUESTLINE]
• [VERSION]
• [POSTDATA]
• [URI]
Regular Expression Operators  
• AND
• OR
• NOT
• [ ]
• ( )
Examples  
• To detect a response in which (a) the status line contains a status code of "200" and (b) the phrase "logged out" appears anywhere in the message body, use the following regular expression:
  [STATUSCODE]200 AND [BODY]logged\sout
• To detect a response indicating that the requested resource resides temporarily under a different URI (redirection) and having a reference to the path "/Login.asp" anywhere in the response, use the following:
  [STATUSCODE]302 AND [ALL]Login.asp
• To detect a response containing either (a) a status code of "200" and the phrase "logged out" or "session expired" anywhere in the body, or (b) a status code of "302" and a reference to the path "/Login.asp" anywhere in the response, use the following regular expression:
  ( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired ) OR ( [STATUSCODE]302 AND [ALL]Login.asp )
  Note that you must include a space (ASCII 32) before and after an "open" or "close" parenthesis; otherwise, the parenthesis will be erroneously considered as part of the regular expression.
• To detect a redirection response where "login.aspx" appears anywhere in the redirection Location header, use the following regular expression:
  [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx
• To detect a response containing a specific string (such as "Please Authenticate") in the Reason-Phrase portion of the status line, use the following regular expression:
  [STATUSDESCRIPTION]Please\sAuthenticate
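As an added example (not code from WebInspect), the following Python evaluator models the tag and operator syntax above and runs the page's logout signatures over constructed HTTP responses. The operator precedence (NOT, then AND, then OR), the treatment of a term without a tag as [ALL], and case-sensitive matching are assumptions, and the request-side tags ([METHOD], [REQUESTLINE], [URI], [POSTDATA]) are not modelled.

```python
import re


class HttpResponse:
    """Minimal parsed HTTP response built from raw text (the samples below are constructed)."""

    def __init__(self, raw: str):
        head, _, self.body = raw.partition("\r\n\r\n")
        self.status_line, *header_lines = head.split("\r\n")
        self.headers = [tuple(p.strip() for p in line.partition(":")[::2]) for line in header_lines]

    def section(self, tag: str) -> str:
        """Return the part of the response that a [TAG] selects."""
        parts = self.status_line.split(" ", 2) + ["", ""]
        header_text = "\r\n".join(f"{n}: {v}" for n, v in self.headers)
        sections = {
            "STATUSLINE": self.status_line,
            "STATUSCODE": parts[1],
            "STATUSDESCRIPTION": parts[2],
            "HEADERS": header_text,
            "SETCOOKIES": "\r\n".join(v for n, v in self.headers if n.lower() == "set-cookie"),
            "BODY": self.body,
            "ALL": f"{self.status_line}\r\n{header_text}\r\n\r\n{self.body}",
        }
        if tag not in sections:  # [METHOD], [REQUESTLINE], [URI], [POSTDATA] need the request
            raise ValueError(f"unsupported tag [{tag}]")
        return sections[tag]


_TERM = re.compile(r"^(?:\[([A-Z]+)\])?(.+)$")


class SignatureMatcher:
    """Evaluates [TAG]pattern terms joined by NOT, AND, OR; precedence NOT > AND > OR is assumed."""

    def __init__(self, expression: str):
        # Whitespace splits tokens: a parenthesis therefore needs a space on each side,
        # and a space inside a pattern is written \s.
        self.tokens = expression.split()
        self.pos = 0

    def matches(self, resp: HttpResponse) -> bool:
        self.pos = 0
        result = self._or(resp)
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or(self, resp):
        value = self._and(resp)
        while self._peek() == "OR":
            self.pos += 1
            rhs = self._and(resp)  # evaluated unconditionally so its tokens are consumed
            value = value or rhs
        return value

    def _and(self, resp):
        value = self._atom(resp)
        while self._peek() == "AND":
            self.pos += 1
            rhs = self._atom(resp)
            value = value and rhs
        return value

    def _atom(self, resp):
        tok = self._peek()
        if tok is None:
            raise ValueError("expression ended unexpectedly")
        self.pos += 1
        if tok == "NOT":
            return not self._atom(resp)
        if tok == "(":
            value = self._or(resp)
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return value
        tag, pattern = _TERM.match(tok).groups()
        try:  # a "(" glued to a pattern lands here and becomes part of the regex
            return re.search(pattern, resp.section(tag or "ALL")) is not None
        except re.error as exc:
            raise ValueError(f"bad pattern {pattern!r}: {exc}") from None


# Constructed sample responses (not captured from any real site) and the page's combined signature.
REDIRECT_TO_LOGIN = HttpResponse("HTTP/1.1 302 Object moved\r\nLocation: /Login.asp?ReturnUrl=%2Faccount\r\n"
                                 "Set-Cookie: ASPSESSIONID=; expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n"
                                 '<html><body>Object moved to <a href="/Login.asp">here</a>.</body></html>')
LOGGED_IN_PAGE = HttpResponse("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome back.</body></html>")
SESSION_EXPIRED_PAGE = HttpResponse("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                                    "<html><body>Your session expired. Please log in again.</body></html>")
LOGOUT_SIGNATURE = (r"( [STATUSCODE]200 AND [BODY]logged\sout OR [BODY]session\sexpired )"
                    r" OR ( [STATUSCODE]302 AND [ALL]Login.asp )")


def logged_out(resp: HttpResponse, signature: str = LOGOUT_SIGNATURE) -> bool:
    """True when the response matches the logout signature, i.e. the scanner must log in again."""
    return SignatureMatcher(signature).matches(resp)
```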
Manual Configuration of Browser  
If you do not start a Web browser by clicking Launch Browser on the Web Proxy toolbar, you can launch a browser outside the Web Proxy user interface. However, you must configure your browser's proxy settings. See your browser documentation for specific instructions.
Chapter 22: Web Service Test Designer  
Web services are programs that communicate with other applications (rather than with users) and  
answer requests for information. Most Web services use Simple Object Access Protocol (SOAP) to  
send XML data between the Web service and the client Web application that initiated the information  
request. Unlike HTML, which only describes how Web pages are displayed, XML provides a framework  
to describe and contain structured data. The client Web application can readily understand the  
returned data and display that information to the end user.  
A client Web application that accesses a Web service receives a Web Services Definition Language  
(WSDL) document so that it can understand how to communicate with the service. The WSDL  
document describes the programmed procedures included in the Web service, the parameters those  
procedures expect, and the type of return information the client Web application will receive.  
Use the Web Service Test Designer to create a Web Service Test Design file (filename.wsd) containing  
the values that should be submitted when conducting a Web service scan.  
Although the following procedure invokes the Web Service Test Designer from the Fortify WebInspect  
Tools menu, you can also open the designer through the Fortify WebInspect Scan Wizard by selecting  
Start a Web Service Scan from the Fortify WebInspect Start page and, when prompted, electing to  
launch the designer.  
Note: When the Web Service Test Designer is launched from the Fortify WebInspect Scan Wizard,  
if the WSDL has not yet been configured, the designer will automatically import the WSDL, assign  
"auto values" to each parameter, and invoke all operations. This does not occur when you launch  
the tool from the Fortify WebInspect Tools menu or from the Security Toolkit.  
1. Select Tools > Web Service Test Designer.  
2. On the startup dialog box, select one of the following:  
• New Web Service Test - Design a new Web Service test.
• Open Web Service Test - Edit a design that you previously created.
The following procedure assumes that you are creating a design.  
3. Do one of the following:  
• In the Import WSDL box, type or select the URL of the WSDL site (for example, ...).
• Click Browse for WSDL and select a WSDL file that you previously saved locally.
Note: If authentication is required, or if SOAP requests need to be made through a proxy  
server, see "Settings" on page 353 for more information.  
Also note that "Other Services" appears by default. This feature is used to add services manually  
when a service is not associated with a WSDL. See "Manually Adding Services" on page 348 for  
more information. Remove the check mark next to this item.  
Image of Imported WSDL  
The following image shows an imported WSDL in the Web Service Test Designer.  
4. Select a service transport in the left pane to display the port information in the right pane. A port  
defines an individual endpoint by specifying an address for a binding. Note that if the description  
of the WSDL includes both SOAP version 1.1 and version 1.2, and if the operations in both  
descriptions are the same, the versions are assumed to be identical and the services in version  
1.1 only are configured. If you wish to attack both versions, then you must select the check box  
for each version 1.2 operation.  
Note: The Port Overview panel for SOAP version 1.2 contains an additional option to include  
SOAP action in the HTTP header.  
Even though the SOAP specification states that the SOAP Action is optional for SOAP version  
1.2, some architectures require it and some cannot accept it. You can choose to include or  
exclude the SOAP action for a SOAP 1.2 binding, depending on your specific environment. The  
check box appears for SOAP 1.2 ports only and defaults to true.  
Caution! RPC-encoded services require manual configuration. The Schema Fields tab is  
populated using a default SOAP schema. You can obtain the desired SOAP message from a  
developer or a proxy capture, and then paste the message into the XML tab (or import the  
saved message from a file). You can then click Send to test the operation.  
Image of Service Transport/Port Information  
The following image shows the port information for the selected transport.  
5. If security is required:  
a. Select WS Security.  
b. Select an option from the Service Details list.  
c. Provide the required information. For help with security settings, see "WS Security" on  
6. Click an operation to display schema for the request (in the top half of the right pane) and the  
response (in the lower half).  
Image of Request/Response Schema  
The following image shows the schema for the selected request.  
7. Enter a value for the operation. In this example, the user entered MFGP (the NYSE symbol for  
Micro Focus).  
Note: If you click Auto Value, the designer assigns a value to the operation. This value is  
either:  
• Obtained from the GlobalValuesDefault.xpr file, if the file contains an entry that matches the name of the parameter; see "Global Values Editor" on page 349 for more information.
• Created by the designer, based on the data type. In this example, the designer would populate the parameter "symbol" with the value "symbol1."
See "Using Autovalues" on page 349 for more information.  
8. Click Send.
Results appear in the lower response pane. You can alternate between the Schema and XML  
views by clicking the appropriate tabs.  
Image of Sending a Request  
The following image shows the test results of a request that was sent.  
9. When you have assigned and tested values for each operation (although only one operation is  
depicted in this example):  
a. Click File > Save.  
b. Using the standard file-selection dialog box, select a name and location for the Web Service  
Design file (.wsd).  
Note: If the WSDL contains multiple operations, data is saved for each operation regardless of  
whether or not the operation is checked. A check mark simply indicates that the operation will be  
used for auditing.  
Manually Adding Services  
You may encounter a Web service that does not have a WSDL associated with it.  
For example, the Fortify WebInspect Recommendations module monitors scans to detect omissions,  
abnormalities, or anomalies that interfere with or diminish the thoroughness of a scan. If it detects  
SOAP requests during a Web Site scan, it suggests that you conduct a Web Service scan of that site  
and creates a Web Service Test Design file (filename.wsd) for that purpose. A WSDL file may or may  
not be available.  
You may create a service manually, as shown in the following example.  
1. Right-click the default "Other Services" service and select Add Service.  
New Service 1 appears in the Web Services tree in the left pane.  
2. If authentication is required, select WS Security and provide the required credentials.  
3. Right-click New Service 1, select Add Port, and then choose either SOAP 1.1 or SOAP 1.2.
New Port 1 appears in the Web Services tree.  
4. In the Port URL box, enter the correct URL to the service.  
5. Right-click New Port 1 and select Add Operation.  
Note: To change service, port, or operation names, double-click the name.  
6. You can import a file containing a SOAP envelope (possibly obtained using the Web Proxy tool)  
or you can copy and paste a SOAP envelope that you obtained from a developer onto the XML  
tab.  
If importing from a proxy capture, the SOAP action will be in the HTTP header  
(Soapaction=<action_name>).  
7. If necessary, modify the values using either the Schema Fields tab or the XML tab.  
8. To test the service, click either Send or Run All.  
Global Values Editor  
You can create a library of name/value parameters for operations that you frequently encounter.  
After importing a WSDL file, if you click Set Auto Values , the Web Service Test Designer searches  
the Global Values file for the names of parameters contained in the WSDL operations. If it finds a  
matching name, it inserts the associated value from the file into the parameter value field.  
To add a global value:  
1. Click Edit > Global Values Editor.  
The Global Values Editor opens and displays the contents of the default xml parameter registry  
(xpr) file named GlobalValuesDefault.xpr.  
2. Click Add.  
This creates an entry with the default name of [Name] and a default value of [Value].  
3. Click anywhere on the entry and substitute an actual name and value for the default.  
4. Repeat steps 2-3 to create additional entries.  
5. Do one of the following:  
• Click OK to save and close the file.
• Click Save As to create and close the file using a different file name and/or location.
Using Autovalues  
Use the Autovalues feature as an alternative to manually entering specific values for each parameter.  
The Web Service Test Designer analyzes each parameter and inserts a value that is likely to fulfill the  
service requirement. This can save considerable time when dealing with large web services.  
After selecting a WSDL file:  
1. Place a check mark next to each operation you want to autofill.  
2. Click Set Auto Values.
The following message appears: "Would you like the default values to be replaced with the  
defined global values?"  
If you click Yes, any values you may have entered manually will be erased. Also, if any parameter  
name in any operation matches a parameter name in the Global Values file, the associated value  
in the file will be substituted for the value that would normally be generated for the operation.  
If you click No, the function terminates.  
3. Click Yes.  
4. Click Run All Tests.
The Web Service Test Designer submits the service request, with values inserted for each  
operation.  
5. Click the Test Results tab (at the bottom of the window).  
6. If an operation returned an error, double-click the operation to open it in the Request pane and  
manually provide a value.  
Importing and Exporting Operations  
You can build a library of operations and their assigned values, allowing you to quickly modify other  
Web service designs or exchange these components with other developers/testers. Each module is  
saved as an XML file, such as the following request used in the preceding example:  
<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
  <Header />
  <Body>
    <GetQuote xmlns="http://www.webserviceX.NET/">
      <symbol>MFGP</symbol>
    </GetQuote>
  </Body>
</Envelope>
To save or import an operation:  
1. Select an operation in the left pane.  
2. Click Import Request to load the operation.
3. Click Export Request to save the operation.  
Testing Your Design  
You can, at any time, test the configuration of any or all operations.  
After importing the WSDL, click Run All Tests.  
The designer attempts to submit all selected operations and displays the results.  
To open the special Test Results pane, click Test Results on the Status bar.  
Image of Test Results  
The following image shows test results in the Web Service Test Designer.  
The Test Results pane displays the following information:  
• Result – The test outcome. Possible values are:
  ◦ Valid: The operation succeeded without a server error or SOAP fault.
  ◦ Not Run: The operation was not submitted because it was not selected (no check mark) or the Stop button was pressed before the operation was submitted.
  ◦ Pending: The Run button has been pressed but the operation has not yet been submitted.
  ◦ Failed: The request was unsuccessful, the server returned an error message, or a SOAP fault was received.
• Web Service Port URL – The URL associated with the item
• Service – The service associated with the item
• Port – The port associated with the item
• Operation – The operation the item represents
• Error Message – Explanation for failure
The Test Results toolbar contains the following buttons:
• Run All – The designer submits the service request for each checked operation.
• Run Selected – The designer submits the service request for operations selected in the Test Results pane.
• Stop – Cancels the sending of the service request.
• Clear – Removes all items from the Test Results pane.
If you double-click an item in the Test Results pane, the designer highlights the related operation in  
the Schema Fields pane, where you can enter values for each parameter.  
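As an added example that is not part of the designer, the Python below builds the SOAP 1.2 GetQuote request shown under "Importing and Exporting Operations", fills parameter values the way Auto Values are described (a Global Values entry first, otherwise a generated value), and classifies a response as Valid or Failed the way the Test Results pane does. The auto-value rules for non-string types, the sample responses and the error-message wording are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"


def auto_value(name: str, xsd_type: str, global_values: dict) -> str:
    """Value for one parameter: a Global Values entry wins, otherwise one is generated from
    the type. "symbol" -> "symbol1" is the page's own example; the other rules are assumed."""
    if name in global_values:
        return global_values[name]
    if xsd_type in ("int", "integer", "long", "short", "byte", "decimal", "double", "float"):
        return "1"
    if xsd_type == "boolean":
        return "true"
    return f"{name}1"


def build_request(operation: str, namespace: str, params: list, global_values: dict) -> str:
    """Serialise a SOAP 1.2 envelope like the GetQuote request above; params is a list of
    (name, xsd_type) pairs in schema order."""
    ET.register_namespace("soap", SOAP12)
    env = ET.Element(f"{{{SOAP12}}}Envelope")
    ET.SubElement(env, f"{{{SOAP12}}}Header")
    body = ET.SubElement(env, f"{{{SOAP12}}}Body")
    op = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, xsd_type in params:
        ET.SubElement(op, f"{{{namespace}}}{name}").text = auto_value(name, xsd_type, global_values)
    return ET.tostring(env, encoding="unicode")


def request_values(xml: str, namespace: str, operation: str) -> dict:
    """Parse a request envelope back into {parameter: value} (round-trip check for build_request)."""
    root = ET.fromstring(xml)
    op = root.find(f"{{{SOAP12}}}Body/{{{namespace}}}{operation}")
    return {child.tag.split("}")[1]: child.text for child in op}


def find_fault(root: ET.Element):
    """Return the fault reason if the document carries a SOAP 1.1 or 1.2 Fault, else None."""
    for el in root.iter():
        if el.tag == f"{{{SOAP12}}}Fault":
            text = el.find(f"{{{SOAP12}}}Reason/{{{SOAP12}}}Text")
            return text.text if text is not None else "SOAP 1.2 fault"
        if el.tag == f"{{{SOAP11}}}Fault":
            text = el.find("faultstring")  # unqualified child in SOAP 1.1
            return text.text if text is not None else "SOAP 1.1 fault"
    return None


def classify(status_code: int, body: str) -> tuple:
    """Mirror the Test Results pane: ("Valid", "") when there is no server error or SOAP
    fault, otherwise ("Failed", <error message>). A SOAP fault is reported in preference to
    the HTTP status because SOAP 1.2 faults normally arrive with HTTP 500."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None
    reason = find_fault(root) if root is not None else None
    if reason is not None:
        return "Failed", reason
    if status_code >= 400:
        return "Failed", f"HTTP {status_code}"
    if root is None:
        return "Failed", "response body is not well-formed XML"
    return "Valid", ""


# Constructed sample responses, not captured from any real service.
OK_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body>'
    '<GetQuoteResponse xmlns="http://www.webserviceX.NET/"><GetQuoteResult>&lt;StockQuotes/&gt;'
    "</GetQuoteResult></GetQuoteResponse></soap:Body></soap:Envelope>"
)
FAULT12_RESPONSE = (
    '<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body><env:Fault>'
    "<env:Code><env:Value>env:Sender</env:Value></env:Code>"
    '<env:Reason><env:Text xml:lang="en">Unknown symbol</env:Text></env:Reason>'
    "</env:Fault></env:Body></env:Envelope>"
)
FAULT11_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault>'
    "<faultcode>soap:Server</faultcode><faultstring>Server was unable to process request.</faultstring>"
    "</soap:Fault></soap:Body></soap:Envelope>"
)
```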
Image of Selected Error with Operation Highlighted  
The following image shows a selected error and its operation displayed in the Schema Fields pane.  
Settings  
The Web Services Designer has two categories of settings:
• Network Proxy
• Network Authentication
Network Proxy  
To configure a network proxy:  
1. Select a profile from the Proxy Profile list:  
• Direct: Do not use a proxy server.
• Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.
• Use System Proxy: Import your proxy server information from the local machine.
• Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. Then specify the file location in the URL box.
• Use Explicit Proxy Settings: Access the Internet through a proxy server using information you provide in the Explicitly Configure Proxy section.
• Use Mozilla Firefox: Import proxy server information from Firefox.
Note: Electing to use browser proxy settings does not guarantee that you will access the  
Internet through a proxy server. If the Firefox browser connection settings are configured  
for "No proxy," then a proxy will not be used.  
2. If you selected Use PAC File, enter the location of the PAC file in the URL box.  
3. If you selected Use Explicit Proxy Settings, provide the following information:  
a. In the Server box, type the URL or IP address of your proxy server, followed (in the Port box)  
by the port number (for example, 8080).  
b. From the Type list, select a protocol for handling TCP traffic through a proxy server:  
SOCKS4, SOCKS5, or standard.  
c. If authentication is required, select a type from the Authentication list:  
  ◦ Automatic
    Note: Automatic detection slows the scanning process. If you know and specify one of the other authentication methods, scanning performance is noticeably improved.
  ◦ Basic
  ◦ Digest
  ◦ Kerberos
  ◦ Negotiate
  ◦ NTLM (NT LAN Manager)
4. If your proxy server requires authentication, enter the qualifying user name and password.  
5. If you do not need to use a proxy server to access certain IP addresses (such as internal testing  
sites), enter the addresses or URLs in the Bypass Proxy For box. Use commas to separate  
entries.  
6. Click Save.  
Network Authentication  
If server authentication is not required, select None from the Method list.  
Otherwise, select an authentication method and enter your network credentials. The authentication  
methods are:  
• ADFS CBT
• Automatic
• Basic
• Digest
• Kerberos
• Negotiate
• NTLM (NT LAN Manager)
Using a Client Certificate  
Client certificate authentication allows users to present client certificates rather than entering a user  
name and password. You can select a certificate from the local machine or a certificate assigned to a  
current user. You can also select a certificate from a mobile device, such as a common access card  
(CAC) reader that is connected to your computer. To use client certificates:  
1. Select the Enable client certificate on proxy check box.  
2. Click Client Certificate.  
The Soap Client Certificate window opens.  
3. Do one of the following:  
• To use a certificate that is local to the computer and is global to all users on the computer, select Local Machine.
• To use a certificate that is local to a user account on the computer, select Current User.
  Note: Certificates used by a common access card (CAC) reader are user certificates and are stored under Current User.
4. Do one of the following:  
• To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.
• To select a trusted root certificate, select Root from the drop-down list.
5. Does the website use a CAC reader?  
• If yes, do the following:
  i. Select a certificate that is prefixed with "(SmartCard)" from the Certificate list.
     Information about the selected certificate and a PIN field appear in the Certificate Information area.
  ii. If a PIN is required, type the PIN for the CAC in the PIN field.
     Note: If a PIN is required and you do not enter the PIN at this point, you must enter the PIN in the Windows Security window each time it prompts you for it during the scan.
  iii. Click Test.
     If you entered the correct PIN, a Success message appears.
• If no, select a certificate from the Certificate list.
  Information about the selected certificate appears in the Certificate Information area.
Information about the selected certificate appears in the Certificate Information area.  
6. Click OK.  
WS Security  
You can configure security settings for all operations in a Web service port, using a variety of services:  
• Web Service (see "Web Service Settings" below)
• Windows Communication Foundation (WCF) Service (see "WCF Service (CustomBinding) Settings"
• WCF Service (Federation) (see "WCF Service (Federation) Settings" on page 359)
• WCF Service (WSHttpBinding) (see "WCF Service (WSHttpBinding) Settings" on page 360)
Select an appropriate service from the Service Details list and then provide the requested  
information.  
Web Service Settings  
When Security credentials, known as tokens, are placed in the SOAP request, the Web server can  
verify that the credentials are authentic before allowing the Web Service to execute the application.  
To further secure Web Services, it is common to use digital signatures or encryption for the SOAP  
messages. Digitally signing a SOAP message verifies that the message has not been altered during  
transmission. Encrypting a SOAP message helps secure a Web Service by making it difficult for  
anyone other than the intended recipient to read the contents of the message.  
WS-Security Tab  
1. To add a security token, click the corresponding toolbar button, select a token type, and provide the requested information.
• UserName. This token specifies a user name and password. You can elect to include a nonce, specify how to send the password to the server for authentication (Text, None, or Hash) and indicate whether to include a timestamp.
• X509 Certificate. This token is based on an X.509 certificate. You can purchase a certificate from a certificate authority, such as VeriSign, Inc., or set up your own certificate service to issue a certificate. Most Windows servers support the public key infrastructure (PKI), which enables you to create certificates. You can then have it signed by a certificate authority or use an unsigned certificate. Select a certificate and specify the reference type (BinaryCertificateToken or Reference).
• Kerberos / Kerberos2. (For Windows 2003 or XP SP1 and later). The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. Using shared secret keys, it encrypts and signs user credentials. A third party, known as a Kerberos Key Distribution Center (KDC), authenticates the credentials. After authentication, the user may request a service ticket to access one or more services on the network. The ticket includes the encrypted, authenticated identity of the user. The tickets are obtained using the current user's credentials. The primary difference between the Kerberos and Kerberos2 tokens is that Kerberos2 uses the Security Support Provider Interface (SSPI), so it does not require elevated privileges to impersonate the client's identity. In addition, the Kerberos2 security token can be used to secure SOAP messages sent to a Web Service running in a Web farm. Specify the host and domain.
• SAML Token. Security Assertion Markup Language (SAML) is an XML standard for exchanging security-related information, called assertions, between business partners over the Internet. The assertions can include attribute statements, authentication, decision statements, and authorization decision statements. Click Load from file to browse to a SAML certificate. Click Certificate to import a certificate. Finally, select a certificate reference type: X509 Data or RSA.
2. To add a message signature, click the corresponding toolbar button and provide the requested information.
• Signing token. The token to use for signing, usually an X.509 type. Select from the list of all added tokens.
• Canonicalization algorithm. A URL for the algorithm to use for canonicalization. A drop-down list provides common algorithms. If you are unsure which value to use, keep the default.
• Transform algorithm. A URL for the Transform algorithm to apply to the message signature. A drop-down list provides common algorithms. If you are unsure which value to use, keep the default.
• Inclusive namespaces list. A list of comma-separated prefixes to be treated as inclusive (optional).
• What to sign. The SOAP elements to sign: SOAP Body, Timestamp, and WS-Addressing.
• XPath (optional). An XPath that specifies which parts in the message to sign. If left blank, the elements selected in the Signature options field are signed. For example, //*[local-name(.)='Body'].
• Token (optional). The target token you want to sign. Select from the drop-down list of all added tokens. With most services, this field should be left empty.
3. To add message encryption, click the corresponding toolbar button and provide the requested information.
• Encrypting token. The token to use for encryption (usually an X.509 type). You can select from a list of all previously created tokens.
• Encrypting type. Indicates whether to encrypt the whole destination Element or only its Content.
• Key algorithm. The algorithm to use for the encryption of the session key: RSA15 or RSAOAEP.
• Session algorithm. The algorithm to use for the encryption of the SOAP message. You can select from a list of common values.
• XPath (optional). An XPath that indicates the parts of the message to encrypt. If left blank, only the SOAP body is encrypted.
• Token (optional). The name of the encrypted token. A drop-down box provides a list of all added tokens. With most services, this field should be left empty.
4. Use the Up and Down arrows to position the security elements in order of their priority.
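The UserName token described above, as an added example rather than product code: a Python builder for a WS-Security UsernameToken with the Text, None and Hash password options, the nonce and the timestamp, plus the recipient-side check that recomputes the PasswordDigest. It follows the OASIS UsernameToken Profile (PasswordDigest = Base64(SHA-1(nonce + created + password))); the element ordering, the wsu:Id value and the sample credentials are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
NONCE_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def username_token(username: str, password: str, password_type: str = "Hash",
                   include_nonce: bool = True, include_timestamp: bool = True,
                   nonce: bytes = None, created: str = None) -> ET.Element:
    """Build a wsse:UsernameToken; password_type is "Text", "None" or "Hash" as on the page."""
    if password_type not in ("Text", "None", "Hash"):
        raise ValueError(f"unknown password type {password_type!r}")
    nonce = nonce if nonce is not None else os.urandom(16)  # fixed only for tests
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    token = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    if password_type == "Text":
        ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT).text = password
    elif password_type == "Hash":
        # The digest covers only the parts actually sent; without a nonce and Created
        # the recipient has nothing to detect a replayed token with.
        digest = password_digest(nonce if include_nonce else b"",
                                 created if include_timestamp else "", password)
        ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST).text = digest
    if include_nonce:
        nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=NONCE_ENCODING)
        nonce_el.text = base64.b64encode(nonce).decode("ascii")
    if include_timestamp:
        ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return token


def verify_hash_token(token: ET.Element, expected_password: str) -> bool:
    """Recipient-side check of a Hash token: recompute the digest from the transmitted Nonce and Created."""
    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST or not pw.text:
        return False
    nonce_el = token.find(f"{{{WSSE}}}Nonce")
    created_el = token.find(f"{{{WSU}}}Created")
    nonce = base64.b64decode(nonce_el.text) if nonce_el is not None else b""
    created = created_el.text if created_el is not None else ""
    return hmac.compare_digest(pw.text, password_digest(nonce, created, expected_password))


def security_header(*tokens: ET.Element) -> str:
    """Wrap the tokens in the wsse:Security element that goes into the SOAP Header."""
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    sec = ET.Element(f"{{{WSSE}}}Security")
    sec.extend(tokens)
    return ET.tostring(sec, encoding="unicode")
```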
WS Addressing  
Use the WS-Addressing tab to indicate whether WS-Addressing is used by the service, and if so, its  
version number.  
WCF Service (CustomBinding) Settings  
WCF Service (CustomBinding) enables the highest degree of customization. Since it is based on WCF  
customBinding standard, it allows you to test most WCF services, along with services on other  
platforms such as Java-based services that use the WS-<spec_name> specifications.
Transport. Select HTTP, HTTPS, or AutoSecuredHTTP. Named Pipes and TCP transport are not  
supported.  
Encoding. Select Text, MTOM, or WCF Binary.  
Security. Select an authentication mode and bootstrap policy from the appropriate list.  
Net Security. The type of stream security: None, Windows stream security, or SSL stream security.  
Reliable Messaging. Select Enabled to use reliable messaging and then select a format: either  
Ordered or Not Ordered.  
Identities. Provide identity information for the bindings and certificate:  
• Username and Password
• Server Certificate/Client certificate. A certificate that provides identity information for the server or client. Use the Browse button to open the Select Certificate dialog box.
• Expected DNS, SPN, and UPN. The expected identity of the server in terms of its DNS, SPN, or UPN. This can be localhost, an IP address, or a server name.
Client Windows Identity. Provide identity information for the client windows:
• Current User. The identity of the user logged onto the machine.
• Custom User. Specify the Username, Password, and Domain.
Click Advanced to open the Advanced Settings dialog box. See "Advanced Security Settings" on  
page 361 for additional information.  
WCF Service (Federation) Settings  
When using WCF Service (Federation), the client authenticates against the Security Token Service  
(STS) to obtain a token. The client uses the token to authenticate against the application server.  
Server  
• Transport. The transport type: HTTP or HTTPS.
• Encoding. The server's encoding policy: Text or MTOM.
Security
• Authentication mode. A drop-down list of possible modes of authentication, such as AnonymousForCertificate, MutualCertificate, and so forth.
• Bootstrap Policy. A drop-down list of possible bootstrap policies for Secure Conversation authentication, such as SspiNegotiated, UserNameOverTransport, and so forth.
Identities
The identity information for the bindings and certificate:
• Server certificate. A certificate that provides identity information for the server. Use the Browse button to open the Select Certificate dialog box.
• Expected DNS. The expected identity of the server in terms of its DNS. This can be localhost, an IP address, or a server name.
STS (Security Token Service) Details
• Endpoint address. The endpoint address of the STS. This can be localhost, an IP address, or a server name.
• Binding. The scenario which references the binding that contacts the STS.
Micro Focus Fortify WebInspect (22.2.0)  
Page 359 of 364  
Click Advanced to open the Advanced Settings dialog box. See "Advanced Security Settings" on the  
next page for additional information.  
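The token flow described above (client to STS, then token to the application), as an added example that is not WebInspect's code and is not part of this guide. It builds the two client messages with Python's standard library and parses a constructed STS response; the STS and application URLs, the SAML 2.0 token type, the WS-Trust 1.3 namespace (ws-trust/200512) and the assertion contents are assumptions made for the example. The audience check before the token is reused is the step worth noticing: a token the STS issued for a different AppliesTo must not be replayed to this service.

```python
"""Added example, not WebInspect code: the WS-Trust exchange behind the
WCF Service (Federation) setting. URLs, token type and the STS reply below
are assumptions constructed for the example."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
STS_URL = "https://sts.example.test/trust"          # assumed STS endpoint address
APP_URL = "https://app.example.test/orders"         # assumed application endpoint


def q(prefix, local):
    """Clark-notation tag for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(sts_url, applies_to):
    """Step 1: the client's RequestSecurityToken (Issue) sent to the STS."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = NS["wst"] + "/RST/Issue"
    ET.SubElement(hdr, q("wsa", "To")).text = sts_url
    body = ET.SubElement(env, q("s", "Body"))
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2
    # AppliesTo names the service the token is for; the STS scopes the token to it.
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")


# Step 2 input: a constructed STS reply (RSTR) carrying a SAML 2.0 assertion.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wst="{NS['wst']}" xmlns:wsp="{NS['wsp']}"
    xmlns:wsa="{NS['wsa']}" xmlns:saml="{NS['saml']}">
  <s:Body><wst:RequestSecurityTokenResponseCollection><wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML2}</wst:TokenType>
    <wst:RequestedSecurityToken>
      <saml:Assertion ID="_a1b2" Version="2.0" IssueInstant="2022-11-14T10:00:00Z">
        <saml:Issuer>https://sts.example.test</saml:Issuer>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <saml:Conditions><saml:AudienceRestriction>
          <saml:Audience>{APP_URL}</saml:Audience>
        </saml:AudienceRestriction></saml:Conditions>
      </saml:Assertion>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></s:Body>
</s:Envelope>"""


def extract_token(rstr_xml, expected_audience):
    """Step 2: take the issued assertion out of the STS reply, refusing a token
    whose audience restriction does not name the service we are about to call."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("STS reply carries no SAML assertion")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("token audience %r does not cover %r" % (audiences, expected_audience))
    return assertion


def build_app_request(app_url, action, assertion):
    """Step 3: the application request, presenting the token in wsse:Security."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = action
    ET.SubElement(hdr, q("wsa", "To")).text = app_url
    ET.SubElement(hdr, q("wsse", "Security")).append(assertion)
    ET.SubElement(env, q("s", "Body"))  # operation payload omitted in this example
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    print(build_rst(STS_URL, APP_URL))
    token = extract_token(SAMPLE_RSTR, APP_URL)
    print(build_app_request(APP_URL, "http://example.test/Orders/Get", token))
```

In a real session the RST itself is authenticated with the bootstrap credentials chosen under Bootstrap Policy, and the application request is signed with the proof key the STS returns alongside the token; both are outside what this example shows.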
WCF Service (WSHttpBinding) Settings  
Using WCF Service (WSHttpBinding), you can choose from several types of authentication: None,  
Windows, Certificate, or Username (message protection). Select an option from the Client  
authentication type list. Your selection determines which additional information is required, as  
described below.  
Type: None
Parameters:
• Negotiate server credentials. Negotiates the Web Service's certificate with the server. You can also provide the server's DNS information.
• Specify service certificate. The location of the service's certificate. If you select this option, the Negotiate server credentials option is not relevant.
• Expected server DNS. The expected identity of the server in terms of its domain name system (DNS) name. This can be localhost, an IP address, or a server name. It can also be the common name to which the certificate was issued.
• Enable secure session. Allows a secure session using Certificate type authentication.

Type: Windows
Parameters:
• Expected server identity. The service principal name (SPN) or user principal name (UPN). SPN ensures that the SPN and the specific Windows account associated with the SPN identify the service. UPN ensures that the service is running under a specific Windows user account; the user account can be either the currently logged-on user or the account under which the service runs.
• Client Windows identity. The identity information for the client Windows account:
  ◦ Current User. Use the credentials of the user logged onto the machine.
  ◦ Custom User. Provide the user credentials (Username, Password, and Domain) and optionally select an impersonation level, which determines the operations a server can perform in the client's context. Impersonation levels are as follows:
    - None - No level selected.
    - Anonymous - The server cannot impersonate or identify the client.
    - Identification - The server can get the identity and privileges of the client, but cannot impersonate the client.
    - Impersonation - The server can impersonate the client's security context on the local system.
    - Delegation - The server can impersonate the client's security context on remote systems. Because this lets the service use the test account's credentials against other systems, choose the lowest level the test needs.
• Enable secure session. Allows a secure session using Windows type authentication.

Type: Certificate
Parameters:
• Client certificate. The location of the client certificate. The Browse button opens the Select Certificate dialog box.
• Negotiate server credentials. Negotiates the Web Service's certificate with the server. You can also provide the server's DNS information.
• Specify service certificate. The location of the service's certificate. If you select this option, the Negotiate server credentials option is disabled.
• Expected server DNS. The expected identity of the server in terms of its DNS name. This can be localhost, an IP address, or a server name. It can also be the common name to which the certificate was issued.
• Enable secure session. Allows a secure session using Certificate type authentication.

Type: User Name (Message Protection)
Parameters:
• Username, Password. The authentication credentials of the client.
• Negotiate server credentials. Negotiates the Web Service's certificate with the server. You can also provide the server's DNS information.
• Specify service certificate. The location of the service's certificate. If you select this option, the Negotiate server credentials option is disabled.
• Expected server DNS. The expected identity of the server in terms of its DNS name. This can be localhost, an IP address, or a server name. It can also be the common name to which the certificate was issued.
• Enable secure session. Allows a secure session using Username type authentication.
Advanced Security Settings  
This dialog box allows you to customize the security settings for your test on the following tabs.  
Encoding Tab
The Encoding tab includes the following options:
• Encoding. The encoding type to use for the messages: Text, MTOM, or WCF Binary.
• WS-Addressing version. The version of WS-Addressing for the selected encoding: None, WSA 1.0, or WSA 04/08.
Advanced Standards Tab
The Advanced Standards tab includes the following options:
• Reliable messaging. Enables reliable messaging for services that implement the WS-ReliableMessaging specification.
• Reliable messaging ordered. Indicates whether the reliable session must deliver messages in order.
• Reliable messaging version. The version to apply to the messages: WSReliableMessagingFebruary2005 or WSReliableMessaging11.
• Specify via address. Sends the message to an intermediate service that forwards it to the actual server; this also applies when you send the message through a debugging proxy. This corresponds to the WCF clientVia behavior and separates the physical address to which the message is actually sent from the logical address for which the message is intended.
• Via address. The physical address to which the message is sent. It may be the address of the final server or of an intermediary. The logical address is unchanged and still appears in the WS-Addressing header of the SOAP message, for example:
  <wsa:To>http://myLogicalAddress</wsa:To>
  By default, the logical address is the address specified in the WSDL; the via address lets you send the message elsewhere without changing it.
Security Tab
The Security tab includes the following options:
• Enable secure session. Establishes a security context using the WS-SecureConversation standard.
• Negotiate service credentials. Allows WCF's proprietary negotiation to obtain the service's credentials at run time instead of requiring them to be configured in advance.
• Default algorithm suite. The algorithm suite to use for symmetric and asymmetric encryption and signing. The list is populated from the SecurityAlgorithmSuite configuration in WCF.
• Protection level. Indicates whether the SOAP Body should be signed and/or encrypted. The possible values are: None, Sign, and Encrypt And Sign (default).
• Message protection order. The order for signing and encrypting. Choose from: Sign Before Encrypt, Sign Before Encrypt And Encrypt Signature, Encrypt Before Sign.
• Message security version. The WS-Security version. You can also indicate whether to require derived keys for the message.
• Security header layout. The layout of the security header: Strict, Lax, Lax Timestamp First, or Lax Timestamp Last.
• Key entropy mode. The source of entropy for the security key. The possible values are: Client Entropy, Server Entropy, and Combined Entropy.
• Require security context cancellation. Indicates whether the security context must be explicitly cancelled. If you disable this option, stateful security context tokens are used in the WS-SecureConversation session, if they are enabled.
• Include timestamp. Includes a timestamp in the security header.
• Allow serialized signing token on reply. Allows the reply to carry a serialized signing token.
• Require signature confirmation. Instructs the server to send a signature confirmation in the response.
Note: The next four options apply only when using an X.509 certificate.
• X509 Inclusion Mode. Specifies when to include the X.509 certificate in the message: Always To Recipient, Never, Once, or Always To Initiator.
• X509 Reference Style. Specifies how the certificate is referenced: Internal (the certificate is carried in the message and referenced locally) or External (the certificate is identified, for example by thumbprint or issuer and serial number, but not carried).
• X509 require derived keys. Indicates whether keys derived from the X.509 key exchange must be used.
• X509 key identifier clause type. The type of clause used to identify the X.509 key: Any, Thumbprint, Issuer Serial, Subject Key Identifier, Raw Data Key Identifier.
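An added example, not from this guide or from WebInspect, that reads one captured SOAP request and reports which of the Security tab options above, and the WS-Addressing logical address from the Advanced Standards tab, are actually present on the wire. The envelope it parses is constructed here; its URLs, element IDs and the base64 placeholders standing in for the signature value and certificate thumbprint are assumptions. Run against a message captured from a scan, it tells you whether the negotiated policy really signed the Body and Timestamp before you rely on the configured protection level.

```python
"""Added example, not WebInspect code: report the WS-Security properties
actually present in a SOAP request. The envelope below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsc": "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
}
THUMB = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
SKI = "http://docs.oasis-open.org/wss/oasis-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
# wsse:KeyIdentifier/@ValueType -> the guide's "X509 key identifier clause type"
KEY_ID_TYPES = {THUMB: "Thumbprint", SKI: "Subject Key Identifier"}

# Constructed request (assumption, not a captured WebInspect message): Body and Timestamp
# signed, signing key referenced externally by thumbprint, Body not encrypted.
SAMPLE = """<s:Envelope xmlns:s="%(s)s" xmlns:wsa="%(wsa)s" xmlns:wsse="%(wsse)s"
  xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <s:Header>
  <wsa:Action>http://example.test/Orders/Get</wsa:Action>
  <wsa:To>https://app.example.test/orders</wsa:To>
  <wsse:Security s:mustUnderstand="true">
   <wsu:Timestamp wsu:Id="_ts"><wsu:Created>2022-11-14T10:00:00Z</wsu:Created>
    <wsu:Expires>2022-11-14T10:05:00Z</wsu:Expires></wsu:Timestamp>
   <ds:Signature><ds:SignedInfo><ds:Reference URI="#_body"/><ds:Reference URI="#_ts"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference>
     <wsse:KeyIdentifier ValueType="%(thumb)s">dGh1bWI=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security>
 </s:Header>
 <s:Body wsu:Id="_body"><GetOrder xmlns="http://example.test/orders"><Id>42</Id></GetOrder></s:Body>
</s:Envelope>""" % dict(NS, thumb=THUMB)


def key_reference(sec):
    """Classify how the signing key is referenced (X509 reference style / key identifier clause)."""
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if ref is None:
        return None
    kid = ref.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return "External: " + KEY_ID_TYPES.get(kid.get("ValueType"), "other KeyIdentifier")
    if ref.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "External: Issuer Serial"
    if ref.find("wsse:Reference", NS) is not None:
        return "Internal: reference to a token carried in the header"
    return "unknown"


def inspect_envelope(xml_text, logical_address):
    """Return a dict of observations about one SOAP envelope."""
    root = ET.fromstring(xml_text)
    hdr, body = root.find("s:Header", NS), root.find("s:Body", NS)
    to = hdr.find("wsa:To", NS) if hdr is not None else None
    r = {"wsa_to": to.text if to is not None else None}
    # With a via address the physical destination changes; wsa:To must still be the logical one.
    r["to_is_logical"] = r["wsa_to"] == logical_address
    sec = hdr.find("wsse:Security", NS) if hdr is not None else None
    if sec is None:
        r.update(security_header=False, timestamp=False, body_signed=False, body_encrypted=False)
        return r
    names = [c.tag.split("}")[-1] for c in sec]
    r["security_header"], r["timestamp"] = True, "Timestamp" in names
    if r["timestamp"]:  # header layout: first/last correspond to the "Lax Timestamp ..." options
        i = names.index("Timestamp")
        r["timestamp_position"] = "first" if i == 0 else ("last" if i == len(names) - 1 else "middle")
    signed = {ref.get("URI") for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    wsu_id = "{%s}Id" % NS["wsu"]
    ts = sec.find("wsu:Timestamp", NS)
    r["body_signed"] = body.get(wsu_id) is not None and "#" + body.get(wsu_id) in signed
    r["timestamp_signed"] = ts is not None and ts.get(wsu_id) is not None and "#" + ts.get(wsu_id) in signed
    r["body_encrypted"] = body.find("xenc:EncryptedData", NS) is not None
    r["key_reference"] = key_reference(sec)
    r["derived_keys"] = sec.find("wsc:DerivedKeyToken", NS) is not None
    r["secure_conversation"] = sec.find("wsc:SecurityContextToken", NS) is not None
    return r


def findings(r):
    """Turn observations into the points a tester would flag."""
    if not r["security_header"]:
        return ["no wsse:Security header: message security is not in effect"]
    out = []
    if not r["timestamp"]:
        out.append("no Timestamp: replay window is unbounded")
    elif not r["timestamp_signed"]:
        out.append("Timestamp present but not covered by the signature")
    if not r["body_signed"]:
        out.append("SOAP Body not signed (protection level below Sign)")
    if not r["body_encrypted"]:
        out.append("SOAP Body not encrypted (protection level below Encrypt And Sign)")
    if not r["to_is_logical"]:
        out.append("wsa:To %r is not the logical address" % r["wsa_to"])
    return out


if __name__ == "__main__":
    report = inspect_envelope(SAMPLE, "https://app.example.test/orders")
    for k, v in report.items():
        print("%-22s %s" % (k, v))
    print("findings:", findings(report))
```

The layout check only locates the Timestamp; whether the header as a whole satisfies Strict ordering depends on token declaration order, which the script does not verify.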
HTTP & Proxy Tab
The HTTP and Proxy tab includes the following options:
• Transfer mode. The transfer method for requests and responses. The possible values are Buffered, Streamed, Streamed Request, and Streamed Response.
• Max response size (KB). The maximum size of a response that the client accepts.
• Allow cookies. Indicates whether to enable or disable cookies.
• Keep-Alive enabled. Indicates whether to enable or disable keep-alive connections.
• Authentication scheme. The HTTP authentication method: None, Digest, Negotiate, NTLM, Integrated Windows Authentication, Basic, or Anonymous.
• Realm. The realm of the authentication scheme, in the form of a URL.
• Require client certificate. Indicates whether a client certificate is required for SSL transport.
• Use default web proxy. Indicates whether to use the machine's default proxy settings.
• Bypass proxy on local. Indicates whether to ignore the proxy when the service is on the local machine.
• Proxy address. The URL of the proxy server.
• Proxy authentication scheme. The HTTP authentication method used with the proxy: Digest, Negotiate, NTLM, Basic, or Anonymous.
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on Tools Guide (Fortify WebInspect 22.2.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  