User Guide
Chapter 1: About Fortify WebInspect Enterprise
(IDS/IPS) are in place to prevent these activities. Therefore, these tools can be problematic when
conducting a scan for vulnerabilities.
First, these tools can interfere with the sensor’s scanning of a server. An attack that the sensor sends to
the server can be intercepted, resulting in a failed request to the server. If the server is vulnerable to that
attack, the vulnerability may go unreported, producing a false negative.
Second, these tools can identify attack payloads or scan results as malicious and quarantine them, whether
they reside in the WebInspect sensor product itself, in files cached on the local disk, or in the WebInspect
Enterprise or sensor database. When working files used by the sensor or data in the WebInspect Enterprise
or sensor database are quarantined, the sensor can produce inconsistent results, and the quarantined files
and data can also cause unexpected behavior.
These types of issues are environment-specific, though McAfee IPS is known to cause both types of
problems, and any WAF will cause the first problem. Fortify has seen other issues related to these tools
as well.
If such issues arise while conducting a scan, Fortify recommends that you disable WAF, anti-virus
software, firewall, and IDS/IPS tools for the duration of the scan. Doing so is the only way to be sure
you are getting reliable scan results.
Increased Form Input
Most Web applications contain HTML or JavaScript forms composed of special elements called input
controls (text boxes, buttons, drop-down lists, etc.). Users generally “complete” a form by modifying its
input controls (such as entering text or checking boxes) before submitting the form to an agent for
processing. Usually, this processing will lead the user to another page or section of the application. For
example, after completing a logon form, the user will proceed to the application’s beginning page.
To conduct a thorough scan, Fortify WebInspect attempts to identify every page, form, file, and folder
in your application. If you select the option to submit forms during a crawl of your site, Fortify
WebInspect will complete and submit all forms it encounters.
To navigate through all possible links in the application, Fortify WebInspect submits appropriate data
for each form by using a file containing the names of input controls and the associated values that need
to be submitted during the scan. Fortify WebInspect includes a default Web form file containing sample
name/value pairs. You can use the Web Form Editor to create and edit your own file containing web
form values. The pre-defined forms enable Fortify WebInspect to navigate seamlessly through your
application, but they may also produce the following consequences:
• If the application creates and sends email messages or bulletin board postings (to a product support or
sales group, for example) when a user submits a form, Fortify WebInspect will also generate these
messages as part of the audit.
Tip: If your system generates email messages in response to user-submitted forms, you might
want to disable your mail server. Alternatively, you could redirect all emails to a queue and then,
after the audit, manually review and delete those emails that were generated in response to
forms submitted by Fortify WebInspect.
• If normal form submission causes records to be added to a database, then forms submitted by Fortify
WebInspect will create spurious records.
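The crawl-time form completion described above, as an added illustration that is not WebInspect's own code or its web form file format: every form on a page is filled from a name/value table keyed by input-control name, with a default for controls the table does not know. `FORM_VALUES`, `DEFAULT_VALUE`, `SAMPLE_PAGE` and the function names are assumptions of this example, and the sample page is constructed.

```python
"""Illustrative crawler-side form filler (added example, not WebInspect's code):
fills every <form> on a page from a name/value table, as the guide describes."""
from html.parser import HTMLParser
# Constructed stand-in for a web form values file (assumed format: control name -> value).
FORM_VALUES = {"username": "scanuser", "password": "ScanPass1!", "email": "scanner@example.invalid"}
DEFAULT_VALUE = "12345"  # fallback for input controls the table does not name

# Constructed sample page: a logon form and a contact form whose submission would send an email or add a record.
SAMPLE_PAGE = """<form action="/login" method="post"><input type="hidden" name="csrf" value="abc123">
<input type="text" name="username"><input type="password" name="password">
<input type="checkbox" name="remember" value="yes"><input type="submit" name="go" value="Sign in"></form>
<form action="/contact" method="post"><input type="text" name="email"><textarea name="message"></textarea></form>"""

class FormCollector(HTMLParser):
    """Records each <form> with its action, method and the named input controls inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "fields": []}
        elif tag in ("input", "textarea", "select") and self._cur is not None and a.get("name"):
            self._cur["fields"].append((tag, a))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def fill_form(form, values=FORM_VALUES):
    """Return the name/value pairs a crawler would submit for one form."""
    payload = {}
    for tag, a in form["fields"]:
        name, itype = a["name"], a.get("type", "text").lower()
        if tag == "input" and itype in ("hidden", "submit"):
            payload[name] = a.get("value", "")        # keep the page-supplied value
        elif tag == "input" and itype in ("checkbox", "radio"):
            payload[name] = a.get("value", "on")      # select the control
        else:
            payload[name] = values.get(name, DEFAULT_VALUE)  # text, password, textarea, select
    return payload

def fill_all_forms(html, values=FORM_VALUES):
    """Parse a page and return [(action, method, payload)] for every form found."""
    p = FormCollector()
    p.feed(html)
    return [(f["action"], f["method"], fill_form(f, values)) for f in p.forms]
```

Running `fill_all_forms(SAMPLE_PAGE)` shows the contact form being completed and submitted just like the logon form, which is exactly how the spurious emails and records described above arise.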
Micro Focus Fortify WebInspect Enterprise (21.1.0)
Page 30 of 417