Micro Focus Fortify WebInspect

Software Version: 21.2.0
Windows® operating systems

User Guide

Document Release Date: November 2021
Software Release Date: November 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2004-2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:


This document was produced on November 11, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

About this PDF Version of Online Help

This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can be successfully printed from within the online help.


Contents

Preface ... 25
Contacting Micro Focus Fortify Customer Support ... 25
For More Information ... 25
About the Documentation Set ... 25
Fortify Product Feature Videos ... 25

Change Log ... 26

Chapter 1: Introduction ... 33
Understanding the Findings ... 33
Fortify WebInspect Overview ... 33
Crawling and Auditing ... 33
Reporting ... 33
Manual Hacking Control ... 34
Summary and Fixes ... 34
Scanning Policies ... 34
Sortable and Customizable Views ... 34
Enterprise-wide Usage Capabilities ... 35
Web Services Scan Capabilities ... 35
Export Wizard ... 35
Web Service Test Designer ... 35
API Scans ... 35
API Discovery ... 35
Integration Capabilities ... 36
Enhanced Third-party Commercial Application Threat Agents ... 36
Hacker-level Insights ... 36
About Fortify WebInspect Enterprise ... 36
Fortify WebInspect Enterprise Components ... 38
Component Descriptions ... 38
FIPS Compliance ... 39
About FIPS Compliance in Fortify WebInspect Products ... 39
Selecting FIPS-compliant Mode ... 40
Related Documents ... 40
All Products ... 40
Micro Focus Fortify WebInspect ... 41
Micro Focus Fortify WebInspect Enterprise ... 43


Chapter 2: Getting Started ... 44
Preparing Your System for Audit ... 44
Sensitive Data ... 44
Firewalls, Anti-virus Software, and Intrusion Detection Systems ... 44
Effects to Consider ... 45
Helpful Hints ... 45
Quick Start ... 46
Update SecureBase ... 46
Prepare Your System for Audit ... 47
Start a Scan ... 47

Chapter 3: WebInspect User Interface ... 48
The Activity Panel ... 48
Closing the Activity Panel ... 49
The Button Bar ... 49
Panes Associated with a Scan ... 51
Start Page ... 52
Home ... 52
Manage Scans ... 52
Manage Schedule ... 53
Menu Bar ... 53
File Menu ... 53
Edit Menu ... 54
View Menu ... 55
Tools Menu ... 55
Scan Menu ... 55
Enterprise Server Menu ... 56
Reports Menu ... 57
Help Menu ... 58
WebInspect Help ... 58
Search ... 58
Support > Request an Enhancement ... 58
Support > Contact Technical Support ... 58
Support > Get Open TC Browsers info ... 58
Support > Copy Application Snapshot to Clipboard ... 59
Tutorials ... 59
About WebInspect ... 59
Toolbars ... 59
Buttons Available on the Scan Toolbar ... 59
Buttons Available on the Standard Toolbar ... 61
Buttons Available on the "Manage Scans" Toolbar ... 62
Navigation Pane ... 63
Site View ... 64
Excluded Hosts ... 64
Allowed Hosts Criteria ... 65
Sequence View ... 66
SPA Coverage ... 67
Search View ... 68
Step Mode View ... 69
Navigation Pane Icons ... 69
Navigation Pane Shortcut Menu ... 71
Information Pane ... 73
Scan Info Panel ... 74
Dashboard ... 74
Traffic Monitor ... 75
Attachments ... 75
False Positives ... 76
Dashboard ... 77
Progress Bars ... 78
Progress Bar Descriptions ... 78
Progress Bar Colors ... 79
Activity Meters ... 79
Activity Meter Descriptions ... 80
Vulnerabilities Graphics ... 80
Statistics Panel - Scan ... 80
Statistics Panel - Crawl ... 82
Statistics Panel - Audit ... 82
Statistics Panel - Network ... 82
Attachments - Scan Info ... 83
False Positives ... 84
Importing False Positives ... 84
Inactive / Active False Positives Lists ... 84
Loading False Positives ... 84
Working with False Positives ... 84
Session Info Panel ... 85
Options Available ... 85
Vulnerability ... 88
Web Browser ... 88
HTTP Request ... 89
Highlighted Text in the Request ... 89
HTTP Response ... 89
Highlighted Text in the Response ... 89
Stack Traces ... 89
Details ... 89
Steps ... 90
Links ... 90
Comments: Session Info ... 90
Text ... 90
Hiddens: Session Info ... 90
Forms: Session Info ... 91
E-Mail ... 91
Scripts - Session Info ... 91
Attachments - Session Info ... 91
Viewing an Attachment ... 92
Adding a Session Attachment ... 92
Editing an Attachment ... 92
Attack Info ... 93
Web Service Request ... 93
Web Service Response ... 93
XML Request ... 93
XML Response ... 93
Host Info Panel ... 93
Options Available ... 94
P3P Info ... 95
P3P User Agents ... 95
AJAX ... 96
How AJAX Works ... 96
Certificates ... 97
Comments - Host Info ... 97
Cookies ... 97
E-Mails - Host Info ... 98
Forms - Host Info ... 98
Hiddens - Host Info ... 99
Scripts - Host Info ... 99
Broken Links ... 100
Offsite Links ... 100
Parameters ... 100
Summary Pane ... 101
Findings Tab ... 101
Available Columns ... 102
Vulnerability Severity ... 103
Working with Findings ... 104
Not Found Tab ... 105
Scan Log Tab ... 106
Server Information Tab ... 106
Micro Focus Fortify Monitor ... 107


Chapter 4: Working with Scans ... 108
Guided Scan Overview ... 108
Predefined Templates ... 108
Mobile Templates ... 108
Running a Guided Scan ... 109
Predefined Template (Standard, Quick, or Thorough) ... 109
Mobile Scan Template ... 109
Native Scan Template ... 110
Using the Predefined Template ... 110
Launching a Guided Scan ... 110
Understanding the Rendering Engine ... 111
About the Site Stage ... 111
Verifying Your Web Site ... 111
Choosing a Scan Type ... 113
About the Login Stage ... 114
Network Authentication Step ... 114
Configuring Network Authentication ... 114
Application Authentication Step ... 115
Masked Values Supported ... 116
Using a Login Macro without Privilege Escalation ... 116
Using Login Macros for Privilege Escalation ... 116
Using a Login Macro when Connected to Fortify WebInspect Enterprise ... 117
Automatically Creating a Login Macro ... 118
About the Workflows Stage ... 118
To Add Burp Proxy results ... 119
About the Active Learning Stage ... 119
Using the Profiler ... 119
About the Settings Stage ... 121
Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan ... 123
Using the Mobile Scan Template ... 125
Launching a Mobile Scan ... 125
Creating a Custom User Agent Header ... 126
About the Site Stage ... 126
Verifying Your Web Site ... 126
Choosing a Scan Type ... 128
About the Login Stage ... 129
Network Authentication Step ... 129
Configuring Network Authentication ... 130
Application Authentication Step ... 130
Masked Values Supported ... 131
Using a Login Macro without Privilege Escalation ... 131
Using Login Macros for Privilege Escalation ... 131
Using a Login Macro when Connected to Fortify WebInspect Enterprise ... 132
Automatically Creating a Login Macro ... 133
About the Workflows Stage ... 133
Adding Burp Proxy Results ... 134
Adding Burp Proxy Results ... 134
About the Active Learning Stage ... 135
Using the Profiler ... 135
About the Settings Stage ... 136
Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan ... 139
Using the Native Scan Template ... 140
Setting Up Your Mobile Device ... 141
Guided Scan Stages ... 141
Supported Devices ... 141
Supported Development Emulators ... 141
Launching a Native Scan ... 142
About the Native Mobile Stage ... 142
Choose Device/Emulator Type Step ... 142
Selecting a Profile ... 143
Setting the Mobile Device Proxy Address ... 143
Adding a Trusted Certificate ... 144
Choose Scan Type Step ... 145
About the Login Stage ... 145
Network Authentication Step ... 145
Configuring Network Authentication ... 146
Configuring a Client Certificate ... 146
Application Authentication Step ... 147
Masked Values Supported ... 147
Using a Login Macro without Privilege Escalation ... 148
Using Login Macros for Privilege Escalation ... 148
Using a Login Macro when Connected to Fortify WebInspect Enterprise ... 149
Testing the Macro ... 149
About the Application Stage ... 149
Run Application Step ... 150
Finalizing Allowed Hosts and RESTful Endpoints ... 150
About the Settings Stage ... 150
Final Review Step ... 151
Validate Settings and Start Scan ... 151
Post Scan Steps ... 153
Running an API or Web Service Scan ... 153
API Scans ... 154
Web Service Scans ... 154
Getting Started with the API Scan Wizard ... 154
What's Next? ... 154
Configuring an API Scan ... 154
What's Next? ... 156
Configuring a Web Service Scan ... 156
Using a WSDL File ... 156
Using an Existing WSD File ... 157
What's Next? ... 157
Configuring Proxy Settings for API and Web Service Scans ... 157
What's Next? ... 158
Configuring Authentication for API and Web Service Scans ... 158
Configuring Network Authentication ... 158
Viewing and Adjusting Postman Configuration Settings ... 158
What's Next? ... 159
Configuring Scan Details for API and Web Service Scans ... 159
Selecting a Policy for API Scans ... 159
Launching the Web Service Test Designer ... 159
Configuring Additional Settings for API and Web Service Scans ... 160
What's Next? ... 161
Congratulations ... 161
Running a Basic Scan (Web Site Scan) ... 161
Basic Scan Options ... 162
Authentication and Connectivity ... 164
Coverage and Thoroughness ... 167
Detailed Scan Configuration ... 169
Profiler ... 169
Settings ... 169
Auto Fill Web Forms ... 170
Add Allowed Hosts ... 170
Reuse Identified False Positives ... 170
Sample Macro ... 170
Traffic Analysis ... 171
Message ... 171
Congratulations ... 171
Upload to Fortify WebInspect Enterprise Scan Template ... 171
Save Settings ... 171
Generate Reports ... 171
Using the Site List Editor ... 172
Configuring the Proxy Profile ... 173
Configure proxy using a PAC file ... 173
Explicitly configure proxy ... 173
Specifying Allowed Hosts ... 174
Specifying Allowed Hosts ... 174
Editing Allowed Hosts ... 175
Multi-user Login Scans ... 175
Before You Begin ... 175
Known Limitations ... 175
Process Overview ... 176
Configuring a Multi-user Login Scan ... 176
Adding Credentials ... 177
Editing Credentials ... 178
Deleting Credentials ... 178
Using Two-factor Authentication ... 178
How Scanning with Two-factor Authentication Works ... 179
Technology Preview ... 179
Recommendation ... 179
Known Limitations ... 179
Understanding the Process ... 179
Interactive Scans ... 180
Configuring an Interactive Scan ... 181
Restrict to Folder Limitations ... 182
JavaScript Include Files ... 182
Login Macros ... 182
Workflow Macros ... 183
Running an Enterprise Scan ... 183
Edit the 'Hosts to Scan' List ... 185
Export a List ... 185
Start the Scan ... 186
Running a Manual Scan ... 186
About Privilege Escalation Scans ... 187
Two Modes of Privilege Escalation Scans ... 188
What to Expect During the Scan ... 188
Regex Patterns Used to Identify Restricted Pages ... 188
Effect of Crawler Limiting Settings on Privilege Escalation Scans ... 189
Effect of Parameters with Random Numbers on Privilege Escalation Scans ... 189
About Single-page Application Scans ... 190
Technology Preview ... 190
The Challenge of Single-page Applications ... 191
Enabling SPA Support ... 191
Scan Status ... 191
Updates to Information in the Scan Manager ... 192
Opening a Saved Scan ... 193
Comparing Scans ... 193
Selecting Scans to Compare Scans ... 193
Reviewing the Scan Dashboard ... 194
Scan Descriptions ... 195
The Venn Diagram ... 195
Vulnerabilities Bar Chart ... 195
Effect of Scheme, Host, and Port Differences on Scan Comparison ... 196
Compare Modes ... 196
Session Filtering ... 196
Using the Session Info Panel ... 197
Using the Summary Pane to Review Vulnerability Details ... 197
Grouping and Sorting Vulnerabilities ... 197
Filtering Vulnerabilities ... 197
Working with Vulnerabilities ... 198
Manage Scans ... 199
Schedule a Scan ... 200
Configuring Time Interval for Scheduled Scan ... 201
Managing Scheduled Scans ... 201
Selecting a Report ... 203
Configuring Report Settings ... 204
Stopping a Scheduled Scan ... 205
Scheduled Scan Status ... 205
Exporting a Scan ... 206
Exporting Scan Details ... 207
Export Scan to Software Security Center ... 209
Exporting Protection Rules to Web Application Firewall (WAF) ... 210
Importing a Scan ... 211
Importing False Positives ... 211
Importing Legacy Web Service Scans ... 212
Changing Import/Export Settings ... 212
Downloading a Scan from Enterprise Server ... 213
Log Files Not Downloaded ... 213
Uploading a Scan to Enterprise Server ... 213
Running a Scan in Enterprise Server ... 214
Transferring Settings to/from Enterprise Server ... 214
Creating a Fortify WebInspect Enterprise Scan Template ... 215
Creating a Fortify WebInspect Settings File ... 215
Publishing a Scan (Fortify WebInspect Enterprise Connected) ... 216
Integrating Vulnerabilities into Fortify Software Security Center ... 217
First scan ... 218
Second scan ... 219
Third scan ... 219
Fourth Scan ... 219
Synchronize with Fortify Software Security Center ... 219


Chapter 5: Using WebInspect Features                            221

Retesting and Rescanning                                 221 Retesting Vulnerabilities                                 221 Understanding the Retest Status                           222 Recommendation for Failed and Not Supported Vulnerabilities            222 Retesting All Vulnerabilities                              223 Retesting All Vulnerabilities with a Specific Severity                  223 Retesting Selected Vulnerabilities                           223 Retesting Grouped Categories                             224 Retesting a Retest Scan                                224 Retest Scan Log                                    224 Comparison Views                                   224 Keeping or Deleting a Retest Scan                           225 Rescanning a Site                                     225 Reusing Scans                                      226 Reuse Options                                     226 Difference between Remediation Scans and Retest Vulnerability            226 Guidelines for Reusing Scans                             227 Reusing a Scan                                    227 Incremental Scanning                                   227 Merging Baseline and Incremental Scans                        228 Incremental Scan with Continuous or Deferred Audit                  228

Using Macros                                        229 Selecting a Workflow Macro                                 230

Using a Web Macro Recorder                                230 Web Macro Recorder with Macro Engine 6.1                       231 Session-based Web Macro Recorder                           231

Traffic Monitor (Traffic Viewer)                              231



Traffic Session Data in Traffic Viewer                         231 Viewing Traffic in the Traffic Viewer                          231

Server Profiler                                        232 Using the Server Profiler                                 232

Inspecting the Results                                    233 Basic Scan                                        233 Working with One or More Vulnerabilities                       234 Working with a Group                                 235 Understanding the Severity                              235 Working in the Navigation Pane                            236 Web Services Scan                                    236

Search View                                         237

Using Filters and Groups in the Summary Pane                        238 Using Filters                                       238 No Filters                                       238 Filtered by Method:Get                                239 Specifying Multiple Filters                               239 Filter Criteria                                     239 Using Groups                                       240

Auditing Web Services                                  241 Options Available from the Session Info Panel                     241

Adding/Viewing Vulnerability Screenshot                        243 Viewing Screenshots for a Selected Session                      243 Viewing Screenshots for All Sessions                         244

Editing Vulnerabilities                                   244 Editing a Vulnerable Session                               245

Vulnerability Rollup                                     246 What Happens to Rolled Up Vulnerabilities                        246 Rollup Guidelines                                     246 Rolling Up Vulnerabilities                                 247 Undoing Rollup                                      247

Mark As False Positive                                    248 Mark As Vulnerability                                    248

Flag Session for Follow-Up                                 249 Viewing Flags for a Selected Session                           249 Viewing Flags for All Sessions                              249



Scan Note                                          249

Session Note                                        250 Viewing Notes for a Selected Session                          250 Viewing Notes for All Sessions                              250

Vulnerability Note                                     250 Viewing Notes for a Selected Session                          251 Viewing Notes for All Sessions                              251

Recovering Deleted Items                                 251

Sending Vulnerabilities to Micro Focus ALM                        252 Additional Information Sent                              252

Disabling Data Execution Prevention                          253

Generating a Report                                     253 Saving a Report                                      254

Advanced Report Options                                 254

Report Viewer                                        255 Adding a Note                                       256

Standard Reports                                      256 Manage Reports                                       258 Compliance Templates                                    258

Managing Settings                                     269 Creating a Settings File                                  269 Editing a Settings File                                  269 Deleting a Settings File                                  270 Importing a Settings File                                 270 Exporting a Settings File                                 270 Scanning with a Saved Settings File                            270

SmartUpdate                                      270 Performing a SmartUpdate (Internet Connected)                    271 Downloading Checks without Updating Fortify WebInspect               272 Performing a SmartUpdate (Offline)                          272

WebSphere Portal FAQ                                   273

Command-line Execution                                   275 Launching the CLI                                     275 CLI Limitations in Fortify WebInspect on Docker                      275 Using WI.exe                                       275



Options                                         276 Examples                                        291 Selenium Login Macro Example                             291 Response State Rule Example                             291 Merging Scans                                     292 Hyphens in Command Line Arguments                         292 Exit Codes                                       292 Using WIScanStopper.exe                                 293 Using MacroGenServer.exe                                 293 Options                                         293

Regular Expressions                                     295

Regex Extensions                                       296 Regular Expression Tags                                 296 Regular Expression Operators                               297 Examples                                         297

Fortify WebInspect REST API                              298 What is the Fortify WebInspect REST API?                       298 Configuring the Fortify WebInspect REST API                     298 Accessing the Fortify WebInspect REST API Swagger UI                301 Using the Swagger UI                                 301 Getting Field-level Details                               302 Automating Fortify WebInspect                            303 Fortify WebInspect Updates and the API                        303

Scanning with a Postman Collection   303
  What is Postman?   303
  Benefits of a Postman Collection   304
  Known Limitations with Postman Variables   304
  Options for Postman Scans   304
  Postman Prerequisites   304
  Using Client Certificates with Postman   304
  Tips for Preparing a Postman Collection   305
  Ensure Valid Responses   305
  Order of Requests   305
  Handling Authentication   305
  Using Static Authentication   306
  Using Dynamic Authentication   306
  Using a Postman Login Macro   306
  Postman Auto-configuration   306
  Sample Postman Scripts   307
  Manually Configuring Postman Login for Dynamic Tokens   307
  What are Dynamic Tokens?   307
  Before You Begin   307
  Process Overview   307
  Identifying and Isolating the Login Request   308
  Creating a Logout Condition with Regular Expressions   308
  Creating a Response State Rule for a Bearer Token   309
  Creating a Response State Rule for an API Key   309
  Postman API Scan Using WI.exe or WebInspect REST API   310
  Process   310
  Troubleshooting the Postman Scan   311

Integrating with Selenium WebDriver   311
  Known Limitations   312
  Process Overview   312
  Adding the Proxy to Selenium Scripts   314
  Advantages   314
  Disadvantages   314
  Sample Code   314
  Using the CLI   318
  Using the Fortify WebInspect geckodriver.exe   318
  Advantages   319
  Disadvantages   319
  Installing the Selenium WebDriver Environment   319
  Testing from the Command Line   319
  Creating a Selenium Command   320
  Uploading Files to Fortify WebInspect   322
  Using the CLI   322
  Using the API   323
  Using the Selenium Command   323
  Running a Scan Using WI.exe   323
  Creating a Macro Using the API   324

About the Burp API Extension   325
  Benefits of Using the Burp API Extension   325
  Supported Versions   326

Using the Burp API Extension   326
  Loading the Burp Extension   326
  Connecting to Fortify WebInspect   327
  Refreshing the List of Scans   329
  Working with a Scan in Burp   329
  Sending Items from Burp to Fortify WebInspect   332

About the WebInspect SDK   333
  Audit Extensions / Custom Agents   334
  SDK Functionality   334
  Installation Recommendation   334
  Installing the WebInspect SDK   335
  Verifying the Installation   335
  After Installation   336

Add Page or Directory   336
Add Variation   336

Fortify Monitor: Configure Enterprise Server Sensor   337
  After Configuring as a Sensor   338
  Example 1   339
  Example 2   339
  Example 3   340
  Example 4   340
Blackout Period   338
  Creating an Exclusion   338


Internet Protocol Version 6                                340


Chapter 6: Default Scan Settings                              341

Scan Settings: Method   341
  Scan Mode   341
  Crawl and Audit Mode   342
  Crawl and Audit Details   342
  Navigation   343
  SSL/TLS Protocols   344

Scan Settings: General   345
  Scan Details   345
  Crawl Details   346

Scan Settings: JavaScript   350
  JavaScript Settings   350

Scan Settings: Requestor   351
  Requestor Performance   352
  Requestor Settings   353
  Stop Scan if Loss of Connectivity Detected   353

Scan Settings: Session Exclusions   354
  Excluded or Rejected File Extensions   355
  Excluded MIME Types   355
  Other Exclusion/Rejection Criteria   355
  Editing Criteria   356
  Adding Criteria   356

Scan Settings: Allowed Hosts   358
  Using the Allowed Host Setting   358
  Adding Allowed Domains   358
  Editing or Removing Domains   359

Scan Settings: HTTP Parsing   359
  Options   359

CSRF                                             363

About CSRF   364
  Using CSRF Tokens   364
  Enabling CSRF Awareness in Fortify WebInspect   364

Scan Settings: Custom Parameters   365
  URL Rewriting   365
  RESTful Services   365
  Enable automatic seeding of rules that were not used during scan   366
  Double Encode URL Parameters   367

Path Matrix Parameters   367
  Definition of Path Segment   368
  Special Elements for Rules   368
  Asterisk Placeholder   369
  Benefit of Using Placeholders   370
  Multiple Rules Matching a URL   370

Scan Settings: Filters   370
  Options   371
  Adding Rules for Finding and Replacing Keywords   371

Scan Settings: Cookies/Headers   372
  Standard Header Parameters   372
  Append Custom Headers   372
  Adding a Custom Header   373
  Append Custom Cookies   373
  Adding a Custom Cookie   373

Scan Settings: Proxy   373
  Options   374

Scan Settings: Authentication   375
  Scan Requires Network Authentication   375
  Authentication Method   375
  Authentication Credentials   376
  Client Certificates   376
  Editing the Proxy Config File for WebInspect Tools   377
  Enable Macro Validation   378
  Use a login macro for forms authentication   378
  Login Macro Parameters   378
  Use a startup macro   378
  Multi-user Login   379

Scan Settings: File Not Found   380
  Options   380

Scan Settings: Policy   381
  Creating a Policy   382
  Editing a Policy   382
  Importing a Policy   382
  Deleting a Policy   383

Scan Settings: User Agent   383
  Profile and User-Agent String   383
  Navigator Interface Settings   384


Chapter 7: Crawl Settings                                   385

Crawl Settings: Link Parsing   385
  Adding a Specialized Link Identifier   385

Crawl Settings: Link Sources   385
  What is Link Parsing?   385
  Pattern-based Parsing   386
  DOM-based Parsing   386
  Form Actions, Script Includes, and Stylesheets   390
  Miscellaneous Options   391
  Limitations of Link Source Settings   392

Crawl Settings: Session Exclusions   392
  Excluded or Rejected File Extensions   393
  Adding a File Extension to Exclude/Reject   393
  Excluded MIME Types   393
  Adding a MIME Type to Exclude   393
  Other Exclusion/Rejection Criteria   393
  Editing the Default Criteria   394
  Adding Exclusion/Rejection Criteria   394


Chapter 8: Audit Settings                                   396

Audit Settings: Session Exclusions   396
  Excluded or Rejected File Extensions   396
  Adding a File Extension to Exclude/Reject   396
  Excluded MIME Types   396
  Adding a MIME Type to Exclude   397
  Other Exclusion/Rejection Criteria   397
  Editing the Default Criteria   397
  Adding Exclusion/Rejection Criteria   397

Audit Settings: Attack Exclusions   399
  Excluded Parameters   399
  Adding Parameters to Exclude   399
  Excluded Cookies   400
  Excluding Certain Cookies   400
  Excluded Headers   401
  Excluding Certain Headers   401
  Audit Inputs Editor   401

Audit Settings: Attack Expressions   402
  Additional Regular Expression Languages   402

Audit Settings: Vulnerability Filtering   402
  Adding a Vulnerability Filter   403
  Suppressing Off-site Vulnerabilities   403

Audit Settings: Smart Scan   403
  Enable Smart Scan   403
  Use regular expressions on HTTP responses   403
  Use server analyzer fingerprinting and request sampling   404
  Custom server/application type definitions   404


Chapter 9: Application Settings   405

Application Settings: General   405
  General   405
  WebInspect Agent   408

Application Settings: Database   408
  Connection Settings for Scan/Report Storage   409
  SQL Server Database Privileges   409
  Configuring SQL Server Standard Edition   409
  Connection Settings for Scan Viewing   410
  Creating Scan Data for Site Explorer   410

Application Settings: Directories   410
  Changing Where Fortify WebInspect Files Are Saved   410

Application Settings: License   411
  License Details   411
  Direct Connection to Micro Focus   411
  Connection to APLS   412
  Connection to LIM   412

Application Settings: Server Profiler   412
  Modules   413

Application Settings: Step Mode                             414

Application Settings: Two-Factor Authentication   415
  Technology Preview   415
  Two-Factor Authentication Control Center   415
  Mobile Application   416
  Installing and Configuring the Fortify2FA Mobile App   416

Application Settings: Logging                               423

Application Settings: Proxy   423
  Not Using a Proxy Server   423
  Using a Proxy Server   424
  Configuring a Proxy   424

Application Settings: Reports   425
  Options   425
  Headers and Footers   426

Application Settings: Telemetry   426
  About Telemetry   427
  Enabling Telemetry   427
  Uploading Scans via Telemetry   427
  Setting the Upload Interval   427
  Setting the On-disk Cache Size   427
  Identifying Categories of Information to Send   428

Application Settings: Run as a Sensor   428
  Sensor   428

Application Settings: Override SQL Database Settings   429
  Override Database Settings   429
  Configure SQL Database   430

Application Settings: Smart Update   430
  Options   430

Application Settings: Support Channel   431
  Opening the Support Channel   431

Application Settings: Micro Focus ALM   431
  ALM License Usage   431
  Before You Begin   431
  Creating a Profile   432


Chapter 10: Reference Lists                                  433

Fortify WebInspect Policies   433
  Best Practices   433
  By Type   435
  Custom   436
  Hazardous   436
  Deprecated Checks and Policies   437

Scan Log Messages   438
HTTP Status Codes   461


Chapter 11: Troubleshooting                                 465

Troubleshooting WebInspect   465
  Connectivity Issues   465
  Scan Initialization Failures   466
  Scan Configuration Issues   466

Troubleshooting Alerts   467
  Technology Preview   467
  Disabling Alerts   467
  Alerts Troubleshooting Table   467

Testing Login Macros   468
  Validation Tests Performed   468
  Troubleshooting Tips   469

Uninstalling Fortify WebInspect   470
  Options for Removing   470


Send Documentation Feedback                               471

Preface


Contacting Micro Focus Fortify Customer Support

Visit the Support website to: