Micro Focus Fortify WebInspect

Software Version: 21.2.0
Windows® operating systems


Tools Guide


Document Release Date: November 2021
Software Release Date: November 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2004-2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

Software Version number, which indicates the software version.
Document Release Date, which changes each time the document is updated.
Software Release Date, which indicates the release date of this version of the software.
This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

About this PDF Version of Online Help

This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can be successfully printed from within the online help.


Contents

Preface  22
  Contacting Micro Focus Fortify Customer Support  22
  For More Information  22
  About the Documentation Set  22
  Fortify Product Feature Videos  22

Change Log  23

Chapter 1: Welcome to Micro Focus Fortify WebInspect Tools  26
  About Fortify WebInspect Tools  26
  Using Tools with a Proxy  26
  Related Documents  26
  All Products  27
  Micro Focus Fortify ScanCentral DAST  27
  Micro Focus Fortify WebInspect  28
  Micro Focus Fortify WebInspect Enterprise  29

Chapter 2: Audit Inputs Editor  31
  Check Inputs  31
  Engine Inputs  32

Chapter 3: Compliance Manager (Fortify WebInspect Only)  35
  How It Works  35
  Creating a Compliance Template  36
  Usage Notes  41
  General Text Searching Group  41
  Threat Classes  41

Chapter 4: Encoders/Decoders  42
  Encoding a String  42
  Decoding a String  43
  Manipulating Encoded Strings  43
  Encoding Types  44

Chapter 5: HTTP Editor  46
  Request Viewer  46
  Response Viewer  47
  HTTP Editor Menus  47
  Help Menu  48
  Request Actions  48
  Response Actions  50
  Editing and Sending a Request  51
  Searching the Request or Response  52
  Settings  53
  Options Tab  53
  Authentication Tab  56
  Proxy Tab  56
  Regular Expressions  57
  Regular Expression Extensions  58
  Regular Expression Tags  58
  Regular Expression Operators  59
  Examples  59

Chapter 6: Log Viewer (Fortify WebInspect Only)  60

Chapter 7: Policy Manager  61
  Views  61
  Creating or Editing a Policy  64
  Creating a Custom Check  65
  Searching for Specific Agents  74
  Using a Custom Agent  75
  Methodologies  75
  Parameter Manipulation  76
  Parameter Overflow  78
  Parameter Addition  78
  Site Search  80
  Application Mapping  81
  Web Server Assessment  81
  Content Investigation  82
  Brute Force Authentication Attacks  83
  Known Attacks  84
  Policies  84
  Best Practices  84
  By Type  86
  Custom  87
  Hazardous  87
  Deprecated Checks and Policies  88
  Policy Manager Icons  89
  Audit Engines  90
  Audit Options  93
  General Application Testing  93
  Third-Party Web Applications  93
  Web Frameworks/Languages  93
  Web Servers  93
  Custom Agents  94
  Custom Checks  94
  Regular Expressions  94
  Regular Expression Extensions  96
  Regular Expression Tags  96
  Regular Expression Operators  96
  Examples  96

Chapter 8: Regular Expression Editor  98
  Testing a Regular Expression  98
  Regular Expressions  99
  Regular Expression Extensions  101
  Regular Expression Tags  101
  Regular Expression Operators  101
  Examples  101

Chapter 9: Server Analyzer (Fortify WebInspect Only)  103
  Analyzing a Server  103
  Modifying Settings  104
  Exporting Analyzer Results  104
  Authentication Settings  104
  Authentication Method  104
  Authentication Credentials  105
  Proxy Settings  105
  Direct Connection (proxy disabled)  105
  Auto detect proxy settings  105
  Use System Proxy Settings  105
  Use Firefox proxy settings  105
  Configure proxy using a PAC file  105
  Explicitly configure proxy  106
  Specify Alternative Proxy for HTTPS  106

Chapter 10: Server Profiler  107
  Using the Server Profiler  107

Chapter 11: Site Explorer  109
  Viewing ScanCentral DAST Scans  109
  Limitations of Site Explorer  109
  Technology Preview  109
  Scan Tiles  109
  ScanCentral DAST Scans  110
  Information on the Scan Tile  110
  Real-time Updates  111
  How Scan Tiles Are Grouped  111
  Showing and Hiding a Group of Scan Tiles  111
  Searching for Scans  111
  Clearing the Search  112
  Deleting a Scan  112
  Scan Conversion  112
  What Happens During Conversion  112
  Effect of Updates on Converted Scans  113
  Converting a Scan  113
  Files are Not Synced  113
  Enabling Fortify WebInspect to Create Data for Site Explorer  113
  Importing and Exporting Scans  114
  About the Scan Files  114
  Importing Scans  114
  Exporting Scans  115
  Using the Interface  115
  Viewing a Scan  115
  Real-time Updates  116
  Using the Site Tree  116
  Hiding the Site Tree  116
  Showing the Site Tree  117
  Off-site Hosts Node  117
  Site Tree Icons  117
  Viewing Traffic for a Resource  118
  Viewing Only Host Names  118
  Filtering for Selected Hosts  118
  Viewing All Host Names  118
  Customizing Grid Views  118
  Resizing Columns  119
  Repositioning Columns  119
  Adding/Removing Columns  119
  Customizing Detail Views  120
  Changing the Layout  120
  Changing the Color Theme  120
  Hiding and Showing HTTP Detail Views  120
  Floating, Moving, and Docking  121
  Floating and Moving the Site Tree  121
  Floating a Grid View  121
  Floating a Detail View  121
  Moving a Tab  122
  Docking Windows  122
  Understanding the Docking Positions  123
  Cloning Tab Contents  124
  Working with Traffic and Findings  124
  Exploring Scan Findings  124
  About the Findings Tab  124
  Available Columns  125
  Viewing the Vulnerability Description  125
  Filtering in the Findings Grid  125
  Exporting Findings  126
  Viewing the Evidence  127
  Identifying the Vulnerability or Attack String  127
  Exploring Traffic  128
  Viewing Traffic for a Resource  128
  Using the Breadcrumbs  128
  Using Text Search  129
  Text Search Columns  129
  Searching in the Text Search Grid  129
  Working with Responses in the Text Search  129
  Viewing Related Traffic for a Session  130
  Viewing Related Text for a Session  130
  Working with Sessions  131
  Viewing the HTTP Detail  131
  Wrapping Text  131
  Decoding Percent-encoded Characters  131
  Viewing a Session in the Browser  132
  Expanding Compressed Content  132
  Working with Parameters  132
  Understanding Parameters  133
  Viewing Parameter Details  133
  Adding Parameter Columns to Traffic Grid  133
  Drilling Down Into Traffic Data  134
  What is Related Traffic?  134
  Viewing Traffic for a Resource  134
  Viewing Related Traffic for a Session  134
  Viewing Related Text for a Session  135
  Working with Stacked Grids  135
  Viewing and Closing Stacked Grids  136
  Searching and Filtering  136
  Searching in Grid Views  136
  Searching in Non-grid Views  137
  Clearing the Search  137
  Sorting in the Grid  137
  Filtering in the Grid  137
  Rules for Filtering in the Grid  138
  Clearing a Filtered View  139
  Understanding the Search Expressions  139
  Basic Format of a Search Query  139
  The Search and Filter Operators  141
  Using Regular Expressions  143
  Traffic String Properties for Searching  143
  Text Search String Properties  143
  Using the Tilde (~) Operator  143
  Using RegExp Syntax  144
  Understanding the RegExp Syntax  144
  Regular Expressions  145

Chapter 12: SmartUpdate  147
  Performing a SmartUpdate (Internet Connected)  147
  Downloading Checks without Updating Fortify WebInspect  148
  Performing a SmartUpdate (Offline)  148

Chapter 13: SQL Injector (Fortify WebInspect Only)  150
  SQL Injector Tabs  153
  Request Pane  153
  Database Pane  154
  Information Pane  154
  SQL Injector Settings  154
  Options Tab  154
  Authentication Tab  156
  Proxy Tab  156

Chapter 14: SWFScan (Fortify WebInspect Only)  158
  How It Works  158
  Vulnerability Detection  158
  ActionScript 3 Vulnerabilities Detected by SWFScan  158
  ActionScript 1 and 2 Vulnerabilities Detected by SWFScan  159
  Analyzing Flash Files  159
  Using SWFScan as a Standalone Tool  159
  Using SWFScan in Fortify WebInspect  160
  Examining Results  161
  Searching Source Code  161
  Configuring SWFScan Settings  162
  AS2 Exclusions  162
  AS3 Exclusions  163
  Proxy  163
  Checks  164
  Sorting the Checks  164
  Enabling/Disabling Checks  164

Chapter 15: Traffic Viewer  165
  Option Must be Enabled  165
  Proxy Server  165
  Enabling Traffic Monitor  166
  Enabling the Traffic Monitor for All Scans  166
  Enabling the Traffic Monitor for Individual Scans  166
  Launching the Traffic Viewer  166
  From an Open Scan  167
  As a Stand-alone Tool  167
  Using the Interface  167
  Using the Site Tree  167
  Site Tree Icons  167
  Viewing Traffic for a Resource  168
  Viewing Only Host Names  168
  Filtering for Selected Hosts  168
  Viewing All Host Names  168
  Customizing Grid Views  169
  Resizing Columns  169
  Repositioning Columns  169
  Adding/Removing Columns  170
  Customizing Detail Views  170
  Changing the Layout  170
  Changing the Color Theme  170
  Hiding and Showing HTTP Detail Views  171
  Resizing, Collapsing, and Expanding UI Elements  171
  Resizing an Element  171
  Collapsing an Element  171
  Expanding an Element  172
  Using Auto Scroll  172
  Enabling Auto Scroll  172
  Disabling Auto Scroll  172
  Working with Traffic  172
  Exploring Traffic  172
  Viewing Traffic for a Resource  172
  Using the Breadcrumbs  173
  Working with Sessions  173
  Viewing the HTTP Detail  173
  Wrapping Text  174
  Decoding Percent-encoded Characters  174
  Resending a Request  174
  Viewing a Session in the Browser  174
  Expanding Compressed Content  175
  Working with Parameters  175
  Understanding Parameters  175
  Viewing Parameter Details  175
  Adding Parameter Columns to Traffic Grid  176
  Drilling Down Into Traffic Data  176
  Viewing Traffic for a Resource  176
  Viewing Related Traffic for a Session  176
  Working with Stacked Grids  177
  Viewing and Closing Stacked Grids  177
  Searching and Filtering  177
  Searching in Grid Views  178
  Searching in Non-grid Views  178
  Clearing the Search  178
  Sorting in the Grid  179
  Filtering in the Grid  179
  Rules for Filtering in the Grid  179
  Clearing a Filtered View  180
  Understanding the Search Expressions  180
  Basic Format of a Query  180
  The Operators  182
  Using Regular Expressions  184
  Traffic String Properties for Searching  184
  Using the Tilde (~) Operator  184
  Using RegExp Syntax  184
  Understanding the RegExp Syntax  185
  Regular Expressions  185
  The Traffic Viewer Proxy  187
  Using the Traffic Viewer Proxy  187
  Starting Proxy Mode  187
  Creating a New Proxy File  188
  Configuring the Proxy Listener  188
  Configuring the Proxy  188
  Configuring Client Certificates  190
  Configuring Proxy Exclusions  191
  Configuring Search and Replace  191
  Finding and Replacing Text  191
  Using Regular Expressions in Rules  192
  How Rules Are Applied  193
  Enabling a Rule  193
  Disabling a Rule  193
  Deleting a Rule  193
  Editing a Rule  194

Chapter 16: Web Discovery  195
  How It Works  195
  Discovering Sites  196
  Saving Discovered Sites  197
  Settings  198

Chapter 17: Web Form Editor  199
  Record Web Form Values  199
  Manually Add or Modify Web Form Values  201
  Import a File  202
  Shortcut Menu  203
  Scanning with a Web Form File  204
  Matching Web Form List to Input Controls  205
  Rules for Matching Web Form Values  205
  Settings: General  206
  Settings: Proxy  207
  Smart Credentials  209

Chapter 18: Web Fuzzer  210
  What is fuzzing?  210
  Accessing Web Fuzzer  210
  Understanding the Fuzzer Menu  210
  File Menu  210
  Edit Menu  211
  Session Menu  211
  Filters Menu  211
  Using Web Fuzzer  212
  Configuring the Server  213
  Using the Session Editor  213
  Creating a Session  213
  Editing a Session  213
  Configuring the Session  214
  Method Tab  214
  Path Tab  214
  Query Tab  215
  Version Tab  215
  Headers Tab  215
  Cookies Tab  216
  Post Data Tab  217
  Using the Raw Editor  217
  Understanding Fuzzer Generators  218
  Working with Filters  219
  Accessing the Filters Dialog  220
  Creating a Filter  220
  Editing a Filter  220
  Using a Filter  220
  Deleting a Filter  221
  Configuring Fuzzer Settings  221
  General Settings  221
  Proxy Settings  222
  Configuring a Proxy  223

Chapter 19: Session-based Web Macro Recorder  224
  About Macros  224
  IE Technology  224
  Login Macros  224
  Workflow Macros  225
  Accessing the Session-based Web Macro Recorder  225
  Login Macros  225
  Workflow Macros  226
  About the Session-based Web Macro Recorder Interface  226
  Toolbar  227
  Locations Pane  227
  Recording a Macro  229
  Recording a Login Macro  230
  Recording a Workflow Macro  230
  Logout Conditions Editor  231
  Adding a Logout Condition  231
  Deleting a Logout Condition  232
  Browser Settings  232
  Proxy Settings Tab  232
  Network Authentication Tab  233
  Debugging Macros  234
  Viewing Details and State for Locations in Locations Pane  234
  Playing a Step (Location)  235
  Disabling/Enabling a Step (Location) During Replay  235
  Deleting a Step (Location)  235

Chapter 20: Web Macro Recorder with Macro Engine 6.1  236
  About the Term “Sensor”  236
  About Macros  236
  TruClient Technology  236
  Web Macro Recorder Limitations  236
  Cookie Headers in Macros  237
  URLs in Macros  237
  Accessing the Web Macro Recorder with Macro Engine 6.1  237
  Login Macros in Fortify WebInspect or Fortify WebInspect Enterprise  237
  Workflow Macros in Fortify WebInspect or Fortify WebInspect Enterprise  238
  Login Macros in Fortify ScanCentral DAST  238
  Workflow Macros in Fortify ScanCentral DAST  239
  Login Macros  239
  Logout Conditions  239
  Workflow Macros  240
  Understanding the User Interface  240
  TruClient Sidebar Masthead  241
  TruClient Sidebar Toolbars  241
  Context Menu  243
  Using the Steps Box  245
  Adding a Step  245
  Marking a Step as Favorite  245
  Viewing Favorite Steps  246
  Functions Tab  246
  Flow Control Tab  247
  Miscellaneous Tab  248
  Composite Steps Tab  248
  Recording a Macro  248
  Recording a Login Macro  248
  Recording a Workflow Macro  249
  Automatic Detection of Client-side Frameworks  250
  Viewing Detected Frameworks  250
  Editing a Macro  251
  Searching the Macro  251
  Searching the Steps  251
  Going to a Specific Step Number  252
  Using the CLI  252
  Launching the CLI  252
  CLI Options  252
  Challenge-Response Authentication  253
  Multiple Challenges  253
  Groups of Challenges  254
  Recording a Macro for Challenge-Response Logins  254
  Adding Questions and Answers for Additional Challenges  256
  Recording Additional Steps  257
  Using Two-factor Authentication  257
  Technology Preview  257
  Recommendation  258
  Known Limitations  258
  Guidelines  258
  Adding a Two-factor Authentication Group Step  258
  Configuring the Wait for 2FA Step  260
  Adding Type and Click Steps  260
  Modifying the Macro Replay Level  262
  Working with Logout Conditions  263
  Logout Conditions from Earlier Web Macro Recorder Versions  263
  Accessing the Logout Condition Editor  263
  Adding a Logout Condition  264
  Editing a Logout Condition  265
  Deleting a Logout Condition  265
  Working with Actions  266
  Adding an Action to Your Macro  266
  Rearranging the Order of Actions  267
  Deleting an Action  267
  Working with Parameters  268
  Case-sensitive Parameter Names  268
  Using Username and Password Parameters  268
  Creating Parameters in Steps  268
  Creating List of Values in the Parameters Dialog  270
  Policy  271
  Using a URL Parameter  271
  Creating the Parameter in a Step  271
  Creating List of Values in the Parameters Dialog  272
  Policy  274
  Creating Parameters for Two-factor Authentication  274
  Creating a Phone Number Parameter  274
  Creating Email and Email Password Parameters  275
  Step Arguments Related to Objects  276
  Audio Role  277
  Browser Role  277
  Activate  277
  Activate Tab  277
  Close Tab  278
  Add Tab  278
  Navigate  278
  Go Back  278
  Go Forward  279
  Resize  279
  Scroll  279
  Dialog - Confirm  279
  Dialog Prompt  280
  Dialog - Authenticate  280
  Dialog - Prompt Password  280
  Verify  280
  Checkbox Role  281
  Datepicker Role  281
  Element Role  281
  Mouse Actions  281
  Drag  282
  Drag To  283
  Get Property  283
  Scroll  284
  Upload  284
  Verify  284
  Wait for Property  285
  Filebox Role  285
  Flash Object Role  286
  Focusable Role  286
  Listbox Role  286
  Multi_listbox Role  287
  Select  287
  Multi Select  287
  Radiogroup Role  288
  Slider Role  288
  Textbox Role  288
  Video Role  289
  Step Arguments not Related to Objects  289
  Evaluate JavaScript  289
  Evaluate JS on Object  289
  Catch Error  290
  For Loop  290
  Generic API Action  290
  If Block  291
  Wait  291
  Enhancing Macros  292
  Modifying Steps  292
  Inserting Loops and Loop Modifiers  292
  Inserting "For" Loops  293
  Inserting "Break" Statements  293
  Inserting "Continue" Statements  293
  Inserting If Blocks, If-else Blocks, and Exit Steps  293
  Inserting an If Block  294
  Adding an Else Condition  294
  Inserting an Exit Step  294
  Inserting Comments  294
  Inserting Catch Error Steps  295
  Verifying that an Object Exists  295
  Inserting Generic Steps  295
  Inserting a Wait Step  296
  Debugging Macros  296
  Viewing Replay Errors  297
  Running the Macro Step by Step  297
  Using Breakpoints  297
  Inserting a Breakpoint  297
  Deleting a Breakpoint  298
  Modifying Step Levels  298
  Disabling/Enabling Steps  299
  Making a Step Optional  299
  Playing a Step  299
  Playing From a Step to End of Macro  300

Resolving Object Identification Issues                           300 Highlighting an Object                                 300 Improving Object Identification                             301 Using Alternative Steps                                 301 Viewing and Selecting Alternative Steps                       302 Modifying the Object Identification Method                       303 Available Methods                                  303 Selecting the Object Identification Method                      304



Modifying the Macro Timing                               304 Relating Objects to Other Objects                             305 Tips                                          305 Replacing an Object                                    306

Configuring Settings                                    306 Accessing the TruClient General Settings                        306 Browser Settings                                    307 Interactive Options                                   310 Two-Factor Authentication                               312 Technology Preview                                 312 Two-Factor Authentication Control Center                      312 Mobile Application                                  312 Installing and Configuring the Fortify2FA Mobile App                 313


Chapter 21: Web Proxy                                      320 Using Web Proxy                                       320 Saving Sessions                                        322 Clearing Sessions                                       322 Searching a Message                                     323 Searching All Messages                                    323 Changing Options                                       324

Web Proxy Tabs                                        324 View                                             324 Split                                             324 Info                                             324 Browser                                           325

Web Proxy Interactive Mode                                325 Enabling Interactive Mode                                326

Settings                                            327 Settings: General                                      327 Proxy Listener Configuration                              327 Do Not Record                                     327 Interactive                                       328 Logging                                        328 Advanced HTTP Parsing                                328 Settings: Proxy Servers                                  328



Adding a Proxy Server                                329 Importing a Proxy Server                               329 Editing Proxy Servers                                 329 Removing a Proxy Server                               330 Bypassing Proxy Servers                               330 Deleting an Address                                  330 Settings: Search-and-Replace                               331 Finding and Replacing Text                              331 Deleting a Rule                                    331 Editing a Rule                                     332 Deactivating a Rule                                  332 Settings: Flag                                       332 Settings: Evasions                                    332 Settings: Network Authentication                             335

Create a Web Macro                                     336 Client Certificates                                      337 Regular Expressions                                     337

Regular Expression Extensions                                339 Regular Expression Tags                                 339 Regular Expression Operators                               339 Examples                                         339

Manual Configuration of Browser                             340


Chapter 22: Web Service Test Designer                             341 Manually Adding Services                                  347 Global Values Editor                                     348 Using Autovalues                                      348 Importing and Exporting Operations                             349 Testing Your Design                                     350 Settings                                           352 Network Proxy                                        353

Network Authentication                                   354 Using a Client Certificate                                 354

WS Security                                         355 Web Service Settings                                   355



WS-Security Tab                                   356 WS Addressing                                    357 WCF Service (CustomBinding) Settings                          357 WCF Service (Federation) Settings                            358 Server                                         358 Security                                        358 Identities                                       358 STS (Security Token Service) Details                         358 WCF Service (WSHttpBinding) Settings                          359 Advanced Security Settings                                360 Encoding Tab                                     361 Advanced Standards Tab                               361 Security Tab                                     361 HTTP & Proxy Tab                                  362


Send Documentation Feedback                               363

Preface

Contacting Micro Focus Fortify Customer Support

Visit the Support website to: