Software Version: 21.2.0
Windows® operating systems
Document Release Date: November 2021
Software Release Date: November 2021
Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2004-2021 Micro Focus or one of its affiliates
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number
Document Release Date, which changes each time the document is updated
Software Release Date, which indicates the release date of this version of the software
This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support/documentation
About this PDF Version of Online Help
This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can be successfully printed from within the online help.
Preface 22
  Contacting Micro Focus Fortify Customer Support 22
  For More Information 22
  About the Documentation Set 22
  Fortify Product Feature Videos 22
Chapter 1: Welcome to Micro Focus Fortify WebInspect Tools 26
  About Fortify WebInspect Tools 26
  Using Tools with a Proxy 26
  Related Documents 26
  All Products 27
  Micro Focus Fortify ScanCentral DAST 27
  Micro Focus Fortify WebInspect 28
  Micro Focus Fortify WebInspect Enterprise 29
Chapter 2: Audit Inputs Editor 31
  Check Inputs 31
  Engine Inputs 32
Chapter 3: Compliance Manager (Fortify WebInspect Only) 35
  How It Works 35
  Creating a Compliance Template 36
  Usage Notes 41
  General Text Searching Group 41
  Threat Classes 41
Chapter 4: Encoders/Decoders 42
  Encoding a String 42
  Decoding a String 43
  Manipulating Encoded Strings 43
  Encoding Types 44
Chapter 5: HTTP Editor 46
  Request Viewer 46
  Response Viewer 47
  HTTP Editor Menus 47
  Help Menu 48
  Request Actions 48
  Response Actions 50
  Editing and Sending a Request 51
  Searching the Request or Response 52
  Settings 53
  Options Tab 53
  Authentication Tab 56
  Proxy Tab 56
  Regular Expression Extensions 58
  Regular Expression Tags 58
  Regular Expression Operators 59
  Examples 59
Chapter 6: Log Viewer (Fortify WebInspect Only) 60
Chapter 7: Policy Manager 61
  Views 61
  Creating or Editing a Policy 64
  Creating a Custom Check 65
  Searching for Specific Agents 74
  Using a Custom Agent 75
  Methodologies 75
  Parameter Manipulation 76
  Parameter Overflow 78
  Parameter Addition 78
  Site Search 80
  Application Mapping 81
  Web Server Assessment 81
  Content Investigation 82
  Brute Force Authentication Attacks 83
  Known Attacks 84
  Policies 84
  Best Practices 84
  By Type 86
  Custom 87
  Hazardous 87
  Deprecated Checks and Policies 88
  Policy Manager Icons 89
  Audit Engines 90
  Audit Options 93
  General Application Testing 93
  Third-Party Web Applications 93
  Web Frameworks/Languages 93
  Web Servers 93
  Custom Agents 94
  Custom Checks 94
  Regular Expressions 94
  Regular Expression Extensions 96
  Regular Expression Tags 96
  Regular Expression Operators 96
  Examples 96
Chapter 8: Regular Expression Editor 98
  Testing a Regular Expression 98
  Regular Expressions 99
  Regular Expression Extensions 101
  Regular Expression Tags 101
  Regular Expression Operators 101
  Examples 101
Chapter 9: Server Analyzer (Fortify WebInspect Only) 103
  Analyzing a Server 103
  Modifying Settings 104
  Exporting Analyzer Results 104
  Authentication Settings 104
  Authentication Method 104
  Authentication Credentials 105
  Proxy Settings 105
  Direct Connection (proxy disabled) 105
  Auto detect proxy settings 105
  Use System Proxy Settings 105
  Use Firefox proxy settings 105
  Configure proxy using a PAC file 105
  Explicitly configure proxy 106
  Specify Alternative Proxy for HTTPS 106
Chapter 10: Server Profiler 107
  Using the Server Profiler 107
Chapter 11: Site Explorer 109
  Viewing ScanCentral DAST Scans 109
  Limitations of Site Explorer 109
  Technology Preview 109
  Scan Tiles 109
  ScanCentral DAST Scans 110
  Information on the Scan Tile 110
  Real-time Updates 111
  How Scan Tiles Are Grouped 111
  Showing and Hiding a Group of Scan Tiles 111
  Searching for Scans 111
  Clearing the Search 112
  Deleting a Scan 112
  Scan Conversion 112
  What Happens During Conversion 112
  Effect of Updates on Converted Scans 113
  Converting a Scan 113
  Files are Not Synced 113
  Enabling Fortify WebInspect to Create Data for Site Explorer 113
  Importing and Exporting Scans 114
  About the Scan Files 114
  Importing Scans 114
  Exporting Scans 115
  Using the Interface 115
  Viewing a Scan 115
  Real-time Updates 116
  Using the Site Tree 116
  Hiding the Site Tree 116
  Showing the Site Tree 117
  Off-site Hosts Node 117
  Site Tree Icons 117
  Viewing Traffic for a Resource 118
  Viewing Only Host Names 118
  Filtering for Selected Hosts 118
  Viewing All Host Names 118
  Customizing Grid Views 118
  Resizing Columns 119
  Repositioning Columns 119
  Adding/Removing Columns 119
  Customizing Detail Views 120
  Changing the Layout 120
  Changing the Color Theme 120
  Hiding and Showing HTTP Detail Views 120
  Floating, Moving, and Docking 121
  Floating and Moving the Site Tree 121
  Floating a Grid View 121
  Floating a Detail View 121
  Moving a Tab 122
  Docking Windows 122
  Understanding the Docking Positions 123
  Cloning Tab Contents 124
  Working with Traffic and Findings 124
  Exploring Scan Findings 124
  About the Findings Tab 124
  Available Columns 125
  Viewing the Vulnerability Description 125
  Filtering in the Findings Grid 125
  Exporting Findings 126
  Viewing the Evidence 127
  Identifying the Vulnerability or Attack String 127
  Exploring Traffic 128
  Viewing Traffic for a Resource 128
  Using the Breadcrumbs 128
  Using Text Search 129
  Text Search Columns 129
  Searching in the Text Search Grid 129
  Working with Responses in the Text Search 129
  Viewing Related Traffic for a Session 130
  Viewing Related Text for a Session 130
  Working with Sessions 131
  Viewing the HTTP Detail 131
  Wrapping Text 131
  Decoding Percent-encoded Characters 131
  Viewing a Session in the Browser 132
  Expanding Compressed Content 132
  Working with Parameters 132
  Understanding Parameters 133
  Viewing Parameter Details 133
  Adding Parameter Columns to Traffic Grid 133
  Drilling Down Into Traffic Data 134
  What is Related Traffic? 134
  Viewing Traffic for a Resource 134
  Viewing Related Traffic for a Session 134
  Viewing Related Text for a Session 135
  Working with Stacked Grids 135
  Viewing and Closing Stacked Grids 136
  Searching and Filtering 136
  Searching in Grid Views 136
  Searching in Non-grid Views 137
  Clearing the Search 137
  Sorting in the Grid 137
  Filtering in the Grid 137
  Rules for Filtering in the Grid 138
  Clearing a Filtered View 139
  Understanding the Search Expressions 139
  Basic Format of a Search Query 139
  The Search and Filter Operators 141
  Using Regular Expressions 143
  Traffic String Properties for Searching 143
  Text Search String Properties 143
  Using the Tilde (~) Operator 143
  Using RegExp Syntax 144
  Understanding the RegExp Syntax 144
  Regular Expressions 145
Chapter 12: SmartUpdate 147
  Performing a SmartUpdate (Internet Connected) 147
  Downloading Checks without Updating Fortify WebInspect 148
  Performing a SmartUpdate (Offline) 148
Chapter 13: SQL Injector (Fortify WebInspect Only) 150
  SQL Injector Tabs 153
  Request Pane 153
  Database Pane 154
  Information Pane 154
  SQL Injector Settings 154
  Options Tab 154
  Authentication Tab 156
  Proxy Tab 156
Chapter 14: SWFScan (Fortify WebInspect Only) 158
  How It Works 158
  Vulnerability Detection 158
  ActionScript 3 Vulnerabilities Detected by SWFScan 158
  ActionScript 1 and 2 Vulnerabilities Detected by SWFScan 159
  Analyzing Flash Files 159
  Using SWFScan as a Standalone Tool 159
  Using SWFScan in Fortify WebInspect 160
  Examining Results 161
  Searching Source Code 161
  Configuring SWFScan Settings 162
  AS2 Exclusions 162
  AS3 Exclusions 163
  Proxy 163
  Checks 164
  Sorting the Checks 164
  Enabling/Disabling Checks 164
Chapter 15: Traffic Viewer 165
  Option Must be Enabled 165
  Proxy Server 165
  Enabling Traffic Monitor 166
  Enabling the Traffic Monitor for All Scans 166
  Enabling the Traffic Monitor for Individual Scans 166
  Launching the Traffic Viewer 166
  From an Open Scan 167
  As a Stand-alone Tool 167
  Using the Interface 167
  Using the Site Tree 167
  Site Tree Icons 167
  Viewing Traffic for a Resource 168
  Viewing Only Host Names 168
  Filtering for Selected Hosts 168
  Viewing All Host Names 168
  Customizing Grid Views 169
  Resizing Columns 169
  Repositioning Columns 169
  Adding/Removing Columns 170
  Customizing Detail Views 170
  Changing the Layout 170
  Changing the Color Theme 170
  Hiding and Showing HTTP Detail Views 171
  Resizing, Collapsing, and Expanding UI Elements 171
  Resizing an Element 171
  Collapsing an Element 171
  Expanding an Element 172
  Using Auto Scroll 172
  Enabling Auto Scroll 172
  Disabling Auto Scroll 172
  Working with Traffic 172
  Exploring Traffic 172
  Viewing Traffic for a Resource 172
  Using the Breadcrumbs 173
  Working with Sessions 173
  Viewing the HTTP Detail 173
  Wrapping Text 174
  Decoding Percent-encoded Characters 174
  Resending a Request 174
  Viewing a Session in the Browser 174
  Expanding Compressed Content 175
  Working with Parameters 175
  Understanding Parameters 175
  Viewing Parameter Details 175
  Adding Parameter Columns to Traffic Grid 176
  Drilling Down Into Traffic Data 176
  Viewing Traffic for a Resource 176
  Viewing Related Traffic for a Session 176
  Working with Stacked Grids 177
  Viewing and Closing Stacked Grids 177
  Searching and Filtering 177
  Searching in Grid Views 178
  Searching in Non-grid Views 178
  Clearing the Search 178
  Sorting in the Grid 179
  Filtering in the Grid 179
  Rules for Filtering in the Grid 179
  Clearing a Filtered View 180
  Understanding the Search Expressions 180
  Basic Format of a Query 180
  The Operators 182
  Using Regular Expressions 184
  Traffic String Properties for Searching 184
  Using the Tilde (~) Operator 184
  Using RegExp Syntax 184
  Understanding the RegExp Syntax 185
  Regular Expressions 185
  The Traffic Viewer Proxy 187
  Using the Traffic Viewer Proxy 187
  Starting Proxy Mode 187
  Creating a New Proxy File 188
  Configuring the Proxy Listener 188
  Configuring the Proxy 188
  Configuring Client Certificates 190
  Configuring Proxy Exclusions 191
  Configuring Search and Replace 191
  Finding and Replacing Text 191
  Using Regular Expressions in Rules 192
  How Rules Are Applied 193
  Enabling a Rule 193
  Disabling a Rule 193
  Deleting a Rule 193
  Editing a Rule 194
Chapter 16: Web Discovery 195
  How It Works 195
  Discovering Sites 196
  Saving Discovered Sites 197
  Settings 198
Chapter 17: Web Form Editor 199
  Record Web Form Values 199
  Manually Add or Modify Web Form Values 201
  Import a File 202
  Shortcut Menu 203
  Scanning with a Web Form File 204
  Matching Web Form List to Input Controls 205
  Rules for Matching Web Form Values 205
  Settings: Proxy 207
  Smart Credentials 209
Chapter 18: Web Fuzzer 210
  What is fuzzing? 210
  Accessing Web Fuzzer 210
  Understanding the Fuzzer Menu 210
  File Menu 210
  Edit Menu 211
  Session Menu 211
  Filters Menu 211
  Using Web Fuzzer 212
  Configuring the Server 213
  Using the Session Editor 213
  Creating a Session 213
  Editing a Session 213
  Configuring the Session 214
  Method Tab 214
  Path Tab 214
  Query Tab 215
  Version Tab 215
  Headers Tab 215
  Cookies Tab 216
  Post Data Tab 217
  Using the Raw Editor 217
  Understanding Fuzzer Generators 218
  Working with Filters 219
  Accessing the Filters Dialog 220
  Creating a Filter 220
  Editing a Filter 220
  Using a Filter 220
  Deleting a Filter 221
  Configuring Fuzzer Settings 221
  General Settings 221
  Proxy Settings 222
  Configuring a Proxy 223
Chapter 19: Session-based Web Macro Recorder 224
  About Macros 224
  IE Technology 224
  Login Macros 224
  Workflow Macros 225
  Accessing the Session-based Web Macro Recorder 225
  Login Macros 225
  Workflow Macros 226
  About the Session-based Web Macro Recorder Interface 226
  Toolbar 227
  Locations Pane 227
  Recording a Macro 229
  Recording a Login Macro 230
  Recording a Workflow Macro 230
  Logout Conditions Editor 231
  Adding a Logout Condition 231
  Deleting a Logout Condition 232
  Browser Settings 232
  Proxy Settings Tab 232
  Network Authentication Tab 233
  Debugging Macros 234
  Viewing Details and State for Locations in Locations Pane 234
  Playing a Step (Location) 235
  Disabling/Enabling a Step (Location) During Replay 235
  Deleting a Step (Location) 235
Chapter 20: Web Macro Recorder with Macro Engine 6.1 236
  About the Term “Sensor” 236
  About Macros 236
  TruClient Technology 236
  Web Macro Recorder Limitations 236
  Cookie Headers in Macros 237
  URLs in Macros 237
  Accessing the Web Macro Recorder with Macro Engine 6.1 237
  Login Macros in Fortify WebInspect or Fortify WebInspect Enterprise 237
  Workflow Macros in Fortify WebInspect or Fortify WebInspect Enterprise 238
  Login Macros in Fortify ScanCentral DAST 238
  Workflow Macros in Fortify ScanCentral DAST 239
  Login Macros 239
  Logout Conditions 239
  Understanding the User Interface 240
  TruClient Sidebar Masthead 241
  TruClient Sidebar Toolbars 241
  Context Menu 243
  Using the Steps Box 245
  Adding a Step 245
  Marking a Step as Favorite 245
  Viewing Favorite Steps 246
  Functions Tab 246
  Flow Control Tab 247
  Miscellaneous Tab 248
  Composite Steps Tab 248
  Recording a Macro 248
  Recording a Login Macro 248
  Recording a Workflow Macro 249
  Automatic Detection of Client-side Frameworks 250
  Viewing Detected Frameworks 250
  Searching the Macro 251
  Searching the Steps 251
  Going to a Specific Step Number 252
  Using the CLI 252
  Launching the CLI 252
  CLI Options 252
  Challenge-Response Authentication 253
  Multiple Challenges 253
  Groups of Challenges 254
  Recording a Macro for Challenge-Response Logins 254
  Adding Questions and Answers for Additional Challenges 256
  Recording Additional Steps 257
  Using Two-factor Authentication 257
  Technology Preview 257
  Recommendation 258
  Known Limitations 258
  Guidelines 258
  Adding a Two-factor Authentication Group Step 258
  Configuring the Wait for 2FA Step 260
  Adding Type and Click Steps 260
  Modifying the Macro Replay Level 262
  Working with Logout Conditions 263
  Logout Conditions from Earlier Web Macro Recorder Versions 263
  Accessing the Logout Condition Editor 263
  Adding a Logout Condition 264
  Editing a Logout Condition 265
  Deleting a Logout Condition 265
  Working with Actions 266
  Adding an Action to Your Macro 266
  Rearranging the Order of Actions 267
  Deleting an Action 267
  Working with Parameters 268
  Case-sensitive Parameter Names 268
  Using Username and Password Parameters 268
  Creating Parameters in Steps 268
  Creating List of Values in the Parameters Dialog 270
  Policy 271
  Using a URL Parameter 271
  Creating the Parameter in a Step 271
  Creating List of Values in the Parameters Dialog 272
  Policy 274
  Creating Parameters for Two-factor Authentication 274
  Creating a Phone Number Parameter 274
  Creating Email and Email Password Parameters 275
  Step Arguments Related to Objects 276
  Audio Role 277
  Browser Role 277
  Activate 277
  Activate Tab 277
  Close Tab 278
  Add Tab 278
  Navigate 278
  Go Back 278
  Go Forward 279
  Resize 279
  Scroll 279
  Dialog - Confirm 279
  Dialog Prompt 280
  Dialog - Authenticate 280
  Dialog - Prompt Password 280
  Verify 280
  Checkbox Role 281
  Datepicker Role 281
  Element Role 281
  Mouse Actions 281
  Drag 282
  Drag To 283
  Get Property 283
  Scroll 284
  Upload 284
  Verify 284
  Wait for Property 285
  Filebox Role 285
  Flash Object Role 286
  Focusable Role 286
  Listbox Role 286
  Multi_listbox Role 287
  Select 287
  Multi Select 287
  Radiogroup Role 288
  Slider Role 288
  Textbox Role 288
  Video Role 289
  Step Arguments not Related to Objects 289
  Evaluate JavaScript 289
  Evaluate JS on Object 289
  Catch Error 290
  For Loop 290
  Generic API Action 290
  If Block 291
  Wait 291
  Enhancing Macros 292
  Modifying Steps 292
  Inserting Loops and Loop Modifiers 292
  Inserting "For" Loops 293
  Inserting "Break" Statements 293
  Inserting "Continue" Statements 293
  Inserting If Blocks, If-else Blocks, and Exit Steps 293
  Inserting an If Block 294
  Adding an Else Condition 294
  Inserting an Exit Step 294
  Inserting Comments 294
  Inserting Catch Error Steps 295
  Verifying that an Object Exists 295
  Inserting Generic Steps 295
  Inserting a Wait Step 296
  Debugging Macros 296
  Viewing Replay Errors 297
  Running the Macro Step by Step 297
  Using Breakpoints 297
  Inserting a Breakpoint 297
  Deleting a Breakpoint 298
  Modifying Step Levels 298
  Disabling/Enabling Steps 299
  Making a Step Optional 299
  Playing a Step 299
  Playing From a Step to End of Macro 300
  Resolving Object Identification Issues 300
  Highlighting an Object 300
  Improving Object Identification 301
  Using Alternative Steps 301
  Viewing and Selecting Alternative Steps 302
  Modifying the Object Identification Method 303
  Available Methods 303
  Selecting the Object Identification Method 304
  Modifying the Macro Timing 304
  Relating Objects to Other Objects 305
  Tips 305
  Replacing an Object 306
  Configuring Settings 306
  Accessing the TruClient General Settings 306
  Browser Settings 307
  Interactive Options 310
  Two-Factor Authentication 312
  Technology Preview 312
  Two-Factor Authentication Control Center 312
  Mobile Application 312
  Installing and Configuring the Fortify2FA Mobile App 313
Chapter 21: Web Proxy 320
  Using Web Proxy 320
  Saving Sessions 322
  Clearing Sessions 322
  Searching a Message 323
  Searching All Messages 323
  Changing Options 324
  Web Proxy Tabs 324
  View 324
  Split 324
  Info 324
  Browser 325
  Web Proxy Interactive Mode 325
  Enabling Interactive Mode 326
  Settings 327
  Settings: General 327
  Proxy Listener Configuration 327
  Do Not Record 327
  Interactive 328
  Logging 328
  Advanced HTTP Parsing 328
  Settings: Proxy Servers 328
  Adding a Proxy Server 329
  Importing a Proxy Server 329
  Editing Proxy Servers 329
  Removing a Proxy Server 330
  Bypassing Proxy Servers 330
  Deleting an Address 330
  Settings: Search-and-Replace 331
  Finding and Replacing Text 331
  Deleting a Rule 331
  Editing a Rule 332
  Deactivating a Rule 332
  Settings: Flag 332
  Settings: Evasions 332
  Settings: Network Authentication 335
  Create a Web Macro 336
  Client Certificates 337
  Regular Expressions 337
  Regular Expression Extensions 339
  Regular Expression Tags 339
  Regular Expression Operators 339
  Examples 339
  Manual Configuration of Browser 340
Chapter 22: Web Service Test Designer 341
  Manually Adding Services 347
  Global Values Editor 348
  Using Autovalues 348
  Importing and Exporting Operations 349
  Testing Your Design 350
  Settings 352
  Network Proxy 353
  Network Authentication 354
  Using a Client Certificate 354
  WS Security 355
  Web Service Settings 355
  WS-Security Tab 356
  WS Addressing 357
  WCF Service (CustomBinding) Settings 357
  WCF Service (Federation) Settings 358
  Server 358
  Security 358
  Identities 358
  STS (Security Token Service) Details 358
  WCF Service (WSHttpBinding) Settings 359
  Advanced Security Settings 360
  Encoding Tab 361
  Advanced Standards Tab 361
  Security Tab 361
  HTTP & Proxy Tab 362
Send Documentation Feedback 363
Preface
Contacting Micro Focus Fortify Customer Support
Visit the Support website to:
Manage licenses and entitlements
Create and manage technical assistance requests
Browse documentation and knowledge articles
Download software
Explore the Community
https://www.microfocus.com/support
For More Information
For more information about Fortify software products:
https://www.microfocus.com/cyberres/application-security
About the Documentation Set
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product Announcements on the Micro Focus Community:
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements
Fortify Product Feature Videos
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube channel:
https://www.youtube.com/c/FortifyUnplugged
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.
Software Release / Document Version | Changes

21.2.0
Added / Updated:
  Two-factor authentication steps. See "Using the Steps Box" on page 245.

21.1.0
Added / Updated:
  Chapter documenting Web Fuzzer. See "Web Fuzzer" on page 210.
  Procedures for using two-factor authentication in login macros. See "Using Two-factor Authentication" on page 257 and "Creating Parameters for Two-factor Authentication" on page 274.
  Viewing ScanCentral DAST scans in Site Explorer. See "Site Explorer" on page 109.
  Content for Web Macro Recorder with Macro Engine 6.1:
    Functions tab and Flow Control tab with steps with Wait for 2FA and
    Content related to settings with details for configuring a server and a mobile application for two-factor authentication. See "Configuring Settings" on page 306.
  Logout conditions content with workaround for logout conditions from earlier Web Macro Recorder versions. See "Working with Logout Conditions" on page 263.
  Chapter documenting Site Explorer. See "Site Explorer" on page 109.
  Procedures for using the search feature in Web Macro Recorder with Macro Engine 6.0. See "Understanding the User Interface" on page 240 and "Searching the Macro" on page 251.
  Content for Policy Manager:
Removed:

20.2.0
Added / Updated:
  List of audit engines to include Hacker Level Insights and WAF Detection. See "Audit Engines" on page 90.
  List of policies with description of the NIST-SP80053R5 policy. See "Policies" on page 84.
  Content for Web Macro Recorder with Macro Engine 6.0:
    Icons and UI elements in multiple topics. For an overview, see "Understanding the User Interface" on page 240.
    Toolbox references and replaced with Steps box. See "Using the Steps Box" on page 245 and "Recording a Macro for Challenge-Response Logins" on page 254.
    Procedures for using parameters with new masking feature. See "Using Username and Password Parameters" on page 268.
    Browser settings with updated HTTP Header setting. See "Configuring Settings" on page 306.
    Procedure for viewing snapshots from Macro Recorder with Macro Engine 6.0 content.
  List of policies with description of the API, CWE Top 25, and OWASP Application Security Verification Standard (ASVS) policies. See "Policies" on page 84.
  Topic describing new feature for automatically detecting client-side frameworks in applications. See "Automatic Detection of Client-side Frameworks" on page 250.
  Description of use of the term "sensor" in Web Macro Recorder with Macro Engine 5.x content. See "About the Term “Sensor”" on page 236.
  Description for Network Authentication settings for WebProxy tool. See "Settings: Network Authentication" on page 335.
  Ways to open Web Macro Recorder with Macro Engine 5.x to include Fortify ScanCentral DAST.

20.1.0
Updated:
  List of policies with description of the PCI Software Security Framework 1.0 policy. See "Policies" on page 84.
  Streamlined procedures for creating and editing parameters in macros. See "Using Username and Password Parameters" on page 268 and "Using a URL Parameter" on page 271.
  Renamed "Web Macro Recorder with Macro Engine 4.0" to "Session-based Web Macro Recorder." Revised and reworked multiple topics after removing TruClient-related content.
  Ways to access the Session-based Web Macro Recorder.
  Ways to access the Web Macro Recorder with Macro Engine 5.0.
  Web Macro Recorder with Macro Engine 5.0 settings and recording topics to document new setting to force the last step in a login macro to be a validation step. See "Configuring Settings" on page 306 and "Recording a Macro" on page 248.
Chapter 1: Welcome to Micro Focus Fortify WebInspect Tools
About Fortify WebInspect Tools
Fortify WebInspect Tools is a robust set of diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Micro Focus Fortify WebInspect Enterprise.
The tools provided in Fortify WebInspect Enterprise are a subset of the tools provided in Fortify WebInspect. The chapters in this guide that describe tools that are provided in Fortify WebInspect but not in Fortify WebInspect Enterprise have titles that end with “(Fortify WebInspect Only).”
Using Tools with a Proxy
When using tools that incorporate a proxy, you may encounter servers that do not ask for a client certificate even though a client certificate is required. To accommodate this situation, you must edit the SPI.Net.Proxy.Config file.
Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.
All Products
The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.
Document / File Name | Description |
About Micro Focus Fortify Product Software Documentation About_Fortify_Docs_<version>.pdf | This paper provides information about how to access Micro Focus Fortify product documentation. Note: This document is included only with the product download. |
Micro Focus Fortify License and Infrastructure Manager Installation and Usage Guide LIM_Guide_<version>.pdf | This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform. |
Micro Focus Fortify Software System Requirements Fortify_Sys_Reqs_<version>.pdf | This document provides the details about the environments and products supported for this version of Fortify Software. |
Micro Focus Fortify Software Release Notes FortifySW_RN_<version>.pdf | This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation. |
What’s New in Micro Focus Fortify Software <version> Fortify_Whats_New_<version>.pdf | This document describes the new features in Fortify Software products. |
Micro Focus Fortify ScanCentral DAST
The following document provides information about Fortify ScanCentral DAST. Unless otherwise noted, it is available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-ScanCentral-DAST.
Document / File Name | Description |
Micro Focus Fortify ScanCentral DAST Configuration and Usage Guide SC_DAST_Guide_<version>.pdf | This document provides information about how to configure and use Fortify ScanCentral DAST to conduct dynamic scans of Web applications. |
Micro Focus Fortify WebInspect
The following documents provide information about Fortify WebInspect. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-webinspect.
Document / File Name | Description |
Micro Focus Fortify WebInspect Installation Guide WI_Install_<version>.pdf | This document provides an overview of Fortify WebInspect and instructions for installing Fortify WebInspect and activating the product license. |
Micro Focus Fortify WebInspect User Guide WI_Guide_<version>.pdf | This document describes how to configure and use Fortify WebInspect to scan and analyze Web applications and Web services. Note: This document is a PDF version of the Fortify WebInspect help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version. |
Micro Focus Fortify WebInspect on Docker User Guide WI_Docker_Guide_<version>.pdf | This document describes how to download, configure, and use Fortify WebInspect that is available as a container image on the Docker platform. This full version of the product is intended to be used in automated processes as a headless sensor configured by way of the command line interface (CLI) or the application programming interface (API). It can also be run as a Fortify ScanCentral DAST sensor and used in conjunction with Fortify Software Security Center. |
Micro Focus Fortify WebInspect Tools Guide WI_Tools_Guide_<version>.pdf | This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise. |
Micro Focus Fortify WebInspect Agent Installation Guide WI_Agent_Install_<version>.pdf | This document describes how to install the Fortify WebInspect Agent for applications running under a supported Java Runtime Environment (JRE) on a supported application server or service and applications running under a supported .NET Framework on a supported version of IIS. |
Micro Focus Fortify WebInspect Agent Rulepack Kit Guide WI_Agent_Rulepack_Guide_<version>.pdf | This document describes the detection capabilities of Fortify WebInspect Agent Rulepack Kit. Fortify WebInspect Agent Rulepack Kit runs atop the Fortify WebInspect Agent, allowing it to monitor your code for software security vulnerabilities as it runs. Fortify WebInspect Agent Rulepack Kit provides the runtime technology to help connect your dynamic results to your static ones. |
Micro Focus Fortify WebInspect Enterprise
The following documents provide information about Fortify WebInspect Enterprise. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-webinspect-enterprise.
Document / File Name | Description |
Micro Focus Fortify WebInspect Enterprise Installation and Implementation Guide WIE_Install_<version>.pdf | This document provides an overview of Fortify WebInspect Enterprise and instructions for installing Fortify WebInspect Enterprise, integrating it with Fortify Software Security Center and Fortify WebInspect, and troubleshooting the installation. It also describes how to configure the components of the Fortify WebInspect Enterprise system, which include the Fortify WebInspect Enterprise application, database, sensors, and users. |
Micro Focus Fortify WebInspect Enterprise User Guide WIE_Guide_<version>.pdf | This document describes how to use Fortify WebInspect Enterprise to manage a distributed network of Fortify WebInspect sensors to scan and analyze Web applications and Web services. Note: This document is a PDF version of the Fortify WebInspect Enterprise help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version. |
Micro Focus Fortify WebInspect Tools Guide WI_Tools_Guide_<version>.pdf | This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise. |
Chapter 2: Audit Inputs Editor
This tool allows you to create or edit inputs to the audit engines and to a distinct set of checks. There are two ways to access the Audit Inputs Editor:
From the Policy Manager (using the Policy Manager Tools menu). Use this method to create or modify an inputs file (<filename>.inputs). You can then specify this file when modifying scan settings.
To modify an inputs file, click the Open icon on the Audit Input Editor's toolbar or select File > Open.
From the Default or Current Settings, by clicking the Audit Inputs Editor button on the Attack Exclusions settings. Using this method, you can modify the Default settings file directly, but you cannot create a separate inputs file.
If you access the Audit Inputs Editor from Default Settings or Current Settings, the check inputs you create or modify become part of the settings file.
However, if you access the Audit Inputs Editor from the Policy Manager, you must import into Fortify WebInspect the saved file containing your check input modifications, as follows:
On the Fortify WebInspect menu bar, click Edit > Default Settings.
Under Audit Settings, select Attack Exclusions.
Click Import Audit Inputs.
Select the file you created (*.inputs) and click Open.
When accessed through the Current Settings window or the Default Settings window, Attack Exclusions panel, the Audit Inputs Editor does not contain a menu bar or toolbar.
Certain checks require inputs that accommodate the specific design of the target website. Fortify WebInspect conducts these checks using default values, which you may need to change.
To create or modify inputs for specific checks:
Click the Check Inputs tab.
Select a check from the list.
The inputs for the selected check appear on the right.
Enter the requested input values.
Do one of the following:
If you launched the Audit Inputs Editor from the Default Settings or Current Settings, click OK.
If you launched the Audit Inputs Editor from the Policy Manager, click File > Save or File > Save As.
To create or modify inputs to audit engines:
Click the Engine Inputs tab.
Click the drop-down arrow.
To apply your modifications to all audit engines, select <Default>. The Default parameters are extracted from the default Fortify WebInspect Audit Settings - Attack Exclusions.
To modify inputs for a specific audit engine, select one from the list.
Select an engine input.
If you selected one of the following:
Excluded Query Parameters
Excluded Post Parameters
Excluded Cookies
Excluded Headers
Root Directories
then do the following:
To add an item to the list, click Add.
To edit an item, select an item and click Edit.
To delete an item, select the item and click Remove.
If you selected a specific engine (rather than Defaults), select one of the following options:
Note: If you specify a Root Directory, then the engine will attack the object in the directory you specify, rather than the actual root. For example, if an engine normally attacks filename.txt in the default root directory rootdir (/rootdir/filename.txt), then if you specify a root directory of /foobar/, the engine will attack /foobar/filename.txt.
If you selected one of the following:
Header Audit Rules
Cookie Audit Rules
then do the following:
Clear the Use value from defaults check box.
Select an option from the drop-down list. Options are as follows:
For example, if the parent session request sets the following cookie with JSESSIONID:
GET /auth/link.page; HTTP/1.1
Referer: http://zero.webappsecurity.com/auth/security-check.html
… Cookie:
CustomCookie=WebInspect83644ZX632F0EE21C7249358BE159C67CEE9085YCE5 1;
JSESSIONID=2DC913EA;username=username;password=password
And the child session includes the inherited cookie:
GET /auth/link.page HTTP/1.1
Referer: http://zero.webappsecurity.com/auth/link.page;
… Cookie:
CustomCookie=WebInspect83644ZX632F0EE21C7249358BE159C67CEE9085YCE5 1;
JSESSIONID=2DC913EA;username=username;password=password
Then the cookie will be attacked in the child session.
A child session might have multiple cookies, but only the one that was set in the parent session will be attacked.
Click OK if you launched the Audit Inputs Editor from Default or Current Settings, or click File > Save or File > Save As if you launched the Audit Inputs Editor from the Policy Manager.
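The inherited-cookie rule described above, as an added illustration that is not part of the Fortify documentation or product code: two constructed requests (modelled on the parent/child pair shown, with a placeholder CustomCookie value) are parsed and only cookies carried unchanged from the parent into the child are reported as audit candidates. It assumes, for the purpose of the example, that "set in the parent session" means present in the parent request's Cookie header.

```python
# Constructed sample requests, not captured traffic; the CustomCookie
# value is a placeholder standing in for the WebInspect-generated one.
PARENT_REQUEST = (
    "GET /auth/link.page HTTP/1.1\r\n"
    "Host: zero.webappsecurity.com\r\n"
    "Referer: http://zero.webappsecurity.com/auth/security-check.html\r\n"
    "Cookie: CustomCookie=WebInspectPLACEHOLDER; JSESSIONID=2DC913EA; "
    "username=username; password=password\r\n\r\n"
)
CHILD_REQUEST = (
    "GET /auth/link.page HTTP/1.1\r\n"
    "Host: zero.webappsecurity.com\r\n"
    "Referer: http://zero.webappsecurity.com/auth/link.page\r\n"
    "Cookie: CustomCookie=WebInspectPLACEHOLDER; JSESSIONID=2DC913EA; "
    "username=username; password=password; theme=dark\r\n\r\n"
)


def parse_cookie_header(request: str) -> dict:
    """Return {name: value} from every Cookie header of a raw HTTP request.

    Only the header block is inspected (the request line is skipped). A
    cookie value may itself contain '=', so each pair is split once only.
    """
    header_block = request.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in header_block.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            cname, _, cvalue = pair.partition("=")
            cookies[cname.strip()] = cvalue.strip()
    return cookies


def inherited_cookies(parent: str, child: str) -> list:
    """Names of cookies the child session inherited unchanged from the parent.

    Mirrors the rule stated in the text: a cookie is attacked in the child
    session only when the parent session carried it and the child presents
    the same name and value. Cookies that appear only in the child
    ('theme' in the sample) are left alone.
    """
    parent_cookies = parse_cookie_header(parent)
    child_cookies = parse_cookie_header(child)
    return sorted(
        name for name, value in parent_cookies.items()
        if child_cookies.get(name) == value
    )
```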
Chapter 3: Compliance Manager (Fortify WebInspect Only)
Fortify WebInspect employs an extensive arsenal of attack agents designed to detect security flaws in web-based applications. It probes your system with thousands of HTTP requests and evaluates each individual response. This session-based assessment reports each vulnerability, pinpoints its location in the application, and recommends corrective actions you should take. It is, basically, a quantitative analysis of your system.
Fortify WebInspect can also perform a qualitative analysis by grading how well your application complies with certain government-mandated regulations or corporate-defined guidelines. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers using web-based applications to provide "procedures for creating, changing, and safeguarding passwords." With Fortify WebInspect, you can assess your application and then generate a Compliance Report that measures how well your application satisfies this HIPAA rule.
You create a compliance template that associates requirements with one or more attack agents or vulnerabilities. For example, you might include the statement (or question) "The application will not use any 'hidden' fields." The attack agent that tests for compliance to this requirement is Hidden Form Value, ID #4727 (which is one of the agents in the "General Text Searching Group" on page 41).
Compliance templates are completely flexible. You can enable or disable individual requirements. You can also modify requirements by adding or removing attack agents or "Threat Classes" on page 41.
For maximum flexibility, you can even create your own agents and associate them with a user-defined requirement.
Fortify WebInspect includes sample compliance templates that you can edit to fit your company's specific requirements.
For step-by-step instructions for creating a policy, see "Creating a Compliance Template" on the next page.
To test your website for compliance:
If necessary, create or modify a compliance template.
Scan your website.
On the Fortify WebInspect Start page, click Generate a Report. The Generate a Report window opens.
If the scan data is stored in a different database, click Change DB and then select a database.
Select a scan (designated by name, URL, or IP address).
Click Next.
Select Compliance.
If you want to produce individual reports on separate tabs (rather than combining all reports on one tab), select Open Reports in Separate Tabs.
Select either Adobe PDF or HTML as the report format.
Adobe Reader 7 or later is required to read reports in Portable Document Format (PDF).
Specify a compliance template. You can select a default template from the list, click the browse button to browse for templates you have created, or open the Compliance Manager and create a custom template.
Click Finished.
After Fortify WebInspect generates the report and displays it on a tab, you can save a report by clicking the Save Report icon on the toolbar.
"Creating a Compliance Template" below
Creating a Compliance Template
To create a compliance template:
On the Fortify WebInspect menu bar, click Tools > Compliance Manager.
The Compliance Manager window opens, displaying the outline of a new template.
Click the phrase "New Compliance Template."
The Compliance Manager creates an editing area in the lower half of the window.
In the editing area, replace the phrase "New Compliance Template" with a description of the template you are creating ("HIPAA" in this example).
Click the phrase "<Click here to add a new category...>."
In the editing area, enter the name and description of the new category. In this example, the name is "Password Protection" and the description is "Maintain security during entry and transmission of passwords."
Click the plus sign to expand the node labeled Password Protection.
Click the phrase "<Click here to add a new question...>."
Click the phrase "New Question."
The editing area displays tabs allowing you to create a question related to the category "Password Protection."
In the Question area, type a question related to the category. This example asks the question, "Is each character of entered password displayed as an asterisk?"
You can associate this question with threat classes, vulnerabilities defined by Micro Focus, or a custom check or agent that you previously created. For this example, click the Vulnerabilities tab and then click Add By ID.
On the Add Check By ID window, enter 4724 and click OK. 4724 is the ID number of the "Password Field Masked" check.
The check you specified appears in the Selected Vulnerabilities area.
The Selected Vulnerabilities area contains two check boxes:
To view a list of broken links in the compliance report, select the Include Broken Links check box.
If you select the check box, then when you run a compliance report, any broken links found will be listed at the end of the report. If broken links are associated with a question in the template, then that question will be marked as failed.
Continue adding threat classes, vulnerabilities, or custom checks until you have included all that sufficiently test your application for the compliance question.
Create additional questions and categories using the above procedures until the compliance template is complete.
Click Save.
To rearrange categories or items, select an item and click Move Up or Move Down.
To insert categories or items, you can alternatively right-click a category/question and select
You can add an HTML link to any description or question, as depicted in the following illustration.
This group of agents, used mainly by the Directory Enumeration engine, follows all known and unknown paths located on your site. Individual checks are grouped alphabetically from A (which begins with the search for a directory named Accounting) to Z (which ends with the search for a directory named Zips). This group also includes checks for other types of commonly occurring directories, such as those associated with Microsoft FrontPage and Microsoft Internet Information Server log files (W3SVCnn).
For detailed information about all the possible agents, start the Policy Manager in Standard view, expand the General Text Searching node and click on any agent.
The Web Application Security Consortium has developed industry-standard terminology to clarify and organize threats to the security of a web site. These are listed on the Threat Classes tab.
To determine if a scan revealed a susceptibility to these threats:
Select a threat class (or one of its components).
Click to include it in the Selected Threat Classes for this question.
This tool allows you to encode and decode values using Base 64, hexadecimal, MD5, and other schemes. You can also encode a string into a Unicode string and use special characters in URL construction.
During the analysis of your scan results, when you encounter a string that you suspect is in an encoded or encrypted format, you can simply copy the string, paste it into the Encoders/Decoders tool, and then click Decode.
To encode a string:
Type (or paste) a string in the Text area, or load the contents of a file by selecting File > Open from the menu.
Select an encoding character set using either the Character Set Name or the Display Name.
Select a cipher type from the Encoding list. For more information, see "Encoding Types" on page 44.
If necessary, type a key in the Key field. When a valid key is entered, the Encode and Decode buttons become enabled.
Click Encode.
The Text area displays the encoded string. The Hex Display area displays the hexadecimal value of each character in the encoded string (formatted in the character set that you select).
If you select Prefixed, "0x" is added to the beginning of the hexadecimal numbers. C and languages with a similar syntax (such as C++, C#, Java and JavaScript) prefix hexadecimal numerals with “0x” (for example, 0x5A3). The leading zero allows the parser to recognize a number, and the “x” stands for hexadecimal.
To decode a string:
Type (or paste) a string in the Text area, or load the contents of a file by selecting File > Open from the menu.
Select a cipher type from the Encoding list.
If necessary, type a key in the Key field.
Click Decode.
You can also use Fortify WebInspect's encoding and decoding capabilities in the HTTP Editor. Right-click while editing a session to access encoding and decoding options.
The encoded form of a string may contain characters that are non-printable. This often occurs when using a hash-based encoding scheme or any encoding scheme that requires a key. Since non-printable characters cannot be copied to the Windows clipboard, you cannot simply copy from or paste into the Encoder/Decoder. However, there are two methods you can use to work around this limitation:
Save the encoded string to a file and, when you want to decode it, select File > Open from the menu to load it into the Encoder tool. Then decode it using the original method and (if applicable) key.
Also, after encoding the string using the chosen encoding method and key, you can encode the resulting string using the base 64 method; then copy the string to the clipboard, paste the clipboard contents, decode using base 64, and decode again using the original method and (if applicable) key.
The Encoder/Decoder allows you to select the encoding types described in the following table.
Encoding Type | Definition |
3DES | Triple DES; a mode of the DES encryption algorithm that encrypts data three times (the string is encrypted, then the encryption is encrypted, and the resulting cipher text is encrypted a third time). The key must be 128 or 192 bits (16 or 24 characters). |
Base64 | Encodes and decodes triplets of 8-bit octets as groups of four characters, each representing 6 bits of the source 24 bits. Only characters present in all variants of ASCII and EBCDIC are used, avoiding incompatibilities in other forms of encoding. |
Blowfish | An encryption algorithm that can be used as a replacement for the DES algorithm. |
DES | Data Encryption Standard. A widely used method of data encryption that can use more than 72 quadrillion different private (and secret) encryption keys. Both the sender and the user must use the same private key. |
Hex | Hexadecimal. |
MD5 | Produces a 128-bit "fingerprint" or "message digest" of whatever data you enter. |
RC2 | A variable key-size block cipher designed by Ronald Rivest. It has a block size of 64 bits and is about two to three times faster than DES in software. |
RC4 | A stream cipher designed by Ronald Rivest. It is a variable key-size stream cipher with byte-oriented operations. Used for file encryption in products such as RSA SecurPC and also used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol. |
ROT13 | A simple Caesar cipher used for obscuring text by replacing each letter with the letter thirteen places down the alphabet. |
SHA1 | Secure Hash Algorithm. A one-way hash function developed by NIST and defined in standard FIPS 180. SHA-1 is a revision published in 1994; it is also described in ANSI standard X9.30 (part 2). |
SHA256 | Secure Hash Algorithm that uses 256-bit encryption. |
SHA384 | Secure Hash Algorithm that uses 384-bit encryption. |
SHA512 | Secure Hash Algorithm that uses 512-bit encryption. |
ToLower | Changes uppercase letters to lowercase. |
ToUpper | Changes lowercase letters to uppercase. |
TwoFish | An encryption algorithm based on the earlier Blowfish algorithm. |
Unicode | Provides a unique number for every character, regardless of the platform, program, or language. |
URL | Creates values that can be used for URL-encoding non-standard letters and characters for display in browsers and plug-ins that support them. |
XHTML | Encapsulates the entered data with text tags: <text>data</text> |
XOR | XOR performs an Exclusive OR operation. You must provide a key. If the length of the key string is only one character, that character is XORed against each character in the encode/decode string. |
Use the HTTP Editor to create or edit requests, send them to a server, and view the response either in raw HTML or as rendered in a browser. The HTTP Editor is a manual hacking tool, and requires a working knowledge of HTML, HTTP, and request methods.
To set proxy and authorization parameters, if necessary, select Edit > Settings.
The Request Viewer contains the HTTP request message, which you can view in four different formats using the following tabs:
The Response Viewer contains the HTTP response message, which you can also view in four different formats using the following tabs:
The File menu contains the following options:
The Edit menu contains the following options:
The View menu contains the following options:
The Help menu contains the following commands:
The following options are available from the Request Action list in the Request Viewer pane.
The PUT method requests that the enclosed entity be stored under the supplied Request-URI. To write a file to a server:
Select PUT File Upload from the drop-down list on the Request Viewer pane.
In the text box that appears to the right of the list, type the full path to a file
- or -
Click the Open Folder icon and select the file you want to upload.
Click Apply. This will also recalculate the content length.
In normal mode, if you edit the message body of the request, the HTTP Editor recalculates the content length and substitutes the appropriate value in the Content-length header. However, when using the Send As Is option, the HTTP Editor does not modify the content length. You can force this recalculation before sending the request by selecting Change Content-Length and clicking Apply.
The specification for URLs (RFC 1738, Dec. '94) limits the use of characters in URLs to a subset of the US-ASCII character set. HTML, on the other hand, allows the entire range of the ISO-8859-1 (ISO-Latin) character set to be used in documents, and HTML4 expands the allowable range to include the complete Unicode character set as well. To circumvent this limitation, you can encode non-standard letters and characters for display in browsers and plug-ins that support them.
URL encoding of a character consists of a "%" symbol, followed by the two-digit hexadecimal representation of the ISO-Latin code point for the character. For example:
The asterisk symbol ( * ) = 42 decimal in the ISO-Latin set
42 decimal = 2A hexadecimal
URL code for asterisk = %2A
You can use URL encoding to bypass an intrusion detection system (IDS) that inspects request messages for certain keywords using only the ISO-Latin character set. For example, the IDS may search for "login" (in ISO-Latin), but not "%4C%4F%47%49%4E" (the URL-encoded equivalent).
To substitute URL code for parameters throughout the entire message, select URL Encode Param Values and click Apply.
To translate URL-encoded parameters to ISO-Latin, select URL Decode Param Values and click
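The encoding rule above (a "%" followed by the two-digit hex code point) and its consequence for keyword matching, as an added example that is not part of the Fortify documentation or product: a matcher that looks only at raw bytes misses the encoded form of a keyword, while one that percent-decodes (repeatedly, for double-encoded input) before comparing does not. The sample query strings are constructed, not captured.

```python
from urllib.parse import unquote

# Constructed sample query strings: the same parameter sent plainly,
# percent-encoded, and double-encoded (%25 is the encoded "%").
SAMPLE_QUERIES = [
    "action=login&user=alice",
    "action=%4C%4F%47%49%4E&user=alice",
    "action=%254C%254F%2547%2549%254E&user=alice",
]

KEYWORD = "login"


def url_encode_all(value: str) -> str:
    """Percent-encode every character as %XX of its ISO-Latin code point,
    e.g. '*' (42 decimal, 2A hex) becomes '%2A'."""
    return "".join("%%%02X" % byte for byte in value.encode("latin-1"))


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing.

    Decoding is done with latin-1 so every %XX maps back to exactly one
    code point, and it is bounded so a deeply nested value cannot keep the
    matcher looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def naive_contains_keyword(query: str, keyword: str = KEYWORD) -> bool:
    """The matcher from the IDS example: inspects the raw query only."""
    return keyword.lower() in query.lower()


def contains_keyword(query: str, keyword: str = KEYWORD) -> bool:
    """Matcher that normalizes first, so encoded forms are not missed.
    Case-insensitive because %4C%4F%47%49%4E decodes to 'LOGIN'."""
    return keyword.lower() in normalize(query).lower()
```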
The Unicode Worldwide Character Standard includes letters, digits, diacritics, punctuation marks, and technical symbols for all the world's principal written languages, using a uniform encoding scheme.
Incorporating Unicode into client-server applications and websites offers significant cost savings over the use of legacy character sets. Unicode enables a single software product or a single website to be targeted across multiple platforms, languages and countries without re-engineering. It allows data to be transported through many different systems without corruption.
To translate the entire request message into Unicode, select Unicode Encode Request and click
To translate the entire request message from Unicode into ISO-Latin, select Unicode Decode Request and click Apply.
The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. You can attempt to upload data by manipulating a POST request message.
To insert data from a file:
Select Create MultiPart Post from the Action drop-down list on the Request Viewer pane.
In the text box to the right of the Action list, type the full path to a file
- or -
Click the Open Folder icon and select the file you want to insert.
Click Apply.
Remove MultiPart Post
To remove a file that is part of a multipart request, select Remove MultiPart Post from the Action list on the Request Viewer pane.
The area immediately below the tabs on the Response Viewer pane contains three controls:
a Chunked button
a Content Coding drop-down list
a button that launches the Find In Response dialog box, allowing you to search the response for the text string you specify
If a server starts sending a response before knowing its total length, it might break the complete response into smaller chunks and send them in series. Such a response contains the "Transfer-Encoding: chunked" header. A chunked message body contains a series of chunks, followed by a line with "0" (zero), followed by optional footers and a blank line. Each chunk consists of two parts:
A line with the size of the chunk data, in hex, possibly followed by a semicolon and extra parameters you can ignore (none are currently standard), and ending with CRLF.
The data itself, followed by CRLF.
If the HTTP response contains compressed data, you can decompress the data using one of the options from the list:
GZIP - A compression utility written for the GNU project.
Deflate - The "zlib" format defined in RFC 1950 in combination with the "deflate" compression mechanism described in RFC 1951.
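The two Response Viewer controls described above, chunk reassembly and content decoding, as an added example that is not part of the Fortify documentation or product code: a decoder for the chunked format (hex size line with ignored extensions, data terminated by CRLF, a "0" chunk, optional trailers, blank line), followed by gzip or deflate decompression. The sample response is constructed in the block; the fallback from zlib-wrapped deflate (RFC 1950) to a bare RFC 1951 stream is an addition for servers that send the latter.

```python
import gzip
import zlib


def decode_chunked(body: bytes):
    """Reassemble a chunked message body; return (data, trailer headers).

    Each chunk is '<hex-size>[;extensions]CRLF<data>CRLF'. A zero-size
    chunk ends the series and is followed by optional trailer lines and a
    blank line, as described in the text above.
    """
    data = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        # Chunk extensions after ';' are ignored, as the text says.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break
        data += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2
    trailers = {}
    while True:
        eol = body.index(b"\r\n", pos)
        line = body[pos:eol]
        pos = eol + 2
        if not line:  # blank line ends the trailer section
            break
        name, _, value = line.decode("latin-1").partition(":")
        trailers[name.strip()] = value.strip()
    return bytes(data), trailers


def decode_content(data: bytes, content_encoding: str) -> bytes:
    """Undo the Content-Encoding named by the response header."""
    coding = content_encoding.strip().lower()
    if coding in ("", "identity"):
        return data
    if coding == "gzip":
        return gzip.decompress(data)
    if coding == "deflate":
        # "deflate" means the zlib-wrapped form (RFC 1950); some servers
        # send a bare RFC 1951 stream instead, so fall back to that.
        try:
            return zlib.decompress(data)
        except zlib.error:
            return zlib.decompress(data, -zlib.MAX_WBITS)
    raise ValueError("unsupported Content-Encoding: " + content_encoding)


def deflate(data: bytes, raw: bool = False) -> bytes:
    """Produce a zlib-wrapped (default) or raw deflate stream for testing."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS if raw else zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def build_sample_response():
    """Constructed sample (not a real capture): a gzip body split into two
    chunks, the first carrying a chunk extension, plus one trailer line."""
    payload = gzip.compress(b"<html><body>Hello, chunked world</body></html>")
    first, second = payload[:10], payload[10:]
    body = (
        b"%X;ext=ignored\r\n" % len(first) + first + b"\r\n"
        + b"%x\r\n" % len(second) + second + b"\r\n"
        + b"0\r\nX-Trailer: done\r\n\r\n"
    )
    return body, "gzip"


def decode_response_body(body: bytes, content_encoding: str) -> bytes:
    """Chunk reassembly first, then content decoding, matching the order
    in which the Chunked and Content Coding controls apply."""
    data, _trailers = decode_chunked(body)
    return decode_content(data, content_encoding)
```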
"Editing and Sending a Request" on the next page
"Searching the Request or Response" on page 52
Editing and Sending a Request
To edit and send a request:
Modify the request message in the Request Viewer pane.
To encode or decode a text string, select the text, then right-click the selection and select either
To change certain features of the request, select an item from the Action list and click Apply. See "HTTP Editor" on page 46 for more information.
Click Send to send the HTTP request message.
The Response Viewer pane displays the HTTP response message when it is received.
To view the response as rendered in a browser, click the Browser tab.
You can prepare your next HTTP request using the HTML or JavaScript controls rendered on the Browser tab. To use this feature, you must select the Interactive Navigation option (click Edit > Settings).
In the Location field, enter a URL and click Send. The application returns a logon form.
In the Response pane, click the Browser tab.
On the rendered page, enter a user name and password, and then click Submit.
The HTTP Editor formats the request (which uses the POST method to the Login.aspx URL) and displays it in the Request Viewer pane, as illustrated below.