Micro Focus

Fortify WebInspect Enterprise

Software Version: 21.1.0
Windows® operating systems


User Guide


Document Release Date: July 2021
Software Release Date: July 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2009-2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

Software Version number, which indicates the software version.
Document Release Date, which changes each time the document is updated.
Software Release Date, which indicates the release date of this version of the software.

This document was produced on May 18, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

About this PDF Version of Online Help

This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can be successfully printed from within the online help.


Contents


Preface ... 22
  Contacting Micro Focus Fortify Customer Support ... 22
  For More Information ... 22
  About the Documentation Set ... 22

Change Log ... 23

Chapter 1: About Fortify WebInspect Enterprise ... 28
  Benefits of Fortify WebInspect Enterprise ... 28
  Fortify WebInspect Enterprise Components ... 28
  Preparing Your System for Audit ... 29
  Increased Network Traffic ... 29
  Firewalls, Anti-virus Software, and Intrusion Detection Systems ... 29
  Increased Form Input ... 30
  Increased HTTP Requests and Invalid Input ... 31
  Uploading of Files ... 31
  Related Documents ... 31
  All Products ... 32
  Micro Focus Fortify Software Security Center ... 32
  Micro Focus Fortify WebInspect ... 33
  Micro Focus Fortify WebInspect Enterprise ... 34

Chapter 2: WebInspect Enterprise Administrative Console ... 36
  About the User Interface ... 36
  About the Groups and Their Shortcuts ... 36
  Scans Group ... 37
  Sensors Group ... 37
  Administration Group ... 37
  Menu Bar and Toolbar ... 38
  Logging On ... 39
  Changing the Screen Refresh Rate ... 40
  Selecting Which Table Columns to Display ... 40
  Grouping and Sorting Items in Lists ... 41
  Performing Common Tasks ... 42
  Managing SmartUpdates ... 43
  Managing the SmartUpdate History and Schedules ... 44
  Performing a Manual SmartUpdate ... 45
  Adding a SmartUpdate Schedule ... 45
  Performing a SmartUpdate (Offline) ... 46
  Working with SmartUpdate Binary Files ... 46
  Updating the List of Available Binary Files ... 47
  Updates to SecureBase and SmartUpdater ... 47
  Accessing the SmartUpdate Approval Form ... 47
  Viewing Update Details ... 47
  Downloading Binary Update Files ... 47
  Approving or Declining Binary Update Files ... 48
  Deleting a Downloaded File ... 48
  How Updates Occur on the Client ... 49
  SmartUpdate Effect on Scans ... 49
  Managing Proxy Server Settings ... 49
  About Roles and Permissions ... 50
  Managing Roles and Permissions ... 51
  Adding, Removing, and Distributing Global Roles ... 52
  Adding a Global Role ... 52
  Removing a Global Role ... 53
  Distributing an Existing Global Role to All Organizations ... 53
  Adding a User or Group to Multiple Roles ... 53
  Displaying or Removing Roles of Users or Groups ... 54
  About Fortify WebInspect Enterprise System Administrators, Roles, and Permissions ... 55
  Adding an Organization ... 56
  Adding and Removing Fortify WebInspect Enterprise System Administrators ... 56
  Adding a Fortify WebInspect Enterprise System Administrator ... 56
  Removing a Fortify WebInspect Enterprise System Administrator ... 57
  Managing Fortify WebInspect Enterprise System Roles and Permissions ... 57
  Adding a Fortify WebInspect Enterprise System Role ... 57
  Assigning Groups or Users to a Fortify WebInspect Enterprise System Role ... 58
  Copying a Fortify WebInspect Enterprise System Role ... 59
  About Organization Administrators, Roles, and Permissions ... 59
  Adding, Removing, and Renaming Organizations ... 60
  Adding an Organization ... 61
  Removing an Organization ... 61
  Renaming an Organization ... 61
  Adding and Removing Organization Administrators ... 62
  Adding an Organization Administrator ... 62
  Removing an Organization Administrator ... 62
  Configuring Organization Options ... 63
  Configuring Option: Organization Maximum Security Priority ... 63
  Configuring Option: Disable Retest Browser Tab ... 63
  Managing Organization Roles and Permissions ... 64
  Adding an Organization Role ... 64
  Adding Groups or Users to an Organization Role ... 65
  Copying or Moving an Organization Role ... 65
  Removing an Organization Role ... 66
  Renaming an Organization Role ... 66
  Specifying Resources Available to Organizations ... 67
  Moving or Copying Objects to Groups or Other Organizations ... 68
  About Group Administrators, Roles, and Permissions ... 69
  Adding, Removing, and Renaming Groups ... 70
  Adding a Group ... 70
  Removing a Group ... 71
  Renaming a Group ... 71
  Adding and Removing Group Administrators ... 71
  Adding a Group Administrator ... 72
  Removing a Group Administrator ... 72
  Configuring Group Options ... 73
  Configuring Option: Group Maximum Security Priority ... 73
  Configuring Option: Group IP and Host Permissions ... 73
  Managing Group Roles and Permissions ... 74
  Adding a Group Role ... 74
  Adding Groups or Users to a Group Role ... 75
  Copying or Moving a Group Role ... 75
  Removing a Group Role ... 76
  Renaming a Group Role ... 76
  Specifying Resources Available to Groups ... 77
  Moving or Copying Objects to Organizations or Other Groups ... 78
  Managing Scans, Sensors, and Sensor Users ... 79
  About Controlling Scans Using the Scan Queue ... 79
  Controlling Scans Using the Scan Queue ... 80
  About Managing Scan Policies ... 80
  Managing Scan Policies ... 81
  Creating Custom and Master Scan Policies ... 82
  Adding, Editing, and Deleting Export Paths for Saving Scans ... 84
  Specifying Export Paths for Saving Scans ... 84
  About Sensor Management ... 85
  Managing Sensors and Their Scans ... 85
  Managing Sensor Users ... 86
  Managing E-mail and SNMP Alerts ... 87
  Adding, Editing, and Deleting E-mail Alerts ... 87
  Specifying E-mail Alert Settings ... 89
  Understanding Assigned Risks and the Total Risk Score ... 90
  Assigned Risks ... 90
  Total Risk Score ... 90
  Where Total Risk Score Appears ... 91
  Adding, Editing, and Deleting SNMP Alerts ... 91
  Specifying SNMP Alert Settings ... 93
  Working with Fortify Software Security Center ... 93
  Configuring Settings for Fortify Software Security Center ... 94
  Disabling Automatic Publishing of Scans to Fortify Software Security Center ... 95
  Importing Applications into Fortify Software Security Center from a CSV File ... 95
  Managing Users and the Activity Log ... 97
  About Managing Connected Users ... 97
  Managing Connected Users ... 97
  Viewing License Information ... 98
  Managing the Activity Log ... 99
  Reference Lists ... 99
  Policies List ... 100
  Best Practices ... 100
  By Type ... 101
  Custom ... 103
  Hazardous ... 103
  Deprecated Checks and Policies ... 103
  Scan Status Messages List ... 104
  HTTP Status Codes List ... 105
  Sensor Status List ... 109

Chapter 3: WebInspect Enterprise Services Manager ... 110
  About the Fortify WebInspect Enterprise Services Manager ... 110
  Configuring the Scan Uploader Service ... 110
  Service Status ... 110
  Fortify WebInspect Enterprise Configuration ... 111
  Dropbox Configuration ... 111
  Logging Configuration ... 112
  Starting the Service ... 112
  Configuring the Task Service ... 112
  Service Status ... 112
  Database Configuration ... 113
  Logging Configuration ... 113
  Fortify Software Security Center Poll Interval ... 114
  Starting the Service ... 114
  Configuring the Scheduler Service ... 114
  Service Status ... 114
  Fortify WebInspect Enterprise Manager ... 115
  Logging Configuration ... 115
  Starting the Service ... 115

Chapter 4: WebInspect Enterprise Web Console ... 116
  Using the Interface ... 116
  Navigation Pane ... 117
  Toolbar ... 118
  About the WebInspect Enterprise Desktop Application ... 118
  Downloading from Initial Prompt ... 119
  Downloading from Toolbar ... 119
  Configuring Toolbar Options ... 120
  Configuring Form Layouts ... 121
  Columns ... 122
  Grouping ... 123
  Sorting ... 123
  Paging ... 123
  Enabling New Scan Schedules ... 124
  Enabling New Blackout Periods ... 124
  Conducting Scans ... 124
  Accessing Guided Scan ... 124
  Launching Guided Scan ... 124
  Configuring a Web Site Scan ... 125
  Accessing the New Scan Page ... 125
  Specifying the Application Version ... 125
  Configuring General Settings ... 125
  Configuring Authentication ... 127
  Configuring Coverage ... 128
  Configuring Priority ... 129
  Starting or Canceling the Scan ... 129
  Scan Dependencies ... 129
  Internet Protocol Version 6 ... 129
  About Web Services ... 130
  Configuring a Web Service Scan ... 130
  Accessing the New Scan Page ... 130
  Specifying the Application Version ... 130
  Configuring General Settings ... 131
  Configuring Authentication ... 131
  Configuring Coverage ... 132
  Configuring Priority ... 132
  Starting or Canceling the Scan ... 132
  Configuring a Scheduled Scan ... 133
  Specifying the Application Version ... 133
  Configuring General Settings ... 133
  Configuring Recurrence Settings ... 134
  Configuring Behavior Settings ... 135
  Configuring Overrides ... 135
  Finishing Up ... 136
  Scan Schedules ... 136
  Reviewing Scheduled Scan Settings ... 136
  Using the Context Menu ... 136
  Using the Icons Above the Form Grid ... 137
  Searching On This Page ... 137
  Scheduled Scan Dependencies ... 138
  Using Scan Requests from Fortify Software Security Center ... 139
  Processing a Pending Request ... 139
  Associating Scans Manually ... 140
  Creating a Scan Request in Fortify Software Security Center ... 140
  Using Scan Templates ... 142
  Searching On This Page ... 143
  Configuring a Scan Template ... 145
  Specifying the Application Version ... 145
  Configuring General Settings ... 145
  Configuring Overrides ... 146
  Finishing Up ... 146
  Editing a Scan Template in Guided Scan ... 146
  Process Overview ... 147
  Scan Template Dependencies ... 147
  Blackouts Overview ... 148
  Using Blackouts ... 148
  Searching On This Page ... 150
  Creating a Blackout Period ... 151
  Policies List ... 153
  Best Practices ... 154
  By Type ... 155
  Custom ... 156
  Hazardous ... 157
  Deprecated Checks and Policies ... 157
  Working with Applications ... 158
  Creating New Application Versions ... 158
  Creating an Application Version ... 159
  Viewing Application Versions ... 159
  Searching On This Page ... 161
  Reviewing Application Version Details ... 162
  All Scans ... 162
  Issues ... 163
  Scan Templates ... 164
  Schedules ... 164
  Properties ... 165
  Notes ... 165
  Aliases ... 165
  Login Macros ... 165
  Additional Functions ... 165
  Searching On This Page ... 166
  Viewing Vulnerabilities ... 168
  Managing Deleted Applications ... 168
  Recovering Deleted Applications (Standalone) ... 169
  Recovering Deleted Applications (Integrated with Software Security Center) ... 169
  Permanently Deleting Applications ... 169
  About Dependencies ... 169
  Adding or Editing an Alias ... 170
  When to Set Up Aliases ... 170
  Creating an Alias ... 170
  Working with the Macro Repository ... 171
  Adding a New Macro ... 171
  Downloading a Macro ... 171
  Updating a Macro ... 172
  Deleting a Macro ... 172
  Using Repository Macros in Scans ... 172
  Working with Scans ... 173
  Reviewing the Scan List ... 173
  Scans Form Columns ... 173
  Available Functions ... 175
  Searching On This Page ... 178
  Reviewing Scan Results ... 179
  Toolbar ... 189
  Reviewing the Scan Dashboard ... 190
  Progress Bars ... 191
  Progress Bar Descriptions ... 191
  Progress Bar Colors ... 192
  Activity Meters ... 192
  Scan Status ... 193
  Fortify WebInspect Agent Detected or Not Detected ... 193
  Vulnerabilities Graphics ... 193
  Statistics Panel - Scan Section ... 194
  Statistics Panel - Crawl Section ... 195
  Statistics Panel - Audit Section ... 195
  Statistics Panel - Network Section ... 195
  Adding a Page or Directory ... 196
  Adding a Variation ... 196
  What is a Variation? ... 196
  Procedure ... 197
  Comparing Scans ... 197
  Guidelines for Scan Comparison ... 197
  Effect of Scheme, Host, and Port Differences on Scan Comparison ... 197
  Selecting Scans to Compare ... 198
  Reviewing the Scan Dashboard ... 199
  Scan Descriptions ... 199
  Venn Diagram ... 199
  Vulnerabilities Bar Chart ... 200
  Compare Modes ... 200
  Session Filtering ... 201
  Using the Session Info Panel ... 201
  Using the Summary Pane to Review Findings ... 201
  About Publishing Scans to Fortify Software Security Center ... 202
  Publishing Scans to Fortify Software Security Center ... 204
  Working with Vulnerabilities ... 205
  Reviewing Vulnerabilities ... 205
  Retesting the Session ... 206
  Editing and Adding Vulnerabilities ... 207
  To Edit or Add a Vulnerability ... 207
  To Remove Edits ... 208
  Adding a Vulnerability Note ... 208
  Adding a Vulnerability Screenshot ... 208
  Marking a Vulnerability as a False Positive ... 209
  Recovering Deleted Items ... 209
  About Vulnerability Rollup ... 210
  What Happens to Rolled Up Vulnerabilities ... 210
  Rollup Guidelines ... 210
  Rolling Up Vulnerabilities ... 211
  Undoing Rollup ... 211
  Advanced Settings ... 212
  Legacy Scan: General ... 212
  Scan ... 212
  Scan URL ... 212
  Priority ... 213
  Sensor ... 214
  Legacy Scan Settings: Method ... 214
  Scan Mode ... 214
  Crawl and Audit Mode ... 215
  Scan Behavior ... 215
  Legacy Scan Settings: General ... 216
  Scan Details ... 216
  Crawl Details ... 217
  Audit Details ... 219
  Legacy Scan Settings: Content Analyzers ... 219
  Flash ... 219
  JavaScript/VBScript ... 219
  Silverlight ... 221
  Legacy Scan Settings: Requestor ... 221
  Requestor Performance ... 221
  Requestor Settings ... 222
  Stop Scan if Loss of Connectivity Detected ... 222
  Legacy Scan Settings: Session Storage ... 223
  Log Rejected Session to Database ... 223
  Session Storage ... 225
  Legacy Scan Settings: Session Exclusions ... 225
  Excluded or Rejected File Extensions ... 225
  Excluded MIME Types ... 225
  Excluded or Rejected URLs and Hosts ... 225
  MIME Types ... 226
  Legacy Scan Settings: Allowed Hosts ... 227
  Allowable Hosts for Crawl and Audit ... 227
  Legacy Scan Settings: HTTP Parsing ... 228
  HTTP Parameters Used for State ... 228
  Determine State from URL Path ... 228
  Legacy Scan Settings: Filters ... 229
  Using the Filter Settings ... 229
  Legacy Scan Settings: Cookies/Headers ... 230
  Standard Header Parameters ... 230
  Append Custom Headers ... 231
  Append Custom Cookies ... 231
  Legacy Scan Settings: Proxy ... 231
  Proxy Settings ... 231
  Legacy Scan Settings: Authentication ... 232
  Scan Requires Network Authentication ... 232
  Legacy Scan Settings: File Not Found ... 234
  Legacy Scan Settings: Policy ... 235
  Scan Policy ... 235
  Legacy Crawl Settings: Link Parsing ... 235
  Link Parsing ... 235
  Legacy Crawl Settings: Session Exclusions ... 236
  Excluded or Rejected File Extensions ... 236
  Excluded MIME Types ... 236
  Excluded or Rejected URLs and Hosts ... 237
  Legacy Audit Settings: Session Exclusions ... 237
  Excluded or Rejected File Extensions ... 237
  Legacy Audit Settings: Attack Exclusions ... 238
  Excluded Parameters ... 239
  Excluded Cookies ... 239
  Excluded Headers ... 239
  Audit Inputs Editor ... 239
  Legacy Audit Settings: Attack Expressions ... 240
  Additional Regular Expression Languages ... 240
  Legacy Audit Settings: Vulnerability Filters ... 240
  Select Vulnerability Filters to Enable ... 241
  Audit Settings: Smart Scan ... 241
  Smart Scan ... 241
  Custom Server/Application Type Definitions (more accurate detection) ... 242
  Legacy Scan Behavior: Blackout Action ... 242
  Legacy Export: General ... 242
  Export Scan Results ... 243
  Blackout Settings ... 243
  Blackout: General ... 243
  Creating a Blackout Period ... 243
  Blackout: Recurrence ... 245
  Recurring ... 245
  Legacy Scheduled Scan Settings ... 246
  Legacy Scheduled Scan - Schedule: General ... 246
  Legacy Scheduled Scan - Schedule: Recurrence ... 247
  Legacy Scheduled Scan - Scan: General ... 247
  Scan URL ... 248
  Priority ... 249
  Sensor ... 249
  Legacy Scheduled Scan - Scan Settings: Method ... 249
  Scan Mode ... 250
  Crawl and Audit Mode ... 250
  Scan Behavior ... 250
  Legacy Scheduled Scan - Scan Settings: General ... 251
  Scan Details ... 251
  Crawl Details ... 252
  Audit Details ... 254
  Legacy Scheduled Scan - Scan Settings: Content Analyzers ... 254
  Content Analyzers ... 255
  Parser Settings ... 255
  Legacy Scheduled Scan - Scan Settings: Requestor ... 256
  Requestor Performance ... 256
  Requestor Settings ... 257
  Stop Scan if Loss of Connectivity Detected ... 257
  Legacy Scheduled Scan - Scan Settings: Session Storage ... 258
  Log Rejected Session to Database ... 258
  Session Storage ... 259
  Legacy Scheduled Scan - Scan Settings: Session Exclusions ... 259
  Excluded or Rejected File Extensions ... 260
  Excluded MIME Types ... 260
  Excluded or Rejected URLs and Hosts ... 260
  Legacy Scheduled Scan - Scan Settings: Allowed Hosts ... 261
  Allowable Hosts for Crawl and Audit ... 262
  Legacy Scheduled Scan - Scan Settings: HTTP Parsing ... 262
  HTTP Parameters Used for State ... 263
  Determine State from URL Path ... 263
  Legacy Scheduled Scan - Scan Settings: Filters ... 264
  Using Filters ... 264
  Legacy Scheduled Scan - Scan Settings: Cookies/Headers ... 265
  Standard Header Parameters ... 265
  Append Custom Headers ... 265
  Append Custom Cookies ... 266
  Legacy Scheduled Scan - Scan Settings: Proxy ... 266
  Proxy Settings ... 266
  Legacy Scheduled Scan - Scan Settings: Authentication ... 267
  Scan Requires Network Authentication ... 267
  Legacy Scheduled Scan - Scan Settings: File Not Found ... 269
  Legacy Scheduled Scan - Scan Settings: Policy ... 270
  Scan Policy ... 270
  Legacy Scheduled Scan - Crawl Settings: Link Parsing ... 270
  Link Parsing ... 271
  Legacy Scheduled Scan - Crawl Settings: Session Exclusions ... 271
  Excluded or Rejected File Extensions ... 271
  Excluded MIME Types ... 272
  Excluded or Rejected URLs and Hosts ... 272
  Legacy Scheduled Scan - Audit Settings: Session Exclusions ... 272
  Excluded or Rejected File Extensions ... 273
  Legacy Scheduled Scan - Audit Settings: Attack Exclusions ... 274
  Excluded Parameters ... 274
  Excluded Cookies ... 274
  Excluded Headers ... 275
  Audit Inputs Editor ... 275
  Legacy Scheduled Scan - Audit Settings: Attack Expressions ... 275
  Additional Regular Expression Languages ... 276
  Legacy Scheduled Scan - Audit Settings: Vulnerability Filters ... 276
  Select Vulnerability Filters to Enable ... 276
  Legacy Scheduled Scan - Audit Settings: Smart Scan ... 277
  Smart Scan ... 277
  Custom Server/Application Type Definitions (more accurate detection) ... 278
  Legacy Scheduled Scan - Scan Behavior: Blackout Action ... 278
  Legacy Scheduled Scan - Export: General ... 278
  Export Scan Results ... 279
  Legacy Scan Template Settings ... 279
  Legacy Scan Template - Scan: General ... 279
  Scan URL ... 280
  Legacy Scan Template - Scan Settings: Method ... 281
  Scan Mode ... 282
  Crawl and Audit Mode ... 282
  Scan Behavior ... 282
  Legacy Scan Template - Scan Settings: General ... 283
  Scan Details ... 283
  Crawl Details ... 284
  Audit Details ... 286
  Legacy Scan Template - Scan Settings: Content Analyzers ... 286
  Content Analyzers ... 287
  Parser Settings ... 287
  Legacy Scan Template - Scan Settings: Requestor ... 288
  Requestor Performance ... 288
  Requestor Settings ... 289
  Stop Scan if Loss of Connectivity Detected ... 289
  Legacy Scan Template - Scan Settings: Session Storage ... 290
  Log Rejected Session to Database ... 290
  Session Storage ... 292
  Legacy Scan Template - Scan Settings: Session Exclusions ... 292
  Excluded or Rejected File Extensions ... 292
  Excluded MIME Types ... 292
  Excluded or Rejected URLs and Hosts ... 292
  Legacy Scan Template - Scan Settings: Allowed Hosts ... 294
  Allowable Hosts for Crawl and Audit ... 294
  Legacy Scan Template - Scan Settings: HTTP Parsing ... 295
  HTTP Parameters Used for State ... 295
  Determine State from URL Path ... 296
  Legacy Scan Template - Scan Settings: Filters ... 296
  Legacy Scan Template - Scan Settings: Cookies/Headers ... 297
  Standard Header Parameters ... 298
  Append Custom Headers ... 298
  Append Custom Cookies ... 298
  Legacy Scan Template - Scan Settings: Proxy ... 298
  Proxy Settings ... 299
  Legacy Scan Template - Scan Settings: Authentication ... 300
  Scan Requires Network Authentication ... 300
  Legacy Scan Template - Scan Settings: File Not Found ... 301
  Legacy Scan Template - Scan Settings: Policy ... 302
  Scan Policy ... 303
  Legacy Scan Template - Crawl Settings: Link Parsing ... 303
  Link Parsing ... 303
  Legacy Scan Template - Crawl Settings: Session Exclusions ... 304
  Excluded or Rejected File Extensions ... 304
  Legacy Scan Template - Audit Settings: Session Exclusions ... 305
  Excluded or Rejected File Extensions ... 305
  Legacy Scan Template - Audit Settings: Attack Exclusions ... 306
  Excluded Parameters ... 307
  Excluded Cookies ... 307
  Excluded Headers ... 307
  Audit Inputs Editor ... 308
  Legacy Scan Template - Audit Settings: Attack Expressions ... 308
  Additional Regular Expression Languages ... 308
  Legacy Scan Template - Audit Settings: Vulnerability Filters ... 309
  Select Vulnerability Filters to Enable ... 309
  Legacy Scan Template - Audit Settings: Smart Scan ... 310
  Smart Scan ... 310
  Custom Server/Application Type Definitions (more accurate detection) ... 310

Chapter 5: WebInspect Enterprise Guided Scan and Reporting ... 311
  About Guided Scan and Reporting ... 311
  Launching a Guided Scan ... 311
  Selecting the Type of Guided Scan to Run ... 311
  Guided Scan Logging ... 312
  Generating a Report ... 312
  Configuring a Guided Scan ... 313
  Predefined Templates for Scanning Web Sites ... 313
  Mobile Templates for Scanning Mobile Sites or Recording Back-End Traffic ... 313
  Configuring Web Site Scans Using a Predefined Template ... 314
  Setting the Rendering Engine ... 314
  Overview of Guided Scan Stages and Steps ... 314
  Site ... 315
  Login ... 318
  Workflows ... 322
  Active Learning ... 324
  Settings ... 325
  Configuring Mobile Web Site Scans Using a Mobile Template ... 327
  About Mobile Web Site Scans ... 327
  Creating a Mobile Web Site Scan ... 327
  About the Site Stage ... 328
  About the Login Stage ... 331
  About the Workflows Stage ... 335
  About the Active Learning Stage ... 336
  About the Settings Stage ... 337
  Configuring Native Scans Using a Mobile Template ... 339
  About Native Scans ... 339
  Supported Devices ... 339
  Supported Development Emulators ... 340
  Creating a Native Scan ... 340
  About the Native Mobile Stage ... 340
  About the Login Stage ... 343
  Application Authentication Step ... 345
  About the Application Stage ... 347
  About the Settings Stage ... 348
  Post Scan Steps ... 349
  Multi-user Login Scans ... 350
  Before You Begin ... 350
  Known Limitations ... 350
  Process Overview ... 350
  Configuring a Multi-user Login Scan ... 351
  Adding Credentials ... 351
  Editing Credentials ... 352
  Deleting Credentials

352

Privilege Escalation Scans                      

352

Two Modes of Privilege Escalation Scans                

352

What to Expect During the Scan                   

353

Single-page Application Scans                     

353

Technology Preview                       

353

The Challenge of Single-page Applications               

353

Enabling SPA Support                      

354

Importing Micro Focus Unified Functional Testing Scripts            

354

Testing Login Macros                        

355

Validation Tests Performed                     

356

Troubleshooting Tips                       

356

Advanced Guided Scan Settings                     

357

Scan Settings: Method                       

357

Scan Mode                          

357

Crawl and Audit Mode                      

358

Crawl and Audit Details                      

358

Navigation                          

359

SSL/TLS Protocols                        

360

Scan Settings: General                        

360

Scan Details                          

360

Crawl Details                          

362

Scan Settings: JavaScript                       

365

JavaScript Settings                        

365

Scan Settings: Requestor                       

367

Requestor Performance                      

367

Requestor Settings                       

368

Stop Scan if Loss of Connectivity Detected               

369

Scan Settings: Session Exclusions                    

370

Excluded or Rejected File Extensions                  

370

Excluded MIME Types                      

370

Other Exclusion/Rejection Criteria                  

371

Editing Criteria                        

371

Adding Criteria                        

371

Scan Settings: Allowed Hosts                     

373

Using the Allowed Host Setting                   

373


Adding Allowed Domains                     

373

Editing or Removing Domains                    

374

Scan Settings: HTTP Parsing                     

374

Options                           

374

CSRF                            

377

About CSRF                         

377

Using CSRF Tokens                      

377

Scan Settings: Custom Parameters                   

377

URL Rewriting                         

378

RESTful Services                        

378

Enable automatic seeding of rules that were not used during scan       

379

Double Encode URL Parameters                  

380

Path Matrix Parameters                      

380

Definition of Path Segment                    

381

Special Elements for Rules                    

381

Asterisk Placeholder                      

382

Benefit of Using Placeholders                  

383

Multiple Rules Matching a URL                 

383

Scan Settings: Filters                        

383

Options                           

384

Adding Rules for Finding and Replacing Keywords             

384

Scan Settings: Cookies/Headers                    

385

Standard Header Parameters                    

385

Append Custom Headers                     

385

Adding a Custom Header                    

386

Append Custom Cookies                      

386

Adding a Custom Cookie                    

386

Scan Settings: Proxy                        

386

Options                           

387

Scan Settings: Authentication                     

390

Network Authentication                      

390

Authentication Method                      

390

Authentication Credentials                     

392

Client Certificate                        

392

Enable Macro Validation                      

393

Use a Login Macro for Forms Authentication               

393

Login Macro Parameters                      

393

Use a Startup Macro                       

394

Multi-user Login                        

394


Scan Settings: File Not Found                     

395

Options                           

395

Scan Settings: Policy                        

397

Creating a Policy                        

397

Editing a Policy                         

397

Importing a Policy                        

397

Deleting a Policy                        

398

Scan Settings: User Agent                      

398

Profile and User-Agent String                    

398

Navigator Interface Settings                    

399

Crawl Settings: Link Parsing                      

399

Adding a Specialized Link Identifier                  

400

Crawl Settings: Link Sources                      

400

What is Link Parsing?                       

400

Pattern-based Parsing                      

400

DOM-based Parsing                       

400

Form Actions, Script Includes, and Stylesheets              

403

Miscellaneous Options                      

404

Limitations of Link Source Settings                  

405

Crawl Settings: Session Exclusions                    

405

Excluded or Rejected File Extensions                  

405

Adding a File Extension to Exclude/Reject               

406

Excluded MIME Types                      

406

Adding a MIME Type to Exclude                  

406

Other Exclusion/Rejection Criteria                  

406

Editing the Default Criteria                    

406

Adding Exclusion/Rejection Criteria                 

407

Audit Settings: Session Exclusions                    

408

Excluded or Rejected File Extensions                  

409

Adding a File Extension to Exclude/Reject               

409

Excluded MIME Types                      

409

Adding a MIME Type to Exclude                  

409

Other Exclusion/Rejection Criteria                  

409

Editing the Default Criteria                    

410

Adding Exclusion/Rejection Criteria                 

410

Audit Settings: Attack Exclusions                    

412

Excluded Parameters                       

412

Adding Parameters to Exclude                   

412

Excluded Cookies                        

412


Excluding Certain Cookies                    

412

Excluded Headers                        

413

Excluding Certain Headers                    

413

Audit Inputs Editor                       

414

Audit Settings: Attack Expressions                   

414

Additional Regular Expression Languages                

414

Audit Settings: Vulnerability Filtering                   

415

Adding a Vulnerability Filter                    

415

Audit Settings: Smart Scan                      

415

Enable Smart Scan                        

416

Use regular expressions on HTTP responses to identify server/application types  

416

Use server analyzer fingerprinting and request sampling to identify

server/application types                     


416

Custom server/application type definitions (more accurate detection)     

416


Send Documentation Feedback                       

417

Preface


Contacting Micro Focus Fortify Customer Support

Visit the Support website to: