| Field | Value |
|---|---|
| Published (Last) | 17 March 2019 |
| PDF File Size | 9.74 Mb |
| ePub File Size | 6.72 Mb |
| Price | Free* (*Free Registration Required) |
With the exponential increase in internet usage, companies around the world are now keen to have a web application of their own that provides all of their functionality to users with a single click. In this quest to provide customers with single-click solutions, all the sensitive data is moved onto a server, which is then accessed through a web application.
In most scenarios, web applications have direct access to the backend database and thus control valuable data. With a single well-crafted malicious payload, an attacker can extract all the information from the database.
The real question is how this can be achieved. Below are some of the checks that are in place to ensure that security holes in the web application are identified. WebInspect is one of the most widely used automated vulnerability scanners on the market today. It helps us identify vulnerabilities present in a web application by taking the necessary input from us. For the rest of this article I will focus on using WebInspect to identify security vulnerabilities.
WebInspect is a web application security scanning tool offered by HP. It helps security professionals assess potential security flaws in a web application. WebInspect is essentially a dynamic black-box testing tool: it detects vulnerabilities by actually performing the attacks against the running application.
After a scan is initiated on a web application, assessment agents work on different areas of the application and report their results to a security engine, which evaluates them. Audit engines are used to attack the application and determine the vulnerabilities. Using the resulting report, the client can fix the issues and then run a validation scan to confirm the fixes. HP WebInspect is a commercial tool and you need a license to scan a web site. With the trial version you will be permitted to scan only zero.
As with every other tool, there are both advantages and disadvantages associated with using WebInspect. Having said that, WebInspect scores high on many features and helps a great deal in providing scanning solutions. WebInspect 9. The following lines give an insight into the various features available in WebInspect. Depending on the scanning policy selected, WebInspect will attempt to attack the web application, which can harm the server.
It also sends many HTTP requests, which results in increased traffic. So keep these things in mind and conduct the scan accordingly.
Crawl: Crawling is the process by which WebInspect builds a tree structure of the entire website by traversing every possible link on the site.
Configure: You need to tell WebInspect what you need from it. Configuring is basically letting WebInspect know what you want and what you do not want.
Analyze: Here you analyze the results presented by WebInspect and eliminate the false positives.

To begin a scan, start WebInspect; as shown in Figure 2, the Scan Wizard window opens and you can select the type of scan you want to conduct. Select Website scan. In the scan wizard, on the right-hand side you can see the recently opened scans and the scheduled scans. You can also schedule a scan to begin at a particular time. Figure 2. Upon selecting the website scan you will be taken to the window shown in Figure 3, where you need to enter the scan name.
Only those URLs will be scanned.
Workflow Driven scan: This is used to scan only a part of your site, not the entire site. The part that needs to be scanned is specified by a workflow macro, which we will look into soon.
Manual scan: Allows you to manually specify the links to be scanned by browsing through them in step mode.
Below the standard scan you can see the restrict to folder option, which defines the scan coverage. This is very important, as the scan coverage depends on the option you select. The following are the options you can choose from the dropdown list. Using this we configure the scan and tell WebInspect what we want from it. There are many options, each with many further choices.
I will try to cover as many as possible; the ones left over are easy to understand. Under Default Settings, as you can see on the left-hand side of the picture above, we have Scan settings, Crawl settings and Audit settings.
It is very important to have a strong hold on configuring these settings, because the output of the scan depends on your input to WebInspect. Let us have a brief look at each of these settings. The options available under Scan settings define the way in which a scan is conducted by WebInspect. For instance, you can exclude certain sections of your web application from being scanned. Similarly, you can define many parameters that affect scan performance and output.
All the options under this section will be covered in detail in the next post. Crawl settings, as the name suggests, hold the parameters that control the way in which WebInspect crawls.
From Figure 4 you can see that this includes link parsing and session exclusion. The parameters under Audit settings define the way in which auditing is performed by WebInspect. They deal with session exclusions, attack exclusions, attack expressions, vulnerability filtering, smart scan, etc.
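The crawl step (building the link tree), the restrict-to-folder coverage choice and the session-exclusion setting described above can be illustrated together. The following is an added example, not WebInspect's own code: a small scoped crawler over a constructed in-memory site, where `folder`, `subdirs` and the `exclude` patterns are assumed stand-ins for the corresponding WebInspect settings.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site (path -> HTML), so the crawl runs offline.
SITE = {
    "/app/": '<a href="/app/login">Login</a> <a href="/app/reports/">Reports</a> <a href="/blog/">Blog</a>',
    "/app/login": '<a href="/app/">Home</a> <a href="/app/logout">Logout</a>',
    "/app/reports/": '<a href="/app/reports/q1">Q1</a> <a href="../admin/">Admin</a>',
    "/app/reports/q1": '<a href="/app/reports/">Back</a>',
    "/app/admin/": '<a href="/app/">Home</a>',
    "/app/logout": "",          # requesting this would end the authenticated session
    "/blog/": '<a href="/app/">App</a>',
}

class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags: the crawler's link-parsing stage."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def in_scope(path, folder, subdirs):
    """Restrict-to-folder check (assumed semantics: subdirs=False keeps only the folder's own entries)."""
    if not path.startswith(folder):
        return False
    return subdirs or "/" not in path[len(folder):]

def crawl(start, folder, subdirs=True, exclude=(r"logout",)):
    """Build the link tree from start, inside folder, never requesting session-exclusion matches."""
    excl = [re.compile(p, re.I) for p in exclude]
    tree, seen, queue = {}, {start}, deque([start])
    while queue:
        path = queue.popleft()
        tree[path] = []
        parser = LinkExtractor()
        parser.feed(SITE.get(path, ""))
        for href in parser.links:
            child = urlparse(urljoin(path, href)).path   # resolve ../ and absolute hrefs
            if not in_scope(child, folder, subdirs) or any(p.search(child) for p in excl):
                continue                                  # out of coverage or excluded
            tree[path].append(child)
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return tree
```

With `subdirs=True` the tree covers everything under `/app/` but never requests `/app/logout` or leaves for `/blog/`; with `subdirs=False` only `/app/` and `/app/login` are visited.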
Smart scan is a new feature that fingerprints the underlying server and sends attack vectors and payloads accordingly, so WebInspect probes only for those vulnerabilities to which the server is susceptible. You can save the settings in a file and load the same file for every scan if it suits your requirements.
You can save different settings in different files and load them when needed. Once you are done with the settings here, click Next and the Authentication and Connectivity window appears (Figure 5).
Here the values shown are based on your input under the Proxy and Authentication tabs in the Default Settings window. Move to the next window, Coverage and Thoroughness, where the information about crawl coverage and audit depth is shown based on your input under the Requester tab in Default Settings. Click Next and the Detailed Scan Configuration window appears (Figure 7). Here the profiler runs a quick examination of the target and, if necessary, recommends certain changes.
You may or may not accept the recommendations. Upon clicking the Scan button, the scan will start. The scan completion time depends on the size of the application, the policy selected and other factors. Once the scan completes, you need to analyze the results to eliminate false positives and generate a report for the valid findings. Hence my next post, which comes as a continuation of this article, covers in-depth details of the default scan settings, configuring and analyzing using WebInspect, generating reports, etc.
Hi Rahul.. My next post would cover configuring and analyzing a web application.. Web service would need a separate post : Will try that too!

Costs are a variety, what needs to be deployed is the quality and minimal false positives.

Please help me to scan this webapp… thanks in advance..

Shritam: Thanks for your response. Even though I didn't point out the differences, I have written an article on IBM Appscan too if you would like to have a look at :

The pricing is definitely high but the open source tools do not have the features that these commercial tools have, which really come in handy when pen testing.

Munna: Hi.. Never came across such a situation.

Hi, I am not receiving activation or licence key after entering my email id to get the trial version licence.

When you request a trial license, you need to use a company email address. If you have used something like gmail, yahoo, hotmail etc you will probably not get the code. The request for a trial license is actually reviewed before sending you the mail :

For a completed scan, I am unable to change my scan name under the Manage scan option. The tool fails to display the edit mode to change the scan name. Because I must change my scan name. Thanks in advance! Regards, Munna.

I think you will not be able to edit the scan name of an already scanned item.. You can only save it to your system with a desired scan name..

Easy to follow, thank you. One note though: I tend to focus on a fact that is confusing and it makes for an issue to digest the rest.
HP WebInspect Tutorial
Security Testing - Automation Tools