Application Settings: Server Profiler
To access this feature, click Edit > Application Settings and then select Server Profiler.
Before starting a scan, Fortify WebInspect can invoke the Server Profiler to conduct a preliminary examination of the target Web site to determine if certain scan settings should be modified. If changes appear to be required, the Server Profiler returns a list of suggestions, which you may accept or reject.
To enable this preliminary examination, click Profile (or select Run Profiler Automatically) on Step 4.
By default, 10 specific modules are enabled. To exclude a module, clear its associated check box.
Modules
The Server Profiler modules are described in the following table.
| Module | Description |
|---|---|
| Check for case-sensitive servers | This module determines if the host server is case-sensitive when discriminating among URLs. For example, some servers (such as IIS) do not differentiate between www.mycompany.com/samplepage.htm and www.mycompany.com/SamplePage.htm. If the profiler determines that the server is not case-sensitive, you can disable Fortify WebInspect’s case-sensitive feature, which would improve the speed and accuracy of the crawl. |
| Check ‘Maximum Folder Depth’ setting | The maximum folder depth setting is intended primarily for sites that programmatically append subfolders to URLs. Without such a limit, Fortify WebInspect would endlessly crawl these dynamic folders. This module determines if the site contains valid URLs that extend beyond that limit and, if so, allows you to increase the setting. |
| Verify client authentication protocol | This module determines which authentication (sign-in) protocol, if any, is required. Fortify WebInspect supports ADFS CBT, Automatic, Digest, HTTP Basic, Kerberos, and NTLM. |
| Check for additional hosts | This module searches the target site for references to additional host servers and allows you to include them as allowed hosts. |
| Reveal navigation parameters | This module determines if the target site uses query parameters in URLs to specify the content of the page and, if so, displays a list of parameters and values that were encountered during the analysis. You can select one or more parameters for Fortify WebInspect to use during the scan. |
| Check for non-standard ‘file not found’ responses | This module determines if a site returns a response code other than 404 when the client requests a non-existent resource. Recognizing this will prevent Fortify WebInspect from auditing non-essential responses. |
| Check for session state embedded in URLs | Instead of using cookies, some servers embed session state in URLs. Fortify WebInspect detects this practice by analyzing the URL with regular expressions. This module attempts to determine if changes to the regular expressions are required. |
| Analyze thread count | This module determines if the thread count should be lowered. Relatively high thread counts, while enabling a faster scan, can sometimes exhaust server resources. |
| Check for invalid audit exclusions | Fortify WebInspect settings prevent pages with certain file extensions from being audited (see Audit Settings: Session Exclusions). The specified extensions are for pages that ordinarily do not have query parameters in the URL of the request. If the settings are incorrect, the audit will not be as thorough. The profiler can detect when pages having audit-excluded extensions actually contain query parameters and will recommend removing those exclusions. |
| Verify maximum response size | A Fortify WebInspect scan setting specifies the maximum response size allowed; the default is 1,000 kilobytes. This module attempts to detect responses larger than the maximum and, if found, recommends that you increase the limit. |
| Optimize settings for specific applications | This module determines if you are scanning a well-known test site (such as WebGoat, Hacme Bank, etc.) and determines if Fortify WebInspect has a prepopulated settings file (a template) designed specifically for that site. These templates are configured to optimize the crawl, audit, and performance of your scans. |
| Add/Remove Trailing Slash | This module determines if the target site requires or prohibits a trailing slash on the start URL. |
| Check for cross-site request forgery | Cross-site request forgery, also known as a one-click attack or session riding, is often abbreviated as CSRF. CSRF is a type of website exploit where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. For more on CSRF, see CSRF. |
| Check for WebSphere servers | WebSphere servers require additional settings changes; this module enables the Profiler to detect whether those changes are required. |
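Three of the modules above (case-sensitive servers, non-standard "file not found" responses, and session state embedded in URLs) come down to a handful of probe requests and a comparison. The script below is an added illustration of those three heuristics, written for this page; it is not Fortify WebInspect's own profiler code, and the `FakeServer` class, its page table and the regular expressions are constructed stand-ins so the example runs offline against an IIS-like (case-insensitive, soft-404) and an Apache-like (case-sensitive, hard-404) server.

```python
import re
import secrets


class FakeServer:
    """Constructed in-memory target. Pages map path -> (status, body);
    unknown paths receive the server's 'not found' response."""

    def __init__(self, pages, case_sensitive, not_found=(404, "Not Found")):
        self.case_sensitive = case_sensitive
        self.not_found = not_found
        # A case-insensitive server (like IIS) matches paths ignoring case.
        self.pages = pages if case_sensitive else {k.lower(): v for k, v in pages.items()}

    def fetch(self, path):
        key = path if self.case_sensitive else path.lower()
        return self.pages.get(key, self.not_found)


def check_case_sensitivity(fetch, known_path):
    """'Check for case-sensitive servers': request a known page under a
    case-swapped variant. Returns True if the server is case-sensitive,
    False if both variants return the same response, None if no variant exists."""
    variant = known_path.swapcase()
    if variant == known_path:
        return None
    return fetch(known_path) != fetch(variant)


def check_not_found_response(fetch, probes=3):
    """'Check for non-standard file not found responses': request random
    non-existent resources. Returns None when the server answers 404, else the
    sorted list of status codes it used for missing pages."""
    statuses = {fetch(f"/{secrets.token_hex(8)}.htm")[0] for _ in range(probes)}
    return None if statuses == {404} else sorted(statuses)


# Constructed patterns for common URL-carried session tokens (assumption, not
# the regular expressions WebInspect ships with).
SESSION_ID_PATTERNS = [
    re.compile(r";jsessionid=[0-9A-Za-z.!]+", re.IGNORECASE),
    re.compile(r"[?&](PHPSESSID|ASPSESSIONID\w*|sessionid|sid)=[^&#]+", re.IGNORECASE),
]


def session_state_in_url(url):
    """'Check for session state embedded in URLs': return the matched
    session fragment, or None if the URL carries no recognised token."""
    for pattern in SESSION_ID_PATTERNS:
        match = pattern.search(url)
        if match:
            return match.group(0)
    return None


def profile(fetch, known_path, sample_urls):
    """Run the three checks and return the list of suggested setting changes."""
    suggestions = []
    if check_case_sensitivity(fetch, known_path) is False:
        suggestions.append("Server is not case-sensitive: disable case-sensitive crawling.")
    codes = check_not_found_response(fetch)
    if codes:
        suggestions.append(f"Server answers missing pages with {codes}: treat these as 'not found'.")
    tokens = [t for t in (session_state_in_url(u) for u in sample_urls) if t]
    if tokens:
        suggestions.append(f"Session state found in URLs ({tokens[0]}): review session-ID regexes.")
    return suggestions


if __name__ == "__main__":
    iis_like = FakeServer({"/samplepage.htm": (200, "Sample page")},
                          case_sensitive=False,
                          not_found=(200, "Sorry, that page does not exist"))
    for line in profile(iis_like.fetch, "/samplepage.htm",
                        ["http://www.mycompany.com/index.jsp;jsessionid=ABC123"]):
        print(line)
```

Each check is deliberately a pure function of a `fetch` callable, so the same logic can be pointed at a real HTTP client once you have authorisation to scan a site; the suggestions it returns mirror the accept-or-reject list the Server Profiler presents before a scan.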
See Also
Application Settings: Database
Application Settings: Directories
Application Settings: Micro Focus ALM
Application Settings: Override SQL Database Settings
Application Settings: Run as a Sensor
Application Settings: Smart Update
Application Settings: Step Mode
Application Settings: Support Channel