Audit Settings: Smart Scan

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Audit Settings category, select Smart Scan.

Enable Smart Scan

Smart Scan is an "intelligent" feature that discovers the type of server that is hosting the Web site and checks for known vulnerabilities against that specific server type. For example, if you are scanning a site hosted on an IIS server, Fortify WebInspect will probe only for those vulnerabilities to which IIS is susceptible. It would not check for vulnerabilities that affect other servers, such as Apache or iPlanet.

If you select this option, you can choose one or more of the identification methods described below.

Use regular expressions on HTTP responses

This method, employed by previous releases of Fortify WebInspect, searches the server response for strings that match predefined regular expressions designed to identify specific servers.

Use server analyzer fingerprinting and request sampling

This advanced method sends a series of HTTP requests and then analyzes the responses to determine the server/application type.

Custom server/application type definitions

If you know the server type for a target domain, you can select it using the Custom server/application type definitions section. This identification method overrides any other selected method for the server you specify.

To specify a custom definition:

  1. Click Add.

    The Server/Application Type Entry window opens.

  2. In the Host box, enter the domain name or host, or the server's IP address.

  3. (Optional) Click Identify.

    Fortify WebInspect contacts the server and uses the server analyzer fingerprinting method to determine the server type. If successful, it selects the corresponding check box in the Server/Application Type list.

    Note: Alternatively, if you select the Use Regular Expressions option, enter a regular expression designed to identify a server. Click to insert regular expression notations or to launch the Regular Expression Editor (which facilitates the creation and testing of an expression).

  4. Select one or more entries from the Server/Application Type list.

  5. Click OK.
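The two identification behaviours described above (regular-expression matching on the HTTP response, and a custom per-host definition that overrides it) can be illustrated with the following added example. It is not WebInspect code; the signature patterns, host names and responses are constructed for the example, and it matches only against the response headers, which is an assumption of this example rather than a statement about WebInspect's own matching.

```python
import re
from typing import Dict, Set

# Constructed signatures (not WebInspect's own definitions): each server type maps
# to a regular expression tried against the response header block.
SERVER_SIGNATURES: Dict[str, re.Pattern] = {
    "IIS":     re.compile(r"^Server:\s*Microsoft-IIS/", re.I | re.M),
    "Apache":  re.compile(r"^Server:\s*Apache\b", re.I | re.M),
    "iPlanet": re.compile(r"^Server:\s*(?:Netscape-Enterprise|iPlanet)", re.I | re.M),
}

# Custom server/application type definitions keyed by host (constructed values).
# A custom definition overrides whatever the regular expressions would report.
CUSTOM_DEFINITIONS: Dict[str, Set[str]] = {
    "intranet.example.test": {"IIS"},
}

# Constructed sample responses. The third has its Server banner removed, which is
# exactly the case where regex identification yields nothing and a custom
# definition is needed so that server-specific checks are not silently skipped.
IIS_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
                "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\n\r\n"
                "<html>Hosted on Apache? No, just mentions the word.</html>")
APACHE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\n"
                   "Content-Type: text/html\r\n\r\n<html></html>")
STRIPPED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     "<html></html>")


def identify_by_regex(raw_response: str) -> Set[str]:
    """Return every server type whose signature matches the header block only."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    return {name for name, rx in SERVER_SIGNATURES.items() if rx.search(head)}


def identify_server(host: str, raw_response: str) -> Set[str]:
    """Custom definition for the host wins; otherwise fall back to regex matching."""
    if host in CUSTOM_DEFINITIONS:
        return set(CUSTOM_DEFINITIONS[host])
    return identify_by_regex(raw_response)


if __name__ == "__main__":
    for host, resp in [("www.example.test", IIS_RESPONSE),
                       ("www.example.test", STRIPPED_RESPONSE),
                       ("intranet.example.test", STRIPPED_RESPONSE)]:
        print(host, "->", identify_server(host, resp) or "unidentified")
```

An empty result means the regex method could not classify the host, so a Smart Scan relying on it alone would not select any server-specific checks; that is the situation the custom definition is meant to cover.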

See Also

Audit Settings: Attack Exclusions

Audit Settings: Attack Expressions

Audit Settings: Session Exclusions

Audit Settings: Vulnerability Filtering