Scan Settings: Requestor

A requestor is the software module that handles HTTP requests and responses.

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Requestor.

Requestor Performance

The Requestor Performance options are described in the following table.

Option Description
Use a shared requestor

If you select this option, the crawler and the auditor use a common requestor when scanning a site, and each thread uses the same state, which is also shared by both modules. This replicates the technique used by previous versions of Fortify WebInspect and is suitable for use when maintaining state is not a significant consideration. You also specify the maximum number of threads (up to 75).

Use separate requestors

If you select this option, the crawler and auditor use separate requestors. Also, the auditor's requestor associates a state with each thread, rather than having all threads use the same state. This method results in significantly faster scans.

When performing crawl and audit, you can specify the maximum number of threads that can be created for each requestor. The Crawl requestor thread count can be configured to send up to 25 concurrent HTTP requests before waiting for an HTTP response to the first request; the default setting is 5.

The Audit requestor thread count can be set to a maximum of 50; the default setting is 10. Increasing the thread counts may increase the speed of a scan, but might also exhaust your system resources as well as those of the server you are scanning.

Note: Depending on the capacity of the application being scanned, increasing thread counts may increase request failures due to increased load on the server, causing some responses to exceed the Request timeout setting. Request failures may reduce scan coverage because the responses that failed may have exposed additional attack surface or revealed vulnerabilities. If you notice increased request failures, you might reduce them by either increasing the Request timeout or reducing the Crawl requestor thread count and Audit requestor thread count.

Also, depending on the nature of the application being scanned, higher crawl thread counts may reduce consistency between successive scans of the same site, because the crawl requests are issued in a different order each time. Reducing the Crawl requestor thread count from its default to 1 may increase consistency.

Requestor Settings

The Requestor Settings options are described in the following table.

Option Description
Limit maximum response size to

Select this option to limit the size of accepted server responses, and then specify the maximum size (in kilobytes). The default is 1000 kilobytes. Note that Flash files (.swf) and JavaScript "include" files are not subject to this limitation.

Request retry count

Specify how many times Fortify WebInspect will resubmit an HTTP request after receiving a "failed" response (which is defined as any socket error or request timeout). The value must be greater than zero.

Request timeout

Specify how long Fortify WebInspect will wait for an HTTP response from the server. If this threshold is exceeded, Fortify WebInspect resubmits the request until reaching the retry count. If it then receives no response, Fortify WebInspect logs the timeout and issues the first HTTP request in the next attack series. The default value is 20 seconds.

Note: The first time a timeout occurs, Fortify WebInspect will extend the timeout period to confirm that the server is unresponsive. If the server responds within the extended Request timeout period, then the extended period becomes the new Request timeout for the current scan.

Stop Scan if Loss of Connectivity Detected

There may be occasions during a scan when a Web server fails or becomes too busy to respond in a timely manner. You can instruct Fortify WebInspect to terminate a scan by specifying a threshold for the number of timeouts.

The options are described in the following table.

Option Description
Consecutive "single host" retry failures to stop scan

Enter the number of consecutive timeouts permitted from one specific server. The default value is 75.

Consecutive "any host" retry failures to stop scan

Enter the total number of consecutive timeouts permitted from all hosts. The default value is 150.

Nonconsecutive "single host" retry failures to stop scan

Enter the total number of nonconsecutive timeouts permitted from a single host. The default value is "unlimited."

Nonconsecutive "any host" retry failures to stop scan

Enter the total number of nonconsecutive timeouts permitted from all hosts. The default value is 350.

If first request fails, stop scan

Selecting this option will force Fortify WebInspect to terminate the scan if the target server does not respond to Fortify WebInspect's first request.

Response codes to stop scan if received

Enter the HTTP status codes that, if received, will force Fortify WebInspect to terminate the scan. Use a comma to separate entries; use a hyphen to specify an inclusive range of codes.
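As an added example (not WebInspect's own code), the following Python models how the stop-scan thresholds in the table above interact with each other and with the retry behaviour described under Requestor Settings: a monitor is fed each request's final outcome, where a status of None stands for a request that still failed after the Request retry count was exhausted, and a helper parses the comma-and-hyphen response-code list. The host names and status values used are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

def parse_stop_codes(spec: str) -> set:
    """'500,502-504' -> {500, 502, 503, 504}: comma list, hyphen = inclusive range."""
    codes = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


@dataclass
class ConnectivityMonitor:
    """Illustrative model of the stop-scan thresholds; None means 'unlimited'."""
    single_consecutive: Optional[int] = 75      # defaults from the table above
    any_consecutive: Optional[int] = 150
    single_total: Optional[int] = None
    any_total: Optional[int] = 350
    stop_on_first_failure: bool = False
    stop_codes: set = field(default_factory=set)
    requests: int = field(default=0, init=False)
    any_streak: int = field(default=0, init=False)
    any_failures: int = field(default=0, init=False)
    host_streak: dict = field(default_factory=lambda: defaultdict(int), init=False)
    host_failures: dict = field(default_factory=lambda: defaultdict(int), init=False)

    def record(self, host: str, status: Optional[int]) -> Optional[str]:
        """Record a request's final outcome (None = all retries timed out); return a stop reason or None."""
        self.requests += 1
        if status is not None:
            self.any_streak = self.host_streak[host] = 0  # a response ends both streaks
            return f"response code {status}" if status in self.stop_codes else None
        if self.requests == 1 and self.stop_on_first_failure:
            return "first request failed"
        self.any_streak += 1
        self.any_failures += 1
        self.host_streak[host] += 1
        self.host_failures[host] += 1
        for limit, count, label in (
            (self.single_consecutive, self.host_streak[host], "consecutive single-host"),
            (self.any_consecutive, self.any_streak, "consecutive any-host"),
            (self.single_total, self.host_failures[host], "nonconsecutive single-host"),
            (self.any_total, self.any_failures, "nonconsecutive any-host"),
        ):
            if limit is not None and count >= limit:
                return f"{label} retry failures reached {limit}"
        return None
```

Note that a response from one host clears that host's consecutive count and the any-host consecutive count, but never the nonconsecutive totals, which is why the nonconsecutive limits are the ones that catch an intermittently failing server.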


See Also

Scan Settings: Allowed Hosts

Scan Settings: Authentication

Scan Settings: Cookies/Headers

Scan Settings: Custom Parameters

Scan Settings: File Not Found

Scan Settings: Filters

Scan Settings: General

Scan Settings: HTTP Parsing

Scan Settings: JavaScript

Scan Settings: Method

Scan Settings: Policy

Scan Settings: Proxy

Scan Settings: Session Exclusions

Scan Settings: User Agent