Interactive Scans

Web applications using certain types of anti-scanning technology, such as CAPTCHA, require an interactive scan configuration in WebInspect. In an interactive scan, you are presented with a browser window asking for user input for authentication. You can configure an automated interactive scan that will pause only when an input field is encountered. This pause affects only the Requestor thread that encounters the input field. The remaining threads are unaffected.

Interactive scan configuration works for CAPTCHA, RSA ID token fields, virtual PIN pads, virtual keyboards, and common access card (CAC) readers where the PIN or input is dynamic and changes.

Tip: For websites that use a CAC reader with a static PIN, you can configure the scan to use CAC certificates. See one of the following topics:

Note: Two-factor authentication does not require an interactive scan. You can configure fully-automated scans using two-factor authentication. For more information, see Using Two-factor Authentication.

Configuring an Interactive Scan

The following stages describe the process for configuring an interactive scan.

Stage 1

Prepare the Web Forms input file as follows:

  1. Record or enter the field name into the Web Form Editor tool.

  2. Right-click the form name and select Mark As Interactive.

  3. Save the Web Forms input file.

For more information, see the Web Form Editor chapter in the Micro Focus Fortify WebInspect Tools Guide.

Stage 2

Are you using a client-side certificate that requires a dynamic PIN?

  • If yes, launch Internet Explorer and ensure that the client-side certificate is listed or manually import it.

    This action temporarily loads the certificate into the Windows certificate store.

    Note: Plugging in the hardware token and entering the requested PIN may do this automatically.

  • If no, skip to Stage 3.

Stage 3

Configure the scan method for interactive scan mode as follows:

  1. Open the Scan Settings: Method window.

  2. In the Auto fill web forms field, specify the Web Forms input file you created in Stage 1.

  3. Select the Prompt for web form values during scan (interactive mode) check box.

  4. Select the Only prompt for tagged inputs check box.

    Note: If this final check box is not selected, you will be prompted for all inputs encountered on the site.

Stage 4

Are you using a client-side certificate that requires a dynamic PIN?

  • If yes, configure authentication to use the client-side certificate:

    1. Open the Scan Settings: Authentication window.

    2. In the Client Certificates area, select the Enable check box and browse to select the user's certificate.

    Note: Fortify WebInspect uses this certificate until the PIN prompt times out without the requested PIN being entered, or until the hardware token is removed and Windows drops the certificate from the store.

  • If no, skip to Stage 5.

Stage 5

Save the scan settings and use them in a Fortify WebInspect scan.

Important! You must watch for the pop-ups to enter the form value as needed.
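Before the Stage 2 and Stage 4 steps hand the certificate to WebInspect, it is worth confirming from the command line that the token's certificate really is in the current user's Windows store with a usable private key. The following PowerShell check is an added example, not part of the WebInspect documentation; the Test-ClientAuthCertificate function name and the subject filter placeholder are assumptions.

```powershell
# Added example (not WebInspect code): list client-authentication certificates
# in Cert:\CurrentUser\My that have a private key and are currently valid.
# The SubjectFilter default is a placeholder; narrow it to your own CAC/token.
function Test-ClientAuthCertificate {
    param(
        [string]$SubjectFilter = '*'   # placeholder, e.g. '*DOE.JOHN*'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    $certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        # Certificates without an EKU extension are treated as not client-auth here.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

        $cert.Subject -like $SubjectFilter -and
        $cert.HasPrivateKey -and
        $cert.NotBefore -le $now -and $cert.NotAfter -ge $now -and
        ($purposes -contains $clientAuthOid)
    }

    if (-not $certs) {
        Write-Warning 'No valid client-authentication certificate with a private key in Cert:\CurrentUser\My.'
        Write-Warning 'Insert the hardware token and enter its PIN, or import the certificate (Stage 2), then re-run.'
        return
    }

    foreach ($cert in $certs) {
        # Verify() builds the chain and checks revocation; a failure usually
        # means the issuing CA is not trusted on this machine.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            ChainVerified = $cert.Verify()
        }
    }
}

Test-ClientAuthCertificate | Format-Table -AutoSize
```

If the list is empty after the token PIN has been entered, WebInspect will not be able to present the certificate either, so resolve that before saving the scan settings in Stage 5.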