Using the Mobile Scan Template
Using the Mobile Scan template to create a mobile Web site scan allows you to scan the mobile version of a Web site using the desktop version of your browser from within Fortify WebInspect or Fortify WebInspect Enterprise.
A Mobile Scan is nearly identical to a Web site scan and mirrors the settings options you will find when using one of the Predefined templates to do a Standard, Thorough, or Quick scan. The only difference is that you need to select a user agent header to allow your browser to emulate a mobile browser.
Fortify WebInspect and Fortify WebInspect Enterprise come with four mobile user agent options to choose from, but you can create a custom option with a user agent for another version of Android, Windows Phone, or another mobile device. For information about creating a user agent header, see Creating a Custom User Agent Header.
Recommendation
Fortify recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the Fortify WebInspect host.
Launching a Mobile Scan
To launch a Mobile Scan:
1. Start a Guided Scan:
   - For Fortify WebInspect, click Start a Guided Scan on the Fortify WebInspect Start page.
   - For Fortify WebInspect Enterprise, click Guided Scan under Actions on the Web Console.
2. Select Mobile Scan from the Mobile Templates section.
3. Click the Mobile Client icon in the tool bar.
4. Select the Rendering Engine you want to use. The rendering engine you select determines which Web Macro Recorder is opened when recording a new macro or editing an existing macro while configuring a Guided Scan. The rendering engine options are:
   - Session-based – Selecting this option designates the Session-based Web Macro Recorder, which uses Internet Explorer browser technology.
   - Macro Engine 7.1 (recommended) – Selecting this option designates the Web Macro Recorder with Macro Engine 7.1, which uses TruClient and Firefox technology.
5. Select the User Agent that represents the agent string you want your rendering engine to present to the site. If you created your own user agent string, it appears as Custom. If the user agent is not listed, you can create a custom user agent. See Creating a Custom User Agent Header.
The Guided Scan wizard displays the first step in the Native Mobile Stage: Verify Web Site.
Creating a Custom User Agent Header
Fortify WebInspect and Fortify WebInspect Enterprise include user agents for Android, Windows, and iOS devices. If you are using one of these options, you do not need to create a custom user agent header. If you want your Web browser to identify itself as a different mobile device or a specific OS version, create a custom user agent header.
To create a custom user agent:
1. Click the Advanced icon in the Guided Scan tool bar.
   The Scan Settings window appears.
2. In the Scan Settings column, select Cookies/Headers.
3. In the Append Custom Headers section of the settings area, double-click the User-Agent string.
   The Specify Custom Header box appears.
4. Type User-Agent: followed by the user agent header string for the desired device.
5. Click OK.
The new custom user agent is now available to select as your Mobile Client.
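As an added example (not Fortify's own code, and not a description of how WebInspect stores the setting internally), the following Python shows how a "User-Agent: <string>" line of the kind typed into Append Custom Headers can be split into a header name and value and checked before it is sent. A value containing a carriage return or line feed would smuggle a second header into every request, so it is rejected, and a custom User-Agent is merged over the default one case-insensitively rather than being sent twice; that merge-by-replacement rule is this example's own choice, not a documented WebInspect behaviour. The Android user agent string is a constructed sample.

```python
"""Added example, not Fortify's own code: validating and merging the
"Name: value" entries typed into Append Custom Headers."""
import re

# RFC 7230 token characters allowed in a header name.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

# Constructed sample of the line a user would type for a custom mobile device.
SAMPLE_ENTRY = ("User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Mobile Safari/537.36")


def parse_custom_header(line: str) -> tuple:
    """Split 'Name: value' into (name, value).

    Rejects anything that would not form exactly one well-formed header:
    a missing name or value, a name with characters outside the token set,
    or CR/LF inside the line (which would inject an extra header)."""
    if "\r" in line or "\n" in line:
        raise ValueError("header entry must be a single line")
    name, sep, value = line.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not name or not value:
        raise ValueError("expected the form 'Name: value'")
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name {name!r}")
    return name, value


def is_valid_custom_header(line: str) -> bool:
    """True if parse_custom_header() accepts the entry."""
    try:
        parse_custom_header(line)
    except ValueError:
        return False
    return True


def build_headers(custom_entries, defaults=None) -> dict:
    """Merge custom entries over default request headers.

    Header names are case-insensitive, so a custom 'User-Agent' replaces a
    default 'user-agent' instead of producing two User-Agent headers
    (this replacement rule is the example's assumption, not a documented
    WebInspect behaviour)."""
    headers = dict(defaults or {})
    for entry in custom_entries:
        name, value = parse_custom_header(entry)
        for existing in [k for k in headers if k.lower() == name.lower()]:
            del headers[existing]
        headers[name] = value
    return headers


if __name__ == "__main__":
    print(build_headers([SAMPLE_ENTRY], {"user-agent": "Desktop/1.0", "Accept": "*/*"}))
```

The token check matters because the dialog accepts free text: a stray space or colon in the name, or a pasted string that carries a line break, silently produces a malformed or extra header on every request the scan sends.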
About the Site Stage
During the Site stage, you will:
- Verify the Web site you want to scan
- Choose a scan type
Verifying Your Web Site
To verify your Web site:
1. In the Start URL box, type or select the complete URL or IP address of the site to scan.
   If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify WebInspect or Fortify WebInspect Enterprise will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the Allowed Hosts setting).
   An invalid URL or IP address results in an error. If you want to scan from a certain point in your hierarchical tree, append a starting point for the scan, such as http://www.myserver.com/myapplication/.
   Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative paths).
   Fortify WebInspect and Fortify WebInspect Enterprise support both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.
   Note: Fortify WebInspect supports IPv6 addresses in Web site and Web service scans. When you specify the Start URL, you must enclose the IPv6 address in brackets. For example:
   - http://[::1]
     Fortify WebInspect scans "localhost."
   - http://[fe80::20c:29ff:fe32:bae1]/subfolder/
     Fortify WebInspect scans the host at the specified address starting in the "subfolder" directory.
   - http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
     Fortify WebInspect scans a server running on port 8080 starting in "subfolder."
2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and then select one of the following options from the list:
   - Directory only (self). Fortify WebInspect and Fortify WebInspect Enterprise will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify WebInspect or Fortify WebInspect Enterprise will assess only the "two" directory.
   - Directory and subdirectories. Fortify WebInspect or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.
   - Directory and parent directories. Fortify WebInspect or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.
   For information about limitations of the Restrict to Folder scan option, see Restrict to Folder Limitations.
3. Click Verify.
   If the Web site is set up to be authenticated with a client certificate using a common access card (CAC), Guided Scan prompts you with the following message:
   The site <URL> is requesting a client certificate. Would you like to configure one now?
   To configure a client certificate using a CAC:
   1. Click Yes.
      The Select a Client Certificate window appears.
   2. Under Certificate Store, select Current User.
      A list of available certificates appears in the Certificate area.
   3. Locate and select a certificate that is prefixed with "(SmartCard)".
      Details about the certificate and a PIN field appear in the Certificate Information area.
   4. If a PIN is required, type the PIN for the CAC in the PIN field, and then click Test.
      Note: If a PIN is required and you do not enter the PIN at this point, you must enter the PIN in the Windows Security window each time it prompts you for it during the scan.
4. If you must access the target site through a proxy server, click Proxy in the lower left of the main screen to display the Proxy Settings area, and then select an option from the Proxy Settings list:
   - Direct Connection (proxy disabled)
   - Auto detect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.
   - Use System proxy settings: Import your proxy server information from the local machine.
   - Use Firefox proxy settings: Import your proxy server information from Firefox.
   - Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC file.
   - Explicitly configure proxy settings: Specify proxy server settings as indicated. If you select this option, enter the proxy information in the fields provided.
   Note: Electing to use browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server is not used.
   When a screenshot of the Web site or directory structure appears, you have successfully verified your connection to the Start URL.
5. Click Next.
   The Choose Scan Type window appears.
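The Start URL rules above (an exact host match unless Allowed Hosts says otherwise, bracketed IPv6 literals, and the three Restrict to Folder modes) can be made concrete in a small scope checker. The following Python is an added example written for this page, not Fortify's code and not a description of WebInspect's internal scope logic; it generalizes the single www.mycompany/one/two/ case to all three modes and treats Allowed Hosts entries as regular expressions matched against the whole host name, which is this example's reading of "a regular expression representing a URL". Host and URL values are constructed samples, and the "IP-address scans do not pursue fully qualified links" rule is not modelled.

```python
"""Added example, not Fortify's own code: interpreting a Start URL the way
this page describes -- exact host matching (with optional Allowed Hosts
patterns), bracketed IPv6 literals, and the three Restrict to Folder modes."""
import re
from urllib.parse import urlsplit


def directory_of(path: str) -> str:
    """Directory part of a URL path, always slash-terminated:
    '' -> '/', '/one/two/' -> '/one/two/', '/one/two/page.aspx' -> '/one/two/'."""
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/"


def parse_start_url(url: str) -> dict:
    """Return the host, port and starting directory of a Start URL.

    IPv6 literals must be bracketed (http://[::1]:8080/app/); urlsplit()
    strips the brackets when exposing .hostname. An unbracketed literal such
    as http://::1/ yields no parseable host (and an unparseable port) and is
    rejected, mirroring the requirement on this page."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    try:
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError as exc:
        raise ValueError(f"invalid host or port in {url!r}") from exc
    if not host:
        raise ValueError(f"missing host in {url!r}")
    return {"host": host.lower(), "port": port, "directory": directory_of(parts.path)}


def is_valid_start_url(url: str) -> bool:
    """True if parse_start_url() accepts the URL."""
    try:
        parse_start_url(url)
    except ValueError:
        return False
    return True


def in_scope(start_url: str, candidate_url: str, restrict=None, allowed_hosts=()) -> bool:
    """Decide whether a discovered URL may be crawled/audited.

    restrict is None (Restrict to Folder unchecked), "self" (Directory only),
    "subdirectories" (Directory and subdirectories) or "parents" (Directory
    and parent directories). Directories are compared with their trailing
    slash, so /one/two/ never matches /one/twofer/ by accident."""
    start, cand = parse_start_url(start_url), parse_start_url(candidate_url)
    if cand["host"] != start["host"]:
        # MYCOMPANY.COM does not cover WWW.MYCOMPANY.COM; another host is in
        # scope only if an Allowed Hosts pattern covers it (assumed regex,
        # matched against the whole host name, case-insensitively).
        return any(re.fullmatch(p, cand["host"], re.IGNORECASE) for p in allowed_hosts)
    if cand["port"] != start["port"]:
        return False
    s, c = start["directory"], cand["directory"]
    if restrict is None:
        return True
    if restrict == "self":
        return c == s
    if restrict == "subdirectories":
        return c.startswith(s)
    if restrict == "parents":
        return s.startswith(c)
    raise ValueError(f"unknown restrict mode {restrict!r}")


if __name__ == "__main__":
    start = "http://www.mycompany.com/one/two/"   # constructed sample
    for mode in (None, "self", "subdirectories", "parents"):
        print(mode, in_scope(start, "http://www.mycompany.com/one/two/three/x", mode))
```

Note that the scope decision is made on the directory, not the full path, which is why a resource such as /one/two/page.aspx is inside "Directory only (self)" while /one/two/three/ is not.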
Choosing a Scan Type
1. Type a name for your scan in the Scan Name box.
2. Select one of the following scan types:
   - Standard: Fortify WebInspect or Fortify WebInspect Enterprise performs an automated analysis, starting from the target URL. This is the normal way to start a scan.
   - Workflows: If you select this option, an additional Workflows stage is added to the Guided Scan.
3. In the Scan Method area, select one of the following scan methods:
   - Crawl Only: This option completely maps a site's hierarchical data structure. After a crawl has been completed, you can click Audit to assess an application's vulnerabilities.
   - Crawl and Audit: Fortify WebInspect or Fortify WebInspect Enterprise maps the site's hierarchical data structure and audits each resource (page). Depending on the default settings you select, the audit can be conducted as each resource is discovered or after the entire site is crawled. For information regarding simultaneous vs. sequential crawl and audit, see Crawl and Audit Mode.
   - Audit Only: Fortify WebInspect or Fortify WebInspect Enterprise applies the methodologies of the selected policy to determine vulnerability risks, but does not crawl the Web site. No links on the site are followed or assessed.
4. In the Policy area, select a policy from the Policy list. For information about managing policies, see the Policy Manager chapter in the Micro Focus Fortify WebInspect Tools Guide.
5. In the Crawl Coverage area, select the level of coverage you want using the Crawl Coverage slider. For more information on crawl coverage levels, see Coverage and Thoroughness.
6. In the Single-Page Applications area, select an option for crawling and auditing single-page applications (SPAs). When enabled, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events. Options for Single-Page Applications are:
   - Automatic - If Fortify WebInspect detects a SPA framework, it automatically switches to SPA-support mode.
   - Enabled - Indicates that SPA frameworks are used in the target application.
     Caution! SPA support should be enabled for single-page applications only. Enabling SPA support to scan a non-SPA Web site will result in a slow scan.
   - Disabled - Indicates that SPA frameworks are not used in the target application.
   For more information, see About Single-page Application Scans.
7. Click the Next button.
   The Login stage appears with Network Authentication highlighted in the left pane.
About the Login Stage
If the application you intend to scan requires login credentials, you can use the login stage to either select a pre-existing login macro or record one for use with the scan.
If your application does not require login credentials, you can skip this section of the Guided Scan wizard by clicking through the options without assigning values, or clicking Application in the Guided Scan tree to skip to the next stage.
In this stage you can:
- Configure network authentication
- Configure application authentication
- Create or assign a login macro
Network Authentication Step
If your application requires either network or application level authentication, you can assign it here.
Configuring Network Authentication
If your network requires user authentication, you can configure it here. If your network does not require user authentication, click the Next navigation button or the next appropriate step in the Guided Scan tree to continue on.
To configure network authentication:
1. Select the Network Authentication check box.
2. Select a Method from the drop-down list of authentication methods. The authentication methods are:
   - ADFS CBT
   - Automatic
   - Basic
   - Digest
   - Kerberos
   - Negotiate
   - NT LAN Manager (NTLM)
3. To use a client certificate for network authentication, select Client Certificate.
   Note: You can add a client certificate to a Windows phone, but the only way to subsequently remove it is to restore the phone to its default settings.
4. In the Certificate Store area, select one of the following, and then select either the My or Root radio button:
   - Local Machine. Fortify WebInspect uses a certificate on the local machine based on your selection in the Certificate Store area.
   - Current User. Fortify WebInspect uses a certificate for the current user based on your selection in the Certificate Store area.
5. To view certificate details in the Certificate Information area, select a certificate.
6. Click the Next button.
   The Application Authentication page appears.
Application Authentication Step
If your site requires authentication, you can use this step to create, select, or edit a login macro to automate the login process and increase the coverage of your site. A login macro is a recording of the activity that is required to access and log in to your application, typically by entering a user name and password and clicking a button such as Log In or Log On.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the log in is successful. If the macro is invalid and fails to log in to the application, the scan stops and an error message is written in the scan log file. For more information and troubleshooting tips, see Testing Login Macros.
Important! If you use a macro that includes Two-factor Authentication, then you must configure the Two-factor Authentication Application settings before starting the scan. For more information, see Application Settings: Two-Factor Authentication.
The following options are available for login macros:
Masked Values Supported
If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Guided Scan in Fortify WebInspect.
Using a Login Macro without Privilege Escalation
To use a login macro:
1. Select the Use a login macro for this site check box.
2. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.
3. Click the Next button.
   If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
Using Login Macros for Privilege Escalation
If you selected the Privilege Escalation policy or another policy that includes enabled Privilege Escalation checks, at least one login macro for a high-privilege user account is required. For more information, see About Privilege Escalation Scans.
To use login macros:
1. Select the High-Privilege User Account Login Macro check box. This login macro is for the higher-privilege user account, such as a Site Administrator or Moderator account.
2. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.
   After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege Login Macro" prompt appears.
3. Do one of the following:
   - To perform the scan in authenticated mode, click Yes. For more information, see About Privilege Escalation Scans.
     Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege login macro. Continue to Step 4.
   - To perform the scan in unauthenticated mode, click No. For more information, see About Privilege Escalation Scans.
     The Application Authentication step is complete. If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
4. Select the Low-Privilege User Account Login Macro check box. This login macro is for the lower-privilege user account, such as a viewer or consumer of the site content.
5. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.
6. After recording or selecting the second macro, click the Next button.
   If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
Using a Login Macro when Connected to Fortify WebInspect Enterprise
For a Fortify WebInspect that is connected to Fortify WebInspect Enterprise, you can download and use a login macro from the Fortify WebInspect Enterprise macro repository.
To download a macro:
1. Select the Use a login macro for this site check box.
2. Click Download.
   The Download a Macro from Fortify WebInspect Enterprise window appears.
3. Select the Application and Version from the drop-down lists.
4. Select a repository macro from the Macro drop-down list.
5. Click OK.
Note: Selecting a repository macro automatically syncs the Application and Version on the Final Review page under Automatically Upload Scan to WIE.
Automatically Creating a Login Macro
You can enter a username and password and have Fortify WebInspect create a login macro automatically.
Note: You cannot automatically create login macros for privilege-escalation and multi-user login scans or for any scan using the Session-based rendering engine.
To automatically create a login macro:
1. Select Auto-gen Login Macro.
2. Type a username in the Username field.
3. Type a password in the Password field.
   Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before advancing to the next stage in the Guided Scan wizard. If you need to cancel the validation test prior to completion, click Cancel.
   If the macro is invalid and fails to log in to the application, an error message appears. For more information and troubleshooting tips, see Testing Login Macros.
About the Workflows Stage
The Workflows stage only appears if you selected Workflows as the Scan Type in the Site stage. If you chose Standard, the Workflows stage will not appear.
You can create a Workflow macro to ensure Fortify WebInspect audits the pages you specify in the macro. Fortify WebInspect audits only those URLs included in the macro and does not follow any hyperlinks encountered during the audit.
You can create multiple Workflow macros; one for each use case on your site. A logout signature is not required. This type of macro is used most often to focus on a particular subsection of the application. If you select multiple macros, they will all be included in the same scan. In addition to allowing you to select multiple macros, you can also import Burp proxy captures and .har files, and add them to your scan.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or both, all macros must be of the same type: all .webmacro files or all Burp Proxy captures or all .har files. You cannot use different types of macros in the same scan.
To complete the Workflows settings, click any of the following in the Workflows table:
- Record. Opens the Web Macro Recorder, allowing you to create a macro.
- Edit. Opens the Web Macro Recorder and loads the selected macro.
- Delete. Removes the selected macro from the table (but does not delete it from your disk).
- Import. Opens a standard file-selection window, allowing you to select a previously recorded .webmacro file, Burp Proxy capture, or .har file.
  Note: If you have installed Micro Focus Unified Functional Testing (UFT) on your computer, Fortify WebInspect detects this automatically and displays an option to import a UFT .usr file. For more information, see Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan.
- Export. Opens a standard file-selection window, allowing you to save a recorded macro. After a macro is selected or recorded, you may optionally specify allowed hosts.
After you specify and play a workflow macro, it appears in the Workflows table and its Allowed Hosts are added to the Guided Scan > Workflows > Manage Workflows page. You can enable or disable access to particular hosts. For more information, see Scan Settings: Allowed Hosts.
Adding Burp Proxy Results
If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a Workflows macro, reducing the time it would otherwise take to rescan the same areas.
To add Burp Proxy results to a workflow macro:
1. If you are not on the Workflows screen, click the Manage Workflows step in the Guided Scan tree.
2. Click the Import button.
   The Import Macro file selector appears.
3. Change the file type box filter from Web Macro (*.webmacro) to Burp Proxy (*.*).
4. Navigate to your Burp Proxy files and select the desired file.
5. Click Open.
About the Active Learning Stage
During the Active Learning stage, you will:
- Run the WebInspect Profiler to see if any settings need to be modified.
- Set scan optimization options if necessary.
Using the Profiler
The WebInspect Profiler conducts a preliminary examination of the target Web site to determine if certain settings should be modified. If changes appear to be required, the Profiler returns a list of suggestions, which you may accept or reject.
For example, the Profiler may detect that authorization is required to enter the site, but you have not specified a valid user name and password. Rather than proceed with a scan that would return significantly diminished results, you could follow the Profiler’s suggestion to configure the required information before continuing.
Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found" detection. This process is useful for Web sites that do not return a status "404 Not Found" when a client requests a resource that does not exist (they may instead return a status "200 OK," but the response contains a message that the file cannot be found). If the Profiler determines that such a scheme has been implemented in the target site, it would suggest that you modify the Fortify WebInspect setting to accommodate this feature.
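The "file-not-found" scheme described above is easy to miss during a crawl: every request succeeds with 200 OK, so the scanner would record hundreds of phantom resources unless it learns what the site's custom not-found page looks like. The following Python is an added example written for this page, not Fortify's code and not a description of how the Profiler or WebInspect's own file-not-found detection is implemented. It requests two random paths that cannot exist, compares the responses, and derives a signature that later 200 responses can be checked against. The two `*_fetch` functions stand in for HTTP GET against a constructed in-memory site, so the block runs offline.

```python
"""Added example, not Fortify's own code: detecting a site that answers
200 OK with a custom "not found" page instead of 404, the scheme the
file-not-found detection setting accommodates."""
import re
import secrets
from difflib import SequenceMatcher

# Constructed sample site: real pages plus a custom not-found page that the
# server returns with status 200 for every unknown path.
_PAGES = {
    "/": "<html><body><h1>Welcome</h1><p>Home page</p></body></html>",
    "/about": "<html><body><h1>About us</h1><p>Company info</p></body></html>",
}
_NOT_FOUND = "<html><body><h1>Oops</h1><p>The page {path} could not be found.</p></body></html>"


def soft_404_fetch(path: str):
    """Stand-in for HTTP GET against the constructed site: (status, body)."""
    if path in _PAGES:
        return 200, _PAGES[path]
    return 200, _NOT_FOUND.format(path=path)


def strict_fetch(path: str):
    """Stand-in for a site that uses real 404 status codes."""
    if path in _PAGES:
        return 200, _PAGES[path]
    return 404, "<html><body><h1>Not Found</h1></body></html>"


def _normalize(body: str) -> str:
    """Strip tags, replace path-like tokens (the echoed request path) with a
    placeholder and collapse whitespace so two not-found pages compare equal."""
    text = re.sub(r"<[^>]+>", " ", body)
    return " ".join("PATH" if "/" in tok else tok for tok in text.split())


def detect_soft_404(fetch, threshold: float = 0.9) -> dict:
    """Request two random paths that cannot exist. Real 404s mean no special
    handling is needed; two 200 responses with near-identical bodies mean the
    site has a custom not-found page, and its normalized text becomes the
    signature used to recognise that page later in the crawl."""
    probes = [f"/{secrets.token_hex(8)}" for _ in range(2)]
    (status_a, body_a), (status_b, body_b) = (fetch(p) for p in probes)
    if status_a == 404 and status_b == 404:
        return {"soft_404": False, "signature": None}
    sig_a, sig_b = _normalize(body_a), _normalize(body_b)
    similar = SequenceMatcher(None, sig_a, sig_b).ratio() >= threshold
    if status_a == status_b == 200 and similar:
        return {"soft_404": True, "signature": sig_a}
    return {"soft_404": False, "signature": None}


def looks_like_not_found(body: str, signature: str, threshold: float = 0.9) -> bool:
    """Classify a 200 response seen during the crawl as the custom not-found
    page, so the scanner does not record it as a real resource."""
    return SequenceMatcher(None, _normalize(body), signature).ratio() >= threshold


if __name__ == "__main__":
    print(detect_soft_404(soft_404_fetch))
    print(detect_soft_404(strict_fetch))
```

Two probes rather than one are used so that a page which merely echoes the requested path is still recognised as the same template; the similarity threshold is the knob a practitioner tunes when a site inserts per-request content such as timestamps or request IDs into its error page.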
To launch the Profiler:
1. Click Profile.
   The Profiler runs. For more information, see Server Profiler.
   Results appear in the Optimize scan for box in the Settings section.
2. If necessary, provide any requested information.
3. Click the Next button.
Several options may be presented even if you do not run the Profiler, as described in the following sections.
Autofill Web Forms
Select Auto-fill Web forms during crawl if you want Fortify WebInspect to submit values for input controls on forms it encounters while scanning the target site. Fortify WebInspect will extract the values from a prepackaged default file or from a file that you create using the Web Form Editor. See the Web Form Editor chapter in the Micro Focus Fortify WebInspect Tools Guide. You may:
- Click the browse button to locate and load a file.
- Click Edit to edit the selected file (or the default values) using the Web Form Editor.
- Click Create to open the Web Form Editor and create a file.
Add Allowed Hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses multiple domains, add those domains here. For more information, see Scan Settings: Allowed Hosts.
To add allowed domains:
1. Click Add.
2. In the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and click OK.
Reuse Identified False Positives
Select scans containing vulnerabilities that were changed to false positives. If those false positives match vulnerabilities detected in this scan, the vulnerabilities will be changed to false positives. For more information, see False Positives.
To reuse identified false positives:
1. Select Import False Positives.
2. Click Select Scans.
3. Select one or more scans containing false positives from the same site you are now scanning.
4. Click OK.
Apply Sample Macro
Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login. If you scan this site, select Apply sample macro to run the prepackaged macro containing the login script.
Traffic Analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the HTTP requests issued by Fortify WebInspect and the responses returned by the target server.
While scanning a Web site, Fortify WebInspect displays in the navigation pane only those sessions that reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was discovered. However, if you select Enable Traffic Monitor, Fortify WebInspect adds the Traffic Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by Fortify WebInspect and the associated HTTP response received from the server.
Message
If the Profiler does not recommend changes, the Guided Scan wizard displays the message "No settings changes are recommended. Your current scan settings are optimal for this site."
Click Next.
The Final Review page appears with Configure Detailed Options highlighted in the left pane.
About the Settings Stage
To configure detailed options, specify any of the following settings.
Reuse Identified False Positives
Select the False Positives box to reuse false positives that Fortify WebInspect has already identified.
Traffic Analysis
- Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the HTTP requests issued by Fortify WebInspect and the responses returned by the target server.
  Web Proxy is a stand-alone, self-contained proxy server that you can configure and run on your desktop. Web Proxy allows you to monitor traffic from a scanner, a Web browser, or any other tool that submits HTTP requests and receives responses from a server. Web Proxy is a tool for debugging and penetration scans; you can view every request and server response while browsing a site.
- Select the Traffic Monitor box to display and review each HTTP request sent by Fortify WebInspect and the associated HTTP response received from the server.
  While scanning a Web site, Fortify WebInspect displays only those sessions that reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was discovered. If you select Enable Traffic Monitor, Fortify WebInspect allows you to display and review every HTTP request it sends and the associated HTTP response received from the server.
- Click Next.
  The Validate Settings and Start Scan page appears with Configure Detailed Options highlighted in the left pane.
Validate Settings and Start Scan
Options on this page allow you to save the current scan settings and, if WebInspect is integrated with WebInspect Enterprise, to interact with WebInspect Enterprise.
- To save your scan settings as an XML file, select Click here to save settings. Use the standard Save As window to name and save the file.
- If WebInspect is integrated with WebInspect Enterprise, a Templates section appears in the toolbar. Continue as follows.
  If you want to save the current scan settings as a template in the WebInspect Enterprise database:
  Note: When editing an existing template, the Save is actually an update. You can save any edits to settings and change the Template Name. However, you cannot change the Application, Version, or Global Template settings.
  1. Do one of the following:
     - Click Save in the Templates section of the toolbar.
     - Select Click here to save template.
     The Save Template window appears.
  2. Select an application from the Application drop-down list.
  3. Select an application version from the Version drop-down list.
  4. Type a name in the Template field.
  If you want to load scan settings from a template:
  1. Click Load in the Templates section of the toolbar.
     A confirmation message appears advising that your current scan settings will be lost.
  2. Click Yes.
     The Load Template window appears.
  3. Select an application from the Application drop-down list.
  4. Select an application version from the Version drop-down list.
  5. Select the template from the Template drop-down list.
  6. Click Load.
     Guided Scan returns to the Site stage for you to verify the Web site and step through the settings from the template.
- If WebInspect is integrated with WebInspect Enterprise, the WebInspect Enterprise section appears on this page. You can interact with WebInspect Enterprise as follows:
  1. Select an application from the Application drop-down list.
  2. Select an application version from the Version drop-down list.
  3. Continue as follows.
     To run the scan with a sensor in WebInspect Enterprise:
     1. Select Run in WebInspect Enterprise.
     2. Select a sensor from the Sensor drop-down list.
     3. Select a Priority for the scan.
     To run the scan in WebInspect:
     1. Select Run in WebInspect.
     2. If you want to automatically upload the scan results to the specified application and version in WebInspect Enterprise, select Auto Upload to WebInspect Enterprise.
        Note: If the scan does not complete successfully, it will not be uploaded to WebInspect Enterprise.
- In the Scan Now area, review your scan settings, and then click Start Scan to begin the scan.
Importing Micro Focus Unified Functional Testing (UFT) Files in a Guided Scan
If you have the Micro Focus Unified Functional Testing application installed, Fortify WebInspect detects it and allows you to import a UFT file (.usr) into your workflow scan to enhance the thoroughness and attack surface coverage of your scan. For more information, see Unified Functional Testing on the Micro Focus Web site.
To import a UFT (.usr) file into a Fortify WebInspect Guided Scan:
1. Launch a Guided Scan, and then select Workflows Scan as the Scan Type. Additional text appears under the Workflows scan option: Micro Focus Unified Functional Testing has been detected. You can import scripts to improve the thoroughness of your security test.
2. Click the Next button.
3. In the Authentication section, Application Authentication is automatically selected. Complete the fields as indicated.
4. On the Manage Workflows screen, click Import. The Import Scripts dialog box appears. On the Import Scripts dialog box, you may:
   - Type the filename.
   - Browse to locate your file with a .usr extension. Select Micro Focus Unified Functional Testing from the drop-down file type, and then navigate to the file.
   - Click Edit to launch the Micro Focus Unified Functional Testing application.
5. (Optional) On the Import Scripts dialog box, you may select either of the following options:
   - Show Micro Focus Unified Functional Testing UI during import
   - Open script result after import
6. Select the file to import, and then click Import. After your file is successfully imported, the file appears in the Workflows table.
7. Select one of the following from the Workflows table:
   - Record - launches the Web Macro Recorder. For more information, see the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.
   - Edit - allows you to modify the file using the Web Macro Recorder. See the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.
   - Delete - deletes the script from the Workflows table.
   - Import - imports another file.
   - Export - saves a file in .webmacro format with the name and location you specify.
8. Click the Next button.
   When the first .usr script file is added to the list, its name (or default name) appears in the Workflows table and an Allowed Hosts table is added to the pane. Adding another .usr script file can add more allowed hosts. Any host that is enabled is available to all the listed workflow .usr script files, not just the workflow .usr file for which it was added. The Guided Scan will play all the listed workflow files and make requests to all the listed allowed hosts, whether or not their check boxes are selected. If a check box for an allowed host is selected, Fortify WebInspect will crawl or audit the responses from that host. If a check box is not selected, Fortify WebInspect will not crawl or audit the responses from that host. In addition, if a particular workflow .usr script uses parameters, a Macro Parameters table is displayed when that workflow macro is selected in the list. Edit the values of the parameters as needed.
9. After you have completed changes or additions to the Workflows table, proceed in the Guided Scan wizard to complete your settings and run the scan. For more information about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the Micro Focus Fortify WebInspect Tools Guide.