Running a Basic Scan (Web Site Scan)

The options displayed by default on this and subsequent windows are extracted from the Fortify WebInspect default settings. Any changes you make will be used for this scan only. If you click Settings (Default) at the bottom of the window to access the full complement of Fortify WebInspect settings, any selections you make are also temporary. To change the default settings, you must select Default Scan Settings from the Edit menu. For more information, see Default Scan Settings.

Recommendation

Fortify recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the Fortify WebInspect host.

Basic Scan Options

  1. In the Scan Name box, enter a name or brief description of the scan.

  2. Select one of the following scan modes:

    • Crawl Only: Completely map a site's hierarchical data structure. After a crawl has been completed, you can click Audit to assess an application’s vulnerabilities.

    • Crawl and Audit: Map the site's hierarchical data structure and audit each resource (page). Depending on the default settings you select, the audit can be conducted as each resource is discovered or after the entire site is crawled. For information regarding simultaneous vs. sequential crawl and audit, see Crawl and Audit Mode.

    • Audit Only: Apply the methodologies of the selected policy to determine vulnerability risks, but do not crawl the Web site. No links on the site are followed or assessed.

    • Manual: Allows you to navigate manually to whatever sections of your application you choose to visit, using TruClient with Firefox. Fortify WebInspect does not crawl the entire site, but records information only about those resources that you encounter while manually navigating the site. This feature is used most often to enter a site through a Web form logon page or to define a discrete subset or portion of the application that you want to investigate. Once you finish navigating through the site, you can audit the results to assess the security vulnerabilities related to that portion of the site that you recorded.

      Note: Manual mode is not available when scheduling a scan.

  3. Select a rendering engine from the Rendering Engine drop-down list. The rendering engine you select determines which Web Macro Recorder is opened when recording a new macro or editing an existing macro while configuring a scan. Options are as follows:

    • Macro Engine 7.1 (recommended) – Selecting this option designates the Web Macro Recorder with Macro Engine 7.1, which uses TruClient with Firefox technology.

    • Session-based – Selecting this option designates the Session-based Web Macro Recorder, which uses Internet Explorer browser technology.

    Note: You cannot configure the Rendering Engine for Manual mode. Manual mode uses the TruClient with Firefox technology.

  4. Select one of the following scan types:

    • Standard Scan: Perform an automated analysis, starting from the target URL. This is the normal way to start a scan.

    • Manual Scan (also known as Step Mode): Allows you to navigate manually to whatever sections of your application you choose to visit, using TruClient with Firefox. This choice appears only if you select the Manual scan mode.

    • List-Driven Scan: Perform a scan using a list of URLs to be scanned. Each URL must be fully qualified and must include the protocol (for example, http:// or https://). You can use a text file formatted as a comma-separated list or with one URL per line.

      • To import a list, click Import.

      • To build or edit a list using the Site List Editor, click Manage. For more information, see Using the Site List Editor.

    • Workflow-Driven Scan: Audits only those URLs included in the macro that you previously recorded and does not follow any hyperlinks encountered during the audit. A logout signature is not required. This type of macro is used most often to focus on a particular subsection of the application. If you select multiple macros, they will all be included in the same scan. You can use .webmacro files, Burp Proxy captures, or .har files. For more information, see Selecting a Workflow Macro.

      Important! If you use a login macro in conjunction with a workflow macro or startup macro or both, all macros must be of the same type: all .webmacro files or all Burp Proxy captures or all .har files. You cannot use different types of macros in the same scan.

  5. Continue according to the following table.

    If you selected... Then follow these instructions...
    Standard Scan
    1. In the Start URL box, type or select the complete URL or IP address of the site you want to examine.

      If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, Fortify WebInspect will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the Allowed Hosts setting).

      An invalid URL or IP address will result in an error. If you want to scan from a certain point in your hierarchical tree, append a starting point for the scan, such as http://www.myserver.com/myapplication/.

      Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative paths).

      Fortify WebInspect supports both Internet Protocol version 4 (IPV4) and Internet Protocol version 6 (IPV6). IPV6 addresses must be enclosed in brackets. For more information, see Internet Protocol Version 6.

    2. If you select Restrict to folder, you can limit the scope of the scan to the area you choose from the drop-down list. The choices are:

      • Directory only - Fortify WebInspect will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, Fortify WebInspect will assess only the "two" directory.

      • Directory and subdirectories - Fortify WebInspect will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.

      • Directory and parent directories - Fortify WebInspect will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.

      For information about limitations to the Restrict to folder scan option, see Restrict to Folder Limitations.

    Manual Scan

    Enter a Start URL and, if desired, select Restrict to folder. See Standard Scan described previously.

    Note: You cannot configure the Rendering Engine for Manual mode. Manual mode uses the TruClient with Firefox technology.

    List-Driven Scan

    Do one of the following:

    • Click Import and select a text file or XML file containing the list of URLs you want to scan.

    • Click Manage to create or modify a list of URLs.

    Workflow-Driven Scan

    Do one of the following:

    • Click Manage to select, edit, record, import, export, or remove a macro.

    • Click Record and create a macro.

    Note: You can include more than one macro in a scan.


  6. Click Next.
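The List-Driven Scan format described in step 4 (comma-separated or one URL per line, every entry fully qualified with its protocol, IPv6 addresses in brackets) is easy to get wrong by hand. The following validator is an added example, not part of WebInspect; the sample list is constructed and uses reserved example addresses.

```python
"""Validate a List-Driven Scan URL list before importing it.

Added example, not WebInspect code. Accepts commas or line breaks as
separators; each entry must carry http:// or https:// and an IPv6 literal
must be written in brackets, e.g. http://[2001:db8::1]/.
"""
from urllib.parse import urlsplit


def parse_site_list(text):
    """Split list-file text into entries; blank entries are ignored."""
    entries = []
    for line in text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item:
                entries.append(item)
    return entries


def check_url(url):
    """Return None if the URL is acceptable, otherwise a reason string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return "missing or unsupported protocol (use http:// or https://)"
    if not parts.netloc:
        return "missing host"
    authority = parts.netloc.rsplit("@", 1)[-1]  # drop any user:pass@
    # More than one colon in the authority means an IPv6 literal; it must
    # be bracketed or the parser reads part of the address as a port.
    if authority.count(":") > 1 and not authority.startswith("["):
        return "IPv6 address must be enclosed in brackets"
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return "invalid port"
    return None


def validate_site_list(text):
    """Return (valid_urls, problems); problems is a list of (url, reason)."""
    valid, problems = [], []
    for url in parse_site_list(text):
        reason = check_url(url)
        if reason:
            problems.append((url, reason))
        else:
            valid.append(url)
    return valid, problems


# Constructed sample list mixing both separator styles and three mistakes.
SAMPLE_LIST = (
    "http://www.example.com/app/\n"
    "https://example.com/login, example.com/api\n"
    "http://[2001:db8::1]/\n"
    "http://2001:db8::1/\n"
    "\n"
    "ftp://files.example.com/\n"
)

if __name__ == "__main__":
    ok, bad = validate_site_list(SAMPLE_LIST)
    print("valid:", *ok, sep="\n  ")
    print("rejected:", *(f"{u}: {r}" for u, r in bad), sep="\n  ")
```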

Authentication and Connectivity

  1. If you need to access the target site through a proxy server, select Network Proxy and then choose an option from the Proxy Profile list:

    • Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's Web proxy settings.

    • Use System Proxy: Import your proxy server information from the local machine.

    • Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC. For more information, see Configuring the Proxy Profile.

    • Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit to enter proxy information. For more information, see Configuring the Proxy Profile.

    • Use Mozilla Firefox: Import your proxy server information from Firefox.

    Note: Electing to use browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Internet Explorer setting "Use a proxy server for your LAN" is not selected, then a proxy server will not be used.

  2. Select Network Authentication if server authentication is required. Then select an authentication method and enter your network credentials. The authentication methods are:

    • ADFS CBT

    • Automatic

    • Basic

    • Digest

    • Kerberos

    • Negotiate

    • NT LAN Manager (NTLM)

  3. To configure a client certificate for a website, click Settings > Authentication and continue as follows:

    1. In the Client Certificates area, select the Enable check box.

    2. Click Select.

      The Client Certificates window opens.

    3. Do one of the following:

      • To use a certificate that is local to the computer and is global to all users on the computer, select Local Machine.

      • To use a certificate that is local to a user account on the computer, select Current User.

        Note: Certificates used by a common access card (CAC) reader are user certificates and are stored under Current User.

    4. Do one of the following:

      • To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.

      • To select a trusted root certificate, select Root from the drop-down list.

    5. Does the website use a CAC reader?

      • If yes, do the following:

        1. Select a certificate that is prefixed with “(SmartCard)” from the Certificate list.

          Information about the selected certificate and a PIN field appear in the Certificate Information area.

        2. If a PIN is required, type the PIN for the CAC in the PIN field.

          Note: If a PIN is required and you do not enter the PIN at this point, you must enter the PIN in the Windows Security window each time it prompts you for it during the scan.

        3. Click Test.

          If you entered the correct PIN, a Success message appears.

      • If no, select a certificate from the Certificate list.

        Information about the selected certificate appears below the Certificate list.

    6. Click OK.

  4. Select Site Authentication to use a recorded macro containing one or more usernames and passwords that allows you to log in to the target site. The macro must also contain a "logout condition," which indicates when an inadvertent logout has occurred so Fortify WebInspect can rerun this macro to log in again.

    If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Basic Scan in Fortify WebInspect.

    If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login macro, Fortify WebInspect tests the login macro at the start of the scan to ensure that the login is successful. If the macro is invalid and fails to log in to the application, the scan stops and an error message is written to the scan log file. For more information and troubleshooting tips, see Testing Login Macros.

    Important! If you use a macro that includes Two-factor Authentication, then you must configure the Two-factor Authentication Application settings before starting the scan. For more information, see Application Settings: Two-Factor Authentication.

    Continue according to the following table.

    To... Then...
    Use a pre-recorded Web Macro Recorder macro

    Click the ellipsis button (...) to select a macro.

    If, after selecting the macro, you want to modify it using the Web Macro Recorder, click Edit.

    Tip: To erase the macro name, clear the Site Authentication check box.

    Create a new macro

    Click Record.

    The Web Macro Recorder opens.

    Note: For more information about using the Web Macro Recorder, see the Web Macro Recorder Help.

    Automatically create a login macro

    Note: You cannot automatically create login macros for privilege-escalation and multi-user login scans.

    1. Select Auto-gen Login Macro.

    2. Type a username in the Username field.

    3. Type a password in the Password field.

    Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before advancing to the next stage in the Scan wizard. If you need to cancel the validation test prior to completion, click Cancel.

    If the macro is invalid and fails to log in to the application, an error message appears. For more information and troubleshooting tips, see Testing Login Macros.

  5. Click Next.

Coverage and Thoroughness

  1. To optimize settings for an application built using either Oracle Application Development Framework Faces components or IBM WebSphere Portal, select Framework and then choose Oracle ADF Faces or WebSphere Portal from the Optimize scan for list. Fortify may develop other settings overlays and make them available through Smart Update.

    For more information about scanning a WebSphere portal, see WebSphere Portal FAQ.

  2. Use the Crawl Coverage slider to specify the crawler settings.

    This slider may or may not be enabled, depending on the scan mode you selected. The label associated with this slider also depends on your selection. If enabled, the slider allows you to select one of four crawl positions. Each position represents a specific collection of settings, as represented by the following labels:

    If you click Settings (to open the Advanced Settings dialog box) and change a setting that conflicts with any setting established by one of the four slider positions, the slider creates a fifth position labeled Customized Coverage Settings.

  3. Select a policy from the Audit Depth (Policy) list.

    This list may or may not be enabled, depending on the scan mode you selected in Step 1 of the Scan Wizard. For descriptions of policies, see Fortify WebInspect Policies.

  4. Click Next.

Detailed Scan Configuration

Profiler

Fortify WebInspect conducts a preliminary examination of the target Web site to determine if certain settings should be modified. If changes appear to be required, the Profiler returns a list of suggestions, which you may accept or reject.

For example, the Server Profiler may detect that authorization is required to enter the site, but you have not specified a valid user name and password. Rather than proceed with a scan that would return significantly diminished results, you could follow the Server Profiler's suggestion to configure the required information before continuing.

Similarly, your settings may specify that Fortify WebInspect should not conduct "file-not-found" detection. This process is useful for Web sites that do not return a "404 Not Found" status when a client requests a resource that does not exist (they may instead return "200 OK" with a response body stating that the file cannot be found). If the Profiler determines that the target site uses such a scheme, it suggests that you modify the Fortify WebInspect setting to accommodate this behavior.

To launch the Profiler each time you access this page, select Run Profiler Automatically.

To launch the Profiler manually, click Profile. For more information, see Server Profiler.

Results appear in the Settings section.
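The "file-not-found" case above is worth seeing concretely: a site that answers every missing resource with 200 OK and a custom error page defeats status-code checks, so the usual approach is to request a path that cannot exist, keep that response as a baseline, and treat later 200 responses that look like it as "not found". The code below is an added illustration of that idea, not WebInspect's implementation; the HTML bodies are constructed, and the word-level similarity threshold is an assumption.

```python
"""Soft-404 detection: added illustration, not WebInspect's own logic.

A random probe path establishes what the site returns for a missing
resource; later 200 responses that closely match that baseline are
treated as 'not found' even though the status code says otherwise.
"""
import difflib
import re
import secrets


def normalize(body):
    """Reduce an HTML body to lower-case words, dropping tags and digits so
    request ids, timestamps and similar noise do not count as differences."""
    text = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"\d+", "", text)
    return text.lower().split()


def similarity(body_a, body_b):
    """Word-level similarity in [0, 1]; autojunk is off so long pages compare fairly."""
    matcher = difflib.SequenceMatcher(None, normalize(body_a), normalize(body_b),
                                      autojunk=False)
    return matcher.ratio()


def probe_path():
    """A random path that is practically certain not to exist on the target."""
    return "/" + secrets.token_hex(12) + ".html"


def needs_file_not_found_detection(probe_status):
    """True when the site answered the nonexistent probe with 200 instead of 404."""
    return probe_status == 200


def resource_missing(status, body, baseline_body, threshold=0.85):
    """Decide whether a response means 'not found', using the probe baseline
    for sites that hide missing resources behind a 200 OK."""
    if status == 404:
        return True
    if status != 200:
        return False
    return similarity(body, baseline_body) >= threshold


# Constructed sample pages (not captured from any real site).
NOT_FOUND_PAGE = ("<html><head><title>Example Bank</title></head><body>"
                  "<nav>Home | Accounts | Transfers | Help</nav>"
                  "<h1>Oops</h1><p>Sorry, the page {path} could not be found.</p>"
                  "<p>Request id {rid}</p>"
                  "<footer>Example Bank. All rights reserved.</footer></body></html>")
ACCOUNT_PAGE = ("<html><head><title>Example Bank</title></head><body>"
                "<nav>Home | Accounts | Transfers | Help</nav>"
                "<h1>Account Summary</h1><p>Checking balance: 1,204.55</p>"
                "<footer>Example Bank. All rights reserved.</footer></body></html>")

if __name__ == "__main__":
    baseline = NOT_FOUND_PAGE.format(path=probe_path(), rid="48213")
    print("detection needed:", needs_file_not_found_detection(200))
    print("old-report.html missing:", resource_missing(
        200, NOT_FOUND_PAGE.format(path="/old-report.html", rid="51077"), baseline))
    print("account page missing:", resource_missing(200, ACCOUNT_PAGE, baseline))
```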

Settings

  1. Accept or reject the suggestions. To reject, clear the associated check box.

  2. If necessary, provide the requested information.

  3. Click Next.

Several options may be presented even if you do not run the Profiler. They include:

Auto Fill Web Forms

Select Auto-fill Web forms during crawl if you want Fortify WebInspect to submit values for input controls on forms it encounters while scanning the target site. Fortify WebInspect will extract the values from a prepackaged default file or from a file that you create using the Web Form Editor. You may:

Add Allowed Hosts

Use the Allowed Host settings to add domains to be crawled and audited. If your Web presence uses multiple domains, add those domains here. For more information, see Scan Settings: Allowed Hosts.

To add allowed domains:

  1. Click Add.

  2. On the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and click OK.

For more information about adding or editing Allowed Hosts, see Specifying Allowed Hosts.
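The scope rules spread across this page (the exact-host rule for the Start URL, the three Restrict to folder choices, the note that a scan started by IP address does not pursue fully qualified links, and the Allowed Hosts regular expressions above) combine into one decision per discovered link. The function below is an added example that models those rules as stated; it is not WebInspect's crawler code, and the host names and addresses in it are constructed.

```python
"""In-scope decision for a crawled link, modelling the Start URL, Restrict to
folder and Allowed Hosts rules as this page describes them.

Added example, not WebInspect code.
"""
import ipaddress
import re
from urllib.parse import urljoin, urlsplit


def _is_ip(host):
    """True for an IPv4 or IPv6 literal (urlsplit already strips the IPv6 brackets)."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def _folder(path):
    """The directory part of a URL path, always ending in '/'."""
    path = path or "/"
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def in_scope(start_url, href, restrict=None, allowed_hosts=()):
    """Decide whether a link found while crawling may be followed.

    start_url     -- the Start URL typed into the wizard
    href          -- the link as written in the page (relative or absolute)
    restrict      -- None, "directory", "subdirectories" or "parents"
    allowed_hosts -- regular expressions for additional hosts (Allowed Hosts)
    """
    start = urlsplit(start_url)
    # A scan started by IP address does not pursue fully qualified links,
    # only relative paths.
    if _is_ip(start.hostname) and urlsplit(href).scheme:
        return False
    target = urlsplit(urljoin(start_url, href))
    if target.scheme not in ("http", "https"):
        return False
    # The host must match exactly: mycompany.com does not cover
    # www.mycompany.com unless an Allowed Hosts entry says so.
    host = target.hostname or ""
    if host != (start.hostname or ""):
        return any(re.fullmatch(p, host, re.IGNORECASE) for p in allowed_hosts)
    start_dir, link_dir = _folder(start.path), _folder(target.path)
    if restrict == "directory":          # Directory only
        return link_dir == start_dir
    if restrict == "subdirectories":     # Directory and subdirectories
        return link_dir.startswith(start_dir)
    if restrict == "parents":            # Directory and parent directories
        return start_dir.startswith(link_dir)
    return True


if __name__ == "__main__":
    print(in_scope("http://MYCOMPANY.COM/", "http://www.mycompany.com/"))
    print(in_scope("http://www.mycompany.com/one/two/", "three/x.html", "directory"))
```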

Reuse Identified False Positives

Select scans containing vulnerabilities that were changed to false positives. If those false positives match vulnerabilities detected in this scan, the vulnerabilities will be changed to false positives. For more information, see False Positives.

To reuse identified false positives:

  1. Select Import False Positives.

  2. Click Select Scans.

  3. Select one or more scans containing false positives from the same site you are now scanning.

  4. Click OK.

Note: You cannot import false positives when scheduling a scan or conducting an Enterprise scan.

Sample Macro

Fortify WebInspect’s example banking application, zero.webappsecurity.com, uses a Web form login. If you scan this site, select Apply sample macro to run the sample macro containing the login script.

Traffic Analysis

Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the HTTP requests issued by Fortify WebInspect and the responses returned by the target server.

While scanning a Web site, Fortify WebInspect displays in the navigation pane only those sessions that reveal the hierarchical structure of the Web site, plus those sessions in which a vulnerability was discovered. However, if you select Enable Traffic Monitor, Fortify WebInspect adds the Traffic Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by Fortify WebInspect and the associated HTTP response received from the server.

Message

If the profiler does not recommend changes, the Scan Wizard displays the message, "No settings changes are recommended. Your current scan settings are optimal for this site."

Congratulations

The contents of this window vary, depending on your choices and configuration.

Upload to Fortify WebInspect Enterprise Scan Template

When connected to an enterprise server (Fortify WebInspect Enterprise), you can send the settings for this scan to Fortify WebInspect Enterprise, which will create a scan template. However, you must be assigned to a role that allows you to create scan templates.

Save Settings

You can save the settings you configured for this scan, which would allow you to reuse the settings for a future scan.

Generate Reports

If you are scheduling a scan, you can instruct Fortify WebInspect to generate a report when the scan completes.

  1. Select Generate Reports.

  2. Click the Select reports hyperlink.

  3. (Optional) Select a report from the Favorites list.

    A "favorite" is simply a named collection of one or more reports and their associated parameters. To create a favorite once you have selected reports and parameters, click the Favorites list and select Add to favorites.

  4. Select one or more reports.

  5. Provide information for any parameters that may be requested. Required parameters are outlined in red.

  6. Click Next.

  7. If you select Automatically Generate Filename, the name of the report file will be formatted as <reportname> <date/time>.<extension>. For example, if creating a compliance report in PDF format and the report is generated at 6:30 on April 5, the file name would be "Compliance Report 04_05_2022 06_30.pdf." This is useful for recurring scans.

    Reports are written to the directory specified for generated reports in the Application settings.

  8. If you did not select Automatically Generate Filename, enter a name for the file in the Filename box.

  9. Select the report format from the Export Format list.

  10. If you selected multiple reports, you can combine them all into one report by selecting Aggregate reports into one report.

  11. Select a template that defines the headers and footers used for the report and, if necessary, provide the requested parameters.

  12. Click Finished.

  13. Click Schedule.