Using the Mobile Scan template
Using the Mobile Scan template to create a mobile website scan enables you to scan the mobile version of a website using the desktop version of your browser from within OpenText DAST or Fortify WebInspect Enterprise.
A Mobile Scan is nearly identical to a website scan and mirrors the settings options you will find when using one of the Predefined templates to do a Standard, Thorough, or Quick scan. The only difference is that you need to select a user agent header to allow your browser to emulate a mobile browser.
OpenText DAST and Fortify WebInspect Enterprise come with four mobile user agent options to choose from, but you can also create a custom option with a user agent for another version of Android, Windows Phone, or another mobile device. For information about creating a user agent header, see Creating a custom user agent header.
Recommendation
OpenText recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the OpenText DAST host.
Launching a Mobile Scan
To launch a Mobile Scan:
1. Start a Guided Scan:
   - For OpenText DAST, click Start a Guided Scan on the OpenText DAST Start page.
   - For Fortify WebInspect Enterprise, click Guided Scan under Actions on the Web Console.
2. Select Mobile Scan from the Mobile Templates section.
3. Click the Mobile Client icon in the tool bar.
4. Select the Rendering Engine you want to use. The rendering engine you select determines which Web Macro Recorder is opened when you record a new macro or edit an existing macro while configuring a Guided Scan. The rendering engine options are:
   - Session-based – Selecting this option designates the Session-based Web Macro Recorder, which uses Internet Explorer browser technology.
   - Event-based (preferred) – Selecting this option designates the Event-based Web Macro Recorder, which uses TruClient and Firefox technology.
5. Select the User Agent that represents the agent string you want your rendering engine to present to the site. If you created your own user agent string, it appears as Custom. If the user agent you need is not listed, you can create a custom user agent. See Creating a custom user agent header.
The Guided Scan wizard displays the first step in the Native Mobile Stage: Verify website.
Creating a custom user agent header
OpenText DAST and Fortify WebInspect Enterprise include user agents for Android, Windows, and iOS devices. If you are using one of these options, you do not need to create a custom user agent header. If you want your web browser to identify itself as a different mobile device or a specific OS version, create a custom user agent header.
To create a custom user agent:
1. Click the Advanced icon in the Guided Scan tool bar.
   The Scan Settings window appears.
2. In the Scan Settings column, select Cookies/Headers.
3. In the Append Custom Headers section of the settings area, double-click the User-Agent string.
   The Specify Custom Header box appears.
4. Type User-Agent: followed by the user agent header string for the desired device.
5. Click OK.
The new custom user agent will now be available to select as your Mobile Client.
Verifying your website
To verify your website:
1. In the Start URL box, type or select the complete URL or IP address of the site to scan.
   If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, OpenText DAST or Fortify WebInspect Enterprise will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the Allowed Hosts setting).
   An invalid URL or IP address results in an error. If you want to scan from a certain point in your hierarchical tree, append a starting point for the scan, such as http://www.myserver.com/myapplication/.
   Scans by IP address do not pursue links that use fully qualified URLs (as opposed to relative paths).
   OpenText DAST and Fortify WebInspect Enterprise support both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 addresses must be enclosed in brackets.
   Note: OpenText DAST supports IPv6 addresses in website and web service scans. When you specify the Start URL, you must enclose the IPv6 address in brackets. For example:
   - http://[::1]
     OpenText DAST scans "localhost."
   - http://[fe80::20c:29ff:fe32:bae1]/subfolder/
     OpenText DAST scans the host at the specified address starting in the "subfolder" directory.
   - http://[fe80::20c:29ff:fe32:bae1]:8080/subfolder/
     OpenText DAST scans a server running on port 8080 starting in "subfolder."
2. (Optional) To limit the scope of the scan to an area, select the Restrict to Folder check box, and then select one of the following options from the list:
   - Directory only (self). OpenText DAST and Fortify WebInspect Enterprise will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, OpenText DAST or Fortify WebInspect Enterprise will assess only the "two" directory.
   - Directory and subdirectories. OpenText DAST or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.
   - Directory and parent directories. OpenText DAST or Fortify WebInspect Enterprise will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.
   For information about limitations of the Restrict to Folder scan option, see Restrict to folder limitations.
3. Click Verify.
   If the website is set up to be authenticated with a client certificate using a common access card (CAC) or a certificate that is password protected, Guided Scan prompts you with the following message:
   The site <URL> is requesting a client certificate. Would you like to configure one now?
   To configure a client certificate that uses a CAC or a certificate that is password protected:
   a. Click Yes.
      The Select a Client Certificate window appears.
   b. Under Certificate Store, select Current User.
      A list of available certificates appears in the Certificate area.
   c. Locate and select a certificate that is prefixed with “(Protected)”.
      Information about the selected certificate and a Password/PIN field appear in the Certificate Information area.
   d. If a password or PIN is required, type it in the Password/PIN field.
      Note: If a password or PIN is required and you do not enter it at this point, you must enter the password or PIN in the Windows Security window each time it prompts you during the scan.
      Important! By default, OpenText DAST uses OpenSSL. If you are using a specific SSL/TLS protocol rather than OpenSSL, the Profiler portion of scan configuration may not work with certificates that are protected with a password.
   e. Click Test.
4. If you must access the target site through a proxy server, click Proxy in the lower left of the main screen to display the Proxy Settings area, and then select an option from the Proxy Settings list:
   - Direct Connection (proxy disabled)
   - Auto detect proxy settings: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use it to configure the browser's web proxy settings.
   - Use System proxy settings: Import your proxy server information from the local machine.
   - Use Firefox proxy settings: Import your proxy server information from Firefox.
   - Configure proxy settings using a PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC file.
   - Explicitly configure proxy settings: Specify proxy server settings as indicated. If you select this option, enter the proxy information in the fields provided.
   Important! Socks4 proxy servers do not support authentication. When using a Socks proxy server that requires authentication, you must use a Socks5 proxy.
   Note: Electing to use browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Windows setting "Use a proxy server for your LAN" is not selected, then a proxy server is not used.
   When a screenshot of the website or directory structure appears, you have successfully verified your connection to the Start URL.
5. Click Next.
   The Choose Scan Type window appears.
Choosing a scan type
1. Type a name for your scan in the Scan Name box.
2. Select one of the following scan types:
   - Standard: OpenText DAST or Fortify WebInspect Enterprise performs an automated analysis, starting from the target URL. This is the normal way to start a scan.
   - Workflows: If you select this option, an additional Workflows stage is added to the Guided Scan.
3. In the Scan Method area, select one of the following scan methods:
   - Crawl Only: This option completely maps a site's hierarchical data structure. After a crawl has been completed, you can click Audit to assess an application's vulnerabilities.
   - Crawl and Audit: OpenText DAST or Fortify WebInspect Enterprise maps the site's hierarchical data structure and audits each resource (page). Depending on the default settings you select, the audit can be conducted as each resource is discovered or after the entire site is crawled. For information regarding simultaneous vs. sequential crawl and audit, see Crawl and audit mode.
   - Audit Only: OpenText DAST or Fortify WebInspect Enterprise applies the methodologies of the selected policy to determine vulnerability risks, but does not crawl the website. No links on the site are followed or assessed.
4. In the Policy area, select a policy from the Policy list. For information about managing policies, see the Policy Manager chapter in the OpenText™ Dynamic Application Security Testing Tools Guide.
5. In the Crawl Coverage area, select the level of coverage you want using the Crawl Coverage slider. For more information on crawl coverage levels, see Configuring crawl coverage and thoroughness.
6. In the Single-Page Applications area, select an option for crawling and auditing single-page applications (SPAs). When enabled, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events. The options are:
   - Automatic - If OpenText DAST detects a SPA framework, it automatically switches to SPA-support mode.
   - Enabled - Indicates that SPA frameworks are used in the target application.
     Caution! SPA support should be enabled for single-page applications only. Enabling SPA support to scan a non-SPA website will result in a slow scan.
   - Disabled - Indicates that SPA frameworks are not used in the target application.
   For more information, see About single-page application scans.
7. Click the Next button.
   The Login stage appears with Network Authentication highlighted in the left pane.
Configuring network authentication
If your network requires user authentication, you can configure it here. If your network does not require user authentication, click the Next navigation button or the next appropriate step in the Guided Scan tree to continue on.
To configure network authentication:
1. Click the Network Authentication check box.
2. Select a Method from the drop-down list of authentication methods. The authentication methods are:
   - ADFS CBT
   - Automatic
   - Basic
   - Digest
   - Kerberos
   - Negotiate
   - NT LAN Manager (NTLM)
   - OAuth 2.0 Bearer
3. Do one of the following:
   - For all authentication methods except OAuth 2.0 Bearer, type a user ID in the User Name box and the user's password in the Password box.
   - For the OAuth 2.0 Bearer method, click Configure and continue with Configuring OAuth 2.0 bearer credentials.
Using client certificates
To use client certificates for network authentication:
1. Select Client Certificate.
   Note: You can add a client certificate to a Windows phone, but the only way to subsequently remove it is to restore the phone to its default settings.
2. In the Certificate Store area, select one of the following, and then select either the My or Root radio button:
   - Local Machine. OpenText DAST uses a certificate on the local machine based on your selection in the Certificate Store area.
   - Current User. OpenText DAST uses a certificate for the current user based on your selection in the Certificate Store area.
3. To view certificate details in the Certificate Information area, select a certificate.
4. Click the Next button.
   The Application Authentication page appears.
Configuring application authentication
If your site requires authentication, you can use this step to create, select, or edit a login macro to automate the login process and increase the coverage of your site. A login macro is a recording of the activity that is required to access and log in to your application, typically by entering a user name and password and clicking a button such as Log In or Log On.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login macro, OpenText DAST tests the login macro at the start of the scan to ensure that the login is successful. If the macro is invalid and fails to log in to the application, the scan stops and an error message is written to the scan log file. For more information and troubleshooting tips, see Testing login macros.
Note: Macro testing is not supported for macros containing two-factor authentication.
Important! If you use a macro that includes Two-factor Authentication, then you must configure the Two-factor Authentication Application settings before starting the scan. For more information, see Application settings: Two-Factor Authentication.
The following options are available for login macros:
Masked values supported
If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Guided Scan in OpenText DAST.
Using a login macro without privilege escalation
To use a login macro:
1. Select the Use a login macro for this site check box.
2. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the OpenText™ Dynamic Application Security Testing Tools Guide.
3. Click the Next button.
   If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
Using login macros for privilege escalation
If you selected the Privilege Escalation policy or another policy that includes enabled Privilege Escalation checks, at least one login macro for a high-privilege user account is required. For more information, see About privilege escalation scans.
To use login macros:
1. Select the High-Privilege User Account Login Macro check box. This login macro is for the higher-privilege user account, such as a Site Administrator or Moderator account.
2. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the OpenText™ Dynamic Application Security Testing Tools Guide.
   After recording or selecting the first macro and clicking the next arrow, a "Configure Low Privilege Login Macro" prompt appears.
3. Do one of the following:
   - To perform the scan in authenticated mode, click Yes. For more information, see About privilege escalation scans.
     Guided Scan returns to the Select Login Macro window for you to create or select a low-privilege login macro. Continue to Step 4.
   - To perform the scan in unauthenticated mode, click No. For more information, see About privilege escalation scans.
     The Application Authentication step is complete. If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
4. Select the Low-Privilege User Account Login Macro check box. This login macro is for the lower-privilege user account, such as a viewer or consumer of the site content.
5. Do one of the following:
   - To use a pre-recorded login macro, click the ellipsis button (...) to browse for a saved macro.
   - To edit an existing login macro shown in the Login Macro field, click Edit.
   - To record a new macro, click Create.
   For details about recording a new login macro or using an existing login macro, see the Web Macro Recorder chapters in the OpenText™ Dynamic Application Security Testing Tools Guide.
6. After recording or selecting the second macro, click the Next button.
   If you selected a Standard scan, the Optimization Tasks page appears. If you selected a Workflows scan, the Manage Workflows page appears.
Using a login macro when connected to Fortify WebInspect Enterprise
If OpenText DAST is connected to Fortify WebInspect Enterprise, you can download and use a login macro from the Fortify WebInspect Enterprise macro repository.
To download a macro:
1. Select the Use a login macro for this site check box.
2. Click Download.
   The Download a Macro from Fortify WebInspect Enterprise window appears.
3. Select the Application and Version from the drop-down lists.
4. Select a repository macro from the Macro drop-down list.
5. Click OK.
Note: Selecting a repository macro automatically syncs the Application and Version on the Final Review page under Automatically Upload Scan to WIE.
Automatically creating a login macro
You can enter a username and password and have OpenText DAST create a login macro automatically.
Note: You cannot automatically create login macros for privilege-escalation and multi-user login scans or for any scan using the Session-based rendering engine.
To automatically create a login macro:
1. Select Auto-gen Login Macro.
2. Type a username in the Username field.
3. Type a password in the Password field.
   Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before advancing to the next stage in the Guided Scan wizard. If you need to cancel the validation test before it completes, click Cancel.
   If the macro is invalid and fails to log in to the application, an error message appears. For more information and troubleshooting tips, see Testing login macros.
About the Workflows stage
The Workflows stage only appears if you selected Workflows as the Scan Type in the Site stage. If you chose Standard, the Workflows stage will not appear.
You can create a Workflow macro to ensure OpenText DAST audits the pages you specify in the macro. OpenText DAST audits only those URLs included in the macro and does not follow any hyperlinks encountered during the audit.
You can create multiple Workflow macros; one for each use case on your site. A logout signature is not required. This type of macro is used most often to focus on a particular subsection of the application. If you select multiple macros, they will all be included in the same scan. In addition to allowing you to select multiple macros, you can also import Burp proxy captures and .har files, and add them to your scan.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or both, all macros must be of the same type: all .webmacro files or all Burp Proxy captures or all .har files. You cannot use different types of macros in the same scan.
To complete the Workflows settings, click any of the following in the Workflows table:
- Record. Opens the Web Macro Recorder, allowing you to create a macro.
- Edit. Opens the Web Macro Recorder and loads the selected macro.
- Delete. Removes the selected macro (but does not delete it from your disk).
- Import. Opens a standard file-selection window, allowing you to select a previously recorded .webmacro file, Burp Proxy capture, or .har file.
  Note: If you have installed OpenText Unified Functional Testing (UFT One) on your computer, OpenText DAST detects this automatically and displays an option to import a UFT .usr file. For more information, see Importing Functional Testing files in a Guided Scan.
- Export a recorded macro. Opens a standard file-selection window, allowing you to save a recorded macro. After a macro is selected or recorded, you may optionally specify allowed hosts.
After you specify and play a workflow macro, it appears in the Workflows table and its Allowed Hosts are added to the Guided Scan > Workflows > Workflows > Manage Workflows page. You can enable or disable access to particular hosts. For more information, see Scan settings: Allowed Hosts.
Adding Burp Proxy results
If you have run Burp Proxy security tests, the traffic collected during those tests can be imported into a Workflows macro, reducing the time it would otherwise take to rescan the same areas.
To add Burp Proxy results to a workflow macro:
1. If you are not on the Workflows screen, click the Manage Workflows step in the Guided Scan tree.
2. Click the Import button.
   The Import Macro file selector appears.
3. Change the file type filter from Web Macro (*.webmacro) to Burp Proxy (*.*).
4. Navigate to your Burp Proxy files and select the desired file.
5. Click Open.
Using the Profiler
The OpenText DAST Profiler conducts a preliminary examination of the target website to determine if certain settings should be modified. If changes appear to be required, the Profiler returns a list of suggestions, which you may accept or reject.
For example, the Profiler may detect that authorization is required to enter the site, but you have not specified a valid user name and password. Rather than proceed with a scan that would return significantly diminished results, you could follow the Profiler’s suggestion to configure the required information before continuing.
Similarly, your settings may specify that OpenText DAST should not conduct "file-not-found" detection. This process is useful for websites that do not return a status "404 Not Found" when a client requests a resource that does not exist (they may instead return a status "200 OK," but the response contains a message that the file cannot be found). If the Profiler determines that such a scheme has been implemented in the target site, it would suggest that you modify the OpenText DAST setting to accommodate this feature.
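The custom "file-not-found" scheme described above, as an added example that is not OpenText code: it learns the site's not-found behaviour from two probes for paths that cannot exist, then uses body similarity to recognise later "cannot be found" pages even when they arrive with a 200 OK status. The Response class, the 0.9 similarity threshold and the sample pages are this example's own constructions.

```python
import difflib
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str


def probe_path():
    """A request path that cannot exist on the target; each call is unique."""
    return "/" + secrets.token_hex(8) + ".html"


def normalise(body, requested_path):
    """Reduce a body to the parts that should be stable across not-found pages:
    drop the echoed request path, markup, numbers (ids, timestamps) and spacing."""
    text = body.replace(requested_path, "")
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\d+", "", text)
    return re.sub(r"\s+", " ", text).strip().lower()


class FileNotFoundScheme:
    """The target's behaviour for missing files, learned from probe responses.

    probes is a list of (requested_path, Response) pairs for paths made with
    probe_path(). If every probe came back with the same status and a
    near-identical body, the scheme is stable and can be used to recognise
    further not-found pages, including ones served with status 200 OK.
    """

    def __init__(self, probes, threshold=0.9):
        if len(probes) < 2:
            raise ValueError("need at least two probes to confirm a stable scheme")
        self.threshold = threshold
        first_path, first = probes[0]
        self.status = first.status
        self.template = normalise(first.body, first_path)
        self.stable = all(
            resp.status == self.status and self.similar(normalise(resp.body, path))
            for path, resp in probes[1:]
        )

    def similar(self, text):
        ratio = difflib.SequenceMatcher(None, self.template, text).ratio()
        return ratio >= self.threshold

    @property
    def needs_custom_detection(self):
        """True when the site hides missing files behind a non-404 status."""
        return self.stable and self.status != 404

    def is_missing(self, requested_path, response):
        """Classify a response: a real 404, or a page matching the learned scheme."""
        if response.status == 404:
            return True
        if not self.stable or response.status != self.status:
            return False
        return self.similar(normalise(response.body, requested_path))


# Constructed sample responses, not captured from a real site: a site that
# answers every missing path with 200 OK and an "Oops" page.
OOPS = ('<html><body><h1>Oops</h1><p>The page {path} cannot be found. '
        'Request id {rid}</p></body></html>')
PROBES = [
    ("/a1b2c3d4.html", Response(200, OOPS.format(path="/a1b2c3d4.html", rid=8812))),
    ("/9f8e7d6c.html", Response(200, OOPS.format(path="/9f8e7d6c.html", rid=8813))),
]
ACCOUNT_PAGE = Response(
    200, "<html><body><h1>Account</h1><p>Welcome back. Balance: 120</p></body></html>")


def classify_samples():
    """Run the learned scheme over the constructed samples."""
    scheme = FileNotFoundScheme(PROBES)
    missing = Response(200, OOPS.format(path="/old-report.html", rid=9001))
    return {
        "custom_scheme": scheme.needs_custom_detection,
        "oops_page_is_missing": scheme.is_missing("/old-report.html", missing),
        "account_page_is_missing": scheme.is_missing("/account", ACCOUNT_PAGE),
    }
```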
To launch the Profiler:
1. Click Profile.
   The Profiler runs. For more information, see Server Profiler.
   Results appear in the Optimize scan for box in the Settings section.
2. If necessary, provide any requested information.
3. Click the Next button.
Several options may be presented even if you do not run the Profiler, as described in the following sections.
Autofill web forms
Select Auto-fill Web forms during crawl if you want OpenText DAST to submit values for input controls on forms it encounters while scanning the target site. OpenText DAST will extract the values from a prepackaged default file or from a file that you create using the Web Form Editor. See the Web Form Editor chapter in the OpenText™ Dynamic Application Security Testing Tools Guide. You may:
- Click the browse button to locate and load a file.
- Click Edit to edit the selected file (or the default values) using the Web Form Editor.
- Click Create to open the Web Form Editor and create a file.
Add allowed hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your web presence uses multiple domains, add those domains here. For more information, see Scan settings: Allowed Hosts.
To add allowed domains:
1. Click Add.
2. In the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and click OK.
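The Start URL rules from the Verify website step (exact host match, bracketed IPv6 literals, the three Restrict to Folder options) together with the Allowed Hosts setting above, modelled as an added example that is not OpenText code. Matching Allowed Hosts entries as regular expressions against the whole host name, and the mode names "self", "subdirectories" and "parents", are this example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def parse_start_url(start_url):
    """Validate a Start URL and return (scheme, host, port, directory).

    Mirrors the Verify website rules: an IPv6 literal must be enclosed in
    brackets, the host is taken exactly as entered (lower-cased), and the scan
    starts in the directory that ends the path.
    """
    parts = urlsplit(start_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("Start URL must begin with http:// or https://")
    netloc = parts.netloc
    if not netloc:
        raise ValueError("Start URL has no host or IP address")
    # A bare IPv6 literal has several colons and no brackets; without the
    # brackets it cannot be told apart from host:port, so reject it.
    if netloc.count(":") > 1 and not netloc.startswith("["):
        raise ValueError("IPv6 addresses must be enclosed in brackets")
    host = parts.hostname              # brackets are stripped for IPv6
    if not host:
        raise ValueError("Start URL has no host or IP address")
    if netloc.startswith("["):
        ipaddress.IPv6Address(host)    # raises ValueError if not a valid IPv6 literal
    port = parts.port                  # raises ValueError if the port is not numeric
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]   # http://h/app/index.html -> /app/
    return parts.scheme, host, port, directory


def start_url_problem(start_url):
    """Return the validation message for a Start URL, or None if it is usable."""
    try:
        parse_start_url(start_url)
    except ValueError as exc:
        return str(exc)
    return None


def host_allowed(start_host, candidate_host, allowed_hosts=()):
    """Exact host match, or a match against an Allowed Hosts entry.

    Entries are treated as regular expressions matched against the whole host
    name, case-insensitively (an assumption of this example; the product also
    accepts a plain URL as an entry).
    """
    if candidate_host.lower() == start_host.lower():
        return True
    return any(re.fullmatch(pattern, candidate_host, re.IGNORECASE)
               for pattern in allowed_hosts)


def in_folder_scope(start_dir, candidate_dir, mode):
    """Apply the Restrict to Folder option.

    mode is "self" (Directory only), "subdirectories" (Directory and
    subdirectories) or "parents" (Directory and parent directories).
    """
    if mode == "self":
        return candidate_dir == start_dir
    if mode == "subdirectories":
        return candidate_dir.startswith(start_dir)
    if mode == "parents":
        return start_dir.startswith(candidate_dir)
    raise ValueError("unknown Restrict to Folder mode: " + mode)


def in_scope(start_url, candidate_url, restrict=None, allowed_hosts=()):
    """Would a discovered URL be crawled or audited under these settings?"""
    _, host, _, start_dir = parse_start_url(start_url)
    _, c_host, _, c_dir = parse_start_url(candidate_url)
    if not host_allowed(host, c_host, allowed_hosts):
        return False
    if restrict is None:
        return True
    return in_folder_scope(start_dir, c_dir, restrict)
```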
Reuse identified Suppressed Findings
You can import vulnerabilities that were changed to false positive or ignored in previous scans. If those false positive or ignored items match vulnerabilities detected in the current scan, the vulnerabilities will be changed to false positive or ignored. You can import suppressed findings from existing scans or suppressed findings files. For more information, see Suppressed findings.
To reuse identified suppressed findings:
1. Select Import Suppressed Findings.
2. Continue according to the source you are importing from:
   To use existing scans:
   a. Click Click here to import suppressed findings from scans.
      The Select a Scan to Import Suppressed Findings dialog opens.
   b. Select one or more scans containing suppressed findings from the same site you are now scanning.
   c. Click OK.
   To use suppressed findings files:
   a. Click Click here to import suppressed findings from a file.
      A standard Windows file selection dialog box opens.
   b. Select the file to import, and then click Open.
   c. Optionally, repeat Steps a and b to select additional files.
Apply sample macro
OpenText’s example banking application, zero.webappsecurity.com, uses a web form login. If you scan this site, select Apply sample macro to run the prepackaged macro containing the login script.
Traffic analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the HTTP requests issued by OpenText DAST and the responses returned by the target server.
While scanning a website, OpenText DAST displays in the navigation pane only those sessions that reveal the hierarchical structure of the website, plus those sessions in which a vulnerability was discovered. However, if you select Enable Traffic Monitor, OpenText DAST adds the Traffic Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by OpenText DAST and the associated HTTP response received from the server.
Message
If the Profiler does not recommend changes, the Guided Scan wizard displays the message "No settings changes are recommended. Your current scan settings are optimal for this site."
Click Next.
The Final Review page appears with Configure Detailed Options highlighted in the left pane.
Configuring additional options
To configure detailed options, specify any of the following settings.
Reuse identified False Positives
Select the False Positives box to reuse false positives that OpenText DAST has already identified.
Traffic analysis
- To use the Web Proxy tool, select Launch and Direct Traffic through Web Proxy. Web Proxy lets you examine the HTTP requests issued by OpenText DAST and the responses returned by the target server.
  Web Proxy is a stand-alone, self-contained proxy server that you can configure and run on your desktop. Web Proxy enables you to monitor traffic from a scanner, a web browser, or any other tool that submits HTTP requests and receives responses from a server. Web Proxy is a debugging and penetration-testing tool; you can view every request and server response while browsing a site.
- Select the Traffic Monitor box to display and review each HTTP request sent by OpenText DAST and the associated HTTP response received from the server.
  While scanning a website, OpenText DAST displays only those sessions that reveal the hierarchical structure of the website, plus those sessions in which a vulnerability was discovered. However, if you select Enable Traffic Monitor, OpenText DAST enables you to display and review each HTTP request sent by OpenText DAST and the associated HTTP response received from the server.
- Click Next.
  The Validate Settings and Start Scan page appears with Configure Detailed Options highlighted in the left pane.
Validating settings and starting the scan
Options on this page allow you to save the current scan settings and, if OpenText DAST is integrated with Fortify WebInspect Enterprise, to interact with Fortify WebInspect Enterprise.
1. To save your scan settings as an XML file, select Click here to save settings. Use the standard Save As window to name and save the file.
2. If OpenText DAST is integrated with Fortify WebInspect Enterprise, a Templates section appears in the toolbar. Continue according to what you want to do:
   To save the current scan settings as a template in the Fortify WebInspect Enterprise database:
   Note: When editing an existing template, the Save is actually an update. You can save any edits to settings and change the Template Name. However, you cannot change the Application, Version, or Global Template settings.
   a. Do one of the following:
      - Click Save in the Templates section of the toolbar.
      - Select Click here to save template.
      The Save Template window appears.
   b. Select an application from the Application drop-down list.
   c. Select an application version from the Version drop-down list.
   d. Type a name in the Template field.
   To load scan settings from a template:
   a. Click Load in the Templates section of the toolbar.
      A confirmation message appears advising that your current scan settings will be lost.
   b. Click Yes.
      The Load Template window appears.
   c. Select an application from the Application drop-down list.
   d. Select an application version from the Version drop-down list.
   e. Select the template from the Template drop-down list.
   f. Click Load.
      Guided Scan returns to the Site stage for you to verify the website and step through the settings from the template.
3. If OpenText DAST is integrated with Fortify WebInspect Enterprise, the Fortify WebInspect Enterprise section appears on this page. You can interact with Fortify WebInspect Enterprise as follows:
   a. Select an application from the Application drop-down list.
   b. Select an application version from the Version drop-down list.
   c. Continue according to where you want to run the scan:
      To run the scan with a sensor in Fortify WebInspect Enterprise:
      - Select Run in WebInspect Enterprise.
      - Select a sensor from the Sensor drop-down list.
      - Select a Priority for the scan.
      To run the scan in OpenText DAST:
      - Select Run in DAST.
      - If you want to automatically upload the scan results to the specified application and version in Fortify WebInspect Enterprise, select Auto Upload to WebInspect Enterprise.
        Note: If the scan does not complete successfully, it will not be uploaded to Fortify WebInspect Enterprise.
4. In the Scan Now area, review your scan settings, and then click Start Scan to begin the scan.