Webinspect scanning

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon May 02, 2011 9:53 am

Webinspect scanning

I just found out I'll be taking over doing the web app scanning at work. They use WebInspect, and one thing I've heard is it takes forever to run (2 weeks+ in some cases).

Not having done much web scanning, or knowing much about the product, I thought I'd turn here and get some help.

Anyone have any useful links to books/articles to get up to speed? Any tips and tricks on how to run scans?
OSWP, Sec+
millwalll

Post Tue May 03, 2011 1:19 pm

Re: Webinspect scanning

You may want to look at http://cirt.net/nikto2; also, Syngress do books on web attacks and you get 20% off using 50467.
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue May 03, 2011 2:10 pm

Re: Webinspect scanning

Sadly it has to be WebInspect. We used to use something else, but one of our larger customers insisted we use WebInspect so they could import the reports, or they'd pull the account.
OSWP, Sec+
millwalll

Post Tue May 03, 2011 4:33 pm

Re: Webinspect scanning

Hi, I misread your post. I don't know anything off the top of my head, but if I come across anything I will let you know.

It might be worth spending some time on Google looking for tutorials or something.
HansE

Newbie

Posts: 1

Joined: Wed May 04, 2011 10:16 am

Post Wed May 04, 2011 10:53 am

Re: Webinspect scanning

You should avail yourself of the free training materials and resources already offered by HP's Application Security Center.  (Full disclosure:  I work there as part of HP ASC Fortify.)

User Forums and Researcher Blogs:  http://h30501.www3.hp.com/t5/HP-Applica ... /ct-p/sc01
- Requires a free HP Passport account to Post messages.

ASC Support Portal:  http://support.openview.hp.com/
- Also uses HP Passport account.
- This portal gives you 24/7 access to the WebInspect KB, as well as the ability to submit/manage support cases.  Great for pre-populating your case with all details and data rather than trying to get first-level support to type it in for you over the phone!  Wait 20 minutes and call in with your assigned Case# to get routed directly to the person who picked up that case.
- The Support Portal requires that you link your HP Passport account with your "Entitlement" or "Contract", known as the SAID number.  Since you have WebInspect in front of you, the SAID number is displayed under the "About WebInspect" menu item.

Semi-monthly technical demo on using WebInspect (free registration):  http://techdemos.com/
- Every other Friday at 1 PM EDT.

Your HP Sales representative:
- Chances are your company's/area's HP Sales rep is keen to try to sell you or your boss new stuff, but knows very little about the security product line.  Lean on them to put you in touch with someone who can actually really help you, and then fend off their free lunches as long as possible.  ;-)


Regarding scans taking two weeks, that sounds crazy.  You seriously need to review the actual scan results and the available scan settings, with an expert if possible.  Anytime I hear of a scan taking more than overnight I just *know* there is some setting to change that can make it more efficient.  The guy before you probably ran the product with the default settings, which is only a good baseline for what might be found in the real world.  Your site may require increased script parsing, redundant page detection, custom state-keeping or navigational parameters, or other "shaping" controls and limitations for the crawler.


Enjoy!
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed May 04, 2011 11:48 am

Re: Webinspect scanning

HansE,

Welcome to the forum. And THANKS, that's a good deal of information for me to work with. Especially knowing that more than 24 hours could be an issue.

I do need to double-check your link, though. Techdemos seems to be one of those placeholder ad sites you see on the net.

However 15 seconds on google led me to this site: http://www.hp.com/go/techdemos

I look forward to that class next week, and between the stuff you gave me, the books I ordered, and the User Guide, I have a feeling I might be able to improve things a bit.
OSWP, Sec+
Florin

Newbie

Posts: 29

Joined: Thu May 03, 2007 8:57 am

Post Wed May 04, 2011 1:56 pm

Re: Webinspect scanning

I second HansE on the opinion that something is probably set incorrectly in the application - two weeks for scanning a single target, especially as you will be doing internal scans, is way too much.
Actually this is the "secret" in using a vulnerability scanner correctly: make sure that the setup/profile/plug-ins used are designed to match your needs.

Regarding which resources to use, I think that HansE already pointed you to the right direction.

Good luck with your new task!
Security+, OSCP, CISM, CISSP
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed May 04, 2011 3:22 pm

Re: Webinspect scanning

chrisj wrote: Anyone have any useful links to books / articles to get up to speed. Any tips and tricks on how to run scans.

Outside of the links provided by HansE, the pseudo-short answer is... check your parameters and variables.

For starters, if you're going to use the scan wizard (depending on which version you have), there is a setting in "Test Options" called "Use Adaptive Testing based on application behavior", make sure it is checked.

Second, go to Tools, "User Defined Tests", click on "Add Test", infrastructure test (or whatever scan you need to perform) and click Next. On the next page you can define specific URLs, which minimizes going through non-important directories. For example, let's suppose you have an "images" directory with nothing more than images; why bother wasting time going through the motions? Doing a test as such (custom) allows you to specify DIRECT directories, applications, scripts, etc., as opposed to letting WebInspect go through the motions of *everything*.

Another alternative would be to exclude directories. When you run the scan configuration option, you can choose which directories and/or files to exclude. Another option would be to decrease the timeouts in communications and proxy; however, depending on your parameters, you *could* end up crashing something if not careful. You could also raise the number of threads to 10.

Lastly, back to "Test Options": you can also increase the phases to your maximum (I believe it is 10), in "Allow Multiphase Scanning." ... Hope that helps.
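The crawler-shaping controls that HansE and sil describe above (skipping directories that hold nothing but images, redundant page detection, and state-keeping or navigational parameters) can be sketched as a small scope filter. The block below is an added example; it is neither WebInspect's own configuration nor code from anyone in this thread. It runs over a constructed list of crawled URLs, and the directory names, file extensions and parameter names it treats as static, navigational or session state are assumptions chosen for illustration:

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample crawl output for illustration (not from any real scan).
CRAWLED_URLS = [
    "http://app.example/index.php",
    "http://app.example/index.php?PHPSESSID=9f3a2c",
    "http://app.example/images/logo.png",
    "http://app.example/images/banner.jpg",
    "http://app.example/css/site.css",
    "http://app.example/product.php?id=1",
    "http://app.example/product.php?id=2",
    "http://app.example/product.php?id=3&sort=price",
    "http://app.example/product.php?sort=name&id=4",
    "http://app.example/calendar.php?month=5&year=2011",
    "http://app.example/calendar.php?month=6&year=2011",
    "http://app.example/login.php",
    "http://app.example/admin/users.php?page=2",
    "http://app.example/admin/users.php?page=3",
]

# Assumed directories that hold only static content (the "images" case from the thread).
EXCLUDED_DIRS = ("/images/", "/css/", "/js/")
# Assumed extensions of files served as-is, with no server-side logic to audit.
STATIC_EXTENSIONS = (".png", ".jpg", ".gif", ".css", ".js", ".ico")
# Assumed state-keeping parameters: their values distinguish sessions, not pages.
STATE_PARAMS = {"phpsessid", "jsessionid"}


def is_excluded(url: str) -> bool:
    """True when the URL lives in a static-only directory or is a static file."""
    path = urlsplit(url).path.lower()
    return path.startswith(EXCLUDED_DIRS) or path.endswith(STATIC_EXTENSIONS)


def signature(url: str) -> str:
    """Reduce a URL to its path plus the sorted set of parameter *names*.

    Two URLs with the same signature reach the same server-side code with the
    same set of inputs, so auditing one of them exercises every parameter the
    other has. Parameter values and session identifiers are deliberately
    ignored: id=1 vs id=2, or a fresh PHPSESSID, is the same page to the scanner.
    """
    parts = urlsplit(url)
    names = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    names -= STATE_PARAMS
    return parts.path + ("?" + "&".join(sorted(names)) if names else "")


def shape_scope(urls):
    """Split crawled URLs into the audit queue, excluded paths and redundant pages."""
    audit, excluded, redundant = [], [], []
    seen = set()
    for url in urls:
        if is_excluded(url):
            excluded.append(url)
            continue
        sig = signature(url)
        if sig in seen:
            redundant.append(url)   # same code path and parameters already queued
            continue
        seen.add(sig)
        audit.append(url)           # first representative of this signature
    return {"audit": audit, "excluded": excluded, "redundant": redundant}


if __name__ == "__main__":
    result = shape_scope(CRAWLED_URLS)
    for bucket, urls in result.items():
        print(f"{bucket}: {len(urls)}")
        for url in urls:
            print("   ", url)
```

On the constructed input, 14 crawled URLs shrink to 6 that actually need auditing; the 3 static files are never queued and 5 pages are recognised as the same code path with the same parameter names. The representative kept per signature is simply the first one seen, which is enough because the aim is that each server-side script and each parameter name is still audited exactly once. Whether a parameter is navigational state or a real input (the thread's "custom state-keeping or navigational parameters") is a judgement about the target, which is why those sets are explicit assumptions rather than defaults.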
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed May 04, 2011 3:37 pm

Re: Webinspect scanning

Thanks, guys. Sil, I'm surprised; I was expecting a much longer reply from you. :) I figured you and H1tM0nk3y would have the best input (why I started the thread).

Definitely have things to look into.
OSWP, Sec+
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed May 04, 2011 3:55 pm

Re: Webinspect scanning

I thought about making it a longer post, but figured someone would want to kick me. Since it's tool-based, I decided not to ;) WebInspect can be brutally noisy; I choose to use it ONLY when I have run out of options ;) As is the case with other tools, Canvas, Core and so on. I actually like going through manual motions.
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu May 05, 2011 7:22 am

Re: Webinspect scanning

sil's point is very valid. Pre-canned tools will often give you good results, but you ALWAYS have to weigh the outcome against costs. If you're simply testing your own company, and stealth is not an issue, then you should evaluate with as many tools and tests as possible. But if you're contracted to test in a more covert manner, you're much better off tailoring your testing to be more stealthy.

Pay close attention to the parameters that he pointed out, if you plan to continue to use the tool, as by learning to tweak the performance and stealth options, you'll get a better understanding of things.  sil has (as have I, and assuredly many others here on EH) spent time with these tools in the lab, where he could analyze results of various testing methods and parameters.  It goes a long way in helping you get better at what you do!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu May 05, 2011 1:41 pm

Re: Webinspect scanning

I have to be careful with my words here. Don't want to say anything that gives away where I work, what they do, etc.

I'd love the time to do the manual testing. I'd like to learn those skills too. I'd like to have multiple tools to use as well. However that's not likely to happen any time soon.

We have to use WebInspect because it was dictated by a customer. Due to cost, we use it for all the scanning. We can be noisy, because it's a requested vulnerability scan.
OSWP, Sec+
AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Thu May 05, 2011 2:23 pm

Re: Webinspect scanning

You're not working for (or for a subsidiary of) Sony, are you?
Net+ Sec+ More to come
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 05, 2011 8:23 pm

Re: Webinspect scanning

chrisj wrote: I have to be careful with my words here. Don't want to say anything that gives away where I work, what they do, etc.

Understood @ sensitivity. I've actually an idea about the environment and likely the company... Anyhow, if that's what the client wants, then there is a likelihood you're following pre-defined testing a-la CYA (Cover Your Ass) in which ultimately the client perceives a scanner as due diligence.

If they're not worried about the outcome of raping a webserver's resource, then I would actually fire away using the most extreme parameters. It's their money and the likelihood of them actually caring about security is low. In these cases, who cares how you test; ultimately they don't.
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu May 05, 2011 10:53 pm

Re: Webinspect scanning

If it was just the one client, and they accepted the time, I'd be good with it. But we have to do more than just that client, and therein lies the problem.

Sil, actually, I'm curious who you think it is I work for. PM me. Wouldn't surprise me if you do know who.

I try to keep my current employer and my connection limited on the net, partially to make it harder to be an SE target.  But I'm overly cautious about saying where I work currently, because of an event that happened at work. My supervisor got very strange when I already knew other people that worked there.
Last edited by rattis on Thu May 05, 2011 10:58 pm, edited 1 time in total.
OSWP, Sec+