Vous êtes sur la page 1sur 3

Hybrid Scanning

WebInspect 9.10 and Fortify SecurityScope 3.1


The integration of WebInspect 9.10 with HP Fortify SecurityScope combines dynamic and runtime application testing to deliver the next generation of application security. This conjunctive approach yields improved security testing, reduces the effort required to validate vulnerabilities, and allows developers to find and fix problems quickly. Start by installing and configuring SecurityScope on the target server. Installation instructions and operator guides are available from Fortify at https://customerportal.fortify.com/download?id=1343. Next, launch WebInspect and enable the SecurityScope feature. Click Edit and select Application Settings. In the General category, select Use SecurityScope information when encountered on the target site. It's also advisable to select Automatically group by duplicate vulnerabilities in vulnerability window.

Then start your scan.

Visual Confirmation
A new feature on the WebInspect dashboard informs you when SecurityScope is running on the target server.

201 Hewlett-Packard Development Company, L.P. 1

Page 1

Increased Attack Surface


SecurityScope responds to WebInspect's initial inquiry by downloading a list of all application URLs, which WebInspect subsequently uses to populate the site tree. This increases the attack surface by eliminating the possibility that WebInspect might fail to detect a resource through the normal crawl-and-audit process. Partial Site Tree without SecurityScope Partial Site Tree with SecurityScope Integrated

When not using SecurityScope, the Pages folder in the site tree contains only two entries: CareerDetails.jst and the folder named "web."

When SecurityScope is integrated with WebInspect, more resources can be identified. Note the enlarged content of the Pages folder (which is only partially shown).

Detection and Confirmation


During the scan, SecurityScope interacts with WebInspect to detect the following vulnerabilities: SQL Injection Arbitrary File Upload Command Execution

SecurityScope is also employed to confirm the following vulnerabilities detected by WebInspect: Cross-Site Scripting Arbitrary Remote File Include Local File Inclusion/Reading Vulnerability

When acting alone, WebInspect relies entirely on the server's reaction to determine if the attacks are successful. For example, WebInspect may check for a "command execution" vulnerability by sending an HTTP request that includes a "directory list" command ("ls" in Unix or "dir" in Windows). The server may actually execute the command, but the server's HTTP response will not include any indication that the attack was successful, and the vulnerability will not be flagged. However, when SecurityScope is running on the target server, it can determine that the server executed the command and inform WebInspect that the attack was successful.

201 Hewlett-Packard Development Company, L.P. 1

Page 2

Visual Indicators - Stack Trace and Triggers


You can easily identify vulnerabilities detected or confirmed by SecurityScope. The Vulnerabilities tab on the WebInspect Summary pane contains a "Stack" column which, if populated with a check mark, indicates SecurityScope involvement. Click the vulnerability to highlight the corresponding session in the Navigation pane site tree and then select Stack Traces from the Session Info panel. The following illustration depicts a SQL injection vulnerability detected by SecurityScope. WebInspect did not detect the vulnerability because it occurred in a database type (HSQL) that is not supported by WebInspect.

The SecurityScope trigger identifies the event that implicated the vulnerability, such as an error message, SQL command, or the cross-site scripting payload. The first line of text below "start of user application code" identifies the source of the vulnerability. All other vulnerabilities that derive from the same source are categorized as duplicates, which can all be remediated by fixing this portion of the code. The Vulnerability tab illustrated below groups vulnerabilities by duplicates (as indicated in the upper left corner of the pane).

201 Hewlett-Packard Development Company, L.P. 1

Page 3