Tuesday, January 5, 2010

HP WebInspect and proxy daisy-chaining

This is my inaugural posting, so here goes. I am all new to this, and yadda yadda yadda, let's get started. (disclaimer) I have worked with and supported WebInspect, QAInspect, DevInspect, and the Assessment Management Platform for several years. If I abbreviate these products in any postings as WI, DI, QAI, or AMP, you will just have to forgive and read on. Also, I like to share.

HP WebInspect is an advanced penetration testing tool used solely for auditing and exposing vulnerabilities in web sites. It works on the HTTP/S protocol only, for any active port on the target server. One useful technique that is often overlooked by WebInspect users is the ability to daisy-chain the tool through various HTTP intercept proxies. This can be the included Web Proxy ("SPI Proxy") tool, Paros Proxy, Burp Suite, Charles Proxy, et al. The value in doing this is usually to monitor the scanner's traffic in real time, or to troubleshoot when the site is behaving strangely and you need to find out why in order to adjust the scan settings.

The most basic process for configuring this daisy-chain is detailed below. These instructions are based on using the included HP Web Proxy, and the exact setting details can be found within its Help guide. This should also be adequate detail to guide the configuration of your alternative proxy tool of choice.

1. Open the Web Proxy tool (from the Start Menu or WebInspect) > Edit menu > Options.

2. Web Proxy defaults to listening on 127.0.0.1:8080. Verify that here, or change it, and Save. If you need to use a network proxy to reach the target, configure that on the Proxy Servers tab, and then Save.

3. Start the proxy service using the "Play" icon in the toolbar. Minimize or resize the Web Proxy tool as desired.

4. Open WebInspect > Edit menu > Default Scan Settings > Proxy panel.

5. Configure the scanner's proxy to match the port that is listening, e.g. 127.0.0.1:8080.

6. Save the scan settings and run your scan. Verify the traffic is being captured within the Web Proxy window. Web Proxy offers a Scroll Lock button to help with its scrolling display.


Representation for our example:

WebInspect (localhost) > HP Web Proxy (127.0.0.1:8080) > network proxy (192.168.1.200:80) > target server (192.168.1.106:443)


The one trouble with daisy-chaining WebInspect is that the intercept proxy is now the weakest link in your assessment. If the scan will take 8 hours and will parse many megabytes of traffic, it is probable your proxy engine will fail and halt the WebInspect scan prematurely (halting is the default behavior, and it is configurable). No worries, you can always restart your proxy tool and Resume the scan, but that situation can be a pain. The good news is that if you only wish to monitor a small part of the scan, that is also possible. To do this, Pause the assessment > click on the Edit menu > Current Scan Settings (not the Default Scan Settings) > Proxy panel > alter the proxy setting to NO longer use your intercept proxy > Save settings > Resume the scan > verify that no traffic is now being captured in your proxy window.

This sort of daisy-chaining can go all day, so long as you use different ports for all of the services. For example, we could configure the Proxy Server options within Web Proxy to go to another "upstream" proxy tool (local or remote), such as Paros Proxy or a second instance of Web Proxy. Just remember to keep their ports separated if running all of them on the local machine, such as using 127.0.0.1:8080 for Web Proxy #1 and 127.0.0.1:8888 for Web Proxy #2. Why would you want to do this kind of multiple-proxy hopping? There are various troubleshooting reasons which I will not detail now, but the capability is there if you need it.
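A pre-flight check for the chain described above, as an added example that is not part of the original post or of any HP tool: it parses the post's chain notation, flags local proxies that were given the same port, and confirms that the first listener accepts TCP connections before a long scan starts. The function names are hypothetical; the addresses are the ones from the post's example.

```python
import re
import socket
from collections import Counter

# Chain notation copied from the post's example.
CHAIN = ("WebInspect (localhost) > HP Web Proxy (127.0.0.1:8080) > "
         "network proxy (192.168.1.200:80) > target server (192.168.1.106:443)")
HOP_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<host>[^():]+)(?::(?P<port>\d+))?\)$")
LOCAL = {"127.0.0.1", "localhost"}

def parse_chain(text):
    """Split 'name (host:port) > ...' into (name, host, port); port is None for the client."""
    hops = []
    for part in text.split(">"):
        m = HOP_RE.match(part.strip())
        if not m:
            raise ValueError(f"unparseable hop: {part.strip()!r}")
        port = int(m["port"]) if m["port"] else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range in hop: {part.strip()!r}")
        hops.append((m["name"], m["host"], port))
    return hops

def local_port_collisions(hops):
    """Ports claimed by more than one listener on this machine."""
    counts = Counter(port for _, host, port in hops if host in LOCAL and port)
    return sorted(p for p, n in counts.items() if n > 1)

def first_hop_listening(hops, timeout=2.0):
    """TCP-connect to the first listener, the only hop the scanner talks to directly."""
    _, host, port = next(h for h in hops if h[2] is not None)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(text):
    """Return a list of problems; an empty list means the chain looks ready."""
    hops = parse_chain(text)
    problems = [f"port {p} is assigned to more than one local proxy"
                for p in local_port_collisions(hops)]
    if not first_hop_listening(hops):
        problems.append("first proxy in the chain is not accepting connections")
    return problems

if __name__ == "__main__":
    for line in preflight(CHAIN) or ["chain looks ready"]:
        print(line)
```

Only the first hop is probed because each later hop is reached by the proxy before it, not by the scanner; a failure further upstream shows up as errors in that proxy's own traffic view.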
