Tuesday, January 12, 2010

WebInspect's Manual Step-Mode and daisy-chained proxies

This post is a follow-on from the prior post on how to daisy-chain WebInspect with an intercept proxy.

A powerful penetration testing feature of WebInspect is its Manual Step-Mode crawl, suited for very complicated web applications. When this style of crawling is used rather than the automated crawling methods, WebInspect is actually spawning a hidden instance of the included tool, HP Web Proxy, offering even more daisy-chaining fun for the security expert. During this time, WebInspect listens on a dynamically set port on localhost ( and opens an instance of MSIE pre-configured to that port. This Manual crawl is very similar to how some freeware web scanners operate, with the professional manually driving the scanner via their browser and the tool parsing and auditing the captured sessions in the background. WebInspect's dynamic port behavior for Manual Step-Mode can also be changed to use a static (expected or known) port rather than a dynamic port, which is very useful if you want to use an alternative browser. When doing this, you must leave the triggered MSIE window open (minimized) because that is what WebInspect actively hooks into and signifies to WebInspect that it is in "Manual mode". However, you can then launch and configure your favored alternative browser to the static port (proxy port) you set previously. The scenario below will detail this further.

Let's look at an advanced configuration. I had a call from a counterpart who was on-site with his client. The WebInspect machine they provided him had MSIE 8 installed, and no matter what he did, the development application they were testing crashed that browser, and it simply refused to work with any non-Microsoft browsers. This would normally not affect WebInspect's automated scanning methods as WebInspect operates as its own stand-alone browser. However, this site was completely ActiveX with browser plug-ins and client-within-a-browser configurations that required a human to use the Manual Step-Mode of WebInspect to "crawl" the site by hand with a plug-in enabled browser. Since he could not downgrade the MSIE browser on the workstation nor automate the scan, he called me and here is what resolved the trouble.

In addition to the WebInspect workstation, the tester was provided RDP access to a second machine which still had MSIE 7 on it. This version of MSIE worked great for browsing the development application without any crashing as had been experienced with MSIE 8, but the machine lacked WebInspect. To audit the application we daisy-chained the two workstations across the LAN, using the little-known static port setting for Manual Step-Mode and then opening the Web Proxy to the LAN rather than just the localhost, as follows.

1. On workstation1, open WebInspect's Edit menu > Application Settings > Step-Mode panel > set it to use a static port not currently in use, e.g. 8081. Leave the IP address field as localhost (

2. Start the Step-Mode Manual crawl assessment in WebInspect for the target site, and once it is running Manual mode leave WebInspect and the resulting MSIE8 window alone.

3. Now open HP Web Proxy on the same workstation1.
* Within the Proxy Server settings, configure Web Proxy to use the Manual Step-Mode proxy server that is "upstream" at
* Within the General settings, configure Web Proxy to listen on workstation1's actual network IP and port 8080, e.g.
* Save these settings and now start the Web Proxy service/listener from its toolbar. The lower left-hand corner of the Web Proxy window will show that it is now Listening and the port being used.

4. RDP to workstation2, open MSIE7 there, configure MSIE7 to use the proxy server at workstation1, e.g.

5. Browse the test application from MSIE7 on workstation2, verifying that the WebInspect window on workstation1 is showing captured/audited traffic within its Navigation Pane (Site Tree view).

6. When finished testing from workstation2, return to workstation1, close the MSIE8 window that popped up previously, and click the "Finish" (Step-Mode) button found at the top of WebInspect's Navigation Pane. This halts the Manual Step-Mode crawl. It can be Resumed if needed.
* WebInspect is now ready to proceed to Auditing, if you had the Step-Mode set to "Manual Audit" mode.

Representation for our example:

MSIE7 browser (on > HP Web Proxy ( > HP WebInspect ( > network proxy ( > target server (

What about serving Manual Step-Mode directly to workstation2?

If you read my previous article on daisy-chaining WebInspect and Web Proxy, I must point out here that the Manual Step-Mode settings do permit the local LAN to be served directly if the localhost IP address is replaced with the workstation's own live LAN IP address. However, in this scenario, we wanted the ability to monitor the browser traffic from workstation2 within the Web Proxy window on workstation1. This would help diagnose and connectivity troubles, if that traffic was not able to pass through WebInspect and then back from the test application. This offered the added bonus that the captured Web Proxy sessions could be saved as a proxy sessions file (*.PSF) for review at a later time. Those sessions could also be saved as a Start Macro which could be used later in an attempt to run the WebInspect audit automatically rather than manually. Sometimes this automated trick works, sometimes it does not, depending on the application itself, but having the option to try is very useful.

1 comment:

  1. You can also change the port configuration of the proxy by clicking Edit > Default Settings > Proxy. If you like the manual scan but you might want to test the same sessions more than once then consider the workflow macro option using the Event Based Web Macro Recorder. You can record a workflow macro and then audit using various different policies (sql,xss,assault).