Friday, February 4, 2011

WebInspect Data Expansion

There were two hidden settings added back during the WebInspect 7.7 release which can provide the expert user more details within a scan. The first is a developer's Memo header, which is now a little more exposed to the user in the more recent releases. The second is an expansion of the existing Details panel found under the Session Detail area.


1. Memo header:

From the Help Guide:
If you select this option, WebInspect includes a "Memo:" header in the HTTP request containing information that can be used by support personnel to diagnose problems. Although the format and content is subject to change without notice, the information may assist advanced users. Two of the more useful constructions are illustrated below.
Previously this header could only be enabled by manually editing the saved scan settings file (XML) prior to performing the assessment, changing the value from "false" to "true". Now it is just a check box found within the scan settings > General panel, and it is enabled by default.

The data shown in this custom header is mostly for the benefit of the HP ASC developers and Customer Support, since it is written in their programming lingo. A standard user can still get a rough idea of why a given HTTP request was queued up: it was part of the recorded Login Macro, part of the Crawl, or triggered by one of the Audit Engines.

The Help Guide also provides these samples to help decipher the provided information.
  Attack memo header example:
    Memo: 197:Auditor.SendAsyncronousRequest:Attack(CID:123:AS:2,
    EID:1354e211-9d7d-4cc1-80e6-4de3fd128002,ST:AuditAttack,AT:
    PostParamManipulation,APD:username,I:(1,0),R:False,SM:2,SID:
    FDF074B3AC41D4ABE4114B3C1A114160,PSID:DDAA45FB26C9149DB15AF2D8DDFD5D3A)

  Explanation of memo contents:
  • Requestor thread id handling request: 197
  • Originating function in scanner: SendAsyncronousRequest
  • Check ID: 123
  • Attack Sequence: 2
  • Originating engine: 1354e211-9d7d-4cc1-80e6-4de3fd128002
  • Session Type: AuditAttack
  • Attack Type: PostParamManipulation
  • Attack descriptor (what was attacked): username ‘param’ was attacked; it is parameter (1,0) in the collection
  • Smart Mode: 2
  • Attack Session ID: FDF074B3AC41D4ABE4114B3C1A114160
  • Parent Session ID: DDAA45FB26C9149DB15AF2D8DDFD5D3A

  Crawl memo header example:
    Memo: 180:ProcessSession:Crawler.CreateStateRequest:
    SID:2BC3FC705779A6F201810A1E64F7CF83,PSID:A77674B6A5BF9B3B3CEDAEF583C08262,
    ST:Crawl,CLT:HTML

  Explanation of memo contents:
  • Requestor thread id handling request: 180
  • Originating function in scanner: ProcessSession:Crawler.CreateStateRequest
  • Session Type: Crawl
  • Crawl Link Type: HTML
  • Session ID: 2BC3FC705779A6F201810A1E64F7CF83
  • Parent Session ID: A77674B6A5BF9B3B3CEDAEF583C08262
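The two Help Guide samples above share one layout: a thread id, the originating scanner function, then a run of abbreviated KEY:value fields (with the attack form wrapping its fields in Attack(...)). As an added example that is not part of the Help Guide or the WebInspect product, here is a small Python parser that splits either form into those fields, relabels them with the Help Guide wording, and pulls the header out of a raw request as shown in Session Detail. The sample request (host, path, body) is constructed for this example; the Memo values are the two Help Guide samples joined onto one line. The "R" key in the attack sample is not explained in the Help Guide, so it is reported under its raw key only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Meaning of each key, taken from the Help Guide explanation reproduced above.
# "R" appears in the attack sample but is not explained there, so it is left
# out here and surfaces only under its raw key.
KEY_MEANING = {
    "CID": "Check ID",
    "AS": "Attack Sequence",
    "EID": "Originating engine",
    "ST": "Session Type",
    "AT": "Attack Type",
    "APD": "Attack descriptor (what was attacked)",
    "I": "Parameter index in collection",
    "SM": "Smart Mode",
    "SID": "Session ID",
    "PSID": "Parent Session ID",
    "CLT": "Crawl Link Type",
}

# One KEY:value token. Keys are upper-case abbreviations; a value is either a
# parenthesised tuple such as (1,0) or a run of characters up to the next
# separator. Note that CID:123:AS:2 uses ':' between fields where the rest use ','.
_TOKEN = re.compile(r"([A-Z]+):(\([^)]*\)|[^,:()]+)")


@dataclass
class MemoHeader:
    thread_id: int              # requestor thread id handling the request
    function: str               # originating function in the scanner
    kind: Optional[str]         # "Attack" for the Attack(...) form, None for crawl memos
    fields: Dict[str, str] = field(default_factory=dict)

    def origin(self) -> str:
        """Rough answer to 'why was this request queued?', based on the ST field."""
        st = self.fields.get("ST", "")
        if st == "Crawl":
            return "crawl"
        if st.startswith("Audit"):
            return "audit engine"
        return st or "unknown"

    def explain(self) -> Dict[str, str]:
        """Relabel the fields with the wording the Help Guide uses."""
        return {KEY_MEANING.get(k, k): v for k, v in self.fields.items()}


def parse_memo(value: str) -> MemoHeader:
    """Parse a Memo header value, with or without the leading 'Memo:'."""
    text = value.strip()
    if text.lower().startswith("memo:"):
        text = text[len("memo:"):].strip()
    thread, _, rest = text.partition(":")
    if not thread.isdigit():
        raise ValueError(f"memo does not start with a thread id: {value!r}")

    matches = list(_TOKEN.finditer(rest))
    if not matches:
        raise ValueError(f"no KEY:value fields in memo: {value!r}")

    # Everything before the first field names the originating function,
    # optionally followed by ':Kind(' as in 'Auditor.SendAsyncronousRequest:Attack('.
    prefix = rest[: matches[0].start()]
    if prefix.endswith("("):
        function, _, kind = prefix[:-1].rpartition(":")
    else:
        function, kind = prefix.rstrip(":"), None
    return MemoHeader(int(thread), function, kind, {m.group(1): m.group(2) for m in matches})


def memo_from_request(raw_request: str) -> Optional[MemoHeader]:
    """Pull the Memo header out of a raw HTTP request as shown in Session Detail."""
    for line in raw_request.splitlines():
        if not line.strip():
            break  # the blank line ends the header block
        if line.lower().startswith("memo:"):
            return parse_memo(line)
    return None


# Constructed sample request for this example (host, path and body are made up);
# the Memo value is the Help Guide's attack sample joined onto one line.
SAMPLE_REQUEST = (
    "POST /login.aspx HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Memo: 197:Auditor.SendAsyncronousRequest:Attack(CID:123:AS:2,"
    "EID:1354e211-9d7d-4cc1-80e6-4de3fd128002,ST:AuditAttack,AT:"
    "PostParamManipulation,APD:username,I:(1,0),R:False,SM:2,SID:"
    "FDF074B3AC41D4ABE4114B3C1A114160,PSID:DDAA45FB26C9149DB15AF2D8DDFD5D3A)\r\n"
    "\r\n"
    "username=alice&password=secret\r\n"
)

# The Help Guide's crawl sample, joined onto one line.
CRAWL_MEMO = ("Memo: 180:ProcessSession:Crawler.CreateStateRequest:"
              "SID:2BC3FC705779A6F201810A1E64F7CF83,PSID:A77674B6A5BF9B3B3CEDAEF583C08262,"
              "ST:Crawl,CLT:HTML")

if __name__ == "__main__":
    for memo in (memo_from_request(SAMPLE_REQUEST), parse_memo(CRAWL_MEMO)):
        print(f"thread {memo.thread_id}, {memo.function}, origin: {memo.origin()}")
        for label, val in memo.explain().items():
            print(f"  {label}: {val}")
```

The parser keys on the fact that field names are short upper-case runs followed by a colon, which is what lets it skip over mixed-case function names such as Crawler.CreateStateRequest without mistaking them for fields; because the format is documented as subject to change, treat unknown keys as raw data rather than failing on them.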


2. Details Expanded

This is my favorite secret, as it is always available with no need to enable it prior to any assessment. Unfortunately, it is disabled by default and can only be toggled in WebInspect via a modified user.config file. The good news is that this one change enables the feature for all scans being reviewed within the UI, not just the selected scan. This feature is also known as the "EnableSupportUI" feature, since it primarily aids the Support team when reviewing customer scans for issues.


Enabling:
1. Close WebInspect.
2. Make a back-up copy of the user.config file located at:
* Win7: C:\Users\%CURRENTUSER%\Local Settings\Application Data\SPI Dynamics\WebInspect\7.0\
* XP: C:\Documents and Settings\%CURRENTUSER%\Local Settings\Application Data\SPI Dynamics\WebInspect\7.0\
3. Modify the user.config so that the appropriate setting tag entry has its Value set to "true" rather than "false".
* For WebInspect 8.x, this tag is "EnableSupportUI".
* For WebInspect 7.7, this tag is "DisplayCompleteSessionDetails".
* If you are missing this setting name, you can just insert it at the end of the other tags.
4. Save and exit user.config.
5. Launch WebInspect, open any scan (new or old), select a session, click on the Details session link, see all the gory details.
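Steps 2 to 4 above (back up, flip the value, insert the setting if it is missing) are easy to get slightly wrong by hand in a long XML file, so here is an added Python script that performs them against a constructed copy of user.config; it is not HP's code and it is not a documented way to configure WebInspect. It assumes the .NET-style layout of a setting as `<setting name="..."><value>...</value></setting>`, and the section name in the sample file is a placeholder; compare against your own backup before pointing it at the real file in the path given in step 2.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Setting names from the post: 8.x uses EnableSupportUI, 7.7 uses
# DisplayCompleteSessionDetails.
SETTING_BY_VERSION = {"8.x": "EnableSupportUI", "7.7": "DisplayCompleteSessionDetails"}

# Constructed sample file in the ASSUMED .NET-style user.config layout
# (<setting name=...><value>...</value></setting>); the section name is a
# placeholder. WebInspect's real file may be laid out differently.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <userSettings>
    <Example.Properties.Settings>
      <setting name="EnableSupportUI" serializeAs="String">
        <value>false</value>
      </setting>
    </Example.Properties.Settings>
  </userSettings>
</configuration>
"""


def read_setting(config_path: Path, setting_name: str) -> str:
    """Return the <value> text of the named <setting>, or '' if it is absent."""
    root = ET.parse(config_path).getroot()
    for setting in root.iter("setting"):
        if setting.get("name") == setting_name:
            value = setting.find("value")
            return (value.text or "").strip() if value is not None else ""
    return ""


def enable_support_ui(config_path: Path, setting_name: str) -> str:
    """Steps 2-4 of the procedure: keep a backup, set the setting's value to
    "true", and insert the setting after the existing ones if it is missing.
    Returns the value that was there before ('' if the setting was absent)."""
    backup = config_path.with_name(config_path.name + ".bak")
    if not backup.exists():            # never overwrite the original backup
        shutil.copy2(config_path, backup)

    tree = ET.parse(config_path)
    root = tree.getroot()

    settings_parent, target = None, None
    for elem in root.iter():
        for child in elem:
            if child.tag == "setting":
                settings_parent = elem          # where "the other tags" live
                if child.get("name") == setting_name:
                    target = child
    if target is None:
        # "insert it at the end of the other tags" (or under the root if there are none)
        target = ET.SubElement(settings_parent if settings_parent is not None else root,
                               "setting", name=setting_name, serializeAs="String")
    value = target.find("value")
    if value is None:
        value = ET.SubElement(target, "value")
    previous = (value.text or "").strip()
    value.text = "true"
    tree.write(config_path, encoding="utf-8", xml_declaration=True)
    return previous


def demo() -> dict:
    """Run the procedure against the constructed file in a scratch directory."""
    cfg = Path(tempfile.mkdtemp()) / "user.config"
    cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
    first = enable_support_ui(cfg, SETTING_BY_VERSION["8.x"])   # present: false -> true
    second = enable_support_ui(cfg, SETTING_BY_VERSION["7.7"])  # absent: inserted
    return {
        "was_8x": first,
        "was_77": second,
        "now_8x": read_setting(cfg, "EnableSupportUI"),
        "now_77": read_setting(cfg, "DisplayCompleteSessionDetails"),
        "backup_8x": read_setting(cfg.with_name("user.config.bak"), "EnableSupportUI"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it with WebInspect closed (step 1), as the application may rewrite user.config on exit and undo the edit; the script refuses to overwrite an existing .bak so the pre-change copy survives repeated runs.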

So you can see what this feature offers, I have attached before and after screenshots for the same session.

~~ Habeas Data
