Wednesday, August 8, 2012

Disabling all discovery checks in WebInspect

In an earlier posting about limiting WebInspect's scan reach, I mentioned the following complaint regarding the scan Policies.  I wanted to use this posting to explain this further and detail a solution.

<< The Audit-Only scan method sounds good, but it is not foolproof.  Currently most of the scan Policies you may use for your Audit will perform a variety of forceful browsing and discovery checks.  To completely disable this possible expansion of your scan target, you will need to make a custom copy of your desired scan Policy.  I will detail that in a separate posting. >>

 The Audit policies utilized by HP WebInspect (currently at version 9.20) are templates that dictate what quantity of the available attack database will be used against your target during this particular scan.  Even when using the Audit-Only scan method, there are still several ways that WebInspect will bypass your desired limitation and perform some crawling/discovery of the site.

To prevent this, the user will need to use a custom scan Policy.  Open the included Policy Manager tool, then click File > New > {select desired HP policy} > and then save this for your own use.  You may want to annotate the Description to remind yourself what makes this custom copy different.  In this custom Policy you will want to disable the following features.

1. Open the Attack Groups view, then expand the Audit Engines branch.  Disable the following engines underneath it.
    • Directory Enumeration
    • File Extension
    • File Prefix
    • Fixed Checks
    • Known Vulnerabilities
    • Local File Include
    • Site Search

2. Within the same Audit Engines branch, locate and expand the Audit Options sub-branch.  Disable the following options found there.  These parsers do not directly request these specific resources, but they would fully investigate them if they were found during the scan.
    • CVS entries parser
    • Robots.txt parser
    • ws_ftp.log parser

3. Move up the top of the Attack Groups tree listing and disable the Web Site Discovery branch, a peer of the Audit Engines branch.

Based on how HP (or SPI Dynamics) originally designed the Audit Policies mechanism, it is difficult to fully disable all crawling even for Audit-Only scans.  Their development team has been contacted about this and understands why it should offer a cleaner method, but until that arrives we must use this work around.

~~~~ Habeas Data

No comments:

Post a Comment