Trouble using client certificate in WebInspect</h1> <article> <h1>Trouble using client certificate in WebInspect</h1> <p>csgale — Fri, 13 Nov 2009 19:24:33 GMT</p> <p>Hello, I've tried to search around to see if anyone has posted anything about this, but haven't turned anything up.</p> <p>I'm presently assessing a web application that uses client certificates. I see that I should be able to use them in Webinspect (both from the help file, and the user manual), but after following the procedure laid out, My scan is still stopping immediately after starting and giving me a "No credentials are available in the security package" error.</p> <p>This is what I've done (which I hope is correct):</p> <p>I go into Edit -> Default Scan Setting -> Authentication and check the box for Enable client certificates. I then select the certificate (which shows up in the drop down list) and click ok. </p> <p>I've also done it for Current Scan Settings (as I assume that takes precedence over Default).</p> <p>I assume the error is that it somehow isn't using the certificate to access the site.</p> <p>If should be said that for now, I'm not even worrying about logging into the site, I just want to verify that I can connect to the main page.</p> <p>Anybody have any ideas, thanks?</p><div style="clear:both;"></div> </article> <article> <h1>Attempt to generate aggregate reports consistently failing</h1> <p>whips04r — Mon, 07 Sep 2009 05:48:44 GMT</p> <p>Am trying to generate Aggregate, Executive Summary (aggregated), False Positive, and Compliance reports for 6x scans however each attempt yeilds only the cover page for each report and a lengthy dump to the Output Console. Howe3ver, if I only generate the Aggregate Report (i.e. 1 report at a time) I mostly (*) get a desirable outcome (i.e. a full report!), though this makes the reporting process rather time expensive experience.</p> <p>*see below this Output Console dump for Error Details of a WI crash after attempting to close an aggregated Executive Summary report.</p> <p>The Output Console dump is along the lines of:</p> <p> </p> <p>[9/7/2009 2:13:47 PM]: Report Failed System.Data.SqlClient.SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.<br /> at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)<br /> at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)<br /> at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)<br /> at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)<br /> at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)<br /> at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)<br /> at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()<br /> at gy.a(IDbConnection A_0, String A_1)<br /> at gy.a(String A_0, Int32 A_1)<br /> at HP.AppSec.Reporting.ReportsDB.b(ReportsDB A_0, SqlCeConnection A_1)<br /> at HP.AppSec.Reporting.ReportsDB.UpdateCache()<br /> at HP.AppSec.Reporting.DataProviders.ScanDataProvider.GetData(IQuery queryDescriptor, Boolean topZeroFlag, IRtfFontToFieldMapper rtfFontMapper, IPropertyToFieldMapper propertyMapper)<br /> at HP.AppSec.Reporting.ReportDataSource.getReportData(IQuery queryDescriptor, Boolean topZeroFlag, IRtfFontToFieldMapper rtfFontMapper, IPropertyToFieldMapper propertyMapper)<br /> at HP.AppSec.Reporting.ReportDataSource.GetReportData(IQuery queryDescriptor, IRtfFontToFieldMapper rtfFontMapper, IPropertyToFieldMapper propertyMapper)<br /> at HP.AppSec.Reporting.ReportDescriptor.getReportRunInstance(ActiveReport3 clonedReport, ReportDescriptor mainReport)<br /> at HP.AppSec.Reporting.ReportEventHandlers.SubReportFormatHandler.a(SubReport A_0, Section A_1)<br /> at HP.AppSec.Reporting.ReportEventHandlers.SubReportFormatHandler.d(Object A_0, EventArgs A_1)<br /> at System.EventHandler.Invoke(Object sender, EventArgs e)<br /> at DataDynamics.ActiveReports.Section.#7kf()<br /> at DataDynamics.ActiveReports.Section.#Clf(ActiveReport3 report)<br /> at #kyd.#TD.#1mf(Section section)<br /> at #kyd.#TD.#Nqf()<br /> at #kyd.#TD.#Iqf(Page newPage, Single left, Single top, Single right, Single bottom, UInt32 flags, UInt32& status)<br /> at DataDynamics.ActiveReports.Section.#wlf(ActiveReport3 parentReport, #Oaf rData)<br /> at #kyd.#Haf.#Ukf(Int32 pieceIndex)<br /> at #kyd.#Haf.#Skf()<br /> at #kyd.#Haf.#lW(Section section, Int32 insPos)<br /> at #kyd.#Haf.#lW(Section section)<br /> at #kyd.#TD.#Nqf()<br /> at #kyd.#TD.#Iqf(Page newPage, Single left, Single top, Single right, Single bottom, UInt32 flags, UInt32& status)<br /> at DataDynamics.ActiveReports.ActiveReport3.#Smf()<br /> at DataDynamics.ActiveReports.ActiveReport3.Run(Boolean syncDocument)<br /> at HP.AppSec.Reporting.ReportDescriptor.runReport(Boolean syncDocument)</p> <p> </p> <p>WebInspect crashed with following Error Details after I'd generated a solo Aggregate Report, saved and closed that report, then generated an aggregated Executive Summary report:</p> <p>System.Threading.Thread<br />Build:8.1.524.2<br /><br />Index was out of range. Must be non-negative and less than the size of the collection.<br />Parameter name: index<br /><br /> at System.Collections.CollectionBase.System.Collections.IList.get_Item(Int32 index)<br /> at #gwd.#nAd.get_Item(Int32 index)<br /> at DataDynamics.ActiveReports.Document.Page.Draw(Graphics graphics, RectangleF bounds, TextRenderingHint textRenderHint, Single scaleFactorX, Single scaleFactorY, Boolean printing)<br /> at DataDynamics.ActiveReports.Document.Page.Draw(Graphics graphics, RectangleF bounds, Single scaleFactorX, Single scaleFactorY)<br /> at DataDynamics.ActiveReports.Document.Page.Draw(Graphics graphics, RectangleF bounds)<br /> at #Cwd.#oAd.OnPaint(PaintEventArgs e)<br /> at System.Windows.Forms.Control.PaintWithErrorHandling(PaintEventArgs e, Int16 layer, Boolean disposeEventArgs)<br /> at System.Windows.Forms.Control.WmPaint(Message& m)<br /> at System.Windows.Forms.Control.WndProc(Message& m)<br /> at System.Windows.Forms.ScrollableControl.WndProc(Message& m)<br /> at #Cwd.#oAd.WndProc(Message& m)<br /> at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)<br /> at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)<br /> at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)</p> <p>...resulting in WI closing. And immediately another Error was reported with following Error Details:</p> <p>System.ArgumentOutOfRangeException<br /><br />Index was out of range. Must be non-negative and less than the size of the collection.<br />Parameter name: index<br /><br /> at SPI.UI.ErrorForm.a(Object A_0, Exception A_1)<br /> at SPI.UI.ErrorForm.a(Object A_0, ThreadExceptionEventArgs A_1)<br /> at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)<br /> at System.Windows.Forms.Control.WndProcException(Exception e)<br /> at System.Windows.Forms.Control.ControlNativeWindow.OnThreadException(Exception e)<br /> at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)<br /> at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)<br /> at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)<br /> at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)<br /> at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)<br /> at System.Windows.Forms.Application.Run(Form mainForm)<br /> at aba.h()</p><div style="clear:both;"></div> </article> <article> <h1>Not able to access the AMP Manager running on localhost from different machine</h1> <p>sutapa.hp — Wed, 11 Nov 2009 11:24:14 GMT</p> <p>Hi,</p> <p>I have successfully installed and initialized AMP Manager and AMP Console. I can access both AMP Console and AMP Web Console from the VM in which I have installed the manager.</p> <p>But I am not able to access the Web console from other remote systems with the hostname/IP.</p> <p>Please suggest a way out.</p> <p>Thanks and Regards,</p> <p>Sutapa</p> <p> </p><div style="clear:both;"></div> </article> <article> <h1>Error:Connectivity issue, Reason:ServerConsecutive, Server:<domain_name>.com</h1> <p>jaugustin@ti.com — Sat, 31 Oct 2009 00:30:16 GMT</p> <p>Hi All,</p> <p>Webinspect keeps throwing this error: Error:Connectivity issue, Reason:ServerConsecutive, Server:<domain_name>.com</p> <p>where domain_name is an external third party site and is already rejected in the session exclusion in scan settings.</p> <p>Anyone knows how circumvent that? I have regular expressions matching the domain_name in the session exclusion as both host and url. I am using version 8.0.753. Thanks!</p><div style="clear:both;"></div> </article> <article> <h1>No updates</h1> <p>dssq-di — Thu, 05 Nov 2009 11:04:29 GMT</p> <p>Hello,</p> <p>I've updated webinspect to the latest SP. After that I get this message every time I clik on the Smart Update button :</p> <p>"Smart update complete. There were no new updates found"</p> <p>Before installing this SP, webinspect was updated every day oy even few times a day, have you chage the update policy?</p> <p> </p> <p>Regards</p> <p>Paulo</p><div style="clear:both;"></div> </article> <article> <h1>Cannot connect to web service to retrieve the license</h1> <p>marilyndaum — Tue, 16 Jun 2009 00:48:53 GMT</p> <p>I recently upgraded to WebInspect 8. Since that time, Smart Update has not run successfully for me. Attempts to do so yield a popup error "Cannot connect to web service to retrieve the license." Hopefully I'm just missing something simple, but I can't figure out what the problem is. Any suggestions?</p> <p>WebInspect is version 8.0.548.0.</p> <p>Thanks.</p><div style="clear:both;"></div> </article> <article> <h1>WebInspect 8.0.625.1 Patch available via Support</h1> <p>HansEnders — Wed, 24 Jun 2009 21:17:59 GMT</p> <p><<<br /><br />HP Development is releasing this special build to Customer Support to be used as a patch for WebInspect 8.0. This build has had limited testing, limited to the "HotFix CRs" listed below. An addition, other CRs have been included in this build which may or may not have been verified by QA. This patch should only be provided to customers to address those items listed under "Defects Fixed".<br /><br />Build #: 8.0.625.1<br /></p> <p>Notes: This build is a stand-alone build and is not included or available in any SmartUpdate to the current release, WebInspect 8.0.548.0.</p> <p>>><br /><br />This build will still receive the large SmartUpdate1 package from earlier in June 2009 that included new Reporting items, as referenced here: http://www.communities.hp.com/securitysoftware/forums/t/8323.aspx<br /><br />Release Notes are attached to this posting. </p><div style="clear:both;"></div> </article> <article> <h1>WebInspect 8.0.687.0 Patch available via Support</h1> <p>HansEnders — Fri, 04 Sep 2009 15:17:59 GMT</p> <p><<</p> <p>HP ASC Development is releasing this build to the ASC Customer Support team to be used as a Patch for WebInspect 8.0. This build includes all fixes from previous WebInspect 8.0 HotFixes, Patches and SmartUpdates. Testing for this build has been limited to the CRs listed. Therefore, provide this patch ONLY to those customers experiencing the below issues (or issues from previous WebInspect 8.0 HotFixes, Patches and SmartUpdates).</p> <p>>></p> <p>This August release is a cumulative patch including the public release 8.0.548 and all fixes or patches released since April 2009. This version is only available if you are experiencing one of the issues detailed in the Release Notes for those build(s). Anyone applying this version to their installation may need to manually install the next public release as this special version may not automatically SmartUpdate whenever that version is released.</p> <p><b>Release Notes are attached to this posting. </b></p><div style="clear:both;"></div> </article> <article> <h1>WebInspect 8.0.753 Service Pack 1 available via SmartUpdate</h1> <p>HansEnders — Fri, 23 Oct 2009 17:48:55 GMT</p> <p>The WebInspect 8.0 Service Pack 1, version 8.0.753, was released on October 20th 2009. There had been advance notices regarding this release posted to the Messages section of WebInspect's Start Page tab.</p> <p>While there have been changes to the binaries and its factory Default Scan Settings, the upgrade or reinstall will not damage or affect your custom data (scan files, macros, web form files, settings files, et al). Since our upgrades leave your personal defaults alone, you may need to open the Default Scan Settings screen and use the Load Factory Defaults button/link to reset these to the latest values.</p> <p> </p> <p>If you are currently on the public release version 8.0.548, SmartUpdate will upgrade you to this version automatically. It may require a reboot.</p> <p>If you instead have a Support-Only build numbered between 8.0.548 and 8.0.753, then you may not be able to SmartUpdate and receive this new release. If this is your situation, you should download the 8.0.753 install file directly (link below), uninstall your current version from the Control Panel, reboot, install this newest version, and then reboot one final time.</p> <p> <a href="https://download.hpsmartupdate.com/webinspect/WebInspectSetup.exe">https://download.hpsmartupdate.com/webinspect/WebInspectSetup.exe</a></p> <p>The following error indicates you will have to manually install this new version:</p> <p>"Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing versionof this product, use Add/Remove Programs on the Control Panel."</p> <p> </p> <p>Lastly, the product documentation bundle has also been updated. It can be retrieved from this URL: <a href="https://download.hpsmartupdate.com/webinspect">https://download.hpsmartupdate.com/webinspect</a></p> <p> </p> <p><strong>Release Notes are attached to this posting. </strong></p><div style="clear:both;"></div> </article> <article> <h1>Documentation</h1> <p>jason.gorman — Wed, 30 Sep 2009 18:48:38 GMT</p> <p>Is there any better documenation that the User Guide and Getting Started guide? I would like some advanced info on exactly what QAInspect is testing for/on when running tests such as SQL Injection, etc.</p><div style="clear:both;"></div> </article> <article> <h1>Vista 64-bit and WebInspect 8 installation recommendations</h1> <p>HansEnders — Fri, 16 Oct 2009 14:49:53 GMT</p> <p>WebInspect 8.0.548 supports 64-bit Vista OS, but it requires certain adjustments.</p> <p> * Disable User account Control (UAC).</p> <p> * Disable themes.</p> <p> * When installing, make sure that you run as Administrator. </p> <p> * Best practice is to manually install both the 32-bit and 64-bit versions of Microsoft SQL Compact Edition (CE) 3.5 SP1.</p> <p> </p> <p>Some users have experienced trouble with the SmartUpdate, as demonstrated by the following error.</p> <p> SmartUpdate<br /> Exception has been thrown by the target of an invocation<br /> An attempt was made to load a program with an incorrect format. (Exception from HRESULT:0x8007000B)</p> <p>This is a symptom that indicates the SQL CE product needs to be updated per the steps below. The cause of this is that WebInspect incorporates a 32-bit installation of Microsoft SQL Compact Edition (CE), but not a 64-bit version. Even if the 64-bit version is already installed, that same Microsoft's article suggests the 32-bit version may be necessary.</p> <p> </p> <p>This is the link we currently use and provide for installing SQL CE 3.5 SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=DC614AEE-7E1C-4881-9C32-3A6CE53384D9&displaylang=en#filelist<br /><br /> (Reference source: https://download.hpsmartupdate.com/webinspect/ )<br /> <br /> <br />Steps:<br /> <br />1. Download the 32-bit install file "SSCERuntime-ENU-x86.msi"<br /> <br />2. Download the 64-bit install file "DSSCERuntime-ENU-x64.msi"<br /> <br />3. Install using SSCERuntime-ENU-x86.msi.<br /> <br />4. Reboot.<br /> <br />5. Install using DSSCERuntime-ENU-x64.msi<br /> <br />6. Reboot.<br /> <br />7. Open WebInspect and verify the SmartUpdate no longer fails with this "incorrect format" error.</p> <p>8. Done.</p> <p> </p> <p> </p> <p>Reference regarding the need for 32-bit CE on 64-bit Vista: http://www.microsoft.com/downloads/details.aspx?FamilyId=DC614AEE-7E1C-4881-9C32-3A6CE53384D9&displaylang=en#filelist</p> <p><<Due to changes in SQL Server Compact SP1 and additional 64-bit version support, centrally installed and mixed mode environments of 32-bit version of SQL Server Compact 3.5 and 64-bit version of SQL Server Compact 3.5 SP1 can create what appear to be intermittent problems. To minimize the potential for conflicts, and to enable platform neutral deployment of managed client applications, centrally installing the 64-bit version of SQL Server Compact 3.5 SP1 using the Windows Installer (MSI) file also requires installing the 32-bit version of SQL Server Compact 3.5 SP1 MSI file. For applications that only require native 64-bit, private deployment of the 64-bit version of SQL Server Compact 3.5 SP1 can be utilized.>></p><div style="clear:both;"></div> </article> <article> <h1>Server Error Reponses</h1> <p>mpgoug — Wed, 07 Oct 2009 21:05:17 GMT</p> <p>Is there anyway to disable a check once a audit is underway?</p> <p>Very often we test webservers who have incorrect error handling - so for every malformed request WI sends to the server it recives a 500* Server Error in return. This can dramtically fill the scan with False Positves and slow the assessment considerably. We will still advise the client of the issue however we do not need to see 000's of 'Server Error Responses' in the report.</p> <p>I cannot see a way to disable a check once the audit is running?</p> <p>Also how do I save a crawl so I can audit it serveral times?</p> <p>Kind Regards, Matt Gough UK</p><div style="clear:both;"></div> </article> <article> <h1>HP WebInspect End of Life Policy</h1> <p>michaelspaulding — Thu, 08 Oct 2009 18:42:07 GMT</p> <p>How long after a major release of WebInspect does HP EOL the previous version? Also, is there a date set for 9.X? Even a rough one for an estimate?</p> <p>Thanks,</p> <p>Mike</p><div style="clear:both;"></div> </article> <article> <h1>Smart Update Note Working</h1> <p>bukpu — Tue, 13 Oct 2009 18:29:07 GMT</p> <p>I just upgraded my version 7.7 WebInspect to version8 using my enterprise license. The upgrade was successful but the Smart update is not woking on the WebInspect 8. when I click on Smart update or try to update through the pup up update window I'm getting this error: "cannot connect to web service to retrieve the license." What do have to do to fix this issue?</p> <p>Bukpu</p><div style="clear:both;"></div> </article> <article> <h1>Test of web services that requires authentication</h1> <p>o_pedersen — Thu, 27 Aug 2009 12:34:09 GMT</p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-GB" style="mso-bidi-font-family:Verdana;mso-ansi-language:EN-GB;"><span style="font-family:Verdana;">I’m not sure this is the right place to ask this question, but now I’m trying.</span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-GB" style="mso-bidi-font-family:Verdana;mso-ansi-language:EN-GB;"><span style="font-family:Verdana;"> </span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-GB" style="mso-bidi-font-family:Verdana;mso-ansi-language:EN-GB;"><span style="font-family:Verdana;">I’m trying to test a web service that requires authentication. The credential has to be send as header in the SOAP request, the problem is that the authentication header isn’t defined in the WSDL file and it seems that Webinspect is only capable of testing values defined here. I hoped to be able to modify the request that Webinspect uses by means of the function “Auto-fill SOAP messages during crawl” and the SOAP-tool.<span style="mso-spacerun:yes;"> </span>That is apparently not possible. I can however successfully modify a request with the HTTP editor, but that can’t be used by the automatic test engine. </span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-GB" style="mso-bidi-font-family:Verdana;mso-ansi-language:EN-GB;"><span style="font-family:Verdana;"> </span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-GB" style="mso-bidi-font-family:Verdana;mso-ansi-language:EN-GB;"><span style="font-family:Verdana;">How can I do this in Webinspect?</span></span></p><div style="clear:both;"></div> </article> <article> <h1>General Report Questions</h1> <p>corkrejl — Tue, 06 Oct 2009 21:39:51 GMT</p> <p>I'm going to start this by asking a questions to determine if my problem is a installation issure or a complete lack of understanding of how the application works. I'm running a trial version Webinspect Version 8.0 .1.548 </p> <p> In Report Designer I open the Compliance Report under Scan Reports, I then select preview, chose one of the available scans then select the "OWASP Top 10" for the compliance template. Everythings works as expected.</p> <p>I go back to design tab and save the report under a new name, creating a new custom report, and then select the preview tab the report will only show the top level report, the subreport data is not there even though the report contains the subreports controls. Even restarting Report Designer made no difference.</p> <p>Should the copy of the report have produced the same results? If not could someone please recommend a good book so that I may get a better understanding of how the Report Designer works.</p> <p>Thanks,</p><div style="clear:both;"></div> </article> <article> <h1>AMP 8.0.643 now supports SQL 2008 server</h1> <p>HansEnders — Fri, 09 Oct 2009 21:03:48 GMT</p> <p>AMP 8.0.643 now supports Microsoft SQL Server 2008 for its database. Previously it only supported SQL Server 2005 (SP3 or SP2). The documentation is being updated at this time.</p> <p> Ref: <a href="https://download.hpsmartupdate.com/amp/">https://download.hpsmartupdate.com/amp/</a></p> <p>This change only affects the AMP Server's database. The AMP Sensors (as well as WebInspect and QAInspect) still only support SQL Server 2005, either Express or full, as their scan repositories and/or reporting workspace.</p><div style="clear:both;"></div> </article> <article> <h1>WebInspect shortcomings</h1> <p>brite_crawler — Wed, 07 Oct 2009 15:30:26 GMT</p> A few gripes to hopefully server to improve the product WebInspect: 1) Identifying the same issue multiple times. Particularly I am referring to XSS where there is the same base URI and vulnerable parameter (although often there are slight changes to the query string). Seem to me that if you have the same base URI and vulnerable parameter, you have the same vulnerability. Also, WebInspect likes to think that and are different in the mentioned case. 2) Blind SQL Injection (confirmed) false positive and/or SQL Injection reported by WebInspect is declared not possible by SQL Injector. You would think WebInspect and SQL Injector would use the same engine/logic but that does not appear to be the case. 3) Blind SQL Injection reporting is insufficient. Already discussed here: http://www.communities.hp.com/securitysoftware/forums/t/7870.aspx. Basically it is impossible to verify blind SQL injection without having multiple requests and responses but WebInspect only provides a single request and response. 4) Trouble adding arbitrary page to the site list/tree. A lot of times I discover issues that WebInspect doesn't and I want to add the vulnerabilities to WebInspect. The product allows you to add vulnerabilities but only to specific pages in the site that it has identified. If it hasn't identified it, there is no appropriate place to add it. There doesn't seem to be the ability to add an arbitrary page. Even operating in Step Mode and manually visiting the page, WebInspect has trouble picking up on it. 5) False negatives. Using other products like Burp Suite I find a significantly higher number of common issues like XSS and SQL injection. 6) Automatic crawling failures. Often, WebInspect fails to fully cover a site, leaving portions untested. This is largely due to complex javascript and other Web 2.0 atrocities that are out there. 7) Never ending scans. Most of the scans I do never finish. Again, largely due to Web 2.0 bloatware. 8) Clicking the "Save and Close" button in the Web macro Recorder prompts you with a dialog asking if you want to save. I think, "Really? Of course I want to save otherwise I wouldn't have pressed the "Save and Close" button". (Yes, I know I'm being pedantic.) 9) WebInspect runs on Windows only. it uses the .NET framework so porting it to other operating systems is non-trivial. 10) Frequent lockups and/or crashes. Crashing WebInspect is a way of life for me.<div style="clear:both;"></div> </article> <article> <h1>DataBase Full on 2005 MS SQL Express</h1> <p>retroj100 — Tue, 22 Sep 2009 16:22:11 GMT</p> <p>Has anyone come across an issue of a large file filling DB to capacity?</p><div style="clear:both;"></div> </article> <article> <h1>Where is the users manual?</h1> <p>asterix2112 — Tue, 29 Sep 2009 16:12:04 GMT</p> <p>Does anyone know where uou can download the 8.0 users manual?</p> <p>Thanks,</p> <p>- John Connor</p><div style="clear:both;"></div> </article> <article> <h1>Passive Check fails (freezes crawl and audit) in some sites, seems to do with JavaScript sessions</h1> <p>whips04r — Fri, 11 Sep 2009 01:46:38 GMT</p> <p>I've submitted the following to HP ASC Support, case ID 4603600629 and uploaded with that case an exported scan that manifests the problem. Posting here coz I respect the Freedom of Information act ;)</p> <p>In various websites I've been scanning over the past months, the crawler has failed, essentially freezing yet the scan can be paused and restarted but does not proceed from the point at which it freezes. This only occurs when 'Follow JavaScript links' checkbox is checked, perhaps indicating that a certain JavaScript file is yeilding the problem. This occurs for Crawl Only and Audits, during the Audit the scanner tends to freeze during the following check (indicated in the Status Bar at bottom-left of UI):<br /><br />DOS Filename Source Disclosure<br /><br />I have tested this on various instances of WebInspect 8.0, running on Windows XP and Windows Server 2003. Previously I was experiencing this along with many OutOfMemory errors, so I thought it was just a side-effect of the OutOfMemory problem, however now expierencing this problem without OutOfMemory.<br /><br />Am running WebInspect 8.0 updated by SmartUpdate only (i.e. I have not installed any manual patches). I do not see anything in release notes for the various recent manual patch builds that relate to this problem, except one for AMP:<br /><br />From release notes for build 8.0.589.1:<br />10195 AMP 8.0 - Scan never completes and is not sending out any requests, even though it can be controlled (pause/stop/restart).<br /><br />But since I'm experiencing this with WebInspect I don't see the need to install the manual patch.</p><div style="clear:both;"></div> </article> <article> <h1>Local Scan</h1> <p>campioncheng — Mon, 21 Sep 2009 02:59:51 GMT</p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family:Times New Roman;font-size:small;">Dear Support, </span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family:Times New Roman;font-size:small;">The situation is that I am hosting a server for web applications. I have to scan each of them before they go on production. Is it possible to scan them locally before they can go live. (may be host them under localhost?)</span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family:Times New Roman;font-size:small;">The other question is that is it possible to scan the files that are going to host in the webserver w/ webinspect locally. What I mean is not a static source code scan since I do not host those sources code. Can I scan those files/web apps (i.e. some compiled code ) for vulnerabilities?</span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family:Times New Roman;font-size:small;">If webinspect can scan locally, is it possible to scan thoroughly if the login user name and password is not provided. </span></span></p> <p class="MsoNormal" style="margin:0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family:Times New Roman;font-size:small;">Thanks for your time</span></span></p><div style="clear:both;"></div> </article> <article> <h1>Crawl not Working as Expected</h1> <p>sfink16 — Mon, 21 Sep 2009 13:16:50 GMT</p> <p>Good morning,</p> <p>I have been using Webinspect 8.0 for several months after taken over for the person who left. I had limited training/instructions of about 15 minutes. Recently I had further instructions from another user in the organization as a result switching from automatic crawl/audit to manual mode. Until now I have been mostly successful.</p> <p>My latest crawl included 4 different logons that I successfully achieved running through each area of the web site I could test in the crawl.</p> <p>When I finished, clicking the Audit button expecting the scan to take hours to complete, it completed in a few minutes instead. Running the Crawled URLs report confirm that the scan did NOT crawl the desired pages.</p> <p>What am I doing wrong? Does this have anything to do with the fact that it is not scanning on port 80, instead scanning on port 8000? Further, the site is using http instead of https, is this a problem?</p> <p>Thanks!</p> <p>Steve</p><div style="clear:both;"></div> </article> <article> <h1>Web Form Editor auto-populating values</h1> <p>brite_crawler — Thu, 24 Sep 2009 18:40:55 GMT</p> <p>I always thought it would be nice if the Web Form Editor would auto-populate all values for you when you browse thru it. Any idea as to why this functionality does not exist? It seems that a few get populated but it is the ones I don't need....</p><div style="clear:both;"></div> </article> <article> <h1>Unable to load scan list from SQL Express</h1> <p>seremoth — Tue, 01 Sep 2009 14:45:42 GMT</p> <p>Hi</p> <p>I get this everytime I start WebInspect 8. I managed to configure webinspect to running scans again. I have to switch to using SQL Server in the configuration instead of default (SQL Express).I'm using SQL Express 2005.</p> <p>It looks like webinspect is running fine except for the error msg but I'm not sure. Anyone have a idea of whats is going on?</p> <p>"Unable to load scan list from SQL Express<br />Failed to generate a user instance of SQL Server due to a failure in starting the process for the user instances. The connection will be closed"</p> <p>I also tried to delete c:\Documents and Settings\<user>\Application Data\...\SQL Server Data\SQLEXPRESS folder but that just give me another error msg at startup.</p> <p>Thanks in advance</p> <p>Kim</p><div style="clear:both;"></div> </article> </main></body></html>