Re: Getting XSS Stats out of AMP (142 Views)
Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 1 of 5 (197 Views)
Accepted Solution

Getting XSS Stats out of AMP

Hi,

I have over 3x years' worth of scans stored in AMP, from which I'm wanting to pull out various statistics.

In particular I'm wanting to find a way to report on which of my sites have ever had any form of Cross Site Scripting, as this is one of the biggest issues faced by my workplace.

Through the Dashboard's Top 5 Vulnerabilities WebPart I am able to determine which sites currently have XSS, based on the results from the most recent scan, where XSS is considered any of the following:

  • Cross Site Scripting
  • Filter Evasion Cross Site Scripting
  • HTML Tag Injection
  • JSON Hijacking/Injection
  • Cross-Frame Scripting

... and possibly more

I would like to produce a similar report, which takes into account all of a site's previous scans, not just the most recent.

I don't require this to be available via the Dashboard and also have read access to the AMP Database, so a SQL Query to retrieve this information would suffice.

Many thanks,

Dan

Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 2 of 5 (168 Views)

Re: Getting XSS Stats out of AMP

Hey Guys, any advice you can give on this one?

Much appreciated.

Cheers,

Dan

Respected Contributor
HansEnders
Posts: 585
Registered: ‎07-01-2008
Message 3 of 5 (152 Views)

Re: Getting XSS Stats out of AMP

I posed this question to our Dev team two weeks ago, and I have resubmitted that question today.  You might get a more direct response by submitting a Support case (https://support.fortify.com).


-- Habeas Data
Respected Contributor
HansEnders
Posts: 585
Registered: ‎07-01-2008
Message 4 of 5 (142 Views)

Re: Getting XSS Stats out of AMP

Fortify Support (Dev) could better answer this, but maybe you can run a SQL Query against both the AMP and/or WebInspect Enterprise databases such as:

select * from scan_stats_checks where CheckID = 45
(or whatever the CheckID is for the vulnerability you are seeking)

This will return ScanID, CheckID, Count.


-- Habeas Data
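
The per-site "ever had XSS" report asked for above, built on the scan_stats_checks columns named in this reply (ScanID, CheckID, Count), as an added example that is not part of the original thread and is not Fortify's own code. Assumptions: the scan_site_map table and its Site column are hypothetical stand-ins for whatever links a scan to a site in your database, the CheckIDs are placeholders, and the rows are constructed sample data loaded into an in-memory SQLite database so the query can be run offline.

```python
import sqlite3

# Placeholder CheckIDs for the XSS-family checks; substitute the real IDs
# from your own installation (45 is only the example value from the reply).
XSS_CHECK_IDS = (45, 9001, 9002)

# scan_stats_checks (ScanID, CheckID, Count) is the table named in the thread.
# scan_site_map (ScanID, Site) is a HYPOTHETICAL mapping from scan to site.
QUERY = """
SELECT m.Site,
       COUNT(DISTINCT s.ScanID) AS ScansWithXss,
       SUM(s.Count)             AS TotalFindings
FROM scan_stats_checks AS s
JOIN scan_site_map AS m ON m.ScanID = s.ScanID
WHERE s.CheckID IN ({ids}) AND s.Count > 0
GROUP BY m.Site
ORDER BY TotalFindings DESC, m.Site
"""

def sites_ever_with_xss(conn, check_ids=XSS_CHECK_IDS):
    """Return (site, scans_with_xss, total_findings) over every stored scan."""
    sql = QUERY.format(ids=",".join("?" * len(check_ids)))
    return conn.execute(sql, tuple(check_ids)).fetchall()

def build_sample_db():
    """In-memory database filled with constructed rows (not real scan data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE scan_stats_checks (ScanID INTEGER, CheckID INTEGER, Count INTEGER);
        CREATE TABLE scan_site_map (ScanID INTEGER PRIMARY KEY, Site TEXT);
    """)
    conn.executemany("INSERT INTO scan_site_map VALUES (?, ?)", [
        (1, "shop.example"), (2, "shop.example"), (5, "shop.example"),
        (3, "blog.example"), (4, "intranet.example"),
    ])
    conn.executemany("INSERT INTO scan_stats_checks VALUES (?, ?, ?)", [
        (1, 45, 4), (2, 9001, 1),      # older shop scans: XSS present
        (5, 45, 0), (5, 7000, 1),      # latest shop scan: no XSS findings
        (3, 45, 2), (3, 9001, 1),      # blog: two XSS-family checks in one scan
        (4, 7000, 5),                  # intranet: only an unrelated check
    ])
    return conn

if __name__ == "__main__":
    for site, scans, total in sites_ever_with_xss(build_sample_db()):
        print(f"{site}: XSS in {scans} scan(s), {total} finding(s) in total")
```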
Frequent Advisor
AutoDan
Posts: 48
Registered: ‎12-11-2011
Message 5 of 5 (98 Views)

Re: Getting XSS Stats out of AMP

Hi Hans,

Sorry for my late reply.

Working from scan_stats_checks, I was able to retrieve the statistics I was after.

Many thanks for all your help.

Regards,

Dan
