Tips and Tricks: Adding Manual/External Vulnerabilities to WebInspect

For WebInspect 8.1

Security professionals frequently conduct manual pen testing in addition to the automated security testing they perform with WebInspect. When new locations and vulnerabilities are found, the question becomes “How do I make WebInspect include these vulnerabilities in the scan results?” There is currently no easy way to do this (stay tuned for future releases), but it can still be done, assuming the vulnerability is tied to a specific location.

 

Step 1 – Setup

I performed a “Crawl Only” scan of HP’s public test site, zero.webappsecurity.com, and turned off “Discovery (Path Truncation)”, which is an option on the 4th step of the scan wizard. Turning this option off artificially reduces the coverage of the site. For this example, I want to demonstrate a location that was missed during a scan but which can be found manually. Notice that the “Stats” directory is not listed in the “Site Tree” (the area on the left). This directory would normally be found by an audit probe, but since the scan was configured as crawl only, the Stats directory was missed.

[Screenshot: 1.png]

Step 2 – Manually add the location

Next, I’ll use “Step Mode” to add the missed location to the scan. Follow the steps below to use Step Mode.

1. Click the Step Mode bar.

2. Enable recording by pressing the red button.

3. Click the Browse button.

4. Type the URL of the missing location, or use the browser to navigate to it if the location requires multiple steps before it can be accessed.

5. In the Step Mode window, uncheck all the undesired locations and click “finished”.

[Screenshot: 2.png]

[Screenshot: 3.png]

Step 4 – Add a custom vulnerability

Now that the location exists in the “Site Tree”, you can right-click it and select the “Add Vulnerability” option. Once the dialog is displayed, click the “Add Custom” button and specify the severity and description of the custom vulnerability. Each time the “Add Custom” button is clicked, a new vulnerability is added to the location. The newly created vulnerability is viewable in all the standard places where other vulnerabilities can be seen (reports, the vulnerability grid, etc.).

[Screenshot: 4.png]

Additional TIP – Adding your own vulnerability to a location that is already vulnerable

If you would like to add a vulnerability to a location that already exists and has vulnerabilities, select the “Edit Vulnerability” context menu item to launch the same dialog described above.

From this dialog you can also modify vulnerabilities that WebInspect reported. This can be useful if there is specific information you would like to include for the vulnerability when you generate a report.

[Screenshot: 5.png]

Conclusion

I hope you found this topic helpful.  I plan to continue a series for WebInspect tips and tricks.  If there is a topic that you feel would be helpful, please feel free to email me directly at brianmiller@hp.com.
