12-18-2013 08:21 AM
I have started testing a new application which allows users to select one or more PDF files (up to a max size of 1 MB) and upload them to a server for processing. I have recorded the upload of particular PDF files to use.
I want to find out if there is a way to abstract the details of the particular file(s) recorded and rather have WebInspect target any number of files available in a specific location/directory. Is it possible to parameterize a WebInspect test similar to the way LoadRunner scripts can be abstracted?
I am new to WebInspect and appreciate the help in advance.
09-15-2014 12:26 PM
Hello, I am representing an abstract management company which helps you to abstract files. You can use One World Presentation Management Ltd. abstract management system or software. Although not sure with your mentioned app.
09-17-2014 08:34 AM
I'm not sure you would want to do this with WebInspect. By default, WebInspect avoids downloading most static office files, as you can find under the Default Scan Settings (Edit menu > Default Scan Settings > Session Exclusions panel). Specific MIME types and file extensions are avoided, because WebInspect is not a virus or malware scanner and would just bloat the security scan with those file downloads. The Session Exclusions settings dovetail with the Session Storage settings, so review those as well.
WebInspect is interested in fuzzing the actions performed by the web application, so you would want it to be aware of the upload/download action. By default it performs PUT Method Uploads and similar file tests, although these tend to generate a plain TXT file created via the HTTP Request. Look on the target system for file artifacts such as "Created by WebInspect*.TXT" or "*WebInspect*.TXT". Open the F1 Help guide and look under Getting Started > Preparing for Audit to gather more details on this. You can also data mine the attack database using the Policy Manager tool > Search feature.
If you were to record the PDF upload as a Workflow Macro, this would guide WebInspect to see the process and it would then fuzz all of the inputs there. Have you already run initial scans without such a Workflow to see if WebInspect already manages this process? It does not generally matter if this process is tested for one upload or for all listed files, since it is the action and inputs that are being audited, not the specific files.
That being said, if the contents of the file are legible via HTTP Response, you might find simple issues such as SSN, Credit Card Numbers, Internal IP Disclosure, et al. In addition, there is a Scan Setting (Edit menu > Default Scan Settings > Requestor panel) that defaults the HTTP Response size to 1,000KB, so if you really wanted the full file downloaded you may need to alter that. Just remember that altering settings to be more Thorough can cause an increase in Scan Time, and vice versa.
WebInspect offers some parametrization in the Login Macro, but that is for re-using the Macro in slightly different configurations, not running through a listing. If you simply had to iterate all those files, I would generate a script to Request each of them using something such as CURL and record that traffic with the included HP Web Proxy. I used to do this with a BAT file, FOR-DO loop, and an input TXT file, but if you have LoadRunner you could probably use that.
Once you have run the script, remove any unwanted sessions and then use the Proxy's File menu to Create A Macro (Start Macro). This artifact (*.webmacro) could then be specified in the Scan Settings later, or Imported as a Workflow in the Guided Scan Wizard. Bear in mind that selecting "Workflow Scan" will alter the scan type to "Audit-Only", yet you can reset that radio button back to Crawl-and-Audit.
-- Habeas Data
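The curl-through-proxy loop that the answer above describes, written out as an added example in POSIX shell (rather than the BAT file the answer mentions). This is not code from the thread or from HP; the upload URL, the multipart form field name, the proxy listener address and the directory are all hypothetical placeholders, and the 1 MB cap comes from the original question. Each PDF within the size limit is sent as a multipart upload through the proxy so the recorded sessions can later be turned into a Workflow Macro.

```shell
#!/bin/sh
# Added example, not from the original thread or from HP.
# Iterate every PDF in a directory and send each one through a local
# proxy listener with curl, so the traffic can be recorded as a macro.
set -e

# Hypothetical values; override via environment when running for real.
UPLOAD_URL="${UPLOAD_URL:-http://target.example/upload}"   # hypothetical upload endpoint
FIELD_NAME="${FIELD_NAME:-file}"                            # hypothetical multipart field name
PROXY="${PROXY:-http://127.0.0.1:8080}"                     # hypothetical proxy listener
MAX_BYTES=1048576                                           # the 1 MB limit from the question

# file_size: print the byte count of a file (wc -c, with padding stripped)
file_size() {
  wc -c < "$1" | tr -d ' '
}

# list_uploadable: print the PDFs in directory $1 that fit the size limit,
# one per line; oversized files are reported on stderr and skipped
list_uploadable() {
  dir="$1"
  for f in "$dir"/*.pdf; do
    [ -f "$f" ] || continue            # no match leaves the glob literal; skip it
    size=$(file_size "$f")
    if [ "$size" -gt "$MAX_BYTES" ]; then
      echo "skip (over limit, $size bytes): $f" >&2
      continue
    fi
    printf '%s\n' "$f"
  done
}

# upload_one: send a single PDF as multipart/form-data via the proxy and
# print the HTTP status next to the file name
upload_one() {
  curl --silent --show-error --proxy "$PROXY" \
       --form "$FIELD_NAME=@$1;type=application/pdf" \
       --output /dev/null --write-out "%{http_code} $1\n" \
       "$UPLOAD_URL"
}

# upload_all: drive upload_one over every uploadable PDF in directory $1
upload_all() {
  list_uploadable "$1" | while IFS= read -r f; do
    upload_one "$f"
  done
}

# Run only when a directory argument is given; otherwise just define functions.
case "${1:-}" in
  "") ;;
  *)  upload_all "$1" ;;
esac
```

Usage: `PROXY=http://127.0.0.1:8080 sh upload_pdfs.sh /path/to/pdfs` with the proxy listening on that port; afterwards remove unwanted sessions in the proxy and create the macro as the answer describes. The size filter mirrors the application's own 1 MB limit so the recording does not contain rejected uploads.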