12-26-2012 10:20 AM - edited 12-26-2012 10:23 AM
I'm trying to determine if WebInspect stores its database login account passwords in clear text anywhere. I'm also trying to verify if WebInspect always sends the password to SQL Server encrypted. Finally, I'm also trying to determine if WebInspect has any command-line tools where passwords are passed as visible parameters. So far I haven't been successful in finding this information in HP's notes on WebInspect. Hopefully, someone can point me in the right direction or knows the answers to my questions. Thanks!
01-03-2013 09:28 AM
Here are the answers for your three questions.
Yes, the credentials for WebInspect's SQL connection are encrypted and they are stored within its user.config file, under the tag <SPI.WebInspect.DatabaseSettings>. I believe that WebInspect simply uses the workstation's configured Microsoft Windows encryption methods and controls to decrypt and use this data. This file's location differs depending on whether this is an XP-based or Vista-based OS, as follows.
Windows 7 sample location: %USERPROFILE%\AppData\Local\HP\HP WebInspect\user.config
Windows 2003 sample location: %USERPROFILE%\Local Settings\Application Data\SPI Dynamics\WebInspect\7.0\user.config
Here is a sample of a SQL configuration from user.config for a local installation of SQL Server 2005 with WebInspect 9.30.93, with two SQL databases specified, named "WebInspect8" and "WI9DB".
<setting name="DatabaseProfiles" serializeAs="Xml">
<setting name="settingsVersion" serializeAs="String">
When WebInspect connects to its remote SQL Server, it does so using the ODBC client-server configuration of its Windows OS. By default, this is standard SQL TCP communication on the default SQL port 1433. It is possible this is not secure enough for your needs. If so, you would need to enable SQL encryption on the SQL Server and also within your workstation's ODBC client-server configuration. WebInspect will use the defined ODBC connection regardless of the presence of encryption on the pipe, as this factor is outside of our product.
During any WebInspect scan, it is possible that passwords are passed in the HTTP Request, and so this may be the plain text you are seeking. In fact, WebInspect has security checks that will highlight that fact if passwords were used in the clear. If you wished to intercept this traffic, you would want to pass the scanner through an intercepting web-traffic proxy, such as the included Web Proxy tool, and then search that data afterwards. If you used the Traffic Monitor feature instead, it may not offer you the search function required, and if you omitted its sub-option to encrypt the Traffic Monitor log then you may have an additional resource to search.
I do not see how the CLI version of WebInspect (see its Help guide for details) would change this for you, since both types of scanner interface (UI or CLI) simply make HTTP protocol Requests. You would see none of the actual traffic within the CLI window.
The only place I can think of where the credentials would definitely be visible, barring any exposures by the targeted web application, is within the Login Macro. Anyone with access to this *.webmacro file and the Web Macro Recorder tool would be able to review its recorded sessions and details. Also, if you added this Login Macro to a saved scan settings file (XML), anyone who had WebInspect could open that file (Edit menu > Manage Settings) and then open the macro's stored copy from within that settings file (Authentication panel > Edit Macro link).
If your concern is that the credentials supplied for use in the scan may be captured in the scan results, this information can be sanitized. To do this properly you would need to know the offending text. Export the entire scan, enabling the available scrubbers or adding your own literal or regex data scrubbers, then import that scan file back into WebInspect (replacing or duplicating the existing scan). Consider renaming the scan under Manage Scans if you are keeping both copies of it, scrubbed and original. You can then safely share/export/upload that sanitized scan or generate your desired Reports from it.
-- Habeas Data
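As an added example (not part of the thread above and not HP's product code), the Python script below puts the two checks from the answer into practice: it audits a user.config-style XML file for a cleartext Password=/Pwd= token inside any <setting> (an encrypted profile should show only an opaque blob), and it scans a Web Proxy-style capture for credential parameters sent over plain http://, then sanitizes the capture with literal and regex scrubbers before it is shared. The <SPI.WebInspect.DatabaseSettings> and DatabaseProfiles names come from the answer; the "LegacyProfile" setting, the sample values and the capture lines are constructed for the example.

```python
"""Defender-side checks for the places the thread says credentials can surface.

1. find_cleartext_db_passwords: flag a Password=/Pwd= token in user.config settings.
2. requests_with_cleartext_credentials: flag credential parameters sent over http://.
3. scrub: apply literal and regex scrubbers to a capture before it is shared.
All sample data below is constructed; setting names other than DatabaseProfiles are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Connection-string password keys (ODBC / SQL Server style), value stops at ';' or whitespace.
PASSWORD_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s\"']+)")

# Credential parameters inside an HTTP request body or query string.
CRED_PARAM = re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s]+)")

# Constructed stand-in for user.config. The DatabaseProfiles value is an opaque (encrypted)
# blob; the hypothetical "LegacyProfile" carries a cleartext connection string on purpose.
CONSTRUCTED_USER_CONFIG = """<?xml version="1.0"?>
<configuration>
  <SPI.WebInspect.DatabaseSettings>
    <setting name="DatabaseProfiles" serializeAs="Xml">
      <value>CONSTRUCTED-OPAQUE-BLOB-0123abcd</value>
    </setting>
    <setting name="LegacyProfile" serializeAs="String">
      <value>Server=sqlhost;Database=WI9DB;User ID=wiuser;Password=Winter2012</value>
    </setting>
  </SPI.WebInspect.DatabaseSettings>
</configuration>
"""

# Constructed proxy-capture lines: "<method> <url> <body>" ("-" when there is no body).
CONSTRUCTED_CAPTURE = [
    "POST http://app.example.test/login username=alice&password=Winter2012",
    "POST https://app.example.test/login username=alice&password=Winter2012",
    "GET http://app.example.test/home -",
]


def find_cleartext_db_passwords(config_xml: str):
    """Return (setting name, password value) pairs for every <setting> whose text
    contains a cleartext Password=/Pwd= token. An encrypted blob has no such token."""
    root = ET.fromstring(config_xml)
    hits = []
    for setting in root.iter("setting"):
        text = "".join(setting.itertext())
        for match in PASSWORD_KEY.finditer(text):
            hits.append((setting.get("name"), match.group(2)))
    return hits


def requests_with_cleartext_credentials(capture):
    """Return indexes of captured requests that sent a credential parameter over plain http://."""
    flagged = []
    for index, line in enumerate(capture):
        _method, url, body = line.split(" ", 2)
        if url.lower().startswith("http://") and CRED_PARAM.search(body):
            flagged.append(index)
    return flagged


def scrub(capture, literals=(), regexes=(CRED_PARAM,), mask="[REDACTED]"):
    """Sanitize each captured line: literal scrubbers replace exact strings, regex
    scrubbers keep the parameter name and replace only its value with the mask."""
    scrubbed = []
    for line in capture:
        for literal in literals:
            line = line.replace(literal, mask)
        for pattern in regexes:
            line = pattern.sub(lambda m: f"{m.group(1)}={mask}", line)
        scrubbed.append(line)
    return scrubbed


if __name__ == "__main__":
    for name, value in find_cleartext_db_passwords(CONSTRUCTED_USER_CONFIG):
        print(f"user.config setting {name!r} holds a cleartext password of length {len(value)}")
    for index in requests_with_cleartext_credentials(CONSTRUCTED_CAPTURE):
        print(f"request {index} sent credentials over plain http: {CONSTRUCTED_CAPTURE[index]}")
    for line in scrub(CONSTRUCTED_CAPTURE, literals=("Winter2012",)):
        print("scrubbed:", line)
```

On a real workstation you would read the user.config path quoted in the answer and the exported proxy log instead of the constructed strings; the literal scrubber is the one to use when you know the exact credential text, the regex scrubber catches the parameter whatever its value.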