Does WebInspect Support Testing Post Back Frameworks Like JSF/ADF

New Member.

Does WebInspect Support Testing Post Back Frameworks Like JSF/ADF



Can you please let me know whether there is any document that details whether the tool (WebInspect) supports Post Back frameworks like JSF/ADF?


Thanks & Regards,


Acclaimed Contributor.

Re: Does WebInspect Support Testing Post Back Frameworks Like JSF/ADF

I am unsure of the full coverage, but WebInspect already includes a scan settings template for ADF Server Faces, visible in the scan wizard.  This drops in customized settings our developers have identified for that sort of environment.


While it does not name JSF or ADF, the Release Notes for 10.0 (and 10.10) do indicate advancements in our scripting engine that may apply.  The only caveat I know for this is that if you happen to be using an older, saved, scan settings file, this new JS engine will not be enabled in your scan.  You must enable it yourself within the scan settings, at the bottom of the display screen for the Content-Analyzers panel > Javascript.  New, fresh scans in WebInspect 10.0 or 10.10 should have the new engine enabled by default.




Source:  Release Notes (English) - https://download.hpsmartupdate.com/webinspect/WebInspectReleaseNotes.htm



Enhanced support for modern applications


The technologies used to build modern, "Web 2.0" applications are continually evolving. More and more web applications make use of extensive JavaScript frameworks and AJAX for core capabilities, significantly expanding the attack surface of applications and increasing the complexity of testing them. The dynamic nature of modern applications makes it a challenge to automatically crawl and therefore properly perform security tests.


HP WebInspect 10.0 responds to this challenge by introducing Adaptive Component Recognition (ACR). Instead of indiscriminately "clicking" hyperlinks and blindly processing interactable elements, ACR technology recognizes structural patterns in a web application to organize it into logical units. For example, instead of simply analyzing a page for hyperlinks, span, and div tags with associated script events, these elements together can be recognized as grid controls and list controls. Furthermore, they can be recognized as controls for specific frameworks like jQuery and extJS, enabling a better understanding of the application and ultimately resulting in the most comprehensive application security analysis of your applications.


Enhancements for specific frameworks and components include JQuery (multiple versions), Ext-JS, ARIA, and DOJO. The ACR capabilities include detection of frameworks and are automatically performed as part of using WebInspect; no additional configuration is needed. ACR more accurately processes the content of web applications and finds more locations that are potentially vulnerable to attack. Note that performing more attacks can result in scans taking longer to run.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify