CLI command-line options for WebInspect scans

Last post 04-15-2008, 4:22 PM by chardmon. 4 replies.
  •  02-12-2008, 6:27 PM 74097

    CLI command-line options for WebInspect scans

    TITLE:
    CLI command-line options for WebInspect scans


    OVERVIEW:
    To show the CLI summary while the WebInspect™ GUI is closed, use the {-?} command option in the Windows command-line interface (DOS window). For example, enter the following in the application directory:

    WI.exe -?

    With WebInspect 7.0 installed, you will receive the following results:
    ---------------------------
    wi.exe -u url [-s file] [-ps policyID | -pc path] [-ab|an|am|ad|aa|ak {creds}]
    [-o|c] [-n name] [-e file] [-x] [-l[nfewid]] [-b file] [-v] [-?]
    [-r report_name -f report_export_file [-t compliance_template_file]]

    General ---------------------------------------------------------

    -? show usage
    -u {url} url (or IP Address)
    -s {settings file} settings file
    -o audit only (requires policy -p)
    -c crawl only
    -x restrict to root folder
    -n {name} scan name
    -b {filepath} use given SecureBase file

    Audit Policy ----------------------------------------------------

    -ps {policy ID} policy for audit
    1 Standard
    2 Assault
    3 SOAP
    4 Quick
    5 Safe
    6 Development
    7 Blank
    16 QA
    17 Application
    18 Platform

    -pc {policy path} custom policy file path

    Authentication --------------------------------------------------

    -ab "userid:pwd" basic authentication mode
    -an "userid:pwd" NTLM authentication mode
    -ad "userid:pwd" digest authentication mode
    -ak "userid:pwd" kerberos authentication mode
    -aa "userid:pwd" automatic authentication mode
    -am {macro path} web macro authentication mode

    Output ----------------------------------------------------------

    -e {filepath} export scan in full XML format

    -ln log none
    -lf log fatal
    -le log errors
    -lw log warning
    -li log info
    -ld log debug

    -v verbose output

    Reports ----------------------------------------------------------

    -r {report_name} name of the report to run

    Executive Summary
    Vulnerability
    Alert View
    QA Summary
    Crawled URLs
    Attack Status
    Developer Reference
    Trend
    Aggregate
    Comparison
    Compliance
    Scan Log

    -f {export_file} where to export the report pdf file (file path and file name)

    -gp export report as pdf

    -gh export report as zipped up html

    -t {filepath} use given compliance template file


    DETAILS:
    When using these options in scripts, there are a few notes to keep in mind:

    - The file name used must use permitted characters. This may be a risk if the url (-u) is fed as a variable from a text file and it is used as part of the file name. If that is the case, you must ensure that the source does not include any items such as http://, https://, :80, or :443, since the slash and colon characters are illegal for file names. This is not an issue if the hostname variable is not used in the file name.

    - Scripted scans may fail quietly if a hyphen (-) is used in a file name being specified by any of the options.
    For example, if the {-f} option includes a hyphen in the file name, the SPA file will be created, but the export file will not. This is also true if the path includes hyphens. The WebInspect CLI will interpret hyphens as further command options.

    - If the folder specified in an option does not exist, the scan will end prematurely with no data and no errors.

    {-o}:
    This runs an Audit-Only, so it requires a specified policy option.


    APPLIES TO:
    WebInspect 7.x
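    The scripting caveats in the DETAILS section, worked into a driver script. This is an added example, not part of the original post or HP's own tooling: it derives a file-safe scan name from each URL (no scheme, port, slashes, colons or hyphens), creates the export folder before the scan starts, and checks that the export really appeared, since a failed scripted scan may not report an error. The wi.exe location, urls.txt, the C:\Scans folders and policy ID 1 (Standard) are assumptions.

```powershell
# Added example (not part of the original post): drive wi.exe from a URL list
# while honouring the scripting caveats in the DETAILS section above.
# Assumptions: wi.exe is on PATH, urls.txt holds one URL per line, and the
# C:\Scans folders and policy ID 1 (Standard) are constructed placeholders.

$wiExe    = 'wi.exe'
$urlFile  = 'C:\Scans\urls.txt'
$outRoot  = 'C:\Scans\exports'
$policyId = 1

# wi.exe treats a hyphen anywhere in a path as another option, so refuse
# an export folder that contains one rather than let the scan fail quietly.
if ($outRoot -match '-') { throw "Export folder must not contain '-': $outRoot" }

function ConvertTo-ScanName {
    param([string]$Url)
    # Drop the scheme, path and port: '/' and ':' are illegal in file names.
    $name = $Url -replace '^https?://', '' -replace '/.*$', '' -replace ':\d+$', ''
    # Map hyphens (parsed as options) and anything else outside a conservative
    # allow-list to underscores.
    return ($name -replace '[^A-Za-z0-9_.]', '_')
}

# A missing folder ends the scan with no data and no error, so create it up front.
if (-not (Test-Path -LiteralPath $outRoot)) {
    New-Item -ItemType Directory -Path $outRoot | Out-Null
}

foreach ($line in Get-Content -LiteralPath $urlFile) {
    $url = $line.Trim()
    if (-not $url) { continue }
    $scanName = ConvertTo-ScanName $url
    $xmlOut   = Join-Path $outRoot "$scanName.xml"
    $pdfOut   = Join-Path $outRoot "$scanName.pdf"
    # Crawl and audit with the Standard policy, export full XML, run the
    # Executive Summary report as PDF, log errors only.
    $wiArgs = @('-u', $url, '-ps', $policyId, '-n', $scanName, '-e', $xmlOut,
                '-le', '-r', 'Executive Summary', '-f', $pdfOut, '-gp')
    Write-Host "Running: $wiExe $($wiArgs -join ' ')"
    & $wiExe @wiArgs
    # Scripted scans can fail without an error, so check for the export itself.
    if (-not (Test-Path -LiteralPath $xmlOut)) {
        Write-Warning "No XML export produced for $url (scan name $scanName)"
    }
}
```

    Run it from the WebInspect application directory, or set $wiExe to the full path of wi.exe.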
  •  04-09-2008, 2:32 PM 76160 in reply to 74097

    Re: CLI command-line options for WebInspect scans

    Is there any more documentation or information available regarding the userid/password detection?

     Authentication --------------------------------------------------

    -ab "userid:pwd" basic authentication mode
    -an "userid:pwd" NTLM authentication mode
    -ad "userid:pwd" digest authentication mode
    -ak "userid:pwd" kerberos authentication mode
    -aa "userid:pwd" automatic authentication mode
    -am {macro path} web macro authentication mode

     What is WebInspect looking for?  Do the userid and password fields have to be named a certain way?  I am trying to use this feature but don't seem to be having any success.

       Chris Gillham
       Maritz Inc.

  •  04-10-2008, 10:42 AM 76294 in reply to 76160

    Re: CLI command-line options for WebInspect scans

    Chris;

     I don't have an answer for you off the top of my head so I'm going to have to ping my resources here for a bit.  I will update this thread once I have further details.
     

  •  04-10-2008, 7:45 PM 76330 in reply to 76160

    Re: CLI command-line options for WebInspect scans

    Protocol based authentication: 

    -ab "userid:pwd" basic authentication mode
    -an "userid:pwd" NTLM authentication mode
    -ad "userid:pwd" digest authentication mode
    -ak "userid:pwd" kerberos authentication mode
    -aa "userid:pwd" automatic authentication mode

    Web based authentication: 

    -am {macro path} web macro authentication mode

     

    Chris, if you want to authenticate via HTML FORMs then use a web macro. When you record the macro you will have defined the FORM fields that it is looking for. Another method is to set up your authentication fields with their corresponding values in the Web Form Editor (Tools->WebFormEditor), but that's an ugly way to do things (macro = better).
    Have a look at this page, it explains basic authentication well: http://httpd.apache.org/docs/1.3/howto/auth.html
     


    http://www.thefreedictionary.com/whipsaw
  •  04-15-2008, 4:22 PM 76586 in reply to 76160

    Re: CLI command-line options for WebInspect scans

    For Basic authentication, the userid and password fields do not have to be named in any certain way. 