HP WebInspect REST API Unauthorized Access

high Nessus Plugin ID 84196

Synopsis

WebInspect's REST API can be accessed without authentication.

Description

HP WebInspect, a web application security testing tool, is installed on the remote Windows host and running the REST API used for integration and access.
By default the REST API is not configured to use authentication to control access. A remote attacker could access the API to gain information about the system and potentially modify WebInspect's settings and configuration.

Solution

Either limit incoming traffic to this port or enable authentication.

See Also

http://www.nessus.org/u?d4b1d900

Plugin Details

Severity: High

ID: 84196

File Name: hp_webinspect_noauth_api.nbin

Version: 1.86

Type: remote

Family: CGI abuses

Published: 6/15/2015

Updated: 7/17/2024

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:hp:web_inspect