WebInspect 10.4 Smart Audited and XSS
We just upgraded one of our WebInspect machines from 10.2 to 10.4 (we skipped 10.3) after seeing the release notes on the Fortify Blog http://h30499.www3.hp.com/t5/Fortify-Application-Security/bg-p/application-security-fortify-on-demand. I'm pretty impressed and excited about all the new features, so many of the things i always wished WebInspect could do have now been implemented.
Of the new features (compared to 10.2) is the re-designed Dashboard and new progress bars. From the few test scans I have run the "Audited" and "Smart Audited" bars always show the same number? Is this Smart Audited bar only supposed to reflect the number of checks specific to the WebServer detected or all the technologies? Is the only pre-requisite that 'Smart Scan' is enabled under Audit Settings?
Under the WI Help the "Verified" progress bar says "When persistent XSS auditing is enabled...." does this just mean a policy is being used that includes Persistent XSS or does this need to be enabled somewhere else in the settings? This is showing a number, but Reflection Audited is blank?
Here are details I have gleaned from earlier discussions.
The older Audit bar was expanded recently to offer more fine-grained understanding of which audits have run, but this initially only made sense for the HP Dev team who knew these separate processes/engines. The Smart Audited progress bar refers to those checks that have their individual Smart Scan flag enabled. Smart Scan is the scan setting where:
IF the check is specific to only a single technology
AND the researcher enabled/set the Smart Scan Flag inside our attack database,
AND the target does not match that technology (See Server Info tab in the Summary Info panel),
THEN the check is automatically disabled from the current Policy.
Smart Scan settings can be augmented by the user if WebInspect is failing to fingerprint the server's technology properly. It can also be disabled if you want all enabled checks in your Policy to run regardless of their correctness for the current target. The Smart Scan setting is meant to save time and focus the audit for the appropriate technology.
Bear in mind that many, many other checks are "agnostic" and do not have the Smart Scan flag enabled.
Reading the coloring guide, I note that if most of the bar is Light Green, that indicates that many individual Sessions (not checks) were not tested for that bar/category during this displayed scan, whether due the listed Session producing a null Response, or Session Exclusions scan settings, or Crawler Details settings (click depth, et al), or Restrict To Folder setting, etcetera. The same sorts of entries you might see under the Session Storage scan settings panel.
From the Help guide.
Progress Bar Descriptions
The following table describes the progress bars:
Number of sessions crawled / total number of sessions to crawl.
Number of sessions audited / total number of sessions to audit.
The total number includes all checks except those pertaining to server type, which are handled by smart audit.
Number of sessions audited using smart audit / total number of sessions for smart audit.
For smart audit, WebInspect detects the type of server on which the Web application is hosted. WebInspect runs checks that are specific to the server type and avoids checks that are not valid for the server type.
Number of persistent XSS vulnerable sessions verified / total number of persistent XSS vulnerable sessions to verify.
When persistent XSS auditing is enabled, WebInspect sends a second request to all vulnerable sessions and examines all responses for probes that WebInspect previously made. When probes are located, WebInspect will record links between those pages internally.
Number of persistent XSS vulnerable linked sessions audited / total number of persistent XSS vulnerable linked sessions to audit.
When persistent XSS auditing is enabled, this represents the work required for auditing the linked sessions found in the verification step for persistent XSS.
Progress Bar Colors
1. Dark green indicates sessions that have been processed.
2. Light green indicates excluded, aborted, or rejected sessions (sessions that were considered for processing, but were skipped due to settings or other reasons).
3. Light gray indicates the unprocessed sessions.
The Reflection Audit bar is active whenever persistent parameters are discovered and then audited by the XSS engine.
I do not believe the Verified phase is exclusively associated with Persistent XSS as it was an older, existing measurement before that particular engine was added/updated.
The old Audit progress bar incorporated all of these "new" audit bars into one single bar, so it was impossible to tell which phase was currently operating, and the progress of that phase. The "new" bars are simply new exposures of the existing records to directly represent the status of each phase in processing a session. They are actually derived directly by the corresponding scan database session status columns.
There was no change in WebInspect 10.30 with regard to the actual processing. The new bars are just more informative because they display information that was not visible with a single bar.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify