Lieutenant Commander

WebInspect - Persistent XSS Vulnerable Sessions Verified and Reflection Audited - How to Enable


In the WebInspect scan visualization, there are two status bars, "Verified" and "Reflection Audited". These never show any activity other than something similar to "Verified: 0 of 200".

We typically use the "Standard" scan policy with WebInspect. We are using version 19.2.

How are these checks enabled so that the Persistent and Reflected XSS are retested and audited?

Thanks!

Micro Focus Expert

According to the documentation, here is a description of those values:

Verified

Number of persistent XSS vulnerable sessions verified / total number of persistent XSS vulnerable sessions to verify.

When persistent XSS auditing is enabled, Fortify WebInspect sends a second request to all vulnerable sessions and examines all responses for probes that Fortify WebInspect previously made. When probes are located, Fortify WebInspect will record links between those pages internally.

Reflection Audited

Number of persistent XSS vulnerable linked sessions audited / total number of persistent XSS vulnerable linked sessions to audit.

When persistent XSS auditing is enabled, this represents the work required for auditing the linked sessions found in the verification step for persistent XSS.

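To make the two counters in that documentation excerpt concrete, here is an added Python model (not WebInspect's code) of the verification and reflection-audit bookkeeping it describes; the Session type, the "wi-probe-…" token format, the sample sessions and the same-page/cross-page classification are constructed assumptions.

```python
"""Model of WebInspect's "Verified" and "Reflection Audited" counters as the
documentation describes them (added illustration, not WebInspect code)."""
import re
from dataclasses import dataclass

PROBE_RE = re.compile(r"wi-probe-[0-9a-f]{8}")  # assumed probe token format

@dataclass
class Session:
    session_id: str     # the page/request the scanner attacked
    probe: str = ""     # probe token injected in the attack phase, "" if none
    response: str = ""  # body returned when the page is requested a second time

def verify_persistent(sessions):
    """Verification step: re-request every probed session and scan each
    response for any probe sent earlier. Returns the recorded links
    {probe: [session ids where it reappeared]} and the (done, total) counter."""
    injected = {s.probe: s.session_id for s in sessions if s.probe}
    links = {p: [] for p in injected}
    verified = 0
    for s in sessions:
        if not s.probe:  # only vulnerable (probed) sessions are re-requested
            continue
        verified += 1
        for token in PROBE_RE.findall(s.response):
            if token in injected and s.session_id not in links[token]:
                links[token].append(s.session_id)
    return links, (verified, len(injected))

def audit_reflections(sessions, links):
    """Reflection audit step: walk every recorded link and note where the probe
    surfaced. Constructed rule: a probe that reappears on a page other than the
    one it was injected into is tagged cross-page, otherwise same-page."""
    source_of = {s.probe: s.session_id for s in sessions if s.probe}
    findings, audited = [], 0
    for probe, sinks in links.items():
        for sink in sinks:
            audited += 1
            kind = "cross-page" if sink != source_of[probe] else "same-page"
            findings.append((source_of[probe], sink, kind))
    return findings, (audited, sum(len(v) for v in links.values()))

# Constructed sample scan: three probed sessions and one unprobed static page.
SAMPLE = [
    Session("POST /comment", "wi-probe-0a1b2c3d", "<p>Thanks for posting</p>"),
    Session("GET /profile", "wi-probe-4e5f6a7b", "<div>wi-probe-4e5f6a7b</div>"),
    Session("GET /guestbook", "wi-probe-8c9d0e1f",
            "<li>wi-probe-0a1b2c3d</li><li>wi-probe-8c9d0e1f</li>"),
    Session("GET /about", "", "<h1>About us</h1>"),
]
```

Running verify_persistent(SAMPLE) and then audit_reflections(SAMPLE, links) on the sample gives "Verified: 3 of 3" and "Reflection Audited: 3 of 3", with the /comment probe turning up on /guestbook as the cross-page link.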
Lieutenant Commander
Hello, I do understand what they represent. I've never found a way to enable these checks. The auditing for these two progress bars is always zero for our scans. How do I enable these tests? I can't find anything in the scan settings. Are they enabled via a policy, or some other means?
Micro Focus Expert (accepted solution)

Persistent is not enabled by default in the Standard policy. If you change the policy to Cross-Site Scripting (or enable it in the Standard policy) you will see values... as long as the site is vulnerable as well:

[screenshot: ebell_0-1588017542743.png]

Here is a screenshot of the Standard policy showing where this is disabled:

[screenshot: ebell_0-1588017866677.png]

[screenshot: ebell_1-1588017918729.png]

Lieutenant Commander
So, it's enabled in the policy. Thanks! That is what I needed to know!