Are there any plans to add detection capability to WebInspect to determine, at least at a basic level, if websites suffer from session fixation/hijacking vulnerabilities? We are seeing this as a growing issue and finding on manually performed VA tests.
Chris Gillham, Maritz Inc.
Hey Chris, if you open up Policy Manager, go to the search view, and search for 'session' in the summary of checks, you'll find some that are for session hijacking vulnerabilities for particular systems. E.g.: Check #3277 'Sun NetDynamics ndCGI.exe Session Hijacking'. I think there are too many possibilities for generic session hijacking/fixation checks to test against, so that's something best left for manual analysis and penetration testing (with aid from the Toolkit)... if a particular system is found to be vulnerable due to particular behaviour/functionality, then there's cause for a check to be made to address the potential vulnerability.
I don't work for HP ASC, so expect a better answer from them ;)
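A basic session fixation check of the kind the answer above leaves to manual testing, added here as an example (not WebInspect's or HP's code): it presents a pre-chosen session id to the login step and reports fixation if the application still honours that id afterwards. `http_login` is a hypothetical adapter for a real login endpoint (a real login usually needs a POST with credentials, passed as `data`); `demo_app` is a constructed in-memory stand-in so the check runs offline.

```python
import http.cookies
import secrets
import urllib.request

COOKIE = "SESSIONID"  # assumed cookie name; adjust for the application under test

def check_session_fixation(send_login, cookie_name=COOKIE):
    """Basic fixation test: present a pre-chosen session id to the login request and see
    whether the application keeps it. `send_login(cookie_header)` performs the login and
    returns the response's Set-Cookie header (or None). True means the id survived."""
    chosen = "prechosen-" + secrets.token_hex(8)  # constructed value, not taken from any site
    set_cookie = send_login(f"{cookie_name}={chosen}")
    issued = http.cookies.SimpleCookie(set_cookie or "")
    # No replacement cookie after login means the app silently kept the presented id.
    post_login = issued[cookie_name].value if cookie_name in issued else chosen
    return post_login == chosen

def http_login(login_url, data=None):
    """Hypothetical adapter for a real login endpoint; `data` (bytes) turns it into a POST."""
    def send(cookie_header):
        req = urllib.request.Request(login_url, data=data, headers={"Cookie": cookie_header})
        with urllib.request.urlopen(req) as resp:
            return resp.headers.get("Set-Cookie")
    return send

def demo_app(regenerate):
    """Constructed stand-in for an application's login handler; `regenerate` selects the
    fixed behaviour (fresh id after authentication) or the vulnerable one (id kept)."""
    def send(cookie_header):
        jar = http.cookies.SimpleCookie(cookie_header)
        sid = jar[COOKIE].value if COOKIE in jar else None
        if sid is None or regenerate:
            sid = secrets.token_hex(16)  # fixed: issue a fresh id once the user authenticates
        # vulnerable: otherwise keep whatever id the client presented before logging in
        return f"{COOKIE}={sid}; HttpOnly; Path=/"
    return send

if __name__ == "__main__":
    print("login keeps presented id -> fixation:", check_session_fixation(demo_app(False)))  # True
    print("login regenerates id     -> fixation:", check_session_fixation(demo_app(True)))   # False
```

An application that sets no session cookie at all on login is reported as fixation too, since the presented id is the one it will keep using.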