Re: WebInspect 10.1: How to determine state from URL
When there is a part of the URI that determines state, that is generally not handled by the Custom State-Keeping setting. For that situation, you would instead look to the HTTP Parsing panel of the scan settings, at the center field for "Determine State From URL Path". There are some ancient, sample signatures already defined there, such as for ASP.NET 1.1. This field generally requires a regex to help identify the portion of the URI that is state-keeping. The Regular Expression Editor tool can be helpful in formulating the necessary regex.
However, with your particular Request/Response data, this field would not necessarily be appropriate for you.
Since there is a clearly named parameter holding the state-keeping value, you would normally proceed with using the field at the top of the HTTP Parsing panel, for "HTTP Parameters Used For State". Simply put in the parameter's name, such as "p" (no quotes), and WebInspect will honor and utilize whatever value the target server assigns for it, even if the server reassigns it to a new value mid-scan. Note that you may also need to mark this same custom state-keeping parameter within your Login Macro so that it plays fine, i.e. the macro dynamically updates the value rather than replaying the originally recorded value.
If you were unsure whether you had a custom or standard state-keeping parameter, you could go down to the scan settings panel for Attack Exclusions. Here you will find all of the standard state-keeping parameters we have identified in the wild and declared to WebInspect as being off-limits to auditing. It is possible you will want to add your custom state-keeping parameter's name here as well. The reason being, items declared on the HTTP Parsing panel are managed intelligently by WebInspect, but may still be audited "lightly". If any amount of auditing will cause scan state issues for you, then adding the same parameter name to the Attack Exclusions prevents any and all fuzzing for that item.
Now, let's review the parameter you have in the Request/Response data. The first thing that worried me was that the value of the parameter "p" has colons in it. I am unsure whether WebInspect will identify those characters as separators and treat the pieces as separate parameters (bad), or whether the entire value will be accepted for "p" (good). You may need to contact Fortify Support to verify this. However, after you add the "p" parameter to HTTP Parsing, you could simply review the Traffic Monitor capture within a test/short scan to see whether the value is used intact or not. So for this parameter, I would simply add the name, "p" (no quote marks), to the HTTP Parsing field for state-keeping parameters. Since I am lazy, I would enable this entry for both POST and Query data so it will cover all the bases possible during the scan.
Unfortunately, I see in the HTTP Response that a portion of the value of "p=7700:LOGIN:1758023415424" may be reused for other parameters. Examples of this include "p_instance=1758023415424", and possibly "p_request=LOGIN" and "p_flow_id=7700". It is possible that these are additional state-keeping parameters which collect their value from the value assigned to "p". If so, simply adding "p" to HTTP Parsing may not manage those other parameters.
For starters, you could try adding "p_instance" and "p_flow_id" to the HTTP Parsing scan setting just as you had added "p". The application might push or suggest the field value to WebInspect, and then WebInspect would carry it forward in subsequent HTTP Requests. If entering these into HTTP Parsing does not manage it, you may need to build a Custom Parameter scan setting for these. I was recently involved in a Support case where the value from one parameter had to be assigned to a second parameter simultaneously, and the Developer on duty was able to make that happen with some script used in the Custom Parameter scan setting.
If you have investigated these items and are still at an impasse, you may need to contact Fortify Support (support.fortify.com) to dig into it further.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify
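The reply suggests reviewing a Traffic Monitor capture to see whether the "p" value survives intact and whether p_flow_id, p_request and p_instance really track its colon-separated fields. The script below is an added example (not from the poster or from WebInspect) that performs that cross-check over a constructed list of captured requests; the mapping of the three fields to p_flow_id, p_request and p_instance, and the paths /app/f and /app/accept, are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Derived parameter name -> position of its value inside the colon-separated
# "p" value (the correspondence suggested in the reply; an assumption here).
DERIVED = {"p_flow_id": 0, "p_request": 1, "p_instance": 2}

# Constructed sample traffic, NOT a real capture: (method, url, body) tuples
# in the shape one would read off WebInspect's Traffic Monitor.
SAMPLE_REQUESTS = [
    ("GET", "/app/f?p=7700:LOGIN:1758023415424", ""),
    ("POST", "/app/accept",
     "p_flow_id=7700&p_request=LOGIN&p_instance=1758023415424&p=7700:LOGIN:1758023415424"),
    # Stale replay: p_instance no longer matches the instance carried in "p".
    ("POST", "/app/accept",
     "p_flow_id=7700&p_request=LOGIN&p_instance=1758023415420&p=7700:LOGIN:1758023415424"),
    # "p" arrived truncated, as if a colon had been treated as a separator.
    ("GET", "/app/f?p=7700", ""),
]

def parse_params(method, url, body):
    """Merge query-string and POST-body parameters into one dict (first value wins)."""
    params = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.setdefault(name, value)
    if method.upper() == "POST" and body:
        for name, value in parse_qsl(body, keep_blank_values=True):
            params.setdefault(name, value)
    return params

def check_request(params):
    """Return findings for one request; an empty list means state looks consistent."""
    findings = []
    p_value = params.get("p")
    if p_value is None:
        return findings  # request carries no "p"; nothing to cross-check
    parts = p_value.split(":")
    if len(parts) != 3:
        findings.append("p value is not three colon-separated fields: %r" % p_value)
        return findings
    for name, index in DERIVED.items():
        if name in params and params[name] != parts[index]:
            findings.append("%s=%s does not match field %d of p (%s)"
                            % (name, params[name], index, parts[index]))
    return findings

def audit(requests):
    """Run check_request over captured requests; return {request_index: findings}."""
    report = {}
    for i, (method, url, body) in enumerate(requests):
        findings = check_request(parse_params(method, url, body))
        if findings:
            report[i] = findings
    return report
```

Running `audit(SAMPLE_REQUESTS)` flags only the stale-replay request and the truncated "p"; a clean capture after adding the parameters to HTTP Parsing should report nothing.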