HP WebInspect may be able to do it with some serious tweaking of configuration. Without having the web application on hand to experiment with (or for that matter access to WebInspect at the moment, or having last worked with it a while back), the following is a rough guess of how you may be able to change configuration to make it work:
- Change crawler mode from depth-first to breadth-first. This would force crawler and auditor to retrace the path from root of scan (start url) to the page being requested. Be warned that this substantially increases the number of requests to be made and can really slow down the scan (so you may need to limit the scan to just that path). You may also need to couple it with http parsing settings by marking that url segment as a 'state parameter'. This will instruct WebInspect to recognize the URL, and substitute the last seen value in from the one that was originally noted.
- Use workflow macro (again coupled with 'state parameters' parsing). This will limit scan to exactly what's recorded in the maco and thus may help avoid using breadth-first crawler (and thus be faster).
- Since I last worked with it, the 10.xx releases now include user interaction based workflows rather than traffic replay workflows. This may help with continuations (since it's no longer navigating urls, but rather recorded user interactions with web application) as well (in fact, I'd try it first).
But with enough tenacity, I think it can be accomplished. Use built-in traffic monitor or a proxy to see what it is doing to see how your settings changes are affecting it and to see if it is properly using the latest value in the form url.
