March 2020 Update for Invicti Standard 5.7

This blog post announces the March 2020 update for Invicti Standard 5.7. The highlights of this release are form validation errors in the knowledge base, CVSS 3.1 support, and query-based navigation in the Scan Policy Editor. Other new features are three new security checks, hash crawling support and an improved BREACH Attack template.

March 2020 Update for Invicti Standard 5.7

We’re delighted to announce the release of Netsparker Standard 5.7. The highlights of this release are:

  • Form Validation Errors in Knowledge Base
  • CVSS 3.1 Support
  • Query-Based Navigation in the Scan Policy Editor

We have also added new security checks and improvements.

Form Validation Errors in Knowledge Base

During the scanning process, Netsparker Standard successfully validates web forms as part of the crawling stage. However, due to validation errors, some web forms were unable to be submitted, meaning that they were not displayed in scan reports. With this update, all validation errors that are encountered during the scan will be listed in a new Form Validation Errors node in the Knowledge Base section of scan reports.

Form Validation Errors in Knowledge Base

For further information, see Knowledge Base Nodes.

CVSS 3.1 Support

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing security staff managing detected issues to prioritize responses and resources according to the potential threat. We have added version 3.1 scores to vulnerabilities reported by Netsparker.

CVSS 3.1 Support

For further information, see Vulnerability.

Query-Based Navigation in Scan Policy Editor

We have added a new Enable Query-based Navigation checkbox to the Crawling tab of the Scan Policy Editor for Query-parameters only. Parameters used for navigation can be Query parameters in GET requests or POST parameters in the body of POST requests. This new option captures the navigation in Query parameters only; parameters in POST requests are not considered navigation parameters during scans. This option is disabled by default.

Query-Based Navigation in Scan Policy Editor

For further information, see Crawling.

New Security Checks

We have added three new security checks:

  • Login Page Identified
  • Content Delivery Networks
  • Reverse Proxies

All are accessible from the A-Z list of Security Checks in the tab in the Scan Policy Editor dialog.

Login Page Identified

This security check will report Information level vulnerabilities where a web page containing a login form is encountered during a scan. This allows organisations with lots of websites to determine which of them require Form Authentication configuration.

Login Page Identified

Content Delivery Networks (CDN)

These new security checks are passive checks that have been added into the Signatures security check group. They detect whether the scanned website is using any known CDN services to speed up the loading of source files or images.

Content Delivery Networks (CDN)

Reverse Proxy Detection

This new security check detects where any reverse proxies are being used in the scanned website.They are reported as Information level vulnerabilities.

Reverse Proxy Detection

Hash Crawling Support

A fragment is an internal page reference, usually appearing at the end of a URL and beginning with a hash (#) character followed by an identifier. It refers to a section within a web page. Netsparker is now able to crawl fragments, which increases the crawling and scanning capabilities of Netsparker Standard leading to enhanced scan coverage on sites that use hash-based routing (#name=value) such as example.com/#page=home.

Improved BREACH Attack Template

We have added reflected parameter names and sensitive keywords to the BREACH Attack’s vulnerability template.

For further information, see BREACH Attack.

Further Information

For a complete list of what is new, improved and fixed in this update, refer to the Netsparker Standard Changelog.