
Scanning Parameter-Based Navigation Websites

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Parameter-based navigation websites use the same URL and the same parameter names, but different parameter values, to serve different content or perform different actions. The value, not the URL, selects which server-side code runs.

Parameter-Based Navigation in PHP Websites

In the following examples, a different value of the page parameter in the same URL selects different content. When page is 'home', the home page is loaded; when page is 'support', the support page is loaded.

  • http://example.com/index.php?page=home
  • http://example.com/index.php?page=support

Each parameter value triggers the execution of different code branches to return the relevant content.

Parameter-Based Navigation in ASP.NET Websites

ASP.NET Web Forms use a mechanism called postback to raise server-side events. The hidden __EVENTTARGET form field carries the ID of the control that triggered the postback, so the value of __EVENTTARGET decides which event handler (and therefore which code branch) executes. Here are two examples.

A postback whose __EVENTTARGET value is LinkButton1 executes LinkButton1's click event handler on the server side.

Parameter-based navigation sample in ASP.NET (image)

A postback whose __EVENTTARGET value is LinkButton2 instead executes LinkButton2's click event handler on the server side.

Parameter-based navigation code sample in ASP.NET (image)

Crawling Options

There are two relevant crawling options in the Scan Policy (explained in the Crawling table):

  • Maximum Signature Limit
  • Maximum Page Visits

These options reduce the time spent crawling similar pages: pages with the same URL and the same parameter names are treated as one page, regardless of parameter values. If the target website uses parameter-based navigation, that is exactly the wrong assumption, and these settings prevent Invicti from crawling and scanning the entire website.

Raising these limits lengthens the scan, and it does not fully solve the problem, because the Invicti scanners attack only the first instance of a page and ignore later instances with the same signature, as in this example:

  • Invicti crawls and attacks this page, recording its URL and its parameter names, page and id:
    • http://example.com/index.php?page=product&id=1
  • Invicti then ignores this page, because it has the same URL and the same parameter names (page and id) as the one it has already crawled and scanned. The parameter values are not part of that comparison, yet in parameter-based navigation it is the value that selects the code branch, so the pricing branch is never scanned:
    • http://example.com/index.php?page=pricing&id=2

How to Configure Scanning of Parameter-Based Navigation Websites in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies, then New Scan Policy. The New Scan Policy window is displayed.
  3. Select the Crawling tab. The Crawling window is displayed.
  4. In the Parameter-Based Navigation section, select the Enable Parameter-Based Navigation checkbox.

Configuring Parameter-Based Navigation Options in Invicti Cloud

  1. Check the Enable Query-based Navigation option if you want only query string parameters recognized as navigation parameters.
  2. In the Navigational Parameter RegEx field, enter the RegEx.
  3. In the Maximum Page Visits field, enter a value.
  4. Complete the remaining fields as required.
  5. Click Save.

How to Configure Scanning of Parameter-Based Navigation Websites in Invicti Standard

  1. Open Invicti Standard.
  2. From the Home tab, click Scan Policy Editor. The Scan Policy Editor dialog is displayed.
  3. Select the Crawling tab.
  4. Click New. The Parameter-Based Navigation fields are enabled.
  5. In the Parameter-Based Navigation section, select the Enable Parameter-Based Navigation checkbox.
    • Enable Query-based Navigation: If enabled, only query string parameters are recognized as navigation parameters; the Navigational Parameter RegEx is not applied to POST or other parameter types.
    • Navigational Parameter RegEx: A regular expression matched against parameter names. A parameter whose name matches is treated as a navigation parameter, and its distinct values are crawled and attacked as distinct pages. The parameter can be either a GET or a POST parameter unless Enable Query-based Navigation is selected. The default RegEx both Invicti scanners ship with is:
      • ^(page|redirect|goto|ctrl|content|__EVENTTARGET)$
    • Maximum Page Visits: The maximum number of times the scanner visits such a page. Set it higher than the number of distinct values the navigational parameter can take; otherwise the values beyond the limit, and the code branches they select, are never scanned. The default value is 999, and the valid range is 1 to 100,000.
  6. In the Navigational Parameter RegEx field, enter the RegEx.
  7. In the Maximum Page Visits field, enter a value.
  8. Complete the remaining fields as required.
  9. Click OK.
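To make the crawling behaviour concrete, here is an added Python model that applies the three Parameter-Based Navigation settings described above (Navigational Parameter RegEx, Enable Query-based Navigation, Maximum Page Visits) to the URLs from the Crawling Options section and to a pair of ASP.NET postbacks. It is not Invicti's code: the signature rules (path plus sorted parameter names, with values kept only for navigational parameters) are an assumption that models the behaviour the page describes. The Default.aspx endpoint, the __VIEWSTATE placeholder and the page=support request are constructed sample input; the other URLs and the default regex are from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Default navigational-parameter regex quoted from the scan policy documentation.
DEFAULT_NAV_REGEX = r"^(page|redirect|goto|ctrl|content|__EVENTTARGET)$"


class CrawlPolicy:
    """The three Parameter-Based Navigation settings (modelled, not Invicti's implementation)."""

    def __init__(self, nav_regex=None, query_based_only=False, max_page_visits=999):
        self.nav_re = re.compile(nav_regex) if nav_regex else None
        self.query_based_only = query_based_only
        self.max_page_visits = max_page_visits


def _params(url, body):
    """Split a request into (netloc+path, sorted list of (name, value, location))."""
    parts = urlsplit(url)
    params = [(n, v, "query") for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body:
        params += [(n, v, "body") for n, v in parse_qsl(body, keep_blank_values=True)]
    return parts.netloc + parts.path, sorted(params)


def base_signature(url, body=None):
    """Page identity without navigation support: path and parameter names only, values dropped."""
    page, params = _params(url, body)
    return page + "?" + "&".join(name for name, _, _ in params)


def nav_signature(policy, url, body=None):
    """Page identity with navigation support: the value is kept for parameters whose name matches
    the regex (query-string parameters only when Enable Query-based Navigation is on)."""
    page, params = _params(url, body)
    parts = []
    for name, value, where in params:
        is_nav = (policy.nav_re is not None and policy.nav_re.search(name) is not None
                  and (where == "query" or not policy.query_based_only))
        parts.append(f"{name}={value}" if is_nav else name)
    return page + "?" + "&".join(parts)


def crawl(policy, requests):
    """Return the requests the crawler would hand to the attack phase: the first request seen for
    each distinct signature, capped at max_page_visits distinct signatures per base page."""
    seen = set()
    visits_per_base = {}
    attacked = []
    for url, body in requests:
        sig = nav_signature(policy, url, body)
        if sig in seen:
            continue  # same URL, parameter names and nav values: treated as already scanned
        base = base_signature(url, body)
        if visits_per_base.get(base, 0) >= policy.max_page_visits:
            continue  # Maximum Page Visits reached for this page; remaining values are skipped
        seen.add(sig)
        visits_per_base[base] = visits_per_base.get(base, 0) + 1
        attacked.append((url, body))
    return attacked


# Constructed sample of what the crawler discovers. The index.php URLs are from this page;
# Default.aspx, the page=support request and the __VIEWSTATE value are placeholders.
ASPX = "http://example.com/Default.aspx"
SAMPLE_REQUESTS = [
    ("http://example.com/index.php?page=product&id=1", None),
    ("http://example.com/index.php?page=pricing&id=2", None),
    ("http://example.com/index.php?page=support&id=3", None),
    (ASPX, "__EVENTTARGET=LinkButton1&__EVENTARGUMENT=&__VIEWSTATE=dDw"),
    (ASPX, "__EVENTTARGET=LinkButton2&__EVENTARGUMENT=&__VIEWSTATE=dDw"),
]


def attacked_count(nav_regex=None, query_based_only=False, max_page_visits=999):
    """Number of distinct pages (code branches) that would actually be attacked under a policy."""
    policy = CrawlPolicy(nav_regex, query_based_only, max_page_visits)
    return len(crawl(policy, SAMPLE_REQUESTS))


if __name__ == "__main__":
    print("navigation disabled:", attacked_count())                                        # 2
    print("default regex:      ", attacked_count(DEFAULT_NAV_REGEX))                       # 5
    print("query-based only:   ", attacked_count(DEFAULT_NAV_REGEX, query_based_only=True)) # 4
    print("max page visits 2:  ", attacked_count(DEFAULT_NAV_REGEX, max_page_visits=2))    # 4
```

With navigation disabled, the three index.php requests and the two postbacks collapse to two signatures, so the pricing, support and LinkButton2 branches are never attacked. The default regex separates them by value; turning on Enable Query-based Navigation stops __EVENTTARGET in the POST body from counting, which merges the two postbacks again; and a Maximum Page Visits below the number of distinct page values silently drops the surplus branches, which is why the limit must exceed that number.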