Netsparker now Invicti field Notes
November 20, 2022The new features automatic configuration of URL rewrite rules and Scan Policy Optimizer will automate more of the pre-scan process for you, making the scanning of hundreds and thousands of websites an easier task. We are also introducing the new proof of exploitation, which will definitely ease the post scan process for you, as explained further down in this post.
These new updates also include a number of new web security checks and several internal product improvements, such as the fully responsive the Cloud dashboard. Below is a highlight of the main features.
Automated Configuration of URL Rewrite Rules in the Web Security Scanners
The scanners no longer require you to configure URL rewrite rules. The new web security scanners will automatically configure the URL rewrite rules needed to scan all the parameters in URLs. Configured URL rewrite rules also mean more efficient scans.
If you wish to manually configure URL rewrite rules in the scanners it is still possible. Though if you do not have detailed knowledge of the target website’s setup, or have to scan hundreds, or thousands of websites you do not need to get bogged down in such pre-scan task. Read the whitepaper automating the Configuration of URL Rewrite Rules in the Web Application Security Scanners for more detailed information on this new unique technology.
Scan Policy Optimizer for Shorter & More Efficient Web Security Scans
Optimized scan policies mean shorter and more efficient scans, though not everyone has the time or knowledge to manually optimize web security scan policies. For this reason, our automation obsessed engineers came up with the Scan Policy Optimizer; a wizard based optimizer that enables you to optimize scan policies according to your target website, within just a minute.
Proof of Exploitation, So You Do Not Have To Verify All the Scanner Findings
Automatic exploitation of identified vulnerabilities is something we pioneered with the first release of the web application security scanner. With such technology you do not have to manually verify all of the scanner’s findings, easing off the post scan process.
Ever since we have been continuously improving this unique technology, and with this new release we are announcing a major improvement; proof of exploitation. Therefore upon automatically exploiting a vulnerability, the scanner will also generate a proof of the exploit. For example in case of a Command Injection, the scanner will send certain commands and show the server’s response to the command injection in the vulnerability report.
Beside of the fact the marks the vulnerability as “CONFIRMED”, now provides conclusive proof as well.
Export Identified Web Security Flaws as Issues into Github and Team Foundation Server with just a Click.
You can now configure Send To actions in the web application security scanner to migrate identified security flaws to Github and Team Foundation Server with just a single mouse click. All you need to do is configure the credentials and projects.
Then simply right click an identified vulnerability and select the server you would like to automatically add it to as an issue in your projects.
Responsive the Cloud Dashboard for Mobile and Tablet Users
The new updated the Cloud dashboard is fully responsive. Now you can check the status of your web application security scans from your mobile phone or tablet. There is no difference to accessing the Cloud from your portable device or your computer; you can still review scan results, assign vulnerabilities as tasks and launch new web application security scans.
New Web Security Checks in the Desktop & the Cloud
Here are some of the new web security checks included in the latest version of the web security scanners:
- Check for outdated and possible vulnerable JavaScript libraries
- Hidden directory checks for detection of admin panels
- Security checks for Windows short file/folder name disclosure
- Ruby on Rails and RubyGems security checks such as:
- checks for database configuration files
- checks for version in HTTP responses
- check if version is out of date
- check for status of development mode
- Backdoor checks for MOF Web Shell and DAws.
- New attack patterns for “boot.ini” LFI checks.
- MySQL “LIMIT” injection attack patterns.
- MSSQL error based SQLi attack payloads.
- New knowledge base nodes for SSL issues, CSS and slow pages
Improved Security Checks
- MySQL “LIMIT” injection attack patterns.
- MSSQL error based SQLi attack payloads.
- New template for HIPAA compliance report
- Windows 10 support
- Added syntax highlighting in HTTP request and response viewers for XML, JSON, CSS, JavaScript etc
- Several performance and memory management improvements