January 2021 Update for Invicti Standard 6.0

This blog post announces the January 2021 update for Invicti Standard 6.0. The highlights of this release are Invicti Shark IAST, new passive security checks, forced browsing, and new compliance report templates. We have also added other improvements and fixes.

We’re delighted to announce the January 2021 update for Netsparker Standard 6.0. The highlights of this release are Netsparker Shark (IAST), new passive security checks, forced browsing, and new compliance report templates. We have also added other improvements and fixes.

Netsparker Shark (IAST)

With the addition of Shark, Netsparker Standard becomes an Interactive Application Security Testing (IAST) solution. Netsparker provides industry-leading dynamic application security testing (DAST) capabilities to help you find vulnerabilities in the target web application. By adding IAST capabilities with Shark, Netsparker provides the following benefits:
  • Showing the exact location of the issue and reporting debug information
  • Providing additional details to help security teams uncover more vulnerabilities
  • Complementing existing Proof-based Scanning™ functionality to automatically prove even more vulnerabilities and simplify remediation efforts
  • Ensuring that the entire web application is scanned, including any hidden and unlinked locations that may be inaccessible to the crawler

To use Shark in your application testing, please start by contacting us to enable the feature. You can then download and deploy the Netsparker Shark sensor in your application environment. Shark can be deployed in PHP, .NET, and Java environments. For technical information and detailed deployment instructions, please visit Deploying Netsparker Shark.

New Compliance Report Templates

Netsparker has added three new report templates: NIST SP 800-53, DISA STIG, and OWASP ASVS. NIST SP 800-53 defines information security standards and guidelines for federal information systems and organizations. Anyone that does business with US federal agencies is also required to follow this guideline. The aim of NIST SP 800-53 is to protect organizational operations and assets, individuals, and other organizations from hostile attacks, natural disasters, and human errors. For further information, see NIST SP 800-53 Report.

The Defense Information Systems Agency (DISA) under the US Department of Defense publishes the Security Technology Implementation Guidelines (STIG). Via STIGs, DISA creates and maintains security standards for computer systems and networks that connect to the Defense Department. In order to connect to the department’s network, systems must be STIG-compliant. For further information, see DISA STIG Report.

The OWASP ASVS 4.0 standard defines a strict and explicitly defined security checklist that aims to help in the design, development, and maintenance of secure web applications. The corresponding report lists issues that arise from the lack of controls specified by OWASP ASVS and provides technical details on each vulnerability. This helps you to fix any issues. For further information, see OWASP ASVS 4.0 Compliance Report.

Report Customization

In addition to these new report templates, Netsparker now allows you to customize reports. You can add customized information that will appear in the header and footer section of the report.

Dozens of New Security Checks

We have added dozens of new security checks, as can be seen under the New Security Checks heading in the changelog. These checks let Netsparker detect many more technologies, report the versions in use, and flag the known security vulnerabilities of those versions.

Forced Browsing

Netsparker Standard now features an improved directories security check. Formerly known as Common Directories, Forced Browsing in Netsparker Standard allows you to edit the Wordlist Entries directly in the program. Previously, this word list lived in the C:\Users\[Username]\Documents\Netsparker\Resources\Configuration\Folders.txt file. Netsparker uses this list to request additional locations that the crawler would not otherwise reach and so find more vulnerabilities. If resources such as backup files and admin portals are discovered, they could help an attacker craft an attack against your website.

For further information, see Forced Browsing.
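The same wordlist-driven requests that a scanner sends during a forced browsing check leave a recognisable trace in web server access logs: a burst of requests from one client, most of them answered with 404, occasionally hitting a resource that does exist. The following detection script is an added example written for this post; it is not Netsparker code and is not derived from the product. It parses constructed access log lines in the common "combined" format (the IPs, paths, and user agents are made up for the example) and reports clients whose request pattern inside a sliding time window matches that signature, together with any paths that did resolve and therefore deserve a review.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache/nginx "combined" format (not real traffic).
# 198.51.100.7 behaves like a forced browsing run: many 404s in a few seconds,
# with one hidden location (/phpmyadmin/) actually answering 200.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2021:10:00:03 +0000] "GET /about HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:10:00:10 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:10 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:11 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:11 +0000] "GET /config.bak HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:12 +0000] "GET /db.sql HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:12 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [12/Jan/2021:10:00:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3401 "-" "scanner/1.0"
10.0.0.9 - - [12/Jan/2021:10:00:20 +0000] "GET /missing-page HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# One line of the combined log format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_forced_browsing(log_text, window_seconds=60, min_requests=5, min_404_ratio=0.6):
    """Return {client_ip: summary} for clients whose requests inside any sliding
    window look like wordlist-driven resource discovery: at least `min_requests`
    requests of which at least `min_404_ratio` were answered 404. Thresholds are
    illustrative assumptions; tune them to the site's normal 404 rate."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        j = 0  # right edge of the window; only ever moves forward
        for i, start in enumerate(recs):
            while j < len(recs) and (recs[j]["ts"] - start["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = recs[i:j]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            ratio = not_found / len(window)
            if ratio < min_404_ratio:
                continue
            # Paths that resolved during the burst are the ones worth reviewing
            # (backup files, admin portals, and similar unlinked resources).
            discovered = sorted({r["path"] for r in window if r["status"] == 200})
            prev = findings.get(ip)
            if prev is None or len(window) > prev["requests"]:
                findings[ip] = {
                    "requests": len(window),
                    "not_found": not_found,
                    "ratio": round(ratio, 2),
                    "discovered": discovered,
                    "user_agent": start["ua"],
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_forced_browsing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the sample, the script flags only 198.51.100.7 (seven requests in three seconds, six of them 404) and lists /phpmyadmin/ as the one location that answered; the two ordinary visitors fall below the request threshold. The sliding window keeps the check cheap on large logs because the right edge never moves backwards, and keying the verdict on the 404 ratio rather than on raw volume avoids flagging a busy but legitimate client.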