Easy authenticated scanning with Invicti’s custom script editor

The challenges of authenticated scanning

Dynamic application security testing (DAST) tools such as Invicti, also called black-box vulnerability scanners, work by checking for vulnerabilities across all accessible parts of a web application. To do this, the scanner first needs to identify the attack surface of the target application by visiting every link it finds in web pages and making requests to all input points in detected web assets. This includes the URLs used to reach these assets.  While crawling web pages that are accessible to all users is relatively easy, password-protected web pages have always posed a challenge for security scanners due to the variety of methods used to authorize page access. Beyond basic login forms, sites may use OAuth, set custom session cookies, require single sign-on (SSO), and so on. Even with form-based authentication, the login form may, for example, use non-standard form elements, require additional fields (maybe to select a department from a drop-down list), use Captcha verification, or span multiple pages. And if the scanner can’t log in, it can’t test the page for vulnerabilities.

Do you really need to scan websites that require authentication?

The question may arise, though, how important it really is to run authenticated web security scans. Back in the days of static web pages, anything that needed the user to log in may have been considered inherently secure simply because it wasn’t publicly accessible. Nowadays, we have complex web applications that require authentication to access most (or all) of their functionality. Authenticated scans can add important value to your overall security, revealing exploitable vulnerabilities and other issues, such as missing patches, weak sharing permissions, and general misconfigurations. In a sense, authenticated scans reveal the real security status of your web application. Even more importantly, the reason for adding authentication in the first place is to protect access to something valuable, like personal data, admin operations, or financial information. Far from being less attractive to cybercriminals, protected resources are actually prime targets for attackers, so it is critical to configure your scanner to crawl and test all web pages that malicious hackers may try to breach.

Easy custom form authentication

To make it easier to automate the authentication process and ensure maximum scan coverage, Invicti has updated its custom script feature. The new script editor has an editor panel and an embedded browser view. You can use the editor to write scripts in any HTML, JavaScript, or DOM API supported by modern browsers. You can also use additional helper functions provided by Invicti in the netsparker.auth namespace.  The custom script editor is intuitive and interactive. The authentication page is loaded in the embedded browser and you can right-click page elements to insert their corresponding CSS code directly into the editor panel. After that, you can modify the code as necessary.

 

Authentication forms that span multiple pages are a common challenge when configuring scanners. For example, you might have one page to enter the user name and then another page to provide the password. The script editor handles this easily, allowing you to define separate pages to match the login sequence. On the first page, you would instruct the script editor to insert a username and then click the submit button. On the second page, you can then direct the editor to insert a password and click the button to finish the login sequence.

What you see is what you scan

The conventional process of testing authentication would be to enter credentials and then monitor crawling results or even individual HTTP requests and responses to spot errors or omissions. Having a hands-on visual interface for custom scripting makes work easier, quicker, and more accurate. With immediate feedback in the embedded browser, you can refine and test authentication scripts in minutes and be sure that login and logout sequences work as expected. The automatic CSS code generator is also a massive time-saver compared to manually inspecting page code to extract the right selectors. This is especially important for pages that use non-standard form elements or display the login form in a popup. By working with the actual page elements in the embedded browser, you can see in real time if the script works and what Invicti will see during authenticated scanning.

Leave no page untested

Good scan coverage is vital for getting real security benefits from a DAST solution. After all, if a vulnerability scanner skips some pages in a web application because it can’t authenticate, you only get limited information about your current security status – and someone will have to test these pages manually. As an industry leader, Invicti aims to maximize vulnerability testing coverage with advanced crawling and authentication across all types of modern websites and applications. The custom authentication script editor makes it much easier and quicker to ensure that Invicti crawls and scans every part of the target web application. Combined with Proof-Based Scanning detection technology that can confirm 94% of direct-impact vulnerabilities with 99.98% accuracy, this gives you a true picture of all the issues you need to remedy to protect your websites and applications from cybercriminals.  For more information and FAQs related to form authentication in Invicti, see our support page on custom authentication scripting.