July 2016 Netsparker Enterprise Update – REST Support, SRI Security Checks and a New Reporting Tool

In this July 2016 update of Netsparker Enterprise we announce full support for REST APIs, so you can now automatically scan and find vulnerabilities in RESTful web services. We also introduced a new Reporting tool and implemented new security checks for Subresource Integrity (SRI), the SameSite cookie attribute and more.

You might have noticed that we did not announce a Netsparker Enterprise update in June 2016. We were not on holiday, even though summer is in full swing! We were busy working on new web security checks, new features and the Reporting tool of our online web vulnerability scanner. Below is an overview of what is new and improved:

Automated Scanning of RESTful Web Services and APIs

Netsparker Enterprise can now automatically scan and identify vulnerabilities in REST web services. Read the article Automatically Finding vulnerabilities in RESTful Web Services with a Vulnerability Scanner for more information on this subject.

New Reporting Tool

In this update of Netsparker Enterprise we included a new Reporting tool, which you can use to generate a variety of statistical reports about a group of websites, or about all the websites you scan with Netsparker Enterprise. For more information, read about the Reporting tool and built-in web application security reports in Netsparker Enterprise.

New Web Security Checks

Subresource Integrity security checks: Netsparker Enterprise will issue an alert if your web application loads resources hosted on a CDN or third-party service and Subresource Integrity (SRI) is not implemented. Netsparker Enterprise will also alert you if a Subresource Integrity (SRI) hash is invalid. Subresource Integrity (SRI) is a mechanism that checks the integrity of a resource hosted by third parties such as Content Delivery Networks (CDNs).

Reverse Tabnabbing security check: For this security check the scanner checks whether an attacker could craft a phishing attack through a Reverse Tabnabbing vulnerability, in which a page opened in a new browser tab from a trusted site is attacker-controlled and uses window.opener.location.assign() to replace the content of the original tab with malicious content, potentially tricking the victim into a phishing attack.

SameSite Cookie Attribute security check: In this security check the scanner checks whether the target web application sets the SameSite cookie attribute on the website's cookies. The SameSite cookie attribute is used to disable third-party usage of the cookies, thus preventing CSRF attacks.
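The check can be reproduced against a site's own Set-Cookie headers. The following is an added example, not Netsparker's code: it parses each header, reports cookies with no SameSite attribute, and also applies a later browser rule (SameSite=None is only honoured together with Secure). The headers are constructed for the demo.

```javascript
// Added example, not Netsparker's code: audit Set-Cookie response headers for
// the SameSite attribute. The header values below are constructed.

// Split one Set-Cookie header value into the cookie name and its attributes
// (attribute names lower-cased; value-less flags such as Secure become true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// One result per cookie: the SameSite value seen and the issue, if any.
//  - samesite-missing: the cookie is attached to cross-site requests, which is
//    the CSRF concern the check is about
//  - samesite-none-without-secure: modern browsers drop such cookies entirely
//  - samesite-unknown-value: a typo such as SameSite=Strong is silently ignored
function auditSameSite(setCookieHeaders) {
  return setCookieHeaders.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    const value = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
    let issue = null;
    if (value === null) issue = 'samesite-missing';
    else if (!['strict', 'lax', 'none'].includes(value)) issue = 'samesite-unknown-value';
    else if (value === 'none' && attrs.secure !== true) issue = 'samesite-none-without-secure';
    return { name, sameSite: value, issue };
  });
}

// Constructed sample headers: a session cookie with no SameSite, a correct
// Strict cookie, a None cookie without Secure, and a correct Lax cookie.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; HttpOnly; Secure',
  'csrf=tok; Path=/; SameSite=Strict',
  'tracker=xyz; Path=/; SameSite=None',
  'pref=dark; Path=/; SameSite=Lax; Secure',
];

console.log(auditSameSite(SAMPLE_SET_COOKIE));
```

Lax is the usual choice for session cookies (top-level navigations still carry the cookie, cross-site form posts and subrequests do not); Strict is appropriate where a cookie must never travel on any cross-site request.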

Improved Usage of URL Rewrite Rules During a Web Security Scan

Until now you could use either the manually configured URL rewrite rules or the ones heuristically generated by the scanner during a web security scan, but not both. Now you can use both of them: you can manually configure URL rewrite rules, and at the same time the scanner will still try to automatically identify any potential URL rewrites on the target web application. So if you fail to configure some URL rewrites, or do not have the details of them, the scanner will still automatically crawl and scan all the parameters for security flaws.
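To make the combined behaviour concrete, here is an added illustration (not Netsparker's rule engine): manually configured rules are tried first, and for any path no rule covers, a heuristic treats identifier-looking segments as parameters so they are not missed. The `{name}` rule syntax, the heuristic, the sample rules and the URLs are all assumptions made for the example.

```javascript
// Added illustration, not Netsparker's rule engine: manually configured URL
// rewrite rules and a heuristic for undocumented rewrites used together.
// The {name} rule syntax, the heuristic and the sample data are assumptions.

// Constructed manual rules for a hypothetical target.
const MANUAL_RULES = [
  '/products/{productId}/reviews/{page}',
  '/users/{username}/profile.html',
];

// Turn a rule into a regex: escape regex metacharacters first, then make each
// {name} placeholder a capture group for a single path segment.
function compileRule(rule) {
  const names = [];
  const escaped = rule.replace(/[.+*?^$()[\]|\\]/g, '\\$&');
  const pattern = escaped.replace(/\{(\w+)\}/g, (_, n) => { names.push(n); return '([^/]+)'; });
  return { rule, names, re: new RegExp(`^${pattern}$`) };
}
const COMPILED_RULES = MANUAL_RULES.map(compileRule);

// Heuristic for segments that are almost certainly values rather than
// resource names: numeric ids, UUIDs and long hex tokens.
function looksLikeIdentifier(segment) {
  return /^\d+$/.test(segment)
    || /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(segment)
    || /^[0-9a-f]{16,}$/i.test(segment);
}

// Manual rules take precedence. When none matches, fall back to the heuristic
// so parameters hidden in the path are still discovered and scanned.
function extractPathParameters(urlString, rules = COMPILED_RULES) {
  const { pathname } = new URL(urlString);
  for (const r of rules) {
    const m = r.re.exec(pathname);
    if (m) {
      const params = {};
      r.names.forEach((n, i) => { params[n] = decodeURIComponent(m[i + 1]); });
      return { source: 'manual', rule: r.rule, params };
    }
  }
  const parts = pathname.split('/');
  const params = {};
  parts.forEach((seg, i) => {
    if (!looksLikeIdentifier(seg)) return;
    // Name the parameter after the preceding static segment: /orders/42 -> orders
    const prev = i > 0 ? parts[i - 1] : '';
    const key = prev && !looksLikeIdentifier(prev) ? prev : `segment${i}`;
    params[key] = seg;
  });
  return { source: Object.keys(params).length ? 'heuristic' : 'none', rule: null, params };
}

// Constructed URLs: one covered by a manual rule, one only the heuristic
// catches, and one static page with no parameters at all.
console.log(extractPathParameters('https://app.example/products/15/reviews/2'));
console.log(extractPathParameters('https://app.example/orders/42/items/7'));
console.log(extractPathParameters('https://app.example/about'));
```

The point of the fallback is visible in the second URL: nobody configured a rule for `/orders/{id}/items/{id}`, yet both values are still surfaced as parameters to test, while the first URL uses the operator's names exactly as configured.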

Other Online Web Security Scanner Improvements and Changelog

Apart from all the new fancy features, we also worked on several under-the-hood improvements, such as better memory handling, better handling of larger websites and much more. If you are interested in all the geeky stuff, take a look at the Netsparker Enterprise changelog entry 20160630.

About the Author

Ferruh Mavituna - Founder, Strategic Advisor

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.