After a longer-than-usual development cycle, Netsparker 2.1 is finally ready to ship. This release marks some fundamental enhancements to Netsparker’s internal architecture and not only brings with it an enticing selection of new security and productivity features, but also lays the foundation for many more innovations in the pipeline.
Prior to version 2.1, one of our users’ greatest pain points was trying to scan web applications that use complex form authentication mechanisms. Although Netsparker was capable of automated login, it lacked the flexibility to handle difficult scenarios like multi-step authentication, single sign-on, two-factor authentication and CAPTCHA.
We recognized that this challenge needed a radical solution, so we re-engineered our authentication architecture from scratch. Netsparker now uses a built-in HTTP macro recorder to faithfully capture every step of even the most complex login sequence. And, for sign-on sequences that require some special runtime action, like CAPTCHA input or the assignment of dynamic token values, we’ve added a user scripting interface that promises a solution to even the most complex challenge.
Whilst developing our scripting support for authentication, we realized that there are many other aspects of Netsparker’s operation that could also benefit from user-defined customization. So, we implemented extensibility in the most open and flexible way possible, enabling Netsparker to expose a scriptable interface to virtually any aspect of the scanning process.
In the current release, the scripting feature only ships with extensibility points to support authentication, but we’re committed to expanding this capability across the entire scanning cycle in future releases. Why not let us know what you want to be scriptable for version 2.2?
Netsparker now provides detailed real-time feedback about the scan in progress and even lets you modify its runtime settings in mid-session.
The scan summary dashboard provides at-a-glance information about the active scan session, including a graphical summary of the detected issues and details of the current action in progress on each of Netsparker’s active threads.
During a scan, you may also modify key scan session settings, including the number of concurrent HTTP connections, the selection of security tests that will be used for attacking and the use of custom request cookies. Changes entered via the dashboard take effect immediately.
Netsparker’s report template suite has been extended to include a powerful new analysis capability: comparison reporting. This allows the current scan session to be compared against one or more historic scan sessions, enabling a graphical summary of the evolution of an application’s security status. It also includes a detailed vulnerability list, showing how the status of individual issues has progressed over time.
Netsparker now attacks more injection points, such as HTTP headers, paths and unusual injection points in the URL. This was previously available only for Cross-site Scripting security tests. Coverage has now been increased and new injection points added for all relevant security tests.
Improved Search: The search feature in Netsparker’s HTTP response pane now includes a preemptive look-up feature (incremental search), enabling search results to be highlighted as you type.
Improved Encoding Panel: Netsparker’s built-in encoding tool has been revamped, enhancing its usability with a new intuitive layout and the addition of buttons for quick copy / paste operations.
Netsparker’s runtime data files are now stored in a more structured directory tree within the user’s Documents directory, enabling easier access to user-customizable files and more coherent storage of scan results.
Netsparker’s application settings dialog now allows the definition of custom rules for applying arbitrary values to form parameters or excluding specific named HTTP parameters from being attacked. For maximum flexibility, parameters may be identified using Regex / wildcard patterns and ignored parameters may be applied selectively, according to the HTTP request method.
Netsparker now stores its scan session data in a single compact file, enabling it to be safely archived and allowing scan results to be easily passed between co-workers.
Netsparker now installs as a native 64-bit application (on 64-bit machines), enabling it to take advantage of larger amounts of installed memory. This has been a critical element in a number of the stability improvements that come with version 2.1.
Netsparker now runs on the Microsoft .NET Framework 4.0. This prerequisite is handled automatically by the installer / upgrade process and enables Netsparker to benefit from Microsoft’s latest bug fixes and enhancements, as well as providing an essential foundation for many of Netsparker’s own enhancements.
Crash Recovery: In the event of an application crash or an unexpected computer reboot, Netsparker is now able, in most cases, to recover and continue scanning.
Memory Improvements: Netsparker’s memory management has been overhauled for version 2.1, bringing measurable improvements in stability, especially during extended scanning sessions.
If you have a valid Netsparker Professional or Standard license, all you need to do is click "Help > Check Updates" to update to Netsparker 126.96.36.199