You might have noticed that we did not announce a Netsparker Cloud update in June 2016. Though we were not on holiday, even though Summer is in full swing! We were busy working on the new web security checks, features and the Reporting tool of our online web vulnerability scanner. Below is an overview of what is new and improved:
Netsparker Cloud can now automatically scan and identify vulnerabilities in REST web services. Read the article Automatically Finding vulnerabilities in RESTful Web Services with a Vulnerability Scanner for more information on this subject.
In this update of Netsparker Cloud we included a new Reporting tool which you can use to generate a variety of statistics report about a group of websites or all the websites which you scan with Netsparker Cloud. For more information read the Reporting tool and built-in web application security reports in Netsparker Cloud.
Subresource Integrity security checks: Netsparker Cloud will issue an alert if your web application is hosted on a CDN or third party service and Subresource Integrity (SRI) is not implemented. Netsparker Cloud will also alert you if a Subresource Integrity (SRI) hash is invalid. Subresource Integrity (SRI) is a mechanism that checks the integrity of a resource hosted by third parties such as Content Delivery Networks (CDNs).
Reverse Tabnabbing security check: For this security check the scanner will check if an attackers can craft a possible phishing attack through a Reverse Tabnabbing vulnerability; in which a browser tab opened from a trusted source displays an attacker-controlled website and uses window.opener.location.assign() to replace the content with malicious content, potentially tricking the victim into a phishing attack.
SameSite Cookie Attribute security check: In this security check the scanner will check if the target web application sets the SameSite cookie attribute to the website cookies. The SameSite cookie attribute is is used to disable third party usage of the cookies, thus preventing CSRF vulnerability attacks.
Until now you could only use either the manually configured URL rewrite rules or the ones which are heuristically generated by the scanner during a web security scan. Now you can use both of them; you can manually configure the URL rewrite rules and at the same time the scanner will still try to automatically identify any potential URL rewrites on the target web application. Therefore should you fail to configure, or you don’t have the details of some URL rewrites on the target, the scanner will still automatically crawl and scan all the parameters for security flaws.
Apart from all the new fancy features, we also worked on several under-the-hood improvements, such as better memory handling, better handling of larger websites and much more. If you are interested in all the geeky staff take a look at the Netsparker Cloud changelog entry 20160630.