This is the 8th update this year (except minor releases). We added bunch of new checks, new features and done lots of improvements. We are really happy about this one. We added full support PostgreSQL and MS Access in SQL Injection engine. Now just like SQL Server, MySQL and ORACLE it's possible for Netsparker to find, confirm and exploit SQL Injection vulnerabilities when backend database is PostgreSQL or MS Access.
We added 5 new checks, 2 new features and lots of other improvements, if you have a valid Netsparker subscription Netsparker will automatically update itself or you can manually click "Help > Check Updates" to get this update.
New Feature : Controlled Scan
We added a quite cool new feature called "Controlled Scan". Choose a page and parameters to scan from Sitemap, choose engines that you want to scan with and click "Scan". This way you can do quick scans or very specific scans without worrying about scope restrictions.
This is a great feature to combine with Netsparker's Internal Proxy feature. Use Netsparker's proxy, browse the website, choose parameters you want to test and click "Scan".
New Feature : Retest
You told us that you need to Retest issues and as usual we listened. Choose a vulnerability from a loaded scan and click Retest to confirm whether that issue has been addressed correctly or not.
Retest is not enabled for all vulnerability types yet, when you click an issue from the sitemap or Issues List GUI will inform you whether it's possible to retest for that selected issue or not.
- Silverlight Open Access Policy / Silverlight Access Policy Identified Checks Added
- Django Stack Trace Disclosure Check Added
- MySQL Username Disclosure Check added
- New Backup File Checks added
- X-XSS-Protection Check added
We’ve improved several checks;
- CSV Report format added
- XSL added to XML reports so when you open XML report they'll look better!
- Several usability & GUI improvements in export report / save dialogs
- Sorting in the reports and Issues List improved
- Now generated HTML Reports are W3C validated
- New Double Encoded checks added
- MS Access support added, including confirmation & exploitation
- PostgreSQL support completed. Including confirmation & exploitation
- A bug in LFI confirmation via /proc/version and similar checks fixed. This was breaking the LFI confirmation in some applications
- New Double Encoded checks added
- XSS Engine now detects and confirms XSS vulnerabilities in <style> blocks
- A bug fixed and confirmation support added to remote .CSS injection for XSS
- New Double Encoded checks added to XSS
- New XSS Checks added to cover some more corner cases
- URL Based XSS attacks optimised, some bugs addressed
- Null Byte + XSS checks added
- A missing confirmation added in an ASP.NET expression bypass XSS attack
- Windows Internal Path Leakage detection improved
- MS Office Information Disclosure Checks now add extracted user information to the report
- Robots.txt, Sitemap.xml results weren't crawled successfully since the 220.127.116.11. Now Netsparker parses them correctly and follows the identified links
- ASP.NET 4 Version Disclosure added
- Started to check for .inc files
- Ability to change ignored extensions (Settings > Scope)
Other Improvements & Bug Fixes
- Severities of several vulnerabilities changed
- XML reports now filters null bytes and some other restricted characters to ensure compatibility with strict XML parsers
- Log Based LFI Code Execution vulnerability template updated to reflect new confirmation support for this vulnerability
- User friendly error message added when user try to configure a form authentication for an empty URL
- Some tooltip updated and new tooltips added Form Authentication
- PHP Source Code Disclosure check improved
- Netsparker was doing some requests twice, this issue has been addressed
- Resource Finder was doing same requests more than once
- A detection pattern related bug fixed in the GUI
- Extra Information was incorrectly reported in some internal path leakage and IP disclosures issues
- Numbers added to Logging Window
- Incorrect Custom 404 detection in URL Based XSS attacks on IIS servers addressed
- Recent Files 10 files limitation bug fixed
- When running Netsparker from Command Line it will no longer generate PDF files for XML reports
- Several other minor fixes & improvements