We've been frantically working on the new version of Netsparker. We addressed lots of minor issues, added some new features, improved many of the engines but most importantly fixed all memory related problems.
Better memory management
We received some bug reports regarding that our users were getting "Out of Memory" exceptions in big websites. Yes, almost all other web application security scanners crash in big websites, it might be acceptable for them but not for us.
So we fixed all memory related problems. It doesn't matter how big the HTTP response is, 10kB or 4096kB, it doesn't matter that Netsparker needs to do 100 requests to 2 million requests it will work just fine and won't cost you more than 300MB of memory. You might still experience some problems if you need to do more than 5 million requests due to our storage and optimisation design, however I'm pretty sure 5 million attacks will cover almost all websites and when you in doubt you can always scan folders separately and then Netsparker can merge the scan results from "File > Open" for you.
Permanent/Stored Cross-site Scripting Improvements
We improved the detection and reporting of Permanent Cross-site Scripting issues. Now you can see the details of the injection request as well as the output point. This way you can simply spot the vulnerable location.
Unfortunately Permanent XSS engine doesn't support confirmation yet but we are working on it.
Better Cross-site Scripting (XSS) Confirmation Engine
As you know Netsparker is the first and only scanner which can confirm vulnerabilities to eliminate false positives. We massively increased confirmation in XSS engine to provide one click proof of concepts to our users. Now the extra confirmation engine will try to find the easiest XSS exploit before going to more obscure ones.
Some attacks are revised and many attacks to bypass WAF/IDS added.
New Settings Interface
Even though Netsparker tries to do everything for you, detecting URL Rewrites, custom 404 page patterns, best exploitation speed etc. sometimes you want to go into details and fine tune the settings for a web application test.
Our previous settings interface was hideous so we replaced it with a new shiny interface:
Netsparker still hides some advanced settings as 99% of users don't really need to change them, however if you are really curious and somehow know what you are doing you can hold "Ctrl" button while clicking to "File > Settings > Settings" and get the advanced and still "hideous" settings interface.
If you mess up the configuration go to "Settings" and click "Reset Settings".
We received bug reports about NetsparkerHelper was crashing in some websites. These issues addressed and fail-safe check added to NetsparkerHelper as it'll recover itself silently so your scan can continue as it supposed to even when there is something unexpected.
Local File Inclusion (LFI) Engine Improvement
LFI is a still common and dangerous vulnerability. We fixed some problems in the confirmation engine. It wasn't confirming some LFI vulnerabilities in *nix systems.
We added new attacks to bypass blacklisting filters, IDS/WAFs. Exploitation improved and many minor bugs addressed.
In the previous version there were some bugs when you try to load an unfinished scan and try to resume. We addressed these bugs so you can save a scan in the middle of crawling, attacking or anything else and then load and continue later on.
Better Time Based Blind SQL Injection Detection
It's clear that Netsparker has the best SQL Injection detection engine when it comes to MySQL, ORACLE and SQL Server. Unlike other scanners Netsparker doesn't just to "OR 1=1" it analysis the backend database, carries out many specific test to find SQL Injections in many situations then confirm the SQL Injection by safely exploiting it and finally do the post-exploitation attacks to find more issues such as database user has administrator priviliges.
In this new version we updated the Blind SQL Injection to make it even better. Now Blind SQL Injection engine analysis server responses, identifies required wait times and this means even when the responses from the server is unusually slow or the application is a bit unreliable Netsparker still can identify and confirm the SQL Injection.
Old School Changelog
- Issue reports quality increased by adding and refining the content
- There is a new option for waiting all static resource attacks before skipping to the attacking phase. By default Netsparker will not wait to find all directories to skip the Crawling phase, you can override this from the settings.
- URL Based XSS attack patterns improved.
- Permanent/Stored Cross-site Scripting (XSS) reports are not much better. It shows the injection point, output point and all other required details in the report.
- LFI Engine is improved. Couple of bugs fixed, we add IDS/WAF evasion techniques, new attacks a new confirmation to confirm more LFI issues.
- Minor form authentication related bugs fixed.
- A new vulnerability check added that converts limited LFI attacks to Cross-site Scripting.
- LFI exploitation related bugs fixed.
- In the last update due to some internal changes we had to remove Cross-site Scripting detection in "script" blocks. Now it's back with confirmation.
- Support for XSS in HTML comments is back with confirmation.
- Report threshold increased for possible SQL Injections. Means less [Possible] reports.
- A new check added to report if the configured Form Authentication doesn't seem to work and extra checks added to avoid recursive loops in incorrect form authentication settings.
- Some bugs addressed related ViewState decoding and ViewState analysis now supports .NET Framework 1.x ViewState.
- GUI performance increased, even when more than 100 vulnerability reported per second GUI stays responsive.
- Overall performance increased, now Netsparker can process more than 500 requests per second in a Core i7.
- We massively decreased the usage of memory in Netsparker. You can test really big websites which takes days to scan and millions of requests to attack and Netsparker will manage to finish the scan and won't use too much memory.
- Data Length bug in SQL Injection exploitation addressed.
- Incorrect figures in dashboard during the Recrawling phase issue addressed.
- A bug in getting a reverse shell from boolean based SQL Injections addressed.
- A theme problem addressed in message boxes.
- Merge scan was causing losing old issues from the issues panel during the load and new scans.
- There were some bugs about resuming a loaded scan. Now Netsparker can resume scanning from any previously saved scan. So you can start scanning and then save it in the middle of a scan. Load it later on and continue.
- One of the XSS attacks was missing from the Permanent/Stored XSS detection. This issue has been addressed.
- Blind SQL Injection confirmation is improved. In new confirmation engine Netsparker can analyse the server request performance and tweak attacks to perfectly server overhead and confirm Blind SQL Injections even in really slow or unstable connections.
- A problem in Static Checks addressed. This was causing to miss some hidden directories if the initial requested directory returns 3xx code.
- Some bugs in heuristic URL Rewrite detection in big websites addressed.
- A bug was causing crawling stage to stuck in last 1 or 2 requests addressed. This was happening only 1 in 100 scans.
- Licence Loader theme changed to native OS theme for Windows 7/Vista.
- New settings interface introduced. It explains all the important settings and allows you to configure them easily. If you know what you are doing and want to access all advanced settings click to hold "Ctrl" and click to "Settings" this will open the advanced settings panel instead of the new settings panel.
- A bug in saved login scripts addressed.
- Request Monitor removed. If you need similar functionality please refer to How to see all HTTP Requests and Responses topic.