
Anti-CSRF token support in new Netsparker v1.8.3.3

Category: Releases - Tags: netsparker monthly , new features , bug fixes , netsparker improvements , anti csrf tokens - Fri, 11 Apr 2014, by Ferruh Mavituna

After releasing 7 updates in 2010, adding a total of 16 security checks and 15 new features, here is the first Netsparker update of 2011.

Anti-CSRF Token Support

If you have ever tried to test a website with strict anti-CSRF protection, manually or automatically, you know how irritating it can get. It is also very hard to exploit vulnerabilities in these applications, since many tools do not support anti-CSRF tokens.

Netsparker 1.8.3.3 comes with Anti-CSRF token support in detection, confirmation and exploitation.

By default, it automatically works with the following frameworks / languages:

  • ASP.NET and ASP.NET MVC
  • Struts2
  • ColdFusion
  • PHP (Symfony, CodeIgniter, Zend)

You can go to "Settings (F4) > Attacking" to configure it according to your custom applications.
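To make concrete why a scanner needs explicit token support, here is a small added example (my own illustration, not Netsparker code) of the synchronizer-token pattern: the server derives a per-session token, embeds it as a hidden form field, and rejects any POST that does not carry the matching token. The second half is the client side a testing tool has to implement: fetch the form, pull out the hidden field, and resubmit it with the request. Field names, the HMAC derivation and the session ids are constructed for the example.

```python
"""Added example (not Netsparker code): a minimal synchronizer-token
anti-CSRF scheme, plus a client that must carry the token along.
All names and values are constructed for illustration."""
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret, never sent to clients


def issue_token(session_id):
    """Derive a per-session token; without SERVER_KEY a client cannot forge it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id):
    """Embed the token as a hidden input, the usual synchronizer-token layout."""
    token = issue_token(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="_csrf" value="{token}">'
        '<input type="text" name="amount">'
        "</form>"
    )


def handle_post(session_id, fields):
    """Server side: refuse the request unless the token matches this session."""
    expected = issue_token(session_id)
    supplied = fields.get("_csrf", "")
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return 403, "invalid or missing anti-CSRF token"
    return 200, f"transferred {fields.get('amount')}"


class HiddenFieldParser(HTMLParser):
    """Collect every hidden <input> of a page, which is what a tool must replay."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name")] = a.get("value", "")


def extract_hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.hidden


def submit_without_token(session_id, amount):
    """What a token-unaware tool does: post the payload field only."""
    return handle_post(session_id, {"amount": amount})


def submit_with_token(session_id, amount):
    """What a token-aware tool does: fetch the form, reuse its hidden fields."""
    fields = extract_hidden_fields(render_form(session_id))
    fields["amount"] = amount
    return handle_post(session_id, fields)


if __name__ == "__main__":
    print(submit_without_token("sess-A", "10"))  # rejected with 403
    print(submit_with_token("sess-A", "10"))     # accepted with 200
```

Because the token is bound to the session, a token lifted from one session is rejected in another, so the client must keep session cookie and token together for every request it replays.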

Enjoy!

Brute Force Support

Now, when Netsparker sees a resource that requires Basic, NTLM or Digest Authentication, it automatically tries a list of known usernames and passwords and reports if it manages to find a valid credential. You can change Brute Force related settings from "Settings (F4) > Brute Force".
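The same behaviour is visible on the server side as a burst of 401 responses for one resource from one client, often followed by a 200 once a credential works. As an added example (not Netsparker code), this Python snippet runs that detection over a few constructed combined-format access-log lines; the IPs are RFC 5737 documentation addresses and the threshold and window are arbitrary choices.

```python
"""Added example (not Netsparker code): flag HTTP-auth password guessing
in access logs by counting 401s per client and path inside a time window.
Log lines, threshold and window are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-log sample: eight failures then a success from one client,
# and a single mistyped password from another.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2014:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:04 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:06 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:07 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - - [11/Apr/2014:10:00:08 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "scanner"
192.0.2.10 - admin [11/Apr/2014:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "scanner"
198.51.100.7 - - [11/Apr/2014:10:05:00 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "Mozilla"
198.51.100.7 - bob [11/Apr/2014:10:05:03 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_guessing(log_text, threshold=5, window_seconds=60):
    """Return one finding per (ip, path) whose 401s reach `threshold` inside
    any sliding window of `window_seconds`, noting whether a 200 followed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["path"])].append(e)

    findings = []
    for (ip, path), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["status"] == 401]
        # Sliding window over sorted failure times: the i-th and (i+threshold-1)-th
        # failures bound a window; if that span fits, the threshold was reached.
        flagged = any(
            (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not flagged:
            continue
        success_after = any(e["status"] == 200 and e["ts"] > fails[0] for e in evs)
        findings.append({
            "ip": ip,
            "path": path,
            "failures": len(fails),
            "success_after_failures": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in find_guessing(SAMPLE_LOG):
        print(finding)
```

A finding with `success_after_failures` set is the one to treat as a likely compromised credential rather than mere noise; the single-failure client is left alone because one wrong password is normal user behaviour.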

New Checks

  • Frame Injection
  • Possible Sensitive Files Detection (Categories: Log, Stats, Installation, Configuration, Administration, Database)
  • Backdoor Detection
  • Tomcat Source Code Disclosure
  • Tomcat Default Pages Identification

Form Authentication Improvements

  • AJAX support added to Form Authentication (Netsparker has supported AJAX in crawling since the first release, but it was not supported in Form Authentication; we have finally addressed this)
  • RegEx option added to Signatures
  • New Source Code View added
  • Logged In/Out Views improved
  • Addressed an issue where some characters, such as ('), caused problems in Configure Authentication when used in usernames or passwords

Other Improvements

  • Heuristic Binary Response Detection added. This will increase the speed and coverage of scans.
  • Extension Blacklisting slightly changed. Now Netsparker determines automatically whether a URL is static or a dynamic file.
  • New checks added to XSS Engine
  • Confirmation added to external JS injection in XSS Engine
  • An advanced Negative Match option added to Advanced Settings: click "Settings" while holding down "Ctrl" to enable the Negative Matching option in Configure Form Authentication
  • Minor charset related bugs addressed
  • Fixed: Basic Authentication issues were not reported if the user had manually entered Basic Authentication credentials
  • Fixed: the vulnerable parameter was reported incorrectly in Permanent XSS issues
  • If there are Path or Internal IP Disclosures in HTTP Headers, Netsparker now reports those as well
  • Fixed: some issues were not reported if they were on 404 pages
  • Several other minor changes and improvements

If you have a valid Netsparker Professional or Standard license, all you need to do is click "Help > Check Updates" to update to the latest version of Netsparker.
