Everyone in our team is really happy to announce the release of Netsparker version 3.1. As you will see in these release notes, this new version is jampacked with new features, new functionality and new web application security checks. Most of the new security features are targeted to help penetration testers, web application security experts and developers do a better job in uncovering all type of vulnerabilities in all of the web applications they are securing, including modern Web 2.0 and HTML5 web applications.
This new version of Netsparker is also able to extract much more details about the target web application which if unnoticed could potentially help malicious hackers craft malicious attacks against the web application. Such information will enable Netsparker users to better understand the target web application so they can attack it better themselves and uncover all security issues. Following is the list of what is new and improved in Netsparker version 3.1.
Netsparker is now able to launch advanced web security checks against web 2.0 applications by identifying, parsing and attacking HTTP request bodies which contain JSON and XML data. If the target web application uses JSON as its payload while performing AJAX requests, Netsparker will intercept that and attack each of the property values. A sample attack below shows that Netsparker performs a Command Injection attack to a parameter value in a JSON payload:
In Netsparker version 3 we introduced Scan Policies, enabling users to specify the type of vulnerabilities a web application should be checked for. In version 3.1 we went a step further by moving most of the global Netsparker settings to the Scan Policy editor. This allows you to create scan policies with different set of settings. For example if a security consultant works with different customers and one of them requires the consultant to connect to a proxy while scanning their websites, the security consultant can create a new Scan Policy specifically for that customer with the required settings and load it up each time he needs to launch a scan, rather than reconfiguring such settings.
This new version of Netsparker now fully supports HTML5 web applications. The all new HTML5 engine allows Netsparker to properly crawl HTML5 web applications and identify all attack surfaces that could be susceptible to exploitable vulnerabilities.
Netsparker also detects improperly sandboxed or insecure inline frames. iframe sandboxing enables a set of extra restrictions for the content in the inline frame. When inline frame is sandboxed, the iframe content is treated as being from a unique origin and sandboxed content is re-hosted in the browser with the following restrictions:
When the sandbox attribute is not set or its value contains one or more of the below listed values for an external URL, Netsparker will report it:
Overall Netsparker will report to you anything that is wrong with the embedded iframe and also recommends several remediations.
With the release of Netsparker 3.1 we are also introducing 4 new Knowledge Base nodes where Netsparker will report more findings about the target web application. Such information allows web application security professionals to better understand the web application they are scanning thus helping them do a more complete web application security audit. The 4 new Knowledge Base nodes are;
The new version 3.1 of Netsparker will detect possible Cross-site Request Forgery (CSRF) vulnerabilities automatically during a web application security scan.
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which the user is currently authenticated. With a little help of social engineering, for example by sending a malicious link via email or chat, the attacker may trick the victim into executing actions of the attacker's choosing. A successful CSRF attack can compromise end user data and operation in case of normal user. If the targeted victim is the administrator account, this can compromise the entire web application.
Netsparker is also capable of automatically detect forms which are not vulnerable to CSRF attacks, for example search forms, forms with CAPTCHA etc. This detection mechanism will eliminate false-positive cases.
Because the impact of this vulnerability is decreased significantly however it might still be dangerous in certain situations. In this kind of attack, the attacker will send a link containing html as simple as the following in which attacker's username and password is attached.
<form method="POST" action="http://honest.site/login">
<input type="text" name="user" value="h4ck3r" />
<input type="password" name="pass" value="passw0rd" />
When the victim clicks the malicious link, the form will be submitted automatically to the legitimate website and exploitation is successful. The victim will be logged in as the attacker and consequences will depend on the website behavior.
Many sites allow their users to opt-in to saving their search history and provide an interface for a user to review the personal saved search history. Search queries may contain sensitive details about the user’s interests and activities and could be used by the attacker to craft an attack against the user to steal the user’s identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker’s search history, and the attacker can retrieve the queries by logging into his or her own account.
Merchant sites allow their customers to save the credit card details in their online profile. In a login CSRF attack, when the user funds a purchase and enrolls the credit card, the credit card details might be added to the attacker's account should the CSRF attack be successful.
Apart from the above noticeable changes that will definitely allow you to be more productive and detect more vulnerabilities in your modern web applications, Netsparker version 3.1 contains a lot more changes and bug fixes which are listed in the Netsparker Web Application Security Scanner change log.
Netsparker makes web application security an easy task! It only takes a couple of minutes to launch a security scan with Netsparker and identify vulnerabilities and security issues in your web applications. Download the 15 Day trial edition of Netsparker today and see for yourself!
If you are already using Netsparker Web Application Security Scanner, a pop up window with the upgrade details will pop up the next time you run Netsparker. Alternatively you can always click on Check for Updates from the Help drop down menu to force manual updates as well.
If you have any queries, get in touch with our awesome support team by sending us an email on firstname.lastname@example.org