Netsparker 3.2 Released – New Features Overview

Netsparker Web Application Security Scanner Version 3.2 allows Netsparker users to scan and identify vulnerabilities and security issues automatically in SOAP web services. This version of the false positive free web vulnerability scanner also includes new request and response viewers, a number of improvements that make web vulnerability scans more efficient and a number of bug fixes.

We are happy to announce version 3.2 of the false positive free Netsparker Web Application Security Scanner. The new version includes several new features, improvements that make web vulnerability scans more efficient and also a number of bug fixes. The main highlight of this version is the web services scanner; Netsparker users can now scan and identify vulnerabilities and security issues in web services automatically and easily with Netsparker.

Read this article for more information about all of the new features in Netsparker version 3.2.

Identify Vulnerabilities and Security Issues in SOAP Web Services

Netsparker 3.2 brings one of the most requested features, SOAP web service scanning, to the table. Your much loved web vulnerability scanner Netsparker is now capable of crawling WSDL files and generating proper HTTP requests for the discovered SOAP operations, in order to identify security issues and vulnerabilities in them. Scanning a web service with Netsparker is as easy as scanning a web application; just point Netsparker to your WSDL link and click the Start Scan button. The following screenshot shows a Boolean SQL Injection identified in a SOAP request on the target web service implementation.

Boolean SQL Injection identified in a SOAP request on the target web service implementation

Scanning a Web Application and Web Service Automatically in a Single Scan - Hybrid Scanning

Netsparker also supports what we call Hybrid Scanning of web applications and web services in a single scan. You can point Netsparker to the root of your web site and, if the crawler identifies a WSDL file, it will also scan the identified web service in the same security scan. One of the benefits of this scanning style is that if an attack against your web service endpoint surfaces on some other part of your web site, e.g. as a permanent (stored) XSS vulnerability, Netsparker will report it.

Import Offline WSDL Files to Start a Web Service Security Scan

The WSDL file does not necessarily need to be served by the target server for Netsparker to be able to scan a web service. If you have disabled WSDL generation on your production servers due to security concerns, you can import the WSDL file from your disk into Netsparker before starting the scan. Netsparker will parse the imported WSDL document and add the necessary SOAP requests to the crawler. WSDL files are imported through the same interface as the existing Fiddler, Paros and other importers in the Start a New Scan dialog.
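What "crawling a WSDL file and generating SOAP requests" involves in practice, shown as an added example rather than Netsparker's own code: the script below parses a WSDL document (a constructed one in document/literal "wrapped" style, the shape ASP.NET .asmx services emit; the host example.invalid and the operation names are placeholders), lists each operation with its endpoint, SOAPAction header and typed parameters, flags the free-text parameters (the inputs that both a scanner's checks and the service's own input validation most need to cover), and builds a schema-shaped request skeleton for each. Because it works on the document text rather than a URL, it covers the offline-WSDL case described above as well.

```python
"""Inventory the SOAP operations a WSDL exposes and build a request skeleton per operation.

Added illustration, not Netsparker's code. The WSDL and the host example.invalid
are constructed for the example.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xs": "http://www.w3.org/2001/XMLSchema",
}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Placeholder values per XML Schema type so the skeleton is well-typed before any testing.
DEFAULTS = {"int": "0", "long": "0", "boolean": "false", "double": "0.0"}

# Constructed sample WSDL: one operation with parameters, one without.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:s="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="http://example.invalid/orders" targetNamespace="http://example.invalid/orders">
  <types><s:schema elementFormDefault="qualified" targetNamespace="http://example.invalid/orders">
    <s:element name="GetOrder"><s:complexType><s:sequence>
      <s:element name="orderId" type="s:int"/><s:element name="customer" type="s:string"/>
    </s:sequence></s:complexType></s:element>
    <s:element name="GetOrderResponse"><s:complexType><s:sequence>
      <s:element name="GetOrderResult" type="s:string"/></s:sequence></s:complexType></s:element>
    <s:element name="Ping"><s:complexType/></s:element>
    <s:element name="PingResponse"><s:complexType/></s:element>
  </s:schema></types>
  <message name="GetOrderSoapIn"><part name="parameters" element="tns:GetOrder"/></message>
  <message name="GetOrderSoapOut"><part name="parameters" element="tns:GetOrderResponse"/></message>
  <message name="PingSoapIn"><part name="parameters" element="tns:Ping"/></message>
  <message name="PingSoapOut"><part name="parameters" element="tns:PingResponse"/></message>
  <portType name="OrdersSoap">
    <operation name="GetOrder"><input message="tns:GetOrderSoapIn"/><output message="tns:GetOrderSoapOut"/></operation>
    <operation name="Ping"><input message="tns:PingSoapIn"/><output message="tns:PingSoapOut"/></operation>
  </portType>
  <binding name="OrdersSoap" type="tns:OrdersSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="http://example.invalid/orders/GetOrder" style="document"/>
      <input><soap:body use="literal"/></input><output><soap:body use="literal"/></output></operation>
    <operation name="Ping"><soap:operation soapAction="http://example.invalid/orders/Ping" style="document"/>
      <input><soap:body use="literal"/></input><output><soap:body use="literal"/></output></operation>
  </binding>
  <service name="Orders"><port name="OrdersSoap" binding="tns:OrdersSoap">
    <soap:address location="http://example.invalid/Orders.asmx"/></port></service>
</definitions>"""


def _local(qname):
    """Strip the namespace prefix: 'tns:GetOrder' -> 'GetOrder', 's:int' -> 'int'."""
    return qname.split(":", 1)[-1] if qname else qname


def build_envelope(tns, wrapper, params):
    """SOAP 1.1 request body for a document/literal wrapped operation."""
    fields = "".join(f"<{n}>{DEFAULTS.get(t, '')}</{n}>" for n, t in params)
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<{wrapper} xmlns="{tns}">{fields}</{wrapper}></soap:Body></soap:Envelope>')


def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def inventory(wsdl_text):
    """Return one dict per bound operation: endpoint, headers, typed params, request skeleton."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    # Schema: wrapper element name -> [(parameter name, local type), ...]
    elements = {el.get("name"): [(p.get("name"), _local(p.get("type")))
                                 for p in el.findall(".//xs:element", NS)]
                for el in root.findall("wsdl:types/xs:schema/xs:element", NS)}
    # Messages: message name -> wrapper element name referenced by its part
    messages = {m.get("name"): _local(m.find("wsdl:part", NS).get("element"))
                for m in root.findall("wsdl:message", NS)}
    endpoint = root.find("wsdl:service/wsdl:port/soap:address", NS).get("location")
    ops = []
    for bop in root.findall("wsdl:binding/wsdl:operation", NS):
        name = bop.get("name")
        action = bop.find("soap:operation", NS).get("soapAction", "")
        inp = root.find(f"wsdl:portType/wsdl:operation[@name='{name}']/wsdl:input", NS)
        wrapper = messages[_local(inp.get("message"))]
        params = elements.get(wrapper, [])
        ops.append({
            "name": name, "endpoint": endpoint, "element": wrapper, "params": params,
            "headers": {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{action}"'},
            "free_text": [n for n, t in params if t == "string"],  # unconstrained inputs
            "envelope": build_envelope(tns, wrapper, params),
        })
    return ops


if __name__ == "__main__":
    for op in inventory(SAMPLE_WSDL):
        print(f"{op['name']:10} {op['endpoint']}  params={op['params']}  free_text={op['free_text']}")
        print("  ", op["envelope"])
```

Each entry carries everything an HTTP client needs to exercise the operation (POST to `endpoint` with the two headers and `envelope` as the body), which is the same request a scanner feeds to its crawler; the `free_text` list is a quick way to see which operations accept unconstrained strings and therefore deserve the closest look in both validation code and scan coverage.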

New Knowledge Base Node for Web Services

SOAP web services discovered during the security scan are also reported in a new, separate Knowledge Base node. You can see each operation of the discovered web services under the Web Services (SOAP) node.

Web Services Standards Supported by Netsparker v3.2

In its current incarnation, Netsparker supports the following web service standards:

New Request and Response Viewers for New HTTP Request Formats

With the growing number of HTTP request formats that Netsparker supports in its recent versions, the need for better viewers to represent these requests and responses has arisen. To resolve this, Netsparker 3.2 introduces much improved request and response viewers which can render JSON and XML documents as tree views. The following screenshot shows a SOAP request and response in the XML viewers:

New request and response viewers in Netsparker show SOAP requests and responses using the XML viewers

AJAX Knowledge Base Node

Netsparker now also reports any AJAX (XMLHttpRequest) requests under a new knowledge base node:

Ajax Knowledge Base node where AJAX and XML HTTP requests will be listed on Netsparker

Complete Change Log for Netsparker 3.2

For a complete detailed changelog of what is new and improved in the latest version of Netsparker please visit the Netsparker Change Log.

About the Author

Ferruh Mavituna - Founder, Strategic Advisor

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.