We are happy to announce the new Netsparker Web Application Security Scanner version 3.5. It has been quite awhile since you have heard the news of a new major version update from us, which is not normal. Typically we release new major updates much more frequently, though as you will notice in this version we implemented a new crawling engine and several other new features, which are no small feat. So even if it might have taken us some time to release this new version, we are still very happy with the outcome and we are sure you will be as well.
Netsparker Cross-site Scripting engine already scans websites for XSS vulnerabilities that can be exploited by sending payloads through HTTP requests. With this new version of Netsparker the scanning engine can now also detect another category of Cross-site Scripting vulnerabilities; DOM based cross-site scripting. These vulnerabilities are usually exploited by setting an XSS payload at the web page’s location hash value. If the page doesn’t validate this input, chances are, a DOM based vulnerability may lay there. From this version on, Netsparker will scan your web pages against DOM Based Cross-site Scripting vulnerabilities. If your website makes use of location hash values for various purposes, scanning your web site against DOM Based Cross-site Scripting vulnerabilities is crucial.
The DOM Based Cross-site Scripting tests can take quite some time to complete, especially when scanning pages with lots of elements. Therefore the default scan policy in Netsparker has DOM Based Cross-site Scripting off but you can always scan your site using Extensive Security Checks policy or create your own policy to find out DOM Based Cross-site Scripting vulnerabilities. In the meantime we are already working on several improvements to ensure DOM based XSS tests are as fast as all other security checks.
Read the article DOM based Cross-site Scripting Vulnerabilities for a more detailed explanation of this vulnerability variant.
Websites today are making use of the technique called URL Rewrite to have more readable URLs and have higher search engine ranking. Using URL Rewrite, websites replace the ugly looking regular GET parameters in URLs with more readable URL path segments. Previous versions of Netsparker was trying to automatically detect if the site being scanned has URL Rewrite in place. This version of Netsparker introduces Custom URL Rewrite Configuration which allows you to configure the scanner by providing the URL rewrite patterns on the target web site. Once configured Netsparker will be able to attack URL segments which play role of a parameter. Also, this helps in reducing the number of attacks for the URLs with the same patterns.
Read URL Rewrite Rules and Web Vulnerability Scanners for more detailed information on URL rewrites and check out Configuring URL Rewrite Rules in Netsparker Web application Security Scanner to see how easy it is to configure URL rewrite rules in Netsparker to scan parameters in the URL.
You may want to exclude a specific vulnerability from a scan result so it won’t appear in the reports. These could be the kind of vulnerabilities that are informational and make the report too verbose, or you believe that the vulnerability doesn’t exist any more. Using this new feature, you can ignore a vulnerability from a specific scan by right clicking it from the sitemap tree as shown in the below screen shot.
The new crawling and web browser engine opens a number of new opportunities for Netsparker and we will continue developing on it to ensure that Netsparker can automatically crawl and scan a wider variety of web applications built with different technologies.
For a complete detailed changelog of what is new and improved in the latest version of Netsparker please visit the Netsparker Web Application Security Scanner Change Log.