Today we are announcing the release of Netsparker Desktop 4.1. This new version includes a number of new web application security checks and improvements, as explained below.
Web form hijacking is a vulnerability in which the target of an HTML form (its action attribute) is built from input the attacker controls, typically a URL parameter, without being validated. To exploit it, the attacker lures the victim into opening a specially crafted URL. The page looks normal and the victim fills in the form, but when it is submitted the POST data, credentials included, goes to a server the attacker controls instead of the legitimate site, and the attacker can read it.
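The following is an added example written for this post, not Netsparker's code or the code of any particular site. It shows the vulnerable pattern (a login form whose action comes straight from a `return_to` query parameter), a hardened version that only accepts same-site paths, and a scanner-style check that parses the response and reports any form that would post to a host other than the page's own. The site name `shop.example`, the attacker host `attacker.example` and the parameter name are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://shop.example/login"   # constructed target page
DEFAULT_ACTION = "/login"


def render_login_vulnerable(return_to: str) -> str:
    """Vulnerable pattern: the form action is copied from a query parameter
    (e.g. /login?return_to=...) with no validation or escaping."""
    return (
        f'<form method="POST" action="{return_to}">'
        '<input name="user"><input name="pass" type="password">'
        '<button>Login</button></form>'
    )


def safe_return_path(return_to: str, default: str = DEFAULT_ACTION) -> str:
    """Allow only a same-site absolute path such as /account?tab=orders.
    Anything else (https://host/..., //host/..., javascript:, a backslash,
    which browsers treat like a slash, or control characters) falls back
    to the default action."""
    if any(ord(c) < 0x20 or c == "\\" for c in return_to):
        return default
    if not return_to.startswith("/") or return_to.startswith("//"):
        return default
    return return_to


def render_login_hardened(return_to: str) -> str:
    """Hardened: validate the target, then attribute-escape it so the value
    cannot break out of the action attribute either."""
    action = html.escape(safe_return_path(return_to), quote=True)
    return (
        f'<form method="POST" action="{action}">'
        '<input name="user"><input name="pass" type="password">'
        '<button>Login</button></form>'
    )


class _FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> in a response."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def _browser_like(action: str) -> str:
    """Browsers treat '\\' as '/' and collapse a run of leading slashes
    (///host/x resolves to //host/x); Python's urljoin does not, so
    normalise before resolving or the scanner misses those variants."""
    a = action.strip().replace("\\", "/")
    if a.startswith("//"):
        a = "//" + a.lstrip("/")
    return a


def offsite_form_actions(page_html: str, page_url: str) -> list[str]:
    """Scanner-style check: resolve every form action against the page URL
    and return those that would post to a different host. A scanner injects
    an attacker-controlled host into each parameter and runs this over the
    response; a hit means that parameter decides where the form posts."""
    parser = _FormActionCollector()
    parser.feed(page_html)
    site_host = urlsplit(page_url).netloc.lower()
    hits = []
    for action in parser.actions:
        resolved = urljoin(page_url, _browser_like(action))
        if urlsplit(resolved).netloc.lower() != site_host:
            hits.append(resolved)
    return hits


if __name__ == "__main__":
    crafted = "https://attacker.example/collect"
    print(offsite_form_actions(render_login_vulnerable(crafted), PAGE_URL))  # attacker host reported
    print(offsite_form_actions(render_login_hardened(crafted), PAGE_URL))    # nothing reported
```

Note that a value such as `//attacker.example/collect` has no scheme and would pass a naive "does it start with http" check, which is why the safe version insists on a single leading slash and no backslashes rather than trying to blacklist schemes.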
In this version we also improved the scanner's detection of backup files on websites. A backup file is not a vulnerability in the way a SQL injection is, where exploitation gives the attacker access to the backend database. But a forgotten copy of a file is often served as plain text rather than executed (for example a .bak copy of a server-side script), and its contents can help an attacker craft a more targeted attack. So it is well worth knowing they are there.
We also moved the Backup Files signatures into the Scan Policy Editor, so users can edit the list of signatures and easily add their own, as shown in the screenshot below.
Similar to backup files, common directories do not compromise a website by themselves, but they can make an attacker's job much easier: a directory called /admin/ will get far more of an attacker's attention than one called /samples/.
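As an added example for the backup-file and common-directory checks described above (not Netsparker's code, and the signature lists here are constructed for illustration, not the product's own list), the block below derives likely backup names from a known file, probes a wordlist of directory names, and guards both against the classic false-positive source: a site that answers 200 for every path. A random name is requested first; if that "exists", the signature results cannot be trusted and the check reports inconclusive instead of a page of hits. HTTP is stood in for by a constructed dict of path-to-status.

```python
import secrets
from typing import Callable, Optional

# Constructed signature lists for illustration only, not Netsparker's list.
BACKUP_SUFFIXES = [".bak", ".old", ".orig", ".save", ".tmp", ".1", "~", ".zip", ".tar.gz"]
COMMON_DIRS = ["admin", "backup", "config", "db", "logs", "old", "test", "uploads"]

Fetch = Callable[[str], int]   # path -> HTTP status code


def backup_candidates(path: str) -> list[str]:
    """Derive likely backup names for a known file such as /app/index.php."""
    folder, _, name = path.rpartition("/")
    folder += "/"
    stem, dot, _ext = name.rpartition(".")
    cands = [folder + name + s for s in BACKUP_SUFFIXES]                      # index.php.bak, index.php~
    if dot:
        cands += [folder + stem + s for s in BACKUP_SUFFIXES if s != "~"]     # index.bak, index.zip
    cands += [folder + "." + name + ".swp", folder + "#" + name + "#",        # vim / emacs leftovers
              folder + name + ".swp"]
    seen, out = set(), []
    for c in cands:                                                           # keep order, drop duplicates
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def _soft_404(folder: str, fetch: Fetch) -> bool:
    """Some sites answer 200 for any path; then every signature would 'hit'.
    Probe a random name and treat a 200 as 'results not trustworthy'."""
    return fetch(folder + secrets.token_hex(8) + ".bak") == 200


def find_backup_files(path: str, fetch: Fetch) -> Optional[list[str]]:
    """Return backup copies of `path` that the server serves, or None if the
    folder answers 200 for anything and the check is inconclusive."""
    folder = path.rpartition("/")[0] + "/"
    if _soft_404(folder, fetch):
        return None
    return [c for c in backup_candidates(path) if fetch(c) == 200]


def find_common_directories(base: str, fetch: Fetch) -> Optional[list[str]]:
    """Probe a wordlist of directory names under `base`. A 403 still counts
    as 'exists' (listing forbidden, contents may not be); redirects usually
    mean the directory is there too."""
    base = base if base.endswith("/") else base + "/"
    if fetch(base + secrets.token_hex(8) + "/") == 200:
        return None
    return [base + d + "/" for d in COMMON_DIRS
            if fetch(base + d + "/") in (200, 301, 302, 401, 403)]


# Constructed fake site standing in for HTTP requests: path -> status.
FAKE_SITE = {
    "/app/index.php": 200,
    "/app/index.php.bak": 200,
    "/app/.index.php.swp": 200,
    "/app/admin/": 403,
    "/app/uploads/": 200,
}


def fake_fetch(path: str) -> int:
    return FAKE_SITE.get(path, 404)


if __name__ == "__main__":
    print(find_backup_files("/app/index.php", fake_fetch))
    print(find_common_directories("/app", fake_fetch))
```

When running this against a real site, replace `fake_fetch` with a function that issues a HEAD or GET and returns the status code, and consider comparing response bodies too: a 200 with the same body as the random probe is another form of soft 404.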
The above are just the major highlights for this version of Netsparker. For a complete list of all that has been improved and fixed refer to the Netsparker Desktop changelog.
If you are already using Netsparker Web Application Security Scanner, a pop-up window with the upgrade details will appear the next time you run Netsparker. Alternatively you can always click Check for Updates in the Help drop-down menu to check for updates manually.
If you have problems with the upgrade or product-related queries, get in touch with our awesome support team by sending us an email at firstname.lastname@example.org.