November 2016 Netsparker Enterprise Update

Category: Releases - Last Updated: Thu, 03 Nov 2016 - by Ferruh Mavituna

We have just updated Netsparker Enterprise, the cloud-based edition of our web application security scanner. Below is a quick overview of what is new and improved.

Technical Check for the HTTP Header set-cookie

In this update we included a new check for the HTTP header set-cookie. The scanner checks and will alert you if multiple cookies are attached in the same set-cookie header, as shown in the below screenshot.

Some web applications set multiple cookies in the same HTTP headers 

As such having multiple cookies attached to the same HTTP header set-cookie is not a security issue per se, but according to section 3 of the RFC 6265;

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

We still implemented this check because attaching multiple cookies in the same set-cookie header could lead to a number of technical problems. For example most browsers will only accept the first cookie. Below is a screenshot of the alert that the scanner will issue in the case it detects multiple cookies:

A Netsparker Cloud alert of multiple cookies in the same HTTP header set-cookie

Improved Security Checks

In this update we also added some improvements to the Content Security Policy check, and improved the coverage of the BlinD SQL Injection engine.

Complete List of Changes

We also fixed several bugs with this update. For a complete detailed list of all the fixes etc please refer to the Netsparker Enterprise 20161102 changelog entry.


Keep up with the latest web security
content with weekly updates.