Netsparker Enterprise Change Log
Netsparker Enterprise Update - 1st October 2020 (v1.9.1.977)

NEW FEATURES

  • Added support for alternate email for SSO login
  • Form authentication Hashicorp Vault integration added ( https://www.netsparker.com/support/integrating-netsparker-enterprise-hashicorp-vault/)
  • Technologies chart added to the global dashboard and website dashboard pages
  • Test credential API endpoint added for scan profiles
  • Added Form Auth Custom Scripting feature to the New Scan page
  • Login page has been redesigned
  • The SSO help text area in the SSO settings page has been redesigned
  • Added an API endpoint for Updating Issue States
  • Travis CI integration has been added
  • Jira integration now supports custom Resolved statuses
  • Kenna integration now supports Asset Application Identifier
  • Agents can now be installed using Linux and a Linux Agent button has been added to the Configure New Agent page (On-Demand Only)
  • Upgraded the Netsparker scanning engine to version 5.9.027701. 

NEW SECURITY CHECKS

  • Added Out-of-date security checks for the Liferay portal
  • Added Version Disclosure and Out-of-date security checks for Jolokia
  • Added Nested XSS security checks
  • Added an ASP.NET Razor SSTI security check
  • Added a Java Pebble SSTI security check
  • Added a Thymeleaf SSTI security check
  • Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

  • Added an Issue Update API swagger model improvement
  • Docker installation link has been added to the Configure New Agent page (On-Demand Only)
  • New password criterion of a minimum of 15 characters has been imposed on admin and top-level users.
  • Improvements have been made to the Form Authentication Test Script screen

FIXES

  • Fixed the problem of a slowVulnerable Websites per Period report on the Reporting
  • Fixed the file uploading problem on Imported Links
  • Fixed the Knowledge Base Report's exporting problem
  • Fixed the Yukon time zone problem.
  • Fixed the Imported Links problem.
  • Fixed the problem where the wrong time zone was displaying in Report Templates
  • Moved the Scan Profile Test Credentials API post method fields to the body element
  • Fixed a db file error in the Report Policy Editor
  • Fixed the issue where report policy user changes were not applied when reset.
  • Fixed the Vulnerability Detail page responsiveness problem
  • Fixed the Sitemap treeview responsiveness problem
  • Fixed the highlighted code focus problem
  • Added help text to the HashiCorp vault integration page
  • Fixed the bug that occurred when another team member updated the shared profile
  • Fixed a bug that occured when non-admin users updated profiles
  • The Report policy Editor CVSS scores fields now accept empty values
  • Fixed a server error that occured while saving a cloned Scan Policy
  • Fixed the problem that occurred when reconfirming the Verify Login and Logout settings

Netsparker Enterprise Update - 12th August 2020 (v1.8.0.960)

NEW FEATURES

  • Added IdP initiated SAML
  • Upgraded the Netsparker scanning engine to version 5.8.2.27669
  • Added Pivotal Tracker integration
  • Added support for SAML Assertion Encryption while configuring SSO

NEW SECURITY CHECKS

  • Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
  • Added out of date checks for Apache Traffic Server
  • Added version disclosure for Undertow Server
  • Added out of date checks for Undertow Server
  • Added version disclosure for Jenkins
  • Added out of date checks for Jenkins
  • Added signature detection for Kestrel
  • Added detection for Tableau Server
  • Added detection for Bomgar Remote Support Software
  • Added version disclosure for Apache Traffic Server

IMPROVEMENTS

  • A new Reset Agent Token button has been added to the Configure New Agent window
  • The Status field has been removed from the "api/1.0/discovery/ignorebyfilter" endpoint
  • Special characters (()[]#&%! " ') are now allowed in the Scan Policy name field
  • Windows and Linux Agent download buttons have been added to the Configure New Agent window
  • A Null check has been added for the ImporterType in the Update Scan Profile endpoint

FIXES

  • Fixed the Server Error that occured during the deletion of multiple websites
  • Fixed a bug where an optimized Scan Policy did not clone properly

Netsparker Enterprise Update - 25nd June 2020 (V1.7.1.952)

NEW FEATURES

  • Added resetting token support for agents

FIXES

  • Fixed an issue where Authentication Verification was failing to verify in the Scan Profile

Netsparker Enterprise Update - 22nd June 2020 (V1.7.0.948)

NEW FEATURES

  • Added Mattermost integration
  • Upgraded the Netsparker scanning engine to version 5.8.1.27665
  • Added API support for the Discovery service

NEW SECURITY CHECKS

  • Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

  • Added support for Admin users to log in with Netsparker Enterprise credentials when SSO is enforced
  • Added extra information about issues to the Jira Integration
  • Added control for Target Url field to disable Scan Settings if it's empty
  • Added Timezone information to Scan Time Window section in the New Scan window
  • The Netsparker API icon has been changed on the Integrations window
  • Added Manage Issues (Restricted) to the Permission Matrix
  • Added a Website Groups filter to the New Team Member window
  • Added a notification for Login Failed situation during scans
  • Added a Website Group filter to the Recent Technologies window

FIXES

  • Fixed the More information link in the New Website window
  • Fixed a bug where email notifications about Technologies were not being sent as expected
  • Fixed an issue where date filters were not working as expected
  • Fixed a bug in the website authentication process in the GitLab integration
  • Fixed an issue where the Internal Agent automatic update process was hanging
  • Fixed an issue in scans that are exported from Netsparker Standard into Netsparker Enterprise
  • Fixed an issue where Mark as Read was not working in Application Notifications
  • Fixed a bug where Imported Links and files were not returned for ongoing scans on the '/scans/list-scheduled' API endpoint
  • Fixed a bug that occurred when adding an internal website in the '/websites/new' API endpoint
  • Fixed an issue where Excluded Path was not saved in the Scan Profile save action
  • Fixed an issue where Preferred Agent was not saved in the Scan Profile save action
  • Fixed an issue where issue counts were duplicated in the Annual issue chart

Netsparker Enterprise Update - 28th April 2020 (v1.6.0.937)

NEW FEATURES

  • Added support for U2F (Universal 2nd Factor Authentication)
  • Added support for disabling API Access for a Team Member
  • Added issue synchronization support for Azure DevOps and ServiceNow
  • Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports
  • Added CVSS 3.1 support, to help with vulnerability scores
  • Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor
  • Added support for sending scan reports as email attachments on scan completed notification
  • Upgraded the Netsparker scanning engine to version 5.7.2.27798

IMPROVEMENTS

  • Improved Integration categories and New Integration pages to provide a better user experience
  • Added support for Windows Authentication (Integrated Security) for database connections (On-Premises only)
  • Updated the Terms of Service page
  • Added Technical Contact information to the 'websites/list' API endpoint
  • Added start-end date filters to the '/scans/listbystate' and '/auditlogs/export' API endpoints
  • Added an 'excludeAddressedIssues' filter to the '/scans/report/' API endpoint
  • Added a Failure Reason option to the Reason filter for failed scans
  • Added additional help text to the Issues' Detail window for groupable issues
  • Added support for Admin users to manage their Team Member's Report Policies
  • Added Profile ID information to the response of the '/scans/detail' API endpoint

NEW SECURITY CHECKS

  • Added a Login Page Identifier security check
  • Added a Content Delivery Networks (CDN) security check
  • Added a Reverse Proxies security check

BUG FIXES

  • Fixed a bug where issue counts were not returned for ongoing scans on the '/scans/detail' API endpoint
  • Fixed an issue where validation errors were shown for custom cookies
  • Fixed an issue where Technologies were not reported if a scan was completed in a short time
  • Fixed a browser compatibility issue that occurred while testing OAuth2 credentials
  • Fixed a bug where the Scan Time Window settings were not applied in Scheduled Incremental scans
  • Fixed an issue where pre-request scripts were not being sent to the scanner as expected
  • Fixed an issue where preferred Agent Group was not populated in the New Scan window
  • Fixed a bug where JavaScript settings were not set as expected for optimized Scan Policies

Netsparker Enterprise Update - 25th February 2020 (v1.5.0.929)

NEW FEATURES

  • Added a new Sitemap section to scan reports which shows crawled URLs and identified issues
  • Added a new in-app notification section called What's New which informs for important announcements
  • Added out of the box issue tracking integration for Freshservice, YouTrack, and Splunk
  • Added facility to send New Scan notifications using the Microsoft Teams integration
  • Added Pre-Request Script feature which helps to configure HMAC Authentication on New Scan page (On-Premises only)
  • Added new API endpoints for managing technologies
  • Upgraded the Netsparker scanning engine to version 5.6.3.27318

IMPROVEMENTS

  • Redesigned Scan Summary section on Scan Report page
  • Improved scan queue scheduling process which prevents multiple scans with same settings to be queued
  • Improved Out-of-Date technologies email template for mobile clients
  • Improved rendering for large fields on the scan report template
  • Improved help text for Enable/Disable Agent actions on Manage Agents page
  • Security Check Groups are now arranged into sub-groups in the New Scan Policy
  • Set current user as the default technical contact on New Website page

NEW SECURITY CHECKS

  • Added version disclosure and out-of-date checks for Telerik Web UI
  • Added detection and out-of-date checks for Java and GlassFish

BUG FIXES

  • Fixed a bug where filtering is not working as expected on the Report Policies page
  • Fixed an error that was thrown during generating the Mod Security WAF Rules Report
  • Fixed an issue where testing basic authentication credentials were not working as expected
Netsparker Enterprise Update - 17th January 2020 (v1.4.1.925)

NEW FEATURES

  • Added out of the box issue tracking integration for Kenna
  • Added OTP support to the Form Authentication tab in the New Scan window
  • Added filtering support to the New Notification window, which means you can filter the issues that will be sent for a Scan Completed event
  • Upgraded the Netsparker scanning engine to version 5.5.4.26863

IMPROVEMENTS

  • Added a new setting, Max Uploaded File Size, to the General Settings window (On-Premises only)
  • Improved the UI design of the Scan Summary section on the Report window
  • A Time Zone option has been added to the Scan Time Window tab
  • Improved the Azure DevOps integration to support email addresses for the Assigned To setting
  • Improved the Scan Completed event template's SMS notification text
  • Added an About page to display VDB and app versions, available by clicking your name (On-Premises only)
  • Added the ability to filter using Website Group names for various API endpoints
  • A detailed error message is now displayed if an imported file is invalid
  • Improved GitHub integration to support the GitHub Enterprise edition

BUG FIXES

  • Fixed an issue where Imported Links were not being saved when the Target URL was empty
  • Fixed an issue where all proofs were not displayed for Stored Cross-Site Scripting vulnerabilities
  • Fixed a bug where the 'Do not stop scan when maximum logout is exceeded' setting was not working as expected

Netsparker Enterprise Update - 2nd December 2019 (v1.3.12.189)

NEW FEATURES

  • Introduced Technologies feature which finds and lists the technologies used in web applications and reports on problems
  • Added out of the box issue tracking integration for PagerDuty, Clubhouse, Trello, Asana, Webhook, Microsoft Teams, and CircleCI
  • Added new API endpoints for managing Team Members and listing Activity Logs
  • Added a new Scan Profiles page in the Scans menu
  • Added a new Comments box to the New Scan window, accessible while launching scans
  • Added facility to send New Scan notifications using the Slack integration
  • Upgraded the Netsparker scanning engine to version 5.5.1.26518

NEW SECURITY CHECKS

  • Added a new Security Check – HTTP Parameter Pollution (HPP)
  • Added a new Security Check – BREACH Attack Detection
  • Added Out-of-Date checks for Ext JS
  • Added Oracle Cloud and Packet Cloud SSRF attack patterns
  • Added a Web Cache Deception engine to the list of Security Checks
  • Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
  • Added new attack patterns for DOM based XSS
  • Added new attack patterns for Remote Code Execution in Ruby
  • Added new attack patterns for Out-of-Band Remote Code Execution in Ruby
  • Added new attack patterns for Remote Code Execution in Python
  • Added new attack patterns for an Open Redirect security check
  • Added an email validation bypass payload for XSS
  • Added a header injection XSS pattern
  • Added a security check to determine whether an HTTP website has been implemented with SSL/TLS
  • Added a security check for File Content Disclosure in Ruby on Rails by exploiting an Accept header
  • Added mutation XSS patterns
  • Fixed the SSRF confirmation problem
  • Added Apple’s App-Site Association file detection
  • Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
  • Added new LFI attack patterns for the access.log file
  • Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
  • Added support for detecting Python Remote Code Execution
  • Added RFC compatible SSRF IPv6 patterns
  • Improved the Apache Struts (CVE-2013-2251) attack pattern
  • Added PHP Injection Fixed One Time Referrer attack
  • Updated the attack value of the PHP Injection Fixed One Time Attack pattern to use short notation instead of the print function
  • Improved the Regex pattern of the WebLogic Version Disclosure pattern
  • Added a PoC pattern for Apache Struts (CVE-2013-2251)
  • Added Out-of-Date checks for the Slick JavaScript library
  • Added Out-of-Date checks for the ScrollReveal JavaScript library
  • Added Out-of-Date checks for the MathJax JavaScript library
  • Added Out-of-Date checks for the Rickshaw JavaScript library
  • Added Out-of-Date checks for the Highcharts JavaScript library
  • Added Out-of-Date checks for the Snap.svg JavaScript library
  • Added Out-of-Date checks for the Flickity JavaScript library
  • Added Out-of-Date checks for the D3.js JavaScript library
  • Added Out-of-Date checks for the Google Charts JavaScript library
  • Added Out-of-Date checks for the Hiawatha and Cherokee server
  • Added Out-of-Date checks for the Oracle WebLogic server
  • Added Out-of-Date check for IIS
  • Added Version Disclosure detection for the Hiawatha Server
  • Added Version Disclosure detection for the Cherokee Server
  • Added Source Code Disclosure checks for Java Servlets
  • Added Source Code Disclosure checks for Java Server Pages
  • Added New Source Code Disclosure patterns for Java
  • Added detection for .htaccess file Identified
  • Added detection for Opensearch.xml files
  • Added detection for SQLite error messages
  • Added detection for security.txt files
  • Added detection for swagger.json files
  • Added detection for Open Search files

IMPROVEMENTS

  • Added the ability to create custom fields for ServiceNow integration
  • Added auto-detection of the Time zone during the sign up process
  • Improved Jira integration to support raw values for complex custom field types
  • Added a new format option to the Date and Time Format dropdown in the Change Account Settings window
  • Improved the text in Email Notifications
  • Improved the Category field's option names in the New ServiceNow Integration window
  • Improved the Issue template for Azure DevOps integrations
  • Added capability to add User Mapping for hosted Jira systems
  • Added more details to the CSV report which can be generated from the Activity Logs window
  • Added ongoing scan information for the target agent in the Manage Agents window
  • Added the capability to disable the Maximum Scan Duration field in the New Scan window (On-Premises only)

BUG FIXES

  • Fixed an inaccurate warning message that was displayed when canceling a scan
  • Fixed an issue where the Technical Contact was not set as expected in the Edit Website window
  • Fixed an issue where a website could not be added if the target URL contained a hyphen character
  • Fixed an issue where the configured Scan Profile was not used in Azure DevOps integrations
  • Fixed various browser compatibility issues with Safari
  • Fixed a bug where validation was not working as expected for the Hawk settings in the Scan Policy window
Netsparker Enterprise Update - 13th September 2019 (v1.2.4.181)

NEW FEATURES

  • Added support for using internal agents along with AWS cloud integration (On-Premises only)
  • Added out of the box Issue tracking integration for Redmine, Bugzilla and Kafka
  • Added support for bulk operations on the Recent Scans page. It's now easier to cancel, pause, or delete multiple scans at the same time.
  • Added new API endpoints for managing agents
  • Added an option to change the Technical Contact for each website in a group in the Edit Website Group page
  • Added support for exporting data on Activity Logs and Manage Team pages
  • Added the ability to convert a completed scan into a Scheduled Scan
  • Upgraded the Netsparker scanning engine to v5.3-hf7(5.3.0.24998)

NEW SECURITY CHECKS

  • Added a new security engine named Malware Analyzer which detects any web malware injected into websites (Scanner Agent's operation system should be Windows Server 2016 or above)

IMPROVEMENTS

  • Improved support for scenarios where OAuth2 is used in conjunction with Basic Authentication
  • Improved the status text displayed for delayed scans
  • Set the account owner's Data and Time Format as the default for new team members
  • Added Scan Owner information to various scan reports and API endpoints
  • Improved the response message for the /scans/delete API endpoint
  • Added all issue content to the /issues/allissues API endpoint
  • Added a Mark all as Read option for notifications that are shown inside the application on the Application Notifications page
  • Added Technical Contact information to files exported from the Websites page
  • Added Vulnerability Severity Level for the selected issue in the Technical Report
  • Upgraded Bootstrap, jQuery and Knockout.js dependencies to the latest versions
  • Added Create Invitation (team member invitations) into the Activity Log
  • Improved the API docs by adding sample values for request and response messages
  • Added support for filtering by Target URL to the /scans/listbywebsite API endpoint
  • Added a Clone option to the Scheduled Scans page

BUG FIXES

  • Fixed a bug where agents were sometimes hanging after failed API requests
  • Fixed an issue where the Technical Contact was not displayed for non-Admin users on the New Website page
  • Fixed an issue where an incorrect error message was shown during the configuration of a Scheduled Scan
  • Fixed a problem on the JIRA webhook where the JSON could not be serialized as expected
  • Fixed an issue where a Scan Policy could not be used on a scanner agent if it had a long name
  • Fixed a bug where the Authentication Verifier was sometimes hanging if an internal exception was thrown (On-Premises only)
  • Fixed the default value for the Agent Data Path setting (On-Premises only)
  • Fixed a bug where two-way Jira integration was not working as expected in retest scenarios
  • Fixed an issue where a cancelled PCI scan could not be deleted
  • Fixed an issue where a web application could not connect to a newly-created SQL Server database immediately (On-Premises only)
  • Fixed a bug where scans launched via JIRA integration were sometimes not starting with the configured Scan Policy
  • Fixed an issue where the temporary Scan Policy file was not deleted on scan completion on the scanner Agent

Known Issues

  • Automatic updates may fail for the On-Premises scanner Agents with an error message in the Agent's log: 'Agent couldn't find AgentAutoUpdater.exe'. To resolve this issue, first upgrade Netsparker Enterprise Web Application and copy the '[Web App Installation Folder]\App_Data\Agents\AgentAutoUpdater.exe' file to the folder where the target Agent is installed. If you need further help, please contact support@netsparker.com.
Netsparker Enterprise Update - 13th June 2019

IMPROVEMENTS

  • Added scan owner information to scan results and reports
  • Improved Internet Explorer support on several pages
  • Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
  • No longer reporting Missing X-Frame-Options header in redirect responses
  • No longer reporting Missing X-XSS protection on redirect responses
  • No longer reporting CSP Not Implemented for redirect responses
  • No longer reporting Referrer Policy Not Implemented for redirect responses

BUG FIXES

  • Fixed an issue where the Target Website could not be deleted
  • Fixed an issue where the Preferred Agent in Scan Profile could not be changed
  • Added several fixes for OAuth2 Authentication
  • Fixed a bug where Netsparker might mistakenly report some cookies as Not Secure
  • Fixed an issue where connection problems on the Target Website were causing high CPU usage
Netsparker Enterprise Update - 13th May 2019

NEW FEATURES

  • Added auto update support for scanner agents
  • Improved the Manage Agents page to support filtering and allow the running of commands
  • Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
  • Added new API endpoints for managing issues
  • Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added an option to report only confirmed issues while generating reports
  • Added an option to exclude addressed issues while generating reports
  • Added F5 WAF rule generation
  • Added RESTful API Modeling Language (RAML) link import support
  • Added the ability to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

  • Added new XSS pattern that injects the attack payload into the HREF attribute
  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added a Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injections
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added a config.json check to the Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
  • Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
  • Improved the responsive design for several pages
  • Changed some wording for vulnerability details to use same wording as Netsparker Standard
  • All clicked external links now open in a new window
  • The Target website URL cannot also be added as an Additional Website on the New Scan page
  • New logo has been added to the top bar
  • Improved Resource Finder step on the Scan Policy Optimization Wizard
  • Jira issues are now assigned to the person who started the scan
  • Improved the queue performance for scans running on cloud scanner agents
  • Improved the layout for reports where no vulnerabilities are detected
  • Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
  • Added Reporter (account id type) to the JIRA integration page
  • Updated SSRF ipv6 pattern names
  • Improved Scan performance by allocating computer resources better
  • Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
  • Updated Code Evaluation (PHP) attack patterns
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added support for attacking the name of POST parameters
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS in text and XML content types
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added a Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • References to 'Manuscript' have been replaced with 'FogBugz'
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

  • Notifications tab appears empty when the Target URL is not selected on the New Scan page
  • Removed client side console logs from several pages
  • Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
  • Fixed an issue where the Discovery Settings page was not working properly for low resolution views
  • Fixed an issue where the Authentication Verifier was not capturing authentication settings
  • Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
  • Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
  • Removed the Contains filter option for numeric fields
  • Fixed an issue where scans configured with a Scantime Window were blocking other scans
  • Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
  • Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
  • Fixed a validation issue in the Header Authorization settings in the New Scan page
  • Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
  • Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
  • Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
  • Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
  • Fixed a stuck scan issue on websites using the React JavaScript framework
  • Fixed a Postman file importing issue where the response was not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
  • Fixed incorrect nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed an issue that caused FP Insecure Reflected Content to be reported
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed the value of double encoded null byte in LFI and XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation
Netsparker Enterprise Update - 20th February 2019

BUG FIXES

  • Fixed an issue with setting up a new Team Member when SSO was enforced.
  • Fixed an issue which was occurring during re-installing previously terminated agent.
Netsparker Enterprise Update - 5th February 2019

NEW FEATURES

  • Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

  • Account Owner or users with Administrator permission can now delete other Team Members' policies.
  • Updated some third-party libraries to the latest version.
  • Added OWASP 2017 classification data to the Executive Summary report.
  • SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

  • Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
  • Fixed an issue that was thrown when deleting an account.
  • Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

Netsparker Enterprise Update - 17th January 2019

NEW FEATURES

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Netsparker Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans
Netsparker Enterprise Update - 27th November 2018

NEW FEATURES

IMPROVEMENTS

  • Improved colors for the app menu to follow WCAG guidelines
  • New scheduled scans are not added to the queue if a delayed one already exists
  • Improved validatation for SSO configuration pages
  • Updated EULA and TOS pages
  • Added support for deleting agents on the Manage Agents page
  • Readjusted API rate limits
  • Added a Data Protection Policy page
  • Account admins can now disable other team members' 2FA settings
  • Improved the wording on several pages
  • Improved JIRA integration to prevent reopening the same issue twice in JIRA
  • Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
  • Attack Pattern' renamed as 'Payload' in the Send To integration templates
  • Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

  • Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
  • Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan's initiation time
  • Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page
Netsparker Enterprise Update - 19th September 2018

NEW FEATURES

  • Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
  • Added out of the box integration for Slack and ServiceNow
  • Introduced Report Policy Editor which allows to customize Scan Report results
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah Go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Configured scanner agent's service options to recover automatically if it stops
  • Improved display order of vulnerabilities in several reports
  • Improved the wording in OWASP and Trend Matrix reports
  • Updated the licensing model
  • Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
  • Scheduled Scans will not be queued if a delayed one already exists in scan queue
  • Improved Agent List page to display unavailable agents
  • Improved the wording in Website and Global Dashboard pages
  • Improved '/websites/get' API endpoint to allow filtering by URL
  • Improved validation messages for SSO settings
  • Improved styling of Permission Matrix on New Team Member page
  • Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
  • Updated .NET Framework version requirement to 4.7.2
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Improved SQL Injection proof data by stripping HTML tags
  • Improved CSRF token detection in cookie values

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
  • Fixed pagination problem on Scheduled Scans and Website Group pages
  • Fixed a bug where screenshots are displayed for Scans run by Internal Agents
  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
  • Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed broken case sensitivity check for crawled links
  • Fixed FormatException that occurred while parsing cookies
  • Fixed a JsonReaderException that occured while trying to parse a Swagger document
  • Fixed parsing URLs with encoded chars
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed the issue where a Swagger YAML file cannot be imported
  • Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
  • Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate
Netsparker Enterprise Update - 25th July 2018

IMPROVEMENT

  • Updated terms of services document

BUG FIXES

  • Fixed a bug where XML reports can not be exported
  • Fixed a bug where Jenkins integration was not working as expected
  • Fixed an issue where "Check for Updates" was not displaying correct result for team member users
  • Fixed a bug where sorting was not working on Scheduled Scans page
Netsparker Enterprise Update - 23rd July 2018

NEW FEATURE

IMPROVEMENTS

  • Improved text shown after deleting a website
  • Improved text shown on Authentication Verifier Settings page
  • Improved help text for Recaptcha setting shown on Service Settings page
  • Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
  • Improved timer behaviour of validation code shown on SMS Settings page 
  • Improved order of vulnerabilities in several reports
  • Response content will not be rendered if it's higher than 10MB, instead response data can be downloaded from scan results page
  • Refactored and improved performance of reports which can be exported from Scan Results page
  • Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
  • Improved validation messages for JIRA integration
  • Improved samples for new website API documentation
  • Changed wording on General Settings page
  • Simplified endpoint format for Authentication Verifier settings

BUG FIXES

  • Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
  • Fixed a bug where imported Swagger file was not parsed during scanning
  • Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
  • Fixed an issue where Agent could not be disabled on Manage Agents page
  • Fixed an issue where Jenkins icon was not displaying properly on IE
  • Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
  • Fixed a bug where product update links were not displaying correctly
  • Fixed a bug where configured Scan Policies' user agent was not used in Authentication Verifier
  • Fixed documentation links for SSO providers
  • Fixed API authorization error thrown on notification endpoints for Team Members
  • Fixed an issue where custom reports were not displayed on Scan Results page
  • Fixed an issue where Knowledge Base data was not saved properly
Netsparker Enterprise Update - 29th June 2018

BUG FIXES

  • Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
  • Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
  • Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)