Netsparker Enterprise Change Log
Netsparker Enterprise Update - 13th June 2019

IMPROVEMENTS

  • Added scan owner information to scan results and reports
  • Improved Internet Explorer support on several pages
  • Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
  • No longer reporting Missing X-Frame-Options header in redirect responses
  • No longer reporting Missing X-XSS protection on redirect responses
  • No longer reporting CSP Not Implemented for redirect responses
  • No longer reporting Referrer Policy Not Implemented for redirect responses

BUG FIXES

  • Fixed an issue where the Target Website could not be deleted
  • Fixed an issue where the Preferred Agent in Scan Profile could not be changed
  • Added several fixes for OAuth2 Authentication
  • Fixed a bug where Netsparker might mistakenly report some cookies as Not Secure
  • Fixed an issue where connection problems on the Target Website were causing high CPU usage
Netsparker Enterprise Update - 13th May 2019

NEW FEATURES

  • Added auto update support for scanner agents
  • Improved the Manage Agents page to support filtering and allow the running of commands
  • Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
  • Added new API endpoints for managing issues
  • Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added an option to report only confirmed issues while generating reports
  • Added an option to exclude addressed issues while generating reports
  • Added F5 WAF rule generation
  • Added RESTful API Modeling Language (RAML) link import support
  • Added the ability to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

  • Added new XSS pattern that injects the attack payload into the HREF attribute
  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added a Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injections
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added a config.json check to the Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
  • Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
  • Improved the responsive design for several pages
  • Changed some wording for vulnerability details to use same wording as Netsparker Standard
  • All clicked external links now open in a new window
  • The Target website URL cannot also be added as an Additional Website on the New Scan page
  • New logo has been added to the top bar
  • Improved Resource Finder step on the Scan Policy Optimization Wizard
  • Jira issues are now assigned to the person who started the scan
  • Improved the queue performance for scans running on cloud scanner agents
  • Improved the layout for reports where no vulnerabilities are detected
  • Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
  • Added Reporter (account id type) to the JIRA integration page
  • Updated SSRF ipv6 pattern names
  • Improved Scan performance by allocating computer resources better
  • Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
  • Updated Code Evaluation (PHP) attack patterns
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added support for attacking the name of POST parameters
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS in text and XML content types
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added a Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • References to 'Manuscript' have been replaced with 'FogBugz'
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

  • Notifications tab appears empty when the Target URL is not selected on the New Scan page
  • Removed client side console logs from several pages
  • Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
  • Fixed an issue where the Discovery Settings page was not working properly for low resolution views
  • Fixed an issue where the Authentication Verifier was not capturing authentication settings
  • Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
  • Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
  • Removed the Contains filter option for numeric fields
  • Fixed an issue where scans configured with a Scantime Window were blocking other scans
  • Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
  • Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
  • Fixed a validation issue in the Header Authorization settings in the New Scan page
  • Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
  • Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
  • Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
  • Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
  • Fixed a stuck scan issue on websites using the React JavaScript framework
  • Fixed a Postman file importing issue where the response was not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
  • Fixed incorrect nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed an issue that caused FP Insecure Reflected Content to be reported
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed the value of double encoded null byte in LFI and XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation
Netsparker Enterprise Update - 20th February 2019

BUG FIXES

  • Fixed an issue with setting up a new Team Member when SSO was enforced.
  • Fixed an issue which was occurring during re-installing previously terminated agent.
Netsparker Enterprise Update - 5th February 2019

NEW FEATURES

  • Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

  • Account Owner or users with Administrator permission can now delete other Team Members' policies.
  • Updated some third-party libraries to the latest version.
  • Added OWASP 2017 classification data to the Executive Summary report.
  • SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

  • Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
  • Fixed an issue that was thrown when deleting an account.
  • Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

Netsparker Enterprise Update - 17th January 2019

NEW FEATURES

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Netsparker Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans
Netsparker Enterprise Update - 27th November 2018

NEW FEATURES

IMPROVEMENTS

  • Improved colors for the app menu to follow WCAG guidelines
  • New scheduled scans are not added to the queue if a delayed one already exists
  • Improved validatation for SSO configuration pages
  • Updated EULA and TOS pages
  • Added support for deleting agents on the Manage Agents page
  • Readjusted API rate limits
  • Added a Data Protection Policy page
  • Account admins can now disable other team members' 2FA settings
  • Improved the wording on several pages
  • Improved JIRA integration to prevent reopening the same issue twice in JIRA
  • Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
  • Attack Pattern' renamed as 'Payload' in the Send To integration templates
  • Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

  • Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
  • Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan's initiation time
  • Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page
Netsparker Enterprise Update - 19th September 2018

NEW FEATURES

  • Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
  • Added out of the box integration for Slack and ServiceNow
  • Introduced Report Policy Editor which allows to customize Scan Report results
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah Go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Configured scanner agent's service options to recover automatically if it stops
  • Improved display order of vulnerabilities in several reports
  • Improved the wording in OWASP and Trend Matrix reports
  • Updated the licensing model
  • Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
  • Scheduled Scans will not be queued if a delayed one already exists in scan queue
  • Improved Agent List page to display unavailable agents
  • Improved the wording in Website and Global Dashboard pages
  • Improved '/websites/get' API endpoint to allow filtering by URL
  • Improved validation messages for SSO settings
  • Improved styling of Permission Matrix on New Team Member page
  • Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
  • Updated .NET Framework version requirement to 4.7.2
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Improved SQL Injection proof data by stripping HTML tags
  • Improved CSRF token detection in cookie values

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
  • Fixed pagination problem on Scheduled Scans and Website Group pages
  • Fixed a bug where screenshots are displayed for Scans run by Internal Agents
  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
  • Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed broken case sensitivity check for crawled links
  • Fixed FormatException that occurred while parsing cookies
  • Fixed a JsonReaderException that occured while trying to parse a Swagger document
  • Fixed parsing URLs with encoded chars
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed the issue where a Swagger YAML file cannot be imported
  • Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
  • Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate
Netsparker Enterprise Update - 25th July 2018

IMPROVEMENT

  • Updated terms of services document

BUG FIXES

  • Fixed a bug where XML reports can not be exported
  • Fixed a bug where Jenkins integration was not working as expected
  • Fixed an issue where "Check for Updates" was not displaying correct result for team member users
  • Fixed a bug where sorting was not working on Scheduled Scans page
Netsparker Enterprise Update - 23rd July 2018

NEW FEATURE

IMPROVEMENTS

  • Improved text shown after deleting a website
  • Improved text shown on Authentication Verifier Settings page
  • Improved help text for Recaptcha setting shown on Service Settings page
  • Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
  • Improved timer behaviour of validation code shown on SMS Settings page 
  • Improved order of vulnerabilities in several reports
  • Response content will not be rendered if it's higher than 10MB, instead response data can be downloaded from scan results page
  • Refactored and improved performance of reports which can be exported from Scan Results page
  • Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
  • Improved validation messages for JIRA integration
  • Improved samples for new website API documentation
  • Changed wording on General Settings page
  • Simplified endpoint format for Authentication Verifier settings

BUG FIXES

  • Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
  • Fixed a bug where imported Swagger file was not parsed during scanning
  • Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
  • Fixed an issue where Agent could not be disabled on Manage Agents page
  • Fixed an issue where Jenkins icon was not displaying properly on IE
  • Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
  • Fixed a bug where product update links were not displaying correctly
  • Fixed a bug where configured Scan Policies' user agent was not used in Authentication Verifier
  • Fixed documentation links for SSO providers
  • Fixed API authorization error thrown on notification endpoints for Team Members
  • Fixed an issue where custom reports were not displayed on Scan Results page
  • Fixed an issue where Knowledge Base data was not saved properly
Netsparker Enterprise Update - 29th June 2018

BUG FIXES

  • Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
  • Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
  • Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)
Netsparker Enterprise Update - 6th June 2018

IMPROVEMENTS

  • Improved audit logs' contents.

BUG FIXES

  • Fixed an issue in "/scans/new" API endpoint.
  • Fixed an issue where SMTP settings was not persisted as expected.
  • Fixed an issue in IP restriction settings.
  • Fixed an issue where vulnerabilities' request/response details were not displayed properly.

Netsparker Enterprise Update - 29th May 2018

NEW FEATURES

  • Added SSO (Single Sign-On) support (onpremises only)
  • Added an option to "Scan Policy > HTTP Request" settings to capture HTTP Requests
  • Added installation wizard for onpremises installation (onpremises only)
  • New plugin for integration with Bamboo
  • Added code highlighting support for vulnerability request and response
  • Added "Scans per Website Group" report type to Reporting page
  • Added an option to general settings to configure retention period for raw scan files (onpremises only)
  • Netsparker Desktop integration: ability to import and export scans between the scanners.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.
  • Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

  • Added elapsed time information for ongoing scans
  • Added an option to scan reports page for hiding addressed issues
  • Improved Agents page to display configured agents' versions (onpremises only)
  • Added CVSS score to JSON vulnerabilities report
  • Improved user profile to display trial expiration date
  • Improved response status messages on the API documentation
  • Added Netsparker Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
  • Improved help text for schedule scan's license errors
  • Allowed team members to manage their own notification settings
  • Added "Copy to Clipboard" functionality for API settings
  • Improved Incremental Scan page to configure maximum scan duration
  • Added an icon for scans launched by continuous integration systems
  • Added "LookupId" unique identifier for vulnerabilities to "/scans/report" API endpoint
  • Added "FirstSeenDate" and "LastSeenDate" fields for vulnerabilities to "/scans/report" API endpoint
  • Added "CreatedAt" and "UpdatedAt" fields for "/websites/list" API endpoint
  • Added "/vulnerability/list" API endpoint to list vulnerability templates
  • Improved logs for client certificate validation errors
  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Added support for parsing swagger documents in yaml format.
  • Added support for parsing relative meta refresh URLs.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date versions.
  • Renamed FogBugz send to action to its new name Manuscript.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
  • Improved MySQL double encoded string attacks.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added "Disallowed HTTP Methods" settings to scope options on the new scan page.

BUG FIXES

  • Fixed an issue where empty value was not accepted for Excluded URLs
  • Fixed an issue where invitation was not deleted after an account deleted
  • Fixed font size for highlighted fields on vulnerability details
  • Fixed an issue where validation was not working as expected for Netsparker Hawk settings
  • Fixed an issue where VDB update date was not persisted as expected
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
Netsparker Enterprise Update - 18th April 2018

BUG FIXES

  • Fixed a bug where crawling is not working as expected.
  • Fixed a security vulnerability in form authentication verification.

Netsparker Enterprise Update - 6th March 2018

NEW FEATURES

IMPROVEMENTS

  • Improved XML and date samples displayed in API documentation.
  • Improved input validation in the reporting page.
  • Improved on-premises installation document for customers using load balancer.
  • Renamed FogBugz integration to Manuscript.
  • Improved validation of custom cookies.
  • New scans launched outside scan window will be automatically queued
  • Increased character limit for website name.
  • Added more details to scanner agent's startup log.
  • Improved installation error message of internal scanner agent.
  • Improved vulnerability request/response data page performance.
  • Improved the navigation of issues and scans. 
  • Improved validation of custom 404 settings in the Scan Policy.
  • Added a "Copy to Clipboard" button for cURL samples in API documentation.
  • Improved API documentation to show request details.
  • Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

  • Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
  • Fixed the Github integration which ws not working due to TLS 1.2 connectivity problem.
  • Fixed an issue where loading icon does not rendering correctly in IE11.
  • Fixed a font size problem in the PCI DSS reports.
  • Fixed the info messages that were not fitting in the screen on small resolutions.
  • Fixed an issue in which scan profiles could be created with same name.
  • Fixed a bug with website verification emails which were not being sent.
  • Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.
Netsparker Enterprise Update - 31th January 2018

NEW FEATURES

  • Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
  • New API endpoints for getting website and website group details.

IMPROVEMENTS

  • Changed Netpsparker Enterprise application's loading icon.
  • Added an icon to indicate external links.

BUG FIXES

  • Fixed an issue where scans are not launched on on-premises AWS scanner agents.
  • Fixed an issue where realtime scan results are not displayed correctly in IE11.
  • Fixed an issue where proofs are not displayed correctly on vulnerability details section.
Netsparker Enterprise Update - 13th December 2017

NEW FEATURES

  • Realtime scan results
  • Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems.
  • Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
  • New API endpoint for launching group scans.
  • Scheduling for incremental scans both from the web UI and API.
  • New API endpoint for generating custom scan reports.
  • New scan policy setting to define Web (Session and Local) Storage.
  • New Header Authentication settings to manually add request headers with authentication information.
  • Added support to import links from CSV files.
  • Added support for parsing of gzipped sitemaps.

NEW SECURITY CHECKS

  • Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
  • Check for Remote Code Execution in Apache Struts (CVE-2017-5638).

IMPROVEMENTS

  • Scan Time Window setting is now available to new group scans page.
  • Improved scan stability and performance.
  • Improved default Form Values settings.
  • Updated external references for several vulnerabilities.
  • Updated default User-Agent HTTP request header string.
  • Changed API endpoints to return 201-Created response status code for new resources.
  • Added several UI improvements for WCAG guidelines compliance.
  • Improved the email template that reports issues.
  • Added "Attack Parameters" information to Scanned URLs report.
  • Renamed the "Important" vulnerability severity to "High".
  • Added Form Authentication performance data to Scan Performance knowledge base node.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added parsing of "Alternates", "Content-Location" and "Refresh" response headers.
  • Improved CSP engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Updated the Accept HTTP header value for default scan policy.
  • Added CSS exclusion selector supports frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Email disclosure will not be reported for email addresses used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Added more information about HTML forms and input for vulnerabilities found in HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Added Parameter Value column to the Vulnerabilities List report in CSV format.
  • Added match by HTML element id for form values.
  • Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

BUG FIXES

  • Fixed an issue where AutoSave filename is missing during resuming a scan.
  • Fixed an issue where "Test" button of authentication settings does not work as expected.
  • Fixed an issue where model binding does not work as expected for scan profile API endpoints.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
  • Fixed a random DOM simulation exception occurs when site creates popup windows.
  • Fixed a RemotingException occurs on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed the wrong URLs added with only extension values.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed form authentication not triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed a NullReferenceException occurs during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException may occur on iframe security checks.
Netsparker Enterprise Update - 26th September 2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
Netsparker Enterprise Update - 19th September 2017

NEW FEATURES

  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
  • Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
  • Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
  • Added IIS 10.0 Version Disclosure checks.
  • Added WordPress Setup Configuration File checks.

IMPROVEMENTS

  • Improved design of the group scan email template.
  • Improved accessibility of several pages to follow WCAG guidelines.
  • Optimized compression time while archiving the raw scan files.
  • Added support for allowing users to launch scheduled scans manually.
  • Disabled scheduled scans if the license is expired.
  • Updated the links to several external references.
  • Improved JavaScript and CSS resource parsing.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Improved .sql file detection signature.
  • Added extra confirmation for weak credentials detection.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added form value for password input types to default scan policy.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
  • Improved LFI attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved Blind Command Injection detection on Linux systems.
  • Improved resource finder to find more hidden resources.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Improved reflected and stored XSS detection.
  • HSTS checks now reports missing preload directives.
  • Updated Korean translation.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against to public suffix list.

BUG FIXES

  • Fixed a NullReferenceException which may have been thrown while editing settings of an user.
  • Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
  • Fixed an issue which may have been thrown while deleting an account.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixes an issue where blacklisted Netsparker attacks prevent further source code disclosures in HTML response.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed directory listing is not reported issues on some IIS versions.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the missing content for Site Profile section of Knowledge Base report.
Netsparker Enterprise Update - 21st July 2017

NEW FEATURES

IMPROVEMENTS

  • Decreased scan results' registration time by optimazing database queries.
  • Added several improvements for running Netsparker Enterprise on-premises on AWS.
  • Added more information (such as Total Requests and Average Speed) to the detailed scan report.
  • Improved code samples used in API documentation.
  • Improved help text and messages. 
  • Added delete button to website edit page.
  • Improved scanner agent's startup script to ensure agent is started properly.
  • Improved sign-in/logout flow to make user sessions more secure.
  • Reviewed and fixed duplicate IDs in HTML elements.
  • Improved design of the email templates.
  • Updated AWS SDK to the latest version.
  • Added Korean support to scan report API endpoint. 
  • Added support for setting preferred agent name via API.
  • Added status information to preferred agent section on the new scan page.

FIXES

  • Fixed an issue with the archiving of raw scan files.
  • Fixed the total website count which was incorrect on manage website groups page.
  • Fixed the user's date format that was not used while selecting dates on account settings page.
  • Fixed the account settings page which was not displayed properly in high-DPI screens.
  • Fixed a bug where issue counts were not displayed correctly on website dashboard page.
  • "JavaScript - Elements To Skip" setting was is now set properly in new scan policy page.
  • Expired license error is now returned properly in API endpoints.
  • Fixed issues with the order of the websites in the  "Websites That Have Shortest Fix Time" widget.
  • Fixed an error which was being thrown when adding a website via API in Netsparker Enterprise on-premises.
  • Fixed CVE links in scan report page.
  • Fixed a bug in website verification API endpoint.
  • Fixed a NRE which was being thrown during exporting CSV reports.
  • Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
  • Fixed an error which was being thrown during deleting a scan profile.
  • Fixed a bug in website verification API endpoint.