Netsparker Enterprise Update - 20th February 2019
- Fixed an issue with setting up a new Team Member when SSO was enforced.
- Fixed an issue which was occurring during re-installing previously terminated agent.
Netsparker Enterprise Update - 5th February 2019
- Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.
- Account Owner or users with Administrator permission can now delete other Team Members' policies.
- Updated some third-party libraries to the latest version.
- Added OWASP 2017 classification data to the Executive Summary report.
- SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).
- Fixed an issue that was thrown when deleting an account.
- Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.
Netsparker Enterprise Update - 17th January 2019
NEW SECURITY CHECKS
- Added a new pattern for CherryPy Version Disclosure
- Added an LFI attack pattern for WEB-INF/web.xml
- Added Ruby Error Disclosure detection
- Added WP Engine Configuration File detection
- Added CherryPy Stack Trace Disclosure detection
- Added Intro.js Out-of-date Version detection
- Added Axios Out-of-date Version detection
- Added Fingerprintjs2 Out-of-date Version detection
- Added XRegExp Out-of-date Version detection
- Added DataTables Out-of-date Version detection
- Added Lazy.js Out-of-date Version detection
- Added FancyBox Out-of-date Version detection
- Added Underscore.js Out-of-date Version detection
- Added Lightbox Out-of-date Version detection
- Added JBoss application server Out-of-date Version detection
- Added SweetAlert2 Out-of-date Version detection
- Added Lodash Out-of-date Version detection
- Added Bluebird Out-of-date Version detection
- Added Polymer Out-of-date Version detection
- Added Content Security Policy (CSP) to the Netsparker Enterprise web application
- Changed enum values to display in alphabetical order in the Value column in the Filter popup
- Added an Audit Log for Rate Limited requests
- Highlighted relevant tabs for validation errors on the New Scan Policy page
- Improved the Report Policy page to make it more responsive and added a scroll bar
- Improved help text for Application and Service Discovery pages
- Added a Check/Uncheck by Severity filtering option on the Report Policy page
- Added PHP extension attack for Nginx vulnerability to the File Upload engine
- Added File Upload patterns for the Nginx Parsing vulnerability
- Added settings to the File Upload engine for configuring upload folders
- Added errorlog.axd detection support
- Improved elmah.axd detection
- The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
- Improved SSTI PHP Smarty attack detection
- Improved the Swagger link importer to handle additional properties with integer and string value types
- Improved the Expect-CT engine by only reporting a vulnerability once for each host
- Improved RSA key confirmation by handling OpenPGP format
- Increased the HSTS Not Enabled vulnerability severity from Information to Low
- Improved HTTP 407 Proxy Authentication error handling
- Added classifications to the HSTS Not Enabled vulnerability
- Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
- Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
- Improved JSON format detection
- Replaced Unicode replacement characters with question marks in responses
- Added a Scan Policy option to attack cookies
- Improved element click DOM simulation for various element types
- SRI Not Implemented will no longer be reported for localhost URLs
- Improved ASP.NET error message detection
- Added descriptions to PCI categories in the PCI Compliance Report
- Improved Boolean SQL Injection detection
- Improved the Blind Command Injection attack patterns
- Improved the representation of Report Template compilation errors
- Misconfigured X-Frame-Options Header is now reported separately
- Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
- Improved WADL document parsing by ignoring DTDs
- Improved Open Redirect DOM based confirmation performance
- Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
- Cookie vulnerabilities report where the cookie is set from
- Improved Swagger Document Format detection
- The file upload engine now detects new links in the response after the file is uploaded
- Fixed the issue where Authentication did not work when retesting
- Fixed the issue where the Swagger importer generated an invalid JSON request body
- Fixed the ArgumentException thrown while performing Heartbleed security checks
- Fixed the issue where the wrong version was identified for Drupal
- Fixed a disallowed HTTP method issue where some methods were still being allowed
- Fixed a typo in the CSP Not Implemented vulnerability details
- Fixed a Form Authentication issue that occured on some React-based websites
- Fixed signature detection for links found via the crawler
- Fixed an issue in the CSP engine where it reported an incorrect vulnerability
- Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
- Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
- Fixed duplicate parsing source field values reported for IFrame vulnerabilities
- Fixed an issue where Apache MultiViews could not be detected in the target server
- Fixed the incorrect Cookie Expire Date set during Form Authentication
- Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
- Fixed a Content-Type parsing issue in Form Authentication
- Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
- Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
- Fixed a bug in cookie handling code during Form Authentication
- Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
- Fixed an ArgumentOutOfRangeException thrown on some long scans
Netsparker Enterprise Update - 27th November 2018
- Improved colors for the app menu to follow WCAG guidelines
- New scheduled scans are not added to the queue if a delayed one already exists
- Improved validatation for SSO configuration pages
- Updated EULA and TOS pages
- Added support for deleting agents on the Manage Agents page
- Readjusted API rate limits
- Added a Data Protection Policy page
- Account admins can now disable other team members' 2FA settings
- Improved the wording on several pages
- Improved JIRA integration to prevent reopening the same issue twice in JIRA
- Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
- Attack Pattern' renamed as 'Payload' in the Send To integration templates
- Added tooltip for Scan and Report Policies options on the New Scan page
- Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
- Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan's initiation time
- Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page
Netsparker Enterprise Update - 19th September 2018
- Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
- Added out of the box integration for Slack and ServiceNow
- Introduced Report Policy Editor which allows to customize Scan Report results
- Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities
NEW SECURITY CHECKS
- Added Out of Band Server Side Template Injection security checks
- Added signature detection check for Caddy web server
- Added signature detection check for aah Go server
- Added signature detection check for JBoss application server
- Added CakePHP framework detection
- Added CakePHP version disclosure detection
- Added CakePHP out-of-date version detection
- Added CakePHP Stack Trace Disclosure
- Added CakePHP default page detection
- Added Out of Date checks for CKEditor 5
- Configured scanner agent's service options to recover automatically if it stops
- Improved display order of vulnerabilities in several reports
- Improved the wording in OWASP and Trend Matrix reports
- Updated the licensing model
- Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
- Scheduled Scans will not be queued if a delayed one already exists in scan queue
- Improved Agent List page to display unavailable agents
- Improved the wording in Website and Global Dashboard pages
- Improved '/websites/get' API endpoint to allow filtering by URL
- Improved validation messages for SSO settings
- Improved styling of Permission Matrix on New Team Member page
- Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
- Updated .NET Framework version requirement to 4.7.2
- All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
- Added Label field for JIRA Send To actions
- Added Tags field for Manuscript (FogBugz) Send To actions
- Improved SQL Injection proof data by stripping HTML tags
- Improved CSRF token detection in cookie values
- Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
- Fixed pagination problem on Scheduled Scans and Website Group pages
- Fixed a bug where screenshots are displayed for Scans run by Internal Agents
- Fixed the incorrect Content-Type header sent during Form Authentication requests
- Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
- Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
- Fixed the error where the ExpectCT header was reported as an interesting header
- Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
- Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
- Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
- Fixed an incorrect possible LFI vulnerability when the response was redirected
- Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
- Fixed broken case sensitivity check for crawled links
- Fixed FormatException that occurred while parsing cookies
- Fixed a JsonReaderException that occured while trying to parse a Swagger document
- Fixed parsing URLs with encoded chars
- Fixed hanging Open Redirect checks caused by binary responses
- Fixed the issue where a Swagger YAML file cannot be imported
- Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
- Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate
Netsparker Enterprise Update - 25th July 2018
- Updated terms of services document
- Fixed a bug where XML reports can not be exported
- Fixed a bug where Jenkins integration was not working as expected
- Fixed an issue where "Check for Updates" was not displaying correct result for team member users
- Fixed a bug where sorting was not working on Scheduled Scans page
Netsparker Enterprise Update - 23rd July 2018
- Improved text shown after deleting a website
- Improved text shown on Authentication Verifier Settings page
- Improved help text for Recaptcha setting shown on Service Settings page
- Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
- Improved timer behaviour of validation code shown on SMS Settings page
- Improved order of vulnerabilities in several reports
- Response content will not be rendered if it's higher than 10MB, instead response data can be downloaded from scan results page
- Refactored and improved performance of reports which can be exported from Scan Results page
- Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
- Improved validation messages for JIRA integration
- Improved samples for new website API documentation
- Changed wording on General Settings page
- Simplified endpoint format for Authentication Verifier settings
- Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
- Fixed a bug where imported Swagger file was not parsed during scanning
- Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
- Fixed an issue where Agent could not be disabled on Manage Agents page
- Fixed an issue where Jenkins icon was not displaying properly on IE
- Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
- Fixed a bug where product update links were not displaying correctly
- Fixed a bug where configured Scan Policies' user agent was not used in Authentication Verifier
- Fixed documentation links for SSO providers
- Fixed API authorization error thrown on notification endpoints for Team Members
- Fixed an issue where custom reports were not displayed on Scan Results page
- Fixed an issue where Knowledge Base data was not saved properly
Netsparker Enterprise Update - 29th June 2018
- Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
- Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
- Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)
Netsparker Enterprise Update - 6th June 2018
- Improved audit logs' contents.
- Fixed an issue in "/scans/new" API endpoint.
- Fixed an issue where SMTP settings was not persisted as expected.
- Fixed an issue in IP restriction settings.
- Fixed an issue where vulnerabilities' request/response details were not displayed properly.
Netsparker Enterprise Update - 29th May 2018
- Added SSO (Single Sign-On) support (onpremises only)
- Added an option to "Scan Policy > HTTP Request" settings to capture HTTP Requests
- Added installation wizard for onpremises installation (onpremises only)
- New plugin for integration with Bamboo
- Added code highlighting support for vulnerability request and response
- Added "Scans per Website Group" report type to Reporting page
- Added an option to general settings to configure retention period for raw scan files (onpremises only)
- Netsparker Desktop integration: ability to import and export scans between the scanners.
- Added Server-Side Template Injection (SSTI) vulnerability checks.
- Added the OWASP 2017 Top Ten classifications report template.
NEW SECURITY CHECKS
- Expect-CT security checks.
- Added various new web applications in the application version database.
- Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.
- Added elapsed time information for ongoing scans
- Added an option to scan reports page for hiding addressed issues
- Improved Agents page to display configured agents' versions (onpremises only)
- Added CVSS score to JSON vulnerabilities report
- Improved user profile to display trial expiration date
- Improved response status messages on the API documentation
- Added Netsparker Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
- Improved help text for schedule scan's license errors
- Allowed team members to manage their own notification settings
- Added "Copy to Clipboard" functionality for API settings
- Improved Incremental Scan page to configure maximum scan duration
- Added an icon for scans launched by continuous integration systems
- Added "LookupId" unique identifier for vulnerabilities to "/scans/report" API endpoint
- Added "FirstSeenDate" and "LastSeenDate" fields for vulnerabilities to "/scans/report" API endpoint
- Added "CreatedAt" and "UpdatedAt" fields for "/websites/list" API endpoint
- Added "/vulnerability/list" API endpoint to list vulnerability templates
- Improved logs for client certificate validation errors
- Crawler can now parse multiple sitemaps in a robots.txt file.
- Added support for parsing swagger documents in yaml format.
- Added support for parsing relative meta refresh URLs.
- Improved parsing of websites using React framework.
- Content-Security-Policy-Report-Only header is not reported as an interesting header.
- Variations are retested before starting an incremental scan.
- Renamed FogBugz send to action to its new name Manuscript.
- GitHub Send to action now works with organization accounts and private repositories.
- Added support for handling HTTP 307 redirects.
- DS_STORE files are discovered and parsed.
- Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
- Improved MySQL double encoded string attacks.
- New Extensions scan policy settings to specify which extensions should be crawled and attacked.
- Added "Disallowed HTTP Methods" settings to scope options on the new scan page.
- Fixed an issue where empty value was not accepted for Excluded URLs
- Fixed an issue where invitation was not deleted after an account deleted
- Fixed font size for highlighted fields on vulnerability details
- Fixed an issue where validation was not working as expected for Netsparker Hawk settings
- Fixed an issue where VDB update date was not persisted as expected
- Fixed some possible vulnerabilities missing [Possible] indicator in title.
- Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
- Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
- Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
- Fixed Hawk validation error by not following redirects.
- Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
- Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
- Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
- Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
- Fixed the SSL check hang on HTTP only hosts.
- Fixed LFI engine by not analyzing source code disclosure on binary responses.
- Fixed a validation issue for some Swagger documents.
- Fixed the issue where CSP keywords are not reported when used without single quotes.
- Fixed incorrect source code disclosures reported in binary responses.
- Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
- Fixed out of date version reporting behavior when no ordinal is found in version database.
- Fixed Lighttpd version disclosure detection signatures.
- Fixed a Swagger parsing issue.
Netsparker Enterprise Update - 18th April 2018
- Fixed a bug where crawling is not working as expected.
- Fixed a security vulnerability in form authentication verification.
Netsparker Enterprise Update - 6th March 2018
- Improved XML and date samples displayed in API documentation.
- Improved input validation in the reporting page.
- Improved on-premises installation document for customers using load balancer.
- Renamed FogBugz integration to Manuscript.
- Improved validation of custom cookies.
- New scans launched outside scan window will be automatically queued
- Increased character limit for website name.
- Added more details to scanner agent's startup log.
- Improved installation error message of internal scanner agent.
- Improved vulnerability request/response data page performance.
- Improved the navigation of issues and scans.
- Improved validation of custom 404 settings in the Scan Policy.
- Added a "Copy to Clipboard" button for cURL samples in API documentation.
- Improved API documentation to show request details.
- Changed date/time format from 24-hour clock to 12-hour clock.
- Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
- Fixed the Github integration which ws not working due to TLS 1.2 connectivity problem.
- Fixed an issue where loading icon does not rendering correctly in IE11.
- Fixed a font size problem in the PCI DSS reports.
- Fixed the info messages that were not fitting in the screen on small resolutions.
- Fixed an issue in which scan profiles could be created with same name.
- Fixed a bug with website verification emails which were not being sent.
- Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.
Netsparker Enterprise Update - 31th January 2018
- Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
- New API endpoints for getting website and website group details.
- Changed Netpsparker Enterprise application's loading icon.
- Added an icon to indicate external links.
- Fixed an issue where scans are not launched on on-premises AWS scanner agents.
- Fixed an issue where realtime scan results are not displayed correctly in IE11.
- Fixed an issue where proofs are not displayed correctly on vulnerability details section.
Netsparker Enterprise Update - 13th December 2017
- Realtime scan results
- Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems.
- Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
- New API endpoint for launching group scans.
- Scheduling for incremental scans both from the web UI and API.
- New API endpoint for generating custom scan reports.
- New scan policy setting to define Web (Session and Local) Storage.
- New Header Authentication settings to manually add request headers with authentication information.
- Added support to import links from CSV files.
- Added support for parsing of gzipped sitemaps.
NEW SECURITY CHECKS
- Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
- Check for Remote Code Execution in Apache Struts (CVE-2017-5638).
- Scan Time Window setting is now available to new group scans page.
- Improved scan stability and performance.
- Improved default Form Values settings.
- Updated external references for several vulnerabilities.
- Updated default User-Agent HTTP request header string.
- Changed API endpoints to return 201-Created response status code for new resources.
- Added several UI improvements for WCAG guidelines compliance.
- Improved the email template that reports issues.
- Added "Attack Parameters" information to Scanned URLs report.
- Renamed the "Important" vulnerability severity to "High".
- Added Form Authentication performance data to Scan Performance knowledge base node.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added parsing of "Alternates", "Content-Location" and "Refresh" response headers.
- Improved CSP engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added --batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Updated the Accept HTTP header value for default scan policy.
- Added CSS exclusion selector supports frames and iframes.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Email disclosure will not be reported for email addresses used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Added more information about HTML forms and input for vulnerabilities found in HTML forms.
- Added Parameter Value column to the Vulnerabilities List report in CSV format.
- Added match by HTML element id for form values.
- Improved Windows Short Filename vulnerability details Remedy section.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
- Fixed an issue where AutoSave filename is missing during resuming a scan.
- Fixed an issue where "Test" button of authentication settings does not work as expected.
- Fixed an issue where model binding does not work as expected for scan profile API endpoints.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
- Fixed a random DOM simulation exception occurs when site creates popup windows.
- Fixed a RemotingException occurs on Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed huge parameter value deserialization memory usage.
- Fixed the wrong URLs added with only extension values.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed form authentication not triggered on retest.
- Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
- Fixed a swagger file parsing issue where target URL should be used when host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed a NullReferenceException occurs during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException may occur on iframe security checks.
Netsparker Enterprise Update - 26th September 2017
NEW SECURITY CHECK
- Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
Netsparker Enterprise Update - 19th September 2017
- Added scan policy settings for CSRF security checks.
- Added ability to use custom HTTP headers during scan.
- Added attacking optimization option for recurring parameters on different pages.
- Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.
NEW SECURITY CHECKS
- Added Referrer Policy security checks.
- Added markdown injection XSS patterns.
- Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
- Added Database Name Disclosure security checks for MS SQL and MySQL.
- Added Remote Code Evaluation (Node.js) security checks.
- Added SSRF detection with server-status.
- Added user controllable cookie detection.
- Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
- Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
- Added IIS 10.0 Version Disclosure checks.
- Added WordPress Setup Configuration File checks.
- Improved design of the group scan email template.
- Improved accessibility of several pages to follow WCAG guidelines.
- Optimized compression time while archiving the raw scan files.
- Added support for allowing users to launch scheduled scans manually.
- Disabled scheduled scans if the license is expired.
- Updated the links to several external references.
- Added DOM simulation options to scan policy optimizer wizard.
- Improved Mixed Content vulnerability reporting by separating them according to resource types.
- Improved boolean SQL injection detection for redirect responses.
- Improved WSDL parsing for files that contain optional extensions.
- Improved .sql file detection signature.
- Added extra confirmation for weak credentials detection.
- Added scan policy option to allow XHR requests during DOM simulation.
- Added form value for password input types to default scan policy.
- Improved the send to JIRA error message.
- Added maximum number of option elements per select element to simulate scan policy setting.
- Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
- Improved error based SQLi exploitation by generating prefix/suffix dynamically.
- Improved command injection vulnerability detection by prepending original parameter value to attack payload.
- Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
- Improved LFI attack patterns.
- Improved DOM XSS attack patterns.
- Improved the performance of email address disclosure detection.
- Improved the performance of database connection string disclosure detection.
- Improved the performance of RoR database configuration detection.
- Improved Blind Command Injection detection on Linux systems.
- Improved resource finder to find more hidden resources.
- Improved support for simulating customized select elements.
- Improved NTLM, Digest and Kerberos authentication support.
- Improved DOM simulation stability and performance.
- Improved the default parameter name list for Parameter Based Navigation.
- Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
- Improved boolean and blind SQL injection checks for MySQL databases.
- Improved blind SQL injection checks for PostgreSQL databases.
- Improved reflected and stored XSS detection.
- HSTS checks now reports missing preload directives.
- Updated Korean translation.
- Improved JSON response parsing.
- Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
- Improved email disclosure checks by checking host names against to public suffix list.
- Fixed a NullReferenceException which may have been thrown while editing settings of an user.
- Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
- Fixed an issue which may have been thrown while deleting an account.
- Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
- Fixed the duplicate import link issue.
- Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
- Fixed crawling of URLs on pages where base element points to some other URL.
- Fixes an issue where blacklisted Netsparker attacks prevent further source code disclosures in HTML response.
- Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
- Fixed an issue where signature fails to match MS SQL username in error messages.
- Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
- Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
- Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
- Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
- Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
- Fixed directory listing is not reported issues on some IIS versions.
- Fixed the issue where comments in CSS files are not parsed.
- Fixed the incorrect URL found in CSS comments.
- Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
- Fixed an IndexOutOfRangeException caused by CSP checks.
- Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
- Fixed markdown XSS attack patterns causing incorrect findings.
- Fixed incorrect "Interesting Header" reports for some headers.
- Fixed the incorrect http protocol displayed for SSL vulnerabilities.
- Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
- Fixed the maximum crawled URL limit exceeded issue.
- Fixed duplicate resource finder requests.
- Fixed the WADL import issue where the operation fails for responses with no status codes.
- Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
- Fixed the incorrect missing object-src report on CSP checks.
- Fixed an issue where default crawled value is double-encoded instead of single.
- Fixed the missing content for Site Profile section of Knowledge Base report.
Netsparker Enterprise Update - 21st July 2017
- Decreased scan results' registration time by optimazing database queries.
- Added several improvements for running Netsparker Enterprise on-premises on AWS.
- Added more information (such as Total Requests and Average Speed) to the detailed scan report.
- Improved code samples used in API documentation.
- Improved help text and messages.
- Added delete button to website edit page.
- Improved scanner agent's startup script to ensure agent is started properly.
- Improved sign-in/logout flow to make user sessions more secure.
- Reviewed and fixed duplicate IDs in HTML elements.
- Improved design of the email templates.
- Updated AWS SDK to the latest version.
- Added Korean support to scan report API endpoint.
- Added support for setting preferred agent name via API.
- Added status information to preferred agent section on the new scan page.
- Fixed an issue with the archiving of raw scan files.
- Fixed the total website count which was incorrect on manage website groups page.
- Fixed the user's date format that was not used while selecting dates on account settings page.
- Fixed the account settings page which was not displayed properly in high-DPI screens.
- Fixed a bug where issue counts were not displayed correctly on website dashboard page.
- Expired license error is now returned properly in API endpoints.
- Fixed issues with the order of the websites in the "Websites That Have Shortest Fix Time" widget.
- Fixed an error which was being thrown when adding a website via API in Netsparker Enterprise on-premises.
- Fixed CVE links in scan report page.
- Fixed a bug in website verification API endpoint.
- Fixed a NRE which was being thrown during exporting CSV reports.
- Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
- Fixed an error which was being thrown during deleting a scan profile.
- Fixed a bug in website verification API endpoint.
Netsparker Enterprise Update - 7th April 2017
- A wizard to assist first time users add a new website and setup a web security scan
- Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Netsparker Hawk)
New Security Checks
- Improved Boolean SQL Injection detection.
- Updated the Local File Inclusion vulnerability classifications.
- Improved Trace/Track security checks.
- Improved coverage of XSS engine in redirects.
- Added policy optimization support for SSRF security checks.
- Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
- Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
- Added VDB support to Blind & Boolean SQLi post exploitation.
- Added support for checking Open Redirection vulnerability on Refresh response header.
- Added the XPath information of the element that causes the DOM XSS vulnerability.
- Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
- Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
- Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full url attack.
- Changed severity numbers' style on scan result pages.
- Added support for editing scan time window settings for running scans.
- Highlighted special fields of vulnerability notes on the scan report page.
- Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
- Improved notifications email templates.
- Improved help text by adding netsparker.com article links to relevant sections.
- Improved input validation for request rate limit settings on the scan policy page.
- Added support for remembering previously entered filters on list pages.
- Allowing users to select CSV separator while export scan reports.
- Added support to allow users to re-verify logout settings on the form authentication verification dialog.
- Fixed several issues related to DOM parsing and simulation.
- Fixed a NullReferenceException thrown by HTTP Methods checks.
- Fixed a StackOverflowException caused by JSON responses with too many nested elements.
- Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
- Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
- Fixed an issue where scan is paused when an additional host is unreachable.
- Fixed typos in CSP vulnerability templates.
- Fixed an issue where ignored emails are still reported as knowledge base issue.
- Fixed an issue where source code disclosure is reported in JS and CSS files.
- Fixed an SQL exploitation issue where executing a SQL query which expected an integer result is no longer giving failure for PostgreSQL database.
- Fixed a Text Parser issue where single quote characters were being captured as part of links.
- Fixed the incorrect path disclosure caused by the Shellshock attack.
- Fixed missing SSRF proofs under Proofs knowledge base.
- Fixed incorrect encoded parameter names for multipart/form-data forms.
- Fixed the performance recrawling for DOM XSS checks on websites with lots of links.
- Fixed the incorrect CR LF encoding issues on proof URLs.
- Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
- Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
- Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
- Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
- Fixed a filtering issue on the Manage Team page.
Netsparker Enterprise Update - 26th January 2017
- Authentication & session verification for form based authentication.
- Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
- Support for the Netsparker Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
- Added HTTP request rate limiting options to Scan Policy.
- Added "Ignored Email Addresses" section in Scan Policy.
- Added accept and reject options for untrusted SSL certificates.
- Added an option to disable automatic detection of 404 error pages.
- Support for importation of Postman files.
New Security Checks
- Improved the performance of several link importers.
- Added "Bearer Token" support for form authentication.
- Added confirmation for Frame Injection vulnerabilities.
- Added http: and https: checks for CSP vulnerability detection.
- Improved link importers - redundant CONNECT requests are now excluded.
- Optimized attacker performance for links containing single parameter.
- Optimized crawling parser by skipping DOM simulation on pages with static content.
- Improved coverage of CORS security check with extra attacks.
- Removed GWT attacks from file upload security checks.
- Improved DOM simulation performance.
- Improved CSS parsing which now follows CSS import directives.
- Improved coverage of open redirect security checks by adding/updating attacks patterns.
- Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.
- Added CVSS information to more vulnerabilities.
- Updated vulnerability database.
- Added URL Rewrite mode to Detailed Scan Report.
- Added support for configuring websites on manage groups page.
- Improved the UI & UX of several pages.
- Fixed an issue where a “multiple cookies issue” should not be reported.
- Fixed a JSON parsing issue with text parser.
- Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
- Fixed an issue where a false positive file upload vulnerability might be reported.
- Fixed several DOM simulation issues on pages that have many iframe elements.
- Fixed a NullReferenceException while performing an internal MD5 encoding operation.
- Fixed an encoding issue on a proof URL of an XSS vulnerability.
- Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
- Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
- Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
- Fixed incorrect protocol detection for protocol-relative URLs.
- Fixed an issue which occurs during importing websites with unix line endings.
- Fixed a retest issue which occurs if vulnerable URL contains a dash character.
- Fixed an issue where SSL details were not shown properly on knowledge base report.