Netsparker Enterprise Change Log
Netsparker Enterprise Update - 19th September 2017

NEW FEATURES

  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
  • Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
  • Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
  • Added IIS 10.0 Version Disclosure checks.
  • Added WordPress Setup Configuration File checks.

IMPROVEMENTS

  • Improved design of the group scan email template.
  • Improved accessibility of several pages to follow WCAG guidelines.
  • Optimized compression time while archiving the raw scan files.
  • Added support for allowing users to launch scheduled scans manually.
  • Disabled scheduled scans if the license is expired.
  • Updated the links to several external references.
  • Improved JavaScript and CSS resource parsing.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Improved .sql file detection signature.
  • Added extra confirmation for weak credentials detection.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added form value for password input types to default scan policy.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
  • Improved LFI attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved Blind Command Injection detection on Linux systems.
  • Improved resource finder to find more hidden resources.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Improved reflected and stored XSS detection.
  • HSTS checks now reports missing preload directives.
  • Updated Korean translation.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against to public suffix list.

BUG FIXES

  • Fixed a NullReferenceException which may have been thrown while editing settings of an user.
  • Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
  • Fixed an issue which may have been thrown while deleting an account.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixes an issue where blacklisted Netsparker attacks prevent further source code disclosures in HTML response.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed directory listing is not reported issues on some IIS versions.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the missing content for Site Profile section of Knowledge Base report.
Netsparker Enterprise Update - 21st July 2017

NEW FEATURES

IMPROVEMENTS

  • Decreased scan results' registration time by optimazing database queries.
  • Added several improvements for running Netsparker Enterprise on-premises on AWS.
  • Added more information (such as Total Requests and Average Speed) to the detailed scan report.
  • Improved code samples used in API documentation.
  • Improved help text and messages. 
  • Added delete button to website edit page.
  • Improved scanner agent's startup script to ensure agent is started properly.
  • Improved sign-in/logout flow to make user sessions more secure.
  • Reviewed and fixed duplicate IDs in HTML elements.
  • Improved design of the email templates.
  • Updated AWS SDK to the latest version.
  • Added Korean support to scan report API endpoint. 
  • Added support for setting preferred agent name via API.
  • Added status information to preferred agent section on the new scan page.

FIXES

  • Fixed an issue with the archiving of raw scan files.
  • Fixed the total website count which was incorrect on manage website groups page.
  • Fixed the user's date format that was not used while selecting dates on account settings page.
  • Fixed the account settings page which was not displayed properly in high-DPI screens.
  • Fixed a bug where issue counts were not displayed correctly on website dashboard page.
  • "JavaScript - Elements To Skip" setting was is now set properly in new scan policy page.
  • Expired license error is now returned properly in API endpoints.
  • Fixed issues with the order of the websites in the  "Websites That Have Shortest Fix Time" widget.
  • Fixed an error which was being thrown when adding a website via API in Netsparker Enterprise on-premises.
  • Fixed CVE links in scan report page.
  • Fixed a bug in website verification API endpoint.
  • Fixed a NRE which was being thrown during exporting CSV reports.
  • Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
  • Fixed an error which was being thrown during deleting a scan profile.
  • Fixed a bug in website verification API endpoint.
Netsparker Enterprise Update - 7th April 2017

New Features

  • A wizard to assist first time users add a new website and setup a web security scan
  • Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Netsparker Hawk)

New Security Checks

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
  • Added a JavaScript scan policy option to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full url attack.
  • Changed severity numbers' style on scan result pages.
  • Added support for editing scan time window settings for running scans.
  • Highlighted special fields of vulnerability notes on the scan report page.
  • Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
  • Improved notifications email templates.
  • Improved help text by adding netsparker.com article links to relevant sections.
  • Improved input validation for request rate limit settings on the scan policy page.
  • Added support for remembering previously entered filters on list pages.
  • Allowing users to select CSV separator while export scan reports.
  • Added support to allow users to re-verify logout settings on the form authentication verification dialog.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed typos in CSP vulnerability templates.
  • Fixed an issue where ignored emails are still reported as knowledge base issue.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query which expected an integer result is no longer giving failure for PostgreSQL database.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the performance recrawling for DOM XSS checks on websites with lots of links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
  • Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
  • Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
  • Fixed a filtering issue on the Manage Team page.
Netsparker Enterprise Update - 26th January 2017

New Features

  • Authentication & session verification for form based authentication.
  • Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
  • Support for the Netsparker Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section in Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.
  • Support for importation of Postman files.

New Security Checks

Improvements

  • Improved the performance of several link importers.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers - redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.
  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.
  • Added URL Rewrite mode to Detailed Scan Report.
  • Added support for configuring websites on manage groups page.
  • Improved the UI & UX of several pages.

Bug Fixes

  • Fixed an issue where a “multiple cookies issue” should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
  • Fixed an issue where a false positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
  • Fixed an issue which occurs during importing websites with unix line endings.
  • Fixed a retest issue which occurs if vulnerable URL contains a dash character.
  • Fixed an issue where SSL details were not shown properly on knowledge base report.

Netsparker Enterprise Update - 1st December 2016

New Feature

Improvements

  • Description in Scan Status have been improved to give a better overview.
  • Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled.
  • Improved the names of the exported reports by adding the report type as prefix in filename.

Bug Fixes

  • Fixed an issue where the target website screenshot was not being captured.
  • Fixed the CSS styles in some knowledge base items in the scan report page.
  • Fixed an issue where the Upload client certificate button was not working.

Netsparker Enterprise Update - 17th November 2016

Fixes

  • Fixed a licensing bug in a third-party library.

Netsparker Enterprise Update - 2nd November 2016

New Technical Check

  • Added "Cookie Header Contains Multiple Cookies" check

Improvements

  • Improved the Content Security Policy (CSP) and "Misconfigured Access-Control-Allow-Origin Header" vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Improved the coverage of the boolean SQL injection vulnerability engine.

Fixes

  • Fixed an issue which was preventing the deletion of multiple websites.
  • Fixed the External CSS, Script and Frame Knowledge Base items which were not considering the port during checks.
  • Fixed an issue in the Open Redirect detection where incorrect URLs may also be reported.
  • Fixed an issue related to the form authentication which prevents logout detection during attacking phase.
  • Fixed an Local File Inclusion (LFI) vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an incorrect retest result which occurs when the target website is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
Netsparker Enterprise Update - 18th October 2016

New Features

New Web Security Checks

Improvements

  • Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.

Bug Fixes

  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
  • Fixed a DOM simulation issue occurs when there is a form element with name "action" on target web page.
  • Fixed duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException on occurs during CORS security checks.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.
Netsparker Enterprise Update - 21st September 2016

New Features

Improvements

Bug Fixes

  • Fixed wrong websites threat levels (they were just representing the last scan's threat level).
  • Fixed the security overview chart which was showing only the last scan's threat level for each website.
Netsparker Enterprise Update - 30th June 2016

NEW FEATURES

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to better handle large websites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of Local File Inclusion security check engine.
  • Improved the automatic form authentication script to click the "button" HTML elements if no suitable button is found.
  • Improved the "HTML Base Tag Hijacking" vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of "Redirect Body Too Large" vulnerability.

BUG FIXES

  • Fixed the "Cross-site Scripting via Remote File Inclusion" vulnerability, which was not being confirmed automatically.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
  • Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue in which XSS proof URL was missing alert function call.
  • Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed cURL login sample in API documentation.
Netsparker Enterprise Update - 5th May 2016

NEW SECURITY CHECKS

Netsparker Enterprise Update - 4th May 2016

New Features

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI "Long attack - boot.ini" attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the "MIME Types" knowledge base list by ordering items alphabetically.
  • Added "Extract static resources" option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication "Override Target URL with authenticated page" issue which caused a wrong URL to be identified as the "Target URL".
  • Fixed a highlighting issue where the URL for "Insecure Frame (External)" vulnerability is partially highlighted.
  • Fixed an incorrect "Source Code Disclosure" vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed a broken link in XSS vulnerability templates.

Netsparker Enterprise Update - 11th April 2016

New Features

New Security Checks

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

Improvements

  • Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
  • Improved "Not Found Analyzer" to better handle binary responses and long strings.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved DOM parser to skip redirect responses.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous javascript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.
  • Improved UI of the scan policy optimized wizard.
  • API authentication method updated for backward compatibility.

Bug Fixes

  • Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements' change event were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability fix is reported by mistake.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library security checks.
  • Fixed a custom form authentication API issue where "ns" namespace was conflicting with a global variable on target website - auth API has been moved to "netsparker" namespace preserving the "ns" backward compatibility.
  • Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
  • Fixed a form values issue - empty form values should not set any default values for parameters.
  • Fixed an issue during which the setting of the Connection request header failed.
Netsparker Enterprise Update - 17th March 2016

Improvements

  • Increased severity of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability to Important
  • Added support for adding several more request HTTP headers including the "Host" header
Netsparker Enterprise Update - 11th March 2016

New Features

  • Scan profiles can now be shared with all team members
  • Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one

New Web Security Checks

  • Added security check for the new DROWN SSL/TLS vulnerability
  • Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
  • Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
  • Added version checks for OpenCart web application

Improvements

  • Improved JavaScript/DOM simulation for better DOM XSS security checks
  • Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
  • Authentication settings moved from website to scan launch screen to be included in scan profile
  • Scan scheduling operations seperated from scan launch screen
  • Changed the "Configure a new scan" page to a more ergonomic interface
  • Users with admin permission can no longer see team member's API token
  • Added endpoint type field to activity logs. (API or Web UI)
  • Added a new scan policy setting section for JavaScript related settings
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

Bug Fixes

  • Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Netsparker was making requests to addresses that are generated by its own attacks
  • Fixed elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledge base while doing manual crawling
  • Fixed HSTS engine where an http:// request may cause to loose current session cookie
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issues of delegated events not simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Netsparker are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
  • Fixed the issue of "Strict-Transport-Security" is being reported as "Interesting Header"
  • Fixed the broken HIPAA classification link
Netsparker Enterprise Update - 29th January 2016

New Features

  • Added "Fixed Vulnerabilities" chart to website and global dashboard
  • Added vulnerability list to website dashboard

Improvements

  • Improved support for Single Page Applications (SPA) and dynamic web applications by rewriting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added trend report support for all scan groups
  • Improved cookie validation on the new scan page
  • Removed web application fingerprint step from the Scan Policy Optimizer wizard
  • Added tooltips for URL rewrite settings on the new scan page
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added proof of concept for the blind SQLi vulnerabilities
  • Added "Proofs" knowledge base nodes
  • Improved "Remember Me" functionality on the login page
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter's meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added .svg to default set of ignored extensions on the policy settings

Bug Fixes

  • Fixed documentation of conditionally required fields in API
  • Fixed editing issues on collective editor of vulnerability tasks
  • Disabled website verification for on-premises installations
  • Fixed a bug which could occur while taking a screenshot during the scan
  • Fixed a bug that occurs when a proof of concept is empty
  • Fixed a FileNotFoundException occurs while caching DOM requests
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Netsparker's latest version
  • Fixed the slow performance issue which occurs when "Automatically Detect Settings" proxy setting is enabled
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
Netsparker Enterprise Update - 15th January 2016

FIXES

  • Fixed a bug where vulnerability evidence was not persisted as expected
Netsparker Enterprise Update - 7th January 2016

FEATURES

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS 

  • Improved calculating algorithm of vulnerability fix times
  • Manage team permission replaced with "Admin" permission
  • Added support to see website dashboard without scan group filter
  • Added scan type information to "Detailed Scan Report"
  • Added paging support for scan policy list
  • Improved new user email template
  • Increased website verification failure limit
  • Changed vulnerability chart's colors on the dashboard page
  • Added icons for displaying vulnerability status on the vulnerability task page
  • Knowledgebase items are expanded by default if they contain a single item
  • Added retestable information to vulnerability detail on the scan report page
  • Users are redirected to scan group create page if no scan group is found on new scan
  • Added a warning message if target path does not end with a trailing slash on the new scan
  • Added first seen date information to vulnerabilities page
  • Several scan performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Updated embedded chrome based browser engine to version 41
  • Added more ignored parameters for ASP.NET web applications
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software has an important vulnerability
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved Apache Tomcat detection patterns
  • Increased the number of sensitive comments reported
  • Improved text parser improvements
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed an issue where imported relative links were not set correctly
  • Fixed an issue where scheduled scan names were duplicated
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue which image submit elements were not clicked
  • Fixed an issue occurs when the HTTP response body starts with unicode BOM
  • Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
  • Fixed static resource finder where it was not following a redirect
  • Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
  • Fixed ""Missing Content-Type"" reporting issue where redirected responses should not be reported
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan panel
  • Fixed documentation for nginx vulnerability template that explains how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with ""javascript:"" protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed a WSDL parsing issue where reference parameters were not handled correctly
  • Fixed a WSDL parsing issue where XML types were not handled correctly
  • Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability

Netsparker Enterprise Update - 14th September 2015

FEATURES

  • Mobile friendly UI with a lot of design improvements
  • Added support for sending notification email for canceled scans

IMPROVEMENTS 

  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of Maximum 404 Signature setting to be store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation
  • Replaced scan finish dates with scan urls in global dashboard
  • Permissions can be entered while inviting user
  • Added icon for scheduled scan items
  • Optimized instance launch times for AWS agents
  • Improved API documentation for scan policy and website endpoints
  • Improved website address validation rules
  • Improved website selection on the new scan page
  • Added tooltips to scan policy and new scan pages
  • Added Enable Content Type Checks setting to scan policy scope section
  • Improved validation for scan profile names
  • Improved notification email templates

FIXES

  • Scheduled scan's target url's scheme could not be changed
  • Fixed tooltip text for completed scans
  • Fixed a bug where entered URL rewrite rule was overridden on focusing to regex input
  • Fixed an issue where Ignore These Content Types setting was not set correctly
  • Fixed an issue where scan policy names were duplicated
  • Fixed an issue where form authentication settings were not initialized correctly for group scans
  • Fixed DOM simulation issue where all delegated events on an elements were not being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled

Netsparker Enterprise Update - 14th July 2015

FEATURES

  • Policy Settings Permission Change: In order to manage Policy Settings, "Start New Scan" permission is required now
  • Added Two Factor Authentication Support - Account admins can enforce 2FA to team members
  • Added weekly intervals support to trend report in the website dashboards
  • Added support for displaying pending tasks on the website dashboard
  • Mobile-friendly UI with a lot of design improvements

IMPROVEMENTS

  • Added weekly interval support to dashboard trend
  • Added pending vulnerability tasks to website dashboard
  • "Your account" page split into four pages
  • Team member disable support
  • Improved scan data cleanup to remove raw scan files
  • Improved email sending process to ensure emails are sent for correct actions
  • Added status change logs for vulnerability tasks
  • Added an email button to Team Invitation page
  • Users can resend invitations with this button
  • Improved error messages when email fails to send

FIXES

  • Fixed Browser Compatibility Warning shown in Chrome on iPhone.
  • Fixed an error which occurs while deleting a scan policy
  • Fixed target URL link on scan report page