Netsparker Enterprise On-Premises Update - 19th August 2021 (v2.1)

NEW FEATURES

• Added GitHub Actions CI/CD integration.
• Added Authentication Profiles feature to be able to define shared authentication once and utilize them on many scans without explicitly configuring Form Authentication for websites utilizing the same authentication procedure.
• Added UrbanCode Deploy
• Added Azure Pipeline Extensions
• Added the ability to tag issues
• Added a new Scope option for Scan Groups of Websites while configuring notifications to be able to better scope notifications for web applications/APIs under a website.
• Added State filter to notifications which you can use issue states like Fixed, Revived, New, etc. as filtering options.
• Added Choose Scan Profile while scheduling from API
• Added support for TLS 1.3 protocol

IMPROVEMENTS

• Removed the scan report selection from notification events that do not produce any reports.
• Added account-based option to display authentication credentials on API responses.
• Improved time zone calculations to handle new time zones.
• Improved configuration validation error messages for Privileged Access Management integrations.
• Added an option to specify a scan profile while scheduling scans through API.
• Added support for Form Authentication Custom Scripts for cases when a Privileged Access Management integration is used.
• Added support for 11 digit phone numbers while inviting a new member.
• Added an option to ServiceNow integration to specify if the incident should be set to Closed when the vulnerability is fixed.
• The Category selection for ServiceNow integration is editable.
• Added a field to specify the user’s Single Sign-On email address while creating a new team member using the API.
• Improved configuration options for Jenkins.
• Added the option to fail Jenkins build for only confirmed vulnerabilities
• The login process redirects the Single Sign-On users to their providers
• Added NIST, DISA STIG, and ASVS classifications to Report Policy
• Added support for importing links from multiple RAML files from a ZIP file (include directive support).
• Improved Azure AD Single Sign-On in-app help text.
• Removed the Current Password field for admin users (logged in with Single Sign-On) while editing a member.
• Added “Maximum URL Rewrite Signature” Scan Policy Crawling option.
• Improved role assignment for website groups while inviting new members
• Added IgnoreSslCertificateErrors option to Docker agent.
• Improved GitLab CI/CD script failure conditions.

FIXES

• Adding a title to the API field in the edit team member page
• Fixed an issue that occurs with updating scan profile
• Fixed an issue with Imported Links getting updated to Null while using Update ScanProfiles API
• Fixed the validation problem
• Fixed some bugs for the Sitemap
• Fixed an issue that getting an error which caused by connection problem with authentication verification hub on scheduled scan
• Fixed the problem of not being able to delete the scan with a profile
• Fixed the forgot password issue for Single Sign-On
• Fixed an issue where the Launch button does not get enabled on the New Scan page after you enable the IAST scanning and download the sensor files.
• Fixed an issue where a notification that is sent to an external email address was not displayed on the audit logs.
• Fixed an issue where starting a PCI scan via using API could not start the scan.
• Fixed an issue where a new notification created via API does not add the specified integration(s) to the new notification.
• Fixed an issue where a team member was not created in API if the auto-generated password is enabled.
• Fixed an issue where the custom value of FormAuthPageLoadTimeout was being overridden by its default value.
• Fixed validation error messages on the Email Settings page.
• Fixed some of the swagger API validation errors reported for the REST API
• Fixed an agent scan stuck issue while archiving
• Fixed a retest problem where some issues could not be retested
• Fixed an agent auto-update issue
• Fixed an issue with the GitLab integration script where builds were not failing when they were supposed to fail
• Fixed an issue where the “Add Attachment Report” section was missing while adding a new notification
• Fixed a mismatching type issue on /scanprofiles/list API response model
• Fixed an issue where a failed scan sends an excessive amount of email notifications
• Fixed an issue where Exclude Authentication Page configuration resets when another scan is performed
• Fixed agent auto-update issues
• Fixed an unhandled ArgumentNullException which causes some authenticated scans to fail
• Fixed an error that occurs while trying to mark an issue as false positive
• Fixed an internal server error that happens while using the /api/1.0/scanprofiles/update API endpoint for some profiles
• Fixed an issue where a deleted issue tracker integration was still keeping the old issues IDs referenced
• Fixed an issue where the helper NHS service is unexpectedly terminated on environments with multiple agents running

NEW FEATURES

• Added Netsparker Shark that enables Interactive Application Security Testing (IAST)
• Added the ability to execute Custom Scripts for Security Checks
• Added the ability to edit wordlist entries in the Forced Browsing
• Added the integration with CyberArk Enterprise Password Vault
• Added the Scan Profile column to the Recent Scans window

IMPROVEMENTS

• Improved the visual elements of the dashboard
• Improved the performance of the Technology Dashboard
• Added the ability to create new SSO users via API
• Added the ability to get a team member's last login timestamp via API
• Added the Website URL filter to the Scheduled Scans page
• Improved the performance of the Sitemap
• Updated the Name Id Policy value for SAML as the email
• Added the ability to delete the Website Groups with ID API Endpoint
• Added the Next Execution Time tooltip to the scheduled scan
• Added the Scan Profile Name information to the Scan Task Groups in the Website Dashboard
• Added the ability to save the Privileged Access Management integrations without testing
• Fixed the scan failed errors
• Added the title fields for Vulnerability List items
• The delete button is disabled for system notifications on the Notifications page
• Added the ability to assign scans to internal agents via scheduling
• Removed all (encrypted and cleartext) authentication credentials on the API responses
• Minor revision changes will also trigger agent auto-updates
• The downloaded agent log file is named agentlogs.zip
• Improved the stabilization of the agent state transitions

FIXES

• Added Script Engine Type to the Authentication Verifier
• Fixed the request agent logs bug
• Fixed handling authentication tokens while executing the form authentication
• Fixed the issue where the wrong vulnerability database version was displayed in the agent info
• Fixed the scan session null error
• Fixed the bug in the scan policy optimizer wizard tree
• Fixed the issue where users cannot create a custom script in a three-legged OAuth2 Authentication
• Notification events require appropriate permission
• Added Scan Profiles, Scans, and Scheduled Scans' links while deleting the scan policy
• Fixed XSS for Jira and Pivotal Tracker integrations
• Fixed the responsiveness of the ServiceNow category selection drop-down
• Fixed NullReferenceException while exporting scans from Netsparker Standard to Netsparker Enterprise
• Fixed an issue about a scan that is not matching with the agent which is in the selected agent group
• Fixed the scan policy cloning bug
• Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under the Scan Permission are not saved while creating new members
• Fixed the text problem in the information of the Technologies Dashboard User Interface
• Fixed an issue where users cannot save an empty Excluded URL field
• Fixed an issue where scan policy and report policy drop-down appear blank while editing the scheduled group scan
• Fixed a bug that occurs while deleting the scan profile
• Fixed the form authentication fields encryption
• Fixed the loading problem of default scan profile selection
• Fixed the Pre-Request Script Error on Scheduling Scan
• Fixed Exclude Addressed Issues on the Export Report
• Fixed usage report page style problem

IMPROVEMENTS

• Added the option to provision a new member with SSO in the New Team Member addition screen.
• SSO Email requirement is not necessary for SSO-enabled accounts without enforcement
• Renewed PCI Compliance Report template 
• Added scan profile and scan profile URL to scan report.
• Added the option to add a customized header text on the Account Settings page
• Improved issue severity sorting. Issues will be sorted as Critical, High, Medium, Low, Best Practice, Information Alerts on all pages.
• Redesigned Scan Time Window
• Improved design of important information, such as email and name, in dialogs
• Updated descriptions on edit and signup web pages
• Changed "Enable Limitless Scan" option under the General Settings to "Allow scanning without a duration limit"
• Redesigned Basic Authentication Form
• Added advanced script feature for the Azure Pipelines integration
• Updated related RegEx to let users using parentheses with the website name and profile name
• Added silent mode installation for Web Application
• Added phone number confirmation countdown timer
• Added the document link for Linux Agent installation on the New Agent page.
• Improved the speed of page loading on the Custom Script screen
• Improved the agent stability to prevent scans from being stuck
• Added the possibility to add non-registered emails in notifications
• Added SANS Top 25 report
• The Target URL will be displayed instead of the website URL in the scan reports

FIXES

• Fixed JSON Serialization problem in the scan profile
• Fixed typos in Netsparker Rest API Endpoint explanation
• Fixed the validation message on the password change page
• Fixed the validation message for admin password on the password change page
• Fixed the Bugzilla operating system field's name 
• Fixed warning message for the Website Groups Update API
• Fixed undeleted scan files (which belong to completed scans) issue
• Disable status error fixed for Linux Agent 
• Resolved Chromium's auto select certificate problem. So, the problem of not being authenticated with the client certificate was solved.
• Fixed empty exported XML issue in F5 BIG-IP ASM Rules Report
• Fixed an issue where "Password Transmitted over HTTP" issues were reported for HTTPS requests.

NEW FEATURES

• Added the Stop the Scan if the Build fails option in GitLab CI/CD
• Added the Fail the Build if one of the selected scan severity is detected option in GitLab CI/CD
• Upgraded the Netsparker scanning engine to version 5.9.1.27722.

NEW SECURITY CHECKS

• Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
• Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

IMPROVEMENTS

• Added the Scan Group selection combo box to Trend Matrix Report
• Added WASC Threat Classification Report
• Added the Export Unconfirmed option in the report generation screen
• Added the info box to Custom Scripts window for the Form Authentication 
• Added URL Rewrite Rules while a file is being imported
• Added Uniqueness Controls on the new integration wizard
• Added validations of new integration wizard
• Added Swagger JSON link API document's index
• Added the Exclude Authentication Pages checkbox when the Form Authentication option is enabled
• Improved the Discovery Page’s performance
• Improved the performance of generating reports that contain a large number of vulnerabilities
• Improved the custom script’s performance 
• Improved the website preview image resolution on the Verify Login & Logout screen
• Refactored the Report Policy Migrator 
• Disabled auto-complete in the login page inputs.
• Changed the data protection policy link 
• Changed the issue email template's website URL 
• Admin users can now set the maximum number of websites a member can add
• Excluded usage tracker list can now be added from the new scan page

FIXES

• Fixed a bug when scheduled scan with an imported file is edited by a different user
• Fixed a bug in the Custom Cookie process
• Fixed imported file bug on scan profile saving
• Added minimum agent selection control for Agent Group
• Fixed Agents Scanning tooltip 
• Fixed the auto-scaling problem that occurred while using Cloud Provider in Netsparker Enterprise On-Premises
• Fixed the First Seen Date parameter in the Kenna integration
• Fixed Burp XML file import problem. Users can import Burp XML file
• Fixed report validation export problem. Users will not get an empty file
• Fixed the error related to exporting for customers who have many websites.
• The websites belonging to the filtered website group have been provided to be exported.
• Users can now add a new URL Rewrite Rule without losing the existing ones

IMPROVEMENTS

• Added a 'Generate optimized CSS code path' feature to the Authentication Verifier
• Improved the Minimum Security Level area on the Reporting page
• Added a detailed issue template option to the template field in the ServiceNow integration
• HIPAA will be displayed instead of OWASP in the scan summary
• Added scan folder path change option for internal agents

FIXES

• Fixed the issue where the IP addresses of websites listed on the Discovered Website page were ignored
• Fixed the issue where SAML files failed to download on MAC devices
• Fixed the problem that occurred during verification of the form authentication API endpoint where it returned the same result after the first request
• Fixed the problem that occurred while configuring email notifications
• Fixed the problem that occurred while canceling stalled scans
• Fixed the connection problem that occurred while using a proxy in internal agents
• Fixed the autoscale problem in internal agents

NEW FEATURES

• Added support for alternate email for SSO login
• Added form authentication Hashicorp Vault integration ( https://www.netsparker.com/support/integrating-netsparker-enterprise-hashicorp-vault/)
• Added technologies chart to the global dashboard and website dashboard pages
• Added test credential API endpoint for scan profiles
• Added Form Auth Custom Scripting feature to the New Scan page
• Redesigned the login page 
• Redesigned the SSO help text area in the SSO settings page 
• Added an API endpoint for the Updating Issue States
• Added Travis CI integration 
• Jira integration now supports custom Resolved statuses
• Kenna integration now supports Asset Application Identifier
• Agents can now be installed using Linux and a Linux Agent button has been added to the Configure New Agent page (On-Demand Only)
• Upgraded the Netsparker scanning engine to version 5.9.027701. 

NEW SECURITY CHECKS

• Added Out-of-date security checks for the Liferay portal
• Added Version Disclosure and Out-of-date security checks for Jolokia
• Added Nested XSS security checks
• Added an ASP.NET Razor SSTI security check
• Added a Java Pebble SSTI security check
• Added a Thymeleaf SSTI security check
• Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

• Added an Issue Update API swagger model improvement
• Docker installation link has been added to the Configure New Agent page (On-Demand Only)
• New password criterion of a minimum of 15 characters has been imposed on admin and top-level users.
• Improvements have been made to the Form Authentication Test Script screen

FIXES

• Fixed the problem of a slowVulnerable Websites per Period report on the Reporting
• Fixed the file uploading problem on Imported Links
• Fixed the Knowledge Base Report's exporting problem
• Fixed the Yukon time zone problem.
• Fixed the Imported Links problem.
• Fixed the problem where the wrong time zone was displaying in Report Templates
• Moved the Scan Profile Test Credentials API post method fields to the body element
• Fixed a db file error in the Report Policy Editor
• Fixed the issue where report policy user changes were not applied when reset.
• Fixed the Vulnerability Detail page responsiveness problem
• Fixed the Sitemap treeview responsiveness problem
• Fixed the highlighted code focus problem
• Added help text to the HashiCorp vault integration page
• Fixed the bug that occurred when another team member updated the shared profile
• Fixed a bug that occured when non-admin users updated profiles
• The Report policy Editor CVSS scores fields now accept empty values
• Fixed a server error that occured while saving a cloned Scan Policy
• Fixed the problem that occurred when reconfirming the Verify Login and Logout settings

NEW FEATURES

• Added IdP initiated SAML
• Upgraded the Netsparker scanning engine to version 5.8.2.27669
• Added Pivotal Tracker integration
• Added support for SAML Assertion Encryption while configuring SSO

NEW SECURITY CHECKS

• Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
• Added out of date checks for Apache Traffic Server
• Added version disclosure for Undertow Server
• Added out of date checks for Undertow Server
• Added version disclosure for Jenkins
• Added out of date checks for Jenkins
• Added signature detection for Kestrel
• Added detection for Tableau Server
• Added detection for Bomgar Remote Support Software
• Added version disclosure for Apache Traffic Server

IMPROVEMENTS

• A new Reset Agent Token button has been added to the Configure New Agent window
• The Status field has been removed from the "api/1.0/discovery/ignorebyfilter" endpoint
• Special characters (()[]#&%! " ') are now allowed in the Scan Policy name field
• Windows and Linux Agent download buttons have been added to the Configure New Agent window
• A Null check has been added for the ImporterType in the Update Scan Profile endpoint

FIXES

• Fixed the Server Error that occured during the deletion of multiple websites
• Fixed a bug where an optimized Scan Policy did not clone properly

NEW FEATURES

• Added resetting token support for agents

FIXES

• Fixed an issue where Authentication Verification was failing to verify in the Scan Profile

NEW FEATURES

• Added Mattermost integration
• Upgraded the Netsparker scanning engine to version 5.8.1.27665
• Added API support for the Discovery service

NEW SECURITY CHECKS

• Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

• Added support for Admin users to log in with Netsparker Enterprise credentials when SSO is enforced
• Added extra information about issues to the Jira Integration
• Added control for Target Url field to disable Scan Settings if it's empty
• Added Timezone information to Scan Time Window section in the New Scan window
• The Netsparker API icon has been changed on the Integrations window
• Added Manage Issues (Restricted) to the Permission Matrix
• Added a Website Groups filter to the New Team Member window
• Added a notification for Login Failed situation during scans
• Added a Website Group filter to the Recent Technologies window

FIXES

• Fixed the More information link in the New Website window
• Fixed a bug where email notifications about Technologies were not being sent as expected
• Fixed an issue where date filters were not working as expected
• Fixed a bug in the website authentication process in the GitLab integration
• Fixed an issue where the Internal Agent automatic update process was hanging
• Fixed an issue in scans that are exported from Netsparker Standard into Netsparker Enterprise
• Fixed an issue where Mark as Read was not working in Application Notifications
• Fixed a bug where Imported Links and files were not returned for ongoing scans on the '/scans/list-scheduled' API endpoint
• Fixed a bug that occurred when adding an internal website in the '/websites/new' API endpoint
• Fixed an issue where Excluded Path was not saved in the Scan Profile save action
• Fixed an issue where Preferred Agent was not saved in the Scan Profile save action
• Fixed an issue where issue counts were duplicated in the Annual issue chart

NEW FEATURES

• Added support for U2F (Universal 2nd Factor Authentication)
• Added support for disabling API Access for a Team Member
• Added issue synchronization support for Azure DevOps and ServiceNow
• Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports
• Added CVSS 3.1 support, to help with vulnerability scores
• Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor
• Added support for sending scan reports as email attachments on scan completed notification
• Upgraded the Netsparker scanning engine to version 5.7.2.27798

IMPROVEMENTS

• Improved Integration categories and New Integration pages to provide a better user experience
• Added support for Windows Authentication (Integrated Security) for database connections (On-Premises only)
• Updated the Terms of Service page
• Added Technical Contact information to the 'websites/list' API endpoint
• Added start-end date filters to the '/scans/listbystate' and '/auditlogs/export' API endpoints
• Added an 'excludeAddressedIssues' filter to the '/scans/report/' API endpoint
• Added a Failure Reason option to the Reason filter for failed scans
• Added additional help text to the Issues' Detail window for groupable issues
• Added support for Admin users to manage their Team Member's Report Policies
• Added Profile ID information to the response of the '/scans/detail' API endpoint

NEW SECURITY CHECKS

• Added a Login Page Identifier security check
• Added a Content Delivery Networks (CDN) security check
• Added a Reverse Proxies security check

BUG FIXES

• Fixed a bug where issue counts were not returned for ongoing scans on the '/scans/detail' API endpoint
• Fixed an issue where validation errors were shown for custom cookies
• Fixed an issue where Technologies were not reported if a scan was completed in a short time
• Fixed a browser compatibility issue that occurred while testing OAuth2 credentials
• Fixed a bug where the Scan Time Window settings were not applied in Scheduled Incremental scans
• Fixed an issue where pre-request scripts were not being sent to the scanner as expected
• Fixed an issue where preferred Agent Group was not populated in the New Scan window
• Fixed a bug where JavaScript settings were not set as expected for optimized Scan Policies

NEW FEATURES

• Added a new Sitemap section to scan reports which shows crawled URLs and identified issues
• Added a new in-app notification section called What's New which informs for important announcements
• Added out of the box issue tracking integration for Freshservice, YouTrack, and Splunk
• Added facility to send New Scan notifications using the Microsoft Teams integration
• Added Pre-Request Script feature which helps to configure HMAC Authentication on New Scan page (On-Premises only)
• Added new API endpoints for managing technologies
• Upgraded the Netsparker scanning engine to version 5.6.3.27318

IMPROVEMENTS

• Redesigned Scan Summary section on Scan Report page
• Improved scan queue scheduling process which prevents multiple scans with same settings to be queued
• Improved Out-of-Date technologies email template for mobile clients
• Improved rendering for large fields on the scan report template
• Improved help text for Enable/Disable Agent actions on Manage Agents page
• Security Check Groups are now arranged into sub-groups in the New Scan Policy
• Set current user as the default technical contact on New Website page

NEW SECURITY CHECKS

• Added version disclosure and out-of-date checks for Telerik Web UI
• Added detection and out-of-date checks for Java and GlassFish

BUG FIXES

• Fixed a bug where filtering is not working as expected on the Report Policies page
• Fixed an error that was thrown during generating the Mod Security WAF Rules Report
• Fixed an issue where testing basic authentication credentials were not working as expected

NEW FEATURES

• Added out of the box issue tracking integration for Kenna
• Added OTP support to the Form Authentication tab in the New Scan window
• Added filtering support to the New Notification window, which means you can filter the issues that will be sent for a Scan Completed event
• Upgraded the Netsparker scanning engine to version 5.5.4.26863

IMPROVEMENTS

• Added a new setting, Max Uploaded File Size, to the General Settings window (On-Premises only)
• Improved the UI design of the Scan Summary section on the Report window
• A Time Zone option has been added to the Scan Time Window tab
• Improved the Azure DevOps integration to support email addresses for the Assigned To setting
• Improved the Scan Completed event template's SMS notification text
• Added an About page to display VDB and app versions, available by clicking your name (On-Premises only)
• Added the ability to filter using Website Group names for various API endpoints
• A detailed error message is now displayed if an imported file is invalid
• Improved GitHub integration to support the GitHub Enterprise edition

BUG FIXES

• Fixed an issue where Imported Links were not being saved when the Target URL was empty
• Fixed an issue where all proofs were not displayed for Stored Cross-Site Scripting vulnerabilities
• Fixed a bug where the 'Do not stop scan when maximum logout is exceeded' setting was not working as expected

NEW FEATURES

• Introduced Technologies feature which finds and lists the technologies used in web applications and reports on problems
• Added out of the box issue tracking integration for PagerDuty, Clubhouse, Trello, Asana, Webhook, Microsoft Teams, and CircleCI
• Added new API endpoints for managing Team Members and listing Activity Logs
• Added a new Scan Profiles page in the Scans menu
• Added a new Comments box to the New Scan window, accessible while launching scans
• Added facility to send New Scan notifications using the Slack integration
• Upgraded the Netsparker scanning engine to version 5.5.1.26518

NEW SECURITY CHECKS

• Added a new Security Check – HTTP Parameter Pollution (HPP)
• Added a new Security Check – BREACH Attack Detection
• Added Out-of-Date checks for Ext JS
• Added Oracle Cloud and Packet Cloud SSRF attack patterns
• Added a Web Cache Deception engine to the list of Security Checks
• Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
• Added new attack patterns for DOM based XSS
• Added new attack patterns for Remote Code Execution in Ruby
• Added new attack patterns for Out-of-Band Remote Code Execution in Ruby
• Added new attack patterns for Remote Code Execution in Python
• Added new attack patterns for an Open Redirect security check
• Added an email validation bypass payload for XSS
• Added a header injection XSS pattern
• Added a security check to determine whether an HTTP website has been implemented with SSL/TLS
• Added a security check for File Content Disclosure in Ruby on Rails by exploiting an Accept header
• Added mutation XSS patterns
• Fixed the SSRF confirmation problem
• Added Apple’s App-Site Association file detection
• Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
• Added new LFI attack patterns for the access.log file
• Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
• Added support for detecting Python Remote Code Execution
• Added RFC compatible SSRF IPv6 patterns
• Improved the Apache Struts (CVE-2013-2251) attack pattern
• Added PHP Injection Fixed One Time Referrer attack
• Updated the attack value of the PHP Injection Fixed One Time Attack pattern to use short notation instead of the print function
• Improved the Regex pattern of the WebLogic Version Disclosure pattern
• Added a PoC pattern for Apache Struts (CVE-2013-2251)
• Added Out-of-Date checks for the Slick JavaScript library
• Added Out-of-Date checks for the ScrollReveal JavaScript library
• Added Out-of-Date checks for the MathJax JavaScript library
• Added Out-of-Date checks for the Rickshaw JavaScript library
• Added Out-of-Date checks for the Highcharts JavaScript library
• Added Out-of-Date checks for the Snap.svg JavaScript library
• Added Out-of-Date checks for the Flickity JavaScript library
• Added Out-of-Date checks for the D3.js JavaScript library
• Added Out-of-Date checks for the Google Charts JavaScript library
• Added Out-of-Date checks for the Hiawatha and Cherokee server
• Added Out-of-Date checks for the Oracle WebLogic server
• Added Out-of-Date check for IIS
• Added Version Disclosure detection for the Hiawatha Server
• Added Version Disclosure detection for the Cherokee Server
• Added Source Code Disclosure checks for Java Servlets
• Added Source Code Disclosure checks for Java Server Pages
• Added New Source Code Disclosure patterns for Java
• Added detection for .htaccess file Identified
• Added detection for Opensearch.xml files
• Added detection for SQLite error messages
• Added detection for security.txt files
• Added detection for swagger.json files
• Added detection for Open Search files

IMPROVEMENTS

• Added the ability to create custom fields for ServiceNow integration
• Added auto-detection of the Time zone during the sign up process
• Improved Jira integration to support raw values for complex custom field types
• Added a new format option to the Date and Time Format dropdown in the Change Account Settings window
• Improved the text in Email Notifications
• Improved the Category field's option names in the New ServiceNow Integration window
• Improved the Issue template for Azure DevOps integrations
• Added capability to add User Mapping for hosted Jira systems
• Added more details to the CSV report which can be generated from the Activity Logs window
• Added ongoing scan information for the target agent in the Manage Agents window
• Added the capability to disable the Maximum Scan Duration field in the New Scan window (On-Premises only)

BUG FIXES

• Fixed an inaccurate warning message that was displayed when canceling a scan
• Fixed an issue where the Technical Contact was not set as expected in the Edit Website window
• Fixed an issue where a website could not be added if the target URL contained a hyphen character
• Fixed an issue where the configured Scan Profile was not used in Azure DevOps integrations
• Fixed various browser compatibility issues with Safari
• Fixed a bug where validation was not working as expected for the Hawk settings in the Scan Policy window

NEW FEATURES

• Added support for using internal agents along with AWS cloud integration (On-Premises only)
• Added out of the box Issue tracking integration for Redmine, Bugzilla and Kafka
• Added support for bulk operations on the Recent Scans page. It's now easier to cancel, pause, or delete multiple scans at the same time.
• Added new API endpoints for managing agents
• Added an option to change the Technical Contact for each website in a group in the Edit Website Group page
• Added support for exporting data on Activity Logs and Manage Team pages
• Added the ability to convert a completed scan into a Scheduled Scan
• Upgraded the Netsparker scanning engine to v5.3-hf7(5.3.0.24998)

NEW SECURITY CHECKS

• Added a new security engine named Malware Analyzer which detects any web malware injected into websites (Scanner Agent's operation system should be Windows Server 2016 or above)

IMPROVEMENTS

• Improved support for scenarios where OAuth2 is used in conjunction with Basic Authentication
• Improved the status text displayed for delayed scans
• Set the account owner's Data and Time Format as the default for new team members
• Added Scan Owner information to various scan reports and API endpoints
• Improved the response message for the /scans/delete API endpoint
• Added all issue content to the /issues/allissues API endpoint
• Added a Mark all as Read option for notifications that are shown inside the application on the Application Notifications page
• Added Technical Contact information to files exported from the Websites page
• Added Vulnerability Severity Level for the selected issue in the Technical Report
• Upgraded Bootstrap, jQuery and Knockout.js dependencies to the latest versions
• Added Create Invitation (team member invitations) into the Activity Log
• Improved the API docs by adding sample values for request and response messages
• Added support for filtering by Target URL to the /scans/listbywebsite API endpoint
• Added a Clone option to the Scheduled Scans page

BUG FIXES

• Fixed a bug where agents were sometimes hanging after failed API requests
• Fixed an issue where the Technical Contact was not displayed for non-Admin users on the New Website page
• Fixed an issue where an incorrect error message was shown during the configuration of a Scheduled Scan
• Fixed a problem on the JIRA webhook where the JSON could not be serialized as expected
• Fixed an issue where a Scan Policy could not be used on a scanner agent if it had a long name
• Fixed a bug where the Authentication Verifier was sometimes hanging if an internal exception was thrown (On-Premises only)
• Fixed the default value for the Agent Data Path setting (On-Premises only)
• Fixed a bug where two-way Jira integration was not working as expected in retest scenarios
• Fixed an issue where a cancelled PCI scan could not be deleted
• Fixed an issue where a web application could not connect to a newly-created SQL Server database immediately (On-Premises only)
• Fixed a bug where scans launched via JIRA integration were sometimes not starting with the configured Scan Policy
• Fixed an issue where the temporary Scan Policy file was not deleted on scan completion on the scanner Agent

Known Issues

• Automatic updates may fail for the On-Premises scanner Agents with an error message in the Agent's log: 'Agent couldn't find AgentAutoUpdater.exe'. To resolve this issue, first upgrade Netsparker Enterprise Web Application and copy the '[Web App Installation Folder]\App_Data\Agents\AgentAutoUpdater.exe' file to the folder where the target Agent is installed. If you need further help, please contact support@netsparker.com.

IMPROVEMENTS

• Added scan owner information to scan results and reports
• Improved Internet Explorer support on several pages
• Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
• No longer reporting Missing X-Frame-Options header in redirect responses
• No longer reporting Missing X-XSS protection on redirect responses
• No longer reporting CSP Not Implemented for redirect responses
• No longer reporting Referrer Policy Not Implemented for redirect responses

BUG FIXES

• Fixed an issue where the Target Website could not be deleted
• Fixed an issue where the Preferred Agent in Scan Profile could not be changed
• Added several fixes for OAuth2 Authentication
• Fixed a bug where Netsparker might mistakenly report some cookies as Not Secure
• Fixed an issue where connection problems on the Target Website were causing high CPU usage

NEW FEATURES

• Added auto update support for scanner agents
• Improved the Manage Agents page to support filtering and allow the running of commands
• Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
• Added new API endpoints for managing issues
• Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
• Added OAuth2 Authentication support
• Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
• Added an option to report only confirmed issues while generating reports
• Added an option to exclude addressed issues while generating reports
• Added F5 WAF rule generation
• Added RESTful API Modeling Language (RAML) link import support
• Added the ability to exclude certain URLs from URL Rewrite Detection
• Added support for importing links from WordPress REST API files
• Added a Scan Policy for OWASP Top 10 vulnerabilities
• Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

• Added new XSS pattern that injects the attack payload into the HREF attribute
• Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
• Added a Unicode Transformation (Best-Fit Mapping) security check
• Added detection for possible Header Injections
• Added out-of-date detection for Oracle Database Server
• Added out-of-date detection for Mithril
• Added out-of-date detection for ef.js
• Added out-of-date detection for Match.js
• Added out-of-date detection for List.js
• Added out-of-date detection for RequireJS
• Added out-of-date detection for Riot.js
• Added out-of-date detection for Inferno
• Added out-of-date detection for Marionette.js
• Added out-of-date detection for GSAP
• Added a config.json check to the Resource Finder
• Added detection support for TS Web access
• Added detection support for .travis.yml

IMPROVEMENTS

• Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
• Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
• Improved the responsive design for several pages
• Changed some wording for vulnerability details to use same wording as Netsparker Standard
• All clicked external links now open in a new window
• The Target website URL cannot also be added as an Additional Website on the New Scan page
• New logo has been added to the top bar
• Improved Resource Finder step on the Scan Policy Optimization Wizard
• Jira issues are now assigned to the person who started the scan
• Improved the queue performance for scans running on cloud scanner agents
• Improved the layout for reports where no vulnerabilities are detected
• Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
• Added Reporter (account id type) to the JIRA integration page
• Updated SSRF ipv6 pattern names
• Improved Scan performance by allocating computer resources better
• Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
• Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
• Updated Code Evaluation (PHP) attack patterns
• Improved DOM Simulation performance and fixed several issues
• Improved React JavaScript framework support on Form Authentication
• HTML Select elements without event listeners are simulated in DOM Simulation
• The File Upload engine searches newly discovered file names in the upload response and in the upload folders
• Improved operating system detection by the Site Profile node in the Knowledge Base
• Added support for attacking the name of POST parameters
• Improved the External References for several vulnerabilities
• Added ISO 27001 information to the Executive Summary Report
• CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
• Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
• Added support for exploiting XSS in text and XML content types
• Out of Date SQL vulnerabilities are reported as Confirmed
• Added a Cookie Whitepaper reference to cookie vulnerability templates
• Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
• Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
• More commands are executed in the Code Evaluation exploitation to generate proofs
• References to 'Manuscript' have been replaced with 'FogBugz'
• Improved RFI confirmation for URL Rewrite parameters
• Improved signatures of Nginx Version Disclosure patterns
• Optimized the attack speed of XSS and LFI engines
• Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
• Cookie checks will analyze session cookie names to detect platform-specific default session names
• Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
• Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

• Notifications tab appears empty when the Target URL is not selected on the New Scan page
• Removed client side console logs from several pages
• Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
• Fixed an issue where the Discovery Settings page was not working properly for low resolution views
• Fixed an issue where the Authentication Verifier was not capturing authentication settings
• Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
• Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
• Removed the Contains filter option for numeric fields
• Fixed an issue where scans configured with a Scantime Window were blocking other scans
• Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
• Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
• Fixed a validation issue in the Header Authorization settings in the New Scan page
• Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
• Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
• Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
• Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
• Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
• Fixed a stuck scan issue on websites using the React JavaScript framework
• Fixed a Postman file importing issue where the response was not base64 encoded
• Fixed a NullReferenceException thrown while checking mutations on DOM
• Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
• Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
• Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
• Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
• Fixed HTTP 400 errors raised by the ServiceNow Send To integration
• Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
• Fixed incorrect nonce detected without matching script block vulnerability
• Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
• Fixed an issue that caused FP Insecure Reflected Content to be reported
• Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
• Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
• Fixed the value of double encoded null byte in LFI and XSS attack patterns
• Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
• Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
• Fixed the value of the double encoded null byte in the Header Injection pattern
• Fixed the encoding of the % sign in the base64 payload in XSS attacks
• Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
• Fixed the encoding issue in the SQL Injection confirmation attack
• Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
• Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
• Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
• Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation

BUG FIXES

• Fixed an issue with setting up a new Team Member when SSO was enforced.
• Fixed an issue which was occurring during re-installing previously terminated agent.

NEW FEATURES

• Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

• Account Owner or users with Administrator permission can now delete other Team Members' policies.
• Updated some third-party libraries to the latest version.
• Added OWASP 2017 classification data to the Executive Summary report.
• SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

• Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
• Fixed an issue that was thrown when deleting an account.
• Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

NEW FEATURES

• Added issue synchronization support for Jira and Manuscript issue trackers
• Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
• Upgraded the Netsparker scanning engine to v5.2-hf2 (5.2.0.22027)
• Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
• Added out of the box Issue tracking integration for GitLab, Bitbucket, Unfuddle, Zapier, and Azure DevOps
• Added support for Swagger 3/OpenAPI link import
• Added support for importing links in the IOdocs file format
• Added Retest support for several Cookie vulnerabilities
• Added a new Knowledge Base item for Not Found pages
• Added ISO 27001 vulnerability classifications and report template
• Added custom field support for Issue tracking integrations
• Added Azure DevOps Continuous Integration system integration
• Added PowerShell support to the Gitlab Continuous Integration system integration. The Gitlab page now has Integration Script Generator information for Gitlab PowerShell scripts.
• Added Pipeline Script Generation support to Jenkins Continuous Integration system informtion. The Jenkins page now has Integration Script Generation information for Jenkins Pipeline scripts.

NEW SECURITY CHECKS

• Added a new pattern for CherryPy Version Disclosure
• Added an LFI attack pattern for WEB-INF/web.xml
• Added Ruby Error Disclosure detection
• Added WP Engine Configuration File detection
• Added CherryPy Stack Trace Disclosure detection
• Added Intro.js Out-of-date Version detection
• Added Axios Out-of-date Version detection
• Added Fingerprintjs2 Out-of-date Version detection
• Added XRegExp Out-of-date Version detection
• Added DataTables Out-of-date Version detection
• Added Lazy.js Out-of-date Version detection
• Added FancyBox Out-of-date Version detection
• Added Underscore.js Out-of-date Version detection
• Added Lightbox Out-of-date Version detection
• Added JBoss application server Out-of-date Version detection
• Added SweetAlert2 Out-of-date Version detection
• Added Lodash Out-of-date Version detection
• Added Bluebird Out-of-date Version detection
• Added Polymer Out-of-date Version detection

IMPROVEMENTS

• Added Content Security Policy (CSP) to the Netsparker Enterprise web application
• Changed enum values to display in alphabetical order in the Value column in the Filter popup
• Added an Audit Log for Rate Limited requests
• Highlighted selected option for JavaScript section on the New Scan Policy page
• Highlighted relevant tabs for validation errors on the New Scan Policy page
• Improved the Report Policy page to make it more responsive and added a scroll bar
• Improved help text for Application and Service Discovery pages
• Added a Check/Uncheck by Severity filtering option on the Report Policy page
• Added PHP extension attack for Nginx vulnerability to the File Upload engine
• Added File Upload patterns for the Nginx Parsing vulnerability
• Added settings to the File Upload engine for configuring upload folders
• Added errorlog.axd detection support
• Improved elmah.axd detection
• The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
• Improved SSTI PHP Smarty attack detection
• Improved the Swagger link importer to handle additional properties with integer and string value types
• Improved the Expect-CT engine by only reporting a vulnerability once for each host
• Improved RSA key confirmation by handling OpenPGP format
• Increased the HSTS Not Enabled vulnerability severity from Information to Low
• Improved HTTP 407 Proxy Authentication error handling
• Added classifications to the HSTS Not Enabled vulnerability
• Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
• Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
• Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
• Improved JSON format detection
• Replaced Unicode replacement characters with question marks in responses
• Added a Scan Policy option to attack cookies
• Improved element click DOM simulation for various element types
• SRI Not Implemented will no longer be reported for localhost URLs
• Improved ASP.NET error message detection
• Added descriptions to PCI categories in the PCI Compliance Report
• Improved Boolean SQL Injection detection
• Improved the Blind Command Injection attack patterns
• Improved the representation of Report Template compilation errors
• Misconfigured X-Frame-Options Header is now reported separately
• Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
• Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
• Improved WADL document parsing by ignoring DTDs
• Improved Open Redirect DOM based confirmation performance
• Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
• Cookie vulnerabilities report where the cookie is set from
• Improved Swagger Document Format detection
• The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

• Fixed the issue where Authentication did not work when retesting
• Fixed the issue where the Swagger importer generated an invalid JSON request body
• Fixed the ArgumentException thrown while performing Heartbleed security checks
• Fixed the issue where the wrong version was identified for Drupal
• Fixed a disallowed HTTP method issue where some methods were still being allowed
• Fixed a typo in the CSP Not Implemented vulnerability details
• Fixed a Form Authentication issue that occured on some React-based websites
• Fixed signature detection for links found via the crawler
• Fixed an issue in the CSP engine where it reported an incorrect vulnerability
• Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
• Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
• Fixed duplicate parsing source field values reported for IFrame vulnerabilities
• Fixed an issue where Apache MultiViews could not be detected in the target server
• Fixed the incorrect Cookie Expire Date set during Form Authentication
• Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
• Fixed a Content-Type parsing issue in Form Authentication
• Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
• Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
• Fixed a bug in cookie handling code during Form Authentication
• Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
• Fixed an ArgumentOutOfRangeException thrown on some long scans