Netsparker Change Log
Netsparker 5.3.0.24330 - 2nd July 2019

IMPROVEMENT

  • Improved stability of scan by dynamically adjusting the thread count according to system resources

FIXES

  • Fixed high CPU usage caused by connectivity issues that were occurring during a scan
  • Fixed the issue where Referrer Policy Not Implemented was being reported for redirect responses
  • Fixed the issue where CSP Not Implemented was being reported for redirect responses
  • Fixed the issue where Missing X-XSS Protection was being reported for redirect responses
  • Fixed the issue where Missing X-Frame-Options Header was being reported for redirect responses
  • Fixed a bug where cookies were reported as not secure in authenticated scans
  • Fixed an automatic Logout Detection issue during form authentication verification, where the login required URL was requested with an HTTP POST method
  • Fixed clearing of the internal web browser's cache while executing the authentication process
  • Fixed the broken Crawled and Scanned URLs List (JSON) Report Templates
  • Fixed the incorrect error message that was displayed while generating a Comparison Report with no selected scan files
  • Fixed the Browser View that stayed open when a non-HTML response was selected
  • Fixed the incorrect severity colors on Comparison Reports
  • Fixed an issue where some of the toolbar items were not displayed on the Sitemap and Issues panels
  • Fixed the broken ModSecurity WAF Rules Report Template
  • Fixed a time-based security check issue that occurred when the target web server was not accessible
  • Fixed a bug on the Issues panel where the number of vulnerabilities displayed next to a severity group node was incorrect
  • Fixed the incorrect send to icon size on high DPI screens
  • Fixed an issue where browser viewer could not show content when content type of request was text/html
  • Fixed an issue where React controlled fields might not be updated during Form Authentication
  • Fixed an issue where Netsparker Enterprise options were displayed while trying to import a scan file on the backstage view
  • Fixed a bug on the Issues panel where a group node was shown as ignored when a child node was ignored
  • Fixed an issue on the Sitemap tree where the number of nodes was reported incorrectly when the tree was grouped
  • Fixed an InvalidCastException thrown while browsing a response

Netsparker 5.3.0.23731 - 15th May 2019

IMPROVEMENT

  • Improved Source Code Disclosure (ColdFusion) attack pattern

FIXES

  • Fixed multiple logout detection popups being unnecessarily shown
  • Fixed an issue that was causing Scheduled Scans to run slower than regular scans
  • Fixed an issue where redundant scan folders were created when scans were auto-saved
  • Fixed a performance issue in scans with an excessive number of captured links
  • Fixed a NullReferenceException thrown by Expect CT security checks
  • Fixed an ArgumentNullException thrown by Expect CT security checks
  • Fixed a NullReferenceException thrown by Sitemap tree
  • Fixed the broken padding in the RFI Knowledge Base proof representation of the tasklist command

Netsparker 5.3.0.23657 - 8th May 2019

FIXES

  • Fixed an InvalidOperationException thrown from several operations during scan
  • Fixed the incorrect favicon rendered on the Sitemap tree

Netsparker 5.3.0.23622 - 3rd May 2019

FIX

  • Fixed a NullReferenceException thrown when a vulnerability variation is ignored from the Issues tree

Netsparker 5.3.0.23556 - 26th April 2019

NEW FEATURES

  • Added "Do not differentiate HTTP and HTTPS protocols" option to scope settings
  • Added 3-Legged Token flow for OAuth2 authentication
  • Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

  • Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

  • Added reporter account ID to JIRA Send To
  • Updated SSRF IPv6 pattern names
  • Improved the visibility of Resume button while performing a Manual Crawling
  • Improved the error message displayed while importing Swagger links

FIXES

  • Fixed retrying of OAuth2 token retrieval
  • Fixed a NullReferenceException thrown when an OAuth2-enabled scan is loaded
  • Fixed an UnhandledException thrown during DOM Simulation in some rare cases
  • Fixed pausing the scan when OAuth2 authentication failed
  • Fixed logging of OAuth2 error messages
  • Fixed showing the context menu for the Activity Viewer's group rows
  • Fixed a NullReferenceException thrown when the mouse is moved over the Sitemap
  • Fixed the missing space character on Best Practice severity text on issues panel
  • Fixed the incorrect position of Force Pause button on high DPI screens
  • Fixed the white screen flashed on dark theme while navigating between KB screens
  • Fixed the tiny progress animation on license popup dialog
  • Fixed the dark theme issues on Advanced Settings screen
  • Fixed a KeyNotFoundException thrown when the scan has finished
  • Fixed the issue where ignoring first vulnerability variation ignores all variations
  • Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
  • Fixed an issue where DOM simulation might conflict with some JS frameworks
  • Fixed the broken Ignore From this Scan context menu action on Sitemap panel
  • Fixed a NullReferenceException thrown from Netsparker Assistant
  • Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
  • Fixed the issue where recently optimized scan policy is not selected when the Start a New Scan window is opened again
  • Fixed an issue where multiple personas could be selected in Form Authentication settings
  • Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
  • Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
  • Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
  • Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
  • Fixed an XmlException while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue while trying to decode a compressed sitemap.xml
  • Fixed an unhandled NullReferenceException thrown from Sitemap
  • Fixed parsing of the OAuth2 response regardless of the response content type
  • Fixed JSON content type parsing in the Swagger parser so that unexpected content types are handled instead of a request being created for them
  • Fixed performance issues caused by excessive logging when Activity Tracking is enabled
  • Fixed a stuck scan issue on web sites using React JavaScript framework
  • Fixed a Postman file importing issue where the response is not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed an unhandled "InvalidOperationException: Object is currently in use elsewhere" error
  • Fixed an error where XML and JSON responses could not be rendered on response viewers
  • Fixed an unhandled NullReferenceException thrown from Assistant
  • Fixed several NullReferenceException errors thrown while viewing knowledgebase items
  • Fixed an issue where the current ongoing scan could be deleted from Local Scans section
  • Fixed an InvalidOperationException "Database is not open" error

Netsparker 5.3.0.23162 - 28th March 2019

NEW FEATURES

  • Added Netsparker Assistant, a smart scan assistant that will guide you through a Scan
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added Azure DevOps Send To integration
  • Added an option to report only Confirmed vulnerabilities while generating reports
  • Added Redmine Send To integration
  • Added Bugzilla Send To integration
  • Added F5 WAF rule generation
  • Added Dark UI theme
  • Added RESTful API Modeling Language (RAML) link import support
  • Added facility to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities
  • Added support for deleting a Scan from Local Scan files

NEW SECURITY CHECKS

  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injection
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added config.json check to Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved Scan performance by allocating computer resources better
  • Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Out-of-date server-side apps are highlighted in the Site Profile
  • Clicking on links displayed in Knowledge Base items will navigate to the related node
  • Added URL to the Email List Knowledge Base
  • Added URL to the request which cookie is set on Cookies Knowledge Base
  • Custom URL Rewrite Rules can be sorted by clicking the column header
  • Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base
  • The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base
  • Added an option to prevent the operating system from going to sleep while there is a scan in progress
  • Added an Exploit context menu item to the Sitemap and Issues nodes
  • Vulnerable parameters are now highlighted in the Sitemap and Issues nodes
  • Updated Code Evaluation (PHP) attack patterns
  • Due Date setting has been replaced with Due Days on some of the Send To integrations
  • Improved the icons used in the Sitemap and Issues nodes
  • Removed deleted scan files from the File Import list
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • Improved the performance of the Activity pane's viewer
  • Added a Copy URL context menu item to the Activity viewer
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added Activity Status information to the Sitemap nodes
  • Added support for attacking the name of POST parameters
  • Improved the layout for Reports on scans that detected zero vulnerabilities
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS on text and XML content types
  • Users can now resize the Activity Viewer columns
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities
  • Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access
  • All security engines are checked when the Controlled Scan panel is manually opened
  • Added Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improved grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • Added support for highlighting input elements that are used to send passwords over query strings
  • Improved rendering performance of the Knowledge Base's Comments page when there are too many comments
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • Improved Out of Band SSTI attack payloads
  • Added automatic selection in the Form Authentication dialog when all fields are filled up
  • Added case sensitive search for Raw Response viewer
  • Added an overlay that is displayed while longer scans are being imported, to block user activity and show progress
  • Added Show/Hide Password button in Form Authentication settings
  • Added an information dialog displayed when a scan is finished and Netsparker window is in the background
  • Improved highlight function for detected JavaScript libraries
  • Improved reports to display the product version on which the Scan is performed
  • Improved the HTTP Request Builder panel to display generic headers
  • Manuscript has been renamed FogBugz
  • Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved adding Out of Date Information Database information to the Site Profile
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements
  • Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Phishing by Navigating Browser Tabs Default Report Policy vulnerability description has been improved
  • Added Jira Account ID field for Jira Send To Action to assign issues to a user, as the JIRA API will not accept username after 29 April 2019

FIXES

  • Fixed failing VDB update when multiple instances were running
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected in some occasions
  • Fixed an issue where copied URL Rewrite Rules from Knowledge Base cannot be pasted in URL Rewrite settings
  • Fixed an issue where JavaScript file parsing might take longer than expected in some occasions
  • Fixed a NullReferenceException that was thrown while saving the layout of panes
  • Fixed an ObjectDisposedException that was thrown when cancelling a Retest
  • Fixed the Listening Port so that it is no longer set for the next Manual Crawl
  • Fixed the issue where Finished Scans were displayed with a Paused Scan icon
  • Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed the incorrect order of the vulnerabilities in the Issues panel
  • Fixed the Trial Licence dialog that was popping up twice
  • Fixed the issue where data from a previous scan was displaying in the Activity panel
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed the ObjectDisposedException error that was thrown during Blind SQL Injection checks
  • Fixed an issue where the SSL client handshake code was having issues while trying to communicate with a specific server with different configuration
  • Fixed the issue where the status bar displayed the incorrect number of remaining trial days
  • Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high
  • Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter
  • Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar
  • Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process
  • Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
  • Fixed the problem where the application was hanging on shutdown
  • Fixed missing Authentication cookies in the Knowledge Base
  • Fixed incorrect nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable
  • Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high
  • Fixed the issue where cookies were sent during the request for the Favicon image of the target URL
  • Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details
  • Fixed the high DPI issues in the Bulk Export to Enterprise panel
  • Fixed the issue where the uninstall process was interrupted if a Netsparker instance was still running
  • Fixed high DPI issues in the Local Scans panel during Import
  • Fixed a NullReferenceException that occurred while rendering Vulnerability Details
  • Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities
  • Fixed the Knowledge Base Report's header, where the image, title and severity level were overlapping
  • Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files
  • Fixed an issue that caused a false-positive Insecure Reflected Content vulnerability to be reported
  • Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared
  • Fixed the issue where vulnerability fields were not updated after a Retest
  • Fixed the value of double encoded null byte in LFI, XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive
  • Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder
  • Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder
  • Fixed an issue where an imported link could be saved without correcting the errors in the Request form
  • Fixed an issue where links generated in Netsparker attacks were added to the Sitemap
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities
  • Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog
  • Fixed the selection issue in the filtered Security Checks of the Scan Policy panel
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed the validation issue of the Send to Action configuration
  • Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree
  • Fixed the grouping issue on vulnerability variations and instances
  • Fixed HTTP method icons in the Sitemap
  • Fixed issues caused by language changes
  • Fixed the scrolling problem in the Vulnerability viewer
  • Fixed the confusion over which persona was used during Form Authentication verification
  • Fixed an order issue in the Sitemap tree
  • Fixed the incorrect variation count presentation issue in the Issues tree
  • Fixed the broken tab key in the Request Builder panel
  • Fixed the incorrect Remaining Day presentation in the License reminder
  • Fixed the issue where the Back button was clickable during the Bulk Export to Netsparker Enterprise, causing the export to fail
  • Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks
  • Fixed the wrong proxy display after resetting settings to the default
  • Fixed a performance issue that occurred while exporting a large Scan to Netsparker Enterprise
  • Fixed duplicate cookie names that were reported on a Cookie vulnerability
  • Fixed a high DPI issue in the message box
  • Fixed visual issues in the binary Response viewer
  • Fixed an issue where the DOM engine failed to restart on some occasions
  • Fixed an issue where Local/SessionStorage values were not persisting throughout the scan
  • Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS
  • Fixed a NullReferenceException that was sometimes thrown while saving Scan data
  • Fixed HTML form simulation for cases where the form did not have an element with the Submit type
  • Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements
  • Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute
  • Fixed an issue where Netsparker sometimes prevented Windows from shutting down while a Scan was running
  • Fixed an issue where NTLM Authentication was being ignored during Logout Detection
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue
  • Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan
  • Fixed an issue where an incorrect "Subresource Integrity (SRI) Hash Invalid" vulnerability was reported because of hash miscalculation

Netsparker 5.2.0.22027 - 27th December 2018

FIXES

  • Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
  • Fixed the clipboard format of Knowledgebase URL Rewrite List item
  • Fixed a race condition that caused an ArgumentOutOfRangeException when the rate limiting option was used

Netsparker 5.2.0.21991 - 26th December 2018

IMPROVEMENTS

  • Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
  • Added Retest support for several cookie vulnerabilities
  • Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

  • Fixed an issue where the Retest All button also retested the issues on additional web sites
  • Fixed the popup hide issue on custom form authentication script dialog
  • Fixed a few unexpected NullReferenceException issues
  • Fixed the broken arrow key navigation on Sitemap and Issues panels
  • Fixed the incorrect vulnerability count reported on Issues panel tree groups
  • Fixed the representation of fixed vulnerability on Issues panel
  • Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
  • Fixed the issue where the Issues panel was not being refreshed when a retest finished
  • Fixed the initial panel shown by changing it from the Progress panel to the Activity panel
  • Fixed the "process cannot access the file" issue while updating VDB
  • Fixed a bug in cookie handling code during form authentication
  • Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans
  • Fixed an InvalidOperationException thrown while closing the application
  • Fixed the incorrect Filter menu state on Sitemap panel

Netsparker 5.2.0.21893 - 18th December 2018

NEW FEATURES

  • Rewrote the Sitemap and Issues trees, which improves performance and adds features like filtering, grouping, sorting and searching
  • Added vulnerability families feature where similar types of vulnerabilities are not reported separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Netsparker Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENTS

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • Concurrent Connection count of imported scans can be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • New certificate imported for Client Certificate Authentication is automatically selected
  • Improved JSON request/response viewer performance for large documents
  • Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed a parsing issue that occurs when the upload folder contains a slash
  • Fixed the issue where authentication does not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed on application title
  • Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
  • Fixed Jira Send To custom field values by HTML encoding them
  • Fixed a double HTML encoding problem in the TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group's caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed the issue where comments injected by Netsparker attacks were reported in the Knowledge Base Comment node
  • Fixed duplicate Parsing Source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document

Netsparker 5.1.0.20874 - 21st September 2018

IMPROVEMENT

  • Improved licensing diagnostics mode

FIXES

  • Fixed a parsing issue in the Swagger Importer that occurred while importing Swagger files in YAML format
  • Fixed an issue that caused Netsparker to fail to add certain pages to the sitemap when using Manual Crawling

Netsparker 5.1.0.20862 - 19th September 2018

FIXES

  • Fixed the issues on computers where FIPS compliance is required
  • Fixed the incorrect button positions on the Website Checker dialog displayed during license activation

Netsparker 5.1.0.20817 - 13th September 2018

IMPROVEMENT

  • Improved the list of resources discovered by the resource finder.

FIXES

  • Fixed an issue that caused legacy trial license activation failure.
  • Fixed a FormatException thrown when a scan was started using a trial license.
  • Fixed an issue where the source code could not be located when frame vulnerabilities were detected via the DOM.
  • Fixed an XPathException caused by an input node with special characters.
  • Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
  • Fixed a NullReferenceException thrown by the DOM parser component.
  • Fixed the problem where manually crawled pages were not updated in the Sitemap.

Netsparker 5.1.0.20794 - 12th September 2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added a Go to Identification Page button to the Go to Parent link of the currently selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes is updated across the Sitemap and Issues trees when they are ignored or included in the scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Netsparker
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count is now included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it has finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers' request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on the Sitemap is reselected
  • Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
  • Fixed the WAF rule generated for the TRACE/TRACK HTTP methods, which was also blocking other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template's instance column
  • Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
  • Fixed the issue where the Controlled Scan would not start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue where the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smartcard driver issue that occurred when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing of URLs with encoded characters
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed the incorrect count in the Proof List knowledge base node
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
  • Fixed the vulnerabilities remaining from the previous scan on the sitemap when an incremental scan has been started
  • Fixed the cookie jar, which did not ignore a duplicate cookie based on the first cookie's HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase

Netsparker 5.0.0.20026 - 21st June 2018

FIXES

  • Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
  • Fixed an XmlException thrown while trying to restore UI layout.
  • Fixed missing cookies on form authentication when they are set from JavaScript context.
  • Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
  • Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
  • Fixed CORS security check retest issue where old response data were being used.
  • Fixed a UriFormatException caused by an incorrect cloud integration server URL.
  • Fixed an ArgumentOutOfRangeException that occurs when a URL with a backslash is entered on the Start New Scan dialog.

Netsparker 5.0.0.19876 - 7th June 2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting-related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.

Netsparker 5.0.0.19747 - 25th May 2018

FIXES

  • Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
  • Fixed incorrect time and duration information of cloud scans.
  • Fixed empty request/response issue for scans exported to cloud.
  • Fixed the issue where the controlled scan would not start for selected links on the sitemap.

Netsparker 5.0.0.19640 - 17th May 2018

IMPROVEMENTS

  • Improved confirmation on time-based attacks.

FIXES

  • Fixed the percent encoding issue on Detailed Scan Report.
  • Fixed the stale buttons for custom report templates that had been removed from the disk.
  • Fixed the InvalidOperationException caused by Expect CT IP endpoint highlighting.
  • Fixed a NullReferenceException while generating sitemap tree.
  • Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
  • Fixed the selection issue on scan policy user agent settings.
  • Fixed the FormatException when HTTP rate limits are set on a scan policy.

Netsparker 5.0.0.19557 - 10th May 2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed the disabled UI when Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in the knowledge base by copying RegExp patterns together with placeholder patterns.
  • Fixed opening the Scan Summary Dashboard when the root node of the sitemap tree is clicked.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.

Netsparker 5.0.0.19526 - 9th May 2018

FEATURES

  • Netsparker Cloud integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added "Import from Scan Session" option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added "Copy to Clipboard" link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • Favicon of the target website is now shown in the sitemap tree.
  • Added search capability to the Knowledge base details.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is no longer reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added "Ignore Authentication" option to Request builder.
  • Added a hotkey to "Ignore from This Scan" menu.
  • Added "Force User Agent" setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the "Interesting Header" list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings from being saved.
  • Fixed the overflow issue of "Maximum 404 Signatures" scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities that were missing the [Possible] indicator in the title.
  • Fixed the exception that occurs when importing a scan file whose path has invalid characters.
  • Fixed an ArgumentOutOfRangeException that occurred when the Back button was clicked on the Scan Policy Optimizer.
  • Fixed the incorrect "Exclude Branch" icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where the parent vulnerability is struck out in the sitemap when a variation is fixed after a retest.
  • Fixed the issue where some vulnerabilities that are not fixed come up as fixed after a retest.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where the same POST parameters appear twice in the Request Builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on the GitHub Send To action where the test passed but the vulnerability issue could not be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where the cookie header in a raw request was not added to the sqlmap command.
  • Fixed the issue where the crawler kept trying to crawl the target URL when Retry was clicked after a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.