Netsparker Standard Change Log
Netsparker Standard 6.0.2.30446 - 7th April 2021

NEW FEATURES

  • Added TLS 1.3 support
  • Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
  • Added the Common Vulnerability Scoring System field to the known vulnerabilities
  • Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

  • Improved IPv6 support to cover all SSL checks
  • Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
  • Added the redirect navigation support for DOM Parser
  • Fixed Ghost Chromium problems and DOM simulation leaks
  • Added multiple ISO Classification support
  • Added alphabetical order to the Knowledge Base nodes
  • Updated Netsparker Shark (IAST) licensing
  • Improved WAF Identification checks to prevent false positives
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
  • Improved Open Redirection checks
  • Updated Capture Group for OpenResty Version Disclosure
  • Updated DS_Store File Found Report Template
  • Changed the Referrer-Policy Report Template names to be more accurate
  • Refined Possible Stored XSS Vulnerability template
  • Added missing external references to SSL Templates that are removed after the merge
  • Added IAST suffix to titles of vulnerability detected by Netsparker Shark
  • Updated OpenSSL regex
  • Updated OpenSSL version disclosure regex
  • Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

  • Added Short XSS Attack to bypass character limit checks
  • Added Revoked SSL Certificate check
  • Added SSL Certificate's Name and Hostname Mismatch security check
  • Added SSL Certificate is not signed by a trusted root certification authority security check
  • Added Daiquiri Identified security check
  • Added Expired SSL Certificate security check
  • Added ZSH History File Detected
  • Added DOM XSS pattern for the script SRC Injection

FIXES

  • Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
  • Fixed unexpected error when saving parse from URL in form values screen
  • Fixed the Chrome address bar displaying in different resolutions on the verify login form
  • Fixed the detected logout status when an unreachable link is given
  • Fixed the customization menu at the form authentication's custom script dialog
  • Fixed unsupported browser issue for Headless Chromium
  • Fixed weak ciphers not reported for additional websites issue
  • Fixed ignoring weak ciphers check because of the ROBOT attack
  • Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
  • Updated Netsparker Updater icons
  • Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
  • Updated requester not to send Accept-Language header if it is not enabled in a scan policy
  • Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
  • Fixed a synchronization problem while creating puppeteer instances
  • Fixed an issue where external schema was not added when importing WSDL
  • Fixed the Write Lock Leak in LinkPool
  • Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
  • Fixed the typo in the jQuery validation out-of-date vulnerability type
  • Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
  • Fixed the issue that the wrong version was reported in the web app fingerprinting
  • Fixed False Positive weak credentials vulnerability
  • Fixed the issue that logs were not correctly formatted in the Logs panel
  • Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
  • Fixed the issue that authenticated link was not crawled
  • Fixed the issue that the proof URL was not added to XSS
  • Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
  • Removed the logging for the replacing control characters in headers
  • Changed the log level of DOM simulation timeout from Error to Warning
  • Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
  • Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
  • Fixed the issue that URI fragment was parsed incorrectly
  • Fixed OpenSSL version disclosure regex
  • Fixed WS_FTP Log check
  • Fixed F5 BIG-IP WAF detection
  • Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
  • Fixed Extractor for Lodash in repository.json by adding a new function
  • Fixed WildFly regex for the WildFly Application Server Identified
  • Fixed Whoops Error Handling framework signature
  • Fixed the signature for Liferay Portal Identified
  • Fixed Version Disclosure for Artifactory by adding missing custom field tag
  • Fixed regex of Grafana Version Disclosure
  • Fixed OpenResty regex for Version Disclosure
  • Fixed the regex of Liferay Portal Version Disclosure pattern

Netsparker Standard 6.0.1.29866 - 11th February 2021

IMPROVEMENTS

  • Added IAST suffix to titles of vulnerabilities identified by Netsparker Shark 

FIXES

  • Fixed the issue that custom fields were removed when a vulnerability was cached
  • Fixed a typo in the Netsparker Shark dialog
  • Fixed the issue that Netsparker Shark responses were reported as comments in the Knowledge Base
  • Fixed the issue that Netsparker Shark engines were not enabled on old scan policies
  • Fixed renaming default scan profile while using the Netsparker Shark configuration with test websites
  • Fixed setting explicit logout URL from the authentication verification dialog
  • Fixed an NRE that occurred while opening the Netsparker Enterprise options panel in Netsparker Standard
Netsparker Standard 6.0.0.29750 - 28th January 2021

NEW FEATURES

  • Added NIST SP 800-53 compliance classification and report template.
  • Added DISA STIG compliance classification and report template.
  • Added the OWASP ASVS 4.0 classification and report template.
  • Added header and footer section to customize reports.
  • Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

  • Added PHP magic_quotes_gpc Is Disabled security check.
  • Added PHP register_globals Is Enabled security check.
  • Added PHP display_errors Is Enabled security check.
  • Added PHP allow_url_fopen Is Enabled security check.
  • Added PHP allow_url_include Is Enabled security check.
  • Added PHP session.use_trans_sid Is Enabled security check.
  • Added PHP open_basedir Is Not Configured security check.
  • Added PHP enable_dl Is Enabled security check.
  • Added ASP.NET Tracing Is Enabled security check.
  • Added ASP.NET Cookieless Session State Is Enabled security check.
  • Added ASP.NET Cookieless Authentication Is Enabled security check.
  • Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
  • Added ASP.NET Login Credentials Stored In Plain Text security check.
  • Added ASP.NET ValidateRequest Is Globally Disabled security check.
  • Added ASP.NET ViewStateUserKey Is Not Set security check.
  • Added ASP.NET CustomErrors Is Disabled security check.
  • Added PHP session.use_only_cookies Is Disabled security check.
  • Added new Blind SQL Injection attack pattern.
  • Added Jinjava SSTI security check.
  • Added Whoops Framework Detected security check.
  • Added CrushFTP server detected security check.
  • Added database error message signature pattern for Hibernate.
  • Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
  • Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
  • Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
  • Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
  • Added Version Disclosure and Out-of-date security checks for Liferay Portal.
  • Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
  • Added detection for Varnish HTTP Cache Server.
  • Added detection for SonicWall VPN.
  • Added detection for Play Web Framework.
  • Added detection for Private Burp Collaborator Server.
  • Added detection for LiteSpeed Web Server.
  • Added detection for JBoss Enterprise Application Platform.
  • Added detection for JBoss Core Services.
  • Added detection for WildFly Application Server.
  • Added detection for Oracle HTTP Server.
  • Added version disclosure Daiquiri security check.

IMPROVEMENTS

  • Added Wordlist Entries feature to the Resource Finder security check group
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
  • Improved Open Redirect attack patterns.
  • Improved TLS 1.0 issue remediation reference.
  • Added WCF service support to WSDL importer.
  • Added a fix to reduce the possibility of an out-of-memory problem.
  • Added authentication support to system proxy for PAC file.
  • Verification dialog remembers old logout keywords.
  • Added scan profile information and URL to all reports.
  • Added bypass list for scan policy settings.
  • Added scan scope variables to the Pre-Request Scripts.
  • Added information label to the Pre-Request Script settings panel
  • Added a fail tolerance to Puppeteer launch.
  • Improved Tomcat signature patterns.
  • Improved authenticator not to store the plain password in the request data
  • Added HTTP Request Logger to authentication
  • Added Canada region to the Netsparker Enterprise settings
  • Added tooltip to the Excluded Usage Trackers feature.
  • Removed X-Scanner header from default scan policies
  • Added new sensitive comment patterns.
  • Revised the description of the Resource Finder checks option.
  • Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
  • Added Incremental Scan to Knowledge Base reports.
  • Updated Netsparker Standard splash screen.

FIXES

  • Fixed Lodash Identified security check signature.
  • Fixed WebLogic Version Disclosure security check signature.
  • Fixed Whoops Error Handling Framework Identified security check signature.
  • Fixed Zope Web Server Version Disclosure security check signature.
  • Fixed Grafana Version Disclosure security check signature.
  • Fixed ASP.NET MVC Version Disclosure security check signature.
  • Fixed Telerik Version Disclosure vulnerability severity to be low.
  • Fixed IIS Version Disclosure vulnerability severity to be low.
  • Fixed the grammar issues at the CSP Not Implemented report template.
  • Hide the scope tooltip at the manual authentication panel.
  • Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
  • Fixed the issue "link stuck error" was repeated many times in the scan logs.
  • Fixed the typo in the Pre-Request Scripts Menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed validating WAF settings before trying to test WAF connection
  • Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
  • Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
  • Fixed directory modifiers limit usage
  • Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
  • Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
  • Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
  • Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
  • Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
  • Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
  • Fixed an issue that caused DOM simulation to fail because of the null windows and elements
  • Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
  • Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
  • Fixed an issue that causes raw request created without cookies
  • Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
  • Fixed the order of classification report ribbon menu.
  • Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
  • Fixed the tooltip of Send To Tasks button at the ribbon
  • Fixed unwanted warning on the auto authenticator
  • Fixed date and time zone problem on Swagger file.
  • Fixed null reference exception on excluded URL check.
  • Fixed multiple instance knowledge base render problem.
  • Fixed reporting style issues.
  • Fixed relativity of the charts in the Comparison Report.
  • Fixed grid showing on the logout detection screen.
  • Fixed scan resuming problem on unavailable host.
  • Fixed pop-up problem on the DOM simulation for better performance.
  • Fixed the logo at the Knowledge Base render error page.
  • Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
  • Fixed internet connection problem at test site configuration dialog.
  • Added information label to the Azure Configuration wizard.
  • Fixed request and response results in out-of-band vulnerabilities.
  • Fixed Blind SQL Injection cache issue.
  • Fixed wrong expiry time for cookie which occurs at DOM simulation.
  • Fixed the null reference exception while checking the source type.
  • Fixed the Basic Authentication header problem for chromium requests.
  • Fixed the null reference exception while getting authorization tokens.
  • Fixed an issue where XSLT requests are not intercepted.
  • Fixed Netsparker Helper Service dll not found issue.
  • Fixed the client certificate selection issue while logging in to the target website.
  • Fixed session storage problem at DOM simulation.
  • Fixed upload request problem that creates false positive at LFI engine.
  • Fixed chromium errors at authentication
  • Fixed the unhandled multiple choices redirect status code at requester.
  • Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
  • Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
  • Fixed an issue where the form value parser was not working.
  • Fixed unauthorized request handling in the license view.
  • Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
  • Fixed maximum logout detection issue.
  • Fixed the typo in the Pre-request Scripts menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed the issue that email disclosure was reported without identified email addresses.
  • Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
  • Removed URL signature field from the phpinfo detection pattern.
  • Fixed Perl version disclosure pattern.
  • Fixed the issue that movable type cannot be detected because the app name contained whitespace.
  • Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
  • Fixed the custom script dialog title.
  • Fixed the signature of Python version disclosure pattern.
  • Fixed the issue that charset error was repeated many times in the logs.
  • Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
  • Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
  • Fixed the request parsing error in TCP Requester.
  • Fixed the issue that header and footer were mixed up in the reports.
  • Fixed info icons position in the Knowledge Base reports.
  • Fixed the issue XSS payload was not highlighted correctly.
  • Fixed the typo in the base scan CLI argument.
  • Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
  • Fixed the inconsistencies in the summary page of Asana configuration wizard.
  • Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
  • Fixed the issue that search results were not highlighted correctly.
  • Fixed the issue that URL was not correctly encoded in Send To Action templates.
  • Fixed the issue request.Headers was empty in custom script API.
  • Fixed the issue Mithril version could not be detected.
  • Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
  • Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
  • Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
  • Fixed Swagger parser that caused importing object with a parent node while the object is inside an array

Netsparker Standard 5.9.1.29030 - 6th of November 2020

NEW SECURITY CHECKS

  • Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
  • Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)
Netsparker Standard 5.9.0.28895 - 30th of September 2020

NEW FEATURES

  • Added a new signature limit for URL Rewrite matched links
  • Added a crawling limit for Not found (404) links
  • Added a WASC Classification Report template
  • Added an option to exclude authentication pages and removed authentication related regexes from the default settings

NEW SECURITY CHECKS

  • Added Out-of-date security checks for the Liferay portal
  • Added Version Disclosure and Out-of-date security checks for Jolokia
  • Added Nested XSS security checks
  • Added an ASP.NET Razor SSTI security check
  • Added a Java Pebble SSTI security check
  • Added a Theymeleaf SSTI security check
  • Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

  • Improved custom scripting to send raw requests
  • Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
  • Added an Auto Follow Redirect setting to the Advanced settings
  • Added request and response details to Out of Band vulnerabilities
  • Improved logging for timed out regexes in the Javascript Library Checker
  • Updated signature of Stack Trace/Custom Stack Trace (Python)
  • Improved the memory consumption on long running scans

FIXES

  • Fixed an error that was caused when parsing duplicate response content-type headers
  • Updated Netsparker logos, splash screen and icons
  • Fixed reporting of Crawl Performance for crawl-only scans
  • Fixed an issue where Form Value Errors were occurring after simulation was finished
  • Fixed the Maximum Body Length exceeded log message
  • Fixed the log level of the Dom Parser's ignored link message
  • Fixed the Jira Send To application description
  • Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
  • Fixed an issue where the custom Comparison Report was not generated
  • Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
  • Disabled the LFI button for possible xxe
  • Fixed a certificate error problem on the new ssl checker
  • Fixed the timezone problem on reports
  • Fixed the Executive Summary Report title
  • Fixed an ArgumentException that was thrown when the URI was empty
  • Fixed HIPAA classification links
  • Fixed the issue where the Netsparker session importer did not import all links from the session
  • Fixed the bug where the URL was split incorrectly when a segment contained the file extension
  • Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
  • Fixed the HIPAA classification link when there are multiple classifications
  • Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
  • Fixed NRE in the static detection engine
  • Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array

Netsparker Standard 5.8.2.28358 - 10th of July 2020

IMPROVEMENTS

  • Added a highlight icon to the attack parameters on the vulnerability reports
  • Added a report URL to the scheduled reports

FIXES

  • Fixed a ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
  • Fixed a NRE that occurred when exporting a report from a scheduled scan
  • Fixed an issue caused when the login page identifier was disabled in the Scan Policy
  • Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
  • Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
  • Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
  • Fixed the list of enabled security checks on reports
  • Changed the Sans Top 25 classification name to CWE on reports

NEW SECURITY CHECKS

  • Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
  • Added out of date checks for Apache Traffic Server
  • Added version disclosure for Undertow Server
  • Added out of date checks for Undertow Server
  • Added version disclosure for Jenkins
  • Added out of date checks for Jenkins
  • Added signature detection for Kestrel
  • Added detection for Tableau Server
  • Added detection for Bomgar Remote Support Software
  • Added version disclosure for Apache Traffic Server

Netsparker Standard 5.8.1.28119 - 4th of June 2020

IMPROVEMENTS

  • Added Request API to Form Authentication's Custom Script
  • Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
  • Improved the Jira Send To Action to include a new Components field
  • Improved the SSL security check implementation
  • Improved the design of default Report Templates

FIXES

  • Fixed a memory leak in the Attacking phase
  • Fixed a CSS Parser issue that caused infinite loops while parsing invalid css files
  • Fixed an Attacker issue that caused a memory leak
  • Fixed a Null Reference Exception that occurred during crawling
  • Fixed the parsing of duplicate content-type headers

Netsparker Standard 5.8.0.27987 - 14th of May 2020

NEW FEATURES

  • Added Pivotal Tracker Send To integration
  • Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
  • Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
  • Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog

NEW SECURITY CHECKS

  • Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

  • Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
  • Improved the Jira Send To Action to include Epic Key and Epic Name fields
  • Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
  • Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
  • Improved the scan performance with memoization of Passive Security Checks
  • Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
  • Optimized signature detection to avoid executing unnecessary Regex checks
  • Improved the attack payload of the Open - Integer (MySQL) pattern

FIXES

  • Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
  • Fixed a typo in the XSS vulnerability template
  • Fixed a typo in Expect-CT engine error message
  • The WAF Identified dialog is no longer displayed when Netsparker is started from the command line in Silent Mode
  • Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
  • Fixed the visibility of the scan search bar
  • Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
  • Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
  • Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
  • Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
  • Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
  • Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
  • Fixed an issue that caused the crawler to be exited abnormally and stopping the scan when Netsparker Assistant changed the Scan Settings
  • Fixed a NullReferenceException in the Custom Scripts panel
  • Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
  • Fixed a NRE that occurred when a Retest was performed on an imported scan
  • Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
  • Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates
Netsparker 5.7.2.27749 - 9th of April 2020

IMPROVEMENTS

  • Added an image injection pattern to the Blind Cross-site Scripting security check
  • Added Script Type information to the comment section of the Custom Security Check scripts
  • Added the ability to show the Custom Scripts Panel without opening a scan

FIXES

  • Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Netsparker Assistant
  • Fixed an issue where the web proxy was not being used while connecting to Netsparker Enterprise
  • Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
  • Fixed an issue wherelogouts was not detected with single page applications that used Form Authentication
Netsparker 5.7.1.27675 - 25th of March 2020

FIXES

  • Fixed a case sensitivity issue in Imported Links which caused Content-Type headers to be sent without requests
  • Fixed an issue where the WAF Identification notification dialog was occasionally unclickable
  • Fixed issue links for the Azure Send To Action to match Azure's new link scheme
  • Fixed an issue that caused the computer to go into Sleep mode even when the advanced PreventSleepModeDuringScan setting was enabled
Netsparker 5.7.0.27591 - 12th of March 2020

NEW FEATURES

  • Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports, to show Form Validation errors
  • Added the capability to abort requests from the Pre-Request Scripts tab of the Start a New Website or Web Service URL dialog
  • Added CVSS 3.1 support, to help with vulnerability scores
  • Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor


NEW SECURITY CHECKS

  • Added a Login Page Identified security check
  • Added a Content Delivery Networks (CDN) security check
  • Added a Reverse Proxies security check

IMPROVEMENTS

  • Added two new settings to the list available in the Advanced tab of the Options dialog, including DisableRequestParametersReordering (to disable the reordering of query parameters) and DisableIriParsing (to change the IRI parsing configuration of the .NET framework) 
  • Improved the ability to crawl URLs with fragments
  • Added reflected parameter names and sensitive keywords to the BREACH Attack's report template
  • Added a metadata section to the Custom Security Check scripting templates in the Custom Script Checks section of the Security Checks tab in the Scan Policy Editor
  • Added extra information to error reports
  • Added a check for the vulnerability GUIDs used to create vulnerabilities in Custom Security Check scripts

FIXES

  • Fixed the tab order in the Scan Profile settings in the Start a New Website or Web Service Scan dialog
  • Resized the Type column in the Logs panel
  • Added a scrollbar to the Get Shell panel
  • Fixed an issue that prevented a backspace key from working in Save Profile As dialog's name editor
  • Fixed the issue where vulnerabilities' Fixed states were not updated following a Controlled scan
  • Fixed an issue that prevented custom fields from being rendered for the YouTrack Send To Action
  • Added missing tooltips to the Enabled check box of the Script Settings and Manual Authentication settings panels
  • Added a Frame Injection XSS pattern
  • Fixed a typo in the Copy to Clipboard tooltip
  • Fixed the issue where POST parameters were not parsed correctly in the HAR importer
  • Fixed the location of the Override Version vulnerability severities ch
  • Fixed the typo in the description of the NotifiedExpiringLicenses setting
  • Fixed an issue in the JSON Response panel that caused the Address textbox to be editable instead of read-only
  • Fixed an localization issue that occurred while displaying severities in the Vulnerability Editor dialog in the Report Policy Editor
  • Fixed escaping Form Authentication's Custom Script username and password.
  • Fixed the problem where day-long scan durations were not displaying correctly in the Knowledge Base reports and screens
  • Fixed a couple of design problems in reports
  • Fixed the usage of the '/v' command line parameter
  • Updated the default User-Agent
  • Fixed the scheduling of Incremental Scans to be consistent with the regular Incremental Scan, so that the system checks for the current session and offers the option to use it as the base scan before trying to open a scan file
  • Fixed typos in the tooltips in URL Rewrite tab of the Start a New Website or Web Service Scan dialog
  • Fixed problem caused by a missing obfuscation exclusion in the License validation process
  • Fixed the issue where the wrong engine was selected in Controlled Scans when a vulnerability was detected by a Custom Script
  • Fixed the issue where localized values were not displayed for some custom fields
  • Fixed the issue where duplicate notifications were displayed following the import and export of scans
  • Fixed a Null Reference Exception that was caused when Basic, NTLM/Kerberos Authentication settings were null in old profile files 
  • Fixed an issue where the default values were not set for the Scan Policy Optimizer options' properties while deserializing a Scan Policy
  • Fixed an issue that caused the same Authentication method to be added twice in the Basic, NTLM/Kerberos Authentication settings
  • Updated OpenAPI.NET to 1.1.4 version to support the latest Swagger files
  • Fixed the issue where single engines were not working in the Import Only scan mode
  • Fixed an issue where the Request body was encoded improperly, caused an error following the sending of requests
  • Fixed some typos in the WAF Identified dialog, along with some refactorings
  • Fixed the issue where Incremental Scan caused unnecessary DOM simulations

Netsparker 5.6.3.27318 - 20th of February 2020

IMPROVEMENT

  • Null values have been changed to an empty string on text-based reports to avoid integration problems

FIXES

  • Updated the Singular Scripting Check's script template
  • Fixed an issue where migrating old Scan Profiles files failed to produce authentication information
  • Fixed an issue where cookie domains were not set for cookies that were set in a JavaScript context and captured during DOM simulation
  • Fixed an Out of Memory exception that was caused when the target web application had HTML attributes with long string values
  • Fixed the issue where the text was trimmed when it contained null bytes when copied from the Raw Request/Response panels to the clipboard 
  • Fixed an issue where the value of the cookie source custom field was incorrect
  • Cookies are no longer analyzed if the Cookie checks are disabled in the Scan Policy
  • Fixed an issue where an error message was not shown for empty fields while using the Create Samples Issue feature in the TFS Send To Actions panel
  • Fixed a NullReferenceException that was thrown during Manual Proxy scans when the 'Do not expect challenge' option was enabled in the Basic, NTLM/Kerberos Authentication tab
  • Fixed an incorrect 'Login confirmation has failed' log
  • Fixed a NullReferenceException that was thrown in the Keyword Based logout detection

Netsparker 5.6.2.27204 - 6th of February 2020

IMPROVEMENTS

  • Added a new field to the Out-of-date Vulnerabilities that specifies end of life date for abandoned branches
  • Added missing tooltips to the Enabled check box of Script Settings and Manual Authentication Settings panels
  • Added missing XML documentations to the Custom Scripting templates

FIXES

  • Updated Youtrack Send To action to render custom fields
  • Fixed an issue where dock panels were not properly initialized when a command line argument was provided and autopilot mod was off
  • Fixed an issue that caused a rendering problem in the login/logout detection and the custom script panels
  • Fixed duplicate listing of authentication types in OAuth2 settings panel
  • Fixed an issue where the Sitemap sorting method was not being applied when None method was selected

Netsparker 5.6.1.27091 - 23rd January 2020

IMPROVEMENTS

  • Added Reflected Parameter and matched sensitive keyword names to the Breach Attack vulnerability report
  • Additional websites information will now display 'None' in reports when there are no additional websites set for a scan

FIXES

  • Fixed the JSON Metadata Regex check  to match the whole JSON object instead of each part separately
  • Fixed responses with a '201' status code so that they are ignored by the  OAuth2 authentication flow
  • Fixed an issue where ignored parameters were displayed as attack parameters in reports
  • Fixed an issue where reporting options were not being applied in scheduled scans
  • Fixed a memory and GDI object leak in the Imported Links dialog
  • Fixed an OutOfMemoryException that was thrown while generating reports
  • Fixed an ArgumentOutOfRangeException in CsrfEngine that was thrown when form instance contained a negative start index
  • Fixed an issue where incorrect links were being captured from JavaScript contexts
Netsparker 5.6.0.27019 - 16th January 2020

NEW FEATURES

  • Added Netsparker Enterprise Integration to the license activation dialog which enables the activation of a license using the Netsparker Enterprise Information
  • Added a WAF Identification feature that detects whether the target website is using a Web Application Firewall that blocks Netsparker attacks, and warns the user about it
  • Added a SANS Top 25 Scan Policy and report
  • Added login confirmation to ensure that Netsparker was able to acquire an authentication session after conducting the login sequence, in order to notify users in case of any failure due to changed credentials
  • Added an Auto Export feature which enables the automatic export of all old session files not previously uploaded to Netsparker Enterprise when connected to its servers
  • Added FortiWeb WAF integration
  • Added YouTrack Send To integration
  • Added Freshservice Send To integration

NEW SECURITY CHECKS

  • Added version disclosure and out-of-date checks for Telerik Web UI
  • Added detection and out-of-date checks for Java and GlassFish

IMPROVEMENTS

  • Improved the Postman importer to generate URL Rewrite rules automatically from the postman file
  • Added a new logout confirmation request to the Logout Detection process
  • Updated the AttackUsage properties of mXSS patterns to increase scan performance
  • Added a text field to the Report Policy Editor for displaying GUID values of custom vulnerabilities
  • Added a Copy Rules button to the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
  • Added Region information to the new Netsparker Enterprise Information section in the Netsparker Enterprise tab
  • Added search tags and a shortcut key to the Search tab on the ribbon
  • Added the ability to sort the Name and Value grid view in the OAuth2 tab
  • Added a warning about unsupported settings in the OTP column in the Form authentication tab
  • Added a transparency feature to the Scan Search, accessed by pressing CTRL
  • Added a URL to provide extra information to help distinguish similar results in the Raw Requests and Responses tabs
  • Improved vulnerability summary suggestions to recommend that only confirmed vulnerabilities should be fixed immediately in the Executive Summary Report
  • Improved the Report Policy using the CWE and SANS top 25 standards
  • Added a new Max Response Headers Length option to the Advanced tab

FIXES

  • Fixed an issue where the RedirectBodyTooLarge vulnerability was being falsely reported when the redirect location was triple encoded
  • Fixed a NullReferenceException that was thrown in the ReflectedParameterAnalyzer component
  • Fixed an issue where Netsparker Assistant retains generated optimized Scan Policies even if it has been disabled
  • Fixed the Pre-Request Script tab's Presets button's enabled state
  • Fixed a visual text wrapping issue that occured when all Resource Finder options were selected in the Scan Policy Optimizer dialog
  • Fixed an issue where the Proxy Authentication fields in Proxy tab of the Scan Policy Editor was not being disabled when the Use Current User’s Windows Credentials checkbox was selected
  • Fixed an issue that caused Netsparker to freeze when the Scan Finished dialog was displayed while another dialog was open
  • Fixed the signature of the nginx.conf pattern
  • Fixed an issue that caused the Total Vulnerability Count not to be updated when a vulnerability was removed from the Issues panel
  • Fixed an issue that caused the wrong information to be copied about the node when Ctrl+C was used in the Issue and Sitemap panels
  • Fixed an issue that caused the Context button to overlay the Vulnerability Counts icons in the Local Scans files tab
  • Fixed an issue where the Import From File dropdown in the Imported Links tab was not displaying the last opened folder
  • Fixed an issue that showed the wrong exception message in the Test Credentials dialog for the authentication tabs, when the website was unreachable
  • Fixed WAF button display names in the Vulnerability tab on the ribbon
  • Fixed a validation problem that occured in mandatory fields in the WAF settings tab
  • Fixed an issue that caused the scrollbar color not to be applied in the request/response panel.
  • Fixed an issue that showed the wrong tooltip in the  Form Authentication tab's verified settings
  • Fixed an issue that caused vulnerability counts to be calculated incorrectly when grouping the Issue panel by URL
  • Fixed an issue that caused some 404 nodes to not be visible when a filter was applied using search text
  • Fixed a problem that caused the generation of empty Comparison Reports 
  • Fixed an issue where version vulnerabilities could not be fetched from the database when application names contained space characters
  • Fixed an issue that caused inconsistent sorting results for the Sitemap nodes.
  • Fixed an issue that caused an ArgumentException in the CORS Checker
  • Fixed an issue that caused the Exploit LFI panel to not display its content when the height was set too small
  • Fixed the Extracted Version of Java Servlet Version Disclosure vulnerability so that it no longer includes a slash
  • Fixed an issue where the WebLogic Server was occasionally being incorrectly reported as the Application server of the target website
  • Fixed an issue where the XSS attack file had been overwritten, which caused the wrong injection request to be displayed when reporting Stored XSS vulnerabilities
  • Changed the notifications icons, and removed unnecessary extra space from the unread Notifications button
  • Fixed a NullReferenceException in the XSS Analyzer
  • Fixed a scope issue in the Resource Finders and in the Drupal RCE Engine
  • Fixed a subdomain problem in the Phishing by Navigating Tabs vulnerability
  • Removed a context menu from the Send To Actions tab
  • Fixed an issue that caused the template not to be applied in the Subscriptions context menu
  • Fixed a grammatical error in a Netsparker Assistant notification
  • Fixed issues in the Blind SQL injection confirmation for redirects and timeouts
  • Fixed an issue that caused OTP settings to be applied when Persona information was missing in the Form Authentication tab
  • Fixed an issue that prevented the Local Scans' file's context buttons from being clicked when the scroll bar was displayed.
  • Fixed the issue where Custom Field values were incorrectly displayed in older scans
  • Fixed the signature patterns of the ASP.NET and Apache Module version disclosures so that they capture the version correctly
  • Fixed the handling of null Responses in Requests made using the Pre-Request Script feature.
  • Fixed a problem where a horizontal scrollbar was displayed in the search dialog
  • Refactored the JSON Regex to eliminate excessive backtracking
  • Fixed an issue where the Internal Proxy was updating headers that already had default values
  • Fixed a problem in Report Templates where custom logos were incorrectly aligned 
  • Fixed a NullReferenceException error that was thrown when a Theme was not selected in the General tab of the Options dialog
  • Fixed the Send To Action panel to display default names with normal font instead of bold
  • Fixed an issue that caused a crash when an internal server error occurred during the export of a scan to Netsparker Enterprise.
  • Fixed the width of the grid view in the Report Policy Editor 
  • Fixed the focus back on the Sitemap and Issues panels after their search boxes are cleared
  • Fixed a race condition in the parsing of the Finish Time calculation which caused an exception to be thrown
  • Fixed a couple of localization problems in the Knowledge Base Report.
  • Fixed URL alignment in reports
Netsparker 5.5.4.26863 - 2nd January 2020

IMPROVEMENTS

  • Added sort functionality to the grid view of the OAuth2 settings tab in the Start a New Website or Website Service New Scan dialog
  • The default selected tab is now the first one in the Manual Authentication settings tab in the Start a New Website or Website Service New Scan dialog

FIXES

  • Fixed an issue where empty Comparison Reports were still created even when report generation was canceled
  • Fixed several visual defects in generated reports
  • Fixed a race condition issue with DOM Simulation
  • Fixed an issue where expired cookies were not being removed properly when they were set in a JavaScript context
  • Fixed some Azure DevOps error messages
  • Fixed an issue with GWT parsing where a request without a body was causing an exception
  • Fixed a concurrency issue that was causing several exceptions that slowed down the overall scan performance
  • Fixed an issue where the incorrect estimated finish time was shown in the progress panel
  • Fixed an issue where DOM XSS attacks were failing on pages that had a POST request on the same page
  • Fixed a NullReferenceException error that was thrown in the XSS analyzer
  • Fixed an issue with SSL checks by improving the ClientHello structure with additional extensions

Netsparker 5.5.3.26691 - 19th December 2019

IMPROVEMENTS

  • Added a QR Code feature to OTP settings that captures the settings from the QR code on the web page
  • The Known Vulnerabilities list for Out-of-date Version vulnerability reports can now be expanded
  • The Enabled Engines list on scan reports is now sorted alphabetically

FIXES

  • Fixed an issue where importing the I/O Docs specifications from a zip file was not working properly
  • Fixed a memory leak that was causing several issues with scans
  • Fixed an issue where Referer headers were not being sent to DOM simulations

Netsparker 5.5.2.26644 - 13th December 2019

IMPROVEMENTS

  • Improved GitHub Send To Action for GitHub Enterprise

FIXES

  • Fixed several issues with scan reports
  • Fixed an ArgumentException that was thrown when invalid characters were entered in the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
  • Fixed an issue in the Database Connection String Detected vulnerability report
  • Fixed a NullReferenceException that was thrown during Progress bar updates
  • Fixed an issue where the Logout Detection mechanism was occasionally triggered unnecessarily
  • Fixed an issue where DOM XSS window.name attacks were not being detected properly
  • Fixed the order of URLs in MIME Type node in the Knowledge Base
  • Fixed an issue where ignored vulnerabilities were causing the vulnerability counter to increase
  • Fixed an issue where the Content Type header was occasionally not sent
  • Fixed an ArgumentNullException that was thrown while deserializing issues in Jira
Netsparker 5.5.1.26518 - 28th November 2019

IMPROVEMENTS

  • Added Kenna Send To Action integration
  • Added a database error signature pattern for Apache Derby databases
  • Updated missing WASC and CWE values for vulnerabilities in the Default Report Policy
  • Improved XXE vulnerability templates to provide more detailed information

FIXES

  • Fixed an issue with the HTTP Request Builder where attack headers were being duplicated
  • Fixed an issue where invalid version numbers were being added to the Site Profile node in the Knowledge Base
  • Removed unnecessary customization and picture edit context menus from the What's New panel
  • Fixed an issue where JavaScript cookies set in the context of popup windows that open during the login sequences of some websites were not being captured during Form Authentication
  • Fixed an issue where recurring parameter optimization was causing non-recurring parameters to be marked as recurring