Netsparker Change Log
Netsparker 5.4.2.25632 - 11th October 2019

IMPROVEMENTS

  • Added Authentication mode and Scheduled Scan information to new reports
  • Added Include and Exclude pattern difference information to new reports

FIXES

  • Fixed an issue where local scans got lost when the Netsparker root directory was changed
  • Fixed an issue where the Dark theme was not applied in the Comparison Report dialog
  • Fixed an issue where true responses could not be processed correctly because of the '00' suffix
  • Fixed the cookie parser by removing the whitespace and disallowed character checks for cookie names
  • Fixed typos in the HSTS warning and error template
  • Fixed a NullReferenceException that was thrown during Authentication verification
  • Fixed a NullReferenceException that was thrown while the scan is moving from one phase to the next
  • Fixed a NullReferenceException that was thrown when a new root node was being added to the Sitemap
  • Fixed an issue where headers were duplicated in the Swagger importer
  • Fixed an issue where 201 (Created) responses occasionally caused incorrect redirects during Form Authentication and DOM simulation
  • Fixed an issue where the Update button icon was not changing when the download started
  • Fixed the problem where PDF reports did not generate when exporting reports on a network share path
  • Fixed the problem where it was not possible to change the default logo to a custom logo on new reports
  • Fixed the Summary information alignment on PDF reports
  • Fixed the problem of empty response information in XML reports
  • Fixed various localization problems in reports

Netsparker 5.4.1.25400 - 27th September 2019

FIXES

  • Fixed duplicate report templates when updated from an older version
  • Fixed Axway XXE payload injected to the wrong position
  • Fixed the incorrect Edition displayed on About dialog
  • Fixed several dark theme issues for messages displayed when an invalid value set to an option
  • Fixed IIS capitalization problem in the Site Profile Knowledge Base

Netsparker 5.4.0.25374 - 26th September 2019

NEW FEATURES

  • Added the ability to create custom Security Checks via a Scripting feature
  • Added a new authentication, Manual Authentication, which allows you to import and replay your pre-recorded requests
  • Added custom Vulnerability creation support to the Report Policy Editor
  • Added a new 3-Legged Token flow type for OAuth2 authentication
  • Added Microsoft Teams Send To integration
  • Added Webhook Send To Integration
  • Added Clubhouse Send To Integration
  • Added Trello Send To Integration and configuration wizard
  • Added Asana Send To Integration and configuration wizard
  • Added a configuration wizard to the Jira Send To Action
  • Added a Configuration Wizard to the Redmine Send To Action
  • Added an option to the Save Report dialog for including and excluding Unconfirmed vulnerabilities
  • Added an option to configure the file upload folder that the File Upload Engine attacks to find uploaded files
  • Added information about SSL implementation in the Target Website to the Site Profile node in the Knowledge Base
  • Added support for importing authentication settings from Postman files
  • Added support for importing pre-request scripts from Postman files
  • Added an 'Enable or Disable logging recurring parameter detection' option to the Advanced tab in the Options dialog
  • Added a Delete button to the 'Start a New Website or Web Service Scan' dialog to enable the deletion of the current profile
  • Added support for importing multiple IO/docs files from a zip file

NEW SECURITY CHECKS

  • Added Web Cache Deception engine to the list of Security Checks
  • Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
  • Added new attack patterns for DOM based XSS
  • Added new attack patterns for Remote Code Execution in Ruby
  • Added new attack patterns for Out-of-band Remote Code Execution in Ruby
  • Added new attack patterns for Remote Code Execution in Python
  • Added new attack patterns for Open Redirect security check
  • Added an email validation bypass payload for XSS
  • Added a header injection XSS pattern
  • Added a security check to determine whether an http website has implemented SSL/TLS
  • Added a security check for File Content Disclosure in Ruby on Rails via exploiting Accept header
  • Added mutation XSS patterns
  • Fixed the SSRF confirmation problem
  • Added Apple’s App-Site Association file detection
  • Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
  • Added new LFI attack patterns for the access.log file
  • Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
  • Added support for detecting Python remote code execution
  • Added RFC compatible SSRF IPv6 patterns
  • Improved the Apache Struts (CVE-2013-2251) attack pattern
  • Added PHP Injection fixed one time Referrer attack
  • Updated the attack value of the PHP Injection fixed one time attack pattern to use short notation instead of the print function
  • Improved the regex pattern of the WebLogic version disclosure pattern
  • Added a PoC pattern for Apache Struts (CVE-2013-2251)
  • Added out-of-date checks for the Slick JavaScript library
  • Added out-of-date checks for the ScrollReveal JavaScript library
  • Added out-of-date checks for the MathJax JavaScript library
  • Added out-of-date checks for the Rickshaw JavaScript library
  • Added out-of-date checks for the Highcharts JavaScript library
  • Added out-of-date checks for the Snap.svg JavaScript library
  • Added out-of-date checks for the Flickity JavaScript library
  • Added out-of-date checks for the D3.js JavaScript library
  • Added out-of-date checks for the Google Charts JavaScript library
  • Added out-of-date checks for the Hiawatha and Cherokee server
  • Added out-of-date checks for the Oracle WebLogic server
  • Added out-of-date check for IIS
  • Added version disclosure detection for the Hiawatha Server
  • Added version disclosure detection for the Cherokee Server
  • Added source code disclosure checks for Java Servlets
  • Added source code disclosure checks for Java Server Pages
  • Added new source code disclosure patterns for Java
  • Added detection for .htaccess files
  • Added detection for Opensearch.xml files
  • Added detection for SQLite error messages
  • Added detection for security.txt files
  • Added detection for swagger.json files
  • Added detection for OpenSearch files

IMPROVEMENTS

  • Redesigned all HTML reports
  • Updated browser engine to Chromium v70
  • Added support for array parameters in GET and POST requests
  • Security Check Groups are now arranged into sub-groups in the Scan Policy Editor dialog
  • Moved the vulnerability severity level, Best Practice, so that it takes precedence over the Information level
  • Implemented scrolling to the bottom of the page after each DOM simulation completes
  • Added support for generating HTML element code from select elements in the Form Authentication Custom Script Editor dialog
  • Added the ability to search for Netsparker Enterprise scans using the Target URL
  • Changed the Password field to Token in the Jira Send To Actions integration
  • Added scrollbar annotations to the Sitemap to indicate vulnerability locations
  • Added Vulnerability Export Options to the Schedule Scan dialog
  • Improved the accuracy of the scan progress calculation displayed in the Progress panel
  • Added Postman variable support to the Postman Importer
  • Added an option to the Advanced tab of the Options dialog to configure the maximum number of variations that will be reported
  • Improved the Site Profile node in the Knowledge Base to display Database name and username information
  • Improved the Site Profile node in the Knowledge Base to show whether the exploited Database user has admin privileges
  • Moved the Accept header's related options to the Custom Headers panel
  • Improved the error message displayed when an invalid Swagger file is imported
  • Added an improvement to the application's 'remember last opened folders' feature
  • Optimized the size of late confirmation files to improve disk space consumption
  • Added a new Netsparker Assistant check to handle an excessive amount of application logs
  • Added an application level notification to remind the user to restart the scan after profile or policy switch operations
  • Updated the Ruby on Rails File Content Disclosure (CVE-2019-5418) vulnerability template
  • Added generated proof data to the RoR File Content Disclosure report
  • Improved the Proof list in the Knowledge Base to display multiple proofs with different values for the same website
  • Improved the MimeType list to display request mime types
  • Improved the display format of the redirect URL in the Open Redirect (DOM based) vulnerability
  • Improved the Weak Ciphers Enabled vulnerability description
  • Added zone.js support to the DOM simulation
  • Removed Jira (Legacy) Send To Actions integration
  • Changed the Unfuddle Send To Action's create issue method's request body data format from XML to JSON
  • Updated the progress message displayed when multiple vulnerabilities are being sent via the Send To Action
  • Improved TFS and Azure Send To Action to send issue details according to the Work Item type, and the Repro Steps field is set for bugs, while the Description field is set for issues or features
  • Added a code block view to the Report Template viewer
  • Added an information message to be displayed when closing Netsparker if a Send To Action task is still executing
  • Added custom field support to the ServiceNow Send To Action
  • Added a message to be displayed if the Send To Actions settings have been configured incorrectly
  • Updated the Remedy section of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability template
  • Added a RAML option to the Enter Links/HTTP Requests dialog
  • Optimized attack pattern environments to enable the Scan Policy Optimizer to produce more optimized policies
  • Added a log to display when a vulnerability is discarded due to the Vulnerability Families feature
  • Added an update to the progress warning on application closing
  • Improved the calculation of attack possibilities of DNS-based SSRF attacks to prevent unnecessary attacks
  • Included Ruby and Python RCE vulnerabilities in the vulnerability family
  • Added a web server field to the access.log patterns for optimization
  • Included SSRF vulnerabilities in the vulnerability family
  • Improved the XSS vulnerability report to be more explicit about the data shown
  • Added 'Do not expect challenge (Basic Authentication)' option to Form Authentication logout detection
  • Updated the Impact sections of all Cross-site Scripting vulnerability templates
  • Added ISO27001 information to the Vulnerabilities List (Detailed) XML report
  • Added an injection prefix to the attack parameter and value name in the vulnerability templates when the vulnerability has an injection request and response
  • Moved Code Execution via SSTI vulnerabilities to the Code Evaluation family
  • Added highlighting to Stored XSS
  • Improved User Agent settings in the Scan Policy editor
  • Added missing environment information for attack patterns
  • Increased the Start New Scan dialog's default height to prevent showing the inner scroll bars
  • Added logs for URL Rewrite settings
  • Added logs for Form Authentication settings
  • Added a warning message to be displayed when a Scan Policy that is in use is deleted
  • Added the attack pattern name to the debug header information
  • Updated the Remedy sections of all Cross-site Scripting vulnerability templates
  • Added command search capability to the application's main menu
  • Improved the Update Available dialog
  • Improved the X-Frame-Options header check to report misconfiguration when two different settings are used at the same time
  • Improved parsing in nested JSON OAuth2 token responses
  • Added missing HIPAA classifications to Out-of-Date vulnerability templates
  • Added an explanation to the Controlled Scan Summary popup about vulnerability families
  • Improved the Swagger parser to read multipart/form-data mime types
  • Improved system registry related Remedy sections in the vulnerability templates
  • Added drag and drop capability to URL Rewrite settings
  • Added verification to Authentication settings
  • Added an additional External Reference to the IIS Out of Date vulnerability template
  • Added a default initial directory to Imported Links and the scan Import dialog box
  • Updated the Save Report dialog UI
  • Updated broken reference links in the Report Policy
  • Added validation that checks empty Header Authentication settings
  • Set the default folder of the Open File dialog to Netsparker Scans during the importing of a scan
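
The improved X-Frame-Options check listed above (reporting a misconfiguration when two different directives are present at once) is easy to reproduce as a passive header check. The following is an added example written for this page, not Netsparker's own code; it assumes response headers are available as a list of (name, value) pairs, as an intercepting proxy or HTTP client library would expose them, and the sample responses at the bottom are constructed, not captured traffic.

```python
"""Passive X-Frame-Options check (added example, not Netsparker code).

Headers are (name, value) tuples so that repeated headers survive, which is
what an intercepting proxy or a raw HTTP client would hand you.
"""

VALID_DIRECTIVES = {"deny", "sameorigin"}


def x_frame_options_values(headers):
    """Return every X-Frame-Options value in a response, one entry per directive.

    Repeated headers are kept separately, and a single header that an
    intermediary has merged into "DENY, SAMEORIGIN" is split on commas.
    """
    values = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for part in value.split(","):
            part = part.strip()
            if part:
                values.append(part)
    return values


def check_x_frame_options(headers):
    """Classify one response's framing policy.

    Returns (finding, details):
      ("missing", [])                       no header at all
      ("ok", [directive])                   a single DENY or SAMEORIGIN
      ("conflicting", [d1, d2, ...])        two different directives at once
      ("obsolete-allow-from", [directive])  ALLOW-FROM, not supported by current browsers
      ("invalid", [directive])              anything else, e.g. ALLOWALL
    """
    values = x_frame_options_values(headers)
    if not values:
        return "missing", []
    distinct = sorted({v.lower() for v in values})
    if len(distinct) > 1:
        # The case the check above was improved for: the response carries two
        # different directives, so the intended policy is ambiguous and what is
        # actually enforced depends on how each browser resolves the conflict.
        return "conflicting", distinct
    directive = distinct[0]
    if directive in VALID_DIRECTIVES:
        return "ok", [directive]
    if directive.startswith("allow-from"):
        return "obsolete-allow-from", [directive]
    return "invalid", [directive]


# Constructed sample responses (not captured traffic) covering each outcome.
SAMPLE_RESPONSES = {
    "no-header": [("Content-Type", "text/html")],
    "single": [("X-Frame-Options", "SAMEORIGIN")],
    "repeated-same": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "sameorigin")],
    "conflict-two-headers": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "conflict-merged": [("X-Frame-Options", "DENY, SAMEORIGIN")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "bogus": [("X-Frame-Options", "ALLOWALL")],
}


def run_samples():
    """Map each sample name to its finding, for a quick look at the classifier."""
    return {name: check_x_frame_options(h)[0] for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name:22} {finding}")
```

Note that a repeated header carrying the same directive twice is not a conflict; only distinct directives are flagged. Whether a header set only on the final response of a redirect chain is sufficient is a separate question and is not covered here.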

FIXES

  • Fixed an ObjectDisposedException that was thrown when activities were cancelled in the Activity Panel
  • Fixed the capitalization of server-side applications in the Site Profile
  • Fixed an issue where all Proofs were not listed in the Knowledge Base node
  • Fixed an exception that occurred when updating the Proof data in the Site Profile
  • Fixed an issue in the exploitation of the Code Evaluation vulnerability where a wrong proof was generated
  • Fixed an issue where the Proof Of Exploit title was displayed on the vulnerability template when there was no proof
  • Fixed a double encoding issue in the Generate Exploit template for XSS
  • Fixed an encoding issue in the confirmation phase of PHP wrapper-based LFI attacks
  • Fixed incorrect behavior in the Internal Proxy
  • Fixed an issue where VDB update requests did not use the upstream proxy
  • Fixed a Code Evaluation pattern that attacks URL Rewrite parameters
  • Fixed an issue where similar kinds of SQL Injection vulnerabilities were being reported in the same URL Rewrite parameter
  • Fixed an issue where the value of the Accept-Language header of the Imported Links were overwritten during a scan
  • Fixed an issue where the Cache-Control header was added by default to Imported Links
  • Fixed an issue causing the Report Policy Editor to fail while saving new template references
  • Fixed duplicate template references in the Default Report Policy
  • Fixed the problem of the Progress dialog not displaying while importing links from CSV files
  • Fixed an issue that occurred when the re-crawling phase was skipped
  • Fixed the Suggested Action for the Best Practice severity in the report templates
  • Fixed the problem of the progress not being updated in the Link Importer
  • Fixed the problem of the progress not being displayed correctly while importing links from a Netsparker session file
  • Fixed the Remedy and External References links in the Vulnerability Viewer so that they open in the default browser
  • Fixed a problem where the value of the User-Agent header was overwritten for imported link requests
  • Fixed an issue where Netsparker was attacking the HTTP endpoint of a URL instead of attacking the HTTPS protocol
  • Fixed various typos in the vulnerability templates
  • Fixed several Cookie related issues by updating Cookie parsing and storage according to the latest RFC 6265
  • Fixed an issue in the Sitemap where it was displaying 404 pages
  • Fixed the attack payload of the Function - End Comment - Double Quote - Encoded pattern
  • Fixed the issue where the header values of the Imported Links were not prioritized over header policy settings
  • Fixed an issue where the Base64 payload was not being encoded properly during the confirmation of PHP wrapper-based attacks
  • Fixed a CVSS scores rendering issue in the Vulnerability panel
  • Fixed the issue where the plus character was not encoded in PHP cookie attacks
  • Fixed the Double Encoding problem in the Static Resource Finder attacks
  • Fixed the URL Encode problem in the Static Resource Finder attacks
  • Fixed an issue where variations were not shown in the report when a vulnerability was ignored
  • Prevented the attacker from attacking the Sitemap.xml file
  • Fixed an issue where Resource Finder requests were not carried out when the server returned a 403 Forbidden error
  • Fixed a NullReferenceException that was thrown during the execution of the late confirmation phase
  • Fixed the Double Encoding problem in PHP Wrapper Confirmation attacks
  • Fixed the problem where the request was loaded to the request builder following injection and identification requests
  • Fixed a problem in the filtered Issues panel that prevented vulnerabilities from being ignored
  • Fixed an issue where the Force Pause button icon and label were overlying each other
  • Fixed the custom field names in the Version Disclosure templates
  • Fixed the problem where an AppDomainUnloadedException was sometimes thrown when the Custom dialog was closing
  • Fixed an ObjectDisposedException that was sometimes thrown when Netsparker was closing
  • Fixed the escaping of forward slashes in custom scripts
  • Fixed the Not operand issue in the Sitemap filter function
  • Fixed an issue where the favicon of the scanned website was not updated in the Sitemap
  • Fixed the problem where the attack payload was not properly encoded during the Code Execution check
  • Fixed an issue where a vulnerability that was found in a different parameter on the same link was discarded due to Vulnerability Families
  • Fixed an issue that caused vulnerabilities that came from static resources to be added to the wrong parent in the Sitemap
  • Fixed the Proof generation for the Ruby Remote Code Execution vulnerability
  • Fixed a bug in the XSS vulnerability confirmation
  • Fixed the empty message displayed in the Sitemap where the filtered view did not display any data on loading
  • Fixed the localization issue on scans that occurred when the application language was modified
  • Fixed inconsistent reporting of DNS-based SSRF
  • Fixed the format of the confirmation attack payload in XSS to be hex-based
  • Fixed the XSS exploitation template to handle injection request
  • Fixed the CSS selector generation inside iframes in the Custom Script dialog
  • Fixed the XSS confirmation that was failing with a Base64 payload
  • Fixed an exception that was thrown by displaying a warning message when a read-only Scan Policy file is used
  • Fixed the issue where the responses of Full URL attacks were not parsed for links
  • Fixed an issue where the Too Many Logouts error messages were displayed even when Form Authentication was disabled
  • Fixed the problem where invalid Send To Action settings were removed from the Options dialog
  • Fixed the problem where the Hawk test results were cleared during Scan Policy optimization
  • Fixed an issue where Netsparker was mistakenly making requests to Excluded URLs even when they were JS or CSS files
  • Fixed an issue where Ignored Parameters were not ignored while analyzing recurring parameters
  • Fixed the incorrect Sitemap root node size for high DPI screens
  • Fixed a bug in the XSS vulnerability confirmation where the name of the triggered JS function was incorrect
  • Fixed an issue with code generation in the Custom Script dialog while the IDs of input elements contained username or password literals
  • Fixed a NullReferenceException that was thrown from the Internal Proxy
  • Fixed the problem of light toolbars displayed when the Dark Theme was configured
  • Fixed the argument exception in the File menu
  • Fixed the grammar error in the Trial License error message
  • Fixed auto start problem that occurred following installation
  • Fixed the inconsistent state of the Start a New Website or Web Service Scan dialog where an unauthorized Scan Policy file exists
  • Removed the 'ps aux' command from exploitation process
  • Fixed an issue where the Netsparker UI tabs were occasionally throwing exceptions
  • Fixed a NullReferenceException that was caused during the handling of XHR requests in DOM simulation
  • Fixed a comparison error that occurred when the Sitemap panel attempted to order its nodes
  • Fixed an issue that occurred with the Exclude This Branch From Attack option that caused missing operations during authenticated scans
  • Fixed the problem where previous session data was cleared during Form Authentication
  • Fixed the problem of an empty file name in the LFI proof data
  • Fixed the issue where the cloud settings dialog was displayed repeatedly on the Scan Import screen
  • Fixed the Sitemap and Issues panel's button paddings
  • Fixed an issue where the error logs in the Swagger importer were displayed twice
  • Fixed an issue in the Request Builder where the request method changed to POST while a PATCH request was being edited
  • Fixed an issue where cookies that were set in a JavaScript context were not being captured properly
  • Fixed an issue where Netsparker was occasionally conducting requests with stale cookie values
  • Fixed the Activity Viewer's column sizes being reset
  • Fixed a persistence issue in the Netsparker Assistant notifications
  • Fixed the customization menu displayed in the Auto Send To Settings panel
  • Fixed an issue where the attack payload was not carried out for some URL Rewrite attacks
  • Fixed an issue where insecure HTTP use was reported on a redirected response
  • Fixed the activation of the Progress Panel displayed after the resumption of a scan
  • Fixed an issue where the Authorization header was duplicated when it was provided via Imported Links
  • Fixed the column sizes in the Request Builder
  • Fixed a bug that occurred while parsing the favicon image source of the Target Website
  • Fixed the issue where the default Content-Type was treated as text/html when no Content-Type was specified
  • Fixed an issue that caused the Exclude by CSS Selector field to be cleared in the JavaScript section of the Scan Policy Editor dialog when loading preset values
  • Fixed the grouped node's count in the Sitemap panel
  • Fixed the attack value that was not implemented correctly in RFI confirmation attacks
  • Fixed the issue where the request identifier could not be detected due to invalid characters in the JSON value
  • Fixed the GET icon that was displayed for POST requests in the Issues panel
  • Fixed an issue where a confirmed vulnerability was removed because of Vulnerability Family checks
  • Fixed an issue where an eval block was treated as a non-executable block in XSS confirmation
  • Fixed an issue where some links were treated as the same when parameter-based navigation was configured
  • Made the Progress panel's percentage label more precise
  • Fixed some character encoding problems in the Request Builder
  • Fixed an exception that occurred when updating the Site Profile node in the Knowledge Base panel
  • Updated the Send To Action template files in order to render vulnerability fields properly
  • Fixed the grouped node filter issue in the Sitemap panel
  • Fixed several stability issues with the browser engine
  • Fixed a NullReferenceException in the Content Security Policy engine
  • Fixed some Korean text
  • Fixed the problem where the JavaScript settings tab scrollbar was not displaying properly in the Scan Policy Editor
  • Fixed an issue where the Content-Type header was not always set properly for POST requests
  • Fixed the Knowledge Base Viewer search issue where adding a space and clearing caused a loss of styles in the report
  • Fixed a validation error in the Swagger Importer
  • Fixed the bug where the XXE engine made a confirmation attack using the same payload
  • Fixed an issue that caused a NullReferenceException to be thrown when a filter was applied on the Sitemap
  • Fixed the problem where an obsolete column was deleted during migration of an old Report policy
  • Fixed a typo in the WASC classification link
  • Fixed the issue where the database username was being added incompletely to the Site Profile node of the Knowledge Base
  • Fixed an issue where obsolete vulnerability types were listed in the Report Policy Editor
  • Fixed setting OAuth2 label to unmodified state while using the default Scan Profile
  • Fixed the problem where the user-agent was not set for requests when the user agent was forced in the Scan Policy Editor
  • Fixed the issue where Request Builder columns were not resized correctly in high DPI environments
  • Fixed the default height of the Browser View panel which caused inconsistent scrollbar behaviour
  • Fixed the digit color in the HTTP Request/Response panel
  • Fixed an issue that caused a NullReferenceException to be thrown when accessing the Identification node in the Sitemap
  • Fixed an issue that prevented the Cookie Analyzer Engine settings from being reset
  • Fixed a JavaScript exception that was thrown during the simulation of React websites
  • Fixed an issue that caused the Target URL to also be scanned when a scan was configured for Imported Links only
  • Fixed an issue that allowed duplicate headers in the Scan Policy Editor
  • Fixed an issue where removed vulnerability types were still listed in the Vulnerability Profile Editor dialog
  • Fixed the precedence values of Possible SSRF vulnerabilities
  • Fixed the signature pattern of the IIS Version Disclosure template
  • Fixed the culture-specific date format used in the Vulnerability List Report templates
  • Fixed the custom report's duplicate name extension problem
  • Fixed an issue that caused vulnerabilities to be reported on 404 pages
  • Fixed an issue that allowed invalid characters to be entered in the Target Website or Web Service URL field
  • Fixed a KeyNotFoundException that was sometimes thrown when a request's Content-Type was not set
  • Fixed an issue concerning the auto-complete behaviour of the SQL Injection panel
  • Fixed the issue where proof generation did not work correctly for redirected URLs in Boolean SQL Injection engine
  • Fixed an issue where the SSL Checker engine stopped working when the user unchecked the 'Do not differentiate HTTP and HTTPS protocols' option in the Scope settings
  • Fixed the problem where the SQL injection exploitation continued indefinitely
  • Fixed the padding of dialogs where users are using the application within high DPI screens
  • Fixed the default width of the Activity Viewer's columns
  • Fixed an issue where some engines were not working in Controlled Scan because some attacks are skipped due to Vulnerability Families
  • Fixed an issue that prevented the Custom 404 Analyzer from detecting 404 pages
  • Fixed an issue where the Netsparker Assistant-generated Scan Policy file name was exceeding the length limit
  • Fixed an Internal Proxy error caused by the PATCH method
  • Fixed a NullReferenceException that was causing the Controlled Scan to continue indefinitely
  • Fixed a confirmation bug in the SQL engine
  • Fixed the problem caused when users were importing links with the authentication header by overriding the existing OAuth2 token
  • Fixed an issue that caused an update error when multiple Netsparker Standard instances were opened
  • Fixed an issue where the selected policy showed Default Security Checks after restarting the scan via the Netsparker Assistant
  • Fixed an issue in the CSRF engine where non-hidden inputs could be treated as anti CSRF tokens
  • Fixed a duplicate link creation issue in the Report Policy editor when you update and save the remedy section
  • Fixed the problem that occurred while sending hidden vulnerabilities via the Auto Send To feature
  • Fixed the failure of the Auto Send To feature that occurred when the Send To Action values had been changed
  • Fixed the width of Activity Viewer columns for high DPI screens
  • Fixed the setting of the OAuth2 token name while using a fixed token type
  • Fixed the setting of the OAuth2 token to override empty authentication headers while importing links
  • Fixed an issue where empty headers were added to requests imported from Postman
  • Fixed the problem of the hanging progress bar that occurred during scanning
  • Fixed an issue where a request with an empty body was treated as a JSON request
  • Fixed an issue where an XSS vulnerability was reported inside of non-executable HTML tags
  • Fixed an issue where the scan folder was deleted after deleting a scan from the Local Scans folder
  • Fixed a NullReferenceException that was thrown when running a Controlled Scan after importing a scan file
  • Fixed a bug where a Link not Selected error was shown, even though it was selected in the Controlled Scan panel
  • Fixed an issue where Netsparker was missing passive vulnerability checks for endpoints that occurred as XmlHttpRequests
  • Fixed a bug where Controlled Scans could not be started for the selected nodes
  • Fixed an issue that caused an ArgumentException to be thrown when activating a license
  • Fixed the button height in the Controlled Scan panel to remove an empty area
  • Fixed the problem where the OAuth2 refresh token timer stopped after a scan was finished
  • Fixed an issue that caused a PathTooLongException when checking the effective scope in the Start New Scan dialog
  • Fixed the newline in the Regex Pattern of SVN disclosures
  • Fixed an issue where the URL Rewrite settings panel was not highlighted when a setting had been changed
  • Fixed the issue where the Controlled Scan was stuck when the scan state had been paused
  • Fixed the status of the taskbar icon following the end of a Retest scan
  • Resource Finder activities will now be stopped faster when the scan is paused
  • Fixed a bug that occurred during the parsing of the refresh token of Implicit OAuth2 flow's response
  • Fixed the problem where it was impossible to get a new OAuth2 token if refresh token was not set
  • Fixed the problem that occurred when navigating the Sitemap and Knowledge Base nodes with the keyboard
  • Disabled the Save option in the Default profile in the Start New Website or Web Service Scan dialog
  • Fixed a bug that occurred when setting the Scan Profile before testing OAuth2 credentials
  • Fixed an issue where no warnings were displayed when Basic/NTLM authentication settings were left empty
  • Fixed the Vulnerability Severity Level order in the Report Policy Editor's context menu
  • Fixed the Best Practice severity level's caption in the Report Policy Editor's context menu
  • Fixed the Vulnerability Severity Level's order in the profile list in the Report Policy Editor dialog
  • Fixed an ArgumentNullException that was thrown when the F9 key was pressed
  • Fixed an issue that caused an invalid file name error in the Save Report dialog
  • Fixed the issue where a Base64 value could not be decoded due to an invalid length in the Encoder panel
  • Fixed the proxy authentication problem in manual crawling when a custom proxy is configured
  • Fixed an issue to prevent the ampersand character from being encoded in an XML attack
  • Fixed the Azure DevOps Send To Action to enable it to send vulnerabilities to the TFS
  • Fixed an issue where the attack parameter was not shown for some vulnerabilities in the Detailed Scan Report
  • Fixed an issue where redundant logs were written for enforced Basic Authentication setting
  • Fixed the issue where auto-complete enabled was not reported when there was only one password input
  • Fixed the issue where auto-complete was treated as enabled when the attribute value was 'new-password'
  • Fixed the problem where multiple OAuth2 refresh token requests were sent while refreshing tokens
  • Fixed the stale activities still remaining on the list at the end of the scan
  • Fixed the broken order function of External References in the Report Policy Editor
  • Fixed an unhandled UnauthorizedAccessException that was occasionally thrown while closing the Form Authentication Custom Script dialog
  • Fixed the issue where some special XML characters were encoded when the parameter was already encoded

Netsparker 5.3.0.24388 - 8th July 2019

FIXES

  • Fixed a bug where HTTPS endpoints might not be crawled properly upon a navigation action during DOM simulation
  • Fixed a bug with Manual Crawl mode where the execution might stop after the initial crawling phase ends
  • Fixed an issue where form authentication might fail to execute in some React websites
  • Fixed an issue where the process may crash due to a NullReferenceException

Netsparker 5.3.0.24330 - 2nd July 2019

IMPROVEMENT

  • Improved stability of scan by dynamically adjusting the thread count according to system resources

FIXES

  • Fixed high CPU usage caused by connectivity issues that were occurring during a scan
  • Fixed the issue where Referrer Policy Not Implemented was being reported for redirect responses
  • Fixed the issue where CSP Not Implemented was being reported for redirect responses
  • Fixed the issue where Missing X-XSS Protection was being reported for redirect responses
  • Fixed the issue where Missing X-Frame-Options Header was being reported for redirect responses
  • Fixed a bug where cookies were reported as not secure in authenticated scans
  • Fixed an automatic Logout Detection issue during form authentication verification, where the login required URL was requested with an HTTP POST method
  • Fixed the clearing of the internal web browser's cache while the authentication process was executing
  • Fixed the broken Crawled and Scanned URLs List (JSON) Report Templates
  • Fixed the incorrect error message that was displayed while generating a Comparison Report with no selected scan files
  • Fixed the Browser View that stayed open when a non-HTML response was selected
  • Fixed the incorrect severity colors on Comparison Reports
  • Fixed an issue where some of the toolbar items were not displayed on the Sitemap and Issues panels
  • Fixed the broken ModSecurity WAF Rules Report Template
  • Fixed a time-based security check issue that occurred when the target web server was not accessible
  • Fixed a bug in the Issues panel where the number of vulnerabilities displayed next to the severity group node was incorrect
  • Fixed the incorrect Send To icon size on high DPI screens
  • Fixed an issue where the browser viewer could not show content when the content type of the request was text/html
  • Fixed an issue where React controlled fields might not be updated during Form Authentication
  • Fixed an issue where Netsparker Enterprise options were displayed while trying to import a scan file in the backstage view
  • Fixed a bug in the Issues panel where a group node was shown as ignored when a child node was ignored
  • Fixed an issue in the Sitemap tree where the number of nodes was reported incorrectly when the tree was grouped
  • Fixed an InvalidCastException thrown while browsing a response

Netsparker 5.3.0.23731 - 15th May 2019

IMPROVEMENT

  • Improved Source Code Disclosure (ColdFusion) attack pattern

FIXES

  • Fixed multiple logout detection popups being unnecessarily shown
  • Fixed an issue that was causing Scheduled Scans to run slower than regular scans
  • Fixed an issue where redundant scan folders were created when scans were auto-saved
  • Fixed a performance issue in scans with an excessive number of captured links
  • Fixed a NullReferenceException thrown by Expect CT security checks
  • Fixed an ArgumentNullException thrown by Expect CT security checks
  • Fixed a NullReferenceException thrown by Sitemap tree
  • Fixed the broken padding in the RFI Knowledge Base proof representation of the tasklist command

Netsparker 5.3.0.23657 - 8th May 2019

FIXES

  • Fixed an InvalidOperationException thrown from several operations during scan
  • Fixed the incorrect favicon rendered on Sitemap tree

Netsparker 5.3.0.23622 - 3rd May 2019

FIX

  • Fixed a NullReferenceException thrown when a vulnerability variation is ignored from Issues tree

Netsparker 5.3.0.23556 - 26th April 2019

NEW FEATURES

  • Added "Do not differentiate HTTP and HTTPS protocols" option to scope settings
  • Added 3-Legged Token flow for OAuth2 authentication
  • Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

  • Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

  • Added reporter account id to JIRA Send To
  • Updated SSRF IPv6 pattern names
  • Improved the visibility of the Resume button while performing Manual Crawling
  • Improved the error message displayed while importing Swagger links

FIXES

  • Fixed the retrying of OAuth2 token retrieval
  • Fixed a NullReferenceException thrown when an OAuth2 enabled scan is loaded
  • Fixed an UnhandledException thrown during DOM Simulation in some rare cases
  • Fixed pausing the scan when OAuth2 authentication failed
  • Fixed the logging of OAuth2 error messages
  • Fixed the display of the context menu for the Activity Viewer's group rows
  • Fixed a NullReferenceException thrown when the mouse is moved over the Sitemap
  • Fixed the missing space character on Best Practice severity text on issues panel
  • Fixed the incorrect position of Force Pause button on high DPI screens
  • Fixed the white screen flashed on dark theme while navigating between KB screens
  • Fixed the tiny progress animation on license popup dialog
  • Fixed the dark theme issues on Advanced Settings screen
  • Fixed a KeyNotFoundException thrown when the scan has finished
  • Fixed the issue where ignoring the first vulnerability variation ignored all variations
  • Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
  • Fixed an issue where DOM simulation might conflict with some JS frameworks
  • Fixed the broken Ignore From this Scan context menu action on Sitemap panel
  • Fixed a NullReferenceException thrown from Netsparker Assistant
  • Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
  • Fixed the issue where a recently optimized Scan Policy was not selected when the Start a New Scan window was opened again
  • Fixed an issue where multiple personas could be selected in the Form Authentication settings
  • Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
  • Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
  • Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
  • Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
  • Fixed an XmlException while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue while trying to decode a compressed sitemap.xml
  • Fixed an unhandled NullReferenceException thrown from Sitemap
  • Fixed the parsing of OAuth2 responses regardless of the response content type
  • Fixed JSON content type parsing in the Swagger parser so that unexpected content types are handled instead of a request being created for them
  • Fixed performance issues caused by excessive logging when Activity Tracking is enabled
  • Fixed a stuck scan issue on websites using the React JavaScript framework
  • Fixed a Postman file importing issue where the response was not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed an unhandled "InvalidOperationException: Object is currently in use elsewhere" error
  • Fixed an error where XML and JSON responses could not be rendered on response viewers
  • Fixed an unhandled NullReferenceException thrown from Assistant
  • Fixed several NullReferenceException errors thrown while viewing knowledgebase items
  • Fixed an issue where the current ongoing scan could be deleted from Local Scans section
  • Fixed an InvalidOperationException "Database is not open" error

Netsparker 5.3.0.23162 - 28th March 2019

NEW FEATURES

  • Added Netsparker Assistant, a smart scan assistant that will guide you through a Scan
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added Azure DevOps Send To integration
  • Added an option to report only Confirmed vulnerabilities while generating reports
  • Added Redmine Send To integration
  • Added Bugzilla Send To integration
  • Added F5 WAF rule generation
  • Added Dark UI theme
  • Added RESTful API Modeling Language (RAML) link import support
  • Added facility to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities
  • Added support for deleting a Scan from Local Scan files

NEW SECURITY CHECKS

  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injection
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added config.json check to Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved Scan performance by allocating computer resources better
  • Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Out-of-date server-side apps are highlighted in the Site Profile
  • Clicking on links displayed in Knowledge Base items will navigate to the related node
  • Added URL to the Email List Knowledge Base
  • Added the URL of the request that set the cookie to the Cookies Knowledge Base
  • Custom URL Rewrite Rules can be sorted by clicking the column header
  • Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base
  • The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base
  • Added an option to prevent the operating system from going to sleep while there is a scan in progress
  • Added an Exploit context menu item to the Sitemap and Issues nodes
  • Vulnerable parameters are now highlighted in the Sitemap and Issues nodes
  • Updated Code Evaluation (PHP) attack patterns
  • Due Date setting has been replaced with Due Days on some of the Send To integrations
  • Improved the icons used in the Sitemap and Issues nodes
  • Removed deleted scan files from the File Import list
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • Improved the performance of the Activity pane's viewer
  • Added a Copy URL context menu item to the Activity viewer
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added Activity Status information to the Sitemap nodes
  • Added support for attacking the name of POST parameters
  • Improved the layout for Reports on scans that detected zero vulnerabilities
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS on text and XML content types
  • Users can now resize the Activity Viewer columns
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities
  • Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access
  • All security engines are checked when the Controlled Scan panel is manually opened
  • Added Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improved grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • Added support for highlighting input elements that are used to send passwords over query strings
  • Improved rendering performance of the Knowledge Base's Comments page when there are too many comments
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • Improved Out of Band SSTI attack payloads
  • Added automatic selection in the Form Authentication dialog when all fields are filled up
  • Added case sensitive search for Raw Response viewer
  • Added an overlay that is displayed while larger scans are being imported, blocking user activity and showing progress
  • Added Show/Hide Password button in Form Authentication settings
  • Added an information dialog displayed when a scan is finished and Netsparker window is in the background
  • Improved highlight function for detected JavaScript libraries
  • Improved reports to display the product version on which the Scan is performed
  • Improved the HTTP Request Builder panel to display generic headers
  • Manuscript has been renamed FogBugz
  • Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved adding Out of Date Information Database information to the Site Profile
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements
  • Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Phishing by Navigating Browser Tabs Default Report Policy vulnerability description has been improved
  • Added Jira Account ID field for Jira Send To Action to assign issues to a user, as the JIRA API will not accept usernames after 29 April 2019

FIXES

  • Fixed failing VDB update when multiple instances were running
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
  • Fixed an issue where URL Rewrite Rules copied from the Knowledge Base could not be pasted in the URL Rewrite settings
  • Fixed an issue where JavaScript file parsing might take longer than expected on some occasions
  • Fixed a NullReferenceException that was thrown while saving the layout of panes
  • Fixed an ObjectDisposedException that was thrown when cancelling a Retest
  • Fixed the Listening Port so that it is no longer set for the next Manual Crawl
  • Fixed the issue where Finished Scans were displayed with a Paused Scan icon
  • Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed the incorrect order of the vulnerabilities in the Issues panel
  • Fixed the Trial License dialog that was popping up twice
  • Fixed the issue where data from a previous scan was displaying in the Activity panel
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed the ObjectDisposedException that was thrown during Blind SQL Injection checks
  • Fixed an issue where the SSL client handshake failed when communicating with a specific server that had a different configuration
  • Fixed the issue where the status bar displayed the incorrect number of remaining trial days
  • Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high
  • Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter
  • Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar
  • Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process
  • Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
  • Fixed the problem where the application was hanging on shutdown
  • Fixed missing Authentication cookies in the Knowledge Base
  • Fixed an incorrectly reported nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable
  • Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high
  • Fixed the issue where cookies were sent during the request for the Favicon image of the target URL
  • Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details
  • Fixed the high DPI issues in the Bulk Export to Enterprise panel
  • Fixed the issue where the uninstall process was interrupted if a Netsparker instance was still running
  • Fixed high DPI issues in the Local Scans panel during Import
  • Fixed a NullReferenceException that occurred while rendering Vulnerability Details
  • Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities
  • Fixed the Knowledge Base Report's header, where the image, title and severity level were overlapping
  • Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files
  • Fixed an issue that caused a false-positive Insecure Reflected Content vulnerability to be reported
  • Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared
  • Fixed the issue where vulnerability fields were not updated after a Retest
  • Fixed the value of the double encoded null byte in the LFI and XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive
  • Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder
  • Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder
  • Fixed an issue where an imported link could be saved without correcting the errors in the Request form
  • Fixed an issue where links generated in Netsparker attacks were added to the Sitemap
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities
  • Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog
  • Fixed the selection issue in the filtered Security Checks of the Scan Policy panel
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed the validation issue of the Send to Action configuration
  • Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree
  • Fixed the grouping issue on vulnerability variations and instances
  • Fixed HTTP method icons in the Sitemap
  • Fixed issues caused by language changes
  • Fixed the scrolling problem in the Vulnerability viewer
  • Fixed the confusion over which persona was used during Form Authentication verification
  • Fixed an order issue in the Sitemap tree
  • Fixed the incorrect variation count presentation issue in the Issues tree
  • Fixed the broken tab key in the Request Builder panel
  • Fixed the incorrect Remaining Day presentation in the License reminder
  • Fixed the issue where the Back button was clickable during the Bulk Export to Netsparker Enterprise, causing the export to fail
  • Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks
  • Fixed the wrong proxy display after resetting settings to the default
  • Fixed a performance issue that occurred while exporting a large Scan to Netsparker Enterprise
  • Fixed duplicate cookie names that were reported on a Cookie vulnerability
  • Fixed a high DPI issue in the message box
  • Fixed visual issues in the binary Response viewer
  • Fixed an issue where the DOM engine failed to restart on some occasions
  • Fixed an issue where Local/SessionStorage values were not persisting throughout the scan
  • Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS
  • Fixed a NullReferenceException that was sometimes thrown while saving Scan data
  • Fixed HTML form simulation for cases where the form did not have an element with the Submit type
  • Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements
  • Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute
  • Fixed an issue where Netsparker sometimes prevented Windows from shutting down while a Scan was running
  • Fixed an issue where NTLM Authentication was being ignored during Logout Detection
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue
  • Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan
  • Fixed an issue where an incorrect "Subresource Integrity (SRI) Hash Invalid" vulnerability was reported because of hash miscalculation

Netsparker 5.2.0.22027 - 27th December 2018

FIXES

  • Fixed an InvalidOperationException thrown when the application is forced to close during computer shutdown
  • Fixed the clipboard format of the Knowledge Base URL Rewrite List item
  • Fixed a race condition that caused an ArgumentOutOfRangeException when the rate limiting option was used

Netsparker 5.2.0.21991 - 26th December 2018

IMPROVEMENTS

  • Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
  • Added Retest support for several cookie vulnerabilities
  • Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

  • Fixed the Retest All button also retesting the issues on additional websites
  • Fixed the popup hiding issue in the custom Form Authentication script dialog
  • Fixed a few unexpected NullReferenceException issues
  • Fixed the broken arrow key navigation on Sitemap and Issues panels
  • Fixed the incorrect vulnerability count reported on Issues panel tree groups
  • Fixed the representation of fixed vulnerability on Issues panel
  • Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
  • Fixed the issue where the Issues panel was not being refreshed when a retest finished
  • Fixed the initial panel shown by changing it from the Progress panel to the Activity panel
  • Fixed the "process cannot access the file" error that occurred while updating the VDB
  • Fixed a bug in cookie handling code during form authentication
  • Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans
  • Fixed an InvalidOperationException thrown while closing the application
  • Fixed the incorrect Filter menu state on Sitemap panel

Netsparker 5.2.0.21893 - 18th December 2018

NEW FEATURES

  • Rewrote the Sitemap and Issues trees, which improves performance and adds filtering, grouping, sorting and searching
  • Added vulnerability families feature where similar types of vulnerabilities are not reported separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Netsparker Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENTS

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • Concurrent Connection count of imported scans can be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • New certificate imported for Client Certificate Authentication is automatically selected
  • Improved JSON request/response viewer performance for large documents
  • Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities now report where the cookie was set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed a parsing issue that occurred when the upload folder contained a slash
  • Fixed the issue where authentication did not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed on application title
  • Fixed a controlled scan issue where the scan failed if the connection check response status code was not 200 (OK)
  • Fixed Jira send to custom field values by HTML encoding them
  • Fixed double HTML encoding problem in TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group's caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed the comments that were injected via Netsparker attacks reported in the Knowledge Base Comment node
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document
Netsparker 5.1.0.20874 - 21st September 2018

IMPROVEMENT

  • Improved licensing diagnostics mode

FIXES

  • Fixed a parsing issue in the Swagger Importer that occurred while importing Swagger files in YAML format
  • Fixed an issue that caused Netsparker to fail to add certain pages to the sitemap when using Manual Crawling
Netsparker 5.1.0.20862 - 19th September 2018

FIXES

  • Fixed issues on computers where FIPS compliance is required
  • Fixed the incorrect button positions on Website Checker dialog displayed during license activation
Netsparker 5.1.0.20817 - 13th September 2018

IMPROVEMENT

  • Improved the list of resources discovered by the resource finder.

FIXES

  • Fixed an issue that caused legacy trial license activation failure.
  • Fixed a FormatException thrown when a scan was started using a trial license.
  • Fixed an issue where, when frame vulnerabilities were detected via DOM, it was not possible to locate the source code.
  • Fixed an XPathException caused by an input node with special characters.
  • Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
  • Fixed a NullReferenceException thrown by the DOM parser component.
  • Fixed the problem where manually crawled pages were not updated in the Sitemap.
Netsparker 5.1.0.20794 - 12th September 2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added Go to Identification Page button to Go to Parent link of current selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2.
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes is updated across the Sitemap and Issues trees when they are ignored or included in the scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Netsparker
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it's finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers' request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
  • Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were also blocking the other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template's instance column
  • Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
  • Fixed the issue where the Controlled Scan would not start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue where the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smartcard driver issue that occurred when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with the same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing URLs with encoded chars
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed incorrect count of Proof List knowledge base
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies, where entered values could not be deleted
  • Fixed the vulnerabilities remaining from the previous scan on the Sitemap when an incremental scan was started.
  • Fixed the cookie jar, which did not ignore a duplicate cookie based on the first cookie's HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase
Netsparker 5.0.0.20026 - 21st June 2018

FIXES

  • Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
  • Fixed an XmlException thrown while trying to restore UI layout.
  • Fixed missing cookies on form authentication when they are set from JavaScript context.
  • Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
  • Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
  • Fixed CORS security check retest issue where old response data were being used.
  • Fixed a UriFormatException caused by an incorrect cloud integration server URL.
  • Fixed an ArgumentOutOfRangeException that occurs when a URL with a backslash is entered on the Start New Scan dialog.
Netsparker 5.0.0.19876 - 7th June 2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.