Netsparker 18.104.22.16891 - 26th December 2018
- Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
- Added Retest support for several cookie vulnerabilities
- Moved the target URL to the first position on Site Profile Knowledgebase
- Fixed the Retest All button, which also retests issues on additional websites
- Fixed the popup hide issue on custom form authentication script dialog
- Fixed a few unexpected NullReferenceException issues
- Fixed the broken arrow key navigation on Sitemap and Issues panels
- Fixed the incorrect vulnerability count reported on Issues panel tree groups
- Fixed the representation of fixed vulnerability on Issues panel
- Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
- Fixed the issue where the Issues panel was not being refreshed when a retest finished
- Fixed the initial panel shown by changing it from Progress panel to Activity panel
- Fixed the "process cannot access the file" error that occurred while updating the VDB
- Fixed a bug in cookie handling code during form authentication
- Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
- Fixed an ArgumentOutOfRangeException thrown on some long scans
- Fixed an InvalidOperationException thrown while closing the application
- Fixed the incorrect Filter menu state on Sitemap panel
Netsparker 22.214.171.12493 - 18th December 2018
- Rewrote the Sitemap and Issues trees, improving performance and adding features such as filtering, grouping, sorting and searching
- Added vulnerability families feature where similar types of vulnerabilities are not reported separately
- Added support for Swagger 3 / OpenAPI link import
- Added support for 64-bit smart card drivers for authentication
- Added GitLab Send To integration
- Added Bitbucket Send To integration
- Added Unfuddle Send To integration
- Added Zapier Send To integration
- Added Azure DevOps Send To integration
- Added support for importing links from IOdocs file format
- Added automatic upload to Netsparker Enterprise option
- Added copy to clipboard buttons to request and response viewers
- Added a new Knowledge Base item for Not Found pages
- Added a hex view for binary responses in reports
- Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
- Added Uncheck by Severity context menu item to the Report Policy editor
- Added ISO 27001 vulnerability classifications and report template
- Added raw value support for Send To custom fields
- Added option to report variations of vulnerabilities
NEW SECURITY CHECKS
- Added a new pattern for CherryPy Version Disclosure
- Added an LFI attack pattern for WEB-INF/web.xml
- Added Ruby Error Disclosure detection
- Added WP Engine Configuration File detection
- Added CherryPy Stack Trace Disclosure detection
- Added Intro.js out-of-date version detection
- Added Axios out-of-date version detection
- Added Fingerprintjs2 out-of-date version detection
- Added XRegExp out-of-date version detection
- Added DataTables out-of-date version detection
- Added Lazy.js out-of-date version detection
- Added FancyBox out-of-date version detection
- Added Underscore.js out-of-date version detection
- Added Lightbox out-of-date version detection
- Added JBoss application server out-of-date version detection
- Added SweetAlert2 out-of-date version detection
- Added Lodash out-of-date version detection
- Added Bluebird out-of-date version detection
- Added Polymer out-of-date version detection
- Separated the Scan Activity panel and Progress chart into their own dock panels below
- Added a button to the Reporting tab for creating new Custom Report Templates
- Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
- Ordered several Knowledge Base items alphabetically
- The Concurrent Connection count of imported scans can now be modified
- Changed default Issue type to Story in JIRA Send To integration
- Changed CallerId field to optional in ServiceNow Send To integration
- Added PHP extension attack for Nginx vulnerability to File Upload engine
- Added File Upload patterns for Nginx parsing vulnerability
- Added settings to File Upload engine for configuring upload folders
- Added errorlog.axd detection support
- Improved elmah.axd detection
- The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
- Improved SSTI PHP Smarty attack detection
- Retest All can now be started when the scan is paused
- Improved the Swagger link importer to handle additional properties with integer and string value types
- Improved the Expect-CT engine by only reporting a vulnerability once for each host
- Improved RSA key confirmation by handling OpenPGP format
- Added a Statistics tab to the HTTP response viewer
- Increased the HSTS Not Enabled vulnerability severity from Information to Low
- Improved HTTP 407 proxy authentication error handling
- Improved missing license handling for non-interactive Windows sessions
- Controlled scan is now cancelled when a new scan is imported
- Added classifications to the HSTS Not Enabled vulnerability
- Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
- New certificate imported for Client Certificate Authentication is automatically selected
- Improved JSON request/response viewer performance for large documents
- Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
- Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
- Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
- Updated HTTP response data of vulnerabilities after retest
- Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
- Improved JSON format detection
- Replaced Unicode replacement characters with question marks in responses
- Added a Scan Policy option to attack cookies
- Improved element click DOM simulation for various element types
- SRI Not Implemented will no longer be reported for localhost URLs
- Improved ASP.NET error message detection
- Added descriptions to PCI categories in the PCI Compliance Report
- Improved Boolean SQL Injection detection
- Improved the Blind Command Injection attack patterns
- Improved the representation of Report Template compilation errors
- Removed the dependency of Object Model Installer for using TFS Send To integration
- Improved the language used in Retest and Controlled Scan results
- Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
- Misconfigured X-Frame-Options Header is now reported separately
- The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
- Status code, status description and content length information have been added to the Slowest Pages knowledge base node
- Retest activities are marked on the Scan Activity panel
- Added the list of failed vulnerabilities to retest results dialog
- Improved WADL document parsing by ignoring DTDs
- Improved Open Redirect DOM based confirmation performance
- Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
- Cookie vulnerabilities now report where the cookie was set from
- Improved the multi-line representation of LFI Exploitation data
- Removed the redundant scan save confirmation dialog displayed when closing the app
- Improved Swagger Document Format detection
- Options dialog now remembers its location and size
- File upload engine now detects new links in the response after the file is uploaded
- Fixed double URL encoding problem in various Report Templates
- Fixed parsing issue that occurs when the upload folder contains a slash
- Fixed the issue where authentication does not work when retesting
- Fixed an exception thrown prior to scan when the language is set to Korean
- Fixed the incorrect license holder name displayed on application title
- Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
- Fixed Jira send to custom field values by HTML encoding them
- Fixed double HTML encoding problem in TFS Send To template
- Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
- Fixed a NullReferenceException thrown when a link label is clicked in a dialog
- Fixed display of Post Scan ribbon group's caption text
- Fixed the issue where the Swagger importer generates an invalid JSON request body
- Fixed the ArgumentException thrown while performing Heartbleed security checks
- Fixed visibility of fixed vulnerabilities in Report Templates
- Fixed the issue where the wrong version was identified for Drupal
- Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
- Fixed a disallowed HTTP method issue where some methods were still being allowed
- Fixed a typo in the CSP Not Implemented vulnerability details
- Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
- Fixed an InvalidCastException thrown while loading the panel layout
- Fixed a Form Authentication issue that occurred on some React-based websites
- Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
- Fixed a NullReferenceException thrown in Retest
- Fixed signature detection for links found via the crawler
- Fixed an issue in CSP engine where it reported an incorrect vulnerability
- Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
- Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
- Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
- Fixed the URL decoding issue when the URL was copied in the Issues panel
- Fixed comments injected by Netsparker attacks being reported in the Knowledge Base Comments node
- Fixed duplicate parsing source field values reported for IFrame vulnerabilities
- Fixed a corrupted PDF report
- Fixed an issue where Apache MultiViews could not be detected in the target server
- Fixed the incorrect Cookie Expire Date set during Form Authentication
- Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
- Fixed a Content-Type parsing issue in Form Authentication
- Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
- Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
- Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
- Fixed an Out of Memory issue that occurred while trying to view a large document
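Two items in this release concern passive checks that are easy to get subtly wrong: CSP must be looked for in response headers even when the body is empty (it is not only declared in meta tags), and the Cookie Not Marked as Secure finding is rated differently for session and non-session cookies. The following is an added example, not Netsparker's own code, showing how such checks can be written. The session-cookie name heuristic, the meta-tag regex and the severity labels ("Low" for a session cookie, "Information" for a non-session cookie) are assumptions made for this example; the page does not state the scanner's actual rules.

```python
import re

# Constructed sample responses (not captured from any real site). Headers are
# kept as (name, value) pairs so repeated Set-Cookie headers survive intact.
EMPTY_RESPONSE_WITH_CSP = {
    "status": 204,
    "headers": [("Content-Security-Policy", "default-src 'self'")],
    "body": "",
}
META_ONLY = {
    "status": 200,
    "headers": [("Content-Type", "text/html")],
    "body": '<html><head><meta http-equiv="Content-Security-Policy" '
            'content="default-src \'none\'"></head></html>',
}
NO_CSP = {
    "status": 200,
    "headers": [("Content-Type", "text/html"),
                ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/; HttpOnly"),
                ("Set-Cookie", "theme=dark; Path=/; Max-Age=3600")],
    "body": "<html></html>",
}

# Assumed regex for a CSP declared via a <meta http-equiv> tag (attribute order may vary).
META_CSP_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?content-security-policy["\']?[^>]*>', re.I)

# Assumed heuristic: cookie names that look like they carry a session identifier.
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|jwt|login)", re.I)


def csp_source(response):
    """Return 'header', 'meta' or None depending on where a CSP is declared.

    Headers are inspected first and regardless of body length: a policy can be
    delivered on an empty response (e.g. 204 or a redirect), so skipping
    empty bodies would miss the header case entirely."""
    for name, value in response["headers"]:
        if name.lower() == "content-security-policy" and value.strip():
            return "header"
    if META_CSP_RE.search(response.get("body") or ""):
        return "meta"
    return None


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def classify_cookie(set_cookie_value):
    """Return a finding dict for a cookie lacking the Secure flag, else None.

    A cookie whose name suggests a session identifier is rated higher than
    other cookies; the labels below are assumptions for this example."""
    name, attrs = parse_set_cookie(set_cookie_value)
    if "secure" in attrs:
        return None
    is_session = bool(SESSION_NAME_RE.search(name))
    return {
        "cookie": name,
        "session_cookie": is_session,
        "severity": "Low" if is_session else "Information",
    }


def scan_response(response):
    """Aggregate the two passive checks over one response."""
    findings = []
    if csp_source(response) is None:
        findings.append({"check": "CSP Not Implemented", "severity": "Information"})
    for name, value in response["headers"]:
        if name.lower() == "set-cookie":
            finding = classify_cookie(value)
            if finding:
                finding["check"] = "Cookie Not Marked as Secure"
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, resp in (("empty+csp", EMPTY_RESPONSE_WITH_CSP),
                        ("meta", META_ONLY), ("no csp", NO_CSP)):
        print(label, csp_source(resp), scan_response(resp))
```

The CSP check deliberately does not short-circuit on an empty body, which is the behaviour change the release note describes; the cookie classifier only downgrades, never suppresses, the finding for non-session cookies.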
Netsparker 126.96.36.19974 - 21st September 2018
- Improved licensing diagnostics mode
- Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
- Fixed an issue that causes Netsparker to fail to add certain pages to the sitemap when using the Manual Crawling
Netsparker 188.8.131.5262 - 19th September 2018
- Fixed the issues on computers where FIPS compliance is required
- Fixed the incorrect button positions on Website Checker dialog displayed during license activation
Netsparker 184.108.40.20617 - 13th September 2018
- Improved the list of resources discovered by the resource finder.
- Fixed an issue that caused legacy trial license activation failure.
- Fixed a FormatException thrown when a scan was started using a trial license.
- Fixed an issue where, when frame vulnerabilities were detected via DOM, it was not possible to locate the source code.
- Fixed an XPathException caused by an input node with special characters.
- Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
- Fixed a NullReferenceException thrown by the DOM parser component.
- Fixed the problem where manually crawled pages were not updated in the Sitemap.
Netsparker 220.127.116.1194 - 12th September 2018
- Added Bulk Export to Cloud feature
- Added Scan Speed graph
- Added Send To integration support for ServiceNow
- Added custom field support for Send To fields
- Added a Go to Identification Page button next to the Go to Parent link of the currently selected link
- Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities
NEW SECURITY CHECKS
- Added Out of Band Server Side Template Injection security checks
- Added signature detection check for Caddy web server
- Added signature detection check for aah go server
- Added signature detection check for JBoss application server
- Added CakePHP framework detection
- Added CakePHP version disclosure detection
- Added CakePHP out-of-date version detection
- Added CakePHP Stack Trace Disclosure
- Added CakePHP default page detection
- Added Out of Date checks for CKEditor 5
- Updated the licensing model
- Updated .NET Framework version requirement to 4.7.2.
- Improved the user interface by reducing the number of borders between panels
- Added more information to the window where Cloud integration is conducted
- Improved the design of vulnerability details
- Added a link to Cloud scan URL when a scan is exported to the Cloud
- Improved the list of resources found by the Resources Finder
- Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
- Added Hawk configuration validation to the Scan Optimizer
- The state of vulnerability nodes is updated across the Sitemap and Issues trees when they are ignored or included in the scan
- All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
- Dialog locations and sizes are remembered each time you reopen Netsparker
- Added Request Method column to the Vulnerabilities List CSV report
- Added vulnerability severity to email Send To action template
- Added URL validation to Target URL textbox in the Start a New Scan dialog
- Updated Vulnerabilities List CSV report template to display attack parameter only
- Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
- A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
- Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
- Variation count is included in the total vulnerability count in Detailed Scan Report
- Improved LFI Exploitation panel usability
- Added tokenized deletion using Ctrl + Backspace to Target URL text box
- Variation count included in the total count in report templates
- Improved the error message displayed when the retest fails if Form Authentication fails
- Added Link Count to the Scan Summary dashboard
- Added not found Link Count to the Scan Summary dashboard
- Controlled scan shows the detected vulnerability count on parameters after it has finished
- Improved the error message displayed when an incorrect command line argument is supplied
- Added Label field for JIRA Send To actions
- Added Tags field for Manuscript (FogBugz) Send To actions
- Added WorkItem Tags field for TFS Send To actions
- Added Disable Resource Finder button to the Scan Policy Editor
- Added a Max Fail limit to Retest All so it does not abort after one retest has failed
- Ignored vulnerabilities are excluded from Retest All
- Improved SQL Injection proof data by stripping HTML tags
- Controlled scan can be started for vulnerabilities that have no parameters
- Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
- Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
- Added Copy and Copy Value context menu items to Headers' request and response viewers
- Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
- Improved CSRF token detection in cookie values
- Improved the error details displayed when link import fails
- Fixed the incorrect Content-Type header sent during Form Authentication requests
- Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected
- Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
- Fixed the WAF rule generated for TRACE/TRACK HTTP methods, which was also blocking the other HTTP methods
- Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
- Fixed several usability issues on the Short File Names exploitation panel
- Fixed the error where the ExpectCT header was reported as an interesting header
- Fixed the Multiple File Open Dialog high DPI issues
- Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
- Fixed the incorrect number on the Detailed Scan report template's instance column
- Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
- Fixed the issue where the Controlled Scan would not start on a link node
- Fixed high DPI issues on Scan Policy Optimizer wizard
- Fixed the issue where the style of child nodes was not updated when the vulnerability was ignored
- Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
- Fixed the report templates that included ignored vulnerabilities in statistics
- Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
- Fixed several dock panel issues
- Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
- Fixed the Critical Vulnerability Count in report templates
- Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
- Fixed a highlighting issue for vulnerabilities that display multiple responses
- Fixed an incorrect possible LFI vulnerability when the response was redirected
- Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
- Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
- Fixed the broken case sensitivity check for crawled links
- Fixed a smartcard driver issue that occurred when the path contained space characters
- Fixed a FormatException that occurred while parsing cookies
- Fixed several incorrect Source Code Disclosure reports
- Fixed a JsonReaderException that occurred while trying to parse a Swagger document
- Fixed an ObjectDisposedException thrown when a tooltip was closing
- Fixed an ArgumentOutOfRangeException thrown while generating reports
- Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
- Fixed a double HTML encoding problem in the generated exploit template
- Fixed adding multiple empty rows to Additional Website settings
- Fixed parsing URLs with encoded chars
- Fixed the problem where scans could not be resumed when paused during the Recrawling phase
- Fixed hanging Open Redirect checks caused by binary responses
- Fixed double HTML encoding problem in the URL in the Detailed scan report template
- Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
- Fixed redundant Encode use in the report templates that caused double HTML encoding
- Fixed InvalidOperationException thrown when using Manual Crawling
- Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
- Fixed incorrect count of Proof List knowledge base
- Fixed the issue where XSS via RFI could not be detected with a certain payload
- Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
- Fixed the issue where a Swagger YAML file could not be imported
- Fixed vulnerabilities from the previous scan remaining on the sitemap when an incremental scan was started
- Fixed the cookie jar, which did not ignore a duplicated cookie based on the first cookie's HttpOnly flag
- Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
- Fixed the error where the activity time was not being updated during the extra confirmation phase
Netsparker 18.104.22.16826 - 21st June 2018
- Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
- Fixed an XmlException thrown while trying to restore UI layout.
- Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
- Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
- Fixed CORS security check retest issue where old response data were being used.
- Fixed a UriFormatException caused by an incorrect cloud integration server URL.
- Fixed an ArgumentOutOfRangeException that occurs when a URL with a backslash is entered on the Start New Scan dialog.
Netsparker 22.214.171.12476 - 7th June 2018
- Updated the Reporting API documentation.
- Fixed a DirectoryNotFoundException thrown while trying to restore layout.
- Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
- Fixed a highlighting related exception when there are no matches in the source code.
- Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.
Netsparker 126.96.36.19947 - 25th May 2018
- Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
- Fixed incorrect time and duration information of cloud scans.
- Fixed empty request/response issue for scans exported to cloud.
- Fixed the issue where the controlled scan would not start for selected links on the sitemap.
Netsparker 188.8.131.5240 - 17th May 2018
- Improved confirmation on time-based attacks.
- Fixed the percent encoding issue on Detailed Scan Report.
- Fixed stale custom report template buttons for templates that had been removed from disk.
- Fixed the InvalidOperationException caused by Expect CT IP endpoint highlighting.
- Fixed a NullReferenceException while generating sitemap tree.
- Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
- Fixed the selection issue on scan policy user agent settings.
- Fixed the FormatException when HTTP rate limits are set on a scan policy.
Netsparker 184.108.40.20657 - 10th May 2018
- Fixed an issue where old scan files fail to import.
- Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
- Fixed the UI being disabled when the Cloud is not reachable.
- Fixed blocked UI during VDB update check.
- Fixed copying URL Rewrite rules in knowledgebase by copying RegExp patterns with place holder patterns.
- Fixed opening the Scan Summary Dashboard when the root node is clicked in the sitemap tree.
- Fixed hiding backstage when export file dialog is canceled.
- Fixed an incorrect encoded space character on Detailed Scan Report.
- Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.
Netsparker 220.127.116.1126 - 9th May 2018
- Netsparker Cloud integration: ability to import and export scans between the scanners.
- New user interface with new skin and improved usability.
- Smart Card authentication support.
- Attack Radar panel that shows detailed attacking progress of security checks.
- Added the OWASP 2017 Top Ten classifications report template.
- Added Server-Side Template Injection (SSTI) vulnerability checks.
- Expect-CT security checks.
- Added various new web applications in the application version database.
- Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.
- Crawler can now parse multiple sitemaps in a robots.txt file.
- Improved the representation of POST, JSON and XML parameters on sitemap.
- Added support for opening links in all web browsers installed on the computer.
- Improved high DPI support.
- Improved sorting on Issues panel.
- New Extensions scan policy settings to specify which extensions should be crawled and attacked.
- Added activity status text for XSS and Open Redirect confirmation phases.
- Added target link address to status bar on vulnerability descriptions.
- Added "Import from Scan Session" option to populate form values based on an existing scan.
- Added support for parsing swagger documents in yaml format.
- Added Open Redirect and XSS confirmation timeout settings.
- Added support for parsing relative meta refresh URLs.
- Moved Knowledge base items to own panel.
- Improved the vulnerability summary section of Detailed Scan Report.
- Added "Copy to Clipboard" link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
- Improved the usability of User Agent scan policy settings.
- The favicon of the target website is shown in the sitemap tree.
- Added search capability to the Knowledge base details.
- Improved parsing of websites using React framework.
- Content-Security-Policy-Report-Only header is not reported as an interesting header.
- Added support for sending text to Encoder panel from other panels in the application.
- Added save report button to Knowledge base.
- Added "Ignore Authentication" option to Request builder.
- Added a hotkey to "Ignore from This Scan" menu.
- Added "Force User Agent" setting to force the selected User Agent value on scan policy.
- Added support for Postman v2.1 version.
- Scan logs in Logs panel are now saved along with scan file.
- Added an extra consistency check to ROBOT attacks.
- Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
- Improved the "Interesting Header" list support.
- Added anti-CSRF token support for Blind SQL Injection exploitation.
- Removed BOM from JSON and XML report templates.
- Improved the numbers reported on dashboard.
- Added summary table to several reports.
- Variations are retested before starting an incremental scan.
- Added multi-thread support to Controlled Scan.
- Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
- Added command line auto update option.
- Renamed FogBugz send to action to its new name Manuscript.
- Testing Send To actions now creates issues on target systems.
- GitHub Send to action now works with organization accounts and private repositories.
- Scan Policy and Report Policy editor dialogs remember their locations and sizes.
- Added support for handling HTTP 307 redirects.
- DS_STORE files are discovered and parsed.
- Improved MySQL double encoded string attacks.
- Fixed scheduled scans to prevent incorrect settings to be saved.
- Fixed the overflow issue of "Maximum 404 Signatures" scan policy setting.
- Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
- Fixed some possible vulnerabilities missing [Possible] indicator in title.
- Fixed the exception that occurs when importing scan file because the path has invalid chars.
- Fixed an ArgumentOutOfRangeException that occurred when the back button was clicked on the Scan Policy Optimizer.
- Fixed the incorrect "Exclude Branch" icon.
- Fixed the missing Host header issue on Request Builder.
- Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
- Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
- Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
- Fixed the issue where the parent vulnerability is struck out in the sitemap when a variation is fixed after a retest.
- Fixed the issue where some vulnerabilities that are not fixed come up as fixed after a retest.
- Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
- Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
- Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
- Fixed the issue where a variation node is not added to the Issues panel.
- Fixed incorrect average speed calculation on Detailed Scan Report.
- Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
- Fixed the issue where the same POST parameters appear twice in the Request Builder form.
- Fixed Hawk validation error by not following redirects.
- Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
- Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
- Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
- Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
- Fixed the SSL check hang on HTTP only hosts.
- Fixed LFI engine by not analyzing source code disclosure on binary responses.
- Fixed a validation issue for some Swagger documents.
- Fixed the issue where CSP keywords are not reported when used without single quotes.
- Fixed the issue where cookie header in raw request not added to the sqlmap command.
- Fixed the issue where the crawler keeps trying to crawl the target URL when Retry is clicked after a connection failure.
- Fixed incorrect source code disclosures reported in binary responses.
- Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
- Fixed out of date version reporting behavior when no ordinal is found in version database.
- Fixed Lighttpd version disclosure detection signatures.
- Fixed a Swagger parsing issue.
- Fixed broken proxy chaining in manual crawl mode.
Netsparker 18.104.22.16849 - 18th April 2018
Netsparker 22.214.171.12423 - 8th March 2018
- Added support for importing Postman v2.1 files.
- Added certificate extension aliases support to Client Certificate Authentication.
- Fixed an issue where certificates were not listed in the client certificates dropdown list.
- Fixed Netsparker Hawk validation issue.
Netsparker 126.96.36.19939 - 2nd February 2018
- Added a new report template - Detailed Vulnerabilities List in XML.
- Optimized ROBOT attack check performance.
- Improved React Controlled Field coverage in form authentication custom scripts.
- Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
- Fixed the disabled Retest menu item for vulnerabilities on Issues tree.
Netsparker 188.8.131.5282 - 28th December 2017
- Fixed a per-host certificate generation issue which rendered manual crawling unusable.
- Fixed an ArgumentNullException thrown from DOM simulation.
Netsparker 184.108.40.20602 - 22nd December 2017
NEW SECURITY CHECK
Netsparker 220.127.116.1167 - 13th December 2017
- Fixed the empty target URL text box on start new scan window on initial load.
- Fixed the hang issue caused by popup windows during form authentication.
- Fixed the exception that occurs when root directory node is excluded in sitemap.
- Fixed an exception thrown while shutting down the application.
- Fixed a NullReferenceException that occurred while trying to parse compressed sitemap files.
- Fixed a serialization exception that occurred while trying to load older scan files.
- Fixed the broken tooltip message on Custom Form Authentication Script dialog.
- Fixed the exception that occurs when importing scan file because the path has invalid chars.
- Fixed duplicate activities displayed while analyzing crawled pages.
Netsparker 18.104.22.16870 - 24th November 2017
- Users can now preconfigure local/session web storage data for a website.
- Added a new send to action to send e-mails.
- Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
- Added CSV file link importer.
- Added parsing of form values from a specified URL.
- Added custom root certificate support for manual crawling.
- Added gzipped sitemap parsing support.
NEW SECURITY CHECKS
- Added reflected "Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
- Added "Remote Code Execution in Apache Struts" security check (CVE-2017-5638).
- Renamed "Important" severity name to "High".
- Updated external references for several vulnerabilities.
- Improved default Form Values settings.
- Improved scan stability and performance.
- Added Form Authentication performance data to Scan Performance knowledgebase node.
- Added "Run only when user is logged on" option to the scan scheduling.
- Added a warning before the scan starting if there are out of scope links in imported links.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added "Alternates", "Content-Location" and "Refresh" response header parsing.
- Removed "Disable IE ESC" requirement on Windows server operating systems.
- Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added --batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Filtered out irrelevant certificates generated by Netsparker from client certificate selection dropdown on Client Certificate Authentication settings.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Added an option to export only PDF reports without HTML.
- Added -nohtml argument to CLI to create only pdf reports.
- Updated the Accept header value for default scan policy.
- CSS exclusion selectors now support frames and iframes.
- Added scan start time information to the dashboard.
- The Skip Phase button is now disabled if the current phase cannot be skipped.
- Added validation messages for invalid entries on start new scan dialog sections.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Added highlight support for password transmitted over HTTP vulnerabilities.
- Email disclosure will not be reported for email address used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Uninstaller now checks for any running instances.
- Internal proxy now serves the certificate used through HTTP echo page.
- Added spell checker for Report Policy Editor.
- Added an error page if any internal proxy exception occurs.
- Added more information about the HTML form and input for vulnerabilities found on HTML forms.
- Extensions on URLs are now handled by the custom URL rewrite rule wizard.
- Added Parameter Value column to Vulnerabilities List CSV report.
- Added match by HTML element id for form values.
- Improved Windows Short Filename vulnerability details Remedy section.
- Improved scan policy security check filtering by supporting short names of security checks.
- Improved Burp file import dialog by removing the file extension filter.
- Improved table column widths on several reports.
- Updated default User-Agent HTTP request header string.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
- Fixed the InvalidOperationException on application exit.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
- Fixed case sensitivity checks while matching ignored parameters; matching is now case sensitive.
- Fixed the incorrect progress bar value displayed when a scan is imported.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed up/down movement issue on Form Values when multiple rows are selected.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
- Fixed a NullReferenceException when an invalid raw request is entered in request builder.
- Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
- Fixed the issue where the response URL is displayed in the vulnerability details.
- Fixed the issue where some links were not excluded from scan from sitemap.
- Fixed the issue where a security check group was shown as enabled while all security checks within it were disabled.
- Fixed a random DOM simulation exception that occurred when the site creates popup windows.
- Fixed a RemotingException that occurred on the Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed the issue where searching the certificate store by subject name returned matches whose subject names were not exact.
- Fixed ESC key handling on message dialogs.
- Fixed huge parameter value deserialization memory usage.
- Fixed an issue with Load New License that occurred when the source and destination license files are the same.
- Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
- Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
- Fixed the wrong URLs added with only extension values.
- Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
- Fixed the message overflow issue in the out of scope link warning dialog.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed the incorrect Skip Current Phase button state when the scan phase is changed.
- Fixed the internal proxy throwing an exception when certain browsers do not send the full URL with the initial request.
- Fixed an issue in which the form authentication is not being triggered on retest.
- Fixed a StackOverflowException in the Swagger parser thrown while parsing objects containing circular references.
- Fixed a Swagger file parsing issue where the target URL should be used when the host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed the empty request/response displayed for some sitemap nodes with 404 response.
- Fixed the autocomplete issue in the Content-Type header in Request Builder.
- Fixed a NullReferenceException that occurred during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed show/hide issue for Dashboard and Sitemap panels.
- Fixed the issue where Retest All button disappears after a Retest.
- Fixed the issue where the dollar sign in imported URL is encoded after scan.
- Fixed the empty request/response header issue for links discovered during attacking.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException that may occur on iframe security checks.
- Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.