Netsparker 3.1.1 - 20th November 2013

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added support for parsing and attacking JSON and XML request payloads

  • CSRF engine is added

  • HTML5 engine is added

  • Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, Wordpress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)

  • Added Dynamic Payload - Slash/Backslash LFI patterns

NEW FEATURES

  • Added support for new HTML5 input types

  • Most of the global settings now moved to scan policy and they can be set per scan basis

  • Added a new knowledge base item where all out of scope links in current scan are listed with the reasons

  • Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted

  • Added a new knowledge base item where frames with external URLs are reported

  • Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported

  • Added support for cookies set by meta tags

  • Added support for generating multiple reports at a time using command line

  • Added support for updating vulnerability database without requiring to update the application

  • Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

  • DOM parser simulation is improved

  • Attack possibility calculation is improved

  • Rendering in severity bar chart in scan summary dashboard is improved

  • Added late confirmation support for Blind Command Injection engine

  • DOM parser print dialog prevention improved

  • Browser View tab now shows XML responses in a tree view

  • Tweaked sleep tolerance value of time based engines

  • Improved the impact sections of most of the vulnerability templates

  • Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor

  • Form inputs listed under knowledge base are now grouped by their types

  • Improved PHP Source Code Disclosure pattern

  • Improved DOM parser to extract textarea elements

  • Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags

  • Improved LFI confirmation patterns

  • Improved XSS confirmation for Full URL and Full Query String attacks

  • Optimized XSS confirmation phase to skip redundant patterns

  • Improved binary response detection

  • Added limit controls to the knowledge base items to prevent performance degradation of excessive amounts of items

  • Default user agent string is set to the one used in IE8

  • Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests

  • Improved multipart/form-data request parsing

  • Improved threading code in DOM parser and made DOM parser run in multiple processes

  • Improved Knowledge base user interface

  • Improved form value pattern for URL inputs

  • Add vulnerability database version information to related vulnerability templates

  • Configure Form Authentication wizard clears persistent cookies when started

  • Added detailed crawling/attacking activity information to Scan Summary Dashboard

  • Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

  • Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file

  • Fixed a bug where reports generated after an auto pilot scan may contain missing items

  • Fixed a bug where Netsparker was telling "Scan Finished" even though Recrawling was still in progress

  • Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines

  • Fixed a NullReferenceException thrown from Knowledge Base when a scan imported from file

  • Fixed an issue where Error dialog was showing in autopilot mode

  • Fixed an issue where Auto Update dialog was showing in autopilot mode

  • Fixed a bug where DOM parser was failing to trigger click event for button elements

  • Fixed a bug where DOM parser was failing to extract value attribute for button elements

  • Fixed a bug where Possible LFI is reported for a binary file

  • Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders

  • Fixed a DOM parser issue where forms with empty action values are not captured

  • Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked

  • Fixed typo in "Only Entered Url" section of User Manual

  • Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons

  • Fixed a DOM parser issue where button element with empty value is parsed

  • Fixed scan policy editor to reject policies with empty names

  • Fixed include/exclude URLs list to reject empty patterns

  • Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel

  • Fixed a scan policy bug where cloning a policy doesn't copy the database type of Boolean SQL Injection engine

  • Fixed Burp importer where \r\n occurrences were normalized to \n chars.

  • Fixed Burp importer which was failing to parse headers properly

  • Fixed Burp importer which was failing with base64 encoded requests

  • Fixed Paros importer which was failing to parse POST request bodies with multiple lines

  • Fixed a bug where XSS payload is not executed in javascript context however reported as possible XSS

  • Fixed misleading status message in dashboard after file import

  • Fixed a bug in fingerprinting which was causing a NullReferenceException

  • Fixed an issue where Anti-CSRF token extraction didn't work in crawling

 

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.