Netsparker 4.5.8.10229 - 9th March 2016

SECURITY CHECKS

    • Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
    • Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
    • Added version checks for OpenCart web application

IMPROVEMENTS

  • Improved JavaScript/DOM simulation and DOM XSS attacks
  • Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added support for specifying client certificate authentication certificate for manual crawling
  • Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
  • Added "Custom Not Found Analysis" activities to UI
  • Improved "Open in Browser" for XSS vulnerabilities and produced a vulnerable link with alert function
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Improved the loading performance of Start New Scan dialog
  • Added support for reordering form values to denote precedence
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

FIXES

  • Fixed an out of disk space issue which occurs while writing logs
  • Fixed the "scan will be paused" warning for a scan that is already paused
  • Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
  • Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
  • Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
  • Fixed the issued requests which gets a timeout do not display any details on "HTTP Request / Response" tab
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Netsparker was making requests to addresses that are generated by its own attacks
  • Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
  • Fixed elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledgebase while doing manual crawling
  • Fixed the issue of unsigned eowp.exe shipped with installer
  • Fixed an ArgumentOutOfRangeException occurs on schedule dialog when a report template with an incorrect file name exists
  • Fixed the stacked severity bar chart on "Detailed Scan Report" gets split and overflows to the second page
  • Fixed HSTS engine where an http:// request may cause to loose current session cookie
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issues of delegated events not simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Netsparker are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
  • Fixed the issue of "Strict-Transport-Security" is being reported as "Interesting Header"
  • Fixed some Korean vulnerability templates which are wrong formatted
  • Fixed the broken HIPAA classification link