Netsparker Standard Change Log
Netsparker 5.0.0.19557 - 10th May 2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed disabled UI where Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in knowledgebase by copying RegExp patterns with place holder patterns.
  • Fixed opening Scan Summary Dashboard when clicked root node from sitemap tree.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.
Netsparker 5.0.0.19526 - 9th May 2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added "Import from Scan Session" option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added "Copy to Clipboard" link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • Favicon of the target website shown to sitemap tree.
  • Search capability in the Knowledge base details.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added "Ignore Authentication" option to Request builder.
  • Added a hotkey to "Ignore from This Scan" menu.
  • Added "Force User Agent" setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the "Interesting Header" list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings to be saved.
  • Fixed the overflow issue of "Maximum 404 Signatures" scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed an ArgumentOutOfRangeException occurs when the back button clicked on the Scan Policy Optimizer.
  • Fixed the incorrect "Exclude Branch" icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where parent vulnerability is striked out in sitemap when a variation is fixed after retest.
  • Fixed the issue where some vulnerabilities that are not fixed comes up as fixed after retest.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where same post parameters appears twice in the request builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where cookie header in raw request not added to the sqlmap command.
  • Fixed the issue where crawler keeps trying to crawl target URL when clicked Retry if there is a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.
Netsparker 4.9.5.19049 - 18th April 2018

FIX

Netsparker 4.9.5.18523 - 8th March 2018

IMPROVEMENTS

  • Added support for importing Postman v2.1 files.
  • Added certificate extension aliases support to Client Certificate Authentication.

FIXES

  • Fixed certificates not listing in the client certificates dropdown list issue.
  • Fixed Netsparker Hawk validation issue.
Netsparker 4.9.5.18039 - 2nd February 2018

IMPROVEMENTS

  • Added a new report template - Detailed Vulnerabilities List in XML.
  • Optimized ROBOT attack check performance.
  • Improved React Controlled Field coverage in form authentication custom scripts.

FIXES

  • Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
  • Fixed the disabled Retest menu item for vulnerabilities on Issues tree.

Netsparker 4.9.5.17582 - 28th December 2017

FIXES

  • Fixed perhost certificate generation issue which renders manual crawling unusable.
  • Fixed an ArgumentNullException thrown from DOM simulation.
Netsparker 4.9.5.17502 - 22nd December 2017

NEW SECURITY CHECK

IMPROVEMENTS

  • Improved performance of huge JavaScript file parsing.
  • Improved custom form authentication scripting support for pages using React JavaScript framework.
Netsparker 4.9.5.17367 - 13th December 2017

NEW FEATURE

  • Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.

IMPROVEMENT

  • Improved the parsing of large JavaScript files.

FIXES

  • Fixed the empty target URL text box on start new scan window on initial load.
  • Fixed the hang issue caused by popup windows during form authentication.
  • Fixed the exception that occurs when root directory node is excluded in sitemap.
  • Fixed an exception thrown while shutting down the application.
  • Fixed a NullReferenceException occurs while trying to parse compressed sitemap files.
  • Fixed a serialization exception issue occurs while trying to load older scan files.
  • Fixed the broken tooltip message on Custom Form Authentication Script dialog.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed duplicate activities displayed while analyzing crawled pages.
Netsparker 4.9.5.17070 - 24th November 2017

NEW FEATURES

  • Users can now preconfigure local/session web storage data for a website.
  • Added a new send to action to send e-mails.
  • Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
  • Added CSV file link importer.
  • Parsing of form values from a specified URL.
  • Added custom root certificate support for manual crawling.
  • Added gzipped sitemap parsing support.

NEW SECURITY CHECKS

  • Added reflected "Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
  • Added "Remote Code Execution in Apache Struts" security check. (CVE-2017-5638).

IMPROVEMENTS

  • Renamed "Important" severity name to "High".
  • Updated external references for several vulnerabilities.
  • Improved default Form Values settings.
  • Improved scan stability and performance.
  • Added Form Authentication performance data to Scan Performance knowledgebase node.
  • Added "Run only when user is logged on" option to the scan scheduling.
  • Added a warning before the scan starting if there are out of scope links in imported links.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added "Alternates", "Content-Location" and "Refresh" response header parsing.
  • Removed "Disable IE ESC" requirement on Windows server operating systems.
  • Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Filtered out irrelevant certificates generated by Netsparker from client certificate selection dropdown on Client Certificate Authentication settings.
  • Added highlighting for detected out of date JavaScript libraries.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Added an option to export only PDF reports without HTML.
  • Added -nohtml argument to CLI to create only pdf reports.
  • Updated the Accept header value for default scan policy.
  • Added CSS exclusion selector supports frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added scan start time information to the dashboard.
  • Skip Phase button is disabled if the phase cannot be skipped.
  • Added validation messages for invalid entries on start new scan dialog sections.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Added highlight support for password transmitted over HTTP vulnerabilities.
  • Email disclosure will not be reported for email address used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Uninstaller now checks for any running instances.
  • Internal proxy now serves the certificate used through HTTP echo page.
  • Added spell checker for Report Policy Editor.
  • Added an error page if any internal proxy exception occurs.
  • Added more information about the HTML form and input for vulnerabilities found on HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Extensions on the URLs are handled by the custom URL rewrite rule wizard.
  • Added Parameter Value column to Vulnerabilities List CSV report.
  • Added match by HTML element id for form values.
  • Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • Improved scan policy security check filtering by supporting short names of security checks.
  • Improved Burp file import dialog by removing the file extension filter.
  • Improved table column widths on several reports.
  • Updated default User-Agent HTTP request header string.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

FIXES

  • Fixed the InvalidOperationException on application exit.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
  • Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
  • Fixed the incorrect progress bar value displayed when a scan is imported.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed up/down movement issue on Form Values when multiple rows are selected.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
  • Fixed a NullReferenceException when an invalid raw request is entered in request builder.
  • Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
  • Fixed the issue where the response URL is displayed in the vulnerability details.
  • Fixed the issue where some links were not excluded from scan from sitemap.
  • Fixed enabled security check group with all security checks within are disabled.
  • Fixed a random DOM simulation exception occurs when site creates popup windows.
  • Fixed a RemotingException occurs on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed certificate search in store by subject name returns matches without exact subject names.
  • Fixed ESC key handling on message dialogs.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed an issue with Load New License occurs when the source and destination license files are same.
  • Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
  • Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
  • Fixed the wrong URLs added with only extension values.
  • Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
  • Fixed the message overflow issue in the out of scope link warning dialog.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed the incorrect Skip Current Phase button state when scan phase is changed
  • Fixed internal proxy throwing when certain browsers do not send the full URL with the initial request.
  • Fixed an issue in which the form authentication is not being triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed the empty request/response displayed for some sitemap nodes with 404 response.
  • Fixed the autocomplete issue in Content-Type header in Request builder
  • Fixed a NullReferenceException occurs during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed show/hide issue for Dashboard and Sitemap panels.
  • Fixed the issue where Retest All button disappears after a Retest.
  • Fixed the issue where the dollar sign in imported URL is encoded after scan.
  • Fixed the empty request/response header issue for links discovered during attacking.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException may occur on iframe security checks.
  • Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.
Netsparker 4.9.1.16896 - 11th November 2017

NEW SECURITY CHECK

  • Added more Command Injection and Blind Command Injection patterns for Windows systems.
Netsparker 4.9.1.16523 - 11th October 2017

IMPROVEMENT

  • Updated vulnerability database to latest version.
Netsparker 4.9.1.16500 - 9th October 2017

FIX

  • Fixed the incorrect percentage encoding on Detailed Scan Report template.
Netsparker 4.9.1.16476 - 6th October 2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).

IMPROVEMENTS

  • Improved the stability of DOM and JavaScript simulation.
  • Improved report templates.
Netsparker 4.9.1.16290 - 22nd September 2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
Netsparker 4.9.1.16145 - 18th September 2017

FIX

  • Fixed an out of memory issue.
Netsparker 4.9.1.16090 - 13th September 2017

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos "Test Credentials" button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed the incorrect links parse on JavaScript source map files.
Netsparker 4.9.1.15947 - 24th August 2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved "Enter Links" dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on "Issues" panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now reports missing preload directives.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against to public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled "Start Proxy" button when Netsparker is opened after an application crash.
  • Fixed directory listing is not reported issues on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the problem where the unique links added twice while importing Postman files.
  • Fixed the "Property set method not found" that occurs while using FogBugz send to action
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.
Netsparker 4.9.0.15474 - 19th July 2017

IMPROVEMENTS

  • Enhanced and fixed several DOM simulations.
  • Removed redundant SSL logs caused by HSTS security checks.
  • Improved localization capabilities of Report Policy Editor.
Netsparker 4.9.0.15101 - 12th of June 2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added hex editor view for requests on request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the "Open in Browser" context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where the error dialog should not be shown while switching tabs if the raw request is empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixes an issue where blacklisted Netsparker attacks prevent further source code disclosures in HTML response.
  • Fixed the splash screen which stays open when Netsparker is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
Netsparker 4.8.1.14376 - 6th April 2017

New Security Check

  • Added new vulnerability checks for Apache Struts framework vulnerabilities.

Improvements

  • Added JSON format option for "Crawled URL(s) List", "Scanned URL(s) List" and "Vulnerabilities List" report templates.
  • Improved Blind SQL Injection detection for MySQL databases.

Fixes

  • Fixed the incorrect weak signature algorithms reported for root certificates.
  • Fixed the broken editing capabilities on report policy editor.
  • Fixed the empty activity list issue during scans.
  • Fixed the missing custom cookie issue on imported scans.