Netsparker Standard Change Log
Netsparker 4.8.0.13481 - 8th February 2017

FIXES

  • Fixed an issue on Custom Form Authentication script editor where an extra header sent causing some pages not to load.
  • Fixed a form authentication issue where cookies with same names were not updated.
  • Fixed an issue where vulnerability is not reported due to XML Content-Type which exploitation might not be possible.
  • Fixed a compatibility issue occurs while trying to load an old scan session file.
Netsparker 4.8.0.13394 - 31st January 2017

FIX

  • Fixed clipped Scan Policy Editor dialog issue on high DPI display settings.
Netsparker 4.8.0.13372 - 27th January 2017

Fixes

  • Fixed an InvalidOperationException which occurs on some specific setups.
  • Fixed several scan activity list issues and enhanced performance.
Netsparker 4.8.0.13253 - 19th January 2017

IMPROVEMENTS

  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.

FIXES

  • Fixed a crash which occurs when too many elements are nested in the HTTP response.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
Netsparker 4.8.0.13134 - 12th January 2017

New Features

  • Included support for the Netsparker Hawk infrastructure for detection of SSRF and OOB vulnerabilities.
  • Support for importation of Postman files.
  • Added "Copy as cURL" context menu item to sitemap.
  • Added "Copy sqlmap Payload" context menu item for SQL Injection vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section for Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.

New Security Checks

  • New security checks for Server Side Request Forgery (SSRF) vulnerability
  • New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
  • Added "Missing object-src in CSP Declaration" vulnerability detection.
  • Added "Apache Multiple Choices" vulnerability detection.
  • Added "Stored DOM based XSS" vulnerability detection.

Improvements

  • Improved the message displayed when trying to open an invalid session file.
  • Added /nopdf command line switch to prevent generating PDF reports while performing automated scans.
  • Added AttackPattern.GetAllEngines() and AttackPattern.GetAllPatterns() methods to reporting API to get the list of engine and pattern IDs.
  • Added "Test Credentials" support for Basic, NTLM/Kerberos authentication configuration screen.
  • Added progress dialog for importing links.
  • Improved the performance of several link importers.
  • Added global proxy options under Tools > Options to configure an application wide proxy.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers where redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Added SSL protocol selection for scan policies.
  • Added context menu items to the Report Policy Editor to multiple selected vulnerabilities by severity.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.

Bug Fixes

  • Fixed an issue where a multiple cookies issue should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed a request builder issue where the credentials on URL were not preserved.
  • Fixed a request builder issue where the port number change is not reflected to raw request tab.
  • Fixed a NullReferenceException which may have been thrown while closing the splash screen.
  • Fixed a NullReferenceException which may have been thrown while updating activities on scan summary dashboard.
  • Fixed clipped texts on several windows while using higher DPI settings.
  • Fixed a request builder issue where the port on pasted URL is not parsed.
  • Fixed a request builder issue where Cookie request header is not sent.
  • Fixed a request builder issue where Cache-Control request header value was being duplicated.
  • Fixed an HTTP response reading issue where the response could not be read when only BOM bytes are sent on first read attempt.
  • Fixed the list on LFI exploitation panel where the same files were being duplicated.
  • Fixed an issue in report policy editor that causes CVSS editing controls to disappear.
  • Fixed a NullReferenceException on scan policy editor dialog thrown while clicking select inverse context menu on some security check groups.
  • Fixed an issue where a false-positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an issue where the vulnerabilities found on a scan lingers to the next scan started.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed a hang issue occurs when too many email addresses found on the response.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed a scan profile load issue occurs when a link with binary body is imported.
  • Fixed the table layout on comparison report which was having too wide columns when the URLs were too long.
  • Fixed the duplicate request issue on "AJAX / XML HTTP Requests" knowledge base report.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed an ArgumentOutOfRangeException thrown while trying to match the redirected URL to configured logout detection pattern.
Netsparker 4.7.1.12478 - 11th November 2016

FIXES

  • Fixed a hang issue occurs on some configurations.

Netsparker 4.7.1.12400 - 2nd November 2016

FIXES

  • Fixed an issue that occurs during the attacking phase where all threads cannot be utilized.
  • Fixed handling of blob: protocol on DOM simulation.

Netsparker 4.7.1.12382 - 1st November 2016

New Technical Check

Improvements

  • Improved the Content Security Policy (CSP) and "Misconfigured Access-Control-Allow-Origin Header" vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Team Foundation Server Send To action now populates severity and repro steps fields.
  • Improved report generation dialog by remembering the last used settings separately for each report type.
  • Added "Copy as cURL" context menu item to site map.
  • Added support for HTTP POST method while using Open in Browser site map context menu option.
  • Added support for attacking to User-Agent and Referer request headers.
  • Improved scan session export dialog by suggesting default file names.
  • Improved the coverage of the boolean SQL injection vulnerability engine.
  • Improved GitHub send to configuration by check the existence of the specified repository.

Fixes

  • Fixed various encoding issues on request builder.
  • Fixed the splash screen issue where it opens on wrong monitor on multi monitor setups.
  • Fixed External CSS, Script and Frame knowledge base items which do not consider the port while performing checks.
  • Fixed the missing method values on vulnerability summary table of reports.
  • Fixed the missing dashboard statistics when a scan session is imported.
  • Fixed the site map Copy URL issue for some nodes which were missing URL information.
  • Fixed a hang that may occur when windows gets locked, goes to sleep or hibernation.
  • Fixed an issue with auto save where scan is not saved during the extra confirmation phase.
  • Fixed an issue in open redirect detection where incorrect URLs may also be reported.
  • Fixed the zero progress bar issue on loaded scan files.
  • Fixed various CSP vulnerability highlight issues.
  • Fixed an issue related with form authentication which prevents logout detection during attacking phase.
  • Fixed an issue related with temp file generation.
  • Fixed an Local File Inclusion vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an extra tab on Scanned URLs List (CSV) report template.
  • Fixed the size of scan policy editor dialog on screens with high DPI.
  • Fixed the incorrect severity icon on site map when a vulnerability is selected.
  • Fixed an incorrect retest result occurs when the target web site is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
  • Fixed the remaining registry keys after uninstall.
Netsparker 4.7.0.12284 - 21st October 2016

IMPROVEMENTS

  • Improved vulnerability templates.
  • Added support for sending vulnerabilities to JIRA when JIRA is homed at a path instead of the root.
  • Added support for detecting requests made to blob-schemed URIs during DOM simulation.

FIXES

  • Fixed missing external references on some vulnerability templates.

Netsparker 4.7.0.12177 - 12th October 2016

FIXES

  • Fixed the issue where HTTPS protocol is enforced while using JIRA Send To action.
  • Fixed an issue where print dialogs could be displayed during scans.
  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.

Netsparker 4.7.0.12133 - 7th October 2016

FIXES

  • Fixed an issue where some scan files from older versions cannot be opened with the latest version.
  • Fixed an issue with TFS Send To action when the project name contains spaces.

Netsparker 4.7.0.12092 - 5th October 2016

FIXES

  • Fixed an issue which prevents resource files (report templates, etc.) updates.

Netsparker 4.7.0.12081 - 3rd October 2016

NEW FEATURES

NEW SECURITY CHECKS

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Netsparker to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain amount of requests are logged.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Added "Attacked Parameters" column to "Scanned URLs List" report.
  • Improved Manual Crawl (Proxy Mode) feature to work as passive and not re-issue the requests made during manual crawl phase.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed the missing GET parameter request builder issue occurs when a full querystring/URL attack request is sent.
  • Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
  • Fixed a DOM simulation issue occurs when there is a form element with name "action" on target web page.
  • Fixed the duplicate cookie issue occurs while using Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException on occurs during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses are unable to display for file upload vulnerability.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.

Netsparker 4.6.1.11435 - 26th July 2016

FIXES

  • Fixed an issue in which Netsparker crashes when using the Korean interface and trying to start a scan or load a scan file.

Netsparker 4.6.1.11314 - 13th July 2016

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where "Enable Raw Request Body" option is initially selected when a GET request is dropped on the builder.

Netsparker 4.6.1.11262 - 30nd June 2016

NEW FEATURES

  • Added the HTTP Request Builder penetration testing tool.
  • Added a button on start new scan dialog to open target URL on default web browser.
  • Added a new activity type group called "Passive Analysis" which shows the analysis activity of attack responses.

IMPROVEMENTS

  • Improved the "HTML Base Tag Hijacking" vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of "Redirect Body Too Large" vulnerability.

FIXES

  • Fixed an issue in which the editing of a report policy can cause some external references to be removed unintentionally.
  • Fixed an issue in which multiple tabs on the web browser could be opened while trying to open a vulnerability URL.
  • Fixed a comparison report issue in which charts were not being generated according to selected report policy.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed a report policy editor bug where clicking check all/none affects the vulnerability types that are not currently displayed.
  • Fixed an issue where the vulnerability types disabled on current report policy were affecting the number of vulnerability count on "Issues" panel title.

Netsparker 4.6.0.11151 - 22nd June 2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click "button" HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on "Report Policy Editor".
  • Fixed the incompatibility issues of "Report Policy Editor" on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.

Netsparker 4.6.0.11104 - 16th June 2016

NEW FEATURES

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Netsparker instance for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
  • Fixed the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed issue.
  • Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though "Analyze JavaScript / AJAX" option is not checked.
  • Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where XSS proof URL was missing alert function call.
  • Fixed a typo on "Base Tag Hijacking" vulnerability template.
  • Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.

Netsparker 4.5.10.10777 - 11th May 2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Update the PCI Compliance report template with the details of PCI DSS version 3.2
Netsparker 4.5.10.10702 - 5th May 2016

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)