Netsparker Standard Change Log
Netsparker 4.9.1.16090 - 13th September 2017

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos "Test Credentials" button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed the incorrect links parse on JavaScript source map files.
Netsparker 4.9.1.15947 - 24th August 2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved "Enter Links" dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on "Issues" panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now reports missing preload directives.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against to public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled "Start Proxy" button when Netsparker is opened after an application crash.
  • Fixed directory listing is not reported issues on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the problem where the unique links added twice while importing Postman files.
  • Fixed the "Property set method not found" that occurs while using FogBugz send to action
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.
Netsparker 4.9.0.15474 - 19th July 2017

IMPROVEMENTS

  • Enhanced and fixed several DOM simulations.
  • Removed redundant SSL logs caused by HSTS security checks.
  • Improved localization capabilities of Report Policy Editor.
Netsparker 4.9.0.15101 - 12th of June 2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added hex editor view for requests on request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the "Open in Browser" context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where the error dialog should not be shown while switching tabs if the raw request is empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixes an issue where blacklisted Netsparker attacks prevent further source code disclosures in HTML response.
  • Fixed the splash screen which stays open when Netsparker is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
Netsparker 4.8.1.14376 - 6th April 2017

New Security Check

  • Added new vulnerability checks for Apache Struts framework vulnerabilities.

Improvements

  • Added JSON format option for "Crawled URL(s) List", "Scanned URL(s) List" and "Vulnerabilities List" report templates.
  • Improved Blind SQL Injection detection for MySQL databases.

Fixes

  • Fixed the incorrect weak signature algorithms reported for root certificates.
  • Fixed the broken editing capabilities on report policy editor.
  • Fixed the empty activity list issue during scans.
  • Fixed the missing custom cookie issue on imported scans.
Netsparker 4.8.1.14104 - 16th March 2017

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in ASP.NET applications.
  • New security check for Time Based Server-Side Request Forgery.
  • Added Markdown Injection attack pattern to XSS engine.
  • Added a Code Evaluation check for Apache Struts framework.

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added type ahead search box for Security Check Groups on Scan Policy Editor.
  • Added "Send to Request Builder" context menu item for activities on scan activity pane.
  • Added input validation for placeholder patterns on Custom URL rewrite grid.
  • Added scheduling support for Incremental Scan feature.
  • Added the number of crawled links next to scanned host names on sitemap tree.
  • Improved code generation for form authentication custom scripts.
  • Improved proxy options UI. Now proxy address inputs can be pasted along with user credentials and port.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added an info message to Browser View tab that tells this view is a limited preview.
  • Added file parameter type support to Request Builder.
  • Added support for multiple report exporting to Scheduled Scans.
  • Added the number of vulnerability severities of current scan to status bar.
  • Added Copy URL and Copy as cURL context menu items to Imported Links grid.
  • Added pause scan button to interactive login dialog.
  • Improved sqlmap command generation by adding database server type parameter.
  • Start New Scan dialog is made resizable.
  • Added Search feature to Imported Links.
  • Added Cancel button for Request Builder.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
  • Added database specific queries for the selected SQLi vulnerability on exploitation panel.
  • Added a JavaScript scan policy option to filter events that are attached to "document" by name to a constant set of mousedown, keyup etc. to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added finding vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved coverage of Local File Inclusion engine so that a vulnerability can be found in a full url attack.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed PoC generation during post exploitation for time based SQLi checks.
  • Fixed incorrect bearer token log message on verify dialog even when bearer token detection is disabled.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed several issues related with splash screen to make sure it is hidden when the application is loaded.
  • Fixed a NullReferenceException thrown by logout detection while trying to close the application.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed an issue where the new link nodes added under an excluded branch on sitemap tree were not excluded.
  • Fixed the misleading message that is shown when a manual crawling scan is started, Form Authentication feature no more requires installing a certificate to your computer.
  • Fixed IndexOutOfRangeException thrown while trying to open Scan Policy Editor dialog if the UI language is set to Korean.
  • Fixed keyboard tab order on Form Authentication settings.
  • Fixed an issue where injection HTTP response displays an empty string because deserialized file does not contain the HTML response of the attack.
  • Fixed typos in CSP vulnerability templates.
  • Fixed the broken impacts table on Executive Summary Report PDF when the table spans 2 pages.
  • Fixed several issues related with report policy naming when the name is invalid or too long.
  • Fixed generated blank pages on PDF reports.
  • Fixed OperationCanceledException thrown during extra confirmation.
  • Fixed UI glitches on form authentication Custom Script dialog caused when splitters are resized.
  • Fixed several Request Builder issues.
  • Fixed Test Credentials button on basic authentication settings which does not send Authorization request header if Do Not Expect Challange check box is checked.
  • Fixed the ignored email are still reported on knowledge base issue.
  • Fixed a bug where double encoded attacks are not exploitable in browser when proof URL is clicked.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query which expects an integer result is no longer giving failure for PostgreSQL database.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed a TargetInvocationException thrown when a new license is trying to be loaded using Help > Load New License menu item.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed an ArgumentException thrown by DOM XSS checks when the web site is crawled using manual crawling mode.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the incorrect auto update notification even when you have a more up-to-date version of the application.
  • Fixed the large right margin on Knowledge Base Report (PDF) summary page.
  • Fixed the splash screen that is shown in front of the trial popup message.
  • Fixed the performance issues of recrawling related to DOM XSS checks on web sites with lots of links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed a retest issue where all parameters of the link were being retested whereas only the vulnerable parameter must be retested.
  • Fixed the visual glitch occurs on Imported Links section upon importing new links.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
  • Fixed an issue where Boolean SQLi vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
Netsparker 4.8.0.13634 - 16th February 2017

FIXES

  • Fixed a Web App Fingerprinter issue causing degraded performance.
Netsparker 4.8.0.13588 - 14th February 2017

FIXES

  • Fixed a form authentication issue where the URL in Location response header is followed even if status code is not a redirection status code.

Netsparker 4.8.0.13481 - 8th February 2017

FIXES

  • Fixed an issue on Custom Form Authentication script editor where an extra header sent causing some pages not to load.
  • Fixed a form authentication issue where cookies with same names were not updated.
  • Fixed an issue where vulnerability is not reported due to XML Content-Type which exploitation might not be possible.
  • Fixed a compatibility issue occurs while trying to load an old scan session file.
Netsparker 4.8.0.13394 - 31st January 2017

FIX

  • Fixed clipped Scan Policy Editor dialog issue on high DPI display settings.
Netsparker 4.8.0.13372 - 27th January 2017

Fixes

  • Fixed an InvalidOperationException which occurs on some specific setups.
  • Fixed several scan activity list issues and enhanced performance.
Netsparker 4.8.0.13253 - 19th January 2017

IMPROVEMENTS

  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.

FIXES

  • Fixed a crash which occurs when too many elements are nested in the HTTP response.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
Netsparker 4.8.0.13134 - 12th January 2017

New Features

  • Included support for the Netsparker Hawk infrastructure for detection of SSRF and OOB vulnerabilities.
  • Support for importation of Postman files.
  • Added "Copy as cURL" context menu item to sitemap.
  • Added "Copy sqlmap Payload" context menu item for SQL Injection vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section for Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.

New Security Checks

  • New security checks for Server Side Request Forgery (SSRF) vulnerability
  • New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
  • Added "Missing object-src in CSP Declaration" vulnerability detection.
  • Added "Apache Multiple Choices" vulnerability detection.
  • Added "Stored DOM based XSS" vulnerability detection.

Improvements

  • Improved the message displayed when trying to open an invalid session file.
  • Added /nopdf command line switch to prevent generating PDF reports while performing automated scans.
  • Added AttackPattern.GetAllEngines() and AttackPattern.GetAllPatterns() methods to reporting API to get the list of engine and pattern IDs.
  • Added "Test Credentials" support for Basic, NTLM/Kerberos authentication configuration screen.
  • Added progress dialog for importing links.
  • Improved the performance of several link importers.
  • Added global proxy options under Tools > Options to configure an application wide proxy.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers where redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Added SSL protocol selection for scan policies.
  • Added context menu items to the Report Policy Editor to multiple selected vulnerabilities by severity.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.

Bug Fixes

  • Fixed an issue where a multiple cookies issue should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed a request builder issue where the credentials on URL were not preserved.
  • Fixed a request builder issue where the port number change is not reflected to raw request tab.
  • Fixed a NullReferenceException which may have been thrown while closing the splash screen.
  • Fixed a NullReferenceException which may have been thrown while updating activities on scan summary dashboard.
  • Fixed clipped texts on several windows while using higher DPI settings.
  • Fixed a request builder issue where the port on pasted URL is not parsed.
  • Fixed a request builder issue where Cookie request header is not sent.
  • Fixed a request builder issue where Cache-Control request header value was being duplicated.
  • Fixed an HTTP response reading issue where the response could not be read when only BOM bytes are sent on first read attempt.
  • Fixed the list on LFI exploitation panel where the same files were being duplicated.
  • Fixed an issue in report policy editor that causes CVSS editing controls to disappear.
  • Fixed a NullReferenceException on scan policy editor dialog thrown while clicking select inverse context menu on some security check groups.
  • Fixed an issue where a false-positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an issue where the vulnerabilities found on a scan lingers to the next scan started.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed a hang issue occurs when too many email addresses found on the response.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed a scan profile load issue occurs when a link with binary body is imported.
  • Fixed the table layout on comparison report which was having too wide columns when the URLs were too long.
  • Fixed the duplicate request issue on "AJAX / XML HTTP Requests" knowledge base report.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed an ArgumentOutOfRangeException thrown while trying to match the redirected URL to configured logout detection pattern.
Netsparker 4.7.1.12478 - 11th November 2016

FIXES

  • Fixed a hang issue occurs on some configurations.

Netsparker 4.7.1.12400 - 2nd November 2016

FIXES

  • Fixed an issue that occurs during the attacking phase where all threads cannot be utilized.
  • Fixed handling of blob: protocol on DOM simulation.

Netsparker 4.7.1.12382 - 1st November 2016

New Technical Check

Improvements

  • Improved the Content Security Policy (CSP) and "Misconfigured Access-Control-Allow-Origin Header" vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Team Foundation Server Send To action now populates severity and repro steps fields.
  • Improved report generation dialog by remembering the last used settings separately for each report type.
  • Added "Copy as cURL" context menu item to site map.
  • Added support for HTTP POST method while using Open in Browser site map context menu option.
  • Added support for attacking to User-Agent and Referer request headers.
  • Improved scan session export dialog by suggesting default file names.
  • Improved the coverage of the boolean SQL injection vulnerability engine.
  • Improved GitHub send to configuration by check the existence of the specified repository.

Fixes

  • Fixed various encoding issues on request builder.
  • Fixed the splash screen issue where it opens on wrong monitor on multi monitor setups.
  • Fixed External CSS, Script and Frame knowledge base items which do not consider the port while performing checks.
  • Fixed the missing method values on vulnerability summary table of reports.
  • Fixed the missing dashboard statistics when a scan session is imported.
  • Fixed the site map Copy URL issue for some nodes which were missing URL information.
  • Fixed a hang that may occur when windows gets locked, goes to sleep or hibernation.
  • Fixed an issue with auto save where scan is not saved during the extra confirmation phase.
  • Fixed an issue in open redirect detection where incorrect URLs may also be reported.
  • Fixed the zero progress bar issue on loaded scan files.
  • Fixed various CSP vulnerability highlight issues.
  • Fixed an issue related with form authentication which prevents logout detection during attacking phase.
  • Fixed an issue related with temp file generation.
  • Fixed an Local File Inclusion vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an extra tab on Scanned URLs List (CSV) report template.
  • Fixed the size of scan policy editor dialog on screens with high DPI.
  • Fixed the incorrect severity icon on site map when a vulnerability is selected.
  • Fixed an incorrect retest result occurs when the target web site is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
  • Fixed the remaining registry keys after uninstall.
Netsparker 4.7.0.12284 - 21st October 2016

IMPROVEMENTS

  • Improved vulnerability templates.
  • Added support for sending vulnerabilities to JIRA when JIRA is homed at a path instead of the root.
  • Added support for detecting requests made to blob-schemed URIs during DOM simulation.

FIXES

  • Fixed missing external references on some vulnerability templates.

Netsparker 4.7.0.12177 - 12th October 2016

FIXES

  • Fixed the issue where HTTPS protocol is enforced while using JIRA Send To action.
  • Fixed an issue where print dialogs could be displayed during scans.
  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.

Netsparker 4.7.0.12133 - 7th October 2016

FIXES

  • Fixed an issue where some scan files from older versions cannot be opened with the latest version.
  • Fixed an issue with TFS Send To action when the project name contains spaces.

Netsparker 4.7.0.12092 - 5th October 2016

FIXES

  • Fixed an issue which prevents resource files (report templates, etc.) updates.