Netsparker Standard Change Log
Netsparker 4.6.0.11104 - 16th June 2016

NEW FEATURES

NEW SECURITY CHECKS

  • Added SameSite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that are translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed the issue where form authentication remembered the cookies from the previous scan when using the same Netsparker instance for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed the issue where the enabled status of DOM Based XSS security checks was not being logged.
  • Fixed the issue where the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed.
  • Fixed JIRA Send To action issue where the port number of the JIRA service was being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though "Analyze JavaScript / AJAX" option is not checked.
  • Fixed the NullReferenceException thrown when a scan is paused and resumed while performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue that occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where a GWT parameter containing a Base64 encoded value could not be detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where the XSS proof URL was missing the alert function call.
  • Fixed a typo on "Base Tag Hijacking" vulnerability template.
  • Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.

Netsparker 4.5.10.10777 - 11th May 2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Updated the PCI Compliance report template with the details of PCI DSS version 3.2

Netsparker 4.5.10.10702 - 5th May 2016

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

Netsparker 4.5.10.10675 - 3rd May 2016

NEW FEATURES

  • Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI "Long attack - boot.ini" attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the "MIME Types" knowledge base list by ordering items alphabetically.
  • Added "Extract static resources" option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication "Override Target URL with authenticated page" issue which caused a wrong URL to be identified as the "Target URL".
  • Fixed a highlighting issue where the URL for "Insecure Frame (External)" vulnerability is partially highlighted.
  • Fixed an incorrect "Source Code Disclosure" vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed an ObjectDisposedException which occurred while trying to close the Authentication Verification dialog.
  • Fixed a broken link in XSS vulnerability templates.

Netsparker 4.5.9.10494 - 11th April 2016

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

Netsparker 4.5.9.10486 - 8th April 2016

NEW FEATURES

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the DOM Parser which uses a similarity heuristic technology for DOM elements to avoid multiple scanning of the same or similar parameters.
  • Added license load option to Help menu.
  • Improved "Not Found Analyzer" to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Netsparker data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements' change events were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related to JavaScript "Load Preset Values" combo where selecting a preset value may revert the combo value to "(Custom)".
  • Fixed a file extension parsing issue related to File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where "ns" namespace was conflicting with a global variable on target web site (authentication API has been moved to "netsparker" namespace preserving the "ns" backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException that occurs on the trial edition when you press the Escape key several times during application load.
  • Fixed a resource deployment issue that occurs on Netsparker installations with custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.

Netsparker 4.5.8.10271 - 17th March 2016

IMPROVEMENTS

  • Increased severity of "Insecure Transportation Security Protocol Supported (SSLv2)" vulnerability to "Important"
  • Added support for adding several more request headers including the "Host" header

FIXES

  • Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer

Netsparker 4.5.8.10229 - 9th March 2016

SECURITY CHECKS

  • Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
  • Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
  • Added version checks for OpenCart web application

IMPROVEMENTS

  • Improved JavaScript/DOM simulation and DOM XSS attacks
  • Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added support for specifying client certificate authentication certificate for manual crawling
  • Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
  • Added "Custom Not Found Analysis" activities to UI
  • Improved "Open in Browser" for XSS vulnerabilities and produced a vulnerable link with alert function
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Improved the loading performance of Start New Scan dialog
  • Added support for reordering form values to denote precedence
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

FIXES

  • Fixed an out of disk space issue which occurs while writing logs
  • Fixed the "scan will be paused" warning for a scan that is already paused
  • Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
  • Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
  • Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
  • Fixed the issue where requests which get a timeout do not display any details on the "HTTP Request / Response" tab
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Netsparker was making requests to addresses that are generated by its own attacks
  • Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
  • Fixed the issue where the elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledgebase while doing manual crawling
  • Fixed the issue of unsigned eowp.exe shipped with installer
  • Fixed an ArgumentOutOfRangeException that occurs on the schedule dialog when a report template with an incorrect file name exists
  • Fixed the issue where the stacked severity bar chart on "Detailed Scan Report" gets split and overflows to the second page
  • Fixed HSTS engine where an http:// request may cause the current session cookie to be lost
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issue of delegated events not being simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Netsparker are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is the same as the fallback value
  • Fixed the issue of "Strict-Transport-Security" being reported as "Interesting Header"
  • Fixed some Korean vulnerability templates which were incorrectly formatted
  • Fixed the broken HIPAA classification link

Netsparker 4.5.7.10205 - 3rd March 2016

IMPROVEMENTS

  • Added "DROWN Attack" reporting

Netsparker 4.5.7.10053 - 15th February 2016

FIXES

  • Fixed an issue that causes the auto update process to hang after restarting Netsparker for the update

Netsparker 4.5.7.9915 - 29th January 2016

BUG FIXES

  • Fixed an issue with form authentication verification dialog where you may get a blank web page on the left
  • Fixed a cookie parsing issue where Netsparker may fail to read some cookies on HTTP responses

Netsparker 4.5.7 - 28th January 2016

IMPROVEMENTS

  • Improved support for Single Page Applications (SPA) by rewriting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added icons to scan policy combo box to denote optimized platforms for policies
  • Improved Korean language support
  • Attached proof for the blind SQLi vulnerabilities
  • Added "Proofs" knowledge base nodes
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added link to TFS API download page for Send To extension
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter's meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added .svg to default set of ignored extensions
  • Removed DOM XSS security checks from default built-in policy
  • Added a new built-in scan policy that includes DOM XSS security checks
  • Added a new scan policy setting section for JavaScript related settings
  • Removed outdated PCI 2.0, PCI 3.0 and OWASP Top Ten 2010 classifications and report templates

BUG FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurs when a proof is empty
  • Fixed the horizontal scroll bar that is shown while adding a new URL rewrite parameter
  • Fixed an issue with comparison report where two reports were showing the same date even if the latter one has been retested
  • Fixed a FileNotFoundException that occurs while caching DOM requests
  • Fixed a ThreadInterruptedException thrown by DOM XSS scanner while trying to close application
  • Fixed an UnauthorizedAccessException that occurs while cleaning the scan temporary directory
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed a CannotUnloadAppDomainException that occurs while trying to close form authentication verifier dialog
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Netsparker's latest version
  • Fixed the slow performance issue which occurs when "Automatically Detect Settings" proxy setting is enabled
  • Fixed the broken proceed button on trial popup dialog
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed an issue with OWASP reports where vulnerabilities in same category were not being grouped together
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
  • Fixed a broken compatibility issue which occurs while loading scan files exported with previous versions

Netsparker 4.5.4 - 21st December 2015

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurs when a proof is empty

Netsparker 4.5.2 - 17th December 2015

FEATURES

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by the regexp function in a MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated embedded chrome based browser engine to version 41
  • Improved logging when an error occurs if Netsparker was started from command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved JIRA send to action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Missing Content-Type vulnerability is not reported when status code returns 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Displaying installer links for cases where auto update fails or auto updating is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on "Reset to Defaults" dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for "RCE via Perl" vulnerability
  • Added project selection to FogBugz send to action
  • Improved the text parser
  • Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue where image submit elements were not clicked
  • Fixed send to extension context menu which does not focus Extensions section when Options dialog is opened
  • Fixed a form authentication verification issue which may crash when username and/or password is empty
  • Fixed a manual crawling issue when proxy was left open when you start a regular scan after a manual crawling
  • Fixed custom reporting sample code on user manual to match the latest reporting API
  • Fixed an issue that occurs when the HTTP response body starts with a Unicode BOM
  • Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
  • Fixed Fiddler logging where form authentication requests were not being captured
  • Fixed static resource finder where it was not following a redirect if only the protocol portion of an URL changes
  • Fixed Start a New Scan dialog where Schedule Scan dialog was always shown when you first try to schedule a scan
  • Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection in cases when there is no space left on the disk where the Netsparker documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
  • Fixed "Missing Content-Type" reporting issue where redirected responses should not be reported
  • Fixed Set-Cookie response headers being merged issue on response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed the ignore vulnerability function, which was not working for comparison reports
  • Fixed documentation for nginx vulnerability template that tells how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug which prevents attacking from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed Fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashes Netsparker when a long URL is parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with "javascript:" protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and is reported as Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed generated report name issue where an extra .htm extension is added to the report file if run from command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed the issue that Netsparker hangs with a confirmation dialog upon scan completion when started with /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with the Scan Imported Links option was attacking links that were not imported
  • Fixed an issue where retest request is started with the attacked value and causes a vulnerability creation in a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where "Security Check Groups" description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability

Netsparker 4.1.4 - 26th June 2015

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner's advanced settings
  • Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of Maximum 404 Signature setting to store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed DOM simulation issue where all delegated events on an element were not being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled

Netsparker 4.1.0 - 12th May 2015

NEW SECURITY TESTS

  • Form Hijacking Security Checks added
  • Base Tag Hijacking Security Checks added

IMPROVEMENTS

  • Added several new backup file checks to improve the coverage
  • Improved the number of combinations that Common Directory checks find
  • Added support for using digits in custom URL rewrite parameter names
  • Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
  • Added HTTP POST method support for Open Redirection security tests
  • Improved resource finder behavior by falling back to GET requests when HEAD requests are failing
  • Improved detection of XSS vulnerabilities in CSS blocks
  • Improved vulnerability template for Open Redirection vulnerabilities
  • Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
  • Set default maximum vulnerability report limit to 1000 for active engines
  • Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability

FIXES

  • Fixed a race condition issue which occurs while adding new links on DOM simulation
  • Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
  • Fixed incorrect parsing of multiple response headers with same name on DOM simulation and DOM XSS attacks
  • Fixed a vulnerability template generation issue where temporary files were being kept on disk
  • Fixed installer to handle .NET framework versions released after 4.5.2
  • Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
  • Fixed "Maximum 404 Pages to Attack" scan policy option which was previously limiting the maximum page number to 10 no matter what was set with this option

Netsparker 4.0.4 - 21st April 2015

NEW SECURITY CHECKS

  • Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check

IMPROVEMENTS

  • Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer
  • Improved Auto Complete Enabled vulnerability report by displaying all the matching input names
  • Improved PCI reporting by adding PCI 3.1 data to vulnerabilities

FIXES

  • Fixed the wrong highlighting of selected row on custom URL rewrite rule editor while testing rules

Netsparker 4.0.2 - 20th April 2015

NEW SECURITY CHECKS

  • Added RSA Private Key Detected vulnerability check

IMPROVEMENTS

  • Improved Credit Card Disclosure detection
  • Reporting cookie name in "Cookie values used in Anti-CSRF token" issue
  • Improved "Delegated event" simulation in DOM Parser
  • Improved comment order in knowledgebase by displaying comments having sensitive keywords first
  • Improved the wording at "ViewState is not Encrypted" vulnerability report template
  • Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
  • Improved Exclude/Include patterns to match parameter names and values in addition to the URL
  • Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
  • Improved logging of regex timeout issues with additional parameter name and URL information
  • Improved reporting API documentation by including more types

FIXES

  • Fixed "Options Method Enabled" vulnerability reporting by adding status code checks
  • Fixed a NullReferenceException issue that occurs when Netsparker is started using command line
  • Fixed an encoding issue for parameter names in multipart/form-data requests
  • Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
  • Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
  • Fixed an SSL connection issue where the target web server demands only TLS 1.1 or TLS 1.2 protocols
  • Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
  • Fixed custom data reporting in vulnerability templates to get rid of the bullet point if there is only a single custom data value
  • Fixed an issue with "Out of Scope" links reported under knowledgebase where the links discovered in DOM Parser are not reported
  • Fixed a report template customization issue where modifying a report template while Netsparker is running was causing it to fail during report generation
  • Fixed a multipart/form-data request issue where "filename" attribute was not submitted for file upload parameters
  • Fixed a dashboard issue where the progress bar is stuck on Crawl Only scans even though crawling finishes
  • Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
  • Fixed custom URL rewrite test interface where only visible rows were being tested before

Netsparker 4.0.1 - 26th March 2015

IMPROVEMENTS

  • Improved coverage of DOM based XSS engine
  • Improved the search on raw response viewer
  • Improved form authentication API click functions to mark/unmark checkbox elements
  • Improved "Insecure transportation security protocol (SSLv3)" vulnerability template
  • Added the page URL and the number of the page as a log to verification dialog while executing custom scripts
  • Added the number of custom script pages to the hint on verification dialog and the hint now has a tooltip that displays the custom script code
  • Improved DOM parser to handle both on and off states of checkbox elements
  • Improved the message on cases where File > Import fails due to old scan file format
  • Added TextParserRegexTimeout advanced setting to modify the timeout value of pattern matching in Text Parser
  • Added the request URL as a log to tell which request has a response that matches current logout pattern of form authentication
  • Improved memory handling to prevent Out-of-memory issues during long scans
  • Improved the pattern match logs to be issued once to prevent the clutter

FIXES

  • Fixed a crash that occurs during application close while trying to log a message to UI
  • Fixed report templates to include correct lower-case versions of image file names to display them correctly on case-sensitive OS file systems
  • Fixed a crash in form authentication verification where missing persona causes issues during logout detection
  • Fixed custom script execution in form authentication to skip execution of auto login script on pages where script is deliberately left blank
  • Fixed a few crashes that occur when the custom script window is closed while the page was loading
  • Fixed an issue with logout detection where invalid URLs could be accepted as overridden login required URL
  • Fixed creation of redundant Documents\Netsparker\Credential folder on new installations
  • Fixed random missing developer tools pane on custom script window
  • Fixed a crash that happens when the form authentication verification dialog is closed during logout keyword detection
  • Fixed several memory issues where redundant object instances were not reclaimed
  • Fixed a memory issue where long parameter values were causing large memory allocations
  • Fixed signature generation for URL Rewrite links

Netsparker 4.0.0 - 18th March 2015

BREAKING CHANGES

  1. Netsparker 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Netsparker 4.
  2. Form authentication was redesigned; it is now much easier to configure and fully automated. If you had login details configured using the previous wizard, you need to reconfigure them.
  3. The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
  4. The default profiles shipped with Netsparker have been removed. Please use the default Scan Policies instead.
  5. URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore, if you have Scan Policies with URL Rewrite configuration, create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems, do not hesitate to contact our support at support@netsparker.com.

FEATURES

  • Redesigned the "Start a New Scan" dialog window - now it is even easier than before to configure new scans
  • New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
  • Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
  • Added "Incremental Scanning" feature - perform an incremental scan over an existing scan that only attacks new pages introduced since the last scan
  • Added "Retest All" functionality to perform one-click retest on all vulnerabilities found
  • Added support for Remote File Inclusion (RFI) Exploitation
  • Added support for Remote Code Execution via LFI (PHP) Exploitation
  • Added new Executive Summary Report template
  • Added support for importing HTTP Archive (HAR) files

SECURITY CHECKS

Added new security checks in Netsparker to identify the below vulnerabilities and security flaws:

  • Cross Frame Scripting vulnerability check
  • Missing Content-Type and X-Content-Type-Options header checks
  • Cross-Origin Resource Sharing check
  • Mixed Content check to detect if mixed content is loaded over HTTP within an HTTPS page
  • XML External Entity (XXE) Engine
  • File Upload Engine
  • Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
  • Misconfigured Access-Control-Allow-Origin header
  • Credit Card Disclosure

IMPROVEMENTS

  • Improved DOM XSS attack patterns
  • Increased coverage for Open Redirection vulnerabilities
  • Improved Internal Path Disclosure detection patterns for Windows and *nix
  • Improved Connection String detection to cover more cases and run faster
  • Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
  • Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
  • Improved sensitive keyword list for Comments Knowledge base item
  • Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
  • Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
  • Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
  • Improved wording for Auto Complete Enabled vulnerability template
  • Improved Open Redirect detection to include redirects performed by JavaScript code
  • Added an option to perform DOM simulation when necessary in Open Redirect engine
  • Reduced the number of requests made to detect Not Found pages
  • Included Static Resource Finder requests in activity pane
  • Improved CVS file detection pattern
  • Improved the error message displayed on start up to provide more details
  • Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
  • Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
  • Separated HTML5 engine checks in scan policy to allow granular selection
  • Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
  • Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
  • Added retest support for RoR RCE vulnerabilities
  • Added scan policy settings to ignore certain Content Type values
  • Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
  • Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
  • Exposed Signature property for Vulnerability instances in Reporting API
  • Added classification information for Possible Reflected File Download vulnerability
  • Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
  • Changed request timeout setting's unit from milliseconds to seconds in the policy setting UI
  • Improved SSN detection
  • Improved link parsing in Text Parser
  • Added HTTP method and attack parameter names to activity pane
  • Improved LFI confirmation using web.config file
  • Added extra GET requests for requests having non-GET HTTP methods
  • Added referer checks for DOM XSS
  • Improved binary detection for font requests
  • Added Nginx configuration information for HSTS Not Enabled vulnerability template
  • Improved GIT detected vulnerability template
  • Auto save message now displays the time the scan was saved
  • Revised Interesting Headers list to filter some well-known headers
  • Added form name and action as custom field in CSRF engine
  • Improved the error message text shown when a PDF report cannot be overwritten
  • Added Save button to save changes on current profile
  • Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
  • Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
  • Improved how disk full cases are handled during a scan
  • Improved the order of how vulnerabilities are listed in reports
  • Improved phpMyAdmin detection
  • Improved Stack Trace Disclosure (Java) detection

FIXES

  • Fixed Content-Type header parsing where any quotes should be removed from charset attribute
  • Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
  • Fixed a hang that occurs while performing SSL analysis on sites with some cipher suites
  • Fixed parameter encoding issue in Reverse Shell feature
  • Fixed a space character encoding issue in exploit generation
  • Fixed the generated code in exploits to include calls to alert function instead of netsparker function
  • Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
  • Fixed an issue that crashes Netsparker if a Standard edition license contains an invalid URL
  • Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
  • Fixed DOM parser simulation to select non-default values in select elements
  • Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
  • Fixed an issue where WebDAV engine could not perform a retest correctly
  • Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
  • Fixed the tooltip on Add New client certificate button by correcting the supported file extension
  • Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
  • Fixed duplicate confirmation issue during retest
  • Fixed the performance issue with Custom Cookies text box to handle large values
  • Fixed an issue with the Tab key where the focus, when on a list, does not move away to the next control
  • Fixed a bug related to Excluded/Included Links where the values revert to default when all values are deleted
  • Fixed the Start Scan button text when Pause Scan After Crawling is checked
  • Fixed the configuration sample in Tomcat Directory Listing vulnerability template
  • Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
  • Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn't start with a dot was being ignored
  • Fixed issues with Version = 1 cookies
  • Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
  • Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
  • Fixed a DOM XSS performance issue on pages using custom fonts
  • Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
  • Fixed trimmed activity duration in activity pane for large values
  • Fixed a StackOverflowException thrown by LFI exploitation
  • Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
  • Fixed a bug with Controlled Scan where the scan policy used during the scan should not prevent the user from performing checks that are not in the policy
  • Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
  • Fixed a bug that occurs when Netsparker tries to read the URL from the clipboard while the clipboard is held open by another application
  • Fixed trimmed security test names in controlled scan
  • Fixed a bug where the max number of parameters to attack is not handled correctly
  • Fixed a bug in DOM simulation to provide correct target element when events are simulated
  • Fixed a bug in Scan Policy editor where changes were ignored while clicking the tabs on the left
  • Fixed a cookie parsing bug that occurs when the port attribute value is not quoted
  • Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
  • Fixed a cookie parsing bug where cookie parsing stopped in case of an empty Set-Cookie header
  • Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
  • Fixed a log message issue reporting when Find Hidden Resources finishes
  • Fixed a high DPI text issue on Retest message dialog
  • Fixed a cookie parsing issue when Expires attribute contains a comma
  • Fixed a link parsing issue where parameters with empty names are added
  • Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
  • Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation