Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
Added license load option to Help menu.
Improved "Not Found Analyzer" to better handle binary responses and long strings.
Changed the default settings of JIRA Send to Action for better out of the box support.
Added a link to the proof URL for XSS vulnerabilities.
Added link generation to Text Parser for all select element options.
Improved the DOM parser to skip redirect responses.
Added an option to allow the user to move the Netsparker data directory to a different location.
Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
Improved the coverage of file upload security checks.
Improved the coverage of XSS security checks.
Fixed an issue where LFI attack patterns were reported as internal path disclosure.
Fixed the incorrect raw response representation for SSL connections.
Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
Fixed a case where the change events of dynamically generated HTML option elements were not being triggered.
Fixed cross-domain document access errors on DOM parser and XSS scanner.
Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
Fixed form values target setting to use Name as the default value when a Target is not selected.
Fixed a file extension parsing issue related to the File Extension List knowledgebase item.
Fixed a custom form authentication API issue where the "ns" namespace conflicted with a global variable on the target web site (the authentication API has been moved to the "netsparker" namespace, with "ns" preserved for backward compatibility).
Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
Fixed misplaced certainty label on vulnerability details for trial editions.
Fixed an ObjectDisposedException that occurred on the trial edition when the Escape key was pressed several times during application load.
Fixed a resource deployment issue that occurred on Netsparker installations with a custom application data path.
Fixed a form values issue where empty form values should not set any default values for parameters.
Fixed an issue where trying to set Connection request header fails.
Netsparker 22.214.171.12471 - 17th March 2016
Increased severity of "Insecure Transportation Security Protocol Supported (SSLv2)" vulnerability to "Important"
Added support for adding several more request headers including the "Host" header
Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer
Netsparker 126.96.36.19929 - 9th March 2016
Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
Added version checks for OpenCart web application
Rewrote HSTS security checks
Added evidence information to vulnerabilities list XML report
Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
Added the file name information for the local file inclusion evidence
Added support for specifying a client certificate for manual crawling
Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
Added "Custom Not Found Analysis" activities to UI
Improved "Open in Browser" for XSS vulnerabilities and produced a vulnerable link with alert function
Several performance improvements to reduce memory usage
Improved credit card detection to eliminate false positives
HTTP cookie handling code rewritten from scratch to conform to the latest RFCs, which modern browsers also follow
SSL cipher support check code has been rewritten to support more cipher suites
SSL checks are now made for target URLs even when the protocol is HTTP
Improved logging code to decrease the performance overhead
Updated embedded Chrome-based browser engine to version 41
Improved logging when an error occurs if Netsparker was started from command line with arguments
Added more ignored parameters for ASP.NET web applications
Improved JIRA send to action to support both old and new versions
Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
Improved authentication verifier to include keywords from alt and title attributes
Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
Improved LFI pattern that matches win.ini files
Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
Added descriptions for advanced settings
Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
Increased static resource finder limit from 75 to 100
Added several text parser settings to advanced settings
Improved Ruby version disclosure detection
Improved SQL injection vulnerability template by adding remedy information for more development environments
Improved common directory checks by adding more known directory names
Updated default user agent
Improved the default Anti-CSRF token name list
Improved database error messages vulnerability detection for Informix
Improved XHTML attacks to check against XSS vulnerabilities
Missing Content-Type vulnerability is no longer reported when the response status code is 304
Optimized confirmation of Boolean SQLi
Added exploitation for Remote Code Evaluation via ASP vulnerability
Revamped DOM based XSS vulnerability detail with a table showing XPath column
Changed SQLi attack patterns specific to MSSQL database with shorter ones
Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
DOM simulation is turned off for hidden input types, which caused a false-positive confirmed XSS vulnerability
Improved the "Name" form value pattern to match more inputs
Improved confirmation of Expression Language Injection vulnerability
Improved Frame Injection vulnerability details
Added .phtml extension to detect code execution via file upload
Improved blind SQL injection detection on some INNER JOIN cases
Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
Added retest support for several vulnerability types
Improved import link user interface
Improved CSRF engine
Installer links are now displayed for cases where auto update fails or is not possible
Improved Apache Tomcat detection patterns
Improved the message on "Reset to Defaults" dialog
Added severity column for Vulnerabilities List (CSV) report template
Increased the number of sensitive comments reported
Added exploitation support for "RCE via Perl" vulnerability
Added project selection to FogBugz send to action
Various text parser improvements
Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
Added the passive engine names which are currently running to scan summary dashboard
Added separate checks in scan policy for each supported web app fingerprint application
Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
Fixed authentication verifier to omit empty keywords for keyword based authentication
Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
Fixed URL rewrite analysis to respect case sensitivity settings
Fixed a form authentication issue in which image submit elements were not clicked
Fixed send to extension context menu, which did not focus the Extensions section when the Options dialog was opened
Fixed a form authentication verification issue that could crash when the username and/or password was empty
Fixed a manual crawling issue where the proxy was left open when a regular scan was started after manual crawling
Fixed custom reporting sample code on user manual to match the latest reporting API
Fixed an issue that occurred when the HTTP response body started with a Unicode BOM
Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
Fixed fiddler logging where form authentication requests were not being captured
Fixed static resource finder where it was not following a redirect if only the protocol portion of a URL changed
Fixed Start a New Scan dialog where Schedule Scan dialog was always shown when you first try to schedule a scan
Fixed slow XSS highlights on some responses
Fixed disk space detection for cases when there is no space left on the disk where the Netsparker documents folder resides
Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
Fixed a bug where generated XSS exploit did not work due to incorrect encoding
Fixed a bug where a false-positive file upload vulnerability was reported
Fixed a bug where the maximum number of hard fails was preventing the next scan from making HTTP requests
Fixed "Missing Content-Type" reporting issue where redirected responses should not be reported
Fixed an issue where Set-Cookie response headers were merged in response viewers
Fixed an issue where send failures were not being handled while making HTTP requests
Fixed credit card reporting issue where the value specified in default form values section should not be reported
Fixed the trimmed parameter name issue on controlled scan pane
Fixed the ignore vulnerability function, which was not working for comparison reports
Fixed the remediation documentation in the nginx vulnerability template
Fixed HSTS support for form authentication HTTP requests
Fixed a bug which prevented attacks from resuming when an existing session was imported
Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
Fixed fiddler log file saving issue where chunked response bodies were not being saved correctly
Fixed a URI parsing issue where non-HTTP(S) protocols were ignored
Fixed a DOM XSS scanner issue that crashes Netsparker when a long URL is parsed
Fixed a bug where an attribute based attack could not be confirmed as XSS
Fixed a bug where error based SQLi exploitation went into a loop and caused an unresponsive UI
Fixed a bug where a relative redirect was reported as an Open Redirect vulnerability
Fixed an issue where importing links to an existing profile with imported links was failing
Fixed generated report name issue where an extra .htm extension was added to the report file when run from the command line
Fixed an unhandled ArgumentException raised from permanent XSS detection
Fixed the issue that Netsparker hangs with a confirmation dialog upon scan completion when started with /auto command line parameter
Fixed an issue where a Groovy RCE is reported as Perl RCE
Fixed an issue where a scan started with the Scan Imported Links option was attacking links that were not imported
Fixed an issue where a retest request was started with the attacked value and caused a vulnerability to be created at a different injection point
Fixed a WSDL parsing issue where reference parameters were not handled
Fixed a WSDL parsing issue where XML types were not handled
Fixed a visual bug where "Security Check Groups" description text was clipped
Fixed a bug where illegal characters were causing invalid XML reports
Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
Fixed an issue with auto complete input reporting where highlighting was not correct
Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
Fixed an issue that occurred during form authentication with an HSTS site that redirects to a URL with the http protocol
Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
Fixed the misleading content in basic authentication over clear text vulnerability
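The HSTS items in this release ("HSTS Not Enabled" and "HSTS Errors and Warnings") and the cookie item that lists cookies not marked Secure or HttpOnly are both passive header checks. The following is an added illustration of how such checks are typically implemented; it is not Netsparker's code, the sample headers are constructed, and the one-year `MIN_HSTS_MAX_AGE` threshold is an assumed policy value rather than a Netsparker setting.

```python
"""Added example: passive audit of Set-Cookie and Strict-Transport-Security headers."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/; Max-Age=3600"),
    ("Set-Cookie", "track=xyz; Domain=example.test; Secure"),
    ("Strict-Transport-Security", "max-age=300; includeSubDomains"),
]

# Assumed threshold (one year); an arbitrary policy value, not a Netsparker default.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class CookieFinding:
    name: str
    missing_flags: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Report every cookie that lacks the Secure or HttpOnly attribute."""
    findings: List[CookieFinding] = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def audit_hsts(headers: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the Strict-Transport-Security header (RFC 6797)."""
    values = [v for h, v in headers if h.lower() == "strict-transport-security"]
    errors: List[str] = []
    warnings: List[str] = []
    if not values:
        return ["HSTS not enabled: no Strict-Transport-Security header"], warnings
    if len(values) > 1:
        warnings.append("multiple Strict-Transport-Security headers; browsers use the first")
    directives: Dict[str, str] = {}
    for directive in values[0].split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # RFC 6797 requires max-age; without a valid value the header is ignored.
        errors.append("max-age directive missing or not a non-negative integer")
    elif int(max_age) == 0:
        warnings.append("max-age=0 disables HSTS for this host")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        warnings.append(f"max-age {max_age} is shorter than {MIN_HSTS_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        warnings.append("includeSubDomains not set; subdomains are not protected")
    return errors, warnings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"cookie {finding.name!r} missing: {', '.join(finding.missing_flags)}")
    hsts_errors, hsts_warnings = audit_hsts(SAMPLE_HEADERS)
    print("HSTS errors:", hsts_errors)
    print("HSTS warnings:", hsts_warnings)
```

Run against the constructed headers, the audit flags `prefs` (neither attribute) and `track` (no HttpOnly), and the HSTS check passes without errors but warns that `max-age=300` is far below the assumed one-year threshold.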
Netsparker 4.1.4 - 26th June 2015
Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner's advanced settings
Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
Improved resource finder checks for websites which have custom 404 pages
Increased the default value of the Maximum 404 Signature setting to store more signatures
Improved timeout calculation for vulnerability checks which require late confirmation
Fixed DOM simulation issue where all delegated events on an element were not being called
Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled