Netsparker Standard Change Log
Netsparker 4.7.0.12081 - 3rd October 2016

NEW FEATURES

NEW SECURITY CHECKS

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Netsparker to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain amount of requests are logged.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Added "Attacked Parameters" column to "Scanned URLs List" report.
  • Improved Manual Crawl (Proxy Mode) feature to work as passive and not re-issue the requests made during manual crawl phase.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed the missing GET parameter request builder issue occurs when a full querystring/URL attack request is sent.
  • Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
  • Fixed a DOM simulation issue occurs when there is a form element with name "action" on target web page.
  • Fixed the duplicate cookie issue occurs while using Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException on occurs during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses are unable to display for file upload vulnerability.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.

Netsparker 4.6.1.11435 - 26th July 2016

FIXES

  • Fixed an issue in which Netsparker crashes when using the Korean interface and trying to start a scan or load a scan file.

Netsparker 4.6.1.11314 - 13th July 2016

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where "Enable Raw Request Body" option is initially selected when a GET request is dropped on the builder.

Netsparker 4.6.1.11262 - 30nd June 2016

NEW FEATURES

  • Added the HTTP Request Builder penetration testing tool.
  • Added a button on start new scan dialog to open target URL on default web browser.
  • Added a new activity type group called "Passive Analysis" which shows the analysis activity of attack responses.

IMPROVEMENTS

  • Improved the "HTML Base Tag Hijacking" vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of "Redirect Body Too Large" vulnerability.

FIXES

  • Fixed an issue in which the editing of a report policy can cause some external references to be removed unintentionally.
  • Fixed an issue in which multiple tabs on the web browser could be opened while trying to open a vulnerability URL.
  • Fixed a comparison report issue in which charts were not being generated according to selected report policy.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed a report policy editor bug where clicking check all/none affects the vulnerability types that are not currently displayed.
  • Fixed an issue where the vulnerability types disabled on current report policy were affecting the number of vulnerability count on "Issues" panel title.

Netsparker 4.6.0.11151 - 22nd June 2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click "button" HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on "Report Policy Editor".
  • Fixed the incompatibility issues of "Report Policy Editor" on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.

Netsparker 4.6.0.11104 - 16th June 2016

NEW FEATURES

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Netsparker instance for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
  • Fixed the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed issue.
  • Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though "Analyze JavaScript / AJAX" option is not checked.
  • Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where XSS proof URL was missing alert function call.
  • Fixed a typo on "Base Tag Hijacking" vulnerability template.
  • Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.

Netsparker 4.5.10.10777 - 11th May 2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Update the PCI Compliance report template with the details of PCI DSS version 3.2
Netsparker 4.5.10.10702 - 5th May 2016

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

Netsparker 4.5.10.10675 - 3rd May 2016

NEW FEATURES

  • Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI "Long attack - boot.ini" attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the "MIME Types" knowledge base list by ordering items alphabetically.
  • Added "Extract static resources" option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication "Override Target URL with authenticated page" issue which caused a wrong URL to be identified as the "Target URL".
  • Fixed a highlighting issue where the URL for "Insecure Frame (External)" vulnerability is partially highlighted.
  • Fixed an incorrect "Source Code Disclosure" vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed an ObjectDisposedException which occured while trying to close the Authentication Verification dialog.
  • Fixed a broken link in XSS vulnerability templates.

Netsparker 4.5.9.10494 - 11th April 2016

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

Netsparker 4.5.9.10486 - 8th April 2016

NEW FEATURES

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
  • Added license load option to Help menu.
  • Improved "Not Found Analyzer" to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Netsparker data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements' change event were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript "Load Preset Values" combo where selecting a preset value may revert the combo value to "(Custom)".
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where "ns" namespace was conflicting with a global variable on target web site (authentication API has been moved to "netsparker" namespace preserving the "ns" backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException occurs on trial edition when you press escape key several times during application load.
  • Fixed a resource deployment issue occurs on Netsparker installations with custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.
Netsparker 4.5.8.10271 - 17th March 2016

IMPROVEMENTS

  • Increased severity of "Insecure Transportation Security Protocol Supported (SSLv2)" vulnerability to "Important"
  • Added support for adding several more request headers including the "Host" header

FIXES

  • Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer

Netsparker 4.5.8.10229 - 9th March 2016

SECURITY CHECKS

  • Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
  • Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
  • Added version checks for OpenCart web application

IMPROVEMENTS

  • Improved JavaScript/DOM simulation and DOM XSS attacks
  • Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added support for specifying client certificate authentication certificate for manual crawling
  • Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
  • Added "Custom Not Found Analysis" activities to UI
  • Improved "Open in Browser" for XSS vulnerabilities and produced a vulnerable link with alert function
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Improved the loading performance of Start New Scan dialog
  • Added support for reordering form values to denote precedence
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

FIXES

  • Fixed an out of disk space issue which occurs while writing logs
  • Fixed the "scan will be paused" warning for a scan that is already paused
  • Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
  • Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
  • Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
  • Fixed the issued requests which gets a timeout do not display any details on "HTTP Request / Response" tab
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Netsparker was making requests to addresses that are generated by its own attacks
  • Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
  • Fixed elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledgebase while doing manual crawling
  • Fixed the issue of unsigned eowp.exe shipped with installer
  • Fixed an ArgumentOutOfRangeException occurs on schedule dialog when a report template with an incorrect file name exists
  • Fixed the stacked severity bar chart on "Detailed Scan Report" gets split and overflows to the second page
  • Fixed HSTS engine where an http:// request may cause to loose current session cookie
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issues of delegated events not simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Netsparker are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
  • Fixed the issue of "Strict-Transport-Security" is being reported as "Interesting Header"
  • Fixed some Korean vulnerability templates which are wrong formatted
  • Fixed the broken HIPAA classification link
Netsparker 4.5.7.10205 - 3rd March 2016

Improvements

  • Added "DROWN Attack" reporting
Netsparker 4.5.7.10053 - 15th February 2016

Fixes

  • Fixed an issue that causes auto update process to hang after restarting Netsparker for the update
Netsparker 4.5.7.9915 - 29th January 2016

Bug Fixes

  • Fixed an issue with form authentication verification dialog where you may get a blank web page on left
  • Fixed a cookie parsing issue where Netsparker may fail to read some cookies on HTTP responses
Netsparker 4.5.7 - 28th January 2016

IMPROVEMENTS

  • Improved support for Single Page Applications (SPA) by rewritting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added icons to scan policy combo box to denote optimized platforms for policies
  • Improved Korean language support
  • Attached proof for the blind SQLi vulnerabilities
  • Added "Proofs" knowledge base nodes
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added link to TFS API download page for Send To extension
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter's meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added .svg to default set of ignored extensions
  • Removed DOM XSS security checks from default built-in policy
  • Added a new built-in scan policy that includes DOM XSS security checks
  • Added a new scan policy setting section for JavaScript related settings
  • Removed outdated PCI 2.0, PCI 3.0 and OWASP Top Ten 2010 classifications and report templates

Bug Fixes

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug occurs when a proof is empty
  • Fixed the horizontal scroll bar that is shown while adding a new URL rewrite parameter
  • Fixed an issue with comparison report where two reports were showing the same date even if the latter one has been retested
  • Fixed a FileNotFoundException occurs while caching DOM requests
  • Fixed a ThreadInterruptedException thrown by DOM XSS scanner while trying to close application
  • Fixed an UnauthorizedAccessException occurs while cleaning the scan temporary directory
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed a CannotUnloadAppDomainException occurs while trying to close form authentication verifier dialog
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Netsparker's latest version
  • Fixed the slow performance issue which occurs when "Automatically Detect Settings" proxy setting is enabled
  • Fixed the broken proceed button on trial popup dialog
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed an issue with OWASP reports where vulnerabilities in same category were not being grouped together
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
  • Fixed a broken compatibility issue which occurs while loading scan files exported with previous versions
Netsparker 4.5.4 - 21st December 2015

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug occurs when a proof is empty
Netsparker 4.5.2 - 17th December 2015

FEATURES

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated embedded chrome based browser engine to version 41
  • Improved logging when an error occurs if Netsparker was started from command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved JIRA send to action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Missing Content-Type vulnerability is not reported when status code returns 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Displaying installer links for cases where auto update fails or auto updating is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on "Reset to Defaults" dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for "RCE via Perl" vulnerability
  • Added project selection to FogBugz send to action
  • Improved text parser improvements
  • Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue which image submit elements were not clicked
  • Fixed send to extension context menu which does not focus Extensions section when Options dialog is opened
  • Fixed a form authentication verification issue which may crash when username and/or password is empty
  • Fixed a manual crawling issue when proxy was left open when you start a regular scan after a manual crawling
  • Fixed custom reporting sample code on user manual to match the latest reporting API
  • Fixed an issue occurs when the HTTP response body starts with unicode BOM
  • Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
  • Fixed fiddler logging where form authentication requests were not being captured
  • Fixed static resource finder where it was not following a redirect if only the protocol portion of an URL changes
  • Fixed Start a New Scan dialog where Schedule Scan dialog was always shown when you first try to schedule a scan
  • Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection on cases when there are no space left on disk where Netsparker documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
  • Fixed "Missing Content-Type" reporting issue where redirected responses should not be reported
  • Fixed Set-Cookie response headers being merged issue on response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed ignore vulnerability issue function where it was not working for comparison reports
  • Fixed documentation for nginx vulnerability template that tells how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug which prevents attacking from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashes Netsparker when a long URL is parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with "javascript:" protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed generated report name issue where and extra .htm extension is added to report file if run from command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed the issue that Netsparker hangs with a confirmation dialog upon scan completion when started with /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with Scan Imported Links option were attacking to links those are not imported
  • Fixed an issue where retest request is started with the attacked value and causes a vulnerability creation in a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where "Security Check Groups" description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability
Netsparker 4.1.4 - 26th June 2015

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner's advanced settings
  • Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of Maximum 404 Signature setting to be store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed DOM simulation issue where all delegated events on an elements were not being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled