Netsparker Standard Change Log
Netsparker 4.1.4 - 26th June 2015

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner's advanced settings
  • Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of Maximum 404 Signature setting to be store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed DOM simulation issue where all delegated events on an elements were not being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled
Netsparker 4.1.0 - 12th May 2015

NEW SECURITY TESTS

  • Form Hijacking Security Checks added
  • Base Tag Hijacking Security Checks added

IMPROVEMENTS

  • Added several new backup file checks to improve the coverage
  • Improved the number of combinations that Common Directory checks find
  • Added support for using digits in custom URL rewrite parameter names
  • Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
  • Added HTTP POST method support for Open Redirection security tests
  • Improved resource finder behavior by falling back to GET requests when HEAD requests are failing
  • Improved detection of XSS vulnerabilities in CSS blocks
  • Improved vulnerability template for Open Redirection vulnerabilities
  • Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
  • Set default maximum vulnerability report limit to 1000 for active engines
  • Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability

FIXES

  • Fixed a race condition issue which occurs while adding new links on DOM simulation
  • Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
  • Fixed incorrect parsing of multiple response headers with same name on DOM simulation and DOM XSS attacks
  • Fixed a vulnerability template generation issue where temporary files were being kept on disk
  • Fixed installer to handle .NET framework versions released after 4.5.2
  • Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
  • Fixed "Maximum 404 Pages to Attack" scan policy option which was previously limiting the maximum page number to 10 no matter what set with this option
Netsparker 4.0.4 - 21st April 2015

NEW SECURITY CHECKS

  • Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check

IMPROVEMENTS

  • Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer
  • Improved Auto Complete Enabled vulnerability report by displaying all the matching input names
  • Improved PCI reporting by adding PCI 3.1 data to vulnerabilities

FIXES

  • Fixed the wrong highlighting of selected row on custom URL rewrite rule editor while testing rules
Netsparker 4.0.2 - 20th April 2015

NEW SECURITY CHECKS

  • Added RSA Private Key Detected vulnerability check

IMPROVEMENTS

  • Improved Credit Card Disclosure detection
  • Reporting cookie name in "Cookie values used in Anti-CSRF token" issue
  • Improved "Delegated event" simulation in DOM Parser
  • Improved comment order in knowledgebase by displaying comments having sensitive keywords first
  • Improved the wording at "ViewState is not Encrypted" vulnerability report template
  • Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
  • Improved Exclude/Include patterns to match parameter names and values in addition to the URL
  • Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
  • Improved logging of regex timeout issues with additional parameter name and URL information
  • Improved reporting API documentation by including more types

FIXES

  • Fixed "Options Method Enabled" vulnerability reporting by adding status code checks
  • Fixed a NullReferenceException issue that occurs when Netsparker is started using command line
  • Fixed an encoding issue for parameter names in multipart/form-data requests
  • Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
  • Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
  • Fixed an SSL connection issue where the target web server demands only TLS 1.1 or TLS 1.2 protocols
  • Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
  • Fixed custom data reporting in vulnerability templates to get rid of the bullet point if there is only a single custom data
  • Fixed an issue with "Out of Scope" links reported under knowledgebase where the links discovered in DOM Parser are not reported
  • Fixed a report template customization issue where modifying a report template while Netsparker is running was causing it to fail during report generation
  • Fixed a multipart/form-data request issue where "filename" attribute was not submitted for file upload parameters
  • Fixed a dashboard issue where the progress bar is stuck on Crawl Only scans even though crawling finishes
  • Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
  • Fixed custom URL rewrite test interface where only visible rows were being tested before
Netsparker 4.0.1 - 26th March 2015

IMPROVEMENTS

  • Improved coverage of DOM based XSS engine
  • Improved the search on raw response viewer
  • Improved form authentication API click functions to mark/unmark checkbox elements
  • Improved "Insecure transportation security protocol (SSLv3)" vulnerability template
  • Added the page URL and the number of the page as a log to verification dialog while executing custom scripts
  • Added the number of custom script pages to the hint on verification dialog and the hint now has a tooltip that displays the custom script code
  • Improved DOM parser to handle both on and off states of checkbox elements
  • Improved the message on cases where File > Import fails due to old scan file format
  • Added TextParserRegexTimeout advanced setting to modify the timeout value of pattern matching in Text Parser
  • Added the request URL as a log to tell which request has a response that matches current logout pattern of form authentication
  • Improved memory handling to prevent Out-of-memory issues during long scans
  • Improved the pattern match logs to be issued once to prevent the clutter

FIXED

  • Fixed a crash that occurs during application close while trying to log a message to UI
  • Fixed report templates to include correct lower-case versions of image file names to display them correctly on case-sensitive OS file systems
  • Fixed a crash in form authentication verification where missing persona causes issues during logout detection
  • Fixed custom script execution in form authentication to skip execution of auto login script on pages where script is deliberately left blank
  • Fixed a few crashes that occur when the custom script window is closed while the page was loading
  • Fixed an issue with logout detection where invalid URLs could be accepted as overridden login required URL
  • Fixed creation of redundant Documents\Netsparker\Credential folder on new installations
  • Fixed random missing developer tools pane on custom script window
  • Fixed a crash that happens when the form authentication verification dialog is closed during logout keyword detection
  • Fixed several memory issues where redundant object instances were not reclaimed
  • Fixed a memory issue where long parameter values causing large memory allocations
  • Fixed signature generation for URL Rewrite links
Netsparker 4.0.0 - 18th March 2015

BREAKING CHANGES

  1. Netsparker 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Netsparker 4.
  2. Form authentication was redesigned and now it is much easier to configure and all automated. If you had login details configured using the previous wizard you need to reconfigure them.
  3. The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
  4. The default profiles shipped with Netsparker have been removed. Please use the default Scan Policies instead.
  5. URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore if you have Scan Policies with URL Rewrite configuration create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems do not hesitate to contact our support at support@netsparker.com

FEATURES

  • Redesigned the "Start a New Scan" dialog window - now it is even easier than before to configure new scans
  • New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
  • Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
  • Added "Incremental Scanning" feature - perform an incremental scan over an existing scan that only attacks to new pages introduced since last scan
  • Added "Retest All" functionality to perform one-click retest on all vulnerabilities found
  • Added support for Remote File Inclusion (RFI) Exploitation
  • Added support for Remote Code Execution via LFI (PHP) Exploitation
  • Added new Executive Summary Report template
  • Added support for importing HTTP Archive (HAR) files

SECURITY CHECKS

Added new security checks in Netsparker to identify the below vulnerabilities and security flaws:

  • Cross Frame Scripting vulnerability check
  • Missing Content-Type and X-Content-Type-Options header checks
  • Cross-Origin Resource Sharing check
  • Mixed Content check to detect if a mixed content is loaded over HTTP within an HTTPS page
  • XML External Entity (XXE) Engine
  • File Upload Engine
  • Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
  • Misconfigured Access-Control-Allow-Origin header
  • Credit Card Disclosure

IMPROVEMENTS

  • Improved DOM XSS attack patterns
  • Increased coverage for Open Redirection vulnerabilities
  • Improved Internal Path Disclosure detection patterns for Windows and *nix
  • Improved Connection String detection to cover more cases and run faster
  • Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
  • Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
  • Improved sensitive keyword list for Comments Knowledge base item
  • Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
  • Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
  • Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
  • Improved wording for Auto Complete Enabled vulnerability template
  • Improved Open Redirect detection to include redirects performed by JavaScript code
  • Added an option to perform DOM simulation when necessary in Open Redirect engine
  • Reduced the number of requests made to detect Not Found pages
  • Included Static Resource Finder requests in activity pane
  • Improved CVS file detection pattern
  • Improved the error message displayed on start up to provide more details
  • Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
  • Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
  • Separated HTML5 engine checks in scan policy to provide granular selection chance
  • Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
  • Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
  • Added retest support for RoR RCE vulnerabilities
  • Added scan policy settings to ignore certain Content Type values
  • Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
  • Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
  • Exposed Signature property for Vulnerability instances in Reporting API
  • Added classification information for Possible Reflected File Download vulnerability
  • Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
  • Changed request timeout setting's unit from milliseconds to seconds in the policy setting UI
  • Improved SSN detection
  • Improved link parsing in Text Parser
  • Added HTTP method and attack parameter names to activity pane
  • Improved LFI confirmation using web.config file
  • Added extra GET requests for the ones having non-GET HTTP methods
  • Added referer checks for DOM XSS
  • Improved binary detection for font requests
  • Added Nginx configuration information for HSTS Not Enabled vulnerability template
  • Improved GIT detected vulnerability template
  • Auto save message is now displaying the time scan is saved
  • Revised Interesting Headers list to filter some well-known headers
  • Added form name and action as custom field in CSRF engine
  • Improved the error message text shown when a PDF report cannot be overwritten
  • Added Save button to save changes on current profile
  • Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
  • Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
  • Improved how disk full cases are handled during a scan
  • Improved the order of how vulnerabilities are listed in reports
  • Improved phpMyAdmin detection
  • Improved Stack Trace Disclosure (Java) detection

FIXES

  • Fixed Content-Type header parsing where any quotes should be removed from charset attribute
  • Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
  • Fixed a hang occurs while performing SSL analyze on sites with some cipher suites
  • Fixed parameter encoding issue in Reverse Shell feature
  • Fixed a space character encoding issue in exploit generation
  • Fixed the generated code in exploits to include calls to alert function instead of netsparker function
  • Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
  • Fixed an issue that crashes Netsparker if a Standard edition license contains an invalid URL
  • Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
  • Fixed DOM parser simulation to select non-default values in select elements
  • Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
  • Fixed an issue where WebDav engine could not perform a retest correctly
  • Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
  • Fixed the tooltip on Add New client certificate button by correcting the supported file extension
  • Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
  • Fixed duplicate confirmation issue during retest
  • Fixed the performance issue with Custom Cookies text box to handle large values
  • Fixed an issue with Tab key when the focus is on a list and does not move away to next control
  • Fixed a bug related with Excluded/Included Links where the values are getting back to default when all values are deleted
  • Fixed the Start Scan button text when Pause Scan After Crawling is checked
  • Fixed the configuration sample in Tomcat Directory Listing vulnerability template
  • Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
  • Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn't start with a dot was being ignored
  • Fixed issues with Version = 1 cookies
  • Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
  • Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
  • Fixed a DOM XSS performance issue on pages using custom fonts
  • Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
  • Fixed trimmed activity duration in activity pane for large values
  • Fixed a StackOverflowException thrown by LFI exploitation
  • Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
  • Fixed a bug with Controlled Scan where the scan policy used during the scan should not prevent user to perform checks that are not in the policy
  • Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
  • Fixed a bug occurs when Netsparker tries to read the URL from clipboard and clipboard is open by another application
  • Fixed trimmed security test names in controlled scan
  • Fixed a bug where the max number of parameters to attack is not handled correctly
  • Fixed a bug in DOM simulation to provide correct target element when events are simulated
  • Fixed a bug in Scan Policy editor occurs by ignoring changes while clicking tabs on left
  • Fixed a cookie parsing bug occurs when port attribute value is not quoted
  • Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
  • Fixed a cookie parsing bug where cookies were stopped being parsed in case of an empty Set-Cookie header
  • Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
  • Fixed a log message issue reporting when Find Hidden Resources finishes
  • Fixed a high DPI text issue on Retest message dialog
  • Fixed a cookie parsing issue when Expires attribute contains a comma
  • Fixed a link parsing issue where parameters with empty names are added
  • Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
  • Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation
Netsparker 3.5.16 - 17th December 2014

BUG FIXES

  • Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed

  • Fixed a bug in recrawler where the current concurrent connection count isn't honored

  • Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly

  • Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present

  • Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET

  • Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached

  • Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body

  • Fixed an issue where Content-Length header is not set to 0 with empty request bodies

  • Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests

  • Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing

  • Fixed an ASP.NET View State parser issue occurs while reading .NET 1.x View States

Netsparker 3.5.14 - 11th November 2014

BUG FIXES

  • Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.

  • Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.

Netsparker 3.5.12 - 15th October 2014

NEW WEB SECURITY TEST

BUG FIXES

  • Fixed a specific issue where generic email addresses were not being reported.

  • Fixed form authentication configuration wizard problem where it couldn't handle pages with popups.

  • Fixed an issue where Netsparker was crashing when the application is closed during report generation.

  • Fixed a crash which occurs on systems where Trebuchet MS font is missing

  • Fixed 2 Heartbleed engine bugs.

Netsparker 3.5.11 - 26th September 2014

NEW WEB SECURITY TEST

  • Added Bash Command Injection Vulnerability (Shellshock Bug) check.

NEW FEATURE

  • Added exploitation support for Remote Code Evaluation and Command Injection engines.

FIX

  • Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.

Netsparker 3.5.5 - 13th August 2014

Read the blog post for more details about this version

NEW FEATURE

  • New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

  • Improved the performance of the DOM Parser

  • Improved the performance of the DOM cross-site scripting scanner

  • Optimized DOM XSS Scanner to avoid scanning pages with same source code

  • Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string

  • Improved selected element simulation for select HTML elements

  • Added new patterns for Open Redirect engine

BUG FIXES

  • Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag

  • Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response

  • Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed

  • Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates

  • Fixed a crash in configure form authentication wizard that occurs when HTML source code contains an object element with data: URL scheme is requested

  • Fixed a bug in DOM Parser where events are not simulated for elements inside frames

  • Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response

Netsparker 3.5.3 - 15th July 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • DOM based cross-site scripting vulnerability scanning

  • Scanning of parameters in URLs

  • Nginx web server Out-of-date version check

  • Perl possible source code disclosure

  • Python possible source code disclosure

  • Ruby possible source code disclosure

  • Java possible source code disclosure

  • Nginx Web Server identification

  • Apache Web Server identification

  • Java stack trace disclosure

NEW FEATURES

  • Chrome based web browser engine for DOM parsing

  • URL rewrite rules configuration wizard to scan parameters in URLs

  • "Ignore Vulnerability from Scan" option to exclude vulnerabilities from reports

IMPROVEMENTS

  • Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities

  • Improved cross-site scripting vulnerability confirmation patterns

  • Added support for viewing JSON arrays in document roots in request/response viewers

  • Added support for Microsoft Office ACCDB database file detection

  • Improved DOM parser to exclude non-HTML files

  • Improved PHP Source Code Disclosure vulnerability detection

  • Improved Nginx Version Disclosure vulnerability template

  • Improved IIS 8 Default Page detection

  • Improved Email List knowledgebase report to include generic email addresses

  • Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser

  • Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication

  • Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS

  • Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests

  • Added status bar label which displays current VDB version and VDB version update notifications

  • Added login activity indicator to Scan Summary Dashboard

  • Added a new knowledgebase out-of-scope reason for links which exceed maximum depth

  • Updated external references in cross-site scripting vulnerability templates

  • Improved DOM parser by providing current cookies and referer to DOM/JavaScript context

  • Added several new DOM events to simulate including keyboard events

  • Improved the parsing of "Anti-CSRF token field names" setting by trimming each individual token name pattern

  • Added support for simulating DOM events inside HTML frames/iframes

  • Consolidated XSS exploitation function name (netsparker()) throughout all the areas reported

  • Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings

  • Changed default user-agent string to mimic a Chrome based browser

  • Improved LFI extraction file list to extract files from target system according to detected OS

  • Removed outdated PCI 1.2 classifications

BUG FIXES

  • Fixed indentation problem of bullets in knowledgebase reports

  • Fixed path disclosure reports in MooTools JavaScript file

  • Fixed KeyNotFoundException occurs when a node from Sitemap tree is clicked

  • Fixed NullReferenceException thrown from Boolean SQL Injection Engine

  • Fixed an issue in WebDav Engine where an extra parameter is added when requesting with Options method

  • Fixed a bug where LFI exploitation does not work for double encoded paths

  • Fixed a bug in Export file dialog where .nss extension isn't appended if file name ends with a known file extension

  • Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly

  • Fixed a bug which occurs while retesting with CSRF engine

  • Fixed a bug where retest does not work after loading a saved scan session

  • Fixed a bug where Netsparker reports out of date PHP even though PHP is up to date

  • Fixed a UI hang where Netsparker tries to display a binary response in Browser View tab

  • Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability

  • Fixed a bug where Netsparker makes requests to DTD URIs in XML documents

  • Fixed a bug in Scan Policy settings dialog where list of user agents are duplicated

  • Fixed a typo in ViewState MAC Not Enabled vulnerability template

  • Fixed a bug in auto updater where the updater doesn't honour the AutoPilot and Silent command line switches

  • Fixed XSS exploit generation code to handle cases where input name is "submit"

  • Fixed a bug that prevents Netsparker.exe process from closing if you try to close Netsparker immediately after starting a new scan

  • Fixed a UI hang happens when the highlighted text is huge in response source code

  • Fixed issues with decoded HTML attribute values in text parser

  • Fixed session cookie path issues according to how they are implemented in modern browsers

  • Fixed scan stuck at re-crawling issue for imported scan sessions

  • Fixed highlighting issues for possible XSS vulnerabilities

  • Fixed a crash due to empty/missing URL value for form authentication macro requests

  • Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header

  • Fixed an error in authentication macro sequence player happens when the request URI is wrong or missing

Netsparker 3.2.7 - 21st April 2014

BUG FIXES

  • Fixed a bug where application hangs in Heartbleed engine

  • Fixed SOAP WSDL parser to parse web services containing .NET System.Data references

  • Fixed SOAP WSDL parser to parse web services containing array parameters

Netsparker 3.2.5 - 15th April 2014

BUG FIX

  • Fixed SocketException error which occurs during Heartbleed check

Netsparker 3.2.3 - 11th April 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • OpenSSL Heartbleed checks added

Netsparker 3.2.1 - 23rd January 2014

BUG FIX

  • Fixed an issue where an imported NSS file containing multiple version vulnerabilities was throwing exceptions during report generation

Netsparker 3.2 - 22nd January 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added attack patterns for LFI vulnerability which is revealed with only backslashes in file path

  • Added Programming Error Message vulnerability detection for SOAP faults

  • Added AutoComplete vulnerability for password inputs

  • NuSOAP version disclosure

  • NuSOAP version check

NEW FEATURES

  • SOAP Web Services scanning - ability to scan SOAP web services for security issues and vulnerabilities

  • Request and Response viewers to view HTTP requests/responses like XML and JSON tree views

  • New knowledge base node that will include all AJAX/XML HTTP Requests

  • New value matching options for form values other than regex pattern (exact, contains, starts, ends)

  • New report template for parsing source information Crawled URLs List (CSV)

IMPROVEMENTS

  • Improved XSS vulnerability confirmation

  • Improved Generic Source Code Disclosure security check by excluding JavaScript and CSS resources

  • Added latest version custom field for the version vulnerabilities

  • Added standard context menus to text editors

  • Sitemap tree will display nodes of JSON, XML and SOAP requests and responses with no parameters

  • Added force option to form value settings to enforce user specified values

  • Optimized attack patterns for JSON and XML attacks by reducing attack requests

  • Optimized Common Directories list and removed the limit for Extensive Security Checks policy

  • Improved the license dialog to show whether a license is missing or expired

FIXES

  • Fixed update dialog to not show in autopilot mode

  • Fixed an interim auto update crash

  • Fixed typo in Out of Scope Links knowledge base report template

  • Fixed an issue in LFI exploiter where XML tags with namespace prefixes was preventing exploitation

  • Fixed Controlled Scan button disabled issue for some sitemap nodes

  • Fixed parameter anchors in Vulnerability Summary table of Detailed Scan Report template

  • Fixed form authentication wizard to use user agent set on currently selected policy

  • Fixed zero response time issue for some sitemap nodes

  • Fixed dashboard progress bar showing 100%

  • Fixed random crashes on license dialog while loading license file or closing dialog

  • Fixed Microsoft Anti-XSS Library links on vulnerability references

Netsparker 3.1.7 - 10th December 2013

Read the blog post for more details about this version

NEW FEATURES

  • Added classifications for PCI DSS Version 3.0 to vulnerability details

  • Added new PCI Version 3.0 report template

BUG FIX

  • Fixed an issue on Configure Form Authentication wizard where token, custom header and proxy settings weren't used from selected scan policy

Netsparker 3.1.6 - 3rd December 2013

FIXES

  • Fixed an InvalidCastException occurs on DOM Parser on some configurations

  • Fixed some incorrect UI control sizes and locations

Netsparker 3.1.4 - 29th November 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Moved Scan Policy settings from Settings dialog to Scan Policy Editor dialog

  • Added "debug" keyword to default sensitive comment keyword list

  • Improved Scan Policy Editor dialog to default to unique policy names when a new policy is created or cloned

  • Improved Custom 404 RegEx validation to prevent empty patterns

  • Improved HTML5 engine to ignore non-HTTP protocols on iframe sources

  • Improved Configure Form Authentication wizard to use the selected Scan Policy settings (Custom headers, proxy, user-agent, etc.) on Start a New Scan dialog

  • Improved Cross-site Scripting vulnerability template

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for report templates

  • Fixed DOM Parser InvalidCastException crashes while trying to cast option tags on some cases

  • Fixed form "action" value reported wrong on vulnerability details

  • Fixed Internal Proxy port value setting upper bound to 65535

  • Fixed incorrect attack possibility calculation for XSS confirmation requests

  • Fixed dialog sizes on various screen resolutions and DPIs

  • Fixed some issues in XSS detecting within script blocks

  • Fixed XML attacks where reserved "xmlns" attribute values were being modified

  • Fixed a DOM Parser issue on HTML pages with nested form tags