Netsparker Standard Change Log
Netsparker 4.0.0 - 18th March 2015

BREAKING CHANGES

  1. Netsparker 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Netsparker 4.
  2. Form authentication was redesigned; it is now much easier to configure and fully automated. If you had login details configured using the previous wizard, you need to reconfigure them.
  3. The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
  4. The default profiles shipped with Netsparker have been removed. Please use the default Scan Policies instead.
  5. URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore, if you have Scan Policies with URL Rewrite configuration, create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems, do not hesitate to contact our support at support@netsparker.com.

FEATURES

  • Redesigned the "Start a New Scan" dialog window - now it is even easier than before to configure new scans
  • New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
  • Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
  • Added "Incremental Scanning" feature - perform an incremental scan over an existing scan that only attacks new pages introduced since the last scan
  • Added "Retest All" functionality to perform one-click retest on all vulnerabilities found
  • Added support for Remote File Inclusion (RFI) Exploitation
  • Added support for Remote Code Execution via LFI (PHP) Exploitation
  • Added new Executive Summary Report template
  • Added support for importing HTTP Archive (HAR) files

SECURITY CHECKS

Added new security checks in Netsparker to identify the below vulnerabilities and security flaws:

  • Cross Frame Scripting vulnerability check
  • Missing Content-Type and X-Content-Type-Options header checks
  • Cross-Origin Resource Sharing check
  • Mixed Content check to detect if mixed content is loaded over HTTP within an HTTPS page
  • XML External Entity (XXE) Engine
  • File Upload Engine
  • Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
  • Misconfigured Access-Control-Allow-Origin header
  • Credit Card Disclosure

IMPROVEMENTS

  • Improved DOM XSS attack patterns
  • Increased coverage for Open Redirection vulnerabilities
  • Improved Internal Path Disclosure detection patterns for Windows and *nix
  • Improved Connection String detection to cover more cases and run faster
  • Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
  • Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
  • Improved sensitive keyword list for Comments Knowledge base item
  • Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
  • Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
  • Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
  • Improved wording for Auto Complete Enabled vulnerability template
  • Improved Open Redirect detection to include redirects performed by JavaScript code
  • Added an option to perform DOM simulation when necessary in Open Redirect engine
  • Reduced the number of requests made to detect Not Found pages
  • Included Static Resource Finder requests in activity pane
  • Improved CVS file detection pattern
  • Improved the error message displayed on start up to provide more details
  • Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
  • Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
  • Separated HTML5 engine checks in scan policy to allow granular selection
  • Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
  • Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
  • Added retest support for RoR RCE vulnerabilities
  • Added scan policy settings to ignore certain Content Type values
  • Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
  • Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
  • Exposed Signature property for Vulnerability instances in Reporting API
  • Added classification information for Possible Reflected File Download vulnerability
  • Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
  • Changed request timeout setting's unit from milliseconds to seconds in the policy setting UI
  • Improved SSN detection
  • Improved link parsing in Text Parser
  • Added HTTP method and attack parameter names to activity pane
  • Improved LFI confirmation using web.config file
  • Added extra GET requests for the ones having non-GET HTTP methods
  • Added referer checks for DOM XSS
  • Improved binary detection for font requests
  • Added Nginx configuration information for HSTS Not Enabled vulnerability template
  • Improved GIT detected vulnerability template
  • Auto save message now displays the time the scan was saved
  • Revised Interesting Headers list to filter some well-known headers
  • Added form name and action as custom field in CSRF engine
  • Improved the error message text shown when a PDF report cannot be overwritten
  • Added Save button to save changes on current profile
  • Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
  • Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
  • Improved how disk full cases are handled during a scan
  • Improved the order of how vulnerabilities are listed in reports
  • Improved phpMyAdmin detection
  • Improved Stack Trace Disclosure (Java) detection

FIXES

  • Fixed Content-Type header parsing where any quotes should be removed from charset attribute
  • Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
  • Fixed a hang that occurs while performing SSL analysis on sites with some cipher suites
  • Fixed parameter encoding issue in Reverse Shell feature
  • Fixed a space character encoding issue in exploit generation
  • Fixed the generated code in exploits to include calls to alert function instead of netsparker function
  • Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
  • Fixed an issue that crashes Netsparker if a Standard edition license contains an invalid URL
  • Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
  • Fixed DOM parser simulation to select non-default values in select elements
  • Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
  • Fixed an issue where WebDav engine could not perform a retest correctly
  • Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
  • Fixed the tooltip on Add New client certificate button by correcting the supported file extension
  • Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
  • Fixed duplicate confirmation issue during retest
  • Fixed the performance issue with Custom Cookies text box to handle large values
  • Fixed an issue where the Tab key does not move focus to the next control when the focus is on a list
  • Fixed a bug related to Excluded/Included Links where the values revert to default when all values are deleted
  • Fixed the Start Scan button text when Pause Scan After Crawling is checked
  • Fixed the configuration sample in Tomcat Directory Listing vulnerability template
  • Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
  • Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn't start with a dot was being ignored
  • Fixed issues with Version = 1 cookies
  • Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
  • Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
  • Fixed a DOM XSS performance issue on pages using custom fonts
  • Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
  • Fixed trimmed activity duration in activity pane for large values
  • Fixed a StackOverflowException thrown by LFI exploitation
  • Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
  • Fixed a bug with Controlled Scan: the scan policy used during the scan should not prevent the user from performing checks that are not in the policy
  • Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
  • Fixed a bug that occurs when Netsparker tries to read the URL from the clipboard and the clipboard is open by another application
  • Fixed trimmed security test names in controlled scan
  • Fixed a bug where the max number of parameters to attack is not handled correctly
  • Fixed a bug in DOM simulation to provide correct target element when events are simulated
  • Fixed a bug in Scan Policy editor that occurs by ignoring changes while clicking tabs on the left
  • Fixed a cookie parsing bug that occurs when port attribute value is not quoted
  • Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
  • Fixed a cookie parsing bug where cookie parsing stopped in case of an empty Set-Cookie header
  • Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
  • Fixed a log message issue reporting when Find Hidden Resources finishes
  • Fixed a high DPI text issue on Retest message dialog
  • Fixed a cookie parsing issue when Expires attribute contains a comma
  • Fixed a link parsing issue where parameters with empty names are added
  • Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
  • Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation

Netsparker 3.5.16 - 17th December 2014

BUG FIXES

  • Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed

  • Fixed a bug in recrawler where the current concurrent connection count isn't honored

  • Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly

  • Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present

  • Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET

  • Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached

  • Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body

  • Fixed an issue where Content-Length header is not set to 0 with empty request bodies

  • Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests

  • Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing

  • Fixed an ASP.NET View State parser issue that occurs while reading .NET 1.x View States

Netsparker 3.5.14 - 11th November 2014

BUG FIXES

  • Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.

  • Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.

Netsparker 3.5.12 - 15th October 2014

NEW WEB SECURITY TEST

BUG FIXES

  • Fixed a specific issue where generic email addresses were not being reported.

  • Fixed form authentication configuration wizard problem where it couldn't handle pages with popups.

  • Fixed an issue where Netsparker was crashing when the application is closed during report generation.

  • Fixed a crash which occurs on systems where Trebuchet MS font is missing

  • Fixed 2 Heartbleed engine bugs.

Netsparker 3.5.11 - 26th September 2014

NEW WEB SECURITY TEST

  • Added Bash Command Injection Vulnerability (Shellshock Bug) check.

NEW FEATURE

  • Added exploitation support for Remote Code Evaluation and Command Injection engines.

FIX

  • Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.

Netsparker 3.5.5 - 13th August 2014

Read the blog post for more details about this version

NEW FEATURE

  • New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

  • Improved the performance of the DOM Parser

  • Improved the performance of the DOM cross-site scripting scanner

  • Optimized DOM XSS Scanner to avoid scanning pages with same source code

  • Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string

  • Improved selected element simulation for select HTML elements

  • Added new patterns for Open Redirect engine

BUG FIXES

  • Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag

  • Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response

  • Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed

  • Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates

  • Fixed a crash in configure form authentication wizard that occurs when an object element with data: URL scheme contained in the HTML source code is requested

  • Fixed a bug in DOM Parser where events are not simulated for elements inside frames

  • Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response

Netsparker 3.5.3 - 15th July 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • DOM based cross-site scripting vulnerability scanning

  • Scanning of parameters in URLs

  • Nginx web server Out-of-date version check

  • Perl possible source code disclosure

  • Python possible source code disclosure

  • Ruby possible source code disclosure

  • Java possible source code disclosure

  • Nginx Web Server identification

  • Apache Web Server identification

  • Java stack trace disclosure

NEW FEATURES

  • Chrome based web browser engine for DOM parsing

  • URL rewrite rules configuration wizard to scan parameters in URLs

  • "Ignore Vulnerability from Scan" option to exclude vulnerabilities from reports

IMPROVEMENTS

  • Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities

  • Improved cross-site scripting vulnerability confirmation patterns

  • Added support for viewing JSON arrays in document roots in request/response viewers

  • Added support for Microsoft Office ACCDB database file detection

  • Improved DOM parser to exclude non-HTML files

  • Improved PHP Source Code Disclosure vulnerability detection

  • Improved Nginx Version Disclosure vulnerability template

  • Improved IIS 8 Default Page detection

  • Improved Email List knowledgebase report to include generic email addresses

  • Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser

  • Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication

  • Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS

  • Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests

  • Added status bar label which displays current VDB version and VDB version update notifications

  • Added login activity indicator to Scan Summary Dashboard

  • Added a new knowledgebase out-of-scope reason for links which exceed maximum depth

  • Updated external references in cross-site scripting vulnerability templates

  • Improved DOM parser by providing current cookies and referer to DOM/JavaScript context

  • Added several new DOM events to simulate including keyboard events

  • Improved the parsing of "Anti-CSRF token field names" setting by trimming each individual token name pattern

  • Added support for simulating DOM events inside HTML frames/iframes

  • Consolidated XSS exploitation function name (netsparker()) throughout all the areas reported

  • Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings

  • Changed default user-agent string to mimic a Chrome based browser

  • Improved LFI extraction file list to extract files from target system according to detected OS

  • Removed outdated PCI 1.2 classifications

BUG FIXES

  • Fixed indentation problem of bullets in knowledgebase reports

  • Fixed path disclosure reports in MooTools JavaScript file

  • Fixed a KeyNotFoundException that occurs when a node from Sitemap tree is clicked

  • Fixed NullReferenceException thrown from Boolean SQL Injection Engine

  • Fixed an issue in WebDav Engine where an extra parameter is added when requesting with Options method

  • Fixed a bug where LFI exploitation does not work for double encoded paths

  • Fixed a bug in Export file dialog where .nss extension isn't appended if file name ends with a known file extension

  • Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly

  • Fixed a bug which occurs while retesting with CSRF engine

  • Fixed a bug where retest does not work after loading a saved scan session

  • Fixed a bug where Netsparker reports out of date PHP even though PHP is up to date

  • Fixed a UI hang where Netsparker tries to display a binary response in Browser View tab

  • Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability

  • Fixed a bug where Netsparker makes requests to DTD URIs in XML documents

  • Fixed a bug in Scan Policy settings dialog where the list of user agents is duplicated

  • Fixed a typo in ViewState MAC Not Enabled vulnerability template

  • Fixed a bug in auto updater where the updater doesn't honour the AutoPilot and Silent command line switches

  • Fixed XSS exploit generation code to handle cases where input name is "submit"

  • Fixed a bug that prevents Netsparker.exe process from closing if you try to close Netsparker immediately after starting a new scan

  • Fixed a UI hang that happens when the highlighted text is huge in response source code

  • Fixed issues with decoded HTML attribute values in text parser

  • Fixed session cookie path issues according to how they are implemented in modern browsers

  • Fixed scan stuck at re-crawling issue for imported scan sessions

  • Fixed highlighting issues for possible XSS vulnerabilities

  • Fixed a crash due to empty/missing URL value for form authentication macro requests

  • Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header

  • Fixed an error in authentication macro sequence player that happens when the request URI is wrong or missing

Netsparker 3.2.7 - 21st April 2014

BUG FIXES

  • Fixed a bug where application hangs in Heartbleed engine

  • Fixed SOAP WSDL parser to parse web services containing .NET System.Data references

  • Fixed SOAP WSDL parser to parse web services containing array parameters

Netsparker 3.2.5 - 15th April 2014

BUG FIX

  • Fixed SocketException error which occurs during Heartbleed check

Netsparker 3.2.3 - 11th April 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • OpenSSL Heartbleed checks added

Netsparker 3.2.1 - 23rd January 2014

BUG FIX

  • Fixed an issue where an imported NSS file containing multiple version vulnerabilities was throwing exceptions during report generation

Netsparker 3.2 - 22nd January 2014

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added attack patterns for LFI vulnerability which is revealed with only backslashes in file path

  • Added Programming Error Message vulnerability detection for SOAP faults

  • Added AutoComplete vulnerability for password inputs

  • NuSOAP version disclosure

  • NuSOAP version check

NEW FEATURES

  • SOAP Web Services scanning - ability to scan SOAP web services for security issues and vulnerabilities

  • Request and Response viewers to view HTTP requests/responses like XML and JSON tree views

  • New knowledge base node that will include all AJAX/XML HTTP Requests

  • New value matching options for form values other than regex pattern (exact, contains, starts, ends)

  • New report template for parsing source information Crawled URLs List (CSV)

IMPROVEMENTS

  • Improved XSS vulnerability confirmation

  • Improved Generic Source Code Disclosure security check by excluding JavaScript and CSS resources

  • Added latest version custom field for the version vulnerabilities

  • Added standard context menus to text editors

  • Sitemap tree will display nodes of JSON, XML and SOAP requests and responses with no parameters

  • Added force option to form value settings to enforce user specified values

  • Optimized attack patterns for JSON and XML attacks by reducing attack requests

  • Optimized Common Directories list and removed the limit for Extensive Security Checks policy

  • Improved the license dialog to show whether a license is missing or expired

FIXES

  • Fixed update dialog to not show in autopilot mode

  • Fixed an interim auto update crash

  • Fixed typo in Out of Scope Links knowledge base report template

  • Fixed an issue in LFI exploiter where XML tags with namespace prefixes were preventing exploitation

  • Fixed Controlled Scan button disabled issue for some sitemap nodes

  • Fixed parameter anchors in Vulnerability Summary table of Detailed Scan Report template

  • Fixed form authentication wizard to use user agent set on currently selected policy

  • Fixed zero response time issue for some sitemap nodes

  • Fixed dashboard progress bar showing 100%

  • Fixed random crashes on license dialog while loading license file or closing dialog

  • Fixed Microsoft Anti-XSS Library links on vulnerability references

Netsparker 3.1.7 - 10th December 2013

Read the blog post for more details about this version

NEW FEATURES

  • Added classifications for PCI DSS Version 3.0 to vulnerability details

  • Added new PCI Version 3.0 report template

BUG FIX

  • Fixed an issue on Configure Form Authentication wizard where token, custom header and proxy settings weren't used from selected scan policy

Netsparker 3.1.6 - 3rd December 2013

FIXES

  • Fixed an InvalidCastException that occurs in DOM Parser on some configurations

  • Fixed some incorrect UI control sizes and locations

Netsparker 3.1.4 - 29th November 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Moved Scan Policy settings from Settings dialog to Scan Policy Editor dialog

  • Added "debug" keyword to default sensitive comment keyword list

  • Improved Scan Policy Editor dialog to default to unique policy names when a new policy is created or cloned

  • Improved Custom 404 RegEx validation to prevent empty patterns

  • Improved HTML5 engine to ignore non-HTTP protocols on iframe sources

  • Improved Configure Form Authentication wizard to use the selected Scan Policy settings (Custom headers, proxy, user-agent, etc.) on Start a New Scan dialog

  • Improved Cross-site Scripting vulnerability template

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for report templates

  • Fixed DOM Parser InvalidCastException crashes while trying to cast option tags in some cases

  • Fixed form "action" value reported wrong on vulnerability details

  • Fixed Internal Proxy port value setting upper bound to 65535

  • Fixed incorrect attack possibility calculation for XSS confirmation requests

  • Fixed dialog sizes on various screen resolutions and DPIs

  • Fixed some issues in XSS detection within script blocks

  • Fixed XML attacks where reserved "xmlns" attribute values were being modified

  • Fixed a DOM Parser issue on HTML pages with nested form tags

Netsparker 3.1.1 - 20th November 2013

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added support for parsing and attacking JSON and XML request payloads

  • CSRF engine is added

  • HTML5 engine is added

  • Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, Wordpress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)

  • Added Dynamic Payload - Slash/Backslash LFI patterns

NEW FEATURES

  • Added support for new HTML5 input types

  • Most of the global settings have now moved to scan policy and can be set on a per-scan basis

  • Added a new knowledge base item where all out of scope links in current scan are listed with the reasons

  • Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted

  • Added a new knowledge base item where frames with external URLs are reported

  • Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported

  • Added support for cookies set by meta tags

  • Added support for generating multiple reports at a time using command line

  • Added support for updating vulnerability database without requiring an application update

  • Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

  • DOM parser simulation is improved

  • Attack possibility calculation is improved

  • Rendering in severity bar chart in scan summary dashboard is improved

  • Added late confirmation support for Blind Command Injection engine

  • DOM parser print dialog prevention improved

  • Browser View tab now shows XML responses in a tree view

  • Tweaked sleep tolerance value of time based engines

  • Improved the impact sections of most of the vulnerability templates

  • Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor

  • Form inputs listed under knowledge base are now grouped by their types

  • Improved PHP Source Code Disclosure pattern

  • Improved DOM parser to extract textarea elements

  • Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags

  • Improved LFI confirmation patterns

  • Improved XSS confirmation for Full URL and Full Query String attacks

  • Optimized XSS confirmation phase to skip redundant patterns

  • Improved binary response detection

  • Added limit controls to the knowledge base items to prevent performance degradation caused by excessive numbers of items

  • Default user agent string is set to the one used in IE8

  • Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests

  • Improved multipart/form-data request parsing

  • Improved threading code in DOM parser and made DOM parser run in multiple processes

  • Improved Knowledge base user interface

  • Improved form value pattern for URL inputs

  • Added vulnerability database version information to related vulnerability templates

  • Configure Form Authentication wizard clears persistent cookies when started

  • Added detailed crawling/attacking activity information to Scan Summary Dashboard

  • Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

  • Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file

  • Fixed a bug where reports generated after an auto pilot scan may contain missing items

  • Fixed a bug where Netsparker was reporting "Scan Finished" even though Recrawling was still in progress

  • Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines

  • Fixed a NullReferenceException thrown from Knowledge Base when a scan is imported from a file

  • Fixed an issue where Error dialog was showing in autopilot mode

  • Fixed an issue where Auto Update dialog was showing in autopilot mode

  • Fixed a bug where DOM parser was failing to trigger click event for button elements

  • Fixed a bug where DOM parser was failing to extract value attribute for button elements

  • Fixed a bug where Possible LFI is reported for a binary file

  • Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders

  • Fixed a DOM parser issue where forms with empty action values are not captured

  • Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked

  • Fixed typo in "Only Entered Url" section of User Manual

  • Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons

  • Fixed a DOM parser issue where button element with empty value is parsed

  • Fixed scan policy editor to reject policies with empty names

  • Fixed include/exclude URLs list to reject empty patterns

  • Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel

  • Fixed a scan policy bug where cloning a policy doesn't copy the database type of Boolean SQL Injection engine

  • Fixed Burp importer where \r\n occurrences were normalized to \n chars.

  • Fixed Burp importer which was failing to parse headers properly

  • Fixed Burp importer which was failing with base64 encoded requests

  • Fixed Paros importer which was failing to parse POST request bodies with multiple lines

  • Fixed a bug where an XSS payload that is not executed in JavaScript context is still reported as possible XSS

  • Fixed misleading status message in dashboard after file import

  • Fixed a bug in fingerprinting which was causing a NullReferenceException

  • Fixed an issue where Anti-CSRF token extraction didn't work in crawling

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.

Netsparker 3.0.15.0 - 24th September 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Updated known web applications vulnerability database (Apache, MySQL, WordPress, osCommerce, MediaWiki)

Netsparker 3.0.14.0 - 21st August 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Updated vulnerability database (PHP, osCommerce, Python).

BUG FIXES

  • Fixed a critical bug where some report templates weren't printing all vulnerability instances.
  • Fixed a bug in DOM/JavaScript Parser that causes some ASP.NET postback links not to be crawled.

Netsparker 3.0.12.0 - 21st August 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Updated known web applications vulnerability database (Drupal, PHP)

Netsparker 3.0.11.0 - 7th August 2013

IMPROVEMENTS

  • Added OWASP Top Ten 2013 Report template

  • Updated vulnerability database (MySQL, WordPress, Joomla)