Netsparker Standard Change Log
Netsparker 3.0.2.0 - 17th June 2013

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Ruby on Rails Remote Code Execution vulnerability

  • Off-the-shelf web application fingerprinting and detection of known security issues (such as WordPress, Joomla and Drupal)

  • Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server

  • Identification of phpMyAdmin and Webalizer

  • Detection of SHTML error messages that could disclose sensitive information

  • New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities

  • Server-Side Includes (SSI) Injection checks.

NEW FEATURES

  • Scan Policy Editor that allows you to build your own scan policies for more efficient web application security scans.

  • Oracle CHR encoding and decoding facility in the Encoder pane

  • Support for multiple exclude and include URL patterns, which can also be specified as regular expressions (regex)

  • Knowledge base node where additional information about the scanned website is reported to the user

  • New PCI Compliance Report template.

IMPROVEMENTS

  • Default include and exclude URL patterns have been improved

  • DOM parser now supports proxies and client certificates

  • The performance of the Controlled Scan user interface has been improved

  • HTTP Response text editor automatically scrolls to the first highlighted text when viewed

  • Improved vulnerability classifications

  • Vulnerability templates text has been improved

  • Updated the look and feel of the vulnerability templates

  • Version vulnerability database updated with new web application versions for better fingerprinting

  • Cross-site scripting exploit generation improved

  • Improved confirmed vulnerability representation on Detailed Scan Report

  • Internal Path Disclosure for Windows and Unix security tests have been improved

  • Improved version disclosure security tests for Perl and ASP.NET MVC

  • Simplified the Start a Scan user interface by moving rarely used settings to the Netsparker general settings

  • Improved the performance of security scans which are started using the same Netsparker process

  • Scope documentation text has been updated

  • Updated WASC links to point to the exact threat classification page

  • Improved custom 404 detection on sites where the start URL is redirected.

BUG FIXES

  • Fixed a bug in XSS report templates where the plus character was encoded incorrectly

  • Fixed a bug which caused multibyte Unicode characters to be corrupted upon retrieval

  • Fixed a bug where "Auto Complete Enabled" wasn't reported

  • Fixed a bug where Community Edition prompted to export sessions

  • Fixed a bug that caused redundant responses to be stored on redirects

  • Fixed a bug causing a NullReferenceException during reporting

  • Fixed a bug where custom cookies were not preserved when an exported session was imported

  • Fixed a bug on report templates where extra fields were missing when there are multiple fields

  • Fixed the radio button overlap issue on Encoder panel for high DPIs

  • Fixed an issue where CSRF tokens weren't applied for time-based (blind) engines during late confirmation

  • Fixed an issue where data grids on the Settings dialog prevented cancelling the dialog when an invalid row was present

  • Fixed an issue where some logouts that occurred during the attack phase couldn't be detected

  • Fixed a bug that caused requests to URLs containing the text HTMLElementInputClass

  • Fixed a bug where the injection request/response could be clipped incorrectly in the middle of HTML tags

  • Fixed the size of the Configure Authentication wizard for higher DPIs

  • Fixed an issue with CLI interpretation where built-in profiles couldn't be specified

  • Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()

  • Fixed clipped text issue on scan summary dashboard severity bar chart

  • Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template

  • Fixed incorrect button sizes on message dialogs on high DPI settings

  • Fixed a startup crash which occurs on systems where "Use FIPS compliant algorithms for encryption, hashing, and signing" group policy setting is enabled

  • Fixed click sounds on vulnerability view tab

  • Fixed an issue where the Find Next button was not working on the HTTP Request / Response tab

  • Fixed a bug in the Configure Authentication wizard that occurred when the response contained multiple headers with the same name.


Note: Due to major updates to the scan files, Netsparker version 3 cannot open scans exported with previous versions of Netsparker (.nss files).

Netsparker 2.5.3.0 - 21st March 2013

Read the blog post for more details about this version

IMPROVEMENTS

  • Vulnerability Database Update

  • Configure Authentication user interface enhancements.

BUG FIX

  • Fixed issues in Form authentication logout detection.

Netsparker 2.5.1.0 - 18th February 2013

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • HTTP Strict Transport Security (HSTS) Test

  • Shell Script Found detection

  • XHTML XSS Attack

  • Database Connection String Found vulnerability

  • Possible Administration Page Found Issue

  • UNC Server and Share Disclosure.

NEW FEATURES

  • Integration with Bug Tracking Tools and Send To Feature

  • Generate Exploit Feature

  • OWASP Top Ten Report.

IMPROVEMENTS

  • Vulnerability Database Update

  • Performance Improvements.

Netsparker 2.4.5.0 - 19th December 2012

Read the blog post for more details about this version

NEW FEATURES

  • Windows 8/Server 2012 Support.

IMPROVEMENT

  • Vulnerability Database Update.

Netsparker 2.4.2.0 - 5th December 2012

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Possible Windows Username Disclosure

  • LigHTTPD Directory Listing

  • Nginx Directory Listing

  • LiteSpeed Directory Listing

  • Generic Email Address Disclosure

  • LigHTTPD Version Disclosure

  • Nginx Version Disclosure

  • SharePoint Version Disclosure

  • IIS 8 Default Page Detection

  • Struts2 Development Mode Enabled.

NEW FEATURES

  • Seamless Update Support

  • Error Reporting and Help Desk Integration

  • Custom HTTP Header Support.

Netsparker 2.3.0.0 - 23rd August 2012

Read the blog post for more details about this version

NEW FEATURE

  • Improved PDF reports.

IMPROVEMENT

  • Increased performance.

Netsparker 2.2.0.0 - 19th July 2012

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Detection of web statistics applications

  • Web.config check added

  • WS_FTP log check added

  • Perl RCE (Remote Code Evaluation) checks added.

NEW FEATURES

  • Ability to scan much bigger websites with high performance

  • Faster scans

  • 2 New scan reports added.

Netsparker 2.1.0.39 - 2nd February 2012

Read the blog post for more details about this version

NEW WEB SECURITY CHECKS

  • Expression Language Injection check added

  • MyFaces Stack Trace Disclosure check added

  • Mongrel Server Version Disclosure check added

  • Password over GET check added

  • WebLogic Detection check added

  • Elmah.axd Detection check added

  • OpenSSL vulnerabilities added to Vulnerability Database

  • PHP vulnerabilities added to Vulnerability Database.

NEW FEATURES

  • New Authentication System (SSO, Multiple-step Authentication, Extensibility)

  • New Injection Points added

  • Comparison Reports added

  • New dashboard

  • Complete x64 Support

  • Ability to scan large websites (2M+ requests without any problems).

Netsparker 2.0.0.0 - 25th July 2011

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • SSL Checks added

  • Tomcat default files check added

  • ASP.NET MVC version disclosure check added

  • Mongrel and Nginx version disclosure checks added.

NEW FEATURES

  • Added the Vulnerability Database

  • Simultaneous Crawl & Attack.

Netsparker 1.9.0.5 - 19th April 2011

Read the blog post for more details about this version

NEW WEB SECURITY TEST

  • Redirect BODY is too large and Redirect includes 2 Responses.

NEW FEATURE

  • MS Live ID, SSO Authentication Support.

Netsparker 1.8.3.3 - 10th February 2011

Read the blog post for more details about this version

NEW FEATURE

  • Anti-CSRF Token Support.

NEW WEB SECURITY TESTS

  • Brute Force Support

  • Tomcat Source Code Disclosure

  • Default Tomcat Page Identified

  • Frame Injection

  • Backdoor Detection

  • Sensitive Files Detection.

Netsparker 1.7.0.0 - 2nd December 2010

Read the blog post for more details about this version

NEW FEATURES

  • Controlled Scan

  • Retest single vulnerability.

NEW WEB SECURITY TESTS

  • Silverlight Open Access Policy / Silverlight Access Policy Found Checks

  • Django Stack Trace Disclosure Check

  • MySQL Username Disclosure Check

  • New Backup File Checks

  • X-XSS-Protection Check.

Netsparker 1.6.0.0 - 7th October 2010

Read the blog post for more details about this version

NEW FEATURES

  • Client Certificate Authentication Support

  • Vulnerability Classification data reported in the GUI and reports

  • New Save / Load Files.

NEW WEB SECURITY TEST

  • Blind Command Injection.

Netsparker 1.5.0.0 - 15th June 2010

Read the blog post for more details about this version

NEW FEATURES

  • Import / Enter Proxy Logs and HTTP Requests

  • Manual Crawling / Internal Proxy / Proxy Mode

  • Ability to Include & Exclude links

Netsparker 1.4.0.0 - 24th May 2010

Read the blog post for more details about this version

NEW FEATURES

  • New reporting format

  • New Security Tests

  • Open Redirection.

Netsparker 1.3.7.38 - 21st April 2010

Engines & Exploitation

  • Experimental Second Order SQL Injection support added. Doesn't support confirmation or exploitation yet.
  • Confirmation added to Permanent Cross-site Scripting Engine
  • SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle.
  • SQL Injection Engine was missing string-based SQL Injection vulnerabilities in LIKE clauses when the crawler couldn't find the correct search string. This issue is fixed and detection now works regardless of the default string found.
  • URI Based Cross-site Scripting Confirmation added
  • URI-based issues were reported more than once; this problem is fixed
  • LFI Engine and exploitation works better now. Several minor bugs addressed.
  • Many possible SQL Injections issues removed as we are now sure they are not vulnerable
  • XSS Confirmation now bypasses more blacklists
  • Content-Type based XSS detection added and ratings changed
  • Email disclosure check improved
  • Minor bugs addressed in Unix and Windows Internal Path Disclosure issues. Windows Internal Path Disclosure improved.

Proxy

  • Proxy settings moved to global settings
  • Now you can see the active proxy settings in the status bar
  • Netsparker now supports NTLM, Basic, Digest, Kerberos and Negotiate authentication for proxies

GUI

  • New Community menu added for easier access to Netsparker Blog and Request a Feature
  • All message boxes use the correct theme now
  • Attack Possibility in the dashboard is now more accurate
  • Some typos and missing tooltips addressed

Form Authentication

  • Several minor bugs addressed and features improved
  • Now it's possible to use Form Authentication even when the website also requires NTLM, Basic, Digest, Kerberos or Negotiate authentication
  • Now it's possible to use Form Authentication even when the server uses an invalid SSL certificate

Parsers

  • Text parser works better now

Installer

  • Installer simplified
  • Extra checks added for .NET Framework 3.5 SP1 detection and installation

Other Fixes & Improvements

  • Extra runtime checking and error handling added for .NET Framework 3.5 SP1 and SQL Server CE dependencies
  • Static and Backup tests weren't working when Netsparker was launched from the CLI in auto-pilot mode
  • LFI Panel crashes fixed
  • Full HTTP response added to XML reports
  • XML reports no longer show the attack parameter if the vulnerability was identified passively, such as Server Version Disclosure
  • Several other minor bug fixes and improvements

Netsparker 1.3.0.0 - 22nd March 2010

Read the blog post for more details about this version

NEW FEATURES

  • New Settings Interface

  • Resume Support

  • Better GUI for Permanent XSS vulnerabilities.

NEW WEB SECURITY TEST

  • Second Order SQL Injection.

Netsparker 1.1.5.57 - 28th January 2010

Read the blog post for more details about this version

NEW FEATURES

  • Scheduling Support

  • Command Line Automation Support

  • ViewState Panel.

NEW WEB SECURITY TESTS

  • ASP.NET Viewstate Analyzer

  • Confirmation for Remote code evaluation

  • Confirmation for Remote file inclusion

  • Confirmation for Command Injection.

Netsparker 1.1.2.3 - 12th January 2010

Read the blog post for more details about this version

NEW FEATURES

  • Encoder

  • Custom Reporting API

  • New Security Tests

  • Confirmation for RCE

  • Confirmation for CI via LFI.

Netsparker 1.0.0.0 - 9th December 2009

Read the blog post for more details about this version

  • First public release.