[Netsparker v3.2] Web Application Security Scanner

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

The main highlight of this version is the web services scanner; now scan and identify vulnerabilities and security issues in web services automatically and easily.

Changelog v3.2

New Features

• Ability to scan SOAP web services for security issues and vulnerabilities
• Request and Response viewers to view HTTP requests/responses like XML and JSON tree views
• New knowledge base node that will include all AJAX/XML HTTP Requests
• New value matching options for form values other than regex pattern (exact, contains, starts, ends)
• New report template for parsing source information Crawled URLs List (CSV)

New Security Checks

• Added attack patterns for LFI vulnerability which is revealed with only backslashes in file path
• Added Programming Error Message vulnerability detection for SOAP faults
• Added AutoComplete vulnerability for password inputs
• NuSOAP version disclosure
• NuSOAP version check

Improvements

• Improved XSS vulnerability confirmation
• Improved Generic Source Code Disclosure security check by excluding JavaScript and CSS resources
• Added latest version custom field for the version vulnerabilities
• Added standard context menus to text editors
• Sitemap tree will displan nodes of JSON, XML and SOAP requests and responses with no parameters
• Added force option to form value settings to enforce user specified values
• Optimized attack patterns for JSON and XML attacks by reducing attack requests
• Optimized Common Directories list and removed the limit for Extensive Security Checks policy
• Improved the license dialog to show whether a license is missing or expired

Fixes

• Fixed update dialog to not show on autopilot mode
• Fixed an interim auto update crash
• Fixed typo in Out of Scope Links knowledge base report template
• Fixed an issue in LFI exploiter where XML tags with namespace prefixes was preventing exploitation
• Fixed Controlled Scan button disabled issue for some sitemap nodes
• Fixed parameter anchors in Vulnerability Summary table of Detailed Scan Report template
• Fixed form authentication wizard to use user agent set on currently selected policy
• Fixed zero response time issue for some sitemap nodes
• Fixed dashboard progress bar showing 100%
• Fixed random crashes on license dialog while loading license file or closing dialog
• Fixed Microsoft Anti-XSS Library links on vulnerability references

Download Netsparker v3.2

[Netsparker v3.0.2.0 Community Edition] Web Application Security Scanner

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

Changelog v3.0.2.0

New Features

• Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.
• Oracle CHR encoding and decoding facility in the Encoder pane
• Support for multiple exclude and include URL patterns which can also be specified in REGEX
• Knowledge base node where additional information about the scanned website is reported to the user
• New PCI Compliance Report template

New Security Tests

• Ruby on Rails Remote Code Execution vulnerability
• Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)
• Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server
• Identification of phpMyAdmin and Webalizer
• Detection of SHTML error messages that could disclose sensitive information
• New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities
• Server-Side Includes (SSI) Injection checks

Improvements

• Default include and exclude URL pattern has been improved
• DOM Parser now supports proxies and client certification support
• The performance of the Controlled Scan user interface has been improved
• HTTP Response text editor automatically scrolls to the first highlighted text when viewed
• Improved vulnerability classifications
• Vulnerability templates text has been improved
• Updated the look and feel of the vulnerability templates
• Version vulnerability database updated with new web applications version for better finger printing
• Cross-site scripting exploit generation improved
• Improved confirmed vulnerability representation on Detailed Scan Report
• Internal Path Disclosure for Windows and Unix security tests have been improved
• Improved version disclosure security tests for Perl and ASP.NET MVC
• Start a Scan user interface by moving rarely used settings to Netsparker general settings
• Improved the performance of security scans which are started using the same Netsparker process
• Scope documentation text has been updated
• Updated WASC links to point to the exact threat classification page
• Improved custom 404 detection on sites where the start URL is redirected

Bug Fixes

• Fixed a bug in XSS report templates where plus char encoding was wrong
• Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval
• Fixed a bug where “Auto Complete Enabled” isn’t reported
• Fixed a bug where Community Edition was asking for exporting sessions
• Fixed a bug causes redundant responses to be stored on redirects
• Fixed a bug causing a NullReferenceException during reporting
• Fixed a bug where custom cookies are not preserved when an exported session is imported
• Fixed a bug on report templates where extra fields were missing when there are multiple fields
• Fixed the radio button overlap issue on Encoder panel for high DPIs
• Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation
• Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present
• Fixed an issue where some logouts occurred on attack phase couldn’t be detected
• Fixed a bug which causes requests to URLs containing text HTMLElementInputClass
• Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags
• Fixed the size of the Configure Authentication wizard for higher DPIs
• Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified
• Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()
• Fixed clipped text issue on scan summary dashboard severity bar chart
• Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template
• Fixed incorrect buttons sizes on message dialogs on high DPI settings
• Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled
• Fixed click sounds on vulnerability view tab
• Fixed an issue where find next button was not working on HTTP Request / Response tab
• Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names

Note: Due to major updates to the scan files, Netsparker version 3 cannot open scans exported with previous versions of Netsparker (.nss files).

Full Changelog: here

Download Netsparker v3.0.2.0