2012-02-02

After a longer-than-usual development cycle, Netsparker 2.1 is finally ready to ship. This release marks some fundamental enhancements to Netsparker’s internal architecture and not only brings with it an enticing selection of new security and productivity features, but also lays the foundation for many more innovations in the pipeline.

All-new Authentication System

Prior to version 2.1, one of our users’ greatest pain points was trying to scan web applications that use complex form authentication mechanisms. Although Netsparker was capable of automated login, it lacked the flexibility to handle difficult scenarios like multi-step authentication, single-sign-on, 2-factor authentication and CAPTCHA.

We recognized that this challenge needed a radical solution, so we re-engineered our authentication architecture from scratch. Netsparker now uses a built-in HTTP macro recorder to faithfully capture every step of even the most complex login sequence. And, for sign-on sequences that require some special runtime action, like CAPTCHA input or the assignment of dynamic token values, we’ve added a user scripting interface that promises a solution to even the most complex challenge.

User Extensibility via Scripting

Whilst developing our scripting support for authentication, we realized that there are many other aspects of Netsparker’s operation that could also benefit from user-defined customization. So, we implemented extensibility in the most open and flexible way possible, enabling Netsparker to expose a scriptable interface to virtually any aspect of the scanning process.

In the current release, the scripting feature only ships with extensibility points to support authentication, but we’re committed to expanding this capability across the entire scanning cycle in future releases. Why not let us know what you want to be scriptable for version 2.2?

Scan Summary Dashboard

Netsparker now provides detailed real-time feedback about the scan in progress and even lets you modify its runtime settings in mid-session.

The scan summary dashboard provides at-a-glance information about the active scan session, including a graphical summary of the detected issues and details of the current action in progress on each of Netsparker’s active threads.

During a scan, you may also modify key scan session settings, including the number of concurrent HTTP connections, the selection of security tests that will be used for attacking and the use of custom request cookies. Changes entered via the dashboard take effect immediately.

Comparison Reporting

Netsparker’s report template suite has been extended to include a powerful new analysis capability: comparison reporting. This allows the current scan session to be compared against one or more historic scan sessions, enabling a graphical summary of the evolution of an application’s security status. It also includes a detailed vulnerability list, showing how the status of individual issues has progressed over time.

New Security Tests

Expression Language Injection
Netsparker now finds Expression Language Injection issues in your web applications.

MyFaces Stack Trace Disclosure check added.

Mongrel Server Version Disclosure check added.

Password over GET check added.

WebLogic Detection check added.

Elmah.axd Detection check added.
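The "Password over GET" item above is a passive check: a form that submits a password field via GET puts the credential in the URL, where it ends up in browser history, proxy and server logs and Referer headers. The following is an added illustration of such a check, written for this post and not Netsparker's own code; the list of credential-like parameter names and the sample HTML are assumptions constructed for the example.

```python
"""Passive 'password over GET' check (illustration, not Netsparker's implementation)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Assumption: common names used for credential parameters in query strings.
PASSWORD_NAMES = {"password", "passwd", "pwd", "pass"}


class _FormScanner(HTMLParser):
    """Collects action, method and whether a password input is present for each form."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults to GET when the method attribute is absent.
            method = (a.get("method") or "get").strip().lower()
            self._current = {"action": a.get("action") or "", "method": method, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").strip().lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def password_over_get(html, page_url):
    """Return absolute action URLs of forms that would send a password field via GET."""
    scanner = _FormScanner()
    scanner.feed(html)
    # Anything other than POST (missing, GET or an unrecognised method) submits via GET.
    return [urljoin(page_url, f["action"]) for f in scanner.forms
            if f["password"] and f["method"] != "post"]


def password_in_query(url):
    """Return names of query-string parameters that look like credentials."""
    return sorted(n for n in parse_qs(urlparse(url).query) if n.lower() in PASSWORD_NAMES)


# Constructed sample page: two GET login forms (one with the method omitted) and one POST form.
SAMPLE_HTML = """
<form action="/login" method="GET"><input name="user"><input type="password" name="pwd"></form>
<form action="/login2"><input type="PASSWORD" name="pass"></form>
<form action="/secure" method="post"><input type="password" name="password"></form>
"""
```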

Vulnerability Database Updates

OpenSSL vulnerabilities added.

PHP vulnerabilities added.

Security Test Improvements

Boolean SQL Injection performance improved by decreasing the number of required requests.

More MySQL edge cases are now covered in Boolean SQL Injection checks.

HTTP Header Injection checks improved; they now bypass more blacklists.

Local File Inclusion (LFI) checks improved for FreeBSD / OSX systems.

Added new checks for MySQL Error Based SQL Injections.

Extra blacklist bypass checks added to Frame Injection / Open Redirection checks.

Windows Internal Path Leakage checks improved.

LFI engine improved to cover more edge cases.

Protocol based XSS attacks significantly improved.

New Injection Points

Netsparker now attacks more injection points, such as HTTP headers, paths and unusual injection points in the URL. This was previously available only for Cross-site Scripting Security Tests. Now coverage has been increased and new injection points added for all required security tests.

Tool and Productivity Enhancements

Improved Search: The search feature in Netsparker’s HTTP response pane now includes a preemptive look-up feature (incremental search), enabling search results to be highlighted as you type.

Improved Encoding Panel: Netsparker’s built-in encoding tool has been revamped, enhancing its usability with a new intuitive layout and the addition of buttons for quick copy / paste operations.

New Resource / Directory System

Netsparker’s runtime data files are now stored in a more structured directory tree within the user’s Documents directory, enabling easier access to user-customizable files and more coherent storage of scan results.

New Settings: Values & Ignored Parameters

Netsparker’s application settings dialog now allows the definition of custom rules for applying arbitrary values to form parameters or excluding specific named HTTP parameters from being attacked. For maximum flexibility, parameters may be identified using Regex / wildcard patterns and ignored parameters may be applied selectively, according to the HTTP request method.

New Session Data Storage Format

Netsparker now stores its scan session data in a single compact file, enabling it to be safely archived and allowing scan results to be easily passed between co-workers.

Complete x64 support

Netsparker now installs as a native 64-bit application (on 64-bit machines) enabling it to take advantage of larger amounts of installed memory. This has been a critical element in a number of the stability improvements that come with version 2.1.

.NET Framework 4.0 Update

Netsparker now runs on the Microsoft .NET Framework 4.0. This prerequisite is handled automatically by the installer / upgrade process and enables Netsparker to benefit from Microsoft’s latest bug fixes and enhancements, as well as providing an essential foundation for many of Netsparker’s own enhancements.

Improved Stability

Crash Recovery: In the event of an application crash or an unexpected computer reboot, Netsparker is now able, in most cases, to recover and continue scanning.

Memory Improvements: Netsparker’s memory management has been overhauled for version 2.1, bringing measurable improvements in stability, especially during extended scanning sessions.

How to Update

If you have a valid Netsparker Professional or Standard license, all you need to do is click "Help > Check Updates" to update to Netsparker 2.1.0.39.

Minor Improvements & Bug Fixes

GUI

Encoding bug fixed in “Copy URL”.

Copy URL and Open in Browser menu options added to root node of sitemap.

A minor bug in the auto-suggested report name when a user scans more than one website in one session has been fixed.

Browsing issues and pages in Netsparker has been optimized; previously it sometimes lagged when the HTTP response was very large.

Response time moved to the title of the HTTP Response instead of the response textbox.

Inconsistent styling in some GUI elements changed.

Error messages in PDF generation now look better.

Reporting

XML reports now use only CDATA instead of CDATA plus encoding.

Certainty added to Detailed Scan Reports.

Known vulnerabilities added to XML reports.

Extracted data highlighting improved.

Highlighting in reports and the GUI significantly improved. It is now instantly obvious where the problem lies in many more vulnerability reports. This is still not possible for some vulnerabilities, such as Boolean SQL Injection, where the vulnerability is not directly related to any part of the HTTP response.

The Reporting menu no longer disappears after Reset Layout.

Crawler

JavaScript Parser improved for handling complex forms.

image/jpeg binary detection improved.

TextParser performance and quality significantly improved.

An Accept-Language header, based on the current culture, is now added to all requests and can be overridden in the settings.

Memory issues with some very large web applications addressed; the performance gain is most noticeable on x64 systems.

Netsparker now simulates IE9 (or the most up to date browser in the system) more successfully.

Pause now pauses Resource Finder immediately.

Security Checks

Some bugs that caused Static Tests to send excessive requests have been fixed.

Scheduling

Scheduling improved to address potential issues when the user chooses "Previous Profile" for the scheduled scan task.

Storage & Logging

Data storage performance improved, and stored data files are now smaller.

Logs now include better timestamps and special separator characters for easier parsing.
