Netsparker - "Automate That" Release v1.1.5.0057

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

Netsparker has been identified as the most promising commercial software for 2009 - 2010 in our survey Best IT Security Tools for 2009.


What’s new in this release:

Netsparker’s new “Automate That” [1] release is ready. It’s not just about bug fixes or improvements: we’ve also got two great new features and two big improvements. Command Line Support lets you automate your scans and integrate them with other tools. Schedule Support lets you scan overnight or scan your application weekly and obtain reports. We also decreased the request count during the attacking phase without sacrificing coverage, and added a bunch of new confirmation engines.

  • Schedule Support : One of the most requested features was Scheduling Support, and we finally added it. It doesn’t require an extra service to install and integrates itself into the “Windows Task Scheduler”. It works correctly under Windows XP, Windows 2003, Windows Vista and Windows 7.
  • Command Line Support : The command line can be used to call Netsparker from another application for manual scanning. For example, internally we’ve got a Firefox test extension which launches Netsparker with the current page’s URL by using the following command line.
  • Performance Improvements
    • The number of requests needed to identify vulnerabilities has drastically decreased. We optimised all of our attacks and combined some attacks into one; in the end we send 35% fewer requests, and the requests we saved leave room to make our coverage even better. This means a shorter attacking phase.
    • Smart caching was added to some detection engines to decrease CPU usage. If you have a powerful system you might not notice this at all; it’s an improvement of about 2-3%.
  • New Security Checks
    • ASP.NET ViewState analysis added
      • ViewState is not signed
      • ViewState is not encrypted
      • ViewState view panel. When you go to “HTTP Request/Response”, if the page has ViewState in it, this panel will be visible automatically. If the ViewState is not encrypted, then you can see the data in it.
  • New Confirmation Engines

Confirmation engines ensure that you won’t get false positives and that you will see fewer [Possible] vulnerabilities. When these vulnerabilities get confirmed you’ll see Netsparker’s famous Confirmation Confirmed icon!

  • RCE (Remote Code Evaluation) confirmation engine added.
  • RFI (Remote File Inclusion) confirmation engine added.
  • Command (Remote File Inclusion) confirmation engine added.
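The two ViewState checks above (not signed, not encrypted) and the view panel that shows the data inside an unencrypted ViewState rest on a simple fact: ASP.NET’s ObjectStateFormatter writes a recognisable plaintext structure, and the MAC, when enabled, is appended after it. The script below is an added example, not Netsparker’s code, that performs the same kind of passive inspection on a __VIEWSTATE value: it decodes the blob, reports whether it is readable plaintext, decodes the handful of serializer tokens needed to walk a typical Page state, and treats any bytes left after the root object as the MAC. The sample values are constructed here (the 20 zero bytes stand in for a real SHA1 digest), the token set is a subset of the real format, and the MAC-length mapping is a heuristic: on newer ASP.NET crypto pipelines the whole blob is opaque whether or not a MAC is present.

```python
import base64

# Constants below follow the ASP.NET ObjectStateFormatter ("LOS") binary format.
LOS_HEADER = b"\xff\x01"
# Byte lengths of the digests ASP.NET's validation algorithms append as the ViewState MAC.
MAC_SIZES = {16: "MD5", 20: "SHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}


class _Reader:
    """Cursor over the decoded blob; raises on truncation so garbage is not silently parsed."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        if self.pos >= len(self.data):
            raise ValueError("truncated ViewState")
        b = self.data[self.pos]
        self.pos += 1
        return b

    def read(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ViewState")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int7(self):
        """BinaryReader.Read7BitEncodedInt: little-endian base-128 with a continuation bit."""
        result, shift = 0, 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7


def _parse(r, strings):
    """Decode one LOS value. Only the tokens listed here are handled; others raise."""
    t = r.byte()
    if t == 0x0F:                                   # Token_Pair
        return (_parse(r, strings), _parse(r, strings))
    if t == 0x10:                                   # Token_Triplet
        return (_parse(r, strings), _parse(r, strings), _parse(r, strings))
    if t == 0x05:                                   # Token_String: 7-bit length + UTF-8 bytes
        return r.read(r.int7()).decode("utf-8")
    if t == 0x1E:                                   # Token_IndexedStringAdd: string added to the table
        s = r.read(r.int7()).decode("utf-8")
        strings.append(s)
        return s
    if t == 0x1F:                                   # Token_IndexedString: one-byte table index
        return strings[r.byte()]
    if t == 0x02:                                   # Token_Int32 (7-bit encoded)
        return r.int7()
    if t == 0x01:                                   # Token_Int16 (little-endian)
        return int.from_bytes(r.read(2), "little", signed=True)
    if t == 0x03:                                   # Token_Byte
        return r.byte()
    if t == 0x16:                                   # Token_ArrayList: 7-bit count + items
        return [_parse(r, strings) for _ in range(r.int7())]
    simple = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}
    if t in simple:                                 # Null, EmptyString, ZeroInt32, True, False
        return simple[t]
    raise ValueError(f"unsupported LOS token 0x{t:02x}")


def inspect_viewstate(b64):
    """Return what a passive observer can learn from a __VIEWSTATE value.

    readable: True when the blob is plaintext LOS (i.e. not encrypted)
    mac:      digest name whose length matches the trailing bytes, or None when
              nothing follows the root object (heuristic for "not signed")
    data:     the decoded object tree when readable, else None
    """
    raw = base64.b64decode(b64)
    if not raw.startswith(LOS_HEADER):
        return {"readable": False, "mac": None, "data": None}
    r = _Reader(raw)
    r.read(len(LOS_HEADER))
    data = _parse(r, [])
    trailing = len(raw) - r.pos
    mac = None if trailing == 0 else MAC_SIZES.get(trailing, f"unknown({trailing} bytes)")
    return {"readable": True, "mac": mac, "data": data}


# --- constructed sample inputs (not captured from a real site) ---------------
def _int7(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _string(s):
    e = s.encode("utf-8")
    return b"\x05" + _int7(len(e)) + e


# Triplet(Int32 1234567, Pair(String "Price", ArrayList[Int32 99, True]), Null),
# mimicking the nesting ASP.NET uses for Page state.
_PLAIN = (LOS_HEADER + b"\x10" + b"\x02" + _int7(1234567)
          + b"\x0f" + _string("Price") + b"\x16" + _int7(2) + b"\x02" + _int7(99) + b"\x67"
          + b"\x64")
SAMPLE_UNSIGNED = base64.b64encode(_PLAIN).decode()
SAMPLE_SIGNED = base64.b64encode(_PLAIN + b"\x00" * 20).decode()       # fake 20-byte "SHA1" MAC
SAMPLE_OPAQUE = base64.b64encode(b"\x8a\x3c" + b"\x11" * 30).decode()  # no LOS header: treated as encrypted

if __name__ == "__main__":
    for name, vs in [("unsigned", SAMPLE_UNSIGNED), ("signed", SAMPLE_SIGNED), ("opaque", SAMPLE_OPAQUE)]:
        print(name, inspect_viewstate(vs))
```

Run against a real page, `readable` True with `mac` None is the condition a scanner reports as both “ViewState is not signed” and “ViewState is not encrypted”; `readable` True with a recognised MAC length means the contents are still exposed to anyone who can read the response even though tampering would be rejected. The decoder deliberately raises on tokens it does not know rather than guessing, so a blob it cannot walk is reported as an error, not as unsigned.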


Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2
