Netsparker 1.3.0.0 in the wild

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

Netsparker has been identified as the most promising commercial software for 2009 - 2010 in our survey Best IT Security Tools for 2009

What’s new:

• Issue reports quality increased by adding and refining the content
• There is a new option for waiting all static resource attacks before skipping to the attacking phase. By default Netsparker will not wait to find all directories to skip the Crawling phase, you can override this from the settings.
• URL Based XSS attack patterns improved.
• Permanent/Stored Cross-site Scripting (XSS) reports are not much better. It shows the injection point, output point and all other required details in the report.
• LFI Engine is improved. Couple of bugs fixed, we add IDS/WAF evasion techniques, new attacks a new confirmation to confirm more LFI issues.
• Minor form authentication related bugs fixed.
• A new vulnerability check added that converts limited LFI attacks to Cross-site Scripting.
• LFI exploitation related bugs fixed.
• In the last update due to some internal changes we had to remove Cross-site Scripting detection in "script" blocks. Now it’s back with confirmation.
• Support for XSS in HTML comments is back with confirmation.
• Report threshold increased for possible SQL Injections. Means less [Possible] reports.
• A new check added to report if the configured Form Authentication doesn’t seem to work and extra checks added to avoid recursive loops in incorrect form authentication settings.
• Crashes in JavaScript parser (NetsparkerHelper) addressed also extra checks added to recover itself in case of a crash.
• Some bugs addressed related ViewState decoding and ViewState analysis now supports .NET Framework 1.x ViewState.
• GUI performance increased, even when more than 100 vulnerability reported per second GUI stays responsive.
• Overall performance increased, now Netsparker can process more than 500 requests per second in a Core i7.
• We massively decreased the usage of memory in Netsparker. You can test really big websites which takes days to scan and millions of requests to attack and Netsparker will manage to finish the scan and won’t use too much memory.
• Data Length bug in SQL Injection exploitation addressed.
• In some Windows XP systems JavaScript parser crash addressed.
• During the JavaScript analysis XMLHTTP Requests scope bypass addressed. (was bypassing include/exclude rules and scan scope).
• Incorrect figures in dashboard during the Recrawling phase issue addressed.
• A bug in getting a reverse shell from boolean based SQL Injections addressed.
• A theme problem addressed in message boxes.
• Merge scan was causing losing old issues from the issues panel during the load and new scans.
• There were some bugs about resuming a loaded scan. Now Netsparker can resume scanning from any previously saved scan. So you can start scanning and then save it in the middle of a scan. Load it later on and continue.
• One of the XSS attacks was missing from the Permanent/Stored XSS detection. This issue has been addressed.
• Blind SQL Injection confirmation is improved. In new confirmation engine Netsparker can analyse the server request performance and tweak attacks to perfectly server overhead and confirm Blind SQL Injections even in really slow or unstable connections.
• A problem in Static Checks addressed. This was causing to miss some hidden directories if the initial requested directory returns 3xx code.
• Some bugs in heuristic URL Rewrite detection in big websites addressed.
• A bug was causing crawling stage to stuck in last 1 or 2 requests addressed. This was happening only 1 in 100 scans.
• Licence Loader theme changed to native OS theme for Windows 7/Vista.
• New settings interface introduced. It explains all the important settings and allows you to configure them easily. If you know what you are doing and want to access all advanced settings click to hold "Ctrl" and click to "Settings" this will open the advanced settings panel instead of the new settings panel.
• A bug in saved login scripts addressed.
• Request Monitor removed. If you need similar functionality please refer to How to see all HTTP Requests and Responses topic.

Release submitted by Ferruh Mavituna (Netsparker author)