Netsparker New Release v1.1.2.3

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

Netsparker has been identified as the most promising commercial software for 2009 - 2010 in our survey Best IT Security Tools for 2009

What’s new in v1.1.2.3

• Encoder : We added a new panel called “Encoder†which allows you to encode and decode the data entered in various encodings as well as we added couple of common hashing algorithms. During a web assessment, for attacking or just for analysing you can use this tool quickly.

• Custom Reporting API : Now, Custom Reporting API documentation comes with the new installer. We also updated the sample XML report. I’ll write more about custom reports in the blog.

New Confirmation Engines

In this release we focused on confirmation engines and tried to ship all confirmation engines so you won’t see “[High Possibility]†issues anymore and you can keep your report false positive free.

• Remote Code Evaluation (RCE) Confirmation Engine Added : Now, Netsparker can confirm RCE issues.

• Code Injection (CI) via LFI (Local File Inclusion) Confirmation Added :An attacker can use a LFI vulnerability and local resources (such as Apache error logs) or “/proc/ *†tricks to inject a piece of PHP code and then include and execute it. This is not new, but now Netsparker can confirm the PHP execution as well.

Improvements

• Less requests in SQL Injection engines. We tried to optimise the SQL Injection and Command Injection engines. They should produce about 15% less requests.
• SQL Injection engine now has a light scan option. This will disable checks for Boolean/Blind SQL Injection in with 2 groups. However it’ll speed up the scan. LightScan is enabled by default. You can disable by setting "Advanced Settings > LightSQLInjectionChecks" to "False"
• Less CPU usage during passive analysis
• Coverage improved. Netsparker will try to access the website without cookie support to find the special “Your browser doesn’t support cookies†page.
• Mod_Negotiation engine updated. Now Netsparker has far smarter checks to identify Mod_Negotiation issues.
• Cross-site scripting issues are now reported with alert() proof of concepts

Bug Fixes and Other Stuff

• Parsing issues with some relative links addressed. This was affecting links beginning with a question mark (?) without a path.
• Extra "&" characters in some GET requests fixed.
• Some SQL Injection attacks constructed correctly to bypass weak blacklisting and filters.
• An encoding problem addressed in SQL Injection exploitation. This was causing Netsparker not to encode the user’s input in SQL Injection which works with POST.
• Other minor fixes.

Update submitted by Ferruh Mavituna (the lead developer of Netsparker)