Integration with Bug Tracking Tools and Send To Feature
Integrating Netsparker with other systems was one of the most requested features, and we have addressed it by introducing the Send To feature. The idea is similar to the Send To context menu item in Windows Explorer, where you right-click a file and send it to one of the predefined targets such as Mail Recipient or Desktop. In Netsparker, you can now right-click a vulnerability in the Sitemap or Issues panel and send it to a bug tracking system such as FogBugz. With this version we ship two Send To targets, for the popular bug/issue tracking systems FogBugz and JIRA. One of the best parts of this feature is that it is extensible: you are free to add your own target system with a bit of coding. There is an API for this feature, and we also have a small tutorial to get you started.
HTTP Strict Transport Security (HSTS) Test
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supported browser receives this header, it will refuse to send any communication to the specified domain over HTTP and will instead send all communication over HTTPS. If your web application uses HTTPS but does not take advantage of HSTS, or has it misconfigured, Netsparker will report this. You can read more about HSTS on the ScanToSecure blog.
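As an added illustration (not Netsparker's own check), here is a small Python header check that parses a Strict-Transport-Security value and reports the missing and misconfigured cases described above. The sample responses are constructed, and treating a max-age below one year or a missing includeSubDomains as a finding is this example's own policy, not something the release notes specify.

```python
# One year in seconds; a shorter max-age makes the browser forget the policy sooner.
MIN_MAX_AGE = 31536000

# Constructed sample responses (not real scan data): name -> (scheme, header value or None)
SAMPLE_RESPONSES = {
    "good": ("https", "max-age=31536000; includeSubDomains; preload"),
    "missing": ("https", None),
    "short": ("https", "max-age=300"),
    "disabled": ("https", "max-age=0; includeSubDomains"),
    "plain_http": ("http", "max-age=31536000"),
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a directive dict.

    Directive names are case-insensitive; a value may be quoted. A directive
    without '=' (e.g. includeSubDomains) is stored as True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(scheme, header):
    """Return a list of findings for one response; an empty list means OK."""
    if scheme != "https":
        # Browsers ignore the header over plain HTTP, so it cannot help here.
        return ["HSTS only takes effect on HTTPS responses"]
    if header is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age directive missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS for the host")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


def audit(samples=SAMPLE_RESPONSES):
    """Run check_hsts over every sample and map each name to its findings."""
    return {name: check_hsts(scheme, hdr) for name, (scheme, hdr) in samples.items()}
```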
Generate Exploit Feature
Sometimes it is nice to have a proof of concept for issues such as Cross-site Scripting. This new feature lets you generate an HTML proof-of-concept file to exploit an XSS identified by Netsparker just by clicking the Generate Exploit button, so you don't have to spend your valuable time on this.
OWASP Top Ten Report
Ask and you shall receive! We now include one of the most requested report templates. You can see whether your scan found vulnerabilities that are listed in the OWASP Top Ten.
Windows 8 Certification
As of this version, Netsparker meets all the Windows 8 client app certification requirements and is officially entitled to use the Windows 8 Compatible logo.
Performance Improvements
Netsparker now keeps track of all responses and will not run unnecessary checks more than once when a response is exactly the same as one already seen. This is enabled by default and can be disabled in Advanced Settings.
On certain websites this will significantly decrease CPU load and improve scan performance.
New Security Checks
- Shell Script Found detection
- XHTML XSS Attack
- Database Connection String Found vulnerability
- Possible Administration Page Found Issue
- UNC Server and Share Disclosure
Security Check Improvements
- Vulnerability database with new version checks
- Oracle admin check
- SSN checks
- ASP.NET detection
- Elmah detection
- Basic Authorization Required detection
- Internal Path Leakage detection
- File Upload Functionality detection
- Generic E-Mail Address Disclosure detection
Other Improvements
- Improved vulnerability templates by fixing typos and adding more reference/remedy content
- Low-quality icons on the settings window
- Settings windows by adding links to file/folder references on disk
- API docs and User Manual
- Settings user interface
- Scan control by removing the Stop button and implementing a dirty tracking mechanism
- Scan scheduling and added support for blank passwords
- User agent selection behavior on HTTP Request settings screen
- Reliability of session auto save
- The naming consistency of vulnerabilities
- Information, confirmation and error messages now use Task Dialogs instead of regular Message Boxes
Bugs Fixed
- A bug that occurred on component dispose
- The issue of momentarily black UI portions when minimized main window is restored
- The long parameter value issue on the Detailed Scan Report, by trimming long values
- A bug where Netsparker fails to open scan files (.nss) where extension contains upper-case letters
- The broken text folding in the text editor for XSS vulnerabilities
- Double encoded HTML output responses in Permanent XSS vulnerabilities
- An issue with Burp importer where some files weren't recognized before
- Wrong tab orders on various UI controls
- A character encoding bug in SQL Injection Exploitation
- A scan scheduling bug which occurs on non-English operating systems
- The Configure Authentication wizard recording step, which now uses the configured user agent string on requests
- The JavaScript/AJAX parser, which now uses the configured user agent string on requests
- An issue that played navigation sounds on systems where the Explorer navigation sound is enabled
- The incorrect CWE assignment of Invalid SSL Certificate vulnerability
- An issue where retest was failing on first attempt
Update
If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.5.