A new version of Netsparker is here! It took us a while to get this one out and there are many minor & major changes, updates, engine improvements and a new engine. As usual it's free for all current subscribers and all you need to do is clicking to “Help > Check for Updates” to update your Netsparker Professional / Standard edition.
New Engine - Blind Command Injection
We added a new engine to detect Command Injection when output of the command is not visible in the HTTP Response.
Test Improvements
Better SQL Injection Tests
We heavily focused on SQL Injection coverage and increasing it in this release. Improved Error BasedSQL Injection and Blind SQL Injection Engines a lot. Now they'll find more corner cases including SQL Injections in INSERTs, UPDATEs, COLUMN fields, TABLE fields and lots of other not-so-common places.
Error based SQL Injection exploitation now supports MSSQL, MySQL, ORACLE and Postgres databases.
Post-exploitation checks "Database User has Admin Privileges" issues now support MSSQL, MySQL, ORACLE and Postgres.
New Features
Client Certificate Authentication Support
Now you can test Client Certificate required applications and it's integrated to Windows Certificate Store.
Vulnerability Classification
Netsparker now maps all identified vulnerabilities with PCI 1.2, OWASP Top 10 - 2010, WASC, CWE and CAPEC. Related references can be found in vulnerability view, PDF, XML and HTML reports.
New Save Files
Now you can double click Netsparker Save Files and open previously saved scans, while doing this we also added that now all Auto-saved scans stored in the recent file. Now you can easily access your previous scans.
Test Improvements
- Internal IP Disclosure checks improved
- XSS vulnerabilities in 302 responses now reported as [Possible] due to exploitation limitations in real world with some special note
- LFI engine improved, new checks added
- Tomcat Error Disclosure Test Added
- Internal Path Leakage tests improved to be more accurate
- Directory Listing Identified tests improved and new tests added
- PHP Source Code Disclosure test improved
Old School Changelog
- Many minor bug fixes and improvements in the GUI and several other places.
- Fixed a bug that caused Netsparker to carry out the same attack twice in certain conditions
- A bug fixed in the Settings interface, now it some settings like User Agent doesn't require user to restart Netsparker
- A bug in Collapse All fixed
- A bug in LFI Exploitation fixed, now Export Selected Files works as expected
- Netsparker save files now registered to Netsparker, drag & drop, double click etc. will allow you to open Netsparker files
- NTLM/Basic Auth now can be saved into profiles
- Several bugs fixed in HTTP Import features
- Netsparker's Proxy now works correctly with SSL websites
- Non UTF-8 HTTP Responses now rendered in the GUI correctly
- Binary file detection added, so Netsparker will not download some binary files anymore
- A bug caused Netsparker to miss "Upload Identified" issues addressed
- Sitemap doesn't show detected custom 404 pages any more
- NTLM Authentication added CLI
Don't forget to tell us what you want for the releases.