Between Netsparker 1.0 and Netsparker 2.0 we added lots of stuff. To be more precise, 7 major updates were added, 16 new security checks, 15 new features and tons of minor improvements. We are now ready to release Netsparker 2.0; even better and faster with new features.
As if adding lots of new features is not enough, we even added a new dramatic splash screen. You can’t beat that!
Vulnerability Database
We want our users to spend less time on security testing. Netsparker 2.0 introduces Vulnerability Database, which stores a list of known vulnerabilities for commonly-used systems and components. When Netsparker identifies one of these systems by detecting its version, it’ll reference the database and report all known vulnerabilities for that particular version with severity and required references (such as exploit and CVE references).
With Netsparker’s unique Post Exploitation features the following is now possible:
1. Netsparker identifies an SQL Injection
2. It exploits it safely to confirm the vulnerability
3. It tells you the version and database type
4. Then it tells you all the missing patches for that database server
So, instead of checking vulnerability databases manually, you can spend your time on more important activities. Another tedious job to check off from your list.
The initial release of Vulnerability Database is fairly limited in its range of supported systems. We’ll add more servers, components and web applications to this list over the coming months:
- Apache
- Tomcat
- MSSQL
- MySQL
Simultaneous Crawl & Attack
Previous versions of Netsparker always completed their crawling phase before before starting to identify vulnerabilities, such as SQL Injection. Netsparker v2.0 introduces the ability to crawl and attack simultaneously, which can save valuable minutes when scanning large applications.
With v2.0 you can start a scan and, literally within minutes, you can start identifying, fixing and reporting bugs. Hence getting the results quicker will help you to be more productive.
New Security Checks
- SSL Checks added
Now Netsparker will report weak ciphers, self-signed SSLs and similar SSL / Certificate related issues - Tomcat default files check added
- ASP.NET MVC version disclosure check added
- Mongrel and Nginx version disclosure checks added
Improvements
Reporting & Automation
- Vulnerability summary table added to detailed reports.
- All vulnerability classifications added to reports
- Reports are now highlighted to help you easily spot relevant section of the HTTP response in a much quicker way
- Custom reporting API updated. New custom reports are not completely compatible with old version. You’ll need to update some references. If you run into any problems while updating your old custom reports, drop our support team an email.
- CLI /silent option improved. Now, when the /silent flag is used, the GUI will suppress all dialogs. Related information will be written to logs instead and Netsparker will take the default action.
- Internal Path Leakage checks improved both for *nix and Windows OSes.
Engine Improvements
- Improved Signature based SQL Injection detection
- LFI checks improved and coverage increased
- Attribute-based XSS checks improved
- PHP source code disclosure checks improved
- Protocol-based XSS attacks significantly improved
- ASP.NET / .NET Framework 4 Viewstate support added. MAC Enabled and Encryption issues will also be reported correctly in .NET Framework 4 systems
- ORACLE SQL Injection checks improved
Other
- Several Form Authentication related bugs addressed
- Some CPU-related crawling bugs addressed, performance improved
- Localization support added
- Binary detection improved
- Manual crawling improved. Some minor bugs addressed.
- If an error happens while importing links, Netsparker will explain the problem in detail to the user rather than suppressing it.
- Hilighting bugs in LFI exploitation addressed.
- Ability to ignore certain error messages added. For example when there's a problem with DNS, rather than displaying the error repeatedly, you can ignore it and let Netsparker deal with it internally.
- License conflicts when a previous installation exist are addressed.
- Imports from proxy logs improved.
- Several GUI-related changes made to improve usability and visuals
- Several minor threading-related bugs addressed.
- Cookie handling improved. Custom cookies now overwrite server-set cookies, even when their path is different.
- Encoding in parameters name fixed and now correctly visible in the sitemap.
- Experimental Attack Pattern Editor added which allows users to add / edit custom attacks.
- Caching in Form Authentication disabled.
- Issue graph dock removed, as new features made it deprecated.
- Quick startup page updated.
- Global database dependency removed and better x64 support added for x64 systems for storage access.
Breaking Changes
We have implemented some major changes for the greater good, but some of them will break backward compatibility with v1.x files. From now until the release of Netsparker 3.0, we’ll maintain backward compatibility. As in 1.x releases, all 2.x releases will be backward compatible.
- Custom Reporting API changed. You need to update your old reports.
- v2.0 introduces lots of new structural changes and we updated the save file formats as well. v2.0 is not able to open v1.x save files. If you need to work with old save files in parallel you can install v2.0 to a different directory and use 2 versions at the same time. If you need any help or need to download the old version to open save files you can tell us and we’ll help you.
- Saved logins and Profiles from v1.x are not compatible with v2.0.
Update
If you have a valid Netsparker Professional or Standard license then all you need to do is clicking "Help > Check Updates" to update to Netsparker 2.0.0.0