After releasing 7 updates in 2010, adding a total of 16 security checks and 15 new features, here is the first Netsparker update of 2011.
Anti-CSRF Token Support
If you have ever tried to test a website with strict anti-CSRF protection, manually or automatically, you know how irritating it can get. It is also very hard to exploit vulnerabilities in these applications, because many tools do not support Anti-CSRF tokens.
Netsparker 1.8.3.3 comes with Anti-CSRF token support in detection, confirmation and exploitation.
By default, it automatically works with the following frameworks / languages:
- ASP.NET and ASP.NET MVC
- Struts2
- ColdFusion
- PHP (Symfony, CodeIgniter, Zend)
You can go to “Settings (F4) > Attacking” to configure it according to your custom applications.
Enjoy!
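To illustrate what "Anti-CSRF token support" means for a scanner or any automated test harness, here is an added example (not Netsparker's code, and not from the original post): it pulls the per-form anti-CSRF hidden fields out of a freshly fetched page and substitutes them into a recorded request before replay, which is exactly the step tools without token support skip, so their requests are rejected and the application looks "clean". The ASP.NET MVC, Struts2, Symfony and CodeIgniter field names are those frameworks' defaults; the ColdFusion/Zend name "csrf" and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser

# Hidden fields that carry the anti-CSRF token in the listed frameworks. Defaults:
# __RequestVerificationToken (ASP.NET MVC), token + struts.token.name (Struts2),
# _token (Symfony), csrf_test_name (CodeIgniter); "csrf" is an assumed placeholder.
TOKEN_FIELDS = {"__RequestVerificationToken", "token", "struts.token.name",
                "_token", "csrf_test_name", "csrf"}

class FormTokenParser(HTMLParser):
    """Collect anti-CSRF hidden fields, grouped by the form that carries them."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, {field: value})
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action", ""), {})
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "hidden" and a.get("name") in TOKEN_FIELDS:
                self._current[1][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def extract_tokens(html):
    """Return [(form action, {token field: value}), ...] for forms with a token."""
    p = FormTokenParser()
    p.feed(html)
    return [(action, fields) for action, fields in p.forms if fields]

def refresh_request(recorded_params, fresh_html, action):
    """Swap the stale token(s) in a recorded request body for the ones in a
    freshly fetched copy of the page, so the replay is not rejected as CSRF."""
    for form_action, fields in extract_tokens(fresh_html):
        if form_action == action:
            return {**recorded_params, **fields}
    raise ValueError("no anti-CSRF token found for form %r" % action)

# Constructed sample page (not a real application): one ASP.NET MVC form, one Struts2 form.
SAMPLE_HTML = """<form action="/Account/ChangeEmail" method="post">
  <input type="hidden" name="__RequestVerificationToken" value="mvc-token-001">
  <input type="text" name="Email"></form>
<form action="/profile/update.action" method="post">
  <input type="hidden" name="struts.token.name" value="token">
  <input type="hidden" name="token" value="struts-token-abc">
  <input type="text" name="displayName"></form>"""
```

The same extraction doubles as a quick regression check that every state-changing form in your own application actually emits a token.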
Brute Force Support
Now when Netsparker sees a resource that requires Basic, NTLM or Digest Authentication, it automatically tries a list of known usernames and passwords and reports when it finds a valid credential. You can change Brute Force related settings under “Settings (F4) > Brute Force”.
New Checks
- Frame Injection
- Possible Sensitive Files Detection (Categories: Log, Stats, Installation, Configuration, Administration, Database)
- Backdoor Detection
- Tomcat Source Code Disclosure
- Tomcat Default Pages Identification
Form Authentication Improvements
- AJAX support added to Form Authentication (Netsparker has supported AJAX in crawling since the first release; however, it was not supported in Form Authentication, and we have finally addressed this)
- RegEx option added to Signatures
- New Source Code View added
- Logged In/Out Views improved
- Addressed an issue where some characters, such as the single quote ('), caused problems in Configure Authentication when used in usernames or passwords
Other Improvements
- Heuristic Binary Response Detection added. This will increase the speed and coverage of scans.
- Extension Blacklisting slightly changed. Netsparker now determines automatically whether a URL points to a static or a dynamic file.
- New checks added to XSS Engine
- Confirmation added to external JS injection in XSS Engine
- An advanced Negative Match option added to Advanced Settings (hold down "Ctrl" while clicking "Settings" to enable the Negative Matching option in Configure Form Authentication)
- Minor charset related bugs addressed
- Addressed an issue where Basic Authentication issues were not reported if the user had manually entered Basic Authentication credentials
- Addressed an issue where the vulnerable parameter was reported incorrectly in Permanent XSS issues
- If there are Path or Internal IP Disclosures in HTTP headers, Netsparker now reports those as well
- Addressed an issue where some issues were not reported if they appeared on 404 pages
- Several other minor changes and improvements
If you have a valid Netsparker Professional or Standard license, all you need to do is click "Help > Check Updates" to update to the latest version of Netsparker.