We released a new version of Netsparker, mostly improvements and bug fixes.
Use “Help > Check Updates” to get the latest version.
What’s new?
- Encoder
We added a new panel called “Encoder” that lets you encode and decode the data you enter in various encodings. We also added a couple of common hashing algorithms.
You can reach for this tool quickly during a web assessment, whether you are attacking or just analysing.
- Custom Reporting API
Now, Custom Reporting API documentation comes with the new installer. We also updated the sample XML report. I’ll write more about custom reports in the blog.
New Confirmation Engines
In this release we focused on confirmation engines and tried to ship all of them, so you will see far fewer “[High Possibility]” issues and can keep your report free of false positives.
Remote Code Evaluation (RCE) Confirmation Engine Added
Now, Netsparker can confirm RCE issues.
Code Injection (CI) via LFI (Local File Inclusion) Confirmation Added
An attacker can use an LFI vulnerability and local resources (such as Apache error logs) or “/proc/*” tricks to inject a piece of PHP code and then include and execute it.
This is not new, but now Netsparker can confirm the PHP execution as well.
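A defender can look for both halves of this technique in the web server's access log. The following is an added example, not Netsparker code: it assumes Apache's combined log format, and the sample log lines, the regular expressions and the names `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache "combined" format (assumed): host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + '$')
FIELDS = ("request", "referer", "agent")

PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# Local files the text names as carriers for injected code: server logs and /proc entries.
CARRIER = re.compile(r'(?:^|/)proc/(?:self|\d+)/(?:environ|fd/\d+)|(?:access|error)[._]log', re.I)

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return the set of findings for one access-log line (empty set = nothing seen)."""
    m = COMBINED.match(line)
    if not m:
        return {"unparsed"}
    logged = dict(zip(FIELDS, m.groups()))
    # Half 1: PHP source written into a field that the server will store in a log file.
    findings = {"php-tag-in-" + f for f in FIELDS if PHP_TAG.search(decode(logged[f]))}
    # Half 2: a parameter value that points an include at a log file or /proc entry.
    parts = logged["request"].split()
    query = parts[1].partition("?")[2] if len(parts) >= 2 else ""
    for name, value in parse_qsl(query, keep_blank_values=True):
        if CARRIER.search(decode(value)):
            findings.add("include-of-carrier:" + name)
    return findings

def scan(lines):
    """Map line number (1-based) to findings, for flagged lines only."""
    hits = {n: classify(l) for n, l in enumerate(lines, 1)}
    return {n: f for n, f in hits.items() if f}

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "<?php /* marker */ ?>"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=..%252f..%252fvar%252flog%252fapache2%252ferror%252elog HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, sorted(findings))
```

A PHP tag in a logged field followed by an include of a log or /proc path from the same client is the pattern worth alerting on; either finding alone is a lead to triage.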
Improvements
- Fewer requests in SQL Injection engines. We tried to optimise the SQL Injection and Command Injection engines. They should produce about 15% fewer requests.
- SQL Injection engine now has a light scan option. This will disable checks for Boolean/Blind SQL Injection in with 2 groups. However, it'll speed up the scan. LightScan is enabled by default. You can disable it by setting "Advanced Settings > LightSQLInjectionChecks" to "False".
- Less CPU usage during passive analysis
- Coverage improved. Netsparker will try to access the website without cookie support to find the special “Your browser doesn’t support cookies” page.
- Mod_Negotiation engine updated. Now Netsparker has far smarter checks to identify Mod_Negotiation issues.
- Cross-site scripting issues are now reported with alert() proofs of concept.
Bug Fixes and Other Stuff
- Parsing issues with some relative links addressed. This was affecting links beginning with a question mark (?) without a path.
- Extra "&" characters in some GET requests fixed.
- Some SQL Injection attacks are now constructed correctly to bypass weak blacklisting and filters.
- An encoding problem addressed in SQL Injection exploitation. This was causing Netsparker not to encode the user's input in SQL Injections that work with POST.
- Other minor fixes.