This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
A few weeks ago we released update 184.108.40.20601 of the Netsparker Desktop web application security scanner. This is a major update: it includes a good number of new web security checks and new features, as well as many improvements and bug fixes.
Read this blog post for an overview of what is new and improved. For a more detailed list please refer to the Netsparker Desktop changelog.
New Web Security Checks
Referrer Policy Security Checks
The Referrer Policy, a W3C Candidate Recommendation since January of this year, is used by web applications to control the value placed in the Referer HTTP header. The Referer header, which is sent with an HTTP request, contains the URL of the previously browsed page.
During a web vulnerability scan, the Netsparker scanner checks whether the web application sets a correct Referrer Policy, to ensure, for example, that no information is leaked in cross-site requests or when navigating from an HTTPS site to an HTTP site. That is just one example; Netsparker performs several other Referrer Policy security checks during the scan.
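To make the check described above concrete, here is an added example (written for this post, not Netsparker's own check logic) that implements the W3C Referrer Policy algorithm for a source and destination URL and reports the two leak conditions mentioned: the full URL sent cross-origin, and any referrer sent across an HTTPS to HTTP downgrade. The fallback for an empty or unknown policy value is an assumption set to `no-referrer-when-downgrade`, the default of the 2017 specification (current browsers default to `strict-origin-when-cross-origin`).

```python
from urllib.parse import urlsplit, urlunsplit

# Policy values defined by the W3C Referrer Policy specification.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}

def _origin(url):
    """scheme://host[:port] with default ports dropped."""
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"

def _stripped(url):
    """Full referrer as the spec sends it: credentials and fragment removed."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def referrer_for(policy, source, dest, default="no-referrer-when-downgrade"):
    """Referer value a conforming browser sends when navigating source -> dest."""
    policy = (policy or "").strip().lower()
    if policy not in POLICIES:
        policy = default  # empty/unknown header value: assumed browser default
    same_origin = _origin(source) == _origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    origin_only = _origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source)
    if policy == "origin-when-cross-origin":
        return _stripped(source) if same_origin else origin_only
    # strict-origin-when-cross-origin
    if same_origin:
        return _stripped(source)
    return None if downgrade else origin_only

def leak_findings(policy, source, dest):
    """Findings a scanner would raise for this policy on a source -> dest navigation."""
    ref = referrer_for(policy, source, dest)
    findings = []
    if ref is None:
        return findings
    if _origin(source) != _origin(dest) and ref == _stripped(source):
        findings.append("full URL sent cross-origin")
    if urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https":
        findings.append("referrer sent on HTTPS->HTTP downgrade")
    return findings
```

Feeding the value of a site's Referrer-Policy header and a navigation from a sensitive page (path and query included) to an external HTTP page reproduces both leak cases the scan looks for.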
Other Web Security Checks
In this update, we also included several other security checks, such as:
- Remote Code Evaluation checks for web applications built on the Node.js framework,
- Database name disclosure security checks for Microsoft SQL Server and MySQL,
- Cross-site scripting vulnerability checks for Markdown syntax,
- Security checks for configured custom HTTP headers.
New Features in Netsparker Desktop
Below is an overview of some of the new features in the Netsparker Desktop web application security scanner:
- Improved Netsparker’s Proxy: The Netsparker proxy used during a manual crawl of a web application has been rewritten and now supports TLS 1.1 and 1.2.
- Hex Editor in Request Builder: You can now view an HTTP request in the HTTP Request Builder in hex format.
- New attack optimization option for parameters that appear on multiple pages: Web pages are made up of a number of components, such as a search widget, a newsletter subscription form and other forms. Such components are used on multiple pages, and by default the scanner attacks a component’s parameters every time it crawls the component through a different page, which slows down the scan. This update introduces a new option, Optimize Attacks to Recurring Parameters, which you can enable and configure with a limit on how many times the scanner attacks the same parameter, even when it is crawled through different pages.
- New CSRF Settings in Scan Policy: We have added a new CSRF node in the Scan Policy Editor in which you can specify the name of a form, action or component that should be excluded from CSRF checks. Since search forms or forms with a CAPTCHA cannot be vulnerable to CSRF, you can exclude them to reduce scan duration. In this node you can specify the CAPTCHA indicators and similar exclusions, as seen in the screenshot below.
- Site Profile Knowledge Base Node: In the new Site Profile knowledge base node you will find information about the target website, such as the operating system of the web server, the web server software, and so on.
Other New Features and Improvements
Apart from the above, the latest update of the dead accurate web application security scanner includes several other new features and improvements, such as:
- Added proof of exploitation for XXE vulnerabilities,
- Improved the WSDL (web services) parsing,
- Improved the highlighting of patterns in HTTP responses,
- Improved the Local File Inclusion vulnerability detection checks,
- And many others!
For a detailed and complete list please refer to the changelog. You will be prompted that an update of Netsparker Desktop is available the next time you start the scanner. Should you need any assistance with the update, or have any questions, do not hesitate to get in touch.