The New Netsparker Web Security Scanners: Automated Configuration of URL Rewrite Rules, Scan Policy Optimizer and Proof of Exploitation

We are happy to announce a new version of Netsparker Desktop and a new Netsparker Enterprise update. These updates include several new features and product updates and mostly focus on automating more of the pre-scan tasks, allowing you to easily get started with scanning hundreds and thousands of websites.

We are excited to announce the release of Netsparker Desktop version 4.5.2 and the Netsparker Enterprise web application security scanning service update 20160107. There are quite a few new features to talk about, so let's get started.

The new automatic configuration of URL rewrite rules and the Scan Policy Optimizer automate more of the pre-scan process for you, making the scanning of hundreds or thousands of websites an easier task. We are also introducing proof of exploitation, which will definitely ease the post-scan process for you, as explained further down in this post.

These updates also include a number of new web security checks and several internal product improvements, such as the fully responsive Netsparker Enterprise dashboard. Below are the highlights of the main features.

Automated Configuration of URL Rewrite Rules in Netsparker Web Security Scanners

Netsparker scanners no longer require you to configure URL rewrite rules. The new web security scanners will automatically configure the URL rewrite rules needed to scan all the parameters in URLs. Configured URL rewrite rules also mean more efficient scans.

Automatically configured URL rewrite rules in Netsparker Desktop

You can still configure URL rewrite rules manually in Netsparker scanners if you wish. But if you do not have detailed knowledge of the target website's setup, or have to scan hundreds or thousands of websites, you no longer need to get bogged down in this pre-scan task. Read the whitepaper Automating the Configuration of URL Rewrite Rules in Netsparker Web Application Security Scanners for more detailed information on this new unique technology.
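As an added illustration (not Netsparker's code or algorithm), the following Python shows what a URL rewrite rule does for a scanner: it infers, using a simple heuristic assumed for this example, which path segments of crawled URLs are really parameters, and maps each URL onto a template whose named parameters can then be tested as inputs. The sample URLs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of crawled URLs for this example (not from the original post).
CRAWLED = [
    "https://example.test/product/101",
    "https://example.test/product/102",
    "https://example.test/product/103/review/7",
    "https://example.test/product/103/review/8",
    "https://example.test/about",
]

def _segments(url):
    return tuple(s for s in urlsplit(url).path.split("/") if s)

def infer_rewrite_rules(urls):
    """Heuristic assumed for this example (not the scanner's own algorithm):
    a path segment is treated as a rewritten parameter when it is numeric, or
    when paths that are identical everywhere else carry different values there.
    Returns a list of (compiled regex, template) rules, one per URL shape."""
    paths = {_segments(u) for u in urls}
    seen = defaultdict(set)   # (position, other segments) -> values seen there
    for segs in paths:
        for i, seg in enumerate(segs):
            seen[(i, segs[:i] + segs[i + 1:])].add(seg)
    rules = {}
    for segs in paths:
        parts = []
        for i, seg in enumerate(segs):
            varies = len(seen[(i, segs[:i] + segs[i + 1:])]) > 1
            parts.append(("param", i) if varies or seg.isdigit() else ("lit", seg))
        template = "/" + "/".join(f"{{{v}}}" if k == "param" else v for k, v in parts)
        if template not in rules:
            regex = "^/" + "/".join(
                f"(?P<p{v}>[^/]+)" if k == "param" else re.escape(v) for k, v in parts
            ) + "$"
            rules[template] = re.compile(regex)
    return [(rx, tpl) for tpl, rx in rules.items()]

def normalize(url, rules):
    """Map a URL onto its rewrite template and extract the injectable parameters.
    Without such a rule a scanner sees /product/101 and /product/102 as two
    unrelated pages and never tests the id segment as an input."""
    path = urlsplit(url).path
    for rx, template in rules:
        m = rx.match(path)
        if m:
            return template, {k[1:]: v for k, v in m.groupdict().items()}
    return path, {}
```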

Scan Policy Optimizer for Shorter & More Efficient Web Security Scans

Optimized scan policies mean shorter and more efficient scans, though not everyone has the time or knowledge to optimize web security scan policies manually. For this reason, our automation-obsessed engineers came up with the Scan Policy Optimizer, a wizard-based optimizer that enables you to optimize scan policies according to your target website within just a minute.

Scan Policy Optimizer Summary

Proof of Exploitation, So You Do Not Have To Verify All The Scanner Findings

Automatic exploitation of identified vulnerabilities is something we pioneered with the first release of the Netsparker web application security scanner. With such technology you do not have to manually verify all of the scanner's findings, which eases the post-scan process.

We have been continuously improving this unique technology ever since, and with this new release we are announcing a major improvement: proof of exploitation. When the scanner automatically exploits a vulnerability, it now also generates proof of the exploit. For example, in the case of a Command Injection, the scanner sends certain commands and shows the server's response to them in the vulnerability report.

Proof of a command injection

Besides marking the vulnerability as "CONFIRMED", Netsparker now provides conclusive proof as well.

Export Identified Web Security Flaws as Issues into GitHub and Team Foundation Server with just a Click

You can now configure Send To actions in the Netsparker web application security scanner to export identified security flaws to GitHub and Team Foundation Server with a single mouse click. All you need to do is configure the credentials and projects. Then simply right-click an identified vulnerability and select the server to which it should be added as an issue in your project.

Export identified web vulnerabilities to JIRA, GitHub and other bug tracking and source control systems

Responsive Netsparker Enterprise Dashboard for Mobile and Tablet Users

The updated Netsparker Enterprise dashboard is fully responsive. Now you can check the status of your web application security scans from your mobile phone or tablet. There is no difference between accessing Netsparker Enterprise from a portable device and from your computer; you can still review scan results, assign vulnerabilities as tasks and launch new web application security scans.

Screenshots of Netsparker Enterprise: list of scheduled and completed web security scans; summary of vulnerabilities identified on a target website; list of tasks; dashboard; a cross-site scripting vulnerability report; scan summary of a target website; scan policies.

New Web Security Checks in Netsparker Desktop & Netsparker Enterprise

Here are some of the new web security checks included in the latest version of the Netsparker web security scanners:

  • Check for outdated and possibly vulnerable JavaScript libraries
  • Hidden directory checks for detection of admin panels
  • Security checks for Windows short file/folder name disclosure
  • Ruby on Rails and RubyGems security checks, such as:
    • checks for database configuration files
    • checks for version disclosure in HTTP responses
    • check whether the version is out of date
    • check for the status of development mode
  • Backdoor checks for MOF Web Shell and DAws
  • New attack patterns for "boot.ini" LFI checks
  • MySQL "LIMIT" injection attack patterns
  • MSSQL error-based SQLi attack payloads
  • New knowledge base nodes for SSL issues, CSS and slow pages

Improved Security Checks

  • MySQL "LIMIT" injection attack patterns
  • MSSQL error-based SQLi attack payloads

Other Noteworthy Features & Improvements

  • New template for HIPAA compliance report
  • Windows 10 support
  • Added syntax highlighting in HTTP request and response viewers for XML, JSON, CSS, JavaScript, etc.
  • Several performance and memory management improvements

Complete List of What is New and Improved in New Netsparker Scanners

For a complete list of what is new and what has been improved in the latest versions of Netsparker Desktop and Netsparker Enterprise refer to the changelog.

Automate More of Your Web Application Security

Web application security is difficult, so the tools and services your business invests in should be easy to use and help you automate as much as possible. This is exactly what Netsparker web security scanners do: they help you identify vulnerabilities in web applications and ensure they are fixed with the least possible effort on your end. Apply now for a free trial of Netsparker Enterprise or download a demo of Netsparker Desktop to see the difference.

About the Author

Ferruh Mavituna - Founder, Strategic Advisor

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.