This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
We are happy to announce version 3.2 of the false-positive-free Netsparker Web Application Security Scanner. The new version includes several new features, improvements that make web vulnerability scans more efficient, and a number of bug fixes. The main highlight of this version is the web services scanner: Netsparker users can now scan SOAP web services and identify vulnerabilities and security issues in them automatically and easily with Netsparker.
Read this article for more information about all of the new features in Netsparker version 3.2.
Identify Vulnerabilities and Security Issues in SOAP Web Services
Netsparker 3.2 brings one of the most long-awaited features, SOAP web services scanning, to the table. Your much loved web vulnerability scanner Netsparker is now capable of crawling WSDL files and generating proper HTTP requests for each SOAP operation it discovers, so that it can identify security issues and vulnerabilities in those operations. Scanning a web service with Netsparker is as easy as scanning a web application: just point Netsparker to your WSDL URL and click the Start Scan button. The following screenshot shows a Boolean SQL Injection identified in a SOAP request to the target web service implementation.
Scanning a Web Application and Web Service Automatically in a Single Scan - Hybrid Scanning
Netsparker also supports what we call Hybrid Scanning: scanning web applications and web services in a single scan. You can point Netsparker to the root of your web site, and if the crawler identifies a WSDL file, it will also scan the identified web service in the same security scan. One benefit of this scanning style is that if an attack on your web service endpoint surfaces on some other part of your web site, e.g. as a permanent (stored) XSS vulnerability, Netsparker will report it.
Import Offline WSDL Files to Start a Web Service Security Scan
WSDL files do not necessarily need to be served by the target server for Netsparker to scan a web service. If you have disabled WSDL generation on your production servers due to security concerns, you can import the WSDL file from your disk into Netsparker before starting the scan. Netsparker will parse the imported WSDL document and add the necessary SOAP requests to the crawler. WSDL files are imported through the same familiar interface as the existing Fiddler, Paros and other session importers in the Start a New Scan dialog.
New Knowledge Base Node for Web Services
SOAP web services discovered during the security scan are also reported in a new, separate Knowledge Base node. You can see each operation of the discovered web services under the Web Services (SOAP) node.
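The crawl step described above (parse a WSDL document, generate one HTTP request template per discovered SOAP operation, and list each operation as the Knowledge Base node does), as an added Python example that is not Netsparker's own code. The WSDL document, service name, endpoint URL and operation names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL 1.1 document; service name, endpoint and operations are hypothetical.
SAMPLE_WSDL = """<definitions name="OrderService"
    targetNamespace="http://example.invalid/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/orders">
  <portType name="OrderPort"><operation name="GetOrder"/><operation name="CancelOrder"/></portType>
  <binding name="OrderBinding" type="tns:OrderPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:orders#GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="urn:orders#CancelOrder"/></operation>
  </binding>
  <service name="OrderService"><port name="OrderPort" binding="tns:OrderBinding">
    <soap:address location="http://example.invalid/orders.asmx"/>
  </port></service>
</definitions>"""


def crawl_wsdl(wsdl_text):
    """One request template (endpoint, headers, skeleton body) per SOAP 1.1 operation."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    # Map each binding name to the SOAP address of the port that exposes it.
    endpoints = {p.get("binding").split(":")[-1]: p.find("soap:address", NS).get("location")
                 for p in root.findall("wsdl:service/wsdl:port", NS)
                 if p.find("soap:address", NS) is not None}
    templates = []
    for binding in root.findall("wsdl:binding", NS):
        if binding.find("soap:binding", NS) is None:
            continue  # not a SOAP binding (e.g. WSDL HTTP GET/POST bindings)
        endpoint = endpoints.get(binding.get("name"))
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            action = soap_op.get("soapAction", "") if soap_op is not None else ""
            # Document-style skeleton body; a full crawler would also fill the input message parts.
            body = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
                    '<%s xmlns="%s"/></soapenv:Body></soapenv:Envelope>'
                    % (SOAP_ENV, op.get("name"), tns))
            templates.append({"operation": op.get("name"), "endpoint": endpoint,
                              "headers": {"Content-Type": "text/xml; charset=utf-8",
                                          "SOAPAction": '"%s"' % action},
                              "body": body})
    return templates
```

Each template carries everything a crawler needs to issue the request, and the list of `operation` values is the same inventory of exposed operations the Knowledge Base node presents.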
Web Services Standards Supported by Netsparker v3.2
In its current incarnation, Netsparker supports the following web service standards:
New Request and Response Viewers for New HTTP Request Formats
As the number of HTTP request formats Netsparker supports has grown in recent versions, the need for better viewers to present these requests and responses has arisen. To address this, Netsparker 3.2 introduces much improved request and response viewers that can render JSON and XML documents as tree views. The following screenshot shows a SOAP request and response in the XML viewers:
AJAX Knowledge Base Node
Netsparker now also reports any AJAX (XMLHttpRequest) requests under a new knowledge base node:
Complete Change Log for Netsparker 3.2
For a complete, detailed changelog of what is new and improved in the latest version of Netsparker, please visit the Netsparker Change Log.