Netsparker Web Application Security Scanner 3.5 Features Highlight

Netsparker Web Application Security Scanner version 3.5 is finally available for download. Check out what is new in this version of Netsparker and update your Netsparker today to benefit from the latest features and to ensure you scan your web applications with the latest web vulnerability security tests.

We are happy to announce the new Netsparker Web Application Security Scanner version 3.5. It has been quite a while since you last heard news of a major version update from us, which is not normal: typically we release major updates much more frequently. As you will notice, though, this version ships a new crawling engine and several other new features, which is no small feat. So even though this release took us some time, we are very happy with the outcome and we are sure you will be as well.

Automated DOM Based Cross-site Scripting Security Tests

Netsparker's Cross-site Scripting engine already scans websites for XSS vulnerabilities that can be exploited by sending payloads through HTTP requests. With this new version of Netsparker the scanning engine can also detect another category of Cross-site Scripting vulnerabilities: DOM based cross-site scripting. These vulnerabilities are usually exploited by placing an XSS payload in the web page's location hash value. If the page's client-side script does not validate this input before writing it into the DOM, chances are a DOM based vulnerability lies there. From this version on, Netsparker will scan your web pages for DOM Based Cross-site Scripting vulnerabilities. If your website uses location hash values for various purposes, scanning your website for DOM Based Cross-site Scripting vulnerabilities is crucial.

DOM XSS reported by Netsparker Web Application Security Scanner

The DOM Based Cross-site Scripting tests can take quite some time to complete, especially when scanning pages with lots of elements. Therefore the default scan policy in Netsparker has DOM Based Cross-site Scripting checks switched off, but you can always scan your site using the Extensive Security Checks policy or create your own policy to find DOM Based Cross-site Scripting vulnerabilities. In the meantime we are already working on several improvements to ensure DOM based XSS tests are as fast as all the other security checks.
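To illustrate the class of bug described above, here is an added example (not Netsparker's code) of a tab-switching script that reads the location hash: the first version writes the raw fragment into innerHTML, a DOM XSS sink, while the hardened version allow-lists the fragment and writes it as text. The tiny fake element and the tab names are constructed so the snippet runs in Node without a browser.

```javascript
// Stand-in for a DOM element so this runs outside a browser (assumption).
function makeFakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Strip the leading '#' and percent-decode; malformed encodings yield ''.
function fragmentOf(hash) {
  try {
    return decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return '';
  }
}

// VULNERABLE: the untrusted fragment flows straight into an HTML sink,
// so any markup in the URL fragment becomes part of the page.
function renderTabVulnerable(hash, el) {
  el.innerHTML = '<h2>Tab: ' + fragmentOf(hash) + '</h2>';
  return el.innerHTML;
}

// HARDENED: the fragment only selects one of the known tab ids (constructed
// list), and the result is written with textContent, never as markup.
const KNOWN_TABS = new Set(['overview', 'settings', 'reports']);

function resolveTab(hash) {
  const name = fragmentOf(hash);
  return KNOWN_TABS.has(name) ? name : 'overview';
}

function renderTabHardened(hash, el) {
  el.textContent = 'Tab: ' + resolveTab(hash);
  return el.textContent;
}

// Detection helper: does markup from the fragment survive into the sink?
function fragmentReachesSink(renderFn, hash) {
  const out = renderFn(hash, makeFakeElement());
  return out.indexOf(fragmentOf(hash)) !== -1 && /<\w+/.test(fragmentOf(hash));
}
```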

Read the article DOM based Cross-site Scripting Vulnerabilities for a more detailed explanation of this vulnerability variant.

Custom & Easy URL Rewrite Configuration

Websites today make use of a technique called URL Rewrite to have more readable URLs and achieve higher search engine rankings. Using URL Rewrite, websites replace the ugly looking regular GET parameters in URLs with more readable URL path segments. Previous versions of Netsparker tried to automatically detect whether the site being scanned had URL Rewrite in place. This version of Netsparker introduces Custom URL Rewrite Configuration, which allows you to configure the scanner by providing the URL rewrite patterns used on the target website. Once configured, Netsparker is able to attack the URL segments which play the role of a parameter. This also reduces the number of attacks for URLs that share the same pattern, since each pattern is tested once rather than once per URL.

Configuring URL rewrite rules in Netsparker Web Application Security Scanner is as easy as ABC

Read URL Rewrite Rules and Web Vulnerability Scanners for more detailed information on URL rewrites, and check out Configuring URL Rewrite Rules in Netsparker Web Application Security Scanner to see how easy it is to configure URL rewrite rules in Netsparker so that it scans parameters embedded in the URL path.
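As an added example (not Netsparker's own rewrite-rule implementation), the following shows the idea behind a rewrite configuration: a pattern with placeholder segments is compiled to a matcher, path segments are lifted out as named parameters, and crawled URLs that differ only in those values are grouped under one pattern. The `{name}` placeholder syntax and the sample paths are assumptions for illustration.

```javascript
// Compile a pattern such as "/products/{id}/{slug}" (placeholder syntax is an
// assumption) into a regex plus the ordered list of parameter names.
function compilePattern(pattern) {
  const names = [];
  const source = pattern.split('/').map(seg => {
    const m = seg.match(/^\{(\w+)\}$/);
    if (m) { names.push(m[1]); return '([^/]+)'; }
    return seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal segment
  }).join('/');
  return { pattern, names, regex: new RegExp('^' + source + '$') };
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return the named parameters carried in the path segments, or null if the
// path does not follow the pattern.
function matchRewrite(compiled, path) {
  const m = compiled.regex.exec(path);
  if (!m) return null;
  const params = {};
  compiled.names.forEach((n, i) => { params[n] = safeDecode(m[i + 1]); });
  return params;
}

// Group crawled paths by the first pattern they match; paths matching no
// pattern are keyed by themselves. Each group is one set of injectable
// parameters, so a scanner needs to test it once rather than per URL.
function groupByPattern(patterns, paths) {
  const compiled = patterns.map(compilePattern);
  const groups = {};
  for (const path of paths) {
    const hit = compiled.find(c => c.regex.test(path));
    const key = hit ? hit.pattern : path;
    (groups[key] = groups[key] || []).push(path);
  }
  return groups;
}
```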

Ignore a Vulnerability From Scan Results

You may want to exclude a specific vulnerability from a scan result so it won't appear in the reports. These could be informational findings that make the report too verbose, or findings you believe no longer exist. Using this new feature, you can ignore a vulnerability in a specific scan by right-clicking it in the sitemap tree, as shown in the screenshot below.

With Netsparker it is possible to exclude a vulnerability from a web vulnerability scan result so that it does not appear in the report

Chrome Based Web Browser Engine & Crawler

Previous versions of Netsparker used the Internet Explorer engine for DOM operations and JavaScript execution. Using IE as the web browser engine in Netsparker caused several problems. First and foremost, every Windows installation ships with a different version of IE, which is not always updated to the latest release, so we had to develop features against several IE versions at once. Another problem is that older versions of IE lacked some basic features of recent web standards, which caused your standards-based web applications to behave unexpectedly. Given these problems, we decided to replace our web browser engine with a Chrome-based engine. We have also replaced the web browser pane used in the recording phase of our Form Authentication wizard.

The new crawling and web browser engine opens up a number of new opportunities for Netsparker, and we will continue developing it to ensure that Netsparker can automatically crawl and scan a wider variety of web applications built with different technologies.

Complete Change Log for Netsparker Web Application Security Scanner 3.5

For a complete, detailed changelog of what is new and improved in the latest version of Netsparker, please visit the Netsparker Web Application Security Scanner Change Log.

Huseyin Tufekcilerli

About the Author

Huseyin Tufekcilerli - Director of Product Management

Product Manager at Invicti.