Netsparker 4 – Easier to Use, More Automation and Many More Web Security Checks
We are happy to announce the new Netsparker Desktop 4. The new version can automatically scan applications built with Google Web Toolkit, has an all new fully automated form authentication mechanism and is fully loaded with new web security and vulnerability checks.
We are happy to announce a new major version of the desktop edition of our scanner, Netsparker Web Application Security Scanner version 4. The main highlight of this new version is the fully automated Form Authentication mechanism: it does not require you to record anything, and it supports two-factor authentication and other authentication mechanisms that require a one-time code, out of the box.
Below is a list of the feature highlights of the new Netsparker Web Application Security Scanner version 4.
Configuring New Web Application Security Scans Just Got Easier
This is the first thing you will notice when you launch the new version of Netsparker Desktop: a more straightforward and easier to use New Scan dialog. Easy-to-use software has become synonymous with Netsparker's scanners, and in this version we raised the bar again, enabling many users to launch web security scans even if they are not that familiar with web application security.
![The Start a New Scan dialog in Netsparker Desktop has been simplified](https://cdn.invicti.com/statics/img/blogposts/Start-a-New-Scan.png)
As seen in the above screenshot, all the generic scan settings you need are ergonomically placed, allowing you to quickly configure a new web application security scan. All of the advanced scan settings, such as HTTP connection options, have been moved to scan policies.
Revamped Form Authentication Support to Scan Password Protected Areas
The new fully automated form authentication mechanism of Netsparker Desktop emulates a real user login, so even if the web application uses tokens or other one-time parameters, an out-of-the-box installation of the scanner can still log in to the password protected area and scan it. For example, in the screenshot below Netsparker is being used to log in to the MailChimp website.
![Configuring form authentication in Netsparker is very simple. Just specify a URL and the credentials](https://cdn.invicti.com/statics/img/blogposts/Configuring-form-authentication.png)
Once you enter the necessary details, mainly the login form URL and credentials, you can click Verify Login & Logout to verify that the scanner can automatically log in and identify a logged-in session, as shown in the screenshot below.
![Use the Verify Login and Logout button to verify that the scanner can login automatically and identify a logged in session](https://cdn.invicti.com/statics/img/blogposts/Verify-Form-Authentication.png)
You do not have to record any login macros because the new mechanism is entirely DOM-based. You just enter the login form URL, username and password, and the scanner automatically logs in to the password protected section. We have tested the new automated form authentication mechanism on more than 300 live websites and can confirm that, with an out-of-the-box setup, it works on 85% of the websites. 13% of the remaining edge cases can be fixed by writing 2-5 lines of JavaScript code with Netsparker's new custom script support. Pretty neat, don't you think? Below are just a few of the login forms we tested.
![Few of the login forms we tested with the new automated forms authentication mechanism](https://cdn.invicti.com/statics/img/webo/login_forms_samples.png)
The new form authentication mechanism also supports custom scripts, which can be used to override the scanner's behaviour, or in the rare cases where the automated login button detection does not work. The custom scripting language has been changed to JavaScript because it is easier and many more users are familiar with it.
Out of the Box Support for Two-Factor Authentication and One Time Passwords
The new form authentication mechanism of Netsparker Desktop can also be used to automatically scan websites that use two-factor authentication or any other type of one-time password technology. It is very simple to configure: specify the login form URL, username and password, and tick the option Interactive Login, so that a browser window is opened automatically, allowing you to enter the third authentication factor during a web application security scan.
![Interactive Form Authentication allows users to scan web applications using two-factor authentication or one time passwords and tokens](https://cdn.invicti.com/statics/img/blogposts/Interactive-Form-Authentication2.png)
Ability to Emulate Different User Roles During a Scan
To ensure that all possible vulnerabilities in a password protected area are identified, you should scan it using different users that have different roles and privileges. With the new form authentication mechanism of Netsparker you can do just that. When configuring the authentication details, specify multiple usernames and passwords, so between scans you just select which credentials should be used, without needing to record any new login macros or reconfigure the scanner.
![In the form authentication configuration you can specify multiple users which have different roles](https://cdn.invicti.com/statics/img/blogposts/Configuring-different-roles-in-authentication.png)
Automatically Identify Vulnerabilities in Google Web Toolkit Applications
![google web toolkit](https://cdn.invicti.com/statics/img/blogposts/google-web-toolkit-logo.png)
Google Web Toolkit, also known as GWT, is an open source framework that has gained a lot of popularity. Nowadays many web applications are built on it, or use features and functions from it. Since web applications built with GWT depend heavily on complex JavaScript, we built a dedicated engine in Netsparker to support GWT.
This means that you can use Netsparker Desktop to automatically crawl, scan and identify vulnerabilities and security flaws in Google Web Toolkit applications.
![Netsparker identified an SQL injection vulnerability in a Google Web Toolkit application](https://cdn.invicti.com/statics/img/blogposts/GWT-Vulnreability.png)
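The form authentication section above describes a login mechanism that is driven by the page's DOM rather than by a recorded macro, and that copes with one-time tokens because it submits the form the way a real browser would. The following is an added example, not Netsparker's code: a miniature version of that idea in Node.js. It locates a login form by its password field, picks the nearest preceding text or email input as the username field, finds the submit control, and carries along the hidden fields (for example an anti-CSRF token) read from the page as served. The sample page, the field names and the token value are constructed for the example; Netsparker's own engine drives a real browser, whereas this version parses an HTML string with regular expressions so it runs offline.

```javascript
// Added example (not Netsparker's own code): a DOM-style login form locator
// that runs offline over a constructed HTML string.

// Constructed sample page; the markup, field names and token are hypothetical.
const SAMPLE_LOGIN_PAGE = `
<html><body>
<form id="search" action="/search" method="get">
  <input type="text" name="q" placeholder="Search">
  <button type="submit">Go</button>
</form>
<form id="login" action="/account/login" method="post">
  <input type="hidden" name="__RequestVerificationToken" value="tok-7f3a">
  <input type="hidden" name="returnUrl" value="/dashboard">
  <label>Email</label><input type="email" name="email">
  <label>Password</label><input type="password" name="pwd">
  <button type="submit" name="btn">Sign in</button>
</form>
</body></html>`;

// Turn the attribute string of a tag into a { name: value } object.
function parseAttributes(attrString) {
  const attrs = {};
  const re = /([\w:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Locate the first form that looks like a login form, or return null.
function findLoginForm(html) {
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const formAttrs = parseAttributes(form[1]);
    const body = form[2];
    const inputs = [...body.matchAll(/<input\b([^>]*?)\/?>/gi)].map(i => parseAttributes(i[1]));
    const typeOf = i => (i.type || 'text').toLowerCase();

    // A login form is recognised by its password field.
    const pwIndex = inputs.findIndex(i => typeOf(i) === 'password');
    if (pwIndex === -1) continue;

    // Username: the nearest text-like input that precedes the password field.
    const userField = inputs.slice(0, pwIndex).reverse()
      .find(i => ['text', 'email', 'tel'].includes(typeOf(i)));
    if (!userField) continue;

    // Submit control: a <button> or an <input type="submit">.
    const buttonMatch = body.match(/<button\b[^>]*>([\s\S]*?)<\/button>/i);
    const submitInput = inputs.find(i => typeOf(i) === 'submit');
    const submitLabel = buttonMatch ? buttonMatch[1].trim()
      : submitInput ? (submitInput.value || 'submit') : null;

    return {
      action: formAttrs.action || '',
      method: (formAttrs.method || 'get').toUpperCase(),
      usernameField: userField.name,
      passwordField: inputs[pwIndex].name,
      submitLabel,
      // Hidden fields (anti-CSRF / one-time tokens) are taken from the served page.
      hiddenFields: Object.fromEntries(
        inputs.filter(i => typeOf(i) === 'hidden').map(i => [i.name, i.value || ''])),
    };
  }
  return null;
}

// Build the urlencoded body a browser would submit for this form. Because the
// hidden fields come from the page as it was served, a per-request token is
// replayed correctly without any recorded macro.
function buildLoginBody(form, username, password) {
  const params = new URLSearchParams(form.hiddenFields);
  params.set(form.usernameField, username);
  params.set(form.passwordField, password);
  return params.toString();
}

const form = findLoginForm(SAMPLE_LOGIN_PAGE);
console.log(form);
console.log(buildLoginBody(form, 'scanner@example.test', 'hunter2'));
```

In a real scanner the page is fetched again before every login attempt so that the token value is fresh, and the "verify login" step then checks that the response differs from an unauthenticated one (for example, that a logout link is present); only the detection and body construction are shown here.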
Identify Vulnerabilities in File Upload Forms
Like every version or build of Netsparker we release, this version includes a number of new security checks. One specific web application security check in this version deserves more attention than the others: file upload form vulnerabilities. From this version onwards, Netsparker Desktop checks all the file upload forms on your websites for the vulnerabilities such forms are typically susceptible to; for example, Netsparker tests that the validation checks in a file upload form work and that they cannot be bypassed by malicious attackers.
![An unrestricted file upload form reported in Netsparker](https://cdn.invicti.com/statics/img/blogposts/File-Upload-vulnerability.png)