This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
We have just updated Netsparker Enterprise, the cloud-based edition of our web application security scanner. Below is a quick overview of what is new and improved.
Technical Check for the HTTP Header set-cookie
In this update we included a new check for the HTTP header Set-Cookie. The scanner will alert you if multiple cookies are attached to the same Set-Cookie header, as shown in the screenshot below.
Having multiple cookies attached to the same Set-Cookie header is not a security issue per se, but according to section 3 of RFC 6265:
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.
We still implemented this check because attaching multiple cookies to the same Set-Cookie header can lead to a number of technical problems; for example, most browsers will only accept the first cookie. Below is a screenshot of the alert the scanner issues if it detects multiple cookies:
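The condition this check looks for, as an added Python example (not Netsparker's own detection code): it parses a raw response header block and flags any Set-Cookie header that carries more than one cookie-pair, while not tripping on the comma that legitimately appears inside an Expires date. The sample responses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# A folded cookie boundary is a comma followed by a cookie-name token and "=".
# The comma inside an Expires date ("Wed, 21 Oct 2015 ...") is followed by a
# space-separated date with no "=" right after the token, so it does not match.
FOLD_BOUNDARY = re.compile(r",\s*(?=[^\s=;,]+=)")

# Constructed sample responses (not captured from any real server).
FOLDED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly, tracking=xyz; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
DATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/\r\n\r\n"
)
SEPARATE_RESPONSE = (  # RFC 6265 compliant: one cookie per header field
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: tracking=xyz; Path=/\r\n\r\n"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, keeping order and duplicates."""
    headers = []
    for line in re.split(r"\r?\n", raw):
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue  # skip status line, blank separator and body
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def split_folded_set_cookie(value: str) -> List[str]:
    """Return the individual cookie-pairs (with attributes) folded into one header value."""
    return [part.strip() for part in FOLD_BOUNDARY.split(value)]

def folded_set_cookie_findings(raw: str) -> List[Dict]:
    """One finding per Set-Cookie header that contains more than one cookie."""
    findings = []
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        cookies = split_folded_set_cookie(value)
        if len(cookies) > 1:
            names = [c.split("=", 1)[0].strip() for c in cookies]
            findings.append({"header": value, "cookies": names})
    return findings
```

Running `folded_set_cookie_findings` over the three samples reports only the first response, naming the `session` and `tracking` cookies that share one header.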
Improved Security Checks
In this update we also improved the Content Security Policy check and extended the coverage of the Blind SQL Injection engine.
Complete List of Changes
We also fixed several bugs in this update. For a complete, detailed list of all the fixes, please refer to the Netsparker Enterprise 20161102 changelog entry.