November 2016 Netsparker Enterprise Update

This blog post is an overview of what is new, improved and fixed in the November 2016 update of Netsparker Cloud online web vulnerability scanner.

We have just updated Netsparker Enterprise, the cloud-based edition of our web application security scanner. Below is a quick overview of what is new and improved.

Technical Check for the HTTP Header set-cookie

In this update we included a new check for the HTTP header set-cookie. The scanner now checks for, and will alert you about, multiple cookies attached to the same set-cookie header, as shown in the screenshot below.

Some web applications set multiple cookies in the same HTTP header

Having multiple cookies attached to the same HTTP header set-cookie is not a security issue per se, but according to section 3 of RFC 6265:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

We still implemented this check because attaching multiple cookies to the same set-cookie header could lead to a number of technical problems. For example, most browsers will only accept the first cookie. Below is a screenshot of the alert that the scanner will issue when it detects multiple cookies:

A Netsparker Cloud alert of multiple cookies in the same HTTP header set-cookie
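As an added illustration (not Netsparker's own detection logic), the following Python check scans raw response headers for Set-Cookie values that fold several cookies into one header. It deliberately does not split on the comma inside an Expires date, which is the classic false positive when folding is detected naively. The header sample is constructed for the example.

```python
import re

# A comma starts a new cookie only when it is followed by a cookie-name
# token and "=". The comma in an Expires date ("Expires=Wed, 21 Oct ...")
# is followed by a digit and a space, so it does not match and is kept.
# The token class mirrors the RFC 6265 cookie-name grammar (no "=", ",", ";").
_FOLD_SPLIT = re.compile(r',\s*(?=[^=;,\s]+=)')


def split_folded_set_cookie(value):
    """Return the individual cookie strings folded into one Set-Cookie value."""
    return [part.strip() for part in _FOLD_SPLIT.split(value) if part.strip()]


def find_folded_set_cookie(raw_headers):
    """Scan raw HTTP response header lines.

    Returns a list of (header_value, [cookie_names]) for every Set-Cookie
    header that carries more than one cookie. A status line or any header
    without a colon is skipped; the header name match is case-insensitive.
    """
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(':')
        if not sep or name.strip().lower() != 'set-cookie':
            continue
        cookies = split_folded_set_cookie(value.strip())
        if len(cookies) > 1:
            names = [c.split('=', 1)[0].strip() for c in cookies]
            findings.append((value.strip(), names))
    return findings


# Constructed sample response: one folded Set-Cookie header (two cookies,
# one with an Expires date containing a comma) and one well-formed header.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly, "
    "tracking=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "Set-Cookie: single=1; Secure\r\n"
)

if __name__ == "__main__":
    for header_value, names in find_folded_set_cookie(SAMPLE_HEADERS):
        print("Folded Set-Cookie header carries %d cookies: %s" % (len(names), names))
```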

Improved Security Checks

In this update we also added some improvements to the Content Security Policy check, and improved the coverage of the Blind SQL Injection engine.

Complete List of Changes

We also fixed several bugs with this update. For a complete and detailed list of all the fixes, please refer to the Netsparker Enterprise 20161102 changelog entry.

About the Author

Ferruh Mavituna - Founder, Strategic Advisor

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.