November 2016 Netsparker Desktop Release

In this November 2016 update of Netsparker Desktop we included a new technical check for the Cookies HTTP Header, improved the coverage of the Blind SQL Injection Engine and more.

In this month's update of Netsparker Desktop web vulnerability scanner we have included a new technical check for the cookies HTTP header, and several product improvements and bug fixes.

Multiple Cookies in HTTP Header

During a scan, the Netsparker web application security scanner checks whether the cookies HTTP header contains multiple cookies. If it does, it alerts you, as shown in the screenshot below.

Netsparker web security scanner identified multiple cookies in the HTTP Header

It alerts you because the cookies HTTP header should contain only a single cookie, as per section 3 (Overview) of RFC 6265:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

Attaching multiple cookies in the same HTTP header could lead to a number of technical problems, such as browsers accepting only the first cookie. Also, the last thing you want in your web application is a problem with HTTP cookies and HTTP sessions. None of this leads to a security issue in itself (as of today), but one should make an effort to stick to the standards.
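
A check of this kind can be sketched as follows. This is an added example, not Netsparker's implementation; the function names and the sample response are constructed for illustration. It treats a comma followed by name= as the start of a folded cookie, so the comma inside an Expires date does not cause a false positive.

```python
import re

# A comma that is followed by "name=" starts a second cookie folded into the
# same header. The comma inside an Expires date ("Wed, 09 Jun ...") is followed
# by a day number and a space, not "name=", so it is not treated as a fold.
# Heuristic: an unquoted comma inside a cookie value would also be flagged,
# which is acceptable because RFC 6265 does not allow commas in cookie values.
_FOLD = re.compile(r",\s*(?=[^\s;,=]+=)")

def split_folded(value):
    """Split one Set-Cookie header value into the cookies folded into it."""
    return [part.strip() for part in _FOLD.split(value.strip())]

def find_folded_set_cookie(raw_headers):
    """Return, for each folded Set-Cookie header, the cookie names it carries."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line, other headers, blank lines
        cookies = split_folded(value)
        if len(cookies) > 1:
            findings.append([c.split("=", 1)[0] for c in cookies])
    return findings

# Constructed sample response headers (not captured from a real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly, theme=dark; Path=/\r\n"
    "Set-Cookie: lang=en; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/\r\n"
    "Set-Cookie: cart=42; Expires=Wed, 09 Jun 2027 10:18:14 GMT, promo=xmas; Secure\r\n"
)

if __name__ == "__main__":
    for names in find_folded_set_cookie(SAMPLE_RESPONSE):
        print("Multiple cookies in one Set-Cookie header:", ", ".join(names))
```

The second header in the sample is compliant and is not reported; the first and third each carry two cookies and are.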

Web Security Checks Improvements and Bug Fixes

With this update we also shipped an improved Content Security Policy security check, and improved the coverage of the Boolean SQL Injection engine. There are several other improvements. Please refer to the changelog of Netsparker Desktop 4.7.1.12382 for a complete list of improvements and fixes in this version of Netsparker Desktop web application security scanner.