Popular Post itsMe Posted May 21, 2019 Popular Post Share Posted May 21, 2019 This is the hidden content, please Sign In or Sign Up This is the hidden content, please Sign In or Sign Up WEB APPLICATION SECURITY SOLUTION A single platform for all your web app security needs Automatic: Verify vulnerabilities with Proof-Based ScanningTM technology United: A variety of integrations to collaborate and streamline your process Scalable: Enterprise features to easily manage your web application security This is the hidden content, please Sign In or Sign Up Netsparker 5.3.0.23162 - 28th March 2019 Spoiler NEW FEATURES Added Netsparker Assistant, a smart scan assistant that will guide you through a Scan Added OAuth2 Authentication support Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical Added Azure DevOps Send To integration Added an option to report only Confirmed vulnerabilities while generating reports Added Redmine Send To integration Added Bugzilla Send To integration Added F5 WAF rule generation Added Dark UI theme Added RESTful API Modeling Language (RAML) link import support Added facility to exclude certain URLs from URL Rewrite Detection Added support for importing links from WordPress REST API files Added a Scan Policy for OWASP Top 10 vulnerabilities Added a Scan Policy for PCI vulnerabilities Added support for deleting a Scan from Local Scan files NEW SECURITY CHECKS Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340) Added Unicode Transformation (Best-Fit Mapping) security check Added detection for possible Header Injection Added out-of-date detection for Oracle Database Server Added out-of-date detection for Mithril Added out-of-date detection for ef.js Added out-of-date detection for Match.js Added out-of-date detection for List.js Added out-of-date detection for RequireJS Added out-of-date detection for Riot.js Added out-of-date detection for Inferno Added out-of-date detection for Marionette.js Added out-of-date detection for GSAP Added config.json check to Resource Finder Added detection support for TS Web access Added detection support for .travis.yml IMPROVEMENTS Improved Scan performance by allocating computer resources better Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families Out-of-date server-side apps are highlighted in the Site Profile Clicking on links displayed in Knowledge Base items will navigate to the related node Added URL to the Email List Knowledge Base Added URL to the request which cookie is set on Cookies Knowledge Base Custom URL Rewrite Rules can be sorted by clicking the column header Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base Added an option to prevent the operating system from going to sleep while there is a scan in progress Added an Exploit context menu item to the Sitemap and Issues nodes Vulnerable parameters are now highlighted in the Sitemap and Issues nodes Updated Code Evaluation (PHP) attack patterns Due Date setting has been replaced with Due Days on some of the Send To integrations Improved the icons used in the Sitemap and Issues nodes Removed deleted scan files from the File Import list Improved DOM Simulation performance and fixed several issues Improved react JavaScript framework support on Form Authentication HTML Select elements without event listeners are simulated in DOM Simulation Improved the performance of the Activity pane's viewer Added a Copy URL context menu item to the Activity viewer The File Upload engine searches newly discovered file names in the upload response and in the upload folders Improved operating system detection by the Site Profile node in the Knowledge Base Added Activity Status information to the Sitemap nodes Added support for attacking the name of POST parameters Improved the layout for Reports on scans that detected zero vulnerabilities Improved the External References for several vulnerabilities Added ISO 27001 information to the Executive Summary Report CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed Fixed an issues in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework Added support for exploiting XSS on text and XML content types Users can now resize the Activity Viewer columns Out of Date SQL vulnerabilities are reported as Confirmed Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access All security engines are checked when the Controlled Scan panel is manually opened Added Cookie Whitepaper reference to cookie vulnerability templates Added External References to ExpressJS, CakePHP and Possible Stored XSS templates Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details Added support for highlighting input elements that are used to send passwords over query strings Improved rendering performance of the Knowledge Base's Comments page when there are too many comments More commands are executed in the Code Evaluation exploitation to generate proofs Improved Out of Band SSTI attack payloads Added automatic selection in the Form Authentication dialog when all fields are filled up Added case sensitive search for Raw Response viewer Added an overlay to display longer scans are being imported, to block user activity and show progress Added Show/Hide Password button in Form Authentication settings Added an information dialog displayed when a scan is finished and Netsparker window is in the background Improved highlight function for detected JavaScript libraries Improved reports to display the product version on which the Scan is performed Improved the HTTP Request Builder panel to display generic headers Manuscript has been renamed FogBugz Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished Improved RFI confirmation for URL Rewrite parameters Improved adding Out of Date Information Database information to the Site Profile Improved signatures of Nginx Version Disclosure patterns Optimized the attack speed of XSS and LFI engines The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks Cookie checks will analyze session cookie names to detect platform-specific default session names Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved Phishing by Navigating Browser Tabs Default Report Policy vulnerability description have been improved Added Jira Account ID field for Jira Send To Action to assign issues to a user as JIRA Api will not accept username after 29 April 2019 FIXES Fixed failing VDB update when multiple instances were running Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes Fixed an issue where JavaScript file parsing was taking longer than expected in some occasions Fixed an issue where copied URL Rewrite Rules from Knowledge Base cannot be pasted in URL Rewrite settings Fixed an issue where JavaScript file parsing might take longer than expected in some occasions Fixed a NullReferenceException that was thrown while saving the layout of panes Fixed an ObjectDisposedException that was thrown when cancelling a Retest Fixed the Listening Port so that it is no longer set for the next Manual Crawl Fixed the issue where Finished Scans were displayed a Paused Scan icon Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie Fixed the incorrect order of the vulnerabilities in the Issues panel Fixed the Trial Licence dialog that was popping up twice Fixed the issue where data from a previous scan was displaying in the Activity panel Fixed HTTP 400 errors raised by the ServiceNow Send To integration Fixed the ObjectDisposedExceptions error that was thrown during Blind SQL Injection checks Fixed an issue where the SSL client handshake code was having issues while trying to communicate with a specific server with different configuration Fixed the issue where the status bar displayed the incorrect number of remaining trial days Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash Fixed the problem where the application was hanging on shutdown Fixed missing Authentication cookies in the Knowledge Base Fixed incorrect nonce detected without matching script block vulnerability Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high Fixed the issue where cookies were sent during the request for the Favicon image of the target URL Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details Fixed the high DPI issues in the Bulk Export to Enterprise panel Fixed the issue where the uninstall process was interrupted if a Netsparker instance was still running Fixed high DPI issues in the Local Scans panel during Import Fixed a NullReferenceException that occurred while rendering Vulnerability Details Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities Fixed the Knowledge Base Report's header, where the image, title and severity level were overlapping Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files Fixed an issue that caused FP Insecure Reflected Content to be reported Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared Fixed the issue where vulnerability fields were not updated after a Retest Fixed the value of double encoded null byte in LFI, XSS attack patterns Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder Fixed an issue where an imported link could be saved without correcting the errors in the Request form Fixed an issue where links generated in Netsparker attacks were added to the Sitemap Fixed the value of the double encoded null byte in the Header Injection pattern Fixed the encoding of the % sign in the base64 payload in XSS attacks Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog Fixed the selection issue in the filtered Security Checks of the Scan Policy panel Fixed the encoding issue in the SQL Injection confirmation attack Fixed the validation issue of the Send to Action configuration Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree Fixed the grouping issue on vulnerability variations and instances Fixed HTTP method icons in the Sitemap Fixed issues caused by language changes Fixed the scrolling problem in the Vulnerability viewer Fixed the confusion over which persona was used during Form Authentication verification Fixed an order issue in the Sitemap tree Fixed the incorrect variation count presentation issue in the Issues tree Fixed the broken tab key in the Request Builder panel Fixed the incorrect Remaining Day presentation in the License reminder Fixed the issue where the Back button was clickable during the Bulk Export to Netsparker Enterprise, causing the export to fail Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks Fixed the wrong proxy display after resetting settings to the default Fixed a performance issue that occurred while exporting a large Scan to Netsparker Enterprise Fixed duplicate cookie names that were reported on a Cookie vulnerability Fixed a high DPI issue in the message box Fixed visual issues in the binary Response viewer Fixed an issue where the DOM engine failed to restart on some occasions Fixed an issue where Local/SessionStorage values were not persisting throughout the scan Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS Fixed a NullReferenceException that was sometimes thrown while saving Scan data Fixed HTML form simulation for cases where the form did not have an element with the Submit type Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute Fixed an issue where Netsparker sometimes prevented Windows from shutting down while a Scan was running Fixed an issue where NTLM Authentication was being ignored during Logout Detection Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured Fixed an issue where the Max Simulated Elements option was causing the simulation to hang Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan Fixed an issue where an incorrect "Subresource Integrity (SRI) Hash Invalid" vulnerability was reported because of hash miscalculation Link to comment Share on other sites More sharing options...
Recommended Posts