(LiveHacking.Com) – Mavituna Security has released version 2.2 of its Netsparker web application security scanner. The new release focuses mainly on improving the performance of Netsparker while scanning big websites and on reducing CPU usage. As part of the performance drive, Netsparker now makes fewer requests while crawling a web application (without sacrificing coverage) and can handle huge websites and very long scans without a performance hit.
Besides the performance improvements, Netsparker 2.2 improves a number of its checking techniques. First, its Remote Code Evaluation checks have been improved and checks for Perl Remote Code Evaluation have been added. Local File Inclusion (LFI) vulnerability checking has also been improved, along with Remote File Inclusion (RFI) vulnerability checking. RFI checking catches vulnerabilities based on an attacker’s ability to inject a file (not already on the server) into the attacked page and have it included as source code for parsing and execution. Also improved is Netsparker’s PHP Source Code Disclosure checking.
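The LFI and RFI checks above probe a single weak spot: an include path built from an unvalidated request parameter. As an added illustration (not Netsparker’s code, and not from any real application), the resolver below shows the defensive side for a hypothetical `?page=` parameter, rejecting remote URLs and wrapper schemes (the RFI case) as well as traversal and absolute paths (the LFI case), and accepting only names from a constructed allowlist.

```python
"""Added example: safe resolution of an untrusted include parameter.
Assumes a hypothetical app whose pages live under one directory and
are named by a short allowlist; nothing here is Netsparker code."""
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allowlist of page names the hypothetical application serves.
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_include(param: str, base_dir: str) -> Path:
    """Map an untrusted ?page= value to a file inside base_dir.

    Raises ValueError for anything that is not an allowlisted page name:
    URLs and wrapper schemes (RFI), traversal or absolute paths (LFI),
    and embedded NUL bytes that could truncate a path.
    """
    if "\x00" in param:
        raise ValueError("NUL byte in include parameter")
    # Any scheme prefix (http:, ftp:, php:, data:, ...) means a remote or
    # wrapper include rather than a local page name.
    if urlsplit(param).scheme:
        raise ValueError(f"scheme not allowed: {param!r}")
    # Only bare names are acceptable; separators or '..' indicate traversal.
    if any(token in param for token in ("/", "\\", "..")):
        raise ValueError(f"path characters not allowed: {param!r}")
    if param not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {param!r}")
    base = Path(base_dir).resolve()
    target = (base / f"{param}.php").resolve()
    # Even an allowlisted name must still resolve beneath base_dir.
    if base not in target.parents:
        raise ValueError("resolved path escapes base directory")
    return target


def is_safe_include(param: str, base_dir: str = "/var/www/pages") -> bool:
    """Predicate form, convenient for request filtering and tests."""
    try:
        resolve_include(param, base_dir)
        return True
    except ValueError:
        return False
```

The same inputs that the scanner's LFI and RFI checks send are exactly the ones this resolver must refuse, so a scanner run is a useful regression test for it.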
Web applications have been under the spotlight recently, with sites like LinkedIn and Yahoo! suffering security breaches that resulted in login details (including email addresses and passwords) being stolen and posted online. Tools like Netsparker are increasingly becoming “must haves” in the arsenal of web application developers. Netsparker is also quite unique in the web application security scanning market in that it includes a built-in exploitation engine to positively confirm vulnerabilities.
Yahoo’s recent security breach, in which details of 450,000 accounts were stolen and posted online, is thought to have occurred because of an SQL Injection attack. Tools like Netsparker can detect various forms of SQL Injection vulnerability. They can also detect Cross Site Scripting (XSS) vulnerabilities, Command Injection (where input data is interpreted as an operating system command) and CRLF injection issues (which can lead to XSS and session hijacking attacks).