October 25, 2016

New version of Netsparker is quicker while using less CPU

(LiveHacking.Com) – Mavituna Security has released version 2.2 of its Netsparker web application security scanner. The new release focuses mainly on improving Netsparker's performance when scanning big websites and on reducing its CPU usage. As part of the performance drive, Netsparker now makes fewer requests while crawling a web application (without sacrificing coverage) and can handle huge websites and very long scans without a performance hit.

Besides the performance improvements, Netsparker 2.2 improves a number of its checking techniques. First, its Remote Code Evaluation checks have been improved, and checks for Perl Remote Code Evaluation have been added. Local File Inclusion (LFI) vulnerability checking has also been improved, along with Remote File Inclusion (RFI) vulnerability checking. RFI checking catches vulnerabilities based on an attacker's ability to inject a file (one not already on the server) into the attacked page and have it included as source code for parsing and execution. Netsparker's PHP Source Code Disclosure checking has been improved as well.

Web applications have been under the spotlight recently, with sites like LinkedIn and Yahoo! suffering security breaches that resulted in login details (including email addresses and passwords) being stolen and posted online. Tools like Netsparker are increasingly becoming "must haves" in the arsenal of web application developers. Netsparker is also unusual in the web application security scanning market in that it includes a built-in exploitation engine to positively confirm the vulnerabilities it reports rather than only flagging suspected ones.

Yahoo's recent security breach, in which details of 450,000 accounts were stolen and posted online, is thought to have occurred because of an SQL Injection attack. Tools like Netsparker can detect various forms of SQL Injection vulnerability. They can also detect Cross Site Scripting (XSS) vulnerabilities, Command Injection (where input data is interpreted as an operating system command) and CRLF injection issues (where attacker-controlled line breaks reach HTTP headers, which can lead to XSS and session hijacking attacks).

Mavituna has published a full list of all the security checks made by Netsparker, and a demo version can be downloaded from its site.

Netsparker Version Released

Mavituna Security Ltd has released a new version of Netsparker, its Web Application Security Scanner. According to the Mavituna Security blog, the new version adds two new security tests and a number of new features, as follows:

New Redirect Tests

This release introduces two new security tests that confirm whether redirects in the web application work as expected. If the application sends a redirect back but keeps processing the page, this generally indicates a bug: the typical cause is a redirect header being issued without the script stopping afterwards, so whatever the page renders after the redirect is sent as the body of the 3xx response. The impact can vary from "Authentication Bypass", when that body is the protected page itself, to a simple forgotten line in the code. Either way, it almost always indicates a bug that needs to be addressed.
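The check that paragraph describes can be reproduced against a local stand-in. The following is an added example, not Netsparker's own code: it runs a small Python HTTP server with one endpoint that redirects correctly and one that redirects but keeps rendering (a constructed stand-in for a PHP script that calls header('Location: ...') without exit), fetches each without following redirects, and reports a "possible" issue when a 3xx response carries more than a stub body and a "confirmed" one when that body contains what an authenticated session receives. The endpoint paths, the session cookie, the page content and the 256-byte stub limit are assumptions made for the example.

```python
"""Detect redirects that keep processing the page.

Added example, not Netsparker code. A server-side script that sends a
Location header but does not stop (PHP header() without exit) still
renders the page, so the protected content is shipped inside the 3xx
response. A client that does NOT follow the redirect can see it.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a protected page (assumed content).
SECRET_PAGE = (b"<html><body><h1>Admin panel</h1>"
               b"<form action='/transfer'>...</form></body></html>")
VALID_COOKIE = "session=valid"                         # assumed session cookie
BUGGY_PATH, FIXED_PATH = "/admin-buggy", "/admin-ok"   # assumed endpoints


class StandInHandler(BaseHTTPRequestHandler):
    """Two endpoints: both redirect unauthenticated users, one keeps rendering."""

    def _send(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if VALID_COOKIE in (self.headers.get("Cookie") or ""):
            self._send(200, SECRET_PAGE)               # authenticated: normal page
        elif self.path == BUGGY_PATH:
            # The bug: the redirect header is sent, but rendering continues,
            # so the protected page goes out as the body of the 302.
            self._send(302, SECRET_PAGE, location="/login")
        else:
            self._send(302, b"", location="/login")    # correct: stop after redirecting

    def log_message(self, *_):  # keep the example quiet
        pass


def fetch(host, port, path, cookie=None):
    """GET without following redirects (http.client never follows them)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    result = (resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read())
    conn.close()
    return result


def redirect_has_body(status, headers, body, stub_limit=256):
    """Possible issue: a 3xx with Location whose body is more than a short stub.
    The stub limit and the <form> marker are heuristics chosen for this example."""
    if not (300 <= status < 400) or "location" not in headers:
        return False
    stripped = body.strip()
    return len(stripped) > stub_limit or b"<form" in stripped.lower()


def redirect_leaks_protected_page(unauth, authed):
    """Confirmed issue: the unauthenticated redirect body contains what an
    authenticated session receives, i.e. the redirect did not stop the page."""
    u_status, u_headers, u_body = unauth
    a_status, _, a_body = authed
    if not redirect_has_body(u_status, u_headers, u_body, stub_limit=0):
        return False
    return a_status == 200 and bool(a_body.strip()) and a_body.strip() in u_body


def scan(paths):
    """Run the stand-in server and classify each path: {path: (possible, confirmed)}."""
    srv = HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        results = {}
        for path in paths:
            unauth = fetch(host, port, path)
            authed = fetch(host, port, path, cookie=VALID_COOKIE)
            results[path] = (redirect_has_body(*unauth),
                             redirect_leaks_protected_page(unauth, authed))
        return results
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, (possible, confirmed) in scan([FIXED_PATH, BUGGY_PATH]).items():
        print(f"{path}: possible={possible} confirmed={confirmed}")
```

Against a real target the "confirmed" comparison is the part worth keeping: a 3xx with a body is only suspicious, since some frameworks emit a short "Redirecting..." stub, whereas finding the authenticated page inside the unauthenticated redirect response is an authentication bypass with no guesswork. Dynamic content (timestamps, CSRF tokens) can defeat an exact substring match, in which case a fuzzier comparison of the two bodies is needed.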

New Features

  • Microsoft Live ID, SSO Authentication Support
  • Vulnerability Summary added to reports
  • Summary Report added to Sitemap. When you click the name of the website being scanned in the sitemap, Netsparker now shows a summary report of the current scan.

Improvements on Security Tests

  • Blind SQL Injection coverage improved
  • Protocol-agnostic Open Redirection checks added
  • LFI security test coverage improved
  • Version information is now automatically added to all Error Based SQL Injection issues
  • New XSS checks added to bypass blacklists

Other Improvements and Bug Fixes

  • A form parsing bug in the Text Parser fixed
  • An error-logging bug in the Blind Command Injection Engine fixed
  • Some URI Based XSS issues were reported multiple times (fixed)
  • Minor bugs fixed in the Detailed and XML Reports
  • Typo fixed in CSV Report
  • Set-Cookie headers were not handled properly in redirects (fixed)
  • Netsparker now supports multiple Set-Cookie headers with the same cookie name
  • Anti-CSRF token support improved for Form Authentication
  • A bug in saving profiles that use NTLM authentication fixed
  • Naming of certain vulnerabilities changed. The new naming uses "Confirmed", "[Probable]" and "[Possible]".
  • Several bugs in JavaScript parsing and Form Authentication addressed

Visit the Mavituna Security website for more information and educational videos.


Source & Picture: mavitunasecurity.com