June 2016 Netsparker Desktop Update – REST API scanning, Report Policies and More

In this update of Netsparker Desktop we introduced RESTful web services support, Report Policies so you can change the way the scanner reports the web security scan findings, several new vulnerability checks and more.

This month we released a major version update of Netsparker Desktop. This blog post gives an overview of what is new and improved in version 4.6 of the only web application security scanner with Proof-Based Scanning™ technology.

Automated Scanning of RESTful Web Services and APIs

Automatically scan and identify vulnerabilities in RESTful API web services with Netsparker Desktop. For more information on Netsparker Desktop support of RESTful web services and how you can scan such web services read Finding vulnerabilities in RESTful Web Services with a security scanner.

Netsparker Report Policy

A Report Policy allows you to customize the way the scanner reports the findings of a web security scan, thus making it possible to fine-tune the scanner so its results match your organization’s security policies. Read Customizing web security scan reports and results for more information on Report Policies.

Use Both Manually Configured and Heuristic URL Rewrite Rules During a Scan

In versions prior to this one, you could either manually configure URL rewrite rules in Netsparker Desktop or configure it to automatically detect the URL rewrites on the target website.

Now it is possible to use both systems during the same scan, i.e. you can configure Netsparker Desktop to try to automatically identify any potential URL rewrites on the target even when you have manually configured URL rewrite rules. Therefore, should you fail to configure some of the URL rewrites on the target web application, or not have their details, Netsparker Desktop will still be able to automatically crawl and scan all parameters for security flaws.

New Web Security Checks

SameSite Cookie Attribute Check: In this security check the scanner will check if the target web application sets the SameSite cookie attribute on the website cookies. The SameSite cookie attribute is used to disable third-party usage of the cookies, thus preventing CSRF attacks.

Reverse Tabnabbing Check: In this security check the scanner will check if an attacker can craft a possible phishing attack through Reverse Tabnabbing, in which a browser tab opened from a trusted source displays an attacker-controlled website and uses window.opener.location.assign() to replace the content of the opening tab with malicious content, potentially tricking the victim into a phishing attack.

Subresource Integrity Checks: In this security check the web vulnerability scanner will issue an alert when Subresource Integrity (SRI) is not implemented or a Subresource Integrity hash is invalid. Subresource Integrity (SRI) is a mechanism that checks the integrity of a resource hosted by third parties such as Content Delivery Networks (CDNs).
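As an added illustration of what the three checks above look for (example code written for this post, not Netsparker's own engine), the following Python audit flags cookies set without SameSite, target="_blank" links without noopener, and third-party scripts whose integrity attribute is missing or does not match the fetched resource; the page host, cookie headers, HTML and resource bodies are constructed samples.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def cookies_missing_samesite(set_cookie_headers):
    # Cookies without SameSite are attached to cross-site requests and so can ride along with CSRF
    return [h.split("=", 1)[0].strip() for h in set_cookie_headers
            if "samesite" not in {p.strip().split("=", 1)[0].lower() for p in h.split(";")[1:]}]

def sri_matches(integrity, body):
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        try:  # unknown algorithms and malformed base64 never match, just as in a browser
            if algo in ("sha256", "sha384", "sha512") and \
               getattr(hashlib, algo)(body).digest() == base64.b64decode(digest, validate=True):
                return True
        except ValueError:
            pass
    return False

class PageAuditor(HTMLParser):
    def __init__(self, page_host, resources):
        super().__init__()
        self.page_host, self.resources = page_host, resources  # resources: url -> fetched body bytes
        self.tabnabbing, self.sri = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("target") == "_blank":
            rel = set((a.get("rel") or "").lower().split())
            if not rel & {"noopener", "noreferrer"}:  # the new tab keeps a usable window.opener
                self.tabnabbing.append(a.get("href"))
        url = a.get("src") if tag == "script" else None
        if url and urlparse(url).hostname not in (None, self.page_host):  # third-party scripts only
            if not a.get("integrity"):
                self.sri.append(("missing", url))
            elif url in self.resources and not sri_matches(a["integrity"], self.resources[url]):
                self.sri.append(("invalid", url))

# Constructed sample: a cookie without SameSite, a link without noopener, a CDN script with no
# integrity attribute and one whose integrity hash does not match the fetched body.
SAMPLE_COOKIES = ["session=abc; Path=/; HttpOnly", "theme=dark; SameSite=Lax"]
SAMPLE_RESOURCES = {"https://cdn.example/lib.js": b"console.log('lib');"}
SAMPLE_HTML = """<a href="https://partner.example" target="_blank">partner</a>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA"></script>"""

def audit_sample():
    auditor = PageAuditor("www.example", SAMPLE_RESOURCES)
    auditor.feed(SAMPLE_HTML)
    return cookies_missing_samesite(SAMPLE_COOKIES), auditor.tabnabbing, auditor.sri
```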

Import ASP.NET Project Files for

You can now import links to a scan from Visual Studio .csproj/.vbproj project files. When you import the project file, Netsparker will parse it to extract the locations of all .aspx, .asmx, .ashx and other files in the project and import them as links to be scanned. At the moment this only works with classic ASP.NET Web Forms projects.

Other Notable Features and Improvements

  • Improved the memory usage thus supporting much larger target websites.
  • Improved coverage of the Local File Inclusion engine.
  • Improved the vulnerability templates by adding product information when a third party web application such as WordPress and Drupal is discovered.

Netsparker 4.6 Changelog

The above is just a highlight of what is new and improved. For a detailed and complete list which also includes bug fixes please refer to the change log of version 4.6.0.11104.