Netsparker, Web Application Security Scanner

The Problem of False Positives in Web Application Security and How to Tackle Them

Robert Abela — Wed, 15 May 2013 10:20:05 GMT

A false positive is like a false alarm; your house alarm is triggered and there is no burglar. In web application security a false positive is when a web application security scanner indicates that your website is vulnerable to a web vulnerability such as SQL Injection, while in reality it is not.

Web security experts and penetration testers use automated tools such as web application security scanners to ease the job of a web application penetration testing. Web application security scanners are used to ensure that all of the web application’s input vectors are tested properly in a fashionable amount of time.

Unaffordable Web Application Security because of False Positives

Web application security scanners are known to report false positives, hence a web application penetration test consumes a considerable amount of time because the penetration testers has to go through all the reported vulnerabilities and verify them by trying to exploit them manually. Because of this, web application security is unaffordable for many businesses.

Unfortunately people working in the web application security industry are accepting the fact that web application security scanners tend to report false positives. So they are trying to learn to live with them rather than pushing security software vendors to develop better web vulnerability scanners. Apart from costs, false positives bring around new problems.

Ignoring the Real Web Application Vulnerabilities

By nature, we humans tend start ignoring false alarms rather quickly. Penetration testers are doing the same in a web application penetration test. For example if a web application security scanner detects 200 cross-site scripting vulnerabilities, if the first 10 variants are false positives the penetration tester assumes that all others are as well and ignores all the rest. By doing so, there chances that a real web application vulnerability is missed are quite high.

Lack of knowledge from Pen Testers means Scanners Report a lot of False Positives

The penetration test of your web applications depends on the knowledge of the penetration tester you hired rather than the capabilities of the web application security scanner. As we have already seen, since penetration testers do not trust web application security scanners they verify every reported web vulnerability the web scanner detects.

If the penetration tester, or the employee using the web security scanner is unable to exploit a particular web application vulnerability due to lack of knowledge or experience, such vulnerability is classified as false positive and will never be fixed.

Web Application Security Scanner vs Penetration Tester

Web application security scanners are not exactly the cheapest software you can buy, but neither are professional penetration testers. Business owners and Chief Security Officer might be wondering which is the best option to secure their web applications; invest in a web application security scanner that can be used by own employees or hire a professional penetration tester? And if we invests in a web application security scanner, do we have the right employee to verify its findings?

False Positive Free Web Application Security Scanner

The most productive and cost effective web application security solution is a false positive free web application security scanner which can be used by any of your technical employees. The benefits of having such a scanner is that web application penetration tests will consume much less time and your employees do not need to have years of hacking experience to verify the results.

Netsparker is the first web application security scanner on the market that is shipped with an exploitation engine which is automatically triggered when a web application vulnerability is detected. Exploitation is safe and read-only, so there is no chance of corrupting data or disrupting the website service because of it. Upon finding a vulnerability Netsparker automatically tries to exploit it and if it manages, it means that the vulnerability is definitely not a false positive. Netsparker will clearly report it to the user, so user can trust the results and doesn’t need to spend time to confirm it manually.

With this type of proactive and heuristic web application security scanning businesses do not need to hire expensive penetration testers to verify the findings of a web application security scan. Any developer taking care of your websites and web applications can quickly launch a web application security scan with Netsparker, analyse the findings and fix vulnerabilities.

Businesses Need Automated Web Application Security Scanners to Detect Web Vulnerabilities

Robert Abela — Wed, 08 May 2013 14:36:05 GMT

Some web security experts state that automated web application security scanners are not a good enough solution to secure your websites and web applications because they do not detect all web vulnerabilities.

As a matter of fact automated web application security scanners will find technical vulnerabilities such as SQL Injection and Cross-site scripting (XSS), but they cannot detect logical vulnerabilities. Having said that, on the contrary to what web security experts say, online businesses still need to invest and use web application security scanners to scan and secure their websites. Let’s take a look at some statistics and other web application security documentation to find out why.

OWASP Top 10

OWASP is a non profit organization which advocates web application security awareness. After analysing statistics of web application hacking attacks happening all over the world, OWASP publishes a list of the top 10 most critical web application security risks, i.e. the most commonly exploited web vulnerabilities.

The most common technical web application vulnerabilities detected by Netsparker, such as SQL Injection, Cross-site scripting, Injection Flaws, Invalidated Input etc have made it to all of the OWASP Top 10 lists which were released in 2004, 2007, 2010 and 2013.

Statistics of Hacked Websites

Each year, companies such as Verizon release an end of year report which includes statistics about the hacking incidents that happened throughout a particular year. From the 2013 Verizon data breach report we can see that 52% of the data breaches happened through web application hacking. Most of such attacks were successful because a technical vulnerability such as SQL injection was exploited.

Last year several other reports were released by well known brand names, such as Barclays, where they claim that more than 90% of the hacking incidents and data breaches are due to SQL Injection.

Current Web Hacking Attack Trends

Security firm Firehost just released its Q1 2013 web hacking attacks statistics where they detail the type and numbers of the most dangerous hacking attacks blocked by their firewalls. Cross-site scripting vulnerability attacks ranked first, amounting to 40% of all attacks. SQL Injection vulnerability attacks have had the second most significant increase in frequency when compared to last year.

Web Application Security Reality Check

One thing that we cannot deny is that low hanging fruit technical web vulnerabilities such as XSS and SQL Injection are still the most commonly exploited vulnerabilities. A web application security scanner such as Netsparker will detect these web application vulnerabilities in your websites and web applications and help you secure them.

Logical vulnerabilities should not be ignored, but as seen from the statistics these are rarely exploited. My recommendation is to first focus on the obvious; fixing of technical web application vulnerabilities. Hackers use automated tools to scan large number of websites every day and detect technical vulnerabilities to exploit them, so that is what they are going after first. Once the technical vulnerabilities have been addressed, then you can proceed and fix the rest.

What is new and what changed in OWASP TOP 10 2013

Robert Abela — Thu, 02 May 2013 09:18:45 GMT

Do you use the Open Web Application Security Project (OWASP) Top 10 Project as part of your web security testing program? If not, now’s a great time to get on board. There’s a new version coming out for 2013 that can be an invaluable resource.

The OWASP Top 10 is a consensus of the most critical web application security-related risks. It provides a good framework on the issues to avoid when developing web applications as well as what to look for when testing for security weaknesses.
Currently in the release candidate stage, the OWASP Top 10 2013 has been tweaked to further enhance the web application security cause. Notable changes and improvements include:

Broadening of URL access control flaws to now include actual application functions
Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side
Addition of a new category of flaws ‘Using Components with Known Vulnerabilities’ to include add-on and third-party software components (a common issue that’s often overlooked in development and security)
Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws

OWASP Top 10 2013

The new OWASP Top 10 of 2013 currently reads as follows:

Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards

Use the OWASP Top 10 as a good resource for guidance around web application vulnerabilities. Just know that your mileage is going to vary when it comes to actual web security findings and what needs to be (or can be) done to fix the issues. Some security flaws you uncover pose real business risks. Some may exist but not matter in the grand scheme of what you’re doing. Other flaws appearing in the OWASP Top 10 will be non-existent. Your situation is unique and every application you look at is unique. Focus on what matters for your business.

The OWASP Top 10 is great for developers and QA professionals. It’s good for IT and information security. Most importantly, it’s good for business. The important thing is to leverage the OWASP Top 10 in the spirit of which it’s intended. It’s a free, yet invaluable, resource.

Go Beyond the OWASP Top 10 for a Complete Web Application Security Audit

Even though the OWASP Top 10 is an invaluable resource which one should follow when auditing a web application, you should not focus on finding web application vulnerabilities which are listed in this list only. The OWASP Top 10 list is to be used as a guideline and contains only the most critical vulnerabilities. There are many other web application vulnerabilities which could be exploited by hackers. Scan your websites and web applications with a web application security scanner such as Netsparker to uncover all other web application vulnerabilities your portals might have.

Are Hackers a Step Ahead? An Analysis using Web Application Vulnerabilities

Robert Abela — Tue, 23 Apr 2013 14:10:23 GMT

If you have been involved in the IT industry you’ve definitely heard the myth that hackers are always a step ahead. It seems it is the truth because hack attacks are on the increase. Follow some of the popular IT news websites and you will read about hacked websites and stolen credit card numbers almost on a daily basis. Even if you are a home user, your friendly computer shop technician warned you to stay away from malware, viruses and hackers.

Businesses shifted most of their operations online and now they are depending on websites and web applications more than ever. Hackers know very well that most businesses do not invest in secure development and web application security and they take advantage of such fact and hack them.

I personally do not agree with the myth that hackers are always a step ahead. I think that the IT industry is way behind from where it should be. I am using the results of hundreds of web application security scans performed with Netsparker web application security scanner as an example to show that the IT industry can do much better in terms of security.

Security Scanning of Open Source Web Applications

As part of the quality assurance tests and to improve the web vulnerability detection rate of false positive free web application security scanner Netsparker, our engineers launch thousands of web application security scans throughout the year against test websites. Some of these websites are built using popular open source web applications, such as Joomla, Twiki, Blog Engine .NET and TomatoCart.

What Type of Web Applications were Scanned with Netsparker?

From the below numbers we can get a better overview of how many open source web applications were tested, with which web application framework they were built and what database backend they use.

235 open source web applications scanned
183 are built with PHP
31 are built with ASP (Classic, .NET and MVC)
21 are built from a variety of other web application frameworks
183 use MySQL as database backend
29 use Microsoft SQL Server as database backend
23 use other database backend, such as PostgreSQL etc

Web Application Vulnerabilities in Open Source Web Applications

The results of the web application security scans of 235 open source web applications are quite shocking; 181 unique web vulnerability types were detected in 127 vulnerable open source web applications. Below are some statistics about the discovered web vulnerabilities:

107 Reflective Cross-Site Scripting vulnerabilities
17 Blind SQL Injection vulnerabilities
13 Boolean SQL Injection vulnerabilities
9 SQL Injection vulnerabilities
6 Permanent Cross-Site Scripting vulnerabilities
2 URI based XSS
Other discovered web vulnerabilities were a variety of command injection, command execution, HTTP header injection etc.

Different variants of SQL Injection and Cross-Site scripting vulnerabilities are still the most predominant web vulnerabilities. They sum up to 85% of the reported web vulnerabilities. When you consider that these 2 web vulnerability variants are considered as low hanging fruits vulnerabilities, and both of them were listed in the OWASP top 10 for the last decade, you would not expect to see them doing better than Lady Gaga does in the music charts!

The Aftermath: We are not Doing Enough to be One Step Ahead

Netsparker web application security scanner discovered both high and critical web vulnerabilities in around 54% of the tested open source web applications. Out of the 181 reported web application vulnerabilities, only 35 were fixed until today (23/04/2013). The other 146 zero day vulnerabilities in 127 open source web applications discovered by Netsparker are still not fixed. Therefore any website or blog running on such web application can be hacked since it has known security issues.

Web Application Security is a Must!

The whole point of this article is not to point fingers at someone and nor is to instigate some sort of an endless “open source vs closed source” debate. I am sure that if Netsparker engineers had the opportunity to scan closed source web applications with Netsparker web application security scanner they would still surprise us with the number of vulnerabilities Netsparker would detect.

The whole point is that everyone in the IT industry, from testers and developers to web masters and executives, still got a lot to learn about web application security if we want to be a step ahead of hackers. Non profit organizations such as OWASP, the PCI Security Council and security vendors such as Mavituna Security have been advocating web application security for years and hacking attacks are still on the rise. Unfortunately many web application development companies and communities from both sides of the globe, businesses and website owners are still not listening to what web application security experts are saying.

List of Scanned Applications and Vulnerabilities

List of all scanned applications and details of vulnerabilities if the relevant advisory is published.

Netsparker 2.5.3 - Equinox Release

Onur Yilmaz — Thu, 21 Mar 2013 13:47:53 GMT

This is a minor update to Netsparker Standard/Professional editions which contains bug fixes and user interface enhancements for form authentication. We have fixed a critical bug where Netsparker was failing to detect logouts when form authentication is configured (especially for the scans that use keyword-based logout detection signature).

We have tried to increase the usability of the Configure Form Authentication wizard in this release. On the status bar of the wizard, we have placed a breadcrumb widget where it shows all the steps of the process and also highlights the current step you are at:

On the first step of the wizard, we have included some mockup images that tries to illustrate the kind of web page URLs we are expecting the user to enter:

Second step of the wizard now contains a familiar user interface idiom on upper-right corner of the window, a camcorder recording animation. The user should now have a better feeling that any operation performed on this step is recorded:

And the third step (a.k.a. the playback phase) of the wizard has enhancements to keyword-based logout detection user interface. We have placed indicators right beneath the browser panes. While you are typing the logout keyword, it is matched to logged-in and logged-out views and the indicators update accordingly. You should make both of these indicators show green, as you know, green means go!

Security Check Improvements

Vulnerability database with new version checks

Bugs Fixed

Fixed a potential null reference exception on logout detection
Fixed a bug where session export confirmation isn't displayed while quitting application
Fixed a text parser issue happens when the page contains an option element without any value

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.5.3.

Netsparker 2.5 Released

Onur Yilmaz — Mon, 18 Feb 2013 11:32:28 GMT

Integration with Bug Tracking Tools and Send To Feature

Integrating Netsparker to other systems was one of the most requested features. We have tried to solve it by introducing this so called Send To feature. The idea is similar to the Send to file context menu item of Windows Explorer where you right click a file and send it to one of the predefined targets like Mail Recipient, Desktop, etc. Whereas in Netsparker, you can now right click a vulnerability on Sitemap or Issues panel and send it to a bug tracking system like FogBugz. With this version we are going to ship two Send To targets for popular bug/issue tracking systems FogBugz and JIRA. One of the best parts of this feature is that it is extensible and you are free to add your own target system with a bit of coding. There is an API for this feature and also we have a small tutorial to get you started.

HTTP Strict Transport Security (HSTS) Test

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. If your web application uses HTTPS and doesn’t take advantage of HSTS (or misconfigured), Netsparker will report this. You can read more about HSTS on ScanToSecure blog.

Generate Exploit Feature

Sometimes it’s nice to have a proof of concept for issues like Cross-site Scripting. This new feature allows you to generate an HTML Proof of Concept file to exploit an XSS identified by Netsparker just by clicking the Generate Exploit button, so you don’t have to spend your valuable time to this.

OWASP Top Ten Report

Ask and you shall receive! We now include one of the most requested report templates. You can see if your scan has vulnerabilities that are listed in OWASP Top Ten vulnerability list.

Windows 8 Certification

As of this version, Netsparker meets all the Windows 8 client app certification requirements and officially entitled to use Windows 8 Compatible logo.

Performance Improvements

Netsparker now keeps track of all responses and won’t run unnecessary checks more than once when the response is exactly same. This is enabled by default, can be disabled using Advanced Settings.

In certain websites this will significantly decrease the CPU load and will improve the performance of the scan.

New Security Checks

Shell Script Found detection
XHTML XSS Attack
Database Connection String Found vulnerability
Possible Administration Page Found Issue
UNC Server and Share Disclosure

Security Check Improvements

Vulnerability database with new version checks
Oracle admin check
SSN checks
ASP.NET detection
Elmah detection
Basic Authorization Required detection
Internal Path Leakage detection
File Upload Functionality detection
Generic E-Mail Address Disclosure detection

Other Improvements

Improved vulnerability templates by fixing typos and adding more reference/remedy content
Low quality icons on settings window
Settings windows by adding links to file/folder references on disk
API docs and User Manual
Settings user interface
Scan control by removing the Stop button and implementing a dirty tracking mechanism
Scan scheduling and added support for blank passwords
User agent selection behavior on HTTP Request settings screen
Reliability of session auto save
The naming consistency of vulnerabilities
Information, confirmation and error messages now uses Task Dialogs instead of regular Message Boxes

Bugs Fixed

A bug occurs on component dispose
The issue of momentarily black UI portions when minimized main window is restored
Long parameter value issue on Detailed Scan Report by trimming long values
A bug where Netsparker fails to open scan files (.nss) where extension contains upper-case letters
The broken text foldings on text editor for XSS vulnerabilities
Double encoded HTML output responses in Permanent XSS vulnerabilities
An issue with Burp importer where some files weren't recognized before
Wrong tab orders on various UI controls
A character encoding bug in SQL Injection Exploitation
A scan scheduling bug which occurs on non-English operating systems
Configure Authentication wizard recording step fixed and now it uses the configured user agent string on requests
JavaScript/AJAX parser fixed and now it uses the configured user agent string on requests
An issue which plays navigation sounds on systems where Explorer navigation sound is enabled
The incorrect CWE assignment of Invalid SSL Certificate vulnerability
An issue where retest was failing on first attempt

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.5.

20 Percent Time

Hüseyin Tüfekçilerli — Thu, 03 Jan 2013 12:35:32 GMT

For the last few months we have been experimenting a slightly modified version of Google’s “20 percent time” policy here at Mavituna Security and it seems to be working quite well.

“When you're hired at Google, you only have to do the job you were hired for 80% of the time. The other 20% of the time, you can work on whatever you like – provided it advances Google in some way. At least, that's the theory.”

Today I want to share our experience in this blog post.

Pet Projects

Google has pioneered this policy but later on, other companies like Apple (Blue Sky Project) and LinkedIn (InCubator Program) has adopted similar strategies to give their workers chance to work on projects that will somehow advance the company and also make the employees enjoy what they do. With the same spirit our employees are also free to work on what they are pleased to work on their 20 percent times. These pet projects could be:

A utility application not directly related with our business domain but will make our daily lives easier (see FogBugz Pivot)
A proof of concept work that would replace some inner machinery in Netsparker with a better design
A security research on a cool emerging technology that would eventually be integrated into Netsparker
A minor, low priority fix/enhancement to Netsparker which would never be implemented otherwise (We have these tasks marked with “Implement If Time” priority level and as you may have guessed, we do not implement much of those)
A blog post like this one

Members of the team should submit a brief description about what they are working on now or may just reveal a code-name of their project with no extra description to make other team members curios. You may form pairs/teams to work on a project too. We then schedule a day where we are presenting each other what we have done. We are currently experimenting a time frame like 2 months to do these presentations so every 2 months you should come up with something to present to the other team members. We are not expecting that every pet project should succeed with great results, we are seeing these as experiments and gathering the failure reasons is also valuable as succeeded projects.

My personal experience shows that the time I have spent for these kind of pet projects go beyond the 20% of my time at Mavituna Security and I find myself working on these projects in the evenings, at the weekends. You can guess how it feels better when you are working on a project that you enjoy as opposed to working on that damn dreaded finance report feature. Also having flexibility on feature set and technologies you use, you feel more free while you are developing.

Friday Techies

This is another thing that we spend our 20% time on, but this time collectively. On Fridays, we spare one hour or so to watch training videos on topics where we feel team members have lack of knowledge. During these sessions, we stop the video and having discussions on the topic and sharing ideas. This helps us to make sure all team members are on same page for that topic. If you are already familiar with this topic, you are getting more insight while you are trying to explain it to your peer and answering their questions. These sessions collectively increase the technical knowledge of the team and helps us to consume the training materials we have subscribed which otherwise would stay untouched.

For the time being, although it is too early to say, this strategy seems to be working for us and suggest you to give it a chance.

Netsparker 2.4.5.0 - Windows 8 Support

Onur Yilmaz — Wed, 19 Dec 2012 10:44:31 GMT

If you are not living under a rock, you should have noticed that Microsoft has released the latest version of Windows by the end of October this year. Terribly ashamed to admit, due to a third party component incompatibility, Netsparker couldn’t run on Windows 8. Finally, we have fixed the issue and are proud to announce that latest release of Netsparker running on Windows 8.

Vulnerability Database Update

This release also contains updates to our vulnerability database. We have added vulnerability checks to detect more version vulnerabilities for the latest versions of PHP, Apache, MSSQL, MySQL, Tomcat and OpenSSL.

Other Fixes

Fixed a typo in “Scanned URLs List (CSV)” report.
Fixed tab key order on “Schedule a Scan” dialog.

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.4.5.0.

Netsparker 2.4.2.0 - Chrome Style Updates

Onur Yilmaz — Wed, 05 Dec 2012 13:09:19 GMT

If you used Chrome browser you know how great its update system is, just like you we love that feature of Chrome, so we implemented a similar seamless update system for Netsparker. It’ll update what’s only necessary and install in the background without requiring any extra steps or clicks. This is an important step for the future of Netsparker, as this will allow us to push much more features to you without waiting too long.

New Error Reporting and Help Desk Integration

This is one of those things we hope you’ll never, ever see!

We provide really extensive and quick support and proud of it. To make it even better if Netsparker crashes on you now you see an interface which will attempt to look for a known solution and show you the solutions for that problem. If there are no known issues or the problem hasn’t solved for you after trying you’ll able to create a help desk ticket from Netsparker and our support team will get back to you swiftly.

Custom HTTP Headers

For those special applications or any interesting setup now you can add custom HTTP Headers to all requests done by Netsparker.

New Security Checks

Possible Windows Username Disclosure vulnerability detection
LigHTTPD Directory Listing vulnerability detection
Nginx Directory Listing vulnerability detection
LiteSpeed Directory Listing vulnerability detection
Generic Email Address Disclosure vulnerability detection (Now Generic Email Address Disclosure and Email Address Disclosure reported separately)
LigHTTPD Version Disclosure vulnerability detection
Nginx Version Disclosure vulnerability detection
SharePoint Version Disclosure Detection
IIS 8 Default Page Detection
Struts2 Development Mode Enabled Detection

Security Check Improvements

Highlighting added for Out of Date vulnerabilities
A new ASP.NET XSS bypass
New LFI (Local File Inclusion) checks
Improved Apache version matching
Improved HTTP Header Injection engine
Improved Unix Internal Path Leakage detection
Improved vulnerability reports by fixing typos and improving the language used
Improved Social Security Number vulnerability detection
Improved XSS engine where an extra slash character was causing problems

Other Fixes & Improvements

Lots of new default form values added. This can be configured from “Settings > Form Values”
Decreased the amount of request done by stripping unnecessary URLs produced by Netsparker attacks
Improved binary detection
Improved Detailed Scan Report where it handles long non-breaking lines better
Improved Configure Form Authentication wizard to exclude monitoring unrelated requests
Improved extensibility API where headers now can be accessed via keys (header names)
Improved Target URL text box in Start a New Scan dialog where it no more auto fills the email address in the clipboard
Improved Detailed Scan Report code by slightly refactoring
Improved User Manual documentation
Improved splash screen which no more steals focus
Fixed some external links in XSS documentation
Fixed a resource deployment bug which causes file access violations
Fixed a bug in JavaScript / AJAX Parser
Fixed Unicode non-breaking space character issue for report templates
Fixed intermittent TypeLoadException for ExtensibilityDelegateCollection bug
Fixed visual glitches seen on higher DPI settings
Fixed the incorrect behavior when Microsoft .NET Framework 4 Client profile is used. Netsparker will only launch on Extended edition
Fixed InvalidOperationException error while trying to generate a Crawled URL List report during a scan
Fixed "Token substitution failed." error when an HTTP request fails
Fixed a bug which crashes Netsparker when “Trebuchet MS Regular” style font is not installed
Fixed "InvalidOperationException: Stack empty." bug in Crawler
Fixed .NET URI decode bug occurs while unescaping path dots and slashes
Fixed a bug where the ViewState is highlighted wrong on the GUI
Fixed a bug where starting a new scan crashes Netsparker with NullReferenceException
Fixed a bug where Form Values settings grid was reporting an unexpected empty field error
Fixed a bug where regular 404 pages are added to Sitemap when Custom 404 is disabled
Fixed URI parsing bug caused by mailto: links
Fixed a bug which happens when you try to open Start a New Scan dialog while Netsparker is loading
Fixed Anti-CSRF token extraction when multiple forms exist in a page
Fixed a bug where false-positive "Redirect Body Too Large" vulnerability is reported when url location is double-encoded in body
Fixed an issue where "JavaScript / AJAX Parser" was making requests to image resources

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.4.2.0. Your next update will be delivered by the new seamless update system.

Reinventing Our Freemium Model

Tim Coulter — Tue, 11 Sep 2012 10:22:52 GMT

There's been plenty of discussion among the startup community about the pros and cons of the Freemium business model. Some declare it to be a resounding success, whilst others see it as a dismal failure. And, somewhere between these two extremes lies the notion that it all depends on you.

From our perspective, Freemium has proved to be a trusty servant and a key element in our growth. It helped us to gain early traction when we launched our business two years ago. Since then it has underpinned our brand-building and SEO activities delivering a regular and a valuable stream of willing buyers to our order page as well. To date, the free Community Edition of Netsparker has been downloaded over 175,000 times and, on any average month, we see an active user base of almost 15,000.

But despite our unreserved praise for what Freemium has given us, we are about to tear up the score card and start again. Why? Because we observed directly from our experiences that we can do even better.

Warning: This is a long post. It tells the story of how we got here and why we think we can re-work our Freemium formula for even greater success delivering much more value to our free users. Only time will tell whether we're killing the sacred cow. However, succeed or fail, we'll surely post an update and let the stats speak for themselves. If you're curious whether this experiment has a happy ending, then subscribe to our newsletter!

The Story So Far

Back in late 2009, our business was just like every other early-stage startup: an enthusiastic team with a big idea and no customers. Like any new entrant into an established market, Netsparker had a mountain to climb. And, when you're up against competition like IBM and HP, that can be an overwhelming challenge.

With a limited marketing budget and a product that nobody had ever heard of, we knew we needed to do something different to set ourselves apart. Freemium was not a new idea, even then, but it certainly wasn't commonplace in our niche, where the incumbent vendors were firmly rooted in all the old ways of the enterprise sales model.

So we decided to take a risk and see what we could achieve by giving our product away.

From the outset, our main concern was to decide on the restricted elements in the free edition. We were committed to the principle that it should be genuinely useful in its own right; not simply an upsell device. But, aside from the warm feelings we got from fulfilling an obvious need in our community, our commercial instincts were also focused on leveraging that tiny subset of free users with bigger expectations (and budgets).

Don't Give Away the Store

Most Freemium strategies entail restricting features or limiting usage capacity, but we had an additional dimension to experiment with; coverage.

When Netsparker scans a website, it tests for lots of heuristic security checks for vulnerabilities. The user receives a detailed analysis of every detected vulnerability along with the background information about its implications and its remediation. It is this comprehensive detection and resolution capability that makes Netsparker so valuable in addition to the productivity features that make it easy and fun to use.

We recognized that we could safely remove many of the bells and whistles, but we hesitated before crippling the detection algorithms that were central to Netsparker's role. Apart from compromising our "genuinely useful" principle, this would mask some of Netsparker’s most impressive capabilities and effectively undersell our value proposition.

After much debate within our team, we reached the conclusion that we had no choice but to ship the free edition firing on all cylinders.

A Necessary Compromise

In addition to disabling a number of non-essential features, we carefully reviewed the coverage list and selected a subset of vulnerabilities that would be masked in the free edition.

This selection process was guided by the desire to strike the right balance between utility and temptation. If Netsparker reports one or more serious vulnerabilities in a typical scan, most users become convinced about its detection capabilities and are also intrigued by the possibility that their website has other (more serious) vulnerabilities that might be detected by the premium editions.

Furthermore we refined this approach by reporting some vulnerabilities conditionally. For instance, we chose to report SQL Injection - probably the most common and dangerous vulnerability - but only on the lower-end database platforms (MySQL and MS-SQL). Our reasoning was that, if you can afford Oracle, you can probably justify the investment in Netsparker Standard Edition.

And so it was that we launched the inaugural version of Netsparker Community Edition in April 2010, with a coverage policy that has remained almost untouched ever since.

Return to Core Principles

As we pondered and debated our plans for the latest version of Netsparker, we wondered whether there was a better way to restrict the free edition.

Despite the obvious need for a Freemium strategy that masks certain vulnerabilities, we never felt completely comfortable with its security implications for users. In the words of one of our skeptical team members, “it's like locking the doors of your house and leaving the windows open”.

However, we realized that we had acquired a mass of data since we took our very first shots in the dark and that we could use this to create a better Community Edition; one that delivers more to its users and, at the same time, returns more to its creators.

From our own extensive studies and publicly available data such as Whitehat Website Security Statistics Report, we know that the vast majority of websites has at least one detectable vulnerability and a worrying number (upwards of 30%) have one or more critical security flaws – the kind that could wipe out a business. Thus we set about crunching the numbers, aiming to devise a new and a bolder coverage strategy.

As a result, the latest version of Netsparker Community Edition takes a completely new approach to the coverage that is expected to come as a pleasant surprise for users. It will also, hopefully, bring us some karma points and maybe even some additional sales.

Whereas all previous Community Edition releases offered only a subset of the vulnerability coverage of the paid editions, v2.3 will test and report the complete range of vulnerabilities. Some vulnerabilities will have certain details masked, such as the information that helps users to pinpoint their source and resolve them, but all detected vulnerabilities will be identified.

Long story short, if Netsparker reports no vulnerabilities, then none is detected, not because it masked some of them, as it did previously. This is important to us, because we don't want any of our users to spend money on an upscale edition of Netsparker and discover that it brought them no additional benefits.

Aside from the ethical merits of our new approach, we also expect it to have a significant marketing benefit. Since we know that virtually every website has at least one vulnerability and since Netsparker now reports them all, every Community Edition scan is a potential upsell opportunity.

We are anxious to observe the real impacts of this reasoning in the coming months. We’ll post an update as soon as the numbers are conclusive, so be sure to subscribe.

Netsparker Community Edition is Back!

Zubeyr Dereli — Wed, 29 Aug 2012 13:34:07 GMT

We announced Netsparker Community Edition in early 2010. Security community loved it, however we weren’t sure about supporting it as we couldn’t figure out the consequences in the long term. You know, giving that much of Netsparker for free! Risky business.

Download Netsparker Community Edition now

Therefore we haven’t updated it so frequently as Netsparker Professional or Standard. From the time we released Netsparker CE 1.7.2.13 till today, 6 significant updates were provided for commercial versions but nothing new on the Community Edition.

After careful consideration we decided to keep Community Edition up to date with Professional and Standard. You might still see up to a month delay on Community Edition updates however it’ll get updated sooner or later.

I’m happy to announce the new version of Netsparker Community Edition. It has tons of improvements compared to 1.7.2.13 as we fixed pretty much all known issues.

No registration required, no strings attached! Use it for free; if you like, you can always upgrade to Netsparker Standard or Professional.

Download Netsparker Community Edition - Free Web Application Security Scanner

Netsparker 2.3.0.0 - Fast but not so Furious

Zubeyr Dereli — Thu, 23 Aug 2012 14:55:25 GMT

Performance Improvements

We are constantly trying to improve the performance of scans and day by day Netsparker gets better. Now that we have optimized the crawling, Netsparker will eliminate useless links during the crawling and recursive attacking. You will definitely notice the difference in practice. Scans will do less requests and you’ll get the results earlier.

PDF Reporting Improvements

New PDF reporting code allows you to generate hundreds of pages in less time with less memory consumption. So you can get that 500 pages report without any problems.

We also addressed some minor issues and improved the design of detailed scan reports, added lovely bookmarks to PDF reports.

Other Improvements / Changes

Custom cookie input now accepts more formats, so you can simply copy & paste from your proxy or write it manually.
Highlighting improved in many vulnerabilities, so you’ll spot the problem much quicker for almost all vulnerabilities.
A parsing issue addressed in pages with multiple forms.
TRACE/TRACK checks improved.
Local File Include checks and coverage improved.
GUI fixes for high DPI setups.
Fixed tab order for Authentication checkboxes on Start a New Scan dialog.
Several templates improved, better remediation and description sections.
Fixed a known DLL loading issue when Netsparker shortcut doesn’t start in Netsparker application directory.
Various minor bug fixes and improvements.

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.3.0.0

Netsparker 2.2 at Your Service

Zubeyr Dereli — Thu, 19 Jul 2012 08:57:33 GMT

In this release we focused mostly on performance of Netsparker to scan bigger websites, faster with less CPU consumption.

Input injection points improved in all engines so Netsparker will find more vulnerabilities in places such as HTTP Referers. We significantly improved some security checks and as usual kept improving the user experience.

Faster & Better

Makes less requests for crawling web application without sacrificing the coverage.
Requires less CPU.
Ability to handle huge websites and survive very long scans with no trouble or performance hit.

Security Check Improvements

Now Netsparker identifies common publicly accessible installed web statistic applications.
Remote Code Evaluation checks improved and checks for Perl Remote code Evaluation added.
LFI attacks improved.
RFI attacks improved.
Compliance mapping references for lots of vulnerabilities updated.
Internal Path Leakage checks improved.
Detection for WS_FTP Log File added.
Readable Web.Config File check added.
PHP Source Code Disclosure check improved.

Reporting

Compliance mapping references for lots of vulnerabilities updated.
2 new CSV reports added, “Crawled URLs List” and “Scanned URLs List”.
Certainty added to XML reports.

Other Changes

Now Netsparker uses 2 files to store saved sessions. .NSS and .NDB you need to save both of these files if you want to open the scan later on or move to another computer.

Fixes & Improvements

Silent command in CLI now suppresses host connection errors as well.
%time% and %date% in CLI renamed to [time] and [date] to avoid conflicts when used with batch scripting.
Highlighting in the GUI for several vulnerabilities improved.
Netsparker handles documents directory in network locations better.
A rare crash that about resource deployment addressed. This was especially happening in first run.
Import Links feature now works better, duplicate link bugs addressed.
Autopilot mode now chooses “Detailed Scan Report” by default when a report type is not selected.
A minor bug about PDF report generation addressed. We are aware of some performance issues in the PDF generation. We'll address this in the next release.
Improved Visual Studio debugger support for user scripts.
Now it's possible to bind Netsparker's internal proxy to all interfaces, so you can connect to it from other computers.
A bug about URL based attacks addressed. This was causing Netsparker to miss some attacks for some directories.
Vulnerability detail pages improved.
A critical bug in Manual Crawl (Proxy Mode) addressed. It was missing some POST requests.
Explicit SSLv2 support added for proxy and normal scans. This can be accessed via Advanced Settings.

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check for Updates" to update to Netsparker 2.2.0.5

Pentesting Conference - Netsparker Giveaway

Zubeyr Dereli — Wed, 04 Apr 2012 08:55:57 GMT

Netsparker are proud to be sponsoring an educational ethical hacking conference 10th April at 4pm CET (1200 EST) -http://mile2.com/webcast.html

Learn how professional pentester Tom Eston breaks into Casino's and Banks and listen to Richard Stiennon, (who is the most followed security expert on Twitter, Linkedin and is widely quoted in the press including The Wall Street Journal, Financial Times and USA Today).

Our last speaker, Kevin Henry will present: a "Discussion on Persistent Advanced Threats Hacking in 2012."

We are giving away a free Netsparker subscription (winner to be announced during the show.

Participation is completely free - http://mile2.com/webcast.html

See you there and good luck with the competition!

5 Lessons Learned From our Groundhog Day Software Release

Tim Coulter — Thu, 02 Feb 2012 16:35:54 GMT

For over six months, we’ve been toiling to create the latest version of Netsparker. It didn’t start out as a six-month timeline - our development cycles are usually two to three months. But along the way, we seduced ourselves into adding a couple of unpredictably complex features and, before we realized what was happening, the holiday season was approaching.
Cautious about our announcement going unnoticed in all the pre-Christmas noise, we decided to postpone it until January 3rd, hoping to take advantage of a few days of much-needed rest and looking forward to starting the new year with a bang.

We’re fanatical about product quality, so we go to enormous lengths to avoid pushing a release that contains any embarrassing bugs. In addition to unit testing, we exercise every build against a rig of more than 2000 functional tests that simulate real-world use cases. And then, in the final week before publication, the entire company (including all the non-tech staff), has the pleasure of dogfooding Netsparker until they’re ready to scream.

Unfortunately, for Netsparker v2.1, this “final week” has lasted for more than a month. Time after time our hopes were dashed just minutes before pushing the button as we discovered yet another frustrating edge case. Every day, we awoke with the carried-forward depression and uncertainty of yesterday’s latest failed attempt. And every evening we simply confirmed our own sense failing by carrying forward yet another set of unsolved clues.

We have to acknowledge that some of our problems were self-inflicted, mostly by trying to cram just a little too much into a development cycle and occasionally by working when what we most needed was sleep. But the real pain, and the most significant reason for our lost month, was caused by fleeting issues in our 3rd party technology stack that occurred only in the most unlikely combinations of circumstances.

Building a software product can be a joy, but when you factor in the unexpected effects of externals tools, life sometimes becomes unpredictable. We use 3rd party components for licensing, obfuscation and deployment (among many others) and we usually expect these to play nicely together. But, when you have a bug that only occurs on a licensed, obfuscated, release build, and only when installed on a particular platform in a particular culture (and then only intermittently), tracking it down can become a nightmare

There was no single moment of epiphany that ended our ordeal; it was resolved only after an arduous campaign against a seemingly endless list of unrelated issues. Here are some of the painful lessons we learned along the way:

1. A chain is only as strong as its weakest link
As developers, we are accustomed to using external libraries that solve problems outside of our domain of expertise. This is a great time-saver, but it can leave us dangerously exposed to the mistakes of others.

2. Every black box added to a project compounds its complexity
Debugging our own code is (usually) easy. Getting past bugs in other peoples’ closed-source libraries is more of a challenge. But the real contest starts when you have several black boxes, each adding its own anomalies to the equation. In our case, we reached the point were every member of the team was able to offer unsubstantiated theories about what was going wrong, but nobody could prove a thing.

3. Due diligence goes way beyond product appraisal
When you use a 3rd party product as a core component in your application, you are at the mercy of the vendor. We know that we have made a poor decision in the choice of one of our components, not because the product is bad, but because the vendor’s support sucks. Replacing this component is likely to be a top priority in the future, except for one important detail …

4. Quick and easy choices can have exorbitant switching costs
As much as we’d love to dump our nightmare component vendor, we’re stuck with them for the long haul, because doing so would break compatibility across our entire user base. What started as an easy decision to buy a relatively insignificant component has turned into a major hindrance in our development process and one that adversely biases our strategy in so many ways.

5. If it ain’t broke, don’t upgrade it
In addition to our 3rd party component nightmare, we added to our own problems by upgrading not one, but four major platform / architecture components in the same development cycle. Needless to say, when we were knee deep in uncertainty, it was so easy to speculate about which of these changes might have been a contributory factor. Of course, every bad decision is so obvious with hindsight.

Despite the anguish of the last month, we eventually won through and Netsparker v2.1 earned a clean bill of health this morning.

During our interminable period of pre-release, team emotions occasionally ran high and our resolve was tested almost to breaking point, so it was inevitable that somebody would eventually throw in a wisecrack about Groundhog Day. But who could have predicted that, after more than 40 days of iterating the debug-fix-test loop, Netsparker would finally be deemed fit for purpose and released to the waiting world on February 2nd - the real Groundhog Day.

Happy Groundhog Day!

Announcing Netsparker 2.1

Tim Coulter — Thu, 02 Feb 2012 10:06:57 GMT

After a longer-than-usual development cycle, Netsparker 2.1 is finally ready to ship. This release marks some fundamental enhancements to Netsparker’s internal architecture and not only brings with it an enticing selection of new security and productivity features, but also lays the foundation for many more innovations in the pipeline.

All-new Authentication System

Prior to version 2.1, one of our users’ greatest pain points was trying to scan web applications that use complex form authentication mechanisms. Although Netsparker was capable of automated login, it lacked the flexibility to handle difficult scenarios like multi-step authentication, single-sign-on, 2-factor authentication and CAPTCHA.

We recognized that this challenge needed a radical solution, so we re-engineered our authentication architecture from scratch. Netsparker now uses a built-in HTTP macro recorder to faithfully capture every step of even the most complex login sequence. And, for sign-on sequences that require some special runtime action, like CAPTCHA input or the assignment of dynamic token values, we’ve added a user scripting interface that promises a solution to even the most complex challenge.

User Extensibility via Scripting

Whilst developing our scripting support for authentication, we realized that there are many other aspects of Netsparker’s operation that could also benefit from user-defined customization. So, we implemented extensibility in the most open and flexible way possible, enabling Netsparker to expose a scriptable interface to virtually any aspect of the scanning process.

In the current release, the scripting feature only ships with extensibility points to support authentication, but we’re committed to expanding this capability across the entire scanning cycle in future releases. Why not let us know what you want to be scriptable for version 2.2?

Scan Summary Dashboard

Netsparker now provides detailed real-time feedback about the scan in progress and even lets you modify its runtime settings in mid-session.

The scan summary dashboard provides at-a-glance information about the active scan session, including a graphical summary of the detected issues and details of the current action in progress on each of Netsparker’s active threads.

During a scan, you may also modify key scan session settings, including the number of concurrent HTTP connections, the selection of security tests that will be used for attacking and the use of custom request cookies. Changes entered via the dashboard take effect immediately.

Comparison Reporting

Netsparker’s report template suite has been extended to include a powerful new analysis capability: comparison reporting. This allows the current scan session to be compared against one or more historic scan sessions, enabling a graphical summary of the evolution of an application’s security status. It also includes a detailed vulnerability list, showing how the status of individual issues has progressed over time.

New Security Tests

Expression Language Injection
Netsparker now finds Expression Language Injection issues in your web applications.
MyFaces Stack Trace Disclosure check added.
Mongrel Server Version Disclosure check added.
Password over GET check added.
WebLogic Detection check added.
Elmah.axd Detection check added.

Vulnerability Database Updates

OpenSSL vulnerabilities added.
PHP vulnerabilities added.

Security Test Improvements

Boolean SQL Injection performance improved by decreasing the number of required requests.
More edge cases for MySQL in Boolean SQL Injections is now covered.
HTTP Header Injection checks improved, now bypasses more blacklists.
Local File Inclusion (LFI) checks improved for FreeBSD / OSX systems.
Added new checks for MySQL Error Based SQL Injections.
Extra blacklist bypass checks added to Frame Injection / Open Redirection checks.
Windows Internal Path Leakage checks improved.
LFI engine improved to cover more edge cases.
Protocol based XSS attacks significantly improved.

New Injection Points

Netsparker now attacks more injection points, such as HTTP headers, paths and unusual injection points in the URL. This was previously available only for Cross-site Scripting Security Tests. Now coverage has been increased and new injection points added for all required security tests.

Tool and Productivity Enhancements

Improved Search: The search feature in Netsparker’s HTTP response pane now includes a preemptive look-up feature (incremental search), enabling search results to be highlighted as you type.

Improved Encoding Panel: Netsparker’s built-in encoding tool has been revamped, enhancing its usability with a new intuitive layout and the addition of buttons for quick copy / paste operations.

New Resource / Directory System

Netsparker’s runtime data files are now stored in a more structured directory tree within the user’s Documents directory, enabling easier access to user-customizable files and more coherent storage of scan results.

New Settings: Values & Ignored Parameters

Netsparker’s application settings dialog now allows the definition of custom rules for applying arbitrary values to form parameters or excluding specific named HTTP parameters from being attacked. For maximum flexibility, parameters may be identified using Regex / wildcard patterns and ignored parameters may be applied selectively, according to the HTTP request method.

New Session Data Storage Format

Netsparker now stores its scan session data in a single compact file, enabling it to be safely archived and allowing scan results to be easily passed between co-workers.

Complete x64 support

Netsparker now installs as a native 64-bit application (on 64-bit machines) enabling it to take advantage of larger amounts of installed memory. This has been a critical element in a number of the stability improvements that come with version 2.1.

.NET Framework 4.0 Update

Netsparker now runs on the Microsoft .NET Framework 4.0. This pre-requisite is handled automatically by the installer / upgrade process and enables Netsparker to benefit from Microsoft’s latest bug fixes and enhancements, as well as providing an essential foundation to many of Netsparker’s own enhancements.

Improved Stability

Crash Recovery: In the event of an application crash or an unexpected computer reboot, Netsparker is now able, in most cases, to recover and continue scanning.
Memory Improvements: Netsparker’s memory management has been overhauled for version 2.1, bringing measurable improvements in stability, especially during extended scanning sessions.

How to Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check Updates" to update to Netsparker 2.1.0.39

Minor Improvements & Bug Fixes

GUI

Encoding bug fixed in “Copy URL”
Copy URL and Open in Browser menu options added to root node of sitemap.
A minor bug addressed in the auto suggested name of the reports when user scans more than 1 website in on session.
Browsing the issues and pages in Netsparker is now more optimized, previously it was lagging sometimes when the HTTP Response too large.
Response time moved to the title of the HTTP Response instead of the response textbox.
Inconsistent styling in some GUI elements changed.
Error messages in PDF generation is now looks better.

Reporting

XML Reports are now just uses CDATA instead of CDATA + Encoding.
Certainty added to Detailed Scan Reports
Known vulnerabilities added to XML reports.
Extracted data hilighting improved.
Hilighting in reports and GUI significantly improved. Now it'll be instantly obvious where was the problem in many more vulnerability reports. This is still not possible for some vulnerabilities, such as Boolean SQL Injection, where the vulnerability is not directly related with any part of the HTTP Response.
Reporting menu is not disapearing after Reset Layout anymore.

Crawler

JavaScript Parser improved for handling complex forms.
image/jpeg binary detection improved.
TextParser performance and quality significantly improved.
Accept-Language header added to all request based on the current culture and can be overwritten from the settings.
Memory issues in some very big web application addressed. Performance is more obvious in x64 systems.
Netsparker now simulates IE9 (or the most up to date browser in the system) more successfully.
Pause now pauses Resource Finder immediately.

Security Checks

Some bugs that causing Static Tests to send excessive requests addressed.

Scheduling

Scheduling improved to address potential issues when user chooses "Previous Profile" for the scheduled scan task.

Storage & Logging

Data storage performance improved and now stored data files size is smaller.
Logs are now includes better timestamps and special split characters for easier parsing.

Netsparker 2.0 has arrived!

Ferruh Mavituna — Mon, 25 Jul 2011 19:50:28 GMT

Between Netsparker 1.0 and Netsparker 2.0 we added lots of stuff. To be more precise, 7 major updates were added, 16 new security checks, 15 new features and tons of minor improvements. We are now ready to release Netsparker 2.0; even better and faster with new features.

As if adding lots of new features is not enough, we even added a new dramatic splash screen. You can’t beat that!

Vulnerability Database

We want our users to spend less time on security testing. Netsparker 2.0 introduces Vulnerability Database, which stores a list of known vulnerabilities for commonly-used systems and components. When Netsparker identifies one of these systems by detecting its version, it’ll reference the database and report all known vulnerabilities for that particular version with severity and required references (such as exploit and CVE references).

With Netsparker’s unique Post Exploitation features the following is now possible:

1. Netsparker identifies an SQL Injection
2. It exploits it safely to confirm the vulnerability
3. It tells you the version and database type
4. Then it tells you all the missing patches for that database server

So, instead of checking vulnerability databases manually, you can spend your time on more important activities. Another tedious job to check off from your list.
The initial release of Vulnerability Database is fairly limited in its range of supported systems. We’ll add more servers, components and web applications to this list over the coming months:

Apache
Tomcat
MSSQL
MySQL

Simultaneous Crawl & Attack

Previous versions of Netsparker always completed their crawling phase before before starting to identify vulnerabilities, such as SQL Injection. Netsparker v2.0 introduces the ability to crawl and attack simultaneously, which can save valuable minutes when scanning large applications.

With v2.0 you can start a scan and, literally within minutes, you can start identifying, fixing and reporting bugs. Hence getting the results quicker will help you to be more productive.

New Security Checks

SSL Checks added
Now Netsparker will report weak ciphers, self-signed SSLs and similar SSL / Certificate related issues
Tomcat default files check added
ASP.NET MVC version disclosure check added
Mongrel and Nginx version disclosure checks added

Improvements

Reporting & Automation

Vulnerability summary table added to detailed reports.

All vulnerability classifications added to reports
Reports are now highlighted to help you easily spot relevant section of the HTTP response in a much quicker way
Custom reporting API updated. New custom reports are not completely compatible with old version. You’ll need to update some references. If you run into any problems while updating your old custom reports, drop our support team an email.
CLI /silent option improved. Now, when the /silent flag is used, the GUI will suppress all dialogs. Related information will be written to logs instead and Netsparker will take the default action.
Internal Path Leakage checks improved both for *nix and Windows OSes.

Engine Improvements

Improved Signature based SQL Injection detection
LFI checks improved and coverage increased
Attribute-based XSS checks improved
PHP source code disclosure checks improved
Protocol-based XSS attacks significantly improved
ASP.NET / .NET Framework 4 Viewstate support added. MAC Enabled and Encryption issues will also be reported correctly in .NET Framework 4 systems
ORACLE SQL Injection checks improved

Other

Several Form Authentication related bugs addressed
Some CPU-related crawling bugs addressed, performance improved
Localization support added
Binary detection improved
Manual crawling improved. Some minor bugs addressed.
If an error happens while importing links, Netsparker will explain the problem in detail to the user rather than suppressing it.
Hilighting bugs in LFI exploitation addressed.
Ability to ignore certain error messages added. For example when there's a problem with DNS, rather than displaying the error repeatedly, you can ignore it and let Netsparker deal with it internally.
License conflicts when a previous installation exist are addressed.
Imports from proxy logs improved.
Several GUI-related changes made to improve usability and visuals
Several minor threading-related bugs addressed.
Cookie handling improved. Custom cookies now overwrite server-set cookies, even when their path is different.
Encoding in parameters name fixed and now correctly visible in the sitemap.
Experimental Attack Pattern Editor added which allows users to add / edit custom attacks.
Caching in Form Authentication disabled.
Issue graph dock removed, as new features made it deprecated.
Quick startup page updated.
Global database dependency removed and better x64 support added for x64 systems for storage access.

Breaking Changes

We have implemented some major changes for the greater good, but some of them will break backward compatibility with v1.x files. From now until the release of Netsparker 3.0, we’ll maintain backward compatibility. As in 1.x releases, all 2.x releases will be backward compatible.

Custom Reporting API changed. You need to update your old reports.
v2.0 introduces lots of new structural changes and we updated the save file formats as well. v2.0 is not able to open v1.x save files. If you need to work with old save files in parallel you can install v2.0 to a different directory and use 2 versions at the same time. If you need any help or need to download the old version to open save files you can tell us and we’ll help you.
Saved logins and Profiles from v1.x are not compatible with v2.0.

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is clicking "Help > Check Updates" to update to Netsparker 2.0.0.0

False Positives - The Dirty Secret of the Web Security Scanning Industry

Ferruh Mavituna — Tue, 24 May 2011 09:34:35 GMT

The primary goal of a web application security scanner is to eliminate the repetitive drudgery of penetration testing, leaving testers free to use their skills in areas where they’ll make a real difference.

In a typical application security audit, automated tools perform the initial triage and then experienced testers sift the results, positively confirming the reported vulnerabilities and working with the developers to eliminate them.

Unfortunately, as any experienced penetration tester will tell you, the confirmation stage often focuses more on eliminating false positives than dealing with real vulnerabilities. This is because automated scanners are notorious for misreading the signs and reporting vulnerabilities that don’t actually exist. In fact, the problem is so commonplace that most pen testers consider it to be an unavoidable consequence of automated testing.

False positives occur because of the weak static checks that scanners typically use to detect vulnerabilities. When a scanner tries to detect a known vulnerability, it uses a matching algorithm to look for one or more pre-defined signature patterns within an HTTP response. If a match is found (and subject to some additional extra checks that may increase the level of certainty) the scanner will deduce that the vulnerability exists and report it accordingly.

However, there are many situations where a positive signature match may be erroneously triggered. For example, the text in a web page may match a given vulnerability signature, causing a scanner to report a harmless static page as a security vulnerability. Although the proportion of erroneous matches may be relatively small, the false positive count may grow quickly when scanning a large web application, resulting in a significant additional workload for the penetration tester.

Aside from the obvious economic consequences of having to manually check and eliminate non-existent vulnerabilities, the problem also has some side effects that can be a direct threat to security. Since web applications evolve, security testing is an ongoing process that must be repeated every time the codebase is modified. It is therefore natural that a tester will encounter the same false positives time after time. On the first occasion, she will diligently check every reported vulnerability and eliminate the false positives. However, as time passes and the same vulnerabilities are repeatedly reported by the scanning process, there is a dangerous tendency for testers to disregard those that they “know” are false positives. This is when a new and very real vulnerability can go unnoticed.

Another equally worrying scenario is when security auditing is performed by staff with only rudimentary knowledge of penetration testing. For example, a developer may use a scanner to reassure himself that his application is secure. Assuming the scanning process reports no vulnerabilities, he may be reasonably assured that his work is done. But if vulnerabilities are detected, additional confirmation steps are required and this is a minefield for the uninitiated.

Given the list of vulnerabilities reported by his scanner, the developer will make initial attempts to confirm them by exploitation but, with only limited experience, this challenge will likely lead him into unknown territory. Eventually, after failing to exploit a vulnerability using all the common textbook techniques, the developer may fall back on the comforting assumption that it is a false positive. This is a justifiable rationalisation, given the pitiful reputation of most scanners, but it is nonetheless a risky strategy and one that will ultimately lead to real vulnerabilities slipping through the net.

So, what’s the solution?

Most scanner vendors devote considerable effort to continually improving the quality of their matching algorithms and adding new layers of cross-checks that seek to improve the level of certainty of any vulnerability report. Whilst this approach provides incremental gains in reporting accuracy, it doesn’t address the underlying problem – that a security vulnerability can only be absolutely confirmed if it is successfully exploited. Any amount of tinkering with signatures and matching algorithms is effectively just window dressing, as the only 100% reliable mechanism for confirming a vulnerability is exploitation.

When we designed Netsparker, this thinking was at the core of our design process. We knew it was going to be a tough challenge to achieve our goal of positive confirmation, because exploiting a vulnerability programmatically entails dynamically creating attacks that exactly match the context of the page they are attacking.

But the results speak for themselves. When Netsparker reports a confirmed vulnerability, it does so because it has successfully exploited it (in a completely safe and non-destructive manner). This diagnosis leaves no room for doubt – the application contains a real security vulnerability that requires action.

There are certain types of vulnerabilities that cannot currently be confirmed by automated exploitation and, for these, Netsparker classifies them as either Possible or Probable, depending on a certainty rating that is calculated using heuristic techniques. In any typical scan, the number of reported vulnerabilities in this category will always be in the minority and usually represent non-critical vulnerabilities or vulnerabilities without direct impact such as information disclosure issues.

Netsparker is currently the only web application security scanner that uses built-in exploitation technology to positively confirm vulnerabilities. This is, perhaps, why our competitors seem content to play down the issue of false positives, preferring to keep the industry’s dirty secret under wraps.

JavaScript Scope and IntenseDebate's Privacy Problems

Ferruh Mavituna — Tue, 26 Apr 2011 11:21:54 GMT

I like IntenseDebate a lot, they allow web developers to embed a comment system to their websites. It’s easy to implement but more importantly it allows visitors to comment with one shared account among many websites to avoid logging into every single website just to write a short comment.

Their implementation is straight forward:

Website owner embeds IntenseDebate’s JavaScript into the blog page
User logs in via IntenseDebate’s website
Now user can comment in different websites without need to log in again

What’s the problem

IntenseDebate’s JavaScript dynamically generated and includes currently logged in users’ information
This JavaScript embedded in the registered website which means the embedded website (i.e. attacker.com) can access the content of the embedded JavaScript

Now if you step back and connect the dots that you’ll notice any website can access the IntenseDebate username of the visitor. This means that when an IntenseDebate user visits the website, the website can identify the visitor even if the visitor didn’t leave a comment.
It’s kind of creepy for IntenseDebate users because you might have been identified by different websites while browsing the web.
In JavaScript to get this data all you need to do is wait until IntenseDebate JavaScripts load and then read the following string:

var data = eval('(' + str + ')');
var cuser = data['username'];

Now cuser holds the currently logged in user’s username. The next line can save it to a database:

$.post("/AjaxSave.aspx",{user: cuser})

See it in Action

Demo (you need to logged into IntenseDebate)

How to fix

It’s a known fact that storing session sensitive information in JavaScripts is bad (think JSON/JavaScript Hijacking) so you shouldn’t do it. In IntenseDebate’s case though this is by design.
A better way to design this using iframes is to force loading sensitive data in different domain. That’s what Facebook and several other similar companies do.

Responsible Disclosure

We got in touch with IntenseDebate on the 26th of Jan and then to follow on the 31st of March, I tried hard to explain them the problem, gave them a live proof of concept and explained the problem in details yet didn’t get any results. I hope this blog post will attract some attention from them and they’ll address this problem as soon as possible.

Netsparker 1.9.0.5 is out!

Ferruh Mavituna — Tue, 19 Apr 2011 12:31:49 GMT

As usual we are releasing new features and improving the quality of Netsparker.

New Redirect Tests

This release introduces 2 new security tests, which confirm whether redirects in the web application are working as expected. If the application sends a redirect back but keeps processing the page this generally indicates a bug. The impact of the bug can vary from “Authentication Bypass “ to a simple forgotten line in the code. However, it almost always indicates a bug that needs to be addressed.

New Features

Microsoft Live ID, SSO Authentication Support
Vulnerability Summary added to reports
Summary Report added to Sitemap. When you click name of the website that you are scanning from the sitemap Netsparker now shows a summary report of the current scan.

Improvements on Security Tests

Blind SQL Injection coverage improved
Protocol-agnostic Open Redirection checks added
LFI security test coverage improved
Version information automatically added to all Error Based SQL Injection issues now
New XSS checks added to bypass blacklists

Other Improvements and Bug Fixes

A Form Parsing bug fixed in Text Parser
An error log in Blind Command Injection Engine fixed
Some URI Based XSS issues were reported multiple times
Minor bugs fixed in the Detailed and XML Reports
Typo fixed in CSV Report
Set-Cookie headers wasn't working properly in Redirects
Netsparker now supports multiple set-cookies with same cookie name
Anti-CSRF token support improved for Form Authentication
A bug fixed in profile save with NTLM authentication
Naming in certain vulnerabilities changed. New naming uses “Confirmed”, “[Probable]” and “[Possible]”.
Several bugs about JavaScript parsing and Form Authentication addressed

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check Updates" to update to Netsparker 1.9.0.5

SVN Digger - Better Wordlists for Forced Browsing

Mesut Timur — Mon, 11 Apr 2011 13:08:43 GMT

Forced browsing / finding hidden resources is one of the crucial part of any black-box web application security assessment. There are great tools to accomplish this task, but our favorite is DirBuster. Simple, fast & smart.

DirBuster ships with several wordlists, these wordlists generated via one big crawler which visited tons of websites, collected links and created most common directory / file names on the Internet. This is a really nice approach and DirBuster’s wordlists worked much better than any other wordlists out there.

However there is one fundamental problem with these wordlists. Whilst the purpose of these wordlists is finding hidden and not linked resources, ironically they are generated only from known and linked resources. To address this problem we came up with the idea of generating wordlists from open source code repositories. This way it would be possible to see all file/directory names and create much more useful wordlists.

We have extracted the directory structure and file names of many projects from Google Code and SourceForge to prepare a good wordlist for discovering hidden files/folders on a targeted web application.

Numbers

We have processed over 5000 projects.
We have more than 400k words at our database.

We have sorted the words according to the their frequency count and prepared some lists based on this data.

How did we generate the wordlists?

Initially we needed to find lots of public SVN/CSV. So far we only used Google Code and Sourceforge. We did filtered search such as “Only PHP” or “Only ASP” projects. After this we used FSF (Freakin’ Simple Fuzzer) to scrape, it was a one liner.
After we had the list of all open source projects, we wrote couple of simple batch files to start getting list of files via SVN and CVS clients.
When all finished, we coded a small client to analyse the all repository outputs and load them into an SQL Server database. Later on we applied many filters with yet another small script and generated all these different wordlists to use in different scenarios.

Download

Download Wordlists (GPL) – SVNDigger.zip (~550KB)

all.txt
all-dirs.txt
all-extensionless.txt
context\admin.txt
context\debug.txt
context\error.txt
context\help.txt
context\index.txt
context\install.txt
context\log.txt
context\readme.txt
context\root.txt
context\setup.txt
context\test.txt
cat\Conf\conf.txt
cat\Conf\config.txt
cat\Conf\htaccess.txt
cat\Conf\properties.txt
cat\Database\inc.txt
cat\Database\ini.txt
cat\Database\mdb.txt
cat\Database\mdf.txt
cat\Database\sql.txt
cat\Database\xml.txt
cat\Language\ascx.txt
cat\Language\asp.txt
cat\Language\aspx.txt
cat\Language\c.txt
cat\Language\cfm.txt
cat\Language\cpp.txt
cat\Language\cs.txt
cat\Language\css.txt
cat\Language\html.txt
cat\Language\jar.txt
cat\Language\java.txt
cat\Language\js.txt
cat\Language\jsp.txt
cat\Language\jspf.txt
cat\Language\php.txt
cat\Language\php3.txt
cat\Language\php5.txt
cat\Language\phpt.txt
cat\Language\pl.txt
cat\Language\py.txt
cat\Language\rb.txt
cat\Language\sh.txt
cat\Language\swf.txt
cat\Language\tpl.txt
cat\Language\vb.txt
cat\Language\wsdl.txt
cat\Project\csproj.txt
cat\Project\pdb.txt
cat\Project\resx.txt
cat\Project\sln.txt
cat\Project\suo.txt
cat\Project\vbproj.txt

It’s licensed under GPL, feel free to share and use your own GPL-Compatible application.

Visit us at DevWeek 2011 in London

Ferruh Mavituna — Tue, 08 Mar 2011 08:46:44 GMT

We’ll be at DevWeek 2011, don’t forget to drop by our booth to meet us. There will be some special discount for Devweek attendees as well.

See you in there.

Netsparker 1.8.3.3 is out

Ferruh Mavituna — Thu, 10 Feb 2011 12:37:12 GMT

After releasing 7 updates in 2010 in total of 16 security checks and 15 new features, here is the first Netsparker update of 2011.

Anti-CSRF Token Support

If you ever tried to test a website with strict anti-CSRF manually or automatically, you would know how irritating it can get. It is also very hard to exploit vulnerabilities in these applications where many tools do not support Anti-CSRF tokens.

Netsparker 1.8.3.3 comes with Anti-CSRF token support in detection, confirmation and exploitation.

By default, it automatically works with the following frameworks / languages:

ASP.NET and ASP.NET MVC
Struts2
ColdFusion
PHP (Symfony,CodeIgniter,Zend)

You can go to ”Settings (F4) > Attacking“ to configure it according to your custom applications.

Enjoy!

Brute Force Support

Now when Netsparker sees a resource that requires Basic, NTLM or Digest Authentication, it automatically tries a list of known username and passwords and reports if it manages to find a valid credential. You can change Brute Force related settings from “Settings (F4) > Brute Force”

New Checks

Frame Injection
Possible Sensitive Files Detection (Categories: Log, Stats, Installation,Configuration,Administration, Database)
Backdoor Detection
Tomcat Source Code Disclosure
Tomcat Default Pages Identification

Form Authentication Improvements

AJAX support added to Form Authentication (Netsparker supported AJAX in crawling since the first release however it wasn’t supported in From Authentication and we finally addressed this issue)
RegEx option added to Signatures
New Source Code View added
Logged In/Out Views improved
Addressed an issue that where some characters such as (') cause problems in Configure Authentication if they are used in usernames or passwords

Other Improvements

Heuristic Binary Response Detection added. This will increase the speed and coverage of scans.
Extension Blacklisting slightly changed. Now Netsparker determines automatically whether a URL is static or a dynamic file.
New checks added to XSS Engine
Confirmation added to external JS injection in XSS Engine
An advanced Negative Match option added to Advanced Settings click to "Settings" while holding down "Ctrl" to enable Negative Matching option in Configure Form Authentication
Minor charset related bugs addressed
Basic Authentication issues were not reported if the user manually entered a Basic Authentication
Vulnerable parameter was reported incorrectly in Permanent XSS issues
If there is a Path or Internal IP Disclosures in HTTP Headers, Netsparker will report those as well
Some issues were not reported if they were in 404 pages.
Several other minor changes and improvements

If you have a valid Netsparker Professional or Standard license, then all you need to do is, to click "Help > Check Updates" to update to Netsparker’s latest version.

New version of Netsparker Community Edition (v1.7.2.13) is Released

Ferruh Mavituna — Wed, 12 Jan 2011 13:56:04 GMT

After pushing so many new features for Netsparker Professional users, it's time to update our Free Web Application Security Scanner - Netsparker Community Edition.

Netsparker CE now finds and confirms much more vulnerabilities. We also introduce registration in this version. This way we can give better support to Netsparker CE users and get better feedback from them.

Download Netsparker Community Edition v1.7.2.13

Happy New Year!

Netsparker 1.7.0.0 Released

Ferruh Mavituna — Thu, 02 Dec 2010 16:02:59 GMT

This is the 8th update this year (except minor releases). We added bunch of new checks, new features and done lots of improvements. We are really happy about this one. We added full support PostgreSQL and MS Access in SQL Injection engine. Now just like SQL Server, MySQL and ORACLE it's possible for Netsparker to find, confirm and exploit SQL Injection vulnerabilities when backend database is PostgreSQL or MS Access.

We added 5 new checks, 2 new features and lots of other improvements, if you have a valid Netsparker subscription Netsparker will automatically update itself or you can manually click "Help > Check Updates" to get this update.

New Feature : Controlled Scan

We added a quite cool new feature called "Controlled Scan". Choose a page and parameters to scan from Sitemap, choose engines that you want to scan with and click "Scan". This way you can do quick scans or very specific scans without worrying about scope restrictions.

This is a great feature to combine with Netsparker's Internal Proxy feature. Use Netsparker's proxy, browse the website, choose parameters you want to test and click "Scan".

New Feature : Retest

You told us that you need to Retest issues and as usual we listened. Choose a vulnerability from a loaded scan and click Retest to confirm whether that issue has been addressed correctly or not.

Retest is not enabled for all vulnerability types yet, when you click an issue from the sitemap or Issues List GUI will inform you whether it's possible to retest for that selected issue or not.

New Checks

Silverlight Open Access Policy / Silverlight Access Policy Identified Checks Added
Django Stack Trace Disclosure Check Added
MySQL Username Disclosure Check added
New Backup File Checks added
X-XSS-Protection Check added

We’ve improved several checks;

Reporting

CSV Report format added
XSL added to XML reports so when you open XML report they'll look better!
Several usability & GUI improvements in export report / save dialogs
Sorting in the reports and Issues List improved
Now generated HTML Reports are W3C validated

SQL Injection

New Double Encoded checks added
MS Access support added, including confirmation & exploitation
PostgreSQL support completed. Including confirmation & exploitation

LFI

A bug in LFI confirmation via /proc/version and similar checks fixed. This was breaking the LFI confirmation in some applications
New Double Encoded checks added

XSS

XSS Engine now detects and confirms XSS vulnerabilities in <style> blocks
A bug fixed and confirmation support added to remote .CSS injection for XSS
New Double Encoded checks added to XSS
New XSS Checks added to cover some more corner cases
URL Based XSS attacks optimised, some bugs addressed
Null Byte + XSS checks added
A missing confirmation added in an ASP.NET expression bypass XSS attack

Other Checks

Windows Internal Path Leakage detection improved
MS Office Information Disclosure Checks now add extracted user information to the report
Robots.txt, Sitemap.xml results weren't crawled successfully since the 1.6.0.0. Now Netsparker parses them correctly and follows the identified links
ASP.NET 4 Version Disclosure added
Started to check for .inc files

New Settings

Ability to change ignored extensions (Settings > Scope)

Other Improvements & Bug Fixes

Severities of several vulnerabilities changed
XML reports now filters null bytes and some other restricted characters to ensure compatibility with strict XML parsers
Log Based LFI Code Execution vulnerability template updated to reflect new confirmation support for this vulnerability
User friendly error message added when user try to configure a form authentication for an empty URL
Some tooltip updated and new tooltips added Form Authentication
PHP Source Code Disclosure check improved
Netsparker was doing some requests twice, this issue has been addressed
Resource Finder was doing same requests more than once
A detection pattern related bug fixed in the GUI
Extra Information was incorrectly reported in some internal path leakage and IP disclosures issues
Numbers added to Logging Window
Incorrect Custom 404 detection in URL Based XSS attacks on IIS servers addressed
Recent Files 10 files limitation bug fixed
When running Netsparker from Command Line it will no longer generate PDF files for XML reports
Several other minor fixes & improvements

Win a 16GB iPad from Netsparker [Finished]

Ferruh Mavituna — Tue, 09 Nov 2010 09:26:48 GMT

Contest is over, thanks a lot to everyone and congratulations to winner : @libbypennlondon

-----------------

We are giving away one 16GB – Wifi iPad, it’s fairly easy to win it!

Follow Netsparker – Web Application Security Scanner in twitter @netsparker and retweet this “Win an iPad from Netsparker - http://bit.ly/dmepdP #netsparker” and win an iPad now.

Here is the contest page for more information: http://twtaway.com/7sqrai

Netsparker 1.6.0.0 Released

Ferruh Mavituna — Thu, 07 Oct 2010 08:16:44 GMT

A new version of Netsparker is here! It took us a while to get this one out and there are many minor & major changes, updates, engine improvements and a new engine. As usual it's free for all current subscribers and all you need to do is clicking to “Help > Check for Updates” to update your Netsparker Professional / Standard edition.

New Engine - Blind Command Injection

We added a new engine to detect Command Injection when output of the command is not visible in the HTTP Response.

Test Improvements

Better SQL Injection Tests

We heavily focused on SQL Injection coverage and increasing it in this release. Improved Error Based SQL Injection and Blind SQL Injection Engines a lot. Now they'll find more corner cases including SQL Injections in INSERTs, UPDATEs, COLUMN fields, TABLE fields and lots of other not-so-common places.

Error based SQL Injection exploitation now supports MSSQL, MySQL, ORACLE and Postgres databases.

Post-exploitation checks "Database User has Admin Privileges" issues now support MSSQL, MySQL, ORACLE and Postgres.

New Features

Client Certificate Authentication Support

Now you can test Client Certificate required applications and it's integrated to Windows Certificate Store.

Vulnerability Classification

Netsparker now maps all identified vulnerabilities with PCI 1.2, OWASP Top 10 - 2010, WASC, CWE and CAPEC. Related references can be found in vulnerability view, PDF, XML and HTML reports.

New Save Files

Now you can double click Netsparker Save Files and open previously saved scans, while doing this we also added that now all Auto-saved scans stored in the recent file. Now you can easily access your previous scans.

Test Improvements

Internal IP Disclosure checks improved
XSS vulnerabilities in 302 responses now reported as [Possible] due to exploitation limitations in real world with some special note
LFI engine improved, new checks added
Tomcat Error Disclosure Test Added
Internal Path Leakage tests improved to be more accurate
Directory Listing Identified tests improved and new tests added
PHP Source Code Disclosure test improved

Old School Changelog

Many minor bug fixes and improvements in the GUI and several other places.
Fixed a bug that caused Netsparker to carry out the same attack twice in certain conditions
A bug fixed in the Settings interface, now it some settings like User Agent doesn't require user to restart Netsparker
A bug in Collapse All fixed
A bug in LFI Exploitation fixed, now Export Selected Files works as expected
Netsparker save files now registered to Netsparker, drag & drop, double click etc. will allow you to open Netsparker files
NTLM/Basic Auth now can be saved into profiles
Several bugs fixed in HTTP Import features
Netsparker's Proxy now works correctly with SSL websites
Non UTF-8 HTTP Responses now rendered in the GUI correctly
Binary file detection added, so Netsparker will not download some binary files anymore
A bug caused Netsparker to miss "Upload Identified" issues addressed
Sitemap doesn't show detected custom 404 pages any more
NTLM Authentication added CLI

Don't forget to tell us what you want for the releases.

OWASP AppSec USA 2010

Ferruh Mavituna — Sun, 05 Sep 2010 06:23:27 GMT

We will be exhibiting in OWASP AppSec USA 2010 in California. We'll have limited special Netsparker Professional offers and live Netsparker demos during the conference. Don't forget to stop by and say "Hello"!

Netsparker Community Edition 1.5.0.0 Released!

Ferruh Mavituna — Mon, 28 Jun 2010 10:49:26 GMT

We released a new update for Netsparker Community Edition. There is not much new features in Community Edition but this release addresses most common issues and includes several improvements. You can use “Help > Check Updates” or you can just download the latest version from Community Edition page.

Netsparker 1.5.0.0 Released

Ferruh Mavituna — Tue, 15 Jun 2010 20:22:18 GMT

Yet again we pushed our limits to bring you a new update, Netsparker 1.5.0.0 "Control" Release. Beside of the casual improvements and polishing we have some new and cool features in this release. We mostly focused on features that gives more control to the user over the scan. Ability to exclude folders, crawl the application by using Netsparker’s internal proxy, import links and from proxies etc.

Manual Crawl - Proxy Mode

If you want to crawl your website and show Netsparker where to test then this is for you. Start Netsparker's internal proxy and configure your browser to Netsparker's internal proxy and browser the website.

When you done just click Resume and Netsparker will test the crawled parts of the application. If you still want to exclude some crawled pages from the attack then you can just right click on them and choose Exclude from Attack.

Exclude from Attack

It's pretty straight and really useful feature. If you don't want Netsparker to attack a certain page (i.e. contact form) just right click on that page in the Site Map and click Exclude from Attack.

Import / Enter Links and HTTP Requests

Sometimes you know there is a part of the application that Netsparker cannot crawl (a non linked URL, a page behind a Java Applet, ActiveX or a Flash). Now all you need to do is giving these HTTP Requests / Links to Netsparker.

It's pretty easy to do this, Netsparker supports log files from proxies such as Fiddler, Burp, Webscarab, Paros or you can just use a plain text file.

To make things even simpler just type this URLs not only in the beginning of the scan even during the crawling phase.

If you don't care about having more control over your scans then don't worry you can still type the URL and click "Start Scan" and it'll do just fine.

Update

If you have a valid Netsparker Professional or Standard license then all you need to do is click "Help > Check Updates" to update to Netsparker 1.5.0.0

Netsparker 1.4.0.0 Released

Ferruh Mavituna — Mon, 24 May 2010 16:15:10 GMT

Netsparker 1.4.0.0 “reports that you can send to your boss” Release has arrived, as usual all of our customers can get this update for free, all you need to is go to "Help > Check Updates" and confirm the upgrade request.

Improved Reporting

You wanted a better reporting with charts, executive summary more details, better presentations etc. We scratched our old reporting and improved our custom reporting to deliver a much better report.

We are working on new report formats especially for compliance reporting and in the next release you'll see new reports and report customization features.

In the mean time if you want to write your own reports or customize default reports please refer to Custom Reporting API, if you run into any problem let us know and we'll help you.

Open Redirect Check Added

We do have a new engine: Open Redirect. Simply checking for Open Redirect / Arbitrary URL redirection issues. Currently it doesn't support JavaScript redirects but we are working on that.

Other Fixes and Improvements

A scope bug fixed which was causing the bypass the scope for one request after some redirects.
Extra runtime checks added to ensure that all required libraries are working properly and system requirements are correctly installed and configured by the installer.
Minor installer improvements
Netsparker wasn't using supplied URLs in the login unless they crawled. Now login URLs added to the crawler when Form Authentication configured.
More error signatures added to detect error messages in web applications
A bug addressed which was causing UI to be unresponsive when a user clicks to "Reset Layout" while using "SQL Injection Panel"
Internal Path Leakage checks improved
Error Based and Blind SQL Injection signatures improved to cover more and more corner cases
Many other minor fixed related with UI, rare crashes and usability.

Monthly Round-up March and April

Ferruh Mavituna — Sat, 22 May 2010 09:17:09 GMT

In March we released a new version : Netsparker 1.3.0.0 - increased performance, much better and effective Cross-site Scripting checks, user interface improvements, better proxy management and support and many other improvements. In April we released another version Netsparker 1.3.7.38. Adds better proxy management, experimental Second Order SQL Injection engine and many other improvements.
We released our Free web application security scanner - Netsparker Community Edition, which was a great release. Currently there are thousands of Community Editions users and a new update for Netsparker Community Edition is ready as well. We are planning to release it soon.
We have a new Help Desk and Forum to provide better support for Netsparker and Community Edition users. You can find Netsparker FAQ and some tips and tricks like Reading target websites from a text file.

Couple of Reviews

… Overall, I was quite impressed. The fact that it actually goes and tries the attacks with some dummy data, or even data that was pulled from context on the site is quite impressive. It even gives you tips or direct commands to run in order to fix some of the known issues. And where it doesn’t give specifics, it points you to the OWASP site for guidelines. I might have to look towards this again and will definitely keep a reference to it in my toolbox for future endeavours…

Gemini Security - Security Musings Blog, Netsparker

.. The community edition also found SQLi that AppScan failed to in a side by side test. ..

Cosine Security, Netsparker Community Edition Review

.. If we are to truly take any of this data seriously, then we must realize that Netsparker was the only web application security scanner that performed well in any sort of benchmarks I've seen yet. Crazier, it's the only one that's free that performs better than W3AF or Skipfish (and by a lot!). Netsparker Pro also carries one of the cheapest price tags I've seen or heard of. I would be interested to try it out and benchmark it more, especially after seeing the Community Edition. It's possible that Netsparker was released this way because they know that they have a superior product compared to the rest of the market ..

ntp, Web application scanners discussing in Sla.ckers

Couple of Twitter Mentions

@_ikki Netsparker's crawler rocks! I've just found a test script undetected by Acunetix and Skipfish.

@ToolsWatch Just finished a pentest (Netsparker was a great help). Thanks Netsparker Community Edition (i hijacked stream to spawn a shell :)

@abhaybhargav Netsparker is a great tool! It has some very unique features! Kudos!

We are going to release this update in couple of days, keep watching us, @netsparker.

Netsparker v1.3.7.38 Release

Ferruh Mavituna — Wed, 21 Apr 2010 19:31:49 GMT

Lots of improvements in Permanent XSS, XSS and SQL Injection engines. We added experimental Second Order SQL Injection support as well.

There were some issues regarding to Proxy and Proxy Authentication, all those issues addressed as well.

There are many other improvements and some bug fixes, check out the details in the Netsparker v1.3.7.38 changelog.

XSS to Root in Apache Jira Incident

Onur Yilmaz — Wed, 14 Apr 2010 13:06:40 GMT

The Apache Foundation infrastructure (apache.org) was a victim of a targeted attack for the second time this year. By exploiting a cross-site scripting vulnerability in a commercial bug tracking system called Jira, and using some social engineering skills, the attackers were able to gain access to several core servers of the Apache foundation.

The Apache Foundation & JIRA hacking Attack Details

Exploiting a XSS on Jira

Attackers knew of the cross-site scripting vulnerability in Jira, a commercial bug tracking system used by the Apache foundation. To exploit this vulnerability, the attackers posted a new issue on JIRA;

“I’ve got this error while browsing some projects in jira http://tinyurl.com/ybnf8xt”

This message triggered the interest of Apache.org members, some of which were administrators. Upon clicking on this link, the cross-site scripting vulnerability was exploited and the members’ sessions were compromised.

At this stage the attackers managed to gain administrator privileges on JIRA. Posing as administrators, the attackers changed the location of where JIRA stored uploaded files to a location where they could store and execute JSP files. They created a number of issues through JIRA which contained several malicious JSP files. Some of these JSP files were used to browse and copy the file system of the victim who accessed the file, and some others gave them backdoor access.

Social Engineering Attack Helps Hackers Gain Root Access on Apache.org

Once the attackers had admin access to JIRA, they installed a tool that would collect all passwords and logins. They then sent JIRA password reset notification to the Apache infrastructure team. The victims thought it was some bug in JIRA, so they followed the instructions to reset their passwords to the original ones.

One of these passwords was the same as the password to a local user account on an apache.org server where hosted installs of JIRA, Confluence and Bugzilla were installed. To make things worse, this account had full sudo access on the machine brutus.apache.org.

The attackers took advantage of the root access and started looking around for sensitive data. They found out that several users had cached Subversion authentication credentials and used these credentials to login to the apache.org main shell server; jackpot!

Atlassian JIRA Attacked

2 days after the Apache.org & JIRA attack, Atlassian JIRA servers were also attacked, presumably the same hacker exploiting the same vulnerability. JIRA announced this in a blog post on the 13th of April 2010. The blog post stated “The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008.”

Netsparker Identifies XSS Vulnerabilities in JIRA

After hearing the news, our engineers downloaded the latest demo of JIRA and scanned it with Netsparker web application security scanner. Much to everyone’s surprise, Netsparker identified 10 different instances of cross-site scripting vulnerabilities in the latest version of JIRA.

Use Netsparker throughout Each Stage of the SDLC

If JIRA used Netsparker throughout the software development life cycle, such hack attacks would have been avoided. It took weeks for Apache to recover from such attack; the attackers had root access to the servers and they had to move everything to new servers rather than fixing the old ones.

Netsparker Community Edition - Free web app scanner is out!

Ferruh Mavituna — Wed, 07 Apr 2010 13:52:36 GMT

Big news for us, our customers and the whole security community…

Netsparker^® Free Community Edition

Mavituna Security Ltd is proud to announce the release of Netsparker Community Edition.

Netsparker Community Edition is False Positive Free and can detect both SQL Injection and Cross-site Scripting issues better than many other scanners.

Netsparker Community Edition also detects many other vulnerabilities such as finding and reporting backup files, source code disclosures, Crossdomain.xml issues, SVN/CVS disclosures, internal path disclosures, error messages and many more.

Don't take our word for it, simply fire up your favourite scanner and compare the results with those from Netsparker Community Edition. You won't see a False-Positive from Netsparker Community Edition and it'll find more vulnerabilities.

Web application security is a big challenge and Netsparker® Community Edition is a vital tool for the security community and developers alike.

Netsparker^® Professional

Netsparker Community Edition shares the same base engine with Netsparker® Professional.

The Netsparker^® family are not simply more web application security scanners but represent a step forward into the next generation. Netsparker features False Positive Free Scanning, Integrated Exploitation, Post-Exploitation Vulnerability Assessment and accurate detection.

Netsparker Professional users also benefit from enterprise features, more security checks, priority technical support and updates.

DOWNLOAD NETSPARKER COMMUNITY EDITION

Regards,

Ferruh Mavituna
Founder and Lead Developer of Netsparker

The Academy Pro Contest

Ferruh Mavituna — Wed, 24 Mar 2010 10:06:15 GMT

The Academy Pro Contest

We are giving away one Netsparker Professional license to The Academy Pro Contest, see the details.

Netsparker 1.3.0.0 - "All you can scan" Release

Ferruh Mavituna — Mon, 22 Mar 2010 15:54:23 GMT

We've been frantically working on the new version of Netsparker. We addressed lots of minor issues, added some new features, improved many of the engines but most importantly fixed all memory related problems.

Better memory management

We received some bug reports regarding that our users were getting "Out of Memory" exceptions in big websites. Yes, almost all other web application security scanners crash in big websites, it might be acceptable for them but not for us.

So we fixed all memory related problems. It doesn't matter how big the HTTP response is, 10kB or 4096kB, it doesn't matter that Netsparker needs to do 100 requests to 2 million requests it will work just fine and won't cost you more than 300MB of memory. You might still experience some problems if you need to do more than 5 million requests due to our storage and optimisation design, however I'm pretty sure 5 million attacks will cover almost all websites and when you in doubt you can always scan folders separately and then Netsparker can merge the scan results from "File > Open" for you.

Permanent/Stored Cross-site Scripting Improvements

We improved the detection and reporting of Permanent Cross-site Scripting issues. Now you can see the details of the injection request as well as the output point. This way you can simply spot the vulnerable location.

Unfortunately Permanent XSS engine doesn't support confirmation yet but we are working on it.

Better Cross-site Scripting (XSS) Confirmation Engine

As you know Netsparker is the first and only scanner which can confirm vulnerabilities to eliminate false positives. We massively increased confirmation in XSS engine to provide one click proof of concepts to our users. Now the extra confirmation engine will try to find the easiest XSS exploit before going to more obscure ones.

Some attacks are revised and many attacks to bypass WAF/IDS added.

New Settings Interface

Even though Netsparker tries to do everything for you, detecting URL Rewrites, custom 404 page patterns, best exploitation speed etc. sometimes you want to go into details and fine tune the settings for a web application test.

Our previous settings interface was hideous so we replaced it with a new shiny interface:

Netsparker still hides some advanced settings as 99% of users don't really need to change them, however if you are really curious and somehow know what you are doing you can hold "Ctrl" button while clicking to "File > Settings > Settings" and get the advanced and still "hideous" settings interface.

If you mess up the configuration go to "Settings" and click "Reset Settings".

JavaScript parser issues

We received bug reports about NetsparkerHelper was crashing in some websites. These issues addressed and fail-safe check added to NetsparkerHelper as it'll recover itself silently so your scan can continue as it supposed to even when there is something unexpected.

Local File Inclusion (LFI) Engine Improvement

LFI is a still common and dangerous vulnerability. We fixed some problems in the confirmation engine. It wasn't confirming some LFI vulnerabilities in *nix systems.

We added new attacks to bypass blacklisting filters, IDS/WAFs. Exploitation improved and many minor bugs addressed.

Resume Feature

In the previous version there were some bugs when you try to load an unfinished scan and try to resume. We addressed these bugs so you can save a scan in the middle of crawling, attacking or anything else and then load and continue later on.

Better Time Based Blind SQL Injection Detection

It's clear that Netsparker has the best SQL Injection detection engine when it comes to MySQL, ORACLE and SQL Server. Unlike other scanners Netsparker doesn't just to "OR 1=1" it analysis the backend database, carries out many specific test to find SQL Injections in many situations then confirm the SQL Injection by safely exploiting it and finally do the post-exploitation attacks to find more issues such as database user has administrator priviliges.

In this new version we updated the Blind SQL Injection to make it even better. Now Blind SQL Injection engine analysis server responses, identifies required wait times and this means even when the responses from the server is unusually slow or the application is a bit unreliable Netsparker still can identify and confirm the SQL Injection.

Old School Changelog

Issue reports quality increased by adding and refining the content
There is a new option for waiting all static resource attacks before skipping to the attacking phase. By default Netsparker will not wait to find all directories to skip the Crawling phase, you can override this from the settings.
URL Based XSS attack patterns improved.
Permanent/Stored Cross-site Scripting (XSS) reports are not much better. It shows the injection point, output point and all other required details in the report.
LFI Engine is improved. Couple of bugs fixed, we add IDS/WAF evasion techniques, new attacks a new confirmation to confirm more LFI issues.
Minor form authentication related bugs fixed.
A new vulnerability check added that converts limited LFI attacks to Cross-site Scripting.
LFI exploitation related bugs fixed.
In the last update due to some internal changes we had to remove Cross-site Scripting detection in "script" blocks. Now it's back with confirmation.
Support for XSS in HTML comments is back with confirmation.
Report threshold increased for possible SQL Injections. Means less [Possible] reports.
A new check added to report if the configured Form Authentication doesn't seem to work and extra checks added to avoid recursive loops in incorrect form authentication settings.
Crashes in JavaScript parser (NetsparkerHelper) addressed also extra checks added to recover itself in case of a crash.
Some bugs addressed related ViewState decoding and ViewState analysis now supports .NET Framework 1.x ViewState.
GUI performance increased, even when more than 100 vulnerability reported per second GUI stays responsive.
Overall performance increased, now Netsparker can process more than 500 requests per second in a Core i7.
We massively decreased the usage of memory in Netsparker. You can test really big websites which takes days to scan and millions of requests to attack and Netsparker will manage to finish the scan and won't use too much memory.
Data Length bug in SQL Injection exploitation addressed.
In some Windows XP systems JavaScript parser crash addressed.
During the JavaScript analysis XMLHTTP Requests scope bypass addressed. (was bypassing include/exclude rules and scan scope).
Incorrect figures in dashboard during the Recrawling phase issue addressed.
A bug in getting a reverse shell from boolean based SQL Injections addressed.
A theme problem addressed in message boxes.
Merge scan was causing losing old issues from the issues panel during the load and new scans.
There were some bugs about resuming a loaded scan. Now Netsparker can resume scanning from any previously saved scan. So you can start scanning and then save it in the middle of a scan. Load it later on and continue.
One of the XSS attacks was missing from the Permanent/Stored XSS detection. This issue has been addressed.
Blind SQL Injection confirmation is improved. In new confirmation engine Netsparker can analyse the server request performance and tweak attacks to perfectly server overhead and confirm Blind SQL Injections even in really slow or unstable connections.
A problem in Static Checks addressed. This was causing to miss some hidden directories if the initial requested directory returns 3xx code.
Some bugs in heuristic URL Rewrite detection in big websites addressed.
A bug was causing crawling stage to stuck in last 1 or 2 requests addressed. This was happening only 1 in 100 scans.
Licence Loader theme changed to native OS theme for Windows 7/Vista.
New settings interface introduced. It explains all the important settings and allows you to configure them easily. If you know what you are doing and want to access all advanced settings click to hold "Ctrl" and click to "Settings" this will open the advanced settings panel instead of the new settings panel.
A bug in saved login scripts addressed.
Request Monitor removed. If you need similar functionality please refer to How to see all HTTP Requests and Responses topic.

Monthly Round-Up, February

Ferruh Mavituna — Fri, 26 Feb 2010 11:52:31 GMT

It was a good month, here is a quick overview:

We have a Demo Request page now.
We released two new versions (v1.1.2.3 and v1.1.5.0057) with bunch of new features and fixes.
Talked about Custom Reporting
Denim Group released Vulnerability Manager which supports importing Netsparker XML Reports.
We added Netsparker to Larry’s report and Netsparker was the second best out of 8 scanners (third in Point and Shoot mode). Everyone is talking about how you need to train your scanner. We finished the whole report in a day, Netsparker is that easy to use. Configuring Netsparker only took our 5 minutes in total, not more.
We sent bunch of t-shirts all over the world, Spain, UK, Turkey, USA, Canada, Singapore, Brazil… to our beta testers and users to thank them.
The Academy Pro posted a Netsparker video

What’s Next

Some of our users were having memory related issues with big websites (more than 100K requests). We addressed this problem currently Netsparker’s memory footprint is much lower and it can send more than a couple of million requests without a problem. We are still testing these changes and will release it soon.
We added a new settings interface, looks nice doesn’t it?
We are working on couple of other stuff and will post about them soon.

Subscribed to RSS Feed or follow on twitter for updates.

Netsparker, Accuracy and Time Costs of Web Application Security Scanner Report

Ferruh Mavituna — Thu, 04 Feb 2010 14:51:33 GMT

Ha.ckers blog published Larry’s new report: “Accuracy and Time Costs of Web Application Security Scanner Report”.

Unfortunately Larry never contacted us so we didn’t know that he was doing such a test. However as soon as the report was out we conducted the very same test as methodology was straight forward.

Also we sent an email to Larry and offered fully-functional trial version for him to conduct the test as well. Anyone with full or demo version of Netsparker can repeat these tests easily.

How did we conduct the test?

We used the last public version of Netsparker 1.1.5.87
We have not trained the scanner other than changing the start URL of the scans.
We attached the save files, Netsparker database and XML reports. So you can see the results by yourself. If you don’t have Netsparker than you can take a look at our XML reports. Download reports and save files.
We considered [High Possible] vulnerabilities as vulnerable and if [High Possible] vulnerability was not correct then it considered as False Positive, although all high possible issues we correct.

This is the overall output:

Two charts exactly like Larry’s report, we added Netsparker to the results.

As you can see after NTO Spider, Netsparker is the best scanner when “Trained” and the second best trainer in “Point and Shoot” right after NTO and IBM AppScan.

False-Positive Free Scanning

We delivered what we claimed and the report was false-positive free.

Although 1.1.5.87 release caused some LFI bugs which already has been addressed and will be deployed in the next release. This caused [High Possible] LFI vulnerabilities. None of them were confirmed (obviously!) but it was quite irritating, for full-disclosure I wanted to point out that clearly. We spotted some instances unconfirmed possible LFI issues in all Permanent XSS locations . Since we considered [High Possible] as vulnerability, we’ll consider these as False-Positives. We addressed this problem in v1.1.5.91, use “Help > Check Update” to update Netsparker.

Training Time

Actually Netsparker has not many training options because it doesn’t require any. It picks up many URL Rewrites automatically, it detects Custom 404’s on the fly, 99% of the time you don’t need to tweak it. It just works. In this case all we did was changing the start URL of the scan. So our training time was something between a second and a minute. Depending on how fast we can copy & paste a URL.

Overall Human Time/Cost

Larry calculated the overall human time/cost with the following formula:

Training time + (# False Positives * 15min) + (# False Negatives * 15min)

This is the original chart (in minutes, lower is better):

However since none of the scanners in the test has a confirmation engine like Netsparker he excluded the fact that even though all of the issues are not false-positives you still have to analyse them, otherwise you wouldn’t know if they are false-positive or not.

This is not an issue with Netsparker as we can confirm vulnerabilities. Out of 103 identified vulnerabilities we confirmed 87 of them, so we confirmed 84% of all identified issues. This could’ve been much higher if the test websites were using MySQL, ORACLE or MS SQL or even Postgres (we have limited support) instead of MS Access. I’ll discuss this further at the end of this post.

So I’ve revised Larry’s function and made it more realistic by adding one more criteria, time to confirm that a vulnerability is not a false positive. 15 minutes would have been harsh as some issues could be really obvious so I used 3 minutes for per identified vulnerability which is quite naive.

Revised Formula:

Training time + (# False Positives * 15min) + (# False Negatives * 15min) + ( # Identified none FP Vulnerabilities * 3 min )

Updated and more realistic results (in minutes, lower is better):

Netsparker identified 5 new vulnerabilities that other scanners missed

Netsparker identified 7 new vulnerabilities that all of the other scanners missed:

NTO Webscantest
- URL Based XSS in /datastore/search_get_by_id.php and in many other URLs
- XSS in “method” parameter in /soap/wsdlclient12.php
Acunetix testPHP
- XSS in “uphone” parameter in “/userinfo.php”
Cenzic Crackme

Permanent XSS in /kelev/php/loanrequestlist.php
Permanent XSS in /kelev/php/approveloanpage.php

UPDATE: 2 of the issues removed from zero.webappsecurity.com because they were duplicates, we didn’t notice it in the first analysis.

A Funny Vulnerability(!)

We observed that Netsparker missed a remote code evaluation vulnerability according to the Larry’s results.

I don’t know how Larry confirmed all vulnerabilities but this is certainly not exploitable :)

From “http://testphp.acunetix.com/comment.php” and “phpaction” parameter.

if ($_POST["phpaction"] == "printf(md5(acunetix_wvs_security_test));exit;//") eval($_POST["phpaction"]);

So it’s not actually a vulnerability it’s just a PoC vulnerability to demonstrate Acunetix’s related checks.

UPDATE: I want to make it clear that this is obviously not an intentional code to block other scanners. This is just a test page for Acunetix scanner for their customers and demo versions. Which make a lot of sense to do such a thing, all I wanted to point out that this issue should be excluded from the test and leaving such an issue in the report might raise questions about other issues. I’m not quite sure if there are any other issues like this in the report as we haven’t investigated every single one of them. My apologies to our friends in Acunetix if I seemed like accusing them, that definitely wasn’t my intention.

What and Why Netsparker Missed?

Netsparker missed some XSS vulnerabilities in forms. Netsparker did fill up everything correctly which means it missed the cross-site scripting issues in validation pages. Because it hasn’t seen the validation page at all. This issue was on our list and we’ll try to address it as soon as possible.
Netsparker missed some error message information disclosure, because they are so prone to false-positives. In real world reporting such issues should cause a lot false-positives. Netsparker missed about 6 error messages issues. Just to be clear Netsparker reports debugging related information but these pages were barely leaking any debug related information hence Netsparker didn’t report.
Couldn’t confirm or missed MS Access SQL Injections. Netsparker engines are specifically designed for ORACLE, MS SQL and MySQL. Currently we are in the process of adding Postgres and will eventually add support for all popular DBMSes. Basically if you change MS Access backend of all these systems to ORACLE, MySQL or MS SQL Netsparker would find and confirm those vulnerabilities. Obviously this is not an excuse to miss a vulnerability and we’re trying to do our best to add these new database engines. Netsparker especially was bad in IBM AppScan’s testfire website due to this problem.
Netsparker missed all attacks based on HTTP Header or Cookies because currently it doesn’t support. This is known limitation, in our roadmap and will be addressed.

Conclusions

We were expecting good results and we got it. Although I still think Netsparker would have performed better in more realistic scenarios. For example I haven’t notice any Full-Blind SQL Injection (time based) vulnerabilities in the whole test.

One of the most unrealistic things about the report is the amount of false-positives possibilities in the test websites. If you haven’t use any of these scanners just ask anyone and they’ll tell that they definitely report more than 2-3% false-positive issues in every scan.

Report proves that Netsparker’s Confirmation and False-positive Free Scanning feature is a real time saver.

Download Test Files and XML Reports

Netsparker Vulnerability Tables – VulnerabilityTables.pdf
Overall, Chart Document – Charts-Overall.ods
Netsparker “XML reports” and “.dlm” scan files. You need Netsparker 1.1.5.87 for opening “.dlm” files” – Reports.zip

Do you want to test it too?

You can request a demo and try Netsparker’s fully-functional evaluation version.

Netsparker - "Smart Casual" Release v1.1.5.89

Ferruh Mavituna — Wed, 03 Feb 2010 14:30:54 GMT

Apparently we are much better at writing code than writing blog posts! We have released v1.1.5.0089, 2 days ago.

This is a small update, especially addresses some minor bugs and lack of software manual.

Improvements
- Confirmation stages added to Dashboard
- Help Documentation added to installer. You can access it from the “Help” menu or you can press F1.
- Error Based SQL Injection support for Postgres added
Bug Fixes
- One character limit bug in SQL Injection exploitation panel addressed
- Netsparker Blog link added to Help menu
- A bug in internal path disclosure addressed. The bug was causing to miss some issues.
- Merge scan was causing losing old issues from the issues panel during the load and new scans.
- Incorrect figures in dashboard during the Recrawling phase issue addressed.
- Some messagebox skins corrected to match the Netsparker’s main skin
- Scope problems in XML HTTP Requests analysed by Javascript Parser addressed. Now JavaScript parser correctly obeys to include/exclude rules and scan scope.
- Licence Loader skin changed to native for Windows 7/Vista

You can use “Help > Check Updates” to update Netsparker.

Netsparker - "Automate That" Release v1.1.5.0057

Onur Yilmaz — Thu, 28 Jan 2010 17:50:58 GMT

Netsparker’s new “Automate That” [1] release is ready. It’s not just about bug fixes or improvements, we’ve also got two great new features and two big improvements. Command Line Support to automate and integrate your scans with other tools. Schedule Support so that you can scan stuff overnight or scan your application weekly and obtain reports. We decreased the request count during the attacking phase without sacrificing our coverage and added a bunch of new confirmation engines.

Schedule Support

One of the most requested features was Scheduling Support, finally we added it. It doesn’t require an extra service to install and will integrate itself to “Windows Task Scheduler”. It works correctly under Windows XP, Windows 2003, Windows Vista, Windows 7.

Command Line Support

Command line can be used to call Netsparker from another application for manual scanning, for example internally we’ve got a Firefox test extension which launches Netsparker with the current page’s URL by using the following command line:

Netsparker.exe /u [Current Page]

If you want to automate the whole scan, the best way to do is create a new profile from the “Start New Scan” window. Afterwards you can launch a new scan with your profile name. You can share these profiles between computers, they are stored in "My Documents\Netsparker Scans\Profiles".

Netsparker.exe /a /p QuickSQLI /u http://nightlybuild.example.com /rt "Vulnerabilities List (XML)" /r c:\reports\report-%date%-%time%.xml

This will scan the URL with the given profile and will save the XML report to c:\reports\ folder. %date% and %time% will be dynamically replaced with start date and time of the scan, so you don’t have to change the report name every time you run it. (**Update: Use [date] and [time] instead on recent versions of Netsparker.**)

If you need a custom output you can use create your own report with Netsparker’s Custom Reporting API.

Command Line Parameters:

/a, /auto	When other parameters are given correctly, the scan is carried out, the report is saved and the program is closed.
/p, /profile	Name of the profile to be used during the scan. If not specified, the preset profile will be used.
/u, /url	Address of the website to be scanned. If the profile file includes another website address, the address specified with this parameter will be taken into consideration. If two different URLs are specified in the profile and within this parameter, the one given with this parameter will be taken into consideration.
/pr, /proxy	Proxy server address. If the profile file includes another proxy server address, the address specified with this parameter will be taken into consideration. A valid proxy server address should be as follows: http://user:password@proxy.address/ If a user name and password are required for logging on the proxy server, these should be given in the shown format.
/r, /report	File path the report will be saved. It should be used in conjunction with the “-a” parameter. The full physical file path can be given; if only file name is given, the created report will be saved into the folder the command is run.
/rf, /reportformat	File format of the created report. If not specified, the report is created in “pdf” format; rtf, pdf, text, csv, xls or html formats are also supported. (**Update: This switch has been removed on recent Netsparker versions.)**
/rt, /reporttemplate	Type of the created report. If not specified, first type in the list will be valid.

Performance Improvements

Amount of requests to identify vulnerabilities drastically decreased. We optimised all of our attacks, combined some attacks into one and in the end we started to send 35% less requests and we opened some space to make our coverage even better by decreasing the amount of requests . This means shorter attacking phase.
Smart caching added to some detection engines to decrease CPU usage. If you have a powerful system you might not notice this at all. It’s an increase of about 2-3%.

New Security Checks

ASP.NET ViewState analysis added
- ViewState is not signed
- ViewState is not encrypted
- ViewState view panel. When you go to “HTTP Request/Response”, if the page has ViewState in it, this panel will be visible automatically. If the ViewState is not encrypted, then you can see the data in it.

New Confirmation Engines

Confirmation engines ensure that you won’t have a false-positive and you will see less [Possible] vulnerabilities. When these vulnerabilities get confirmed you’ll see Netsparker’s famous Confirmed icon!

RCE (Remote Code Evaluation) confirmation engine added.
RFI (Remote File Inclusion) confirmation engine added.
Command (Remote File Inclusion) confirmation engine added.

Improvements

Cross-site scripting engine updated. The new engine is faster and gives out less possible errors, it also allowed us to add more XSS checks. However, there are some missing bits in the new engine. This might cause to miss some rare XSS cases. We are working on this problem.
Permanent XSS detection improved. Currently there is no Confirmation engine for permanent XSS checks. We're working on this problem.
Start new scan screen remembers the last used profile.
Extra confirmation stage added to dashboard. Extra confirmation triggers in some Blind SQL Injection issues. It's a required step to avoid false-positives although it can take minutes depending on the vulnerability.
Better coverage in many engines but mostly SQL Injection (new ORACLE, MySQL and SQL Server attacks added and optimised to work in more cases)
Cross-site scripting issues now reported with alert() proof of concepts for easier copy & paste
We added new default profiles. You can always create your own custom profiles.
- Full Scan – SQL Server (checks for everything but SQL Injection attacks optimised for SQL Server backend database which makes the scan faster)
- Full Scan – MySQL (checks for everything but SQL Injection attacks optimised for MySQL backend database which makes the scan faster)
- Fast – No JavaScript (checks for everything but Netsparker won’t parse / interpret JavaScript, which speeds up the scan, especially the crawling phase)

Bug Fixes

A bug fixed in the JavaScript parser which was causing consistent crashes in some AJAX cases
Parsing issues for some relative links addressed. It was affecting links starting with a question mark (?) without a path.
Some SQL Injection attacks constructed correctly to bypass weak blacklisting and filters.
An issue in dashboard causing display of incorrect figures in some scans addressed.
A parsing bug addressed in pages with external JavaScript references
The bug in the "[Possible] Source Code Disclosure" vulnerability addressed.
A problem in Configure Authentication Tab addressed. This problem was affecting logout views with heavy JavaScript.
There were some problems in Blind SQL Injection detection in ORACLE. Those issues were addressed, now Blind SQL Injection works correctly even with many grouped ORACLE SQL Queries .
Null byte reporting in the XML file was addressed, which was causing problems in XML parsers. Currently all reported URLs are encoded correctly in the report.
Issues weren't sorted correctly. Confirmed issues were listed after possible issues in the same severity.
A bug addressed which was causing cookie save checkbox to be kept enabled in the profile save dialog.

[1] All alpha / beta releases of Netsparker had a release code name. Generally with a cheesy reference such as “Fast & Furious” Release, “So tell the girls I’m back in town” Release, “Getting There” Release. It was fun. We thought it’d be nice to give a code name to our public releases as well.

Integrating Netsparker with your WAF

Ferruh Mavituna — Tue, 19 Jan 2010 10:05:49 GMT

Denim Group has released Vulnerability Manager, in their own words:

Denim Group's Vulnerability Manager allows security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Because this is done in a centralized system, application security managers have greatly increased visibility into and control of these processes, and they are collecting data that can be used to support sophisticated conversations with their managers and executives.

This is great for Netsparker users because Vulnerability Manager can import Netsparker XML reports. Since Netsparker can confirm the idenfied vulnerabilities and mark them on the XML output you can simply generate WAF rules or send these identified vulnerabilities to the related defect tracking system without checking for false positives. You can even automate the whole process, you don’t need a person to check the vulnerabilities before deploying the patches.

The tech preview release demo of Vulnerabiltiy Manager:

Custom Reporting API

Onur Yilmaz — Mon, 18 Jan 2010 09:17:34 GMT

I’ll try to write a new tip or tutorial every week in here. Let’s start with Netsparker’s custom reporting API.

How does it work?

At start-up, Netsparker scans for C# code files (*.cs) in the "Report Templates" directory , which is located within the “Resources” sub-directory of the “Netsparker” data directory (by default resides in current Windows user’s Documents/My Documents directory).

Scripting Language

Netsparker’s scripting language is C#. Even if you haven’t code in C# before, it shouldn’t be a problem. It’s pretty easy to make simple changes.

Here is a sample custom report:

<%@ Assembly Name="MSL.Common" %>
<%@ Assembly Name="MSL.Core" %>
<%@ Assembly Name="MSL.Extensibility" %>
<%@ Assembly Name="System.Data" %>
<%@ Import NameSpace="MSL.Core" %>
<%@ Import NameSpace="MSL.Core.Entities.Vulnerability" %>
<%@ Import NameSpace="MSL.Core.Configuration" %>
<%@ Import NameSpace="MSL.Core.Data.Resources" %>
<%@ Import NameSpace="System.Linq" %>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Collections" %>
<%@ Import NameSpace="System.Collections.Generic" %>
<%@ Import NameSpace="System.Security" %>
<%@ Argument Name="vulns" Type="Array" %>
<%@ Argument Name="settings" Type="ScanSettings" %>
<?xml version="1.0" encoding="utf-8" ?>
<netsparker generated="<%=DateTime.Now.ToString()%>">
    <target>
        <url><%=ReportingUtility.XmlShortEscape(settings.Uri.ToString())%></url>
    </target>
<%
// Sort vulnerabilities based on their severity, Type, confirmation and rating
var sortedVulns = from IVulnerabilityView v in vulns
                  orderby v.Severity descending, v.Order ascending, v.Type ascending, v.IsConfirmed descending, v.Certainty descending
                  where v.Visibility != VulnerabilityVisibility.Hidden
                  select v;

foreach(Vulnerability vuln in vulns){
%>
    <vulnerability confirmed="<%=vuln.IsConfirmed.ToString()%>">
        <url><%=ReportingUtility.XmlShortEscape(vuln.RequestUri.ToString())%></url>
        <type><%=vuln.Type%></type>
        <severity><%=vuln.Severity.ToString()%></severity>
        <vulnerableparametertype><%=ReportingUtility.XmlShortEscape(vuln.UriManager.AttackParameter.Type.ToString())%></vulnerableparametertype>
        <vulnerableparameter><%=ReportingUtility.XmlShortEscape(vuln.UriManager.AttackParameter.Name)%></vulnerableparameter>
        <vulnerableparametervalue><%=ReportingUtility.XmlShortEscape(vuln.UriManager.AttackParameter.Value)%></vulnerableparametervalue>

        <rawrequest><%=ReportingUtility.XmlShortEscape(vuln.RawRequest)%></rawrequest>
        <rawresponse><%=ReportingUtility.XmlShortEscape(vuln.RawResponse)%></rawresponse>

        <extrainformation>
        <%
            foreach(var cField in vuln.CustomFields){
        %>
            <info name="<%=cField.Key%>"><%=SecurityElement.Escape(cField.Value.Value)%></info>
        <%
            }
        %>
        </extrainformation>
    </vulnerability>

<%
}
%>
</netsparker>

This will generate an XML file which includes:

All vulnerabilities
Vulnerable Parameter and type (GET/POST)
Vulnerability Details
Confirmation Status
Extra exploitation data
Scan time
Vulnerability severity etc...

You can add more details into the reports or customise them as much as you want.

Documentation

The detailed API documentation is in “Documentation” folder of Netsparker installation folder. (C:\Program Files (x86)\Mavituna Security\Netsparker\Resources\Documentation\NetsparkerReportingAPI.chm)

Defining the extension of the report

Name of the “.cs” file will be visible under the “Reporting“menu and when user click to it, generated report will use the extension from the custom report file name.

For example:

“Vulnerabilities List (XML).xml.cs “ - File extension will be “xml”
“Vulnerabilities List (XML).html.cs” - File extension will be “html”

Testing the code

You don’t need to restart Netsparker every time you change the source code of your report. After Netsparker adds it to the report menu once all you need to do is run it again. If it fails to compile it’ll let you know with an error message.

Sample Code

A sample report ships with Netsparker called “Vulnerabilities List (XML).xml.cs” which is a simple report which generates an XML report with all identified vulnerabilities.

Support

If you need any help just send us an email or give us a ring, we’ll be happy to help you out.

Security

The reporting engine runs with current user’s privileges. So don’t run the report unless you trust the author of the custom report code.

Netsparker New Release v1.1.2.3

Ferruh Mavituna — Tue, 12 Jan 2010 22:36:55 GMT

We released a new version of Netsparker, mostly improvements and bug fixes.

Use “Help > Check Updates” to get the latest version.

What’s new?

Encoder
We added a new panel called “Encoder” which allows you to encode and decode the data entered in various encodings as well as we added couple of common hashing algorithms.
During a web assessment, for attacking or just for analysing you can use this tool quickly.
Custom Reporting API
Now, Custom Reporting API documentation comes with the new installer. We also updated the sample XML report. I’ll write more about custom reports in the blog.

New Confirmation Engines

In this release we focused on confirmation engines and tried to ship all confirmation engines so you will see much less “[High Possibility]” issues and you can keep your report false positive free.

Remote Code Evaluation (RCE) Confirmation Engine Added
Now, Netsparker can confirm RCE issues.

Code Injection (CI) via LFI (Local File Inclusion) Confirmation Added
An attacker can use a LFI vulnerability and local resources (such as Apache error logs) or “/proc/ *” tricks to inject a piece of PHP code and then include and execute it.
This is not new, but now Netsparker can confirm the PHP execution as well.

Improvements

Less requests in SQL Injection engines. We tried to optimise the SQL Injection and Command Injection engines. They should produce about 15% less requests.
SQL Injection engine now has a light scan option. This will disable checks for Boolean/Blind SQL Injection in with 2 groups. However it'll speed up the scan. LightScan is enabled by default. You can disable by setting "Advanced Settings > LightSQLInjectionChecks" to "False"
Less CPU usage during passive analysis
Coverage improved. Netsparker will try to access the website without cookie support to find the special “Your browser doesn’t support cookies” page.
Mod_Negotiation engine updated. Now Netsparker has far smarter checks to identify Mod_Negotiation issues.
Cross-site scripting issues are now reported with alert() proof of concepts

Bug Fixes and Other Stuff

Parsing issues with some relative links addressed. This was affecting links beginning with a question mark (?) without a path.
Extra "&" characters in some GET requests fixed.
Some SQL Injection attacks constructed correctly to bypass weak blacklisting and filters.
An encoding problem addressed in SQL Injection exploitation. This was causing Netsparker not to encode the user's input in SQL Injection which works with POST.
Other minor fixes.

Monthly Round-Up

Ferruh Mavituna — Tue, 12 Jan 2010 08:52:28 GMT

We officially released and started to sell Netsparker, I forgot to mention in here!
Jason Haddix of Security Aegis interviewed with me about Netsparker for The Ethical Hacker Network : Interview: Ferruh Mavituna on Netsparker . Thanks a lot Jason.
Netsparker chosen as Most Promising Application Security Assessment Tool of 2009 by Security Database. It’s been only a month, so it feels great to see this.
Two Netsparker reviews: Ethicalhack3r’s Review and Pentestmonkey’s Review

False Positive Free Scanning

Ferruh Mavituna — Wed, 23 Dec 2009 12:26:44 GMT

When I tell someone that Netsparker is “False Positive Free”, they’ll stare at me and think “Well, yet another lunatic!” They never actually said that but I can read it from their faces. They won’t say much assuming I’m a mad person who claims a scanner can avoid false positives and since I’m a mad person, I can be dangerous. I assume that’s why they generally choose to be silent after that claim!

Then I ask them a simple question:

“If you can exploit a vulnerability, can that be a false positive?”

Instantly they say “No”, then another 15 seconds of silence before they realise Netsparker actually exploits the identified vulnerabilities to ensure that the vulnerability is not a false positive.

Simply put:
“If you can exploit, it can’t be false positive”. End of discussion.

Obviously you can’t exploit everything. You can’t exploit and confirm an “internal path leakage” vulnerability without actually compromising the system via another issue. You can’t be sure if the exposed error message is actually something dangerous or just a static text.[i]

However, you can exploit an SQL Injection and confirm that it’s actually an SQL Injection and not just an error page. You can actually confirm LFI by getting files out of the system, you can confirm a Cross-site Scripting issue by executing the injection in a browser and observing JavaScript events, you can confirm a Command Injection by executing code in the system and so on.

So there you go, you can confirm almost all important issues, because all important issues have a clear impact via exploitation. It’s a huge challenge to do this automatically, though. Manually a pen tester can simply figure out the structure of an SQL Injection but automatically it takes some good engine to figure that out. I’m happy to say that with Netsparker we managed to do this quite successfully.

Now False Positive Free Scanning is Real

Netsparker made false positive free reporting a reality rather than an urban legend. I’m sure other scanners will follow us. We are happy to change the world of automated application security scanning by introducing the first “False Positive Free Web Application Security Scanner”. Also another first is “Integrated Exploitation Engine”. So you get the whole package, crawl, detect, confirm and exploit.

Important Notes

We don’t claim every single issue we report is false positive free. What we claim is if Netsparker confirms an issue then it’s not a false positive and we’ll easily confirm %80 or more of the identified issues. If we can’t exploit it, it’ll still be reported as [High] or [Low] possibility depending on the other factors.

If it was a real vulnerability and Netsparker couldn’t confirm it, all you need to this contact us and we’ll fix it.

There are many issues where it’s not possible to confirm the identified issue hence we do report them as “[Possible]” so the user knows if the vulnerability has been confirmed or not. The beauty of this is that if the report says “Confirmed”, you know you can trust it. Don’t believe it? Use the integrated exploitation panels to exploit the vulnerability yourself. Generally it only takes two clicks.

[i] Although you can guess based on some indicators such as if the HTTP status is 500 and then there is higher possibility that it’s not a false-positive. Hence Netsparker will report issues as [High Possibility] or [Low Possibility] based on similar indicators.

Netsparker Videos

Ferruh Mavituna — Thu, 10 Dec 2009 17:14:49 GMT

Product Tour and some feature based videos:

Product Tour

Simple Scan

Getting a Reverse Shell

LFI (Local File Inclusion) Exploitation

IstSec 2009

Ferruh Mavituna — Tue, 08 Dec 2009 19:05:47 GMT

After AppSec DC in Washington DC, this time we are going to IstSec 2009 in Istanbul. IstSec is potentially the biggest security conference in Turkey. Mavituna Security is one of the conference sponsors and most of our team will be there.

I'll give a short talk about "Automation, Application Security and Challenges". If you'll be there as well, don't forget to stop by our booth to say hi.

OWASP AppSec DC 2009

Ferruh Mavituna — Thu, 05 Nov 2009 16:05:13 GMT

Next week I'll be speaking at AppSec 2009 in Washington DC about "One Click Ownage". This is a very practical way to get a reverse shell, reverse VNC or something like that. Basically after you find an SQL Injection in a MS SQL Server, you can carry out your own payload and run it in the target system by using one HTTP request. There are also other advantages of this such as the ability to exploit SQL Injections via CSRF attacks.

Finally I'll publish a small tool called WebRaider which allows you to automate the whole attack. All you need to do is type the URL and click the exploit button to get a reverse shell.

I'll be hanging around at the conference between the 11^th and 13^rd. See you over there, if you are attending and fancy a quick chat, drop me an email, ferruh-at-mavitunasecurity.com.

After the conference I'll be in New York for a while, if you are in that area and interested in Netsparker, do not hesitate to contact us so that we can arrange a demonstration in your office.

The Final Beta!

Ferruh Mavituna — Fri, 09 Oct 2009 01:54:04 GMT

I don't even want to write how much we coded in the last month, (actually it's illegal to work that much, so I'm not going to give you any numbers!). It was worth it though.

The latest version of Netsparker... I'm going to put this as adequately as I can "It kicks a**". You can see details in Netsparker changelog but I'll list some highlights, so you can see why it does such a thing:

Better performance (less CPU usage, improved HTTP performance and less requests).
Ridiculously good SQL injection coverage, I mean really good!.
Improved Engines: LFI and Command Injection engines improved.
New test modules such as "crossdomain.xml", "Apache server-status, server-info", "SVN disclosure", "Find backup files", "TRACE/TRACK check" and some more stuff that you hate to check but have to check.

While you can still join the beta email list, I can't promise anything about getting a beta version soon, as we have enough testers right now.

I'm planning to keep this blog busy by adding some tutorials, videos and insider information. If you are interested in Netsparker, subscribe to the RSS, or follow on twitter@netsparker or FriendFeed-Netsparker. If you are only interested in release date, you can subscribe our release newsletter and we'll let you know as soon as it's out.

We solved our name "Dilemma"

Ferruh Mavituna — Mon, 05 Oct 2009 20:17:09 GMT

Our web application security scanner was code-named "Dilemma". It was a lovely name but we had to separate our ways.

"Netsparker" is the new name. When you download the latest beta, you'll see lots of visual changes. We re-branded the whole application. It's not Extreme Makeover but you'll notice the changes.

By the way, new beta is around the corner, we're trying to squeeze some more features. Sit tight, I'll drop you an e-mail as soon as it's ready.

A new vision, a new beta, and a new beginning...

Ferruh Mavituna — Tue, 01 Sep 2009 00:17:15 GMT

It's quite hard to work on something really good, something that you are proud of and not telling anyone. Now we are over that stage and our new beta has reached more than a hundred people...

Our website is up, our beta feedback forum is alive and now we're blogging. If you don't what the heck I'm talking about don't worry I'll explain.

We've just released a nice beta of our web application security scanner, named "Netsparker". It has been in private beta for the last two years and soon it will be ready for production. Lots of lovely people wanted to get their hands on it before the final release and currently they are enjoying it.

We're not looking for new beta testers, but if you have a good reason to be a beta tester please send us an e-mail and convince us why "you'll be a great beta tester", "report lots of bugs" and "suggest amazing features".

I'm not going to make this post any longer. Subscribe to our RSS feed so you can get informed about future beta releases and details of some new features.

And be prepared for something new..