Sign In
Create Account
Audit the Security of Your Websites with Netsparker Web Application Security Scanner
Netsparker finds and reports web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) on all types of web applications, regardless of the platform and technology they are built with. Netsparker’s unique and dead accurate Proof-Based Scanning Technology does not just report vulnerabilities, it also produces a Proof of Concept to confirm they are not false positives. Freeing you from having to double-check the identified vulnerabilities.
Netsparker Professional Edition Full Activated
Some of the basic security tests should include testing:
SQL Injection
XSS (Cross-site Scripting)
DOM XSS
Command Injection
Blind Command Injection
Local File Inclusions & Arbitrary File Reading
Remote File Inclusions
Remote Code Injection / Evaluation
CRLF / HTTP Header Injection / Response Splitting
Open Redirection
Frame Injection
Database User with Admin Privileges
Vulnerability – Database (Inferred vulnerabilities)
ViewState not Signed
ViewState not Encrypted
Web Backdoors
TRACE / TRACK Method Support Enabled
Disabled XSS Protection
ASP.NET Debugging Enabled
ASP.NET Trace Enabled
Accessible Backup Files
Accessible Apache Server-Status and Apache Server-Info pages
Accessible Hidden Resources
Vulnerable Crossdomain.xml File
Vulnerable Robots.txt File
Vulnerable Google Sitemap
Application Source Code Disclosure
Silverlight Client Access Policy File Vulnerable
CVS, GIT, and SVN Information and Source Code Disclosure
PHPInfo() Pages Accessible and PHPInfo() Disclosure in other Pages
Sensitive Files Accessible
Redirect Response BODY Is Too Large
Redirect Response BODY Has Two Responses
Insecure Authentication Scheme Used Over HTTP
Password Transmitted over HTTP
Password Form Served over HTTP
Authentication Obtained by Brute Forcing
Basic Authentication Obtained over HTTP
Weak Credentials
E-mail Address Disclosure
Internal IP Disclosure
Directory Listing
Version Disclosure
Internal Path Disclosure
Access Denied Resources
MS Office Information Disclosure
AutoComplete Enabled
MySQL Username Disclosure
Default Page Security
Cookies not marked as Secure
Cookies not marked as HTTPOnly
Stack Trace Disclosure
Programming Error Message Disclosure
Database Error Message Disclosure
Netsparker Professional Change Log
Version 6.0 – 28th January 2021
NEW FEATURES
Added Netsparker Shark that enables Interactive Application Security Testing (IAST).
Added NIST SP 800-53 compliance classification and report template.
Added DISA STIG compliance classification and report template.
Added the OWASP ASVS 4.0 classification and report template.
Added header and footer section to customize reports.
Added an option to customize POST attacks for the Open Redirect engine.
NEW SECURITY CHECKS
Added PHP magic_quotes_gpc Is Disabled security check.
Added PHP register_globals Is Enabled security check.
Added PHP display_errors Is Enabled security check.
Added PHP allow_url_fopen Is Enabled security check.
Added PHP allow_url_include Is Enabled security check.
Added PHP session.use_trans_sid Is Enabled security check.
Added PHP open_basedir Is Not Configured security check.
Added PHP enable_dl Is Enabled security check.
Added ASP.NET Tracing Is Enabled security check.
Added ASP.NET Cookieless Session State Is Enabled security check.
Added ASP.NET Cookieless Authentication Is Enabled security check.
Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
Added ASP.NET Login Credentials Stored In Plain Text security check.
Added ASP.NET ValidateRequest Is Globally Disabled security check.
Added ASP.NET ViewStateUserKey Is Not Set security check.
Added ASP.NET CustomErrors Is Disabled security check.
Added PHP session.use_only_cookies Is Disabled security check.
Added new Blind SQL Injection attack pattern.
Added Jinjava SSTI security check.
Added Whoops Framework Detected security check.
Added CrushFTP server detected security check.
Added database error message signature pattern for Hibernate.
Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
Added Version Disclosure and Out-of-date security checks for Liferay Portal.
Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
Added detection for Varnish HTTP Cache Server.
Added detection for SonicWall VPN.
Added detection for Play Web Framework.
Added detection for Private Burp Collaborator Server.
Added detection for LiteSpeed Web Server.
Added detection for JBoss Enterprise Application Platform.
Added detection for JBoss Core Services.
Added detection for WildFly Application Server.
Added detection for Oracle HTTP Server.
Added version disclosure Daiquiri security check.
IMPROVEMENTS
Added Wordlist Entries feature to the Resource Finder security check group
Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
Improved Open Redirect attack patterns.
Improved TLS 1.0 issue remediation reference.
Added WCF service support to WSDL importer.
Added a fix to reduce the possibility of an out-of-memory problem.
Added authentication support to system proxy for PAC file.
Verification dialog remembers old logout keywords.
Added scan profile information and URL to all reports.
Added bypass list for scan policy settings.
Added scan scope variables to the Pre-Request Scripts.
Added information label to the Pre-Request Script settings panel
Added a fail tolerance to Puppeteer launch.
Improved Tomcat signature patterns.
Improved authenticator not to store the plain password in the request data
Added HTTP Request Logger to authentication
Added Canada region to the Netsparker Enterprise settings
Added tooltip to the Excluded Usage Trackers feature.
Removed X-Scanner header from default scan policies
Added new sensitive comment patterns.
Revised the description of the Resource Finder checks option.
Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
Added Incremental Scan to Knowledge Base reports.
Updated Netsparker Standard splash screen.
FIXES
Fixed Lodash Identified security check signature.
Fixed WebLogic Version Disclosure security check signature.
Fixed Whoops Error Handling Framework Identified security check signature.
Fixed Zope Web Server Version Disclosure security check signature.
Fixed Grafana Version Disclosure security check signature.
Fixed ASP.NET MVC Version Disclosure security check signature.
Fixed Telerik Version Disclosure vulnerability severity to be low.
Fixed IIS Version Disclosure vulnerability severity to be low.
Fixed the grammar issues at the CSP Not Implemented report template.
Hide the scope tooltip at the manual authentication panel.
Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
Fixed the issue “link stuck error” was repeated many times in the scan logs.
Fixed the typo in the Pre-Request Scripts Menu.
Fixed a few typos in the Impact descriptions.
Fixed validating WAF settings before trying to test WAF connection
Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
Fixed directory modifiers limit usage
Fixed sending previous request headers while navigating to the Form Authentication’s latest response URL.
Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
Fixed an issue that caused DOM simulation to fail because of the null windows and elements
Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
Fixed an issue that causes raw request created without cookies
Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
Fixed the order of classification report ribbon menu.
Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
Fixed the tooltip of Send To Tasks button at the ribbon
Fixed unwanted warning on the auto authenticator
Fixed date and time zone problem on Swagger file.
Fixed null reference exception on excluded URL check.
Fixed multiple instance knowledge base render problem.
Fixed reporting style issues.
Fixed relativity of the charts in the Comparison Report.
Fixed grid showing on the logout detection screen.
Fixed scan resuming problem on unavailable host.
Fixed pop-up problem on the DOM simulation for better performance.
Fixed the logo at the Knowledge Base render error page.
Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
Fixed internet connection problem at test site configuration dialog.
Added information label to the Azure Configuration wizard.
Fixed request and response results in out-of-band vulnerabilities.
Fixed Blind SQL Injection cache issue.
Fixed wrong expiry time for cookie which occurs at DOM simulation.
Fixed the null reference exception while checking the source type.
Fixed the Basic Authentication header problem for chromium requests.
Fixed the null reference exception while getting authorization tokens.
Fixed an issue where XSLT requests are not intercepted.
Fixed Netsparker Helper Service dll not found issue.
Fixed the client certificate selection issue while logging in to the target website.
Fixed session storage problem at DOM simulation.
Fixed upload request problem that creates false positive at LFI engine.
Fixed chromium errors at authentication
Fixed the unhandled multiple choices redirect status code at requester.
Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
Fixed an issue where the form value parser was not working.
Fixed unauthorized request handling in the license view.
Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
Fixed maximum logout detection issue.
Fixed the typo in the Pre-request Scripts menu.
Fixed a few typos in the Impact descriptions.
Fixed the issue that email disclosure was reported without identified email addresses.
Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
Removed URL signature field from the phpinfo detection pattern.
Fixed Perl version disclosure pattern.
Fixed the issue that movable type cannot be detected because the app name contained whitespace.
Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
Fixed the custom script dialog title.
Fixed the signature of Python version disclosure pattern.
Fixed the issue that charset error was repeated many times in the logs.
Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
Fixed the request parsing error in TCP Requester.
Fixed the issue that header and footer were mixed up in the reports.
Fixed info icons position in the Knowledge Base reports.
Fixed the issue XSS payload was not highlighted correctly.
Fixed the typo in the base scan CLI argument.
Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
Fixed the inconsistencies in the summary page of Asana configuration wizard.
Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
Fixed the issue that search results were not highlighted correctly.
Fixed the issue that URL was not correctly encoded in Send To Action templates.
Fixed the issue request.Headers was empty in custom script API.
Fixed the issue Mithril version could not be detected.
Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
Fixed Swagger parser that caused importing object with a parent node while the object is inside an array
