Netsparker: The Definitive Guide

This is a complete guide to Netsparker.

In this new guide, you will learn everything there is to know about this popular DAST tool, including:

  • Key features
  • Real-life use cases
  • Advanced tips
  • Pricing and lots more

So if you want to get the most out of Netsparker, this guide is for you.

Let’s jump right in.

Netsparker Guide

CHAPTER 1:

Intro to Netsparker

What is Netsparker?

Netsparker is a web vulnerability scanner that discovers security issues on websites and APIs. 

It is one of the most popular DAST (Dynamic Application Security Testing) tools in the application security industry, and more than 3,100 companies use it worldwide.

What is Netsparker Used For?

Netsparker is mainly used to identify web application security issues like SQL Injections or Cross-site Scripting (XSS).

Netsparker Security Issues

Netsparker can also monitor the technologies used in web applications and report out-of-date technologies or known security issues with your version (this check is enabled automatically).

Netsparker Out of Date Technologies

Many organizations also integrate Netsparker into their CI/CD pipeline and scan every deployment automatically.

Netsparker SDLC Integration

When Netsparker first launched in 2009, it was just a single-instance penetration testing tool with a promising idea: Proof-Based Scanning™.

Netsparker Website in 2014

It has grown a lot over the years and recently received a $625 Million investment from Summit Partners.

Netsparker Investment News

Over that time, I've seen Netsparker grow from a single-instance web vulnerability scanner into a fully featured application security solution.

Today, Netsparker is mainly used by:

  • Startup CTOs who manage web security for their websites
  • Penetration testing companies that work with multiple clients
  • In-house security teams that run security checks on company websites and APIs
  • Security consultants who advise clients on their application security program

How much does Netsparker cost?

Netsparker pricing is based on the number of targets, and every domain and subdomain counts as a separate target.

For example, you need to buy 5 FQDN licenses to scan the targets below:

  1. https://appsecsanta.com
  2. https://api.appsecsanta.com
  3. https://dev.appsecsanta.com
  4. https://staging.appsecsanta.com
  5. http://127.0.0.1/~appsecsanta/

The minimum subscription is two years, and you can pay annually.

You can request a quote here.

CHAPTER 2:

Discovery

At first sight, the Discovery feature is easily overlooked.

Let me ask you a question:

Do you know how many websites your company has?

  • WordPress blogs
  • Temporary campaign sites
  • The internal app that the marketing team is using

This chapter will show you how to use the Discovery feature to find all your websites and more.

Discovered Websites

The Discovery feature is enabled by default, so you will already see many websites discovered when you open your Netsparker Enterprise account. 

Netsparker Discovery Feature

And it will add more every time you add a new website or change the Discovery configuration.

Netsparker Discovery Feature Settings

Netsparker uses various sources to find all public websites that possibly belong to your company:

  • Your business email domain
  • Out-of-scope links from your scans
  • Other websites hosted on the same IP
  • SSL certificates (organization name)
  • Domain keywords and second-level domains

As it is an automated process, it is far from perfect: it will bring in any other website that includes your domain name.

Netsparker Discovery Filter Options

You can filter them out.

Netsparker Discovery Filters

CHAPTER 3:

Website Groups

Website Groups is the section where you create your Netsparker management hierarchy.

You will use Website Groups for:

  • Reporting
  • Managing Roles
  • Starting Group Scans

In this chapter, I will show you real Website Group examples.

New Website

You can add your websites manually or import them from a CSV file.

Websites can belong to multiple groups; how you organize them is up to your creativity.

Netsparker Add a New Website

Some Website Group examples, grouped by:

  • Hosting
  • Technology
  • Geolocation
  • Teams
  • Priority

Netsparker Website Groups

You can use a group when you want to run a Group Scan.

Starting a Netsparker Group Scan

CHAPTER 4:

Scan Settings

Let's configure your first Netsparker scan!

Add your target, configure authentication and push “Launch!”

However, you need more than that to cover edge cases or to optimize your security scans for speed.

In this chapter, you will learn how to run scans with Netsparker like a pro.


New Scan

Netsparker Scan Settings is the most critical part of this guide, so we will go through it step by step in detail.

So let's start from the beginning!

Target URL: choose a target from the list.

Scan Profile: save your configuration to reuse later or to share with your team.

Save a Netsparker Scan Profile

Now we will go all the way through the Scan Settings.

Scan Settings

General

You configure the scan basics in the General section, which has four topics:

  • Scan Policy
  • Report Policy
  • Custom Cookies
  • Crawling

Scan Policy

You can choose from built-in policies like OWASP Top 10 or PCI Checks.

Netsparker built-in Scan Policies

Or you can create a New Scan Policy:

Create a New Netsparker Scan Policy

Some of the essential sections when creating a New Scan Policy:

Security Checks

Add or remove checks, for example to scan only for SQL Injection (Out of Band).

Security Checks in Netsparker Scan Policy

Crawling

By default, Netsparker crawls up to 2,500 pages and then stops.

You can increase the limit up to 15,000 pages.

Crawling configurations in Netsparker Scan Policy

Javascript

Use the pre-defined presets if you are scanning a Single Page Application.

You may need to increase DOM Load Timeout or Maximum Simulated Elements to include all pages in the application.

Javascript configurations in Netsparker Scan Policy

Also, to exclude specific parts of the website from the scan, you can use Exclude by CSS Selector:

Exclude by CSS feature in Netsparker Scan Policy

Attacking

To disable Proof-Based Scanning, uncheck Enable Proof Generation:

Attacking configurations in Netsparker Scan Policy

Form Values

Update the default form values that Netsparker uses when it attacks contact forms on the site.

Configure Form Values in Netsparker Scan Policy

Brute Force

Netsparker will attack authentication forms to discover whether anyone is using basic username/password combinations.

The default wordlist has 59 words.

However, you can update the wordlist and increase it to 5,000 words by using an Internal Agent or Netsparker Standard.

Configure Brute Force in Netsparker Scan Policy

Request

Configure the User-Agent that Netsparker will use, and limit the requests per second if you want to change the scan speed.

Configure Requests in Netsparker Scan Policy

HTTP Headers

Add or update the HTTP header values that Netsparker will use during the scan.

Configure HTTP Headers in Netsparker Scan Policy

Report Policy

You can create custom report templates that exclude some of the issues or add notes:

Custom Cookies

Create a custom cookie in the application and add it to Netsparker.

This lets you bypass MFA (multi-factor authentication) or CAPTCHA when you want to automate scans in the staging environment.

Add Custom Cookies in Netsparker

Imported Links

You can import sitemaps or API endpoints to include in the scan.

Import links to API Scan with Netsparker

Supported formats:

  • ASP .NET Project File – (.csproj, .vbproj)
  • Burp Saved Items – (.xml)
  • Comma Separated Values (CSV) – (.csv)
  • Fiddler – (.saz files)
  • HTTP Archives – HAR files
  • I/O Docs – (.json, .zip)
  • Netsparker Session File – (.nss)
  • OWASP ZAP – (.txt)
  • Postman – (.json)
  • RAML – (.raml)
  • Open API – (.json, .yaml, .yml)
  • Web Application Description Language (WADL) – (.wadl)
  • Web Service Definition Language (WSDL) – (.wsdl, .xml)
  • WordPress REST API – (.json)

PCI Scan

You can run a PCI DSS scan to get official PCI Compliance.

It is disabled by default, and you need to ask the sales team to enable it.

PCI Compliance Report with Netsparker

Shark (IAST)

Shark is the newest addition, and it is Netsparker's IAST module.

You need to install an agent on your web server to activate it. It supports .NET, PHP, Java and Node.js at the moment.

Netsparker Shark Feature for IAST

Benefits of using Netsparker Shark:

  • Better crawling
  • Improved accuracy
  • The exact location of the vulnerabilities in the code:

Netsparker Shark IAST Issue Report Example

Authentication

Netsparker supports 5 different authentication methods:

  • Form Authentication
  • Basic, NTLM/Kerberos
  • Header
  • Client Certificate
  • OAuth2

Form Authentication

Add the login URL and create a Persona with a username and password.

Netsparker Form Authentication Settings

Then click “Verify Login & Logout” to confirm it works.

You will see a macro running below, and it will generate a logged-in version on the left and a logged-out version on the right.

Netsparker Form Authentication Verification

Custom Script

After adding the login URL, the Custom Script button will be enabled. You can create a login sequence (macro) to authenticate multi-step or otherwise complicated login forms.

CHAPTER 5:

Technologies

Netsparker Technologies is designed to monitor all the technologies in the scanned applications.

It is enabled by default and works proactively to find out-of-date technologies or issues with your versions.

In this chapter, you’ll learn how this feature works.

Out of Date Technologies

After the first scan, it finds all the out-of-date technologies in the application.

Netsparker Out of Date Technologies Feature

It keeps monitoring proactively: if a new issue is published for that library, you will get a notification email even though you haven't run a scan.

Netsparker Out of Date Technologies Email

Netsparker can detect outdated versions of many JavaScript libraries, CMSs, web servers and database services.

You can check the complete list here.

CHAPTER 6:

Integrations

It is no secret that integrations are the key to successful DevSecOps.

We believe that any solution that doesn’t take automation into account is an incomplete solution.

In this chapter, you’ll learn about Netsparker's integration capabilities.

Netsparker Integrations

Integrating into SDLC

It is almost 2022, and “Security is Everyone's Responsibility” now.

Software development is faster than ever, and the ratio of security team to development team is 1:100 if you are lucky.

There is no way to keep up with application security without automation.

Netsparker has 7 integration topics:

1-Issue Tracking Systems

You started a scan and Netsparker found an issue.

It creates a Jira ticket for Suphi (a developer). Suphi fixes the issue and updates the ticket status to “Resolved”.

Netsparker runs a “Retest scan” and confirms whether the issue is fixed. If not, it changes the ticket status to “Reopen”.

Netsparker Integrations for Issue Tracking Systems

2-Project Management

If your team is already using Trello, there is no need to make changes.

Netsparker Integrations for Project Management Tools

3-Continuous Integration Systems

It is the way to tell Netsparker to go and scan when there is a change in the application.

Netsparker Integrations for Continuous Integration Systems

4-Communication

Netsparker Integrations for Communication Tools

Your security team can share issues via Slack.

Netsparker Integration with Slack

5-Privileged Access Management

You can utilize the access management solution that your company already uses.

Netsparker Integration for Privileged Access Management Tools

6-API

If you are using custom solutions, it is better to check out the Netsparker API. (full document

Netsparker Integration API Options

7-Vulnerability Management

It supports only ServiceNow Vulnerability Response at the moment.

Netsparker Integration for Vulnerability Management Tools

CHAPTER 7:

Netsparker Editions

There are 3 different editions of Netsparker:

  • Netsparker Standard
  • Netsparker Team
  • Netsparker Enterprise

In this chapter, I will share the details of these editions and different use cases for them.

Let’s dive right in.

What is Netsparker Standard?

Netsparker Standard is a single-instance, Windows-only web application scanning tool.

Penetration testers and cyber security engineers mainly use it for first-level vulnerability discovery before jumping into manual pentesting.

When should you use Netsparker Standard?

Netsparker Standard is a good choice, specifically if you have just a few targets and plan scans from time to time.

It has command-line interface support, so you can create some automation. However, it is not the best choice if you are planning integrations or building an SDLC.

Finally, it is essential to know that Netsparker Standard is a single-user license, so check the Team edition if multiple people will run these scans.

Netsparker Team and Enterprise

You will be buying Netsparker Enterprise when you have more than 50 targets.

Let me share some details:

  • Netsparker Team and Netsparker Enterprise include Netsparker Standard, and there is no user limit.
  • Netsparker Enterprise customers can request custom integrations
  • Netsparker Team is Cloud only (AWS US or AWS EU)
  • Netsparker Enterprise has an On-premise option (Windows only)
  • Both support internal application scanning via agents (Windows, Linux, Docker)
  • Netsparker Enterprise customers have dedicated tech support

When should you use Netsparker Enterprise?

Netsparker Enterprise is designed to scale and manage the entire dynamic scanning process.

Most of the people who love using Netsparker Enterprise:

  • have more than 50 websites
  • are integrated into the SDLC and scan every release
  • have a lot of people involved from different teams or locations
  • require custom implementation (authentication, integration)

BONUS CHAPTER:

Netsparker Pro Tips

Here’s a handful of cool things that you can do with Netsparker that I’ve picked up over the years.

Netsparker Expert Tips

Why am I getting emails from Netsparker?

If it is not your security team, most likely somebody is running a security scan on your website.

Netsparker uses invicti@example.com by default in contact forms, and during a scan it may generate dozens of emails.

If you think there is unauthorized scanning going on, contact support@netsparker.com.

How long does a typical Netsparker scan take?

It all depends on how big and complex the application is.

It usually takes 8-10 hours on average.

In any case, no scan should take more than 24 hours.

Contact support@netsparker.com for speed optimization investigations.

How to use Netsparker Custom Script Editor?

Netsparker Custom Script Editor is great when you need to configure multiple-step authentication processes.

Enter the login link, click Custom Script and create a macro with right-clicks to authenticate.

Also, confirm the logout page so Netsparker can detect when the session times out and log back in automatically.

How to scan a WAF-protected website with Netsparker?

You should whitelist Netsparker in your firewall settings. Otherwise, you will just be testing your firewall, which is not a good idea.

As there are various ways to bypass firewalls in a real attack scenario, it is better not to rely on firewalls alone when discussing application security.

There are multiple ways to whitelist Netsparker for your firewall:

a- Whitelist by IP Address

Netsparker AWS (US): 

54.88.149.100
54.85.169.114

Netsparker AWS (EU):

3.121.126.156
3.122.64.138

b- Whitelist by Authentication Header

You can add a custom authentication header value and use it in your firewall configurations to whitelist.

Whitelist Netsparker in your firewall
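As an added illustration (not code from the guide or from Netsparker), here is how a WAF hook could combine both whitelisting methods above: the scanner egress IPs listed in the guide, plus a shared authentication header. The header name X-Scanner-Token is an assumption; the token value is whatever you configure in the HTTP Headers scan setting and on the firewall side.

```python
import hmac
import ipaddress

# Scanner egress addresses from the guide above (Netsparker AWS US and EU).
SCANNER_IPS = {
    "54.88.149.100", "54.85.169.114",   # AWS (US)
    "3.121.126.156", "3.122.64.138",    # AWS (EU)
}

# Hypothetical header name: configure the same header and value in
# Netsparker's HTTP Headers scan setting.
ALLOWLIST_HEADER = "x-scanner-token"


def scanner_allowed(remote_ip, headers, secret):
    """Return True if the request should skip WAF blocking for the scanner.

    remote_ip: client address as seen by the WAF itself (not a client-supplied
               X-Forwarded-For value, which anyone can forge).
    headers:   request headers as a dict (matched case-insensitively).
    secret:    shared token; an empty secret disables the header method.
    """
    # Method a: source IP allowlist. Reject malformed addresses outright.
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    if str(addr) in SCANNER_IPS:
        return True

    # Method b: shared authentication header, compared in constant time so
    # the token cannot be recovered byte by byte from response timing.
    if not secret:
        return False
    normalized = {k.lower(): v for k, v in headers.items()}
    token = normalized.get(ALLOWLIST_HEADER, "")
    return hmac.compare_digest(token.encode(), secret.encode())
```

Everything else falls through to the normal WAF rules, so a request from an unknown address without the correct token is still inspected.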

Conclusion

I hope you enjoyed my new guide to Netsparker.

Now I’d like to hear from you: 

Do you already use Netsparker? If so, what’s your favourite feature?

Let me know by leaving a comment below right now.

We will be happy to hear your thoughts

AppSec Santa