Netsparker Web Application Security Scanner
Audit the Security of Your Websites with Netsparker Web Application Security Scanner
Netsparker finds and reports web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) on all types of web applications, regardless of the platform and technology they are built with. Netsparker’s unique and dead accurate Proof-Based Scanning Technology does not just report vulnerabilities, it also produces a Proof of Concept to confirm they are not false positives, freeing you from having to double-check the identified vulnerabilities.
Advantages of automated tools
Automated web application security tools work fast. This is probably the biggest advantage you can get from automated web application security tools. During security testing, SDLC security testing, or any other security assessment, a fully manual approach almost always requires more time than an automated approach. The price you pay? A false sense of security. Automated tools are useful during preliminary security assessment and even for ruling certain types of vulnerabilities out, but don’t expect them to cover every single case. Properly integrated into the SDLC, automated security tools give developers an option to quickly test their code for the vast majority of technical vulnerabilities.
Manual testing cannot possibly cover everything during the (usually) limited time dedicated to security testing. Automated application security testing scores better at locating the most common application-layer vulnerabilities and far better at code error detection, dead code detection and detection of other flaws that can lead to buggy software. You can eliminate a huge number of reported vulnerabilities and code problems in a very short amount of time. The price you pay? A false sense of security. It is advisable not to rely exclusively on these tests. They are a part of your security assessment, not the only part. 0days, logical and other vulnerabilities may still exist in your code.
As web application security is relatively new, there is still a major gap between the number of jobs that are available and the number of highly qualified people to fill them. Skilled personnel are still pretty hard to find. This issue also overlaps with another problem. Using human resources for security testing requires the security team to know an application inside-out. More often than not, your security team will not be in complete sync with your developers. This can lead to a wide range of human errors. With automated web application security testing, fewer personnel are needed to perform scanning and analysis. Security reports are generated automatically and results can be easily exported to a user-defined format. ‘The build’ can also be halted when a medium or severe level vulnerability is detected – something that can be pre-defined by your security team. Running automated tools is a relatively simple task and usually easier than doing a complete manual test. A manual penetration test obviously requires an expert or a team of experts, depending on the complexity of your application.
If implemented right, automated web application security testing enables the detection and mitigation of application layer vulnerabilities early in the software development life cycle. This saves your organization a lot of time, system and network resources and money. There is also no need to employ extra workers just to perform additional security testing. As long as you have security-aware and knowledgeable developers, implementing automated web application security testing during the SDLC is by far the best way to increase your ROI. This is also the best and most preferable way of implementing automated web application security scanners in your organisation. The price you pay? A large initial investment. Also, finding the right people can be… tricky… and time-consuming.
As we can see, automated web application security assessment tools have their place in web application security – and they can be very useful and valuable if implemented right. But what does that really mean? Well, for one it means that they are a tool in your arsenal, just not ‘the tool’. We can divide this ‘security’ into three sections, three types of entities that are using these tools:
- Entities that are developing their own product
This is the place where automated tools really shine. As a part of the SDLC, properly implemented automated tools and security testing procedures can be a very powerful ally. They can help detect and quickly eliminate the vast majority of obvious vulnerabilities that your developers introduced while they were rushing to deliver a functional PoC. The incremental and partial security scans available in Netsparker are a perfect example. Developers in, let's say, an agile environment can quickly test blocks of their code against a predefined set of vulnerabilities and correct those errors right away. After all, they already know how the code works and they are familiar with the code logic. Seamless integration of these tools and an attack on the programmers' ego are usually a winning combination. Seamless integration can be a major problem here (speaking as a former developer). If your developers have to learn to use two or three additional complex tools that are unrelated to their coding skills, they will complain. Fortunately, some tools like the Netsparker Cloud API can integrate security testing into the SDLC automatically. Security tests can be predefined and maintained in a separate environment, allowing the security testing team to dedicate their time to more exotic and/or recently discovered vulnerabilities.
- Entities that are using someone else's product
Using someone else's product is always a tricky thing, no matter how big the software package is or who it comes from. Usually the bigger the software package is, the more vulnerabilities it introduces. There’s an additional layer of problems here too. Many times, some company X will develop a closed source application where your team will not have the ability to inspect the code more closely or to perform any kind of source code change – mostly because of the licensing model. Automated tools can be used in this setup with limited and variable success. Automated tools can test your applications for all known vulnerabilities and provide an initial estimate of how many ‘real’ vulnerabilities are really present in that package. Other than that, you are usually left on your own or at the mercy of the company that developed the package. The bigger the company is, the smaller you are. The company may decide to respond to your vulnerability reports or to ignore them. Patches and security fixes may or may not be available for your product. This is the main disadvantage of these products. This does not mean that automated tools are not useful in these situations. However, the cost of your security assessment will continuously and linearly grow – especially if you decide/have to do a black box type of assessment or to reverse the code. You can also use automated security testing tools to do some form of preliminary security assessment that can (or may) influence your decision of whether or not you will use a certain tool or package. Automated testing can provide an insight into how good the development team behind some software package really is – by looking at the amount of known vulnerabilities in that package. All of this is valuable information for someone who is trying to determine whether or not to use some software package.
At the end, as a bottom line, due to the limited scope of these tests and the inability to perform deep code inspection, apart from a reasonable baseline expectation of security, you and your clients will almost always stay vulnerable to one or more attacks.
- Entities that are doing or selling security testing services
Automated web application scanners are also very useful for penetration testers during the reconnaissance and information gathering phase of their security assessment. Automated tools can perform initial security tests and provide a treasure trove of valuable information to security professionals who are looking for weaknesses in some environment. Penetration testers can rule out or confirm many previously reported vulnerabilities and provide easy-to-read reports for upper management – or export data to other security tools. Much of this testing process can be too noisy for black-box testing and it can trigger a WAF or other security mechanisms. The preferable use case is white-box security testing in a development environment.
So, how do you decide?
If you ask two penetration testers which web application security scanner is better you will get two different answers. Every web vulnerability scanner has its own benefits and what works for one company will not necessarily work for another company. So how do you decide which web application security scanner to use?
The most typical general requirements are:
- Automate most of the tasks; there are several advantages to automating the identification of web application vulnerabilities.
- Lower the costs of web application security by doing in-house scanning rather than hiring an expensive penetration tester or service.
- Increase the coverage; as opposed to a penetration tester, an automated web application security scanner has an extensive set of heuristic web vulnerability checks that are frequently updated by a number of researchers and security experts. This allows users to identify all types of web application vulnerabilities in custom-made web applications. Some scanners also have a vulnerability database for known web applications, which also comes in handy if your business or customers are using such web applications.
In short, automated web application security scanners are mostly required to save time and to ensure that most technical web vulnerabilities are identified.
Some of the basic security tests should include testing:
- SQL Injection
- XSS (Cross-site Scripting)
- DOM XSS
- Command Injection
- Blind Command Injection
- Local File Inclusions & Arbitrary File Reading
- Remote File Inclusions
- Remote Code Injection / Evaluation
- CRLF / HTTP Header Injection / Response Splitting
- Open Redirection
- Frame Injection
- Database User with Admin Privileges
- Vulnerability – Database (Inferred vulnerabilities)
- ViewState not Signed
- ViewState not Encrypted
- Web Backdoors
- TRACE / TRACK Method Support Enabled
- Disabled XSS Protection
- ASP.NET Debugging Enabled
- ASP.NET Trace Enabled
- Accessible Backup Files
- Accessible Apache Server-Status and Apache Server-Info pages
- Accessible Hidden Resources
- Vulnerable Crossdomain.xml File
- Vulnerable Robots.txt File
- Vulnerable Google Sitemap
- Application Source Code Disclosure
- Silverlight Client Access Policy File Vulnerable
- CVS, GIT and SVN Information and Source Code Disclosure
- PHPInfo() Pages Accessible and PHPInfo() Disclosure in other Pages
- Sensitive Files Accessible
- Redirect Response BODY Is Too Large
- Redirect Response BODY Has Two Responses
- Insecure Authentication Scheme Used Over HTTP
- Password Transmitted over HTTP
- Password Form Served over HTTP
- Authentication Obtained by Brute Forcing
- Basic Authentication Obtained over HTTP
- Weak Credentials
- E-mail Address Disclosure
- Internal IP Disclosure
- Directory Listing
- Version Disclosure
- Internal Path Disclosure
- Access Denied Resources
- MS Office Information Disclosure
- Auto Complete Enabled
- MySQL Username Disclosure
- Default Page Security
- Cookies not marked as Secure
- Cookies not marked as HTTPOnly
- Stack Trace Disclosure
- Programming Error Message Disclosure
- Database Error Message Disclosure
Netsparker includes a number of built-in features that are designed to optimize the scanning process, like:
- User-Selectable Parsing Engines
- Intelligent Test Bypass
One of the things that is very important but often missing from other web application scanners is integration with other tools. Netsparker is currently able to import session data from Fiddler, Paros, Burp and other popular proxies and tools. Tools that currently interoperate with Netsparker include: Metasploit, Metasploit Express, Metasploit Pro, Threadfix Vulnerability Manager, Kenna Security Vulnerability & Risk Intelligence (previously Risk I/O Vulnerability Dashboard), LunarLine Vulnerability Scan Converter and Dradis Framework.
Netsparker supports the following authentication methods:
- SSL Client Certificate Authentication
Netsparker can scan the following type of web services:
- WSDL 1.1
- SOAP 1.1 and 1.2
- REST API (read about REST support)
This web application security scanner will also automatically detect and properly handle custom 404 error pages, and can automatically detect and report vulnerabilities in them. Netsparker scanners will heuristically detect URL Rewrite patterns and automatically configure themselves to properly crawl and scan all the parameters on the target web applications. If you want to configure your own URL Rewrite rules you can override the automation and configure them via a user-friendly wizard.
Finding and confirming security vulnerabilities is only a part of the story. You also need to visualize the vulnerability yourself, keep track of the security state of the target web application, and share your security findings with colleagues, developers and management. With Netsparker Web Application Security Scanner you can generate professional reports, as well as design your own custom reports.
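The custom 404 handling mentioned above, illustrated with an added example that is not Netsparker's code: a scanner cannot trust status codes alone, because many sites answer unknown paths with a 200 "soft 404" page, so it first requests a few random, surely nonexistent paths, fingerprints the consistent reply, and later rejects any "discovered" page that matches the fingerprint. The `Response` class and all sample responses here are constructed.

```python
import difflib
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def normalize(body: str) -> str:
    # Mask parts of an error page that legitimately vary per request (the echoed
    # path, any numbers, whitespace) so the same template compares as equal.
    body = re.sub(r"/[\w./-]*", "/PATH", body)
    body = re.sub(r"\d+", "N", body)
    return re.sub(r"\s+", " ", body).strip()


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def build_fingerprint(probes, threshold=0.9):
    # probes: responses to several random nonexistent paths.
    # Returns None when the server already uses a real 404 status (nothing to
    # learn) or when the replies are too inconsistent to fingerprint safely.
    if all(r.status == 404 for r in probes):
        return None
    base = probes[0]
    for r in probes[1:]:
        if r.status != base.status or similarity(base.body, r.body) < threshold:
            return None
    return {"status": base.status, "body": base.body, "threshold": threshold}


def is_real_page(resp, fingerprint):
    # A response only counts as a discovered resource if it is not the
    # custom error page; without a fingerprint, fall back to the status code.
    if fingerprint is None:
        return resp.status != 404
    if resp.status != fingerprint["status"]:
        return resp.status < 400
    return similarity(resp.body, fingerprint["body"]) < fingerprint["threshold"]


# Constructed sample traffic: a site that answers every unknown path with 200.
PROBES = [
    Response(200, "<h1>Oops</h1><p>Page /zq81kd.html was not found. Error 404</p>"),
    Response(200, "<h1>Oops</h1><p>Page /x7p3m2.php was not found. Error 404</p>"),
    Response(200, "<h1>Oops</h1><p>Page /admin-9f2k was not found. Error 404</p>"),
]
FINGERPRINT = build_fingerprint(PROBES)
ADMIN = Response(200, "<h1>Admin console</h1><form action=/login>...</form>")
FAKE = Response(200, "<h1>Oops</h1><p>Page /backup.zip was not found. Error 404</p>")
```

`is_real_page(ADMIN, FINGERPRINT)` is true while `is_real_page(FAKE, FINGERPRINT)` is false, so a brute-forced path that merely returns the error template is not reported as an accessible resource.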
Once a web application security scan is complete, results may be output to professional reports using rich report templates such as Detailed Scan Report, Comparison Report and OWASP Top 10 Report.
Management can also produce comparison and trending reports to get a good overview of the security progress of a web application or a specific project, or generate PCI compliance reports to ensure that the target web application is PCI compliant.
Reports can be exported to common file formats such as HTML and PDF.
Vulnerability Details & Exploitation
One of the cornerstones of Netsparker’s design is its ability to automatically exploit suspected vulnerabilities in a safe and read only way, proving them beyond doubt and reporting no false positives. Netsparker has been designed from the ground up to exclusively support this option and is currently the only web application security scanner with an integrated exploitation engine. By exploiting detected vulnerabilities in a safe and non-destructive manner, Netsparker is often able to yield additional detail about security vulnerabilities that are completely undetected by conventional security scanning techniques. It is, in most cases able to conclusively prove that an identified web application vulnerability is real and also generates either a Proof of Exploit or Proof of Concept. In cases when such confirmation is not possible, the vulnerability will be marked as “Possible”.
For most detected vulnerabilities you will also get:
- Detailed Vulnerability Specifications
- Vulnerability Technical Details
- Proof of Exploit or Concept
- Remedy And Web Links References
- Exploitation of SQL Injection Vulnerabilities
- Exploitation of LFI (Local File Inclusion) Vulnerabilities
- Downloading source code of all crawled pages via LFI (Local File Inclusion)
- Downloading known OS files via LFI (Local File Inclusion)
- Exploitation of Remote Code Evaluation
- Obtaining a reverse shell from exploiting SQL Injection, Remote File Inclusion and other vulnerabilities
- Cross-site Scripting PoC generation
One of the options that we really liked was how much control we can have over the scanning process. Netsparker offers a wide range of manual overrides, enabling us to fine-tune our security scans to many different scenarios. We could then browse our web site through the built-in proxy server, which automatically adds URLs to the scan session's site map; these can then be used in a ‘controlled scan’ in which we could fine-tune the vulnerability tests. True awesomeness!
Software License : Professional Edition License ( All Options )
Price : $
Discount : 100% OFF