I recently found out about Netsparker through Darknet. They released an update to their community edition (free). The main thing about Netsparker that caught my eye is its fundamental approach to eliminating false positives in its web application scanning. I completely agree with the developers’ approach.
The developers reasoned that if you need to investigate every single identified issue manually, what’s the point of having an automated scanner?
So I decided to check out Netsparker a little further and put it to the test. I started by running its array of scans against a few local web applications I had on my system. Most are either internal development projects or just sandbox sites I use for testing random stuff, mostly ASP.NET apps.
The majority of the scans completed rather quickly, and watching the process was somewhat entertaining. When a scan is complete, it gives you a readout not only of the vulnerabilities, but also of the actual results of each attempted attack, as well as the HTTP request/response for each transaction. It correctly identified a few of the areas I already knew about; since these were internal (some local-only) sites, I hadn’t bothered to enable all the security features.
My local sites were a good start, so I then decided to see if it could pick up some other well-known vulnerabilities. I pointed it at my DVWA VM (Damn Vulnerable Web Application). Since it is filled with quite a few vulnerabilities, I’d have a decent record of known flaws for it to test against. Netsparker did quite well, even picking out a few areas that weren’t intended in the tutorial routes for DVWA.
Overall, I was quite impressed. The fact that it actually goes and tries the attacks with some dummy data, or even data pulled from context on the site, is quite impressive. It even gives you tips or direct commands to run in order to fix some of the known issues, and where it doesn’t give specifics, it points you to the OWASP site for guidelines. I might have to look at this again and will definitely keep a reference to it in my toolbox for future endeavors.