What You Need to Know Before Launching a Web Security Scan

Warning: Do not scan a website without proper authorization. Scanning a website without authorization is against the law. Netsparker Limited is not responsible for such actions and cannot be held responsible for potential damage to the target website.

1. Netsparker Cloud and Netsparker Desktop are false positive free web application security scanners that automatically detect vulnerabilities such as XSS and SQL Injection by attacking the web application. This means the scanners have to identify every attack surface on the website. To do so, the crawler navigates the entire website and submits every form it finds, including comment forms, email contact forms, delete buttons and all other types of input on the target web application. In practice a scan can therefore post comments, send emails or trigger deletions on the target, which is why the exclusion options described below exist.

Preventing Netsparker Desktop from Testing Certain Pages

To prevent Netsparker Desktop from crawling and testing certain parts or pages, specify them in the Exclude URLs with RegEx option in the Scope section, as shown in the screenshot below. For more detailed information on how to exclude specific parts of your website from a web security scan, please refer to the support FAQ on excluding URLs.

Exclude pages from Netsparker Desktop

Preventing Netsparker Cloud from Testing Certain Pages

To prevent Netsparker Cloud from crawling and testing certain parts or pages, specify them in the Exclude URLs with RegEx option in the scan options, as shown in the screenshot below.

Excluding pages from Netsparker Cloud scan
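Both the Desktop and Cloud exclusion options above take regular expressions, and a pattern that is too loose will silently drop pages you wanted tested while one that is too tight leaves a destructive endpoint in scope. The following is an added example (not Netsparker documentation or product code) that checks a set of exclusion patterns against a constructed list of discovered URLs before a scan is launched. It assumes, for illustration, that patterns are matched against the full URL using Python's re module; Netsparker is a .NET product, so confirm the exact matching rules and regex dialect in the product documentation, although the simple constructs used here (anchors, character classes, alternation) behave the same in both engines. The hostname and paths are made up.

```python
import re

# Constructed sample of URLs a crawler might discover on a target application.
# Illustrative only; not taken from any real site.
DISCOVERED_URLS = [
    "https://app.example.com/",
    "https://app.example.com/products?id=42",
    "https://app.example.com/account/delete",
    "https://app.example.com/account/undelete",
    "https://app.example.com/blog/post/7/comment",
    "https://app.example.com/contact",
    "https://app.example.com/contact-us/thanks",
    "https://app.example.com/logout",
    "https://app.example.com/admin/users/3/delete?confirm=1",
]

# Exclusion patterns, each tested against the full URL (assumption, see lead-in).
# '^' anchors to the scheme and host; '(?:[/?#]|$)' requires the path segment
# to end there, so '/contact' does not also swallow '/contact-us/thanks'.
EXCLUDE_PATTERNS = [
    r"^https://app\.example\.com/logout(?:[/?#]|$)",                 # kills the session
    r"^https://app\.example\.com/contact(?:[/?#]|$)",                # sends real email
    r"^https://app\.example\.com/blog/post/\d+/comment(?:[/?#]|$)",  # public comment form
    r"^https://app\.example\.com/(?:[^?#]*/)?delete(?:[/?#]|$)",     # any .../delete action
]

# A naive pattern for comparison: it also matches 'undelete', which would
# remove a legitimate, non-destructive page from the scan.
NAIVE_DELETE_PATTERN = r"delete"


def compile_exclusions(patterns):
    """Compile once so a malformed pattern fails here, not mid-scan."""
    return [re.compile(p) for p in patterns]


def partition_urls(urls, compiled):
    """Split URLs into those that stay in scope and those excluded.

    Returns (scanned, excluded) where excluded maps url -> the pattern that hit.
    """
    scanned, excluded = [], {}
    for url in urls:
        hit = next((rx.pattern for rx in compiled if rx.search(url)), None)
        if hit is None:
            scanned.append(url)
        else:
            excluded[url] = hit
    return scanned, excluded


def urls_matching(urls, pattern):
    """All URLs a single pattern would exclude; handy for spotting over-broad rules."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


if __name__ == "__main__":
    scanned, excluded = partition_urls(DISCOVERED_URLS, compile_exclusions(EXCLUDE_PATTERNS))
    print("Still in scope:")
    for u in scanned:
        print("  ", u)
    print("Excluded:")
    for u, pat in excluded.items():
        print("  ", u, "<-", pat)
    print("Over-broad naive pattern would also exclude:",
          urls_matching(DISCOVERED_URLS, NAIVE_DELETE_PATTERN))
```

Run it against the real crawl output of a first pre-production scan (the list of discovered URLs) and adjust the patterns until the excluded set contains exactly the destructive or side-effecting endpoints and nothing else; the anchored delete pattern above excludes every `.../delete` action, including one with a query string, while leaving `/account/undelete` in scope.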

2. A web security scan consists of two phases: the crawling phase, where the crawler browses the whole web application to identify all attack surfaces, and the scanning phase, where the scanner starts attacking the website. During both phases the scanner sends a large number of HTTP requests to the target. Should the scan affect the performance of your website, you can decrease the number of concurrent connections in the scan policy:

  • In Netsparker Desktop, open "Tools > Scan Policy Editor > HTTP" to do this. You can also reduce the number of concurrent connections on the fly during a scan.
  • In Netsparker Cloud, go to "Policies > Scan Policies > Edit Policy/New Scan Policy > HTTP Request"

Recommended Practice

Netsparker scanners are designed to perform non-destructive web application security scans. Even so, we recommend launching scans against a pre-production copy of the website whenever possible, especially at the beginning. Once you are used to Netsparker and have the configuration right (in particular the exclusions and connection limits described above), scanning a production website is fine.

Netsparker Support and Documentation

Professional Support is available to all customers and trial users. If you run into any kind of problem, or if something is unclear, please do not hesitate to get in touch with the support department by emailing support@netsparker.com; we will get back to you as soon as possible.

Refer to our Netsparker Support pages for detailed product documentation, tutorials, FAQs and other support related documentation.

Stay Secure!