Netsparker Announces Better Coverage and Security Scanning of Single Page Applications (SPA)

Today we announced the release of Netsparker Desktop version 4.5.7 and Netsparker Cloud 20160129. With this release we are shipping a new, updated version of the DOM parser, which gives Netsparker much better coverage and scanning capabilities for single page applications (SPA) and other modern web applications that depend heavily on JavaScript.

What are the Under the Hood Improvements?

You were already able to scan single page web applications for vulnerabilities with previous versions of the Netsparker scanners. With these updates, however, we have seen a clear improvement in the coverage of both SPAs and web applications that use a lot of JavaScript. Coverage matters, because a parameter that is never crawled is never attacked: the scanner can only test input it has discovered.

The new version of the DOM parser simulates a user more accurately and handles multi-level JavaScript interactions better. For example, when it simulates a mouse click or a mouseover, it detects all of the resulting changes in the web application. Gmail works this way: when you click Compose, a new section of the application is opened with new input parameters that did not exist in the original DOM. Netsparker now handles this kind of design much better than before.

We have also improved the automatic submission of forms in web applications. In previous versions of Netsparker, the scanner only populated and submitted forms during the crawling and attacking stages, using the values specified in the Form Values section of the scan policy.

Configuring pre-defined form values in Netsparker web application security scanner

From this version onwards, Netsparker also populates and submits forms according to the rules specified in Form Values while it is analyzing client-side scripts. This means the scanner is not blocked by client-side validation (for example required-field or format checks implemented in JavaScript) that would otherwise stop a form from ever reaching the server. Since such checks are not a security control, this allows the server-side handling of those parameters to be tested, giving more thorough web security scans.

Configuring the Netsparker JavaScript Analyzer

Even though an out-of-the-box installation of Netsparker web application security scanner can scan single page applications without any problems, we have included a number of new settings that allow you to fine tune the scanner should you need to.

Configuring the DOM / JavaScript parser in a Netsparker Scan Policy

The new JavaScript Analyzer settings can be configured from the JavaScript node in a Scan Policy. Below is a list of all the options:

Load Preset Values: Use this drop down menu to select one of the scanner's built-in presets for the settings below.

DOM Load Timeout: The timeout for a page to load, including both the download time and the browser rendering time.

DOM Simulation Timeout: The timeout for the whole simulation of a single page. For a large application it may not be feasible to simulate everything on a page; parameters keep being identified until the timeout is reached, so anything not reached by then is not discovered. The value of this timeout therefore has a direct impact on both coverage and scan duration.

Interevent Timeout: This value defines how long the scanner waits for a response after triggering a DOM/JS event. During this period no other DOM/JS events are triggered by the scanner.

Max Simulated Elements: The maximum number of DOM elements the parser will simulate before it terminates the simulation of the page.

Skip Threshold and Elements to Skip: These two settings specify how many elements should be simulated (Skip Threshold) before the parser starts skipping some elements (Elements to Skip). For example, if Skip Threshold is set to 1000 and Elements to Skip is set to 10, then after simulating 1000 elements the parser will not simulate elements 1001 to 1009; element 1010 will be simulated, and the pattern repeats. The idea behind these settings is to diversify the simulation on very large pages, so that the element budget is spread across the whole page rather than spent on the first elements encountered.

Max Modified Element Depth: This setting specifies the maximum number of levels the DOM parser will follow when a DOM modification is itself triggered as the result of another simulation or modification. It acts as a form of infinite loop protection.

For example, imagine a case where clicking a button creates another button, clicking that new button creates yet another one, and so on. This depth setting lets you control how deep the simulation will go in such cases.

Generate Debug Info: When this option is enabled, the DOM parser writes diagnostic information, including data about coverage, to a log file in the scan folder. Enabling it may slow the scan down and will use some additional disk space.
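To make the interaction between Max Simulated Elements, Skip Threshold / Elements to Skip and Max Modified Element Depth concrete, here is an added illustrative model written for this article. It is not Netsparker's code: the element model, the event handling and the exact limit semantics are assumptions made for the example (the skip rule follows the 1000/10 worked numbers above, which is my reading of it). It runs the simulation against two constructed "applications": a self-spawning chain where every button click creates an input and another button (the infinite-loop case described above), and a flat page with many sibling buttons.

```javascript
// Illustrative model of DOM-simulation limits (added example, not Netsparker's code).
// Element model, event model and limit semantics are assumptions for this example.

// Constructed SPA model: every button click appends a new input parameter and a
// new button whose click does the same, so an unbounded simulation never stops.
function createSpawningApp() {
  let nextId = 1;
  const elements = [];
  function addButton(depth) {
    const id = nextId++;
    elements.push({
      id, tag: 'button', depth,
      onclick() {
        elements.push({ id: nextId++, tag: 'input', name: `field_${id}`, depth: depth + 1 });
        addButton(depth + 1); // the created button is one modification level deeper
      },
    });
  }
  addButton(0);
  return elements;
}

// Constructed flat page: n sibling buttons present on load, each revealing one
// input when clicked. Used to show the Skip Threshold / Elements to Skip rule.
function createFlatApp(n) {
  const elements = [];
  for (let i = 1; i <= n; i++) {
    elements.push({
      id: i, tag: 'button', depth: 0,
      onclick() { elements.push({ id: 1000 + i, tag: 'input', name: `param_${i}`, depth: 1 }); },
    });
  }
  return elements;
}

// Scan Policy values; the names mirror the settings above, the numbers are examples.
const DEFAULT_POLICY = {
  maxSimulatedElements: 1000,
  skipThreshold: 1000,
  elementsToSkip: 10,
  maxModifiedElementDepth: 4,
};

// Simulates every clickable element subject to the policy and collects the
// input names discovered. Returns a plain result object so it can be inspected.
function simulatePage(elements, policy) {
  const parameters = new Set(); // what the attack phase will later get to test
  let candidates = 0;           // clickable elements encountered so far (1-based)
  let simulated = 0;
  let stopReason = 'exhausted';
  // Elements appended by handlers are picked up because length is re-read each pass.
  for (let i = 0; i < elements.length; i++) {
    const el = elements[i];
    if (el.tag === 'input') { parameters.add(el.name); continue; }
    if (typeof el.onclick !== 'function') continue;
    if (el.depth > policy.maxModifiedElementDepth) continue; // infinite-loop protection
    if (simulated >= policy.maxSimulatedElements) { stopReason = 'max-simulated-elements'; continue; }
    candidates++;
    // After skipThreshold candidates only every elementsToSkip-th candidate is simulated:
    // with 1000/10, candidates 1001..1009 are skipped and 1010 is simulated.
    if (candidates > policy.skipThreshold &&
        (candidates - policy.skipThreshold) % policy.elementsToSkip !== 0) continue;
    el.onclick();
    simulated++;
  }
  return { parameters: [...parameters], simulated, totalElements: elements.length, stopReason };
}

// Stand-alone demonstration of the three limits.
console.log('depth limit 4 on spawning chain:',
  simulatePage(createSpawningApp(), DEFAULT_POLICY));
console.log('element budget 3 on spawning chain:',
  simulatePage(createSpawningApp(), { ...DEFAULT_POLICY, maxModifiedElementDepth: 100, maxSimulatedElements: 3 }));
console.log('skip threshold 5 / skip 3 on 14 flat buttons:',
  simulatePage(createFlatApp(14), { ...DEFAULT_POLICY, skipThreshold: 5, elementsToSkip: 3 }));
```

With the depth limit of 4 the spawning chain is stopped after five clicks and five parameters (field_1, field_3, field_5, field_7, field_9); the depth-5 button exists in the DOM but is never simulated. Raising the depth limit and lowering Max Simulated Elements to 3 stops the same chain after three parameters with a different stop reason. On the flat page with Skip Threshold 5 and Elements to Skip 3, buttons 1 to 5 are simulated, then only every third candidate (8, 11, 14), so 8 of the 14 parameters are found. The point for a scan policy is that each limit trades coverage for bounded scan time, and the debug log is how you see which limit was hit.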
