What are the Under the Hood Improvements?
We have also improved the automatic submission of forms in web applications. In previous versions of Netsparker, the scanner was only populating and submitting a form during the crawling and attacking stages, using the details specified in the Form Values section of the scan policy.
From this version onwards, Netsparker will also populate and submit forms according to specified rules in the Form Values, even when analyzing client-side scripts. This means that it can bypass client-side checks, allowing it to do more thorough web security scans.
Even though an out-of-the-box installation of Netsparker web application security scanner is able to scan SPA applications without any problems, we included a number of new settings that allow you to fine-tune the scanner, should you need to.
Load Preset Values: Use this drop-down menu to select one of the scanner's built-in settings presets.
DOM Load Timeout: This is the timeout for the page to load, including the downloading and browser rendering time.
DOM Simulation Timeout: This is the timeout for the whole simulation operation of a single page. In the case of a large application it might not be feasible to simulate all of the application, since parameters are typically still being identified when the timeout is reached. The value of this timeout can have an impact on the scan duration.
Interevent Timeout: This value defines how long the scanner should wait for a response after triggering a DOM/JS event. During this period no other DOM/JS events will be triggered by the scanner.
Max Simulated Elements: This value defines the maximum number of simulated DOM elements the parser will simulate before terminating the simulation for this page.
Skip Threshold and Elements to Skip: These two settings are used to specify how many elements should be parsed (Skip Threshold) before the parser starts skipping (Elements to Skip) some elements. For example, if the Skip Threshold is set to 1000 and Elements to Skip is set to 10, after simulating 1000 elements, the parser will not simulate elements 1001 to 1009. Element 1010 will be simulated. The idea behind these settings is to diversify the simulation.
Max Modified Element Depth: This setting specifies the maximum number of levels the DOM parser should follow when a DOM modification is triggered as a result of another simulation or modification. This can be used as a form of infinite loop protection.
For example, imagine a case where a button is clicked and another button is created. When this new button is clicked it creates another one, and so on. This depth setting allows you to control the maximum depth that the simulation will go to in such cases.
Generate Debug Info: When this option is enabled, the DOM parser will write the diagnostics information to a log file in the scan folder, including data about the coverage. When this option is enabled, the scan may be slowed down and will use some additional disk space.
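As an added illustration (not Netsparker's code), the Python below models how the Max Simulated Elements, Skip Threshold / Elements to Skip and Max Modified Element Depth settings described above bound the DOM simulation of a constructed page in which every clicked button creates new buttons. The skip rule keeps every Elements-to-Skip-th element once the threshold is passed, which is one reading consistent with the 1001-1009 / 1010 example in the text; the class and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DomSimulationBudget:
    """Hypothetical model of the DOM parser limits discussed above (assumed names)."""
    max_simulated_elements: int = 20000
    skip_threshold: int = 1000
    elements_to_skip: int = 10
    max_modified_element_depth: int = 5

    def should_simulate(self, element_no: int) -> bool:
        """Decide whether the n-th (1-based) discovered element gets simulated.
        Up to the threshold everything is simulated; past it only every
        elements_to_skip-th element is kept, so with 1000/10 the elements
        1001-1009 are skipped and 1010 is simulated, as in the text."""
        if element_no <= self.skip_threshold:
            return True
        return (element_no - self.skip_threshold) % self.elements_to_skip == 0


def simulate_page(budget: DomSimulationBudget, spawns_per_click: int) -> dict:
    """Breadth-first walk of a constructed page: 5 initial buttons, and each
    simulated click creates `spawns_per_click` new buttons one level deeper
    (the self-replicating case the depth limit protects against)."""
    queue = [(f"button-{i}", 0) for i in range(1, 6)]  # (name, modification depth)
    element_no = simulated = skipped = depth_cut = 0
    # Max Simulated Elements: stop the page simulation once the cap is reached.
    while queue and element_no < budget.max_simulated_elements:
        name, depth = queue.pop(0)
        element_no += 1
        if not budget.should_simulate(element_no):
            skipped += 1  # Skip Threshold / Elements to Skip
            continue
        simulated += 1
        if depth + 1 > budget.max_modified_element_depth:
            depth_cut += 1  # Max Modified Element Depth: do not follow deeper
            continue
        for k in range(spawns_per_click):
            queue.append((f"{name}.{k}", depth + 1))
    return {"discovered": element_no, "simulated": simulated,
            "skipped": skipped, "depth_cut": depth_cut}
```

Lowering the depth limit or the element cap is what turns an otherwise unbounded chain of generated buttons into a finite, predictable simulation.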