How to Do a Controlled Web Security Scan with Netsparker Desktop

What is a Controlled Web Security Scan?

The controlled scan feature in Netsparker Desktop allows you to scan a single page or parameter for a specific set of vulnerability checks. A controlled scan can be launched during or after an automated web vulnerability scan, though it is mostly used when crawling a web application manually or when using the Crawl and Wait feature.

As an example, this document explains how to scan a single parameter after automatically crawling a web application. The same concept can be applied to any type of scan.

Scanning a Single Parameter for Vulnerabilities on a Web Application

1. Crawl the Website

Once you launch Netsparker Desktop, specify the target URL in the Start a New Website or Web Service Scan dialog and select Crawl and Wait from the drop-down menu of the scan button.

Select the Crawl and Wait option to automatically crawl but not scan a website for vulnerabilities.

When using this method, the scanner will ONLY crawl the website and will report only issues that are noticed during the crawl, such as credentials being sent in clear text.

2. Select the Parameter to Scan

Once the web application has been crawled (or even before the crawl finishes), find the page or parameter that you would like to scan, right-click it and select Controlled Scan.

Highlight a parameter, right-click it and select Controlled Scan to scan it

3. Configure and Launch the Controlled Scan

Once the controlled scan interface is launched, you can select which types of vulnerability checks you would like to run. If you select a page with multiple parameters, you can also choose which of those parameters should be scanned during the controlled scan. Once ready, click the Scan button to launch the controlled scan.

Select which vulnerability checks should be used during the controlled scan

If vulnerabilities are found during the controlled scan, they are reported like any other vulnerability: they are added to the list of Issues in the bottom window and also under the vulnerable file in the Sitemap, as shown in the screenshot below.

The identified vulnerabilities are reported the same way as the others

Retesting a Single Vulnerability

Related to the same subject, if you would like to retest a single reported vulnerability, you can do so by finding the vulnerability in the Sitemap or in the list of Issues and selecting Retest, as shown in the screenshot below. If the vulnerability has been fixed, it will be shown struck through.

Retest a single vulnerability
