How to Create Reports with Netsparker Custom Reporting API

Category: Product Docs & FAQS - Last Updated: Wed, 11 Jan 2017 - by Onur Yılmaz

I'll try to write a new tip or tutorial here every week. Let's start with Netsparker's custom reporting API.

How does it work?

At start-up, Netsparker scans for C# code files (*.cs) in the R" directory, which is located within the Resources sub-directory of the Netsparker data directory (by default, this resides in the current Windows user's Documents/My Documents directory).


Scripting Language

Netsparker's scripting language is C#. Even if you haven't coded in C# before, it shouldn't be a problem. It's pretty easy to make simple changes.

Here is a sample custom report:

<%@ Assembly Name="MSL.Common" %>
<%@ Assembly Name="MSL.Core" %>
<%@ Assembly Name="MSL.Extensibility" %>
<%@ Assembly Name="System.Data" %>
<%@ Import NameSpace="MSL.Core" %>
<%@ Import NameSpace="MSL.Core.Entities.Vulnerability" %>
<%@ Import NameSpace="MSL.Core.Configuration" %>
<%@ Import NameSpace="MSL.Core.Data.Resources" %>
<%@ Import NameSpace="System.Linq" %>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Collections" %>
<%@ Import NameSpace="System.Collections.Generic" %>
<%@ Import NameSpace="System.Security" %>
<%@ Argument Name="vulns" Type="Array" %>
<%@ Argument Name="settings" Type="ScanSettings" %>
<?xml version="1.0" encoding="utf-8" ?>
<netsparker generated="<%=DateTime.Now.ToString()%>">
<%
// Sort vulnerabilities based on their severity, Type, confirmation and rating
var sortedVulns = from IVulnerabilityView v in vulns
                  orderby v.Severity descending, v.Order ascending, v.Type ascending, v.IsConfirmed descending, v.Certainty descending
                  where v.Visibility != VulnerabilityVisibility.Hidden
                  select v;
foreach(Vulnerability vuln in vulns){
%>
    <vulnerability confirmed="<%=vuln.IsConfirmed.ToString()%>">
<%
    // Emit each custom field, escaping the value so it cannot break the XML
    foreach(var cField in vuln.CustomFields){
%>
        <info name="<%=cField.Key%>"><%=SecurityElement.Escape(cField.Value.Value)%></info>
<%
    }
%>
    </vulnerability>
<%
}
%>
</netsparker>


This will generate an XML file which includes:

  • All vulnerabilities
  • Vulnerable Parameter and type (GET/POST)
  • Vulnerability Details
  • Confirmation Status
  • Extra exploitation data
  • Scan time
  • Vulnerability severity etc...

You can add more details into the reports or customise them as much as you want.
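When you add fields to a report, escape anything that originates from the scanned site, as the sample does with SecurityElement.Escape. The following standalone C# console program is an added example, not part of Netsparker's sample report or API; the class name, helper names and the field key and value are constructed for illustration. It renders one info element with and without escaping and checks whether an XML parser can read the result back.

```csharp
using System;
using System.Security;
using System.Xml;

// Added example: standalone console program, not Netsparker code.
static class ReportEscapingDemo
{
    // Renders one <info> element the way a report template would,
    // with or without SecurityElement.Escape on the dynamic parts.
    static string RenderInfo(string key, string value, bool escape)
    {
        if (escape)
        {
            key = SecurityElement.Escape(key);
            value = SecurityElement.Escape(value);
        }
        return "<vulnerability><info name=\"" + key + "\">" + value + "</info></vulnerability>";
    }

    // Returns the value an XML consumer reads back, or null if the
    // rendered report is not well-formed XML.
    static string ReadBack(string xml)
    {
        try
        {
            var doc = new XmlDocument();
            doc.LoadXml(xml);
            return doc.SelectSingleNode("/vulnerability/info").InnerText;
        }
        catch (XmlException)
        {
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample data: text echoed from a scanned page
        // routinely contains markup, quotes and ampersands.
        string key = "Proof \"URL\"";
        string value = "<title>Login & Register</title>";

        string raw = RenderInfo(key, value, false);
        string safe = RenderInfo(key, value, true);

        Console.WriteLine("unescaped parses: " + (ReadBack(raw) != null));
        Console.WriteLine("escaped parses:   " + (ReadBack(safe) != null));
        Console.WriteLine("round-trips:      " + (ReadBack(safe) == value));
    }
}
```

The demo escapes the attribute value as well as the element text, because a quote in an unescaped attribute breaks the document just as a stray angle bracket does.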


The detailed API documentation is in the Documentation folder of the Netsparker installation folder (C:\Program Files (x86)\Netsparker\Netsparker\Resources\Documentation\NetsparkerReportingAPI.chm).

Defining the extension of the report

The name of the ".cs" file is shown under the Reporting menu. When the user clicks it, the generated report uses the extension taken from the custom report file name.

For example:

  • "Vulnerabilities List (XML).xml.cs" - File extension will be "xml"
  • "Vulnerabilities List (XML).html.cs" - File extension will be "html"

Testing the code

You don't need to restart Netsparker every time you change the source code of your report. After Netsparker has added it to the report menu once, all you need to do is run it again. If it fails to compile, Netsparker will let you know with an error message.

Sample Code

A sample report called Vulnerabilities List (XML).xml.cs ships with Netsparker. It is a simple report that generates an XML report with all identified vulnerabilities.


If you need any help, just send us an email or give us a ring; we'll be happy to help you out.


The reporting engine runs with the current user's privileges, so don't run a report unless you trust the author of the custom report code.

