How to Create Reports with Netsparker Custom Reporting API

Category: Product Docs & FAQS - Last Updated: Tue, 31 Jan 2017 - by Onur Yılmaz

Netsparker Desktop allows you to create and define your own web security scan report templates. These may be used to generate custom reports that suit your business needs, and for integration with other software applications. The custom reporting tool employs the Razor templating engine that runs C# code to generate reports.

Creating a Custom Web Security Scan Report

Netsparker’s scripting language is C#. Below is sample code for a web security report that generates an XML file which includes the following:

  • A list of all the vulnerabilities detected during the scan,
  • The vulnerable Parameter and type (GET/POST),
  • Vulnerability Details,
  • Confirmation Status,
  • Extra exploitation data,
  • Web security scan time,
  • Vulnerability severity.

You can add more details into the reports, customize them, or filter your reports with custom criteria.

Code Example for Custom Netsparker Desktop Report

@using System
@using System.IO
@using System.Linq
@using MSL.Common.Text
@using MSL.Core.Configuration
@using MSL.Core.Data.Resources
@using MSL.Core.Entities.Vulnerability
@using MSL.Core.Process.Exploitation
@using MSL.Core.Process.Reporting
@inherits HelperBaseTemplate<ReportTemplateData>
<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>

<netsparker generated="@DateTime.Now.ToString()">
	<target>
		<url>@ReportingUtility.XmlShortEscape(Model.ScanProfile.Uri.AbsoluteUri)</url>
		<scantime>@Convert.ToInt32(ScanSettings.Instance.ElapsedTime.TotalSeconds)</scantime>
	</target>
	@{
		var reportOutput = new FileInfo(Model.ReportFilePath);
		try
		{
			// Best-effort copy of the XSL stylesheet next to the generated report so the XML
			// renders in a browser; if the copy fails only the styling is lost, so the error is ignored.
			var templateDir = ResourceCategories.ReportTemplate.ResolveCustomDirectoryPath();
			File.Copy(Path.Combine(templateDir, "vulnerabilities-list.xsl"),
				Path.Combine(reportOutput.Directory.FullName, "vulnerabilities-list.xsl"), true);
		}
		catch (Exception)
		{
		}

		// Drop hidden and ignored findings, then sort by severity, type, confirmation and certainty
		var sortedVulns = from IVulnerabilityView v in Model.Vulnerabilities
			where v.Visibility != VulnerabilityVisibility.Hidden && !v.IsIgnored
			orderby v.Severity descending, v.Order ascending, v.Type ascending, v.IsConfirmed descending, v.Certainty descending, v.AbsolutePath
			select v;

		foreach (var vuln in sortedVulns)
		{
			<vulnerability confirmed="@vuln.IsConfirmed.ToString()">
				<url>@ReportingUtility.XmlShortEscape(vuln.AbsoluteUri)</url>
				<type>@vuln.Type</type>
				<severity>@vuln.Severity.ToString()</severity>
				<certainty>@vuln.Certainty</certainty>

				@* Parameter details are only present for findings tied to a specific input *@
				@if (!string.IsNullOrEmpty(vuln.AttackParameterName))
				{
					<vulnerableparametertype>@ReportingUtility.XmlShortEscape(vuln.AttackParameterTypeName)</vulnerableparametertype>
					<vulnerableparameter>@ReportingUtility.XmlShortEscape(vuln.AttackParameterName)</vulnerableparameter>
					<vulnerableparametervalue>@ReportingUtility.XmlShortEscape(vuln.AttackParameterValue)</vulnerableparametervalue>
				}
				@* Raw HTTP traffic is emitted as character data so it cannot break the XML structure *@
				<rawrequest>@ReportingUtility.XmlEscapeCharacterData(vuln.GetRawRequest())</rawrequest>
				<rawresponse>@ReportingUtility.XmlEscapeCharacterData(vuln.GetFullResponse())</rawresponse>
				<extrainformation>
					@foreach (var field in vuln.CustomFields)
					{
						<info name="@field.Key">@ReportingUtility.XmlEscapeCharacterData(field.Value.HasMultipleValues ? string.Join(", ", field.Value.Values) : field.Value.Value)</info>
					}
				</extrainformation>

				@{
					var renderer = new ProofXmlDataRenderer();
					<proofs>@renderer.Render(vuln)</proofs>
				}

				@if (vuln.Classification != null)
				{
					<classification>
						<OWASP2013>@vuln.Classification.Owasp2013</OWASP2013>
						<WASC>@vuln.Classification.Wasc</WASC>
						<CWE>@vuln.Classification.Cwe</CWE>
						<CAPEC>@vuln.Classification.Capec</CAPEC>
						<PCI31>@vuln.Classification.Pci31</PCI31>
						<PCI32>@vuln.Classification.Pci32</PCI32>
						<HIPAA>@vuln.Classification.Hipaa</HIPAA>
					</classification>
				}

				@if (vuln.VersionVulnerabilities.Any())
				{
					<knownvulnerabilities>
						@foreach (var implied in vuln.VersionVulnerabilities)
						{
							<knownvulnerability>
								<title>@implied.Title</title>
								<severity>@implied.Severity</severity>
								<references>@(implied.References == null ? string.Empty : implied.References.Trim())</references>
								<affectedversions>@implied.AffectedVersions</affectedversions>
							</knownvulnerability>
						}
					</knownvulnerabilities>
				}
			</vulnerability>
		}
	}
</netsparker>
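The page mentions using custom reports for integration with other software. As an added example (not Netsparker code), the Python below consumes XML in the layout the template above emits and filters it down to confirmed, high-or-worse findings, which is what a ticketing integration would act on. The sample document is constructed, and the severity names (Critical, High, Medium, Low, Information) are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the template above emits; not real scanner output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<netsparker generated="1/31/2017 10:00:00 AM">
  <target><url>http://example.test/</url><scantime>742</scantime></target>
  <vulnerability confirmed="True">
    <url>http://example.test/search.php?q=x</url>
    <type>XSS</type><severity>High</severity><certainty>100</certainty>
    <vulnerableparametertype>GET</vulnerableparametertype>
    <vulnerableparameter>q</vulnerableparameter>
    <classification><CWE>79</CWE></classification>
  </vulnerability>
  <vulnerability confirmed="False">
    <url>http://example.test/admin/</url>
    <type>PossibleSensitivePage</type><severity>Low</severity><certainty>50</certainty>
  </vulnerability>
  <vulnerability confirmed="True">
    <url>http://example.test/login.php</url>
    <type>SqlInjection</type><severity>Critical</severity><certainty>100</certainty>
    <vulnerableparametertype>POST</vulnerableparametertype>
    <vulnerableparameter>user</vulnerableparameter>
  </vulnerability>
</netsparker>"""

# Assumed severity ladder; adjust to the names your scanner version emits.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Information": 0}

def parse_report(xml_text):
    """Return (scan metadata, list of finding dicts) for a report in the template's layout."""
    root = ET.fromstring(xml_text)
    meta = {"target": root.findtext("target/url"),
            "scantime_seconds": int(root.findtext("target/scantime"))}
    findings = []
    for v in root.findall("vulnerability"):
        findings.append({
            "url": v.findtext("url"),
            "type": v.findtext("type"),
            "severity": v.findtext("severity"),
            "certainty": int(v.findtext("certainty")),
            "confirmed": v.get("confirmed") == "True",          # C# bool.ToString() gives "True"/"False"
            "parameter": v.findtext("vulnerableparameter"),      # None when the template omitted it
            "parameter_type": v.findtext("vulnerableparametertype"),
            "cwe": v.findtext("classification/CWE"),
        })
    return meta, findings

def actionable(findings, min_severity="High", require_confirmed=True):
    """Findings worth a ticket, ordered like the template: severity descending, then URL."""
    floor = SEVERITY_RANK[min_severity]
    keep = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor
            and (f["confirmed"] or not require_confirmed)]
    return sorted(keep, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["url"]))
```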

Saving the Custom Report Template

At startup, Netsparker Desktop scans the "Report Templates" directory for C# template files (*.cshtml). This directory is in the Resources sub-directory of the Netsparker data directory (by default the current Windows user’s Documents/My Documents directory, so the full path is Documents/Netsparker/Resources/Report Templates). Every file found there is listed in the "Reporting" menu as a custom report.

Figure 54: The Customized Reporting Menu

Therefore every new custom report template that you create should be saved in this directory.

Defining the File Type (Extension) of the Custom Web Security Report

The name of the C# code file will be visible under the Reporting menu. When selected, the generated report will use the extension from the custom report file name. The file extension should be chosen based on the content type of the report. For the sample report above, it should be xml.

For example:

  • "Vulnerabilities List (XML).xml.cshtml" - File extension will be "xml"
  • "Vulnerabilities List as Web Page.html.cshtml" - File extension will be "html"

Testing the Custom Reports

You do not need to restart Netsparker Desktop every time you change the source code of your custom report. Once Netsparker has added the custom report to the report drop-down menu, all you need to do is run it again. If it fails to compile, an error message tells you so.

Security of Custom Reports

The reporting engine runs with the current user's privileges, and a template is ordinary C# code: the sample above, for instance, copies a file from the template directory to the report's output directory. Treat a template file like any other executable code, and do not run a report unless you trust its author.

Documentation for Custom Reports in Netsparker Desktop

You can access MSDN-style API documentation from the Help drop-down menu in Netsparker Desktop.
