Malicious website hack attacks do not just happen when someone successfully exploits a web application vulnerability. Many attacks succeed because the attacker discovered a hidden admin interface while reading the developer comments in the source code, or because the attacker found debug information in an error message that gave them enough detail to connect directly to a backend portal or database.
Therefore a web vulnerability scanner should report much more than just exploitable web application vulnerabilities, and that is where Netsparker excels. Netsparker Desktop and Netsparker Cloud are not just web vulnerability scanners that automatically identify vulnerabilities in web applications. They are all-round web security tools that also highlight potential security issues which are typically not classified as "vulnerabilities" but which help attackers gain additional knowledge and craft a successful attack against a web application.
Netsparker scanners provide the user with a complete and detailed analysis of the target web application. All of this information can be found under the Knowledge Base node in the Sitemap section. Below is a complete list of all knowledge base nodes and the information they present to the user.
- AJAX / XML HTTP Requests
- Comments
- Cookies
- Crawling Performance
- CSS Files
- Email Addresses
- Embedded Objects
- External CSS Files
- External Frames
- External Scripts
- File Extensions
- Google Web Toolkit
- Incremental Scan
- Interesting Headers
- MIME Types
- Out of Scope Links
- Proofs
- REST API
- Scan Performance
- Site Profile
- Slowest Pages
- URL Rewrite
- Web Pages with Inputs
- Web Services
AJAX / XML HTTP Requests
In the AJAX / XML HTTP Requests knowledge base node Netsparker lists all the AJAX requests that were identified during a scan. From this node you can verify that Netsparker is detecting and simulating all of these requests, which is especially important when scanning a client-side script heavy web application such as a single page application.
Comments
In this knowledge base node Netsparker lists all the source code comments identified on the target web application and highlights keywords which might contain sensitive information. This is probably the most overlooked security issue of all, and it can lead to sensitive information disclosure.
For example, imagine what a comment such as the one below can lead to:
<!-- similar to admin pages in /hiddenadmin/ -->
If attackers find such a comment, they know that there is some sort of hidden admin area which might give them more information or access to the admin portal. It is very common for developers to leave very sensitive information in web applications, such as connection strings, administrative account credentials, details of the test environment and much more.
Netsparker automatically finds and crawls the paths identified in comments, but developers can leave much more than paths in comments.
Netsparker also allows users to add new entries to the list of sensitive comment patterns so they are alerted when such an entry is identified in the source code comments. Users can also modify the existing patterns from the Comments node in the Netsparker settings, as seen in the screenshot below.
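To illustrate the kind of comment analysis described above, here is an added example (not Netsparker's own code) that collects the HTML comments of a page, flags those matching a constructed set of sensitive-keyword patterns, and extracts the paths they mention so they can be reviewed before a release. The pattern list and sample page are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed keyword patterns (illustrative, not Netsparker's own list).
SENSITIVE_PATTERNS = {
    "admin-area": re.compile(r"\badmin\b", re.I),
    "credential": re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key)\b", re.I),
    "connection-string": re.compile(r"Server=.*;.*User ?Id=|Data Source=|mysql://", re.I),
    "debug-or-todo": re.compile(r"\b(TODO|FIXME|HACK|debug)\b"),
    "test-environment": re.compile(r"\b(staging|test env|localhost)\b", re.I),
}
# Absolute paths mentioned in a comment, e.g. "/hiddenadmin/"; a crawler would queue these.
PATH_RE = re.compile(r"(?<![\w.])(/[\w./-]+)")

class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment from an HTML document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def analyse_comments(html):
    """Return one finding per comment that mentions a sensitive keyword or a path."""
    collector = CommentCollector()
    collector.feed(html)
    findings = []
    for comment in collector.comments:
        categories = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(comment)]
        paths = PATH_RE.findall(comment)
        if categories or paths:
            findings.append({"comment": comment, "categories": categories, "paths": paths})
    return findings

# Constructed sample page; the first comment is the one quoted in the article.
SAMPLE_HTML = """<html><body>
<!-- similar to admin pages in /hiddenadmin/ -->
<!-- TODO remove before release: Server=db01;Database=shop;User Id=sa;Password=s3cret -->
<!-- page layout v2 -->
<p>Welcome</p>
</body></html>"""

if __name__ == "__main__":
    for f in analyse_comments(SAMPLE_HTML):
        print(f["categories"], f["paths"], "<--", f["comment"])
```

Only the first two comments are reported; the harmless layout note produces no finding.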
Cookies
In this knowledge base node Netsparker lists all the cookies used by the target website. Cookies can disclose a lot of information about the target website that attackers can use to craft an attack. For example, cookies can store values such as "admin=false" or "debugging=1".
From this node security professionals have a centralized list of all cookies, so they can analyse them one by one and identify any cookie related security issues.
Crawling Performance
In the Crawling Performance knowledge base node Netsparker records statistics about the crawl of the target website, including the number of identified links, the average and total response time, and the Parsing Source by which each link was detected. Links can be detected by the following sources in Netsparker:
- StartLink: This is the link that was entered by the user to initialize the scan.
- TextParser: These links were identified by the text parser while parsing the source code of the responses.
- TextParserForm: These links were identified through HTML forms. These are the links that the forms are submitted to.
- XmlHttpRequest: These links were identified as AJAX requests.
- RelatedLink: These links are identified by the scanner by analysing the other crawled links. For example, if the scanner crawls example.com/a/b/, it also adds example.com/a/ as a link to crawl.
- DirectoryResource: Links identified by the Common Files & Directories checks, which look for hidden resources that should not be publicly accessible.
- Unspecified: The scanner could not determine the Parsing Source of these links.
CSS Files
In this knowledge base node Netsparker lists all the CSS files used on the target web application. Modern web applications have dynamic CSS files (CSS files that accept input from other sources and variables), hence they can also be an attack vector. Even though Netsparker automatically scans target web applications for potential vulnerabilities in CSS files, such a list is handy, especially when users need to analyse them manually.
Email Addresses
In this knowledge base node Netsparker lists all the email addresses identified on the target web application. Although having clear text email addresses on a website is not a vulnerability in itself, it is good to know which email addresses are published on the website.
Embedded Objects
In this knowledge base node Netsparker lists all the embedded objects, such as Flash files or ActiveX components, discovered on the target web application and their location.
External CSS Files
In the External CSS Files knowledge base node Netsparker lists all the external CSS files the target website uses. This is for informational purposes only.
External Frames
In this knowledge base node Netsparker lists all the frames on the target web application which originate from an external source. As with external scripts, external frames might be the result of an already hacked website, hence it is good for security professionals to know about all of the external objects in a web application.
External Scripts
In this knowledge base node Netsparker lists all the scripts on the target web application which are loaded from an external source. Information in this knowledge base node can also help users determine if the target web application has already been hacked, for example when malware is being distributed via an injected script. All (un)trusted 3rd party scripts used on your web application are also listed in this knowledge base node.
File Extensions
In this knowledge base node Netsparker lists all the different file extensions identified on the target web application. Under each extension it also lists all the files with that extension. Although this information might not contain a lot of juicy details, it helps security professionals determine what is being served from the target web application.
Google Web Toolkit
In the Google Web Toolkit knowledge base node Netsparker reports any GWT-RPC requests that are identified during a scan. When such requests are identified it means that a web application built with Google Web Toolkit is running on the target server.
Incremental Scan
In the Incremental Scan knowledge base node Netsparker lists all the new links it found during incremental scans, allowing you to identify newly added pages.
Interesting Headers
In the Interesting Headers knowledge base node Netsparker lists all the unusual HTTP headers encountered during the security scan of the target web application. Such information is very useful for quality assurance teams; it can lead them to discover legacy or unused components which are still being called because some unused code is still enabled in the system.
Such information can also help security professionals uncover more information about the target web application and the environment it is running in. For example, they can find out if a load balancer or web application firewall is in use, and it can help them determine the version of some of the server components for more targeted testing.
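As an added example (not Netsparker's code), the following script inventories response headers from constructed sample responses, reports the ones outside a routine set, and flags values that disclose a component version, which is exactly the kind of detail an "interesting header" can leak and that a defender would want to remove from production responses. The routine-header list and sample responses are assumptions made for this example.

```python
import re

# Headers considered routine, so they are not reported (constructed list, not Netsparker's).
ROUTINE_HEADERS = {
    "content-type", "content-length", "date", "cache-control", "expires", "etag",
    "last-modified", "connection", "set-cookie", "vary", "location", "pragma",
    "content-encoding", "transfer-encoding", "accept-ranges",
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options",
}
# A dotted version number such as 2.4.29 inside a header value.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")

def interesting_headers(responses):
    """responses: list of (url, {header: value}) pairs.

    Returns {header-name: {"values": set, "urls": set, "discloses_version": bool}}
    for every header not in ROUTINE_HEADERS, keyed by lower-cased name."""
    report = {}
    for url, headers in responses:
        for name, value in headers.items():
            key = name.lower()
            if key in ROUTINE_HEADERS:
                continue
            entry = report.setdefault(
                key, {"values": set(), "urls": set(), "discloses_version": False})
            entry["values"].add(value)
            entry["urls"].add(url)
            if VERSION_RE.search(value):
                entry["discloses_version"] = True
    return report

def version_disclosing(report):
    """Names of the reported headers whose values leak a component version."""
    return sorted(k for k, v in report.items() if v["discloses_version"])

# Constructed sample: response headers captured from three pages of a hypothetical site.
SAMPLE_RESPONSES = [
    ("https://shop.example/", {"Content-Type": "text/html", "Server": "Apache/2.4.29",
                               "X-Powered-By": "PHP/7.2.3"}),
    ("https://shop.example/login", {"Content-Type": "text/html", "Server": "Apache/2.4.29",
                                    "X-Legacy-Auth": "v1"}),
    ("https://shop.example/api", {"Content-Type": "application/json",
                                  "X-Backend-Pool": "legacy-02"}),
]

if __name__ == "__main__":
    for name, info in sorted(interesting_headers(SAMPLE_RESPONSES).items()):
        flag = " (discloses version)" if info["discloses_version"] else ""
        print(f"{name}: {sorted(info['values'])} on {len(info['urls'])} page(s){flag}")
```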
MIME Types
In this knowledge base node Netsparker lists all the MIME types discovered on the target web application. Under each MIME type Netsparker also lists all the files with that MIME type. Such information is very handy when further manual testing is required. It also helps security professionals spot any unusual file or type served by the server, which could also be the result of a successful hack.
Out of Scope Links
In the Out of Scope Links knowledge base node Netsparker lists all the links found in the target web application that do not fall within the scan scope and therefore were not scanned.
From this knowledge base node users can determine what was not scanned and why, so they can fine tune their scan settings should they wish to also scan these links.
Proofs
In the Proofs knowledge base node Netsparker lists all the data that is extracted as proof when exploiting a vulnerability. This data could be the username and database name for a SQL Injection, the content of a file for a Local File Inclusion, etc. From this node you can also get an idea of how much potentially sensitive information the scanner was able to extract automatically just for demonstration purposes.
REST API
If the scanner identifies a REST API on the target web application during a scan, Netsparker automatically crawls and scans the RESTful web service. RESTful web services that are identified automatically are listed under the Knowledge Base node, as per the screenshot below.
Scan Performance
In the Scan Performance knowledge base node Netsparker displays the request count and the total and average response times for every type of attack. From this node you can find out, for example, how many HTTP requests were sent to the target website by the SQL Injection vulnerability checks and what the total and average response times were.
Slowest Pages
In this knowledge base node Netsparker reports the average response time of the target web application and lists all the pages with a high response time. Pages which are slow to load do not in themselves pose a security threat, but there is a reason why they take longer to load. Typically this is caused by errors in the code or inefficient logic, so they are still worth knowing about so you can troubleshoot them.
In this knowledge base node Netsparker lists information about the SSL certificate used on the target website, and the protocols and ciphers supported by the target server. In the last few years there have been a good number of issues with old ciphers and protocols, hence it is good to know what the target web application supports so you can fine tune the server's configuration.
URL Rewrite
In this knowledge base node Netsparker lists the URL Rewrite rules it automatically created when scanning the target website.
Netsparker scanners automatically configure their own URL rewrite rules when scanning a website that uses URL rewriting, hence you do not have to configure them manually. Should you need to verify the rules or get a better understanding of the workings and setup of the target web application, you can always check the rules that the scanner configured automatically.
Web Pages with Inputs
In this knowledge base node Netsparker lists all of the target web application's pages that have an input. This list can be used by developers and quality assurance members for further manual testing. Security professionals find such information useful as well, since it gives them a better overview of the attack surface of a web application.
Web Services
In this knowledge base node Netsparker reports any identified web services running on the target web application and their operations.
Identifying All Web Application Security Threats
As this article highlights, there is much more to web application security than just identifying and remediating exploitable vulnerabilities, and this is where Netsparker Web Application Security Scanner plays an important role. Web security professionals should take advantage of such tools and use all of the information provided to their advantage.
Netsparker centralizes all information to help security professionals better understand the target web application and identify any security issues that are not "exploitable vulnerabilities" yet expose information to malicious attackers and lead them to a successful hack attack.