Note: Even though the GUI of Netsparker Desktop and Netsparker Cloud are different, this article applies to both products since the same principles apply.
The Netsparker Scan Policy Editor can be used to fine-tune web application security scans so they take less time to complete, consume less bandwidth and produce more accurate results. In this blog post, we will see how you can use the Scan Policy Editor to create your own custom Scan Policies and save them for future scans.
Scan Policies and the Scan Policy Editor
A Scan Policy is a list of web application security scan settings. For example, you can configure the list of web vulnerability checks that should be launched during the scan, URL rewrite rules, HTTP connection options and much more. When using the Scan Policy Editor to create a new or modify an existing Scan Policy, you can granularly specify which vulnerability security tests should run during a web application security scan with Netsparker.
Previously you could only enable or disable all cross-site scripting tests at once; now you can enable or disable individual cross-site scripting variants. The same applies to every other vulnerability class, such as SQL Injection. The main advantages of Scan Policies are:
- Web application security scans take much less time to complete.
- Less bandwidth is consumed during a scan.
- Much less load is placed on the target web application during a scan.
- You can create your own Scan Policies and save them for future scans rather than reconfiguring Netsparker each time.
- You can disable the security checks that are irrelevant to your scenario. For example, if the target uses MySQL, you can disable the MS SQL and Oracle checks so that Netsparker does not launch them during the scan.
The Scan Policy Editor also allows us to ship extra signatures in the near future. For example, there will be signatures to bypass certain WAFs (web application firewalls); if you are using a WAF, you can customize your policy and enable those extra checks. If you are not, your scan will not generate the extra requests, since the WAF-specific tests will stay disabled. Where possible, Netsparker will also optimize the active configuration on the fly according to the target website for these extra signatures.
Built-In Netsparker Scan Policies
Netsparker has six built-in Scan Policies, all of which can be accessed by clicking on the arrow button in the Scan Policy section, as seen below.
The Netsparker built-in Scan Policies are explained below:
All Security Checks: This Scan Policy includes all the typical security checks. This is ideal if you are not familiar with the target web application.
All Security Checks (MS SQL): If the target web application uses Microsoft SQL Server as a database backend, it is recommended to use this Scan Policy.
All Security Checks (MySQL): If the target web application uses MySQL database server as a database backend, it is recommended to use this Scan Policy.
All Security Checks (Oracle): If the target web application uses Oracle server as a database backend, it is recommended to use this Scan Policy.
All Security Checks (PostgreSQL): If the target web application uses PostgreSQL server as a database backend, it is recommended to use this Scan Policy.
Extensive Security Checks: This Scan Policy contains every check in the All Security Checks policy plus additional attack patterns that are uncommon and mostly cover edge cases. Notably, it also includes the checks for DOM-based XSS and Local File Inclusion. Because of the nature of these checks, scanning for them can take a considerable amount of time.
How to Create a New Custom Scan Policy
From the Start a New Scan window, which is used to launch a new web application security scan, click Options and then the three-dot (...) button on the far right of the Scan Policy section, as highlighted below.
This will launch the Scan Policy Editor which we will use to create and save our new custom Scan Policy. Below is a screenshot of the Scan Policy Editor.
Click New to create an empty Scan Policy, or Clone to copy one of the built-in policies as a starting point. Once created, the policy is listed alongside the built-in ones. You can then browse the option nodes in the bottom left-hand pane to configure each group of settings.
For example, under the Security Checks node you choose which vulnerability checks run during a scan. To disable a specific variant, highlight its group and untick the variant in the list on the right; to disable a whole group, untick the group name. To configure other settings, click the respective node: Crawling for crawling options, URL Rewrite for your URL rewrite rules, and so on.
Once you have configured all the necessary settings, click OK to save the new Scan Policy. For your next scan, select it from the Scan Policy drop-down under Options in the Start a New Scan window.
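As an added illustration of the editing steps above (this is not Netsparker's policy file format, CLI or API; the check group names, variant names, DBMS mapping and JSON layout are all constructed for the example), the Python below models a Scan Policy as editable data: the built-in policies are derived from one catalogue, Clone deep-copies a policy so edits never leak back into the built-in one, unticking a group disables every variant under it while a single variant can still be toggled on its own, and the result is serialised so it can be saved and reused.

```python
"""Model of a scan policy as editable check data.

Added example only: NOT Netsparker's policy format or API. Every group,
variant and backend name below is constructed for illustration.
"""
import copy
import json
from dataclasses import dataclass, field

# Constructed catalogue of check groups and the variants under each group.
CHECK_CATALOGUE = {
    "Cross-site Scripting": ["Reflected", "Stored", "DOM-based"],
    "SQL Injection": ["Boolean-based", "Error-based", "Time-based"],
    "SQL Injection (MS SQL)": ["xp_cmdshell", "WAITFOR DELAY"],
    "SQL Injection (MySQL)": ["SLEEP()", "BENCHMARK()"],
    "SQL Injection (Oracle)": ["DBMS_LOCK.SLEEP", "UTL_HTTP"],
    "SQL Injection (PostgreSQL)": ["pg_sleep()"],
    "Local File Inclusion": ["Unix paths", "Windows paths"],
}

# Constructed mapping of backend -> the check group that only applies to it.
DBMS_GROUPS = {
    "MS SQL": "SQL Injection (MS SQL)",
    "MySQL": "SQL Injection (MySQL)",
    "Oracle": "SQL Injection (Oracle)",
    "PostgreSQL": "SQL Injection (PostgreSQL)",
}

# Slow edge-case checks that only the extensive policy enables (None = whole group).
EXTENSIVE_ONLY = [("Cross-site Scripting", "DOM-based"), ("Local File Inclusion", None)]


@dataclass
class ScanPolicy:
    name: str
    checks: dict = field(default_factory=dict)  # group -> {variant: enabled}

    @classmethod
    def all_checks(cls, name):
        return cls(name, {g: {v: True for v in vs} for g, vs in CHECK_CATALOGUE.items()})

    def clone(self, new_name):
        # Deep copy: editing the clone must never modify the policy it came from.
        return ScanPolicy(new_name, copy.deepcopy(self.checks))

    def set_group(self, group, enabled):
        # Unticking a group name toggles every variant beneath it.
        for variant in self.checks[group]:
            self.checks[group][variant] = enabled
        return self

    def set_variant(self, group, variant, enabled):
        # A single variant can be toggled independently of its group.
        self.checks[group][variant] = enabled
        return self

    def enabled(self):
        return sorted(f"{g} / {v}" for g, vs in self.checks.items()
                      for v, on in vs.items() if on)

    def to_json(self):
        return json.dumps({"name": self.name, "checks": self.checks}, indent=2)

    @classmethod
    def from_json(cls, text):
        data = json.loads(text)
        return cls(data["name"], data["checks"])


def tailor_for_dbms(policy, dbms):
    """Disable the backend-specific groups that do not match the target's DBMS."""
    for other, group in DBMS_GROUPS.items():
        if other != dbms:
            policy.set_group(group, False)
    return policy


def built_in_policies():
    """Derive the six built-in policies described in the article from the catalogue."""
    base = ScanPolicy.all_checks("All Security Checks")
    for group, variant in EXTENSIVE_ONLY:
        base.set_group(group, False) if variant is None else base.set_variant(group, variant, False)
    policies = {base.name: base}
    for dbms in DBMS_GROUPS:
        name = f"All Security Checks ({dbms})"
        policies[name] = tailor_for_dbms(base.clone(name), dbms)
    policies["Extensive Security Checks"] = ScanPolicy.all_checks("Extensive Security Checks")
    return policies


if __name__ == "__main__":
    builtins = built_in_policies()
    # Clone a built-in policy, prune it for a MySQL-backed app with no stored-XSS
    # surface, and serialise it for reuse in later scans.
    custom = tailor_for_dbms(builtins["All Security Checks"].clone("Intranet app (MySQL)"), "MySQL")
    custom.set_variant("Cross-site Scripting", "Stored", False)
    total = len(builtins["Extensive Security Checks"].enabled())
    print(f"{custom.name}: {len(custom.enabled())} of {total} checks enabled")
    print(custom.to_json())
```

The deep copy in `clone` is the detail worth noticing: a shallow copy would share the nested dictionaries, so pruning the custom policy would silently strip checks from the built-in one every subsequent scan relies on.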