Note: Even though the GUI of Netsparker Desktop and Netsparker Cloud are different, this article applies to both products since the same principles apply.
The Netsparker Scan Policy Editor can be used to fine tune web application security scans so they take less time to complete, consume less bandwidth and produce more accurate scan results. In this blog
Scan Policies and the Scan Policy Editor
A Scan Policy is a list of web application security scan settings. For
Previously you could only enable or disable all cross-site scripting security tests at once; now it is possible to enable or disable specific cross-site scripting vulnerability variants. The same applies to all other vulnerability classes, such as SQL Injection. The main advantages of having Scan Policies are:
- Web application security scans take much less time to complete.
- Less bandwidth is consumed during a scan.
- Much less stress is generated on the web application during a web application security
- Create your own Scan Policies and save them to use them in future scans rather than reconfiguring Netsparker each time.
- You can disable the web security checks that are irrelevant to your scenario. For example, if you have a MySQL server, Netsparker won't launch MS SQL or Oracle security checks during a security scan.
The Scan Policy Editor also allows us to ship extra signatures in the near future. For
Built-In Netsparker Scan Policies
Netsparker has six built-in Scan Policies, all of which can be accessed by clicking on the arrow button in the Scan Policy section, as seen below.
The Netsparker built-in Scan Policies are explained below:
All Security Checks: This Scan Policy includes all the typical security checks. This is ideal if you are not familiar with the target web application.
All Security Checks (MS SQL): If the target web application uses Microsoft SQL Server as
All Security Checks (MySQL): If the target web application uses MySQL database server as
All Security Checks (Oracle): If the target web application uses Oracle server as
All Security Checks (PostgreSQL): If the target web application uses PostgreSQL server as
Extensive Security Checks: This Scan Policy contains all the security checks included in the All Security Checks Scan Policy, plus some less common attack patterns that mostly cover edge-case scenarios. In particular, it also includes the checks for DOM XSS and Local File Inclusion vulnerabilities. Because of the nature of these checks, scanning for them can take a considerable amount of time.
How to Create a New Custom Scan Policy
From the Start a New Scan window, which is used to launch a new web application security scan, click on Options and then on the three-dot button on the far right of the Scan Policy section, as highlighted below.
This will launch the Scan Policy Editor which we will use to create and save our new custom Scan Policy. Below is a screenshot of the Scan Policy Editor.
Click on the New button to
For example from the Security Checks
Once you have configured all the