The Proof-Based Scanning™ Technology in Netsparker Web Vulnerability Scanners
By automating most of the post-scan procedures with Netsparker's Proof-Based
The Netsparker web application security scanner is the first and only solution that automatically exploits the vulnerabilities it identifies during a web vulnerability scan. This Proof-Based
Watch the video below for an introduction to the exclusive Proof-Based
If it is Exploitable, it is not a False Positive
If a vulnerability can be exploited, it is not a false positive; that much is not arguable. The auto-exploitation technology is built on this principle: Netsparker finds a vulnerability and then automatically exploits it, and a successful exploit confirms that the finding is not a false positive. When the scanner confirms a vulnerability in this way, it marks the finding as Confirmed, as highlighted in the screenshot below. Note that the converse does not hold: a finding the scanner could not exploit is not thereby shown to be a false positive, so unconfirmed findings still merit a manual look.
Automatically Generating a Proof of the Identified Web Vulnerability
This is where it gets interesting: Netsparker does not just automatically exploit and confirm an identified vulnerability. It also proves that the vulnerability exists by generating either a proof of concept or a proof of exploit.
Proof of Exploit vs Proof of Concept
Netsparker will either generate a proof of exploit or a proof of concept, depending on the type of the identified vulnerability.
Proof of Concept
A proof of concept is the actual exploit that can be used to prove that the vulnerability exists. For
Below is a screenshot of a reported cross-site scripting vulnerability. Notice the Proof URL, in which Netsparker reports the URL that is used to exploit the identified vulnerability.
Proof of Exploit
A proof of exploit is used to report the data that can be extracted from the vulnerable target once the vulnerability is exploited, highlighting the impact an exploited vulnerability can have. For
The Netsparker web security solution can generate a proof of exploit when it identifies any of the below vulnerability types:
- SQL Injection
- Boolean SQL Injection
- Blind SQL Injection
- XML External Entity (XXE)
- Local File Inclusion (LFI)
- Remote Code Execution via Local File Inclusion
- Remote File Inclusion (RFI)
- Command Injection
- Blind Command Injection
- Remote Code Evaluation
- Server-Side Template Injection
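The following is an added illustration of the confirm-by-exploiting idea described above (the scanner flags a candidate, an exploit attempt either upgrades it to Confirmed or leaves it unconfirmed, and the output is a proof URL for XSS or extracted data for SQL injection). It is example code written for this page, not Netsparker's own engine or any of its detection logic. The endpoints are constructed in-process stand-ins for a web application (an SQLite-backed search that is injectable, a parameterised one that merely echoes an error-looking string, and two reflecting pages); the URL `https://app.example/search`, the parameter name `q`, and the probe payloads are assumptions chosen for the example.

```python
import html
import sqlite3
import urllib.parse

# Constructed stand-ins for a web application under test: each takes the value of a
# query parameter and returns a response body. These are assumptions for this example,
# not Netsparker's code and not a real target.

def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "anvil"), (2, "rocket")])
    return conn

DB = _db()
DB_VERSION = sqlite3.sqlite_version  # the value a successful exploit should extract

def vulnerable_search(q):
    """Injectable: the parameter is concatenated straight into the SQL text."""
    try:
        rows = DB.execute(f"SELECT name FROM products WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        return f"Database error: {exc}"
    return ", ".join(r[0] for r in rows)

def safe_search(q):
    """Parameterised, but returns an error-looking string for quotes. A signature-only
    scanner flags this as SQL injection; exploitation cannot succeed, so it is a false positive."""
    if "'" in q:
        return "Database error: you have an error in your SQL syntax"
    rows = DB.execute("SELECT name FROM products WHERE name = ?", (q,)).fetchall()
    return ", ".join(r[0] for r in rows)

def reflect_unescaped(q):
    """Reflected XSS: the parameter is written into the page without encoding."""
    return f"<p>Results for {q}</p>"

def reflect_escaped(q):
    """Same page, but HTML-encoded: reflected, yet not exploitable."""
    return f"<p>Results for {html.escape(q)}</p>"

# --- detection: the cheap, signature-based step that only yields candidates -------------

def detect_sqli(endpoint):
    """Candidate: a lone quote produces a database error message."""
    return "database error" in endpoint("'").lower()

def detect_xss(endpoint):
    """Candidate: the parameter is reflected somewhere in the response."""
    return "zzmarker" in endpoint("zzmarker")

# --- verification: actually exploit, and keep the evidence ------------------------------

def verify_sqli(endpoint, url):
    """First a boolean differential (covers the blind case), then extraction of data the
    page never shows. The extracted value is the proof of exploit."""
    if endpoint("anvil' AND 1=1 -- ") == endpoint("anvil' AND 1=2 -- "):
        return False, None  # we do not control the query's logic
    payload = "x' UNION SELECT sqlite_version() -- "
    extracted = endpoint(payload)
    if extracted != DB_VERSION:
        return False, None
    return True, {"proof_url": f"{url}?q={urllib.parse.quote(payload)}", "extracted": extracted}

def verify_xss(endpoint, url):
    """A script tag survives unencoded, so the proof of concept is the URL that reproduces it."""
    payload = "<script>alert('nsp')</script>"
    if payload in endpoint(payload):
        return True, {"proof_url": f"{url}?q={urllib.parse.quote(payload)}"}
    return False, None

def scan(name, endpoint, kind, url="https://app.example/search"):
    """Detection produces a candidate; only a successful exploit upgrades it to Confirmed."""
    detector, verifier = {"sqli": (detect_sqli, verify_sqli), "xss": (detect_xss, verify_xss)}[kind]
    finding = {"endpoint": name, "type": kind, "status": "not detected", "proof": None}
    if detector(endpoint):
        confirmed, proof = verifier(endpoint, url)
        finding["status"] = "confirmed" if confirmed else "unconfirmed (possible false positive)"
        finding["proof"] = proof
    return finding

if __name__ == "__main__":
    for name, ep, kind in [("vulnerable_search", vulnerable_search, "sqli"),
                           ("safe_search", safe_search, "sqli"),
                           ("reflect_unescaped", reflect_unescaped, "xss"),
                           ("reflect_escaped", reflect_escaped, "xss")]:
        print(scan(name, ep, kind))
```

Running the block scans all four endpoints: the two signature checks flag all of them, but only `vulnerable_search` (with the database version as its proof of exploit) and `reflect_unescaped` (with a reproducing proof URL) come back Confirmed; the other two stay unconfirmed because the exploit attempt failed, which is exactly the distinction the article draws.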
Benefits of Proof-Based Scanning™ Technology
The benefits of automating the post-scan process of manually verifying the findings with the Proof-Based
- You do not have to manually verify the vulnerabilities the scanner found, which saves time you can spend fixing the reported security flaws instead.
- You do not have to be a seasoned security professional to use Netsparker and do a complete web application security check. The results are automatically confirmed for you, so there is no need to know how to reproduce the findings.
- You can assign web application vulnerability scanning to less technical team members and let the developers focus on what they do best: writing code.
- Finding vulnerabilities in web applications costs less, since the scanning tasks can be assigned to less technical people and take less time.
- As a QA engineer, you no longer have to prove to the developers that there is a vulnerability in their code. Sounds familiar, doesn't it?
- As a developer or service provider, you do not need to convince your superiors or customers to fix the issues. Just show them the proof and the impact, and they will give you the go-ahead.
Is Proof-Based Scanning™ Technology Safe?
Yes, it is. The Netsparker web security scanning solution only tries to exploit a vulnerability in a safe and