Note: This FAQ applies to both the Netsparker Desktop and Netsparker Cloud web scanners. Visit the support page for more documentation.
By default, the Netsparker Desktop and Netsparker Cloud web application security scanners do not scan any domain other than that of the starting URL. Therefore, when you are scanning http://example.com and there is a link to http://api.example.com, Netsparker will not follow or scan the website or links to http://api.example.com. Instead, it reports them as Out of Scope Links in the Knowledge Base node:
If you want the Netsparker scanner to scan the websites that are linked to from the target specified in the wizard, you need to specify them in the Additional Websites section of the Start a New Website or Web Service Scan dialogue box, which is shown in the screenshot below.
When specifying a new website you need to enter a full URL, including the protocol and, if the target is running on a non-default port, the port, such as http://api.example.com and http://docs.example.com:8043. Please note that you can only add websites that are allowed by your license.
The Netsparker scanner treats canonical links as the target website’s links and applies the same scan settings to them. Therefore, if for example http://example.com and http://www.example.com point to the same website, enable the Canonical checkbox next to the website listing, as seen in the above screenshot. When this option is enabled and the Netsparker scanner detects a link to the canonical domain, such as http://www.example.com/blogs/foo-bar, the link is converted to http://example.com/blogs/foo-bar and scanned via this URL.
The configured Scan Scope settings do not apply to the Additional Websites. Instead, the Whole Domain scan scope always applies. This means that all of the detected pages and sub folders on the additional website will be scanned.
The configured Include/Exclude URLs do apply to Additional Websites. Therefore, if an additional website’s links contain the exit or endsession keywords, they will be excluded from the scan as per the below configuration.
You can also add Imported Links which will be applied to the Additional Websites.
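The scoping rules described above (same-site default, Additional Websites with an explicit port, the Canonical option and Include/Exclude keywords) can be modelled to predict, before a scan, which discovered links will be covered. This is an added example and not Netsparker code; the function names, the matching on scheme, host and port, and the substring matching of exclude keywords are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def classify(link, start_url, additional=(), exclude_keywords=()):
    """Predict how a discovered link is handled under the rules in this FAQ.

    additional: (url, canonical) pairs as entered under Additional Websites.
    Returns (verdict, url_to_scan); url_to_scan is None unless verdict is "scan".
    Assumptions: sites are matched on scheme + host + port, and exclude
    keywords are case-insensitive substrings of the URL.
    """
    url = link
    if origin(link) != origin(start_url):
        match = next((e for e in additional if origin(e[0]) == origin(link)), None)
        if match is None:
            return "out-of-scope", None        # would be listed under Out of Scope Links
        if match[1]:                           # Canonical: rescan via the target's host
            s, p = urlsplit(start_url), urlsplit(link)
            url = urlunsplit((s.scheme, s.netloc, p.path, p.query, p.fragment))
    # Include/Exclude URLs apply to the target and to Additional Websites alike.
    if any(k.lower() in url.lower() for k in exclude_keywords):
        return "excluded", None
    return "scan", url

# Constructed sample configuration, using the hosts named in the FAQ.
START = "http://example.com"
ADDITIONAL = [("http://api.example.com", False),
              ("http://docs.example.com:8043", False),
              ("http://www.example.com", True)]
EXCLUDE = ("exit", "endsession")

if __name__ == "__main__":
    for link in ("http://example.com/about",
                 "http://www.example.com/blogs/foo-bar",
                 "http://api.example.com/products/1",
                 "http://docs.example.com/guide",          # port 80, not 8043
                 "http://api.example.com/account/endsession",
                 "http://cdn.example.net/lib.js"):
        print(link, "->", classify(link, START, ADDITIONAL, EXCLUDE))
```

Running a list of links exported from a crawl through such a model shows which hosts still need to be added as Additional Websites and where a missing port would leave a site unscanned.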
The URL rewrite configuration also applies to Additional Websites. Therefore, if the heuristic URL rewrite technology is used, the scanner will try to automatically identify the URL Rewrites on the target website. If custom URL Rewrite rules are configured, they will also apply to Additional Websites.
Therefore, if an Additional Website contains a link that matches the pattern configured above, for example http://api.example.com/products/1, the URL Rewrite parameter(s) will be detected automatically.
It is not possible to configure authentication settings for Additional Websites via the scan settings.
Each configured Additional Website has its own node in the Site Map window, as shown in the screenshot below.
During a scan, in the scan dashboard the full URLs are shown in the activity panel, and the URLs are sorted in alphabetical order.
A new entry was also added to the reports, in which all the configured additional websites that were scanned will be listed.
The URLs in the reports are reported in full so you can see in which site the issue is, as opposed to just reporting the path and query component, as it was before.