Netsparker is a black box web vulnerability and security scanner. It works by emulating an actual attacker; it sends a number of HTTP requests to target website and waits for the responses from the web application in order to identify the vulnerabilities and other possible security problems.
It does this in an automated fashion, and it can send a big number of requests within just a few minutes. Since it is all automated, sometimes there are factors that could have an effect on the results of the scan, which also means two scans of the same website can have different results. Below is a list of things that can have an impact on your scan results so the next time you encounter inconsistent scan results, you can use this list to troubleshoot the problem:
- Server load problem: if the server is out of resources the web application might not be responding to all the HTTP requests from the scanner, hence generating timeouts. This can happen because Netsparker provokes the web applications in different ways, hence you might notice unusual CPU load on the application server, database server and other components.
- HTTP Error 500 / Internal Server Errors that occur randomly due to a session state problem, database server load, current CPU load etc.
- Session gets killed during the scan because of application memory recycle, server restart, error recovery features in the web servers and the scanner cannot recreate the session.
- Different caching algorithms.
- Web Application Firewalls, IPS and other similar security software blocking the scanner’s HTTP requests.
All of the above might be blocking the scanner’s requests or result in the web application not responding to the scanner’s requests. If the scanner does not get a response for any of its HTTP requests, it cannot determine if there is vulnerability on the target web application, hence why you can have different scan results.
- Reverse Proxy / Proxy connection failures,
- Temporary Internet Connection failures,
- HTTP Timeouts (due to server-side or communication related problems),
- Load balancers: these will almost definitely cause problems and different scan results. In such setup ideally you should scan the website directly and by bypassing the load balancer.
How Can You Improve the Scan Results?
If you are getting inconsistent scan results try:
- Decreasing the Scan Speed, i.e. the number of concurrent connections the scanner opens with the web application. To decrease the scan speed open the Scan Policy Editor, navigate to the HTTP options and adjust the Concurrent Connections slider as highlighted below. You can also adjust the scan speed during the scan.
- Monitoring the application and database server, making sure they are not under heavy load. If you notice a spike in resources try to determine which pages is the scanner scanning during that time, which might also help you solve an underlying problem.
- Ensure that there is the minimum interference between the Netspaker scanner and target website. Network components such as proxies, web application firewalls, network firewalls, intrusion prevention / detection systems can all slow down the connection, drop / block requests etc.
Diagnosing the Problem
Here are some tips which will help you troubleshoot the issue and hopefully solve it. Check the HTTP Request and Response for the vulnerabilities that were identified in only one of the scans.
- Are all the responses looking as expected?
- Do you always get the very same response when you send the same request multiple times? You can test this by exporting the request to the HTTP Request Builder tool.
- Was the vulnerable link / file / parameter identified in the scan in which the vulnerability was not reported? You can check this by reviewing the Sitemap and HTTP Referer in both scans.
If you can’t get to the root of the problem, contact us. We are always happy to help.