Netsparker’s new “Automate That”  release is ready. It’s not just about bug fixes or improvements, we’ve also got two great new features and two big improvements. Command Line Support to automate and integrate your scans with other tools. Schedule Support so that you can scan stuff overnight or scan your application weekly and obtain reports. We decreased the request count during the attacking phase without sacrificing our coverage and added a bunch of new confirmation engines.
One of the most requested features was Scheduling Support, finally we added it. It doesn’t require an extra service to install and will integrate itself to “Windows Task Scheduler”. It works correctly under Windows XP, Windows 2003, Windows Vista, Windows 7.
Command line can be used to call Netsparker from another application for manual scanning, for example internally we’ve got a Firefox test extension which launches Netsparker with the current page’s URL by using the following command line:
Netsparker.exe /u [Current Page]
If you want to automate the whole scan, the best way to do is create a new profile from the “Start New Scan” window. Afterwards you can launch a new scan with your profile name. You can share these profiles between computers, they are stored in "My Documents\Netsparker Scans\Profiles".
Netsparker.exe /a /p QuickSQLI /u http://nightlybuild.example.com /rt "Vulnerabilities List (XML)" /r c:\reports\report-%date%-%time%.xml
This will scan the URL with the given profile and will save the XML report to c:\reports\ folder. %date% and %time% will be dynamically replaced with start date and time of the scan, so you don’t have to change the report name every time you run it. (**Update: Use [date] and [time] instead on recent versions of Netsparker.**)
If you need a custom output you can use create your own report with Netsparker’s Custom Reporting API.
Command Line Parameters:
|/a, /auto||When other parameters are given correctly, the scan is carried out, the report is saved and the program is closed.|
|/p, /profile||Name of the profile to be used during the scan. If not specified, the preset profile will be used.|
|/u, /url||Address of the website to be scanned. If the profile file includes another website address, the address specified with this parameter will be taken into consideration. If two different URLs are specified in the profile and within this parameter, the one given with this parameter will be taken into consideration.|
|/pr, /proxy||Proxy server address. If the profile file includes another proxy server address, the address specified with this parameter will be taken into consideration. A valid proxy server address should be as follows: http://user:email@example.com/ If a user name and password are required for logging on the proxy server, these should be given in the shown format.|
|/r, /report||File path the report will be saved. It should be used in conjunction with the “-a” parameter. The full physical file path can be given; if only file name is given, the created report will be saved into the folder the command is run.|
|/rf, /reportformat||File format of the created report. If not specified, the report is created in “pdf” format; rtf, pdf, text, csv, xls or html formats are also supported.
(**Update: This switch has been removed on recent Netsparker versions.**)
|/rt, /reporttemplate||Type of the created report. If not specified, first type in the list will be valid.|
Confirmation engines ensure that you won’t have a false-positive and you will see less [Possible] vulnerabilities. When these vulnerabilities get confirmed you’ll see Netsparker’s famous Confirmed icon!
 All alpha / beta releases of Netsparker had a release code name. Generally with a cheesy reference such as “Fast & Furious” Release, “So tell the girls I’m back in town” Release, “Getting There” Release. It was fun. We thought it’d be nice to give a code name to our public releases as well.