The most important thing you need to know before using Netsparker is that you must not scan a website without proper authorization from its owner. Scanning a website without such authorization is against the law. Netsparker is not responsible for unauthorized scans and cannot be held responsible for any damage they cause to the target website.
What You Need to Know Before Launching a Web Security Scan
Netsparker Enterprise and Netsparker Standard are web application security scanners that use Proof-Based Scanning™ technology to attack web applications in order to automatically detect vulnerabilities such as XSS and SQL Injection. To do this, the scanners first have to identify every attack surface on the website, so the crawler navigates through the entire web application and submits every form it finds, including comment forms, email contact forms, delete buttons and all other types of input. Submitting those forms has the same side effects as a real user submitting them, which is why the exclusions and the staging advice below matter.
Preventing Netsparker from Testing Certain Pages
To prevent Netsparker Enterprise from crawling and testing certain parts or pages of your web application, specify them in the Exclude URLs with RegEx option in the Scope tab of Scan Options, as illustrated.
In Netsparker Standard, the same feature looks like this.
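Before pasting a pattern list into Exclude URLs with RegEx, it is worth checking it against the URLs the crawler actually found, because a pattern that is too broad silently removes pages you wanted tested, while one that is too narrow leaves a logout link or a delete button in scope. The script below is an added example written for this page, not Netsparker's own code. The target application, its URLs and the patterns are constructed assumptions for a hypothetical site; it uses only basic regex syntax (anchors, character classes, alternation) so the same patterns can be used in the scan scope, but always confirm the result against the crawled URL list in your own scan report.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example, not Netsparker's code. Every URL and pattern here is a
# constructed assumption about a hypothetical target application.

# Over-broad patterns of the kind people write first: they match substrings
# anywhere in the URL and so also hide pages that merely mention the word.
NAIVE_PATTERNS = [
    r"delete",   # also hides /help/how-to-delete-your-account
    r"contact",  # also hides /contacts/export
]

# Anchored patterns: each matches a specific path and only that path.
ANCHORED_PATTERNS = [
    r"/logout(\?|$)",                    # would end the authenticated session
    r"/account/delete(\?|/|$)",          # destructive: deletes the user's own account
    r"/admin/users/\d+/(delete|ban)\b",  # destructive admin actions
    r"/contact(\?|$)",                   # emails real staff on every submission
    r"/blog/[^/?]+/comment(\?|$)",       # would post junk comments
]

# Constructed stand-in for the URL list a crawl would discover.
SAMPLE_URLS = [
    "https://app.example.com/",
    "https://app.example.com/login",
    "https://app.example.com/logout",
    "https://app.example.com/account/delete",
    "https://app.example.com/account/settings",
    "https://app.example.com/admin/users/42/delete",
    "https://app.example.com/admin/users/42/edit",
    "https://app.example.com/contact?ref=footer",
    "https://app.example.com/contacts/export",
    "https://app.example.com/help/how-to-delete-your-account",
    "https://app.example.com/blog/hello-world/comment",
    "https://app.example.com/blog/hello-world",
]

# Pages that must stay in scope: read-only pages that happen to contain
# words like "delete" or "contact" in their path.
MUST_SCAN = [
    "https://app.example.com/help/how-to-delete-your-account",
    "https://app.example.com/contacts/export",
]


def first_match(url: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first exclusion pattern that matches anywhere in the URL, else None."""
    for pattern in patterns:
        if re.search(pattern, url):
            return pattern
    return None


def partition(urls: Iterable[str], patterns: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split URLs into (still in scope, excluded with the pattern responsible)."""
    scanned: List[str] = []
    excluded: List[Tuple[str, str]] = []
    for url in urls:
        hit = first_match(url, patterns)
        if hit is None:
            scanned.append(url)
        else:
            excluded.append((url, hit))
    return scanned, excluded


def over_excluded(urls: Iterable[str], patterns: Iterable[str], must_scan: Iterable[str]) -> List[str]:
    """URLs from must_scan that the patterns would wrongly drop from the scan.

    An empty list means the exclusion list is no broader than intended.
    """
    _, excluded = partition(urls, patterns)
    dropped = {url for url, _ in excluded}
    return [url for url in must_scan if url in dropped]


if __name__ == "__main__":
    for label, patterns in (("naive", NAIVE_PATTERNS), ("anchored", ANCHORED_PATTERNS)):
        scanned, excluded = partition(SAMPLE_URLS, patterns)
        print(f"[{label}] in scope: {len(scanned)}, excluded: {len(excluded)}")
        for url, pattern in excluded:
            print(f"  excluded {url}  (by {pattern})")
        print(f"  wrongly dropped: {over_excluded(SAMPLE_URLS, patterns, MUST_SCAN)}")
```

With the naive list, the help page and the export page are dropped while /logout and the comment form stay in scope; with the anchored list the destructive and side-effect pages are excluded and nothing read-only is lost. Run the same check against your own crawl results whenever you change the scope, and remember that excluding a URL only stops Netsparker from requesting it directly: it does not protect a page that is reachable through a form elsewhere in scope.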
A web security scan consists of two phases: the crawling phase where the crawler browses the entire web application to identify all attack surfaces, and the scanning phase where the scanner starts attacking the website. During both phases, the scanner will send a large number of HTTP requests to the target website. Should the web security scan affect the performance of your website, you can decrease the number of concurrent connections in the Scan Policy.
For further information, see 6 Ways to Exclude Parts of Your Website From a Web Security Scan, Excluding File Types From a Scan and Excluding Parameters from a Scan.
For guidance on choosing the number of concurrent connections, see How Can You Improve Scan Results?
Netsparker scanners are designed to run non-destructive web application security scans. However, we still recommend that you launch web application security scans against pre-production websites when possible, especially at the start. Once you are familiar with Netsparker and have found the right configuration for your web applications, you can scan an actual production website with more confidence.
Netsparker Support and Documentation
Professional support is available to all customers and trial users. If you need help, please contact Support at firstname.lastname@example.org.
For detailed product information, see Support.