Scans

Introduction to Scanning

• Do Netsparker Scans Damage Web Applications?
  • Garbage Records and Accidental Data Loss
  • Email Floods
  • Server Slowdown or Downtime
  • Overloading the Server With Requests
• Overview of Scanning
  • Types of Scans

Working with Scans

• Excluding Parts of a Website From a Scan
• Scanning a RESTful Web Service
  • Differences Between a Web Service and a REST API
  • The Challenges of Scanning REST API Interfaces
  • Scanning a RESTful Web Service for Vulnerabilities
  • Authentication and RESTful Web Services
• Technologies
  • Active Technologies
  • Fixed Technologies
  • The Technologies Dashboard
  • Recent Technologies
• Configuring Additional Websites
  • The Scan Profile and Settings Used for the Additional Websites
  • Reporting Scan Activity and Issues Identified in Additional Websites
• Manual Crawling in Proxy Mode
  • How to Run a Manual Crawl with Netsparker Standard
  • How to Combine Automated and Manual Crawling in a Web Security Scan
• Importing and Exporting Scan Sessions in Netsparker Standard
  • How to Import a Scan Session into Netsparker Standard from Netsparker Enterprise
  • How to Import a Scan Session to Netsparker Standard from Your Local Machine
  • How to Export the Current Scan Session from Netsparker Standard to Your Local Machine
  • How to Export the Current Scan Session from Netsparker Standard to Netsparker Enterprise
  • How to Bulk Export Selected Scans from Netsparker Standard to Netsparker Enterprise
• Creating a New Scan
  • Netsparker Enterprise New Scan Fields
  • Netsparker Enterprise Scan Options Fields
  • How to Run Bulk Operations on a Scan
  • Netsparker Standard New Scan Fields
  • Netsparker Standard Scan Options Fields
• URL Rewrite Rules
  • Problems with URL Rewrite Rules
  • Specifying the Parameter Type
  • Encoded URLs
• Scan Time Window
• PCI Scanning in Netsparker
  • Running a PCI Scan in Netsparker Enterprise
  • PCI Scan Status Management in Netsparker Enterprise
  • Viewing PCI Scan Results in Netsparker Enterprise
  • Defining the PCI Scan Policy in Netsparker Standard
• Reviewing Scan Results and Imported Vulnerabilities
  • Vulnerability Families
  • Sending Vulnerabilities Manually to an Issue Tracking System
  • Tracking and Logs of Issues Sent to Issue Tracking System

Scan Profiles

• Overview of Scan Profiles
  • Configuring Scan Profiles in Netsparker Enterprise
  • Configuring Scan Profiles in Netsparker Standard

Security Checks

• Malware Analyzer
  • How to Configure the Malware Analyzer in Netsparker Enterprise
• Common Directories
  • How to Disable the Common Directories Security Check in Netsparker Enterprise
  • How to Disable the Common Directories Security Check in Netsparker Standard
  • How to Add Your Own Forced Browsing Keyword List
• Custom Scripts for Security Checks
  • Deciding Which Vulnerability Type Will be Detected
  • Identifying a Sample Vulnerable Web Page
• BREACH Attack
  • How to Disable the BREACH Attack Security Check in Netsparker Enterprise
  • How to Disable the BREACH Attack Security Check in Netsparker Standard
• WAF Identifier
  • How to Disable the WAF Identifier Security Check in Netsparker Standard
• Security Checks
  • How to Configure Security Check Options in Netsparker Enterprise
  • How to Configure Security Check Options in Netsparker Standard
• Custom Security Checks via Scripting
  • Active Security Checks
  • Passive Security Checks
  • Singular Security Checks
  • Per-Directory Security Checks
  • Helper Functions
  • How can I add Custom Fields to a Vulnerability?

Introduction to Scan Policies

• Overview of Scan Policies
  • Default Scan Policies
  • How to Use Default Scan Policies in Netsparker Enterprise
  • How to Use Default Scan Policies in Netsparker Standard
• Excluding Parameters From a Scan
  • Excluded Parameters Definitions
  • Pattern Options
• Configuring Predefined Web Form Values in Netsparker Web Security Scanners
  • What are Web Forms?
  • Why Does the Netsparker Scanner Need to Traverse Web Forms?
  • When Are the Configured Form Values Used?
  • Configuring Form Values in Netsparker Web Application Security Scanner
  • Form Values for POST and GET Parameters
• Configuring Scan Policies
  • Scan Policy Fields
• Scanning Parameter-Based Navigation Websites
  • Parameter-Based Navigation in PHP Websites
  • Parameter-Based Navigation in ASP.NET Websites
• Scan Policy Editor
• Scanning Single Page Applications
  • Configuring the Netsparker JavaScript Analyzer
• Scan Policy Optimizer
  • Scan Policy Optimization Wizard Steps
  • How to Create an Optimized Scan Policy in Netsparker Enterprise
  • How to Create an Optimized Scan Policy in Netsparker Standard

Excluding Parameters

HTTP Request Builder

• HTTP Request Builder
  • Working with HTTP Requests and the Request Builder
  • HTTP Headers and Parameters
  • Optional: Add a Request Body in the HTTP Request

Command Line Interface

• Command Line Interface
  • Command Line Arguments
  • Command Line Examples
  • Scanning Multiple Websites Using the Command Line Interface

Authentication

• Configuring Client Certificate Authentication in Netsparker Standard
  • How to Configure Client Certificate Authentication in Netsparker Standard
• Configuring Basic, Digest, NTLM/Kerberos Authentication in Netsparker Standard
  • NTLM/Kerberos Authentication Fields
• Custom Scripts for Form Authentication in Netsparker Standard
  • Custom Script Editor
  • Executing Scripts on Multiple Pages
  • Tips and Tricks
• Configuring OAuth2 Authentication in Netsparker Standard
  • OAuth2 Authentication Fields
  • How to Configure OAuth2 Authentication in Netsparker Standard
• Overview of Authentication
  • Supported Authentication Methods in Netsparker
• Configuring Header Authentication in Netsparker Standard
  • Header Authentication Fields
• Logout Detection
  • Configuring Redirect-Based Logout Detection
  • Configuring Keyword-Based Logout Detection
  • Configuring Authentication for Non-Supported Login Forms
• HMAC Authentication via Scripting in Netsparker Standard
  • Sample Postman Pre-Request Script
  • How to Configure HMAC Authentication via Scripting in Netsparker Standard
• Manual Authentication
  • Manual Authentication Fields
• Configuring and Verifying Form Authentication in Netsparker Enterprise
  • How to Verify Form Authentication
  • What Happens When Verifying Form Authentication Configuration and Session
• Configuring Smart Card Authentication in Netsparker Standard
  • Smart Card Authentication Fields
• Configuring Form Authentication in Netsparker Standard
  • Form Authentication Fields
  • Configuring a Login Form URL
  • Configuring Multiple Sets of Credentials and URLs
  • Configuring Form Authentication Using an OTP
  • Configuring Form Authentication Using an OTP from a QR Code
  • Problems with Form Authentication Login
• Verifying the Form Authentication Configuration in Netsparker Standard
  • How to Verify the Form Authentication Configuration by Simulating the Login and Detecting the Logout Pattern
• Logout Problems
  • Causes of Logout During Scanning
  • How Does Logout Detection Work?
• Interactive Logins in Netsparker Standard
  • One Time Tokens and Two Factor Authentication Mechanisms

Optional Scan Settings

Working with Scan Scopes

• Excluding File Types From a Scan
  • Excluding Binary Files
  • Crawl and Attack Options
• Advanced Scan Scope Settings
  • URLs and Case Sensitivity
  • Bypass Scope for Static Checks
  • Excluding Pages and Files with Specific Content Types from a Scan
  • Excluding Advertising Networks from a Scan
• Scan Scope
  • Defining the URL in the Scan Scope
  • Configuring the URL Path
  • Configuring the Scan Scope
  • Filtering the URLs in the Scan Scope
  • Scan Scope Exceptions
  • Scan Scope Examples

Scheduling Scans

• Scheduling Scans
  • Scheduled Scans Fields
  • Scheduling Scans in Netsparker Enterprise
  • Netsparker Enterprise Scheduled Scan Fields
  • How to Convert a Completed Scan Into a Scheduled Scan
  • Scheduling Scans in Netsparker Standard
  • Netsparker Standard Scheduled Scan Fields
  • Sending Web Security Reports in Netsparker Standard

Agents

• Agents in Netsparker Enterprise On-Premises
  • Managing Agents
  • Manage Agents Fields
  • Managing Groups
  • Accessing Agent Logs
• Installing Internal Agents
  • Download and Configuring the Scanning Agent
  • Setting Scanning Agent as a Windows Service
  • Defining an Internal Website in Netsparker Enterprise
• Internal Agents in Netsparker Enterprise
  • Manage Agents Fields
  • Accessing Agent Logs