
Configuring Scan Policies

A Scan Policy is a list of web application security scan settings. When you want to run a Scan, you attach it to a Scan Policy that defines which security tests will be performed. You can select from built-in Scan Policies, or you can create your own. You can also share Scan Policies within a group, or clone a Scan Policy from a group.

Scan Policy Fields

This section lists and explains the tabs in the New Scan Policy window.

General

This table lists and explains the fields in the General tab. The General tab is displayed in Netsparker Enterprise only.

Field

Description

Name

This is the name for the Scan Policy.

Description

This is a description that helps explain the policy's features to anyone else who may also use it.

Shared

Select to enable others to have access to the policy.

This field is displayed in Netsparker Enterprise only.

Security Checks

In this tab, select the categories and Security Checks for the Scan Policy. By default, most security checks are enabled.

  • Select each Security Check category to view help text in the UI
  • Deselect the ones you don't require

The table lists and explains the additional settings available for some of the Security Checks.

Item

Description

Generate Proof

Select Yes to enable the generation of proof for the current security check group.

Only Run on the Start Path (RoR)

Select Yes to restrict attacking to the Start Path only. Otherwise, every directory will be attacked.

Resource Finder Limit

Enter a number to set the maximum number of hidden resources and folders to look for in each folder.

Include/Exclude

Select Include to include the specified cookie names in the security check. Select Default to include all cookies.

Cookie Names

Enter the cookie names that will be managed during the scan.

Check All Pages

Select Yes to conduct CORS checks on all pages. Otherwise only unique directories will be checked.

Prepend Original Value

Prepend the original value to the Cross Site Scripting payloads. This can make the scan more accurate.

Possible Admin Interface

Enable to ensure newly available Security Checks will be included.

Maximum Path Count

Enter a number to set the maximum number of paths to check against HTTP methods.

Dynamically Generated Patterns

Enable to ensure newly available Security Checks will be included.

Alphanumeric-Only Characters

Enable to ensure newly available Security Checks will be included.

Proof Sharing

Select Yes to enable sharing the same proof of concept across vulnerabilities.

Database Type

Select which databases your application uses in order to tailor the SQL injection payloads to the specific database type.

Upload Folders

Netsparker will search for uploaded files in these website directories. You can add more directories as a comma-separated list.

Crawling

This table lists and explains the fields in the Crawling tab.

Field

Description

Crawling Page Limit

Enter a number to set the maximum number of pages to crawl. Once this number is reached, Netsparker ends the crawling phase.

Maximum Signature

Enter a number to set the maximum number of samples to take from pages with similar URL signatures.

Maximum Page Visits

Enter a number to set the maximum number of times the crawler visits a page (e.g. /index.php or /page.php). If this number is exceeded, Netsparker will stop crawling that page, even if there are new parameters that have not yet been crawled.

For further information, see Scanning Parameter-Based Navigation Websites.

Wait Resource Finder

Enable to ensure Netsparker waits for the Resource Finder to finish before ending the crawling phase. Depending on the website, this search for hidden folders and resources can take a significant amount of time, perhaps longer than the crawling phase.

Text Parser

Enable to ensure the static HTML/Text Parser can search for links in HTML comments and similar locations. The Text Parser cannot parse JavaScript.

Text Parser Extensions

List the file extensions of file types that should be parsed by the Text Parser, to find links in files with extensions not listed in the default extension list.

Default extensions include: .asa, .asax, .ascx, .ashx, .asmx, .asp, .aspx, .cfc, .cfm, .cgi, .config, .dll, .htm, .html, .inc, .include, .js, .jsp, .php, .php3, .php5, .phtm, .phtml, .shtm, .shtml, .xhtm and .xhtml.

Parse SOAP Web Services

Check to enable SOAP Web Service discovery by parsing WSDL files.

Parse REST Web Services

Check to enable REST Web Service discovery by parsing Swagger and WADL files.

Fallback to GET

Netsparker uses HEAD requests to find hidden resources. Check to enable Netsparker to fall back to GET requests when HEAD requests don't work. This might increase scan time.

Enable Parameter-Based Navigation

Check to enable Parameter-Based Navigation if the target website uses parameter-based navigation instead of separate pages to serve different content (e.g. /?page=home and /?page=contact instead of /home.php and /contact.php).

Navigational Parameter RegEx

Enter a regular expression. If a parameter name matches the regular expression, it will be considered as a navigational parameter.

For further information, see Scanning Parameter-Based Navigation Websites.

JavaScript

This table lists and explains the fields in the JavaScript tab.

Field

Description

Analyze JavaScript/AJAX

Check to enable Netsparker to analyze JavaScript and AJAX to find relevant links and pages in the target application. This option is CPU-intensive. Please disable it if you experience performance issues.

Select a Pre-defined Preset

Netsparker can scan different kinds of JavaScript applications ranging from occasional JavaScript-generated content to large Single Page Applications.

The options are:

  • Default
  • SPA (Single Page Application)
  • Large SPA

This field is only displayed in Netsparker Enterprise.

Load Preset Values

Use this drop-down menu to select one of the scanner's built-in settings presets.

This field is only displayed in Netsparker Standard.

DOM Load Timeout

Enter a number to set the amount of time (milliseconds) to wait for the page to load, including the downloading and browser rendering time, before Netsparker begins to analyze the JavaScript DOM simulation.

DOM Simulation Timeout

Enter a number to set the amount of time (milliseconds) to wait before the DOM simulation of a page is ended. This is the timeout for the whole simulation of a single page. For a large application it might not be feasible to simulate all of the page, since parameters are typically still being identified when the timeout is reached. The value of this timeout can have an impact on the scan duration.

Interevent Timeout

Enter a number to set the amount of time (milliseconds) to wait after triggering a JavaScript event, before the next event is triggered. In this duration no other DOM/JS events will be triggered by the scanner. Increase this number if the target website has high latency AJAX calls that modify the DOM.

Max Simulated Elements

Enter a number to set the maximum number of DOM elements the parser will simulate before terminating the simulation for this page.

Skip Threshold

Enter a number to set the number of elements to simulate before skipping elements. Enter '0' to disable sampling.

Elements to Skip

Enter a number to set how many elements are not simulated after the Skip Threshold has been exceeded.

This setting and the one above specify how many elements should be simulated (Skip Threshold) before the parser starts skipping (Elements to Skip) some elements. For example, if the Skip Threshold is set to 1000 and Elements to Skip is set to 10, after simulating 1000 elements, the parser will not simulate elements 1001 to 1009. Element 1010 will be simulated. The idea behind these settings is to diversify the simulation.

Max Modified Element Depth

Enter a number to limit the simulation to this number of nested elements. This value must be between 0 and 100.

This setting specifies the maximum number of levels the DOM parser should follow when a DOM modification is triggered as a result of another simulation or modification. It can be used as a form of infinite-loop protection.

For example, imagine a case where clicking a button creates another button, clicking that new button creates another one, and so on. This depth setting allows you to control the maximum depth the simulation will go to in such cases.

Pre-simulation Wait

Enter a number to set the amount of time (milliseconds) the scanner should wait once a simulation has started and the page has loaded. This can be used to configure the scanner to wait for custom page loading logic of dynamic pages.

Exclude by CSS Selector

Exclude HTML elements such as logout buttons from event simulation by CSS selectors. All matched elements will be excluded with their children. To test, please try your selector in Chrome using document.querySelectorAll JavaScript function. Please note that if the selector is not very specific, i.e. many items match the selector at any time, it will affect scan performance negatively.

Maximum Option Elements

Enter a number to set the maximum number of option elements, per select element, to simulate. The value must be between 1 and 1000. The suggested maximum is 20.

Persistent JavaScript Cookies

Enter the names of cookies (separated by semicolons) that are set in JavaScript via document.cookie rather than from HTTP headers, and that should persist across authentication and DOM simulation.

Open Redirect Conf. Timeout

Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for Open Redirection confirmation. The value must be between 1 and 21600000.

XSS Confirmation Timeout

Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for XSS confirmation. The value must be between 1 and 21600000.

Filter Document Events

Check to filter events that are attached to document by name to a constant set (e.g. mousedown, keyup), to reduce triggered event counting during the simulation.

Ignore document events

Check to skip triggering events that are attached to the document object.

Filter Colon Events

Check to filter events that contain a colon (:) in their name, to reduce triggered event counting during the simulation. They are usually used by frameworks and would be triggered by other events.

Extract Static Resources

Check to extract static resources from DOM elements.

Allow Out-of-Scope XML HTTP Requests During Simulation

Check this if the target website fails to load because some of its requests are blocked by the Scan Profile's out-of-scope settings.

Generate Debug Info

Check to generate debug information during the scan.

When this option is enabled, the DOM parser will write the diagnostics information to a log file in the scan folder, including data about the coverage. When this option is enabled, the scan may be slowed down and will use some additional disk space.

Attacking

This table lists and explains the fields in the Attacking tab.

Field

Description

Maximum Number of Parameters to Attack on a Single Page

Enter a number to set the maximum number of parameters Netsparker should attack on a single page. Once the maximum is reached, Netsparker will stop attacking that page.

Enable Proof Generation

Check to generate a Proof of Exploit after a vulnerability is confirmed.

Attack Parameter Names

Enable to generate extra attacks which place attack payloads into the name of a request parameter.

Attack Referer Header

Enable to generate extra attacks which place attack payloads into the Referer header.

Attack User-Agent Header

Enable to generate extra attacks which place attack payloads into the User-Agent header.

Optimize Header Attacks

Enable to issue header attacks on each unique link path (otherwise, all links will be attacked).

Optimize Attacks to Recurring Parameters

Enable to detect recurring parameters in different URLs (e.g. search widgets, newsletter subscription forms). It will attack the number of links that are allowed in the Recurring Parameters Attack Limit field.

Recurring Parameters Attack Limit

Enter a number to set the maximum number of pages to attack for recurring parameters. Once the maximum is reached, Netsparker will stop attacking recurring parameters on remaining pages.

Anti-CSRF Token Field Names (Comma Separated)

Enter the Anti-CSRF Token Field Names, for example:

*token*,*csrf*,ViewStateUserKey,__RequestVerificationToken,protect_from_forgery,*xsrf*,nonce

Enable Random Parameter Attacks in Cross-site Scripting Engine

Enable to attempt to add extra parameters to the page to detect Cross-site Scripting vulnerabilities.

Custom 404

This table lists and explains the fields in the Custom 404 tab.

Field

Description

Auto Custom 404

Check to select an automatic 404 Error page.

Manual Custom 404

Check to select a manual 404 Error page.

Disabled

Check to disable the 404 Error page.

Maximum 404 Signatures

Enter a number to set the maximum number of 404 Error page samples to collect.

Maximum 404 Pages to Attack

Enter a number to set the maximum number of Custom 404 Error pages to crawl and attack.

Custom 404 RegEx

When Netsparker Enterprise matches this RegEx on a page, it will consider that page a custom 404 error page.

Scope

This table lists and explains the fields in the Scope tab.

Field

Description

Case Sensitive

Netsparker does not differentiate between case sensitive and insensitive URLs (e.g. Index.php and index.php are treated the same).

Enable if your target uses case sensitive URLs. (If, for example, there is an SQL Injection in both Index.php and index.php, they will be reported as separate issues.)

Bypass Scope for Static checks

Enable to check for static vulnerabilities (e.g. Crossdomain.xml), even when the Scan Scope does not cover the root. For example, if your start URL is http://example.com/test and your Scope is set to Entered Path and Below, the scanner will still send requests to the root domain (e.g. http://example.com/Crossdomain.xml).

Static checks do not include invasive requests. So, in many cases, it is advised to enable this option. This option is disabled by default, to avoid potential legal issues in tests conducted with strict Scan Scopes.

Ignore These Extensions

Enter extensions you do not want to be crawled or tested.

If the files include a query parameter, they will still be crawled and attacked regardless of the extension.

Enable Content-Type Checks

Enable to stop analyzing pages that have a listed content-type header.

Block Ad Networks

Enable to stop sending requests to known ad networks. This option is enabled by default.

Ignored Parameters

This table lists and explains the fields in the Ignored Parameters tab.

For further information, see Excluding Parameters From a Scan.

Field

Description

Name

This is a friendly name for the parameter, for your own reference (e.g. 'ASP Session ID (COOKIE)').

Pattern

This is the actual name of the parameter to be excluded from the scan (e.g. ASPSESSIONID*).

Pattern matching is case sensitive, so use the correct capitalization.

You can also use any of these pattern options (wildcards) to match the patterns in the parameter name:

  • ? - any single character
  • * - zero or more characters
  • # - any single digit (0-9)
  • [charlist] - any single character in charlist
  • [!charlist] - any single character not in charlist

The parameters will be ignored only during the attack phase.

For further information, see Pattern Options.
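As an added example (not Netsparker's own code), the following Python models the wildcard syntax listed above for the Pattern field, together with the Type rule described below (ALL covers GET, POST and COOKIE; any other type matches only itself), so you can check offline which parameter names a rule set would exclude. The rule set is constructed for illustration; only ASPSESSIONID* comes from the page.

```python
import re

# Wildcards from the Ignored Parameters tab:
#   ?           any single character
#   *           zero or more characters
#   #           any single digit (0-9)
#   [charlist]  any single character in charlist (ranges such as a-z allowed)
#   [!charlist] any single character not in charlist
# Matching is case sensitive, as the documentation states.


def wildcard_to_regex(pattern: str) -> str:
    """Translate a Netsparker-style wildcard pattern into a Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "#":
            out.append("[0-9]")
        elif c == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if body:
                # Escape characters that are special inside a regex class.
                body = body.replace("\\", "\\\\").replace("^", "\\^")
                out.append("[" + ("^" if negate else "") + body + "]")
                i = close
            else:
                out.append(re.escape(c))  # unmatched or empty '[' is literal
        else:
            out.append(re.escape(c))  # everything else matches literally
        i += 1
    return "".join(out)


def matches(pattern: str, name: str) -> bool:
    """True if the whole parameter name matches the wildcard pattern."""
    return re.fullmatch(wildcard_to_regex(pattern), name) is not None


def is_ignored(name: str, param_type: str, rules) -> bool:
    """Apply (pattern, type) rules: ALL covers GET, POST and COOKIE,
    any other rule type only covers parameters of exactly that type."""
    for pattern, rule_type in rules:
        if rule_type != "ALL" and rule_type != param_type:
            continue
        if matches(pattern, name):
            return True
    return False


# Constructed sample rule set (hypothetical, apart from ASPSESSIONID*).
RULES = [
    ("ASPSESSIONID*", "COOKIE"),  # the page's own example pattern
    ("__VIEWSTATE*", "ALL"),      # ignored in GET, POST and COOKIE
    ("page#", "GET"),             # page0 .. page9 only
    ("sort[!_]", "POST"),         # 'sortA' matches, 'sort_' does not
]

if __name__ == "__main__":
    samples = [("ASPSESSIONIDQACTCRSA", "COOKIE"),
               ("aspsessionidx", "COOKIE"), ("page12", "GET")]
    for name, ptype in samples:
        print(name, ptype, is_ignored(name, ptype, RULES))
```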

Type

This is the parameter type (e.g. COOKIE).

The dropdown options are:

  • POST
  • GET
  • COOKIE
  • ALL

If you want to ignore both GET and POST parameters matching this pattern, create two entries, one with POST and one with GET.

If you want to ignore GET, POST and COOKIE parameters, create one entry with ALL.

Form Values

This table lists and explains the fields in the Form Values tab.

For further information, including Regex definitions, see Configuring Pre-Defined Web Form Values in Netsparker Web Security Scanners.

Field

Description

NAME

This is a friendly name for your reference.

TYPE

This is the form input type.

The options are:

  • hidden
  • text
  • textarea
  • submit
  • reset
  • button
  • image
  • file
  • radio
  • select
  • checkbox
  • password
  • color
  • date
  • datetime
  • datetime-local
  • email
  • month
  • number
  • range
  • search
  • tel
  • time
  • url
  • week
  • output

The type should be a valid input type.

MATCH

This is the match type for the Pattern field.

The options are:

  • RegEx
  • Exact
  • Contains
  • Starts
  • Ends

PATTERN

This is the value that the HTML attribute value will be matched against based on the selected Match.

Pattern should be a valid regular expression if the Match dropdown is set to RegEx.

TARGET

This is the match target.

The options are:

  • Select All
  • Name
  • Label
  • Placeholder
  • Id

It is possible to select one or more options.

VALUE

This is the value Netsparker will submit to the input parameter when the match is successful.

FORCE

When this option is enabled Netsparker will submit the provided value even when the parameter is already populated with some other value.

Brute Force

This table lists and explains the fields in the Brute Force tab.

Field

Description

Enable Authentication Brute Force (Basic, NTLM, Digest)

Check to enable Authentication Brute Force.

Maximum Username/Password Combinations to Test

Enter a number to set the maximum number of Username/Password combinations to test.

By default, this is set to 10.

Autocomplete

This table lists and explains the fields in the Autocomplete tab.

Field

Description

Input Name

Enter a value to be matched with input name to detect whether autocomplete is enabled for the input.

The Input Name can contain any valid wildcard characters, such as ? * #.

Netsparker Enterprise will only issue an alert if Autocomplete is enabled on a text input that matches one of these values.

Netsparker Hawk

This table lists and explains the fields in the Netsparker Hawk tab. This tab is only displayed in Netsparker Standard.

Field

Description

Netsparker Hawk URI

Enter the URI of the Netsparker Hawk server that will respond to SSRF-related attacks initiated by Netsparker.

Validate DNS Settings

Click to validate the DNS settings of Netsparker Hawk server.

Validate Netsparker Hawk

Click to validate whether Netsparker Hawk server can report vulnerabilities.

Ignored Email Addresses

This table lists and explains the fields in the Ignored Email Addresses tab.

Field

Description

Email Pattern

Enter any email addresses you'd like the scan to ignore.

Email Pattern can contain any valid wildcard characters (? * #).

Netsparker will ignore any Email Disclosure vulnerability if it matches one of these patterns.

CSRF

This table lists and explains the fields in the CSRF tab.

Field

Description

User Name Inputs

Enter a list of strings. A field that includes one of these strings is treated as a username input.

Login Form Values

Enter a list of strings. A form that includes one of these strings is treated as a login form.

Non-CSRF Form Values

Enter a list of strings. A form whose name or action includes one of these strings is treated as a non-CSRF form.

Non-CSRF Input Values

Enter a list of strings. An input whose name or value includes one of these strings is treated as a non-CSRF input.

Captcha Indicators

Enter a list of strings that identify forms containing a Captcha, which serves as protection against CSRF.

Web Storage

This table lists and explains the fields in the Web Storage tab.

Field

Description

TYPE

This is the Web Storage mechanism that will be used.

From the dropdown, select an item.

The options are:

  • Local
  • Session

KEY

This is the name of the key you want to create.

VALUE

This is the value you want to give the key you are creating.

ORIGIN

Enter storage data for a specific origin. (Otherwise leave it empty to allow the DOM parser to pass it for any origin.)

Extensions

This table lists and explains the fields in the Extensions tab.

Field

Description

Extension

This is a list of file types to which the specified Crawling and Attacking activity will be applied.

For further information, see Crawl and Attack Options.

Crawl

Select the required Crawling activity for the file type (Extension).

The options are:

  • Do Not Crawl
  • Crawl
  • Crawl Only Parameter (default)

Attack

Select the required Attacking activity for the file type (Extension).

The options are:

  • Do Not Attack
  • Attack Parameters (default)
  • Attack Parameters and Query String

Auto Send To

This table lists and explains the fields in the Auto Send To tab.

This tab is only displayed in Netsparker Standard.

Field

Description

Send To Action

Click Send to Action Settings.

The options are:

  • Azure DevOps
  • Bitbucket
  • Bugzilla
  • Email
  • FogBugz
  • GitHub
  • GitLab
  • JIRA
  • JIRA (Legacy)
  • Redmine
  • ServiceNow
  • TFS
  • Unfuddle
  • Zapier

For further information, see Send to Actions.

Severities

This is the vulnerability severity level.

For further information, see Web Application Vulnerabilities Severities Explained.

HTTP Request

This table lists and explains the fields in the HTTP Request tab.

Field

Description

Predefined User Agents

From the dropdown, select a User Agent to use in all HTTP requests during scans. You can also modify the User Agent string from the textbox below.

User Agent

Enter the User Agent string to be used in all HTTP requests during scans.

Force this value

Enable to force Netsparker to use the User Agent.

Request Timeout (seconds)

Enter a number to set the interval (seconds) to wait for a response from the target before the request is considered to have timed out.

Depending on the configuration, if a request times out, Netsparker will try to send it again or cancel it.

Requests per Second

Enter the maximum number of requests to perform per second. Depending on the target application, setting this figure too high might cause connectivity or Denial of Service issues. The recommendation is 30.

Accept

Enter the HTTP Accept Header string that should be used in all HTTP requests during a scan.

Accept Charset

Enter the HTTP Accept Charset Header that should be used in all requests.

Accept Language

Enter the HTTP Accept-Language header string that should be used in all HTTP requests in a scan.

Rate Limit

Enter the maximum number of requests that may be initiated within the given number of milliseconds.

HTTP Keep Alive

Enable to improve the server's performance and decrease the load.

Support Gzip/Deflate

Enable to complete the scan in less time, if the target web server supports Gzip or Deflate.

Support Cookies

Enable to support HTTP cookies.

Capture HTTP Requests

Enable to save HTTP requests during scans using the Fiddler session file format.

Proxy

This table lists and explains the fields in the Proxy tab. This tab is only displayed in Netsparker Standard.

Field

Description

Use Application (Global) Proxy

Enable to use the Application Proxy.

The Application Proxy is defined in the Proxy tab of the Options dialog.

Use System (Internet Explorer) Proxy

Enable to use the System Proxy. This is the default.

The System Proxy is the system-wide proxy which is used by every program by default.

Use Custom Proxy

Enable to use and configure a Custom Proxy.

Unlike the System Proxy, the Custom Proxy must be configured explicitly before it can be used.

Do Not Use Proxy

Enable so that no proxy will be used.

HTTP Headers

This table lists and explains the fields in the HTTP Headers tab.

Field

Description

Name

The Name field in the HTTP Header should only contain ASCII characters. Checked custom headers are added to HTTP requests during Scans.

Value

A header value to be used in attacks with the corresponding header.

Attack Mode

The options are:

  • None (default)
  • Optimized
  • Full

HTTP SSL/TLS

This table lists and explains the fields in the HTTP SSL/TLS tab.

Field

Description

Security Protocol

Select the security protocols that are supported by the website to be scanned.

The options are:

  • SSLv3
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Untrusted Certificates

This sets the action taken when the scanner encounters an untrusted certificate at the Target & Additional Websites or at External Websites.

The options are:

  • Accept untrusted certificate
  • Reject untrusted certificate

Knowledge Base

This table lists and explains the fields in the Knowledge Base tab.

Field

Description

Enable Knowledge Base

Enable to switch on the Knowledge Base checks.

Note that disabling this option means that some issues may not be reported.

SENSITIVE KEYWORD PATTERN

This is a pattern for sensitive data that may appear in comments accessible from the website. The Sensitive Keyword Pattern must be a valid regular expression. Netsparker uses these patterns to find sensitive keywords in the code's comments.

How to Configure a New Scan Policy in Netsparker Enterprise

  1. From the main menu, click Policies, then New Scan Policy.
  2. In the Name field, enter a Name.
  3. In the Description field, enter a Description.
  4. Enable the Shared field, if required (see Sharing Scan Policies).
  5. Complete the remaining fields. (Each tab is explained in tables in Scan Policy Fields.)
  6. Click Save.

How to Configure a New Scan Policy in Netsparker Standard

  1. From the Home tab, click Scan Policy Editor. The Scan Policy Editor dialog is displayed with all existing Scan Policies listed at the top.
  2. Click New. A New Scan Policy line is displayed at the bottom of the list.
  3. Double-click on 'New Scan Policy' and enter a new Name.
  4. Click into the next cell and enter a Description.
  5. Complete the remaining fields. (Each tab is explained in tables in Scan Policy Fields.)
  6. Click OK.

Sharing Scan Policies

This table lists and explains the four types of Scan Policy.

Policy

Description

Default

Unless you configure them as Shared, these can only be used by you.

Share

These are policies that others can use.

Private

These are policies that only you can use.

Mine

These are policies you created.

By sharing your Scan Policy, other users can use and clone it, but they cannot modify it. Scan Policies you create are tagged as Mine and Private in the Type column.

Shared and Private Scan Policies in Netsparker Cloud

How to Share a Scan Policy

  1. Navigate to the New Scan Policy window.
  2. Enable the Is Shared field. A new section, Website Groups, is displayed.
  3. Select all the Website Groups the Scan Policy should be shared with. This means that anyone who has access to those groups can use your Scan Policy.

How to Clone a Scan Policy

Alternatively, click Clone to clone and edit an existing Scan Policy.
