Creating a New Scan
Netsparker enables you to begin scanning web applications immediately, by selecting the default scan settings.
However, there are multiple, customizable scan options available. Each option is explained in the following sections.
For further details, see Netsparker Assistant, Overview of Scanning, Overview of Scan Policies, and Scheduling Scans.
Netsparker Enterprise New Scan Fields
This table lists and explains the fields in the New Scan window.
| Field | Description |
| --- | --- |
| Target URL | This is the target URL of the website, including the path. You can add a URL in the following formats: Hostname (http://www.example.com), IPv4 (http://192.168.1.42/) or IPv6 (http://[fe80::8554:69c3:bb4:b28a]/). |
| Scan Profile | This is the Scan Profile. For further information, see Configuring Scan Profiles. |
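The three Target URL formats above (hostname, IPv4, and IPv6 in square brackets) are easy to get wrong when scans are launched from scripts rather than the UI. The following added example, which is not Netsparker code, checks a candidate Target URL against those formats before it is handed to the scanner, rejecting unbracketed IPv6 literals, malformed dotted quads and non-HTTP schemes; the `classify_target_url` and `is_valid_target_url` names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not Netsparker code: validate a Target URL against the host
# formats the New Scan window documents: hostname, IPv4, or IPv6 in brackets.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_target_url(url: str) -> str:
    """Return 'hostname', 'ipv4' or 'ipv6'; raise ValueError if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname  # brackets stripped and lower-cased by urlsplit
    if not host:
        raise ValueError("missing host")
    # Accessing .port raises ValueError when the part after the first ':' is
    # not an integer, which is exactly how an unbracketed IPv6 literal such
    # as http://fe80::1/ is (mis)parsed.
    _ = parts.port
    if ":" in host:
        # urlsplit only yields a host containing ':' for a bracketed literal
        ipaddress.IPv6Address(host)  # ValueError if malformed
        return "ipv6"
    labels = host.rstrip(".").split(".")
    if labels[-1].isdigit():
        # an all-numeric last label is never a hostname: require a valid IPv4
        ipaddress.IPv4Address(host)  # ValueError for e.g. 256.1.1.1
        return "ipv4"
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid hostname: {host!r}")
    return "hostname"


def is_valid_target_url(url: str) -> bool:
    """Convenience wrapper: True when classify_target_url accepts the URL."""
    try:
        classify_target_url(url)
        return True
    except ValueError:
        return False
```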
Netsparker Enterprise New Scan Options Fields
The Options section is divided into Scan Settings and Authentication. This section lists and explains the fields in the Options section.
General
In this Scan Settings tab, you can configure the basic scanning options.
| Field | Description |
| --- | --- |
| Scan Policy | The Scan Policy defines the scan settings and which security tests will be performed. For further information, see Overview of Scan Policies and Scan Policies and the Scan Policy Editor. |
| Agent Selection | This is the type of Agent that will run the scan. The options are Dedicated or Group. If you select Group, the Preferred Agent field (next) changes to Preferred Agent Group. This field is only available in Netsparker Enterprise (On-Premises). For further information, see Agents in Netsparker Enterprise On-Premises. |
| Preferred Agent/Preferred Agent Group | The Agent is a service application that executes scans and reports back to the Netsparker Enterprise application. Select an Agent or Agent Group. This field is only available in Netsparker Enterprise (On-Premises), or if Agent Mode is set to Internal in the Website Settings for websites scanned in Netsparker Enterprise. For further information, see Agents in Netsparker Enterprise On-Premises. |
| Report Policy | The Report Policy defines how scan results will be reported. For further information, see Custom Report Policies. |
| Custom Cookies | This contains any required cookies in the format cookiename=value. The value must be URL encoded. Use semicolons (;) to separate multiple cookies. |
| Crawling | This indicates how the scan should crawl the Target URL. The options are: |
| Max Scan Duration | This indicates the maximum length of the scan. Drag the slider as required. If the scan is not completed within this time, it is automatically terminated. In the New Group Scan and Scheduling Group Scan windows, there are checks to: |
| Comments | This option allows users to add a comment to their scan at launch. The comment is displayed on the scan report. |
Scope
In this Scan Settings tab, you can configure the Scan Scope.
In addition, you can:
- Enter a list of Regular Expressions to Exclude or Include URLs
- Select whether the scanner should Include or Exclude the RegEx patterns
- Specify Disallowed HTTP Methods
For further information, see Configuring the Scan Scope.
Additional Websites
In this Scan Settings tab, you can add additional links to domains that need to be scanned, other than the domain of the target URL.
For further information, see Configuring Additional Websites.
Imported Links
In this Scan Settings tab, you can add any pages you also want scanned that are not linked from anywhere on the target website.
For further information, see Importing Links.
URL Rewrite
In this Scan Settings tab, you can configure URL Rewrite rules for the scan.
- Heuristic mode, to automatically detect the URL
- Custom mode, to configure the URL Rewrite rules for a faster scan
For further information, see URL Rewrites.
Pre-Request Script
In this Scan Settings tab, you can configure Pre-Request Script options.
This is an Enterprise On-Premises and Netsparker Standard feature.
| Field | Description |
| --- | --- |
| Enabled | Select to enable Pre-Request Script. Once enabled, the Presets dropdown is activated. |
| Presets | This allows you to select the HMAC option and view the relevant script. |
| Test Script | This allows you to test the new script. |
Scan Time Window
In this Scan Settings tab, you can configure the time periods in the week during which scanning is allowed and paused.
For further information, see Scan Time Window.
Notifications
In this Scan Settings tab, you can configure notifications that inform you immediately about the status of a web application security scan, or when specific vulnerabilities are detected. You can also manage notification priorities and test a notification.
For more information, see Managing Notifications.
PCI Scan
In this Scan Settings tab, you can conduct a PCI Scan to receive approved PCI compliance reports for your public websites.
For further information, see PCI DSS Scanning in Netsparker.
Form
In this Authentication tab, you can configure Form Authentication options.
For further information, see Configuring and Verifying Form Authentication in Netsparker Enterprise.
Basic NTLM/Kerberos
In this Authentication tab, you can configure Basic, NTLM/Kerberos, Digest or Negotiate authentication.
For further information, see Configuring Basic, Digest, NTLM/Kerberos and Negotiate Authentication.
Header
In this Authentication tab, you can configure HTTP Header authentication.
For further information, see Configuring Header Authentication.
Client Certificate
In this Authentication tab, you can configure Client Certificate authentication.
For further information, see Configuring Client Certificate Authentication.
OAuth2
In this Authentication tab, you can configure OAuth2 authentication.
For further information, see Configuring OAuth2 Authentication.
How to Scan a Website in Netsparker Enterprise
In Netsparker Enterprise, there are two ways to launch a scan:
- You can access a new scan from a shortcut located next to [Your Name].
- You can access a new scan feature from the main menu.
Before scanning your first website in Netsparker Enterprise, make sure you have added a website (Adding A Website in Netsparker Enterprise).
- From the main menu, click Scans, then New Scan. The New Scan window is displayed.
- In the Target URL field, enter the URL.
- Complete the remainder of the fields, as described in Netsparker Enterprise New Scan Fields and Netsparker Enterprise Scan Options Fields.
- Click Launch.
How to Run a Group Scan in Netsparker Enterprise
- From the main menu, click Scans, then New Group Scan. The New Website Group Scan window is displayed.
- From the Website Group dropdown, select the website group you want to scan.
- Complete the remainder of the fields, as described in How to Scan a Website in Netsparker Enterprise.
- Click Launch.
You can also launch Group Scans from the Manage Groups window (click Scan).
How to Run an Incremental Scan in Netsparker Enterprise
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the relevant scan, click Report. The Scan Summary window is displayed.
- From the Scan dropdown, select Incremental Scan. The Incremental Scan window is displayed.
- Click Launch.
How to Run an Incremental Group Scan in Netsparker Enterprise
First, make sure you have already run a Group Scan.
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the Group Scan for which you want to run an incremental scan, click the Scan dropdown, and select Incremental Scan. The Incremental Scan window is displayed.
- If required, select the Customize Max Scan Duration checkbox and configure the settings.
- Click Launch.
How to Run a Retest in Netsparker Enterprise
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the scan for which you want to run a Retest, click the Scan dropdown, and select Retest. The Retest Scan window is displayed.
- Click Launch.
How to Run Bulk Operations on a Scan in Netsparker Enterprise
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the scans for which you want to run a bulk operation, click the checkbox.
- Click the Bulk dropdown, and select the bulk operation you want.
- A dialog is displayed asking you to confirm your choice.
- Click Delete, Cancel or Pause as required.
How to Cancel or Pause a Scan in Netsparker Enterprise
- Launch a scan in Netsparker Enterprise (see How to Scan a Website in Netsparker Enterprise).
- If you want to cancel the scan, click Cancel.
The Cancel Scan dialog is displayed.
- Click Yes, cancel it.
- If you want to simply pause the scan instead, select the Cancel dropdown and click Pause.
The Pause Scan dialog is displayed.
- Click Yes, pause it.
Netsparker Standard New Scan Fields
This table lists and explains the fields in the Start a New Website or Web Service Scan dialog.
| Field | Description |
| --- | --- |
| Target Website or Web Service URL | This is the target URL of the website or web service. |
| Scan Profile | This is the Scan Profile. For further information, see Configuring Scan Profiles. |
This section lists and explains the fields in the Options section of the Start a New Website or Web Service Scan dialog box, which is divided into two further sections:
- Scan Settings
- Authentication
Scan Settings – General
In this tab, you can configure the basic scanning options.
| Field | Description |
| --- | --- |
| Scan Policy | The Scan Policy defines the scan settings and which security tests will be performed. You can also define the Scan Policy so that a PCI Checks test is performed. For further information, see Overview of Scan Policies, Scan Policy Editor and PCI Scanning in Netsparker. |
| Report Policy | The Report Policy defines how scan results will be reported. For further information, see Custom Report Policies. |
| Custom Cookies | This contains any required cookies in the format cookiename=value. All configured cookies in Netsparker Standard are sent with every HTTP request and cannot be expired by server responses. To add a custom cookie, type the cookie name and its value in the Custom Cookie section of the Scan Policy in the General tab. The value must be URL encoded. Use semicolons (;) to separate multiple cookies. For example: CookieName1=Value1; CookieName2=Value2; CookieName3=Value3 |
| Crawling | This indicates how the scan should crawl the Target URL. The options are: |
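The Custom Cookies field in both the Enterprise and Standard scan options expects the same format: cookiename=value pairs, values URL-encoded, separated by semicolons. Because configured cookies are sent with every request and never expire, a value that is not encoded (one containing a ';' or '=') silently corrupts every following cookie. The added example below, which is not Netsparker code, builds that string from a dictionary with the encoding applied, and parses one back for checking; the function names are assumptions.

```python
from typing import Dict
from urllib.parse import quote, unquote

# Added example, not Netsparker code: produce and parse the Custom Cookies
# string ("name=value; name2=value2", values URL-encoded) documented above.


def build_custom_cookies(cookies: Dict[str, str]) -> str:
    """Serialise cookies into the semicolon-separated, URL-encoded form."""
    parts = []
    for name, value in cookies.items():
        # A name containing '=', ';' or whitespace could not be parsed back.
        if not name or any(ch in name for ch in "=; \t"):
            raise ValueError(f"invalid cookie name: {name!r}")
        # safe="" so that ';' and '=' inside the value are encoded as well;
        # otherwise they would be read as a cookie boundary or a second '='.
        parts.append(f"{name}={quote(value, safe='')}")
    return "; ".join(parts)


def parse_custom_cookies(text: str) -> Dict[str, str]:
    """Parse a Custom Cookies string back into a name -> decoded value map."""
    cookies: Dict[str, str] = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing ';'
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed cookie entry: {item!r}")
        cookies[name] = unquote(value)
    return cookies
```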
Scan Settings – Scope
In this tab, you can configure the Scan Scope, RegEx expressions and HTTP Methods.
In addition, you can:
- Enter a list of Regular Expressions to Exclude or Include URLs
- Select whether the scanner should Include or Exclude the RegEx patterns
- Specify Disallowed HTTP Methods
For further information, see Configuring the Scan Scope.
Scan Settings – Additional Websites
In this tab, you can add additional links to domains that need to be scanned other than the domain of the target URL.
For further information, see Configuring Additional Websites.
Scan Settings – Imported Links
In this tab, you can add URLs you also want scanned that are not linked from anywhere on the target website.
For further information, see Importing Links.
Scan Settings – URL Rewrite
In this tab, you can configure URL Rewrite rules for the scan.
- Heuristic mode, to automatically detect the URL
- Custom mode, to configure the URL Rewrite rules for a faster scan
For further information, see URL Rewrites.
Scan Settings – Pre-Request Script
In this Scan Settings tab, you can configure Pre-Request Script options for the scan.
For further information, see Pre-Request Scripts in Netsparker Standard.
Authentication – Form
In this tab, you can configure Form Authentication options.
For further information, see Configuring Form Authentication in Netsparker Standard.
Authentication – Basic, NTLM/Kerberos
In this tab, you can configure Basic, Digest, NTLM/Kerberos and Negotiate options.
For further information, see Configuring Basic, Digest, NTLM/Kerberos and Negotiate Authentication.
Authentication – Header
In this tab, you can configure HTTP Header authentication.
For further information, see Configuring Header Authentication.
Authentication – Client Certificate
In this tab, you can configure Client Certificate authentication.
For further information, see Configuring Client Certificate Authentication.
Authentication – Smart Card
In this tab, you can configure Smart Card authentication.
For more information, see Configuring Smart Card Authentication in Netsparker Standard.
Authentication – OAuth2
In this tab, you can configure OAuth2 authentication.
For further information, see Configuring OAuth2 Authentication.
Authentication – Manual Authentication
In this tab, you can configure Manual authentication.
For further information, see Manual Authentication.
How to Scan a Website in Netsparker Standard
- Open Netsparker Standard.
- In the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
- In the Target Website or Web Service URL field, enter the URL of the website you want to scan.
- Configure the Scan Policy, Netsparker Standard Scan Options Fields and Authentication as required.
- From the Crawl and Wait dropdown, select Start Scan.
- If the Netsparker Standard window is in the background when the scan completes, a Scan Finished information dialog is displayed.
How to Run an Incremental Scan in Netsparker Standard
- Open Netsparker Standard.
- In the Home tab, click Incremental. The Import dialog is displayed.
- Select the file of the already completed scan, and click Open.
- The scan is imported and displayed in the UI, with the Start a New Website or Web Service Scan dialog open.
- Configure the Scan Policy, Scan Options Fields and Authentication as required.
- Click Incremental Scan.
How to Run a Retest in Netsparker Standard
- Open Netsparker Standard.
- Click the File tab. The Local Scans list is displayed.
- Double-click to select the scan you want to retest and wait until it loads. The Vulnerability tab is displayed.
- If you wish to:
  - Retest the entire scan: select the scan name at the top of the Sitemap panel, right-click and click Retest All
  - Retest a single vulnerability: select the vulnerability name in the Issues panel, right-click and click Retest
How to Run a Controlled Scan in Netsparker Standard
- Open Netsparker Standard.
- Click the File tab. The Local Scans list is displayed.
- From the list of previous scans, click the one you want to run as a controlled scan and wait until it loads.
- Select the View tab and click Controlled Scan on the ribbon. The Controlled Scan panel is displayed.
- From the Controlled Scan panel:
  - In the Choose Parameters to Scan area, enter the page or parameters you want to scan
  - Or, in Choose Security Tests, select the specific vulnerabilities you want to scan
- Click Start.
How to Start a New Instance of Netsparker Standard in Netsparker Standard
You can open multiple new instances of Netsparker Standard at once, in order to run a different scan with each instance.
- Open Netsparker Standard.
- From the Home tab, click New Instance. A new instance of Netsparker Standard starts.
- The Welcome Dashboard of the new instance is displayed.
How to Pause a Scan in Netsparker Standard
- Launch a scan in Netsparker Standard.
- If you want to pause the scan, click Pause in the Scan tab or the Quick Access Toolbar.
The scan is paused.
- When you want to continue the scan, click Resume.
The scan will continue.
Recovering Unexpectedly Terminated Scans in Netsparker Standard
Netsparker Standard has a built-in auto-save feature. If a scan is interrupted unexpectedly – for example, due to a computer restart – you can reload the partial scan and continue scanning.
The auto-saved files are stored in this folder and the progress is saved every fifteen minutes:
My Documents\Netsparker\Scans\[WEBSITE-NAME]
The two files that are created are:
- AutoSave.ndb
- AutoSave.nss
If you start Netsparker Standard after a scan was interrupted unexpectedly, the scanner will automatically resume that scan.
For further information, see How to Start a New Instance of Netsparker Standard in Netsparker Standard and How to Prevent the Operating System From Going to Sleep While There is a Scan in Progress.
How to Recover Unexpectedly Terminated Scans in Netsparker Standard
- Open My Documents\Netsparker\.
- Double-click on the Scans folder.
- Select the relevant scan folder by Name and Date.
- Double-click the AutoSave Netsparker Scan Session file. Netsparker Standard will automatically reopen.
- On the Quick Access Toolbar, click the Resume Scan button, or in the Scan tab, click Resume. The unexpectedly terminated scan will resume.