
Creating a New Scan

Netsparker enables you to begin scanning web applications immediately, by selecting the default scan settings.

However, there are multiple, customizable scan options available. Each option is explained in the following sections.

For further details, see Netsparker Assistant, Overview of Scanning, Overview of Scan Policies, and Scheduling Scans.

Netsparker Enterprise New Scan Fields

This table lists and explains the fields in the New Scan window.

Field

Description

Target URL

This is the target URL of the website, including the path.

You can add a URL in the following formats:

Hostname: http://mysite.com/

IPv4: http://192.168.1.42/

IPv6: http://[fe80::8554:69c3:bb4:b28a]/

Scan Profile

This is the Scan Profile.

For further information, see Configuring Scan Profiles.

Netsparker Enterprise Scan Options Fields

This section lists and explains the fields in the Scan Options section.

General

In this tab, you can configure the basic scanning options.

Field

Description

Scan Policy

The Scan Policy defines the scan settings and which security tests will be performed.

For further information, see Overview of Scan Policies and Scan Policies and the Scan Policy Editor.

Agent Selection

This is the type of Agent that will run the scan.

The options are: Dedicated or Group. If you select Group, the Preferred Agent field (next) changes to Preferred Agent Group.

This field is only available in Netsparker Enterprise (On-Premises).

For further information, see Agents in Netsparker Enterprise On-Premises.

Preferred Agent/Preferred Agent Group

The Agent is a Windows service application that executes scans and informs the Netsparker Enterprise application.

Select an Agent or Agent Group.

This field is only available in Netsparker Enterprise (On-Premises).

For further information, see Agents in Netsparker Enterprise On-Premises.

Report Policy

The Report Policy defines how scan results will be reported.

For further information, see Custom Report Policies.

Custom Cookies

This contains any required cookies in the format cookiename=value.

The value must be URL encoded. Use semicolons (;) to separate multiple cookies.

Crawling

This indicates how the scan should crawl the Target URL.

The options are:

  • Find and Follow New Links
  • Enable Crawl & Attack at the Same Time

Max Scan Duration

This indicates the maximum length of the scan. Drag the slider as required.

If the scan is not completed within this time, it is automatically terminated.

In the New Group Scan and Scheduling Group Scan windows, there are checkboxes to:

  • Customize Max Scan Duration – Enable this setting to configure the maximum scan duration in hours. If your scan isn't completed in this time, it will be automatically terminated.
  • Customize Scan Time Windows – Enable this setting to configure the time periods during which scanning is allowed. Scanning is paused during disallowed hours.

Scan Scope

In this tab, you can configure the Scan Scope.

In addition, you can:

  • Enter a list of Regular Expressions to Exclude or Include URLs
  • Select whether the scanner should Include or Exclude the RegEx patterns
  • Specify Disallowed HTTP Methods

Field

Description

Entered Path and Below

This option restricts crawling and scanning to the entered path and everything below it.

If, for example, you enter http://example.com/testarea/, the scanner will not scan the following URLs:

Only Entered URL

This tab enables you to scan only the supplied URL and the parameters on that page.

If, for example, you enter http://example.com/test.asp, the scanner will only scan URLs that start with http://example.com/test.asp, and will not scan the following:

Whole Domain

This tab enables you to scan the entire domain, even if you only entered the URL of a page or a directory. If, for example, you enter http://example.com/test.asp, the scanner will start from the test.asp page and scan everything on the http://example.com domain.

Exclude URLs with RegEx

In this section, list and configure the URLs you want included or excluded.

Include/Exclude

If you choose Include, Netsparker Enterprise will only test URLs that match any of the given regular expressions. If you choose Exclude, Netsparker Enterprise will not visit or test URLs that match any of the given regular expressions.

New RegEx Pattern

This creates a new RegEx Pattern field.

Disallowed HTTP Methods

Select HTTP methods to disallow. Netsparker won’t make HTTP requests for the selected methods.

For further information, see Configuring the Scan Scope.

Additional Websites

In this tab, you can add additional links to domains that need to be scanned, other than the domain of the target URL.

Field

Description

New

Click to add additional URLs. Two additional fields are displayed.

URL

This is the URL of the additional website.

Canonical

Enable to scan canonical URLs to prevent scanning duplicate pages.

For further information, see Configuring Additional Websites.

In this tab, you can add any URLs that you also want to scan but that are not linked from anywhere on the target website.

Field

Description

Import/Enter Links

Enter any additional URLs you want to scan.

Add File

Click to upload a file containing a list of URLs.

For further information, see Importing Links.

URL Rewrite

In this tab, you can configure URL Rewrite rules for the scan.

  • Heuristic mode, to automatically detect URL Rewrite rules on the target website
  • Custom mode, to configure the URL Rewrite rules yourself for a faster scan

For further information, see URL Rewrites.

Field

Description

Root Path Max Dynamic Signatures

If a URL block in the root path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Sub Path Dynamic Signatures

If a URL block in the sub path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Block Separators

Enter separators to use to split the URL into blocks.

This field is displayed only in the Heuristic tab.

Analyzable Extensions

If the URL contains a file extension, it will be analyzed only if the respective extension is in this list.

This field is displayed only in the Heuristic tab.

Enable Heuristic URL Rewrite detection

Netsparker will try to automatically detect other URL rewrite rules if this option is set.

This field is displayed only in the Custom tab.

Placeholder Pattern

This contains the relative path with placeholders for URL rewrite parameters.

This field is displayed only in the Custom tab.

RegEx Pattern

This is a regular expression used for matching the URL rewrite parameters.

This field is displayed only in the Custom tab.

Form Authentication

In this tab, you can configure Form Authentication options.

Field

Description

Form Authentication

Select to enable Form Authentication.

Login Form URL

Enter the absolute URL of the login form, including the protocol (http or https).

Override Target URL with authenticated page

Select to enable the system to use the last page from the authentication process as the start URL, instead of the Target URL.

Detect Bearer Authentication Token

If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.

Active

Select to enable the system to log in using the supplied credentials.

Username

Enter the username for the login form.

Password

Enter the password for the login form.

Custom Scripts

If automatic authentication does not work for your website, you can click New Script and enter a JavaScript script that will be used to authenticate against the web application, completing the login form and clicking the Submit button.

You can add more than one script.

Basic NTLM/Kerberos

In this tab, you can configure NTLM/Kerberos, Basic or Digest authentication.

Field

Description

Basic or NTLM/Kerberos Authentication

Select to enable Basic or NTLM/Kerberos Authentication.

Type

Select the type of authentication.

The options are: Basic, NTLM, Kerberos, Digest, Negotiate

URL Prefix

Enter a prefix to specify the scope of the authentication method. For example: https://www.example.com/protected.

Username

Enter the username for the login popup.

Password

Enter the password for the login popup.

Domain

Enter the Windows domain name, if one is required.

This entry is optional; it is needed only when the domain is required in Windows environments.

Do not expect challenge

Select to enable authentication, even if the server does not send an authentication challenge.

Client Certificate

In this tab, you can configure Client Certificate authentication.

Field

Description

Client Certificate

Select to enable a client certificate to be used to log in to the web application.

Browse

Click to browse and upload the certificate file.

Password

Enter the password for the certificate.

Header Authentication

In this tab, you can configure HTTP Header authentication.

Field

Description

Enabled

Select to enable Header Authentication. All listed HTTP headers will be added to all HTTP requests.

New Authentication Header

Click to add a new Authentication Header.

Name

Enter the name of the Header.

It must contain ASCII characters only.

Value

Enter the value of the header.

Scan Time Window

In this tab, you can configure the time periods in the week during which scanning is allowed and paused.

Field

Description

Enable Scan Time Window

Select to enable the configuration of scan time settings.

Weekends

Click to enable configuration of the Scan Time Window. The default start and stop time is 00:00 to 23:59 on Saturday and Sunday. Drag the slider and click Scan/Do Not Scan to alter.

Business Hours

This tab enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00 from Monday to Friday. Drag the slider and click Scan/Do Not Scan to alter.

Non-business Hours

This tab enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00. Drag the slider and click Scan/Do Not Scan to alter.

For further information, see Scan Time Window.

Notifications

In this tab, you can configure notifications to instantly inform you about the status of a web application security scan, or when specific vulnerabilities are detected. You can also manage notification priorities and test a notification.

Field

Description

Event

This is the Scan Event that triggers the Notification. The options are:

  • New Scan
  • Scan Cancelled
  • Scan Failed
  • Scan Completed
  • Scheduled Scan Launch Failed

Group

Select to enable group notifications that occur within the specified period.

Scope

Notifications will be sent if the scan is related to the website or website group. The options are:

  • Any Website
  • Website Group
  • Website

Email Recipients

This is a list of names and email addresses of the recipients that will receive an Email Notification.

SMS Recipients

This is a list of the names and phone numbers of the recipients that will receive an SMS Notification.

Excluded Recipients

This is a list of users who will no longer receive notifications.

Integration Endpoints

This is a list of configured integrations.

For more information, see Introduction to Notifications in Netsparker Enterprise.

PCI Scan

In this tab, you can conduct a PCI Scan to receive approved PCI compliance reports for your public websites.

For further information, see PCI Scanning in Netsparker.

How to Scan a Website in Netsparker Enterprise

Before scanning your first website in Netsparker Enterprise, make sure you have added a website (Adding A Website in Netsparker Enterprise).

  1. From the main menu, click Scans, then New Scan.
  2. In the Target URL field, enter the URL.
  3. Complete the remainder of the fields, as described in Netsparker Enterprise New Scan Fields and Netsparker Enterprise Scan Options Fields.
  4. Click Launch.

How to Run a Group Scan in Netsparker Enterprise

  1. From the main menu, click Scans, then New Group Scan. The New Website Group Scan window is displayed.
  2. From the Website Group dropdown, select the website group you want to scan.
  3. Complete the remainder of the fields, as described in How to Scan a Website in Netsparker Enterprise.
  4. Click Launch.

You can also launch Group Scans from the Manage Groups window (click Scan).

How to Run an Incremental Scan in Netsparker Enterprise

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the relevant scan, click Report. The Executive Summary window is displayed.
  3. From the Scan dropdown, select Incremental Scan. The Incremental Scan window is displayed.
  4. Click Launch.

How to Run an Incremental Group Scan in Netsparker Enterprise

First, make sure you have already run a Group Scan.

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the Group Scan for which you want to run an incremental scan, click the Scan dropdown, and select Incremental Scan. The Incremental Scan window is displayed.
  3. If required, select the Customize Max Scan Duration checkbox and configure the settings.
  4. Click Launch.

How to Run a Retest in Netsparker Enterprise

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the scan for which you want to run a Retest, click the Scan dropdown, and select Retest. The Retest Scan window is displayed.
  3. Click Launch.

How to Run Bulk Operations on a Scan

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the scans for which you want to run a bulk operation, click the checkbox.
  3. Click the Bulk dropdown, and select the bulk operation you want. A dialog is displayed asking you to confirm your choice.
  4. Click Delete, Cancel or Pause as required.

Netsparker Standard New Scan Fields

This table lists and explains the fields in the Start a New Website or Web Service Scan dialog.

Field

Description

Target Website or Web Service URL

This is the target URL of the website or web service.

Scan Profile

This is the Scan Profile.

For further information, see Configuring Scan Profiles.

Netsparker Standard Scan Options Fields

This section lists and explains the fields in the Options section of the Start a New Website or Web Service Scan dialog box, which is divided into two further sections:

  • Scan Settings
  • Authentication

Scan Settings – General

In this tab, you can configure the basic scanning options.

Field

Description

Scan Policy

The Scan Policy defines the scan settings and which security tests will be performed. You can also define the Scan Policy so that a PCI Checks test is performed.

For further information, see Overview of Scan Policies, Scan Policy Editor and PCI Scanning in Netsparker.

Report Policy

The Report Policy defines how scan results will be reported.

For further information, see Custom Report Policies.

Custom Cookies

This contains any required cookies in the format cookiename=value.

The value must be URL encoded. Use semicolons (;) to separate multiple cookies.

Crawling

This indicates how the scan should crawl the Target URL.

The options are:

  • Find and Follow New Links
  • Enable Crawl & Attack at the Same Time

Scan Settings – Scope

In this tab, you can configure the Scan Scope, RegEx expressions and HTTP Methods.

In addition, you can:

  • Enter a list of Regular Expressions to Exclude or Include URLs
  • Select whether the scanner should Include or Exclude the RegEx patterns
  • Specify Disallowed HTTP Methods

Field

Description

Scope

The Scan Scope settings allow you to specify which parts of the target website should be crawled and scanned.

Exclude URLs with RegEx

Select Include or Exclude and enter the regular expressions.

Disallowed HTTP Methods

Select HTTP methods to disallow. Netsparker won’t make HTTP requests for the selected methods.
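The Enterprise Scan Scope tab (Entered Path and Below, Only Entered URL, Whole Domain, the Include/Exclude RegEx list and Disallowed HTTP Methods) and the Standard Scan Settings – Scope tab describe the same decision: may the scanner request a given URL with a given method? This added example, which is not Netsparker's code, models that decision as a hypothetical ScanScope class; the mode names, the same-host rule and the sample crawl results are assumptions.

```python
import re
from urllib.parse import urlsplit

# The three scope modes offered in the Scan Scope tab.
ENTERED_PATH_AND_BELOW = "Entered Path and Below"
ONLY_ENTERED_URL = "Only Entered URL"
WHOLE_DOMAIN = "Whole Domain"


def _directory_of(path: str) -> str:
    """'/testarea/' stays as is; '/testarea/test.asp' becomes '/testarea/'."""
    path = path or "/"
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


class ScanScope:
    """Hypothetical model of the scope settings: the Target URL, one scope mode,
    the Include/Exclude RegEx list and the Disallowed HTTP Methods."""

    def __init__(self, target_url, mode=ENTERED_PATH_AND_BELOW, regex_patterns=(),
                 regex_mode="Exclude", disallowed_methods=()):
        if mode not in (ENTERED_PATH_AND_BELOW, ONLY_ENTERED_URL, WHOLE_DOMAIN):
            raise ValueError(f"unknown scope mode {mode!r}")
        if regex_mode not in ("Include", "Exclude"):
            raise ValueError("regex_mode must be 'Include' or 'Exclude'")
        self.target_url = target_url
        self.target = urlsplit(target_url)
        self.mode = mode
        self.patterns = [re.compile(p) for p in regex_patterns]
        self.regex_mode = regex_mode
        self.disallowed = {m.upper() for m in disallowed_methods}

    def in_scope(self, url: str, method: str = "GET") -> bool:
        """True if the scanner may request `url` with `method` under this scope."""
        if method.upper() in self.disallowed:
            return False
        parts = urlsplit(url)
        # Assumption: only the Target URL's host (and port) is in scope; other
        # domains belong in the Additional Websites tab.
        if parts.netloc.lower() != self.target.netloc.lower():
            return False
        if self.mode == ONLY_ENTERED_URL:
            # Only URLs that start with the entered URL (the page plus its parameters).
            if not url.startswith(self.target_url):
                return False
        elif self.mode == ENTERED_PATH_AND_BELOW:
            if not (parts.path or "/").startswith(_directory_of(self.target.path)):
                return False
        # WHOLE_DOMAIN lets every path on the host through; the RegEx list is
        # applied last in all three modes.
        if self.patterns:
            matched = any(p.search(url) for p in self.patterns)
            if self.regex_mode == "Include" and not matched:
                return False
            if self.regex_mode == "Exclude" and matched:
                return False
        return True

    def filter_requests(self, requests):
        """Keep only the (method, url) pairs the scanner is allowed to send."""
        return [(m, u) for m, u in requests if self.in_scope(u, m)]


# Constructed sample of links a crawler might discover on example.com.
SAMPLE_REQUESTS = [
    ("GET", "http://example.com/testarea/index.asp"),
    ("GET", "http://example.com/testarea/item.asp?id=7"),
    ("POST", "http://example.com/testarea/comment.asp"),
    ("DELETE", "http://example.com/testarea/item.asp?id=7"),
    ("GET", "http://example.com/testarea/logout.asp"),
    ("GET", "http://example.com/admin/users.asp"),
    ("GET", "http://cdn.example.net/app.js"),
]


def demo_scope():
    """Entered Path and Below on /testarea/, excluding logout, with DELETE disallowed."""
    scope = ScanScope("http://example.com/testarea/", ENTERED_PATH_AND_BELOW,
                      regex_patterns=[r"/logout"], regex_mode="Exclude",
                      disallowed_methods=["DELETE"])
    return scope.filter_requests(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for method, url in demo_scope():
        print(method, url)
```

Excluding the logout URL keeps the crawler from ending the authenticated session mid-scan, which is the usual reason an Exclude pattern is added.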

Scan Settings – Additional Websites

In this tab, you can add additional links to domains that need to be scanned, other than the domain of the target URL.

Field

Description

URL

Enter the additional URL.

Canonical

Select Canonical to scan canonical URLs, to prevent scanning duplicate pages.

For further information, see Configuring Additional Websites.

In this tab, you can add URLs that you also want to scan but that are not linked from anywhere on the target website.

Field

Description

Method

Enter the HTTP Method, like GET or POST.

URL

Enter the URL of the added or imported pages for scanning.

Add

Click to open the Add New Link dialog.

Edit

Click to edit added or imported URLs.

Delete

Click to delete added or imported URLs.

Clear

Click to remove all added or imported URLs.

Search

Click to search for an added or imported URL.

Import From File

Click to import URLs from a file.

Enter Links

Click to open the Enter Links/HTTP Requests dialog.

Scan Settings – URL Rewrite

In this tab, you can configure URL Rewrite rules for the scan.

  • Heuristic mode, to automatically detect URL Rewrite rules on the target website
  • Custom mode, to configure the URL Rewrite rules yourself for a faster scan

For further information, see URL Rewrites.

Field

Description

Use Heuristic URL Rewrite Support

Enable to automatically detect the URL Rewrites on the target website and create rules. All fields are configurable.

Root Path Max Dynamic Signatures

If a URL block in the root path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed for the Heuristic setting.

Sub Path Max Dynamic Signatures

If a URL block in the sub path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed for the Heuristic setting.

Block Separators

Contains separators that are used for splitting the URL into blocks.

This field is displayed for the Heuristic setting.

Analyzable Extensions

If the URL contains a file extension, it will be analyzed only if the respective extension is within this list.

This field is displayed for the Heuristic setting.

Use Custom URL Rewrite Rules

Enable to configure URL Rewrite rules yourself for a faster scan.

New

Click to add a new rule.

Delete

Click to delete a rule.

Up/Down

Click to move a rule up or down.

Test

Click to test the rule.

Enable Heuristic Rule Detection

Enable to allow Heuristic detection too.

No URL Rewrite Rules

Enable to select no rules.
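Both URL Rewrite tabs (Enterprise and Standard) describe the same heuristic: split each crawled path into blocks on the Block Separators, skip URLs whose extension is not in Analyzable Extensions, and treat a block as a rewrite parameter once it has held more distinct values than the Root Path or Sub Path Max Dynamic Signatures limit. This added example, not Netsparker's own implementation, reconstructs that heuristic and emits a placeholder pattern with its RegEx pattern, as the Custom tab expects; the class and function names, the `{paramN}` placeholder syntax and the sample crawl results are assumptions.

```python
import re
from collections import defaultdict
from posixpath import splitext
from urllib.parse import urlsplit


class HeuristicRewriteDetector:
    """Hypothetical model of the Heuristic settings: Root Path / Sub Path Max
    Dynamic Signatures, Block Separators and Analyzable Extensions."""

    def __init__(self, root_max_signatures=3, sub_max_signatures=3,
                 block_separators="/",
                 analyzable_extensions=(".asp", ".aspx", ".php", ".html", ".htm")):
        if not 1 <= root_max_signatures <= 10000 or not 1 <= sub_max_signatures <= 10000:
            raise ValueError("signature limits must be between 1 and 10,000")
        self.root_max = root_max_signatures
        self.sub_max = sub_max_signatures
        # Capturing group keeps the separators so the pattern can be rebuilt.
        self.split_re = re.compile("([" + re.escape(block_separators) + "])")
        self.extensions = {e.lower() for e in analyzable_extensions}

    def _tokenize(self, url):
        """Split a URL path into (blocks, separators); None if its extension is
        not in the Analyzable Extensions list."""
        path = urlsplit(url).path.lstrip("/")
        ext = splitext(path)[1].lower()
        if ext and ext not in self.extensions:
            return None
        parts = self.split_re.split(path)
        return parts[0::2], parts[1::2]

    def analyze(self, urls):
        """Return {placeholder pattern: regex pattern} for every path in which a
        block held more distinct values than the limit for its depth."""
        tokenized = [t for t in map(self._tokenize, urls) if t is not None]
        norm = [list(blocks) for blocks, _ in tokenized]   # blocks after rewriting
        for d in range(max((len(b) for b in norm), default=0)):
            # Group by the (already normalized) blocks before depth d and count
            # the distinct raw values seen at depth d within each group.
            seen = defaultdict(set)
            for raw, b in zip(tokenized, norm):
                if len(b) > d:
                    seen[tuple(b[:d])].add(raw[0][d])
            limit = self.root_max if d == 0 else self.sub_max
            dynamic = {prefix for prefix, values in seen.items() if len(values) > limit}
            for b in norm:
                if len(b) > d and tuple(b[:d]) in dynamic:
                    b[d] = "{param%d}" % (d + 1)
        rules = {}
        for (_, seps), b in zip(tokenized, norm):
            if any(x.startswith("{param") for x in b):
                pattern = "/" + "".join(x + s for x, s in zip(b, seps + [""]))
                rules[pattern] = self._to_regex(pattern)
        return rules

    @staticmethod
    def _to_regex(pattern):
        """'/products/{param2}/reviews' -> '^/products/(?P<param2>[^/]+)/reviews$'."""
        out = []
        for piece in re.split(r"(\{param\d+\})", pattern):
            out.append("(?P<%s>[^/]+)" % piece[1:-1] if piece.startswith("{") else re.escape(piece))
        return "^" + "".join(out) + "$"


def match_path(rules, path):
    """Return (pattern, parameters) for the first rule matching `path`, else None."""
    for pattern, regex in rules.items():
        m = re.match(regex, path)
        if m:
            return pattern, m.groupdict()
    return None


# Constructed crawl results: four product ids exceed a Sub Path limit of 3, so the
# second block under /products/ is reported as a rewrite parameter.
SAMPLE_URLS = [
    "http://example.com/products/101",
    "http://example.com/products/102",
    "http://example.com/products/103",
    "http://example.com/products/104",
    "http://example.com/products/104/reviews",
    "http://example.com/about.asp",
    "http://example.com/style.css",        # .css is not analyzable, skipped
]


def detect_sample():
    return HeuristicRewriteDetector(root_max_signatures=3, sub_max_signatures=3).analyze(SAMPLE_URLS)


if __name__ == "__main__":
    for placeholder, regex in detect_sample().items():
        print(placeholder, "=>", regex)
```

Without such a rule the scanner would treat /products/101, /products/102 and so on as separate pages, re-crawling and re-testing the same handler for each id, which is the slowdown the Custom mode avoids.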

Authentication – Form

In this tab, you can configure Form Authentication options.

Field

Description

Enabled

Select to enable Form Authentication.

Login Form URL

Enter the absolute URL of the login form, including the protocol (http or https).

Custom Script

Once you complete the Login Form URL field, the Custom Script button is enabled.

Click Custom Script to open the dialog box. A browser window is displayed along with a script editor and Google Chrome browser developer tools.

Active

Select to make one of the Personas active (once you enter Username and Password credentials).

Username

Enter the username for the form.

Password

Enter the password for the form.

Interactive login (Check this for OTP, CAPTCHA etc.)

Select to enable interactive logins, such as OTP and CAPTCHA.

This displays the webpage during login to allow user input (for two-factor and other authentication mechanisms).

Override Target URL with authenticated page

Select to use the last page from the authentication process as the start URL. Netsparker will not make a request to the specified Target URL.

Detect Bearer Authorization Token

Select to automatically intercept and use Bearer tokens during the scan, if there is an AJAX request after the login.

Verify Login & Logout

Click to verify all details, once Personas have been created.

Authentication – Basic, NTLM/Kerberos

In this tab, you can configure Basic, Digest and NTLM/Kerberos options.

Field

Description

Enabled

Select to enable Basic, Digest and NTLM/Kerberos Authentication.

Test Credentials

Click to test the configured settings.

Type

From the dropdown, select a type. The options are:

  • Basic
  • NTLM
  • Kerberos
  • Digest
  • Negotiate

URL Prefix

Enter a prefix to specify the scope of the authentication type. For example: https://www.example.com/protected.

Username

This is the username for the form.

Password

This is the password for the form.

Domain

Enter the value of the domain name for Windows systems (not the host name of the site).

This is an optional field.

Delete row(s)

Right click any row and select to delete.

Do not expect challenge (Basic Authentication)

Select to enable authentication, even if the server does not send an authentication challenge.

Authentication – Header

In this tab, you can configure HTTP Header authentication.

Field

Description

Enabled

Click to enable Header Authentication. All listed headers are added to all HTTP requests.

Add Authorization Header

Click to display the Add Authorization HTTP Header dialog.

Delete

Select any header row, and click to delete.

Type

In the Add Authorization HTTP Header dialog, select an item from the Type dropdown.

The options are:

  • Bearer (default)
  • HOBA
  • Mutual
  • Negotiate
  • OAuth
  • SCRAM-SHA-1
  • SCRAM-SHA-256

The selected option will be displayed in the Name column.

Credentials

Enter the relevant credentials.

Whatever you enter will be displayed in the Value column.

Name

This column displays the Type entered in the Add Authorization Header dialog.

Value

This column displays the Credentials entered in the Add Authorization Header dialog.

Authentication – Client Certificate

In this tab, you can configure Client Certificate authentication.

Field

Description

Enabled

Select to enable Client Certificate Authentication. Once enabled, the Add New button is clickable.

Add New

Click to display the Certificate to Install dialog. Select the file, and click Open.

Authentication – Smart Card

In this tab, you can configure Smart Card authentication.

Field

Description

Enabled

Select to enable Smart Card Authentication. Once enabled, the Import Smart Card Certificate button is clickable.

(If Client Certificate Authentication is enabled, a Client Certificate Authentication Enabled dialog may be displayed, reminding you that if you proceed, it will be disabled. You can also manually disable it.)

Import Smart Card Certificate

Click to display the Import Smart Card Certificate dialog. Select a driver from the Smart Card Library list and click Import. The smart card containing the selected certificate should already be configured in your system.

Delete

Select any row, and click to delete.

Authentication – OAuth2

In this tab, you can configure OAuth2 authentication.

Field

Description

Enabled

Select to enable OAuth2 authentication. Once enabled, the Flow Type field is activated.

Test Credentials

Click to test the configured settings.

Flow Type

OAuth2 Flow type is defined in RFC-6749.

From this dropdown, select from:

  • Authorization Code
  • Client Credentials
  • Implicit
  • Resource Owner Password Credentials
  • Custom

Once an option has been selected, the other fields are activated.

Authentication

Select the type of authentication required by the OAuth2 endpoint(s).

From this dropdown, select from:

  • None
  • Form Authentication
  • Basic, Digest, NTLM/Kerberos Authentication

Access Token

In this tab, you can configure the parameters required to make a request to the Access Token endpoint to retrieve the OAuth2 access token.

Endpoint

(Access Token & Authorization Code tabs)

From this dropdown, select an option:

  • URL
  • Content Type
    • application/x-www-form-urlencoded
    • application/json
  • Method – GET or POST

Name

(Access Token & Authorization Code tabs)

Enter the name of the request parameter.

Value

(Access Token & Authorization Code tabs)

Enter the value of the request parameter.

Authorization Code

In this tab, you can configure the parameters required to make a request to the Authorization Code endpoint to retrieve the Authorization Code.

This tab is visible only when the Flow Type selected is Authorization Code.

Response Fields

In this tab, you can set the following options:

  • Access Token – The name of the response field from which the Access Token will be retrieved from the OAuth2 endpoint.
  • Refresh Token – The name of the response field from which the Refresh Token will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
  • Expire – The name of the response field from which the token expiration value will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
  • Token Type – The name of the response field from which the token type will be retrieved from the OAuth2 endpoint. The Access Token will be sent using this token type as the authorization scheme. If no Token Type is provided, Netsparker uses Bearer.
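The Access Token endpoint settings (URL, Content Type, Method, Name/Value parameters) and the Response Fields above together describe one exchange: build the token request, then read the token out of the reply using the configured field names, defaulting to Bearer when no token type comes back. This added example is not Netsparker's code; the function names, the dict layout for the Response Fields and the constructed responses (with placeholder token values) are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode

# The two Content Type options offered for the Access Token endpoint.
FORM_URLENCODED = "application/x-www-form-urlencoded"
JSON_CONTENT = "application/json"

# Response Fields as configured in the tab: the *names* of the fields in the
# endpoint's response. A blank name means the response does not carry that field.
DEFAULT_RESPONSE_FIELDS = {
    "access_token": "access_token",
    "refresh_token": "refresh_token",
    "expire": "expires_in",
    "token_type": "token_type",
}


def build_token_request(url, method, content_type, params):
    """Assemble the Access Token request from the Endpoint settings (URL, Content
    Type, Method) and the Name/Value request parameters. Returns a plain dict;
    nothing is sent."""
    method = method.upper()
    if method == "GET":
        return {"method": "GET", "url": url + "?" + urlencode(params),
                "headers": {}, "body": None}
    if method != "POST":
        raise ValueError("Method must be GET or POST")
    if content_type not in (FORM_URLENCODED, JSON_CONTENT):
        raise ValueError(f"unsupported Content Type {content_type!r}")
    body = urlencode(params) if content_type == FORM_URLENCODED else json.dumps(params)
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": content_type}, "body": body}


def parse_token_response(body, content_type, fields=DEFAULT_RESPONSE_FIELDS):
    """Pick the token out of the endpoint's response using the configured field
    names and build the Authorization header value the scanner would send."""
    if content_type.split(";")[0].strip() == JSON_CONTENT:
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    name = fields["access_token"]
    if name not in data or not data[name]:
        raise ValueError(f"response has no {name!r} field")
    result = {"access_token": data[name]}
    for key in ("refresh_token", "expire"):
        result[key] = data.get(fields[key]) if fields[key] else None
    token_type = data.get(fields["token_type"]) if fields["token_type"] else None
    # Default to Bearer when the response does not state a token type.
    result["token_type"] = token_type or "Bearer"
    result["authorization_header"] = f"{result['token_type']} {result['access_token']}"
    return result


# Constructed responses; the token values are placeholders, not real credentials.
SAMPLE_JSON_RESPONSE = '{"access_token": "tok-constructed-123", "expires_in": 3600}'
SAMPLE_FORM_RESPONSE = "access_token=tok-constructed-456&token_type=bearer&refresh_token=rt-constructed"


def demo_client_credentials():
    """Client Credentials flow against a placeholder endpoint, then parse the reply."""
    request = build_token_request("https://auth.example.test/token", "POST", FORM_URLENCODED,
                                  {"grant_type": "client_credentials",
                                   "client_id": "scanner-client",
                                   "client_secret": "placeholder-secret"})
    token = parse_token_response(SAMPLE_JSON_RESPONSE, JSON_CONTENT)
    return request, token


if __name__ == "__main__":
    req, tok = demo_client_credentials()
    print(req["method"], req["url"], req["body"])
    print(tok["authorization_header"])
```

When a provider names its fields differently (for example `token` and `ttl`), only the Response Fields entries change; the scanner's handling of the reply stays the same.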

How to Scan a Website in Netsparker Standard

  1. Open Netsparker Standard.
  2. In the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. In the Target Website or Web Service URL field, enter the URL of the website you want to scan.
  4. Configure the Scan Policy, Netsparker Standard Scan Options Fields and Authentication as required.
  5. From the Crawl and Wait dropdown, select Start Scan.
  6. When the scan is completed, and the Netsparker Standard window is in the background, a Scan Finished information dialog is displayed.

How to Run an Incremental Scan in Netsparker Standard

  1. Open Netsparker Standard.
  2. In the Home tab, click Incremental. The Import dialog is displayed.
  3. Select the file of the already completed scan, and click Open. The scan is imported and displayed in the UI, with the Start a New Website or Web Service Scan dialog open.
  4. Configure the Scan Policy, Scan Options Fields and Authentication as required.
  5. Click Incremental Scan.

How to Run a Retest in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click the File tab. The Local Scans list is displayed.
  3. Double-click the scan you want to retest and wait until it loads. The Vulnerability tab is displayed.
  4. If you wish to:
    • Retest the entire scan: select the scan name at the top of the Sitemap panel, right-click and click Retest All
    • Retest a single vulnerability: select the vulnerability name in the Issues panel, right-click and click Retest

How to Run a Controlled Scan in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click the File tab. The Local Scans list is displayed.
  3. From the list of previous scans, click the one you want to run as a controlled scan and wait until it loads.
  4. Select the View tab and click Controlled Scan on the ribbon. The Controlled Scan panel is displayed.
  5. From the Controlled Scan panel:
    • In the Choose Parameters to Scan area, enter the page or parameters you want to scan
    • Or, in Choose Security Tests, select the specific vulnerabilities you want to scan
  6. Click Start.

How to Start a New Instance of Netsparker Standard in Netsparker Standard

You can open multiple new instances of Netsparker Standard at once, in order to run a different scan with each instance.

  1. Open Netsparker Standard.
  2. From the Home tab, click New Instance. A new instance of Netsparker Standard starts.
  3. The Welcome Dashboard of the new instance is displayed.

Recovering Unexpectedly Terminated Scans in Netsparker Standard

Netsparker Standard has a built-in auto-save feature. If a scan is interrupted unexpectedly – for example, due to a computer restart – you can reload the partial scan and continue scanning.

The auto-saved files are stored in this folder and the progress is saved every fifteen minutes:

My Documents\Netsparker\Scans\[WEBSITE-NAME]

The two files that are created are:

  • AutoSave.ndb
  • AutoSave.nss

If you start Netsparker Standard after a scan was interrupted unexpectedly, the scanner will automatically resume that scan.

For further information, see How to Start a New Instance of Netsparker Standard in Netsparker Standard and How to Prevent the Operating System From Going to Sleep While There is a Scan in Progress.

How to Recover Unexpectedly Terminated Scans in Netsparker Standard

  1. Open My Documents\Netsparker\.
  2. Double-click the Scans folder.
  3. Select the relevant scan folder by Name and Date.
  4. Double-click the AutoSave Netsparker Scan Session file. Netsparker Standard will automatically reopen.
  5. On the Quick Access Toolbar, click the Resume Scan button, or in the Scan tab, click Resume. The unexpectedly terminated scan will resume.
