Creating a New Scan

Field

Description

Target URL

This is the target URL of the website, including the path.

You can add a URL in the following formats:

Hostname: http://mysite.com/

IPv4: http://192.168.1.42/

IPv6: http://[fe80::8554:69c3:bb4:b28a]/

Scan Profile

This is the Scan Profile.

For further information, see Configuring Scan Profiles.

Field

Description

Scan Policy

The Scan Policy defines the scan settings and which security tests will be performed.

For further information, see Overview of Scan Policies and Scan Policies and the Scan Policy Editor.

Agent Selection

This is the type of Agent that will run the scan.

The options are: Dedicated or Group. If you select Group, the Preferred Agent field (next) changes to Preferred Agent Group.

This field is only available in Netsparker Enterprise (On-Premises).

For further information, see Agents in Netsparker Enterprise On-Premises.

Preferred Agent/Preferred Agent Group

The Agent is a Windows service application that executes scans and informs the Netsparker Enterprise application.

Select an Agent or Agent Group.

This field is only available in Netsparker Enterprise (On-Premises).

For further information, see Agents in Netsparker Enterprise On-Premises.

Report Policy

The Report Policy defines how scan results will be reported.

For further information, see Custom Report Policies.

Custom Cookies

This contains any required cookies in the formatcookiename=value.

The value must be URL encoded. Use semicolons (;) to separate multiple cookies.

Crawling

This indicates how the scan should crawl the Target URL.

The options are:

• Find and Follow New Links
• Enable Crawl & Attack at the Same Time

Max Scan Duration

This indicates the maximum length of the scan. Drag the slider as required.

If the scan is not completed within this time, it is automatically terminated.

In the New Group Scan and Scheduling Group Scan windows, there are checks to:

• Customize Max Scan Duration – Enable this setting to configure the maximum scan duration in hours. If your scan isn't completed in this time, it will be automatically terminated.
• Customise Scan Time Windows – Enable this setting to configure the time periods during which scanning is allowed. Scanning is paused during disallowed hours.

Comments

This option allows users to add a comment to their scan during a launch. This comment is displayed on the scan report.

Field

Description

Entered Path and Below

This tab enables you to specify which parts of the target website should be crawled and scanned.

If, for example, you enter http://example.com/testarea/, the scanner will not scan the following URLs:

• http://example.com/email/
• http://example.com/email.asp

Only Entered URL

This tab enables you to scan only the supplied URL and the parameters on that page.

If, for example, you enter http://example.com/test.asp, the scanner will only scan URLs that start with http://example.com/test.asp, and will not scan the following:

• http://example.com/email/
• http://example.com/email.asp

Whole Domain

This tab enables you to scan the entire domain, even if you only entered the URL of a page or a directory. If, for example, you enter http://example.com/test.asp, the scanner will start from the test.asp page and scan everything on the http://example.com domain.

Exclude URLs with RegEx

In this section, list and configure the URLs you want included or excluded.

Include/Exclude

If you choose Include, Netsparker Enterprise will only test URLs that match any of the given regular expression. If you choose Exclude, Netsparker Enterprise will not visit and test URLs that match any of the given regular expressions.

New RegEx Pattern

This creates a new RegEx Pattern field.

Disallowed HTTP Methods

Select HTTP methods to disallow. Netsparker won’t make HTTP requests for the selected methods.

Field

Description

New

Click to add additional URLs. Two additional fields are displayed.

URL

This is the URL of the additional website.

Canonical

Enable to scan canonical URLs to prevent scanning duplicate pages.

Field

Description

Enter Links

Specify the pages that you want to scan.

Import Links

Select a file for importing links from the dropdown.

Field

Description

Root Path Max Dynamic Signatures

If a URL block in the root path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Sub Path Dynamic Signatures

If a URL block in the sub path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Block Separators

Enter separators to use to split the URL into blocks.

This field is displayed only in the Heuristic tab.

Analyzable Extensions

If the URL contains a file extension, it will be analyzed only if the respective extension is in this list.

This field is displayed only in the Heuristic tab.

Enable Heuristic URL Rewrite detection

Netsparker will try to automatically detect other URL rewrite rules if this option is set.

This field is displayed only in the Custom tab.

Placeholder Pattern

This contains the relative path with placeholders for URL rewrite parameters.

This field is displayed only in the Custom tab.

RegEx Pattern

This is a regular expression used for matching the URL rewrite parameters.

This field is displayed only in the Custom tab.

Field

Description

Enabled

Select to enable Pre-Request Script. Once enabled, the Presets dropdown is activated.

Presets

This allows you to select the HMAC option and view the relevant script.

Test Script

This allows you to test the new script.

Field

Description

Enable Scan Time Window

Select to enable the configuration of scan time settings.

Weekends

Click to enable configuration of the Scan Time Window. The default start and stop time is 00:00 to 23:59 on Saturday and Sunday. Drag the slider and click Scan/Do Not Scan to alter.

Business Hours

This tab enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00 from Monday to Friday. Drag the slider and click Scan/Do Not Scan to alter.

Non-business Hours

This tab enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00. Drag the slider and click Scan/Do Not Scan to alter.

Field

Description

Event

This is the Scan Event that triggers the Notification. The options are:

• New Scan
• Scan Cancelled
• Scan Failed
• Scan Completed
• Scheduled Scan Launch Failed

Group

Select to enable group notifications that occur within the specified period.

Scope

Notifications will be sent if the scan is related to the website or website group. The options are:

• Any Website
• Website Group
• Website

Email Recipients

This is a list of names and email addresses of the recipients that will receive an Email Notification.

SMS Recipients

This is a list of the names and phone numbers of the recipients that will receive an SMS Notification.

Excluded Recipients

This is a list of users who will no longer receive notifications.

Integration Endpoints

This is a list of configured integrations.

Field

Description

Form Authentication

Select to enable Form Authentication.

Login Form URL

Enter the absolute URL of the login form, including the protocol (http or https).

Override Target URL with authenticated page

Select to enable the system to use the last page from the authentication process as the start URL, instead of the Target URL.

Detect Bearer Authentication Token

If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.

Active

Select to enable the system to log in using the supplied credentials.

Username

Enter the username for the login form.

Password

Enter the password for the login form.

OTP

Enter the One-time Password for the login form.

Custom Scripts

If automatic authentication does not work for your website, you can click New Script and enter a JavaScript script that will be used to authenticate against the web application, completing the login form and clicking the Submit button.

You can add more than one script.

Field

Description

Basic, Digest, NTLM/Kerberos, Negotiate Authentication

Select to enable Basic, Digest, NTLM/Kerberos or Negotiate Authentication.

Type

Select the type of authentication.

The options are: Basic, NTLM, Kerberos, Digest, Negotiate

URL Prefix

Enter a prefix to specify the scope of the authentication method. For example: https://www.example.com/protected.

Username

Enter the username for the login popup.

Password

Enter the password for the login popup.

Domain

Enter the login form's URL.

This entry is optional, for when the domain is required in Windows environments only.

Do not expect challenge (Basic Authentication)

Select to enable authentication, even if the server does not send an authentication challenge.

Field

Description

Enabled

Select to enable Header Authentication. All listed HTTP headers will be added to all HTTP requests.

New Authentication Header

Click to add a new Authentication Header.

Name

Enter the name of the Header.

It must contain ASCII characters only.

Value

Enter the value of the header. 

Field

Description

Client Certificate

Select to enable a client certificate to be used to log in to the web application.

Browse

Click to browse and upload the certificate file.

Password

Enter the password for the certificate.

Field

Description

Enabled

Select to enable OAuth2 authentication. Once enabled, the Flow Type field is activated.

Flow Type

OAuth2 Flow type is defined in RFC-6749.

From this dropdown, select from:

• Authorization Code
• Client Credentials
• Implicit
• Resource Owner Password Credentials
• Custom

Once an option has been selected, the other fields are activated.

3-Legged

Select to enable 3-Legged OAuth authorization.

Authentication

Select the type of authentication required by the OAuth2 endpoints(s).

From this dropdown, select from:

• None
• Form Authentication
• Basic, Digest, NTLM/Kerberos Authentication

Access Token

In this tab, you can configure the parameters required to make a request to the Access Token endpoint to retrieve the OAuth2 access token.

Endpoint

Click to open OAuth2  Access Token Endpoint dialog and complete fields:

• URL
• Content Type

• application/x-www-form-urlencoded
• application/json

• Method – GET or POST

Name

Enter the name of the request parameter.

Value

Enter the value of the request parameter.

Authorization Code

In this tab, you can configure the parameters required to make a request to the Authorization Code endpoint to retrieve the Authorization Code.

This tab is visible only when the Flow Type selected is Authorization Code.

Response Fields

In this tab, you can set the following options:

• Access Token – The field name of the Access Token will be retrieved from the OAuth2 endpoint.
• Refresh Token – The field name of the Refresh Token will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
• Expire – The field name of the token expiration value will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
• Token Type – The field name of the token type value will be retrieved from the OAuth2 endpoint. The Access Token will be sent with this OAuth2 header. If no Token Type is provided, Netsparker will use the Bearer as the header.

• Fixed – Enable to override the default (Bearer) value, if the token response is missing in the Token Type field and the authorization header  type is different to the Bearer.

3-Legged Auth

Complete if the the 3-Legged checkbox above is enabled :

• Username
• Password
• Custom Scripts

Test OAuth2 Credentials

Click to test the configured settings.

Field

Description

Target Website or Web Service URL

This is the target URL of the website or web service.

Scan Profile

This is the Scan Profile.

For further information, see Configuring Scan Profiles.

Field

Description

Scan Policy

The Scan Policy defines the scan settings and which security tests will be performed. You can also define the Scan Policy so that a PCI Checks test is performed.

For further information, see Overview of Scan Policies, Scan Policy Editor and PCI Scanning in Netsparker.

Report Policy

The Report Policy defines how scan results will be reported.

For further information, see Custom Report Policies.

Custom Cookies

This contains any required cookies in the formatcookiename=value.

All configured cookies in Netsparker Standard are sent with every HTTP request and cannot be expired by server responses. To add a custom cookie, type in the cookie and its value in the Custom Cookie section of the Scan Policy in the General tab. The value must be URL encoded. Use semicolons (;) to separate multiple cookies. For example:

CookieName1=Value1; CookieName2=Value2; CookieName3=Value3

Crawling

This indicates how the scan should crawl the Target URL.

The options are:

• Find and Follow New Links
• Enable Crawl & Attack at the Same Time

Field

Description

Scope

The Scan Scope settings allow you to specify which parts of the target website should be crawled and scanned.

Exclude URLs with RegEx

Select Include or Exclude and enter the regular expressions.

Disallowed HTTP Methods

Select HTTP methods to disallow. Netsparker won’t make HTTP requests for the selected methods.

Field

Description

URL

Enter the additional URL.

Canonical

Select Canonical to scan canonical URLs, to prevent scanning duplicate pages.

Field

Description

Method

Enter the HTTP Method, like GET or POST.

URL

Enter the URL of the added or imported pages for scanning.

Add

Click to open the Add New Link dialog.

Edit

Click to edit added or imported URLs.

Delete

Click to delete added or imported URLs.

Clear

Click to remove all added or imported URLs.

Search

Click to search for an added or imported URL.

Import From File

Click to import URLs from a file.

Enter Links

Click to open the Enter Links/HTTP Requests dialog.

Field

Description

Use Heuristic URL Rewrite Support

Enable to automatically detect the URL Rewrites on the target website and create rules. All fields are configurable.                                                                

Root Path Max Dynamic Signatures

If a URL block in root path contains more items than this limit, it will be identified as URL rewrite parameter. Must be between 1 and 10,000.

This field is displayed for the Heuristic setting.

Sub Path Max Dynamic Signatures

If a URL block in sub path contains more items than this limit, it will be identified as URL rewrite parameter. Must be between 1 and 10,000.

This field is displayed for the Heuristic setting.

Block Separators

Contains separators that are used for splitting the URL into blocks.

This field is displayed for the Heuristic setting.

Analyzable Extensions

If the URL contains a file extension, it will be analyzed only if the respective extension is within this list.

This field is displayed for the Heuristic setting.

Use Custom URL Rewrite Rules

Enableto configure URL rulesfor a faster scan.

New

Click to add a new rule.

Delete

Click to delete a rule.

Up/Down

Click to move a rule up or down.

Test

Click to test the rule.

Enable Heuristic Rule Detection

Enable to allow Heuristic detection too.

No URL Rewrite Rules

Enable to select no rules.

Field

Description

Enabled

Select to enable Pre-Request Script. Once enabled, the Presets dropdown is activated.

Presets

This allows you to select the HMAC option and view the relevant script.

Test Script

This allows you to test the new script.

Field

Description

Enabled

Select to enable Form Authentication.

Login Form URL

Enter the absolute URL of the login form, including the protocol (http or https).

Custom Script

Once you complete the Login Form URL field, the Custom Script button is enabled.

Click Custom Script to open the dialog box. A browser window is displayed along with a script editor and Google Chrome browser developer tools.

Active

Select to make one of the Personas active (once you enter Username and Password credentials).

Username

Enter the username for the form.

Password

Enter the password for the form.

OTP

Click the ellipsis to open the OTP Settings dialog.

Interactive login (Check this for OTP, CAPTCHA etc.)

Select to enable interactive logins, such as OPT and CAPTCHA.

This displays the webpage during login to allow user input (for two-factor and other authentication mechanisms).

Override Target URL with authenticated page

Select to use the last page from the authentication process as the start URL. Netsparker will not make a request to the specified Target URL.

Detect Bearer Authorization Token

Select to automatically intercept and Bearer tokens during the scan, if there is an AJAX request after the login.

Verify Login & Logout

Click to verify all details, once Personas have been created.

Field

Description

Enabled

Select to enable Basic, Digest and NTLM/Kerberos Authentication.

Test Credentials

Click to test the configured settings.

Type

From the dropdown, select a type. The options are:

• Basic
• NTLM
• Kerberos
• Digest
• Negotiate

URL Prefix

Enter a prefix to specify the scope of the authentication type. For example: https://www.example.com/protected.

Username

This is the username for the form.

Password

This is the password for the form.

Domain

Enter the value of the domain name for Windows systems (not the host name of the site).

This is an optional field.

Delete row(s)

Right click any row and select to delete.

Do not expect challenge (Basic Authentication)

Select to enable authentication, even if the server does not send an authentication challenge.

Field

Description

Enabled

Click to enable Header Authentication. All listed headers are added to all HTTP requests.

Add Authorization Header

Click to display the Add Authorization HTTP Header dialog.

Delete

Select any header row, and click to delete.

Type

In the Add Authorization HTTP Header dialog, select an item from the Type dropdown.

The options are:

• Bearer (default)
• HOBA
• Mutual
• Negotiate
• OAuth
• SCRAM-SHA-1
• SCRAM-SHA-256

The selected option will be displayed in the Name column.

Credentials

Enter the relevant credentials.

Whatever you enter will be displayed in the Value column.

Name

This column displays the Type entered in the Add Authorization Header dialog.

Value

This column displayed the Credentials entered in the Add Authorization Header dialog.

Field

Description

Enabled

Select to enable Client Certificate Authentication. Once enabled, the Add New button is clickable.

Add New

Click to display the Certificate to Install dialog. Select the file, and click Open.

Field

Description

Enabled

Select to enable Smart Card Authentication. Once enabled, the Import Smart Card Certificate button is clickable.

(If Client Certificate Authentication is enabled, a Client Certificate Authentication Enabled dialog may be displayed, reminding you that if you proceed, it will be disabled. You can also manually disable it.)

Import Smart Card Certificate

Click to display the Import Smart Card Certificate dialog. Select a driver from the Smart Card Library list and click Import. The smart card containing the selected certificate should already be configured in your system.

Delete

Select any row, and click to delete.

Field

Description

Enabled

Select to enable OAuth2 authentication. Once enabled, the Flow Type field is activated.

Test Credentials

Click to test the configured settings.

Flow Type

OAuth2 Flow type is defined in RFC-6749.

From this dropdown, select from:

• Authorization Code
• Client Credentials
• Implicit
• Resource Owner Password Credentials
• Custom

Once an option has been selected, the other fields are activated.

Authentication

Select the type of authentication required by the OAuth2 endpoints(s).

From this dropdown, select from:

• None
• Form Authentication
• Basic, Digest, NTLM/Kerberos Authentication

Access Token

In this tab, you can configure the parameters required to make a request to the Access Token endpoint to retrieve the OAuth2 access token.

Endpoint

(Access Token & Authorization Code tabs)

From this dropdown, select an option:

• URL
• Content Type

• application/x-www-form-urlencoded
• application/json

• Method – GET or POST

Name

(Access Token & Authorization Code tabs)

Enter the name of the request parameter.

Value

(Access Token &  & Authorization Code tabs)

Enter the value of the request parameter.

Authorization Code

In this tab, you can configure the parameters required to make a request to the Authorization Code endpoint to retrieve the Authorization Code.

This tab is visible only when the Flow Type selected is Authorization Code.

Response Fields

In this tab, you can set the following options:

• Access Token – The field name of the Access Token will be retrieved from the OAuth2 endpoint.
• Refresh Token – The field name of the Refresh Token will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
• Expire – The field name of the token expiration value will be retrieved from the OAuth2 endpoint. If the response doesn’t contain this field, leave it blank.
• Token Type – The field name of the token type value will be retrieved from the OAuth2 endpoint. The Access Token will be sent with this OAuth2 header. If no Token Type is provided, Netsparker will use the Bearer as the header.

Field

Description

Enabled

Select to enable Manual Authentication. Once enabled, the Authentication Settings and Logout Detection fields are clickable.

Test Credentials

Click to test the configured settings.

Authentication Settings

This section contains the authentication settings options.

Add

Click to add a new link.

Edit

Click to edit a selected link.

Delete

Click to delete a selected link.

Clear

Click to clear imported links.

Search

Click to toggle the find panel.

Import From File

Click to select file type from dropdown list.

Enter Links

Click to enter links manually.

Method

This is the method of authentication.

URL

This is the website address.

Logout Detection

This section contains the logout detection options.

None

This option is if you want no logout detection.

Redirect Based

This enables redirect based detection by entering a Redirect URL.

Keyword Based

This enables keyword based detection by entering a Keyword Pattern and checking Is Regex.