Custom Reports

Netsparker Standard allows you to create and define your own web security scan report templates. They can be used to generate custom reports that suit your business needs, and for integration with other software applications.

The custom reporting tool employs the Razor templating engine that runs C# code to generate reports.

How to Create a Custom Web Security Scan Report

  1. Create a copy of an existing template.
  2. Make the necessary changes to the template.
  3. Move the template to Documents/Netsparker/Resources/Report Templates.
  4. Once Netsparker lists the template on the Reporting tab, reports can be exported with it.

Netsparker’s scripting language is C#. Below is sample code for a web security report that generates an XML file containing the following:

  • A list of all the vulnerabilities detected during the scan,
  • The vulnerable parameter and request method (GET/POST),
  • Vulnerability details,
  • Confirmation status,
  • Extra exploitation data,
  • Web security scan time,
  • Vulnerability severity.

You can add more details into the reports, customize them, or filter your reports with custom criteria.

Code Example for Custom Netsparker Standard Report

This is a sample of the code that could be used to create a custom Netsparker Standard report.

@using System
@using System.IO
@using System.Linq
@using MSL.Common.Text
@using MSL.Core.Configuration
@using MSL.Core.Data.Resources
@using MSL.Core.Entities.Vulnerability
@using MSL.Core.Process.Exploitation
@using MSL.Core.Process.Reporting
@inherits HelperBaseTemplate<ReportTemplateData>
<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>
<netsparker generated="@DateTime.Now.ToString()">
    <target>
        <url>@ReportingUtility.XmlShortEscape(Model.ScanProfile.Uri.AbsoluteUri)</url>
        <scantime>@Convert.ToInt32(ScanSettings.Instance.ElapsedTime.TotalSeconds)</scantime>
    </target>
    @{
        // Copy the XSL stylesheet next to the generated report so a browser can render it.
        // The stylesheet is optional: a missing file or an unwritable destination must not
        // abort report generation, so the copy failure is deliberately ignored.
        var reportOutput = new FileInfo(Model.ReportFilePath);
        try
        {
            File.Copy(string.Format(@"{0}/vulnerabilities-list.xsl", ResourceCategories.ReportTemplate.ResolveCustomDirectoryPath()), string.Format(@"{0}/vulnerabilities-list.xsl", reportOutput.Directory.FullName), true);
        }
        catch (Exception)
        {
        }

        // Drop hidden and ignored findings first, then sort by severity, type,
        // confirmation status and certainty.
        var sortedVulns = from IVulnerabilityView v in Model.Vulnerabilities
                          where v.Visibility != VulnerabilityVisibility.Hidden && !v.IsIgnored
                          orderby v.Severity descending, v.Order ascending, v.Type ascending, v.IsConfirmed descending, v.Certainty descending, v.AbsolutePath
                          select v;

        foreach (var vuln in sortedVulns)
        {
            // Every value that originates from the scanned application (URLs, parameter
            // names and values, raw traffic, custom fields, version-vulnerability text)
            // is escaped; otherwise a crafted response could inject markup into the report.
            <vulnerability confirmed="@vuln.IsConfirmed.ToString()">
                <url>@ReportingUtility.XmlShortEscape(vuln.AbsoluteUri)</url>
                <type>@vuln.Type</type>
                <severity>@vuln.Severity.ToString()</severity>
                <certainty>@vuln.Certainty</certainty>
                @if (!string.IsNullOrEmpty(vuln.AttackParameterName))
                {
                    <vulnerableparametertype>@ReportingUtility.XmlShortEscape(vuln.AttackParameterTypeName)</vulnerableparametertype>
                    <vulnerableparameter>@ReportingUtility.XmlShortEscape(vuln.AttackParameterName)</vulnerableparameter>
                    <vulnerableparametervalue>@ReportingUtility.XmlShortEscape(vuln.AttackParameterValue)</vulnerableparametervalue>
                }
                <rawrequest>@ReportingUtility.XmlEscapeCharacterData(vuln.GetRawRequest())</rawrequest>
                <rawresponse>@ReportingUtility.XmlEscapeCharacterData(vuln.GetFullResponse())</rawresponse>
                <extrainformation>
                    @foreach (var field in vuln.CustomFields)
                    {
                        <info name="@ReportingUtility.XmlShortEscape(field.Key)">@ReportingUtility.XmlEscapeCharacterData(field.Value.HasMultipleValues ? string.Join(", ", field.Value.Values) : field.Value.Value)</info>
                    }
                </extrainformation>
                @{
                    var renderer = new ProofXmlDataRenderer();
                    <proofs>@renderer.Render(vuln)</proofs>
                }
                @if (vuln.Classification != null)
                {
                    <classification>
                        <OWASP2013>@vuln.Classification.Owasp2013</OWASP2013>
                        <WASC>@vuln.Classification.Wasc</WASC>
                        <CWE>@vuln.Classification.Cwe</CWE>
                        <CAPEC>@vuln.Classification.Capec</CAPEC>
                        <PCI31>@vuln.Classification.Pci31</PCI31>
                        <PCI32>@vuln.Classification.Pci32</PCI32>
                        <HIPAA>@vuln.Classification.Hipaa</HIPAA>
                    </classification>
                }
                @if (vuln.VersionVulnerabilities.Any())
                {
                    <knownvulnerabilities>
                        @foreach (var implied in vuln.VersionVulnerabilities)
                        {
                            <knownvulnerability>
                                <title>@ReportingUtility.XmlShortEscape(implied.Title)</title>
                                <severity>@implied.Severity</severity>
                                <references>@ReportingUtility.XmlShortEscape(implied.References == null ? string.Empty : implied.References.Trim())</references>
                                <affectedversions>@implied.AffectedVersions</affectedversions>
                            </knownvulnerability>
                        }
                    </knownvulnerabilities>
                }
            </vulnerability>
        }
    }
</netsparker>
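The XML written by the template above is meant to be read by other software. The following consumer is an added example, not code from the Netsparker documentation or product: it parses a report in exactly the shape the sample template emits, applies custom criteria (severity floor, confirmation status, certainty floor) and produces per-severity counts. The severity labels in SEVERITY_RANK and the embedded sample report are constructed assumptions; substitute the values your own templates produce.

```python
"""Consumer for the XML emitted by the 'Vulnerabilities List (XML)' template.

Added example; not part of the Netsparker documentation or product. It relies
only on the element names the sample template on this page writes. The
severity names and the sample report are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Severity labels as emitted by vuln.Severity.ToString(), highest first.
# Assumed names: adjust them to whatever your templates actually produce.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2,
                 "Information": 1, "BestPractice": 0}

# Constructed sample output in the shape the template above generates. The
# XSS payload is stored escaped, exactly as XmlShortEscape would write it.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8" ?>
<netsparker generated="01/15/2020 10:30:00">
  <target><url>http://example.test/</url><scantime>812</scantime></target>
  <vulnerability confirmed="True">
    <url>http://example.test/search?q=x</url>
    <type>Xss</type><severity>High</severity><certainty>100</certainty>
    <vulnerableparametertype>GET</vulnerableparametertype>
    <vulnerableparameter>q</vulnerableparameter>
    <vulnerableparametervalue>&lt;script&gt;alert(1)&lt;/script&gt;</vulnerableparametervalue>
    <extrainformation><info name="Injection Point">q (GET)</info></extrainformation>
    <classification><OWASP2013>A3</OWASP2013><CWE>79</CWE></classification>
  </vulnerability>
  <vulnerability confirmed="False">
    <url>http://example.test/login</url>
    <type>PossibleSqlInjection</type><severity>Critical</severity><certainty>50</certainty>
    <vulnerableparametertype>POST</vulnerableparametertype>
    <vulnerableparameter>user</vulnerableparameter>
    <vulnerableparametervalue>' OR 1=1--</vulnerableparametervalue>
    <extrainformation/>
  </vulnerability>
  <vulnerability confirmed="True">
    <url>http://example.test/</url>
    <type>MissingXFrameOptions</type><severity>Low</severity><certainty>90</certainty>
    <extrainformation/>
  </vulnerability>
</netsparker>
"""


def _text(elem, tag, default=""):
    """Text of a direct child element, or default when the child is absent/empty."""
    child = elem.find(tag) if elem is not None else None
    return child.text if child is not None and child.text else default


def parse_report(xml_text):
    """Turn a report into {'target': {...}, 'findings': [...]} of plain values."""
    root = ET.fromstring(xml_text)
    if root.tag != "netsparker":
        raise ValueError("unexpected root element %r" % root.tag)
    findings = []
    for v in root.findall("vulnerability"):
        findings.append({
            # C#'s bool.ToString() yields "True"/"False", so compare the literal.
            "confirmed": v.get("confirmed") == "True",
            "url": _text(v, "url"),
            "type": _text(v, "type"),
            "severity": _text(v, "severity"),
            "certainty": int(_text(v, "certainty", "0")),
            # Parameter elements are only written when a parameter was attacked.
            "method": _text(v, "vulnerableparametertype") or None,
            "parameter": _text(v, "vulnerableparameter") or None,
            "value": _text(v, "vulnerableparametervalue") or None,
            "cwe": _text(v.find("classification"), "CWE"),
            "extra": {i.get("name", ""): i.text or ""
                      for i in v.findall("extrainformation/info")},
        })
    target = root.find("target")
    return {"target": {"url": _text(target, "url"),
                       "scantime_seconds": int(_text(target, "scantime", "0"))},
            "findings": findings}


def select_findings(report, min_severity="High", confirmed_only=True, min_certainty=0):
    """Apply custom criteria: severity floor, confirmation status, certainty floor."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in report["findings"]
            if SEVERITY_RANK.get(f["severity"], -1) >= floor
            and (f["confirmed"] or not confirmed_only)
            and f["certainty"] >= min_certainty]


def severity_counts(report):
    """Number of findings per severity label, for a dashboard or a release gate."""
    counts = {}
    for f in report["findings"]:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("scan of %s took %ds" % (rep["target"]["url"], rep["target"]["scantime_seconds"]))
    for f in select_findings(rep, "High", confirmed_only=True):
        print("%s %s %s param=%s (%s)" % (f["severity"], f["type"], f["url"], f["parameter"], f["method"]))
```

Run it directly to list the confirmed High-or-worse findings from the embedded sample, or call parse_report on the file the template wrote. The parser recovers the original payload (`<script>alert(1)</script>`) only because the template escaped it; a template that writes scanned-application data unescaped produces a report that either fails to parse or parses into the wrong elements. The stdlib ElementTree parser is used here because the report is generated locally; if you ever ingest XML reports from sources you do not control, parse them with defusedxml instead.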

Saving the Custom Report Template

Every time you create a new custom report template, save it into the default directory. This directory is in the Resources sub-directory of the Netsparker data directory. The default location is the current Windows user’s Documents/My Documents directory. The full path of that directory would be Documents/Netsparker/Resources/Report Templates.

During startup, the Netsparker Standard scanner scans the Report Templates directory for C# template files (*.cshtml). If the scanner detects a new file in this folder, it will be displayed on the Reporting tab as a custom report.

Defining the File Type (Extension) of the Custom Web Security Report

The name of the C# code file will be visible under the Reporting menu. When selected, the generated report will use the extension from the custom report file name. The file extension should be chosen based on the content type of the report. For the sample report above, it should be xml.

For example:

  • "Vulnerabilities List (XML).xml.cshtml" - File extension will be "xml"
  • "Vulnerabilities List as Web Page.html.cshtml" - File extension will be "html"

Testing the Custom Reports

You do not need to restart Netsparker Standard every time you change the source code of an existing custom report: once Netsparker has added the template to the Reporting tab, it is recompiled each time you run it, and if it fails to compile an error message is displayed. Because the Report Templates directory is only scanned at startup, a template file added while Netsparker is open does require a restart before it appears on the Reporting tab.

Security of Custom Reports

The reporting engine runs templates with the current user's privileges. A template is arbitrary C# executed inside the Netsparker process, so a malicious template can do anything that user can do, including reading local files and sending scan data elsewhere. Treat a template as you would any other executable and do not run a report unless you trust its author. The data a template writes out originates from the scanned application, so escape it (as the sample does with XmlShortEscape and XmlEscapeCharacterData) before it reaches a report that other software will parse.

Comprehensive API Documentation

For further information on the Reporting API, click Reporting API on the Help menu in Netsparker Standard to open the MSDN-style API documentation, which is updated with each relevant code change.
