You can conduct your own attacks in Netsparker and raise vulnerabilities during scans.
This topic explains how Netsparker Standard helps you to add custom vulnerability detections to your scans.
For further information on security check types and how to write custom code for those, see Custom Security Checks via Scripting.
Deciding Which Vulnerability Type Will be Detected
Netsparker's Default Report Policy includes many vulnerabilities. These are the built-in vulnerabilities that Netsparker can find out of the box, such as SqlInjection, XSS and LFI.
In addition, you can define custom vulnerability types by creating a new Report Policy. These new vulnerability types will be available to all the scans that use the report policy.
When writing script code, you should refer to built-in vulnerability types by their names, but to custom vulnerability types by the generated GUIDs.
Before writing a custom security check script, you should decide what type of vulnerability the script will raise. If it does not already exist in the Default Report Policy, you should create a custom one in the Report Policy Editor (see Custom Report Policies). You can specify the name of the vulnerability, its severity and the text shown for it in the UI and in reports.
Identifying a Sample Vulnerable Web Page
For Netsparker to be able to find a vulnerability, it first needs to discover that page during the crawling stage of the scan. That is also the case for custom vulnerabilities. Go ahead and perform a Crawl Only scan for the target website and make sure the vulnerable page is listed in the Sitemap tree. Do not forget to select the custom report policy if you are going to write a script for a custom vulnerability you have created.
How to Write a Custom Script for a Security Check
- Right click the target page in the Sitemap, and click Custom Scripts.
- The Custom Scripts panel is displayed and docked to the right of the Netsparker window.
- In the Custom Scripts panel, click the New Script dropdown, and select the security check type for which you want to write a script (see Custom Security Checks via Scripting for more information on the custom security check types for which scripts can be written).
- The file will already be populated with some template custom script code. Make any necessary changes to the code, and save it.
- Switch back to the Netsparker window. First, make sure the target vulnerable page is still selected in the Sitemap tree, because the code you have written will be executed against whatever is selected. Then, from the Custom Scripts panel toolbar, click Execute.
- When Netsparker has finished executing the custom security check script, a message is displayed, informing you whether a vulnerability was found during execution:
  - If a vulnerability is found (hopefully the one you raised in your custom script code), it is displayed in the Sitemap tree under the selected vulnerable page's node.
  - If no vulnerabilities have been found, check the script code you have written. You should also check the Logs panel for error logs. If your custom security check performs HTTP requests, you can use a tool like Fiddler to diagnose whether the correct request parameters were sent and whether the expected response was returned from the server. Execute the script code as many times as you need until you see the vulnerability reported in the Sitemap tree.
Also, make sure you have created a new Scan Policy in the Scan Policy Editor and that you have selected the custom security check you have just created in it.
- If things are working as expected, your activity will be listed in the Activity panel during the scan. This confirms that the script code you have written is executing for all the discovered links and parameters.
The scan will also find the vulnerability on the vulnerable page.
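The page describes what a custom check does (send a request to the selected page, inspect the response, raise a vulnerability referenced by built-in name or by custom GUID) without showing code. The stand-alone JavaScript below is an added illustration of that flow and is not Netsparker's scripting API or any code from the product's documentation: the functions `resolveVulnerabilityType`, `raiseVulnerability`, `runCheck` and `sampleServer`, the probe marker and the GUID in the test are all invented for this example. The only values taken from the page are the built-in type names SqlInjection, XSS and LFI. The constructed `sampleServer` stands in for the vulnerable page found during the Crawl Only scan; it echoes a query parameter back unescaped, which the check reports as a reflection.

```javascript
// Added illustration, NOT Netsparker's scripting API. Models the shape of a custom
// security check: probe the selected page, inspect the response, raise a typed finding.

// Built-in vulnerability types are referenced by name (names taken from the page).
const BUILT_IN_TYPES = new Set(["SqlInjection", "XSS", "LFI"]);
// Custom types created in the Report Policy Editor are referenced by their generated GUID.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accept either a built-in name or a GUID; anything else is a scripting mistake, so fail
// loudly instead of silently raising nothing (the "no vulnerability found" symptom above).
function resolveVulnerabilityType(ref) {
  if (BUILT_IN_TYPES.has(ref)) return { kind: "builtin", id: ref };
  if (GUID_RE.test(ref)) return { kind: "custom", id: ref.toLowerCase() };
  throw new Error(`unknown vulnerability type reference: ${ref}`);
}

// A finding as a plain object. A real engine would attach it to the selected Sitemap node.
function raiseVulnerability(typeRef, url, evidence) {
  return { type: resolveVulnerabilityType(typeRef), url, evidence };
}

// Constructed sample "server" (hypothetical): echoes the q parameter into HTML unescaped.
function sampleServer(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return { status: 200, body: `<html><body><p>Results for: ${q}</p></body></html>` };
}

// The check itself: send one harmless, unique marker and report when it is reflected
// verbatim. sendRequest is injected so the check can be run offline against sampleServer.
function runCheck(url, sendRequest, typeRef) {
  const marker = "nsprobe7f3c1"; // constructed marker; unlikely to occur in a normal page
  const probe = new URL(url);
  probe.searchParams.set("q", marker);
  const response = sendRequest(probe.toString());
  if (response.status === 200 && response.body.includes(marker)) {
    return raiseVulnerability(typeRef, url, { parameter: "q", marker, probe: probe.toString() });
  }
  return null; // nothing raised: the tool would report no vulnerability for this page
}

module.exports = { resolveVulnerabilityType, raiseVulnerability, runCheck, sampleServer };
```

Running `runCheck("http://example.test/search", sampleServer, "XSS")` returns a finding whose `type.kind` is `builtin`; passing a GUID instead yields `custom`, and passing a page that does not echo the parameter returns `null`. Keeping the type lookup strict is what makes the "no vulnerabilities found" troubleshooting step short: a mistyped type name fails at once in the Logs panel rather than producing a silent miss.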