SUPPORT

Contact Support

OPEN A TICKET

Deploying Netsparker Shark (IAST)

You can run interactive security testing (IAST) with Netsparker Shark in your web application in order to confirm more vulnerabilities and further minimize false positives. 

Netsparker provides industry-leading dynamic application security testing (DAST) capabilities to help find vulnerabilities in the target web application. Using Shark enables Netsparker to provide additional information from the back-end while scanning your web application.

By adding IAST capabilities with the Shark, Netsparker provides the following benefits:

  • Showing the exact location of the issue and reporting debug information
  • Providing additional details to help security teams uncover more vulnerabilities
  • Complementing existing Proof-based Scanning™ functionality to automatically prove even more vulnerabilities and simplify remediation efforts
  • Ensuring that the entire web application is scanned, including any hidden and unlinked locations that may be inaccessible to the crawler

For Netsparker Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

Deploying the Shark Agent is optional. Netsparker is still best in class as a black-box scanner, and the Shark Agent improves accuracy and vulnerability results when scanning .NET, Java, Node.js, and PHP web applications.
Shark has only a very minimal impact on resources on the target machine — less than 1% in lab test results.

Recommendation for Netsparker Shark

Netsparker Shark works best in specific environments. To get the best out of Netsparker Shark, you need to use it in the right environment. The following points provide the best practice in using the Shark:

  • You need to install Netsparker Shark on your staging servers. This is the best place to perform IAST analysis.
  • You may install Netsparker Shark on virtual machines to perform IAST analysis as part of CI/CD pipelines. In this case, the Shark installation would need to be done as part of the CI/CD pipeline.
  • We do not recommend installing Netsparker Shark on production servers. Your production environment may run slower although Netsparker Shark consumes limited resources.

For further information, see Changing the DAST Game with Netsparker IAST.

Netsparker Shark fields

This table lists and explains the fields on the Shark (IAST) page.

Button/Section/Field

Description

Installation Files

This is the section that lets you download the required file to use on your server.

Server Platform

This lets you select the server to download the required files for your server, such as PHP, Java.

Advanced Settings

This lets you override settings for the default Shark Token and Bridge URL/Port.

  • If you want to override the default token and bridge settings, make sure to change them before downloading any files for your server.

Shark Token

  • This token secures communication between the Netsparker scanner and the IAST Shark agent. A unique token is automatically generated for each website's installation of the Shark agent.
  • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
  • This field is mandatory.

Bridge URL and Port

  • This is the URL and port number of the IAST bridge. The bridge is used to relay information from the Shark agent to the Netsparker Scanning Engine.
  • You can set the default bridge URL and port on the General Settings page. This setting on the Shark configuration page lets you override the default bridge URL for each website.
  • Make sure that the Shark can connect to the address/port specified.
  • This field is only mandatory for Java and Node.js.

Validate Shark Settings

This lets you validate that the request is forwarded to the bridge and the sensor sends the request to the bridge.

This is only available in Netsparker Standard.

Downloading Shark Sensors in Netsparker Enterprise

Ready to use Netsparker Shark? Contact us. 

To do this, follow these steps: From the main menu, go to Scans > New Scan > Shark, then select I'm Interested in Adding Shark.

Once approved, you are ready to download.
How to download Shark sensors in Netsparker Enterprise
  1. Log in to Netsparker Enterprise
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings, select Shark (IAST).

  1. From the Shark Settings section, select Enable Shark.
  2. From the Installation Files section, select a platform from the Server Platform drop-down, then click Save As. The download starts immediately.
If you change any of the following settings after the download, please re-download your files.

If you change your token or Bridge URL after installing the Netsparker Shark sensor, you must have a clean installation so that the changes take effect.
  1. From the Advanced Settings, if required, you can do the following:
  • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
  • Enter your Bridge URL and Port only if you want to override the default bridge URL and Port.

Downloading Shark sensors in Netsparker Standard

Netsparker Standard has Shark (IAST) capability. However, this capability can only be enabled in Netsparker Standard only if you have a proper Plan. To use the Shark in Netsparker Standard, contact us.

How to download Shark sensors in Netsparker Standard
  1. Open Netsparker Standard
  2. In the Home tab, select New.
  3. From the Scan Settings, select Shark.
  4. From the Shark Settings section, select Enable Shark.
  5. From the Installation Files section, select a platform from the Server Platform drop-down, then select Save As.
  6. Select a save location and select Save.
  7. From the Shark Settings section, if required, you can do the following:
    • Change Bridge URL, if necessary.
    • Keep the auto-generated Shark Token as it is or enter your token if you have already.
If you change your token or Bridge URL after installing the Netsparker Shark sensor, you must have a clean installation so that the changes take effect.
    • Select Validate Shark Settings to verify that the request is forwarded to the bridge and the sensor sends the request to the bridge.

Deploying Netsparker Shark in your server is explained in related topics:

Netsparker

Highly accurate, fast & easy-to-use Web Application Security Scanner

Get a demo