Using outdated technologies introduces serious risk: known vulnerabilities in those components give attackers a ready path to harm your system.
For many years, attackers targeted flaws in an application's own source code. That has become harder in recent years as secure coding practices have matured, so attackers have shifted their focus to flaws in third-party application code and open-source integrations.
That means that even if your own code has no vulnerabilities, the application is not secure if it uses even a single vulnerable external library. After all, a chain is only as strong as its weakest link.
- These issues can be out-of-date technologies or vulnerabilities.
- Netsparker can identify these problems thanks to its vulnerability database package.
This topic explains the vulnerability database in general and how Netsparker identifies out-of-date components in your application.
Netsparker is an advanced heuristic web application security scanner that also checks for known web application vulnerabilities.
To report known vulnerabilities, the scanner relies on its vulnerability database (VDB). This database is the integration point for the Netsparker security checks and serves as a data store of known technologies, their versions, and their vulnerabilities.
Netsparker updates this database weekly. Netsparker Enterprise automatically updates its vulnerability database and adds the new vulnerabilities to your scan policy, so there is no need to update it manually.
For Netsparker Standard, whenever you open the program, it checks whether a database update is available. You can also check manually from the Help tab in Netsparker Standard by clicking Check for VDB Update.
How Netsparker Identifies Out-of-date Versions
There are three stages in detecting out-of-date versions:
- First, the scanner identifies the web applications (technologies) used by your application.
- Then, the scanner tries to identify the version of these applications. If successful, it reports this as a version disclosure issue.
- Following the version disclosure, Netsparker queries its vulnerability database to see whether a newer version exists. If so, it also reports the finding as an out-of-date version and, in addition, reports any CVEs linked to the outdated application.
Netsparker also has several security checks that are integrated with, or work directly against, the vulnerability database to identify out-of-date issues. The security checks integrated with the vulnerability database are:
Web App Fingerprint Check
Netsparker first identifies web applications, then their versions. It then reports vulnerabilities in the identified web application(s). If Netsparker matches the web application with more than one version, it reports all of them, merges them into a list, and adjusts the report's confidence score according to the number of matched versions.
The severity of the out-of-date vulnerabilities will be elevated to match the most severe CVE (Common Vulnerabilities and Exposures) reported for the identified version(s).
Netsparker runs a set of predetermined signatures against the responses it received during the crawling stage. If a signature's regular expression matches and Netsparker identifies a version, this security check queries the vulnerability database to report any known vulnerabilities.
If the Netsparker vulnerability database contains a newer version, it also reports an out-of-date issue. This security check mostly reports application servers, programming languages, frameworks, and similar components.
In addition to the earlier security checks, proof-generating security checks also interact with the vulnerability database. For example, when the SQL Injection check extracts a proof containing a technology and its version, it also queries the vulnerability database to report any known issues related to the extracted technology.
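As an added illustration (not Netsparker's code) of the three detection stages and of the fingerprint and signature checks described above, the following Python model matches constructed signatures against constructed HTTP responses, looks the disclosed versions up in a constructed vulnerability database, lowers confidence when several versions match, and elevates severity to the most severe linked CVE. The technology name, regex, CVE ids and the confidence formula are all assumptions, not Netsparker's real data or logic.

```python
import re
from dataclasses import dataclass, field

# Constructed vulnerability database (not Netsparker's): per technology, the newest
# known version and, per version, placeholder CVE ids with a severity label.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
VDB = {"ExampleServer": {"latest": "2.4.0", "cves": {
    "1.9.0": [("CVE-0000-00001", "Medium"), ("CVE-0000-00002", "Critical")],
    "2.3.0": [("CVE-0000-00003", "High")]}}}
# Stage 1: constructed fingerprint signature; group 1 captures the disclosed version.
SIGNATURES = {"ExampleServer": re.compile(r"Server:\s*ExampleServer/(\d+\.\d+\.\d+)")}

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

@dataclass
class Finding:
    technology: str
    versions: list          # every distinct version disclosed in the responses
    confidence: int         # assumed model: 100 shared across matched versions
    out_of_date: bool
    cves: list = field(default_factory=list)
    severity: str = "Low"   # elevated to the most severe linked CVE

def scan_responses(responses, vdb=VDB):
    findings = []
    for tech, sig in SIGNATURES.items():
        # Stages 1 and 2: fingerprint the technology and collect disclosed versions.
        hits = [sig.search(r) for r in responses]
        versions = sorted({m.group(1) for m in hits if m}, key=version_tuple)
        if not versions:
            continue  # technology not present: nothing to report
        entry = vdb[tech]
        # Stage 3: compare with the newest known version and link CVEs per version.
        latest = version_tuple(entry["latest"])
        out_of_date = any(version_tuple(v) < latest for v in versions)
        cves = [c for v in versions for c in entry["cves"].get(v, [])]
        severity = max((s for _, s in cves), key=SEVERITY_RANK.get, default="Low")
        confidence = 100 // len(versions)  # more candidate versions, lower confidence
        findings.append(Finding(tech, versions, confidence, out_of_date, cves, severity))
    return findings

# Constructed HTTP responses standing in for what the crawler received.
RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: ExampleServer/1.9.0\r\n\r\n<html></html>",
    "HTTP/1.1 200 OK\r\nServer: ExampleServer/2.3.0\r\n\r\n<html></html>",
    "HTTP/1.1 200 OK\r\nServer: OtherServer\r\n\r\n",
]
```

Running `scan_responses(RESPONSES)` yields one finding for ExampleServer with two candidate versions, confidence 50, an out-of-date flag, three linked CVEs and severity Critical.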
SQL Injection Check
As a web application security scanning tool, Netsparker has no direct security check to identify database servers in your system.
Still, it reports these vulnerabilities in the following way:
- The SQL Injection security check identifies a vulnerability in your system.
- Netsparker's Proof Based Scanning™ technology exploits this vulnerability in a read-only and safe manner.
- Netsparker extracts version information of the underlying database management system.
- Netsparker reports this information as confirmed.
- Then, Netsparker queries the Vulnerability Database to determine other vulnerabilities related to this version.
- Netsparker also reports these related vulnerabilities, if any.
If you installed Netsparker Standard on your computer, you can find the vulnerability database package under C:\Users\[USER]\Documents\Netsparker\Version Tables.