What is Netsparker?

Netsparker is an automated, yet fully configurable, online web application security scanner that enables you to scan websites, web applications and web services, and identify security flaws. Netsparker can scan all types of web applications, regardless of the platform or the language with which they are built.

Netsparker is the only online web application security scanner that automatically exploits identified vulnerabilities in a read-only and safe way, in order to confirm identified issues. It also presents proof of the vulnerability so you do not need to waste time manually verifying it. For example, in the case of a detected SQL injection vulnerability, it will show the database name as a proof of the vulnerability.

Our scanning technology is designed to help you secure web applications easily without any fuss, so you can focus on fixing the reported vulnerabilities. If Netsparker cannot automatically confirm a vulnerability it will inform you about it by prefixing it with '[Possible]', and assigning an accuracy rating so you know what should be fixed immediately.

Key Concepts

This is a list of key concepts in Netsparker, each followed by its description.

Dead accurate

Netsparker produces dead accurate web application security scans, whose vulnerabilities are verified, proving that they are not false positives.

Proof-Based Scanning™

Our Proof-Based Scanning technology actively and automatically verifies detected vulnerabilities, confirming that they are real and not false positives, by exploiting them in a read-only and safe manner. Depending on the type of vulnerability, Netsparker will generate proof. Some vulnerabilities also allow you to exploit them manually or generate a Proof of Concept.

It's completely safe. For example, when exploiting a SQL injection vulnerability and generating a proof of exploit for it, the scanners will only try to read data from the database, not write or delete data from the database.

Proof of Concept

Netsparker identifies vulnerabilities, then safely exploits them during the web vulnerability scan. This Proof of Concept is the actual exploit that proves the vulnerability exists. This saves you the time it would take to verify the finding manually, and it is useful if you need to demonstrate the vulnerability to a developer.

This is what an XSS vulnerability report looks like, where the Proof URL is what Netsparker uses to exploit the vulnerability.

Proof of Exploit

A proof of exploit is used to report the data that can be extracted from the vulnerable target once the vulnerability is exploited, demonstrating the impact an exploited vulnerability can have and proving that it is not a false positive. This is what it looks like in the case of an SQL Injection vulnerability.

Netsparker scanners can generate a proof when they identify the following vulnerability types:

  • SQL Injection
  • Boolean SQL Injection
  • Blind SQL Injection
  • Command Injection
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Evaluation
  • Remote Code Execution via Local File Inclusion

If Netsparker is unable to automatically prove the vulnerability exists, you will be advised so that you can double-check its findings.

Vulnerabilities

A vulnerability is a security weakness in your website or web application that gives a malicious attacker an opening to gain access to the system or its data, or to exploit it for illegitimate or illegal purposes.

Issues

An Issue is the record of a detected vulnerability: its name, type, date and other details.

Severities

Each vulnerability is assigned a different severity or threat level according to the damage it could do and the urgency with which it requires fixing.

Scan Policies

Netsparker allows you to use Scan Policies in order to determine and specify the type, range, and targets of your scan according to your needs.

Scheduled Scans

Scans can be launched immediately or they can be scheduled for times when it best suits you, including at regular intervals.

Integrations

Netsparker can work with and import or export information in conjunction with other security scanning tools.

Benefits of Proof-Based Scanning™ Technology

These are some of the key benefits of automating the post-scan process:

  • You do not have to manually verify the vulnerabilities the scanners found, saving time that you can use to fix them.
  • You do not have to be a seasoned security professional to use the Netsparker security scanners, since results are automatically confirmed for you (and there is no need to know how to reproduce the findings).
  • The process of finding vulnerabilities in web applications will cost you less, since you can assign it to less technical people.
  • If you work in QA, you won't be sent back by the developers to prove that there is a vulnerability in their code.
  • As a developer or service provider, you do not need to convince your superior or customer to fix their issues; simply show them the proof.

What is the Difference Between Netsparker Enterprise and Netsparker Standard?

Netsparker Enterprise is a scalable, multi-user web application security solution, and Netsparker Standard is an on-premises desktop web vulnerability scanner.

For further information, see Netsparker Standard and Netsparker Enterprise Comparison.

Netsparker Crawling and Scanning Technology

Netsparker has industry-leading scanning technology. Both editions are built around the same crawling and Proof-Based Scanning technology. Therefore, in terms of web application coverage and detection of vulnerabilities and security flaws, you get the same results.

Overview of Both Netsparker Web Application Security Scanners

The Standard edition of Netsparker was built for those who conduct penetration tests and typically scan fewer than fifty websites.

Netsparker Enterprise is a multi-user platform that is designed to help enterprises manage the long-term security of thousands of websites. Its built-in tools also help automate most of the post-scan tasks, such as issue management, which allows teams to collaborate with efficiency and precision.

Scalability of Service

Scalability is the major difference between the editions. The resources of Netsparker Standard are limited to the specifications of the hardware on which it runs. It was designed to scan one or several applications at a time. If you need to scan multiple websites at the same time, you can manually launch multiple instances of the Standard scanner. The advantage of Netsparker Enterprise is that, since it is a hosted web vulnerability scanner, its resources are virtually unlimited, thanks to Amazon's Cloud (AWS) infrastructure.

Feature Highlight: Website Groups

Netsparker Enterprise enables you to group websites, configure generic scan settings and launch or schedule a web security scan with a single click.

Keeping Up with the Latest Web Security Threats

Follow our web application security blog and you will notice that we frequently release software updates. In fact, our list of vulnerability checks grows daily. Releasing frequent updates ensures that you can scan your web applications against the latest security threats and vulnerabilities. The response time for releasing new security checks is also critical, especially when a vulnerability such as Shellshock is discovered and being exploited in the wild.

  • Netsparker Standard checks for updates every time it is launched. You can apply updates in minutes.
  • Netsparker Enterprise is maintenance-free. We update the service and updates are automatically available.

Web Security Scanner Adaptability

Typically, desktop software is more configurable than an online service. This is because an online service is built around an engine that is designed to cater for a wider variety of customers. Therefore, it has fewer configurable parameters, resulting in a number of limitations.

This is not the case with Netsparker. Anything that can be configured in Netsparker Standard can also be configured in Netsparker Enterprise, such as URL rewrite rules and other crawling options, HTTP connection properties and other scan policy settings.

Team Collaboration

  • Netsparker Standard is a desktop application that is designed for a single user who has access to the computer on which it is installed.
  • Netsparker Enterprise is a multi-user environment. Every team member has their own username in the Netsparker Enterprise account and can launch web application security scans, view reports and issues. As an administrator, you can configure different privileges for each user.

Feature Highlight: Vulnerability Management and Tasks

Just like dedicated bug tracking systems, Netsparker Enterprise enables you to assign identified vulnerabilities as tasks to team members for remediation. This is an essential feature when you are tracking the security of many web applications.

Tasks marked as Fixed are automatically rescanned. Depending on the result, they are either closed or reopened and reassigned.

The vulnerability management system is designed to ensure every user knows what they need to do, and for results and fixes to be checked automatically. You can also integrate your existing bug tracking solution.

Web Application Security Scans in Your SDLC

Both Standard and Enterprise editions can be easily integrated into your SDLC and Continuous Integration processes.

  • Netsparker Standard has command line support allowing you to easily write scripts that can be triggered by other applications to launch automated scans.
  • Netsparker Enterprise has an extensive and well documented API that you can use to trigger any type of action available in the Netsparker Enterprise dashboard.

Keeping Web Applications Secure

Launching a single web application security scan and remediating the identified vulnerabilities can be quite difficult. It is even more demanding to scan all web applications frequently and ensure that detected vulnerabilities are fixed, and that the applied fixes do not open new security flaws.

  • If you use Netsparker Standard, you can compare different scan results on the same website. This allows you to pinpoint the differences between scans and keep track of all issues. It's easy to compare results, but time-consuming if you have lots of websites.
  • This is where Netsparker Enterprise shines. Its trending and correlated reports are automatically updated each time a website or web application is scanned. This negates the need to manually compare results.

Manual Crawling and Security Scanning

If you need to manually crawl a website or a section of it, you'll need to proxy the traffic through the scanner so it will capture it, identify attack surfaces and then scan them. Netsparker Standard can be used for manual crawling.

With Netsparker Enterprise, you cannot, as it is a cloud-based product. There are two reasons why such a service cannot be used for manual browsing. One is that such a feature could easily be abused by attackers: it's never a good idea to have an open proxy that allows any user to interact with websites using an IP address that belongs to your web service. The other reason is privacy. While we ensure that we don't store sensitive user data, such as browsing history, on our servers, we understand that having a manual crawling feature in Netsparker Enterprise would create unnecessary amounts of private data, which we always try to avoid. However, you can still achieve the same results by configuring a browser to proxy its traffic through a local proxy (such as Fiddler) and capturing the traffic. Once you have captured the traffic, you can import the Fiddler capture into Netsparker Enterprise and launch the scan. This won't be the same, nor as interactive, as with Netsparker Standard, but it will get the job done when manual request entry is required.

Enterprise or Standard Web Application Security Scanner?

  • If you have a small team and a small number of websites, and you prefer to be more hands-on, Netsparker Standard is the best option.
  • If you operate in a large team and have many websites and web applications to secure, and need supporting tools to ensure collaboration among the team members, Netsparker Enterprise is recommended.