The Netsparker web application security scanners report vulnerabilities with a high degree of specificity, so that developers understand each vulnerability, can fix it and learn to write more secure code.
The Netsparker scanners report not only the vulnerability type but also its variant. For example, where other commercial scanners simply report a Cross-site Scripting (XSS) vulnerability, Netsparker reports the specific variant of XSS, such as Reflective XSS (reflected), Permanent XSS (stored), XSS via RFI (remote file inclusion), Limited XSS and so on. The variant matters because each one calls for a different fix and carries a different risk: a stored XSS fires against every visitor of the affected page, whereas a reflected one needs a victim to follow a crafted link.
For every vulnerability the scanners identify, the scanners will also report the vulnerable page and its URL, the vulnerable parameter and its type, and the attack pattern used during the web application security scan.
To verify that the identified vulnerabilities are not false positives, the Netsparker web vulnerability scanners also generate a proof of concept (PoC) or, where the vulnerability can be safely exploited during the scan, a proof of exploit (PoE), so that a reported finding is confirmed rather than merely suspected.
In addition to the PoC or PoE, the Netsparker scanners report the impact the identified vulnerability would have if it were exploited. Such information lets management make more informed decisions about which vulnerabilities should be fixed first.
To help developers better understand the mechanisms of a vulnerability, the Netsparker scanners also recommend a number of web links in the vulnerability details which developers can refer to. By using such external resources, developers can read and learn about the vulnerability in question, which helps them write more secure code in the future.
External reference links to well-known classification and compliance standards such as PCI DSS, the OWASP Top 10 and the WASC Threat Classification are also included in the vulnerability details. Such links come in handy if you use vulnerability management software, since findings can be grouped and tracked against the same categories.
The more you know about your web applications, the better you can secure them. To help you carry out a thorough penetration test, Netsparker also compiles extensive information about the target web application and reports it in the Knowledge Base nodes. For example, it gathers all source code comments from the crawled pages and highlights sensitive keywords in them, in case developers left comments (credentials, internal hostnames, disabled checks, TODO notes) that could help malicious hackers craft an attack.
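To show what such comment harvesting amounts to, here is a small Python script added as an illustration; it is not Netsparker's code and does not reproduce its keyword list. It pulls HTML comments and the comments inside inline scripts out of a page, then flags any that contain one of a constructed set of keywords. The sample page, the keyword list and the function names are all assumptions made for this example.

```python
import re

# Constructed keyword list: terms that usually make a comment worth a human look.
# Tune it for the target; it is not the list any particular scanner uses.
SENSITIVE_KEYWORDS = (
    "password", "passwd", "secret", "api key", "apikey", "token", "credential",
    "todo", "fixme", "hack", "admin", "debug", "bypass", "internal", "intranet",
    "database", "sql", "backdoor",
)

HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
JS_BLOCK_COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.S)
# A '//' that is not the '//' of a URL scheme such as http://. This is a heuristic:
# it will still misfire on '//' inside JavaScript string literals.
JS_LINE_COMMENT_RE = re.compile(r"(?<!:)//([^\n]*)")


def extract_comments(html: str) -> list[tuple[str, str]]:
    """Return (kind, text) pairs for HTML comments and for comments in inline scripts."""
    found = []
    for m in HTML_COMMENT_RE.finditer(html):
        found.append(("html", m.group(1).strip()))
    for script in SCRIPT_RE.finditer(html):
        body = script.group(1)
        for m in JS_BLOCK_COMMENT_RE.finditer(body):
            found.append(("js-block", m.group(1).strip()))
        # Remove block comments first so a '//' inside /* ... */ is not counted twice.
        stripped = JS_BLOCK_COMMENT_RE.sub("", body)
        for m in JS_LINE_COMMENT_RE.finditer(stripped):
            found.append(("js-line", m.group(1).strip()))
    return found


def flag_sensitive(comments, keywords=SENSITIVE_KEYWORDS):
    """Keep only comments containing a keyword (case-insensitive) and record which ones hit."""
    findings = []
    for kind, text in comments:
        lowered = text.lower()
        hits = [kw for kw in keywords if kw in lowered]
        if hits:
            findings.append({"kind": kind, "comment": text, "keywords": hits})
    return findings


def audit_page(html: str):
    """Convenience wrapper: extract comments from a page and return the flagged ones."""
    return flag_sensitive(extract_comments(html))


# Constructed sample page standing in for a crawled response; not a real site.
SAMPLE_HTML = """<html><head>
<!-- Build 2.3.1 - see http://intranet.example/wiki -->
<script>
  // TODO: remove before release, default admin password is changeme
  var endpoint = "http://api.example.test/v1"; // prod endpoint
  /* FIXME: the debug flag bypasses auth checks */
  var debug = false;
</script>
</head><body>
<!-- legacy login form, kept for compat -->
<form action="/login">...</form>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        print(f"[{finding['kind']}] {finding['keywords']}: {finding['comment']}")
```

The harmless comment about the legacy form is extracted but not flagged, while the intranet hostname, the TODO with a default password and the FIXME describing a bypassed check are all reported with the keywords that triggered them. A real crawler would run this over every response body and every linked script, not just a single page.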