Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner ...

Netsparker is the first false-positive free scanner. In this 

document you can see the details of features, how to use 

them and how to tweak Netsparker. If you can’t find 

what you are looking for, please contact us 

(support@mavitunasecurity.com) and we will get back to 

you as soon as possible. 

Mavituna Security Ltd. 

Finance House, 522A Uxbridge Rd. 

Pinner. HA5 3PU / UK 

+44 845 686 3001 

+44 845 686 5001

Chapter:

Chapter:

Chapter:

Chapter: Introduction to Netsparker 

5 

Product Overview 

Welcome to Netsparker, Next Generation Web Application Security Scanner. 

Netsparker is a powerful web application security scanner, which can crawl, attack and 

identify vulnerabilities in all types of web application whatever platform and 

technology it is built on. It can identify web application vulnerabilities like SQL 

Injection, Cross-site Scripting (XSS), Remote Code Execution and many more with 

easy-to-use and intuitive user interface. 

Netsparker helps web application developers or penetration testers to secure web applications 

easily and painless than ever before. With preset scan profiles, you can quickly start scanning your 

applications and get instant reports. 

Mavituna Security Ltd. © 2009-2010, all rights reserved. 

www.mavitunasecurity.com


6 

Feature List 

False-Positive Free 

Netsparker doesn’t produce false positives, period. 

All web application security scanners report false-positives, that is, they report vulnerabilities which 

do not exist. 

Netsparker will try lots of different things to confirm identified issues. If it can’t confirm them and 

requires manual inspection, it’ll inform you about a potential issue generally prefixed as [Possible], 

but if it’s confirmed, that’s it. It’s a vulnerability. You can trust it. 

Netsparker confirm vulnerabilities by exploiting them in a safe manner. If a vulnerability successfully 

exploited it can’t be a false-positive. Exploitation is carried out by a non-destructive way. 

Please see False Positive Free Scanning in our website for more details about the technical details and 

overall technology. 

JavaScript / AJAX / Web 2.0 Support 

Netsparker has a JavaScript engine which can parse, execute and analyse the output of JavaScript 

and VBScript used in web applications. 

This allows Netsparker to successfully crawl and understand websites that use different AJAX 

frameworks, custom code or well known frameworks such as Query. 

Detailed Issue Reporting 

Netsparker reports vulnerabilities with maximum details to make the issue and impact clear to the 

user. 

For example, instead of simply reporting XSS (Cross-site Scripting), it will report one of the following 

issues: 

 

 

 

 

Reflective Cross-site Scripting 

Permanent Cross-site Scripting 

Cross-site Scripting via RFI (Where the user can carry out an XSS attack via RFI but cannot 

execute code) 

Limited Cross-site Scripting (Attack only works on Internet Explorer) 

The same goes for many other vulnerabilities. 

Impact and remediation of issues is also tailored based on the details, therefore developers will know 

what to do specifically to solve the right problem in the right way. 

Automation 

Netsparker provides CLI (Command Line Interface) for you to automate scans and integrate 

Netsparker into your automated scanning, reporting or development systems. 




7 

Logging 

Netsparker supports logging all HTTP Requests and responses as well as all identified vulnerabilities 

and other scan related data. This might help penetration testing companies that want to have a copy 

of all the actions carried out by the scanner. 

Reporting 

Netsparker provides several different report outputs: 

 

 

 

XML 

RTF / Word 

PDF 

If you like, you can use Netsparker’s Reporting API to generate your own custom reports. Reporting 

API supports C# scripting and Netsparker ships with a sample report. All you need to do is use the 

provided template and create a new file and put it into the ”Report Templates“ folder. 

DRM Free Licensing 

Netsparker licensing system is very user-friendly and also respects users’ privacy. It’s DRM free. You 

don’t have to activate it every time you move your license, it doesn’t require internet connection to 

activate or work. It works instantly, you don’t have to login anywhere or get permission from us to 

start using your licence. 

Integrated Exploitation Engine 

Netsparker delivers detection, confirmation and exploitation of vulnerabilities in a single integrated 

environment. 

When Netsparker identifies a vulnerability, if the vulnerability has an exploitation module, it will let 

you exploit the vulnerability so that you can see the real impact of an attack. 

Currently it supports: 

 

 

 

 

 

Exploitation of SQL Injection Vulnerabilities 

Getting a reverse shell from SQL Injection vulnerabilities 

Exploitation of LFI (Local File Inclusion) Vulnerabilities 

Downloading the source code of all the crawled pages via LFI (Local File Inclusion) 

Downloading known OS files via LFI (Local File Inclusion) 

Post-Exploitation 

Netsparker is the only web application security scanner with an integrated exploitation engine. This 

gives Netsparker an edge and allows it to carry out some post-exploitation security checks. 

Currently it doesn’t support a lot of checks, but we are working on that. Right now, the only check is 

carried after SQL Injections. 

When Netsparker identifies an SQL Injection, it will check if the database user has admin privileges. If 

the user has administrator privileges, it’ll report a new issue called “Database User Has Admin 

Privileges” 




8 

Authentication 

Netsparker supports several authentication methods: 

 

 

 

 

Basic Authentication 

Form Authentication 

The user can configure form authentication for different websites. 

NTLM Authentication 

Digest Authentication 

This way you can test an application which requires one of the listed authentication methods. 

Figure 1: A Sample View from the User Interface 




9 

Technical Details 

When Netsparker identifies an SQL Injection, it can automatically determine how to exploit it and 

extract the version information from the application. When the version is successfully extracted, 

Netsparker will report the issue as confirmed, so that you can ensure that the issue is not a falsepositive. 

The same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads 

the injection in an actual browser and observes the execution of JavaScript to confirm that the 

injection will actually get executed in the browser. 

List of issues Netsparker is looking for. 

E-mail Address Disclosure 

Netsparker identifies email addresses exposed in the website. This can help users to determine what 

sort of information you exposed on the internet and can also help you to fight against spam. 

Internal IP Disclosure 

Netsparker identifies internal IP Disclosure issues where a system exposes its internal network IP 

address. 

Cookies are not marked as Secure 

Netsparker reports an issue if the cookies are not marked as “Secure” in HTTPS websites. 

Not marking cookies as “Secure” can allow attackers to steal the cookies over an HTTP connection 

and use those cookies to login to the application. 

Cookies are not marked as HTTPOnly 

Netsparker reports an issue if the cookies are not marked as HTTPOnly. 

JavaScript can’t read cookies if the cookie is marked as “HTTPOnly”, which means that a Cross-site 

Scripting attack can’t just steal the cookies via JavaScript. However that doesn’t mean the application 

is secure. Cross-site Scripting vulnerabilities should be addressed even though cookies are marked as 

“HTTPOnly” since there are many other ways to use Cross-site Scripting attacks. 

“HTTPOnly” should be considered as a defence in depth feature and should be used where possible. 

Directory Listing 

Netsparker detects if directory listing is enabled in the web server. 

Directory listing can allow attackers to see all files in the system and can help them to gain more 

information or download sensitive files from the target system. 

Stack Trace Disclosure 

Netsparker determines if the target application is disclosing stack trace information. 

Stack trace can leak information about internals of the application and might include some sensitive 

data or application logic related clues. 




10 

Version Disclosure 

Netsparker identifies version disclosures in HTTP Headers and HTTP responses. It supports many 

frameworks and well known languages and web servers such as ORACLE, IIS, PHP, ASP.NET, Apache, 

Apache Modules, JSP. 

Figure 2: Apache Module Version Disclosure 

Access Denied Resources 

Netsparker reports an information issue when access is denied to the requested resources. 

This can help the user to determine the design of the application and possible resources that exist in 

the web server but are not publicly available. 

Internal Path Disclosure 

Netsparker determines if an application discloses internal paths related to the application or the 

configuration. 

This generally indicates a programming error in the application and can help an attacker to gain more 

information about internals of the system. An attacker can use this information while crafting an 

exploit for another identified vulnerability. 

Programming Error Messages 

Netsparker provokes the given website to give error messages and reports these. These errors have 

no direct security impact but most of the time they indicate a programming error, quality issue or a 

potential vulnerability in the application. 




11 

Many of them also leak information about the logic or the implementation of the application which 

can help an attacker to identify or exploit other related issues. 

Figure 3: Sample Programming Error Messages Example 




12 

Database Error Messages 

Netsparker provokes and reports database error messages leaked by the website. If the problem is 

related to SQL Injection, a separate issue will be raised by Netsparker, otherwise this is reported to 

inform the user that the application is giving away some database error messages which is potentially 

related to a programming error or another problem regarding the database connectivity. 

Figure 4: Database Error Messages Example 




13 

SQL Injection 

Netsparker can detect different SQL Injections including Error Based, Blind and Time Based SQL 

Injections. The SQL Injection engine is quite comprehensive and can detect Blind SQL Injections even 

in complicated queries. 

After identification of the vulnerability, Netsparker will carry out extra checks to determine if the 

database user used by the application has admin privileges. In this case it’ll report a separate issue 

called “Admin User DB Connection” 

Figure 5: Database User Has Administrator Rigths Example 




14 

Local File Inclusions & Arbitrary File Reading 

Netsparker detects Local File Inclusion and Arbitrary File Reading issues. It detects if an attacker can 

access files and source code from the server. 

It supports Windows and *nix systems. It carries out advanced checks, uses process directories, Null 

byte injection attacks, dynamic file extension replacements and many other methods to bypass weak 

filters and black listings. 

It checks if the Local File Inclusion can be used for executing remote commands by injection code 

into log files. 

Netsparker has exploitation features for Local File Inclusion attacks. 

Figure 6: Local File Inclusion 




15 

Remote File Inclusions 

Netsparker detects if the application is vulnerable to Remote File Inclusions which allow an attacker 

to inject a remote file and execute a piece of code in the server. 

Netsparker carries out several dynamic requests and tries to bypass many weak protections and 

black-listings. 

Figure 7: Remote File Inclusion 




16 

Remote Code Injection / Evaluation 

Netsparker detects if the application evaluates / executes the given code within itself by using a 

dangerous call such as eval(). 

This is a very dangerous vulnerability and can allow an attacker to execute code in the server. 

Figure 8: Remote Code Evaluation 




17 

XSS (Cross-site Scripting) 

Netsparker identifies Permanent/Stored and Reflective Cross-site Scriptings. Cross-site scripting 

issues can be identified in parameters or in the URL. 

It carries our several different attacks to bypass known and custom weak protections. 

Figure 9: Cross-site Scripting 

XSS (Cross-site Scripting) via Remote File Injection 

Netsparker detects if it’s possible for an attacker to call inject a remote file to execute JavaScript in 

the current page. 

This can be used by attackers to carry out normal Cross-site scripting attacks. 

XSS (Cross-site Scripting) in URLs 

Netsparker detects Cross-site Scripting issues in URLs. This is common in websites using URL Rewrite 

and PHP. 

OS Level Command Injection 

Netsparker detects if an attacker can inject an OS command via the web application to execute code 

in the server. 

This vulnerability can allow an attacker to gain full access over the server and the web application. 

CRLF / HTTP Header Injection / Response Splitting 

Netsparker detects CRLF injection issues in the web applications. 




18 

This issue can cause many problems. The most common of these Cross-site scripting and session 

hijacking by carrying out a session fixation attack. 

Find Backup Files 

Netsparker tries to find backup and temporary files in the target website by using crawled file names 

and well known names. 

Netsparker determines if this problem can lead to source code disclosure issues. 

Crossdomain.xml Analysis 

Netsparker detects and analyses crossdomain.xml files for problems such as open access policy. 

An attacker needs to attack an authenticated user of the website to exploit this problem successfully 

. The attacker can read authenticated users’ private messages or carry out actions as the attacked 

user. If the Crossdomain.xml file has open policy, the attacker can bypass any CSRF protections 

(nonce / CSRF tokens). 

Figure 10: Open Policy Crossdomain.xml Identified 




19 

Finds and Analyse Potential Issues in Robots.txt 

Netsparker detects and parse links in Robots.txt files. If it identifies a potentially critical URL listed in 

the Robots.txt it will report the problem with details. 

Figure 11: Robots File Identified 




20 

Finds and Analyse Google Sitemap Files 

Netsparker detects and parses Google Sitemap files to increase the coverage and inform the user 

that the sitemap file is accessible to confirm that this is the intended behaviour. 

Figure 12: Sitemap File Identified 




21 

Detect TRACE / TRACK Method Support 

Netsparker checks and determines if the TRACE / TRACK HTTP Methods are supported and enabled 

by the web server. 

Figure 13: TRACE / TRACK Identified 




22 

Detect ASP.NET Debugging 

Netsparker detects if ASP.NET Debugging is enabled. 

Figure 14: ASP.NET Debugging Enabled 

Detect ASP.NET Trace 

Netsparker detects if ASP.NET Tracing is enabled and accessible. 

An attacker can use ASP.NET Tracing output to access active users’ sessions and gather information 

about the application and its structure. 

Checks for CVS, GIT and SVN Information and Source Code Disclosure 

Issues 

Netsparker detects files disclosed by source code versioning systems such as CVS, GIT and SVN. 

An attacker might exploit this problem to gain access to the source code of the application or might 

retrieve configuration and other important files. 




23 

Finds PHPInfo() pages and PHPInfo() disclosure in other pages 

Netsparker attempts to find forgotten phpinfo files in the system. It also reports the PHPinfo() output 

in all crawled pages. 

Information disclosed from PHPInfo() might help attackers to gain more information about the target 

system. 

Figure 15: PHP Info Disclosure 

Finds Apache Server-Status and Apache Server-Info pages 

Netsparker detects if the Apache Server-Status or Server-Info pages are publicly accessible. 

Apache Server-Status and Server-Info can be used by attackers to gain more information about the 

target system and will help them to find hidden URLs and currently visited URLs. 

Find Hidden Resources 

Netsparker looks for hidden files and directories in the target website. 

These include: 

 

 

 

Test files 

Management files and directories 

Known vulnerable files / scripts 

For example, even if it’s not linked anywhere in the website, Netsparker will identify the “admin” 

directory. 




24 

Basic Authentication over HTTP 

Netsparker reports if the server requests Basic Authentication over HTTP. 

An attacker sitting between the user and the website might carry out a MITM (Man in the middle) or 

sniffing attack to capture the user’s password. 

Password Transmitted over HTTP 

Netsparker identifies if the website sends passwords over HTTP. 

An attacker sitting between the user and the website might carry out a MITM (Man in the middle) or 

sniffing attack to capture the user’s password. 

Password Form Served over HTTP 

Netsparker determines if a login form server over HTTP and the target of the form is HTTPS. 

Many developers might not be aware that this is a security issue, therefore Netsparker reports a 

detailed issue for this problem to ensure that the issue is correctly addressed by developers. 

An attacker sitting between the user and the website might carry out a MITM (Man in the middle) 

and inject a piece of JavaScript code to steal the password before it reaches HTTPS, or he/she can 

easily change the target of the form to HTTP as well to steal the user’s password. 




25 

Source Code Disclosure 

Netsparker provokes the web server to disclose source code where possible and detects whether the 

source code disclosure is due to a configuration problem or a security issue or just left commented in 

the code. 

An attacker can access hard coded passwords, might gain information about the logic of the 

application and the system by reading the disclosed source code. 

Figure 16: ASP.NET Source Code Disclosure 

Auto Complete Enabled 

Netsparker determines if Auto Complete is left Enabled in sensitive form fields such as Credit Card 

numbers. 

An attacker who can access the user’s computer can access these cached auto complete data via the 

browser. This is especially critical if the website is used from public computers. 

ASP.NET ViewState Analysis 

Netsparker analyses ViewState related issues in ASP.NET pages. 

ViewState is not Signed 

Netsparker reports a new issue if the ViewState in the page is not signed. In this case an attacker 

might modify the content of the ViewState and subvert the logic of the application or carry out other 

attacks by changing the ViewState . 




26 

ViewState is not Encrypted 

Netsparker reports a vulnerability if the ViewState in the page is not encrypted. In this case an 

attacker can read the data within ViewState by simply decoding it. This might leak sensitive 

information. 

Figure 17: ASP.NET ViewState Analysis 



System Requirements 

 

 

 

 

 

 

 

Microsoft Windows XP Professional Edition Service Pack 2 or Windows Server 2003 Service 

Pack 1 or higher 

Microsoft Internet Explorer 6 or higher 

Microsoft .NET Framework 3.5 Service Pack 1 runtime 

1Ghz Pentium processor or higher 

512 MB of available RAM (minimum); 1 GB (recommended) 

100 MB of HDD space for installation and additional 100 MB for scanning 

CD or DVD drive is not required 

Installation Instructions 

First, please make sure that you read the release notes if provided with the installation package. Also 

make sure that you have the latest service packs and Windows updates on your computer. 

Download the latest version of Netsparker from the provided download location and save the setup 

file to your computer. When download finishes, run NetsparkerSetup.exe to start the installation 

wizard. 

Figure 18: Installer Window 

The first page of the wizard is the Licence Agreement page. On this page, review the Licence 

Agreement and press I Agree button to continue. 

On the second page Netsparker Setup will provide a default installation folder; if you need to change 

the destination folder, press Browse... to change it, and press Continue to proceed. 

The following page will ask you to choose the Start Menu folder, you can change it if you want, and 

press Install to start installation. 

Installation will take up to a few minutes and then pressing Close will exit Netsparker setup.

Chapter: Installing Netsparker 

28 

After finishing installation, Netsparker will start and ask for the licence file. Press the Load Licence 

File... button to locate the licence file. This action will copy your licence file into the program folder 

and load the main user interface. 

Figure 19: Licence Question Window 

Updating and Automatic Updates 

When you run Netsparker for the first time, it asks for your permission to access the update server. 

So, Netsparker can automatically update itself over the Internet. If you decide not to do so, you can 

update manually by selecting Check for Updates on the Help menu or by Ctrl+U keyboard shortcut. 

Figure 20: Check for Updates Menu 

If automatic updates are enabled, Netsparker connects to the update server to check for available 

updates once a day. Netsparker does not connect to the Internet without your permission i . 

When there is an available update, it will prompt you to confirm the download and installation of the 

update. When you press Yes the update will be downloaded and installation wizard will start. 

Figure 21: Update Found Dialog 

You can enable or disable Automatic Updates at any time by using Advanced Settings on the Settings 

menu. 



Starting a new scan 

To start a new scan with Netsparker, click Start a New Scan button from the File menu or from the 

toolbar. Type the address (URL) of the web application to be scanned in the Target URL box in the 

opened dialog window and click the Start button. 

After typing the URL of the web application, you can customize the scan by clicking the Profiles 

button and selecting one of the preset scan profiles and afterwards start the scan by clicking the 

Start button. You can find detailed information on customization options in the Start a New Scan 

dialog window in the “Customizing Scan Profile” section 

Figure 22: Start a New Scan Button 

The scan time will vary depending on size of the scanned web application, performance of the server 

on which it is running, and also the selected scan profile. During the scan, you can find detailed 

information about the scan progress on the Dashboard and track issues identified during the scan in 

the Issues and Sitemap panels.

Chapter: Getting Started 

30 

Customizing Scan Profiles 

Scan and Modules Tab 

In this tab, you can choose the issues the scanned web application will be tested against and speed 

and scope of the scan. 

When the Crawl Only option is not selected, attack types to be performed during scan can be chosen 

with Tests to Run. 

Figure 23: Tests to Run Window 

The Crawl Only option is used to scan without attacking the web application. When this option is 

selected, only the site map will be prepared and issues found identified this process will be reported. 

Crawl Only mode will not identified issues requires active attacking such as SQL Injection and Crosssite 

Scripting. This mode is useful if you want to assess some security best practices passively. Crawl 

Only mode report issues such as “Auto Complete is enabled”, “Password Transmitted over HTTP” and 

“Cookies are not Marked as Secure”. 

Scan Scope 

Scan scope defines which part of the application Netsparker allowed to crawl and attack. 

The scan scope can be chosen out of three different options: 

Figure 24: Scan Scope Option 

Entered Path and Below 

Scan requests and attacks are only made to the target path and URLs under that path. 

For example if the entered URL was https://example.com/testfolder/ 

Will be tested: 




31 

 

 

 

 

https://example.com/testfolder/test.php 

https://example.com/testfolder/test/modify.php 

https://example.com/testfolder/test/ 

https://example.com/testfolder/test/ 

Will not be tested: 

 

http://example.com/testfolder/ 

Protocol is different (target URL was https) 

 

http://example.com/test.php 

URL is not under the given target 

 

http://test.example.com 

Different domain or subdomain 

Only Entered URL 

Scan requests and attacks are only made to the target link and no external links are followed. This 

function is quite useful if you want to test only one page and all parameters in that page without 

testing the whole web application. 

Be careful if you enter http://example.com/test , http://example.com/testx will be tested 

as well. This scope uses includes all URLs starts with the given target URL. 

For example if the entered URL was https://example.com/testfolder/test.php 


 

 


https://example.com/testfolder/test/test.php?id=1 


 

https://example.com/testfolder/register.php 

URL does not start with the given target 

 


Protocol is different (target URL was https) 

 

http://example.com/test.php 

URL does not start with the given target 

 






32 

Whole Domain 

The target URL is taken as the start point and all the URLs beginning with the same hostname are 

scanned. 

For example if the entered URL was https://example.com/testfolder/test.php 


 

 

 

 

https://example.com/index.php 

http://example.com/register/ 


http://example.com/testfolder/test/test.php?id=1 


 



Authentication Tab 

In the Authentication Tab, you can configure the authentication settings required for access to the 

web application you will scan with Netsparker. 

Netsparker supports NTLM, Basic, Digest Authentication and Forms Authentication. It also offers 

Cookie support if you need to set custom cookies. 

Figure 25: Authentication Tab 




33 

Configure Form Authentication 

If the target web application requires to login via a web form you can configure it from this short 

wizard. When it’s configured correctly Netsparker will stay logged in to the application during the 

scan. 

First Step 

In the section you enter by clicking the Configure Form Authentication button; 

 

 

 

 

Support Dynamic Tokens: By activating this option, you can enable support for dynamic 

tokens used against vulnerabilities such as CSRF, 

Login Form Url In this field, you should type the URL of the Login Page of the application you 

want to scan, 

A Login Required Url , this field you should type the URL of a page accessible only after login 

is performed to the application, 

Username and Password fields should be filled in with the username and password required 

for logging in. 

Figure 26: Configure Form Authentication Step 1 

Proceed to the next step after you fill in the relevant fields with correct information by clicking the 

Next button. 

Second Step 

In the second step, Netsparker will make a request to the login page of the application and fill up the 

username and password in the relevant fields automatically. What should be done here is make sure 

that the relevant information is typed correctly and complete the login procedure by from the login 

form presented by the web application. When you click to login Netsparker will identify the login 

request and will enable the Next button. 




34 

Figure 27: Configure Form Authentication Step 2 

Proceed to the next step with the Next button. 

Third Step 

Using the information you gave, Netsparker logs in to the web application automatically and in case 

logout is performed during scan, it offers the options String Based Logout and Redirect Based Logout 

determining how this condition will be detected. 

Figure 28: Confirm Logged out and Logged In Views 

Moreover, in order for you to confirm accuracy of the settings, Netsparker will show the logged out 

and logged in states of the application and enable you to respond in case there is a fault. 

If Redirect Based Logout is identified Netsparker will fill it out for you. If it hasn’t you need enter a 

piece of text from logged out view. This text should not be visible in the Logged In view so Netsparker 

can understand that the application logged it out. 




35 

After you complete the final step, you can click the Finish button to start the scan with the login 

information created by Netsparker. Netsparker also keeps the previous login information in the 

Logins folder under the “My Documents\Netsparker Scans” folder. 

Next time you scan the very same URL Netsparker will automatically remember the authentication 

details so you don’t have to go through this process every time. However if you want to remove that 

profile you can click the Configure Form Authentication and then click the Cancel button again. This 

will remove the saved form authentication. 




36 

NTLM / Basic / Digest Authentication 

If the application you want to scan requires NTLM, Basic or Digest Authentication you can easily 

meet this requirement with Netsparker. 

All you have to do is: 

 

 

 

 

Check the NTLM or Basic or Digest Authentication Required checkbox, 

Type the username needed for authentication in the Username field, 

Type the password in the Password field, 

Type the domain of the application you want to scan in the Domain field. 

Figure 29: NTLM / Digest / Basic Authentication Details 

To allow you to scan web sites with invalid SSL certificate Netsparker will not check for the 

validity of the SSL certificate of the target web application. Therefore in the case of MITM 

(mat in the middle attack) the given password can be in danger. 

Custom Cookies 

You can set custom cookies. These cookies will be send with every request and cannot be expired by 

the server responses. 

Figure 30: Custom Cookies Window 

You can easily add a cookie in this format: CookieName=Value or add multiple cookies in the form 

CookieName1=Value1; CookieName2=Value2 

Exclude or Include Links 

Netsparker can limit the requests according to criteria determined by you. This will allow you to test 

only some parts of the target application or exclude some parts of the application from the test. 

Figure 31: Include & Exclude Rule Window 

Let us examine how this mechanism works through an example: 




37 

When you activate the Exclude option and type “logout” in the relevant field, Netsparker will not 

make requests to links including the text “logout” while scanning your application. 

Netsparker will only look for the name in the URL not in the Link’s name or the title. If the 

Logout Page’s name sessionend.php you need to use “sessionend“ instead of the text in the 

link such as “Logout”. 

In the same way, when you activate the Include option and type “test” in the relevant field, 

Netsparker will only make requests to links including the text “test”. 

This field allows you to enter RegEx rules. For example if you want to exclude logout.php and 

/nottotest folder you can use the following RegEx and choose the Exclude radio button. 

(logout\.php|/nottotest) 




38 

Advanced Settings 

Prior to starting to scan with Netsparker, from the Advanced Settings tab, you can choose how the 

pages will be analysed (Choose Parsers), optionally choose the proxy server address to be used 

(Proxy) and choose the database server type of the application you want to scan. 

Figure 32: Advanced Settings 

Choose Parsers 

To identify forms and link Netsparker uses two different parsers. 

Figure 33: Parsers 

 

 

Parse JavaScript / Ajax (DOM Parser): The DOM Parser analyses JavaScript / AJAX in the web 

application you want to scan and finds forms and links within them. It simulates and 

interprets the JavaScript for better accuracy. 

HTML / Text Parser: The Text Parser to HTML codes and links in text form in the application 

to be scanned. 

It’s highly recommended to keep both of these parsers enabled in every scan. If you know that the 

target application has not many JavaScripts you can try to disable JavaScript parser to speed up the 

Crawling Phase. 

Connection 

You can activate this feature if a Proxy Server is required to access the target web application, or if 

you want to pass the requests to be made to the target web application you want to scan through a 

proxy server. 

By default Netsparker will use the Internet Explorer’s proxy. If you want to disable this you can 

go to “Settings » Advanced Settings” and set DoNotUseSystemProxy to True 




39 

Figure 34: Proxy Settings 

You can use the following formats to configure a proxy: 

 

 

http://localhost:8080 

https://user@pass@127.0.0.1:8000/ 

Scan Optimisation 

If you know what the database the target web application running, you can choose the suitable 

option from the Scan Optimisation section and have the requests to be made during the scan 

optimised according to this database server, thus increase the scan performance by having it send 

less requests. 

Figure 35: Database Optimisation 

Some parts of the application you want to scan with Netsparker may use a different database server 

or you might not know the backend database server. In such cases where you cannot be sure for this 

reason, you can choose the Any option and have make Netsparker send requests including 

possibilities aimed at all database servers. 




40 

Analyzing Vulnerabilities 

When Netsparker detects a new issue as a result of a scan, you can access the details of this issue 

from the Issues and Sitemap panels. There is no need to wait for completion of the scan to examine 

the issues. 

Figure 36: Issues Panel 

In the Issues panel, issues are listed in groups according to 4 different properties. 

Figure 37: Sample Issue Details 

After you choose the issue details of which you want to see from the Sitemap or Issues list, you can 

see the page including the issue from the Browser View tab and at the same time you can see HTTP 

requests and responses from the HTTP Request / Response tab. 

Figure 38: Browser View 




41 

Figure 39: HTTP Request / Response View 




42 

Merging Scans 

If a web application is hosted on two or more different hostnames, scanning and reporting can done 

by scanning first and merging the second or following scans. 

Whenever you press the Start a New Scan button, Netsparker asks you to decide if you want to clear 

previous scan results or merge them. If you clear current results by pressing the Yes button, new 

scan will start with a clear site map. If you press the No button, current results will be merged with 

the new scans result, so that you can analyse and report them together. 

Figure 40: Scan Merge Question 



Scheduling 

Thanks to scheduling support, you can make your Netsparker scans run with daily, weekly or 

monthly periods and have the results saved to the given folder after the scan is complete. 

To schedule a new scan click to Start a New Scan or Schedule a New Scan then customise the scan 

and click Schedule Scan button. 

Scan Profile and Schedule Settings 

First thing to do is create a profile to specify the settings scans will use while running. 

Figure 41: Schedule a New Scan Window 

After the profile is set, you should specify the Scheduling settings by clicking the Schedule Scan 

button. After this button is clicked, the “Schedule Scan” window will open. 

Figure 42: Schedule Settings

Chapter: Using Netsparker 

44 

In the above window, the following settings should be made: 

 

 

Scheduled Task Name: Name of task to be scheduled. Run as User / Password: User name 

and password for running the relevant scan task. 

Recurrence: The time and intervals the scan will be repeated. 

o Run scan on / at: Start date and time of the scan. 

o Repeat: Repeating setting of the scan. It can be set as daily, weekly or monthly. 

Figure 43: Scan Recurrence Settings 

 

Reporting: Reporting settings. 

Figure 44: Reporting Settings 

o 

Report Type: Report format in which the scan result will be saved. You can get the 

scan result in “Adobe PDF File”, “Microsoft Word (RTF) File”, “Microsoft Excel (XLS) 

File”, “Web Page (HTML), “CSV File”, “Plain Text File”, “Vulnerabilities List (XML)” 

formats. 

o 

Figure 45: Report Types 

Path: File path the report will be saved. 

Report path can include %date% or %time% variables in the file name. This will allow 

you to run the same scan over and over and have a separate report file for each. For 

example you can use the following path: 

C:\My Reports\Testsite-%date%-%time%.pdf 

Generated names will be like this: 

c:\My Reports\Testsite-05032009-125012.pdf 

Figure 46: Report Path 

After the relevant settings are made correctly and saved, on the specified time, the “Windows Task 

Scheduler” will start the relevant scan task and save the result report into the specified folder when 

the scan is over. After the save is complete, you can use “Windows Task Scheduler” to track the scan 

task. 




45 

Reporting 

Netsparker offers two types of reporting systems. With the Generate Report option in the Reporting 

menu, you can obtain a report in which you can see all the vulnerabilities, print this report or save it 

in different file types. It is possible to obtain a report while the scan with Netsparker is still in 

progress or when it is completed. 

Generating Custom Reports 

You can access the report interface by using the Generate Report option in the Reporting menu on 

the menu bar, or with the Ctrl+E keyboard shortcut. You can see all the vulnerabilities as grouped 

according to their types on the left-hand side of the reporting interface. The vulnerabilities are listed 

as documents on the right-hand side. You can move over the document by clicking the groups or 

vulnerabilities on the document map. 

Figure 47: Reporting Document Map 

Figure 48: Sample Issue View from the Report 

In the Netsparker reporting interface; you can make searches within the report, change the page 

layout of your report and apply various styles to your report. 




46 

Figure 49: Report Settings 

If you like, you can save the report with the buttons on the toolbar or with the Export Document... 

option from the File menu, print it with the Print option or send it as e-mail with the Send via E-Mail 

option. Netsparker can report issues as Adobe Acrobat (PDF), webpage (HTML), rich text format 

(RTF), Microsoft Excel document (XLS, XLSX), plain text or various image formats and send these as e- 

mail. You can save the report in the rich text format (RTF) to open it in Microsoft Word or OpenOffice 

Writer. 




47 

Custom Reporting and Templates 

Netsparker can help you to generate custom reports according to your business need and for 

integration with other software. Custom reporting tool employs a scripting engine to run your C# 

code to generate reports. 

How does it work 

During the startup of Netsparker, it scans for C# code files (*.cs) in "ReportTemplates" directory 

located under Netsparker's installation directory. Every identified file will be visible in the 

"Reporting" menu as a custom report. 

Scripting Language 

Scripting language is C#. Even if you haven't written code in C# before, it shouldn't be a problem. It's 

pretty easy to make simple changes. 

Here is a sample custom report code: 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

< 

/vulnerableparameter> 

 

 

 

 

 

 

 

 

 

 




48 

 

This will generate an XML file which includes: 

 

 

 

 

 

 

 

All vulnerabilities 

Vulnerable Parameter and type (GET/POST) 

Vulnerability Details 

Confirmation Status 

Extra exploitation data 

Scan time 

Vulnerability severity etc... 

You can add more details into the reports, customise them or filter your reports for with custom 

criteria. 

Documentation 

You can find MSDN style API documentation under "ReportTemplates" directory, named 

"NetsparkerReportingAPI.chm" 

Defining the extension of the report 

Name of the C# code file will be visible under Reporting menu and when user clicks to it generated 

report will use the extension from the custom report file name. 

For example: 

 

 

"Vulnerabilities List (XML).xml.cs" - File extension will be "xml" 

"Vulnerabilities List as Web Page.html.cs" - File extension will be "html" 

Testing Reports 

You don't need to restart Netsparker every time you change the source code of your report. After 

Netsparker adds it to the report menu once all you need to do is run it again. If it fails to compile it'll 

let you know with an error message. 

Security 

Reporting engine runs with current user's privileges. So don't run the report unless you trust the 

author of the report. 



Command Line Arguments 

You can use Netsparker from the command line interface. This interface can be used for automating 

scan operations or running a scan, settings of which were pre-specified with profiles and start-up 

parameters, with one click through a shortcut. 

Advanced scan settings can be specified from the console interface with profile support. Supported 

parameters are explained below. 

/a, /auto 

/p, /profile 

/u, /url 

/pr, /proxy 

When other parameters are given correctly, scan is carried out, report is saved 

and the program is closed. 

Name of the profile to be used during the scan. If not specified, the preset profile 

will be used. 

Address of the website to be scanned. If the profile file includes another website 

address, the address specified with this parameter will be taken into 

consideration. If two different URLs are specified in the profile and within this 

parameter, the one given with this parameter will be taken into consideration. 

Proxy server address. If the profile file includes another proxy server address, the 

address specified with this parameter will be taken into consideration. A valid 

proxy server address should be as follows: http://user:password@proxy.address/ 

If a user name and password are required for logging on the proxy server, these 

should be given in the shown format. 

/r, /report 

/rf, 

/reportformat 

/rt, 

/reporttemplate 

File path the report will be saved. It should be used with the “-a” parameter. The 

full physical file path can be given; if only the file name is given, the created 

report will be saved into the folder the command is run. 

File format of the created report. If not specified, the report is created in “pdf” 

format; rtf, pdf, text, csv, xls or html formats are also supported. 

Type of the created report. If not specified, first type in the list will be valid. 

Sample Usages: 

Scan http://test23.example.com and save the report to C:\reports\report.pdf. 

Netsparker /a /url http://test23.example.com /rf pdf /r C:\reports\scanreport.pdf 

Launch a new scan parameter with a custom profile and URL: 

Netsparker /url http://test23.example.com /p LFI


50 

Figure 50: Netsparker Launched from Command Line with Custom Profile and URL 



Chapter: Exploitation 

51 

Fundamentals 

Netsparker’s integrated exploitation engine allows you to exploit certain vulnerabilities directly from 

the user interface. This does not require exploitation expertise and can be used easily. Currently 

Netsparker supports exploitation for the following vulnerabilities: 

 

 

SQL Injection 

o Error Based SQL Injection 

o Boolean SQL Injection 

LFI (Local File Inclusions) 

Figure 51: Exploitation Toolbar 

Netsparker will hilight exploitation buttons based on the selected vulnerability from the “Issues 

Panel” or “Sitemap”. Netsparker will not hilight buttons if the exploitation is not possible. For 

example if the database user in an SQL Injection vulnerability has not priviliges to execute commands 

Get Shell button will not get hilighted. 




52 

Exploiting SQL Injections 

You can exploit the Error Based or Boolean Based SQL Injection vulnerabilities identified in the web 

application and run custom SQL queries in the application’s database via Netsparker’s SQL Injection 

panel. 

Figure 52: SQL Injection issues in the Issues Panel 

From the issues in the Issues panel choose a confirmed “SQL Injection” or “Boolean Based SQL 

Injection” issue, click the Execute SQL Commands button and the SQL Injection panel will appear 

where you can run custom SQL queries. 

Figure 53: Running Custom SQL Queries in SQL Injection Panel 

Afterwards, you can type an SQL query and run the query with the Run Query button. Response of 

the query will be displayed in the panel. 

Figure 54: Sample Custom SQL Query Output 




53 

Getting a Reverse Shell 

When Netsparker identifies and confirms an SQL Injection vulnerability, Netsparker checks the 

database user automatically. If the user has admin rights and can access the file system, they can 

access the command prompt on the target system. The panel reverse shell dialog will pop up when 

you click the Get Shell button. 

Figure 55: Get Shell Button 

Figure 56: Reverse Shell Dialog 

Reverse shell will send a small executable to the target system and then when this executable gets 

executed by Netsparker it will connect back to your system. When it connects back you can run 

commands in the target system. For this purpose you should configure reverse shell settings in this 

dialog. You can either use your computer to listen for a shell or you can use a “Custom Listener”. 

You should choose IP Address to Listen so you can receive the shell. If you are not sure about 

addresses or if you are connected to a single network, it is recommended that you choose the “Any 

Interface” option. 

In the Public IP Address field, you must type your public IP address. This is the IP Address where the 

transferred executable will connect to. Thus ensure that this IP address is reachable by the target. If 

you access the target system over the internet this IP address should be your public IP address. You 

can find your public IP address from a website such as www.whatismyipaddress.com. If you need to 

enter your public address do not forget to configure port forwarding in your router. 

www.portforward.com website can guide you on how to configure port forwarding in your router. 

If target is in the local network you can use your local IP Address. 

In the Port field, you should specify the port number in your computer over which the reverse shell 

connection will be made; since this port will be used for listening, the required firewall configuration 

should be completed. 

After filling in the relevant fields, you can click the OK button to start sending the requests required 

to get reverse shell. 




54 

Figure 57: Sample Reverse Shell Session 

After connection is made successfully, you can run commands on the opposite system from the Code 

Execution panel. 

Using a Custom Listener 

You can activate the Use Custom Listener option to use a listener of your own choice instead of 

Netsparker’s connection listener. This is quite useful if you already have public internet facing system 

in place. Just configure a tool such as Netcat to listen the given port and set Public IP Address to that 

system’s IP Address. In this case you can’t see the reverse shell in Netsparker’s screen but you will 

able to access the shell from the Netcat. Use the following command to listen port 443 with Netcat: 

nc -vv -l -p 443 

Netsparker will use a standard reverse shell therefore you can use a tool such Netcat or any other 

similar tool. 




55 

Exploiting LFI 

It is possible to exploit the “Local File Inclusion” vulnerabilities identified in the target application. 

Netsparker can download files on the system and can access the source code of the application. 

Figure 58: Local File Inclusion Vulnerability in Issues Panel 

After an issue of Local File Inclusion type is selected from the Issue list, you can click the Open LFI 

Exploitation button to access the panel that will enable you to read files on the system and access 

source code of the application. 

Figure 59: LFI Exploitation Question 

It is possible to download some known files automatically from the target system. 

Figure 60: Download Files 

Even if you did not select automatic download, you can use the Download button to re-download 

known files on the system and source code of the application. 




56 

Figure 61: LFI Exploation Downloaded File View 

You can also type the file name manually and download a file that you know exists on the system in 

the LFI Exploitation panel. After you click the Download button, you can see contents of the file in 

question when the download is complete. 



Chapter: Support 

57 

Getting Support 

Netsparker has a pretty and easy-to-use interface which makes it possible for someone to run a new 

scan without a guide. 

By keeping an eye on the Netsparker blog - http://www.mavitunasecurity.com/blog/ , you can access 

tips & tricks and latest news about Netsparker. 

Get in touch with us 

We are fanatical about support. You can contact us by email or telephone for any other issue and we 

will get back to you as soon as possible. 

Email: 

support@mavitunasecurity.com 

Phone: 

+44 845 686 3001 (weekdays between 09:00 and 17:30 GMT 



Chapter: Glossary 

58 

B 

Black-box Scanning 

Scanning security of a system without having extra privileges on target system, such as an attacker 

would do. For a web application, black-box scanning means having no source-code, administrative 

account or access to system hardware etc. 

F 

False-Positive 

False-Positive is when you a software reports a vulnerability identified but in fact there is no 

vulnerability in the scanned web application. Before Netsparker False-Positives were considered as 

mandatory side effect and there was no software that can eliminate false-positives. Netsparker is the 

first tool that doesn’t report false-positives. 

False-Negative 

When a tool misses a vulnerability that actually exist in the application, it’s called as false-negative. 

W 

Web Application Security Scanner 

It’s an automated tool designed to find vulnerabilities in web applications. 

i This does not include the servers that are connected during a scan process. All hosts referred in your web 

application may be accessed while scanning it.

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?