Netsparker – The next gen web app scanner

I was lucky enough to get my greasy hands on a copy of ‘Netsparker Final BETA’ from Mavituna Security’s project leader Ferruh Mavituna.
Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology it’s built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more.
I tested Netsparker v0.9.9.9935 (FINAL BETA) against DVWA v1.0.6. Setting up a new scan was as easy as entering the DVWA URL, adding the security/PHPSESSID cookies and then selecting the vulnerability classes to scan for. Netsparker picked up almost all of DVWA’s vulnerabilities, including the SQL Injection vulnerability, which a lot of web application scanners have trouble detecting for some reason. I sent the vulnerabilities it did not pick up in an email to Ferruh; he has already added checks for some of them and will implement the others in future.
The GUI of Netsparker is really clean and easy to navigate. It includes a dashboard where you can visualise the progress of your scan, a vulnerability chart showing the criticality of the vulnerabilities found, live HTTP packet request/responses and much more.
After the scan has finished, Netsparker lets you export the results as an easy-to-read HTML or XML report. As well as crawling and scanning for vulnerabilities, Netsparker also aids in exploiting some of the vulnerabilities it finds: it lets you execute SQL commands against the vulnerable application much like an SQL client would, and it also has a ‘Get Shell’ feature which injects a reverse shell payload into the vulnerable application that connects back to your testing box, allowing you to execute commands on the underlying OS.
Netsparker is still in BETA, and I have to say it has made it into the top 3 web application tools I have played with. Netsparker will be commercially available, I am told, at a lower price than most commercial web application vulnerability scanners.
For more information: http://www.mavitunasecurity.com/
Follow Netsparker on Twitter: http://www.twitter.com/netsparker


3 Responses to “Netsparker – The next gen web app scanner”
WOW said...
WOW Cool Stuff Today! http://su.pr/28lEv3
tmacuk said...
Great blog post. Really excited to get my ‘greasy’ hands on this too. Any idea about release dates and/or price?
ethicalhack3r said...
The release date and price are yet to be announced.