Netsparker v3.5.3 - Web Application Security Scanner [Review]



Netsparker is a web application security scanner that can crawl, attack and identify vulnerabilities in custom web applications regardless of the platform and technology they are built on. It can find a wide range of vulnerabilities, such as SQL Injection, XSS (Cross-site Scripting), DOM XSS, Command Injection, Blind Command Injection, Local File Inclusion and Arbitrary File Reading, Remote File Inclusion, CRLF / HTTP Header Injection / Response Splitting and more.

Installation of the software is easy. On starting the application you are presented with an intuitive GUI that shows a lot of information. To start a scan, you just enter a URL. It is very easy for newcomers to security testing to set up and use.

Many scanners will report a large number of vulnerabilities during an audit, but most of them are false positives, so you need real security-testing expertise to verify each finding by hand. Netsparker is an automated scanning tool that tries to avoid this waste by actively exploiting the vulnerabilities it detects and thereby proving that they are real. On the strength of this, Netsparker is marketed as the only false-positive-free web application security scanner; in practice that guarantee only covers findings the scanner has confirmed by exploitation, so anything it reports without such proof still needs manual verification.
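To make the difference between a signature-based finding and a finding confirmed by exploitation concrete, here is an added example (not Netsparker's code, and not from the original review). It simulates two search handlers over an in-memory SQLite table, one injectable and one parameterised, and runs two checks against both: a naive error-signature check, and a boolean-based confirmation that only fires when the injected condition actually changes the query result. The handler names, the table contents and the help text are constructed for the demo.

```python
import sqlite3

# Constructed demo target: an in-memory product search with two handlers.
# Nothing here is Netsparker code; it exists only to exercise the checks.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "apple"), (2, "apricot"), (3, "banana")])
    return conn

DB = make_db()

def vulnerable_search(q):
    """Simulated HTTP handler for ?q=<q>; builds SQL by concatenation."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + q + "%'"
    try:
        rows = DB.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Verbose error page, the kind a signature-only check keys on.
        return "<h1>Error</h1><p>SQL syntax error: %s</p>" % exc
    return "<ul>" + "".join("<li>%s</li>" % r[0] for r in rows) + "</ul>"

def safe_search(q):
    """Same feature with a bound parameter. Its static help text contains
    the words 'SQL syntax', which trips a naive error-signature check."""
    rows = DB.execute("SELECT name FROM products WHERE name LIKE ?",
                      ("%" + q + "%",)).fetchall()
    return ("<p>Tip: search for plain words, not SQL syntax.</p><ul>"
            + "".join("<li>%s</li>" % r[0] for r in rows) + "</ul>")

# --- scanner side ---
ERROR_SIGNATURES = ("SQL syntax", "unrecognized token", "OperationalError")

def heuristic_sqli(handler, base):
    """Signature-only check: send a stray quote and look for error text.
    Cheap, but it cannot tell a real database error from page content."""
    body = handler(base + "'")
    return any(sig in body for sig in ERROR_SIGNATURES)

def confirmed_sqli(handler, base):
    """Confirmation by exploitation (boolean-based). Append a condition that
    is true, then one that is false; only a query that really evaluates our
    SQL returns the baseline page for the first and a different page for the
    second. The leading %' closes the LIKE pattern the handler wraps around
    our input, and the handler's own trailing %' closes our last literal."""
    baseline = handler(base)
    true_case = handler(base + "%' AND '1%'='1")
    false_case = handler(base + "%' AND '1%'='2")
    return true_case == baseline and false_case != baseline

def verdict(handler, base):
    """Report a finding as confirmed only when exploitation succeeded."""
    if confirmed_sqli(handler, base):
        return "confirmed"
    if heuristic_sqli(handler, base):
        return "possible (needs manual verification)"
    return "clean"

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search), ("safe", safe_search)):
        print(name, "->", verdict(handler, "ap"))
```

Both handlers trip the signature check, but only the injectable one survives confirmation. The baseline comparison assumes deterministic responses; a real page with timestamps or per-request tokens needs the dynamic parts stripped before comparing, which is one reason reliable confirmation is harder than the marketing suggests.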



In my experience with other scanners, when the scanner fails unexpectedly (the power goes off, the machine is overloaded and the scanner is closed, etc.), it is very difficult to resume the scan, and usually no progress is saved. With Netsparker I had no problem with this, because it saves the progress of the scan from time to time.

A full scan is very slow (as with any vulnerability scanning tool), but while the scan is in progress you can increase the number of concurrent connections, at the cost of putting more load on the target.



In summary, Netsparker is a comprehensive and versatile tool that helps find and diagnose a large number of vulnerabilities:

  • SQL Injection
  • XSS (Cross-site Scripting)
  • DOM XSS
  • Command Injection
  • Blind Command Injection
  • LFI (Local File Inclusion) & Arbitrary File Reading
  • Remote File Inclusion
  • Remote Code Injection / Evaluation
  • CRLF / HTTP Header Injection / Response Splitting
  • Open Redirection
  • Frame Injection
  • Database User has Admin Privileges
  • Vulnerability Database (Inferred vulnerabilities)
  • ASP.NET ViewState Vulnerabilities
  • ViewState is not Signed
  • ViewState is not Encrypted
  • Web Backdoor Identified
  • TRACE / TRACK Method Support Enabled
  • XSS Protection Disabled
  • ASP.NET Debugging Enabled
  • ASP.NET Trace Enabled
  • Backup Files Accessible
  • Apache Server-Status and Apache Server-Info pages Accessible
  • Hidden Resources Accessible
  • Crossdomain.xml File Vulnerable
  • Robots.txt File Vulnerable
  • Google Sitemap Vulnerable
  • Silverlight Client Access Policy File Vulnerable
  • CVS, GIT and SVN Information and Source Code Disclosure
  • PHPInfo() Pages Accessible and PHPInfo() Disclosure in other Pages
  • Sensitive Files Accessible
  • Redirect Response BODY Is Too Large
  • Redirect Response BODY Has Two Responses
  • Insecure Authentication Scheme Used Over HTTP
  • Password Transmitted over HTTP
  • Password Form Served over HTTP
  • Authentication Obtained by Brute Forcing
  • Basic Authentication Obtained over HTTP
  • Weak Credentials
  • E-mail Address Disclosure
  • Internal IP Disclosure
  • Directory Listing
  • Version Disclosure
  • Internal Path Disclosure
  • Access Denied Resources
  • MS Office Information Disclosure
  • Auto-Complete Enabled
  • MySQL Username Disclosure
  • Default Page Identified
  • Cookies are not Marked as Secure
  • Cookies are not Marked as HTTPOnly
  • Stack Trace Disclosure
  • Programming Error Message Disclosure
  • Database Error Message Disclosure
  • Application Source Code Disclosure
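Many entries in this list are passive checks that need no attack traffic at all; they are decided from a single response. As an added example (not Netsparker's code, and not from the original review), the following implements a handful of them over one constructed HTTP response: cookies missing the Secure and HttpOnly flags, version disclosure in Server and X-Powered-By, a directory listing, a linked backup archive and an internal IP address in a comment. The response, its header values, cookie names and the 192.168.1.20 address are all invented for the demo; the `served_over_https` flag is an assumption the caller supplies.

```python
import re

# Constructed sample response (not captured from any real host); every
# header value, cookie name and address below is invented for the demo.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body>"
    "<h1>Index of /backup</h1>"
    '<a href="site.tar.gz">site.tar.gz</a>'
    "<!-- served by 192.168.1.20 -->"
    "</body></html>"
)

# RFC 1918 ranges only; no capturing group, so findall returns whole matches.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
BACKUP_LINK = re.compile(r'href="([^"]*\.(?:bak|old|orig|zip|tar\.gz|sql))"', re.I)
DIR_LISTING = re.compile(r"<title>\s*Index of\s+(\S+?)\s*</title>", re.I)
VERSION = re.compile(r"\d+\.\d+")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into status line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def passive_checks(raw, served_over_https=True):
    """Return (category, detail) findings; categories mirror the list above.
    served_over_https is an assumption: the Secure flag only matters on TLS."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            pair, *attrs = value.split(";")
            cookie = pair.split("=", 1)[0].strip()
            flags = {a.strip().lower() for a in attrs}
            if served_over_https and "secure" not in flags:
                findings.append(("Cookie not marked as Secure", cookie))
            if "httponly" not in flags:
                findings.append(("Cookie not marked as HTTPOnly", cookie))
        elif name in ("server", "x-powered-by") and VERSION.search(value):
            findings.append(("Version Disclosure", value))
    listing = DIR_LISTING.search(body)
    if listing:
        findings.append(("Directory Listing", listing.group(1)))
    for path in BACKUP_LINK.findall(body):
        findings.append(("Backup File Accessible", path))
    for ip in sorted(set(PRIVATE_IP.findall(body))):
        findings.append(("Internal IP Disclosure", ip))
    return findings

if __name__ == "__main__":
    for category, detail in passive_checks(SAMPLE_RESPONSE):
        print("%-32s %s" % (category, detail))
```

The sample yields seven findings; the `csrf` cookie carries both flags and is not reported. Passive checks like these are exactly the ones that never need the exploitation step from earlier in the review, because the evidence is already in the response, but the same caveat applies in reverse: a regex on page text cannot tell a real directory listing from a page that merely looks like one, so a practitioner still reads the finding rather than trusting the category label.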
For more information visit: