
Web Application Security Scanning Flow

Launching an automated web application security scan is not enough on its own.
Maintaining a secure web application is a broader and more challenging process. Thanks to
Netsparker’s advanced technologies, discovering issues in a web application and fixing
them is easier than ever.

Netsparker will help you with default options and explanations. But you also need to gather
some detailed information about your web applications. This topic will help you prepare, so
that you can set the correct options for your Netsparker scan.

Knowing Your Web Application

Before launching a scan, it's best to conduct a mental inventory. The answers will help you
to optimize your Scan Policies.

Do you know the following about your website's technologies?


 Which programming (or scripting) languages were used to develop the website?

 Is the web application based on a framework or a CMS?

 On which operating system does the application run?

 Are there any databases connected to the application?

 Are you aware of all your online collateral, web applications and services?

 The most vulnerable components of a web application are often the login forms and
the input fields (which are listed in the Knowledge Base once a scan has completed).
Have you checked your websites to determine which web forms or input areas exist?
You will need them for configuring form authentication, or for excluding them from
the Scan Scope. Excluding components matters because Netsparker carries out a large
number of attacks, which may have side effects on your web application if the scan
is not configured properly. For instance, if there is a mail form on your web
application, Netsparker will submit requests through that form and you may receive
many unwanted emails.
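As an added illustration of the form inventory described above (this is example code written for this page, not Netsparker's own), the following Python script walks a few constructed sample pages, lists each form's action, method and named inputs, and flags forms that look like login forms (candidates for form authentication) or mail forms (candidates for exclusion from the Scan Scope). The page contents, URLs and the keyword list used for classification are assumptions made for the example.

```python
"""Inventory HTML forms and input fields before a scan.

Added example, not Netsparker code.  A scanner submits every form it finds, so a
contact or mailing form generates real e-mails during a scan.  This script parses
constructed sample pages, lists each form's action, method and named inputs, and
classifies each form as 'login' (needs form authentication), 'mail' (should be
excluded from scope) or 'other'.
"""
from html.parser import HTMLParser

# Constructed sample pages standing in for crawled responses (assumed content).
SAMPLE_PAGES = {
    "https://example.test/login": """
        <form action="/login" method="post">
          <input name="username" type="text">
          <input name="password" type="password">
          <input type="submit" value="Sign in">
        </form>""",
    "https://example.test/contact": """
        <form action="/contact/send" method="post">
          <input name="email" type="email">
          <textarea name="message"></textarea>
          <button type="submit">Send</button>
        </form>""",
    "https://example.test/search": """
        <form action="/search" method="get">
          <input name="q" type="text">
        </form>""",
}

# Hypothetical keyword list: names or action paths that suggest the form sends mail.
MAIL_HINTS = ("contact", "mail", "message", "subscribe", "newsletter")


class FormCollector(HTMLParser):
    """Collects <form> elements and the named inputs nested inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # For <input> the type attribute matters (password, email, ...);
            # for textarea/select the tag name is descriptive enough.
            itype = (a.get("type") or "text").lower() if tag == "input" else tag
            if a.get("name"):
                self._current["inputs"].append((a["name"], itype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(form):
    """Return 'login', 'mail' or 'other' from field types, field names and action path."""
    types = {t for _, t in form["inputs"]}
    haystack = (form["action"] + " " + " ".join(n for n, _ in form["inputs"])).lower()
    if "password" in types:
        return "login"
    if "email" in types or any(h in haystack for h in MAIL_HINTS):
        return "mail"
    return "other"


def inventory(pages):
    """Parse every page; return one dict per form with page, action, method, kind, inputs."""
    results = []
    for url, html in pages.items():
        collector = FormCollector()
        collector.feed(html)
        for f in collector.forms:
            results.append({"page": url, "action": f["action"], "method": f["method"],
                            "kind": classify(f), "inputs": f["inputs"]})
    return results


def exclusion_candidates(pages):
    """Form actions worth excluding from scan scope because submitting them sends mail."""
    return sorted({r["action"] for r in inventory(pages) if r["kind"] == "mail"})


if __name__ == "__main__":
    for r in inventory(SAMPLE_PAGES):
        print(f"{r['kind']:5} {r['method'].upper():4} {r['action']:15} inputs={r['inputs']}")
    print("Exclude from scope:", exclusion_candidates(SAMPLE_PAGES))
```

The classification is deliberately conservative: any form with a password field is treated as a login form, and any form with an e-mail field or a mail-related name or action is treated as a mail form, so that the worst case (a scanner flooding a real mailbox) is caught before the scan is configured.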

For further information, see Before Using Netsparker, Application & Service Discovery
Service, and Do Netsparker Scans Damage Web Applications?.

Preparing and Configuring Scans

After learning which technologies and other elements exist on the web application, next you
will start configuring the scan. 

Netsparker is a user-friendly, automated web application security scanner. In most
cases, it is enough to enter the target URL and start scanning; the scanner fine-tunes
itself automatically. However, even though Netsparker will still discover the issues,
an imprecisely configured scan may run extra and unnecessary security checks, keeping
the target host needlessly busy. So you can choose to configure the Scan Settings
yourself. Alternatively, you can make use of Netsparker Assistant.

The duration of a web application security scan depends on various factors. To keep the
duration short, you can optimize a scan by configuring some of the settings. For even more
accurate scan results, you should configure the scan further. You can configure the
following options:
 Crawling Options

 Scan Scope

 URL Rewrite Rules

 Website Authentication

 Scan Policy
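Two of these options, Scan Scope and URL Rewrite Rules, decide what the scanner actually tests: exclusions keep side-effect pages (logout links, mail forms) out of the scan, and rewrite rules let the crawler treat /product/123 and /product/456 as one endpoint with a parameter rather than as two pages. The following Python script is an added example written for this page, not Netsparker's code and not its rule syntax: it takes a constructed crawled URL list, drops URLs matching exclusion patterns, rewrites matching path segments into a templated endpoint with named parameters, and reports the distinct endpoints and parameters left to test. The URLs, rewrite regexes and exclusion patterns are assumptions for the example.

```python
"""Normalise a crawled URL list with rewrite rules and scope exclusions.

Added example, not Netsparker code; the rule format here (Python regexes with
named groups) is an illustration, not the product's own syntax.  Given crawled
URLs it drops excluded ones, maps rewritten path segments to named parameters,
and reports the distinct attack surface that would actually be tested.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the sort of list a crawler would produce (assumed URLs).
CRAWLED = [
    "https://shop.example.test/",
    "https://shop.example.test/product/123",
    "https://shop.example.test/product/456",
    "https://shop.example.test/product/456?ref=mail",
    "https://shop.example.test/category/shoes/page/2",
    "https://shop.example.test/category/bags/page/3",
    "https://shop.example.test/search?q=red&sort=price",
    "https://shop.example.test/account/logout",
    "https://shop.example.test/contact/send",
]

# Rewrite rules (hypothetical): regex over the path; named groups become parameters.
REWRITE_RULES = [
    re.compile(r"^/product/(?P<id>\d+)$"),
    re.compile(r"^/category/(?P<slug>[^/]+)/page/(?P<page>\d+)$"),
]

# Scope exclusions (hypothetical): paths that must never be requested during the scan.
EXCLUDE = [re.compile(r"^/account/logout$"), re.compile(r"^/contact/")]


def is_excluded(path):
    """True if any exclusion pattern matches the URL path."""
    return any(r.search(path) for r in EXCLUDE)


def rewrite(path):
    """Return (template_path, {param: value}) for the first matching rule, else (path, {})."""
    for rule in REWRITE_RULES:
        m = rule.match(path)
        if m:
            template = path
            # Replace captured values with {name} placeholders from right to left,
            # so earlier match offsets stay valid while the string changes length.
            for name in sorted(m.groupdict(), key=m.start, reverse=True):
                template = template[:m.start(name)] + "{" + name + "}" + template[m.end(name):]
            return template, m.groupdict()
    return path, {}


def attack_surface(urls):
    """Group URLs into endpoint -> sorted parameter names; excluded URLs returned separately."""
    endpoints = {}
    excluded = []
    for u in urls:
        parts = urlsplit(u)
        if is_excluded(parts.path):
            excluded.append(u)
            continue
        template, path_params = rewrite(parts.path)
        query_params = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        endpoints.setdefault(template, set()).update(path_params, query_params)
    return {k: sorted(v) for k, v in endpoints.items()}, excluded


if __name__ == "__main__":
    endpoints, excluded = attack_surface(CRAWLED)
    for ep, params in sorted(endpoints.items()):
        print(f"{ep:35} params={params}")
    print("excluded:", excluded)
```

Without the rewrite rules, each product and category page would be scanned as a separate URL, multiplying scan time for no additional coverage; without the exclusions, the scanner would log itself out on every crawl pass and submit the contact form repeatedly.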

Before scanning your website, the target host must be ready for the test. Ensure that the
target host stays online during the scanning process. In addition, you can use the Pause
and Stop features. To avoid any service breakdowns, you can use the Scan Time
Window to set the time for Netsparker to scan the target URL.

For further information, see Overview of Scan Policies and Scan Policy Optimizer.

Scanning Your Web Applications

Think of your web applications as a potential back door into your business. Modern web
applications let users interact with the host's network or server. Poor coding and weak
hardening undermine web application security. If the web application is not developed
to the relevant security standards, it can be manipulated by exploiting vulnerabilities
and misconfigurations.

Netsparker's advanced Proof-Based Scanning™ technology makes it easy to identify SQL
Injection, Cross-site Scripting (XSS) and thousands of other vulnerabilities in web
applications. Netsparker can also detect out-of-date web application technologies to help
you keep your web application up to date.

The VDB (Vulnerability database) is updated every week.

In the Netsparker Standard edition, there are also built-in security testing tools such as
HTTP Request Builder, ViewState Viewer, and Encoding and Decoding Tools. It also has a
report generator that allows the user to export the details of the scan results. Netsparker
can be easily integrated into your SDLC, DevOps and other environments to help keep your
web applications secure.
For further information, see What is Netsparker? and Integrating Netsparker Enterprise
into Your Existing SDLC.

Reviewing and Comparing Scan Results with Previous Scans

If you already have a Netsparker edition, you have probably already scanned your web
application. Previous scans give you a baseline for tracking how the application's security
develops. Compare the old and new scan results, and review the newly discovered issues.

 Netsparker allows you to retest the issues found on a previous scan.

 You can also choose the security test type for specific vulnerabilities.

 Incremental scans help you save time. Instead of scanning the whole web application
again, you can scan only the pages added since the last scan.

You can integrate an issue tracker with Netsparker to help you manage and maintain a list
of all the issues at each stage of the SDLC (Software Development Life Cycle).

For further information, see Creating a New Scan and Reviewing Scan Results and
Imported Vulnerabilities.

Fixing Issues

Attackers use different methods to hack web applications. Every day brings the potential for
a new attack. Scheduling and performing periodic security scans are vital. Each scan may
discover new vulnerabilities in your web application. If vulnerabilities are detected, you need
to fix them as quickly as possible and then re-test them with Netsparker. At this point,
Netsparker checks whether the issues are properly fixed. If so, they are marked as
resolved.  This process needs to be conducted continuously so that the security of your web
applications is maintained.

For further information, see Updating the Status of an Issue in Netsparker Enterprise.


Retesting Fixed Issues

The main objective of a security scan is to detect issues and fix them. Netsparker lets you
retest the issues to check if they are fixed or not. Instead of starting a full scan, you can
retest only the fixed issues.

In Netsparker Standard, you can retest a single issue or multiple issues at once. In
Netsparker Enterprise, you can retest all issues. Netsparker Enterprise automatically
checks the issue. If it is fixed as intended, the issue will be marked as Fixed. If not, the
issue will be assigned back to the Assignee. If you are sure that the issue is a false positive,
you can mark it as a False Positive. You can also mark the issue as Accepted Risk if you
are aware of its impact. And, finally, you can manually mark an issue as Fixed
(Unconfirmed).

For further information, see How to Run a Retest in Netsparker Enterprise, and How to
Run a Retest in Netsparker Standard.

Generating Reports

Reporting is the most important step in the web application security scanning process.
Netsparker can generate reports based on relevant regulations. If you want your web
application to be compliant with ISO 27001, generate an ISO 27001 Compliance Report to
check for specific vulnerabilities and apply the correct remedies. 

Netsparker Enterprise On-Demand also has a PCI compliance feature that enables you to
automate most of the process and generate approved PCI compliance reports. When a PCI
scan is completed, websites that meet the standard will receive an approved compliance
report. If the website fails, you can fix the listed vulnerabilities and retest them.

Netsparker also enables you to create custom reports (see Custom Report Policies). This
means you can change the vulnerability details, classification numbers, actions to take or
add the logo of your organization.
Report Templates

In Netsparker, you can generate and download individual scan reports of various types,
including compliance reports, from a set of Report Templates.

In Netsparker Enterprise and Netsparker Standard, scan reports are accessed differently:

 In Netsparker Enterprise, scan reports are accessed from the Recent Scans window.

 In Netsparker Standard, scan reports are downloaded from the Reporting tab, along
with Lists.

The Report Templates are described below.

New Report Template: A Netsparker Standard only feature that enables you to customize
and name your own report template, using one of the other report templates as a Base
Template. For further information on how to create your own custom report templates
using the Custom Reporting API, see Custom Reports.

Detailed Scan Report: A detailed report that outlines scan details such as request,
response and vulnerability descriptions, including information on the impact of the
vulnerability, remedy procedure, classifications and proof URLs. This report also
includes a summary of which settings were used. For further information, see Detailed
Scan Report.

Executive Summary Report: A brief report that includes recommendations and summaries
based on the most recent scan of the website. For further information, see Executive
Summary Report.

HIPAA Compliance Report: A report that lists the vulnerabilities covered by the HIPAA
standards, along with their details. For further information, see HIPAA Compliance
Report.

ISO 27001 Compliance Report: A report that outlines the vulnerabilities covered by the
ISO 27001 standard, along with their details. For further information, see ISO 27001
Compliance Report.

OWASP Top Ten 2013 Report: A detailed report that outlines the OWASP Top Ten 2013
vulnerabilities, along with their details. For further information, see OWASP Top Ten
2013 Report.

OWASP Top Ten 2017 Report: A detailed report that outlines the OWASP Top Ten 2017
vulnerabilities, along with their details. For further information, see OWASP Top Ten
2017 Report.

PCI DSS Compliance Report: A report that lists the vulnerabilities that fall under the
PCI classification, along with their details. For further information, see PCI DSS
Compliance Report.

SANS Top 25 Report: A detailed, Netsparker Standard only, report that outlines the
CWE/SANS Top 25 vulnerabilities, along with their details. For further information, see
SANS Top 25 Report.

Comparison Report: A detailed, Netsparker Standard only, report that compares the
results of two or more scans. For further information, see Comparison Report.

Knowledge Base Report: A report that lists the Knowledge Base details of the scan. For
further information, see Knowledge Base Report.

F5 BIG-IP ASM WAF Rules: A report that lists the vulnerabilities according to the BIG-IP
ASM WAF Rules. For further information, see BIG-IP ASM WAF Rules Report.

ModSecurity WAF Rules: A report that lists the vulnerabilities according to the
ModSecurity WAF Rules. For further information, see ModSecurity WAF Rules Report.

For further information on how to modify the way vulnerabilities are reported during a scan,
and report them to match your organization's security policies, see Custom Report
Policies.

For further information on how to generate and download Vulnerabilities Lists, as well as
Scanned URLs and Crawled URLs lists in both Netsparker Enterprise and Netsparker
Standard, see Lists.

How to Generate and Download a Report in Netsparker Enterprise

1. Log in to Netsparker Enterprise.
2. From the main menu, click Scans, then Recent Scans. The Recent Scans window
is displayed.
3. Next to the relevant scan, click Report. The Scan Summary window is displayed.
4. Click Export. The Export Report dialog is displayed.
5. From the Report dropdown, select the relevant report.
6. From the Format dropdown, select an option.
7. If required, select Exclude Addressed Issues to exclude from the report any
issues on which you have already taken action.
8. If required, select Only Confirmed Issues to include only confirmed issues in
the report.
9. Click Export. You can view the report in the saved location.
How to Generate and Download a Report in Netsparker Standard

1. Open Netsparker Standard.
2. From the ribbon, select the File tab. Local Scans are displayed. Double-click the
relevant scan to display its results. (For a Comparison Report, this is the first
scan you want to add to the report.)
3. From the Reporting tab, click the icon of the report you want to generate (e.g.
HIPAA Compliance Report).
4. The Save Report As dialog box is displayed. (If you selected Knowledge Base
Report in step 3, this step and the next do not apply. Go to step 6.)
5. Select a save location and click Save. The report is saved.
6. The Export Report dialog is also displayed at this point, with the Path field already
populated from the previous dialog.
7. From this dialog, you can do the following:

 In the Path field, change the save location

 From the Policy dropdown, select a Default or New Report Policy

 Select to Export as HTML or Export as PDF

 Enable Open Generated Report to open the report immediately upon saving it
(checked by default)

 Enable Export All Variations to include all vulnerability variations in the report, or
check Export Only Confirmed to include only confirmed vulnerabilities

8. Click Save. The report will open automatically.

If you selected Comparison Report in step 3, the following additional steps apply.

9. The Add Netsparker Session File(s) dialog is displayed.
10. Select the relevant file, and click Open. The report opens immediately.
How to Use Your Company Logo in a Report in Netsparker Standard

This replaces the Netsparker logo in the report. Writing to the folder below requires
administrator rights on the machine.

1. Navigate to C:\Program Files (x86)\Netsparker\Resources\Images\.
2. Replace the mini-logo.gif file with your company's logo, keeping the same file name.
(Rename the extension of the original file first so that you keep a backup.)
3. You can now generate reports with your company's logo, without needing to restart
Netsparker.

Built-In Reports
Netsparker has several built-in reports that provide you with both an overview and an in-
depth look at the security state of all your websites and web applications.

 It also has a Reporting tool that allows you to generate your own statistical reports,
allowing you to better manage the security of all your web applications.

 You can also export the scan results as either an HTML or PDF Detailed Scan Report,
or as several other report types such as a list of all identified vulnerabilities in XML
format.

For further information, see Generating and Viewing Statistical Reports in Netsparker
Enterprise, Report Templates and Lists.

Generic Trend and Status Security Reports

From the global, websites group or single website dashboard in Netsparker Enterprise you
can get a good overview of the security state of all your websites.

For further information on reports available on the Dashboard, see Viewing the Global
Dashboard in Netsparker Enterprise.

Trend Matrix Reports

The Trend Matrix Report allows you to see correlated trending data about the status of the
identified vulnerabilities across several scans. It provides detailed information about every
vulnerability identified on a single website, such as when it was found, when it was fixed,
and whether it reappeared in later scans.

You can access the Trend Matrix report from the Scan Summary Dashboard in Netsparker
Enterprise, which displays scanning information for a single website (see How to View the
Scan Summary Dashboard in Netsparker Enterprise).

From the Trend Matrix Report, you can see when a vulnerability was identified, fixed and
possibly identified again in later scans. Therefore, apart from giving you an overview of the
security state of a website, the trending report also lets you track the progress and work of
the developers, and spot regressions where a previously fixed issue has returned.
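Both the scan comparison described under Reviewing and Comparing Scan Results with Previous Scans and the Trend Matrix described here rest on the same logic: match issues across scans and classify each one as new, still open, fixed or revived. The following Python script is an added example written for this page, not Netsparker's code; it runs that logic over a constructed scan history so the four statuses are unambiguous. The scan dates, issue tuples and the (type, URL, parameter) key are assumptions for the example; the product uses its own issue identifiers.

```python
"""Scan-to-scan comparison and trend matrix.

Added example, not Netsparker code.  Netsparker's Comparison Report and Trend
Matrix Report do this inside the product; this script shows the underlying
logic on constructed results.  Issues are keyed by (type, url, parameter),
an assumption for the example.
"""

# Constructed scan history.  Each issue: (type, url, parameter);
# "" means the issue has no parameter (e.g. a missing response header).
SCANS = {
    "2023-01-10": {
        ("SQL Injection", "/product", "id"),
        ("Reflected XSS", "/search", "q"),
        ("Missing X-Frame-Options", "/", ""),
    },
    "2023-02-14": {
        ("Reflected XSS", "/search", "q"),
        ("Missing X-Frame-Options", "/", ""),
        ("Open Redirect", "/login", "next"),
    },
    "2023-03-20": {
        ("SQL Injection", "/product", "id"),   # regression: back after being fixed
        ("Missing X-Frame-Options", "/", ""),
        ("Open Redirect", "/login", "next"),
    },
}

OPEN_STATES = ("new", "open", "revived")


def compare(previous, current):
    """Diff two result sets: issues new in current, fixed since previous, still present."""
    return {
        "new": sorted(current - previous),
        "fixed": sorted(previous - current),
        "persisting": sorted(previous & current),
    }


def trend_matrix(scans):
    """Rows are issues, columns are scans in date order.

    Cell values: 'new' (first seen), 'open' (still present), 'fixed' (present in
    the previous scan, absent now), 'revived' (absent after a fix, present again),
    '-' (not yet seen, or still fixed).
    """
    dates = sorted(scans)
    issues = sorted(set().union(*scans.values()))
    matrix = {}
    for issue in issues:
        row, state = [], "absent"
        for date in dates:
            present = issue in scans[date]
            if present and state == "absent":
                cell = "new"
            elif present and state == "fixed":
                cell = "revived"
            elif present:
                cell = "open"
            elif state in OPEN_STATES:
                cell = "fixed"
            else:
                cell = "-"          # never seen yet, or still fixed: state unchanged
            if cell != "-":
                state = cell
            row.append(cell)
        matrix[issue] = row
    return matrix


def open_issues(scans):
    """Issues still open after the most recent scan."""
    return sorted(issue for issue, row in trend_matrix(scans).items()
                  if row[-1] in OPEN_STATES)


def render(scans):
    """Plain-text trend matrix, one line per issue."""
    dates = sorted(scans)
    lines = ["issue".ljust(48) + "  ".join(dates)]
    for issue, row in trend_matrix(scans).items():
        label = f"{issue[0]} {issue[1]} [{issue[2] or '-'}]"
        lines.append(label.ljust(48) + "  ".join(c.ljust(10) for c in row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SCANS))
    print()
    before, latest = sorted(SCANS)[-2:]
    for status, items in compare(SCANS[before], SCANS[latest]).items():
        print(f"{status:10} {items}")
```

The key choice is what identifies "the same" issue between scans. Keying on (type, URL, parameter) is strict enough to keep a fix on one parameter from hiding the same flaw on another, but a URL rewrite or a renamed parameter will make an old issue look new and a new one look fixed, so the matrix is only as stable as the scan configuration behind it.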
Scan Results Report

Once a web security scan is complete, you can access the report of that scan in both
Netsparker Enterprise and Netsparker Standard, where you can see all the technical
details of every identified vulnerability.
How to View the Scan Results Report in Netsparker Enterprise

Scan results are generated automatically in Netsparker Enterprise.

1. First, run a scan.


2. From the main menu, click Scans, then Recent Scans.
3. Next to the relevant scan, click Report. The Scan Summary Dashboard is displayed,
showing the scan results for that website.

For further information, see Viewing the Scan Summary Dashboard in Netsparker
Enterprise.

How to View the Scan Results Report in Netsparker Standard

1. First, run a scan.
2. The scan results are displayed in the Central Panel.

For further information, see Viewing the Scan Summary Dashboard in Netsparker
Standard.

How to Find the Scan ID of a Report


1. Open the scan results report (see Scan Results Report).
2. In the report's URL (which is similar to
'https://www.netsparkercloud.com/scans/report/[ScanId]/'), find the ScanId and keep
it somewhere safe. You will need the value of the ScanId later to identify the base
scan of an Incremental Scan.

Creating new Scans

https://www.netsparker.com/support/creating-new-scan-netsparker/
