In Netsparker Version 3 we introduced the all-new Scan Policy Editor, which can be used to fine-tune web application security scans so they take less time to complete and consume less bandwidth. In this blog post we will see how to use the Scan Policy Editor to create your own custom Scan Policies and save them for use in future scans.
Scan Policies and the Scan Policy Editor
A Scan Policy is a list of web vulnerability checks that should be launched during a web application security scan. When using the Scan Policy Editor to create a new or modify an existing Scan Policy, you can granularly specify which vulnerability security tests should run during a web application security scan with Netsparker.
Previously you could only enable or disable all cross-site scripting security tests at once; now it is possible to enable or disable specific cross-site scripting vulnerability variants. The same applies to all other vulnerability classes, such as SQL Injection. The main advantages of having Scan Policies are:
- Web application security scans take much less time to complete.
- Less bandwidth is consumed during a scan.
- Much less load is placed on the web application during a web application security scan.
- Create your own Scan Policies and save them to use them in future scans rather than reconfiguring Netsparker each time.
- You can disable the web security checks that are irrelevant to your scenario. E.g. if you have a MySQL server, Netsparker won’t launch MS SQL or Oracle security checks during a security scan.
This update also allows us to ship extra signatures in the near future. For example, there will be signatures to bypass certain WAFs (web application firewalls); if you are using a WAF, you can customize your policy and enable those extra checks. If you are not, your scan will not generate extra requests, since the security tests for web application firewalls will be disabled. Where possible, Netsparker will also auto-optimize the active configuration on the fly according to the target website for these extra signatures.
Built-In Netsparker Scan Policies
Six built-in Scan Policies are available in the Netsparker web application security scanner and can be accessed by clicking on the arrow button in the Scan Policy section, as seen below.
The Netsparker built-in Scan Policies are explained below:
All Security Checks: This Scan Policy includes all the security checks in Netsparker. This is ideal if you are not familiar with the target web application.
All Security Checks (MS SQL): If the target web application uses Microsoft SQL Server as database backend, it is recommended to use this Scan Policy.
All Security Checks (MySQL): If the target web application uses MySQL database server as database backend, it is recommended to use this Scan Policy.
All Security Checks (Oracle): If the target web application uses Oracle server as database backend, it is recommended to use this Scan Policy.
All Security Checks (PostgreSQL): If the target web application uses PostgreSQL server as database backend, it is recommended to use this Scan Policy.
Passive Security Checks: As the name implies, this Scan Policy contains only passive and analysis vulnerability checks. Vulnerability checks that inject payloads into your web application, such as SQL injection or Cross-site scripting, are not included in this Scan Policy.
How to Create a New Custom Scan Policy
From the Start a New Scan window, which is used to launch a new web application security scan, click on Options and then on the three-dot button on the far right of the Scan Policy section, as highlighted below.
This will launch the Scan Policy Editor, which we will use to create and save our new custom Scan Policy. Below is a screenshot of the Scan Policy Editor.
1. Click on the New button for a new Scan Policy. Once it is created and listed in the Policy Name section, which can be seen in the top left corner of the above screenshot, click on the name to rename the Scan Policy.
2. From the General Settings section (top right section in Scan Policy Editor) you can specify a description for the new Scan Policy, and also specify which modules and parsers should be enabled or disabled when using the newly generated Scan Policy. Below is a list of options:
- Wait Resource Finder: Set this to True if you would like to wait until the Resource Finder module in Netsparker finishes looking for hidden directories and resources. Set it to False if you would like to start the vulnerability checks without waiting for this module.
- Knowledge Base: Enable or disable the knowledge base checks and node during this web security scan. This might affect what some engines detect.
- Text Parser: The text parser is used to parse static HTML to find comments and links. Set to True to enable the text parser and False to disable it.
- Analyze JS / AJAX: This option is used to enable or disable JavaScript and AJAX (client side scripts) analyzers, which are used to execute client side scripts and discover links and other pages which are accessible via such scripts.
3. To select which web security vulnerability checks should be launched during a scan, highlight a test group in the bottom left Test Groups window to see all the web security checks it contains, which show up in the bottom right Tests window. You can enable or disable a whole test group (left window) or individual security tests (right window).
4. Once you are ready with the selection of web vulnerability checks, click OK to save your new Scan Policy.
5. Select your newly generated Scan Policy for your next web application security scan from the Scan Policy drop-down menu in the Options of the Start a New Scan window.