False-Positive Free
All web application security scanners report false-positives, which means they report vulnerabilities that don’t exist.
Netsparker will try lots of different things to confirm identified issues. If it can’t confirm it and if it requires manual inspection, it’ll inform you about a potential issue generally prefixed as [Possible], but if it’s confirmed, that’s it. It’s a vulnerability. You can trust it.
Netsparker confirms vulnerabilities by exploiting them in a safe manner. If a vulnerability is successfully exploited it can’t be a false-positive. Exploitation is carried out in a non-destructive way.
Technical Details
When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.
Same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.
Some of great features supported by Netsparker
- JavaScript / AJAX / Web 2.0 Support
- Detailed Issue Reporting
- Automation
- Logging
- Reporting
XML
RTF / Word
- Integrated Exploitation Engine
Exploitation of SQL Injection Vulnerabilities
Getting a reverse shell from SQL Injection vulnerabilities
Exploitation of LFI (Local File Inclusion) Vulnerabilities
Downloading source code of all crawled pages via LFI (Local File Inclusion)
Downloading known OS files via LFI (Local File Inclusion)
Post-Exploitation
- Authentication
Basic Authentication
Form Authentication
- Custom 404 Detection
- Heuristic URL Rewrite Detection
- List of Vulnerability Checks
- List of issues Netsparker is looking for.
- SQL Injection
- XSS (Cross-site Scripting)
- XSS (Cross-site Scripting) via Remote File Injection
- XSS (Cross-site Scripting) in URLs
- Local File Inclusions & Arbitrary File Reading
- Remote File Inclusions
- Remote Code Injection / Evaluation
- OS Level Command Injection
- CRLF / HTTP Header Injection / Response Splitting
- Find Backup Files
- Crossdomain.xml Analysis
- Finds and Analyse Potential Issues in Robots.txt
- Finds and Analyse Google Sitemap Files
- Detect TRACE / TRACK Method Support
- Detect ASP.NET Debugging
- Netsparker identifies if ASP.NET Debugging is enabled.
- Detect ASP.NET Trace
- Netsparker detects if ASP.NET Tracing is enabled and accessible.
- Checks for CVS, GIT and SVN Information and Source Code Disclosure Issues
- Finds PHPInfo() pages and PHPInfo() disclosure in other pages
- Finds Apache Server-Status and Apache Server-Info pages
- Find Hidden Resources
- Basic Authentication over HTTP
- Source Code Disclosure
- Auto Complete Enabled
- ASP.NET ViewState Analysis
- ViewState is not Signed
- ViewState is not Encrypted
- E-mail Address Disclosure
- Internal IP Disclosure
- Cookies are not marked as Secure
- Cookies are not marked as HTTPOnly
- Directory Listing
- Stack Trace Disclosure
- Version Disclosure
- Access Denied Resources
- Internal Path Disclosure
- Programming Error Messages
- Database Error Messages
For more detailed features screen shots & demo click here