Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Transcription

1 Netsparker is the first false-positive free scanner. In this document you can see the details of features, how to use them and how to tweak Netsparker. If you can t find what you are looking for, please contact us (support@mavitunasecurity.com) and we will get back to you as soon as possible. Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

2 Chapter: <Table of Contents 2 Table of Contents... 2 Introduction to Netsparker... 5 Product Overview... 5 Feature List... 6 False-Positive Free... 6 JavaScript / AJAX / Web 2.0 Support... 6 Detailed Issue Reporting... 6 Automation... 6 Logging... 7 Reporting... 7 DRM Free Licensing... 7 Integrated Exploitation Engine... 7 Post-Exploitation... 7 Authentication... 8 Technical Details Address Disclosure... 9 Internal IP Disclosure... 9 Cookies are not marked as Secure... 9 Cookies are not marked as HTTPOnly... 9 Directory Listing... 9 Stack Trace Disclosure... 9 Version Disclosure Access Denied Resources Internal Path Disclosure Programming Error Messages Database Error Messages SQL Injection Local File Inclusions & Arbitrary File Reading Remote File Inclusions Remote Code Injection / Evaluation XSS (Cross-site Scripting) OS Level Command Injection... 17

3 Chapter: <Table of Contents 3 CRLF / HTTP Header Injection / Response Splitting Find Backup Files Crossdomain.xml Analysis Finds and Analyse Potential Issues in Robots.txt Finds and Analyse Google Sitemap Files Detect TRACE / TRACK Method Support Detect ASP.NET Debugging Detect ASP.NET Trace Checks for CVS, GIT and SVN Information and Source Code Disclosure Issues Finds PHPInfo() pages and PHPInfo() disclosure in other pages Finds Apache Server-Status and Apache Server-Info pages Find Hidden Resources Basic Authentication over HTTP Password Transmitted over HTTP Password Form Served over HTTP Source Code Disclosure Auto Complete Enabled ASP.NET ViewState Analysis ViewState is not Signed ViewState is not Encrypted Installing Netsparker System Requirements Installation Instructions Updating and Automatic Updates Getting Started Starting a new scan Customizing Scan Profiles Scan and Modules Tab Scan Scope Authentication Tab Advanced Settings Analyzing Vulnerabilities Merging Scans Using Netsparker... 43

4 Chapter: <Table of Contents 4 Scheduling Scan Profile and Schedule Settings Reporting Generating Custom Reports Custom Reporting and Templates How does it work Scripting Language Documentation Defining the extension of the report Testing Reports Security Command Line Arguments Sample Usages: Exploitation Fundamentals Exploiting SQL Injections Getting a Reverse Shell Using a Custom Listener Exploiting LFI Support Getting Support Get in touch with us Glossary B Black-box Scanning F W... 58

5 Chapter: Introduction to Netsparker 5 Product Overview Welcome to Netsparker, Next Generation Web Application Security Scanner. Netsparker is a powerful web application security scanner, which can crawl, attack and identify vulnerabilities in all types of web application whatever platform and technology it is built on. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more with easy-to-use and intuitive user interface. Netsparker helps web application developers or penetration testers to secure web applications easily and painless than ever before. With preset scan profiles, you can quickly start scanning your applications and get instant reports.

6 Chapter: Introduction to Netsparker 6 Feature List False-Positive Free Netsparker doesn t produce false positives, period. All web application security scanners report false-positives, that is, they report vulnerabilities which do not exist. Netsparker will try lots of different things to confirm identified issues. If it can t confirm them and requires manual inspection, it ll inform you about a potential issue generally prefixed as [Possible], but if it s confirmed, that s it. It s a vulnerability. You can trust it. Netsparker confirm vulnerabilities by exploiting them in a safe manner. If a vulnerability successfully exploited it can t be a false-positive. Exploitation is carried out by a non-destructive way. Please see False Positive Free Scanning in our website for more details about the technical details and overall technology. JavaScript / AJAX / Web 2.0 Support Netsparker has a JavaScript engine which can parse, execute and analyse the output of JavaScript and VBScript used in web applications. This allows Netsparker to successfully crawl and understand websites that use different AJAX frameworks, custom code or well known frameworks such as Query. Detailed Issue Reporting Netsparker reports vulnerabilities with maximum details to make the issue and impact clear to the user. For example, instead of simply reporting XSS (Cross-site Scripting), it will report one of the following issues: Reflective Cross-site Scripting Permanent Cross-site Scripting Cross-site Scripting via RFI (Where the user can carry out an XSS attack via RFI but cannot execute code) Limited Cross-site Scripting (Attack only works on Internet Explorer) The same goes for many other vulnerabilities. Impact and remediation of issues is also tailored based on the details, therefore developers will know what to do specifically to solve the right problem in the right way. Automation Netsparker provides CLI (Command Line Interface) for you to automate scans and integrate Netsparker into your automated scanning, reporting or development systems.

7 Chapter: Introduction to Netsparker 7 Logging Netsparker supports logging all HTTP Requests and responses as well as all identified vulnerabilities and other scan related data. This might help penetration testing companies that want to have a copy of all the actions carried out by the scanner. Reporting Netsparker provides several different report outputs: XML RTF / Word PDF If you like, you can use Netsparker s Reporting API to generate your own custom reports. Reporting API supports C# scripting and Netsparker ships with a sample report. All you need to do is use the provided template and create a new file and put it into the Report Templates folder. DRM Free Licensing Netsparker licensing system is very user-friendly and also respects users privacy. It s DRM free. You don t have to activate it every time you move your license, it doesn t require internet connection to activate or work. It works instantly, you don t have to login anywhere or get permission from us to start using your licence. Integrated Exploitation Engine Netsparker delivers detection, confirmation and exploitation of vulnerabilities in a single integrated environment. When Netsparker identifies a vulnerability, if the vulnerability has an exploitation module, it will let you exploit the vulnerability so that you can see the real impact of an attack. Currently it supports: Exploitation of SQL Injection Vulnerabilities Getting a reverse shell from SQL Injection vulnerabilities Exploitation of LFI (Local File Inclusion) Vulnerabilities Downloading the source code of all the crawled pages via LFI (Local File Inclusion) Downloading known OS files via LFI (Local File Inclusion) Post-Exploitation Netsparker is the only web application security scanner with an integrated exploitation engine. This gives Netsparker an edge and allows it to carry out some post-exploitation security checks. Currently it doesn t support a lot of checks, but we are working on that. Right now, the only check is carried after SQL Injections. When Netsparker identifies an SQL Injection, it will check if the database user has admin privileges. If the user has administrator privileges, it ll report a new issue called Database User Has Admin Privileges

8 Chapter: Introduction to Netsparker 8 Authentication Netsparker supports several authentication methods: Basic Authentication Form Authentication The user can configure form authentication for different websites. NTLM Authentication Digest Authentication This way you can test an application which requires one of the listed authentication methods. Figure 1: A Sample View from the User Interface

9 Chapter: Introduction to Netsparker 9 Technical Details When Netsparker identifies an SQL Injection, it can automatically determine how to exploit it and extract the version information from the application. When the version is successfully extracted, Netsparker will report the issue as confirmed, so that you can ensure that the issue is not a falsepositive. The same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser. List of issues Netsparker is looking for. Address Disclosure Netsparker identifies addresses exposed in the website. This can help users to determine what sort of information you exposed on the internet and can also help you to fight against spam. Internal IP Disclosure Netsparker identifies internal IP Disclosure issues where a system exposes its internal network IP address. Cookies are not marked as Secure Netsparker reports an issue if the cookies are not marked as Secure in HTTPS websites. Not marking cookies as Secure can allow attackers to steal the cookies over an HTTP connection and use those cookies to login to the application. Cookies are not marked as HTTPOnly Netsparker reports an issue if the cookies are not marked as HTTPOnly. JavaScript can t read cookies if the cookie is marked as HTTPOnly, which means that a Cross-site Scripting attack can t just steal the cookies via JavaScript. However that doesn t mean the application is secure. Cross-site Scripting vulnerabilities should be addressed even though cookies are marked as HTTPOnly since there are many other ways to use Cross-site Scripting attacks. HTTPOnly should be considered as a defence in depth feature and should be used where possible. Directory Listing Netsparker detects if directory listing is enabled in the web server. Directory listing can allow attackers to see all files in the system and can help them to gain more information or download sensitive files from the target system. Stack Trace Disclosure Netsparker determines if the target application is disclosing stack trace information. Stack trace can leak information about internals of the application and might include some sensitive data or application logic related clues.

10 Chapter: Introduction to Netsparker 10 Version Disclosure Netsparker identifies version disclosures in HTTP Headers and HTTP responses. It supports many frameworks and well known languages and web servers such as ORACLE, IIS, PHP, ASP.NET, Apache, Apache Modules, JSP. Figure 2: Apache Module Version Disclosure Access Denied Resources Netsparker reports an information issue when access is denied to the requested resources. This can help the user to determine the design of the application and possible resources that exist in the web server but are not publicly available. Internal Path Disclosure Netsparker determines if an application discloses internal paths related to the application or the configuration. This generally indicates a programming error in the application and can help an attacker to gain more information about internals of the system. An attacker can use this information while crafting an exploit for another identified vulnerability. Programming Error Messages Netsparker provokes the given website to give error messages and reports these. These errors have no direct security impact but most of the time they indicate a programming error, quality issue or a potential vulnerability in the application.

11 Chapter: Introduction to Netsparker 11 Many of them also leak information about the logic or the implementation of the application which can help an attacker to identify or exploit other related issues. Figure 3: Sample Programming Error Messages Example

12 Chapter: Introduction to Netsparker 12 Database Error Messages Netsparker provokes and reports database error messages leaked by the website. If the problem is related to SQL Injection, a separate issue will be raised by Netsparker, otherwise this is reported to inform the user that the application is giving away some database error messages which is potentially related to a programming error or another problem regarding the database connectivity. Figure 4: Database Error Messages Example

13 Chapter: Introduction to Netsparker 13 SQL Injection Netsparker can detect different SQL Injections including Error Based, Blind and Time Based SQL Injections. The SQL Injection engine is quite comprehensive and can detect Blind SQL Injections even in complicated queries. After identification of the vulnerability, Netsparker will carry out extra checks to determine if the database user used by the application has admin privileges. In this case it ll report a separate issue called Admin User DB Connection Figure 5: Database User Has Administrator Rigths Example

14 Chapter: Introduction to Netsparker 14 Local File Inclusions & Arbitrary File Reading Netsparker detects Local File Inclusion and Arbitrary File Reading issues. It detects if an attacker can access files and source code from the server. It supports Windows and *nix systems. It carries out advanced checks, uses process directories, Null byte injection attacks, dynamic file extension replacements and many other methods to bypass weak filters and black listings. It checks if the Local File Inclusion can be used for executing remote commands by injection code into log files. Netsparker has exploitation features for Local File Inclusion attacks. Figure 6: Local File Inclusion

15 Chapter: Introduction to Netsparker 15 Remote File Inclusions Netsparker detects if the application is vulnerable to Remote File Inclusions which allow an attacker to inject a remote file and execute a piece of code in the server. Netsparker carries out several dynamic requests and tries to bypass many weak protections and black-listings. Figure 7: Remote File Inclusion

16 Chapter: Introduction to Netsparker 16 Remote Code Injection / Evaluation Netsparker detects if the application evaluates / executes the given code within itself by using a dangerous call such as eval(). This is a very dangerous vulnerability and can allow an attacker to execute code in the server. Figure 8: Remote Code Evaluation

17 Chapter: Introduction to Netsparker 17 XSS (Cross-site Scripting) Netsparker identifies Permanent/Stored and Reflective Cross-site Scriptings. Cross-site scripting issues can be identified in parameters or in the URL. It carries our several different attacks to bypass known and custom weak protections. Figure 9: Cross-site Scripting XSS (Cross-site Scripting) via Remote File Injection Netsparker detects if it s possible for an attacker to call inject a remote file to execute JavaScript in the current page. This can be used by attackers to carry out normal Cross-site scripting attacks. XSS (Cross-site Scripting) in URLs Netsparker detects Cross-site Scripting issues in URLs. This is common in websites using URL Rewrite and PHP. OS Level Command Injection Netsparker detects if an attacker can inject an OS command via the web application to execute code in the server. This vulnerability can allow an attacker to gain full access over the server and the web application. CRLF / HTTP Header Injection / Response Splitting Netsparker detects CRLF injection issues in the web applications.

18 Chapter: Introduction to Netsparker 18 This issue can cause many problems. The most common of these Cross-site scripting and session hijacking by carrying out a session fixation attack. Find Backup Files Netsparker tries to find backup and temporary files in the target website by using crawled file names and well known names. Netsparker determines if this problem can lead to source code disclosure issues. Crossdomain.xml Analysis Netsparker detects and analyses crossdomain.xml files for problems such as open access policy. An attacker needs to attack an authenticated user of the website to exploit this problem successfully. The attacker can read authenticated users private messages or carry out actions as the attacked user. If the Crossdomain.xml file has open policy, the attacker can bypass any CSRF protections (nonce / CSRF tokens). Figure 10: Open Policy Crossdomain.xml Identified

19 Chapter: Introduction to Netsparker 19 Finds and Analyse Potential Issues in Robots.txt Netsparker detects and parse links in Robots.txt files. If it identifies a potentially critical URL listed in the Robots.txt it will report the problem with details. Figure 11: Robots File Identified

20 Chapter: Introduction to Netsparker 20 Finds and Analyse Google Sitemap Files Netsparker detects and parses Google Sitemap files to increase the coverage and inform the user that the sitemap file is accessible to confirm that this is the intended behaviour. Figure 12: Sitemap File Identified

21 Chapter: Introduction to Netsparker 21 Detect TRACE / TRACK Method Support Netsparker checks and determines if the TRACE / TRACK HTTP Methods are supported and enabled by the web server. Figure 13: TRACE / TRACK Identified

22 Chapter: Introduction to Netsparker 22 Detect ASP.NET Debugging Netsparker detects if ASP.NET Debugging is enabled. Figure 14: ASP.NET Debugging Enabled Detect ASP.NET Trace Netsparker detects if ASP.NET Tracing is enabled and accessible. An attacker can use ASP.NET Tracing output to access active users sessions and gather information about the application and its structure. Checks for CVS, GIT and SVN Information and Source Code Disclosure Issues Netsparker detects files disclosed by source code versioning systems such as CVS, GIT and SVN. An attacker might exploit this problem to gain access to the source code of the application or might retrieve configuration and other important files.

23 Chapter: Introduction to Netsparker 23 Finds PHPInfo() pages and PHPInfo() disclosure in other pages Netsparker attempts to find forgotten phpinfo files in the system. It also reports the PHPinfo() output in all crawled pages. Information disclosed from PHPInfo() might help attackers to gain more information about the target system. Figure 15: PHP Info Disclosure Finds Apache Server-Status and Apache Server-Info pages Netsparker detects if the Apache Server-Status or Server-Info pages are publicly accessible. Apache Server-Status and Server-Info can be used by attackers to gain more information about the target system and will help them to find hidden URLs and currently visited URLs. Find Hidden Resources Netsparker looks for hidden files and directories in the target website. These include: Test files Management files and directories Known vulnerable files / scripts For example, even if it s not linked anywhere in the website, Netsparker will identify the admin directory.

24 Chapter: Introduction to Netsparker 24 Basic Authentication over HTTP Netsparker reports if the server requests Basic Authentication over HTTP. An attacker sitting between the user and the website might carry out a MITM (Man in the middle) or sniffing attack to capture the user s password. Password Transmitted over HTTP Netsparker identifies if the website sends passwords over HTTP. An attacker sitting between the user and the website might carry out a MITM (Man in the middle) or sniffing attack to capture the user s password. Password Form Served over HTTP Netsparker determines if a login form server over HTTP and the target of the form is HTTPS. Many developers might not be aware that this is a security issue, therefore Netsparker reports a detailed issue for this problem to ensure that the issue is correctly addressed by developers. An attacker sitting between the user and the website might carry out a MITM (Man in the middle) and inject a piece of JavaScript code to steal the password before it reaches HTTPS, or he/she can easily change the target of the form to HTTP as well to steal the user s password.

25 Chapter: Introduction to Netsparker 25 Source Code Disclosure Netsparker provokes the web server to disclose source code where possible and detects whether the source code disclosure is due to a configuration problem or a security issue or just left commented in the code. An attacker can access hard coded passwords, might gain information about the logic of the application and the system by reading the disclosed source code. Figure 16: ASP.NET Source Code Disclosure Auto Complete Enabled Netsparker determines if Auto Complete is left Enabled in sensitive form fields such as Credit Card numbers. An attacker who can access the user s computer can access these cached auto complete data via the browser. This is especially critical if the website is used from public computers. ASP.NET ViewState Analysis Netsparker analyses ViewState related issues in ASP.NET pages. ViewState is not Signed Netsparker reports a new issue if the ViewState in the page is not signed. In this case an attacker might modify the content of the ViewState and subvert the logic of the application or carry out other attacks by changing the ViewState.

26 Chapter: Introduction to Netsparker 26 ViewState is not Encrypted Netsparker reports a vulnerability if the ViewState in the page is not encrypted. In this case an attacker can read the data within ViewState by simply decoding it. This might leak sensitive information. Figure 17: ASP.NET ViewState Analysis

27 System Requirements Microsoft Windows XP Professional Edition Service Pack 2 or Windows Server 2003 Service Pack 1 or higher Microsoft Internet Explorer 6 or higher Microsoft.NET Framework 3.5 Service Pack 1 runtime 1Ghz Pentium processor or higher 512 MB of available RAM (minimum); 1 GB (recommended) 100 MB of HDD space for installation and additional 100 MB for scanning CD or DVD drive is not required Installation Instructions First, please make sure that you read the release notes if provided with the installation package. Also make sure that you have the latest service packs and Windows updates on your computer. Download the latest version of Netsparker from the provided download location and save the setup file to your computer. When download finishes, run NetsparkerSetup.exe to start the installation wizard. Figure 18: Installer Window The first page of the wizard is the Licence Agreement page. On this page, review the Licence Agreement and press I Agree button to continue. On the second page Netsparker Setup will provide a default installation folder; if you need to change the destination folder, press Browse... to change it, and press Continue to proceed. The following page will ask you to choose the Start Menu folder, you can change it if you want, and press Install to start installation. Installation will take up to a few minutes and then pressing Close will exit Netsparker setup.

28 Chapter: Installing Netsparker 28 After finishing installation, Netsparker will start and ask for the licence file. Press the Load Licence File... button to locate the licence file. This action will copy your licence file into the program folder and load the main user interface. Figure 19: Licence Question Window Updating and Automatic Updates When you run Netsparker for the first time, it asks for your permission to access the update server. So, Netsparker can automatically update itself over the Internet. If you decide not to do so, you can update manually by selecting Check for Updates on the Help menu or by Ctrl+U keyboard shortcut. Figure 20: Check for Updates Menu If automatic updates are enabled, Netsparker connects to the update server to check for available updates once a day. Netsparker does not connect to the Internet without your permission i. When there is an available update, it will prompt you to confirm the download and installation of the update. When you press Yes the update will be downloaded and installation wizard will start. Figure 21: Update Found Dialog You can enable or disable Automatic Updates at any time by using Advanced Settings on the Settings menu.

29 Starting a new scan To start a new scan with Netsparker, click Start a New Scan button from the File menu or from the toolbar. Type the address (URL) of the web application to be scanned in the Target URL box in the opened dialog window and click the Start button. After typing the URL of the web application, you can customize the scan by clicking the Profiles button and selecting one of the preset scan profiles and afterwards start the scan by clicking the Start button. You can find detailed information on customization options in the Start a New Scan dialog window in the Customizing Scan Profile section Figure 22: Start a New Scan Button The scan time will vary depending on size of the scanned web application, performance of the server on which it is running, and also the selected scan profile. During the scan, you can find detailed information about the scan progress on the Dashboard and track issues identified during the scan in the Issues and Sitemap panels.

30 Chapter: Getting Started 30 Customizing Scan Profiles Scan and Modules Tab In this tab, you can choose the issues the scanned web application will be tested against and speed and scope of the scan. When the Crawl Only option is not selected, attack types to be performed during scan can be chosen with Tests to Run. Figure 23: Tests to Run Window The Crawl Only option is used to scan without attacking the web application. When this option is selected, only the site map will be prepared and issues found identified this process will be reported. Crawl Only mode will not identified issues requires active attacking such as SQL Injection and Crosssite Scripting. This mode is useful if you want to assess some security best practices passively. Crawl Only mode report issues such as Auto Complete is enabled, Password Transmitted over HTTP and Cookies are not Marked as Secure. Scan Scope Scan scope defines which part of the application Netsparker allowed to crawl and attack. The scan scope can be chosen out of three different options: Figure 24: Scan Scope Option Entered Path and Below Scan requests and attacks are only made to the target path and URLs under that path. For example if the entered URL was Will be tested:

31 Chapter: Getting Started Will not be tested: Protocol is different (target URL was https) URL is not under the given target Different domain or subdomain Only Entered URL Scan requests and attacks are only made to the target link and no external links are followed. This function is quite useful if you want to test only one page and all parameters in that page without testing the whole web application. Be careful if you enter will be tested as well. This scope uses includes all URLs starts with the given target URL. For example if the entered URL was Will be tested: Will not be tested: URL does not start with the given target Protocol is different (target URL was https) URL does not start with the given target Different domain or subdomain

32 Chapter: Getting Started 32 Whole Domain The target URL is taken as the start point and all the URLs beginning with the same hostname are scanned. For example if the entered URL was Will be tested: Will not be tested: Different domain or subdomain Authentication Tab In the Authentication Tab, you can configure the authentication settings required for access to the web application you will scan with Netsparker. Netsparker supports NTLM, Basic, Digest Authentication and Forms Authentication. It also offers Cookie support if you need to set custom cookies. Figure 25: Authentication Tab

33 Chapter: Getting Started 33 Configure Form Authentication If the target web application requires to login via a web form you can configure it from this short wizard. When it s configured correctly Netsparker will stay logged in to the application during the scan. First Step In the section you enter by clicking the Configure Form Authentication button; Support Dynamic Tokens: By activating this option, you can enable support for dynamic tokens used against vulnerabilities such as CSRF, Login Form Url In this field, you should type the URL of the Login Page of the application you want to scan, A Login Required Url, this field you should type the URL of a page accessible only after login is performed to the application, Username and Password fields should be filled in with the username and password required for logging in. Figure 26: Configure Form Authentication Step 1 Proceed to the next step after you fill in the relevant fields with correct information by clicking the Next button. Second Step In the second step, Netsparker will make a request to the login page of the application and fill up the username and password in the relevant fields automatically. What should be done here is make sure that the relevant information is typed correctly and complete the login procedure by from the login form presented by the web application. When you click to login Netsparker will identify the login request and will enable the Next button.

34 Chapter: Getting Started 34 Figure 27: Configure Form Authentication Step 2 Proceed to the next step with the Next button. Third Step Using the information you gave, Netsparker logs in to the web application automatically and in case logout is performed during scan, it offers the options String Based Logout and Redirect Based Logout determining how this condition will be detected. Figure 28: Confirm Logged out and Logged In Views Moreover, in order for you to confirm accuracy of the settings, Netsparker will show the logged out and logged in states of the application and enable you to respond in case there is a fault. If Redirect Based Logout is identified Netsparker will fill it out for you. If it hasn t you need enter a piece of text from logged out view. This text should not be visible in the Logged In view so Netsparker can understand that the application logged it out.

35 Chapter: Getting Started 35 After you complete the final step, you can click the Finish button to start the scan with the login information created by Netsparker. Netsparker also keeps the previous login information in the Logins folder under the My Documents\Netsparker Scans folder. Next time you scan the very same URL Netsparker will automatically remember the authentication details so you don t have to go through this process every time. However if you want to remove that profile you can click the Configure Form Authentication and then click the Cancel button again. This will remove the saved form authentication.

36 Chapter: Getting Started 36 NTLM / Basic / Digest Authentication If the application you want to scan requires NTLM, Basic or Digest Authentication you can easily meet this requirement with Netsparker. All you have to do is: Check the NTLM or Basic or Digest Authentication Required checkbox, Type the username needed for authentication in the Username field, Type the password in the Password field, Type the domain of the application you want to scan in the Domain field. Figure 29: NTLM / Digest / Basic Authentication Details To allow you to scan web sites with invalid SSL certificate Netsparker will not check for the validity of the SSL certificate of the target web application. Therefore in the case of MITM (mat in the middle attack) the given password can be in danger. Custom Cookies You can set custom cookies. These cookies will be send with every request and cannot be expired by the server responses. Figure 30: Custom Cookies Window You can easily add a cookie in this format: CookieName=Value or add multiple cookies in the form CookieName1=Value1; CookieName2=Value2 Exclude or Include Links Netsparker can limit the requests according to criteria determined by you. This will allow you to test only some parts of the target application or exclude some parts of the application from the test. Figure 31: Include & Exclude Rule Window Let us examine how this mechanism works through an example:

37 Chapter: Getting Started 37 When you activate the Exclude option and type logout in the relevant field, Netsparker will not make requests to links including the text logout while scanning your application. Netsparker will only look for the name in the URL not in the Link s name or the title. If the Logout Page s name sessionend.php you need to use sessionend instead of the text in the link such as Logout. In the same way, when you activate the Include option and type test in the relevant field, Netsparker will only make requests to links including the text test. This field allows you to enter RegEx rules. For example if you want to exclude logout.php and /nottotest folder you can use the following RegEx and choose the Exclude radio button. (logout\.php /nottotest)

38 Chapter: Getting Started 38 Advanced Settings Prior to starting to scan with Netsparker, from the Advanced Settings tab, you can choose how the pages will be analysed (Choose Parsers), optionally choose the proxy server address to be used (Proxy) and choose the database server type of the application you want to scan. Figure 32: Advanced Settings Choose Parsers To identify forms and link Netsparker uses two different parsers. Figure 33: Parsers Parse JavaScript / Ajax (DOM Parser): The DOM Parser analyses JavaScript / AJAX in the web application you want to scan and finds forms and links within them. It simulates and interprets the JavaScript for better accuracy. HTML / Text Parser: The Text Parser to HTML codes and links in text form in the application to be scanned. It s highly recommended to keep both of these parsers enabled in every scan. If you know that the target application has not many JavaScripts you can try to disable JavaScript parser to speed up the Crawling Phase. Connection You can activate this feature if a Proxy Server is required to access the target web application, or if you want to pass the requests to be made to the target web application you want to scan through a proxy server. By default Netsparker will use the Internet Explorer s proxy. If you want to disable this you can go to Settings» Advanced Settings and set DoNotUseSystemProxy to True

39 Chapter: Getting Started 39 Figure 34: Proxy Settings You can use the following formats to configure a proxy: Scan Optimisation If you know what the database the target web application running, you can choose the suitable option from the Scan Optimisation section and have the requests to be made during the scan optimised according to this database server, thus increase the scan performance by having it send less requests. Figure 35: Database Optimisation Some parts of the application you want to scan with Netsparker may use a different database server or you might not know the backend database server. In such cases where you cannot be sure for this reason, you can choose the Any option and have make Netsparker send requests including possibilities aimed at all database servers.

40 Chapter: Getting Started 40 Analyzing Vulnerabilities When Netsparker detects a new issue as a result of a scan, you can access the details of this issue from the Issues and Sitemap panels. There is no need to wait for completion of the scan to examine the issues. Figure 36: Issues Panel In the Issues panel, issues are listed in groups according to 4 different properties. Figure 37: Sample Issue Details After you choose the issue details of which you want to see from the Sitemap or Issues list, you can see the page including the issue from the Browser View tab and at the same time you can see HTTP requests and responses from the HTTP Request / Response tab. Figure 38: Browser View

41 Chapter: Getting Started 41 Figure 39: HTTP Request / Response View

42 Chapter: Getting Started 42 Merging Scans If a web application is hosted on two or more different hostnames, scanning and reporting can done by scanning first and merging the second or following scans. Whenever you press the Start a New Scan button, Netsparker asks you to decide if you want to clear previous scan results or merge them. If you clear current results by pressing the Yes button, new scan will start with a clear site map. If you press the No button, current results will be merged with the new scans result, so that you can analyse and report them together. Figure 40: Scan Merge Question

43 Scheduling Thanks to scheduling support, you can make your Netsparker scans run with daily, weekly or monthly periods and have the results saved to the given folder after the scan is complete. To schedule a new scan click to Start a New Scan or Schedule a New Scan then customise the scan and click Schedule Scan button. Scan Profile and Schedule Settings First thing to do is create a profile to specify the settings scans will use while running. Figure 41: Schedule a New Scan Window After the profile is set, you should specify the Scheduling settings by clicking the Schedule Scan button. After this button is clicked, the Schedule Scan window will open. Figure 42: Schedule Settings

44 Chapter: Using Netsparker 44 In the above window, the following settings should be made: Scheduled Task Name: Name of task to be scheduled. Run as User / Password: User name and password for running the relevant scan task. Recurrence: The time and intervals the scan will be repeated. o Run scan on / at: Start date and time of the scan. o Repeat: Repeating setting of the scan. It can be set as daily, weekly or monthly. Figure 43: Scan Recurrence Settings Reporting: Reporting settings. Figure 44: Reporting Settings o Report Type: Report format in which the scan result will be saved. You can get the scan result in Adobe PDF File, Microsoft Word (RTF) File, Microsoft Excel (XLS) File, Web Page (HTML), CSV File, Plain Text File, Vulnerabilities List (XML) formats. o Figure 45: Report Types Path: File path the report will be saved. Report path can include %date% or %time% variables in the file name. This will allow you to run the same scan over and over and have a separate report file for each. For example you can use the following path: C:\My Reports\Testsite-%date%-%time%.pdf Generated names will be like this: c:\my Reports\Testsite pdf Figure 46: Report Path After the relevant settings are made correctly and saved, on the specified time, the Windows Task Scheduler will start the relevant scan task and save the result report into the specified folder when the scan is over. After the save is complete, you can use Windows Task Scheduler to track the scan task.

45 Chapter: Using Netsparker 45 Reporting Netsparker offers two types of reporting systems. With the Generate Report option in the Reporting menu, you can obtain a report in which you can see all the vulnerabilities, print this report or save it in different file types. It is possible to obtain a report while the scan with Netsparker is still in progress or when it is completed. Generating Custom Reports You can access the report interface by using the Generate Report option in the Reporting menu on the menu bar, or with the Ctrl+E keyboard shortcut. You can see all the vulnerabilities as grouped according to their types on the left-hand side of the reporting interface. The vulnerabilities are listed as documents on the right-hand side. You can move over the document by clicking the groups or vulnerabilities on the document map. Figure 47: Reporting Document Map Figure 48: Sample Issue View from the Report In the Netsparker reporting interface; you can make searches within the report, change the page layout of your report and apply various styles to your report.

46 Chapter: Using Netsparker 46 Figure 49: Report Settings If you like, you can save the report with the buttons on the toolbar or with the Export Document... option from the File menu, print it with the Print option or send it as with the Send via option. Netsparker can report issues as Adobe Acrobat (PDF), webpage (HTML), rich text format (RTF), Microsoft Excel document (XLS, XLSX), plain text or various image formats and send these as e- mail. You can save the report in the rich text format (RTF) to open it in Microsoft Word or OpenOffice Writer.

47 Chapter: Using Netsparker 47 Custom Reporting and Templates Netsparker can help you to generate custom reports according to your business need and for integration with other software. Custom reporting tool employs a scripting engine to run your C# code to generate reports. How does it work During the startup of Netsparker, it scans for C# code files (*.cs) in "ReportTemplates" directory located under Netsparker's installation directory. Every identified file will be visible in the "Reporting" menu as a custom report. Scripting Language Scripting language is C#. Even if you haven't written code in C# before, it shouldn't be a problem. It's pretty easy to make simple changes. Here is a sample custom report code: <%@ Assembly Name="MSL.Project" %> <%@ Assembly Name="MSL.Interfaces" %> <%@ Assembly Name="MSL.Shared" %> <%@ Import NameSpace="FM.Dilemma" %> <%@ Import NameSpace="System.Collections" %> <%@ Import NameSpace="System.Collections.Generic" %> <%@ Import NameSpace="System.Security" %> <%@ Argument Name="vulns" Type="Array" %> <%@ Argument Name="settings" Type="ScanSettings" %> <?xml version="1.0" encoding="utf-8"?> <netsparker generated="<%=datetime.now.tostring()%>"> <target> <url><%=securityelement.escape(settings.uri.tostring())%></url> </target> <% foreach(vulnerability vuln in vulns){ %> <vulnerability confirmed="<%=vuln.confirmed.tostring()%>"> <url><%=securityelement.escape(vuln.requesturi.tostring())%></url> <type><%=vuln.type%></type> <severity><%=vuln.extendedtype.severity.tostring()%></severity> <vulnerableparametertype><%=securityelement.escape(vuln.urimanager.attackparameter.type.tostring())%></vulnerableparametertype> <vulnerableparameter><%=securityelement.escape(vuln.urimanager.attackparameter.name)%>< /vulnerableparameter> <vulnerableparametervalue><%=securityelement.escape(vuln.urimanager.attackparameter.val ue)%></vulnerableparametervalue> <rawrequest><%=securityelement.escape(vuln.rawrequest)%></rawrequest> <rawresponse><%=securityelement.escape(vuln.rawresponse)%></rawresponse> <extrainformation> <% foreach(keyvaluepair<string, CustomField> cfield in vuln.customfields){ %> <info name="<%=cfield.key%>"><%=securityelement.escape(cfield.value.value)%></info> <% } %> </extrainformation> </vulnerability> <% } %>

48 Chapter: Using Netsparker 48 </netsparker> This will generate an XML file which includes: All vulnerabilities Vulnerable Parameter and type (GET/POST) Vulnerability Details Confirmation Status Extra exploitation data Scan time Vulnerability severity etc... You can add more details into the reports, customise them or filter your reports for with custom criteria. Documentation You can find MSDN style API documentation under "ReportTemplates" directory, named "NetsparkerReportingAPI.chm" Defining the extension of the report Name of the C# code file will be visible under Reporting menu and when user clicks to it generated report will use the extension from the custom report file name. For example: "Vulnerabilities List (XML).xml.cs" - File extension will be "xml" "Vulnerabilities List as Web Page.html.cs" - File extension will be "html" Testing Reports You don't need to restart Netsparker every time you change the source code of your report. After Netsparker adds it to the report menu once all you need to do is run it again. If it fails to compile it'll let you know with an error message. Security Reporting engine runs with current user's privileges. So don't run the report unless you trust the author of the report.

49 Command Line Arguments You can use Netsparker from the command line interface. This interface can be used for automating scan operations or running a scan, settings of which were pre-specified with profiles and start-up parameters, with one click through a shortcut. Advanced scan settings can be specified from the console interface with profile support. Supported parameters are explained below. /a, /auto /p, /profile /u, /url /pr, /proxy When other parameters are given correctly, scan is carried out, report is saved and the program is closed. Name of the profile to be used during the scan. If not specified, the preset profile will be used. Address of the website to be scanned. If the profile file includes another website address, the address specified with this parameter will be taken into consideration. If two different URLs are specified in the profile and within this parameter, the one given with this parameter will be taken into consideration. Proxy server address. If the profile file includes another proxy server address, the address specified with this parameter will be taken into consideration. A valid proxy server address should be as follows: If a user name and password are required for logging on the proxy server, these should be given in the shown format. /r, /report /rf, /reportformat /rt, /reporttemplate File path the report will be saved. It should be used with the -a parameter. The full physical file path can be given; if only the file name is given, the created report will be saved into the folder the command is run. File format of the created report. If not specified, the report is created in pdf format; rtf, pdf, text, csv, xls or html formats are also supported. Type of the created report. If not specified, first type in the list will be valid. Sample Usages: Scan and save the report to C:\reports\report.pdf. Netsparker /a /url /rf pdf /r C:\reports\scanreport.pdf Launch a new scan parameter with a custom profile and URL: Netsparker /url /p LFI

50 Chapter: Using Netsparker 50 Figure 50: Netsparker Launched from Command Line with Custom Profile and URL

51 Chapter: Exploitation 51 Fundamentals Netsparker s integrated exploitation engine allows you to exploit certain vulnerabilities directly from the user interface. This does not require exploitation expertise and can be used easily. Currently Netsparker supports exploitation for the following vulnerabilities: SQL Injection o Error Based SQL Injection o Boolean SQL Injection LFI (Local File Inclusions) Figure 51: Exploitation Toolbar Netsparker will hilight exploitation buttons based on the selected vulnerability from the Issues Panel or Sitemap. Netsparker will not hilight buttons if the exploitation is not possible. For example if the database user in an SQL Injection vulnerability has not priviliges to execute commands Get Shell button will not get hilighted.

52 Chapter: Exploitation 52 Exploiting SQL Injections You can exploit the Error Based or Boolean Based SQL Injection vulnerabilities identified in the web application and run custom SQL queries in the application s database via Netsparker s SQL Injection panel. Figure 52: SQL Injection issues in the Issues Panel From the issues in the Issues panel choose a confirmed SQL Injection or Boolean Based SQL Injection issue, click the Execute SQL Commands button and the SQL Injection panel will appear where you can run custom SQL queries. Figure 53: Running Custom SQL Queries in SQL Injection Panel Afterwards, you can type an SQL query and run the query with the Run Query button. Response of the query will be displayed in the panel. Figure 54: Sample Custom SQL Query Output

53 Chapter: Exploitation 53 Getting a Reverse Shell When Netsparker identifies and confirms an SQL Injection vulnerability, Netsparker checks the database user automatically. If the user has admin rights and can access the file system, they can access the command prompt on the target system. The panel reverse shell dialog will pop up when you click the Get Shell button. Figure 55: Get Shell Button Figure 56: Reverse Shell Dialog Reverse shell will send a small executable to the target system and then when this executable gets executed by Netsparker it will connect back to your system. When it connects back you can run commands in the target system. For this purpose you should configure reverse shell settings in this dialog. You can either use your computer to listen for a shell or you can use a Custom Listener. You should choose IP Address to Listen so you can receive the shell. If you are not sure about addresses or if you are connected to a single network, it is recommended that you choose the Any Interface option. In the Public IP Address field, you must type your public IP address. This is the IP Address where the transferred executable will connect to. Thus ensure that this IP address is reachable by the target. If you access the target system over the internet this IP address should be your public IP address. You can find your public IP address from a website such as If you need to enter your public address do not forget to configure port forwarding in your router. website can guide you on how to configure port forwarding in your router. If target is in the local network you can use your local IP Address. In the Port field, you should specify the port number in your computer over which the reverse shell connection will be made; since this port will be used for listening, the required firewall configuration should be completed. After filling in the relevant fields, you can click the OK button to start sending the requests required to get reverse shell.

54 Chapter: Exploitation 54 Figure 57: Sample Reverse Shell Session After connection is made successfully, you can run commands on the opposite system from the Code Execution panel. Using a Custom Listener You can activate the Use Custom Listener option to use a listener of your own choice instead of Netsparker s connection listener. This is quite useful if you already have public internet facing system in place. Just configure a tool such as Netcat to listen the given port and set Public IP Address to that system s IP Address. In this case you can t see the reverse shell in Netsparker s screen but you will able to access the shell from the Netcat. Use the following command to listen port 443 with Netcat: nc -vv -l -p 443 Netsparker will use a standard reverse shell therefore you can use a tool such Netcat or any other similar tool.

55 Chapter: Exploitation 55 Exploiting LFI It is possible to exploit the Local File Inclusion vulnerabilities identified in the target application. Netsparker can download files on the system and can access the source code of the application. Figure 58: Local File Inclusion Vulnerability in Issues Panel After an issue of Local File Inclusion type is selected from the Issue list, you can click the Open LFI Exploitation button to access the panel that will enable you to read files on the system and access source code of the application. Figure 59: LFI Exploitation Question It is possible to download some known files automatically from the target system. Figure 60: Download Files Even if you did not select automatic download, you can use the Download button to re-download known files on the system and source code of the application.

56 Chapter: Exploitation 56 Figure 61: LFI Exploation Downloaded File View You can also type the file name manually and download a file that you know exists on the system in the LFI Exploitation panel. After you click the Download button, you can see contents of the file in question when the download is complete.

57 Chapter: Support 57 Getting Support Netsparker has a pretty and easy-to-use interface which makes it possible for someone to run a new scan without a guide. By keeping an eye on the Netsparker blog - you can access tips & tricks and latest news about Netsparker. Get in touch with us We are fanatical about support. You can contact us by or telephone for any other issue and we will get back to you as soon as possible. support@mavitunasecurity.com Phone: (weekdays between 09:00 and 17:30 GMT