One of the most important components of the DevSecOps approach is security automation. To have this aspect in their DevOps environment, companies should implement both a SAST and a DAST tool. Therefore, many people are asking: is Netsparker a DAST?
Netsparker is a DAST tool, as it gives the development team the ability to perform dynamic vulnerability detection scans automatically. Netsparker was also designed to integrate easily with multiple DevOps solutions, which makes it very easy to use as a DAST solution.
Having a DAST solution is necessary to detect the types of vulnerabilities that can't be discovered while analyzing the app's source code. Netsparker offers this capability while making its integration into a DevSecOps environment easier. In this blog post, I am going to explain what makes Netsparker a DAST tool and what features it offers. Moreover, I will give you some alternatives to Netsparker, along with its pros and cons.
Before we discuss what makes Netsparker a DAST tool, we should first understand what a DAST tool is and what it should do. DAST, or dynamic application security testing, is a tool that performs dynamic vulnerability detection by running the application and injecting forged data into all of its inputs.
Therefore, all DAST tools can be considered vulnerability scanners. However, the opposite is not always true. What makes a vulnerability scanner a DAST tool is the ability to manipulate an application by executing its different functionalities to try to either crash it or trigger unexpected behavior. I have already explained how vulnerability scanners work in the following blog post: what does a vulnerability scanner look for?
Netsparker is designed to do exactly that: it first uses heuristic crawling to identify all the entry points of the app, then uses fuzzing techniques to inject forged data into all the discovered application inputs.
Once a vulnerability is identified, Netsparker tries to exploit it to create a proof of concept that validates the finding. This exploitation is controlled by the tool and performed in a safe way. However, I strongly recommend not using it against a production environment.
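To make the three steps above concrete (crawl the running app for entry points, fuzz each input with forged data, then confirm a finding with a controlled read-only check), here is an added example in Python. It is not Netsparker's code: the "application" is a constructed in-process request handler standing in for a web app so the example runs offline, and the helper names (`discover_inputs`, `fuzz_input`, `check_reflection`, `scan`) are assumptions made for this illustration. The forged values are deliberately benign malformed inputs; the proof step sends a unique marker and only reports a finding as confirmed when the app echoes it back verbatim.

```python
"""Minimal DAST-style scan loop: discover inputs, fuzz them, confirm findings.
Added illustration, not Netsparker's code; the target app is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs
import uuid


class FormParser(HTMLParser):
    """Crawl helper: collects (action, field-name) pairs from <form>/<input>
    tags, the way a DAST tool learns entry points from the running app."""
    def __init__(self):
        super().__init__()
        self.entries = []
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "/")
        elif tag == "input" and self._action and a.get("name"):
            self.entries.append((self._action, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


# Constructed stand-in application: (path, query) -> (status, body).
# Two deliberate runtime defects a source-only scan would not exercise:
# /age crashes on non-numeric input, /hello echoes its input unescaped.
INDEX_HTML = """
<form action="/age"><input name="age"></form>
<form action="/hello"><input name="name"></form>
"""


def app(path, query):
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        if path == "/":
            return 200, INDEX_HTML
        if path == "/age":
            return 200, f"You are {int(params.get('age', '0'))} years old"
        if path == "/hello":
            return 200, f"<p>Hello {params.get('name', '')}</p>"
        return 404, "not found"
    except Exception as exc:  # a crash surfaces as a 500, which the fuzzer detects
        return 500, f"internal error: {exc!r}"


# Benign forged values: empty, negative, oversized, non-numeric, NUL, very long.
FORGED_VALUES = ["", "-1", "9" * 40, "abc", "\x00", "A" * 2048]


def discover_inputs(app):
    """Crawl step: fetch the index page and parse its forms into entry points."""
    _, body = app("/", "")
    parser = FormParser()
    parser.feed(body)
    return parser.entries


def fuzz_input(app, path, field):
    """Fuzz step: send forged values; report a crash on the first 500 response."""
    for value in FORGED_VALUES:
        status, _ = app(path, f"{field}={value}")
        if status == 500:
            return {"type": "crash", "path": path, "field": field, "value": value}
    return None


def check_reflection(app, path, field):
    """Proof step: a unique marker is sent and the finding is reported as
    confirmed only if a successful (200) response contains it verbatim.
    Error pages are excluded so a leaked error message is not mistaken for
    unescaped output."""
    marker = f"dast{uuid.uuid4().hex[:12]}"
    status, body = app(path, f"{field}={marker}")
    if status == 200 and marker in body:
        return {"type": "unescaped_reflection", "path": path,
                "field": field, "confirmed": True}
    return None


def scan(app):
    """Full loop: every discovered input goes through every check."""
    findings = []
    for path, field in discover_inputs(app):
        for check in (fuzz_input, check_reflection):
            finding = check(app, path, field)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(app):
        print(f)
```

Running the block reports a crash on `/age` for the value `abc` and a confirmed unescaped reflection on `/hello`; `/age` is not reported as a reflection because the marker only appears in its error page. The point for a DAST is that neither defect is visible without executing the application with attacker-controlled input.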
For more details about this subject, you can take a look at the blog post I have written about is Acunetix a safe tool? As you will see in the next sections of this blog post, Acunetix is one of the Netsparker alternatives.
In addition, a DAST tool should also be designed to integrate easily into a DevSecOps environment, which is the case for Netsparker. This tool can work easily in harmony with tools like:
Every DAST tool feature can be divided into 5 main sections:
Netsparker was designed to perform deep application discovery by applying the most advanced heuristic crawling techniques. By using heuristic crawling, Netsparker significantly reduces the time needed to crawl the app, which is the most time-consuming step.
In addition, Netsparker is capable of discovering more than 870 vulnerabilities, including server-based vulnerabilities. With the use of IAST (interactive application security testing) technology, Netsparker is capable of identifying exactly which line of code is vulnerable so that it can be fixed correctly.
However, you should keep in mind that, as of the day this blog post was written, there is no solution on the market that can discover all types of vulnerabilities (contrary to what they affirm on their website).
Netsparker also offers the ability to detect vulnerable components used in the web application, like old JS libraries that remain on the website and usually never get updated. Moreover, what I really like about Netsparker is the manual testing proxy mode it provides. You can use the tool as a proxy to manipulate the application the way you want, to discover many other vulnerabilities that require manual interaction.
Netsparker generates a low false-positive rate compared to other tools, and this is due to its proof-based technology. This technology verifies the scan results by performing a small, controlled, read-only exploitation of the discovered vulnerability.
Moreover, Netsparker was designed to serve primarily as a DAST tool by making its integration into a DevOps environment very easy.
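The DevOps integration described above usually boils down to a pipeline step that reads the scanner's report and decides whether the build may proceed. The following is an added example (Python, not Netsparker's API or export format) of such a gate: the report structure is constructed for this illustration, and the `confirmed` flag models the proof-based verification discussed above, so that only confirmed findings at or above a chosen severity block the build while unconfirmed ones are queued for manual review (for instance with the proxy mode) instead of failing the pipeline on a potential false positive.

```python
"""CI gate on DAST results. Added example; the report format is constructed
for this illustration and is not Netsparker's own export format."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report. 'confirmed' stands for a finding the scanner
# reproduced with a controlled read-only check (proof-based verification).
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": 1, "title": "Outdated JS library", "severity": "medium", "confirmed": True},
        {"id": 2, "title": "Unescaped input reflected in /search", "severity": "high", "confirmed": True},
        {"id": 3, "title": "Possible command injection in /export", "severity": "critical", "confirmed": False},
    ],
})


def gate(report_json, fail_on="high"):
    """Return (passed, blocking, for_triage).

    Findings below `fail_on` are ignored. At or above it, confirmed findings
    block the build; unconfirmed ones are returned for manual triage so a
    potential false positive does not stop the pipeline by itself.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking, for_triage = [], []
    for finding in report["findings"]:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            continue
        (blocking if finding["confirmed"] else for_triage).append(finding)
    return not blocking, blocking, for_triage


def main():
    passed, blocking, triage = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"BLOCK  [{f['severity']}] #{f['id']} {f['title']}")
    for f in triage:
        print(f"TRIAGE [{f['severity']}] #{f['id']} {f['title']} (unconfirmed)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

With the sample report the build fails on finding #2 (confirmed, high) and finding #3 is listed for triage; raising `fail_on` to `"critical"` lets the build pass while still surfacing #3 for a human to verify.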
For more details about these features, you can take a look at the following link.
After years of working with Netsparker and many other vulnerability scanners, here is the summary of the pros and cons of Netsparker:
| Pros | Cons |
|---|---|
| Very easy to use | Swedish- and English-speaking support only |
| Extreme amount of customization for scanning any web application | More expensive than other solutions |
| Designed to fit big companies | Netsparker offers only a few flexible plans |
| Fewer false positives | The desktop version consumes a lot of resources |
| Many DevOps integration possibilities | Only a Desktop or Cloud version |
| | Only Windows installation |
| | Very few vulnerabilities can be detected compared to its competitors |
Netsparker is a very nice tool, which perfectly suits big companies' requirements in terms of speed and a low false-positive rate. In addition, Netsparker offers many ways to customize the web scanning, with a very easy user interface.
However, this tool suffers from many limitations that may in some cases push you to change your mind. For example, a lot of companies around the world do not have technical people with a very good level of English. Therefore, solving the issues that may occur during both the operation and the installation of the tool may take more time than expected, as no support is available in languages other than Swedish or English.
Unfortunately, Netsparker is only available as a Desktop or Cloud version; there is no local web interface, which severely limits the platforms it can be installed on. I mean, who in the world still uses fat-client applications? What makes it even worse is the fact that the Netsparker app consumes so many resources that it may block the whole production system.
From my point of view, all those problems could be forgotten if the app were capable of detecting more vulnerabilities than its competitors. Unfortunately, this is not the case: the number of vulnerabilities the Acunetix tool can discover is more than 7000, compared to only 870 for Netsparker.
Netsparker is still a good tool if you are working with big and complex applications at a company level. However, for smaller budgets, there are better solutions. Here is a list of some of the alternatives that you can consider:
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).