New Web Application Scanner: Netsparker
If you can’t be bothered reading this post, make sure you at least check out the videos of Netsparker in action (particularly the bit where it gets a reverse shell from a SQL injection!).
What is Netsparker?
It’s a web application scanner. It does the same job as WebInspect and the like. Type in the URL and it crawls the site finding SQL Injection, Cross-Site Scripting, Local File Includes and that good stuff.
Is it any good?
I’ve previously been a heavy user of Burp Suite and WebInspect. I’ve generally found that Netsparker finds at least as many vulnerabilities as these, with the added benefit of being pretty fast and managing to avoid most false positives.
What’s clear from the testing I’ve done is that Netsparker is likely to stand shoulder to shoulder with your favourite scanner.
I’ve always been a fan of automating pentesting as much as possible. As far as I’m concerned, the killer features of Netsparker are its exploitation capabilities: when it finds a SQL injection, it provides you with an option to get a reverse shell! This leaves you with more time to get on with the fun post-exploitation phase.
Alternatively, you can get a SQL shell – something similar to MS Query Analyzer. Type your SQL query into the interface and Netsparker will execute it using the SQL injection it found, displaying the query result in an easy-to-read fashion.
So, you spend less time messing around with trying to upload your reverse shell exe, binding a listener somewhere, removing bad characters from your injection, and so on.
Now, obviously Netsparker is not magic. There will be times where a reverse shell isn’t possible. But a good chunk of the time it’s going to save you a lot of bother.
More features to come
I spoke to Ferruh, the author of Netsparker, recently. He has LOTS more cool features he still plans to implement. It wouldn’t be right for me to spill the beans here, but keep an eye on his blog.
I can’t wait to see what Netsparker looks like a year from now. Definitely one to watch.