New Web Application Scanner: Netsparker

I’ve been involved in the beta testing of Netsparker for some time now.  Now that it’s publicly available, I wanted to write a brief blog post to recommend that you try it out…

If you can’t be bothered reading this post, make sure you at least check out the videos of Netsparker in action (particularly the bit where it gets a reverse shell from a SQL injection!).

What is Netsparker?

It’s a web application scanner.  It does the same job as WebInspect and the like.  Type in the URL and it crawls the site finding SQL Injection, Cross-Site Scripting, Local File Includes and that good stuff.

Is it any good?

I’ve previously been a heavy user of Burp Suite and WebInspect.  I’ve generally found the Netsparker finds at least as many vulnerabilities as these, with the added benefit of being pretty fast and managing to avoid most false positives.

It’s really hard to say definitively which scanner is “best”.  They all have their particular strengths.  Burp for example benefits from being able to replay requests that it’s seen in its proxy, while Netsparker puts tremendous effort into rendering JavaScript so it can even test AJAX-heavy sites.

What’s clear for the testing I’ve done is that Netsparker is likely to stand shoulder to shoulder with your favourite scanner.


I’ve has always been a fan of automating pentesting as much as possible. As far as I’m concerned, the killer features of Netsparker are its exploitation capabilities: when it finds a SQL injection, it provides you with an option to get a reverse shell!  This leaves you with more time get on with the fun post-exploitation phase. 🙂

Alternatively, you can get a SQL shell – something similar to MS Query Analyzer.  Type in your SQL query to the interface and Netsparker will execute it using the SQL injection it found, displaying the query result in an easy to read fashion.

So, you spend less time messing around with trying to upload your reverse shell exe, binding a listener somewhere, removing bad characters from your injection, etc.

Now, obviously Netsparker is not magic.  There will be times where a reverse shell isn’t possible.  But a good chunk of the time it’s going to save you a lot of bother.

More features to Come

I spoke to Ferruh, the author of Netsparker recently.  He has LOTS more cool features he still plans to implement.  It wouldn’t be right for me to spill the beans here, but keep and eye on his blog.

I can’t wait to see what Netsparker looks like a year from now.  Definitely one to watch.


Leave a Reply