web application security lab

Mavituna Security’s Netsparker Community Edition

For those pen-testers out there, you may be interested in this. Mavituna Security recently announced a free “community version” of their scanner, Netsparker. For those who haven’t played with it yet, it’s pretty slick in one way that is very important for manual penetration testers: if it finds something like blind SQL injection or command injection of some sort, it lets you essentially use the tool itself as a pivoting tool to begin performing assessments once that initial compromise is complete. Pretty cool idea, and if you check the website, Ferruh has put up some good movies showing how powerful that can be. This would be one very good difference between a vulnerability assessment and a penetration test.

The community version can be found here. It’s definitely a great tool for those who want to perform assessments on the cheap or want to try a tool before they buy. Other scanners have tried this route in the past (e.g. Acunetix), and I think it’s a great way to show off the goods. I’m sure he and his team would appreciate feedback.

4 Responses to “Mavituna Security’s Netsparker Community Edition”

  1. DucDigital Says:

    Interesting, I definitely will test it out

  2. Andre Gironda Says:

    Netsparker Standard/Pro perform 92% on (measuring link extraction) and the Community Edition performed at 84%. There is no recorder for the Community version, and I don’t think you can tell it to scan more than one domain at a time (because the CLI is limited), although you can include/exclude URIs.

    If you compare to other free tools such as W3AF (50%), skipfish (46%), and Websecurify (21%), you will realize that Netsparker Community is the top contender when crawling web applications. If you plan on running a crawler through a passive proxy, such as Google ratproxy, Netsparker Community Edition is the best tool for the job (although I have not compared it to Acunetix WVS Free Edition). Keep it in crawl-only mode and set the thread count to 1 or as low as possible when running through a proxy.

    However, I think that skipfish is best at scanning huge sites with unknown subdomains and URIs, regardless of the fact that it is also faster than almost any other tool out there. I am looking forward to seeing improvements across all of these free application scanners. I think open-source projects such as w3af, skipfish, and Websecurify have a lot of potential, though.

  3. TheLightCosine Says:

    I just downloaded this and started checking it out. I’ve got to say, it’s pretty good for an automated scanner. The fact that its tools let you spin off of the automated results right into manual testing is great. This is exactly the direction these kinds of tools need to be going. The community edition also found SQLi that AppScan failed to in a side-by-side test. Pretty slick. For only 3k for a pro license, I think I might be able to convince the powers that be to buy this as a second ‘eyes’ tool.

  4. TheEnlightened Says:

    Well, all these stats are absolutely bogus. Get a grip. None of the scanners can scan wizards, none of them deal with AJAX correctly and none of them can spider more than wget combined with spidermonkey.

    Netsparker is just yet another tool with strong marketing gimmicks behind its operations.