Mavituna Security has announced a new release of its web application scanner as Netsparker Community Edition. Netsparker is an application for the Windows platform and this edition is the first one available free of charge.

Netsparker focuses on the elimination of false positives as the main point of its vision of security scanning, with the goal of augmenting the actual value provided by automatic scans.
“This is important in many levels,” says Ferruh Mavituna, the lead developer of the project, “especially if the user is not a web application security expert it’s hard to judge a vulnerability. When developers start to see more and more false positives they tend to ignore actual vulnerabilities as well.”

Netsparker accomplishes it’s job by going further than just a simple static research of attack vectors: Netsparker automatically tries to exploit, in a non-harmful way, the possible vulnerabilities it finds. Thus the results of a scanning are a picture of the real impact of the vulnerabilities; where an exploit is found, the most advanced editions of the product provide reverse shells for the target host and download the source code of the web application. “Basically when Netsparker identify a vulnerability it figures out how to exploit it as well,” continues Mavituna, “how to escape from XSS filtering or how to close the SQL sentence to start a new one, if it needs to add NULL byte (%00) at the end of the file name to exploit a Local File  Inclusion vulnerability etc. After this stage Netsparker provides a user interface to exploit further (however not all these exploitation features available in the Community Edition).”

Netsparker has also some rare features that give it a competitive advantage over the competitors, at least in the free application market for what regards its Community Edition. For instance, it is capable of executing JavaScript via an internal engine and thus crawling ajax websites. The crawler’s quality has been benchmarked by external projects.

Netsparker Community Edition shares the same engine of its brothers, the Standard and Professional editions, but it is somewhat limited on its capabilities, as you would expect from a community edition of a commercial product. It retains however many outstanding features — like ajax crawling and source code disclosure — and given the absence of noisy false positives in its reports you may want to give it a try.