A closer look at Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL Injection, XSS and other web vulnerabilities.

Features:

  • AcuSensor Technology
  • SQL injection and XSS testing
  • Penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
  • Visual macro recorder makes testing web forms and password protected areas easy
  • Support for pages with CAPTCHA, single sign-on and 2FA mechanisms
  • Reporting facilities including PCI compliance reports
  • Multi-threaded scanner that processes thousands of pages with ease
  • Crawler detects web server type, application language and smartphone-optimized sites.
  • Acunetix crawls and analyzes different types of websites including HTML5, SOAP and AJAX
  • Port scans a web server and runs security checks against network services running on the server.

Here’s a tour of the software, click each image to see the full version.

This is the main interface of Acunetix Web Vulnerability Scanner (WVS). From here, the user can access the most common tasks available in Acunetix WVS.

New Scan using Wizard – From the main interface, the user can click on New Scan to launch the New Scan Wizard. This will guide the user on setting up a new scan, and will allow the user to tweak the settings of the scan. Default setting can be used to quickly launch the scan from the Web Scanner node.

Creating a Login Sequence – One of the steps in the New Scan Wizard allows for the configuration for scanning of password protected areas in the web site. This can be done by configuring a Login Sequence with the easy to use Login Sequence Recorder. Apart from recording login actions, one can specify restricted links, such as logout links. The Login Sequence recorder will then proceed to automatically detect which sessions are still active and store this in the Login Sequence. The Login Sequence will be saved for future scans of the same site.

Finished Scan Results – After scanning the site, Acunetix WVS provides the scan results ranking the security alerts by severity. In addition, Acunetix WVS provides an Alerts Summary in the Details pane. The user can expand each type of alert to get more information on the specific alert.

XSS Vulnerability – This is an example of a Cross Site Scripting (XSS) Vulnerability. The Alert details provide a description of the vulnerability together with details on how the vulnerability was discovered. The alert also provides remediation advice on how to fix the specific vulnerability, and links to third party sites and Classification using CVE, CWE and CVSS.

SQLi showing SQL Query with AcuSensor – This alert shows the detection of an SQL Injection vulnerability. In this case, Acunetix WVS provides the exact location of the vulnerability (line 51 in product.php), and the SQL query that was executed when the vulnerability was detected. All this information is provided by AcuSensor – which is installed on the website and acts as an agent for Acunetix. AcuSensor makes the scan more accurate, provides additional information during the scan, and results in less false positives.

Knowledge Base showing list of files with inputs – apart from scanning for vulnerabilities, Acunetix WVS provides additional information, such as a list of external hosts, list of email addresses detected in the website, or the list of files with inputs, which is shown in the screenshot. In addition, Acunetix WVS will also show the Site Structure, as detected while crawling the web site.

Site Structure showing detailed info for selected file – The user can click on any file in the file structure to get detailed information on the specific file.

Acunetix Manual Testing Tools – A set of web security tools are also included in Acunetix, allowing the user to perform additional tests manually. Most vulnerabilities discovered during an Acunetix WVS scan can be exported to the relevant manual testing tool, allowing for further verification of the vulnerability.

Scheduler – Using the Acunetix Scheduler’s web interface, web scans can be scheduled to be launched at a convenient time, such as low traffic periods. Scans can be scheduled to occur either continuously or on a daily weekly or monthly schedule.

Reporter – Using the Acunetix WVS Reporter, the user can produce a variety of reports, ranging from an Executive Summary Report to detailed Developer Reports. In addition, the Reporter Tool can generate reports showing compliance with various standards and regulations such as PCI DSS 3.0, HIPAA, ISO 27001 and others.