Acunetix Web Vulnerability Scanner Manual v5.0 By Acunetix Ltd.

Upload: tran-nam

Post on 22-Nov-2015



Acunetix Ltd.

    http://www.acunetix.com

    E-mail: [email protected]

    Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd.

Acunetix WVS is copyright of Acunetix Ltd. 2004-2007. All rights reserved.

    Document version 5.00

    Last updated 4th June 2007.

Contents

1. INTRODUCTION TO ACUNETIX WEB VULNERABILITY SCANNER ... 5
   1.1 WHY YOU NEED TO SECURE YOUR WEB APPLICATIONS ... 5
   1.2 WEB ATTACK EXAMPLES ... 6
   1.3 THE ACUNETIX WEB VULNERABILITY SCANNER ... 7
   1.4 AUDITED VULNERABILITIES ... 7
   1.5 SUPPORTED TECHNOLOGIES ... 9
   1.6 MAIN FEATURES ... 9
   1.7 ACUNETIX WVS PROGRAM OVERVIEW ... 13
   1.8 LICENSE SCHEME ... 19
       1.8.1 Perpetual or Time Based Licenses ... 19
       1.8.2 Small Business Version (1 Site/Server) ... 19
       1.8.3 Enterprise Version (Unlimited Sites/Servers) ... 19
       1.8.4 Consultant Version ... 19
       1.8.5 Purchasing Acunetix WVS ... 20
2. INSTALLING ACUNETIX WVS ... 21
   2.1 SYSTEM REQUIREMENTS ... 21
   2.2 INSTALLATION PROCEDURE ... 21
   2.3 UPGRADE PROCEDURE ... 23
   2.4 CONFIGURING A PROXY SERVER ... 25
   2.5 CONFIGURING WEB BROWSER FOR HTTP SNIFFER ... 26
   2.6 PASSWORD PROTECT WVS ... 27
   2.7 LIMITATIONS OF THE EVALUATION VERSION ... 29
   2.8 UPGRADING FROM AN EVALUATION TO A PURCHASED VERSION ... 29
   2.9 EXTENDING OR UPGRADING A PURCHASED VERSION ... 29
3. THE USER INTERFACE ... 31
   3.1 INTRODUCTION ... 31
   3.2 THE WVS MAIN INTERFACE ... 31
       3.2.1 Layout ... 31
       3.2.2 Navigation ... 31
       3.2.3 Toolbar ... 32
       3.2.4 Tools Explorer ... 33
       3.2.5 Main Area ... 34
       3.2.6 Activity Window ... 34
       3.2.7 Status Bar ... 35
       3.2.8 Hiding Panels ... 35
       3.2.9 Context Menus ... 35
   3.3 THE SETTINGS INTERFACE ... 36
       3.3.1 Saving Changes ... 37
   3.4 ERROR HANDLING ... 37
4. GETTING STARTED: SCANNING YOUR WEBSITE ... 38
   4.1 STARTING A SCAN ... 38
   4.2 STEP 1: SELECT TARGET(S) TO SCAN ... 39
   4.3 STEP 2: CONFIRM TARGETS AND TECHNOLOGIES DETECTED ... 40
   4.4 STEP 3: SPECIFY CRAWLER OPTIONS ... 41
   4.5 STEP 4: SPECIFY SCANNING PROFILE OPTIONS AND MODE ... 42
   4.6 STEP 5: CONFIGURE LOGIN FOR PASSWORD PROTECTED AREAS ... 43
   4.7 STEP 6: CONFIGURING CUSTOM 404 ERROR PAGES ... 47
   4.8 SELECTING THE FILES/FOLDERS TO SCAN ... 49
   4.9 ANALYZING THE SCAN RESULTS ... 50
       4.9.1 Alerts Node ... 51
       4.9.2 Site Structure Node ... 53
   4.10 SAVING THE SCAN RESULTS ... 54
   4.11 GENERATING A REPORT FROM THE SCAN RESULTS ... 54
   4.12 GOOGLE HACKING VULNERABILITIES ... 55
5. SITE CRAWLER TOOL ... 57
   5.1 INTRODUCTION ... 57
   5.2 ANALYZING A WEBSITE STRUCTURE ... 58
       5.2.1 Starting the crawling process ... 58
       5.2.2 Analyzing the information collected by the crawler ... 58
       5.2.3 Info Tab ... 58
       5.2.4 Referrers Tab ... 59
       5.2.5 HTTP Headers Tab ... 59
       5.2.6 Inputs Tab ... 60
       5.2.7 View Source Tab ... 60
       5.2.8 View Page Tab ... 61
       5.2.9 HTML Analysis Tab ... 62
6. TARGET FINDER TOOL ... 67
   6.1 INTRODUCTION ... 67
   6.2 TO START A SCAN ... 67
7. SUBDOMAIN SCANNER TOOL ... 69
   7.1 INTRODUCTION ... 69
   7.2 STARTING A SUBDOMAIN SCAN ... 69
8. HTTP SNIFFER TOOL ... 70
   8.1 INTRODUCTION ... 70
   8.2 CONFIGURING THE HTTP SNIFFER ... 71
   8.3 ENABLING THE HTTP SNIFFER ... 71
   8.4 CREATING AN HTTP SNIFFER TRAP FILTER ... 72
   8.5 ANALYZING AND RESPONDING TO THE TRAPPED REQUESTS ... 73
       8.5.1 The Trap Form ... 73
   8.6 EDITING AN HTTP REQUEST WITHOUT A TRAP ... 74
9. AUTHENTICATION TESTER TOOL ... 75
   9.1 INTRODUCTION ... 75
   9.2 TESTING HTTP AUTHENTICATION ... 75
       9.2.1 What is HTTP Authentication? ... 75
       9.2.2 Testing the Password Strength ... 76
   9.3 TESTING HTML FORM AUTHENTICATION ... 76
       9.3.1 What is HTML Forms Authentication? ... 76
       9.3.2 Testing Password Strength ... 77
10. HTTP EDITOR TOOL ... 79
   10.1 INTRODUCTION ... 79
   10.2 EDITING A REQUEST ... 80
   10.3 FINE-TUNING REQUESTS AND ANALYZING RESPONSES ... 82
       10.3.1 Response Headers and Response Data tabs ... 83
       10.3.2 Text Only Tab ... 83
       10.3.3 View Page Tab ... 83
       10.3.4 HTML Structure Analysis Tab ... 84
11. HTTP FUZZER TOOL ... 85
   11.1 INTRODUCTION ... 85
   11.2 CREATING A RULE TO AUTOMATICALLY TEST A SERIES OF INPUTS ... 85
12. WEB SERVICES SCANNER ... 90
   12.1 INTRODUCTION ... 90
   12.2 STARTING A WEB SERVICE SCAN ... 90
   12.3 ANALYZING RESULTS ... 92
13. WEB SERVICES EDITOR ... 95
   13.1 INTRODUCTION ... 95
   13.2 USING THE WEB SERVICES EDITOR ... 95
   13.3 HTTP EDITOR EXPORT FEATURE ... 99
14. COMPARE RESULTS TOOL ... 101
   14.1 INTRODUCTION ... 101
   14.2 COMPARING RESULTS ... 101
   14.3 ANALYZING THE RESULTS COMPARISON ... 103
   14.4 MODIFY/DELETE TEMPLATE ITEMS ... 104
15. THE REPORTER ... 105
   15.1 INTRODUCTION TO THE REPORTER ... 105
   15.2 LAUNCHING THE REPORTER ... 105
   15.3 REPORT STYLES AND TEMPLATES ... 106
   15.4 GENERATING A REPORT ... 109
   15.5 THE REPORT VIEW ... 111
   15.6 WVS DATABASE ... 112
   15.7 THE REPORTER SETTINGS ... 112
16. COMMAND LINE SUPPORT ... 114
   16.1 INTRODUCTION ... 114
   16.2 LOCATING THE WVS COMMAND LINE EXECUTABLE ... 115
   16.3 COMMAND LINE PARAMETERS AND OPTIONS ... 116
   16.4 REPORTER COMMAND LINE ... 118
   16.5 COMMAND LINE EXAMPLES ... 118
17. SCHEDULER ... 119
   17.1 INTRODUCTION ... 119
   17.2 THE SCHEDULER MANAGEMENT CONSOLE ... 120
   17.3 CREATING A SCHEDULE ... 124
18. CONFIGURING ACUNETIX WVS ... 126
   18.1 INTRODUCTION ... 126
   18.2 SETTINGS: APPLICATION SETTINGS > GENERAL ... 127
   18.3 SETTINGS: APPLICATION SETTINGS > LAN SETTINGS ... 129
   18.4 SETTINGS: APPLICATION SETTINGS > DATABASE ... 130
   18.5 SETTINGS: APPLICATION SETTINGS > CERTIFICATES ... 132
   18.6 SETTINGS: APPLICATION SETTINGS > LOGGING ... 133
   18.7 TOOL SETTINGS > SITE CRAWLER ... 134
   18.8 TOOL SETTINGS > SITE CRAWLER > FILE FILTERS ... 136
   18.9 TOOL SETTINGS > SITE CRAWLER > DIRECTORY FILTERS ... 137
   18.10 TOOL SETTINGS > SITE CRAWLER > URL REWRITE ... 138
   18.11 TOOL SETTINGS > SITE CRAWLER > CUSTOM COOKIES ... 141
   18.12 TOOL SETTINGS > HTTP SNIFFER ... 142
   18.13 TOOL SETTINGS > SCANNER ... 142
   18.14 SCANNER SETTINGS > LOGIN SEQUENCES ... 144
   18.15 SCANNER SETTINGS > HTML FORMS ... 146
   18.16 SCANNER SETTINGS > PARAMETER EXCLUSIONS ... 149
   18.17 SCANNER SETTINGS > CUSTOM ERROR PAGES ... 150
   18.18 SCANNER SETTINGS > GHDB ... 152
   18.19 SCANNING PROFILES ... 153
       18.19.1 Default Scanning Profiles ... 154
   18.20 CREATING/MODIFYING SCAN PROFILES ... 155
19. DATABASE CONVERSION UTILITY ... 156
   19.1 INTRODUCTION ... 156
   19.2 OBTAINING THE DATABASE CONVERSION UTILITY ... 156
   19.3 CONVERTING A DATABASE ... 156
20. VULNERABILITY EDITOR ... 161
   20.1 INTRODUCTION ... 161
   20.2 ACUNETIX WVS AUDIT MODULES ... 162
   20.3 ADDING A VULNERABILITY TEST ... 163
       20.3.1 Editing the Vulnerability Description ... 165
       20.3.2 Specifying When the Vulnerability Check is Applicable ... 167
       20.3.3 Specifying Test Variables ... 167
       20.3.4 Variables Explained ... 168
       20.3.5 Defining the Requests to be Made in the Test ... 170
       20.3.6 Analyzing the Response ... 171
   20.4 ADDING A VULNERABILITY ITEM ... 173
   20.5 EXAMPLE: CREATING A TEST WHICH SEARCHES FOR A PARTICULAR FILE ... 174
       20.5.1 Step 1: Creating a Vulnerability ... 174
       20.5.2 Step 2: Adding a Vulnerability Item ... 175
       20.5.3 Step 3: Configuring the Test Properties ... 176
       20.5.4 Step 4: Save the Test and Re-Launch Acunetix WVS ... 178
21. WVS FILE TYPES ... 179
   21.1 WVS TOOLS FILE TYPES ... 179
   21.2 WVS EXPORT FILE TYPES ... 179
22. TROUBLESHOOTING ... 180
   22.1 INTRODUCTION ... 180
   22.2 REQUEST SUPPORT VIA E-MAIL ... 180
   22.3 SUPPORT CENTER ... 181
23. CREDITS ... 183
24. INDEX ... 185


    1. Introduction to Acunetix Web Vulnerability Scanner

    1.1 Why You Need To Secure Your Web Applications

    Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority in any organization.

    Increasingly, hackers are concentrating their efforts on web-based applications to obtain access and to misuse sensitive data such as customer details, credit card numbers and proprietary corporate data.

    Hackers already have a wide repertoire of attacks that they regularly launch against organizations including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, HTML Forms), Authentication Attacks, Directory Enumeration and other exploits. Moreover, the hacker community is very close-knit; newly discovered web application intrusions are posted on a number of forums and websites known only to members of that exclusive group. Postings are updated daily and are used to propagate and facilitate further hacking.

Web applications (shopping carts, forms, login pages, dynamic content, and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content, including varying levels of personal and sensitive data.

    If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.

    Why does this happen?

    Websites and related web applications must be available 24 hours a day, 7 days a week to provide the required service to customers, employees, suppliers and other stakeholders.

Firewalls and SSL provide no protection against web application hacking. The firewall must let HTTP and HTTPS traffic through because the website has to be public, and SSL only encrypts that traffic in transit; an attacker's malicious request is carried just as faithfully as a legitimate one.

    Web applications often have direct access to backend data such as customer databases and, hence, control valuable data and are much more difficult to secure.

    Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.

Various high-profile hacking attacks have proven that web application security remains the most critical weak point. If your web applications are compromised, hackers gain access to your backend data even though your firewall is configured correctly and your operating system and applications are patched regularly.

Network security defenses provide no protection against web application attacks, since these are launched over port 80 (the default for websites) or port 443 (HTTPS), which have to remain open to allow regular operation of the business.

    For the most comprehensive security strategy, it is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.

    The need for automated web application security scanning

Manual vulnerability auditing of all your web applications is complex and time-consuming. It also demands a high level of expertise and the ability to keep track of considerable volumes of code and of all the latest tricks of the hacker's trade.

    Automated vulnerability scanning allows you to focus on the more challenging issue of securing your web applications from any exploitable vulnerability that jeopardizes your data.

    1.2 Web Attack Examples

    Well-known sites that were open to web application attacks include:

TJX, the owner of clothing retailers T.J. Maxx and Marshalls Inc., suffered the largest known data theft at the time. Hackers invaded the TJX systems and stole at least 45.7 million credit and debit card numbers over an 18-month period, along with other personal data, including the driver's license numbers of another 455,000 customers who had returned merchandise without receipts. TJX first learned that there was suspicious software on its computer system on Dec. 18, 2006; however, the stolen data covered transactions dating as far back as December 2002.

In September 2006 hackers pilfered the personal data of nearly 19,000 DSL equipment customers through a vulnerability in AT&T's online store. In a statement, AT&T attributed the motive of the attack to a criminal market for illegally obtained personal information. The data also included customers' credit card details.

    In 2006, ChoicePoint, Inc. paid $10 million in civil penalties and $5 million in consumer redress after the personal financial records of more than 163,000 consumers in its database had been compromised.

    Last year, the University of Southern California spent more than $140,000 to notify affected students and also shut down the applications website for 10 days after a hacker gained online access to the admissions website.

In June 2004, security analyst ZapTheDingbat pointed out that MasterCard, NatWest, Barclaycard, WorldPay, GCHQ and various other sites had basic gaps in their security, including cross-site scripting vulnerabilities. This flaw allows hackers to send users to the legitimate site while displaying content and functionality of the hacker's choice.

In June 2003 fashion label Guess and pet supply retailer PetCo.com were notoriously found to be vulnerable to SQL injection. This left as many as 500,000 PetCo credit card numbers open to anyone able to construct a specially-crafted URL.

One hacker gained access to over five million credit card accounts in February 2003 through a web application attack. Similarly, in December 2002, a vulnerability at Tower Records' website laid bare the company's customer orders database.


    1.3 The Acunetix Web Vulnerability Scanner

    The Acunetix Web Vulnerability Scanner (WVS) broadens the scope of vulnerability scanning by introducing highly advanced heuristic and rigorous technologies designed to tackle the complexities of today's web-based environments.

WVS is an automated web application security testing tool that audits your web applications by checking for SQL Injection, Cross Site Scripting and other exploitable vulnerabilities. In general, the product scans any website or web application that is accessible via a web browser and that follows the HTTP/HTTPS rules.

    Besides automatically scanning for exploitable vulnerabilities, WVS offers a strong and unique solution for analyzing off-the-shelf and custom web applications including those relying on JavaScript (e.g., AJAX applications).

    The Acunetix WVS is suitable for any small, medium sized and large organizations with intranets, extranets, and websites aimed at exchanging and/or delivering information with/to customers, vendors, employees and other stakeholders.

    How WVS Works

    Acunetix WVS has a vast array of automated features and manual tools and, in general, works in the following manner:

    1. It crawls the entire website by following all the links on the site and in the robots.txt file (if available). WVS will then map out the website structure and display detailed information about every file.

2. After this discovery stage, or crawling process, WVS automatically launches a series of vulnerability attacks on each page found, in essence emulating a hacker. WVS analyzes each page for places where it can input data (URL parameters, HTML form fields, cookies and HTTP headers) and then submits attack payloads through each of them. This is the Automated Scan Stage.

    3. As it finds vulnerabilities, Acunetix WVS reports these in the Alerts Node. Each alert contains information about the vulnerability and recommendations on how to fix it.

    4. After a scan has been completed, it may be saved to file for later analysis and for comparison to previous scans. With the reporter tool a professional report may be created summarizing the scan.
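The discovery stage described in steps 1 and 2, shown as an added example that is not Acunetix code: from one fetched page plus the site's robots.txt it collects the in-scope URLs to crawl next and the input points (query parameters, form fields) the scan stage will attack. The page HTML, the robots.txt and the host name www.example.com are constructed for the demo.

```python
"""Discovery stage in miniature (added example, not Acunetix code).

Given the HTML of one fetched page plus the site's robots.txt, collect the
in-scope URLs the crawler should visit next and the input points (query
parameters, form fields) that the automated scan stage will attack later.
The HTML and robots.txt below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs


class _PageParser(HTMLParser):
    """Collect link targets and <form> definitions from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link") and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.links.append(urljoin(self.base, a["src"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or self.base),
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):                 # unnamed controls never reach the server
                self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def robots_paths(base_url, robots_txt):
    """Paths named in robots.txt Allow/Disallow lines.

    These are what the site owner would rather search engines skip, which is
    exactly why a security crawler seeds from them instead of honouring them."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition(":")
        if key.strip().lower() in ("allow", "disallow") and value.strip():
            paths.append(urljoin(base_url, value.strip()))
    return paths


def discover(base_url, html, robots_txt=""):
    """Return (urls_to_crawl, input_points); input_points are
    (METHOD, path, parameter) triples, deduplicated and sorted."""
    parser = _PageParser(base_url)
    parser.feed(html)
    host = urlparse(base_url).netloc
    urls, inputs = [], []
    for url in parser.links + robots_paths(base_url, robots_txt):
        parsed = urlparse(url)
        if parsed.netloc != host:
            continue                          # stay in scope: never follow off-site links
        clean = url.split("#", 1)[0]          # fragments never reach the server
        if clean not in urls:
            urls.append(clean)
        for name in parse_qs(parsed.query, keep_blank_values=True):
            inputs.append(("GET", parsed.path, name))
    for form in parser.forms:
        for name in form["inputs"]:
            inputs.append((form["method"], urlparse(form["action"]).path, name))
    return urls, sorted(set(inputs))


# Constructed sample page and robots.txt (not captured from a real site).
SAMPLE_HTML = """<html><body>
<a href="/products.php?id=7&sort=price">Products</a>
<a href="http://cdn.example.net/lib.js">third-party script</a>
<a href="/about.html#team">About</a>
<form action="/login.php" method="post">
  <input name="user"> <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
<img src="/img/logo.png">
</body></html>"""

SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup.zip  # old dump\n"

if __name__ == "__main__":
    urls, inputs = discover("http://www.example.com/index.html", SAMPLE_HTML, SAMPLE_ROBOTS)
    print("crawl next:", *urls, sep="\n  ")
    print("attack later:", *inputs, sep="\n  ")
```

Two details matter for a security crawler and are easy to get wrong: off-host links are dropped so the scan never drifts onto a third party, and robots.txt entries are followed rather than obeyed, because the paths an owner hides from search engines (/admin/, a forgotten backup) are precisely the ones a scan must audit.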

    1.4 Audited Vulnerabilities

    Acunetix WVS automatically checks for the following vulnerabilities:

- Version Check
  o Vulnerable Web Servers
  o Vulnerable Web Server Technologies, such as PHP 4.3.0 file disclosure and possible code execution
- CGI Tester
  o Checks for Web Server Problems: determines if dangerous HTTP methods are enabled on the web server (e.g. PUT, TRACE, DELETE)
  o Verifies Web Server Technologies
- Parameter Manipulation
  o Cross-Site Scripting (XSS)
  o SQL Injection
  o Code Execution
  o Directory Traversal
  o File Inclusion
  o Script Source Code Disclosure
  o CRLF Injection / HTTP Response Splitting
  o Cross Frame Scripting (XFS)
  o PHP Code Injection
  o XPath Injection
  o Full Path Disclosure
  o LDAP Injection
  o Cookie Manipulation
  o URL Redirection
  o Application Error Message
- MultiRequest Parameter Manipulation
  o Blind SQL / XPath Injection
- File Checks
  o Checks for Backup Files or Directories; looks for common files (such as logs, application traces, CVS web repositories)
  o Cross Site Scripting in URI
  o Checks for Script Errors
- Directory Checks
  o Looks for Common Files (such as logs, traces, CVS)
  o Discovers Sensitive Files/Directories
  o Discovers Directories with Weak Permissions
  o Cross Site Scripting in Path and PHPSESSID Session Fixation
- Web Applications
  o Large database of known vulnerabilities for specific web applications such as Forums, Web Portals, Collaboration Platforms, CMS Systems, E-Commerce Applications and PHP Libraries
- Text Search
  o Directory Listings
  o Source Code Disclosure
  o Check for Common Files
  o Check for Email Addresses
  o Microsoft Office Possible Sensitive Information
  o Local Path Disclosure
  o Error Messages
- GHDB (Google Hacking Database)
  o Over 1400 GHDB search entries in the database
- Web Services Parameter Manipulation
  o SQL Injection / Blind SQL Injection
  o Directory Traversal
  o Code Execution
  o XPath Injection
  o Application Error Messages

Other vulnerability tests may also be performed using the manual tools provided, including:

- Input Validation
- Authentication attacks
- Buffer overflows
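How the Parameter Manipulation checks above actually decide that a parameter is vulnerable, as an added example that is not Acunetix code: for each input point a payload is substituted and the response is judged for the tell-tale sign of the class (unencoded reflection for XSS, a database error for SQL injection, an out-of-root file for directory traversal, an injected header for CRLF injection). The target application, its paths and the detection signatures are constructed for the demo, and a real scanner uses many more payloads, encodings and blind techniques than the four shown.

```python
"""Automated scan stage in miniature (added example, not Acunetix code).

For every input point the scanner substitutes attack payloads and judges the
response, emulating an attacker. fake_target below is a constructed,
deliberately weak stand-in for a real application so the demo runs offline."""
import posixpath
import re
from urllib.parse import unquote

# --- constructed target ---------------------------------------------------
FILES = {
    "/var/www/files/brochure.pdf": "%PDF-1.4 brochure",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/bin/false",
}

def fake_target(path, params):
    """Answer (status, headers, body) the way a vulnerable web app would."""
    if path == "/search.php":                   # reflects input unencoded
        return 200, {}, "<h1>Results for %s</h1>" % params.get("q", "")
    if path == "/product.php":                  # input concatenated into SQL
        if "'" in params.get("id", ""):
            return 500, {}, ("You have an error in your SQL syntax; check the "
                             "manual that corresponds to your MySQL server version")
        return 200, {}, "<p>product</p>"
    if path == "/download.php":                 # file path built from input
        full = posixpath.normpath("/var/www/files/" + params.get("file", ""))
        return 200, {}, FILES.get(full, "file not found")
    if path == "/redirect.php":                 # response header built from input
        headers = {}
        for i, line in enumerate(unquote(params.get("url", "/")).split("\r\n")):
            if i == 0:
                headers["Location"] = line
            else:                               # attacker-supplied extra header
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
        return 302, headers, ""
    return 200, {}, "<p>nothing here</p>"

# --- scanner --------------------------------------------------------------
SQL_ERRORS = re.compile(r"SQL syntax|ORA-\d{5}|unterminated quoted string|"
                        r"Unclosed quotation mark", re.I)
PASSWD = re.compile(r"^root:.*:0:0:", re.M)
XSS_PROBE = "<script>wvsxss()</script>"

# (vulnerability name, payload, judge(status, headers, body) -> bool)
CHECKS = [
    ("Cross-Site Scripting", XSS_PROBE,
     lambda s, h, b: XSS_PROBE in b),                  # reflected without encoding
    ("SQL Injection", "1'",
     lambda s, h, b: bool(SQL_ERRORS.search(b))),      # database error leaks through
    ("Directory Traversal", "../../../../etc/passwd",
     lambda s, h, b: bool(PASSWD.search(b))),          # file outside the web root came back
    ("CRLF Injection / HTTP Response Splitting", "/%0d%0aX-Injected:%20wvs",
     lambda s, h, b: h.get("X-Injected") == "wvs"),   # our CRLF produced a new header
]

def scan_parameter(target, path, params, name):
    """Inject every payload into one parameter and return the alerts raised."""
    alerts = []
    for vuln, payload, judge in CHECKS:
        attack = dict(params, **{name: payload})      # other parameters keep benign values
        status, headers, body = target(path, attack)
        if judge(status, headers, body):
            alerts.append({"vulnerability": vuln, "path": path,
                           "parameter": name, "payload": payload})
    return alerts

def scan(target, input_points):
    """input_points: (path, baseline params, parameter to attack) triples."""
    return [alert for path, params, name in input_points
            for alert in scan_parameter(target, path, params, name)]

# Constructed input points, as the crawler would have discovered them.
INPUT_POINTS = [
    ("/search.php", {"q": "shoes"}, "q"),
    ("/product.php", {"id": "7"}, "id"),
    ("/download.php", {"file": "brochure.pdf"}, "file"),
    ("/redirect.php", {"url": "/home"}, "url"),
    ("/static.html", {"page": "1"}, "page"),      # safe: produces no alert
]

if __name__ == "__main__":
    for alert in scan(fake_target, INPUT_POINTS):
        print("%(vulnerability)s at %(path)s, parameter %(parameter)s" % alert)
```

The judge functions are where false positives are won or lost: the XSS check looks for the probe reflected byte-for-byte rather than for the input string alone, the traversal check matches the shape of a passwd line rather than the word "root", and the CRLF check inspects the parsed headers, since a payload merely echoed in the body proves nothing.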


    1.5 Supported Technologies

    Acunetix WVS is designed to use a web application as an exploitable front-end through which it can make contact with a database or web-server. This approach ensures that WVS does not rely on specific compatible web-servers for a scan to be executed.

For scanning web applications, Acunetix WVS is designed around the following concept: if an application can be viewed in any browser without installing special plug-ins, over the HTTP and HTTPS protocols, then it will also be correctly crawled and scanned. Tests carried out internally, and on public web applications, have confirmed that Acunetix WVS can efficiently crawl and scan the following technologies: ASP, ASP.NET, JavaScript, AJAX, PHP, FrontPage, Perl, JRun, Ruby, Flash, ColdFusion. Tested web applications were also hosted on a number of different web servers, such as IIS, Apache, Sun Java and Lotus Domino.

    1.6 Main Features

    Compliance Reporting

The reporter allows you to generate detailed compliance reports for OWASP, PCI, Sarbanes-Oxley, Web Application Security Consortium and HIPAA.

    JavaScript / AJAX Support Client Script Analyzer (CSA)

    During the discovery stage, Acunetix WVS crawls for JavaScript and AJAX using the new Client Script Analyzer (CSA). This allows the crawler to build a comprehensive site structure upon which the automated scan will be launched.

The CSA has been designed to be part of the crawling process to allow automated rather than manual crawls of websites that rely on JavaScript / AJAX. Rather than merely parsing the client code on the page, the CSA actually executes the JavaScript in real time, in a similar fashion to the browser, and builds the Document Object Model (DOM) of each page on the website as it does so.

    These design features significantly reduce the time needed to scan websites containing JavaScript code while simplifying the whole scanning process for such sites.

    Web Services Support

    For complete web security analysis, Acunetix WVS features full support for Web Services vulnerability scanning and assessment. Web Services are now becoming a commonplace implementation for information availability and task processing over the internet, and the need to secure these systems from being exploited also brings about the need for the right tools to perform this task. The Web Services Scanner and Web Services Editor allow for full vulnerability scanning and WSDL analysis, with full reporting functionality.

    Subdomain Scanner

The Subdomain Scanner allows fast and easy identification of active subdomains using various techniques, including guessing of common subdomain names. The Subdomain Scanner can be configured to use the target's DNS server, or one specified by the user for added flexibility.

    Scheduler Application

    The scheduler application ensures enhanced flexibility and automation when launching all types of scans including concurrent and/or sequential scans of single or multiple websites.

    Schedule such tasks as automated web crawling and scanning at a time most convenient to you. Tasks may be run daily, weekly, monthly, at certain times and/or continuously within a queue.

    Scheduling runs as a service, with the related management console enabling users to fully and easily configure the scanning, crawling, logging and result-saving features. Relevant schedule logs provide users with detailed information on the scheduled queues.

    Command Line

    The Command Line support provides a command line interface that gives you the power of Acunetix WVS without the usual graphical user interface.

    It allows you to use WVS directly from the command prompt and from batch files and script languages, making it ideal for automating repetitive tasks. A comprehensive set of command line parameters gives you direct control over the WVS features.

    The WVS Command Line supports the normal tasks for automated scanning as well as support for tasks related to Web Services.

    URL Rewrite Support

    The idea behind URL Rewriting (for example: mod_rewrite) is to use a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.

    URL Rewrite configurations may be set up in Acunetix WVS to support the proper crawling of such websites. The configuration may be done manually by defining custom rulesets, and also by importing the rules directly from Apache httpd.conf or .htaccess files.
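As an added illustration of what importing rewrite rules gives the crawler (example code written for this page, not Acunetix's own implementation), the following Python parses RewriteRule directives from a constructed .htaccess fragment and maps a crawled pretty URL back to the script and parameters it actually reaches, which is what the scanner needs in order to test those parameters. The sample rules, the file contents and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .htaccess content (not from the manual); RewriteRule
# lines are the only directives this importer understands.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteBase /
# pretty product URLs -> real script with query string
RewriteRule ^products/([0-9]+)/?$ listproducts.php?cat=$1 [L,QSA]
RewriteRule ^article/([a-z0-9-]+)\\.html$ showarticle.php?slug=$1 [L]
# external redirects are not an internal mapping, so they are ignored
RewriteRule ^old-site/(.*)$ http://example.com/new-site/$1 [R=301,L]
"""

FLAG_RE = re.compile(r"^\[(.*)\]$")


class RewriteRule:
    """One Apache RewriteRule: compiled pattern, substitution and flags."""

    def __init__(self, pattern, substitution, flags):
        self.regex = re.compile(pattern)
        self.substitution = substitution
        self.flags = flags

    def apply(self, path):
        """Return the rewritten path, or None if the pattern does not match.

        Apache's $N backreferences are turned into Python's \\N references
        before the match object expands the substitution."""
        m = self.regex.search(path)
        if not m:
            return None
        template = re.sub(r"\$(\d)", r"\\\1", self.substitution)
        return m.expand(template)


def parse_rewrite_rules(text):
    """Extract RewriteRule directives in file order; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "rewriterule" or len(parts) < 3:
            continue
        flags = []
        if len(parts) >= 4:
            m = FLAG_RE.match(parts[3])
            if m:
                flags = [f.strip().upper() for f in m.group(1).split(",")]
        rules.append(RewriteRule(parts[1], parts[2], flags))
    return rules


def is_internal(rule):
    # A rule that redirects (R flag) or targets an absolute URL produces a
    # new request rather than revealing an internal script to crawl.
    if any(f == "R" or f.startswith("R=") for f in rule.flags):
        return False
    return "://" not in rule.substitution


def resolve_crawled_path(rules, request_path):
    """Map a crawled pretty URL path to (script, {param: value}).

    Mimics the crawler side of URL Rewrite support: rules run in file order,
    the first matching rule carrying the L flag stops processing, and a match
    without L feeds its output into the remaining rules. Returns None when no
    internal rule matches."""
    path = request_path.lstrip("/")  # .htaccess patterns see no leading slash
    for rule in rules:
        if not is_internal(rule):
            continue
        target = rule.apply(path)
        if target is None:
            continue
        split = urlsplit(target)
        params = {}
        for pair in split.query.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                params[key] = value
        if "L" in rule.flags:
            return split.path, params
        path = target
    return None
```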

    Detects Google Hacking Vulnerabilities

    Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, a hacker may still crawl your site and launch Google Hacking Database queries directly against the crawled content.

    The Google hacking feature will launch all the queries found in the Google Hacking Database against the crawled content of your website, thus finding any sensitive data or exploitable targets before a search engine hacker does. The Google hacking feature is a unique, industry first feature.

    The Google Hacking Database is located at http://johnny.ihackstuff.com and looks for the following information:

    Advisories and server vulnerabilities

    Error messages that contain too much information

    Files containing passwords

    Sensitive directories

    Pages containing logon portals

    Pages containing network or vulnerability data such as firewall logs.

    For further reference please visit:

    http://www.informit.com/articles/article.asp?p=170880&rl=1
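The matching step this feature performs can be illustrated with a small matcher, added here as example code (not Acunetix's implementation, and the queries are illustrative rather than entries from the real GHDB): it parses the inurl:, intitle:, intext: and filetype: operators of a few constructed queries and runs them against constructed crawl results, grouping hits by the categories listed above. The queries, pages and function names are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class CrawledPage:
    url: str
    title: str
    body: str


# Constructed crawl results standing in for the Site Crawler's output.
CRAWLED = [
    CrawledPage("http://testphp.acunetix.com/index.php", "Home", "welcome"),
    CrawledPage("http://testphp.acunetix.com/logs/firewall.log",
                "", "Oct 1 12:00:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5"),
    CrawledPage("http://testphp.acunetix.com/admin/login.php",
                "Admin login", "Please enter your username and password"),
    CrawledPage("http://testphp.acunetix.com/error.php",
                "Error", "Warning: mysql_connect(): Access denied for user"),
]

# Constructed queries in GHDB operator syntax, one per manual category.
QUERIES = {
    "Pages containing network or vulnerability data": 'filetype:log intext:"DROP IN="',
    "Pages containing logon portals": "inurl:admin intitle:login",
    "Error messages that contain too much information": 'intext:"mysql_connect()"',
    "Files containing passwords": "filetype:txt intext:password",
}

# operator:"quoted value" | operator:value | "quoted phrase" | bare term
TOKEN_RE = re.compile(r'(\w+):"([^"]*)"|(\w+):(\S+)|"([^"]*)"|(\S+)')


def parse_query(query):
    """Split a query into (operator, value) pairs; operator None = bare term."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        if m.group(1):
            terms.append((m.group(1).lower(), m.group(2).lower()))
        elif m.group(3):
            terms.append((m.group(3).lower(), m.group(4).lower()))
        elif m.group(5) is not None:
            terms.append((None, m.group(5).lower()))
        else:
            terms.append((None, m.group(6).lower()))
    return terms


def term_matches(op, value, page):
    url, title, body = page.url.lower(), page.title.lower(), page.body.lower()
    if op == "inurl":
        return value in url
    if op == "intitle":
        return value in title
    if op == "intext":
        return value in body
    if op == "filetype":
        # extension of the path part only, ignoring any query string
        return url.rsplit("?", 1)[0].endswith("." + value)
    # a bare term may appear anywhere, as a search engine would treat it
    return value in url or value in title or value in body


def run_ghdb_queries(queries, pages):
    """Return {category: [matching URLs]} for every query that hits a page."""
    hits = {}
    for category, query in queries.items():
        terms = parse_query(query)
        matched = [p.url for p in pages
                   if all(term_matches(op, v, p) for op, v in terms)]
        if matched:
            hits[category] = matched
    return hits
```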

    Extend Attacks with the HTTP Editor and Sniffer

    With the HTTP Editor, you may construct HTTP/HTTPS requests and analyze the related responses of the web server. Thus the feature allows you to perform and test for custom SQL injection and cross site scripting attacks. With the HTTP Sniffer you can log, intercept and modify all HTTP/HTTPS traffic, giving you an in-depth knowledge of the data sent by your web application.

    In-Depth Testing with the HTTP Fuzzer

    The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and input validation. With it, you can create rules to automatically test a range of variables.

    A simple example would be the following URL:

    http://testphp.acunetix.com/listproducts.php?cat=1

    Using the HTTP Fuzzer you could create a rule which would automatically replace the last part of the URL - 1 - with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries while significantly reducing the amount of manual input.

    Login Sequence Recorder for Protected Areas

    The recorder allows you to scan password-protected sections of your website. Simply use the login sequence tool to provide Acunetix WVS with single or multiple login details. In addition, you can provide the scanner with links it should not crawl, for example, a logout link.

    Automatic HTML Form-filler

    When the crawler encounters an HTML form, it can be instructed to use certain input values when submitting this form.

    This way you can automatically test your website for different types of inputs.

    Crawl Flash Files

    Acunetix WVS analyzes Flash files looking for both links to follow and HTML code.

    Test Password Strength of Login Pages

    With the authentication tester, you can audit password protected pages by launching a dictionary attack.

    Vulnerability Editor

    Create custom web attack checks or modify existing ones with the Vulnerability editor.

    Supports All Major Web Technologies

    Acunetix WVS supports scanning for vulnerabilities in websites that use any of the major development technologies, including ASP, ASP.NET, PHP and CGI. In general, the product scans any website or web application that is accessible via a web browser and that respects HTTP/HTTPS rules.

    Scanning Profiles

    You can use different scanning profiles to scan different websites with different identity and scan options. This reduces scan times and allows for deeper analyses.

    Report Generator

    The Acunetix WVS V5 Reporting Application makes it quick and easy to generate different reports of your scan results, with the added functionality to export the report to a variety of file types. Designed as a stand-alone application, the Reporter connects directly to the WVS Database, and allows you to view results and generate different reports for vulnerabilities, compliance, statistics, and parallel comparison of results. In-built search functionality allows you to search for specific alerts within a set of results. The Reporter is also fully configurable. One can configure the default report-type for on the fly report generation, insert custom logos, headers, and footers, or change page layout and size.

    Compare Scans and Find Differences

    Use the compare function to easily contrast recent and previous scans thereby reflecting the changes made and identifying any resulting new vulnerabilities.

    Easily Re-Audit Website Changes

    Good security practice requires you to check your website after every change made to it. This can be done automatically with Acunetix WVS. Re-auditing a website has been further simplified with the Scheduler application, which allows you to configure automatic website scans according to your specific work and development schedules.

    1.7 Acunetix WVS Program Overview

    The following pages briefly explain the main WVS tools and features:

    Web Scanner

    Screenshot 1 - Acunetix Web Vulnerability Scanner

    The Web Scanner is the most important component: it launches the automated security audit of a website. The automated scan consists of two phases:

    1. Crawling - This discovery phase will automatically analyze the website and build a site structure.

    2. Scanning - A vulnerability scan consists of a series of attacks launched against the crawled site structure, in effect, emulating a hacker.

    Screenshot 2 - Scan Results

    The results of a scan are displayed in an Alert Node tree. Each Alert Node contains extensive details on all the vulnerabilities found within the website.

    Site Crawler

    Screenshot 3 - The Site Crawler

    The Site Crawler tool crawls the entire target website and displays its structure together with detailed information on each file found.

    HTTP Editor

    Screenshot 4 - The HTTP Editor

    The HTTP Editor allows you to create custom HTTP requests from scratch and debug HTTP requests/responses.

    HTTP Sniffer

    Screenshot 5 - The HTTP Sniffer

    In contrast to the HTTP Editor (see above), which builds requests from scratch, the HTTP Sniffer helps you intercept and modify an HTTP request that is already in transit.

    The HTTP Sniffer allows you to capture, examine and modify HTTP communications between an HTTP client and a web server. This tool is used to:

    Analyze how Session IDs are stored - Session IDs are used by the application to uniquely identify a client browser. It is important that the session ID is unpredictable and that the application uses a strong method of generating random IDs.

    Analyze how inputs are sent back to the server.

    Alter any HTTP request being sent to the server before it is actually sent.

    Navigate through parts of the website which cannot be crawled automatically because, for example, of certain JavaScript code.

    To use this tool, all HTTP requests must pass through WVS; thus the software must be set as the proxy server for your browser.
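As an added example of the session ID analysis described above (example code written for this page, not an Acunetix tool), the following Python checks a sample of captured session IDs for the two classic weaknesses an intercepting proxy lets you spot: a counter-style sequence, and a constant prefix that leaves too few unpredictable bits. The sample IDs, the function names and the 64-bit threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed session IDs standing in for values captured with the sniffer
# (e.g. from Set-Cookie headers across several logins); not real data.
WEAK_IDS = ["4f2a1c0000001a", "4f2a1c0000001b", "4f2a1c0000001c",
            "4f2a1c0000001d", "4f2a1c0000001e", "4f2a1c0000001f"]
STRONG_IDS = ["9d41c2b7e0a36f581b8ef7a04c93d2e6",
              "73c0a9e5f2b18d47e6a28f1b3d7c9054",
              "a95d3e7f18c2b6403f7b1d9ce4a8256b",
              "c4e81a9f2d06b7353e9a7c1d5f280b64",
              "0b6d2f9ae17c48530d5e3a9c7b4f1286",
              "5e7a3c1f9b2d4806a1c8e5f3b7d9024e"]

# Assumed minimum: below this many effective bits a session ID is treated
# as guessable (an assumption for this example, not a standard).
MIN_EFFECTIVE_BITS = 64


def shannon_entropy_bits(ids):
    """Average Shannon entropy per character over the whole sample."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def fixed_prefix_len(ids):
    """Number of leading characters shared by every sampled ID."""
    n = 0
    for chars in zip(*ids):
        if len(set(chars)) != 1:
            break
        n += 1
    return n


def is_sequential(ids):
    """True when, read as hex integers, consecutive IDs differ by one small
    constant step: the classic sign of a counter-based generator."""
    try:
        values = [int(s, 16) for s in ids]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and 0 < abs(next(iter(deltas))) <= 16


def assess_session_ids(ids):
    """Return measurements plus a 'predictable' verdict for a sample."""
    entropy = shannon_entropy_bits(ids)
    prefix = fixed_prefix_len(ids)
    seq = is_sequential(ids)
    # Constant prefix characters contribute no unpredictability, so only
    # the varying tail of the ID is credited with the measured entropy.
    id_len = min(len(s) for s in ids)
    effective_bits = entropy * (id_len - prefix)
    return {
        "entropy_per_char": round(entropy, 2),
        "fixed_prefix_len": prefix,
        "effective_bits": round(effective_bits, 1),
        "sequential": seq,
        "predictable": seq or effective_bits < MIN_EFFECTIVE_BITS,
    }
```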

    HTTP Fuzzer

    Screenshot 6 - The HTTP Fuzzer

    The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and input validation. With this tool you can easily create input rules for Acunetix WVS to test.

    A simple example would be the following URL:

    http://testphp.acunetix.com/listproducts.php?cat=1

    Using the HTTP Fuzzer you can create a rule which would automatically replace the last part of the URL - 1 - with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries while significantly reducing the amount of manual input.

    Authentication Tester

    Screenshot 7 - The Authentication Tester

    With the Authentication Tester tool you can perform a dictionary attack on login pages which use HTTP (NTLM) or HTML form authentication. This tool uses two predefined text files which contain an extensive list of common usernames and passwords. These text files may be easily modified to include your own combinations.

    Vulnerability Editor

    Screenshot 8 - The Vulnerability Editor

    The Vulnerability Editor allows you to create custom security checks.

    You will also notice changes and additions to the Vulnerability Editor as updates to the Acunetix WVS are installed. For more information on updating the Acunetix WVS please refer to page 127 of this manual.

    Reporter

    The Reporter application allows you to present the scan results in a printable format, which you can send to your colleagues or customers. Various report templates are available, including summary, detailed reports and also compliance reporting.

    The Consultant Version of the WVS allows further customization of the report headers.

    Screenshot 9 - Typical WVS Report including Chart of alerts

    1.8 License Scheme

    Acunetix Web Vulnerability Scanner (WVS) is available in 3 versions: Small Business, Enterprise and Consultant.

    1.8.1 Perpetual or Time Based Licenses

    Acunetix WVS is sold as a one-year or perpetual license. The one-year license expires one year from the date of purchase. The perpetual license never expires.

    The Enterprise and Consultant versions are available as both a one-year and perpetual license. The Small Business version is available as a perpetual license only.

    A Maintenance Agreement, which entitles the end user to free support and version upgrades, is included for free in the one-year license for the full duration. Perpetual licenses include two months of free support and upgrades. To extend this period of support a maintenance agreement should be purchased along with the perpetual license. A maintenance agreement can be purchased in yearly intervals and begins from the date of product purchase.

    1.8.2 Small Business Version - 1 Site/Server

    The Small Business Version license allows you to install one copy of Acunetix WVS on one computer, and scan one nominated site or server; this site or server must be owned by yourself (or your company) and not by third parties. In the case of companies, you must obtain proper authorization to scan the website. Acunetix Small Business version will leave a trail in the log files of the scanned server and scanning of third party sites is prohibited with this license.

    To scan multiple websites you would require the Enterprise unlimited license.

    To install copies on several computers, you are required to purchase the necessary individual licenses.

    1.8.3 Enterprise Version - Unlimited Sites/Servers

    The Enterprise version license allows you to install one copy of Acunetix WVS on one computer, and scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. In the case of companies, you must obtain proper authorization to scan the website. Acunetix Enterprise version will leave a trail in the log files of the scanned server and scanning of third party sites is prohibited with this license.

    To install copies on several computers, you are required to purchase the necessary individual licenses.

    1.8.4 Consultant Version

    The Consultant version license allows you to install one copy of Acunetix on one computer, and scan an unlimited number of sites or servers including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct version to use if you are a consultant who provides web security testing services, or an ISP. The consultant edition also includes the capability of modifying the reports to include your own company logo. Furthermore this version does not leave any trail in the log files of the scanned server.

    1.8.5 Purchasing Acunetix WVS

    To purchase any of these licenses please visit:

    http://www.acunetix.com/ordering/ and contact one of the Channel Partners in your area. If there are no Channel Partners in your country, you may place your order online from http://www.acunetix.com/ordering/pricing.htm

    Pricing is available at http://www.acunetix.com/ordering/pricing.htm

    2. Installing Acunetix WVS

    2.1 System Requirements

    Microsoft Windows XP Professional or Home Edition, Windows 2000, Windows Server 2003 and Windows Vista.

    128 MB of RAM (256 MB or higher recommended).

    200 MB of available hard-disk space.

    Microsoft Internet Explorer 5.1 (or higher).

    Microsoft SQL Server / Access support if database is enabled (optional)

    2.2 Installation Procedure

    1. Double-click on the webvulnscan5.exe file to launch the Acunetix WVS setup wizard and click Next.

    2. Read and review the License agreement and, if you agree with the conditions laid out, select I accept the agreement. Click on Next to continue the installation.

    Screenshot 10 - Setup Wizard - Enter Details

    3. Enter your Name, Company Name and License key. If you are evaluating the product, leave the license key edit box blank. Click Next.

    Screenshot 11 - Setup Wizard - Confirm Details

    4. Select the folder location where you want to install Acunetix Web Vulnerability Scanner and click Next.

    5. Choose whether a program shortcut icon is to be created on the desktop. Click on Next to continue with your installation.

    If using the evaluation version, you will only be able to scan one of the Acunetix test websites:

    http://testphp.acunetix.com - A test website with PHP technology

    http://testasp.acunetix.com - A test website with ASP technology

    http://testaspnet.acunetix.com - A test website with ASP.NET technology

    Furthermore, you will not be able to save the scan results.

    6. After Acunetix WVS has been installed, you will be prompted to launch the application. Check the tick box as appropriate and click Finish.

    Screenshot 12 - Setup Wizard - Finish

    2.3 Upgrade Procedure

    1. Double-click on the webvulnscan5.exe file to launch the Acunetix WVS setup wizard. The installer automatically detects any previously installed version and displays a dialog asking whether you want to continue.

    Screenshot 13 - Setup - Upgrade Confirmation Dialog

    By default, Acunetix WVS is installed with Microsoft Access database support enabled. This is required to create reports using the Reporter. If you want to use a Microsoft SQL Server or MSDE database, you will need to enter the required credentials from the configuration screen under the Application Settings node. For more information on how to configure this feature, please refer to page 113 of this manual.

    SQL Server/MSDE must be installed in mixed mode or SQL server authentication mode. NT authentication only mode is NOT supported.

    2. Click on Yes to proceed with the upgrade.

    3. At this point the uninstaller is launched and it will verify again that you want to actually uninstall the previous version of Acunetix WVS. Click on Yes to proceed with the upgrade.

    Screenshot 14 - Setup - Uninstall Confirmation Dialog

    4. The next step requires a careful choice:

    If you plan to keep your past scan results and use them in the new version or build of Acunetix WVS, you may select NO to keep the current database.

    If you plan to clear all your past scans and start from scratch with the new version or build, you may select YES to remove your current database.

    Screenshot 15 - Setup - Database Removal Dialog

    5. At this stage the uninstallation process starts; when it has finished, click on OK to proceed with the upgrade.

    6. The installation steps that follow are the same as described in section 2.2 of this manual. The installation procedure will be identical to a standard installation from here on.

    Screenshot 16 - First Run - Previous Settings Import Dialog

    7. After the installation is finished, run Acunetix WVS. The application will present a dialog to upgrade any previous settings from the previous build that was installed. Click on Yes to restore any previous configurations to the new version or build just installed.

    2.4 Configuring a Proxy Server

    Screenshot 17 - LAN HTTP Proxy Settings

    If your machine is sitting behind a proxy server and you need Acunetix WVS to use this proxy, then you need to configure the proxy server settings.

    From the Tools Explorer panel on the far left-hand side of the user interface, select Configuration > Settings. Then select Application Settings > LAN Settings to access the configuration panel shown above.

    Acunetix WVS supports both HTTP and SOCKS proxy settings. You can set up the Acunetix Web Vulnerability Scanner to use both technologies concurrently.

    HTTP Proxy Settings

    Use an HTTP proxy server - Tick the check box to make Acunetix WVS use an HTTP proxy server.

    Hostname and Port - Hostname (or IP address) and port number of the HTTP proxy server.

    Username and Password - Credentials used to access the proxy. If no authentication is required, leave these options empty.

    SOCKS Proxy Settings

    Use a SOCKS proxy server - Tick the check box to make Acunetix WVS use a SOCKS proxy server.

    Hostname and Port - Hostname (or IP address) and port number of the SOCKS proxy server.

    Protocol - Select which SOCKS protocol to use. Both the SOCKS v4 and v5 protocols are supported by Acunetix WVS.

    Username and Password - The credentials used to access this proxy. If no authentication is required, leave these options empty.

    2.5 Configuring Web Browser for HTTP Sniffer

    To sniff HTTP traffic, you must configure Acunetix WVS as a proxy server for the browser installed on your machine. This allows you to direct WVS to pages it either could not find automatically or could not access (because of JavaScript etc.) and thus be able to scan them.

    Internet Explorer Configuration

    To configure Internet Explorer to pass via the Acunetix WVS proxy:

    1. Launch Internet Explorer and select Tools > Internet Options > Connections > LAN Settings

    Screenshot 18 - Internet Explorer Proxy Server setup

    2. Enable Use a proxy server for your LAN and specify the IP address / Name and Port (default 8080) of the computer where Acunetix WVS is running. If the browser is running on the same computer as Acunetix WVS, you can use 127.0.0.1 or localhost as the proxy server address.

    To use the browser you need to launch Acunetix WVS and enable the HTTP Sniffer. Therefore, it is advisable to install a second browser (either Internet Explorer or Firefox depending on your default preference) and use it for sniffing traffic. You may then continue using your preferred browser for regular browsing.

    Mozilla Firefox Configuration

    To configure Mozilla Firefox 2.0.0+ to pass via the Acunetix WVS proxy:

    1. Launch Firefox and select Tools > Options

    Screenshot 19 - Firefox proxy setup

    2. Click on the Advanced icon at the top of the dialog. Then go to the Network tab and click on Settings

    3. Select Manual proxy configuration and specify the IP address/Name and port (default 8080) of the computer running Acunetix WVS for both HTTP and SSL.

    4. If you will be using the HTTP Sniffer to browse a local website hosted on the same machine as Acunetix WVS, also clear the No proxy for: textbox.

    5. Click on the OK button to save the changes.

    2.6 Password Protect WVS

    To password protect the main interface of WVS together with all the supporting applications including the Reporter, Vulnerability Editor and Scheduler, simply follow these steps:

    1. Go to the Configuration > Settings > Application Settings > General node to access the password protection configuration settings.

    Screenshot 20 - Password Protection Options

    2. In the Password protection section of the page, enter the current password in the Current password textbox. If you are configuring a password for the first time leave this field empty.

    3. Enter the new password in both the New password and the Confirm new password textboxes.

    4. Click on the Set Password button to save the settings.

    Screenshot 21 - Password Protection Dialog

    Once a password has been set in WVS, every subsequent time you launch the product or any of its supporting applications you will be presented with a password protection dialog. Simply enter the password you configured in WVS into this dialog to access the application normally.

    For more information on the password protection feature of WVS, please go to page 128.

    2.7 Limitations of the Evaluation Version

    The evaluation version of WVS, which is downloadable from the Acunetix main website, is practically identical to the full version in functionality and in the set of tools it presents, with the following limitations:

    Websites will be scanned for Cross Site Scripting (XSS) vulnerabilities only; the Acunetix test websites will be scanned for all types of vulnerabilities.

    Only the default report can be generated and it cannot be printed or exported

    Scan Results cannot be saved

    Screenshot 22 - Evaluation Limitations Dialog

    2.8 Upgrading From an Evaluation to a Purchased Version

    If you decide to purchase Acunetix WVS, you will need to upgrade the evaluation version to the purchased version. You will receive a new download location to obtain the unlocked and full version.

    After download, simply launch the setup file. Setup will ask whether it can remove the evaluation version and install the full version. Any settings you have already made will be retained.

    You will be able to enter the License key you received, after which you will install the full version and scan your website.

    2.9 Extending or Upgrading a Purchased Version

    If you have already installed the full version, but only want to extend the license key or upgrade from an enterprise to a consultant version, you can enter your new license key under the General > Licensing node. Right-click on the General/Licensing Node, select License Product and enter your new license key.

    To find out how to purchase Acunetix Web Vulnerability Scanner, select General > How to purchase.

    3. The User Interface

    3.1 Introduction

    Acunetix WVS consists of a comprehensive set of highly technical, complex and flexible tools. The product has an easy-to-use and intuitive Graphical User Interface (GUI) designed to ensure immediate use of the product without any particular level of technical expertise.

    3.2 The WVS Main Interface

    The following sections contain detailed descriptions of the different parts of the Acunetix Web Vulnerability Scanner.

    3.2.1 Layout

    Screenshot 23 - The Acunetix WVS Main Interface Layout

    The Main Interface includes all the main features needed to operate the application and conduct your audits. From this interface you can launch a new scan, access the individual tools of the application and configure all settings and options.

    3.2.2 Navigation

    Navigation in Acunetix WVS is performed through the Toolbar and the various nodes in the Tools Explorer panel.

    3.2.3 Toolbar

    Screenshot 24 - The Acunetix WVS Toolbar

    Found below the menu bar, at the top, the Toolbar contains quick access buttons (represented by a number of icons) that allow quick access to the main tools of the application, to the settings, and to the main operation of the product, that of starting a new scan.

    You will note the following icons/buttons on the toolbar:

    New Scan - Access the Scan Wizard to start a new scan.

    Web Scanner - Access the Web Scanner tool to launch a scan manually instead of using the Scan Wizard.

    Site Crawler - Access the Site Crawler tool.

    Target Finder - Access the Target Finder tool.

    Subdomain Scanner - Access the Subdomain Scanner tool.

    HTTP Editor - Access the HTTP Editor tool.

    HTTP Sniffer - Access the HTTP Sniffer tool.

    HTTP Fuzzer - Access the HTTP Fuzzer tool.

    Authentication Tester - Access the Authentication Tester tool.

    Compare Results - Access the Compare Results tool.

    Web Services Scanner - Access the Web Services Scanner tool.

    Web Services Editor - Access the Web Services Editor tool.

    Settings - Access the configuration settings area of the application.

    Scanning Profile - Access the Scanning Profiles configuration.

    Scheduler - Access the Acunetix WVS Scheduler application.

    Reporter - Access the Reporter application.

    3.2.4 Tools Explorer

    Screenshot 25 - The Tools Explorer

    As will be seen throughout this manual, the Tools Explorer is central to navigating within Acunetix WVS. The Tools Explorer is laid out in a hierarchical tree of nodes (branches) and corresponding sub-nodes (sub-branches). Each sub-node has a parent node which categorizes the structure in sections.

    The tree structure has four main nodes:

    Tools - This node category contains all the tools available in the application.

    Web Services - This node category contains all the tools related to web services available in the application.

    Configuration - This node category contains the configuration settings of the application and also the Scanning Profiles configuration settings.

    General - This node category contains general application information and links to the support centre.

    The convention used to denote a particular node and sub-node throughout this manual is Node > Sub-Node. For example, the Settings sub-node is a child of the parent node Configuration. Hence, to denote the Settings node we write Configuration > Settings.

    3.2.5 Main Area

    Screenshot 26 - The Acunetix WVS Main Area

    The Main Area of the application will show the current active screen depending on your selection from the toolbar or the tools explorer. It, therefore, varies according to the tool and feature you are using.

    3.2.6 Activity Window

    Screenshot 27 - The Activity Window

    The Activity Window at the bottom will show the current activity of the application in real time. This section is subdivided into two tabs:

    Application Log Tab - This tab includes real-time information on all tools and any informational messages.

    Error Log Tab - This tab shows any errors occurring during the scan or the use of any of the tools.

    3.2.7 Status Bar

    Screenshot 28 - The Acunetix WVS Status Bar

    The Status Bar found at the bottom of the Main Interface provides summary information of the current running tool in the application.

    This information is shown throughout the operation of all tools, so that you always have an immediate overview of the current activity and status of the application.

    3.2.8 Hiding Panels

    The Tools Explorer and the Activity Window panels can be hidden in order to obtain more space in the main panel. This is extremely useful when working in low resolution modes.

    To hide a panel simply click on the icon at the edge of the panel.

    Screenshot 29 - Hide Panel Icon

    This will trigger the panel's auto-hide mode. Moving the mouse to the main panel will auto-hide the panel, and moving the mouse to the edge where the panel was will bring it into focus again. To change the panel's behavior back to fixed mode, simply click on the icon again.

    The auto-hide panel mode is available to other panels throughout the application which have the icon.

    3.2.9 Context Menus

    Many of the nodes used in the Tools Explorer and also in the tools themselves contain useful Context Menus. Accessed directly by right-click, these menus are contextual in the sense that they allow access to specific actions tied to a particular node.

    Screenshot 30 - The Web Scanner Context Menu

    For example, the context menu of the Web Scanner node in the Tools Explorer contains several options regarding the scan results and also an option to start a new scan or load saved scan results.

    Screenshot 31 - The Site Crawler Context Menu

    In this example, the context menu of the Site Crawler node contains options which let you save and load crawl results.

    3.3 The Settings Interface

    Screenshot 32 - The Acunetix WVS Settings Interface

    The Settings Interface is accessed from the Configuration > Settings node in the Tools Explorer on the left in the main interface.

    The settings interface is also laid out in a tree structure to facilitate navigation across the various configuration nodes. The settings tree structure is categorized in the following sections:

    Application Settings Contains the configurations screens related to the general application settings.

    Tools Settings Contains the configuration screens related to the tools in the application.

    Scanner Settings Contains the configuration screens related to the Scanner in the application.

    3.3.1 Saving Changes

    The settings interface provides two buttons at the bottom of each configuration screen to apply or discard the changes you have made. To save your configuration changes, click the Apply button; otherwise your changes will not be saved.

    Screenshot 33 Changing the WVS Settings

    After making changes on any of the configuration screens, the text Settings have been changed! will be shown next to these buttons.

    3.4 Error Handling

    If an error occurs in Acunetix WVS, the appropriate response is presented in a dialog box. Please refer to the Troubleshooting section on page 180 for guidelines on how to handle problems in the application.

    Screenshot 34 The Acunetix WVS Error Handling Dialog

    4. Getting Started: Scanning Your Website

    4.1 Starting a Scan

    Auditing the security of your website with Acunetix WVS is easy. The Scan Wizard allows you to quickly set up an automated crawl and scan of your website. An automated scan gives a comprehensive and deep understanding of the website's security level simply by reviewing the individual alerts returned.

    This chapter presents the process of launching a security audit of your website through the Scan Wizard.

    DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION!

    The web server logs will show the scans and any attacks made by Acunetix WVS. If you are not the sole administrator of the website, make sure you warn the other administrators before performing a scan.

    Some scans might cause a website to crash requiring a restart of the website.

    4.2 Step 1: Select Target(s) to Scan

    You will need to enter the IP address or the URL of the website that you wish to scan. To begin a new scan:

    1. Click on File > New Scan: The Scan Wizard will start up and offer you a number of steps to guide you through the process of launching a website audit.

    Screenshot 35 Scan Wizard Select Scan Type

    2. Specify the target(s) to be scanned. The scan target options are:

    Scan single website - Scans a single website. Enter a URL, e.g. http://testphp.acunetix.com, https://www.testaspnet.acunetix.com or http://80.237.145.112.

    Scan using saved crawling results If you previously performed a crawl/scan on a website and saved the results, you can analyze these results directly without having to crawl the site again. Specify the Saved crawler results file by clicking on the folder button.

    Scan List of Websites Scans a list of target websites specified in a plain text file (one target per line). Every target in the file is to be specified in the format:

    or or or

    For example http://80.237.145.112:80/. Ensure that the port is included in each line, even if it is a default port.

    Scan Range of Computers - This will scan a specific range of IP addresses (e.g. 192.168.0.10-192.168.0.200) for target sites which are open on the specified ports (by default 80, 81 and 443).

    3. Click Next to continue.
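The target-list format above (one scheme://host:port/ line per target, port always present) and the IP-range option lend themselves to a small pre-flight script. The following is an added example, not code from Acunetix; it normalizes a plain-text list into that form, rejects lines the scanner could not use, and enumerates the candidate targets an IP range would cover on the default ports. The sample list and the function names are constructed for illustration.

```python
"""Normalize a plain-text target list into the scheme://host:port/ lines that
the Scan List of Websites option expects, and expand an IP range into
candidate targets on the default range-scan ports (80, 81, 443).
Added example code, not part of Acunetix WVS."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
RANGE_SCAN_PORTS = (80, 81, 443)  # defaults named in the manual


def normalize_target(line: str) -> str:
    """Return 'scheme://host:port/' for one target line.

    A missing scheme defaults to http, a missing port to the scheme default,
    and any path or query is dropped because the scanner starts at the root.
    Raises ValueError for lines that cannot be used as a target.
    """
    line = line.strip()
    if not line:
        raise ValueError("empty target")
    if "://" not in line:
        line = "http://" + line
    parts = urlsplit(line)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"unsupported target: {line}")
    port = parts.port or DEFAULT_PORTS[scheme]  # .port raises on a non-numeric port
    if ":" in host:  # IPv6 literal must be bracketed inside a URL
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}/"


def normalize_target_file(text: str) -> tuple[list[str], list[str]]:
    """Split target-file text into (normalized targets, rejected lines)."""
    good, bad = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are skipped, not rejected
        try:
            good.append(normalize_target(raw))
        except ValueError:
            bad.append(raw)
    return good, bad


def expand_ip_range(first: str, last: str, ports=RANGE_SCAN_PORTS) -> list[str]:
    """Enumerate candidate targets for a Scan Range of Computers style range.

    One line per (address, port); port 443 is written as https. The scanner
    keeps only hosts that actually answer on the port; this only lists the
    candidates, so the result is an upper bound on what the scan will touch.
    """
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end.version != start.version or end < start:
        raise ValueError("invalid range")
    out = []
    for i in range(int(end) - int(start) + 1):
        addr = start + i
        host = f"[{addr}]" if addr.version == 6 else str(addr)
        for p in ports:
            scheme = "https" if p == 443 else "http"
            out.append(f"{scheme}://{host}:{p}/")
    return out


# Constructed sample target file (not from the manual).
SAMPLE_LIST = """\
# one target per line
http://testphp.acunetix.com
https://www.testaspnet.acunetix.com:8443/admin/
80.237.145.112
ftp://files.example.test
"""

if __name__ == "__main__":
    targets, rejected = normalize_target_file(SAMPLE_LIST)
    print("\n".join(targets))
    print("rejected:", rejected)
    print(len(expand_ip_range("192.168.0.10", "192.168.0.12")), "range candidates")
```

Run the script over your own list before handing it to the wizard: a rejected line (wrong scheme, unparsable host) is cheaper to catch here than as a silently skipped target, and the range expansion shows how many hosts a range scan may touch before you need authorization for them.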

    4.3 Step 2: Confirm Targets and Technologies Detected

    Screenshot 36 Scan Wizard Selecting Targets and Technologies

    Acunetix WVS will automatically probe the target website(s) for basic details such as the operating system, web server, web server technologies and whether a custom error page is used (for more details on custom error pages refer to page 47 of this manual).

    The web vulnerability scanner will optimize the scan for the selected technologies and use these details to skip tests which are not applicable (e.g. Acunetix WVS will not run IIS-specific tests against a UNIX system). This reduces scanning time.

    If you already know what technologies the website is running, check whether Acunetix WVS identified them correctly. An incorrect detection causes applicable tests to be skipped, so correct the selection rather than accept a wrong guess.

    Click on the relevant field and change the setting from the provided check boxes as shown above.

    After you have confirmed the technologies, click Next to proceed.

    4.4 Step 3: Specify Crawler Options

    Screenshot 37 Scan Wizard Crawling Options

    1. In this dialog you can configure the crawling options.

    Crawling Options

    The Crawler traverses the entire website and identifies its structure. The following crawling options may be configured:

    Start HTTP Sniffer for manual crawling at the end of the scan process - This option will start the HTTP Sniffer automatically at the end of the crawl process, enabling you to browse (the browser must be set to use Acunetix WVS as a proxy) parts of the site that the crawler could not reach or did not find. Frequently these pages are linked via JavaScript menus or other methods. Although Acunetix WVS handles JavaScript, there may be situations where a manual crawl is still required. The crawler will update the site structure with the newly discovered links and pages.

    Get first URL only Scan only the index or first page.

    Do not fetch anything above start folder - Select this option to instruct the crawler not to follow any links above the start folder. For example, if you specify http://testphp.acunetix.com/wvs/ as the start URL it will not traverse links which point to a location above the start folder, e.g. http://testphp.acunetix.com/. However, it will traverse all links to pages located in the /wvs/ folder or any of its subfolders.

    Fetch files below base folder - Select this option to also follow links which point to locations below (inside) the base folder. For example, if you specify http://testphp.acunetix.com/ as the start URL it will traverse links which point to a location below the base link, e.g. http://testphp.acunetix.com/wvs/.

    Fetch directory indexes even if not linked - Select this option to instruct the crawler to request the directory index for every discovered directory even if the directory index is not directly linked.

    Submit forms - With this option enabled, any forms encountered during the scan will be automatically submitted with test data. To instruct WVS to submit specific data in a particular form, navigate to the HTML Forms setting: Configuration > Settings (in Tools Explorer) > Scanner Settings > HTML Forms (in the Settings Interface). For full details on how to configure Acunetix WVS see the chapter Configuring Acunetix WVS on page 126 of this manual.

    Retrieve and process robots.txt, sitemap.xml - Select this option to have Acunetix WVS look for robots.txt and sitemap.xml files and follow all the links they contain. Paths listed in robots.txt are often ones the site owner does not want indexed, which makes them worth crawling from a security standpoint.

    Case insensitive paths - Select this option to ignore any case difference in the links found on the website, e.g. /Admin will be considered the same as /admin.

    Analyze JavaScript Select this option to activate the Client Script Analyzer (CSA) during crawling. This will execute JavaScript/AJAX code on the website to gather a more complete site structure.

    After crawling let me choose the files to scan Select this option to present a window at the end of the crawling process which lets you select which files from the site structure to actually scan.

    Click Next.
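The scope options above are rules a crawler applies to every discovered link. The following added example, not the WVS crawler, implements those rules as described in this step: the start-folder restriction, case-insensitive paths, a set of restricted links such as the logout link identified in the login step, and extraction of extra paths from robots.txt and sitemap.xml. The class and function names and the sample robots.txt and sitemap are constructed for illustration.

```python
"""Crawler scope rules for the options in this step: start-folder
restriction, case-insensitive paths, restricted links (e.g. the logout
link from the login step) and the extra paths that robots.txt and
sitemap.xml reveal. Added example code, not the WVS crawler; the option
semantics follow the manual's descriptions."""
import re
from dataclasses import dataclass, field
from posixpath import normpath
from urllib.parse import urljoin, urlsplit
from xml.etree import ElementTree  # prefer defusedxml for untrusted sitemaps


@dataclass
class CrawlScope:
    start_url: str
    stay_below_start_folder: bool = True  # "Do not fetch anything above start folder"
    case_insensitive_paths: bool = True   # "Case insensitive paths"
    restricted: set[str] = field(default_factory=set)  # links never requested

    def canonical(self, url: str) -> str:
        """Resolve relative links, collapse '..' segments, drop the fragment."""
        parts = urlsplit(urljoin(self.start_url, url))
        path = normpath(parts.path or "/")
        if parts.path.endswith("/") and not path.endswith("/"):
            path += "/"
        if self.case_insensitive_paths:
            path = path.lower()
        query = f"?{parts.query}" if parts.query else ""
        return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"

    def _start_folder(self) -> str:
        path = urlsplit(self.canonical(self.start_url)).path
        return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"

    def in_scope(self, url: str) -> bool:
        cand = self.canonical(url)
        if cand in {self.canonical(r) for r in self.restricted}:
            return False  # e.g. logout.php: requesting it would end the session
        if urlsplit(cand).netloc != urlsplit(self.canonical(self.start_url)).netloc:
            return False  # another host is always out of scope
        if self.stay_below_start_folder:
            # '..' was collapsed by canonical(), so a prefix test is safe here
            return urlsplit(cand).path.startswith(self._start_folder())
        return True


def paths_from_robots(text: str) -> list[str]:
    """Allow/Disallow entries: paths the site owner knows about but may never link to."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)(allow|disallow)\s*:\s*(\S+)", line)
        if m and m.group(2) != "/":
            found.append(m.group(2).rstrip("*$"))
    return found


def urls_from_sitemap(xml_text: str) -> list[str]:
    root = ElementTree.fromstring(xml_text)
    return [el.text.strip() for el in root.iter() if el.tag.endswith("}loc") and el.text]


def crawl_candidates(scope: CrawlScope, links: list[str]) -> list[str]:
    """De-duplicated, in-scope canonical URLs from a batch of discovered links."""
    seen = []
    for link in links:
        if scope.in_scope(link):
            c = scope.canonical(link)
            if c not in seen:
                seen.append(c)
    return seen


# Constructed sample data (not from the manual).
ROBOTS_TXT = "User-agent: *\nDisallow: /wvs/admin/ # keep out\nAllow: /wvs/public/\nDisallow: /\n"
SITEMAP_XML = ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
               '<url><loc>http://testphp.acunetix.com/wvs/hidden.php</loc></url></urlset>')

if __name__ == "__main__":
    scope = CrawlScope("http://testphp.acunetix.com/wvs/",
                       restricted={"http://testphp.acunetix.com/wvs/logout.php"})
    links = ["index.php", "Logout.php", "../index.php", "/wvs/../wvs/Admin/"]
    links += paths_from_robots(ROBOTS_TXT) + urls_from_sitemap(SITEMAP_XML)
    for u in crawl_candidates(scope, links):
        print(u)
```

The canonicalization step matters more than it looks: a link such as /wvs/../wvs/Admin/ must be collapsed before the start-folder prefix check, and the restricted-link comparison must use the same normalized form (including the case folding), otherwise Logout.php slips past a rule written for logout.php and the crawler logs itself out.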

    4.5 Step 4: Specify Scanning Profile Options and Mode

    1. In this dialog you can configure the scanning profile and scan options, including the options for the scanning mode.

    Scanning Profile

    The Scanning Profile will determine which tests are to be carried out on the target site.

    For example, if you only want to test your website(s) for SQL injection, you would select the sql_injection profile and no additional tests would be performed.

    Refer to the Scanning Profiles section on page 153 for more information on how to customize existing profiles and create new scanning profiles.

    Scan Options

    From this section you can select the Scanning Mode which will be used during the scan. The scanning mode options are the following:

    Quick In this mode the scanner will test for just the first value of every parameter.

    Heuristic - In this mode the scanner will try to determine automatically for which parameters all values should be tested and for which only the first value.

    Extensive In this mode the scanner will test all possible combinations for all parameters on the website. In some cases, this can generate a huge number of requests and should be used with caution.

    The other options which you can select are:

    Test known web application vulnerabilities on every directory - If this option is selected, the scanner will test for the known web application vulnerabilities in every directory, instead of only in the default directory for each known vulnerability. This option generates a lot of HTTP traffic and will extend the scanning time if the website being scanned is very large.

    Manipulate HTTP headers - With this option selected, the scanner will also inject test values into HTTP request headers (for example those read by server-side technologies), not only into URL and form parameters.

    Check for stored XSS - Enabling this option instructs the scanner to run extra tests for XSS payloads that may be stored (for example in a database) and rendered back on other pages.

    4.6 Step 5: Configure Login for Password Protected Areas

    Your website may have password protected areas or pages behind an HTML form (e.g. visitor registration required to download whitepapers, files etc.), protected using either HTTP authentication or HTML forms authentication.

    HTML forms authentication is not part of the HTTP protocol itself: the site presents a web form which asks the user for a username and password, and this information is sent back to the server for validation by a server-side script.

    HTTP authentication is part of the HTTP specification. If a site uses HTTP authentication, the browser will pop up a password dialog. The web server validates the logon against a database of users (in the case of IIS these are typically Windows user accounts, and in the case of Apache they are typically stored in a password file).

    If you want Acunetix WVS to scan the pages behind the login page, configure Acunetix WVS with the credentials for the HTTP password protected area, or record the HTML form login, as described below.

    Screenshot 38 - Login Details Options

    To test an HTTP password protected area:

    1. Tick the box Authenticate with this user name and password combination

    2. Enter the username and password

    3. Click Next. When Acunetix WVS encounters an HTTP authentication challenge, it will use the details you entered.

    To test an HTML form password protected area:

    1. Click on Record new login sequence. The Login Sequence Recorder window starts. The Login Sequence Recorder allows WVS to save and replay all the steps you performed manually to access the area secured by the login page.

    2. Browse to the HTML form login page, enter the username and password and authenticate by clicking login. Note that on your website the names of the fields and the submit button might be different. Now click on the End login sequence button at the top of the dialog.

    Screenshot 39 - Login Sequence Recording

    Screenshot 40 - Login Sequence Recording Logout

    3. After you have authenticated, you also need to identify the logout link; otherwise Acunetix WVS will crawl the logout link and log itself out of the password protected area. Click on the logout link and select Restricted link. Any other link that changes the session state (for example a password-change form) deserves the same treatment.

    Screenshot 41 - Login Sequence Editing

    4. You can review the login sequence that you recorded by clicking on the Edit login sequence button.

    5. When you are done, click on the save icon and click on the exit button to exit the login sequence editor. The wizard will save the login sequence.

    Screenshot 42 - Login Sequences configuration

    You can reuse the login sequence during future scans. Login sequences can be edited from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > Login sequences node in the Settings Interface as shown.

    Screenshot 43 The Tools Explorer and Access to Application, Tool and Scanner Settings

    4.7 Step 6: Configuring Custom 404 Error Pages

    A 404 error page is the page which appears when an invalid URL is requested. Rather than displaying the standard 404 error, many websites show a page formatted according to the look and feel of the website to inform the user that the requested page does not exist. Such custom 404 pages are often returned with a status code other than 404 (typically 200), so the status code alone does not reveal that the URL is invalid. Acunetix WVS must therefore be able to identify these pages automatically in order to tell an invalid URL from a valid web page.

    The scan wizard will automatically try to detect whether your site uses custom error pages. If it does, WVS will display the custom error page and automatically attempt to locate the unique identifier of such an error page (in the screenshot, Error 404: Page Not Found).

    To configure the custom error page:

    1. Highlight the text that is unique to this page. This text should not be found on any other page on your website; a generic phrase such as not found may also appear in normal content and would cause valid pages to be treated as missing.

    You can choose to configure HTML form input directly, without the login sequence editor, from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > HTML Forms node.

    For more information see the chapter Configuring Acunetix WVS on page 126 of this manual.

    Screenshot 44 Custom Error Page Configuration

    2. Click on the Generate pattern button within the wizard window to generate a regular expression from the highlighted text. The highlighted text will be copied to the Error message pattern box and changed into a regular expression that Acunetix WVS can interpret.

    3. Click on the Test pattern button to verify the generated pattern.

    4. Click Next.

    Once the custom error page is configured, it will be saved and may be accessed by selecting Configuration > Settings from the Tools Explorer and then selecting the Scanner Settings > Custom 404 Pages node.
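The pattern workflow above (highlight unique text, generate a pattern, test it) can be reproduced offline. The following added example, not the WVS implementation, builds a pattern from the highlighted text, checks it against known error and valid pages the way the Test pattern step does, and classifies responses so that a custom error page served with status 200 is treated as a missing page. The sample responses and function names are constructed for illustration.

```python
"""Soft-404 handling: turn text that is unique to the custom error page into
a pattern, verify it against known pages, and use it to tell real pages
from 'not found' pages served with a 200 status. Added example code, not
the WVS implementation."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    status: int
    body: str


def generate_pattern(highlighted: str) -> str:
    """Escape the highlighted text; allow any whitespace or markup between words."""
    return r"\s+".join(re.escape(w) for w in highlighted.split())


def matches_pattern(pattern: str, body: str) -> bool:
    text = re.sub(r"<[^>]+>", " ", body)  # tags become whitespace
    return re.search(pattern, text, re.IGNORECASE) is not None


def verify_pattern(pattern: str, error_pages: list[Response], valid_pages: list[Response]) -> bool:
    """The Test pattern check: the pattern must hit every error page and no valid page."""
    return (all(matches_pattern(pattern, r.body) for r in error_pages)
            and not any(matches_pattern(pattern, r.body) for r in valid_pages))


def classify(resp: Response, error_pattern: str) -> str:
    """'missing' for a real 404 or a soft 404 that matches the pattern, else 'found'."""
    if resp.status == 404 or matches_pattern(error_pattern, resp.body):
        return "missing"
    return "found"


# Constructed responses (not from the manual): one real page, one custom
# error page returned with status 200, one genuine 404, and a page whose
# text could fool a badly chosen pattern.
SAMPLE = [
    Response("/index.php", 200, "<html><title>Home</title><body>Welcome</body></html>"),
    Response("/nope.php", 200, "<html><body><h1>Error 404:</h1><p>Page   Not Found</p></body></html>"),
    Response("/gone.php", 404, "Not Found"),
    Response("/about.php", 200, "<p>Our page is not found in many directories</p>"),
]

if __name__ == "__main__":
    good = generate_pattern("Error 404: Page Not Found")
    bad = generate_pattern("not found")
    print(verify_pattern(good, [SAMPLE[1]], [SAMPLE[0], SAMPLE[3]]))  # True
    print(verify_pattern(bad, [SAMPLE[1]], [SAMPLE[0], SAMPLE[3]]))   # False
    for r in SAMPLE:
        print(r.url, classify(r, good))
```

Without the pattern, /nope.php would be reported as an existing page (status 200) and every guessed file name would look like a hit; with a pattern that is too generic, /about.php would be dropped from the scan. Verifying against a handful of pages you know to be valid catches the second mistake before the scan runs.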

    Screenshot 45 - Scan Wizard - Finish window

    5. In the Finish window, if you want to save the scan results to a database, enable Save scan results to the database for report generation.

    Click on the Finish button to start the scan.

    4.8 Selecting the Files/Folders to Scan

    If the option to choose the files to scan was selected in the crawling option, a window with the site structure will open up, from which a selection of files to scan and ones to ignore can be made.

    By default all the files and folders in the site structure shown will be selected. To remove items from being included in the scan, simply uncheck the tick box next to the item.

    For websites with a large number of items, the toolbar at the top of the window provides the following functionality:

    Filter Show only the items partially matching the entered text

    Check Selected Select the highlighted items

    Uncheck Selected Deselect the highlighted items

    Check All Select ALL files in the site structure

    Uncheck All Deselect ALL files in site structure

    It may take several hours to complete an automated scan of a large website!

    Screenshot 46 Choice of which files / folders to include in the scan

    4.9 Analyzing the Scan Results

    After the scan is completed, the results can be expanded by clicking on the scan, in the Scan results window. Two main nodes, Alerts and Site Structure, will be shown.

    Screenshot 47 - Scan Result and Information window

    To change the selection of multiple items at the same time without having to go through each item individually, you can use the CTRL and SHIFT key combinations.

    4.9.1 Alerts Node

    The Alerts node displays all vulnerabilities found and how to fix them. Alerts are sorted into four severity levels: High, Medium, Low and Informational. The number of vulnerabilities detected is displayed in brackets () next to each alert category.

    Screenshot 48 - Scan Results Vulnerability information

    By clicking on an alert node, more information will be shown:

    Vulnerability description A description of the current vulnerability and the object affected.

    The impact of this vulnerability What impact this vulnerability may have.

    Attack details Detailed information about the current alert. For example, for an SQL injection alert the parameters used to test for this vulnerability will be displayed.

    View HTTP headers Display HTTP headers for the request and response.

    View HTML response Display the HTML response as a frame in the current document.

    Launch the attack with HTTP Editor This will load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, please refer to the HTTP Editor chapter.

    How to fix this vulnerability Recommendation on how to fix the problem.

    Detailed information This section provides extensive detailed information for certain high risk vulnerabilities.

    Web references A list of references where you could gather more information about the current vulnerability and/or how to fix it.

    Levels of Severity

    There are four vulnerability severity levels:

    High Risk Alert Level 3 Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.

    Medium Risk Alert Level 2 Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and directory intrusion.

    Low Risk Alert Level 1 Vulnerabilities derived from lack of encryption for data traffic, or directory path disclosures

    Informational Alert Sites which are susceptible to revealing information through GHDB search strings, or email addresses disclosure.

    For further investigation, click on Launch the attack with HTTP Editor at the bottom of the pane. This will load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, refer to the HTTP Editor chapter on page 79 of this manual.

    4.9.2 Site Structure Node

    The Site Structure Node displays the layout of the target site including all files and directories discovered during the crawling process. For every item retrieved more detailed information is available in the right information pane.

    Screenshot 49 - Site Structure details

    Summary information for a file or directory includes:

    Filename The name of this file/directory.

    Page Title The page title of this file/directory.

    File path The file/directory location.

    URL The file/directory URL location.

    HTTP Result The HTTP response code returned for a GET request to this file/directory.

    Length The file/directory size in bytes.

    Input Variable Count The number of inputs (usually HTML form fields) used for collecting and processing data.

    Status File status.

    Grouping of Test Variants

    When more than one instance of the same vulnerability is detected on a page, the scanner will group the variants of each vulnerability according to the parameter which was tested. This makes it easy to see how many distinct findings were detected, and also how many files were found to be vulnerable.

    This organization of vulnerability data makes it easier for results to be interpreted, and also makes it easier to keep track of vulnerable pages and what vulnerabilities need to be fixed. Vulnerability data can also be presented in a report with this system of grouping, by selecting the Vulnerability Report template in the reporting application.

    4.10 Saving the Scan Results

    When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session including alert information and site structure.

    To save the scan results go to File > Save Scan Results.

    To load saved scan results go to File > Load Scan Results.

    4.11 Generating a Report from the Scan Results

    Creating a report when viewing the scan results is as easy as clicking a button. Simply click on the Report button on the toolbar at the top; this automatically starts the report generation process using the default report configuration.

    More information on how to configure the default report, which is generated when clicking on the Report button, can be found on page 112 of this manual.

    Screenshot 50 - Report Button in Scan Results

    Once the report is generated, the Acunetix WVS Reporter will automatically be launched, and you will be presented with the vulnerability report which is configured as the default. From this screen you can print the report or export it to the various supported formats.

    Screenshot 51 Default Generated Report from Scan Results

    To generate a report, a database must be configured (either MDB or SQL). This can be done from the Tools Explorer by selecting the Configuration > Settings node and, subsequently, Application Settings > Database.

    4.12 Google Hacking Vulnerabilities

    Google hacking is the term used when an attacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better-known Google hacking queries, an attacker may still crawl your site and run Google Hacking Database queries directly against the crawled content.

    The Google hacking feature will launch all the queries found in the Google Hacking Database, onto the crawled content of your website thus finding any sensitive data or exploitable targets before a search engine hacker does. The Google hacking feature is a unique, industry first feature.
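The following added example, not the Acunetix GHDB engine, shows the idea behind running GHDB-style queries against crawled content rather than against a search engine: a handful of operators (intitle, inurl, intext, filetype, site) are evaluated against page titles, URLs and bodies. The queries and pages are constructed for illustration; the real GHDB contains far more entries and the full search-engine syntax.

```python
"""Offline Google-hacking check: evaluate GHDB-style queries (intitle:,
inurl:, intext:, filetype:, site:) against crawled pages instead of against
a search engine. Added example code with constructed queries and pages; it
is not the Acunetix GHDB or its matching engine."""
import shlex
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import urlsplit

OPERATORS = ("intitle", "inurl", "intext", "filetype", "ext", "site")


@dataclass
class Page:
    url: str
    title: str
    body: str


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split a query into (operator, term) pairs; bare words mean intext."""
    terms = []
    for tok in shlex.split(query):  # keeps quoted phrases together
        op, sep, val = tok.partition(":")
        if sep and op.lower() in OPERATORS and val:
            terms.append((op.lower(), val))
        else:
            terms.append(("intext", tok))
    return terms


def _field(page: Page, op: str) -> str:
    if op == "intitle":
        return page.title
    if op == "inurl":
        return page.url
    if op == "site":
        return urlsplit(page.url).netloc
    if op in ("filetype", "ext"):
        return splitext(urlsplit(page.url).path)[1].lstrip(".")
    return page.body


def matches(page: Page, terms: list[tuple[str, str]]) -> bool:
    """Every term must match; filetype is an exact match, the rest are substrings."""
    for op, val in terms:
        hay = _field(page, op).lower()
        if op in ("filetype", "ext"):
            if hay != val.lower():
                return False
        elif val.lower() not in hay:
            return False
    return True


def run_queries(pages: list[Page], queries: dict[str, str]) -> dict[str, list[str]]:
    """Map each query name to the URLs of crawled pages it would expose."""
    hits = {}
    for name, query in queries.items():
        terms = parse_query(query)
        urls = [p.url for p in pages if matches(p, terms)]
        if urls:
            hits[name] = urls
    return hits


# Constructed crawled content and queries (not the real GHDB).
PAGES = [
    Page("http://testphp.acunetix.com/wvs/", "Home", "Welcome to the test site"),
    Page("http://testphp.acunetix.com/wvs/backup/", "Index of /wvs/backup", "<a href='db.sql'>db.sql</a>"),
    Page("http://testphp.acunetix.com/wvs/backup/db.sql", "", "INSERT INTO users VALUES ('admin','password123');"),
    Page("http://testphp.acunetix.com/wvs/admin/login.php", "Admin login", "Username: Password:"),
]
QUERIES = {
    "directory listing": 'intitle:"index of"',
    "sql dump with credentials": "filetype:sql intext:password",
    "admin login page": "inurl:admin intitle:login",
}

if __name__ == "__main__":
    for name, urls in run_queries(PAGES, QUERIES).items():
        print(f"{name}: {', '.join(urls)}")
```

The point of evaluating the queries locally is that it does not depend on what the search engine has indexed or chooses to block: the directory listing and the SQL dump above are exposed whether or not Google has crawled them yet.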

    The Google Hacking Database i