Web Vulnerability Scanner v9.5 Product Manual
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd.

Acunetix Web Vulnerability Scanner is copyright of Acunetix Ltd. 2004-2014. Acunetix Ltd. All rights reserved.

http://[email protected]: 3rd November 2014
Table of Contents

Introduction
Overview
Installing Acunetix
Installing AcuSensor
Scanning a Website
Analysing Scan Results
Scanning Web Services
Generating Reports
Acunetix Reports
Scheduling Scans
Troubleshooting and Support
Introduction to Acunetix Web Vulnerability Scanner

Why You Need To Secure Your Web Applications

Website security is today's most overlooked aspect of securing an enterprise and should be a priority in any organization. Increasingly, hackers are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites. A victim's website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website's bandwidth and making its owner liable for these unlawful acts.

Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, web forms), Authentication Attacks, Directory Enumeration and other exploits.

The hacking community is also very close-knit: newly discovered web application intrusions, known as Zero Day exploits, are posted on a number of forums and websites known only to members of that exclusive underground group. Postings are updated daily and are used to propagate and facilitate further hacking.

Web applications (shopping carts, forms, login pages, dynamic content, and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.

Why are web applications vulnerable?

- Websites and web applications are easily available via the internet 24 hours a day, 7 days a week to customers, employees, suppliers and therefore also hackers.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases.
- Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.

Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.

Network security defense provides no protection against web application attacks since these are launched on port 80, which has to remain open to allow regular operation of the business. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.
The need for automated web application security scanning

Manual vulnerability auditing of all your web applications is complex and time-consuming, since it generally involves processing a large volume of data. It also demands a high level of expertise and the ability to keep track of considerable volumes of code used in a web application. In addition, hackers are constantly finding new ways to exploit your web application, which means that you would have to constantly monitor the security communities, and find new vulnerabilities in your web application code before hackers discover them.

Automated vulnerability scanning allows you to focus on the already challenging task of building a web application. An automated web application scanner is always on the lookout for new attack paths that hackers can use to access your web application or the data behind it. Within minutes, an automated web application scanner can scan your web application, identify all the files accessible from the internet and simulate hacker activity in order to identify vulnerable components. In addition, an automated vulnerability scanner can also be used to assess the code which makes up a web application, allowing it to identify potential vulnerabilities which might not be obvious from the internet, but still exist in the web application, and can thus still be exploited.

Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross Site Scripting and other exploitable vulnerabilities. In general, Acunetix Web Vulnerability Scanner scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol.

Acunetix Web Vulnerability Scanner offers a strong and unique solution for analyzing off-the-shelf and custom web applications, including those utilizing JavaScript, AJAX and Web 2.0 web applications. Acunetix has an advanced crawler that can find almost any file. This is important since what is not found cannot be checked.
How Acunetix Web Vulnerability Scanner Works

Acunetix Web Vulnerability Scanner works in the following manner:

1. Acunetix DeepScan analyses the entire website by following all the links on the site, including links which are dynamically constructed using JavaScript, and links found in robots.txt and sitemap.xml (if available). The result is a map of the site, which Acunetix Web Vulnerability Scanner will use to launch targeted checks against each part of the site.

Screenshot: Crawler Results

2. If Acunetix AcuSensor Technology is enabled, the sensor will retrieve a listing of all the files present in the web application directory and add the files not found by the crawler to the crawler output. Such files usually are not discovered by the crawler as they are not accessible from the web server, or not linked through the website. Acunetix AcuSensor also analyses files which are not accessible from the internet, such as web.config.

3. After the crawling process, the Web Vulnerability Scanner automatically launches a series of vulnerability checks on each page found, in essence emulating a hacker. Acunetix Web Vulnerability Scanner also analyses each page for places where it can input data, and subsequently attempts all the different input combinations. This is the Automated Scan Stage. If the AcuSensor Technology is enabled, a series of additional vulnerability checks are launched against the website. More information about AcuSensor is provided in the following section.

Screenshot: Scan Results

4. The vulnerabilities identified are shown in the Scan Results. Each vulnerability alert contains information about the vulnerability such as POST data used, affected item, HTTP response of the server and more.

5. If AcuSensor Technology is used, details such as source code line number, stack trace or affected SQL query which lead to the vulnerability are listed. Recommendations on how to fix the vulnerability are also shown.

6. Various reports can be generated on completed scans, including the Executive Summary report, the Developer report and various compliance reports such as PCI or ISO 27001.
Acunetix AcuSensor Technology

Acunetix's unique AcuSensor Technology allows you to identify more vulnerabilities than other Web Application Scanners, whilst generating less false positives. Acunetix AcuSensor indicates exactly where in your code the vulnerability is and reports additional debug information.

Screenshot: AcuSensor pinpoints vulnerabilities in code

The increased accuracy, available for PHP and .NET web applications, is achieved by combining black box scanning techniques with feedback from sensors placed inside the source code. Black box scanning does not know how the application reacts, and source code analyzers do not understand how the application will behave while it is being attacked. AcuSensor technology combines both techniques to achieve significantly better results than using source code analyzers and black box scanning independently.

The AcuSensor sensors can be inserted in the .NET and PHP code transparently. The .NET source code is not required: the sensors can be injected in already compiled .NET applications! Thus there is no need to install a compiler or obtain the web application's source code, which is a big advantage when using a third party .NET application. In case of PHP web applications, the source is readily available. To date, Acunetix is the only Web Vulnerability Scanner to implement this technology.
Advantages of using AcuSensor Technology

- Ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query.
- Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query, etc.
- Significantly reduces false positives when scanning a website because it understands the behavior of the web application better.
- Alerts you to web application configuration problems which can result in a vulnerable application or expose sensitive information. E.g. if custom errors are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects more SQL injection vulnerabilities. Previously SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improved detection.
- Ability to detect SQL injection vulnerabilities in all SQL statements, including in SQL INSERT statements. Using a black box scanner such SQL injection vulnerabilities cannot be found. This significantly increases the ability for Acunetix Web Vulnerability Scanner to find vulnerabilities.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and scanned when using the AcuSensor Technology and you will be alerted.
- AcuSensor Technology is able to intercept all web application inputs and build a comprehensive list with all possible inputs in the website and test them.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URLs! Using the AcuSensor Technology the scanner is able to rewrite SEO URLs on the fly.
- Ability to test for arbitrary file creation and deletion vulnerabilities. E.g. through a vulnerable script a malicious user can create a file in the web application directory and execute it to have privileged access, or delete sensitive web application files.
- Ability to test for email injection. E.g. a malicious user may append additional information such as a list of recipients or additional information to the message body to a vulnerable web form, to spam a large number of recipients anonymously.
Network Vulnerability Scanning

As part of a website audit, Acunetix will execute a network security audit of the server hosting the website. This network security scan will identify any services running on the scanned server by running a port scan on the system. Acunetix will report the operating system and the software hosting the services detected. This process will also identify Trojans which might be lurking on the server. The network vulnerability scan assesses the security of popular protocols such as FTP, DNS, SMTP, IMAP, POP3, SSH, SNMP and Telnet. Apart from testing for weak or default passwords, Acunetix will also check for misconfiguration in the services detected which could lead to a security breach. Acunetix will also check that any other servers running on the machine are not using any deprecated protocols. All these lead to an insecure system, which would allow an intruder to damage your website and your reputation.

Acunetix Online Vulnerability Scanner (OVS) also integrates the popular OpenVAS network scanner to check for over 35,000 network vulnerabilities. During a network scan, Acunetix OVS makes use of various port probing and OS fingerprinting techniques to identify a vast number of devices, Operating Systems and server products. Numerous security checks are then launched against the products identified running on the scanned server, allowing you to detect all the vulnerabilities that exist on your perimeter servers.
Acunetix Web Vulnerability Scanner Overview

Acunetix Web Vulnerability Scanner allows you to secure your website quickly and efficiently. It consists of the following components:

Screenshot: Acunetix Web Vulnerability Scanner

Web Scanner

The Web Scanner launches an automatic security audit of a website. A website security scan typically consists of two phases:

1. Crawling: Making use of Acunetix DeepScan, Acunetix Web Vulnerability Scanner automatically analyzes and crawls the website in order to build the site's structure. The crawling process enumerates all files and is vital to ensure that all the files of your website are scanned.

2. Scanning: Acunetix Web Vulnerability Scanner launches a series of web vulnerability checks against each file in your web application, in effect emulating a hacker. The results of a scan are displayed in the Alert Node tree and include comprehensive details of all the vulnerabilities found within the website.

AcuSensor Technology Agent

Acunetix AcuSensor Technology is a unique technology that allows you to identify more vulnerabilities than a traditional black box web security scanner, and is designed to further reduce false positives. Additionally, it also indicates the code where the vulnerability was found. This increased accuracy is achieved by combining black box scanning techniques with dynamic code analysis whilst the source code is being executed. For Acunetix AcuSensor to work, an agent must be installed on your website to enable communication between Acunetix Web Vulnerability Scanner and AcuSensor. Acunetix AcuSensor can be used with both PHP and .NET web applications.

AcuMonitor Service

Some vulnerabilities can only be detected using an intermediate service. The Acunetix AcuMonitor service allows Acunetix Web Vulnerability Scanner to detect such vulnerabilities. Depending on the vulnerability, AcuMonitor can either report the vulnerability immediately during a scan, or send a notification email directly to the user if the vulnerability is identified after the scan has finished. More information on the AcuMonitor Service can be found at http://www.acunetix.com/websitesecurity/acumonitor/

Port Scanner

Screenshot: Port Scanning

The Port Scanner performs a port scan against the web server hosting the scanned website. Where open ports are found, Acunetix Web Vulnerability Scanner will perform network level security checks against the network service running on that port. These include DNS Open Recursion tests, badly configured proxy server tests, weak SNMP community strings, and many other network level security checks. You can also write your own network services security checks using the script engine. A scripting reference is available from: http://www.acunetix.com/blog/docs/creatingcustomchecksacunetixwebvulnerabilityscanner/
Target Finder

Screenshot: Target Finder

The Target Finder is a scanner that allows you to locate web servers (generally on ports 80, 443) within a given range of IP addresses. If a web server is found, the scanner will also display the response header of the server and the web server software. The port numbers to scan are configurable. More information about the Target Finder can be found here: http://www.acunetix.com/blog/docs/targetfinder/
Subdomain Scanner

Screenshot: Subdomain Scanner

Using various techniques, the Subdomain Scanner allows fast and easy identification of active subdomains of a top level domain. The Subdomain Scanner can be configured to use the target's DNS server or any other DNS server specified by the user. More information about the Subdomain Scanner can be found here: http://www.acunetix.com/blog/docs/subdomainscanner/
Blind SQL Injector

Screenshot: Blind SQL Injector

Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool with which you can make manual tests to further analyze SQL injections reported during a scan. The tool makes use of Blind SQL Injection techniques to enumerate databases and tables, dump data and also read specific files on the file system of the web server if an exploitable SQL injection is discovered. With the Blind SQL Injector tool you can also run manual tests to check for different variants of SQL injection. Using this tool, you can also run custom SQL Select queries against the database. More information about the Blind SQL Injector can be found here: http://www.acunetix.com/blog/docs/blindsqlinjectortool/
HTTP Editor

Screenshot: HTTP Editor

The HTTP Editor allows you to create, analyze, and edit client HTTP requests and server responses. It also contains an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 formats and many other formats. You can start the HTTP Editor from the Tools node within the Tools Explorer. The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers data. More information about the HTTP Editor can be found here: http://www.acunetix.com/blog/docs/httpeditor/
HTTP Sniffer

Screenshot: HTTP Sniffer

The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to capture traffic before it is sent to the web server or back to the web client. This tool is useful to:

- Analyze how Session IDs are stored and how inputs are sent to the server.
- Alter any HTTP requests being sent back to the server before they get sent.
- Manual crawling: navigate through parts of the website which cannot be crawled automatically, and import the results into the scanner to include them in the automated scan.

For HTTP requests to pass through Acunetix Web Vulnerability Scanner, Acunetix Web Vulnerability Scanner must be configured as a proxy in your web browser.
HTTP Fuzzer

Screenshot: HTTP Fuzzer

The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application's handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner. An example would be the following URL: http://testphp.acunetix.com/listproducts.php?cat=1. Using the HTTP Fuzzer you can create a rule that would automatically replace the last part of the URL (1) with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries without having to perform them one by one. More information about the HTTP Fuzzer can be found here: http://www.acunetix.com/blog/docs/httpfuzzertool/
Authentication Tester

Screenshot: Authentication Tester

With the Authentication Tester you can perform a dictionary attack against login pages that use either HTTP (NTLMv1, NTLMv2, digest) or form based authentication. This tool uses two predefined text files (dictionaries) containing a list of common usernames and passwords. You can add your own combinations to these text files. More information about the Authentication Tester can be found here: http://www.acunetix.com/blog/docs/authenticationtester/
Web Services Scanner and Web Services Editor

Screenshot: Web Services Scanner

The Web Services Scanner allows you to launch automated vulnerability scans against WSDL based Web Services. Web Services are commonly used to exchange data, and generally vulnerabilities in Web Services can easily be exploited in order to leak sensitive information. The Web Services Editor allows you to import an online or local WSDL for custom editing and execution of various web service operations over different port types for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages to easily edit SOAP headers and customize your own manual attacks.
Acunetix Web Vulnerability Scanner SDK

Screenshot: Web Vulnerability Scanner Scripting tool

The Acunetix Web Vulnerability Scanner Scripting tool allows you to create new custom web vulnerability checks. These checks must be written in JavaScript and require installation of the Software Development Kit (SDK). You can read more about writing custom web security checks at the following URL: http://www.acunetix.com/blog/docs/creatingcustomvulnerabilitychecks/ You can download the scripting SDK from: http://www.acunetix.com/download/tools/Acunetix_SDK.zip

Reporter

The Reporter allows you to generate reports of scan results in a printable format. Various report templates are available, including summary, detailed reports and compliance reporting. The Consultant Version of Acunetix Web Vulnerability Scanner allows customization of the generated report.

Screenshot: Typical Report including Chart of alerts
New in Acunetix Web Vulnerability Scanner Version 9

- Introduction of Acunetix DeepScan, which makes use of the same rendering engine used in Google Chrome and Apple Safari to better identify the website's structure during a scan. Acunetix DeepScan provides a huge improvement in scanning of AJAX sites, JavaScript based sites and Single Page Applications (SPA).
- Introduction of the Acunetix AcuMonitor service, which is used to identify specific vulnerabilities which require an intermediate server.
- Improved support in detecting and scanning smartphone/tablet friendly websites. When a mobile friendly site is scanned, the user is given the option to crawl and scan the site as a normal browser or as a smartphone browser.
- Full support for HTML5 websites.
- Detection of DOM based XSS vulnerabilities.
- Detection of Blind XSS vulnerabilities (using AcuMonitor).
- Detection of Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection and Host Header based vulnerabilities (using AcuMonitor).

New in Acunetix Web Vulnerability Scanner Version 9.5

- Detection of SQL Injection, XSS and other vulnerabilities in web applications implemented in Google Web Toolkit.
- Detection of vulnerabilities in JSON and XML data and HTTP HOST Headers.
- Alerts are now tagged with their CVE, CWE and CVSS.
- AcuSensor now supports .NET 4.5.
- Introduced support for CRUD (create, read, update and delete).
- New report for NIST 800-53 rev 4.
Acunetix Blog and Support Page

Acunetix publishes a number of web security and Acunetix how-to technical documents on the Acunetix Web Application Security Blog http://www.acunetix.com/blog. You can also find a number of support related documents, such as FAQs, in the Acunetix Web Vulnerability Scanner support page http://www.acunetix.com/support.

Licensing Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner is available in 5 editions: Small Business, Enterprise, Enterprise x10 instances, Consultant and Consultant x10 instances. Ordering and pricing information can be found here: http://www.acunetix.com/ordering/pricing.htm

Perpetual or Time Based Licenses

Acunetix Web Vulnerability Scanner Enterprise and Consultant editions are sold as a 1 year subscription or perpetual license. The 1 year subscription license expires after 1 year from the date of download or activation. The perpetual license does not expire. The Small Business version is available as a perpetual license only. If you purchase the perpetual license, you must buy a maintenance agreement to get free support and upgrades beyond the first month after purchase. The maintenance agreement entitles you to free version upgrades and support for the duration of the agreement. Support and version upgrades are included in the price of the one year license.

Enterprise Edition (Unlimited Sites/Servers)

The Enterprise edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer to scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. Acunetix Enterprise edition will leave a trail in the log files of the scanned server, and scanning of third party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.

Consultant Edition

The Consultant edition license allows you to install one copy of Acunetix on one computer to scan an unlimited number of sites or servers including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct edition to use if you are a consultant who provides web security testing services or are a hosting provider or ISP. The Consultant edition also includes the capability of modifying the reports to include your own company logo. This edition does not leave any trail in the log files of the scanned server. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.

Limitations of the Trial

The trial of Acunetix Web Vulnerability Scanner downloadable from the Acunetix website is practically identical to the full version in functionality and features, but contains the following limitations:

- The Trial edition will expire after 15 days.
- When scanning your website, all the Web Alerts will be reported. However, you will not be able to drill down and find where the vulnerability is found in your website.
- Reports cannot be generated. Scan results will not be stored in the Reports database.
- Full scans (including detailed information on the vulnerabilities discovered) can be made against the following Acunetix test websites:
  http://testphp.vulnweb.com
  http://testasp.vulnweb.com
  http://testaspnet.vulnweb.com
  http://testhtml5.vulnweb.com
- The Scan Scheduler is not available.

If you decide to purchase Acunetix Web Vulnerability Scanner, you will need to uninstall the trial and install the purchased edition, which must be downloaded as a separate installer file. Download the installer file using the link provided by our sales team, and double click to begin the setup. You will be prompted to remove the trial and install the full edition. All settings from the previously installed version will be retained. Once the installation is complete, you will be prompted to enter the License key.
Installing Acunetix Web Vulnerability Scanner

Minimum System Requirements

- Operating system: Microsoft Windows XP and later
- CPU: 32 bit or 64 bit processor
- System memory: minimum of 2 GB RAM
- Storage: 200 MB of available hard disk space
- Microsoft Internet Explorer 7 (or later): some components of Internet Explorer are used by Acunetix
- Optional: Microsoft SQL Server for the reporting database. By default a Microsoft Access database is used (Microsoft Access is not required).

Installing Acunetix Web Vulnerability Scanner

1. Download the latest version of Acunetix Web Vulnerability Scanner from the download location provided when you purchased the license.
2. Double click the webvulnscan.exe file to launch the Acunetix Web Vulnerability Scanner installation wizard and click Next when prompted.
3. Review and accept the License Agreement.
4. Select the folder location where Acunetix Web Vulnerability Scanner will be installed.
5. The installation will prompt you to install a unique root certificate used for HTTPS traffic and to create a desktop shortcut.
6. Click Install to start the installation. Setup will now copy all files and install the Acunetix Web Vulnerability Scanner Scheduler service.
7. Click Finish when ready.
Registering with AcuMonitor Service

Screenshot: AcuMonitor Registration

When you start Acunetix Web Vulnerability Scanner the first time, you will be asked to register with the AcuMonitor Service. The AcuMonitor Service is used to automatically detect certain vulnerabilities which can only be detected using an intermediate server, such as Blind XSS, Server Side Request Forgery (SSRF) and Email Header Injection.

You can register to the AcuMonitor service using your email address and your license key. Registration can also be done at a later stage from Acunetix Web Vulnerability Scanner > Configuration > Application Settings > AcuMonitor. More information on the AcuMonitor Service can be found at http://www.acunetix.com/vulnerabilityscanner/acumonitorblindxssdetection/.

Installing AcuSensor in your web application

If you need to scan a .NET or PHP web application, you should install Acunetix AcuSensor on your web application in order to improve the detection of vulnerabilities, get the line in the source code where vulnerabilities are located and to decrease false positives.
Upgrading Acunetix Web Vulnerability Scanner

It is recommended that you backup your settings before proceeding with the upgrade as per http://www.acunetix.com/blog/docs/backupacunetixsettingscustomizations/. To upgrade a previous version of Acunetix Web Vulnerability Scanner to the latest version:

1. Close all instances of Acunetix Web Vulnerability Scanner (and related utilities such as the Reporter).
2. Optionally backup the Login Sequences if you would like to use these in the newer version. Depending on the version, these can be copied from for version 7 or older or for newer versions.
3. Optionally backup the Reporting Database if you would like to use it in the newer version. If you are using an Access Database, the default location of the database is
4. From the Acunetix Web Vulnerability Scanner Program Group, select to uninstall the product.
5. Install the newer version of Acunetix Web Vulnerability Scanner.
6. To restore the Login Sequences, copy the files backed up in (2) to
7. If upgrading from version 7, the Reporting database needs to be updated before it can be used in a newer version. This can be done using the Reporting Database Upgrade tool which can be downloaded from http://www.acunetix.com/download/tools/ConvertWVSDatabase.zip. Proceed as follows:
   - If you are using an SQL database, select MS SQL Server, specify the Server, credentials and Database which needs to be upgraded and click on the Convert button. Then configure the new version of Acunetix Web Vulnerability Scanner to use the upgraded database.

Screenshot: Upgrade Reporting Database

   - If you are using an Access database, select MS Access, select the database backed up in (3), and click on the Convert button. Once ready, copy the upgraded database to
Installing AcuSensor

Acunetix AcuSensor increases the efficiency of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET and PHP web applications.

Installing the AcuSensor Agent

NOTE: Installing the AcuSensor Agent is optional. Acunetix Web Vulnerability Scanner is still best in class as a black box scanner, but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET and PHP web applications.

The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating less false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information. Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.

Generating the AcuSensor files

First you will need to generate your unique AcuSensor files. Proceed as follows:

1. If using Acunetix WVS, open Acunetix WVS and navigate to the Configuration > Application Settings node. Click on the AcuSensor Deployment node.

Screenshot: AcuSensor Deployment settings node

2. If using Acunetix Online Vulnerability Scanner, you can generate the AcuSensor files from the Scan Targets configuration. From Acunetix OVS, change to Scan Targets > List Scan Targets > click on the Scan Target's name. Skip to step 6.
3. Enter a password or click on the padlock icon to randomly generate a password unique to the AcuSensor file.
4. Select 'Also set password in currently selected settings template' to store the password specified in the scan settings template.
5. Specify the path where you want the AcuSensor files to be generated.
6. Select whether to generate files for a PHP website or a .NET website.
7. Click on Generate AcuSensor Installation Files to generate the files.
8. Depending on whether you are using an ASP.NET or a PHP website, use one of the following procedures to install the AcuSensor files.
Installing the AcuSensor agent for ASP .NET Websites

The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.

1. Install Prerequisites on the server hosting the website: the AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.

Screenshot: Enable IIS6 Metabase Compatibility on Windows 2008

On Windows 2008, you must also install IIS6 Metabase Compatibility from Control Panel > Turn Windows features On or Off > Roles > Web Server (IIS) > Management Tools > IIS6 Management Compatibility > IIS6 Metabase Compatibility to enable listing of all .NET applications running on the server.

2. Copy the AcuSensor installation files to the server hosting the .NET website.

Screenshot: Acunetix .NET AcuSensor Agent installation

3. Double click Setup.exe to install the Acunetix .NET AcuSensor agent and specify the installation path. The application will start automatically once the installation is ready. If the application is not set to start automatically, click on Acunetix .NET AcuSensor Technology Injector from the program group menu.

Screenshot: Acunetix .NET AcuSensor Technology Agent

4. On startup, the Acunetix .NET AcuSensor Technology Installer will retrieve a list of .NET applications installed on your server. Select which applications you would like to inject with AcuSensor Technology and select the Framework version from the drop down menu. Click on Inject Selected to inject the AcuSensor Technology code in the selected .NET applications. Once files are injected, close the confirmation window and also the AcuSensor Technology Injector.

Note: The AcuSensor installer will try to automatically detect the .NET framework version used to develop the web application, so you do not have to manually specify which framework version was used from the Target Runtime drop down menu.
Installing the AcuSensor agent for PHP websites

This section describes how to install AcuSensor in a PHP web application.

1. Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.

2. There are 2 methods to install the AcuSensor agent: one method can be used for Apache servers, and the other method can be used for both IIS and Apache servers.

Method 1: Apache .htaccess file

Create a .htaccess file in the website directory and add the following directive: php_value auto_prepend_file [path to acu_phpaspect.php file]. Note: For Windows use C:\sensor\acu_phpaspect.php and for Linux use /Sensor/acu_phpaspect.php path declaration formats. If Apache does not execute .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.

Method 2: IIS and Apache php.ini

1. Locate the file php.ini on the server by using the phpinfo() function.
2. Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file: auto_prepend_file = [path to acu_phpaspect.php file]
3. Save all changes and restart the web server for the above changes to take effect.
Testing your AcuSensor Agent
To test if the AcuSensor agent is working properly on the target website, do the following:
1. In the Tools Explorer, navigate to the Configuration > Scan Settings node and select the AcuSensor node.
2. Enter the password of the AcuSensor agent file which was copied to the target website.
3. Click Test AcuSensor installation on a Specific URL. A dialog will prompt you to submit the URL of the target website where the AcuSensor Agent file is installed. Enter the desired URL and click OK.
Changing the AcuSensor Password
If you need to change the password used by the AcuSensor agent on your website, you will need to regenerate the AcuSensor Files and reinstall them on your website. Perform the following if you are using a .NET website:
1. Use the procedure in the next section to Disable and Uninstall the AcuSensor agent.
2. Configure a new password.
This step can be omitted if you are using Acunetix Online Vulnerability Scanner, since a new unique and secure password is automatically generated each time the AcuSensor files are generated. The unique password is stored with the Scan Targets settings.
3. Click on Generate AcuSensor installation files.
4. Proceed with installing the new AcuSensor files. If you are using a PHP web application, you will just need to overwrite the old acu_phpaspect.php with the new acu_phpaspect.php file.
Disabling and uninstalling AcuSensor
To uninstall and disable the sensor from your website:
AcuSensor for ASP .NET websites
1. Browse to the installation directory where the AcuSensor Agent was installed.
2. Open AcuSensorInjector.exe.
Screenshot: Select website and click Uninject Selected
3. Select the website where the AcuSensor agent is installed and click on Uninject to remove the AcuSensor Agent from the site.
4. Close AcuSensorInjector.exe.
5. From the same directory, double click uninstall.exe to uninstall the AcuSensor Agent files.
Note: If you uninstall the Acunetix .NET AcuSensor Technology Injector without uninjecting the .NET application, then the AcuSensor code will not be removed from your .NET application.
AcuSensor for PHP
1. If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive php_value auto_prepend_file=[path to acu_phpaspect.php file] from .htaccess.
2. If method 2 was used to install the PHP AcuSensor, delete the directive auto_prepend_file=[path to acu_phpaspect.php file] from php.ini.
3. Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.
Note: Although the Acunetix AcuSensor agent requires authentication, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
Scanning a Website
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION! The web server logs will show your IP address and all the attacks made by Acunetix Web Vulnerability Scanner. If you are not the sole administrator of the website, please make sure to warn other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website. To scan a website, you first need to perform the following steps:
Step 1: Select Target(s) to Scan
1. Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left hand of the Acunetix Web Vulnerability Scanner menu bar.
Screenshot: Scan Wizard: Select Scan Type
2. Specify the scan options:
a. Scan single website: Enter the URL of the target website, e.g. http://testphp.vulnweb.com.
b. Scan using saved crawling results: If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.
3. Click Next to continue. Note: The Acunetix Web Vulnerability Scanner Scheduler can be used to scan websites at a specific time and to configure recurring scans.
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options
Screenshot: Scanning Profile and Scan Settings template
Scanning Profile
The Scanning Profile will determine which tests are to be launched against the target website. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection. No additional tests will be performed. The Default scanning profile will test your website for all known web vulnerabilities. Refer to the Scanning Profiles section for more information on how to customize or create scanning profiles.
Scan Settings template
The Scan Settings template will determine what Crawler and Scanner settings are to be used during a scan. Refer to the Scan Settings templates section for more information on how to customize or create new Scan Settings templates.
Save scan Results
If you want to automatically save the scan results to the reporting database, enable the Save scan results to the database for report generation option.
Crawling Options
Tick the option After crawling let me choose which files to scan if you would like to select/deselect files from the automated website security scan, instead of scanning the whole website. Tick the option Define list of URLs to be processed by crawler at start if you would like a specific URL to be crawled before any other (not available if using saved crawling results).
Step 3: Confirm Targets and Technologies Detected
Screenshot: Scan Wizard: Selecting Targets and Technologies
Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server and its web server technologies. The web vulnerability scanner will reduce the scan time by scanning only for the selected web technologies. E.g. Acunetix Web Vulnerability Scanner will not launch IIS security checks against a Linux system running an Apache web server. Click on the relevant field and change the settings from the provided check boxes if you would like to add or remove scans for specific technologies. Note: If a specific web technology is not listed under Optimize for the following technologies, it does not mean that it is unsupported by Web Vulnerability Scanner, only that there are no vulnerability tests exclusive to that technology.
Step 4: Configure Login for Password Protected Areas
Two types of Login mechanisms are commonly used on the web:
HTTP Authentication: This type of authentication is handled by the web server, where the user is prompted with a password dialog. Scanning an HTTP password protected area requires that you either enter the credentials during the crawling of your web application, or you have the credentials pre-configured in Acunetix. This is covered in more detail here.
Forms Authentication: This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script. Scanning websites using forms based authentication is done using the Login Sequence Recorder and is covered in more detail here.
Step 5: Finalize Scan Options
Screenshot: Finalize Scan Options
Before the Scan is started, the Scan Wizard will report issues which might hinder the scan. The following is a list of actions which you might be presented with:
If an error is encountered while connecting to the target server, the error will be shown.
If Acunetix Web Vulnerability Scanner is unable to automatically detect a custom 404 error page pattern, you will have to configure a custom 404 error page rule by clicking the Customize button. Read more about configuring Acunetix to handle Custom 404 error pages.
If the target server is using CASE insensitive URLs, you must force case insensitive crawling. This can be done from Configuration > Scan Settings > Crawling Options > Ignore CASE differences in paths.
If AcuSensor Technology is enabled and the target server is running PHP or .NET, you will get an error if the AcuSensor agent is not detected. Click the Customize button to install AcuSensor on the target web application.
If additional hosts have been found to be linked to from the website being scanned, you can optionally select to scan these too. You will require permission to scan the selected hosts too.
If a smartphone friendly version of the website is detected, you will be given the option to crawl and scan the site as a normal browser or a mobile browser.
If you have made changes to the Scan Settings template, you will be asked if you want to save the modifications to the existing or a new template.
Step 6: Start the scan
Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, the scanning profile selected, and the server's response time, a scan may take several hours.
Analyzing the Scan Results
The vulnerabilities discovered during the scan of a website are displayed in real time in the Alerts node in the Scan Results window. A Site Structure node is also shown listing the files and folders discovered.
Screenshot: Scan Results showing Alerts Summary
Web Alerts
The Web Alerts node displays all vulnerabilities found on the target website. Web Alerts are categorized according to 4 severity levels:
High Risk Alert Level 3: Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.
Medium Risk Alert Level 2: Vulnerabilities caused by server misconfiguration and site coding flaws, which facilitate server disruption and intrusion.
Low Risk Alert Level 1: Vulnerabilities derived from lack of encryption of data traffic, or directory path disclosures.
Informational Alert: These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or matching a search string found in the Google Hacking Database.
More information about the vulnerability is shown when you click on an alert category node:
Vulnerability description: A description of the discovered vulnerability. The AcuSensor logo is displayed in the Vulnerability Description for the vulnerabilities that are detected using the AcuSensor Technology.
Affected items: The list of files vulnerable to the discovered vulnerability.
The impact of this vulnerability: Level of impact on the website or web server if this vulnerability is exploited.
Attack details: Details about the parameters and variables used to test for this vulnerability. E.g. for a Cross Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server (including the HTML response). The attack can be inspected and relaunched manually by clicking Launch the attack with HTTP Editor. For more information, please refer to http://www.acunetix.com/blog/docs/httpeditor/.
How to fix this vulnerability: Guidance on how to fix the vulnerability.
Detailed information: More information about the reported vulnerability.
Web references: A list of web links providing more information on the vulnerability to help you understand and fix it.
Marking an Alert as a False Positive
If you are certain that the vulnerability discovered is a false positive, you can flag the alert as a False Positive to avoid it being reported in subsequent scans of the same website. To do this, click on the Mark alert as false positive link or right click on the alert and select the menu option. You can remove an alert from the false positives list by navigating to the Configuration > Application Settings node in the Tools Explorer and selecting the False Positives node.
Network Alerts
Screenshot: Network, Port Scanner and Knowledge base nodes
The Network Alerts node displays network level vulnerabilities discovered in scanned network services, such as DNS, FTP, SMTP and SSH servers. Network alerts are categorized into 4 severity levels (similar to web alerts). The number of vulnerabilities detected is displayed in brackets () next to the alert categories. Click an alert category node to view more information (similar to web alerts). Note: You can disable network security checks by unticking the Enable Port Scanning option in the Scan Wizard. Network Security Checks are only performed on open ports detected during the scan, thus disabling port scanning will effectively disable all the network security checks.
Port Scanner
The Port Scanner node displays all the discovered open ports on the server. Network service banners can be viewed by clicking on an open port. Note: Port Scanning of the target server can be enabled or disabled from Acunetix WVS > Configuration > Scan Settings > Scanning Options > Enable Port Scanning.
Knowledge Base
The knowledge base node is a high level report that displays:
List of open TCP ports found on the server, including the port banner.
List of Network Services running on the web server and their response.
List of files with inputs found on the website. The number of inputs per file is also shown.
List of links to external hosts found on the website. E.g. testphp.vulnweb.com contains a link to www.acunetix.com.
List of Client and Server HTTP error responses together with the HTTP requests that generated them. An example would be the response code Server Internal Error HTTP 500. Check the response for information exposure.
Site Structure
The Site Structure Node displays the layout of the target website including all files and directories discovered during the crawling process.
Screenshot: Site Structure
In the Crawler results (Site Structure node), color codes are used to show different file statuses. The file name color coding is as follows:
Green: These files will be tested with AcuSensor Technology, resulting in more advanced security checks and fewer false positive alerts. From the AcuSensor data tab, the user can see what data related to these files is being returned by the AcuSensor. Such information is useful to know what SQL queries were executed or if the selected file is using functions which are monitored by AcuSensor.
Blue: File was detected during a vulnerability test and not by the crawler. Most probably such files are not linked from anywhere on the target website.
Black: Files discovered by the crawler.
For every discovered item, more detailed information is available in the information pane on the right hand side:
Info: Generic information such as file name, page title, path, length, URL etc.
Referrers: The files or pages that linked to the tested file.
HTTP Headers: The HTTP headers of the request sent to the web server to retrieve the selected file, and the HTTP response headers received.
Inputs: Possible input parameters and values for the file.
View Source: The source HTML of the page.
View Page: The page is displayed as it is shown in a web browser. Most client side scripts are disabled in this tab for security purposes, to avoid launching vulnerabilities against the computer on which Acunetix Web Vulnerability Scanner is running.
AcuSensor Data: Any AcuSensor Technology data returned.
Alerts: A list of alerts for the selected file.
In addition, each item contains the HTML Structure Analysis, which includes:
A list of links discovered in the file.
Comments discovered in the selected page. The information contained in the comments cannot be automatically analyzed but may reveal interesting information about the construction and coding of the website.
Any client side scripts (JavaScript, VBScript etc.) and their source code discovered in the selected page. The client web browser will execute these scripts. This might reveal information about the logic of the web application.
Any forms discovered in the selected object are shown in the top window. A list of parameters and their possible values is shown in the middle and bottom window.
A list of META tags discovered in the selected object. META tags contain information about the website, e.g. the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, such META tags control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP headers automatically or by a pre-processing tool.
Grouping of Vulnerabilities
Screenshot: Grouping of vulnerabilities
If the same type of vulnerability is detected on multiple pages, the scanner will group them under one alert node. Expanding the alert node will reveal all the vulnerable pages. Expand further to view the vulnerable parameters for the selected page.
Saving / Loading Scan Results
When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session including alert information and site structure.
To save the scan results, click the File menu and select Save Scan Results.
To load the scan results, click the File menu and select Load Scan Results.
Scanning Web Services
Web Services, like any other internet dependent systems, present new exploit possibilities and increase the need for security audits. The Web Services Scanner performs automated vulnerability scans for Web Services and generates a detailed security report of the results.
Screenshot 66: Web Services Scanner
Starting a Web Service Scan
1. From the Tools Explorer select Web Services Scanner and click the New Scan button in the toolbar to launch the Web Service Scan Wizard. Specify the URL of an online or local WSDL and choose a scanning profile. Click Next to proceed.
2. In the Selection step, select the Web Services, Ports and Operations that must be scanned. The number of inputs accepted by each operation and the URL of the ports will be displayed in the Details section.
3. Enter specific input values (optional) for the scanner to use as Web Service Operations in the Default Values step.
4. Proceed to the scan summary, review it and click Finish to launch the scan.
Web Services Editor
Screenshot 67: Web Services Editor
The Web Services Editor allows importing of online or local WSDL for custom editing and execution of various web service operations, for an in depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages, making it easy to edit SOAP headers and customize manual attacks. Editing and sending of Web Services SOAP messages is very similar to editing normal requests sent via the HTTP Editor.
Importing WSDL and Sending Request
1. Click on the Web Services Editor node in the tools explorer and enter the URL of the WSDL, or locate the local directory where the local WSDL file is stored. Click Import to import all WSDL information.
2. From the drop down menus in the toolbar, select the Service, Port and Operation that must be tested.
3. Specify a value for the operation and click Send to pass the SOAP request to the web service. The web server response can then be viewed in a structured or XML view type in the lower window pane.
Response Tab
Displays the response sent back from the web service in raw XML format.
Structured Data Tab
Presents the XML data received from the web service response using a hierarchy of nodes that show the value for each element.
WSDL Structure Tab
Presents a detailed view of the web service data as provided by the WSDL Structure. The WSDL information is structured in the form of nodes and sub nodes, and the main nodes of the tree structure are XML Schema and Services.
The XML Schema node lists all the Complex Types and the Elements of the web service. The Services node lists all the web service ports and their respective operations together with the resource details of the source of the SOAP data. A more detailed WSDL structure can also be shown by ticking Show detailed WSDL structure at the bottom of the screen. This will provide extensive information for each sub node of the Services node structure, such as input messages and parameters.
WSDL Tab
This tab shows the actual WSDL data in the form of XML tags. Using the toolbar provided at the bottom of the screen you can search for certain keywords or elements in the source code and also change the syntax highlighting if needed.
HTTP Editor Export
In the Web Services Editor you can export a SOAP request to the HTTP Editor by clicking on the HTTP Editor button in the Web Services Editor toolbar. The HTTP Editor tool will automatically import the data so the request can be customized and sent as an HTTP POST request.
Generating Reports
Screenshot: The Reporter Application
The Acunetix Web Vulnerability Scanner Reporter is a standalone application that allows you to generate reports for the security scans performed using Acunetix Web Vulnerability Scanner. The Reporter can be launched after completing a scan, or from the Acunetix Web Vulnerability Scanner program group, and can be used to generate various types of reports including developer reports, executive reports, compliance standard reports or a report that compares the results of two scans.
Generating a Report from the Scan Results
There are two ways to generate a report. After scanning a site, click on the Report button on the Acunetix toolbar. This will start the Acunetix Web Vulnerability Scanner Reporter and will load the Default Report for the scan. The Default Report used can be selected from the Reporter Settings.
Screenshot: Sample Report
The second method is to load the Acunetix Web Vulnerability Scanner Reporter from the Acunetix Web Vulnerability Scanner Program Group. This will allow you to report on the scans that have been saved to the Reports database.
1. From the Reports list, select the type of report and click on Report Wizard.
2. In the case of a Compliance Report, select the Regulatory body or Standard to be used in the report. Click Next.
Screenshot: Select Compliance Report
3. You can then select to show the results of all the scans stored in the reports database or to filter the scans that are displayed based on specific scan criteria. Click Next.
Screenshot: Filter Scans
4. Select the scan that you would like to report on.
Screenshot: Select Scan
5. Select what properties and details the report should include. The Report Properties will vary depending on the type of report that you are generating.
Screenshot: Select Report Properties
6. Click the Generate button to generate the report.
7. Once the report is generated, it can be printed or exported in various formats including PDF, Word and HTML.
Reporter Settings
The Reporter settings allow you to configure the layout and style of the generated reports. To access the report settings, navigate to the Configuration > Settings node in the Reporter Tools Explorer. From the Report Options node, you can customize the layout, titles, and images in the headers of the report.
Screenshot: Reporter Options
General Settings: Configure the default report template for generating a report.
Report Options: Select custom icons, logos, headers and footers to customize the report. From the Page Settings node you can configure the default page size, orientation and margins of your reports. These settings will apply to all reports.
Saving Reports
Once you have generated your report, you can use the toolbar at the top to save the report in PRE (prepared reports) format, which will allow you to review the report later. You can also export the report to PDF, HTML, Text, Word Document and BMP, or print the report.
Changing the Reporter Database
Acunetix Web Vulnerability Scanner stores the scan results in a backend database. By default, Microsoft Access is used. You might want to switch to using Microsoft SQL Server. This is recommended when scanning a lot of sites or larger sites. This can be done as follows:
1. Navigate to the Configuration > Application Settings > Database node in the Acunetix Web Vulnerability Scanner interface. Select MS SQL Server from the Database Type drop down menu.
2. Enter the Server IP or FQDN in the Server text box and the credentials to connect to the server in the Username and Password text boxes. Only SQL Authentication is supported.
3. Specify a database name in the Database text box. If the database does not exist it will be automatically created. If the database specified already exists, you will be prompted with a confirmation to overwrite the current database structure and data.
Note: The creation of the database requires a user with SQL Administrator privileges. Once the database is created, you can change the SQL credentials to a user account with read and write permissions on the database. It is also possible to import a database configuration file. Select Import Database Configuration and select a *.dbconfig file generated by the Acunetix Enterprise Reporter to automatically import SQL database settings.
Acunetix Reports
The following is a list of the reports that can be generated from Acunetix Web Vulnerability Scanner (WVS) and Acunetix Online Vulnerability Scanner (OVS):
Affected Items Report
Availability: OVS and WVS
The Affected Items report shows the files and locations where vulnerabilities have been detected during a scan. The report shows the severity of the vulnerability detected, together with other details about how the vulnerability has been detected.
Developer Report
Availability: OVS and WVS
The Developer Report is targeted to developers who need to work on the website in order to address the vulnerabilities discovered by Acunetix Web Vulnerability Scanner. The report provides information on the files which have a long response time, a list of external links, email addresses, client scripts and external hosts, together with remediation examples and best practice recommendations for fixing the vulnerabilities.
Executive Report
Availability: OVS and WVS
The Executive Report summarizes the vulnerabilities detected in a website and gives a clear overview of the severity level of vulnerabilities found in the website.
Quick Report
Availability: OVS and WVS
The Quick Report provides a detailed listing of all the vulnerabilities discovered during the scan.
Network Security Report
Availability: OVS only
The Network Security Report provides detailed security information about the perimeter network server scanned by Acunetix Online Vulnerability Scanner. This information is very useful for a network security auditor or pen tester who is tasked with analysing the security of the perimeter network.
Compliance Reports
Screenshot: PCI Compliance Report
Compliance Reports are available for the following compliance bodies and standards:
CWE / SANS Top 25 Most Dangerous Software Errors
Availability: OVS and WVS
This report shows a list of vulnerabilities that have been detected in your website which are listed in the CWE/SANS top 25 most dangerous software errors. These errors are often easy to find and exploit and are dangerous because they will often allow attackers to take over the website or steal data. More information can be found at http://cwe.mitre.org/top25/.
The Health Insurance Portability and Accountability Act (HIPAA)
Availability: OVS and WVS
Part of the HIPAA Act defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. This report identifies the vulnerabilities that might be infringing these policies. The vulnerabilities are grouped by the sections as defined in the HIPAA Act.
International Standard ISO 27001
Availability: OVS and WVS
ISO 27001, part of the ISO/IEC 27000 family of standards, formally specifies a management system that is intended to bring information security under explicit management control. This report identifies vulnerabilities which might be in violation of the standard and groups the vulnerabilities by the sections defined in the standard.
NIST Special Publication 800-53
Availability: OVS and WVS
NIST Special Publication 800-53 covers the recommended security controls for Federal Information Systems and Organizations. Once again, the vulnerabilities identified during a scan are grouped by the categories as defined in the publication.
OWASP Top 10 2013
Availability: OVS and WVS
The Open Web Application Security Project (OWASP) is a web security project led by an international community of corporations, educational institutions and security researchers. OWASP is renowned for its work in web security, specifically through its list of the top 10 web security risks to avoid. This report shows which of the detected vulnerabilities are found in the OWASP top 10 vulnerabilities.
Payment Card Industry (PCI) standards
Availability: OVS and WVS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard which applies to organizations that handle credit card holder information. This report identifies vulnerabilities which might breach parts of the standard and groups the vulnerabilities by the requirement that has been violated.
Sarbanes Oxley Act
Availability: OVS and WVS
The Sarbanes Oxley Act was enacted to prevent fraudulent financial activities by corporations and top management. Vulnerabilities which are detected during a scan and which might lead to a breach of sections of the Act are listed in this report.
DISA STIG Web Security
Availability: OVS and WVS
The Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense. This report identifies vulnerabilities which violate sections of the STIG and groups the vulnerabilities by the sections of the STIG guide which are being violated.
Web Application Security Consortium (WASC) Threat Classification
Availability: OVS and WVS
The Web Application Security Consortium (WASC) is a non profit organization made up of an international group of security experts, which has created a threat classification system for web vulnerabilities. This report groups the vulnerabilities identified on your site using the WASC threat classification system.
Scan Comparison Report
Screenshot: Scan Comparison Report
Availability: WVS only
The Scan Comparison Report allows the user to track the changes between two scan results for the same application. This report will highlight resolved, unchanged and new vulnerabilities, making it easy to track development changes affecting the security of your web application.
Monthly Vulnerabilities Report
Availability: WVS only
This statistical report correlates the data from the scans performed in a specific month, and reports on the vulnerabilities identified during that month.
Scheduling Scans
The Scheduler application allows you to schedule scans at a convenient time without requiring Acunetix Web Vulnerability Scanner or the Acunetix Web Vulnerability Scanner Scheduler Interface to be running.
Configuring the Scheduler service
The Acunetix Scheduler has a web based interface that can be configured through the Acunetix Web Vulnerability Scanner application settings. To access the Scheduler service settings, navigate to the Configuration > Application Settings > Scheduler node.
Configuring the Scheduler web interface
Screenshot: Scheduler web interface configuration
By default, the Scheduler web interface is only accessible via localhost and on port 8181 (http://localhost:8181). If you would like the Scheduler web interface to be accessible from other remote computers, tick the Allow remote computers to connect option. When enabled, you will be prompted to specify a username and password, and HTTPS will be automatically enabled. For security reasons, login credentials must always be defined when the scheduler web interface is configured to be accessed remotely. Note: When you change any of the Web Interface settings, after clicking the Apply button restart the Acunetix WVS Scheduler service from the Windows Services console.
Scan Options
Screenshot: Scheduler scan options
In the Scheduler Scan Options, you can specify the path where the Acunetix Web Vulnerability Scanner scan results should be saved. By default, the scan results are saved in the My Documents folder of the Windows Public user profile, in the Acunetix WVS sub directory.
Scanning multiple websites
From this section you can also configure the number of parallel scans launched in Acunetix Web Vulnerability Scanner. E.g. if you want to scan 4 websites and their scan schedule overlaps, instead of the scans being queued, another instance of Acunetix Web Vulnerability Scanner is automatically started and the scans will be launched in parallel. If you are scanning a large number of websites, it is suggested to increase the number of parallel scans so their schedule does not overlap. The maximum number of parallel scans is 10 if you have the x10 instances license. Note: The maximum number of scheduled scans that can be configured in the Acunetix Web Vulnerability Scanner scheduler is 2000.
Configuring Email notifications
Screenshot: Scheduler email notifications
In this section you can specify the settings for email notifications, such as SMTP server IP or FQDN, port, SMTP server authentication (optional) and the email address where notifications will be sent.
Excluded hours templates
Screenshot: Excluded Hours Templates
In the Excluded Hours Templates section you can specify a range of hours during which to pause ongoing scans, e.g. if you do not want to scan your website during times of high traffic.
Screenshot: Excluded Hours Configuration
To add a new Excluded Hours Template, click on the Add button and then:
1. Specify a name for the template in the Name input field.
2. Highlight the hours of the day when scans should not run.
3. Click OK to save the new template.
Note: If a scan is still running during the excluded hours, the scan will be automatically paused and resumed again when scanning is allowed.
Creating a Scheduled scan
1. Access the Scheduler interface by clicking the Scheduler Icon on the toolbar in the Acunetix Web Vulnerability Scanner interface, or browse to http://127.0.0.1:8181 using a web browser. Note: JavaScript should be enabled to access the Acunetix Scheduler web interface.
Screenshot: Acunetix Scheduler web interface
2. Click on the New scan button to add a new scan. You can add as many scans as you wish. If the scan schedule overlaps, they will be scanned in parallel. You can increase or decrease the number of parallel scans from the Scheduler configuration in the Acunetix Web Vulnerability Scanner application settings.
3. If you would like to import a number of scans (up to 2,000) using a CSV file, click on the Import CSV button. You can read more about this feature later in this chapter.
Scheduled Scan Basic Options
Screenshot: Acunetix Scheduler Basic options
The Basic Options allow you to specify which target/s to scan as well as the scan recursion. The recursion option gives you the option to configure the Scheduler to run a scan Once, Every Day, Every Week, Every Month or Continuous. Set a specific day number if the schedule is set to weekly or monthly, e.g. 2nd day of the week or 21st day of the month.
Scheduled Scan Advanced Options
Screenshot: Acunetix Scheduler Advanced options
The Advanced Options allow you to configure: Scanning Profile, Login Sequence, Scan Settings template, Scan Mode, Excluded Hours Template.
Scheduled scan results and reports
Screenshot: Acunetix Scheduler Scan results and Reports
In the Scan results and reports section, you can select to save the scan results to the reporting database, save the scan logs, and generate a report. You can also specify in which format you want the report to be generated and an email address where the scan results are sent. If no email address is specified, the email address configured in the scheduler settings is used. In addition, the Report template field allows you to specify what report template to use. You can choose among four templates, which are Affected Items, Developer Report, Executive Summary and Quick Report.
Importing Scheduled Scans
You can also import scheduled scans from a CSV file. The format of the CSV file is described next.
CSVFilePropertiesEachlineintheCSVfileshouldonlycontainonescan.Foreachscanyoushouldspecifythefollowingproperties:
URLSpecifytheURLwithorwithoutprotocol(httpandhttps).Ifnoprotocolisspecified,httpisused.Thisentryismandatory.
DateSpecifythedatewhenthescanshouldbelaunched.ThedateformatisDDMMYYYYandshouldbesinglestring.E.g.Ifascanistobescheduledforthe5thofNovember2014,thedateshouldbe05112014.Thisentryismandatory.
TimeSpecifythetimewhenthescanshouldbelaunched.Thetimeformatis24hoursandshouldbeasinglestringof4digits.E.g.10amshouldbe1000and10pmshouldbe2200.Thisentryismandatory.
ScanningProfileSpecifythenameofanexistingscanningprofiletobeusedduringthescan.Ifnotspecified,thedefaultscanningprofilewillbeusedduringthescan.
LoginSequenceSpecifythenameofanexistingloginsequenceifyouwanttousealoginsequenceduringthescan.Ifnothingisspecified,nologinsequencewillbeusedduringthescan.
ScanSettingsSpecifythenameofanexistingscansettingstemplate.Ifnoscansettingstemplateisspecified,thedefaultscansettingstemplatewillbeused.
-
ScanModeSpecifythescanmodetobeusedduringthescan.Theoptionsarequick,heuristicandextensive.Ifnoscanmodeisspecified,thedefaultscanmodewillbeused.
GenerateReportSpecifyifareportshouldbegeneratedafterthescan.Theoptionsareyesorno.Ifnothingisspecified,noreportwillbegenerated.
ReportFormatIfyouspecifiedthegeneratereportoption,thenyouhavetospecifythereportformataswell.TheoptionsavailablearePDF,RTF,REPorHTML.Ifyoudonotspecifyanyformat,aPDFreportwillbegenerated.
NotificationEmailAddressSpecifytheemailaddresswheretheemailshouldbesentuponcompletionofthescan.Ifanemailisnotspecified,thedefaultemailaddressconfiguredintheAcunetixWebVulnerabilityScannerGUIwillbeused.
Ifyouwouldliketoomitanentrysothedefaultvalueisused,simplyleaveaspacebetweenthecommas.Someexamplesfollow:Example1:Toscantestphp.vulnweb.comonthe5thofNovember2014at10pmusingthedefaultvalues,usethebelowlineintheCSVfile:http://testphp.vulnweb.com,05112014,2200,,,,,,,Example2:Toscantestasp.vulnweb.comonthe5thofNovember2014at3:15pmusingtheXSS(Crosssitescripting)scanningprofile,withoutloginsequence,defaultscansettings,usingtheextensivescanningmode,[email protected],usethebelowexample:http://testasp.vulnweb.com,05112014,1515,XSS,,,extensive,yes,PDF,[email protected]:ScansimportedfromaCSVfilewillonlybeexecutedonce.ItisnotpossibletoconfigurerecurringscansusingtheCSVfileimportfeature.
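The column layout above is easy to get subtly wrong by hand (a missing comma shifts every later value into the wrong column, and a date such as 31022014 is silently malformed). The following script is an added example written for this manual, not Acunetix's own code: it builds import lines from named values and checks each line against the rules stated above (ten columns, DDMMYYYY date, four-digit 24-hour time, the allowed scan modes and report formats) before the file is handed to the Scheduler. It assumes nothing beyond the format described in this section; the sample lines and the address reports@example.invalid are constructed placeholders.

```python
"""Build and check Acunetix WVS 9.5 scheduler-import CSV lines.

Added example for this manual, not Acunetix's own code. Column order,
mandatory fields, allowed values and defaults are taken from the manual
text; nothing else about the import feature is assumed.
"""
import re
from datetime import datetime

# Column order exactly as the manual lists the properties.
COLUMNS = ("url", "date", "time", "scanning_profile", "login_sequence",
           "scan_settings", "scan_mode", "generate_report",
           "report_format", "notification_email")
SCAN_MODES = {"quick", "heuristic", "extensive"}
REPORT_FORMATS = {"PDF", "RTF", "REP", "HTML"}
_EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # deliberately loose check


def build_line(url, date, time, **optional):
    """Return one import line; optional columns left out stay blank so the
    scanner's default applies (the "leave a space between the commas" rule)."""
    unknown = set(optional) - set(COLUMNS[3:])
    if unknown:
        raise ValueError(f"unknown column(s): {sorted(unknown)}")
    return ",".join([url, date, time] + [optional.get(c, "") for c in COLUMNS[3:]])


def split_fields(line):
    """Map one CSV line onto the named columns; None if the field count is wrong."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(",")]
    return dict(zip(COLUMNS, fields)) if len(fields) == len(COLUMNS) else None


def validate_line(line):
    """Return a list of problems found in one line (empty list = acceptable)."""
    rec = split_fields(line)
    if rec is None:
        return [f"expected {len(COLUMNS)} comma-separated fields"]
    problems = []
    url = rec["url"]
    if not url:
        problems.append("url: mandatory field is empty")
    elif "://" in url and not url.lower().startswith(("http://", "https://")):
        problems.append("url: only http and https are supported")
    # Date must be DDMMYYYY; strptime also rejects impossible dates such as 31022014.
    if not (len(rec["date"]) == 8 and rec["date"].isdigit()):
        problems.append("date: must be 8 digits in DDMMYYYY form")
    else:
        try:
            datetime.strptime(rec["date"], "%d%m%Y")
        except ValueError:
            problems.append(f"date: {rec['date']} is not a real calendar date")
    # Time must be four digits, 24-hour HHMM (10pm -> 2200).
    if not (len(rec["time"]) == 4 and rec["time"].isdigit()):
        problems.append("time: must be 4 digits in 24-hour HHMM form")
    else:
        try:
            datetime.strptime(rec["time"], "%H%M")
        except ValueError:
            problems.append(f"time: {rec['time']} is not a valid 24-hour time")
    if rec["scan_mode"] and rec["scan_mode"].lower() not in SCAN_MODES:
        problems.append(f"scan_mode: must be one of {sorted(SCAN_MODES)}")
    if rec["generate_report"] and rec["generate_report"].lower() not in ("yes", "no"):
        problems.append("generate_report: must be yes or no")
    if rec["report_format"] and rec["report_format"].upper() not in REPORT_FORMATS:
        problems.append(f"report_format: must be one of {sorted(REPORT_FORMATS)}")
    if rec["notification_email"] and not _EMAIL_RE.match(rec["notification_email"]):
        problems.append("notification_email: does not look like an e-mail address")
    return problems


def effective_settings(line):
    """Resolve the defaults the manual describes for a line that validates."""
    rec = split_fields(line)
    if rec is None or validate_line(line):
        raise ValueError("line is not valid; run validate_line first")
    if "://" not in rec["url"]:
        rec["url"] = "http://" + rec["url"]          # no protocol given -> http
    rec["generate_report"] = rec["generate_report"].lower() or "no"
    if rec["generate_report"] == "yes":
        rec["report_format"] = rec["report_format"].upper() or "PDF"
    return rec


def validate_file(text):
    """Check every non-blank line of an import file; returns {line_number: problems}."""
    result = {}
    for n, ln in enumerate(text.splitlines(), 1):
        if ln.strip():
            probs = validate_line(ln)
            if probs:
                result[n] = probs
    return result


if __name__ == "__main__":
    # Constructed sample import file; the e-mail address is a placeholder.
    sample = "\n".join([
        build_line("http://testphp.vulnweb.com", "05112014", "2200"),
        build_line("testasp.vulnweb.com", "05112014", "1515", scanning_profile="XSS",
                   scan_mode="extensive", generate_report="yes", report_format="PDF",
                   notification_email="reports@example.invalid"),
        "http://testasp.vulnweb.com,31022014,2500,,,,fast,maybe,DOCX,not-an-address",
    ])
    for n, probs in validate_file(sample).items():
        print(f"line {n}: " + "; ".join(probs))
```

Run it over an import file before scheduling: only the third constructed line is reported, with one message per broken column, so the operator can see exactly which field shifted or was mistyped rather than discovering it when the Scheduler silently uses a default.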
-
Troubleshooting and Support
User Manual: The most common queries can be answered by consulting this user manual.
Frequently Asked Questions: Our support team maintains a list of frequently asked questions at http://www.acunetix.com/support/faq/.
Acunetix Blog: We highly recommend that you follow our security blog by browsing to: http://www.acunetix.com/blog/.
Request Support: If you encounter persistent problems that you cannot resolve, we encourage you to contact the Acunetix Support team via email at support@acunetix.com. Please include any information you think is useful to help us diagnose your issue, such as information on the web technologies being used, screenshots showing the problem etc. Please also include the license key information in the support email. We will do our best to answer your query within 24 hours or less, depending on your time zone.
Knowledge base / Support page: You can also explore the Acunetix knowledge base and other support options by browsing to: http://www.acunetix.com/support/.
Acunetix Facebook page: Join us on Facebook for the latest product and industry updates: http://www.facebook.com/Acunetix.