Web Vulnerability Scanner v9.5 Product Manual
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd. Acunetix Web Vulnerability Scanner is copyright of Acunetix Ltd. 2004-2014. Acunetix Ltd. All rights reserved. http://[email protected]: 3rd November 2014
Table of Contents
Introduction
Overview
Installing Acunetix
Installing AcuSensor
Scanning a Website
Analysing Scan Results
Scanning Web Services
Generating Reports
Acunetix Reports
Scheduling Scans
Troubleshooting and Support
Introduction to Acunetix Web Vulnerability Scanner
Why You Need To Secure Your Web Applications
Website security is today's most overlooked aspect of securing an enterprise and should be a priority in any organization. Increasingly, hackers are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites. A victim's website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website's bandwidth and making its owner liable for these unlawful acts. Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, web forms), Authentication Attacks, Directory Enumeration and other exploits. The hacking community is also very close-knit; newly discovered web application intrusions, known as Zero Day exploits, are posted on a number of forums and websites known only to members of that exclusive underground group. Postings are updated daily and are used to propagate and facilitate further hacking. Web applications (shopping carts, forms, login pages, dynamic content, and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.
Why are web applications vulnerable?
- Websites and web applications are easily available via the internet 24 hours a day, 7 days a week to customers, employees, suppliers and therefore also hackers.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases.
- Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.
Network security defense provides no protection against web application attacks since these are launched on port 80, which has to remain open to allow regular operation of the business. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.
The need for automated web application security scanning
Manual vulnerability auditing of all your web applications is complex and time-consuming, since it generally involves processing a large volume of data. It also demands a high level of expertise and the ability to keep track of considerable volumes of code used in a web application. In addition, hackers are constantly finding new ways to exploit your web application, which means that you would have to constantly monitor the security communities, and find new vulnerabilities in your web application code before hackers discover them. Automated vulnerability scanning allows you to focus on the already challenging task of building a web application. An automated web application scanner is always on the lookout for new attack paths that hackers can use to access your web application or the data behind it. Within minutes, an automated web application scanner can scan your web application, identify all the files accessible from the internet and simulate hacker activity in order to identify vulnerable components. In addition, an automated vulnerability scanner can also be used to assess the code which makes up a web application, allowing it to identify potential vulnerabilities which might not be obvious from the internet, but still exist in the web application, and can thus still be exploited.
Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross Site Scripting and other exploitable vulnerabilities. In general, Acunetix Web Vulnerability Scanner scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol. Acunetix Web Vulnerability Scanner offers a strong and unique solution for analyzing off-the-shelf and custom web applications, including those utilizing JavaScript, AJAX and Web 2.0 web applications. Acunetix has an advanced crawler that can find almost any file. This is important since what is not found cannot be checked.
How Acunetix Web Vulnerability Scanner Works
Acunetix Web Vulnerability Scanner works in the following manner:
1. Acunetix DeepScan analyses the entire website by following all the links on the site, including links which are dynamically constructed using JavaScript, and links found in robots.txt and sitemap.xml (if available). The result is a map of the site, which Acunetix Web Vulnerability Scanner will use to launch targeted checks against each part of the site.
Screenshot: Crawler Results
2. If Acunetix AcuSensor Technology is enabled, the sensor will retrieve a listing of all the files present in the web application directory and add the files not found by the crawler to the crawler output. Such files are usually not discovered by the crawler as they are not accessible from the web server, or not linked through the website. Acunetix AcuSensor also analyses files which are not accessible from the internet, such as web.config.
3. After the crawling process, the Web Vulnerability Scanner automatically launches a series of vulnerability checks on each page found, in essence emulating a hacker. Acunetix Web Vulnerability Scanner also analyses each page for places where it can input data, and subsequently attempts all the different input combinations. This is the Automated Scan Stage. If the AcuSensor Technology is enabled, a series of additional vulnerability checks are launched against the website. More information about AcuSensor is provided in the following section.
Screenshot: Scan Results
4. The vulnerabilities identified are shown in the Scan Results. Each vulnerability alert contains information about the vulnerability such as POST data used, affected item, HTTP response of the server and more.
5. If AcuSensor Technology is used, details such as source code line number, stack trace or affected SQL query which lead to the vulnerability are listed. Recommendations on how to fix the vulnerability are also shown.
6. Various reports can be generated on completed scans, including the Executive Summary report, Developer report and various compliance reports such as PCI or ISO 27001.
Acunetix AcuSensor Technology
Acunetix's unique AcuSensor Technology allows you to identify more vulnerabilities than other Web Application Scanners, whilst generating fewer false positives. Acunetix AcuSensor indicates exactly where in your code the vulnerability is and reports additional debug information.
Screenshot: AcuSensor pinpoints vulnerabilities in code
The increased accuracy, available for PHP and .NET web applications, is achieved by combining black box scanning techniques with feedback from sensors placed inside the source code. Black box scanning does not know how the application reacts and source code analyzers do not understand how the application will behave while it is being attacked. AcuSensor technology combines both techniques to achieve significantly better results than using source code analyzers and black box scanning independently. The AcuSensor sensors can be inserted in the .NET and PHP code transparently. The .NET source code is not required; the sensors can be injected in already compiled .NET applications! Thus there is no need to install a compiler or obtain the web application's source code, which is a big advantage when using a third party .NET application. In the case of PHP web applications, the source is readily available. To date, Acunetix is the only Web Vulnerability Scanner to implement this technology.
Advantages of using AcuSensor Technology
- Ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query.
- Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query, etc.
- Significantly reduces false positives when scanning a website because it understands the behavior of the web application better.
- Alerts you to web application configuration problems which can result in a vulnerable application or expose sensitive information. E.g. if custom errors are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects more SQL injection vulnerabilities. Previously SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improved detection.
- Ability to detect SQL injection vulnerabilities in all SQL statements, including in SQL INSERT statements. Using a black box scanner, such SQL injection vulnerabilities cannot be found. This significantly increases the ability of Acunetix Web Vulnerability Scanner to find vulnerabilities.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and scanned when using the AcuSensor Technology and you will be alerted.
- AcuSensor Technology is able to intercept all web application inputs and build a comprehensive list with all possible inputs in the website and test them.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URLs! Using the AcuSensor Technology the scanner is able to rewrite SEO URLs on the fly.
- Ability to test for arbitrary file creation and deletion vulnerabilities. E.g. through a vulnerable script a malicious user can create a file in the web application directory and execute it to have privileged access, or delete sensitive web application files.
- Ability to test for email injection. E.g. a malicious user may append additional information such as a list of recipients or additional information to the message body to a vulnerable web form, to spam a large number of recipients anonymously.
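As an added illustration of the INSERT point above (not Acunetix code, and not how AcuSensor itself is implemented), the Python below shows why an injection into an INSERT is invisible to a black-box scan but visible to a hook inside the database layer: the registration handlers, the SENSORMARK token carried by the payload and the use of the sqlite3 trace callback as the "sensor" are all assumptions constructed for this example.

```python
import sqlite3

# Constructed token: a scan payload carries it so the sensor can tell the
# payload apart from ordinary data once it sees the executed statement.
MARKER = "SENSORMARK"
PAYLOAD = "mallory', 'admin') /*" + MARKER + "*/ --"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT NOT NULL)")
    return conn

def register_vulnerable(conn, name):
    # Injectable: the name is concatenated into an INSERT. Nothing from the
    # statement is echoed back, so the response is the same for every input.
    conn.execute("INSERT INTO users (name, role) VALUES ('" + name + "', 'user')")
    conn.commit()
    return "Thanks for registering"

def register_fixed(conn, name):
    # Hardened: a bound parameter is data and can never become SQL syntax.
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    conn.commit()
    return "Thanks for registering"

def strip_literals(sql):
    """Keep only what SQLite parses as syntax: drop single-quoted literals
    (honouring the '' escape) and everything after a -- line comment."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1
            continue
        if sql.startswith("--", i):
            break
        out.append(sql[i])
        i += 1
    return "".join(out)

class SqlSensor:
    """In-process hook recording every statement SQLite actually executes,
    the vantage point a black-box scanner never has."""
    def __init__(self, conn):
        self.statements = []
        conn.set_trace_callback(self.statements.append)

    def marker_reached_syntax(self):
        # The marker surviving outside every string literal means the input
        # changed the statement's structure: injection, whatever the page said.
        return any(MARKER in strip_literals(s) for s in self.statements)

def responses_identical(handler):
    """Black-box view: benign and injected inputs produce the same response."""
    conn = make_db()
    return handler(conn, "alice") == handler(conn, PAYLOAD)

def sensor_verdict(handler):
    """Sensor view: (injection detected?, role the injected row ended up with)."""
    conn = make_db()
    sensor = SqlSensor(conn)
    handler(conn, PAYLOAD)
    row = conn.execute("SELECT role FROM users WHERE name LIKE 'mallory%'").fetchone()
    return sensor.marker_reached_syntax(), row[0]

if __name__ == "__main__":
    for handler in (register_vulnerable, register_fixed):
        print(handler.__name__, "same response:", responses_identical(handler),
              "sensor verdict:", sensor_verdict(handler))
```

Both handlers answer identically from the outside; only the trace hook shows that the vulnerable one executed a restructured INSERT and stored the row with the role 'admin'.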
Network Vulnerability Scanning
As part of a website audit, Acunetix will execute a network security audit of the server hosting the website. This network security scan will identify any services running on the scanned server by running a port scan on the system. Acunetix will report the operating system and the software hosting the services detected. This process will also identify Trojans which might be lurking on the server. The network vulnerability scan assesses the security of popular protocols such as FTP, DNS, SMTP, IMAP, POP3, SSH, SNMP and Telnet. Apart from testing for weak or default passwords, Acunetix will also check for misconfiguration in the services detected which could lead to a security breach. Acunetix will also check that any other servers running on the machine are not using any deprecated protocols. All these lead to an insecure system, which would allow an intruder to damage your website and your reputation. Acunetix Online Vulnerability Scanner (OVS) also integrates the popular OpenVAS network scanner to check for over 35,000 network vulnerabilities. During a network scan, Acunetix OVS makes use of various port probing and OS fingerprinting techniques to identify a vast number of devices, Operating Systems and server products. Numerous security checks are then launched against the products identified running on the scanned server, allowing you to detect all the vulnerabilities that exist on your perimeter servers.
Acunetix Web Vulnerability Scanner Overview
Acunetix Web Vulnerability Scanner allows you to secure your website quickly and efficiently. It consists of the following components:
Screenshot: Acunetix Web Vulnerability Scanner
Web Scanner
The Web Scanner launches an automatic security audit of a website. A website security scan typically consists of two phases:
1. Crawling: Making use of Acunetix DeepScan, Acunetix Web Vulnerability Scanner automatically analyzes and crawls the website in order to build the site's structure. The crawling process enumerates all files and is vital to ensure that all the files of your website are scanned.
2. Scanning: Acunetix Web Vulnerability Scanner launches a series of web vulnerability checks against each file in your web application, in effect emulating a hacker. The results of a scan are displayed in the Alert Node tree and include comprehensive details of all the vulnerabilities found within the website.
AcuSensor Technology Agent
Acunetix AcuSensor Technology is a unique technology that allows you to identify more vulnerabilities than a traditional black box web security scanner, and is designed to further reduce false positives. Additionally, it also indicates the code where the vulnerability was found. This increased accuracy is achieved by combining black box scanning techniques with dynamic code analysis whilst the source code is being executed. For Acunetix AcuSensor to work, an agent must be installed on your website to enable communication between Acunetix Web Vulnerability Scanner and AcuSensor. Acunetix AcuSensor can be used with both PHP and .NET web applications.
AcuMonitor Service
Some vulnerabilities can only be detected using an intermediate service. The Acunetix AcuMonitor service allows Acunetix Web Vulnerability Scanner to detect such vulnerabilities. Depending on the vulnerability, AcuMonitor can either report the vulnerability immediately during a scan, or send a notification email directly to the user if the vulnerability is identified after the scan has finished. More information on the AcuMonitor Service can be found at http://www.acunetix.com/websitesecurity/acumonitor/
Port Scanner
Screenshot: Port Scanning
The Port Scanner performs a port scan against the web server hosting the scanned website. Where open ports are found, Acunetix Web Vulnerability Scanner will perform network level security checks against the network service running on that port. These include DNS Open Recursion tests, badly configured proxy server tests, weak SNMP community strings, and many other network level security checks. You can also write your own network services security checks using the script engine. A scripting reference is available from:
http://www.acunetix.com/blog/docs/creatingcustomchecksacunetixwebvulnerabilityscanner/
Target Finder
Screenshot: Target Finder
The Target Finder is a scanner that allows you to locate web servers (generally on ports 80, 443) within a given range of IP addresses. If a web server is found, the scanner will also display the response header of the server and the web server software. The port numbers to scan are configurable. More information about the Target Finder can be found here: http://www.acunetix.com/blog/docs/targetfinder/
Subdomain Scanner
Screenshot: Subdomain Scanner
Using various techniques, the Subdomain Scanner allows fast and easy identification of active subdomains of a top-level domain. The Subdomain Scanner can be configured to use the target's DNS server or any other DNS server specified by the user. More information about the Subdomain Scanner can be found here: http://www.acunetix.com/blog/docs/subdomainscanner/
Blind SQL Injector
Screenshot: Blind SQL Injector
Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool with which you can make manual tests to further analyze SQL injections reported during a scan. The tool makes use of Blind SQL Injection techniques to enumerate databases and tables, dump data and also read specific files on the file system of the web server if an exploitable SQL injection is discovered. With the Blind SQL Injector tool you can also run manual tests to check for different variants of SQL injection. Using this tool, you can also run custom SQL SELECT queries against the database. More information about the Blind SQL Injector can be found here: http://www.acunetix.com/blog/docs/blindsqlinjectortool/
HTTP Editor
Screenshot: HTTP Editor
The HTTP Editor allows you to create, analyze, and edit client HTTP requests and server responses. It also contains an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 format and many other formats. You can start the HTTP Editor from the Tools node within the Tools Explorer. The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers and data. More information about the HTTP Editor can be found here: http://www.acunetix.com/blog/docs/httpeditor/
HTTP Sniffer
Screenshot: HTTP Sniffer
The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to capture traffic before it is sent to the web server or back to the web client. This tool is useful to:
- Analyze how Session IDs are stored and how inputs are sent to the server.
- Alter any HTTP requests being sent back to the server before they get sent.
- Manual crawling: navigate through parts of the website which cannot be crawled automatically, and import the results into the scanner to include them in the automated scan.
For HTTP requests to pass through Acunetix Web Vulnerability Scanner, Acunetix Web Vulnerability Scanner must be configured as a proxy in your web browser.
HTTP Fuzzer
Screenshot: HTTP Fuzzer
The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application's handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner. An example would be the following URL: http://testphp.acunetix.com/listproducts.php?cat=1. Using the HTTP Fuzzer you can create a rule that would automatically replace the last part of the URL (1) with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries without having to perform them one by one. More information about the HTTP Fuzzer can be found here: http://www.acunetix.com/blog/docs/httpfuzzertool/
Authentication Tester
Screenshot: Authentication Tester
With the Authentication Tester you can perform a dictionary attack against login pages that use either HTTP (NTLMv1, NTLMv2, digest) or form-based authentication. This tool uses two predefined text files (dictionaries) containing a list of common usernames and passwords. You can add your own combinations to these text files. More information about the Authentication Tester can be found here: http://www.acunetix.com/blog/docs/authenticationtester/
Web Services Scanner and Web Services Editor
Screenshot: Web Services Scanner
The Web Services Scanner allows you to launch automated vulnerability scans against WSDL-based Web Services. Web Services are commonly used to exchange data, and generally vulnerabilities in Web Services can easily be exploited in order to leak sensitive information. The Web Services Editor allows you to import an online or local WSDL for custom editing and execution of various web service operations over different port types, for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages to easily edit SOAP headers and customize your own manual attacks.
Acunetix Web Vulnerability Scanner SDK
Screenshot: Web Vulnerability Scanner Scripting tool
The Acunetix Web Vulnerability Scanner Scripting tool allows you to create new custom web vulnerability checks. These checks must be written in JavaScript and require installation of the Software Development Kit (SDK). You can read more about writing custom web security checks at the following URL: http://www.acunetix.com/blog/docs/creatingcustomvulnerabilitychecks/ You can download the scripting SDK from: http://www.acunetix.com/download/tools/Acunetix_SDK.zip
Reporter
The Reporter allows you to generate reports of scan results in a printable format. Various report templates are available, including summary, detailed reports and compliance reporting. The Consultant Version of Acunetix Web Vulnerability Scanner allows customization of the generated report.
Screenshot: Typical Report including Chart of alerts
New in Acunetix Web Vulnerability Scanner Version 9
- Introduction of Acunetix DeepScan, which makes use of the same rendering engine used in Google Chrome and Apple Safari to better identify the website's structure during a scan. Acunetix DeepScan provides a huge improvement in scanning of AJAX sites, JavaScript-based sites and Single Page Applications (SPA).
- Introduction of the Acunetix AcuMonitor service, which is used to identify specific vulnerabilities which require an intermediate server.
- Improved support in detecting and scanning smartphone/tablet friendly websites. When a mobile-friendly site is scanned, the user is given the option to crawl and scan the site as a normal browser or as a smartphone browser.
- Full support for HTML5 websites.
- Detection of DOM-based XSS vulnerabilities.
- Detection of Blind XSS vulnerabilities (using AcuMonitor).
- Detection of Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection and Host Header based vulnerabilities (using AcuMonitor).
New in Acunetix Web Vulnerability Scanner Version 9.5
- Detection of SQL Injection, XSS and other vulnerabilities in web applications implemented in Google Web Toolkit.
- Detection of vulnerabilities in JSON and XML data and HTTP HOST Headers.
- Alerts are now tagged with their CVE, CWE and CVSS.
- AcuSensor now supports .NET 4.5.
- Introduced support for CRUD (create, read, update and delete).
- New report for NIST 800-53 rev 4.
Acunetix Blog and Support Page
Acunetix publishes a number of web security and Acunetix "how to" technical documents on the Acunetix Web Application Security Blog: http://www.acunetix.com/blog. You can also find a number of support related documents, such as FAQs, in the Acunetix Web Vulnerability Scanner support page: http://www.acunetix.com/support.
Licensing Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner is available in 5 editions: Small Business, Enterprise, Enterprise x10 instances, Consultant and Consultant x10 instances. Ordering and pricing information can be found here: http://www.acunetix.com/ordering/pricing.htm
Perpetual or Time-Based Licenses
Acunetix Web Vulnerability Scanner Enterprise and Consultant editions are sold as a 1 year subscription or perpetual license. The 1 year subscription license expires after 1 year from the date of download or activation. The perpetual license does not expire. The Small Business version is available as a perpetual license only. If you purchase the perpetual license, you must buy a maintenance agreement to get free support and upgrades beyond the first month after purchase. The maintenance agreement entitles you to free version upgrades and support for the duration of the agreement. Support and version upgrades are included in the price of the one year license.
Enterprise Edition: Unlimited Sites/Servers
The Enterprise edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer to scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. Acunetix Enterprise edition will leave a trail in the log files of the scanned server and scanning of third party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.
Consultant Edition
The Consultant edition license allows you to install one copy of Acunetix on one computer to scan an unlimited number of sites or servers including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct edition to use if you are a consultant who provides web security testing services or are a hosting provider or ISP. The Consultant edition also includes the capability of modifying the reports to include your own company logo. This edition does not leave any trail in the log files of the scanned server. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.
Limitations of the Trial
The trial of Acunetix Web Vulnerability Scanner downloadable from the Acunetix website is practically identical to the full version in functionality and features, but contains the following limitations:
- The Trial edition will expire after 15 days.
- When scanning your website, all the Web Alerts will be reported. However, you will not be able to drill down and find where the vulnerability is found in your website.
- Reports cannot be generated.
- Scan results will not be stored in the Reports database.
- Full scans (including detailed information on the vulnerabilities discovered) can be made against the following Acunetix test websites:
  http://testphp.vulnweb.com
  http://testasp.vulnweb.com
  http://testaspnet.vulnweb.com
  http://testhtml5.vulnweb.com
- The Scan Scheduler is not available.
If you decide to purchase Acunetix Web Vulnerability Scanner, you will need to uninstall the trial and install the purchased edition, which must be downloaded as a separate installer file. Download the installer file using the link provided by our sales team, and double click to begin the setup. You will be prompted to remove the trial and install the full edition. All settings from the previously installed version will be retained. Once the installation is complete, you will be prompted to enter the License key.
Installing Acunetix Web Vulnerability Scanner
Minimum System Requirements
- Operating system: Microsoft Windows XP and later
- CPU: 32 bit or 64 bit processor
- System memory: minimum of 2 GB RAM
- Storage: 200 MB of available hard disk space
- Microsoft Internet Explorer 7 (or later): some components of Internet Explorer are used by Acunetix
- Optional: Microsoft SQL Server for the reporting database. By default a Microsoft Access database is used (Microsoft Access is not required).
Installing Acunetix Web Vulnerability Scanner
1. Download the latest version of Acunetix Web Vulnerability Scanner from the download location provided when you purchased the license.
2. Double click the webvulnscan.exe file to launch the Acunetix Web Vulnerability Scanner installation wizard and click Next when prompted.
3. Review and accept the License Agreement.
4. Select the folder location where Acunetix Web Vulnerability Scanner will be installed.
5. The installation will prompt you to install a unique root certificate used for HTTPS traffic and to create a desktop shortcut.
6. Click Install to start the installation. Setup will now copy all files and install the Acunetix Web Vulnerability Scanner Scheduler service.
7. Click Finish when ready.
Registering with AcuMonitor Service
Screenshot: AcuMonitor Registration
When you start Acunetix Web Vulnerability Scanner for the first time, you will be asked to register with the AcuMonitor Service. The AcuMonitor Service is used to automatically detect certain vulnerabilities which can only be detected using an intermediate server, such as Blind XSS, Server Side Request Forgery (SSRF) and Email Header Injection.
You can register with the AcuMonitor service using your email address and your license key. Registration can also be done at a later stage from Acunetix Web Vulnerability Scanner > Configuration > Application Settings > AcuMonitor. More information on the AcuMonitor Service can be found at http://www.acunetix.com/vulnerabilityscanner/acumonitorblindxssdetection/.
Installing AcuSensor in your web application
If you need to scan a .NET or PHP web application, you should install Acunetix AcuSensor on your web application in order to improve the detection of vulnerabilities, get the line in the source code where vulnerabilities are located and decrease false positives.
Upgrading Acunetix Web Vulnerability Scanner
It is recommended that you back up your settings before proceeding with the upgrade as per http://www.acunetix.com/blog/docs/backupacunetixsettingscustomizations/. To upgrade a previous version of Acunetix Web Vulnerability Scanner to the latest version:
1. Close all instances of Acunetix Web Vulnerability Scanner (and related utilities such as the Reporter).
2. Optionally back up the Login Sequences if you would like to use these in the newer version. Depending on the version, these can be copied from for version 7 or older or for newer versions.
3. Optionally back up the Reporting Database if you would like to use it in the newer version. If you are using an Access Database, the default location of the database is
4. From the Acunetix Web Vulnerability Scanner Program Group, select to uninstall the product.
5. Install the newer version of Acunetix Web Vulnerability Scanner.
6. To restore the Login Sequences, copy the files backed up in (2) to
7. If upgrading from version 7, the Reporting database needs to be updated before it can be used in a newer version. This can be done using the Reporting Database Upgrade tool, which can be downloaded from http://www.acunetix.com/download/tools/ConvertWVSDatabase.zip. Proceed as follows:
- If you are using an SQL database, select MS SQL Server, specify the Server, credentials and Database which needs to be upgraded and click on the Convert button. Then configure the new version of Acunetix Web Vulnerability Scanner to use the upgraded database.
Screenshot: Upgrade Reporting Database
- If you are using an Access database, select MS Access, select the database backed up in (3), and click on the Convert button. Once ready, copy the upgraded database to
Installing AcuSensor
Acunetix AcuSensor increases the efficiency of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET and PHP web applications.
Installing the AcuSensor Agent
NOTE: Installing the AcuSensor Agent is optional. Acunetix Web Vulnerability Scanner is still best in class as a black box scanner, but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET and PHP web applications. The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating fewer false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information. Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.
Generating the AcuSensor files
First you will need to generate your unique AcuSensor files. Proceed as follows:
1. If using Acunetix WVS, open Acunetix WVS and navigate to the Configuration > Application Settings node. Click on the AcuSensor Deployment node.
Screenshot: AcuSensor Deployment settings node
2. If using Acunetix Online Vulnerability Scanner, you can generate the AcuSensor files from the Scan Targets configuration. From Acunetix OVS, change to Scan Targets > List Scan Targets > Click on the Scan Target's name. Skip to step 6.
3. Enter a password or click on the padlock icon to randomly generate a password unique to the AcuSensor file.
4. Select 'Also set password in currently selected settings template' to store the password specified in the scan settings template.
5. Specify the path where you want the AcuSensor files to be generated.
6. Select whether to generate files for a PHP website or a .NET website.
7. Click on Generate AcuSensor Installation Files to generate the files.
8. Depending on whether you are using an ASP.NET or a PHP website, use one of the following procedures to install the AcuSensor files.
Installing the AcuSensor agent for ASP .NET Websites
The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.
1. Install prerequisites on the server hosting the website: the AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.
Screenshot: Enable IIS 6 Metabase Compatibility on Windows 2008
On Windows 2008, you must also install IIS 6 Metabase Compatibility from Control Panel > Turn Windows features On or Off > Roles > Web Server (IIS) > Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility to enable listing of all .NET applications running on the server.
2. Copy the AcuSensor installation files to the server hosting the .NET website.
Screenshot: Acunetix .NET AcuSensor Agent installation
3. Double click Setup.exe to install the Acunetix .NET AcuSensor agent and specify the installation path. The application will start automatically once the installation is ready. If the application is not set to start automatically, click on Acunetix .NET AcuSensor Technology Injector from the program group menu.
Screenshot: Acunetix .NET AcuSensor Technology Agent
4. On startup, the Acunetix .NET AcuSensor Technology Installer will retrieve a list of .NET applications installed on your server. Select which applications you would like to inject with AcuSensor Technology and select the Framework version from the drop-down menu. Click on Inject Selected to inject the AcuSensor Technology code in the selected .NET applications. Once the files are injected, close the confirmation window and also the AcuSensor Technology Injector.
Note: The AcuSensor installer will try to automatically detect the .NET framework version used to develop the web application, so you do not have to manually specify which framework version was used from the Target Runtime drop-down menu.
Installing the AcuSensor agent for PHP websites
This section describes how to install AcuSensor in a PHP web application.
1. Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.
2. There are 2 methods to install the AcuSensor agent: one method can be used for Apache servers, and the other method can be used for both IIS and Apache servers.
Method 1: Apache .htaccess file
Create a .htaccess file in the website directory and add the following directive: php_value auto_prepend_file [path to acu_phpaspect.php file]. Note: For Windows use C:\sensor\acu_phpaspect.php and for Linux use /Sensor/acu_phpaspect.php path declaration formats. If Apache does not execute .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.
Method 2: IIS and Apache php.ini
1. Locate the php.ini file on the server by using the phpinfo() function.
2. Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it to the php.ini file: auto_prepend_file=[path to acu_phpaspect.php file]
3. Save all changes and restart the web server for the above changes to take effect.
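An added checker for the two directives above (not part of Acunetix): it reports which mechanism prepends the sensor file and whether that file is readable, treating a commented-out or empty php.ini entry as "not configured" and letting an Apache .htaccess php_value take precedence over php.ini, as mod_php does. The sample fragments are constructed; the /Sensor/acu_phpaspect.php path is the Linux form given in the note above.

```python
import os
import re

# Constructed sample fragments. The commented-out line and the empty value
# (PHP's default) are the cases that must not count as "configured".
SAMPLE_PHP_INI = """
; auto_prepend_file = /old/acu_phpaspect.php
auto_prepend_file =
auto_prepend_file = "/Sensor/acu_phpaspect.php"
"""
SAMPLE_HTACCESS = """
# sensor for the Acunetix scan
php_value auto_prepend_file /Sensor/acu_phpaspect.php
"""

def ini_auto_prepend(ini_text):
    """Effective auto_prepend_file from php.ini text: the last uncommented
    assignment wins, quotes and trailing ; comments are stripped, and an
    empty value means no file is prepended."""
    value = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"auto_prepend_file\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).split(";")[0].strip().strip('"') or None
    return value

def htaccess_auto_prepend(htaccess_text):
    """Path set by a php_value / php_admin_value auto_prepend_file directive."""
    value = None
    for line in htaccess_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"php_(?:admin_)?value\s+auto_prepend_file\s+(\S+)", line)
        if m:
            value = m.group(1).strip('"')
    return value

def sensor_status(ini_text, htaccess_text, readable=os.access):
    """(mechanism, path, readable?) for the sensor prepend. `readable` is
    injectable so the check can be exercised without a real file; in
    production it is the web server user's access that matters, not yours."""
    from_htaccess = htaccess_auto_prepend(htaccess_text)
    path = from_htaccess or ini_auto_prepend(ini_text)
    if path is None:
        return ("not configured", None, False)
    mechanism = "htaccess" if from_htaccess else "php.ini"
    return (mechanism, path, readable(path, os.R_OK))

if __name__ == "__main__":
    print(sensor_status(SAMPLE_PHP_INI, SAMPLE_HTACCESS))
```

The CLI and the web server SAPI can load different php.ini files, which is why the procedure above locates the file through phpinfo() served by the web server rather than from a shell.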
Testing your AcuSensor Agent

To test if the AcuSensor agent is working properly on the target website, do the following:

1. In the Tools Explorer, navigate to the Configuration > Scan Settings node and select the AcuSensor node.
2. Enter the password of the AcuSensor agent file which was copied to the target website.
3. Click Test AcuSensor installation on a Specific URL. A dialog will prompt you to submit the URL of the target website where the AcuSensor Agent file is installed. Enter the desired URL and click OK.
Changing the AcuSensor Password

If you need to change the password used by the AcuSensor agent on your website, you will need to regenerate the AcuSensor Files and reinstall them on your website. Perform the following if you are using a .NET website:

1. Use the procedure in the next section to Disable and Uninstall the AcuSensor agent.
2. Configure a new password. This step can be omitted if you are using Acunetix Online Vulnerability Scanner, since a new unique and secure password is automatically generated each time the AcuSensor files are generated. The unique password is stored with the Scan Target's settings.
3. Click on Generate AcuSensor installation files.
4. Proceed with installing the new AcuSensor files. If you are using a PHP web application, you will just need to overwrite the old acu_phpaspect.php with the new acu_phpaspect.php file.
Disabling and uninstalling AcuSensor

To uninstall and disable the sensor from your website:

AcuSensor for ASP .NET websites

1. Browse to the installation directory where the AcuSensor Agent was installed.
2. Open AcuSensorInjector.exe.

Screenshot: Select website and click Uninject Selected

3. Select the website where the AcuSensor agent is installed and click on Uninject to remove the AcuSensor Agent from the site.
4. Close AcuSensorInjector.exe.
5. From the same directory, double click uninstall.exe to uninstall the AcuSensor Agent files.

Note: If you uninstall the Acunetix .NET AcuSensor Technology Injector without uninjecting the .NET application, then the AcuSensor code will not be removed from your .NET application.

AcuSensor for PHP

1. If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive php_value auto_prepend_file [path to acu_phpaspect.php file] from .htaccess.
2. If method 2 was used to install the PHP AcuSensor, delete the directive auto_prepend_file=[path to acu_phpaspect.php file] from php.ini.
3. Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.

Note: Although the Acunetix AcuSensor agent requires authentication, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
Scanning a Website

NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!

The web server logs will show your IP address and all the attacks made by Acunetix Web Vulnerability Scanner. If you are not the sole administrator of the website, please make sure to warn other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website. To scan a website, you first need to perform the following steps:
Step 1: Select Target(s) to Scan

1. Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left hand of the Acunetix Web Vulnerability Scanner menu bar.

Screenshot: Scan Wizard: Select Scan Type

2. Specify the scan options:
a. Scan single website: Enter the URL of the target website, e.g. http://testphp.vulnweb.com.
b. Scan using saved crawling results: If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.
3. Click Next to continue.

Note: The Acunetix Web Vulnerability Scanner Scheduler can be used to scan websites at a specific time and to configure recurring scans.
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options

Screenshot: Scanning Profile and Scan Settings template

Scanning Profile

The Scanning Profile will determine which tests are to be launched against the target website. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection. No additional tests will be performed. The Default scanning profile will test your website for all known web vulnerabilities. Refer to the Scanning Profiles section for more information on how to customize or create scanning profiles.

Scan Settings template

The Scan Settings template will determine what Crawler and Scanner settings are to be used during a scan. Refer to the Scan Settings templates section for more information on how to customize or create new Scan Settings templates.

Save scan Results

If you want to automatically save the scan results to the reporting database, enable the Save scan results to the database for report generation option.

Crawling Options

Tick the option After crawling let me choose which files to scan if you would like to select/deselect files from the automated website security scan, instead of scanning the whole website. Tick the option Define list of URLs to be processed by crawler at start if you would like a specific URL to be crawled before any other (not available if using saved crawling results).
Step 3: Confirm Targets and Technologies Detected

Screenshot: Scan Wizard Selecting Targets and Technologies

Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server and its web server technologies. The web vulnerability scanner will reduce the scan time by scanning only for the selected web technologies. E.g. Acunetix Web Vulnerability Scanner will not launch IIS security checks against a Linux system running an Apache web server. Click on the relevant field and change the settings from the provided checkboxes if you would like to add or remove scans for specific technologies.

Note: If a specific web technology is not listed under Optimize for the following technologies, it does not mean that it is unsupported by Web Vulnerability Scanner, only that there are no vulnerability tests exclusive to that technology.

Step 4: Configure Login for Password Protected Areas

Two types of Login mechanisms are commonly used on the web:

- HTTP Authentication: This type of authentication is handled by the web server, where the user is prompted with a password dialog. Scanning an HTTP password protected area requires that you either enter the credentials during the crawling of your web application, or you have the credentials pre-configured in Acunetix. This is covered in more detail here.
- Forms Authentication: This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script. Scanning websites using forms based authentication is done using the Login Sequence Recorder and is covered in more detail here.
Step 5: Finalize Scan Options

Screenshot: Finalize Scan Options

Before the Scan is started, the Scan Wizard will report issues which might hinder the scan. The following is a list of actions which you might be presented with:

- If an error is encountered while connecting to the target server, the error will be shown.
- If Acunetix Web Vulnerability Scanner is unable to automatically detect a custom 404 error page pattern, you will have to configure a custom 404 error page rule by clicking the Customize button. Read more about configuring Acunetix to handle Custom 404 error pages.
- If the target server is using CASE insensitive URLs, you must force case insensitive crawling. This can be done from Configuration > Scan Settings > Crawling Options > Ignore CASE differences in paths.
- If AcuSensor Technology is enabled and the target server is running PHP or .NET, you will get an error if the AcuSensor agent is not detected. Click the Customize button to install AcuSensor on the target web application.
- If additional hosts have been found to be linked to from the website being scanned, you can optionally select to scan these too. You will require permissions to scan the selected hosts too.
- If a smartphone friendly version of the website is detected, you will be given the option to crawl and scan the site as a normal browser or a mobile browser.
- If you have made changes to the Scan Settings template, you will be asked if you want to save the modifications to the existing or a new template.

Step 6: Start the scan

Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, the scanning profile selected, and the server's response time, a scan may take several hours.
Analyzing the Scan Results

The vulnerabilities discovered during the scan of a website are displayed in real time in the Alerts node in the Scan Results window. A Site Structure node is also shown listing the files and folders discovered.

Screenshot: Scan Results showing Alerts Summary

Web Alerts

The Web Alerts node displays all vulnerabilities found on the target website. Web Alerts are categorized according to 4 severity levels:

- High Risk Alert Level 3: Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.
- Medium Risk Alert Level 2: Vulnerabilities caused by server misconfiguration and site coding flaws, which facilitate server disruption and intrusion.
- Low Risk Alert Level 1: Vulnerabilities derived from lack of encryption of data traffic, or directory path disclosures.
- Informational Alert: These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or matching a search string found in the Google Hacking Database.

More information about the vulnerability is shown when you click on an alert category node:

- Vulnerability description: A description of the discovered vulnerability. The AcuSensor logo is displayed in the Vulnerability Description for the vulnerabilities that are detected using the AcuSensor Technology.
- Affected items: The list of files vulnerable to the discovered vulnerability.
- The impact of this vulnerability: Level of impact on the website or web server if this vulnerability is exploited.
- Attack details: Details about the parameters and variables used to test for this vulnerability. E.g. for a Cross Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server (including the HTML response). The attack can be inspected and relaunched manually by clicking Launch the attack with HTTP Editor. For more information, please refer to http://www.acunetix.com/blog/docs/httpeditor/.
- How to fix this vulnerability: Guidance on how to fix the vulnerability.
- Detailed information: More information about the reported vulnerability.
- Web references: A list of web links providing more information on the vulnerability to help you understand and fix it.

Marking an Alert as a False Positive

If you are certain that the vulnerability discovered is a false positive, you can flag the alert as a False Positive to avoid it being reported in subsequent scans of the same website. To do this, click on the Mark alert as false positive link, or right click on the alert and select the menu option. You can remove an alert from the false positives list by navigating to the Configuration > Application Settings node in the Tools Explorer and selecting the False Positives node.
Network Alerts

Screenshot: Network, Port Scanner and Knowledge base nodes

The Network Alerts node displays network level vulnerabilities discovered in scanned network services, such as DNS, FTP, SMTP and SSH servers. Network alerts are categorized into 4 severity levels (similar to web alerts). The number of vulnerabilities detected is displayed in brackets () next to the alert categories. Click an alert category node to view more information (similar to web alerts).

Note: You can disable network security checks by unticking the Enable Port Scanning option in the Scan Wizard. Network Security Checks are only performed on open ports detected during the scan, thus disabling port scanning will effectively disable all the network security checks.

Port Scanner

The Port Scanner node displays all the discovered open ports on the server. Network service banners can be viewed by clicking on an open port.

Note: Port Scanning of the target server can be enabled or disabled from Acunetix WVS > Configuration > Scan Settings > Scanning Options > Enable Port Scanning.

Knowledge Base

The knowledge base node is a high level report that displays:

- List of open TCP ports found on the server, including the port banner.
- List of Network Services running on the web server and their response.
- List of files with inputs found on the website. The number of inputs per file is also shown.
- List of links to external hosts found on the website. E.g. testphp.vulnweb.com contains a link to www.acunetix.com.
- List of Client and Server HTTP error responses together with the HTTP requests that generated them. An example would be the response code Server Internal Error HTTP 500. Check the response for information exposure.
Site Structure

The Site Structure Node displays the layout of the target website including all files and directories discovered during the crawling process.

Screenshot: Site Structure

In the Crawler results (Site Structure node), color codes are used to show different file statuses. The file name color coding is as follows:

- Green: These files will be tested with AcuSensor Technology, resulting in more advanced security checks and fewer false positive alerts. From the AcuSensor data tab, the user can see what data related to these files is being returned by the AcuSensor. Such information is useful to know what SQL queries were executed or if the selected file is using functions which are monitored by AcuSensor.
- Blue: File was detected during a vulnerability test and not by the crawler. Most probably such files are not linked from anywhere on the target website.
- Black: Files discovered by the crawler.

For every discovered item, more detailed information is available in the information pane on the right hand side:

- Info: Generic information such as file name, page title, path, length, URL etc.
- Referrers: The files or pages that linked to the tested file.
- HTTP Headers: The HTTP headers of the request sent to the web server to retrieve the selected file, and the HTTP response headers received.
- Inputs: Possible input parameters and values for the file.
- View Source: The source HTML of the page.
- View Page: The page is displayed as it is shown in a web browser. Most client side scripts are disabled in this tab for security purposes, to avoid launching vulnerabilities against the computer on which Acunetix Web Vulnerability Scanner is running.
- AcuSensor Data: Any AcuSensor Technology data returned.
- Alerts: A list of alerts for the selected file.

In addition, each item contains the HTML Structure Analysis, which includes:

- A list of links discovered in the file.
- Comments discovered in the selected page. The information contained in the comments cannot be automatically analyzed but may reveal interesting information about the construction and coding of the website.
- Any client side scripts (JavaScript, VBScript etc.) and their source code discovered in the selected page. The client web browser will execute these scripts. This might reveal information about the logic of the web application.
- Any forms discovered in the selected object are shown in the top window. A list of parameters and their possible values is shown in the middle and bottom window.
- A list of META tags discovered in the selected object. META tags contain information about the website, e.g. the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, such META tags control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP headers automatically or by a pre-processing tool.
Grouping of Vulnerabilities

Screenshot: Grouping of vulnerabilities

If the same type of vulnerability is detected on multiple pages, the scanner will group them under one alert node. Expanding the alert node will reveal all the vulnerable pages. Expand further to view the vulnerable parameters for the selected page.

Saving / Loading Scan Results

When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session including alert information and site structure.

- To save the scan results, click the File menu and select Save Scan Results.
- To load the scan results, click the File menu and select Load Scan Results.
Scanning Web Services

Web Services, like any other internet dependent systems, present new exploit possibilities and increase the need for security audits. The Web Services Scanner performs automated vulnerability scans for Web Services and generates a detailed security report of the results.

Screenshot 66: Web Services Scanner

Starting a Web Service Scan

1. From the Tools Explorer select Web Services Scanner and click the New Scan button in the toolbar to launch the Web Service Scan Wizard. Specify the URL of an online or local WSDL and choose a scanning profile. Click Next to proceed.
2. In the Selection step, select the Web Services, Ports and Operations that must be scanned. The number of inputs accepted by each operation and the URL of the ports will be displayed in the Details section.
3. Enter specific input values (optional) for the scanner to use as Web Service Operations in the Default Values step.
4. Proceed to the scan summary, review it and click Finish to launch the scan.

Web Services Editor

Screenshot 67: Web Services Editor

The Web Services Editor allows importing of online or local WSDL for custom editing and execution of various web service operations, for an in depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages, making it easy to edit SOAP headers and customize manual attacks. Editing and sending of Web Services SOAP messages is very similar to editing normal requests sent via the HTTP Editor.

Importing WSDL and Sending Request

1. Click on the Web Services Editor node in the tools explorer and enter the URL of the WSDL, or locate the local directory where the local WSDL file is stored. Click Import to import all WSDL information.
2. From the drop down menus in the toolbar, select the Service, Port and Operation that must be tested.
3. Specify a value for the operation and click Send to pass the SOAP request to the web service. The web server response can then be viewed in a structured or XML view type in the lower window pane.

Response Tab

Displays the response sent back from the web service in raw XML format.

Structured Data Tab

Presents the XML data received from the web service response using a hierarchy of nodes that show the value for each element.

WSDL Structure Tab

Presents a detailed view of the web service data as provided by the WSDL Structure. The WSDL information is structured in the form of nodes and sub-nodes, and the main nodes of the tree structure are XML Schema and Services.

The XML Schema node lists all the Complex Types and the Elements of the web service. The Services node lists all the web service ports and their respective operations, together with the resource details of the source of the SOAP data. A more detailed WSDL structure can also be shown by ticking Show detailed WSDL structure at the bottom of the screen. This will provide extensive information for each sub-node of the Services node structure, such as input messages and parameters.

WSDL Tab

This tab shows the actual WSDL data in the form of XML tags. Using the toolbar provided at the bottom of the screen, you can search for certain keywords or elements in the source code and also change the syntax highlighting if needed.

HTTP Editor Export

In the Web Services Editor you can export a SOAP request to the HTTP Editor by clicking on the HTTP Editor button in the Web Services Editor toolbar. The HTTP Editor tool will automatically import the data so the request can be customized and sent as an HTTP POST request.
Generating Reports

Screenshot: The Reporter Application

The Acunetix Web Vulnerability Scanner Reporter is a standalone application that allows you to generate reports for the security scans performed using Acunetix Web Vulnerability Scanner. The Reporter can be launched after completing a scan, or from the Acunetix Web Vulnerability Scanner program group, and can be used to generate various types of reports including developer reports, executive reports, compliance standard reports or a report that compares the results of two scans.

Generating a Report from the Scan Results

There are two ways to generate a report. After scanning a site, click on the Report button on the Acunetix toolbar. This will start the Acunetix Web Vulnerability Scanner Reporter and will load the Default Report for the scan. The Default Report used can be selected from the Reporter Settings.

Screenshot: Sample Report

The second method is to load the Acunetix Web Vulnerability Scanner Reporter from the Acunetix Web Vulnerability Scanner Program Group. This will allow you to report on the scans that have been saved to the Reports database.

1. From the Reports list, select the type of report and click on Report Wizard.
2. In the case of a Compliance Report, select the Regulatory body or Standard to be used in the report. Click Next.

Screenshot: Select Compliance Report

3. You can then select to show the results of all the scans stored in the reports database or to filter the scans that are displayed based on specific scan criteria. Click Next.

Screenshot: Filter Scans

4. Select the scan that you would like to report on.

Screenshot: Select Scan

5. Select what properties and details the report should include. The Report Properties will vary depending on the type of report that you are generating.

Screenshot: Select Report Properties

6. Click the Generate button to generate the report.
7. Once the report is generated, it can be printed or exported in various formats including PDF, Word and HTML.

Reporter Settings

The Reporter settings allow you to configure the layout and style of the generated reports. To access the report settings, navigate to the Configuration > Settings node in the Reporter Tools Explorer. From the Report Options node, you can customize the layout, titles, and images in the headers of the report.

Screenshot: Reporter Options

General Settings: Configure the default report template for generating a report.
Report Options: Select custom icons, logos, headers and footers to customize the report.

From the Page Settings node you can configure the default page size, orientation and margins of your reports. These settings will apply to all reports.

Saving Reports

Once you have generated your report, you can use the toolbar at the top to save the report in PRE (prepared reports) format, which will allow you to review the report later. You can also export the report to PDF, HTML, Text, Word Document and BMP, or print the report.

Changing the Reporter Database

Acunetix Web Vulnerability Scanner stores the scan results in a backend database. By default, Microsoft Access is used. You might want to switch to using Microsoft SQL Server. This is recommended when scanning a lot of sites or larger sites. This can be done as follows:

1. Navigate to the Configuration > Application Settings > Database node in the Acunetix Web Vulnerability Scanner interface. Select MS SQL Server from the Database Type drop down menu.
2. Enter the Server IP or FQDN in the Server text box and the credentials to connect to the server in the Username and Password text boxes. Only SQL Authentication is supported.
3. Specify a database name in the Database text box. If the database does not exist it will be automatically created. If the database specified already exists, you will be prompted with a confirmation to overwrite the current database structure and data.

Note: The creation of the database requires a user with SQL Administrator privileges. Once the database is created, you can change the SQL credentials to a user account with read and write permissions on the database. It is also possible to import a database configuration file. Select Import Database Configuration and select a *.dbconfig file generated by the Acunetix Enterprise Reporter to automatically import SQL database settings.
Acunetix Reports

The following is a list of the reports that can be generated from Acunetix Web Vulnerability Scanner (WVS) and Acunetix Online Vulnerability Scanner (OVS):

Affected Items Report
Availability: OVS and WVS
The Affected Items report shows the files and locations where vulnerabilities have been detected during a scan. The report shows the severity of the vulnerability detected, together with other details about how the vulnerability has been detected.

Developer Report
Availability: OVS and WVS
The Developer Report is targeted at developers who need to work on the website in order to address the vulnerabilities discovered by Acunetix Web Vulnerability Scanner. The report provides information on the files which have a long response time, a list of external links, email addresses, client scripts and external hosts, together with remediation examples and best practice recommendations for fixing the vulnerabilities.

Executive Report
Availability: OVS and WVS
The Executive Report summarizes the vulnerabilities detected in a website and gives a clear overview of the severity level of vulnerabilities found in the website.

Quick Report
Availability: OVS and WVS
The Quick Report provides a detailed listing of all the vulnerabilities discovered during the scan.

Network Security Report
Availability: OVS only
The Network Security Report provides detailed security information about the perimeter network server scanned by Acunetix Online Vulnerability Scanner. This information is very useful for a network security auditor or pen tester who is tasked with analysing the security of the perimeter network.

Compliance Reports

Screenshot: PCI Compliance Report

Compliance Reports are available for the following compliance bodies and standards:

CWE / SANS Top 25 Most Dangerous Software Errors
Availability: OVS and WVS
This report shows a list of vulnerabilities that have been detected in your website which are listed in the CWE/SANS top 25 most dangerous software errors. These errors are often easy to find and exploit and are dangerous because they will often allow attackers to take over the website or steal data. More information can be found at http://cwe.mitre.org/top25/.

The Health Insurance Portability and Accountability Act (HIPAA)
Availability: OVS and WVS
Part of the HIPAA Act defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. This report identifies the vulnerabilities that might be infringing these policies. The vulnerabilities are grouped by the sections as defined in the HIPAA Act.

International Standard ISO 27001
Availability: OVS and WVS
ISO 27001, part of the ISO/IEC 27000 family of standards, formally specifies a management system that is intended to bring information security under explicit management control. This report identifies vulnerabilities which might be in violation of the standard and groups the vulnerabilities by the sections defined in the standard.

NIST Special Publication 800-53
Availability: OVS and WVS
NIST Special Publication 800-53 covers the recommended security controls for Federal Information Systems and Organizations. Once again, the vulnerabilities identified during a scan are grouped by the categories as defined in the publication.

OWASP Top 10 2013
Availability: OVS and WVS
The Open Web Application Security Project (OWASP) is a web security project led by an international community of corporations, educational institutions and security researchers. OWASP is renowned for its work in web security, specifically through its list of top 10 web security risks to avoid. This report shows which of the detected vulnerabilities are found in the OWASP top 10 vulnerabilities.

Payment Card Industry (PCI) standards
Availability: OVS and WVS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard which applies to organizations that handle credit card holder information. This report identifies vulnerabilities which might breach parts of the standard and groups the vulnerabilities by the requirement that has been violated.

Sarbanes Oxley Act
Availability: OVS and WVS
The Sarbanes Oxley Act was enacted to prevent fraudulent financial activities by corporations and top management. Vulnerabilities which are detected during a scan and which might lead to a breach in sections of the Act are listed in this report.

DISA STIG Web Security
Availability: OVS and WVS
The Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense. This report identifies vulnerabilities which violate sections of the STIG and groups the vulnerabilities by the sections of the STIG guide which are being violated.

Web Application Security Consortium (WASC) Threat Classification
Availability: OVS and WVS
The Web Application Security Consortium (WASC) is a non profit organization made up of an international group of security experts, which has created a threat classification system for web vulnerabilities. This report groups the vulnerabilities identified on your site using the WASC threat classification system.

Scan Comparison Report

Screenshot: Scan Comparison Report

Availability: WVS only
The Scan Comparison Report allows the user to track the changes between two scan results for the same application. This report will highlight resolved, unchanged and new vulnerabilities, making it easy to track development changes affecting the security of your web application.

Monthly Vulnerabilities Report
Availability: WVS only
This statistical report correlates the data from the scans performed in a specific month, and reports on the vulnerabilities identified during that month.
Scheduling Scans

The Scheduler application allows you to schedule scans at a convenient time without requiring Acunetix Web Vulnerability Scanner or the Acunetix Web Vulnerability Scanner Scheduler Interface to be running.

Configuring the Scheduler service

The Acunetix Scheduler has a web based interface that can be configured through the Acunetix Web Vulnerability Scanner application settings. To access the Scheduler service settings, navigate to the Configuration > Application Settings > Scheduler node.

Configuring the Scheduler web interface

Screenshot: Scheduler web interface configuration

By default, the Scheduler web interface is only accessible via localhost and on port 8181 (http://localhost:8181). If you would like the Scheduler web interface to be accessible from other remote computers, tick the Allow remote computers to connect option. When enabled, you will be prompted to specify a username and password for HTTPS to be automatically enabled. For security reasons, login credentials must always be defined when the scheduler web interface is configured to be accessed remotely.

Note: When you change any of the Web Interface settings, upon clicking the Apply button restart the Acunetix WVS Scheduler service from the Windows Services console.

Scan Options

Screenshot: Scheduler scan options

In the Scheduler Scan Options, you can specify the path where the Acunetix Web Vulnerability Scanner scan results should be saved. By default, the scan results are saved in the My Documents folder of the Windows Public user profile, in the Acunetix WVS subdirectory.

Scanning multiple websites

From this section you can also configure the number of parallel scans launched in Acunetix Web Vulnerability Scanner. E.g. if you want to scan 4 websites and their scan schedule overlaps, instead of the scans being queued, another instance of Acunetix Web Vulnerability Scanner is automatically started and the scans will be launched in parallel. If you are scanning a large number of websites it is suggested to increase the number of parallel scans so their schedule does not overlap. The maximum number of parallel scans is 10 if you have the x10 instances license.

Note: The maximum number of scheduled scans that can be configured in the Acunetix Web Vulnerability Scanner scheduler is 2000.

Configuring Email notifications

Screenshot: Scheduler email notifications

In this section you can specify the settings for email notifications, such as SMTP server IP or FQDN, port, SMTP server authentication (optional) and the email address where notifications will be sent.

Excluded hours templates

Screenshot: Excluded Hours Templates

In the Excluded Hours Templates section you can specify a range of hours to pause ongoing scans, e.g. if you do not want to scan your website during times of high traffic.

Screenshot: Excluded Hours Configuration

To add a new Excluded Hours Template, click on the Add button and then:

1. Specify a name for the template in the Name input field.
2. Highlight the hours of the day when scans should not run.
3. Click OK to save the new template.

Note: If a scan is still running during the excluded hours, the scan will be automatically paused and resumed again when scanning is allowed.

Creating a Scheduled scan

1. Access the Scheduler interface by clicking the Scheduler Icon on the toolbar in the Acunetix Web Vulnerability Scanner interface, or browse to http://127.0.0.1:8181 using a web browser.

Note: JavaScript should be enabled to access the Acunetix Scheduler web interface.

Screenshot: Acunetix Scheduler web interface

2. Click on the New scan button to add a new scan. You can add as many scans as you wish. If the scan schedule overlaps, they will be scanned in parallel. You can increase or decrease the number of parallel scans from the Scheduler configuration in the Acunetix Web Vulnerability Scanner application settings.
3. If you would like to import a number of scans (up to 2,000) using a CSV file, click on the Import CSV button. You can read more about this feature later in this chapter.

Scheduled Scan Basic Options

Screenshot: Acunetix Scheduler Basic options

The Basic Options allow you to specify which target/s to scan as well as the scan recursion. The recursion option gives you the option to configure the Scheduler to run a scan Once, Every Day, Every Week, Every Month or Continuous. Set a specific day number if the schedule is set to weekly or monthly, e.g. 2nd day of the week or 21st day of the month.

Scheduled Scan Advanced Options

Screenshot: Acunetix Scheduler Advanced options

The Advanced Options allow you to configure:

- Scanning Profile
- Login Sequence
- Scan Settings template
- Scan Mode
- Excluded Hours Template

Scheduled scan results and reports

Screenshot: Acunetix Scheduler Scan results and Reports

In the Scan results and reports section, you can select to save the scan results to the reporting database, save the scan logs, and generate a report. You can also specify in which format you want the report to be generated and an email address where the scan results are sent. If no email address is specified, the email address configured in the scheduler settings is used. In addition, the Report template field allows you to specify what report template to use. You can choose among four templates, which are Affected Items, Developer Report, Executive Summary and Quick Report.
Importing Scheduled Scans

You can also import scheduled scans from a CSV file. The format of the CSV file is described next.

CSV File Properties

Each line in the CSV file should contain only one scan. For each scan you should specify the following properties, in this order:

URL: Specify the URL with or without protocol (http or https). If no protocol is specified, http is used. This entry is mandatory.

Date: Specify the date when the scan should be launched. The date format is DDMMYYYY and should be a single string, e.g. if a scan is to be scheduled for the 5th of November 2014, the date should be 05112014. This entry is mandatory.

Time: Specify the time when the scan should be launched. The time format is 24-hour and should be a single string of 4 digits, e.g. 10am should be 1000 and 10pm should be 2200. This entry is mandatory.

Scanning Profile: Specify the name of an existing scanning profile to be used during the scan. If not specified, the default scanning profile will be used.

Login Sequence: Specify the name of an existing login sequence if you want to use a login sequence during the scan. If nothing is specified, no login sequence will be used.

Scan Settings: Specify the name of an existing scan settings template. If no scan settings template is specified, the default scan settings template will be used.

Scan Mode: Specify the scan mode to be used during the scan. The options are quick, heuristic and extensive. If no scan mode is specified, the default scan mode will be used.

Generate Report: Specify whether a report should be generated after the scan. The options are yes or no. If nothing is specified, no report will be generated.

Report Format: If you set Generate Report to yes, you should also specify the report format. The options available are PDF, RTF, REP or HTML. If you do not specify any format, a PDF report will be generated.

Notification Email Address: Specify the email address to which the notification should be sent upon completion of the scan. If no email address is specified, the default email address configured in the Acunetix Web Vulnerability Scanner GUI will be used.

If you would like to omit an entry so that its default value is used, simply leave the field empty between the two commas (do not remove the comma: every line must carry all ten fields). Some examples follow:

Example 1: To scan testphp.vulnweb.com on the 5th of November 2014 at 10pm using the default values, use the below line in the CSV file:

http://testphp.vulnweb.com,05112014,2200,,,,,,,

Example 2: To scan testasp.vulnweb.com on the 5th of November 2014 at 3:15pm using the XSS (Cross-site scripting) scanning profile, without a login sequence, with the default scan settings, using the extensive scanning mode, generating a PDF report and sending the results to [email protected], use the below line:

http://testasp.vulnweb.com,05112014,1515,XSS,,,extensive,yes,PDF,[email protected]

Note: Scans imported from a CSV file will only be executed once. It is not possible to configure recurring scans using the CSV file import feature.
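The field order, formats and defaults above are easy to get wrong by hand (a date like 31022014 or a time like "10pm" silently produces a scan that never runs or runs at the wrong moment), so it is worth validating an import file before handing it to the Scheduler. The following script is an added example, not part of the Acunetix product or this manual: it builds and parses lines in exactly the ten-field layout described above, applies the documented defaults (http when no protocol is given, no report unless yes, PDF when a report is requested without a format), and rejects the values the manual does not allow. The sample file, the notification address ops@example.com and the two deliberately broken lines are constructed for the example; it enforces only what the text above states and does not talk to the scanner.

```python
"""Build and validate lines for the WVS scheduled-scan CSV import (added example)."""
import re
from datetime import datetime

# Field order taken from the manual's CSV File Properties section.
FIELDS = ("url", "date", "time", "profile", "login", "settings",
          "mode", "report", "format", "email")
SCAN_MODES = {"quick", "heuristic", "extensive"}
REPORT_FORMATS = {"PDF", "RTF", "REP", "HTML"}


def validate_fields(f):
    """Return a list of problems for one ten-field record (empty list means ok)."""
    problems = []
    url, date, time_, _, _, _, mode, report, fmt, email = f
    if not url:
        problems.append("url is mandatory")
    elif "://" in url and not url.lower().startswith(("http://", "https://")):
        problems.append("url protocol must be http or https")
    if not re.fullmatch(r"\d{8}", date):
        problems.append("date must be DDMMYYYY")
    else:
        try:
            datetime.strptime(date, "%d%m%Y")   # catches 31022014 etc.
        except ValueError:
            problems.append("date is not a real calendar date")
    if not re.fullmatch(r"([01]\d|2[0-3])[0-5]\d", time_):
        problems.append("time must be 24h HHMM")
    if mode and mode.lower() not in SCAN_MODES:
        problems.append("scan mode must be quick, heuristic or extensive")
    if report and report.lower() not in ("yes", "no"):
        problems.append("generate report must be yes or no")
    if fmt and fmt.upper() not in REPORT_FORMATS:
        problems.append("report format must be PDF, RTF, REP or HTML")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+", email):
        problems.append("notification email is malformed")
    return problems


def parse_line(line):
    """Split one CSV line, validate it and apply the manual's defaults."""
    f = line.rstrip("\r\n").split(",")
    if len(f) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(f)}")
    problems = validate_fields(f)
    if problems:
        raise ValueError("; ".join(problems))
    rec = dict(zip(FIELDS, f))
    if "://" not in rec["url"]:
        rec["url"] = "http://" + rec["url"]        # no protocol given: http
    rec["report"] = (rec["report"] or "no").lower()  # nothing given: no report
    rec["format"] = (rec["format"] or "PDF").upper() if rec["report"] == "yes" else ""
    rec["mode"] = rec["mode"].lower()               # empty means scanner default
    return rec


def build_line(url, date, time_, profile="", login="", settings="",
               mode="", report="", fmt="", email=""):
    """Assemble one line; empty arguments become empty fields so defaults apply."""
    f = [url, date, time_, profile, login, settings, mode, report, fmt, email]
    if any("," in v for v in f):
        raise ValueError("fields may not contain commas")
    problems = validate_fields(f)
    if problems:
        raise ValueError("; ".join(problems))
    return ",".join(f)


def parse_file(text):
    """Parse a whole import file; returns (records, {line_number: error})."""
    records, errors = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except ValueError as e:
            errors[n] = str(e)
    return records, errors


# Constructed sample file: the manual's two examples (with a made-up
# notification address), then two lines that must be rejected.
SAMPLE_CSV = """\
http://testphp.vulnweb.com,05112014,2200,,,,,,,
http://testasp.vulnweb.com,05112014,1515,XSS,,,extensive,yes,PDF,ops@example.com
testhtml5.vulnweb.com,31022014,0900,,,,,,,
http://testphp.vulnweb.com,05112014,10pm,,,,fast,,,
"""

if __name__ == "__main__":
    recs, errs = parse_file(SAMPLE_CSV)
    for r in recs:
        print("ok  ", r)
    for n, e in errs.items():
        print(f"line {n}: {e}")
```

Run it on your own file before importing: every accepted record is printed with its effective settings, and each rejected line is reported with the reason. Because the manual states that scanning profile, login sequence and scan settings names must already exist in the scanner, the script can only check that those fields are present; it cannot confirm the names are valid.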
Troubleshooting and Support

User Manual
The most common queries can be answered by consulting this user manual.

Frequently Asked Questions
Our support team maintains a list of frequently asked questions at http://www.acunetix.com/support/faq/.

Acunetix Blog
We highly recommend that you follow our security blog by browsing to: http://www.acunetix.com/blog/.

Request Support
If you encounter persistent problems that you cannot resolve, we encourage you to contact the Acunetix Support team via email at support@acunetix.com. Please include any information you think is useful to help us diagnose your issue, such as information on the web technologies being used, screenshots showing the problem, etc. Please also include your license key information in the support email. We will do our best to answer your query within 24 hours or less, depending on your time zone.

Knowledge base / Support page
You can also explore the Acunetix knowledge base and other support options by browsing to: http://www.acunetix.com/support/.

Acunetix Facebook page
Join us on Facebook for the latest product and industry updates: http://www.facebook.com/Acunetix.