Web Vulnerability Scanner v9.5 Product Manual

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd. Acunetix Web Vulnerability Scanner is copyright of Acunetix Ltd. 2004-2014. Acunetix Ltd. All rights reserved. http://www.acunetix.com. 3rd November 2014.

Table of Contents

- Introduction
- Overview
- Installing Acunetix
- Installing AcuSensor
- Scanning a Website
- Analysing Scan Results
- Scanning Web Services
- Generating Reports
- Acunetix Reports
- Scheduling Scans
- Troubleshooting and Support

Introduction to Acunetix Web Vulnerability Scanner

Why You Need To Secure Your Web Applications

Website security is today's most overlooked aspect of securing an enterprise and should be a priority in any organization. Increasingly, hackers are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites. A victim's website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website's bandwidth and making its owner liable for these unlawful acts.

Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, web forms), Authentication Attacks, Directory Enumeration and other exploits. The hacking community is also very close-knit: newly discovered web application intrusions, known as Zero Day exploits, are posted on a number of forums and websites known only to members of that exclusive underground group. Postings are updated daily and are used to propagate and facilitate further hacking.

Web applications (shopping carts, forms, login pages, dynamic content, and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.

Why are web applications vulnerable?

- Websites and web applications are easily available via the internet 24 hours a day, 7 days a week to customers, employees, suppliers and therefore also hackers.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases.
- Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.

Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.

Network security defense provides no protection against web application attacks since these are launched on port 80, which has to remain open to allow regular operation of the business. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.

The need for automated web application security scanning

Manual vulnerability auditing of all your web applications is complex and time-consuming, since it generally involves processing a large volume of data. It also demands a high level of expertise and the ability to keep track of considerable volumes of code used in a web application. In addition, hackers are constantly finding new ways to exploit your web application, which means that you would have to constantly monitor the security communities, and find new vulnerabilities in your web application code before hackers discover them.

Automated vulnerability scanning allows you to focus on the already challenging task of building a web application. An automated web application scanner is always on the lookout for new attack paths that hackers can use to access your web application or the data behind it. Within minutes, an automated web application scanner can scan your web application, identify all the files accessible from the internet and simulate hacker activity in order to identify vulnerable components. In addition, an automated vulnerability scanner can also be used to assess the code which makes up a web application, allowing it to identify potential vulnerabilities which might not be obvious from the internet, but still exist in the web application, and can thus still be exploited.

Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting and other exploitable vulnerabilities. In general, Acunetix Web Vulnerability Scanner scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol. Acunetix Web Vulnerability Scanner offers a strong and unique solution for analyzing off-the-shelf and custom web applications, including those utilizing JavaScript, AJAX and Web 2.0 web applications. Acunetix has an advanced crawler that can find almost any file. This is important since what is not found cannot be checked.

How Acunetix Web Vulnerability Scanner Works

Acunetix Web Vulnerability Scanner works in the following manner:

1. Acunetix DeepScan analyses the entire website by following all the links on the site, including links which are dynamically constructed using JavaScript, and links found in robots.txt and sitemap.xml (if available). The result is a map of the site, which Acunetix Web Vulnerability Scanner will use to launch targeted checks against each part of the site.

Screenshot: Crawler Results

2. If Acunetix AcuSensor Technology is enabled, the sensor will retrieve a listing of all the files present in the web application directory and add the files not found by the crawler to the crawler output. Such files usually are not discovered by the crawler as they are not accessible from the web server, or not linked through the website. Acunetix AcuSensor also analyses files which are not accessible from the internet, such as web.config.

3. After the crawling process, the Web Vulnerability Scanner automatically launches a series of vulnerability checks on each page found, in essence emulating a hacker. Acunetix Web Vulnerability Scanner also analyses each page for places where it can input data, and subsequently attempts all the different input combinations. This is the Automated Scan Stage. If the AcuSensor Technology is enabled, a series of additional vulnerability checks are launched against the website. More information about AcuSensor is provided in the following section.

Screenshot: Scan Results

4. The vulnerabilities identified are shown in the Scan Results. Each vulnerability alert contains information about the vulnerability such as POST data used, affected item, HTTP response of the server and more.

5. If AcuSensor Technology is used, details such as source code line number, stack trace or affected SQL query which lead to the vulnerability are listed. Recommendations on how to fix the vulnerability are also shown.

6. Various reports can be generated on completed scans, including Executive Summary report, Developer report and various compliance reports such as PCI or ISO 270001.

Acunetix AcuSensor Technology

Acunetix's unique AcuSensor Technology allows you to identify more vulnerabilities than other Web Application Scanners, whilst generating less false positives. Acunetix AcuSensor indicates exactly where in your code the vulnerability is and reports additional debug information.

Screenshot: AcuSensor pinpoints vulnerabilities in code

The increased accuracy, available for PHP and .NET web applications, is achieved by combining black box scanning techniques with feedback from sensors placed inside the source code. Black box scanning does not know how the application reacts, and source code analyzers do not understand how the application will behave while it is being attacked. AcuSensor technology combines both techniques to achieve significantly better results than using source code analyzers and black box scanning independently. The AcuSensor sensors can be inserted in the .NET and PHP code transparently. The .NET source code is not required: the sensors can be injected in already compiled .NET applications! Thus there is no need to install a compiler or obtain the web application's source code, which is a big advantage when using a third party .NET application. In case of PHP web applications, the source is readily available. To date, Acunetix is the only Web Vulnerability Scanner to implement this technology.

Advantages of using AcuSensor Technology

- Ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query.
- Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query, etc.
- Significantly reduces false positives when scanning a website because it understands the behavior of the web application better.
- Alerts you to web application configuration problems which can result in a vulnerable application or expose sensitive information. E.g. if custom errors are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects more SQL injection vulnerabilities. Previously SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improved detection.
- Ability to detect SQL injection vulnerabilities in all SQL statements, including in SQL INSERT statements. Using a black box scanner such SQL injection vulnerabilities cannot be found. This significantly increases the ability for Acunetix Web Vulnerability Scanner to find vulnerabilities.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and scanned when using the AcuSensor Technology and you will be alerted.
- AcuSensor Technology is able to intercept all web application inputs and build a comprehensive list with all possible inputs in the website and test them.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URLs! Using the AcuSensor Technology the scanner is able to rewrite SEO URLs on the fly.
- Ability to test for arbitrary file creation and deletion vulnerabilities. E.g. through a vulnerable script a malicious user can create a file in the web application directory and execute it to have privileged access, or delete sensitive web application files.
- Ability to test for email injection. E.g. a malicious user may append additional information such as a list of recipients or additional information to the message body to a vulnerable web form, to spam a large number of recipients anonymously.

Network Vulnerability Scanning

As part of a website audit, Acunetix will execute a network security audit of the server hosting the website. This network security scan will identify any services running on the scanned server by running a port scan on the system. Acunetix will report the operating system and the software hosting the services detected. This process will also identify Trojans which might be lurking on the server. The network vulnerability scan assesses the security of popular protocols such as FTP, DNS, SMTP, IMAP, POP3, SSH, SNMP and Telnet. Apart from testing for weak or default passwords, Acunetix will also check for misconfiguration in the services detected which could lead to a security breach. Acunetix will also check that any other servers running on the machine are not using any deprecated protocols. All these lead to an insecure system, which would allow an intruder to damage your website and your reputation.

Acunetix Online Vulnerability Scanner (OVS) also integrates the popular OpenVAS network scanner to check for over 35,000 network vulnerabilities. During a network scan, Acunetix OVS makes use of various port probing and OS fingerprinting techniques to identify a vast number of devices, Operating Systems and server products. Numerous security checks are then launched against the products identified running on the scanned server, allowing you to detect all the vulnerabilities that exist on your perimeter servers.

Acunetix Web Vulnerability Scanner Overview

Acunetix Web Vulnerability Scanner allows you to secure your website quickly and efficiently. It consists of the following components:

Screenshot: Acunetix Web Vulnerability Scanner

Web Scanner

The Web Scanner launches an automatic security audit of a website. A website security scan typically consists of two phases:

1. Crawling: Making use of Acunetix DeepScan, Acunetix Web Vulnerability Scanner automatically analyzes and crawls the website in order to build the site's structure. The crawling process enumerates all files and is vital to ensure that all the files of your website are scanned.

2. Scanning: Acunetix Web Vulnerability Scanner launches a series of web vulnerability checks against each file in your web application, in effect emulating a hacker. The results of a scan are displayed in the Alert Node tree and include comprehensive details of all the vulnerabilities found within the website.

AcuSensor Technology Agent

Acunetix AcuSensor Technology is a unique technology that allows you to identify more vulnerabilities than a traditional black box web security scanner, and is designed to further reduce false positives. Additionally, it also indicates the code where the vulnerability was found. This increased accuracy is achieved by combining black box scanning techniques with dynamic code analysis whilst the source code is being executed. For Acunetix AcuSensor to work, an agent must be installed on your website to enable communication between Acunetix Web Vulnerability Scanner and AcuSensor. Acunetix AcuSensor can be used with both PHP and .NET web applications.

AcuMonitor Service

Some vulnerabilities can only be detected using an intermediate service. The Acunetix AcuMonitor service allows Acunetix Web Vulnerability Scanner to detect such vulnerabilities. Depending on the vulnerability, AcuMonitor can either report the vulnerability immediately during a scan, or send a notification email directly to the user if the vulnerability is identified after the scan has finished. More information on the AcuMonitor Service can be found at http://www.acunetix.com/websitesecurity/acumonitor/

Port Scanner

Screenshot: Port Scanning

The Port Scanner performs a port scan against the web server hosting the scanned website. Where open ports are found, Acunetix Web Vulnerability Scanner will perform network level security checks against the network service running on that port. These include DNS Open Recursion tests, badly configured proxy server tests, weak SNMP community strings, and many other network level security checks. You can also write your own network services security checks using the script engine. A scripting reference is available from: http://www.acunetix.com/blog/docs/creatingcustomchecksacunetixwebvulnerabilityscanner/

Target Finder

Screenshot: Target Finder

The Target Finder is a scanner that allows you to locate web servers (generally on ports 80, 443) within a given range of IP addresses. If a web server is found, the scanner will also display the response header of the server and the web server software. The port numbers to scan are configurable. More information about the Target Finder can be found here: http://www.acunetix.com/blog/docs/targetfinder/

Subdomain Scanner

Screenshot: Subdomain Scanner

Using various techniques, the Subdomain Scanner allows fast and easy identification of active subdomains of a top level domain. The Subdomain Scanner can be configured to use the target's DNS server or any other DNS server specified by the user. More information about the Subdomain Scanner can be found here: http://www.acunetix.com/blog/docs/subdomainscanner/

Blind SQL Injector

Screenshot: Blind SQL Injector

Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool with which you can make manual tests to further analyze SQL injections reported during a scan. The tool makes use of Blind SQL Injection techniques to enumerate databases and tables, dump data and also read specific files on the file system of the web server if an exploitable SQL injection is discovered. With the Blind SQL Injector tool you can also run manual tests to check for different variants of SQL injection. Using this tool, you can also run custom SQL Select queries against the database. More information about the Blind SQL Injector can be found here: http://www.acunetix.com/blog/docs/blindsqlinjectortool/

HTTP Editor

Screenshot: HTTP Editor

The HTTP Editor allows you to create, analyze, and edit client HTTP requests and server responses. It also contains an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 formats and many other formats. You can start the HTTP Editor from the Tools node within the Tools Explorer. The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers and data. More information about the HTTP Editor can be found here: http://www.acunetix.com/blog/docs/httpeditor/

HTTP Sniffer

Screenshot: HTTP Sniffer

The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to capture traffic before it is sent to the web server or back to the web client. This tool is useful to:

- Analyze how Session IDs are stored and how inputs are sent to the server.
- Alter any HTTP requests being sent back to the server before they get sent.
- Manual crawling: navigate through parts of the website which cannot be crawled automatically, and import the results into the scanner to include them in the automated scan.

For HTTP requests to pass through Acunetix Web Vulnerability Scanner, Acunetix Web Vulnerability Scanner must be configured as a proxy in your web browser.

HTTP Fuzzer

Screenshot: HTTP Fuzzer

The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application's handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner. An example would be the following URL: http://testphp.acunetix.com/listproducts.php?cat=1 Using the HTTP Fuzzer you can create a rule that would automatically replace the last part of the URL (1) with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries without having to perform them one by one. More information about the HTTP Fuzzer can be found here: http://www.acunetix.com/blog/docs/httpfuzzertool/

Authentication Tester

Screenshot: Authentication Tester

With the Authentication Tester you can perform a dictionary attack against login pages that use either HTTP (NTLMv1, NTLMv2, digest) or form based authentication. This tool uses two predefined text files (dictionaries) containing a list of common usernames and passwords. You can add your own combinations to these text files. More information about the Authentication Tester can be found here: http://www.acunetix.com/blog/docs/authenticationtester/

Web Services Scanner and Web Services Editor

Screenshot: Web Services Scanner

The Web Services Scanner allows you to launch automated vulnerability scans against WSDL based Web Services. Web Services are commonly used to exchange data, and generally vulnerabilities in Web Services can easily be exploited in order to leak sensitive information. The Web Services Editor allows you to import an online or local WSDL for custom editing and execution of various web service operations over different port types for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages to easily edit SOAP headers and customize your own manual attacks.

Acunetix Web Vulnerability Scanner SDK

Screenshot: Web Vulnerability Scanner Scripting tool

The Acunetix Web Vulnerability Scanner Scripting tool allows you to create new custom web vulnerability checks. These checks must be written in JavaScript and require installation of the Software Development Kit (SDK). You can read more about writing custom web security checks at the following URL: http://www.acunetix.com/blog/docs/creatingcustomvulnerabilitychecks/ You can download the scripting SDK from: http://www.acunetix.com/download/tools/Acunetix_SDK.zip

Reporter

The Reporter allows you to generate reports of scan results in a printable format. Various report templates are available, including summary, detailed reports and compliance reporting. The Consultant Version of Acunetix Web Vulnerability Scanner allows customization of the generated report.

Screenshot: Typical Report including Chart of alerts

New in Acunetix Web Vulnerability Scanner Version 9

- Introduction of Acunetix DeepScan, which makes use of the same rendering engine used in Google Chrome and Apple Safari to better identify the website's structure during a scan. Acunetix DeepScan provides a huge improvement in scanning of AJAX sites, JavaScript-based sites and Single Page Applications (SPA).
- Introduction of the Acunetix AcuMonitor service, which is used to identify specific vulnerabilities which require an intermediate server.
- Improved support in detecting and scanning smartphone/tablet friendly websites. When a mobile friendly site is scanned, the user is given the option to crawl and scan the site as a normal browser or as a smartphone browser.
- Full support for HTML5 websites.
- Detection of DOM based XSS vulnerabilities.
- Detection of Blind XSS vulnerabilities (using AcuMonitor).
- Detection of Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection and Host Header based vulnerabilities (using AcuMonitor).

New in Acunetix Web Vulnerability Scanner Version 9.5

- Detection of SQL Injection, XSS and other vulnerabilities in web applications implemented in Google Web Toolkit.
- Detection of vulnerabilities in JSON and XML data and HTTP HOST Headers.
- Alerts are now tagged with their CVE, CWE and CVSS.
- AcuSensor now supports .NET 4.5.
- Introduced support for CRUD (create, read, update and delete).
- New report for NIST 800-53 rev 4.

Acunetix Blog and Support Page

Acunetix publishes a number of web security and Acunetix how-to technical documents on the Acunetix Web Application Security Blog: http://www.acunetix.com/blog. You can also find a number of support related documents, such as FAQs, in the Acunetix Web Vulnerability Scanner support page: http://www.acunetix.com/support.

Licensing Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner is available in 5 editions: Small Business, Enterprise, Enterprise x10 instances, Consultant and Consultant x10 instances. Ordering and pricing information can be found here: http://www.acunetix.com/ordering/pricing.htm

Perpetual or Time Based Licenses

Acunetix Web Vulnerability Scanner Enterprise and Consultant editions are sold as a 1 year subscription or perpetual license. The 1 year subscription license expires after 1 year from the date of download or activation. The perpetual license does not expire. The Small Business version is available as a perpetual license only. If you purchase the perpetual license, you must buy a maintenance agreement to get free support and upgrades beyond the first month after purchase. The maintenance agreement entitles you to free version upgrades and support for the duration of the agreement. Support and version upgrades are included in the price of the one year license.

Enterprise Edition: Unlimited Sites/Servers

The Enterprise edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer to scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. Acunetix Enterprise edition will leave a trail in the log files of the scanned server, and scanning of third party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.

Consultant Edition

The Consultant edition license allows you to install one copy of Acunetix on one computer to scan an unlimited number of sites or servers including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct edition to use if you are a consultant who provides web security testing services or are a hosting provider or ISP. The Consultant edition also includes the capability of modifying the reports to include your own company logo. This edition does not leave any trail in the log files of the scanned server. Additional licenses are required for separate installs onto different workstations. This edition can also be upgraded to allow up to 10 simultaneous scans.

Limitations of the Trial

The trial of Acunetix Web Vulnerability Scanner downloadable from the Acunetix website is practically identical to the full version in functionality and features, but contains the following limitations:

- The Trial edition will expire after 15 days.
- When scanning your website, all the Web Alerts will be reported. However, you will not be able to drill down and find where the vulnerability is found in your website.
- Reports cannot be generated. Scan results will not be stored in the Reports database.
- Full scans (including detailed information on the vulnerabilities discovered) can be made against the following Acunetix test websites:
  http://testphp.vulnweb.com
  http://testasp.vulnweb.com
  http://testaspnet.vulnweb.com
  http://testhtml5.vulnweb.com
- The Scan Scheduler is not available.

If you decide to purchase Acunetix Web Vulnerability Scanner, you will need to uninstall the trial and install the purchased edition, which must be downloaded as a separate installer file. Download the installer file using the link provided by our sales team, and double click to begin the setup. You will be prompted to remove the trial and install the full edition. All settings from the previously installed version will be retained. Once the installation is complete, you will be prompted to enter the License key.

Installing Acunetix Web Vulnerability Scanner

Minimum System Requirements

- Operating system: Microsoft Windows XP and later
- CPU: 32 bit or 64 bit processor
- System memory: minimum of 2 GB RAM
- Storage: 200 MB of available hard disk space
- Microsoft Internet Explorer 7 (or later): some components of Internet Explorer are used by Acunetix
- Optional: Microsoft SQL Server for the reporting database. By default a Microsoft Access database is used (Microsoft Access is not required).

Installing Acunetix Web Vulnerability Scanner

1. Download the latest version of Acunetix Web Vulnerability Scanner from the download location provided when you purchased the license.
2. Double click the webvulnscan.exe file to launch the Acunetix Web Vulnerability Scanner installation wizard and click Next when prompted.
3. Review and accept the License Agreement.
4. Select the folder location where Acunetix Web Vulnerability Scanner will be installed.
5. The installation will prompt you to install a unique root certificate used for HTTPS traffic and to create a desktop shortcut.
6. Click Install to start the installation. Setup will now copy all files and install the Acunetix Web Vulnerability Scanner Scheduler service.
7. Click Finish when ready.

Registering with AcuMonitor Service

Screenshot: AcuMonitor Registration

When you start Acunetix Web Vulnerability Scanner the first time, you will be asked to register with the AcuMonitor Service. The AcuMonitor Service is used to automatically detect certain vulnerabilities which can only be detected using an intermediate server, such as Blind XSS, Server Side Request Forgery (SSRF) and Email Header Injection.

You can register to the AcuMonitor service using your email address and your license key. Registration can also be done at a later stage from Acunetix Web Vulnerability Scanner > Configuration > Application Settings > AcuMonitor. More information on the AcuMonitor Service can be found at http://www.acunetix.com/vulnerabilityscanner/acumonitorblindxssdetection/.

Installing AcuSensor in your web application

If you need to scan a .NET or PHP web application, you should install Acunetix AcuSensor on your web application in order to improve the detection of vulnerabilities, get the line in the source code where vulnerabilities are located and to decrease false positives.

Upgrading Acunetix Web Vulnerability Scanner

It is recommended that you backup your settings before proceeding with the upgrade as per http://www.acunetix.com/blog/docs/backupacunetixsettingscustomizations/. To upgrade a previous version of Acunetix Web Vulnerability Scanner to the latest version:

1. Close all instances of Acunetix Web Vulnerability Scanner (and related utilities such as the Reporter).
2. Optionally backup the Login Sequences if you would like to use these in the newer version. Depending on the version, these can be copied from ... for version 7 or older, or from ... for newer versions.
3. Optionally backup the Reporting Database if you would like to use it in the newer version. If you are using an Access Database, the default location of the database is ...
4. From the Acunetix Web Vulnerability Scanner Program Group, select to uninstall the product.
5. Install the newer version of Acunetix Web Vulnerability Scanner.
6. To restore the Login Sequences, copy the files backed up in (2) to ...
7. If upgrading from version 7, the Reporting database needs to be updated before it can be used in a newer version. This can be done using the Reporting Database Upgrade tool which can be downloaded from http://www.acunetix.com/download/tools/ConvertWVSDatabase.zip. Proceed as follows:

   - If you are using an SQL database, select MS SQL Server, and specify the Server, credentials and Database which needs to be upgraded and click on the Convert button. Then configure the new version of Acunetix Web Vulnerability Scanner to use the upgraded database.

   Screenshot: Upgrade Reporting Database

   - If you are using an Access database, select MS Access, select the database backed up in (3), and click on the Convert button. Once ready, copy the upgraded database to ...

Installing AcuSensor

Acunetix AcuSensor increases the efficiency of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET and PHP web applications.

Installing the AcuSensor Agent

NOTE: Installing the AcuSensor Agent is optional. Acunetix Web Vulnerability Scanner is still best in class as a black box scanner, but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET and PHP web applications.

The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating less false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information. Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.

Generating the AcuSensor files

First you will need to generate your unique AcuSensor files. Proceed as follows:

1. If using Acunetix WVS, open Acunetix WVS and navigate to the Configuration > Application Settings node. Click on the AcuSensor Deployment node.

Screenshot: AcuSensor Deployment settings node

2. If using Acunetix Online Vulnerability Scanner, you can generate the AcuSensor files from the Scan Targets configuration. From Acunetix OVS, change to Scan Targets > List Scan Targets > Click on the Scan Target's name. Skip to step 6.
3. Enter a password or click on the padlock icon to randomly generate a password unique to the AcuSensor file.
4. Select 'Also set password in currently selected settings template' to store the password specified in the scan settings template.
5. Specify the path where you want the AcuSensor files to be generated.
6. Select whether to generate files for a PHP website or a .NET website.
7. Click on Generate AcuSensor Installation Files to generate the files.
8. Depending on whether you are using an ASP.NET or a PHP website, use one of the following procedures to install the AcuSensor files.

Installing the AcuSensor agent for ASP .NET Websites

The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.

1. Install prerequisites on the server hosting the website: the AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.

Screenshot: Enable IIS 6 Metabase Compatibility on Windows 2008

On Windows 2008, you must also install IIS 6 Metabase Compatibility from Control Panel > Turn Windows features On or Off > Roles > Web Server (IIS) > Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility to enable listing of all .NET applications running on the server.

2. Copy the AcuSensor installation files to the server hosting the .NET website.

Screenshot: Acunetix .NET AcuSensor Agent installation

3. Double click Setup.exe to install the Acunetix .NET AcuSensor agent and specify the installation path. The application will start automatically once the installation is ready. If the application is not set to start automatically, click on Acunetix .NET AcuSensor Technology Injector from the program group menu.

Screenshot: Acunetix .NET AcuSensor Technology Agent

4. On startup, the Acunetix .NET AcuSensor Technology Installer will retrieve a list of .NET applications installed on your server. Select which applications you would like to inject with AcuSensor Technology and select the Framework version from the drop down menu. Click on Inject Selected to inject the AcuSensor Technology code in the selected .NET applications. Once files are injected, close the confirmation window and also the AcuSensor Technology Injector.

Note: The AcuSensor installer will try to automatically detect the .NET framework version used to develop the web application, so you do not have to manually specify which framework version was used from the Target Runtime drop down menu.

Installing the AcuSensor agent for PHP websites

This section describes how to install AcuSensor in a PHP web application.

1. Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.

2. There are 2 methods to install the AcuSensor agent: one method can be used for Apache servers, and the other method can be used for both IIS and Apache servers.

Method 1: Apache .htaccess file

Create a .htaccess file in the website directory and add the following directive:

    php_value auto_prepend_file [path to acu_phpaspect.php file]

Note: For Windows use C:\sensor\acu_phpaspect.php and for Linux use /Sensor/acu_phpaspect.php path declaration formats. If Apache does not execute .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.

Method 2: IIS and Apache php.ini

1. Locate the file php.ini on the server by using the phpinfo() function.
2. Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file:

    auto_prepend_file=[path to acu_phpaspect.php file]

3. Save all changes and restart the web server for the above changes to take effect.

Testing your AcuSensor Agent

To test if the AcuSensor agent is working properly on the target website, do the following:

1. In the Tools Explorer, navigate to the Configuration > Scan Settings node and select the AcuSensor node.

2. Enter the password of the AcuSensor agent file which was copied to the target website.

3. Click Test AcuSensor installation on a Specific URL. A dialog will prompt you to submit the URL of the target website where the AcuSensor Agent file is installed. Enter the desired URL and click OK.

Changing the AcuSensor Password

If you need to change the password used by the AcuSensor agent on your website, you will need to regenerate the AcuSensor files and reinstall them on your website. Perform the following if you are using a .NET website:

1. Use the procedure in the next section to Disable and Uninstall the AcuSensor agent.

2. Configure a new password.

This step can be omitted if you are using Acunetix Online Vulnerability Scanner, since a new unique and secure password is automatically generated each time the AcuSensor files are generated. The unique password is stored with the Scan Targets settings.

3. Click on Generate AcuSensor installation files.

4. Proceed with installing the new AcuSensor files. If you are using a PHP web application, you will just need to overwrite the old acu_phpaspect.php with the new acu_phpaspect.php file.

Disabling and uninstalling AcuSensor

To uninstall and disable the sensor from your website:

AcuSensor for ASP .NET websites

1. Browse to the installation directory where the AcuSensor Agent was installed.

2. Open AcuSensorInjector.exe.

Screenshot: Select website and click Uninject Selected

3. Select the website where the AcuSensor agent is installed and click on Uninject to remove the AcuSensor Agent from the site.

4. Close AcuSensorInjector.exe.

5. From the same directory, double-click uninstall.exe to uninstall the AcuSensor Agent files.

Note: If you uninstall the Acunetix .NET AcuSensor Technology Injector without uninjecting the .NET application, then the AcuSensor code will not be removed from your .NET application.

AcuSensor for PHP

1. If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive php_value auto_prepend_file [path to acu_phpaspect.php file] from .htaccess.

2. If method 2 was used to install the PHP AcuSensor, delete the directive auto_prepend_file=[path to acu_phpaspect.php file] from php.ini.

3. Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.

Note: Although the Acunetix AcuSensor agent requires authentication, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
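The following Python script is an added example, not part of the Acunetix manual or the AcuSensor agent: it checks a php.ini or .htaccess fragment for the auto_prepend_file directive described in Methods 1 and 2, reports when the sensor file sits inside the web root, and strips the directive again for the uninstall step above. The configuration fragments and the document root path it uses are constructed for the example.

```python
"""Check for, and remove, the AcuSensor auto_prepend_file directive in php.ini or .htaccess."""
import re
from pathlib import PurePosixPath

# Matches both documented forms:
#   php.ini  : auto_prepend_file = /Sensor/acu_phpaspect.php
#   .htaccess: php_value auto_prepend_file /Sensor/acu_phpaspect.php
DIRECTIVE_RE = re.compile(
    r"^\s*(?:php_value\s+)?auto_prepend_file\s*=?\s*(?P<path>\S+)\s*$", re.IGNORECASE)


def _is_comment(line):
    return line.lstrip().startswith((";", "#"))   # ';' in php.ini, '#' in .htaccess


def find_prepend(config_text):
    """Return the configured auto_prepend_file path, or None if it is absent or commented out."""
    for line in config_text.splitlines():
        if _is_comment(line):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            return m.group("path").strip("\"'")
    return None


def sensor_inside_docroot(sensor_path, docroot):
    """True when the sensor file lies under the document root. The file only needs to be
    readable by the web server process, so keeping it outside the web root is preferable.
    Paths are compared textually after normalising backslashes (no case folding)."""
    sensor = PurePosixPath(sensor_path.replace("\\", "/"))
    root = PurePosixPath(docroot.replace("\\", "/"))
    try:
        sensor.relative_to(root)
        return True
    except ValueError:
        return False


def remove_prepend(config_text):
    """Uninstall step: drop every active auto_prepend_file directive, keep everything else."""
    kept = [line for line in config_text.splitlines()
            if _is_comment(line) or not DIRECTIVE_RE.match(line)]
    return "\n".join(kept) + ("\n" if config_text.endswith("\n") else "")


def audit(config_text, docroot):
    """Summarise one configuration file: installed?, which path, inside the web root?"""
    path = find_prepend(config_text)
    return {"installed": path is not None, "path": path,
            "in_docroot": bool(path) and sensor_inside_docroot(path, docroot)}


# Constructed sample fragments for the two installation methods.
SAMPLE_PHP_INI = ("; constructed php.ini fragment\n"
                  "memory_limit = 128M\n"
                  "auto_prepend_file = /Sensor/acu_phpaspect.php\n")
SAMPLE_HTACCESS = ("# constructed .htaccess\n"
                   "php_value auto_prepend_file /var/www/html/acu_phpaspect.php\n")
```

Run audit() against the real file on the server (or against the output of phpinfo() pasted into a string) before testing the agent from the scanner; a sensor file reported as in_docroot is worth moving, since the manual only requires that the web server can read it.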

Scanning a Website

NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION! The web server logs will show your IP address and all the attacks made by Acunetix Web Vulnerability Scanner. If you are not the sole administrator of the website, please make sure to warn the other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website. To scan a website, you first need to perform the following steps:

Step 1: Select Target(s) to Scan

1. Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left of the Acunetix Web Vulnerability Scanner menu bar.

Screenshot: Scan Wizard: Select Scan Type

2. Specify the scan options:

a. Scan single website: Enter the URL of the target website, e.g. http://testphp.vulnweb.com.

b. Scan using saved crawling results: If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.

3. Click Next to continue.

Note: The Acunetix Web Vulnerability Scanner Scheduler can be used to scan websites at a specific time and to configure recurring scans.

Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options

Screenshot: Scanning Profile and Scan Settings template

Scanning Profile

The Scanning Profile determines which tests are launched against the target website. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection; no additional tests will be performed. The Default scanning profile tests your website for all known web vulnerabilities. Refer to the Scanning Profiles section for more information on how to customize or create scanning profiles.

Scan Settings template

The Scan Settings template determines which Crawler and Scanner settings are used during a scan. Refer to the Scan Settings templates section for more information on how to customize or create new Scan Settings templates.

Save scan Results

If you want to automatically save the scan results to the reporting database, enable the Save scan results to the database for report generation option.

Crawling Options

Tick the option After crawling let me choose which files to scan if you would like to select/deselect files from the automated website security scan, instead of scanning the whole website. Tick the option Define list of URLs to be processed by crawler at start if you would like a specific URL to be crawled before any other (not available if using saved crawling results).

Step 3: Confirm Targets and Technologies Detected

Screenshot: Scan Wizard: Selecting Targets and Technologies

Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server and its web server technologies. The web vulnerability scanner reduces the scan time by scanning only for the selected web technologies; e.g. Acunetix Web Vulnerability Scanner will not launch IIS security checks against a Linux system running an Apache web server. Click on the relevant field and change the settings from the provided checkboxes if you would like to add or remove scans for specific technologies.

Note: If a specific web technology is not listed under Optimize for the following technologies, it does not mean that it is unsupported by Web Vulnerability Scanner, only that there are no vulnerability tests exclusive to that technology.

Step 4: Configure Login for Password Protected Areas

Two types of login mechanisms are commonly used on the web:

HTTP Authentication: This type of authentication is handled by the web server, where the user is prompted with a password dialog. Scanning an HTTP password protected area requires that you either enter the credentials during the crawling of your web application, or have the credentials pre-configured in Acunetix. This is covered in more detail here.

Forms Authentication: This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script. Scanning websites using forms-based authentication is done using the Login Sequence Recorder and is covered in more detail here.

Step 5: Finalize Scan Options

Screenshot: Finalize Scan Options

Before the scan is started, the Scan Wizard will report issues which might hinder the scan. The following is a list of actions which you might be presented with:

If an error is encountered while connecting to the target server, the error will be shown.

If Acunetix Web Vulnerability Scanner is unable to automatically detect a custom 404 error page pattern, you will have to configure a custom 404 error page rule by clicking the Customize button. Read more about configuring Acunetix to handle Custom 404 error pages.

If the target server is using CASE insensitive URLs, you must force case insensitive crawling. This can be done from Configuration > Scan Settings > Crawling Options > Ignore CASE differences in paths.

If AcuSensor Technology is enabled and the target server is running PHP or .NET, you will get an error if the AcuSensor agent is not detected. Click the Customize button to install AcuSensor on the target web application.

If additional hosts have been found to be linked to from the website being scanned, you can optionally select to scan these too. You will require permission to scan the selected hosts as well.

If a smartphone-friendly version of the website is detected, you will be given the option to crawl and scan the site as a normal browser or as a mobile browser.

If you have made changes to the Scan Settings template, you will be asked if you want to save the modifications to the existing template or to a new one.

Step 6: Start the scan

Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, the scanning profile selected, and the server's response time, a scan may take several hours.
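As an added example (not the scanner's own detection logic, which the manual does not describe), the Python below shows the kind of check behind the custom 404 warning in Step 5: several random, non-existent paths are requested, and the responses are classified as a real 404, a custom (soft) 404 page with a consistent marker, or too inconsistent to derive a rule automatically. The HTTP responses are constructed inline; fetching them is left to whatever HTTP client you use.

```python
"""Decide whether a target needs a custom 404 rule: probe random non-existent paths and
classify the answers. Added example; it is not the scanner's published algorithm."""
import secrets
from difflib import SequenceMatcher


def probe_paths(n=3):
    """Random paths that should not exist on the target, e.g. /3f9a1c0b7e2d."""
    return [f"/{secrets.token_hex(6)}" for _ in range(n)]


def similarity(a, b):
    """0.0 .. 1.0 ratio of how alike two response bodies are."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def classify_not_found(responses, threshold=0.8):
    """responses: list of (status_code, body) collected for the probe paths.
    'hard-404'   every probe answered HTTP 404, so status codes are trustworthy
    'custom-404' non-404 status but near-identical bodies, i.e. a soft 404 page
    'unclear'    bodies diverge; a 404 rule has to be written by hand"""
    if len(responses) < 2:
        raise ValueError("need at least two probes to compare")
    if all(status == 404 for status, _ in responses):
        return "hard-404"
    bodies = [body for _, body in responses]
    scores = [similarity(bodies[i], bodies[j])
              for i in range(len(bodies)) for j in range(i + 1, len(bodies))]
    return "custom-404" if min(scores) >= threshold else "unclear"


def shared_marker(bodies, min_len=20):
    """Longest substring common to all bodies: the text a custom 404 rule can match on.
    Returns None when the common part is too short to be a reliable marker."""
    marker = bodies[0]
    for other in bodies[1:]:
        sm = SequenceMatcher(None, marker, other, autojunk=False)
        m = sm.find_longest_match(0, len(marker), 0, len(other))
        marker = marker[m.a:m.a + m.size]
        if len(marker) < min_len:
            return None
    return marker


# Constructed responses: a site that answers every unknown path with HTTP 200 and the same page.
SOFT_404 = [
    (200, "<html><title>Oops</title><body><h1>Page not found</h1><p>No page at /a9f3kq</p></body></html>"),
    (200, "<html><title>Oops</title><body><h1>Page not found</h1><p>No page at /zz71mm</p></body></html>"),
    (200, "<html><title>Oops</title><body><h1>Page not found</h1><p>No page at /qwe123</p></body></html>"),
]
# A server with a real 404 status, and one whose unknown paths land on unrelated content.
HARD_404 = [(404, "Not Found"), (404, "Not Found")]
INCONSISTENT = [(200, "<html>Welcome home</html>"),
                (200, "<html>Completely different product listing page</html>")]
```

When the result is custom-404, the text returned by shared_marker() is what you would put into the custom 404 rule; when it is unclear, the scanner's warning is justified and the pattern has to be chosen by hand.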

Analyzing the Scan Results

The vulnerabilities discovered during the scan of a website are displayed in real time in the Alerts node of the Scan Results window. A Site Structure node is also shown listing the files and folders discovered.

Screenshot: Scan Results showing Alerts Summary

Web Alerts

The Web Alerts node displays all vulnerabilities found on the target website. Web Alerts are categorized according to 4 severity levels:

High Risk Alert Level 3: Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.

Medium Risk Alert Level 2: Vulnerabilities caused by server misconfiguration and site coding flaws, which facilitate server disruption and intrusion.

Low Risk Alert Level 1: Vulnerabilities derived from lack of encryption of data traffic, or directory path disclosures.

Informational Alert: These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or a match for a search string found in the Google Hacking Database.

More information about the vulnerability is shown when you click on an alert category node:

Vulnerability description: A description of the discovered vulnerability. The AcuSensor logo is displayed in the Vulnerability Description for the vulnerabilities that are detected using the AcuSensor Technology.

Affected items: The list of files vulnerable to the discovered vulnerability.

The impact of this vulnerability: Level of impact on the website or web server if this vulnerability is exploited.

Attack details: Details about the parameters and variables used to test for this vulnerability. E.g. for a Cross Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server (including the HTML response). The attack can be inspected and relaunched manually by clicking Launch the attack with HTTP Editor. For more information, please refer to http://www.acunetix.com/blog/docs/httpeditor/.

How to fix this vulnerability: Guidance on how to fix the vulnerability.

Detailed information: More information about the reported vulnerability.

Web references: A list of web links providing more information on the vulnerability to help you understand and fix it.

Marking an Alert as a False Positive

If you are certain that the vulnerability discovered is a false positive, you can flag the alert as a False Positive to avoid it being reported in subsequent scans of the same website. To do this, click on the Mark alert as false positive link or right-click on the alert and select the menu option. You can remove an alert from the false positives list by navigating to the Configuration > Application Settings node in the Tools Explorer and selecting the False Positives node.

Network Alerts

Screenshot: Network, Port Scanner and Knowledge base nodes

The Network Alerts node displays network level vulnerabilities discovered in scanned network services, such as DNS, FTP, SMTP and SSH servers. Network alerts are categorized into 4 severity levels (similar to web alerts). The number of vulnerabilities detected is displayed in brackets () next to the alert categories. Click an alert category node to view more information (similar to web alerts).

Note: You can disable network security checks by unticking the Enable Port Scanning option in the Scan Wizard. Network Security Checks are only performed on open ports detected during the scan, thus disabling port scanning will effectively disable all the network security checks.

Port Scanner

The Port Scanner node displays all the discovered open ports on the server. Network service banners can be viewed by clicking on an open port.

Note: Port Scanning of the target server can be enabled or disabled from Acunetix WVS > Configuration > Scan Settings > Scanning Options > Enable Port Scanning.

Knowledge Base

The Knowledge Base node is a high level report that displays:

List of open TCP ports found on the server, including the port banner.

List of Network Services running on the web server and their response.

List of files with inputs found on the website. The number of inputs per file is also shown.

List of links to external hosts found on the website. E.g. testphp.vulnweb.com contains a link to www.acunetix.com.

List of Client and Server HTTP error responses together with the HTTP requests that generated them. An example would be the response code Server Internal Error HTTP 500. Check the response for information exposure.

Site Structure

The Site Structure node displays the layout of the target website including all files and directories discovered during the crawling process.

Screenshot: Site Structure

In the Crawler results (Site Structure node), color codes are used to show different file statuses. The filename color coding is as follows:

Green: These files will be tested with AcuSensor Technology, resulting in more advanced security checks and fewer false positive alerts. From the AcuSensor data tab, the user can see what data related to these files is being returned by the AcuSensor. Such information is useful to know what SQL queries were executed or whether the selected file is using functions which are monitored by AcuSensor.

Blue: File was detected during a vulnerability test and not by the crawler. Most probably such files are not linked from anywhere on the target website.

Black: Files discovered by the crawler.

For every discovered item, more detailed information is available in the information pane on the right hand side:

Info: Generic information such as file name, page title, path, length, URL etc.

Referrers: The files or pages that linked to the tested file.

HTTP Headers: The HTTP headers of the request sent to the web server to retrieve the selected file, and the HTTP response headers received.

Inputs: Possible input parameters and values for the file.

View Source: The source HTML of the page.

View Page: The page is displayed as it is shown in a web browser. Most client-side scripts are disabled in this tab for security purposes, to avoid launching vulnerabilities against the computer on which Acunetix Web Vulnerability Scanner is running.

AcuSensor Data: Any AcuSensor Technology data returned.

Alerts: A list of alerts for the selected file.

In addition, each item contains the HTML Structure Analysis, which includes:

A list of links discovered in the file.

Comments discovered in the selected page. The information contained in the comments cannot be automatically analyzed but may reveal interesting information about the construction and coding of the website.

Any client-side scripts (JavaScript, VBScript etc.) and their source code discovered in the selected page. The client web browser will execute these scripts. This might reveal information about the logic of the web application.

Any forms discovered in the selected object are shown in the top window. A list of parameters and their possible values are shown in the middle and bottom window.

A list of META tags discovered in the selected object. META tags contain information about the website, e.g. the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, such META tags control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP headers automatically or by a preprocessing tool.
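The Python parser below is an added example and not part of the manual or of Acunetix; it extracts from one page the items the Site Structure pane and the Knowledge Base list: links and the external hosts they point to, HTML comments, client-side scripts, forms with their inputs (the per-file input count), and META tags, flagging the http-equiv ones that act as HTTP headers. The page it analyses is a constructed sample; its hostname, comment text and script content are made up for the example.

```python
"""Extract from one HTML page what the Site Structure pane and Knowledge Base list:
links, comments, client-side scripts, forms with their inputs, and META tags."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageAnalysis(HTMLParser):
    """Collects the HTML Structure Analysis items while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.links, self.comments, self.scripts, self.forms, self.meta = [], [], [], [], []
        self._in_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            self._in_script = True
            self.scripts.append({"src": a.get("src"), "inline": ""})
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["inputs"].append({"name": a.get("name"),
                                         "type": a.get("type") or ("text" if tag == "input" else tag),
                                         "value": a.get("value", "")})
        elif tag == "meta":
            self.meta.append({"http_equiv": a.get("http-equiv"), "name": a.get("name"),
                              "content": a.get("content", "")})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_script and self.scripts:      # script bodies arrive as raw text
            self.scripts[-1]["inline"] += data

    def handle_comment(self, data):
        self.comments.append(data.strip())


def analyse(html, page_host):
    """Return the per-page summary; page_host tells internal and external links apart."""
    p = PageAnalysis()
    p.feed(html)
    p.close()
    hosts = {urlparse(link).hostname for link in p.links} - {None, page_host}
    return {
        "links": p.links,
        "external_hosts": sorted(hosts),
        "comments": p.comments,
        "scripts": p.scripts,
        "forms": p.forms,
        # the Knowledge Base's "inputs per file": only named fields reach the server
        "named_inputs": sum(1 for f in p.forms for i in f["inputs"] if i["name"]),
        "http_equiv": [m for m in p.meta if m["http_equiv"]],
        "meta": p.meta,
    }


# Constructed sample page (hostname, comment and script content are invented).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta http-equiv="X-Frame-Options" content="DENY">
<meta name="description" content="constructed test page">
<!-- TODO: remove debug endpoint /admin/debug.php before release -->
<script src="/js/app.js"></script>
<script>var apiKey = "constructed-not-a-real-key";</script>
</head><body>
<a href="/products.php?cat=1">Products</a>
<a href="http://www.acunetix.com/">Vendor</a>
<form action="/login.php" method="post">
  <input type="text" name="user" value="">
  <input type="password" name="pass">
  <input type="hidden" name="token" value="abc">
  <input type="submit" value="Login">
</form>
</body></html>
"""
```

The comment and the inline script in the sample are exactly the kind of items the manual says cannot be analysed automatically but deserve a human look; the hidden token field shows why input enumeration must include hidden fields and not just visible ones.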

Grouping of Vulnerabilities

Screenshot: Grouping of vulnerabilities

If the same type of vulnerability is detected on multiple pages, the scanner will group them under one alert node. Expanding the alert node will reveal all the vulnerable pages. Expand further to view the vulnerable parameters for the selected page.

Saving / Loading Scan Results

When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session, including alert information and site structure.

To save the scan results, click the File menu and select Save Scan Results.

To load the scan results, click the File menu and select Load Scan Results.

Scanning Web Services

Web Services, like any other internet-dependent systems, present new exploit possibilities and increase the need for security audits. The Web Services Scanner performs automated vulnerability scans for Web Services and generates a detailed security report of the results.

Screenshot 66: Web Services Scanner

Starting a Web Service Scan

1. From the Tools Explorer select Web Services Scanner and click the New Scan button in the toolbar to launch the Web Service Scan Wizard. Specify the URL of an online or local WSDL and choose a scanning profile. Click Next to proceed.

2. In the Selection step, select the Web Services, Ports and Operations that must be scanned. The number of inputs accepted by each operation and the URL of the ports will be displayed in the Details section.

3. Enter specific input values (optional) for the scanner to use for the Web Service Operations in the Default Values step.

4. Proceed to the scan summary, review it and click Finish to launch the scan.

Web Services Editor

Screenshot 67: Web Services Editor

The Web Services Editor allows importing an online or local WSDL for custom editing and execution of various web service operations, for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages, making it easy to edit SOAP headers and customize manual attacks. Editing and sending of Web Services SOAP messages is very similar to editing normal requests sent via the HTTP Editor.

Importing WSDL and Sending Request

1. Click on the Web Services Editor node in the Tools Explorer and enter the URL of the WSDL, or locate the local directory where the local WSDL file is stored. Click Import to import all WSDL information.

2. From the drop-down menus in the toolbar, select the Service, Port and Operation that must be tested.

3. Specify a value for the operation and click Send to pass the SOAP request to the web service. The web server response can then be viewed in a structured or XML view type in the lower window pane.

Response Tab: Displays the response sent back from the web service in raw XML format.

Structured Data Tab: Presents the XML data received from the web service response using a hierarchy of nodes that show the value for each element.

WSDL Structure Tab: Presents a detailed view of the web service data as provided by the WSDL structure. The WSDL information is structured in the form of nodes and sub-nodes, and the main nodes of the tree structure are XML Schema and Services. The XML Schema node lists all the Complex Types and the Elements of the web service. The Services node lists all the web service ports and their respective operations, together with the resource details of the source of the SOAP data. A more detailed WSDL structure can also be shown by ticking Show detailed WSDL structure at the bottom of the screen. This will provide extensive information for each sub-node of the Services node structure, such as input messages and parameters.

WSDL Tab: This tab shows the actual WSDL data in the form of XML tags. Using the toolbar provided at the bottom of the screen you can search for certain keywords or elements in the source code and also change the syntax highlighting if needed.

HTTP Editor Export

In the Web Services Editor you can export a SOAP request to the HTTP Editor by clicking on the HTTP Editor button in the Web Services Editor toolbar. The HTTP Editor tool will automatically import the data so the request can be customized and sent as an HTTP POST request.
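The following Python is an added example, not Acunetix code: it walks a WSDL 1.1 document the way the Selection step and the WSDL Structure tab present it (services, ports and their addresses, operations, and the input parameters of each operation resolved through the XML Schema) and builds the SOAP 1.1 request envelope for one operation, the message the editor sends or exports to the HTTP Editor. The WSDL, its namespace http://example.test/catalog and the endpoint URL are constructed for the example; it handles the document/literal wrapped style only.

```python
"""Walk a WSDL 1.1 document (services -> ports -> operations -> input parameters)
and build a SOAP 1.1 request envelope for one operation."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
      "xs": "http://www.w3.org/2001/XMLSchema"}

# Constructed sample WSDL: one service, one SOAP port, two document/literal operations.
SAMPLE_WSDL = """<definitions name="Catalog" targetNamespace="http://example.test/catalog"
  xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.test/catalog">
  <types><xs:schema targetNamespace="http://example.test/catalog" elementFormDefault="qualified">
    <xs:element name="GetItem"><xs:complexType><xs:sequence>
      <xs:element name="itemId" type="xs:int"/><xs:element name="locale" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="GetItemResponse"><xs:complexType><xs:sequence>
      <xs:element name="name" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="Search"><xs:complexType><xs:sequence>
      <xs:element name="query" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="SearchResponse"><xs:complexType/></xs:element>
  </xs:schema></types>
  <message name="GetItemIn"><part name="parameters" element="tns:GetItem"/></message>
  <message name="GetItemOut"><part name="parameters" element="tns:GetItemResponse"/></message>
  <message name="SearchIn"><part name="parameters" element="tns:Search"/></message>
  <message name="SearchOut"><part name="parameters" element="tns:SearchResponse"/></message>
  <portType name="CatalogPortType">
    <operation name="GetItem"><input message="tns:GetItemIn"/><output message="tns:GetItemOut"/></operation>
    <operation name="Search"><input message="tns:SearchIn"/><output message="tns:SearchOut"/></operation>
  </portType>
  <binding name="CatalogSoapBinding" type="tns:CatalogPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="CatalogService">
    <port name="CatalogSoap" binding="tns:CatalogSoapBinding">
      <soap:address location="http://example.test/catalog.asmx"/>
    </port>
  </service>
</definitions>"""


def _local(qname):
    """Strip the prefix from a QName attribute value (tns:GetItem -> GetItem)."""
    return qname.split(":", 1)[-1]


def parse_wsdl(text):
    """Return {"targetNamespace": ns, "services": {service: {port: {"location", "operations"}}}}
    where operations maps each operation name to the list of its input parameter names."""
    root = ET.fromstring(text)
    # schema element -> names of the child elements of its sequence (wrapped parameters)
    params = {el.get("name"): [e.get("name") for e in el.findall("xs:complexType/xs:sequence/xs:element", NS)]
              for el in root.findall("wsdl:types/xs:schema/xs:element", NS)}
    messages = {m.get("name"): [_local(p.get("element") or p.get("type")) for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    port_types = {}
    for pt in root.findall("wsdl:portType", NS):
        ops = {}
        for op in pt.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            ops[op.get("name")] = _local(inp.get("message")) if inp is not None else None
        port_types[pt.get("name")] = ops
    bindings = {b.get("name"): _local(b.get("type")) for b in root.findall("wsdl:binding", NS)}
    services = {}
    for svc in root.findall("wsdl:service", NS):
        ports = {}
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            operations = {}
            for op_name, msg_name in port_types[bindings[_local(port.get("binding"))]].items():
                names = []
                for part in messages.get(msg_name, []):
                    names.extend(params.get(part, [part]))   # unwrapped part: keep its own name
                operations[op_name] = names
            ports[port.get("name")] = {"location": addr.get("location") if addr is not None else None,
                                       "operations": operations}
        services[svc.get("name")] = ports
    return {"targetNamespace": root.get("targetNamespace"), "services": services}


def soap_envelope(target_ns, operation, values, raw=False):
    """SOAP 1.1 document/literal request for `operation`. Values are XML-escaped unless
    raw=True, which a tester uses to place a payload in the body verbatim."""
    enc = (lambda v: v) if raw else escape
    body = "".join(f"<{name}>{enc(str(value))}</{name}>" for name, value in values.items())
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<{operation} xmlns="{target_ns}">{body}</{operation}>'
            "</soap:Body></soap:Envelope>")
```

The parameter list per operation is the "number of inputs accepted by each operation" the Selection step shows; each of those names is an injection point when the operation is scanned. Send the envelope with a POST to the port's location, Content-Type text/xml and, if the binding declares one, the matching SOAPAction header.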

Generating Reports

Screenshot: The Reporter Application

The Acunetix Web Vulnerability Scanner Reporter is a standalone application that allows you to generate reports for the security scans performed using Acunetix Web Vulnerability Scanner. The Reporter can be launched after completing a scan, or from the Acunetix Web Vulnerability Scanner program group, and can be used to generate various types of reports including developer reports, executive reports, compliance standard reports or a report that compares the results of two scans.

Generating a Report from the Scan Results

There are two ways to generate a report. After scanning a site, click on the Report button on the Acunetix toolbar. This will start the Acunetix Web Vulnerability Scanner Reporter and will load the Default Report for the scan. The Default Report used can be selected from the Reporter Settings.

Screenshot: Sample Report

The second method is to load the Acunetix Web Vulnerability Scanner Reporter from the Acunetix Web Vulnerability Scanner Program Group. This will allow you to report on the scans that have been saved to the Reports database.

1. From the Reports list, select the type of report and click on Report Wizard.

2. In the case of a Compliance Report, select the Regulatory body or Standard to be used in the report. Click Next.

Screenshot: Select Compliance Report

3. You can then select to show the results of all the scans stored in the reports database or to filter the scans that are displayed based on specific scan criteria. Click Next.

Screenshot: Filter Scans

4. Select the scan that you would like to report on.

Screenshot: Select Scan

5. Select what properties and details the report should include. The Report Properties will vary depending on the type of report that you are generating.

Screenshot: Select Report Properties

6. Click the Generate button to generate the report.

7. Once the report is generated, it can be printed or exported in various formats including PDF, Word and HTML.

Reporter Settings

The Reporter settings allow you to configure the layout and style of the generated reports. To access the report settings navigate to the Configuration > Settings node in the Reporter Tools Explorer. From the Report Options node, you can customize the layout, titles, and images in the headers of the report.

Screenshot: Reporter Options

General Settings: Configure the default report template for generating a report.

Report Options: Select custom icons, logos, headers and footers to customize the report.

From the Page Settings node you can configure the default page size, orientation and margins of your reports. These settings will apply to all reports.

Saving Reports

Once you have generated your report, you can use the toolbar at the top to save the report in PRE (prepared reports) format, which will allow you to review the report later. You can also export the report to PDF, HTML, Text, Word Document and BMP, or print the report.

Changing the Reporter Database

Acunetix Web Vulnerability Scanner stores the scan results in a backend database. By default, Microsoft Access is used. You might want to switch to using Microsoft SQL Server. This is recommended when scanning a lot of sites or larger sites. This can be done as follows:

1. Navigate to the Configuration > Application Settings > Database node in the Acunetix Web Vulnerability Scanner interface. Select MS SQL Server from the Database Type drop-down menu.

2. Enter the Server IP or FQDN in the Server text box and the credentials to connect to the server in the Username and Password text boxes. Only SQL Authentication is supported.

3. Specify a database name in the Database text box. If the database does not exist it will be automatically created. If the database specified already exists, you will be prompted with a confirmation to overwrite the current database structure and data.

Note: The creation of the database requires a user with SQL Administrator privileges. Once the database is created, change the SQL credentials to a user account that has only read and write permissions on that database; the stored scan results describe every vulnerability found, so the scanner should not keep administrative database credentials. It is also possible to import a database configuration file. Select Import Database Configuration and select a *.dbconfig file generated by the Acunetix Enterprise Reporter to automatically import the SQL database settings.

Acunetix Reports

The following is a list of the reports that can be generated from Acunetix Web Vulnerability Scanner (WVS) and Acunetix Online Vulnerability Scanner (OVS):

Affected Items Report

Availability: OVS and WVS

The Affected Items report shows the files and locations where vulnerabilities have been detected during a scan. The report shows the severity of the vulnerability detected, together with other details about how the vulnerability has been detected.

Developer Report

Availability: OVS and WVS

The Developer Report is targeted at developers who need to work on the website in order to address the vulnerabilities discovered by Acunetix Web Vulnerability Scanner. The report provides information on the files which have a long response time, a list of external links, email addresses, client scripts and external hosts, together with remediation examples and best practice recommendations for fixing the vulnerabilities.

Executive Report

Availability: OVS and WVS

The Executive Report summarizes the vulnerabilities detected in a website and gives a clear overview of the severity level of the vulnerabilities found in the website.

Quick Report

Availability: OVS and WVS

The Quick Report provides a detailed listing of all the vulnerabilities discovered during the scan.

Network Security Report

Availability: OVS only

The Network Security Report provides detailed security information about the perimeter network server scanned by Acunetix Online Vulnerability Scanner. This information is very useful for a network security auditor or pentester who is tasked with analysing the security of the perimeter network.

Compliance Reports

Screenshot: PCI Compliance Report

Compliance Reports are available for the following compliance bodies and standards:

CWE / SANS Top 25 Most Dangerous Software Errors

Availability: OVS and WVS

This report shows a list of vulnerabilities that have been detected in your website which are listed in the CWE/SANS top 25 most dangerous software errors. These errors are often easy to find and exploit and are dangerous because they will often allow attackers to take over the website or steal data. More information can be found at http://cwe.mitre.org/top25/.

The Health Insurance Portability and Accountability Act (HIPAA)

Availability: OVS and WVS

Part of the HIPAA Act defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. This report identifies the vulnerabilities that might be infringing these policies. The vulnerabilities are grouped by the sections as defined in the HIPAA Act.

International Standard ISO 27001

Availability: OVS and WVS

ISO 27001, part of the ISO/IEC 27000 family of standards, formally specifies a management system that is intended to bring information security under explicit management control. This report identifies vulnerabilities which might be in violation of the standard and groups the vulnerabilities by the sections defined in the standard.

NIST Special Publication 800-53

Availability: OVS and WVS

NIST Special Publication 800-53 covers the recommended security controls for Federal Information Systems and Organizations. Once again, the vulnerabilities identified during a scan are grouped by the categories as defined in the publication.

OWASP Top 10 2013

Availability: OVS and WVS

The Open Web Application Security Project (OWASP) is a web security project led by an international community of corporations, educational institutions and security researchers. OWASP is renowned for its work in web security, specifically through its list of top 10 web security risks to avoid. This report shows which of the detected vulnerabilities fall under the OWASP top 10 vulnerabilities.

Payment Card Industry (PCI) standards

Availability: OVS and WVS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard which applies to organizations that handle credit cardholder information. This report identifies vulnerabilities which might breach parts of the standard and groups the vulnerabilities by the requirement that has been violated.

Sarbanes Oxley Act

Availability: OVS and WVS

The Sarbanes Oxley Act was enacted to prevent fraudulent financial activities by corporations and top management. Vulnerabilities which are detected during a scan and which might lead to a breach of sections of the Act are listed in this report.

DISA STIG Web Security

Availability: OVS and WVS

The Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense. This report identifies vulnerabilities which violate sections of the STIG and groups the vulnerabilities by the sections of the STIG guide which are being violated.

Web Application Security Consortium (WASC) Threat Classification

Availability: OVS and WVS

The Web Application Security Consortium (WASC) is a non-profit organization made up of an international group of security experts, which has created a threat classification system for web vulnerabilities. This report groups the vulnerabilities identified on your site using the WASC threat classification system.

Scan Comparison Report

Screenshot: Scan Comparison Report

Availability: WVS only

The Scan Comparison Report allows the user to track the changes between two scan results for the same application. This report will highlight resolved, unchanged and new vulnerabilities, making it easy to track development changes affecting the security of your web application.

Monthly Vulnerabilities Report

Availability: WVS only

This statistical report correlates the data from the scans performed in a specific month, and reports on the vulnerabilities identified during that month.

Scheduling Scans

The Scheduler application allows you to schedule scans at a convenient time without requiring Acunetix Web Vulnerability Scanner or the Acunetix Web Vulnerability Scanner Scheduler Interface to be running.

Configuring the Scheduler service

The Acunetix Scheduler has a web-based interface that can be configured through the Acunetix Web Vulnerability Scanner application settings. To access the Scheduler service settings navigate to the Configuration > Application Settings > Scheduler node.

Configuring the Scheduler web interface

Screenshot: Scheduler web interface configuration

By default, the Scheduler web interface is only accessible via localhost and on port 8181 (http://localhost:8181). If you would like the Scheduler web interface to be accessible from other remote computers, tick the Allow remote computers to connect option. When enabled, you will be prompted to specify a username and password, and HTTPS is enabled automatically. For security reasons, login credentials must always be defined when the scheduler web interface is configured to be accessed remotely: the interface can create and start scans, so an unauthenticated remote user could launch attacks against arbitrary targets from your scanner.

Note: When you change any of the Web Interface settings, click the Apply button and then restart the Acunetix WVS Scheduler service from the Windows Services console.

Scan Options

Screenshot: Scheduler scan options

In the Scheduler Scan Options, you can specify the path where the Acunetix Web Vulnerability Scanner scan results should be saved. By default, the scan results are saved in the My Documents folder of the Windows Public user profile, in the Acunetix WVS subdirectory.

Scanning multiple websites

From this section you can also configure the number of parallel scans launched in Acunetix Web Vulnerability Scanner. E.g. if you want to scan 4 websites and their scan schedules overlap, instead of the scans being queued, another instance of Acunetix Web Vulnerability Scanner is automatically started and the scans are launched in parallel. If you are scanning a large number of websites it is suggested to increase the number of parallel scans so their schedules do not overlap. The maximum number of parallel scans is 10 if you have the x10 instances license.

Note: The maximum number of scheduled scans that can be configured in the Acunetix Web Vulnerability Scanner scheduler is 2000.

Configuring Email notifications

Screenshot: Scheduler email notifications

In this section you can specify the settings for email notifications, such as the SMTP server IP or FQDN, port, SMTP server authentication (optional) and the email address where notifications will be sent.

Excluded hours templates

Screenshot: Excluded Hours Templates

In the Excluded Hours Templates section you can specify a range of hours during which ongoing scans are paused, e.g. if you do not want to scan your website during times of high traffic.

Screenshot: Excluded Hours Configuration

To add a new Excluded Hours Template click on the Add button and then:

1. Specify a name for the template in the Name input field.

2. Highlight the hours of the day when scans should not run.

3. Click OK to save the new template.

Note: If a scan is still running during the excluded hours, the scan will be automatically paused and resumed again when scanning is allowed.

    CreatingaScheduledscan1. AccesstheSchedulerinterfacebyclickingtheSchedulerIcon onthetoolbarinthe

    AcunetixWebVulnerabilityScannerinterface,orbrowsehttp://127.0.0.1:8181usingawebbrowser.Note:JavaScriptshouldbeenabledtoaccesstheAcunetixSchedulerwebinterface.

    ScreenshotAcunetixSchedulerwebinterface

    2. ClickontheNewscanbuttontoaddanewscan.Youcanaddasmanyscansasyouwish.Ifthescanscheduleoverlaps,theywillbescannedinparallel.YoucanincreaseordecreasethenumberofparallelscansfromtheSchedulerconfigurationintheAcunetixWebVulnerabilityScannerapplicationsettings.

    3. Ifyouwouldliketoimportanumberofscans(upto2,000)usingaCSVfile,clickontheImportCSVbutton.Youcanreadmoreaboutthisfeaturelaterinthischapter.

  • ScheduledScanBasicOptions

    ScreenshotAcunetixSchedulerBasicoptions

    TheBasicOptionsallowyoutospecifywhichtarget/stoscanaswellasthescanrecursion.TherecursionoptiongivesyoutheoptiontoconfiguretheSchedulertorunascanOnce,EveryDay,EveryWeek,EveryMonthorContinuous.Setaspecificdaynumberifscheduleissettoweeklyormonthly,e.g.2nddayoftheweekor21stdayofthemonth.

    ScheduledScanAdvancedOptions

    ScreenshotAcunetixSchedulerAdvancedoptions

    TheAdvancedOptionsallowyoutoconfigure: ScanningProfile LoginSequence ScanSettingstemplate ScanMode ExcludedHoursTemplate

Scheduled Scan Results and Reports

Screenshot: Acunetix Scheduler Scan results and Reports

In the Scan results and reports section, you can select to save the scan results to the reporting database, save the scan logs, and generate a report. You can also specify in which format you want the report to be generated and an email address where the scan results are sent. If no email address is specified, the email address configured in the Scheduler settings is used. In addition, the Report template field allows you to specify which report template to use. You can choose among four templates: Affected Items, Developer Report, Executive Summary and Quick Report.

Importing Scheduled Scans

You can also import scheduled scans from a CSV file. The format of the CSV file is described next.

CSV File Properties

Each line in the CSV file should contain only one scan. For each scan you should specify the following properties:

URL: Specify the URL with or without protocol (http and https). If no protocol is specified, http is used. This entry is mandatory.

Date: Specify the date when the scan should be launched. The date format is DDMMYYYY and should be a single string. E.g. if a scan is to be scheduled for the 5th of November 2014, the date should be 05112014. This entry is mandatory.

Time: Specify the time when the scan should be launched. The time format is 24 hours and should be a single string of 4 digits. E.g. 10am should be 1000 and 10pm should be 2200. This entry is mandatory.

Scanning Profile: Specify the name of an existing scanning profile to be used during the scan. If not specified, the default scanning profile will be used during the scan.

Login Sequence: Specify the name of an existing login sequence if you want to use a login sequence during the scan. If nothing is specified, no login sequence will be used during the scan.

Scan Settings: Specify the name of an existing scan settings template. If no scan settings template is specified, the default scan settings template will be used.

Scan Mode: Specify the scan mode to be used during the scan. The options are quick, heuristic and extensive. If no scan mode is specified, the default scan mode will be used.

Generate Report: Specify if a report should be generated after the scan. The options are yes or no. If nothing is specified, no report will be generated.

Report Format: If you specified the generate report option, then you have to specify the report format as well. The options available are PDF, RTF, REP or HTML. If you do not specify any format, a PDF report will be generated.

Notification Email Address: Specify the email address where the email should be sent upon completion of the scan. If an email is not specified, the default email address configured in the Acunetix Web Vulnerability Scanner GUI will be used.

If you would like to omit an entry so the default value is used, simply leave a space between the commas. Some examples follow:

Example 1: To scan testphp.vulnweb.com on the 5th of November 2014 at 10pm using the default values, use the below line in the CSV file:

http://testphp.vulnweb.com,05112014,2200,,,,,,,

Example 2: To scan testasp.vulnweb.com on the 5th of November 2014 at 3:15pm using the XSS (Cross site scripting) scanning profile, without login sequence, default scan settings, using the extensive scanning mode, [email protected], use the below example:

http://testasp.vulnweb.com,05112014,1515,XSS,,,extensive,yes,PDF,[email protected]

Note: Scans imported from a CSV file will only be executed once. It is not possible to configure recurring scans using the CSV file import feature.
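The CSV layout above is easy to get subtly wrong in a batch of hundreds of lines (a 7-digit date, a 25:00 time, a misspelt scan mode, a missing column), and the manual does not say how the importer reacts to a bad line. The following helper, written for this manual as an added example and not part of Acunetix itself, encodes the documented field rules so a file can be checked before it is handed to the Import CSV button. The field names, the SchedulerCsvError class, MAX_SCANS and the sample lines (the second one uses a constructed security-team@example.com address) are assumptions made for this example.

```python
"""Build and validate Acunetix Scheduler CSV import lines.

Added example, not Acunetix code: it encodes the field rules this chapter
gives for the Scheduler CSV import. FIELDS, SchedulerCsvError, MAX_SCANS
and the sample data are constructed for this example.
"""
import csv
import io
from datetime import datetime

# Field order as documented: one scan per line, ten comma-separated fields.
FIELDS = ("url", "date", "time", "scanning_profile", "login_sequence",
          "scan_settings", "scan_mode", "generate_report", "report_format",
          "notification_email")
SCAN_MODES = {"quick", "heuristic", "extensive"}
REPORT_FORMATS = {"PDF", "RTF", "REP", "HTML"}
MAX_SCANS = 2000  # the chapter states Import CSV accepts up to 2,000 scans


class SchedulerCsvError(ValueError):
    """Raised when a line does not follow the documented format."""


def parse_line(line):
    """Split one CSV line into a dict keyed by FIELDS and validate it.

    Empty optional fields (or a lone space, as the manual suggests) come
    back as '' so the caller can see where the scanner applies defaults.
    """
    values = next(csv.reader([line]))
    if len(values) != len(FIELDS):
        raise SchedulerCsvError(
            f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    scan = dict(zip(FIELDS, (v.strip() for v in values)))

    # URL is mandatory; http is assumed when no protocol is given.
    if not scan["url"]:
        raise SchedulerCsvError("URL is mandatory")
    if not scan["url"].lower().startswith(("http://", "https://")):
        scan["url"] = "http://" + scan["url"]

    # Date is a single DDMMYYYY string, time a single 24-hour HHMM string.
    d, t = scan["date"], scan["time"]
    if not (len(d) == 8 and d.isdigit()):
        raise SchedulerCsvError(f"date must be DDMMYYYY, got {d!r}")
    if not (len(t) == 4 and t.isdigit()):
        raise SchedulerCsvError(f"time must be HHMM, got {t!r}")
    try:
        datetime.strptime(d + t, "%d%m%Y%H%M")  # rejects e.g. 30022014 or 2460
    except ValueError:
        raise SchedulerCsvError(f"invalid date/time {d} {t}") from None

    # Enumerated fields: an empty value means "use the default".
    if scan["scan_mode"] and scan["scan_mode"].lower() not in SCAN_MODES:
        raise SchedulerCsvError(f"scan mode must be one of {sorted(SCAN_MODES)}")
    if scan["generate_report"] and scan["generate_report"].lower() not in ("yes", "no"):
        raise SchedulerCsvError("generate report must be yes or no")
    if scan["report_format"] and scan["report_format"].upper() not in REPORT_FORMATS:
        raise SchedulerCsvError(f"report format must be one of {sorted(REPORT_FORMATS)}")
    return scan


def build_line(**scan):
    """Serialise one scan to a CSV line; omitted optional fields stay empty."""
    unknown = set(scan) - set(FIELDS)
    if unknown:
        raise SchedulerCsvError(f"unknown fields: {sorted(unknown)}")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow([scan.get(f, "") for f in FIELDS])
    line = buf.getvalue()
    parse_line(line)  # round-trip through the same rules before returning
    return line


def check_file(text):
    """Validate every non-blank line of an import file; return the parsed scans."""
    scans = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            scans.append(parse_line(line))
        except SchedulerCsvError as e:
            raise SchedulerCsvError(f"line {n}: {e}") from None
    if len(scans) > MAX_SCANS:
        raise SchedulerCsvError(f"{len(scans)} scans exceed the import limit of {MAX_SCANS}")
    return scans


# Constructed sample file: the chapter's Example 1 and an Example 2-style
# line with a placeholder notification address.
SAMPLE_CSV = """\
http://testphp.vulnweb.com,05112014,2200,,,,,,,
http://testasp.vulnweb.com,05112014,1515,XSS,,,extensive,yes,PDF,security-team@example.com
"""

if __name__ == "__main__":
    for scan in check_file(SAMPLE_CSV):
        print(scan)
    print(build_line(url="testphp.vulnweb.com", date="05112014", time="2200"))
```

Because every line is parsed with the same rules that build_line applies on output, a file generated from a ticketing system or spreadsheet can be round-tripped through check_file to catch a broken row before the whole batch is imported; remember that imported scans run only once, so recurring schedules still have to be created in the Scheduler interface.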

Troubleshooting and Support

User Manual
The most common queries can be answered by consulting this user manual.

Frequently Asked Questions
Our support team maintains a list of frequently asked questions at http://www.acunetix.com/support/faq/.

Acunetix Blog
We highly recommend that you follow our security blog by browsing to: http://www.acunetix.com/blog/.

Request Support
If you encounter persistent problems that you cannot resolve, we encourage you to contact the Acunetix Support team via email at support@acunetix.com. Please include any information you think is useful to help us diagnose your issue, such as information on the web technologies being used, screenshots showing the problem etc. Please also include the license key information in the support email. We will do our best to answer your query within 24 hours or less, depending on your time zone.

Knowledge base / Support page
You can also explore the Acunetix knowledge base and other support options by browsing to: http://www.acunetix.com/support/.

Acunetix Facebook page
Join us on Facebook for the latest product and industry updates: http://www.facebook.com/Acunetix.