Web Application Vulnerability Scanners are used to protect your website from malicious hackers. These scanners scan web applications to look for security vulnerabilities such as SQL Injection, XSS (Cross-site Scripting), Command Injection, etc.
Web Application Vulnerability Scanners are also known as Dynamic Application Security Testing (DAST) tools.
Today in this post, we review Acunetix Web Vulnerability Scanner (WVS).
What is Acunetix Web Vulnerability Scanner
Acunetix by Invicti is an end-to-end web security testing solution for securing your websites, web applications, and APIs. It addresses security vulnerabilities across all your critical web assets.
It is best for the teams who want to secure their websites, web applications as well as APIs.
Some of the features of Acunetix are as follows:
- The setup of Acunetix is easy and intuitive. It allows you to start scanning in just a few clicks.
- It detects 7000+ vulnerabilities including SQL injections, Cross-Site Scripting (XSS), weak passwords, misconfigurations, exposed databases, etc.
- It scans single-page applications, web apps, and complex web applications.
- It runs on Windows, Linux, and macOS.
- It can be integrated with a number of issue tracking systems such as Atlassian JIRA, GitHub, GitLab, Azure DevOps, Bugzilla, or Mantis.
- It can be integrated with the CI/CD tool Jenkins.
- Its macro recording technology lets it scan password-protected pages and multi-level forms on your site.
- It has the highest detection rate of vulnerabilities with low false positives compared to its competitors in the market.
- It provides a detailed report which contains the vulnerabilities it found along with suggestions on how to resolve the vulnerabilities.
- In the Acunetix report, you can see the structure of the site and all the pages of the site that the scanner has crawled.
- It shows a list of vulnerabilities and also the type of vulnerability in the report.
- It also gives suggestions on how to fix the vulnerabilities found.
- It supports certain compliance standards such as HIPAA, ISO, NIST, OWASP Top 10, PCI DSS.
- It supports integrations with web applications firewalls such as F5, Fortinet, Imperva, Citrix, AWS, and others.
Acunetix is available in three editions:
- Acunetix Standard: It is a web vulnerability scanner, which automatically tests your websites for over 7,000 security vulnerabilities.
- Acunetix Premium: It is a web application security solution for managing the security of multiple websites, web applications, and APIs. Integration features allow you to automate your DevOps and issue management infrastructures.
- Acunetix 360: It is a best-of-breed enterprise web vulnerability solution designed to be a part of complex environments. It provides multiple integrations as well as options to integrate within custom contexts.
Note: It is always recommended to run vulnerability scanner tools only on a test server. Never run them against the production server.
How Acunetix Works
Let’s start with its Dashboard.
In the dashboard, we can see the following:
- Total no. of vulnerabilities discovered across your targets.
- Scan information such as the total no. of scans running, waiting, conducted, open vulnerabilities, and total targets.
- The most vulnerable targets section and the top vulnerabilities section.
- Trends such as Open Vulnerabilities for the past 12 months, Average Vulnerabilities per Target, Average Days to Remediate, and Vulnerabilities Found in the Last 12 Months.
Scanning a website with Acunetix is very simple and the basic settings are very straightforward.
Step 1: Go to Acunetix – Targets
Step 2: Add the URL of the website you want to scan and a description.
Here the URL is http://testphp.vulnweb.com and the description is ‘Test’.
Note: It also allows you to batch import target URLs and descriptions from a CSV file.
Step 3: You can also create targets in groups, which is handy for staging or QA, or, you can organize your apps by business function or by country.
Once you click on Save, you can see all your targets in the main targets listing.
Go to a specific target to configure further settings like authentication, scope, speed, and connectivity.
Here the target we are going to open is http://testphp.vulnweb.com
You can change the ‘Business Criticality’ to Low, Normal, High, or Critical, and you can toggle the ‘Scan Speed’ between slower, slow, moderate, and fast.
You can configure authentication if required.
You can also do settings like multi-factor authentication, macro recorders, site scope settings, import files, HTTP settings, client certificates, and many more.
You can change the ‘Scanning Options’ as per your requirement, such as scanning on a regular basis, once a year, etc.
You can also schedule daily scans for high severity vulnerabilities and a full scan once every week to ensure that the target stays secure.
Once you start scanning, Acunetix crawls your website, maps out all of the directories in your website, and then launches mock attacks to identify the vulnerabilities in your website.
You can find the scan report as shown below. The report shows you the details of the scan such as a snippet of alerts, out-of-scope links, scan duration, number of requests, average response time, and much more.
Go to Scans to find all the information related to scans.
You can see the site structure, all the pages that the Acunetix scanner has crawled, and all the vulnerabilities that were found during the website scan.
Go to Vulnerabilities to see the list of vulnerabilities.
Open a particular vulnerability, say ‘SQL Injection’.
You can see the type of vulnerability, its severity, the URL of the page where the vulnerability was found, and other parameters.
You can also filter them based on the status, business criticality, target groups, severity, etc.
To see more detailed information, just click on a particular vulnerability, say ‘Directory Traversal Vulnerability’.
You can find the vulnerability details, such as a description, the attack details, the request and response sections, and proof of exploit.
The tool gives suggestions on how to fix this type of vulnerability.
You can change the status of this record and save it as open, fixed, ignored, or false positive.
You can retest it or submit it to a supported issue tracker from this page.
You can generate all sorts of reports based on that particular vulnerability and any other vulnerabilities that you’d want to include.
Acunetix offers extensive reporting, such as executive, comprehensive, developer, and compliance reports.
Here I am going to conclude this simple scan using Acunetix Web Vulnerability Scanner. You can configure more settings and find more critical issues by setting up an authentication mechanism.
You can use Acunetix Macro Recorders to record critical business logic and easily scan flows like shopping carts.
You can integrate it with issue trackers and CI/CD tools.
You can also integrate it with 3rd party systems using its API.
Acunetix offers more settings to customize your experience even further.
It allows you to add users and assign them permissions, either to access certain targets or certain groups. You can assign them a role that gives them the ability to run tests or pull reports.
Acunetix helps you and your team to secure your websites, whether you are trying to secure a few websites or automating your web vulnerability assessment and management.
Acunetix secures your organization through its web-based application security scanner functionality.
It is reasonably priced compared to its competitors in this field.
I hope this review will help you in choosing Acunetix as your organization’s security testing tool.
Don’t forget to try Acunetix Web Vulnerability Scanner. Share your working experience on this tool here in the comment section below with us.
Image source: Acunetix.