by Michael Ortega
Find out if your website is secure before hackers download sensitive data, commit a crime by using your website as a launch pad, and endanger your business. Acunetix Web Vulnerability Scanner (WVS) crawls your website, automatically analyzes your web applications and finds perilous SQL injection, Cross site scripting and other vulnerabilities that expose your online business. Concise reports identify where web applications need to be fixed, thus enabling you to protect your business from impending hacker attacks!
In today’s threat landscape, organizations and security professionals can no longer focus solely on patching and infrastructure vulnerabilities. If regulations or industry standards are not your driver, you can be sure that clients will soon be asking “how are you securing your applications?” As with any solution, you need to have the people, processes, and technology in place to be successful. While much of this testing could be done manually, the proliferation of applications used in organizations today makes manual testing an insurmountable and never-ending task. Application security testing tools are often the best solution for security professionals tasked with securing applications throughout the Software Development Lifecycle (SDLC). This is where we introduce Acunetix!
As a precursor to the remainder of this article, I have had the opportunity to work with a number of Application Security tools for large enterprises. This is the first time I have worked directly with Acunetix.
What is Acunetix Web Vulnerability Scanner?
In Acunetix’s own words:
“Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.”
The need to test applications in depth, further than traditional vulnerability management tools (e.g. Nessus, Nexpose, etc.) do, has created a market with several players in the application security space. Whereas Nessus and Nexpose are vulnerability management (VM) tools, Acunetix focuses on web application vulnerabilities and variants thereof, and does a much better job at detecting them than traditional VM tools.
Key Features and Functionality
I could spend time walking you through how to complete a scan with Acunetix, but the “getting started” and “user manual” provide a wealth of information for this. The best use of your time will be to understand the features that distinguish Acunetix from the other vulnerability scanners.
- Vulnerability Detection – First and foremost, does Acunetix do what it says it does? The resounding answer is…YES! The ability to scan HTML5/JS sites provides coverage where a number of products start to fall apart. Additionally, the speed of the scanner allows scans to be completed in very little time. When I did a side-by-side comparison, I found a number of features in Acunetix that I did not see in OSS (Open Source Software) products:
- AcuSensor – AcuSensor is an agent installed on the web server for testing purposes, which interacts with the console. This reduces the number of false positives, as the scanner is not relying on HTTP responses alone but also interacts with the agent on the server to determine whether a test was successful or not. At the time of this writing, AcuSensor is used primarily with PHP and .NET web applications. I understand that other products have similar technology for Java, so before investing make sure you understand how your applications were written so you can fully take advantage of this. To emphasise, AcuSensor identifies more vulnerabilities than a traditional black-box web security scanner and reduces false positives. AcuSensor will show you the line of code where it found the vulnerability, which helps you to get it fixed faster. This is achieved by combining black-box scanning techniques with dynamic code analysis whilst the source code is being executed.
- It is also possible to detect some vulnerabilities using an intermediary server. AcuMonitor allows Acunetix WVS to find such vulnerabilities, including Blind XSS, Server Side Request Forgery and Email Header Injection. Depending on the vulnerability, it can be reported during the scan and also by an email sent directly to the user.
- Tools – These are a few of the features that jumped out at me right away. Some of the tools are not something you expect to see in a Web Application Security scanner, but such tools aid interpretation of the scan results.
- Target Finder – This functionality lets you scan subnets looking for web services by port (e.g. 80, 443, etc.). It is especially important in organizations where there is uncertainty about where web services are actually running, and where malware might have installed web servers on users' machines. This is something that is missing in some of the other products out there today.
- Subdomain Scanner – This is another feature that I did not expect to find in a web security scanner. The ability to search for subdomains automatically based on DNS records is another valuable tool for someone trying to get a handle on their environment.
- Compare Results – Conducting repeat scans to confirm that issues have been remediated has been problematic in other tools. This feature made the issues between each test easy to distinguish.
- The Scheduler – Acunetix allows you to schedule your scans for a single site or multiple sites. This is a great feature in a vulnerability scanner as it allows you to test during those late night maintenance windows without giving up those precious hours of sleep or drinking!
- Single Pane Navigation – While this is more of a preference, there were many instances in the past where I spent time reviewing issues with application teams while having to flip through multiple screens. The Acunetix issue summary is managed in one pane with all the relevant information provided, such as issue details, issue summaries, and recommended fixes. The tools mentioned above are all in the same frame as well.
Other Useful Functionalities
It is impossible to detail all the functionalities of the scanner in one article but these last few certainly deserve a mention.
One of these is the ability of Acunetix to crawl and scan HTML5/JS sites, including AngularJS sites, which is already ahead of the pack in version 9.5 and, I’m told, will be further strengthened in version 10. This is one feature which readers should find very useful. Another plus is that the information is easy to understand: the vulnerabilities are categorized, allowing the user to focus on the most important alerts, and the results include information on the vulnerability and remediation advice, augmented with external references.
In addition, whilst I was working on the review, the Bash vulnerability (Shellshock) was discovered, and within 24 hours Acunetix notified users of an update adding a check for Shellshock.
- Easy to use – Acunetix is extremely easy to use right after being installed. Additionally, it allowed me to configure the scan with some more in depth testing options to ensure I covered most of the application without sacrificing speed. All key features and functionality are contained within the application (i.e. issue retest, scan templates, CVE info, Web Services scanning, etc.) and easily found so that the documentation provided is rarely needed. The additional tools (Target finder, subdomain scanners, port scanner, etc.) for discovery of your environment are a great addition to the product.
- Application Authentication – Authenticating to your application is important, as you want to make sure you cover your entire application as part of the test. This has always been challenging in other products (even with a completely separate application to manage authentication). Acunetix did a good job of handling authentication for various applications without much hassle.
- Pricing – I have worked with other solutions before and pricing always seemed to be complex and tiered. The Acunetix pricing model is very straightforward and very reasonably priced. (https://www.acunetix.com/ordering/).
- Product Transparency – Any time I evaluate any product I open my favourite search engine and type in ‘$productname bugs’ or ‘$productname request for enhancements’ to find some forums on problems that current users are having. I was surprised to see that Acunetix will make all this information available to all people including non-customers. http://acunetixwvs.ideascale.com/a/ideafactory.do This is of some reassurance that you’re not falling into that slippery salesman approach and that you know what you are buying. Check out this page!
- Acunetix focuses on being a good scanner, giving good technical results and a palette of reports. A scan is usually run on a single target.
- Acunetix provides CVE, CVSS and CWE scores either in the results or in the reports, as well as OWASP and SANS reports. Results can be compared using the Acunetix result comparison. Of course, risk would need to be further assessed on the basis of the target application's importance. If Acunetix is used repeatedly on multiple targets, then data aggregation solutions need to be made available.
- Acunetix results can be consumed by a vulnerability data management system to address broader management requirements. Such solutions use the Acunetix XML output to integrate with vulnerability management aggregation tools, such as the one from a particular Technology Partner Acunetix works with, where the vulnerability information from multiple orchestrated scans and/or scanners is overlaid onto a matrix of applications classified by importance to help prioritize remediation tasks. That system also integrates with defect tracking and management systems, which then queue tasks for developers to look into within the SDLC. Acunetix can point to and support integration with such solutions, which can be deployed to achieve these goals for a fee if not already available out of the box, as with particular Technology Partners.
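The "Compare Results" feature described earlier and the XML-export integration in the last item both come down to the same processing step: give every finding a stable identity so that a rescan can be sorted into fixed, new and still-open findings, and rank what remains by severity. The following is an added example, not Acunetix code; the XML layout in it is a constructed stand-in for a scanner's XML export (the real Acunetix schema is not reproduced here), and the function names and the two sample reports are assumptions for illustration.

```python
"""Diff two web-vulnerability scan exports and rank what is still open.

Added example, not Acunetix code. The <ScanReport>/<Finding> layout is a
constructed stand-in for a scanner's XML export; the real Acunetix schema
differs. The logic is what a "compare results" step or a vulnerability
management aggregator does with such exports.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Higher number = more urgent. Unknown labels rank lowest.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample: export from the first scan, before remediation.
REPORT_BEFORE = """<?xml version="1.0"?>
<ScanReport target="https://shop.example.test">
  <Finding severity="High" cwe="89" name="SQL Injection">
    <Url>/product.php</Url><Parameter>id</Parameter>
  </Finding>
  <Finding severity="High" cwe="79" name="Cross-site Scripting">
    <Url>/search.php</Url><Parameter>q</Parameter>
  </Finding>
  <Finding severity="Low" cwe="1004" name="Missing HttpOnly flag">
    <Url>/login.php</Url><Parameter>PHPSESSID</Parameter>
  </Finding>
</ScanReport>
"""

# Constructed sample: rescan after product.php was fixed; one new issue.
REPORT_AFTER = """<?xml version="1.0"?>
<ScanReport target="https://shop.example.test">
  <Finding severity="High" cwe="79" name="Cross-site Scripting">
    <Url>/search.php</Url><Parameter>q</Parameter>
  </Finding>
  <Finding severity="Low" cwe="1004" name="Missing HttpOnly flag">
    <Url>/login.php</Url><Parameter>PHPSESSID</Parameter>
  </Finding>
  <Finding severity="Medium" cwe="548" name="Directory Listing">
    <Url>/backup/</Url>
  </Finding>
</ScanReport>
"""


def parse_report(xml_text):
    """Return {(name, url, parameter): finding} for one export.

    The tuple key is the stable identity used to match findings across
    scans. For exports from an untrusted source, parse with defusedxml
    instead of xml.etree to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for node in root.iter("Finding"):
        url = node.findtext("Url", default="").strip()
        param = node.findtext("Parameter", default="").strip()
        finding = {
            "name": node.get("name", "Unnamed"),
            "severity": node.get("severity", "Informational"),
            "cwe": node.get("cwe"),
            "url": url,
            "parameter": param,
            "target": root.get("target"),
        }
        findings[(finding["name"], url, param)] = finding
    return findings


def diff_reports(before, after):
    """Split findings into fixed (gone), new (appeared) and open (persisting)."""
    return {
        "fixed": [before[k] for k in before if k not in after],
        "new": [after[k] for k in after if k not in before],
        "open": [after[k] for k in after if k in before],
    }


def prioritize(findings):
    """Order findings most-severe first; ties broken by URL for stable output."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK.get(f["severity"], -1), f["url"]))


def severity_counts(findings):
    """Per-severity totals, the kind of number a management report wants."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    delta = diff_reports(parse_report(REPORT_BEFORE), parse_report(REPORT_AFTER))
    for bucket in ("fixed", "new", "open"):
        print(bucket, [f["name"] for f in delta[bucket]])
    for f in prioritize(delta["open"] + delta["new"]):
        print(f"{f['severity']:<7} {f['name']:<24} {f['url']} {f['parameter']}")
    print(dict(severity_counts(delta["open"] + delta["new"])))
```

The identity key deliberately excludes severity and CWE so that a rescored finding is still matched to its earlier occurrence; if your scanner supplies a stable finding id, use that instead. Feeding the per-target counts into an application-importance matrix is exactly the aggregation step the item above describes.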
As I mentioned earlier, this is the first opportunity I have had to try Acunetix for any length of time. It has all the features and functionality that allow the product to compete with the “big boys” in the field, but it is also reasonably priced. Acunetix is a solid product to get your application security testing program off the ground. As always, ensure that you understand your SDLC so that you get the coverage you need to test. Acunetix have also recently released an online version of the scanner for auditing public internet-facing web servers and network interfaces. Check it out for yourself (follow the link in the “On the Net” frame).
On the Net
- 14-day Acunetix WVS Download - http://www.acunetix.com/vulnerability-scanner/download/
- 14-day Acunetix OVS Registration - http://www.acunetix.com/vulnerability-scanner/register-online-vulnerability-scanner/
- Acunetix Website - http://www.acunetix.com
- Online Scan with Acunetix - https://www.acunetix.com/vulnerability-scanner/register-online-vulnerability-scanner/
- Audit Your Website Security with Acunetix Web Vulnerability Scanner - https://www.acunetix.com/vulnerability-scanner/
- Advanced Pen-Testing Tools - https://www.acunetix.com/vulnerability-scanner/pen-testing-tools/
- Regulatory Compliance Reports for PCI, HIPAA and others - https://www.acunetix.com/vulnerability-scanner/pci-regulatory-compliance/
- AcuMonitor Service - http://www.acunetix.com/websitesecurity/acumonitor/
Securing the web applications of today’s businesses is perhaps the most overlooked aspect of securing the enterprise. Web application hacking is on the rise, with as many as 75% of cyber attacks carried out at the web application level or via the web. Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack. Web applications — which often have a direct line into the company’s most valuable data assets — are online 24/7, completely unprotected by a firewall and therefore easy prey for attackers.
Acunetix was founded with this threat in mind. It was understood that the only way to combat website hacking was to develop an automated tool that could help companies scan their web applications to identify and resolve exploitable vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released – a heuristic tool designed to replicate a hacker’s methodology to find dangerous vulnerabilities — like SQL injection and cross site scripting — before hackers do. Acunetix WVS brings an extensive feature-set of both automated and manual penetration testing tools, enabling security analysts to perform a complete vulnerability assessment, and repair detected threats, with just the one product.
The Acunetix development team consists of highly experienced security developers, all with extensive development experience in network security scanning software prior to working on Acunetix WVS. The management team is backed by years of experience in marketing and selling security software.