Web Vulnerability Scanner (WVS)

Acunetix Web Vulnerability Scanner is a highly customisable, regularly updated and fully supported web application scanner which allows the tester to thoroughly check for a plethora of current web application vulnerabilities.

Acunetix uses bespoke AcuSensor Technology allowing the identification of more vulnerabilities than with other current web application scanners with extremely low false positives being recorded.  This technology also provides details of specific vulnerabilities identified within the web apps code and reports debug information.

AcuSensor Technology - Insight/ Evaluation

AcuSensor Technology talks to the web server and determines the sites configuration and coding language (PHP and .NET et al), it also allows a return of a full directory listing, including files not viewable via normal web links :-)  A list of all available application inputs is also enumerated, once all this is known a broader range of tests is performed against the application.

One nice little piece of technology integrated in AcuSensor is the way it hooks in between the web application itself and the backend database, allowing the ability to trace SQL injection vulnerabilities in the code against relying on database errors to determine vulnerabilities. For reporting details such as source code line number, stack trace, affected SQL query etc. are a major plus for code developers to perform quick remedial action on the affected application.

There's detailed information about this new technology available from here.

This new technology recently found an 0day, more details can be found here.

Vulnerability Checks

Currently Acunetix carries out multiple pre-defined checks for the following vulnerabilities:

Specific profiles are installed by default to aid the tester, however, bespoke profiles are easily creatable and can be up and running within seconds.

Port Scanner/ Service and Vulnerability Enumeration

Another tool added to Acunetix which will provide huge benefits to Acunetix users is the ability to perform Port Scanning and enumerate and assess the discovered open services for well-known vulnerabilities'.  We may now see the first steps away from just being a dedicated Web Application Scanner to an all purpose excellent Web and fully-armed Network scanner.  The fact that these service detection and vulnerability checks can be scripted and new ones custom written is an excellent feature and akin to the nasl scripts available and customisable in Nessus.  I expect this feature will grow and grow.

Currently Acunetix allows you to conduct:

• DNS Open recursion tests,

• Weak SNMP community strings,
• MySQL information, version and account brute force tests,
• Oracle service enumeration and a whole lot more....

Other benefits now offered with version 6 is the ability to:

• Pause and Resume sessions.
• Scan websites protected with NTLMv2 authentication.
• Cease testing if network errors occur.
• Mark and disregard false positives.
• Highly flexible scheduling of tasks.

Acunetix also provides a number of test sites to test their demonstration version of the application against deploying all major web app technologies:

http://testasp.acunetix.com
http://testphp.acunetix.com
http://testaspnet.acunetix.com

In addition to its automated scanning engine, Acunetix includes advanced tools including the ability to perform SQL Blind Injection to allow penetration testers to fine tune web application security checks allowing the tester to use:

• HTTP Editor - With this tool you can easily construct HTTP/HTTPS requests and analyze the web server response.
• HTTP Sniffer - Intercept, log and modify all HTTP/HTTPS traffic and reveal all data sent by a web application
• HTTP Fuzzer - Performs sophisticated testing for buffer overflows and input validation. Test thousands of input variables with the easy to use rule builder of the HTTP fuzzer. Tests that would have taken days to perform manually can now be done in minutes.
• Custom attacks/ modify existing ones with the Web Vulnerability Editor

Acunetix is also able to automatically fill in web forms and authenticate against web logins. Most web vulnerability scanners are unable to do this or require complex scripting to test these pages.

Acunetix trial full: http://www.acunetix.com/vulnerability-scanner/download.htm

Acunetix free: http://www.acunetix.com/cross-site-scripting/scanner.htm

Installation:

Simply download and install (and register)

Select to install Firefox Plugin - A review of this can be found here.

Execution:

Two Modes:

Wizard process

Selecting New Scan.

Input URL/ IP or Browse to new or save target file.

Acunetix will automatically detect (or the user can specify) the targets server-side web technologies deployed to fully tailor and optimise the scan.

Crawling Options - Specify verbosity level for site crawling.

Scan Options - Select pre-defined (or user created) profile and scannig mode i.e. Quick, Extensive, Heuristic etc.

Authentication Details - User supplied credentials or Recorded Login Sequence.

Finish (i.e. Execute)

Manual

Select specific Tool

Input required information i.e. URL, Authentication Method/ Error Codes etc.

Select Start

An explorer type window details the Site Structure and any alerts found with full descriptions of any vulnerabilities' identified.  Included within this are links to Acunetix knowledgebase articles and helpful www links to resources.

Acunetix includes an extensive reporting module which can generate reports that can be tailored dependant on your clients requirements. The Compliance Report template is especially useful allowing you to demonstrate compliance against the requirements of HIPAA, NIST, PCI, Sarbanes Oxley and recommendations made by the Web Application Security Consortium: Threat Classification.

Reporting can be produced in a plethora of formats including pdf, html, text, word and bmp

Version 5 Vs Version 6

A test was carried out against http://testphp.acunetix.com using the blind sql injection pre-configured profile with both versions of the scanner with all associated patches and updates applied.  A large difference in reported results was obtained:

The medium vulnerabilities identified were missed by version 5 and could should they have been exploited have amounted to possible remote code execution and information disclosure on the remote vulnerable server!

You will notice there is a lot more informational alerts being found, these although not necessarily expressing any details of vulnerabilities in the system are highly valuable for customer feedback, detailing files found in publically available directories that are not linked directly from the site, these of course could contain sensitive configuration information, scripts, credentials and the like so should not be overlooked and investigated thoroughly.

Version 6 seemed to carry out a better job of spidering/crawling the remote web application, returning 7 extra web directories on the server, possible extra cookie values etc.

Version 5 was slightly quicker in the test taking 2 mins 33 secs, version 6 took 2 mins 59 seconds.

In essence, version 6 is a big step ahead with increased functionality, reporting and identification of potential problems and vulnerabilities.

Definitely worth the upgrade if using version 5!

Summary:

An excellent tool and my Web Application Scanner of choice. Thoroughly extensible and with some excellent bespoke features missing from similar products.  Definitely add this to your toolset!