Web applications and websites are core components of any business these days. As the number of websites increases, attackers are also more active for hacking websites and stealing important business data.
With this threat, it’s becoming important to have Website vulnerability scanning as a part of complete test cycle.
Today, we are going to review a tool for a security audit of web applications and websites – Acunetix Web Vulnerability Scanner (WVS). Acunetix WVS is the tool of choice for SQL Injection testing, Cross-site scripting (XSS) and OWASP top 10 other vulnerabilities.
What You Will Learn:
Acunetix WVS is an automated web application security testing, founded to combat the rise in attacks at the web application layer. Acunetix WVS audits a website’s security by launching a series of attacks against the site. It then provides concise reports of any vulnerabilities it found and will even offer suggestions on how to fix them.
In this tutorial, I shall be taking Acunetix WVS for a spin and explaining some of its unique features.
Before starting a scan, I needed a vulnerable site to test. Acunetix maintains its own test sites which you can scan to test the product.
Starting a new scan is as simple as starting the Scan Wizard by clicking the New Scan button in the main toolbar. The wizard will walk you through some options you can use to customize the scan.
We first need to tell Acunetix Web Vulnerability Scanner what site we’d like to scan. In this case, I’ll be sticking with the PHP test site above (i.e. http://testphp.vulnweb.com).
(Note: Click on any image for enlarged view)
Next, we’ll need to select a Scanning Profile. A Scanning Profile is a logical grouping of tests that perform a specific group of tests. This feature allows you to customize what tests you want or don’t want Acunetix WVS to run. You can choose from the several built-in Scanning Profiles, or you can create custom Scanning Profiles that suit your specific requirements.
The Default Scanning Profile includes every test Acunetix Web Vulnerability Scanner can run. However, let’s assume I’m only concerned about high-risk alerts, I can customize the scan to the only test for those vulnerabilities.
Scanning Profiles are not the only way to customize a scan — Scan Setting allows very granular control over your scan. Most users will not need to modify these settings since the defaults have been carefully selected to cater for the vast majority of websites and web applications. However, since I happen to be connecting to the internet using an HTTP proxy, I’ll go ahead and configure that from here by clicking the Customize button next to the Scan Settings list box.
Should you need them, Acunetix WVS also has advanced options you can leverage if you need even more control over the pages you want (or don’t want) the scanner crawl and scan.
You can select which pages you want to exclude from a scan using the After crawling let me choose the files to scan option, and even import results from other tools such as Portswigger’s BurpSuite and Telerik’s Fiddler, and of course Acunetix WVS’ built-in HTTP Sniffer.
Being a black-box scanner, Acunetix WVS can scan any website or web application, regardless of the technologies, or programming languages it uses — it essentially tests a website or web application without any prior knowledge of how that site works, just like a real attacker would.
Having said this, Acunetix Web Vulnerability Scanner has some intelligent tricks up its sleeve to optimize the scan for a specific technology. Acunetix WVS will try to fingerprint the web application in order to detect the technologies it is using to cut-down on the scan time. E.g. If I’m testing a site built using PHP, there is no reason to look for vulnerabilities that can only exist in ASP.NET applications.
Because this site has a login page, we need to create a Login Sequence in order to instruct the scanner on how to log into the application. This is an essential part of the scanning process and something that is usually difficult or tedious to set-up properly with other scanners. You can either attempt to have the scanner log in for you (this will work for most simple sites with just a username and password), or else you can create a Login Sequence manually (works better for more complex logins and provides much more control).
Acunetix Web Vulnerability Scanner makes creating a Login Sequence dead-easy, simply go through your normal login process of signing into an account; you’ll notice that your actions are being recorded. The scanner will replay these actions to log in during the scan.
You can also use the replay button at the bottom-left of the Login Sequence Recorder window to replay your actions just to make sure everything is working correctly.
Once you click Next you have the option of selecting what links you do not want the scanner to click on while logged in. We obviously don’t want the scanner to get logged out of the session during a crawl or a scan, so I’ll be clicking on the Logout link in order to restrict it, however, you are free to set-up as many restrictions as you like. It’s also worth noting that the Login Sequence Recorder also has support for restricting links with nonces (one-time tokens in links) by using wildcards.
Once you’re done restricting links, click Next. A Login Sequence alone is not enough. The scanner needs to understand when it is logged in and when it is logged out. The Login Sequence Recorder needs what is known as a Session Pattern.
A Session Pattern is nothing more than something unique between a logged in and a logged-out state of a web application. The Login Sequence Recorder will detect this pattern automatically for you; however, you’re free to customize this pattern if you wish to do so.
Clicking Finish will ask you to save the Login Sequence you’ve just created. This can be used at a later date so you don’t need to go through the process of creating a Login Sequence every time you want to scan the same site.
You will then be presented with the final screen of the Scan Wizard which gives you the option of saving any Scan Settings you might have set. In addition, Acunetix WVS is smart enough to identify if a site provides a different response to a mobile User-Agent string and it will ask you if you’d like to change your User Agent string to say that of an iPhone or an Android device — handy if your site is mobile friendly.
After the crawl and scan are complete, Acunetix WVS will list a list of high-severity vulnerabilities that it detected on the test site.
The moment you click on a specific vulnerability (SQL Injection in this case), Acunetix WVS reveals not only which input parameter is vulnerable but it will also list variations of an attack on that parameter.
Selecting one of the variations of vulnerability explains the vulnerability in great detail. The scanner will first provide a summary of the vulnerability, and then it will proceed to explain what the impact of such vulnerability is and how to fix the vulnerability.
If you’ve installed Acunetix AcuSensor (this is optional), a server-side component for PHP and .NET applications that communicate with Acunetix WVS results for vulnerabilities such as SQL Injection will even include the file and the vulnerable line of code!
The alert will then provide you with further information containing a lengthier explanation of the problem, as well as more details on how to fix the vulnerability together with a list of reference URLs where you can read up more about the subject, just in case the scanner found something you’re not quite familiar with.
Re-running the scan from the start is obviously one way of checking if the fix for a detected vulnerability is successful. However, Acunetix WVS has a very handy Retest feature.
Simply right-click an alert you’d like to retest and select Retest alert(s). The tests that detected that vulnerability will be re-run and the new result will be shown. If the vulnerability is resolved, Acunetix will mark it in a gray, strike-through font.
From here you can save the scan’s results or generate a variety of easy to understand reports. You can generate reports by clicking the Reporter button in the main toolbar.
When the Acunetix Web Vulnerability Scanner Reporter loads, you’re presented with a selection of reports you can choose from. If you’re after high-level reports, the Affected Items, Executive Summary, and Quick Report provide a variety of concise reports to choose from.
If on the other hand, you’re after compliance reports, the Acunetix reporter can generate reports tailored to a compliance standard of your choice, be that the OWASP Top 10, PCI, HIPPA or any of the other Compliance Reports available. These reports are periodically updated to always be in-line with the latest version of a compliance standard.
The most detailed report is the Developer Report. This report is also highly configurable, allowing the user to include just the necessary information in the report.
Clicking Generate will produce a report which you can save out to PDF, HTML, and other formats to share with colleagues and other stakeholders.
We’ve already covered that Acunetix is a black box scanner, and therefore, as long as a site is accessible over HTTP or HTTPS it can be scanned, however, the scanner is very “intelligent” when it comes to fishing out vulnerabilities that are endemic to certain frameworks and technologies — from PHP,NET, Ruby on Rails and several popular Java frameworks all the way to CMSs such as WordPress and it’s plugins. Acunetix WVS can identify and audit a site based on what technology stack a site is running.
In order to make it even easier for web application developers to track down DOM-based XSS vulnerabilities, Acunetix WVS will also provide the user with a stack trace of how the XSS payload flowed through the browser’s Document Object Model (DOM).
As we’ve already seen, AcuSensor is an optional component (included with Acunetix WVS) that is installed on the server-side and is available for both PHP and .NET applications. The use of AcuSensor provides what is known as Interactive Application Security Testing (IAST).
The installation for both PHP and .NET is very straightforward, and with.NET, there is no need to re-compile DLLs — you can simply inject and un-inject AcuSensor from within precompiled .NET DLLs.
Most web application black-box scanners (including Acunetix WVS without AcuSensor) can’t see how code behaves while it’s being executed. On the other end of the spectrum, source code analysis tools can’t always understand what happens when the code is in execution.
Acunetix AcuSensor brings both testing methodologies together and as a result, can provide a more accurate and comprehensive scan. Since the sensor has knowledge of the backend system, it can also find vulnerabilities in difficult-to-reach areas with a typical black-box scanner. For example, SQL injection vulnerabilities are usually either found through information leaked through database errors, or through blind injection techniques. AcuSensor can find SQL Injection vulnerabilities in any SQL query; including INSERT statements.
As we’ve already seen, Acunetix AcuSensor can indicate the vulnerable line of code and can even report additional debug information. This greatly increases a development team’s efficiency at resolving critical security bugs.
AcuMonitor is a set-it-and-forget-it technology that is included as part of Acunetix WVS. It serves as an intermediary service that works in the background and allows the scanner to detect second-order vulnerabilities.
Second-order vulnerability testing accounts for vulnerabilities that do not provide a response to a scanner during testing. Such vulnerabilities include Blind XSS (also referred to as Delayed XSS), XML External Entity Injection (XXE), Server Side Request Forgery (SSRF), Host Header Attacks, Email Header Injection, Password Reset Poisoning, Blind Out-of-Band SQL Injection and Blind Out-of-Band Remote Code Execution; all of which can be automatically detected using AcuMonitor.
In order to detect second-order vulnerabilities, an intermediary that the scanner controls, or has access to, needs to exist. Acunetix WVS, combined with AcuMonitor, makes automatic detection of such vulnerabilities painless and transparent to the user running the scan.
Acunetix is available online or on-premise. Acunetix offers a 14-day trial of Acunetix WVS, and they also offer an online rendition of the scanner called Acunetix OVS, which you can also try out for 14-days. The only real way to get to grips with any product is to try it out for yourself.
In addition to all of the above, Acunetix Web Vulnerability Scanner also comes bundled with a range of integrated manual penetration testing tools. These tools allow auditors to run automated scans and verify results manually without the need for switching tools.
Acunetix WVS offers security professionals and software engineers alike a range of stunning features in an easy, straight-forward and very robust package. Of course, this review can only cover so much, and while this tutorial aims to provide a broad overview of the product, there are several other useful features that were not included.
Have you used Acunetix or any other web vulnerability scanner? Let us know your experience or queries in comments below.