Acunetix WVS v9 User Manual - ITCS (IT Consulting and Services)

Contents

1. [Screenshot 60: Input Fields]
   To crawl and scan certain websites and web services automatically, the values for specific input fields and web service operations must be set in advance. You can use the Input Fields node to define a list of input field values to be set automatically when submitting HTML forms, or parse them from a URL.
   Navigate to the Configuration > Scan Settings > Input Fields node. Enter the URL of the webpage or web service containing the specific form or list of operations to which pre-defined values must be passed, and click the Parse from URL button. The resulting list will then be automatically completed with the form fields found at the given URL. Enter the values for the required fields by double-clicking the respective value column. Click Apply to save the changes.
   Input fields also support wildcards to match a broad range of data. Below you can find a number of examples:
   - *cus* is used to match any number of characters before and after the pattern cus.
   - *cus is used to match any number of characters before the pattern.
2. [Screenshot 51: The crawler tool interface]
   The interface of the Site Crawler consists of:
   - Site structure window (left hand side): displays target site information fetched by the crawler, e.g. cookies, robots files and directories.
   - Details window (right hand side): displays general information about a file selected in the site structure window, e.g. filename, file path, etc. A series of tabs at the bottom of the Details window display further information about the selected object.
   Starting a Website Crawl
   1. Select Tools > Site Crawler.
   2. Enter the URL of the target website, e.g. http://testphp.vulnweb.com. If you want to use a recorded login sequence during the crawl, select it from the Login Sequence drop-down menu.
   3. Click on the Start button to start the crawling process. If the website or any parts of it require HTTP authentication to be accessed, a pop-up window will automatically appear for you to enter the correct credentials, unless they were already configured in the HTTP Authentication settings node.
   The site structure will be displayed on the left hand side. For each directory found, a node will be created together with sub-nodes for each file. The Site Crawler will also create a Cookies node which displays information about the cookies used. It is also possible
3. [Screenshot 10: HTTP Sniffer]
   The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to capture traffic before it is sent to the web server or back to the web client. This tool is useful to:
   - Analyze how Session IDs are stored and how inputs are sent to the server.
   - Alter any HTTP requests being sent back to the server before they get sent.
   - Manual crawling: navigate through parts of the website which cannot be crawled automatically and import the results into the scanner to include them in the automated scan.
   For HTTP requests to pass through Acunetix Web Vulnerability Scanner, Acunetix Web Vulnerability
4. [Screenshot 22: LAN HTTP Proxy Settings]
   If your machine is located behind a proxy server, the Acunetix proxy server settings must be configured for the scanner to connect to the target application. Navigate to the Configuration > Scan Settings > LAN Settings node to access the HTTP Proxy and SOCKS proxy settings page shown in the above screenshot.
   HTTP Proxy Settings
   - Use an HTTP proxy server: tick the check box to configure Acunetix Web Vulnerability Scanner to use an HTTP proxy server.
   - Hostname and Port: hostname or IP address and port number of the HTTP proxy server.
   - Username and Password: credentials used to access the proxy. If no authentication is required, leave these options empty.
   SOCKS Proxy Settings
   - Use a SOCKS proxy server: tick the check box to configure Acunetix Web Vulnerability Scanner to use a SOCKS proxy server.
   - Hostname and Port: hostname or IP address and port number of the SOCKS proxy server.
   - Protocol: select which SOCKS protocol to use. Both SOCKS v4 and v5 are supported by Acunetix Web Vulnerability Scanner.
   - Username and Password
5. The Basic Options allow you to specify what target(s) to scan as well as the scan recursion. The recursion option lets you configure the Scheduler to run a scan Once, Every Day, Every Week, Every Month or Continuous. Set a specific day number if the schedule is set to weekly or monthly, e.g. the 2nd day of the week or the 21st day of the month.
   [Screenshot 75: Acunetix Scheduler Advanced options]
   The Advanced Options allow you to configure:
   - Scanning Profile
   - Login Sequence
   - Scan Settings template
   - Scan Mode
   - Excluded Hours Template
   [Screenshot 76: Acunetix Scheduler Scan results and Reports]
   In this section you can specify whether to save the scan results to the reporting database, save the scan logs and generate a report. You can also specify in which format you want the report to be generated and an email address
6. [Screenshot 7: Subdomain Scanner]
   Using various techniques, the Subdomain Scanner allows fast and easy identification of active sub-domains of a top level domain. The Subdomain Scanner can be configured to use the target's DNS server or any other DNS server specified by the user. More information about the Subdomain Scanner can be found here: http://www.acunetix.com/blog/docs/subdomain-scanner
   Blind SQL Injector
   [Blind SQL Injector screenshot]
7. [Screenshot 40: Scan Result and Information window]
   In the Crawler results Site Structure node, color codes are used to show different file statuses. The filename color coding is as follows:
   - Green: these files will be tested with AcuSensor Technology, resulting in more advanced security checks and fewer false positive alerts. From the AcuSensor data tab the user can see what data related to these files is being returned by the AcuSensor. Such information is useful to know what SQL queries were executed, or whether the selected file uses functions which are monitored by AcuSensor.
   - Blue: the file was detected during a vulnerability test and not by the crawler. Most probably such files are not linked from anywhere on the target website.
   - Black: files discovered by the crawler.
   For every discovered item, more detailed information is available in the information pane on the right hand side:
   - Info: generic information such as file name, page title, path, length, URL, etc.
   - Referrers: the files or pages that linked to the tested file.
   - HTTP Headers: the HTTP headers of the request sent to the web server to retrieve the selected file, and the HTTP response headers received.
   - Inputs: possible input parameters and values for the file.
   - View Source: the source HTML of the page.
   - View Page
8. http://www.acunetix.com/blog/docs/http-fuzzer-tool
   Authentication Tester
   [Screenshot 12: Authentication Tester]
   With the Authentication Tester you can perform a dictionary attack against login pages that use either HTTP (NTLM v1, NTLM v2, digest) or form-based authentication. This tool uses two predefined text files (dictionaries) containing a list of common usernames and passwords. You can add your own combinations to these text files. More information about the Authentication Tester can be found here: http://www.acunetix.com/blog/docs/authentication-tester
   Web Services Scanner and Web Services Editor
   [Web Services Scanner screenshot]
9. [Screenshot 39: Network Port Scanner and Knowledge Base nodes]
   The Network Alerts node displays network-level vulnerabilities discovered in scanned network services, such as DNS, FTP, SMTP and SSH servers. Network alerts are categorized by 4 severity levels, similar to web alerts. The number of vulnerabilities detected is displayed in brackets next to the alert categories. Click an alert category node to view more information, similar to web alerts.
   Note: You can disable network security checks by un-ticking the Enable Port Scanning option in the Scan Wizard. Network security checks are only performed on open ports detected during the scan, thus disabling port scanning will effectively disable all the network security checks.
   Port Scanner
   The Port Scanner node displays all the discovered open ports on the server. Network service banners can be viewed by clicking on an open port.
   Note: Port scanning of the target server can be disabled by un-ticking the Enable Port Scanning option in the Scan Wizard.
   Knowledge Base
   The Knowledge Base node is a high-level report that displays:
   - List of open TCP ports found on the server, including
10. [Screenshot 27: Login Details Options]
    Scanning an HTTP password protected area
    If you scan an HTTP password protected website, you will be automatically prompted to specify the username and password unless they are predefined. Acunetix Web Vulnerability Scanner supports multiple sets of HTTP credentials for the same target website. HTTP authentication credentials can be configured to be used for a specific website host, URL, or even for a specific file only. To specify HTTP authentication credentials:
    1. Navigate to Configuration > Application Settings > HTTP Authentication.
    2. Click on the Add credentials button.
    [Screenshot 28: HTTP Authentication]
    3. Enter the Username and Password. In the Host text box, specify the main website URL, e.g. testphp.vulnweb.com. In the Path text box, specify the path where the credentials should be used, e.g. protected. Do not specify a path if the credentials are used site-wide.
11. Scanner must be configured as a proxy in your web browser. You can read more about the HTTP Sniffer and its configuration in chapter 7 of this manual.
    HTTP Fuzzer
    [Screenshot 11: HTTP Fuzzer]
    The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application's handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner. An example would be the following URL: http://testphp.acunetix.com/listproducts.php?cat=1. Using the HTTP Fuzzer you can create a rule that would automatically replace the last part of the URL with numbers between 1 and 999. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries without having to perform them one by one. More information about the HTTP Fuzzer can be found here:
12. [Screenshot 43: Sample Report]
    The second method is to load the Acunetix Web Vulnerability Scanner Reporter from the Acunetix Web Vulnerability Scanner Program Group. This will allow you to report on the scans that have been saved to the Reports database. You can then select to show the results of all the scans stored in the reports database, or to filter the scans that are displayed based on specific scan criteria. Click
13. [Screenshot 8: Blind SQL Injector]
    Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool with which you can make manual tests to further analyze SQL injections reported during a scan. The tool makes use of Blind SQL Injection techniques to enumerate databases and tables, dump data and also read specific files on the file system of the web server, if an exploitable SQL injection is discovered. With the Blind SQL Injector tool you can also run manual tests to check for different variants of SQL injection. Using this tool you can also run custom SQL SELECT queries against the database. More information about the Blind SQL Injector can be found here: http://www.acunetix.com/blog/docs/blind-sql-injector-tool
    HTTP Editor
    [HTTP Editor screenshot]
14. [Screenshot 58: URL Rewrite Rule]
    Specify if the rule set is generic for the whole website by ticking General rule. If it is for a specific directory only, tick Directory rule and specify the directory name.
    In the Regular Expression input field, specify a part of the URL, including regular expressions or a group of regular expressions, which Acunetix Web Vulnerability Scanner should use to recognize a rewritten URL. E.g. a pattern such as Details/(\d+) indicates that everything must be matched after the Details directory, as well as subsequent strings beginning with digits.
    In the Replace with input field, specify the URL Acunetix Web Vulnerability Scanner should request instead of the rewritten URL, e.g. /Mod_Rewrite_Shop/details.php?id=$1. The $1 will be replaced with the value retrieved from the first regular expression group specified in the Regular Expression input field, in this case (\d+). For example, if Acunetix finds the URL /Mod_Rewrite_Shop/Details/network-storage-d-link-dns-313-enclosure-1-x-sata/1 it will request the following: /Mod_Rewrite_Shop/details.php?id=1
    Tick the Last rule option to indicate that no more rules should be executed after this one. Tick Case insensitive if the URLs are not case sensitive. Tick the Match on the full URI option so that the regular expression is executed on the
15. [Screenshot 45: Filter Scans]
    4. Select the scan that you would like to report on.
    [Screenshot 46: Select Scan]
    5. Select what properties and details the report should include. The Report Properties window
16. [Screenshot 37: Finalize Scan Options]
    Before the scan is started, the Scan Wizard will show if any further actions are required. The following is a list of actions which you might be presented with:
    - If an error is encountered while connecting to the target server, the error will be shown.
    - If Acunetix Web Vulnerability Scanner is unable to automatically detect a custom 404 error page pattern, you will have to configure a custom 404 error page rule by clicking the Customize button. You can read more about Custom 404 error pages on page 84 of the manual.
    - If the target server is using case-insensitive URLs, you must force case-insensitive crawling. This can be done from Configuration > Scan Settings > Crawling Options > Ignore CASE differences in paths.
    - If AcuSensor Technology is enabled and the target server is PHP or .NET, you must install the agent. Click the Customize button to install AcuSensor on the target server. You can read more about AcuSensor on page 22 of this manual.
    - If additional hosts have been found to be linked to from the web site being scanned, you can option
17. Network security checks are fully scriptable, thereby allowing you to write new ones. The Acunetix Web Vulnerability Scanner Network Alert scripting reference is available from the following URL: http://www.acunetix.com/vulnerability-scanner/scriptingreference/index.html
    Custom 404 Error Pages
    A 404 error page is the page that appears when a requested page is not found. In many cases, rather than returning an HTTP status code 404 Not Found, websites return an HTTP status code of 200 Success and show a page formatted according to the look and feel of the website to inform the user that the page requested does not exist. Custom 404 error pages do not necessarily represent a server 404 error (page not found), and therefore Acunetix Web Vulnerability Scanner must be able to automatically identify these pages to detect the difference between a non-existent URL and a valid web page. By default, Acunetix Web Vulnerability Scanner will automatically detect custom 404 pages and patterns to match them, therefore you do not need to configure Custom 404 Error Pages rules manually. In case you want to override the Acunetix Web Vulnerability Scanner automatic detection, you can configure a custom error page rule by completing the following steps:
    [Custom 404 error page rule screenshot]
18. Next.
    From the Reports list, select the type of report and click on Report Wizard. In the case of a Compliance Report, select the Regulatory body or Standard to be used in the report. Click Next.
    [Screenshot 44: Select Compliance Report. The report styles listed are HIPAA, ISO 27001, NIST Special Publication 800-53, OWASP Top 10 (2004, 2007 and 2010), Payment Card Industry Data Security Standard version 1.1, and the 2010 CWE/SANS Top 25 Most Dangerous Software Errors.]
    Filter Scans
    If you have a big database of scan results, you may want to filter the results displayed on the scan selection page.
19. [Screenshot 6: Target Finder]
    The Target Finder is a scanner that allows you to locate web servers (generally on ports 80, 443) within a given range of IP addresses. If a web server is found, the scanner will also display the response header of the server and the web server software. The port numbers to scan are configurable. More information about the Target Finder can be found here: http://www.acunetix.com/blog/docs/target-finder
    Subdomain Scanner
    [Subdomain Scanner screenshot]
20. Scanner Minimum System Requirements
    - Operating system: Microsoft Windows XP and later
    - CPU: 32-bit or 64-bit processor
    - System memory: minimum of 2 GB RAM
    - Storage: 200 MB of available hard disk space
    - Microsoft Internet Explorer 7 or later (some components of Internet Explorer are used by Acunetix)
    - Optional: Microsoft SQL Server for the reporting database. By default a Microsoft Access database is used (Microsoft Access is not required).
    Installing Acunetix Web Vulnerability Scanner
    1. Download the latest version of Acunetix Web Vulnerability Scanner from the download location provided to you when you purchased the license.
    2. Double-click the webvulnscan9.exe file to launch the Acunetix Web Vulnerability Scanner installation wizard and click Next when prompted.
    3. Review and accept the License Agreement.
    4. Select the folder location where Acunetix Web Vulnerability Scanner will be installed.
    5. The installation will prompt you to install a unique root certificate used for HTTPS traffic and to create a desktop shortcut.
    6. Click Install to start the installation. Setup will now copy all files and install the Acunetix Web Vulnerability Scanner Scheduler service.
    7. Click Finish when ready.
    Registering with AcuMonitor Service
    [AcuMonitor Service dialog]
21. THE RESULTS .... 45
    Introduction to the Reporter .... 45
    Generating a Report from the Scan Results .... 45
    Types of Reports .... 47
    (illegible) .... 50
    (illegible) .... 51
    Changing the Reporter Database .... 51
    7 SITE CRAWLER .... 53
    Introduction .... 53
    Starting a Website Crawl .... 53
    Crawling Options .... 54
    (illegible) .... 56
    (illegible) .... 57
    Directory and File Filters .... 58
    URL Rewrite Rules .... 58
    (illegible) .... 60
    Configuring Input Fields to Traverse Web Form Pages .... 61
    8 MANUAL CRAWLING USING THE HTTP SNIFFER .... 63
    Introduction .... 63
    Configuring your Browser .... 63
    Capturing HTTP traffic .... 64
    HTTP Sniffer Trap Filters .... 65
    Editing a HTTP Request without a Trap .... 66
    9 COMPARE RESULTS TOOL .... 67
    Introduction .... 67
    Comparing Results .... 67
    Analyzing the Results Comparison .... 67
    10 SCANNING WEB SERVICES .... 69
    Introduction .... 69
    Starting a Web Service Scan .... 69
    (illegible) .... 70
    (illegible) .... 71
    11 THE SCHEDULER .... 72
    Introduction .... 72
    Configuring the Scheduler service .... 72
    Creating scheduled scans .... 74
    Importing scheduled scans .... 76
22. The Reporter can be launched after completing a scan or from the Acunetix Web Vulnerability Scanner program group, and can be used to generate various types of reports, including developer reports, executive reports, compliance standard reports, or a report that compares the results of two scans.
    Generating a Report from the Scan Results
    There are two ways to generate a report. After scanning a site, click on the Report button on the Acunetix toolbar. This will start the Acunetix Web Vulnerability Scanner Reporter and will load the Default Report for the scan. The Default Report used can be selected from the Reporter Settings.
    [Sample report screenshot: scan of http://testphp.vulnweb.com]
23. Acunetix Web Vulnerability Scanner v9 User Manual
    Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd.
    Acunetix Web Vulnerability Scanner is copyright of Acunetix Ltd. 2004-2013 Acunetix Ltd. All rights reserved.
    http://www.acunetix.com
    info@acunetix.com
    Document version 9. Last updated 13th August 2013.
    Contents
    1 INTRODUCTION TO ACUNETIX WEB VULNERABILITY SCANNER .... 4
    Why You Need To Secure Your Web Applications .... 4
    Acunetix Web Vulnerability Scanner .... 5
    Acunetix AcuSensor Technology .... 6
    2 ACUNETIX WEB VULNERABILITY SCANNER PROGRAM OVERVIEW .... 9
    (illegible) .... 9
    AcuSensor Technology Agent .... 9
    AcuMonitor Service .... 10
    Port Scanner .... 10
    Target Finder .... 11
    Subdomain Scanner .... 12
    Blind SQL Injector .... 13
    HTTP Editor .... 14
    HTTP Sniffer .... 15
    HTTP Fuzzer .... 16
    Authentication Tester .... 16
    Web Services Scanner and Web Services Editor .... 17
    Acunetix Web Vulnerability Scanner SDK .... 17
    (illegible) .... 18
    New in Acunetix
24. build the site's structure. The crawling process enumerates all files and is vital to ensure that all the files on your website are scanned.
    2. Scanning: Acunetix Web Vulnerability Scanner launches a series of web vulnerability checks against each file in your web application, in effect emulating a hacker. The results of a scan are displayed in the Alert Node tree and include comprehensive details on all the vulnerabilities found within the website.
    AcuSensor Technology Agent
    Acunetix AcuSensor Technology is a unique technology that allows you to identify more vulnerabilities than a traditional black-box web security scanner, and is designed to further reduce false positives. Additionally, it also indicates the code where the vulnerability was found. This increased accuracy is achieved by combining black-box scanning techniques with dynamic code analysis whilst the source code is being executed. For Acunetix AcuSensor to work, an agent must be installed on your website to enable communication between Acunetix Web Vulnerability Scanner and AcuSensor. Acunetix AcuSensor can be used with PHP and .NET web applications.
    AcuMonitor Service
    Some vulnerabilities can only be detected using an intermediate service. The Acunetix AcuMonitor service allows Acunetix Web Vulnerability Scanner to detect such vulnerabilities. Depending on the vulnerability, AcuMonitor can either report the vulnerability immediately during a scan, or a notification
can set the HTTP Sniffer to listen on all interfaces, so web client applications running on other machines can proxy traffic through the HTTP Sniffer for analysis. The HTTP Sniffer port can also be configured.

Capturing HTTP traffic

To capture HTTP traffic:
1. Go to the Tools > HTTP Sniffer node.
2. Click on the Start button to enable the HTTP Sniffer.
3. From your browser, browse the website that you are interested in. All HTTP requests and responses will be listed in the main window.
4. Click on a request or response to view the complete details. All the requests and responses will be displayed in the lower window pane.
5. Click Stop when browsing is complete. Keep in mind that when the HTTP Sniffer is stopped, the web browser will lose its connection to the target URL.
6. You can then save the browsing logs and load them into the crawler. Click Save to store the logs. Go to Tools > Site Crawler and click on the Build structure from HTTP sniffer log button. Browse to the sniffer log you just saved. The crawler will build the structure. You can then right-click on the site and scan it from within the Crawler, or save the crawl results and load them into the web scanner.

For more information about using the HTTP Sniffer: http://www.acunetix.com/blog/docs/manual-crawling-http-sniffer/

HTTP Sniffer Trap Filters

Through an HTTP Proxy trap filter you can configure the HTTP Sniffer to intercept an HTTP request for it to be man
email is sent directly to the user if the vulnerability is identified after the scan has finished. More information on the AcuMonitor Service can be found at http://www.acunetix.com/websitesecurity/acumonitor/

Port Scanner

Screenshot 5: Port Scanner. The Scan Results pane of a scan of http://testphp.vulnweb.com lists the open TCP ports found on the web server (e.g. 21 ftp, 22 ssh, 25 smtp, 53 domain, 80 http, 110 pop3, 143 imap, 443 https, 993 imaps, 995 pop3s, 8443 https-alt), together with the service banner returned by each port.
of file extensions to be included or excluded during a crawl. This is done by configuring the extensions in one of the following lists:

Include List: Process all files fitting the wildcard specified.
Exclude List: Ignore all files fitting the wildcard specified.

Note: Binary files such as images, movies and archives are excluded by default to avoid unnecessary traffic.

Directory and File Filters

This node enables you to specify a list of directories or filenames to be excluded from a crawl. Filters can be configured according to directory or file names, as well as through the use of wildcards to match multiple directories or files with the same filter. Regular expressions can also be used to match a number of directories or files. If a regular expression is specified as a filter, toggle the value to Yes under the Regex column by clicking on it.

Screenshot 56: Directory and File Filter rules. The node has Add URL, Add Filter and Remove buttons, and lists each filter beneath its website (e.g. http://www.acunetix.com) with a Regex column set to Yes or No.

To add a directory or file rule:
1. Click the Add URL button and specify the address of the website where the directory or file is located.
2. Click the Add Filter button and specify the directory or filename, a wildcard or a regular expression. When specifying a directory, do not add a slash in front of the directory name. A trailing slash is automati
on the Save button to save the profile.

Modifying a Scanning Profile
1. Select the scanning profile you would like to edit from the Profile drop-down menu.
2. Check or un-check all the vulnerability (security) checks you would like to include in or exclude from the scanning profile.
3. Click on the Save button to save the profile.

Creating custom vulnerability checks

Acunetix Web Vulnerability Scanner allows you to create your own web and network vulnerability checks. For example, if you are familiar with a particular web application and want to create specific checks for it, you can use the Acunetix Vulnerability Check SDK to create your own vulnerability checks. More information about creating vulnerability checks can be found here: http://www.acunetix.com/blog/docs/creating-custom-vulnerability-checks/

15 More Information

User Manual
The most common queries can be answered by consulting this user manual.

Frequently Asked Questions
Our support team maintains a list of frequently asked questions at http://www.acunetix.com/support/faq/

Acunetix Blog
We highly recommend that you follow our security blog by browsing to http://www.acunetix.com/blog/

Request Support
If you encounter persistent problems that you cannot resolve, we encourage you to contact the Acunetix Support team via e-mail at support@acunetix.com. Please include any information you think is useful to help us diagnose your issue, such as information on the web
only request headers only, etc.
6. In the Regular expression option, enter a regular expression that matches the data you would like to trap.
7. Once the new trap is ready, click on the Add button to save the new trap. This will add the trap and automatically enable it. You can enable or disable traps by clicking on the tick box in front of the trap rule.
8. Click the OK button to return to the HTTP Sniffer dialog and click on the Enable traps button to activate the traps in the HTTP Sniffer.

The Trap Form

Screenshot: the HTTP Trap form. The Structured view shows the trapped response's status line (HTTP/1.1 200 OK) and its headers (Date, Server, X-Powered-By, Content-Length, Keep-Alive, Content-Type, Proxy-Connection), each with a tick box, while the Text Only view shows the raw HTML body of the response, here the start of the testphp page "Home of Acunetix Art".
recipients or additional information to the message body to a vulnerable web form to spam a large number of recipients anonymously.

2 Acunetix Web Vulnerability Scanner Program Overview

Acunetix Web Vulnerability Scanner is a suite of tools that allows you to secure your website in the most efficient manner. It consists of the following components:

Screenshot: the Acunetix Web Vulnerability Scanner Consultant Edition main window. The Tools Explorer on the left groups the components into Web Scanner; Tools (Site Crawler, Target Finder, Subdomain Scanner, Blind SQL Injector, HTTP Editor, HTTP Sniffer and others); Web Services (Web Services Scanner, Web Services Editor); Configuration (Application Settings, Scan Settings, Scanning Profiles); and General (Program Updates, Version Information, Licensing, Support). The start page summarizes each group: Web Scanner performs automatic security auditing for web applications; Tools are security tools that contribute to the auditing process; Web Services are tools for auditing web services; Configuration covers the application and the scanning profiles; General is used to perform application updates and to check version information, licensing, technical support and purchasing information.
recognize the difference between a logged-in session and a logged-out session. Click Next to proceed with the wizard.

Screenshot 35: Recorded login sequence review. Sequence Name: testphp.vulnweb.com_login. Login Actions: POST http://testphp.vulnweb.com/userinfo.php. Logout Actions: GET http://testphp.vulnweb.com/logout.php. Session Detection: Detection URL http://testphp.vulnweb.com/.

8. Review the recorded sequence. You can change the priority of URLs using the up and down arrows, edit requests, and add or remove requests. Click Finish to finalize the session recording.

Note: Login sequences are saved in the Documents folder of the Public profile. The default path is <C:\Users\Public\Documents\Acunetix WVS 9\LoginSequences>.

Marking Pages for Manual Intervention (used for CAPTCHAs)

If some pages in your web application require manual intervention, such as pages with a CAPTCHA, One-Time Password or Two-Factor authentication, use the Login Sequence Recorder to configure the crawler to wait for user input when crawling such pages.

To mark a page for manual intervention:
1. Launch the Login Sequence Recorder and enter the web application URL in the first step.
2. In the second step of the wizard (Record Login Sequence), click on the Pause button to pause the recording and enter the URL of the page which requires human input in the URL input field.

Screenshot: the Manual Intervention dialog.
scanning and crawling, so as to never overwrite the custom cookies with new ones sent from the website during a crawl or scan.

Enter the URL of the site for which the cookie will be used in the left-hand URL column. Enter the custom string that will be sent with the cookie, e.g. if the cookie name is Cookie_Name and the content is XYZ, enter Cookie_Name=XYZ. Click Apply to save the changes.

Configuring Input Fields to Traverse Web Form Pages

Many websites include web forms that capture visitor data, like download forms. Acunetix Web Vulnerability Scanner can be configured to automatically submit random data or specific values to web forms during the crawl and scan stages of a security audit.

Note: By default, Acunetix Web Vulnerability Scanner uses a generic submit rule that will submit generic and random values to any kind of web form encountered during a crawl or scan.

To specify a list of pre-defined values that must be automatically entered on a web form or web service:

Screenshot: the Configuration > Scan Settings > Input Fields node in the Acunetix Web Vulnerability Scanner Consultant Edition (Template: Default), alongside the other Scanning Options nodes (Headers and Cookies, Parameter Exclusions, GHDB, Web Services, File Extension Filters, Directory and File Filters, URL Rewrite). The node's description notes that wildcards can be used to define a range of URLs for each input value.
select the profile sql_injection. No additional tests will be performed. The Default scanning profile will test your website for all known web vulnerabilities. Refer to the Scanning Profiles section on page 80 for more information on how to customize or create scanning profiles.

Scan Settings template

The Scan Settings template will determine what Crawler and Scanner settings are to be used during a scan. Refer to the Scan Settings templates section on page 80 for more information on how to customize or create new Scan Settings templates.

Save scan Results

If you want to automatically save the scan results to the reporting database, enable the Save scan results to the database for report generation option. You can read more about the Acunetix Reporter on page 45 of this user manual.

Crawling Options

Tick the option After crawling, let me choose which files to scan if you would like to select or deselect files from the automated website security scan instead of scanning the whole website.

Tick the option Define list of URLs to be processed by crawler at start if you would like a specific URL to be crawled before any other (not available if using saved crawling results).

Step 3: Confirm Targets and Technologies Detected

Screenshot: the Select Targets step of the Scan Wizard. Its instruction reads: "Please wait until the scanning is finished and then select the targets you want to scan from the list below. For every target you can enter details such as ope
specified below.

Memory Optimization: Enabling this option instructs Acunetix Web Vulnerability Scanner to store temporary data in the specified location instead of in system memory. Acunetix Web Vulnerability Scanner must have full access to this folder. This will greatly reduce overall memory usage. In this section you can also configure the amount of memory the crawler should use. If during a crawl the crawler consumes the configured amount of memory, the crawl will stop and the scanning will proceed.

Display Options

Display custom HTTP status information: Display the full HTTP response status line, header and the corresponding status string.

Display HTTPS status icon: Enable this option to show a padlock icon next to files or directories that are accessed via HTTPS and not HTTP.

Password Protection

In this section the user can set a password to restrict access to the Acunetix Web Vulnerability Scanner main interface and all the other Acunetix Web Vulnerability Scanner applications, such as the Reporter. To create a new password, enter the password in the fields New Password and Confirm New Password. To remove password protection, enter the current password in the field Current Password and leave the other 2 fields blank.

AcuSensor Deployment

From the AcuSensor Deployment node you can configure the settings for the AcuSensor and generate the AcuSensor Installation Files. More information on this can be found in the Installi
this:
Navigate to Configuration > Application Settings > Client Certificates.
Specify a certificate location by browsing to the certificate with the Browse icon next to the Certificate file text box, and enter the certificate password in the Password text box.
Enter the URL which needs a client certificate to be accessed.
Click on Import and Apply to save the certificate information.

Login Sequence Manager

The Login Sequence Manager allows you to manage your recorded login sequences, including the ones that have been defined prior to a scan. You can add, edit or remove Login Sequences from this node.

False Positives

When a specific vulnerability is marked as False Positive in the scan results, it will be listed in this node. Press on the button to remove a vulnerability from the list of False Positives.

Note: False positives are site-specific (by URL and file). Therefore, if you mark an XSS vulnerability on http://www.testphp.vulnweb.com/artists.php as a false positive, when you scan another site this vulnerability will show up again if it is discovered.

HTTP Sniffer

From the HTTP Sniffer node you can specify the interface and the port that the HTTP Sniffer will listen on.

Scheduler

From the Scheduler node you can configure the settings for the Acunetix Web Vulnerability Scanner Scheduler service. More information can be found in The Scheduler chapter on page 72.

Miscellaneous

From this node you can configure the options
where the scan result is to be sent. If no email address is specified in this section, the email address specified in the scheduler settings is used. In addition, the Report template field allows you to specify what report template to use. You can choose among four templates, which are Affected Items, Developer Report, Executive Summary and Quick Report.

Importing Scheduling Scans

If you would like to schedule up to 2,000 scans, you can use a CSV file to import the scheduled scans' properties.

CSV File Properties

Each line in the CSV file should only contain 1 scan. For each scan you should specify the below properties:

- URL: Specify the URL, with or without protocol (http and https). If no protocol is specified, http is used. This entry is mandatory.
- Date: Specify the date when the scan should be launched. The date format is DDMMYYYY and should be a single string, e.g. if a scan is to be scheduled for the 5th of November 2012, the date should be 05112012. This entry is mandatory.
- Time: Specify the time when the scan should be launched. The time format is 24 hours and should be a single string of 4 digits, e.g. 10am should be 1000 and 10pm should be 2200. This entry is mandatory.
- Scanning Profile: Specify the name of an existing scanning profile to be used during the scan. If not specified, the default scanning profile will be used during the scan.
- Login Sequence: Specify the name of an existing login sequence if you want to u
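As an added example (not Acunetix code), the following Python script validates the rows of a scheduled-scan CSV against the properties listed above before the file is imported. It assumes the column order given above (URL, Date, Time, Scanning Profile, Login Sequence), passes any later columns through untouched because the property list is not reproduced in full here, and works on constructed sample rows.

```python
"""Validator for the Acunetix WVS 9 scheduled-scan CSV import format.

Added example, not Acunetix code. It checks the per-scan properties the
manual lists (URL, Date as DDMMYYYY, Time as HHMM 24-hour, Scanning
Profile, Login Sequence) and the 2,000-scan import limit. Columns beyond
the fifth are kept untouched, because the manual's property list is not
reproduced in full here (assumption).
"""
import csv
import io
from datetime import date, datetime, time
from typing import Dict, List, Tuple

MAX_SCANS = 2000  # the import limit stated in the manual


def normalize_url(raw: str) -> str:
    """URL is mandatory; without a protocol, http is used."""
    url = raw.strip()
    if not url:
        raise ValueError("URL is mandatory")
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return url


def parse_date(raw: str) -> date:
    """Date is a single 8-digit string DDMMYYYY, e.g. 05112012."""
    s = raw.strip()
    if len(s) != 8 or not s.isdigit():
        raise ValueError(f"date must be 8 digits (DDMMYYYY), got {s!r}")
    try:
        return datetime.strptime(s, "%d%m%Y").date()
    except ValueError:
        raise ValueError(f"date {s!r} is not a valid calendar date") from None


def parse_time(raw: str) -> time:
    """Time is a single 4-digit 24-hour string, e.g. 1000 or 2200."""
    s = raw.strip()
    if len(s) != 4 or not s.isdigit():
        raise ValueError(f"time must be 4 digits (HHMM, 24-hour), got {s!r}")
    try:
        return datetime.strptime(s, "%H%M").time()
    except ValueError:
        raise ValueError(f"time {s!r} is out of range") from None


def validate_row(row: List[str]) -> Dict[str, object]:
    """Validate one CSV line (one scan). Raises ValueError on a bad field."""
    if len(row) < 3:
        raise ValueError("URL, date and time are mandatory")
    cells = row + [""] * max(0, 5 - len(row))  # optional columns may be absent
    profile = cells[3].strip()
    login = cells[4].strip()
    return {
        "url": normalize_url(cells[0]),
        "date": parse_date(cells[1]),
        "time": parse_time(cells[2]),
        # None means "use the scanner's default profile" / "no login sequence"
        "scanning_profile": profile or None,
        "login_sequence": login or None,
        "extra": cells[5:],  # later columns, passed through unchanged
    }


def validate_csv(text: str) -> Tuple[List[Dict[str, object]], List[Tuple[int, str]]]:
    """Return (valid scans, [(line number, error message)]) for a whole file."""
    good: List[Dict[str, object]] = []
    bad: List[Tuple[int, str]] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # skip blank lines
        try:
            good.append(validate_row(row))
        except ValueError as exc:
            bad.append((lineno, str(exc)))
    if len(good) > MAX_SCANS:
        bad.append((0, f"{len(good)} scans exceed the {MAX_SCANS}-scan import limit"))
    return good, bad


# Constructed sample input: two valid scans, then a 7-digit date and a
# time written with a colon, both of which the import format rejects.
SAMPLE_CSV = """\
testphp.vulnweb.com,05112012,1000,Default,
http://testphp.vulnweb.com/,05112012,2200,Default,testphp.vulnweb.com_login
https://example.invalid,5112012,1000
example.invalid,05112012,10:00
"""

if __name__ == "__main__":
    scans, errors = validate_csv(SAMPLE_CSV)
    for scan in scans:
        print("OK  ", scan["url"], scan["date"], scan["time"].strftime("%H%M"))
    for lineno, msg in errors:
        print("ERR line", lineno, msg)
```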
12 APPLICATION SETTINGS ..... 77
13 SCAN SETTINGS ..... 80
Creating custom vulnerability checks ..... 87
15 MORE INFORMATION ..... 88
User Manual ..... 88
Frequently Asked Questions ..... 88
Acunetix Blog ..... 88
Request Support ..... 88
Knowledge base / Support page ..... 88
Acunetix Facebook page ..... 88

1 Introduction to Acunetix Web Vulnerability Scanner

Why You Need To Secure Your Web Applications

Website security is today's most overlooked aspect of securing the enterprise and should be a priority in any organization. Increasingly, hackers are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites. A victim's website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website's bandwidth and making its owner liable for these unlawful acts.

Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g. URL, Cookie, HTTP headers, web forms), Authen
Screenshot 36: Manual browser window. The browser shows the login page http://testphp.acunetix.com/login.php with the fields Name, Surname, Company, Phone, Email and Type verification image.

3. Once the page is loaded, click on the Manual Intervention button. Proceed by clicking the Next button till the end of the wizard. Once a scan is launched, a browser window will automatically pop up when the application page is reached. You can now perform the required action. Click Done once the action is complete.

Note: Only one page has to be marked for manual intervention. If you have more than one page that requires manual intervention, specify these URLs the first time the browser window automatically appears during the crawl and perform the action on those pages as well. This allows the crawler to automatically process those pages without you having to wait for another dialog to appear.

More information and a video about the Login Sequence Recorder can be found here: http://www.acunetix.com/blog/docs/acunetix-wvs-login-sequence-recorder/

Step 6: Finalize Scan Options

Screenshot: the Finish step of the Scan Wizard. Its text reads: "After analyzing the website responses we have compiled a list of recommendations for the current scan. Additional hosts detected: some additional hosts were detected. Check the ones you want to include in the scan." The detected hosts listed include download.macromedia.com.
Screenshot 13: Web Services Scanner. A scan of http://testaspnet.vulnweb.com/acuservice/service.asmx?WSDL has finished with 4 alerts: Blind SQL Injection (2) and SQL injection (verified) on the GetUserInfo operation (parameter username) of the Service/ServiceSoap and Service/ServiceSoap12 port types.

The Web Services Scanner allows you to launch automated vulnerability scans against WSDL-based Web Services. Web Services are commonly used to exchange data, and generally vulnerabilities in Web Services can easily be used to leak sensitive information.

The Web Services Editor allows you to import an online or local WSDL for custom editing and execution of various web service operations over different port types, for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages, to easily edit SOAP headers and customize your own manual attacks.

Acunetix Web Vulnerability Scanner SDK

Screenshot: the SDK folder shipped under acunetix\documents\manuals\SDK, with example scripts such as basicXSS and the SDK object reference (AspectData, AspectDataItem, HTMLForm, HTMLFormInput, HTMLQuery, HTMLTo
AcuSensor, refer to page 22 in this manual.

Port Scanner

While scanning a website you can also choose to launch a port scan against the web server hosting the site. The port scanner will scan the web server using a specific list of ports. If a port is found to be open, the port scanner will identify what network service is running on that port and will launch a number of security checks specifically targeting the discovered network service. Therefore, if a DNS server is discovered, tests such as DNS open zone transfer and DNS open recursion tests are run against the network service.

The Port Scanner configuration options are:

Number of sockets used for scanning: Specify the amount of network sockets to be used by the Port Scanner module. The larger the number, the faster the scan will be, but it will also increase the load on the web server.

Connection timeout in seconds: Specify the timeout in seconds, i.e. if there is no response when trying to connect to a port within the specified amount of seconds, the port will be considered as closed.

List of scanned ports: The list of specified ports which the Port Scanner will check. Use the button to add a port and a description, and use the button to remove selected ports from the list.

A list of open ports on the server will be displayed in the scan results under Knowledge Base > List of open TCP Ports in the Scan Results window pane.

Note: The Network Alert Scripts
Acunetix Web Vulnerability Scanner Scheduler can be used to scan multiple websites at the same time, since it launches an instance of Acunetix Web Vulnerability Scanner for each simultaneous scan. You can read more about the Acunetix Web Vulnerability Scanner Scheduler on page 72 of this manual.

3. Click Next to continue.

Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options

Screenshot 25: Scanning Profile and Scan Settings template. The Options step of the Scan Wizard ("Adjust crawling/scanning options from this page") offers: Scanning options, where the scanning profile enables or disables different tests or groups of tests from the test database (Scanning profile: Default) and the scanning settings adjust scanning behaviour for the current scans (Scan settings: Default, with a Customize button), plus the Save scan results to database for report generation tick box; and Crawling options, which define the behaviour of the crawler for the current scans only (the general crawler behaviour is modified in the settings), including Define list of URLs to be processed by crawler at start with a Filename field.

Scanning Profile

The Scanning Profile will determine which tests are to be launched against the target website. For example, if you only want to test your website(s) for SQL injection
Screenshot 3: AcuSensor pin-points vulnerabilities in code. The alerts tree of a scan of testphp.vulnweb.com lists the AcuSensor-enabled findings (e.g. Form found in redirect page, PHPinfo page found, Source code disclosure, Hidden form input named price was found, User credentials are sent in clear text, Broken links, Email address found, and the GHDB entries for the default phpinfo page and generic MySQL error messages) next to the HTTP request that triggered each alert, while the activity log at the bottom records the scan finishing and its results being saved to the database.

The increased accuracy available for PHP and .NET web applications is achieved by combining black-box scanning techniques with feedback from sensors placed inside the source code. Black-box scanning does not know how the application reacts, and source code analyzers do not understand how the application will behave while it is being attacked. AcuSensor technology combines both techniques to achieve significa
Screenshot 63: HTTP Sniffer Edit Trap window. It lists the preconfigured trap rules, each with the regular expression it matches on requests or responses (GET/POST request lines, Host, User-Agent, Accept-Encoding, Content-Type, Server and X-Powered-By headers) and the variables it captures (Host, User-Agent, Server, X-Powered-By, URL, GET vars, POST vars).

1. In the HTTP Sniffer toolbar, click on the Edit traps button to launch the HTTP Traps window.
2. Select a trap rule template, e.g. trap requests, or trap ASP or PHP requests. This will load up a preconfigured trap which you can edit.
3. Alternatively, you can create a new trap by first entering a description for the rule.
4. Specify the rule type from the following 4 options:
- Include: Configure which HTTP requests and responses should be trapped.
- Exclude: Configure which HTTP requests and responses should be excluded.
- Replace or change rules: Configure which HTTP requests should be automatically changed based on the given expression.
- Logging rules: Configure which HTTP requests or responses should be logged in the Activity window.
5. The type of traffic that will be captured by the trap must also be configured. Traps can be set to capture all traffic, HTTP requests
P Editor by clicking on the HTTP Editor button in the Web Services Editor toolbar. The HTTP Editor tool will automatically import the data so the request can be customized and sent as an HTTP POST request.

11 The Scheduler

Introduction

The Scheduler application allows you to schedule scans at a convenient time without requiring Acunetix Web Vulnerability Scanner or the Acunetix Web Vulnerability Scanner Scheduler Interface to be running.

Configuring the Scheduler service

The Acunetix Scheduler has a web-based interface that can be configured through the Acunetix Web Vulnerability Scanner application settings. To access the Scheduler service settings, navigate to the Configuration > Application Settings > Scheduler node.

Screenshot 68: Scheduler web interface configuration. The node shows the Scheduler web interface address (http://localhost:8181) and the options Allow remote computers to connect, Use HTTPS and Change administrative password.

By default, the Scheduler web interface is only accessible via localhost and on port 8181 (http://localhost:8181). If you would like the Scheduler web interface to be accessible from other remote computers, tick the Allow remote computers to connect option. When enabled, you will be prompted to specify a username and password, and HTTPS will be enabled automatically. For security reasons, login credentials must always be defined when the Scheduler web interface is configured to be accessed remotely.

Note: Whe
P requests and responses exchanged between a web client (a browser or other HTTP application) and a web server. The HTTP Sniffer can be used to manually crawl sections of a website that cannot be crawled automatically by Acunetix Web Vulnerability Scanner. The captured data can then be loaded into the Crawler and used to launch a scan. To capture live traffic, your web browser must be configured to proxy through the HTTP Sniffer, and the logs are then exported to the Site Crawler. You can read more about this process at the following URL: http://www.acunetix.com/blog/docs/manual-crawling-http-sniffer/

The HTTP Sniffer can also be used to analyze HTTP traffic and to trap particular POST or GET requests, which can be changed on the fly, manually or automatically, to emulate a man-in-the-middle attack.

Configuring Your Browser

To start capturing traffic, you must first configure your browser to use the Acunetix HTTP Sniffer as its proxy server.

Mozilla Firefox
1. From the Tools drop-down menu, select Options. In the Connection section, click on Settings and tick Manual proxy configuration.
2. Set HTTP Proxy to 127.0.0.1 and Port to 8080. If you also need to capture SSL traffic, configure the SSL Proxy to 127.0.0.1 and Port to 8080.
3. Click OK to save all options and close all configuration windows.

Internet Explorer
From the Tools drop-down menu, select Internet Options, then select LAN Settings from the Connections tab.

Screenshot: the Internet Explorer Local Area Network (LAN) Settings dialog, starting with "Automatic configuration: Automatic configuration may override
T or a PHP website, use one of the following procedures to install the AcuSensor files.

Installing the AcuSensor agent for ASP.NET Websites

1. Install Prerequisites on the server hosting the website. The AcuSensor installer application requires Microsoft .NET Framework 3.5.

Screenshot 18: Enable IIS 6 Metabase Compatibility on Windows 2008. The Select Role Services page of the Add Role Services wizard for Web Server (IIS), with the IIS 6 Management Compatibility group expanded (IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools, IIS 6 Management Console). The description reads: "IIS 6 Metabase Compatibility provides the infrastructure to query and configure the metabase so that you can run applications and scripts migrated from earlier versions of IIS that use Admin Base Object (ABO) or Active Directory Service Interface (ADSI) APIs."

On Windows 2008 you must al
The credentials used to access this proxy. If no authentication is required, leave these options empty.

Upgrading from a previous version of Acunetix Web Vulnerability Scanner

It is recommended that you back up your settings before proceeding with the upgrade, as per http://www.acunetix.com/blog/docs/backup-acunetix-settings-customizations/

Perform the following to upgrade a previous version of Acunetix Web Vulnerability Scanner to the latest version:
1. Close all instances of Acunetix Web Vulnerability Scanner and related utilities such as the Reporter.
2. Optionally, back up the Login Sequences if you would like to use these in the newer version. Depending on the version, these can be copied from <C:\Program Files (x86)\Acunetix\Web Vulnerability Scanner X\Data\General\LoginSequences> for version 7 or older, or from <C:\Users\Public\Documents\Acunetix WVS X\LoginSequences> for newer versions.
3. Optionally, back up the Reporting Database if you would like to use it in the newer version. If you are using an Access Database, the default location of the database is <C:\Program Files (x86)\Acunetix\Web Vulnerability Scanner X\Data\Database\vulnscanresults.mdb>.
4. From the Acunetix Web Vulnerability Scanner Program Group, select to uninstall the product.
5. Install the newer version of Acunetix Web Vulnerability Scanner.
6. To restore the Login Sequences, copy the files backed up in step 2 to <C:\Users\Public\Documents\Acunetix WVS X\LoginSe
The page is displayed as it is shown in a web browser. Most client-side scripts are disabled in this tab for security purposes, to avoid launching vulnerabilities against the computer on which Acunetix Web Vulnerability Scanner is running.

HTML Structure Analysis

HTML structure information such as:
- A list of links discovered in the file.
- Comments discovered in the selected page. The information contained in the comments cannot be automatically analyzed, but may reveal interesting information about the construction and coding of the website.
- Any client-side scripts (JavaScript, VBScript, etc.) and their source code discovered in the selected page. The client web browser will execute these scripts. Such information might reveal information about the logic of the web application.
- Any forms discovered in the selected object are shown in the top window. A list of parameters and their possible values are shown in the middle and bottom windows.
- A list of META tags discovered in the selected object. META tags contain information about the website, e.g. the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, such META tags control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP hea
From the Report Options node you can customize the layout, titles and images in the headers of the report.

Screenshot 50: Reporter Options General Settings (Default report template when called from WVS: Affected Items; Display left image and Display right image, each with a Restore to Default button; Report title and Footer text: Acunetix Website Audit)

Report Options: Configure the default report template for generating a report. Select custom icons, logos, headers and footers to customize the report.

From the Page Settings node you can configure the default page size, orientation and margins of your reports. These settings will apply to all reports.

Saving Reports

Once you have generated your report, you can use the toolbar at the top to save the report in PRE (prepared reports) format, which will allow you to review the report later. You can also export the report to PDF, HTML, Text, Word Document and BMP, or print the report.

Changing the Reporter Database

Acunetix Web Vulnerability Scanner stores the scan results in a backend database. By default Microsoft Access is used. You might want to switch to using Mi
Web Vulnerability Scanner Version ... 18
Acunetix Blog and Support Page ... 19
Licensing Acunetix Web Vulnerability Scanner ... 19
3 INSTALLING ACUNETIX WEB VULNERABILITY SCANNER ... 21
Minimum System Requirements ... 21
Installing Acunetix Web Vulnerability Scanner ... 21
Registering with AcuMonitor Service ... 21
Installing the AcuSensor Agent ... 22
Disabling and uninstalling AcuSensor ... 25
Configuring an HTTP Proxy or SOCKS Proxy Server ... 26
Upgrading from a previous version of Acunetix Web Vulnerability Scanner ... 27
4 SCANNING A WEBSITE ... 29
Step 1: Select Target(s) to Scan ... 29
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options ... 30
Step 3: Confirm Targets and Technologies Detected ... 31
Step 4: Configure Login for Password Protected Area ... 31
Step 5: Scanning a Form Based Password Protected Area ... 34
Step 6: Finalize Scan Options ... 38
Step 7: Completing the Scan ... 39
5 ANALYZING THE SCAN RESULTS ... 40
Introduction ... 40
6 GENERATING A REPORT FROM
alled on your server. Select which applications you would like to inject with AcuSensor Technology and select the Framework version from the drop-down menu. Click on Inject Selected to inject the AcuSensor Technology code in the selected .NET applications. Once the files are injected, close the confirmation window and also the AcuSensor Technology Injector.

Note: The AcuSensor installer will try to automatically detect the .NET framework version used to develop the web application, so you do not have to manually specify which framework version was used from the Target Runtime drop-down menu.

Installing the AcuSensor agent for PHP websites

If your web application is written in PHP:

1. Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.
2. There are 2 methods to install the AcuSensor agent: one method can be used for Apache servers, and the other method can be used for both IIS and Apache servers.

Method 1: Apache .htaccess file

Create a .htaccess file in the website directory and add the following directive:

php_value auto_prepend_file "<path to acu_phpaspect.php file>"

Note: For Windows use C:\sensor\acu_phpaspect.php and for Linux use /Sensor/acu_p
ally select to scan these too. You will require permissions to scan the selected hosts too.

- If a smartphone-friendly version of the website is detected, you will be given the option to crawl and scan the site as a normal browser or as a mobile browser.
- If you have made changes to the Scan Settings template, you can also save the modifications to the existing template or to a new template. Refer to page 80 of this user manual to read more about the Scan Settings templates.

Step 7: Completing the scan

Click on Finish to start the automated scan. If the option "After crawling let me choose the files to scan" was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, the scanning profile selected and the server response time, a scan may take up to several hours.

5 Analyzing the Scan Results

Introduction

The vulnerabilities discovered during the scan of a website are displayed in real time in the Alerts node in the Scan Results window. A Site Structure node is also shown, listing the files and folders discovered.

Screenshot: Scan Results window (Acunetix Threat Level 3: one or more high severity type vulnerabilities have been discovered; Web Alerts (34))
and click Send to pass the SOAP request to the web service. The web server response can then be viewed in a structured or XML view type in the lower window pane.

Response Tab: Displays the response sent back from the web service in raw XML format.

Structured Data Tab: Presents the XML data received from the web service response using a hierarchy of nodes that show the value for each element.

WSDL Structure Tab: Presents a detailed view of the web service data as provided by the WSDL structure. The WSDL information is structured in the form of nodes and sub-nodes, and the main nodes of the tree structure are XML Schema and Services. The XML Schema node lists all the ComplexTypes and the Elements of the web service. The Services node lists all the web service ports and their respective operations, together with the resource details of the source of the SOAP data. A more detailed WSDL structure can also be shown by ticking "Show detailed WSDL structure" at the bottom of the screen. This will provide extensive information for each sub-node of the Services node structure, such as input messages and parameters.

WSDL Tab: This tab shows the actual WSDL data in the form of XML tags. Using the toolbar provided at the bottom of the screen you can search for certain keywords or elements in the source code and also change the syntax highlighting if needed.

HTTP Editor Export

In the Web Services Editor you can export a SOAP request to the HTT
anning. The Port Scanner performs a port scan against the web server hosting the scanned website. When open ports are found, Acunetix Web Vulnerability Scanner will perform network level security checks against the network service running on that port, such as DNS Open Recursion tests, badly configured proxy server tests, weak SNMP community strings and many other network level security checks. You can also write your own network services security checks using the script engine. A scripting reference is available from the following URL: http://www.acunetix.com/vulnerability-scanner/scriptingreference/index.html

10 Target Finder

Screenshot: Target Finder in Acunetix Web Vulnerability Scanner Consultant Edition, listing the web servers found on the 192.168.7.x range with their server banners (e.g. Apache/2.2.21 (Win32) PHP/5.4.0) and, for the selected host, its response headers (HTTP/1.1 200 OK; Date: Thu, 24 Jan 2013 12:22:57 GMT; Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3)
ate such a pattern automatically:

1. Enter the website's URL in the Browse URL input field and click GO. The browser will request non-existing URLs to trigger the Custom 404 error page.
2. Highlight the unique text from the custom error page.
3. Click Generate pattern from selection.

14 Scanning Profiles

The scanning profiles enable you to specify which type of vulnerability checks (e.g. XSS, SQL Injection) you would like to run on your website. From the Configuration > Scanning Profiles node in the Tools Explorer window pane you can create or edit scanning profiles, including the default set.

Default Scanning Profiles

A number of default scanning profiles are included with Acunetix Web Vulnerability Scanner. Below is a list of all the scanning profiles and a summary of the security checks they perform. For a detailed list of the vulnerability checks that are included in each scanning profile, navigate to the Configuration > Scanning Profiles node in the Tools Explorer and select the profile name from the Profile drop-down menu. The tests selected with a checkbox will be launched when the scanning profile is used, such as directory traversal, file tampering etc.

- Blind SQL injection vulnerability checks only
- CSRF: Cross site request forgery vulnerability checks only
- Directory_and_File_checks: A number of security checks related to files, such as text search and backup file checks, and directory
b security project led by an international community of corporations, educational institutions and security researchers. OWASP is renowned for its work in web security, specifically through its list of top 10 web security risks to avoid. This report shows which of the detected vulnerabilities are found in the OWASP top 10 vulnerabilities.

Payment Card Industry (PCI) standards: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard which applies to organizations that handle credit card holder information. This report identifies vulnerabilities which might breach parts of the standard and groups the vulnerabilities by the requirement that has been violated.

Sarbanes Oxley Act: The Sarbanes Oxley Act was enacted to prevent fraudulent financial activities by corporations and top management. Vulnerabilities which are detected during a scan and which might lead to a breach in sections of the Act are listed in this report.

DISA STIG Web Security: The Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense. This report identifies vulnerabilities which violate sections of the STIG and groups the vulnerabilities by the sections of the STIG guide which are being violated.

Web Application Security Consortium (WASC) Threat Classification: The Web Application Security C
cally added to the end of the website URL.

Note: Directory and file filters specified for the root or any other directory of a website are not inherited by their sub-directories; therefore filters must be specified separately for sub-directories, as shown in the screenshot above.

URL Rewrite rules

Many web applications, such as shopping carts, and off-the-shelf applications such as WordPress and Joomla, use URL rewrite rules. Acunetix needs to understand these rewrite rules in order to navigate and understand the website structure and actual files better, and to avoid crawling non-existent objects.

Screenshot 57: URL Rewrite Configuration (URL Rewrite Editor with a global rule for hostname http://testphp.vulnweb.com: the regular expression artist.php/subsection/(\d+)/details/(\d+) is replaced with artist.php?subsection=$1&details=$2; a Test Rule button is available)

Adding a URL rewrite rule manually

1. Navigate to the Configuration > Scan Settings > Crawling Options > URL rewrite node.
2. Click the Add Ruleset button to open the URL rewrite editor window and enter the host name of the target website for which the rule will be used. Click on the add rule button to open the Add rule dialogue.

Screenshot: Rule Properties dialogue (This rule will apply to: General rule or Directory rule; Regular expression)
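The rule shown in Screenshot 57 can be checked outside the editor. The following Python script is an added example, not part of the Acunetix manual or product: it applies rewrite rules written in the editor's $1/$2 replacement notation to crawled URLs, so that many virtual paths collapse to one real script with named parameters. The rule for testphp.vulnweb.com is reconstructed from the screenshot; the shop directory rule, the match_query option and the sample URLs are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit


class RewriteRule:
    """One rule of a URL rewrite ruleset, in the form the URL Rewrite Editor uses."""

    def __init__(self, pattern, replacement, directory="", match_query=False):
        self.regex = re.compile(pattern)
        # The editor writes captured groups as $1, $2 ...; Python's re wants \1, \2 ...
        self.replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        # "" means a general rule; a directory rule only applies below that directory
        self.directory = directory.strip("/")
        # Match the whole URI including the query string instead of the path only
        self.match_query = match_query

    def apply(self, path, query):
        """Return (new_path, new_query) if the rule matches, otherwise None."""
        rel = path.lstrip("/")
        if self.directory:
            prefix = self.directory + "/"
            if not rel.startswith(prefix):
                return None
            rel = rel[len(prefix):]
        subject = rel + ("?" + query if self.match_query and query else "")
        if not self.regex.search(subject):
            return None
        rewritten = self.regex.sub(self.replacement, subject, count=1)
        if self.directory:
            rewritten = self.directory + "/" + rewritten
        new_path, _, new_query = rewritten.partition("?")
        if query and not self.match_query:
            # keep a query string that was already on the original URL
            new_query = new_query + "&" + query if new_query else query
        return "/" + new_path, new_query


# Rulesets are keyed by hostname, as in the editor. The first rule is the global
# rule visible in Screenshot 57; the second is a constructed directory rule.
RULESETS = {
    "testphp.vulnweb.com": [
        RewriteRule(r"^artist\.php/subsection/(\d+)/details/(\d+)$",
                    "artist.php?subsection=$1&details=$2"),
        RewriteRule(r"^item/(\d+)$", "product.php?id=$1", directory="shop"),
    ],
}


def rewrite_url(url, rulesets=RULESETS):
    """Normalise a crawled URL with the rules registered for its hostname (first match wins)."""
    parts = urlsplit(url)
    for rule in rulesets.get(parts.hostname, []):
        result = rule.apply(parts.path, parts.query)
        if result is not None:
            new_path, new_query = result
            return urlunsplit((parts.scheme, parts.netloc, new_path, new_query, ""))
    return url


def crawl_targets(urls, rulesets=RULESETS):
    """Group URLs by real script and parameter names: each group is one object to
    scan, however many virtual paths the rewrite rules turned into it."""
    groups = {}
    for url in urls:
        parts = urlsplit(rewrite_url(url, rulesets))
        params = tuple(sorted(name for name, _ in parse_qsl(parts.query)))
        groups.setdefault((parts.hostname, parts.path, params), []).append(url)
    return groups


if __name__ == "__main__":
    # Constructed sample of links a crawler might find on testphp.vulnweb.com
    sample = [
        "http://testphp.vulnweb.com/artist.php/subsection/1/details/2",
        "http://testphp.vulnweb.com/artist.php/subsection/3/details/15",
        "http://testphp.vulnweb.com/shop/item/42",
        "http://testphp.vulnweb.com/index.php",
    ]
    for key, members in crawl_targets(sample).items():
        print(key, "<-", len(members), "URL(s)")
```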
can

1. Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left hand side of the Acunetix Web Vulnerability Scanner menu bar.

Screenshot 24: Scan Wizard, Select Scan Type (Scan single website, with a Website URL field: here you can scan a single website; in case you want to scan a single web application and not the whole site you can enter the full path; the application supports HTTP and HTTPS websites. Scan using saved crawling results, with a Filename field: if you saved the site structure using the site crawler tool you can use the saved results here, and the scan will load this data from the file instead of crawling the site again. If you want to scan a list of websites use the Acunetix Scheduler, whose interface is reachable at http://localhost:8181)

2. Specify the scan options:

- Scan single website: Enter the URL of the target website, e.g. http://testphp.vulnweb.com
- Scan using saved crawling results: If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.

Note: The
checks such as directory listing etc.
- Empty: This profile may be used as a clean base to create other profiles.
- File Upload: File upload form vulnerabilities only.
- GHDB: Google hacking database security checks only.
- High Risk Alerts: Web and network vulnerability checks which are considered as High Risk, such as SQL Injection and XSS.
- Network_Scripts: Network security checks only. If you would like to check if the network services are secured properly on the web server, use this scanning profile. Tests included are DNS cache poisoning, telnet brute force and much more.
- Parameter_manipulation: All parameter manipulation attacks, such as SQL injection, XSS (Cross site scripting), Command execution etc.
- SQL Injection: SQL injection vulnerability checks only.
- Weak_Passwords: Web forms authentication audits related checks.
- Web_Applications: Well known web applications (e.g. Joomla, Wordpress) security checks.
- Ws_default: Web services vulnerability checks only.
- XSS: Cross site scripting vulnerability checks only.

Creating / Modifying Scanning Profiles

Creating a new Scanning Profile

1. From the Profile drop-down menu, select the scanning profile that you would like to use as the base for the new scanning profile. If you want to start with all the scripts disabled, you should select the Empty scanning profile.
2. Check all the vulnerability checks (security checks) you would like to include in the scanning profile.
3. Click
cks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data, even though your firewall is configured correctly and your operating system and applications are patched repeatedly. Network security defense provides no protection against web application attacks, since these are launched on port 80, which has to remain open to allow regular operation of the business. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.

The need for automated web application security scanning

Manual vulnerability auditing of all your web applications is complex and time consuming, since it generally involves processing a large volume of data. It also demands a high level of expertise and the ability to keep track of considerable volumes of code used in a web application. In addition, hackers are constantly finding new ways to exploit your web application, which means that you have to constantly monitor the security communities and find new vulnerabilities in your web application code before hackers discover them.

Automated vulnerability scanning allows you to focus on the already challenging task of building a web application. An automated web application scanner is always on the lookout for new attack paths that hackers can use to access your web application or the data behind it. Within m
crosoft SQL Server. This is recommended when scanning a lot of sites or larger sites. This can be done as follows:

1. Navigate to the Configuration > Application Settings > Database node in the Acunetix Web Vulnerability Scanner interface. Select MS SQL Server from the Database Type drop-down menu.
2. Enter the Server IP or FQDN in the Server text box, and the credentials to connect to the server in the Username and Password text boxes. Only SQL Authentication is supported.
3. Specify a database name in the Database text box. If the database does not exist, it will be automatically created. If the database specified already exists, you will be prompted with a confirmation to overwrite the current database structure and data.

Note: The creation of the database requires a user with SQL Administrator privileges. Once the database is created, you can change the SQL credentials to a user account with read and write permissions on the database.

It is also possible to import a database configuration file. Select Import Database Configuration and select a dbconfig file generated by the Acunetix Enterprise Reporter to automatically import the SQL database settings.

7 Site Crawler

Introduction

The Site Crawler analyses a target website and builds the site structure using the information collected, including the site's directories and files (objects).
cted: Enable this option to be notified if URL rewrite is detected during the crawling stage of a scan.

Ignore parameters on file extensions like .js, .css etc.: When enabled, Acunetix Web Vulnerability Scanner will not scan parameters on files which are not typically accessed directly by a user, such as .js, .css etc.

Disable auto custom 404 detection: With this option enabled, Acunetix Web Vulnerability Scanner will not automatically detect 404 error pages, thereby requiring 404 recognition patterns to be configured manually. You can read more about Custom 404 Error Page rules from page 84 of this manual.

Consider www.domain.com and domain.com as the same host: If this option is enabled, Acunetix Web Vulnerability Scanner will scan both sites, www.domain.com and domain.com, and treat them as one instead of as separate hosts.

Enable Input limitation heuristics: If this option is enabled and more than 20 identical input schemes are detected on files in the same directory, the crawler will only crawl the first 20 identical input schemes.

Screenshot 54: Crawling Options (limits with the values shown: Maximum number of variations 50; Link depth limitation (0 for no limit) 100; Structure depth limitation (0 for no limit) 15; Maximum number of subdirectories 50; Maximum number of files in a directory 150; Maximum number of path schemes 100; Crawler file limit 100000)

Maximum number of variations: In this option you can specify the maximu
cus
- cus* is used to match any number of characters after the pattern cus
- ?cus is used to match a single character before the pattern cus
- c?us is used to match a single character as the second character in the pattern specified

Alternatively, you can configure Acunetix Web Vulnerability Scanner to automatically randomize the values for each input field by entering the bolded variable names below in the parameter's value field:

- $alpharand: Automatically submit random alphabetical characters (a-z)
- $numrand: Automatically submit random numeric characters (0-9)
- $alphanumrand: Automatically submit random alphabetical and numeric characters (a-z, 0-9)

You can also change the priority of a specific input field by highlighting it and then using the Up and Down arrows to give it higher or lower priority respectively.

Note: If a unique set of data must be submitted to different forms, then a new rule set must be created for each form respectively.

8 Manual Crawling using the HTTP Sniffer

Introduction

Screenshot: HTTP Sniffer in Acunetix Web Vulnerability Scanner NFR Evaluation Edition (Enable Traps, Edit Traps; Status: Running on port 8080; list of captured GET and POST requests with their method, URL, content type, status and size)
ders automatically or by a pre-processing tool.

AcuSensor Data: Any AcuSensor Technology data returned.

Alerts: A list of alerts for the selected file.

Grouping of Vulnerabilities

Screenshot (first part): Scan Results for Start URL http://testphp.vulnweb.com:80/ with the alert groups Macromedia Dreamweaver Remote Database Scripts (1), Cross Site Scripting (4), File inclusion (2), Script source code disclosure (1), Blind SQL Injection (2) and SQL injection (3); the selected SQL injection alert on artists.php (input artist, discovered by the Sql_Injection script) shows its impact description: an attacker may execute arbitrary SQL statements on the vulnerable system, which may compromise the integrity of the database and/or expose sensitive information, and depending on the back-end database may allow varying levels of data and system access, up to file access or shell command execution on the underlying operating system
Screenshot 65: Compare Results Tool (the site structures of two scans of the same website shown side by side, with the HTTP status of each file, e.g. Ok (200) or Forbidden (403), the alert summary of each scan, and the saved scan file loaded for comparison)

The Compare Results tool allows you to analyze the differences between the results of two separate scans of the same application. You can compare a full security scan or just the site crawler data.

Comparing Results

To compare two saved scan results:

1. Go to the Compare Results
e alerts are reported under the Knowledge Base node in the Scan Results window.

Abort Scan if the server stops responding: Configure the maximum number of network errors the scanner must encounter before completely aborting the scan.

Use cookies set by the site during scanning: By default, Acunetix Web Vulnerability Scanner ignores the cookies sent by the website during the scan, but uses the ones discovered during the crawling process. Enable this option to always use the latest cookies provided by the website, i.e. ignore the cookies discovered in the crawl and use the ones the website is sending during the scan.

List of hosts allowed: By default, Acunetix Web Vulnerability Scanner will not crawl links outside the target URL. However, some links on some websites point to external locations outside the target URL and may need to be included in the scan. Configure Acunetix Web Vulnerability Scanner to include and follow these links in the list of hosts allowed field. Enter the host name or IP address of the domain to be included in a crawl/scan and click the button to add the entry. E.g. when scanning testphp.vulnweb.com there are links which point to www.acunetix.com.

Note: Hostnames can be specified using wildcards, e.g. *.domain.com, which includes all websites with a suffix of domain.com, such as sales.domain.com. A question mark can also be used as a wildcard, e.g. host?.domain.com would include all websites with one c
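The same wildcard syntax (* for any run of characters, ? for exactly one character) is used for the input field rules described in the Input Fields section and for the list of hosts allowed above. The following Python code is an added example, not Acunetix code: it matches field names and hostnames against such patterns, fills a form from a priority-ordered rule list that may use the $alpharand, $numrand and $alphanumrand variables, and decides whether a link to another host may be followed. The 8-character length of the random values and the sample rules are assumptions of this example.

```python
import random
import re
import string


def wildcard_to_regex(pattern):
    """Translate the manual's wildcard syntax to an anchored regular expression:
    '*' matches any number of characters, '?' exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def wildcard_match(pattern, value):
    return wildcard_to_regex(pattern).match(value) is not None


# Special values that make the scanner submit random data instead of a fixed string.
# The 8-character length is an assumption of this example, not documented behaviour.
RANDOM_LENGTH = 8
RANDOM_VALUES = {
    "$alpharand": string.ascii_lowercase,
    "$numrand": string.digits,
    "$alphanumrand": string.ascii_lowercase + string.digits,
}


def resolve_value(configured, rng=None):
    """Expand $alpharand / $numrand / $alphanumrand; any other value is used as typed."""
    alphabet = RANDOM_VALUES.get(configured)
    if alphabet is None:
        return configured
    rng = rng or random.Random()
    return "".join(rng.choice(alphabet) for _ in range(RANDOM_LENGTH))


def fill_form(field_names, rules, rng=None):
    """Pick a value for each form field from a priority-ordered list of (pattern, value)
    rules; the first matching rule wins, fields without a matching rule are left out."""
    filled = {}
    for name in field_names:
        for pattern, value in rules:
            if wildcard_match(pattern, name):
                filled[name] = resolve_value(value, rng)
                break
    return filled


def host_allowed(host, target_host, allowed_patterns):
    """Decide whether the crawler may follow a link: the target host is always allowed,
    any other host must match an entry of the 'list of hosts allowed'."""
    if host.lower() == target_host.lower():
        return True
    return any(wildcard_match(pattern, host) for pattern in allowed_patterns)


if __name__ == "__main__":
    # Constructed input field rules, highest priority first
    rules = [("zip", "94115"), ("*name*", "$alpharand"), ("phone", "$numrand"), ("*", "$alphanumrand")]
    print(fill_form(["name", "surname", "zip", "phone", "comment"], rules, random.Random(7)))
    allowed = ["*.domain.com", "host?.domain.com", "www.acunetix.com"]
    for link_host in ["www.acunetix.com", "sales.domain.com", "host12.domain.com", "evil.example"]:
        print(link_host, host_allowed(link_host, "testphp.vulnweb.com", allowed))
```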
Screenshot 41: Grouping of vulnerabilities (Scan Results window with the SQL injection alert group expanded to show the affected files artists.php, listproducts.php and product.php with their input parameters; the details pane shows the attack details (URL encoded GET input artist was set to 1), the application error message "supplied argument is not a valid MySQL result", the fix recommendation "Your script should filter metacharacters from user input", a Detailed information link, and the actions View HTTP headers, View HTML response, Launch the attack with HTTP Editor and Mark this alert as a false positive; the Network Alerts node lists the Port Scanner result Open Port 22/ssh)

If the same vulnerability is detected on multi
e to load the results of a previously saved crawl, or to save the results of a completed crawl.

Crawling Options

Crawler configuration settings can be modified by navigating to Configuration > Scan Settings > Crawling Options. The following Site Crawler options are available:

Screenshot 52: Crawling Options (Crawling options: these options will define the behaviour of the crawler. Start HTTP Sniffer for manual crawling at the end of the process; Get first URL only; Do not fetch anything above start folder; Fetch files below base folder; Fetch directory indexes even if not linked; Retrieve and process robots.txt, sitemap.xml; Ignore CASE differences in paths)

Start HTTP Sniffer for manual crawling at the end of the scan process: This starts the HTTP Sniffer at the end of the crawl, to allow the user to browse parts of the site that were not discovered by the crawler. Typically the Acunetix Web Vulnerability Scanner crawler is able to crawl the entire website, though there are some scenarios where it fails to do so automatically. The crawler will update the website structure with the newly discovered links and pages.

Get first URL only: Scans the index or first page of the target site only and does not crawl any links.

Do not fetch anything above start folder: By enabling this option, the crawler will not traverse any links that point to a location above the base link. E.g. if http://testphp.vulnweb.com/wvs/ is t
e used for sending email notifications.

Screenshot 70: Scheduler email notifications (Server IP/hostname; Port 25; The SMTP server requires authentication, with Username and Password; Email address where you will receive the email notifications; Email address from where you will receive the email notification, e.g. From: no-reply@acunetix.com; Click Here to Verify Settings)

In this section you can specify the settings for email notifications, such as the SMTP server IP or FQDN, port, SMTP server authentication (optional) and the email address where notifications will be sent.

Excluded hours templates

Screenshot 71: Excluded Hours Templates (Define time intervals when scanning is allowed or disallowed; running scans will be paused and resumed accordingly. Buttons: Add, Remove Selected, Edit. Templates listed: Nine to five, No weekends, Except working hours)

In the Excluded Hours Templates section you can specify a range of hours to pause on-going scans, e.g. if you do not want to scan your website during times of high traffic.

Screenshot 72: Excluded Hours Configuration (Template Name: New template; a weekly grid from Mon to Sun of hours marked Allowed or Not allowed)

To add a new Excluded Hours Template, click on the Add button and then:

1. Specify a name for the template in the Name input field.
2. Hig
e whole URI with the query instead of the path only. Tick "IIS URL rewrite rule" if the target website is using Microsoft Windows IIS URL rewrite rules (http://www.iis.net/download/urlrewrite). To test the URL rewrite rule, enter a URL and click Test Rule.

Importing a URL Rewrite rule configuration from an Apache web server

To import the rewrite rule logic for Apache web servers:

1. To open the Import Rewrite rules wizard, click Add Ruleset and then click Import rule. In the filename field, enter the path of the Apache httpd.conf or .htaccess file (the file which contains the URL rewrite rules).
2. Select the type of configuration to import: httpd.conf or .htaccess. If .htaccess is used, it is important to specify the hostname of the website (e.g. www.acunetix.com) and the web server directory (e.g. /sales/) on which the URL rewrite configuration is set.

Importing a URL Rewrite rule configuration from an IIS web server

If using Microsoft IIS as your web server, you can automatically import the rewrite rule logic:

1. To open the Import Rewrite rules wizard, click Add Ruleset and then click Import rule. In the Filename field, enter the path of the web application's web.config file that contains the URL rewrite rules.
2. Select the IIS URL Rewrite (web.config) node and specify the hostname of the website (e.g. www.acunetix.com) and the web server directory (e.g. /sales/) on which the URL rewrite configuration is set.

Note: Every Scan Set
ear from the date of download or activation. The perpetual license does not expire. The Small Business version is available as a perpetual license only. If you purchase the perpetual license, you must buy a maintenance agreement to get free support and upgrades beyond the first month after purchase. The maintenance agreement entitles you to free version upgrades and support for the duration of the agreement. Support and version upgrades are included in the price of the one year license.

Small Business Edition (1 Site/Server)

The Small Business edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer and scan one nominated site; this site must be owned by yourself or your company and not by third parties. Acunetix Small Business edition will leave a trail in the log files of the scanned server, and scanning of third party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations.

Enterprise Edition (Unlimited Sites/Servers)

The Enterprise edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer to scan an unlimited number of sites or servers. The sites or servers must be owned by yourself or your company and not by third parties. Acunetix Enterprise edition will leave a trail in the log files of the scanned server, and scanning of third party sites is prohibited by the license agreement. Addi
ebsite and gives a clear overview of the severity level of the website.

Quick Report: The Quick Report provides a detailed listing of all the vulnerabilities discovered during the scan.

Compliance Reports

Screenshot 48: Compliance Report (OWASP Top 10 2010 compliance report: description of the OWASP Top 10, disclaimer, scan URL and scan duration, and the Compliance at a Glance section summarising the vulnerabilities found according to the individual compliance categories)

Compliance Reports are available for the following compliance bodies and standards:

CWE/SANS Top 25 Most Dangerous Software Errors: This report sho
73. ed password-protected area, you will need to make use of a Login Sequence during the scan. You can pre-define login sequences from the Configuration > Application Settings > Login Sequence Manager, or directly from the New Scan Wizard. The Login Sequence Recorder can be used to perform a number of tasks during a crawl and a scan: to configure Acunetix Web Vulnerability Scanner to access a form-based password-protected section; to create a pre-defined crawling sequence, such as a shopping cart; and to mark pages that require human (manual) intervention each time they are accessed, such as pages with CAPTCHA, One-Time password, Two-Factor authentication, etc. The Login Sequence Recorder can also be used to configure Acunetix Web Vulnerability Scanner to crawl a web application in a pre-defined manner, such as a shopping cart, or to automatically input data into a web form. For more information on the Login Sequence Recorder and its uses, refer to http://www.acunetix.com/blog/docs/acunetix-wvs-login-sequence-recorder. Proceed as follows to create a new login sequence: 1. Click New Login Sequence to launch the Login Sequence Recorder. Screenshot: Login Sequence Recorder wizard (steps: Set start URL to define a login sequence for, Record login actions, Setup restricted links; the wizard text reads: This wizard will guide you in creating a login sequence which the Crawler will use to successfully log in to your web application and crawl it. Please en
74. Screenshot 9: HTTP Editor (request headers for http://testphp.vulnweb.com in the top pane; Response Headers, Response Data, View Page and HTML Structure Analysis tabs showing the guestbook page's HTML in the bottom pane). The HTTP Editor allows you to create, analyze and edit client HTTP requests and server responses. It also includes an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 formats and many other formats. You can start the HTTP Editor from the Tools node within the Tools Explorer. The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers and data. More information about the HTTP Editor can be found here: http://www.acunetix.com/blog/docs/http-editor
75. gent string by manually typing it in. Maximum number of parallel connections: Specify the maximum number of HTTP connections made to a target website. If overloaded with requests, some target servers might crash or reject new connections. HTTP request timeout in seconds: Specify how long Acunetix Web Vulnerability Scanner must wait for an HTTP response before considering it as timed out. Delay between consecutive requests in milliseconds: Configure the delay between each HTTP request Acunetix Web Vulnerability Scanner sends to the target website. HTTP response size limit in kilobytes: Maximum HTTP response size accepted by the crawler. HTTP responses larger than the specified size will not be crawled; with this option you are controlling the maximum size of the requested files. Custom HTTP Headers: In this section you can specify custom HTTP headers that Acunetix Web Vulnerability Scanner should include with the other standard HTTP headers while automatically crawling and scanning a website. LAN Settings: For more details on configuring LAN and proxy settings, refer to page 26 in this manual. DeepScan: For more details on configuring the DeepScan settings, refer to page 56 in this manual. Custom Cookies: For more details on configuring custom cookies, refer to page 60 in this manual. Input Fields: For more details on configuring input fields, refer to page 61 in this manual. AcuSensor: For more details on configuring
76. haracter added after host, such as host1.domain.com. Headers and Cookies: In this node you can configure all the options related to manipulation of HTTP headers and cookies. The options are: Test cookies for all files: By default, Acunetix Web Vulnerability Scanner will only try to manipulate cookie data and use it against files that contain GET and POST parameters. If this option is enabled, Acunetix Web Vulnerability Scanner will also try to use manipulated cookie data against static files. Manipulate the HTTP headers below: A number of Acunetix Web Vulnerability Scanner security checks try to manipulate HTTP headers. This section lists the HTTP headers Acunetix Web Vulnerability Scanner will try to manipulate during a scan. If you are testing a web application that uses other custom HTTP headers that you would like to test, you can add them to this list by clicking on the add button. Use the remove button to remove the highlighted header from the list. By un-ticking the Manipulate the HTTP headers listed below option, you will disable all HTTP header manipulation tests. Parameter Exclusions: Enables you to specify parameters that must be excluded from a scan. Some parameters cannot be manipulated without affecting the user session and will therefore not be manipulated during a scan. You can also select not to test all possible values. Note: Parameters specified in the Parameter Exclusions list will only be excluded from a scan b
77. he base URL, the crawler will not crawl to links which point to a location above the base URL, like http://testphp.vulnweb.com. Fetch files below base folder: By enabling this option, the crawler will follow links that point to locations outside the base folder. E.g. if http://testphp.vulnweb.com is the base URL, it will still traverse the links which point to an object which resides in a sub-directory below the base folder, like http://testphp.acunetix.com/wvs. With this option disabled, the crawler will not crawl any objects from the root's sub-directories. Fetch directory indexes even if not linked: When enabled, the crawler will try to request the directory index for every discovered directory, even if the directory index is not directly linked from another source. Retrieve and process robots.txt / sitemap.xml: By enabling this option, the crawler will search for a robots.txt or sitemap.xml file in the target website and follow all the links specified, if robots or sitemap are detected. Ignore CASE differences in paths: By enabling this option, the crawler will ignore any case difference in the links found on the website. E.g. Admin will be considered the same as admin. Screenshot (Crawling Options checkbox list): Enable CSA (analyze and execute JavaScript/AJAX); Fetch external scripts; Fetch default index files (index.php, Default.asp); Try to prevent infinite directory recursion; Warn user if URL rewrite is detected; Ignore parameters on fi
78. hlight the hours of the day when scans should not run. 3. Click OK to save the new template. Note: If a scan is still running during the excluded hours, the scan will be automatically paused and resumed again when scanning is allowed. Creating a Scheduled Scan: 1. Access the Scheduler interface by clicking the Scheduler icon on the toolbar in the Acunetix Web Vulnerability Scanner interface, or browse to http://127.0.0.1:8181 using a web browser. Note: JavaScript should be enabled to access the Acunetix Scheduler web interface. Screenshot 73: Acunetix Scheduler web interface (New scan and Import CSV buttons). 2. Click on the New scan button to add a new scan. You can add as many scans as you wish. If the scan schedules overlap, the scans will run in parallel. You can increase or decrease the number of parallel scans from the Scheduler configuration in the Acunetix Web Vulnerability Scanner application settings. 3. If you would like to import a number of scans (up to 2,000) using a CSV file, click on the Import CSV button. You can read more about this feature from page 76. Scheduled Scan Basic Options: Screenshot 74: Acunetix Scheduler Basic options (Add new scan dialog: Scan type: Scan a single website; Recursion; Date; Time; with collapsed Advanced options, Crawling options, and Scan results and reports sections).
79. hpaspect.php path declaration formats. If Apache does not execute .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file. Method 2: IIS and Apache (php.ini): 1. Locate the file php.ini on the server by using the phpinfo() function. 2. Search for the directive auto_prepend_file and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file: auto_prepend_file="<path to acu_phpaspect.php file>". 3. Save all changes and restart the web server for the above changes to take effect. Testing your AcuSensor Agent: To test if the AcuSensor agent is working properly on the target website, do the following: 1. In the Tools Explorer, navigate to the Configuration > Scan Settings node and select the AcuSensor node. 2. Enter the password of the AcuSensor agent file which was copied to the target website. 3. Click Test AcuSensor installation on a Specific URL. A dialog will prompt you to submit the URL of the target website where the AcuSensor Agent file is installed. Enter the desired URL and click OK. Changing the AcuSensor Password: If you need to change the password used by the AcuSensor agent on your website, you will need to re-generate the AcuSensor files and re-install them on your website. Perform the following if you are usi
80. .htaccess file configuration. 2. If using method 2, delete the directive auto_prepend_file="<path to acu_phpaspect.php file>" from the php.ini file. 3. Delete the Acunetix AcuSensor PHP file acu_phpaspect.php. Note: Although the Acunetix AcuSensor agent requires authentication, uninstall/remove the AcuSensor client files if they are no longer in use. Configuring an HTTP Proxy or SOCKS Proxy Server: Screenshot (Acunetix Web Vulnerability Scanner Consultant Edition, Configuration > Scan Settings > LAN Settings, "Proxy settings for the scan": HTTP Proxy: Use an HTTP proxy server, Hostname 192.168.0.1, Port 8080, Username and Password fields; SOCKS Proxy: Use a SOCKS proxy server, Hostname 192.168.0.1, Port 3128).
81. ic vulnerabilities which require an intermediate server. • Improved support in detecting and scanning smartphone/tablet-friendly websites. When a mobile-friendly site is scanned, the user is given the option to crawl and scan the site as a normal browser or as a smartphone browser. • Full support for HTML5 websites. • Detection of DOM-based XSS vulnerabilities. • Detection of Blind XSS vulnerabilities using AcuMonitor. • Detection of Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection and Host Header based vulnerabilities using AcuMonitor. Acunetix Blog and Support Page: Acunetix publishes a number of web security and Acunetix how-to technical documents on the Acunetix Web Application Security Blog: http://www.acunetix.com/blog. You can also find a number of support-related documents, such as FAQs, in the Acunetix Web Vulnerability Scanner support page: http://www.acunetix.com/support. Licensing Acunetix Web Vulnerability Scanner: Acunetix Web Vulnerability Scanner is available in 5 editions: Small Business, Enterprise, Enterprise x10 instances, Consultant and Consultant x10 instances. Ordering and pricing information can be found here: http://www.acunetix.com/ordering/pricing.htm. Perpetual or Time-Based Licenses: Acunetix Web Vulnerability Scanner Enterprise and Consultant editions are sold as a one-year subscription or perpetual license. The 1-year subscription license expires after 1 y
82. ifferent input combinations. This is the Automated Scan Stage. If the AcuSensor Technology is enabled, a series of additional vulnerability checks are launched against the website. More information about AcuSensor is provided in the following section. As vulnerabilities are found, Acunetix Web Vulnerability Scanner reports these in the Alerts node. Screenshot (Scan Results for http://testphp.vulnweb.com: Web Alerts node listing alert categories such as Blind SQL Injection, CRLF injection/HTTP response splitting, Cross Site Scripting, Directory Traversal, HTTP Parameter Pollution, PHP allow_url_fopen enabled, Script source code disclosure, SQL injection, Weak Password, Backup files and Directory Listing, with the Blind SQL Injection vulnerability description open: This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect agai
83. Screenshot (continuation of the alert details, shown beside the Tools Explorer tree): Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine. Affected items listed include artists.php (GET input artist), cart.php and listproducts.php; the Attack details section shows the value the scanner set for the URL-encoded GET input artist, with links to view the HTTP headers and the request/response.
84. ing Scan Settings template, select it from the Template drop-down menu and click the X button. To modify an existing Scan Settings template, select it from the Templates drop-down menu, make the necessary changes and then click Apply. Below is a detailed list of all the options available for each Scan Settings template. Scanning Options: Disable Alerts generated by crawler: Select this option to stop crawler-related alerts (such as broken links, file inputs, and files whose names indicate that they can be dangerous) from being reported. Scanning Mode: From this section you can select the Scanning Mode which will be used during both the crawling and scanning stage of the target website. The scan mode determines how both the crawler and the scanner will treat website parameters (also known as inputs), which affects the number of security checks launched against the website. The following scanning mode options are available: • Quick: In this mode the crawler will only fetch a very limited number of variations of each parameter, because they are not considered to be action parameters. Action parameters are designed to control the execution flow of the server scripts. This scanning mode should only be used with small and static websites. • Heuristic: In this mode the crawler will try to make heuristic decisions on which parameters should be considered as action parameters. It will try to fetch the m
85. Screenshot 64: HTTP Sniffer Trap form (a trapped response with the page's HTML source open for editing). When an HTTP request or a response is trapped by the HTTP Sniffer, the HTTP Trap window will automatically appear to allow you to edit the captured data. Similarly to the HTTP Editor, the Trap Form editor allows you to edit headers, cookies, queries and post variables. Click OK to allow the HTTP request or response through. Editing an HTTP Request without a Trap: If you want to edit an HTTP request without setting up an HTTP trap, right-click on a request or a response and select Edit with the HTTP Editor. Click Start in the HTTP Editor to send the HTTP request to the server. 9. Compare Results Tool: Introduction: Screenshot (Compare Results tool in Acunetix Web Vulnerability Scanner NFR Evaluation Edition: a saved .wvs scan result loaded for comparison, listing alerts such as Possible sensitive directories, URL redirection, Password type input with autocomplete, Broken links, GHDB: Generic MySQL error message, Email address found and Knowledge Base: List of open TCP ports, together with the site structure tree).
86. inutes, an automated web application scanner can scan your web application, identify all the files accessible from the internet and simulate hacker activity in order to identify vulnerable components. In addition, an automated vulnerability scanner can also be used to assess the code which makes up a web application, allowing it to identify potential vulnerabilities which might not be obvious from the internet but still exist in the web application and can thus still be exploited. Acunetix Web Vulnerability Scanner: Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross-site Scripting and other exploitable vulnerabilities. In general, Acunetix Web Vulnerability Scanner scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol. Acunetix Web Vulnerability Scanner offers a strong and unique solution for analyzing off-the-shelf and custom web applications, including those utilizing JavaScript, AJAX and Web 2.0 web applications. Acunetix has an advanced crawler that can find almost any file. This is important, since what is not found cannot be checked. How Acunetix Web Vulnerability Scanner Works: Acunetix Web Vulnerability Scanner works in the following manner: 1. Using Acunetix DeepScan, the Crawler analyzes the entire website by following all the links on the site, including
87. Screenshot 38: Scan Result and Information window (Activity Window: Web Scanner scanning 1 website(s), number of websites left to scan: 1). Web Alerts: The Web Alerts node displays all vulnerabilities found on the target website. Web Alerts are categorized according to 4 severity levels: High Risk Alert Level 3: Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft. Medium Risk Alert Level 2: Vulnerabilities caused by server misconfiguration and site coding flaws, which facilitate server disruption and intrusion. Low Risk Alert Level 1: Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures. Informational Alert: Sites which are susceptible to revealing information through Google hacking search strings or email address disclosure. If a vulnerability is detected by the AcuSensor Technology, (AS) is displayed next to the vulnerability group. More information about the vulnerability is shown when you click on an alert category node: Vulnerability description: A description of the discovered vulnerability. Affected items: The list of files vulnerable to the discovered vulnerability. The impact of this vulnerability: Level of impact on the website or web server if this vulnerability is exploited. Attack details: Details ab
88. ipulated in real time before it arrives at the server. You can do the same for HTTP responses. Creating an HTTP Sniffer Trap Filter: Screenshot (HTTP Sniffer rule editor: Rule Template drop-down, Rule description, Rule type, Apply to, Regular expression and Log string fields, with Update and Add buttons; the available rule templates include Trap requests, Trap responses, Don't trap requests, Don't trap responses, Replace user agent, Log get variables, Log Host string, Log post vars, Log Server string, Log URL, Log Powered-By string, Trap ASP and PHP requests, Trap requests with get variables, Trap requests with post variables, Don't trap images/css/scripts, Highlight PHP error messages and Remove gzip/deflate encoding, each applied to request headers, response headers or the response, with its matching regular expression).
89. Screenshot 14: Web Vulnerability Scanner Scripting tool (the sample basicXSS script open in the editor, which takes the current input scheme, iterates over each input and its variations, sets the input value to a test payload and builds an HTTP job for the target URL; the SDK class list, e.g. HTMLTokenizer, HTTPJob, HTTPMessage, HTTPWorker, InjectionValidator, InputScheme, KBaseItem, LinkList, MetaTag, ObjectFactories, ParserData, ReportItem, Script, ScriptContext, Search, ServerInfo, TURL; and the script execution log showing the script finishing in 28 ms with 0 requests and the error "No current input scheme available for current context"). The Acunetix Web Vulnerability Scanner Scripting tool allows you to create new custom web vulnerability checks. These checks must be written i
90. l debug information. Screenshot (Acunetix Web Vulnerability Scanner Consultant Edition: scan of http://testphp.vulnweb.com:80 finished with 114 alerts; the Blind SQL Injection alert marked (AS) is open, showing Vulnerability details with Source file /var/www/vhosts/default/htdocs/artists.php; Additional details: the SQL query SELECT ... FROM artists WHERE artist_id=1ACUSTART NwKL9ACUEND, and that mysql_query was called; The impact of this vulnerability: An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive
91. le extensions like js, css, etc.; Disable auto custom 404 detection (application will use only user-defined rules); Consider www.domain.com and domain.com as the same host; Enable input limitation heuristics. Screenshot 53: Crawling Options. Enable CSA (analyze and execute JavaScript/AJAX): The Client Script Analyzer (CSA) is enabled by default during crawling. This will execute JavaScript/AJAX code on the website to gather a more complete site structure. Fetch external scripts: With this option enabled, the CSA engine will fetch all external resources linked through client scripts running on the target. The external resources will only be crawled and will not be scanned. If this option is not enabled and a client script uses external resources, the CSA engine will not be able to analyze the client script correctly, which might result in an incomplete crawl. Fetch default index files (index.php, Default.asp): If this option is enabled, the crawler will try to fetch common default index filenames, such as index.php or Default.asp, for every folder, even if not directly linked. Try to prevent infinite directory recursion: Certain websites are designed in a way which may cause the scanner to enter a loop when trying to fetch the same directory recursively, e.g. images/images/images/images. This setting tries to prevent this situation by identifying repeated directory names in recursion. Warn user if URL rewrite is dete
92. links which are dynamically built using JavaScript, and links found in robots.txt and sitemap.xml (if available). Web Vulnerability Scanner will then map out the website structure and display detailed information about every file. Screenshot 1: Crawler Results (site tree for http://testphp.vulnweb.com with the HTTP result, status code and content type of each entry, e.g. the root page, /idea, /admin, /AJAX, /Connections, /CVS, /Flash and /hpp returned 200 OK with text/html, while /icons was Not Found). 2. If Acunetix AcuSensor Technology is enabled, the sensor will retrieve a listing of all the files present in the web application directory and add the files not found by the crawler to the crawler output. Such files usually are not discovered by the crawler as they are not accessible from the web server or not linked through the website. Acunetix AcuSensor also analyses files which are not accessible from the internet, such as web.config. 3. After the crawling process, Web Vulnerability Scanner automatically launches a series of vulnerability checks on each page found, in essence emulating a hacker. Acunetix Web Vulnerability Scanner also analyses each page for places where it can input data and subsequently attempts all the d
93. ll vary depending on the type of report that you are generating. Screenshot 47: Select Report Properties (Compliance Report Wizard, Report Style Properties: Show short summary, Show detailed report, Show affected item list, Show a list of scanned files). 6. Click the Generate button to generate the report. 7. Once the report is generated, it can be printed or exported to various formats, including PDF, Word and HTML. Types of Reports: The following is a list of the reports that can be generated using the Acunetix Web Vulnerability Scanner Reporter. Affected Items Report: The Affected Items report shows the files and locations where vulnerabilities have been detected during a scan. The report shows the severity of the vulnerability detected, together with other details about how the vulnerability has been detected. Developer Report: The Developer Report is targeted to developers who need to work on the website in order to address the vulnerabilities discovered by Acunetix Web Vulnerability Scanner. The report provides information on the files which have a long response time, a list of external links, email addresses, client scripts and external hosts, together with remediation examples and best-practice recommendations for fixing the vulnerabilities. Executive Report: The Executive Report summarizes the vulnerabilities detected in a w
94. lnerability Scanner. Screenshot 31: Login Sequence Recorder (the test site's login page, with Username and Password fields and a signup link). 3. On the second page of the wizard, browse to the website's login page and submit the authentication credentials in the login form to log in. Wait for the page to fully load, indicating that you are logged in. Click Next to proceed. Screenshot 32: Specify an excluded link (wizard steps: Set start URL to define a login sequence for, Record login actions, Setup restricted links, Setup in-session detection (detection of invalidated sessions), Review login sequence). 4. Once logged in, you also need to identify the logout link, so the crawler will ignore it to prevent ending the session. In the Setup restricted links step of the wizard, click the logout link for it to be ignored. If the logout link is not on the same page, click the Pause button in the top menu, navigate to a page where the logout link is found, resume the session and then click on the logout link. Click Next to p
95. logout.php">. You can also highlight specific content and click on Define pattern from selection, and a regular expression will be automatically generated. Screenshot 34: Specify an In-session or Out-of-session pattern (the Setup in-session detection step of the Login Sequence Recorder, showing the logged-in test site page, the Detect In session / Out of session selector, the Pattern field containing <a\s+href="logout\.php">, the Pattern type drop-down and the Check pattern, Show raw data, Define pattern from selection and Show in browser controls). You also have to specify where the pattern can be found in the response. From the Pattern Type drop-down menu, select whether the pattern is In headers, Not in headers, In body, Not in body, Status code is, or Status code is not. 7. Click on Check Pattern to verify that the crawler is able to
96. m number of variations for a file. E.g. index.asp has a GET parameter ID, of which the crawler discovered 10 possible values from links requesting the page. Each of these links is considered a variation, and each variation will appear under the file in the Scan Tree during crawling. Link Depth Limitation: This option allows you to configure the maximum number of links to crawl from the root URL. Structure Depth Limitation: This option allows you to configure the maximum number of directories to crawl from the root URL. Maximum number of sub-directories: This option allows you to configure the maximum number of sub-directories Acunetix Web Vulnerability Scanner should crawl in a website. Maximum number of files in a directory: In this option you can configure the maximum number of files in a directory. Maximum number of path schemes: In this option you can specify the maximum number of path schemes that should be detected by the crawler. You should only tweak this setting if you are crawling a very large website and notice that some path schemes are not being crawled. Crawler file limit: This option allows you to configure the maximum number of files the crawler should crawl during a website crawl. Acunetix DeepScan: Most websites make use of, or are totally implemented in, JavaScript. These include websites that make use of AJAX or Single Page Applications (SPAs). Acunetix Web Vulnerability Scanner uses DeepScan technology t
97. manual settings. To ensure the use of manual settings, disable automatic configuration.

Screenshot 62: Browser Proxy Server Settings (Internet Explorer LAN Settings dialog: Automatically detect settings; Use automatic configuration script; Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connections); Address 127.0.0.1, Port 8080; Advanced; Bypass proxy server for local addresses)

From the Tools drop-down menu, click Internet Options. Click on the Connections tab and then click the LAN Settings button. Tick the option Use a proxy server for your LAN. In the Address input field enter 127.0.0.1 and enter 8080 in the Port input field. If you also need to capture SSL traffic, click on the Advanced button and in the Secure input field enter 127.0.0.0 as proxy address and 8080 as port number.

6. Click on OK to save all settings and close all configuration windows.

Google Chrome: Google Chrome uses Internet Explorer's proxy server settings. Therefore, to use Google Chrome, follow the procedure above and configure Internet Explorer.

Note: By default the HTTP Sniffer proxy server listens on localhost (127.0.0.1) and port 8080. This limits the capturing of traffic to web clients running on the same machine. The HTTP Sniffer options in Acunetix Web Vulnerability Scanner can be accessed from the Configuration > Application Settings > HTTP Sniffer node. You
98. n JavaScript and require installation of the SDK. You can read more about writing custom web security checks from the following URL: http://www.acunetix.com/blog/docs/creating-vulnerability-checks/ You can download the scripting SDK from http://www.acunetix.com/download/tools/Acunetix_SDK.zip

Reporter: The Reporter allows you to generate reports of scan results in a printable format. Various report templates are available, including summary, detailed reports and compliance reporting. The Consultant Version of Acunetix Web Vulnerability Scanner allows customization of the generated report.

Screenshot 15: Typical Report including Chart of alerts

New in Acunetix Web Vulnerability Scanner Version 9
- Introduction of Acunetix DeepScan, which makes use of the same rendering engine used in Google Chrome and Apple Safari to better identify the web site's structure during a scan. Acunetix DeepScan provides a huge improvement in scanning of AJAX sites, JavaScript-based sites and Single Page Applications (SPA).
- Introduction of the Acunetix AcuMonitor service, which is used to identify specif
99. n you change any of the Web Interface settings, upon clicking the Apply button restart the Acunetix WVS Scheduler v8 Windows service from the Windows Services console.

Screenshot 69: Scheduler scan options (Scan results save folder: C:\Users\Public\Documents\Acunetix WVS 9\Saves; Parallel scans (max 10))

Scan Options: In this section you can specify the path where the Acunetix Web Vulnerability Scanner scan results should be saved. By default the scan results are saved in the My Documents folder of the Windows Public user profile, in the Acunetix WVS sub-directory.

Scanning multiple websites: From this section you can also configure the number of parallel scans launched in Acunetix Web Vulnerability Scanner. E.g. if you want to scan 4 websites and their scan schedule overlaps, instead of the scans being queued another instance of Acunetix Web Vulnerability Scanner is automatically started and the scans will be launched in parallel. If you are scanning a large number of websites, it is suggested to increase the number of parallel scans so their schedule does not overlap. The maximum number of parallel scans is 10 if you have the x10 instances license.

Note: The maximum number of scheduled scans that can be configured in the Acunetix Web Vulnerability Scanner scheduler is 2000.

Configuring Email notifications

Email Notifications: Send email notifications when scans are finished. SMTP server to b
100. ng a .NET website:
1. Use the procedure in the next section to Disable and Uninstall the AcuSensor agent.
2. Proceed with installing the AcuSensor with the new password.
If you are using a PHP file, you will just need to overwrite the old acu_phpaspect.php with the new acu_phpaspect.php file.

Disabling and uninstalling AcuSensor

To uninstall and disable the sensor: AcuSensor for ASP.NET websites
1. Browse to the installation directory where the AcuSensor Agent had been installed.
2. Open AcuSensorInjector.exe.

Screenshot 21: Select website and click Uninject Selected (Acunetix .NET AcuSensor Injector: Select the applications you want to inject/uninject from the list below; Target Runtime: .NET Framework version 2.0; Inject Selected / Uninject Selected)

3. Select the website where the AcuSensor agent is installed and click on Uninject to remove the AcuSensor Agent from the site.
4. Close AcuSensorInjector.exe.
5. From the same directory, double-click uninstall.exe to uninstall the AcuSensor Agent files.

Note: If you uninstall the Acunetix .NET AcuSensor Technology Injector without un-injecting the .NET application, then the AcuSensor Technology code will not be removed from your .NET application.

AcuSensor for PHP
1. If using method 1 (.htaccess file), delete the directive php_value auto_prepend_file [path to acu_phpaspect.php file] from the
101. ng the AcuSensor Agent chapter on page 22.

AcuMonitor: In this node you can enable usage of the AcuMonitor service, configure the saved scans folder (which is used to store information about the tests done for vulnerabilities which require the AcuMonitor Service) and the amount of time that you would like Acunetix to keep such information. You can also register to the AcuMonitor service and look up requests using the ID found in a notification email received from AcuMonitor, to get more information on the vulnerability detected.

13. Scan Settings Templates

Scan Settings can be configured exclusively for a specific URL and saved as Scan Settings Templates. If you frequently need to scan multiple websites that require different settings, Scan Settings Templates can be recalled quickly and easily without the need of any reconfiguration.

[Screenshot: Acunetix Web Vulnerability Scanner Consultant Edition, Configuration > Scanning Options ("Configure the Acunetix scanning engine"; Disable alerts generated by crawler, e.g. broken links, file inputs); Tools Explorer with Web Scanner, Site Crawler, Subdomain Scanner, Blind SQL Injector, HTTP Editor and the Scan Settings nodes (Headers and Cookies, Parameter Exclusions, GHDB, Crawling Options, File Ex...)]
102. node in the Tools Explorer.
2. In the Compare Results toolbar, specify the path of the first scan file. In the second edit box, specify the path of the second scan.
3. Click on the Compare button to launch the compare tool.
4. Specify which items you wish to compare, such as Referrers, HTTP headers, etc. The list of items that are enabled for comparison can be saved as a new template by renaming the template and clicking the Save button. Click Start to begin the comparison.

Note: For large websites the file structure comparison process may take longer to complete.

Analyzing the Results Comparison

Once the comparison is complete, the results are shown in a two-pane interface. The left pane contains the contents of the original scan, while the right-hand pane contains the results of the second scan. The middle column shows icons indicating the comparison result for the items in that line, based on the following indicators:
- There are no changes
- This item was added in the new version
- This item was deleted from the new version
- This item was changed in the new version

Click on the result icon in the middle column to display the details in the window below the comparison. These details show the changes detected between the two scans, such as the number of items detected and the items that have been added or deleted.

10. Scanning Web Services

Introduction: Web Services, like any other internet-dependen
103. nst there is a large number of web applications vulnerable.

Screenshot 2: Scan Results (alert tree with Affected items)

Each alert contains information about the vulnerability, such as POST variable name, affected item, HTTP response of the server and more.
4. If AcuSensor Technology is used, details such as source code line number, stack trace or affected SQL query which lead to the vulnerability are listed. Recommendations on how to fix the vulnerability are also shown.
5. In addition, a port scan is launched against the web server hosting the website. If open ports are found, Acunetix Web Vulnerability Scanner will perform a range of network security checks against the network service running on the open port. If open ports are found, they will be reported in the Port Scanner node. The list of open ports contains information such as the banner returned from the port and whether a security test failed.
6. After a scan has been completed, the scan results can be saved to file for later analysis and for comparison to previous scans. Using the Acunetix Reporter, a professional report can be created summarizing the scan.

Acunetix AcuSensor Technology

Acunetix's unique AcuSensor Technology allows you to identify more vulnerabilities than other Web Application Scanners, whilst generating less false positives. Acunetix AcuSensor indicates exactly where in your code the vulnerability is and reports additiona
104. ntly better results than using source code analyzers and black box scanning independently. The AcuSensor sensors can be inserted in the .NET and PHP code transparently. The .NET source code is not required; the sensors can be injected in already compiled .NET applications. Thus there is no need to install a compiler or obtain the web application's source code, which is a big advantage when using a third-party .NET application. In case of PHP web applications, the source is readily available. To date, Acunetix is the only Web Vulnerability Scanner to implement this technology.

Advantages of using AcuSensor Technology
- Ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query.
- Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query, etc.
- Significantly reduces false positives when scanning a website, because it understands the behavior of the web application better.
- Alerts you of web application configuration problems which can result in a vulnerable application or expose sensitive information. E.g. if custom errors are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects m
105. o scan these types of websites effectively. Acunetix DeepScan can be configured from Configuration > Scan Settings > DeepScan. The following are the options available:

Enable DeepScan: Enables the processing of JavaScript-based technologies using DeepScan.

Process scripts from external sites: Some websites reference and use JavaScript files which are located on a different site than the one being scanned. With this option you can specify if these JavaScript files are retrieved and processed by DeepScan during the Crawl/Scan.

File Extension Filters

Screenshot 55: Crawling Options - File Extension Filters (Exclude files from being crawled and scanned based on their extension. Specify the types of files to be ignored by the Crawler by adding their extension to the Exclude list. The default Include value will process all file types that are not in the Exclude list.)

It is possible to configure a list
106. [Screenshot residue: HTTP Sniffer capture list of GET/POST requests to https://erp.acunetix.com:443/panel/... with content type, status code (200 OK, 302 Found) and size, and the raw request headers (Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Accept-Charset) of one selected GET request]

Screenshot 61: The HTTP Sniffer

The HTTP Sniffer is a proxy server that enables you to capture and edit HTT
107. om/acuservice/service.asmx?WSDL [Screenshot residue: Web Services Scanner tree with ports ServiceSoap and ServiceSoap12 and operations HelloWorld, HelloUser, MD5Encode, GetUserInfo; Statistics: 204 requests; Progress; Activity Window]

Screenshot 66: Web Services Scanner

Starting a Web Service Scan
1. From the Tools Explorer, select Web Services Scanner and click the New Scan button in the toolbar to launch the Web Service Scan Wizard. Specify the URL of an online or local WSDL and choose a scanning profile. Click Next to proceed.
2. In the Selection step, select the Web Services Ports and Operations that must be scanned. The number of inputs accepted by each operation and the URL of the ports will be displayed in the Details section.
3. Enter specific input values (optional) for the scanner to use as Web Service Operations in the Default Values step.
4. Proceed to the scan summary, review it and click Finish to launch the scan.

Web Services Editor

[Screenshot residue: Acunetix Web Vulnerability Scanner NFR Evaluation Edition, Web Services Editor; WSDL URL http://testaspnet.vulnweb.com/acuservice/service.asmx?WSDL; Import; Editor / WSDL Structure tabs; Service: Service, Port: ServiceSoap12, Operation: HelloUser; Send; HTTP Editor; Reque...]
108. on, it indicates exactly where vulnerabilities are detected in your code and also reports debug information. Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.

Generating the AcuSensor files

Screenshot 17: AcuSensor Deployment settings node (From this node you can generate the files you need to deploy AcuSensor technology to a server: Output folder; Generate PHP AcuSensor; Generate .NET AcuSensor; Also set password in currently selected settings template; Generate AcuSensor Installation Files)

1. Navigate to the Configuration > Application Settings node in the Tools Explorer. Click on the AcuSensor Deployment node.
2. Enter a password or click on the padlock icon to randomly generate a password unique to the AcuSensor file.
3. Specify the path where you want the AcuSensor files to be generated.
4. Select whether to generate files for a PHP website or a .NET website.
5. Select Also set password in currently selected settings template to store the password specified in the scan settings template.
6. Click on Generate AcuSensor Installation Files to generate the files.
7. Depending on if you are using an ASP.NE
109. onsortium (WASC) is a non-profit organization made up of an international group of security experts which has created a threat classification system for web vulnerabilities. This report groups the vulnerabilities identified on your site using the WASC threat classification system.

Scan Comparison Report

Screenshot 49: Comparison Report

The Scan Comparison Report allows the user to track the changes between two scan results for the same application. This report will highlight resolved, unchanged and new vulnerabilities, making it easy to track development changes affecting the security of your web application.

Monthly Vulnerabilities Report: This statistical report correlates the data from the scans performed in a specific month and reports on the vulnerabilities identified during that month.

Reporter Settings: The Reporter settings allow you to configure the layout and style of the generated reports. To access the report settings, navigate to the Configuration > Settings node in the Reporter
110. ore SQL injection vulnerabilities. Previously, SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improved detection.
- Ability to detect SQL Injection vulnerabilities in all SQL statements, including in SQL INSERT statements. Using a black box scanner, such SQL injection vulnerabilities cannot be found. This significantly increases the ability for Acunetix Web Vulnerability Scanner to find vulnerabilities.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and scanned when using the AcuSensor Technology and you will be alerted.
- AcuSensor Technology is able to intercept all web application inputs and build a comprehensive list with all possible inputs in the website and test them.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URLs. Using the AcuSensor Technology, the scanner is able to rewrite SEO URLs on the fly.
- Ability to test for arbitrary file creation and deletion vulnerabilities. E.g. through a vulnerable script, a malicious user can create a file in the web application directory and execute it to have privileged access, or delete sensitive web application files.
- Ability to test for email injection. E.g. a malicious user may append additional information such as a list or
111. ost possible values of each parameter. This will result in a larger number of different variations, and therefore the scanner will launch more security checks against the website. This scanning mode is the most efficient and accurate one and is recommended as the scanning mode of choice, unless there are specific reasons to use other scanning modes.
- Extensive: In this mode the crawler will fetch all possible values and combinations of all parameters. This will lead to a much larger number of variations, and therefore the scanner will launch an extensive amount of security checks against the website. This scanning mode should only be used for specialized security audits, since it can take a considerable amount of time to finish.

Limit crawl recursions to X iterations: After a site is crawled and vulnerability scanning has started, the scanner can still discover new objects, for which a new crawl will be started. This is called an iteration. Configure the maximum number of crawl iterations that can happen during a website scan.

Enable Port Scanning: Enable this option to port scan the web server on which the target website is hosted during a web security scan by default. For more information about the Port Scanner and Network Alerts, refer to page 10 of this manual.

Collect uncommon HTTP Requests: Acunetix Web Vulnerability Scanner can report any uncommon server response that might include sensitive data, such as internal server errors. Thes
112. out the parameters and variables used to test for this vulnerability. E.g. for a Cross-Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server, including the HTML response. The attack can be inspected and re-launched manually by clicking Launch the attack with HTTP Editor. For more information please refer to http://www.acunetix.com/blog/docs/http-editor/

How to fix this vulnerability: How to fix the vulnerability.

Detailed information: Information about the reported vulnerability.

Web references: A list of web links providing more information on the vulnerability to help you understand and fix it.

Marking an Alert as a False Positive

If you are certain that the vulnerability discovered is a false positive, you can flag the alert as a False Positive to avoid it being reported in subsequent scans of the same website. To do this, click on the Mark alert as false positive link, or right-click on the alert and select the menu option. You can remove an alert from the false positives list by navigating to the Configuration > Application Settings node in the Tools Explorer and selecting the False Positives node.

Network Alerts

[Screenshot residue: Scan Results tree - Scan Thread 1 (http://testphp.vulnweb.com), Web Alerts (88), Network Alerts (1), Server, Port Scanner (3)]
113. ple pages, the scanner will group them under one alert node. Expanding the alert node will reveal all the vulnerable pages. Expand further to view the vulnerable parameters for the selected page.

Saving a Scan Result

When a scan is completed, you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session, including alert information and site structure. To save the scan results, click the File menu and select Save Scan Results. To load the scan results, click the File menu and select Load Scan Results.

6. Generating a Report from the results

Introduction to the Reporter

Screenshot 42: The Reporter Application (Acunetix WVS Reporter; Common Tasks: Generate Report - generate a report from the last saved scan results using the default report template; Report Preview - view prepared reports; Database - browse the database; report templates: Affected Items, Developer Report, Executive Summary, Quick Report, Compliance Report, Scan Comparison, Monthly Vulnerabilities, Default Report)

The Acunetix Web Vulnerability Scanner Reporter is a standalone application that allows you to generate reports for the security scans performed using Acunetix Web Vulnerability Scanner
114. quences> If upgrading from version 7, the Reporting database needs to be updated before it can be used in a newer version. This can be done using the Reporting Database Upgrade tool, which can be downloaded from http://www.acunetix.com/download/tools/ConvertWVSDatabase.zip Proceed as follows:
a. If you are using an SQL database, select MS SQL Server and specify the Server credentials and Database which needs to be upgraded, and click on the Convert button. Then configure the new version of Acunetix Web Vulnerability Scanner to use the upgraded database.

Screenshot 23: Upgrade Reporting Database (Convert WVS Database tool, MS Access)

b. If you are using an Access database, select MS Access and select the database backed up in 3, and click on the Convert button. Once ready, copy the upgraded database to <C:\ProgramData\Acunetix WVS X\Data\Database\vulnscanresults.mdb>.

4. Scanning a Website

NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION. The web server logs will show your IP address and all the attacks made by Acunetix Web Vulnerability Scanner. If you are not the sole administrator of the website, please make sure to warn other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website.

To scan a website you first need to perform the following steps:

Step 1: Select Target(s) to S
115. rating system, webserver technology or change the base path. By entering these details you can reduce the scanning time.

Screenshot 26: Scan Wizard - Selecting Targets and Technologies (List of targets: testphp.vulnweb.com:80; Base path; Server banner: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2...; Target URL: http://testphp.vulnweb.com:80; Operating system: Unix; WebServer; Optimize for following technologies: ASP, ASP.NET, PHP, Perl, Java/J2EE, ColdFusion/Jrun, Python, Ruby, mod_ssl, mod_perl, mod_python, OpenSSL; Status: Done)

Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server, its web server technologies and the custom 404 error page in use. If a custom 404 error page is being used, Acunetix Web Vulnerability Scanner will automatically detect it and determine a pattern for it, removing the need for manual configuration. For more details on Custom 404 Error Pages, refer to page 84 of this manual. The web vulnerability scanner will reduce the scan time by scanning only for the selected web technologies. E.g. Acunetix Web Vulnerability Scanner will not launch IIS security checks against a Linux system running an Apache web server. Click on the relevant field and change the setting
116. roceed.

Screenshot 33: Specify an In-session or Out-of-session pattern (Login Sequence Recorder: Set start URL; Detect login sequence for In session / Out of session; steps Record login actions, Setup restricted links, Setup in-session detection, Review login sequence; Pattern <a\s+href="logout.php">; Pattern type; Check pattern)

In this step you have to specify In Session or Out of Session detection patterns. For the In Session detection, specify a pattern which allows the crawler to detect that the session is still valid. If for some reason the session expires during a crawl, the Crawler will automatically log in again. Click on Detect to make Acunetix Web Vulnerability Scanner attempt to automatically detect the pattern. There are situations where the session state cannot be detected automatically, in which case you will need to specify this manually. The pattern can be plain text or a regular expression, e.g. <a\s+href
117. [Screenshot residue: the Site Crawler window for Start URL http://testphp.vulnweb.com (Login Sequence: <no login sequence>) showing the crawled site structure with Name, HTTP Result, Inputs and Title columns, and the details pane for a selected file (Filename, Page title, Filepath, File will be scanned: True, Content type: text/html; charset=UTF-8, Status: File was processed)]
118. s from the provided check boxes if you would like to add or remove scans for specific technologies.

Note: if a specific web technology is not listed under Optimize for the following technologies, it does not mean that it is unsupported by Web Vulnerability Scanner, but that there are no vulnerability tests exclusive to that technology.

Step 4: Configure Login for Password Protected Areas

Two types of Login mechanisms are commonly used on the web:

HTTP Authentication: This type of authentication is handled by the web server, where the user is prompted with a password dialog. Scanning an HTTP password protected area is covered in this step.

Forms Authentication: This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script. Scanning websites using forms-based authentication is done using the Login Sequence Recorder and is covered in Step 5.

[Screenshot: Scan Wizard, Login step - Configure input login details for password protected areas or HTML forms. Forms Authentication: If your website requires forms authentication, you need to record the steps required to login on the website. This will be saved as a login sequence file and can be used later. You can also specify a section of the website which you do not want to be crawled, for example links that will log you out from the website.]
119. se a login sequence during the scan. If nothing is specified, no login sequence will be used during the scan.
- Scan Settings: Specify the name of an existing scan settings template. If no scan settings template is specified, the default scan settings template will be used.
- Scan Mode: Specify the scan mode to be used during the scan. The options are quick, heuristic and extensive. If no scan mode is specified, the default scan mode will be used.
- Generate Report: Specify if a report should be generated after the scan. The options are yes or no. If nothing is specified, no report will be generated.
- Report Format: If you specified the generate report option, then you have to specify the report format as well. The options available are PDF, RTF, REP or HTML. If you do not specify any format, a PDF report will be generated.
- Notification Email Address: Specify the email address where the email should be sent upon completion of the scan. If an email is not specified, the default email address configured in the Acunetix Web Vulnerability Scanner GUI will be used.

If you would like to omit an entry so that the default value is used, simply leave a space between the commas. Some examples follow:

Example 1: To scan testphp.vulnweb.com on the 5th of November 2012 at 10pm using the default values, use the below line in the CSV file:
http://testphp.vulnweb.com,05112012,2200

Example 2: To scan testasp.vulnweb.com on the 5th of November 2012 a
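An added example (not the scheduler's own code) that parses lines of this CSV format into scan jobs, applying the defaults described above when an entry is left blank; the field order after URL, date and time is assumed to follow the order in which the options are described, and the second sample line and its email address are constructed.

```python
from datetime import datetime

# Field order assumed from the option descriptions: URL, date and time are
# given by Example 1, the optional fields follow in the order described.
FIELDS = ("url", "date", "time", "login_sequence", "scan_settings", "scan_mode",
          "generate_report", "report_format", "notification_email")
SCAN_MODES = ("quick", "heuristic", "extensive")
REPORT_FORMATS = ("PDF", "RTF", "REP", "HTML")


def parse_schedule_line(line: str) -> dict:
    """Turn one scheduler CSV line into the scan job it describes.
    A blank entry (or a lone space) between commas keeps the default."""
    values = [v.strip() for v in line.split(",")]
    if len(values) < 3:
        raise ValueError("a schedule line needs at least URL, date and time")
    if len(values) > len(FIELDS):
        raise ValueError(f"too many fields: {len(values)}")
    values += [""] * (len(FIELDS) - len(values))
    row = dict(zip(FIELDS, values))

    if not row["url"].lower().startswith(("http://", "https://")):
        raise ValueError(f"target must be a URL: {row['url']!r}")
    # Date is DDMMYYYY and time is HHMM: 05112012,2200 is 5 Nov 2012 at 10pm.
    start = datetime.strptime(row["date"] + row["time"], "%d%m%Y%H%M")

    mode = row["scan_mode"].lower() or "default"
    if mode != "default" and mode not in SCAN_MODES:
        raise ValueError(f"scan mode must be one of {SCAN_MODES}: {row['scan_mode']!r}")

    generate = row["generate_report"].lower()
    if generate not in ("", "yes", "no"):
        raise ValueError(f"generate report must be yes or no: {row['generate_report']!r}")
    generate_report = generate == "yes"

    fmt = row["report_format"].upper()
    if fmt and fmt not in REPORT_FORMATS:
        raise ValueError(f"report format must be one of {REPORT_FORMATS}: {fmt!r}")
    # No format with a requested report means PDF; no report means no format.
    report_format = (fmt or "PDF") if generate_report else None

    return {
        "url": row["url"],
        "start": start,
        "login_sequence": row["login_sequence"] or None,      # None: no login sequence
        "scan_settings": row["scan_settings"] or "default",   # default settings template
        "scan_mode": mode,
        "generate_report": generate_report,
        "report_format": report_format,
        "notification_email": row["notification_email"] or None,  # None: GUI default
    }


def parse_schedule_file(text: str) -> list:
    """Parse a whole CSV file, skipping empty lines."""
    return [parse_schedule_line(ln) for ln in text.splitlines() if ln.strip()]


# Constructed sample file: Example 1 from the manual, plus a hypothetical
# second line that leaves the login sequence and report format at their defaults.
SAMPLE_CSV = """http://testphp.vulnweb.com,05112012,2200
http://testasp.vulnweb.com,05112012,2200, ,Default,heuristic,yes, ,admin@example.com
"""

if __name__ == "__main__":
    for job in parse_schedule_file(SAMPLE_CSV):
        print(job)
```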
120. se key are needed to register to this service. Notifications of vulnerabilities exposed will be sent to the email address provided below. You can register later from Configuration > Application Settings.

Screenshot 16: AcuMonitor Registration (dialog fields: Email address, License key; More information about AcuMonitor; Register / Cancel)

When you start Acunetix Web Vulnerability Scanner the first time, you will be asked to register with the AcuMonitor Service. The AcuMonitor Service is used to automatically detect certain vulnerabilities which can only be detected using an intermediate server, such as Blind XSS, Server Side Request Forgery (SSRF) and Email Header Injection. You can register to the AcuMonitor service using your email address and your license key. Registration can also be done at a later stage from Acunetix Web Vulnerability Scanner > Configuration > Application Settings > AcuMonitor. More information on the AcuMonitor Service can be found at http://www.acunetix.com/websitesecurity/acumonitor/

Installing the AcuSensor Agent

NOTE: Installing the AcuSensor Agent is optional. Acunetix Web Vulnerability Scanner still is best in class as a black box scanner, but the AcuSensor Agent improves accuracy and vulnerability results. The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating less false positives. In additi
121. so install IIS 6 Metabase Compatibility from Control Panel > Turn Windows features On or Off > Roles > Web Server (IIS) > Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility to enable listing of all .NET applications running on the server.
2. Copy the AcuSensor installation files to the server hosting the .NET website.
Screenshot 19: Acunetix .NET AcuSensor Agent installation (installation directory C:\Program Files\Acunetix\AcuSensorInjector, with options to create Desktop and Start Menu shortcuts and to start the application after the installation is completed)
3. Double click Setup.exe to install the Acunetix .NET AcuSensor agent and specify the installation path. The application will start automatically once the installation is ready. If the application is not set to start automatically, click on Acunetix .NET AcuSensor Technology Injector from the program group menu.
Screenshot 20: Acunetix .NET AcuSensor Technology Agent (select the applications you want to inject or uninject from the list, e.g. acuforum and acublog, with Target Runtime .NET Framework version 2.0, then click Inject Selected or Uninject Selected)
4. On start up, the Acunetix .NET AcuSensor Technology Installer will retrieve a list of .NET applications inst
122. Screenshot 67: Web Services Editor (operation HelloUser with the username parameter, of type string, set to <hello>; the SOAP response shown in the editor is:)
    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <HelloUserResponse xmlns="http://tempuri.org/">
          <HelloUserResult>Hello &lt;hello&gt;</HelloUserResult>
        </HelloUserResponse>
      </soap:Body>
    </soap:Envelope>
The Web Services Editor allows importing of online or local WSDL for custom editing and execution of various web service operations, for an in depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages, making it easy to edit SOAP headers and customize manual attacks. Editing and sending of Web Services SOAP messages is very similar to editing normal requests sent via the HTTP Editor.
Importing WSDL and Sending a Request
1. Click on the Web Services Editor node in the tools explorer and enter the URL of the WSDL, or locate the local directory where the local WSDL file is stored. Click Import to import all WSDL information.
2. From the drop down menus in the toolbar, select the Service, Port and Operation that must be tested.
3. Specify a value for the operation
123. t 3:15pm using the XSS (Cross site scripting) scanning profile, without a login sequence, with the default scan settings, using the extensive scanning mode, generating a PDF report and sending the results to results@myemail.com, use the example below:
http://testasp.vulnweb.com,05112012,1515,XSS, , ,extensive,yes,PDF,results@myemail.com
Note: Scans imported from a CSV file will only be executed once. It is not possible to configure recurring scans using the CSV file import feature.
12. Application Settings
Acunetix Web Vulnerability Scanner configuration settings can be accessed from the Configuration > Application Settings node in the Tools Explorer window pane.
124. t systems present new exploit possibilities and increase the need for security audits. The Web Services Scanner performs automated vulnerability scans for Web Services and generates a detailed security report of the results.
[Screenshot: Web Services Scanner results for http://testaspnet.vulnweb.com/acuservice/service.asmx?WSDL using the ws_default profile. Acunetix Threat Level 3 (High): one or more high severity type vulnerabilities have been discovered by the scanner; a malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website. Total alerts found: 4 (SQL injection 2, on the GetUserInfo operation of ServiceSoap and ServiceSoap12; Application error message 2). High 2, Medium 2, Low 0, Informational 0.]
125. Screenshot 79: Custom 404 Error page configuration (the dialog shows the HTTP/1.1 302 Found response returned by http://testasp.vulnweb.com for a non-existent page, with its Location header and body, and a Generate pattern from selection button)
1. Specify the URL of the website for which you would like to create a custom 404 error page rule in the URL to match on input field.
2. In the Pattern input field you should specify a text pattern or regular expression which matches some unique text on the custom 404 error page.
3. Specify where the pattern can be found in the custom 404 error page response from the Match on drop down menu:
• Location header: The defined pattern can be found in the header of the custom error page.
• Result Body: The defined pattern can be found in the body of the custom error page.
• Result: The defined pattern can be found in both the header and body of the custom error page.
You can also gener
126. technologies being used, screenshots showing the problem, etc. Please also include the license key information in the support email. We will do our best to answer your query within 24 hours or less, depending on your time zone.
Knowledge base / Support page: You can also explore the Acunetix knowledge base and other support options by browsing to http://www.acunetix.com/support
Acunetix Facebook page: Join us on Facebook for the latest product and industry updates: http://www.facebook.com/Acunetix
127. Screenshot 78: Scan Settings templates (the Scanning Options node shows the scanning mode, the crawl recursion limit of 5 iterations with 0 to disable, Enable port scanning, Collect uncommon HTTP requests, Abort scan if the server stops responding after 25 network errors, Use cookies set by the site during scanning, and the List of hosts allowed: some websites may link to files on other hosts, so you should include here all the hosts that you want to be scanned, and the hostname can be specified using wildcards)
Creating, modifying or deleting Scan Settings templates
To create a new Scan Settings template, click the X button and specify a name for the new Scan Settings template. To delete an exist
128. Screenshot 4: Acunetix Web Vulnerability Scanner (the home page shows the Tools Explorer with Reporter: start the reporter tool; Scheduler: start the scheduler; AcuSensor: go to the AcuSensor configuration page; the Common Tasks New Scan: start a new website scan, and Load the results from a sample scan session; the Acunetix Web Application Security Blog feed; and the Activity Window with the Application Log and Error Log tabs)
Web Scanner
The Web Scanner launches an automatic security audit of a website. A website security scan typically consists of two phases:
1. Crawling: Making use of Acunetix DeepScan, Acunetix Web Vulnerability Scanner automatically analyzes and crawls the website in order to
129. ter the application's URL below. The wizard lists the steps Setup in session detection, Check URL detection of invalidated sessions and Review login sequence, and notes: "Please note that in order to record a successful login sequence, the wizard has to delete any cookies associated with the website or web application you specified in the URL field above. If you do not want such cookies to be deleted, press Cancel to exit this wizard now. The Login Sequence Recorder can also be used to configure the crawler to crawl a web application in a pre-defined manner, such as a shopping cart. To configure the crawler to crawl a web application in a pre-defined manner, crawl the web application in the second step of this wizard (Record Login Actions) and do not configure In session details in the fourth step of this wizard."
Screenshot 30: Login Sequence Wizard (with the URL http://10.172.0.127/acuart/)
Enter the URL of the website for which you would like to record a login sequence. By default the URL of the target website is automatically populated. Click Next to proceed.
[Screenshot: the Record login actions step of the wizard, recording the login sequence for http://10.172.0.127/acuart/login.php on the Acunetix test and demonstration site]
130. tes simultaneously.
Limitations of Trial Version
The trial version of Acunetix Web Vulnerability Scanner, downloadable from the Acunetix website, is practically identical to the full version in functionality and features, but contains the following limitations:
• The Trial edition will expire after 15 days.
• When scanning your website all the Web Alerts will be reported. However, you will not be able to drill down and find where the vulnerability is found in your website.
• Reports cannot be generated. Scan results will not be stored in the Reports database.
• Full scans, including detailed information on the vulnerabilities discovered, can be made against the following Acunetix test web sites:
  o http://testphp.vulnweb.com
  o http://testasp.vulnweb.com
  o http://testaspnet.vulnweb.com
  o http://testhtml5.vulnweb.com
• The Scan Scheduler is not available.
If you decide to purchase Acunetix Web Vulnerability Scanner, you will need to uninstall the trial edition and install the purchased edition, which must be downloaded as a separate installer file. Download the installer file using the link provided by our sales team and double click to begin the setup. You will be prompted to remove the trial version and install the full edition. All settings from the previously installed version will be retained. Once the installation is complete you will be prompted to enter the License key.
3. Installing Acunetix Web Vulnerability
131. the port banner.
• List of Network Services running on the web server and their response.
• List of files with inputs found on the website. The number of inputs per file is also shown.
• List of links to external hosts found on the website. E.g. testphp.vulnweb.com contains a link to www.acunetix.com.
• List of Client and Server HTTP error responses together with the HTTP requests that generated them. An example would be the response code Server Internal Error (HTTP 500). Check the response for information exposure.
Site Structure
The Site Structure Node displays the layout of the target website, including all files and directories discovered during the crawling process.
[Screenshot: the Site Structure node for a scan of http://testphp.vulnweb.com, listing the discovered directories with their HTTP status (OK or Forbidden); the Information tab shows general information about the selected file, and right clicking on items gives more options]
132. tication Attacks, Directory Enumeration and other exploits. Moreover, the hacker community is very close knit; newly discovered web application intrusions, known as Zero Day exploits, are posted on a number of forums and websites known only to members of that exclusive group. Postings are updated daily and are used to propagate and facilitate further hacking.
Web applications (shopping carts, forms, login pages, dynamic content and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content, including varying levels of personal and sensitive data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.
Why are web applications vulnerable?
• Websites and web applications are easily available via the internet 24 hours a day, 7 days a week, to customers, employees, suppliers and therefore also hackers.
• Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
• Web applications often have direct access to backend data such as customer databases.
• Most web applications are custom made and therefore involve a lesser degree of testing than off the shelf software. Consequently, custom applications are more susceptible to attack.
• Various high profile hacking atta
133. tings template can have different crawler settings. Refer to page 80 of this user manual to read more on how to modify or create new Scan Settings templates.
Custom Cookies
You can create a custom cookie which can be used during a website crawl to emulate a user or to automatically login to a section of the website without requiring the Login Sequence Recorder.
Screenshot 59: Custom Cookies (user defined cookies to use during scan and crawl; the crawler can be instructed to use your custom cookie values, inserted using the Add Cookie button, with a Lock custom cookies option)
To add a custom cookie:
1. Navigate to the Configuration > Scan Settings > Custom cookies node.
2. Click on the Add Cookie button to add a new blank cookie to the list.
5. Tick the option Lock custom cookies during
134. tional licenses are required for separate installs onto different workstations.
Enterprise Edition, Unlimited Sites/Servers, x10 instances
The ONLY difference between the Enterprise Edition and the Enterprise Edition x10 instances is that this edition of the Acunetix Web Vulnerability Scanner Enterprise allows you to run up to 10 instances of Acunetix Web Vulnerability Scanner on the same computer, giving you the ability to scan up to 10 websites simultaneously.
Consultant Edition
The Consultant edition license allows you to install one copy of Acunetix on one computer to scan an unlimited number of sites or servers, including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct edition to use if you are a consultant who provides web security testing services, a hosting provider or an ISP. The consultant edition also includes the capability of modifying the reports to include your own company logo. This edition does not leave any trail in the log files of the scanned server. Additional licenses are required for separate installs onto different workstations.
Consultant Edition x10 instances
The ONLY difference between the Consultant Edition and the Consultant Edition x10 instances is that this edition of the Acunetix Web Vulnerability Scanner Consultant allows you to run up to 10 instances of Acunetix Web Vulnerability Scanner on the same computer, giving you the ability to scan up to 10 websi
135. Screenshot 77: Application Settings (the Application Updates node, with the check for updates at application startup option and the HTTP proxy for program updates: Use an HTTP proxy server, Hostname, Port, Username and Password)
Application Updates
From this node you can configure when the application checks for both vulnerability and application updates. You can also configure the Proxy Server settings if your Internet connection must be accessed via a proxy server.
Logging
From the Logging node you can configure which actions (logging severities) are logged. You can also specify how many log files to retain. Note that some log files may contain a lot of information, such as the one which logs the HTTP requests and responses.
Database
You can configure the database that you would like to use for the scan results. This database will be used to generate reports using the Web Vulnerability Scanner Reporter.
HTTP Authentication
Refer to page 31 of this manual for information about the HTTP Authentication options.
Client Certificates
Some websites require client certificates to identify a client before access is granted. These certificates may be configured in Acunetix Web Vulnerability Scanner by specifying the URL to be used during a crawl or a scan. To do
136. ut will still be crawled.
Adding a parameter to the exclusion list
1. Specify a URL in the URL textbox to exclude the parameter when scanning the specified URL only. Use a wildcard to exclude the parameter from every scan.
2. Type the parameter name to be excluded in the Name textbox and select for which type of HTTP verb it should be excluded from the Type drop down menu. Select Any to exclude the parameter in any type of HTTP verb.
3. Click Apply to save your changes.
GHDB (Google Hacking Database) Options
By default all GHDB (Google Hacking Database) tests (1450) are launched against a website during a scan. From the Settings > GHDB node you can configure which GHDB vulnerability checks you want to test for. Filter the list by entering a keyword (e.g. sql) in the Filter GHDB text box. Click on Uncheck Visible to uncheck all vulnerabilities that match the keyword and exclude them from a default scan. Click Check Visible to check all entries again and include them in a default scan.
Crawling Options
Refer to page 54 of this manual for more information on the crawling options.
HTTP Options
Use this node to configure various HTTP related options.
HTTP General
User agent string: Configure what user agent header string Acunetix Web Vulnerability Scanner should use when accessing a target website. You can click on X to use a predefined user agent string, or you can specify your own custom user a
137. ws a list of vulnerabilities that have been detected in your website which are listed in the CWE/SANS top 25 most dangerous software errors. These errors are often easy to find and exploit, and are dangerous because they will often allow attackers to take over the website or steal data. More information can be found at http://cwe.mitre.org/top25
The Health Insurance Portability and Accountability Act (HIPAA): Part of the HIPAA Act defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. This report identifies the vulnerabilities that might be infringing these policies. The vulnerabilities are grouped by the sections as defined in the HIPAA Act.
International Standard ISO 27001: ISO 27001, part of the ISO/IEC 27000 family of standards, formally specifies a management system that is intended to bring information security under explicit management control. This report identifies vulnerabilities which might be in violation of the standard and groups the vulnerabilities by the sections defined in the standard.
NIST Special Publication 800-53: NIST Special Publication 800-53 covers the recommended security controls for Federal Information Systems and Organizations. Once again, the vulnerabilities identified during a scan are grouped by the categories as defined in the publication.
OWASP Top 10 2013: The Open Web Application Security Project (OWASP) is we
138. Screenshot 29: HTTP Authentication Options (the node manages the login credentials required during automated scanning and crawling, with the options Do not prompt for manual authentication and Automatically save new credentials, and a list of saved credentials)
Do not prompt for manual authentication: By default, when a target website requires HTTP authentication during a crawl and scan, Acunetix Web Vulnerability Scanner will ask you for the credentials. If this option is switched off, Acunetix Web Vulnerability Scanner will continue scanning the website without authenticating, therefore protected website parts will not be crawled and scanned.
Automatically save new credentials: When this option is enabled, new credentials and the URL specified during a scan are automatically saved in the Acunetix Web Vulnerability Scanner HTTP Authentication settings and will be automatically used when the same site is scanned.
Step 5: Scanning a Form Based Password Protected Area
In order to scan a form bas
139. [Screenshot: Web Scanner results for http://testphp.vulnweb.com:80. Total alerts found: 34 (Informational 19), including Apache mod_rewrite and Apache 2.x version alerts, PHP version alerts, a hidden form input named price, user credentials sent in clear text, a default phpinfo page, GHDB SQL error messages and a password type input with autocomplete. Statistics: 697 requests, scan time 6 minutes, average response time 341.34 milliseconds, port scanner finished.]
