Acunetix Deep-dive
Articles,  Blog

Hello, and welcome to the Acunetix Deep-dive video. Acunetix is a platform for testing and managing web application security, and is available both online and on premise. It can automatically scan any website or web application accessible over HTTP or HTTPS for over 3,000 web application vulnerabilities and misconfigurations. Additionally, Acunetix also provides powerful vulnerability management tools built right into the heart of the product.

The automated security testing and vulnerability management process of most organizations is split up into four major stages. The first stage is scanning. In order to properly scan a website or web application, it needs to be crawled first. The Acunetix crawler analyzes the entire structure of a web application by looking for links and inputs. Being able to properly crawl a web application is essential for an accurate scan: the scanner cannot test a page for vulnerabilities if it does not know that the page exists. Basically, if you can’t crawl it, you can’t scan it. After the crawl is complete, Acunetix will proceed to test every page it found during the crawl for security vulnerabilities. A scan’s scope can be customized, so you can easily exclude areas of the site that you do not wish to scan.

The next step is to report the automated scan’s findings. Acunetix provides us with a great deal of flexibility here. Results are automatically populated on the Dashboard in real time. What’s more, you can start working with results the scanner finds before the scan finishes. Acunetix provides us with a comprehensive list of management and compliance reports, including reports for PCI DSS, OWASP Top 10, HIPAA, ISO 27001 and others.

Accurate scan results alone are not useful unless vulnerabilities are fixed, so remediation is the next step in the vulnerability management process. We’ve spoken about generating reports already, and while you can certainly provide a development team with a report of the scanner’s findings, anyone who has worked on, or with, a development team during remediation knows that “300-page PDFs” don’t work particularly well. This is because development teams organize their work in issue trackers, since these tools are typically integrated with other aspects of the SDLC such as version control. So providing PDFs to the people who actually need to fix vulnerabilities is just not a natural fit for a development team’s workflow. This is why, apart from offering detailed Developer reports, Acunetix also offers out-of-the-box integration with Atlassian JIRA, GitHub and Microsoft Team Foundation Server, allowing development teams to focus on remediation, whilst still allowing management to extract the reports required for them to make strategic decisions. Acunetix can also export discovered vulnerabilities to the most popular Web Application Firewalls, and you can also integrate Acunetix into new and existing Jenkins Continuous Integration (CI) and Continuous Deployment (CD) workflows.

Finally, we’d want to verify that any vulnerabilities we found are properly fixed, and we can do this in two ways. First, we can mark vulnerabilities as Fixed. Once a vulnerability is marked as Fixed, if that same vulnerability is detected again in a subsequent scan, Acunetix will mark it as “Rediscovered”, indicating that the implemented fix was not effective and the vulnerability is still exploitable. Secondly, we have the option of setting up a Target for “Continuous Scanning”. This allows us to ensure that any vulnerabilities go from discovery to remediation as quickly as possible.

Let’s now jump into a demo of Acunetix.
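Before the demo, here is the Fixed/Rediscovered tracking just described, as an added example that is not Acunetix code: findings are matched across scans by a fingerprint of target, vulnerability type and parameter, and a finding marked Fixed that shows up again becomes Rediscovered. The fingerprint fields, the status names and the sample findings are assumptions.

```python
"""Fixed/Rediscovered tracking across scans (added example, not Acunetix code).
Findings are matched on a fingerprint of target, vulnerability type and
parameter; the fingerprint fields and status names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

OPEN, FIXED, REDISCOVERED = "Open", "Fixed", "Rediscovered"


@dataclass(frozen=True)
class Finding:
    target: str
    vuln_type: str
    parameter: str

    def fingerprint(self) -> tuple[str, str, str]:
        return (self.target, self.vuln_type, self.parameter)


@dataclass
class VulnerabilityStore:
    status: dict[tuple[str, str, str], str] = field(default_factory=dict)

    def ingest_scan(self, findings: list[Finding]) -> dict[tuple[str, str, str], str]:
        """Apply one scan's findings and return every tracked fingerprint's status."""
        for f in findings:
            fp = f.fingerprint()
            if self.status.get(fp) == FIXED:
                # Marked Fixed earlier but detected again: the fix was not effective.
                self.status[fp] = REDISCOVERED
            elif fp not in self.status:
                self.status[fp] = OPEN
            # Open or Rediscovered findings seen again keep their status.
        return dict(self.status)

    def mark_fixed(self, finding: Finding) -> None:
        """Developer/tester claims the issue is fixed; only a rescan can confirm it."""
        self.status[finding.fingerprint()] = FIXED


def demo() -> dict[tuple[str, str, str], str]:
    """Constructed scenario: two scans with a fix attempt in between."""
    sqli = Finding("testphp.vulnweb.com", "SQL Injection", "id")
    xss = Finding("testphp.vulnweb.com", "Cross-site Scripting", "q")
    store = VulnerabilityStore()
    store.ingest_scan([sqli, xss])    # first scan: both findings are Open
    store.mark_fixed(sqli)            # both claimed fixed after remediation
    store.mark_fixed(xss)
    return store.ingest_scan([sqli])  # rescan: SQLi still there, XSS not detected
```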
So before starting a scan, we’ll need to create a Target for the site we wish to test. In this example, we’ll be scanning testphp.vulnweb.com, so if you have downloaded and installed the trial version from our website, you can try this out yourself too. Adding a new Target is simple: just click on “Targets” in the right-hand-side menu and click the “Add Target” button. You will now need to enter an address. This can be either a URL or the IP address of the location of the website or web application. Once we click Add Target, we’re taken to the Target Configuration page.

Now, because this site has a login page, we need to create a “Login Sequence” in order to instruct the scanner on how to log into the web application. This is an essential part of the scanning process, and something that is usually difficult or tedious to set up properly with other scanners. You can either attempt to have the scanner log in for you, which will work for most simple sites requiring just a username and password, or else you can create a Login Sequence manually, which works better for more complex logins and provides much more control. Acunetix makes creating a Login Sequence very easy. You simply need to go through the normal login process of signing into an account, and you’ll notice that your actions are being recorded in the right-hand-side pane. The scanner will replay these actions to log in during the scan. Once you are done recording, you can click the “Play” button to replay the login sequence to make sure it is working correctly.

Once you click “Next”, you have the option of selecting which links you do not want the scanner to click on whilst logged in. These are referred to as “Restrictions”. For example, we obviously don’t want the scanner to get logged out of the session during a crawl or a scan, so we can create a restriction by clicking on the “Logout” link in order to restrict it. You are free to set up as many restrictions as you like. Once you’re done restricting links, click “Next”.

A Login Sequence on its own is not enough. The scanner needs to understand when it is logged in and when it is logged out, so that it can re-run the login sequence in the event of the authenticated session getting destroyed. For this, the Login Sequence Recorder needs what is known as a “Session Pattern”. A Session Pattern is nothing more than something unique between a logged-in and a logged-out state of a web application. The Login Sequence Recorder will detect this pattern automatically for you; however, you’re free to customize this pattern if you wish to do so. Clicking Finish will ask you to save the Login Sequence you’ve just created. You can now upload the Login Sequence to the newly created Target.

Once we’re done with our configuration, we can simply click “Scan” to start scanning this Target.
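The Session Pattern and Restrictions just described, as an added example that is not Acunetix code: a pattern is derived by comparing a logged-in and a logged-out response of the same page, restricted links such as Logout are never followed, and any response missing the pattern triggers a replay of the login. The HTML samples, the detection heuristic and the crawler stub are constructed assumptions.

```python
"""Session Pattern detection and Restrictions (added example, not Acunetix
code). The HTML samples, the pattern heuristic and the crawler stub are
constructed assumptions standing in for the real Login Sequence Recorder."""
from __future__ import annotations
import re

# Constructed responses for the same page in each authentication state.
LOGGED_IN = "<html><body><a href='/logout.php'>Logout</a> <a href='/userinfo.php'>My account</a></body></html>"
LOGGED_OUT = "<html><body><a href='/login.php'>Login</a></body></html>"


def detect_session_pattern(logged_in_html: str, logged_out_html: str) -> str | None:
    """Return the first link fragment that exists only in the logged-in response.
    A Logout link is a typical pattern: it is present only while logged in."""
    for fragment in re.findall(r"<a [^>]*>[^<]*</a>", logged_in_html):
        if fragment not in logged_out_html:
            return fragment
    return None


class SessionAwareCrawler:
    def __init__(self, pattern: str, restricted: list[str], login) -> None:
        self.pattern = pattern          # Session Pattern to look for in every response
        self.restricted = restricted    # links the crawler must never follow (e.g. Logout)
        self.login = login              # callable that replays the recorded Login Sequence
        self.relogins = 0

    def allowed(self, url: str) -> bool:
        """Restrictions: never click links that would destroy the session."""
        return not any(url.endswith(r) for r in self.restricted)

    def check_response(self, html: str) -> bool:
        """True if the session is still authenticated; otherwise replay the login."""
        if self.pattern in html:
            return True
        self.relogins += 1
        self.login()
        return False


def demo() -> dict:
    pattern = detect_session_pattern(LOGGED_IN, LOGGED_OUT)
    crawler = SessionAwareCrawler(pattern, restricted=["/logout.php"], login=lambda: None)
    followed = [u for u in ["/userinfo.php", "/logout.php", "/cart.php"] if crawler.allowed(u)]
    # Second constructed response looks logged out: the session was destroyed mid-crawl.
    states = [crawler.check_response(LOGGED_IN), crawler.check_response(LOGGED_OUT)]
    return {"pattern": pattern, "followed": followed, "states": states,
            "relogins": crawler.relogins}
```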
We can set the “Scan Type” we want for this scan. For example, if we only want to scan for Cross-site Scripting vulnerabilities, we can choose the relevant Scan Type. You can also create your own Scan Types to specify exactly which vulnerabilities you want to test for. In this case, we’re going to be scanning for High Risk Vulnerabilities. We can also specify a Report that we want to be automatically generated after the scan is completed. Of course, we can always go back and generate reports from previous scans later if we choose to do so, but for now, we’ll choose a PCI compliance report in this example. Finally, we need to decide when this scan is to run. We can either run the scan instantly, at a future date, or we can even set up a recurring schedule for this scan. For this example, let’s just start the scan instantly. Acunetix will now start to crawl and subsequently scan the site for vulnerabilities.

In the meantime, let’s go over some of Acunetix’s differentiating features. First, let’s take a look at DeepScan. Acunetix DeepScan is the technology that powers the Acunetix crawler. DeepScan can crawl and scan HTML5 web applications, and can also execute JavaScript like a normal browser. This means that the crawler can crawl complex client-side web applications that make use of modern JavaScript frameworks, and DeepScan also brings the ability to reliably detect DOM-based XSS, which is not possible using traditional crawlers. Also thanks to DeepScan, Acunetix can scan for malicious URLs, based on the Google and Yandex safe-browsing databases, and it can also test popular CMSs such as WordPress, Drupal, Joomla! and others for hundreds of vulnerabilities. In addition to all of this, DeepScan can also understand CRUD (Create, Read, Update and Delete) requests and can detect and individually test JSON, XML and GWT (Google Web Toolkit) input schemes, even in AJAX requests. DeepScan can also automatically test web services, including SOAP web services with WSDL or WCF definitions (WSDL/SOAP, WCF/SOAP) and REST services with WADL definitions (WADL/REST).

Next, we’ll take a look at AcuMonitor.
AcuMonitor is a set-it-and-forget-it technology that is included as part of Acunetix. It serves as an intermediary service that works in the background and allows the scanner to detect out-of-band vulnerabilities. Out-of-band vulnerability testing accounts for vulnerabilities that do not provide a response to a scanner during testing. Such vulnerabilities include Blind Cross-site Scripting (XSS), XML External Entity Injection (XXE), Server Side Request Forgery (SSRF), Out-of-Band SQL Injection and Out-of-Band Remote Code Execution, all of which can be automatically detected using AcuMonitor. In order to detect out-of-band vulnerabilities, an intermediary service that the scanner controls, or has access to, needs to exist. Acunetix, combined with AcuMonitor, makes automatic detection of such vulnerabilities painless and also transparent to the user running the scan.

In this example, AcuMonitor is detecting a Blind Cross-site Scripting vulnerability. In the first step, Acunetix will send a Cross-site Scripting payload to the web application. The Cross-site Scripting payload will then get stored in a datastore, where it may remain for an indefinite amount of time, possibly long after the scan has completed. This payload is executed inside a victim’s browser at a later date, possibly from an entirely different web application which shares the same datastore. Once the Cross-site Scripting payload executes, it will contact AcuMonitor, notifying it that it has executed, and AcuMonitor in turn notifies Acunetix.

Finally, we’ll talk about AcuSensor.
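Before moving on to AcuSensor, here is the callback correlation that out-of-band detection depends on, as an added example that is not Acunetix or AcuMonitor code: each injection point gets its own unpredictable token registered with the intermediary service, a callback carrying that token (even days after the scan ended) maps back to exactly one injection point, and callbacks with unknown tokens are ignored. The token format, the callback request shape and the timeline are assumptions.

```python
"""Out-of-band callback correlation, the role AcuMonitor plays above (added example,
not Acunetix/AcuMonitor code). Token format, callback shape and timeline are assumed."""
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InjectionPoint:
    scan_id: str
    url: str
    parameter: str
    vuln_class: str            # e.g. "Blind XSS", "SSRF", "XXE"


@dataclass
class OutOfBandMonitor:
    """Intermediary the scanner controls. It never sees the target's response; it only
    waits for the target, or a victim browser much later, to call back with a token."""
    registry: dict[str, tuple[InjectionPoint, float]] = field(default_factory=dict)
    scan_end: dict[str, float] = field(default_factory=dict)   # scan_id -> end time

    def issue_token(self, point: InjectionPoint, sent_at: float) -> str:
        # One unpredictable token per injection point, so a callback cannot be forged by
        # guessing and each one maps back to exactly one scanner request.
        token = secrets.token_hex(8)
        self.registry[token] = (point, sent_at)
        return token

    def on_callback(self, request_line: str, received_at: float) -> dict | None:
        """Correlate a callback like 'GET /cb/<token> HTTP/1.1'; None for unknown tokens."""
        m = re.match(r"GET /cb/([0-9a-f]{16}) HTTP/1\.[01]$", request_line)
        if not m or m.group(1) not in self.registry:
            return None        # noise or a guessed token, not a confirmed finding
        point, sent_at = self.registry[m.group(1)]
        ended = self.scan_end.get(point.scan_id)
        return {"point": point, "delay_s": received_at - sent_at,
                "after_scan_end": ended is not None and received_at > ended}


def demo() -> tuple[dict | None, dict | None]:
    mon = OutOfBandMonitor()
    point = InjectionPoint("scan-1", "http://target.example/feedback", "comment", "Blind XSS")
    token = mon.issue_token(point, sent_at=1_000.0)
    mon.scan_end["scan-1"] = 4_600.0            # scan finished an hour after the injection
    # Constructed callbacks: a bogus token, then the real one fired by a browser days later.
    noise = mon.on_callback("GET /cb/0000000000000000 HTTP/1.1", received_at=5_000.0)
    hit = mon.on_callback(f"GET /cb/{token} HTTP/1.1", received_at=1_000.0 + 3 * 86_400)
    return noise, hit
```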
AcuSensor is a standard component with Acunetix that can be installed on the server side to provide what is known as a gray-box scan. Black-box scanners, including Acunetix without AcuSensor, don’t have access to the web application’s code. On the other end of the spectrum, source code analysis tools can’t always understand what happens when code is in execution. Acunetix AcuSensor brings both testing methodologies together and as a result can provide a more accurate and comprehensive scan. Since the sensor has knowledge of the back-end system, it can also find vulnerabilities which a black-box scanner cannot. AcuSensor improves a scan by providing increased vulnerability information, such as the source code line number, a stack trace, and even the queries affected by SQL Injection. Furthermore, because AcuSensor has full visibility of what’s going on on the back end, it brings a reduction to an already very low false-positive and false-negative rate. It also has the ability to analyze the server configuration to expose potential misconfigurations, and the ability to detect files present on a web server thanks to AcuSensor’s back-end crawl technology. And because AcuSensor can indicate the vulnerable line of code and can even report additional debug information, it greatly increases a development team’s efficiency at resolving critical security bugs.

Let’s now switch back to Acunetix and take a look at the scan results. The moment you click on a specific vulnerability, SQL Injection in this case, Acunetix reveals the input parameter that is vulnerable as well as the attack vector for that parameter. Acunetix will first provide a summary of the vulnerability, and then it will proceed to explain what the impact of such a vulnerability is and how to fix it. Since testphp.vulnweb.com is set up to work with AcuSensor, we can see that Acunetix also provides us with the SQL statement used, and it will even provide us with the file concerned and the vulnerable line of code. Another example of a vulnerability would be Server-side Request Forgery, which is an out-of-band vulnerability that was only possible to detect thanks to AcuMonitor. Selecting a specific vulnerability allows us to see its details, such as the vulnerability’s description, attack details, the HTTP request that was sent, the vulnerability’s impact, the vulnerability’s fix, classifications such as CWE, CVE and CVSSv3, as well as any web references.

Earlier, when we configured the scan, we requested that a PCI DSS report be generated upon the scan’s completion. We can easily access the report by navigating to “Reports”. Apart from creating “Scan Reports”, we can also create a “Target Report” and an “All Vulnerabilities Report”. For example, I can generate a Target Report that lists all vulnerabilities inside of a specific Target that I’m interested in. Acunetix can generate several types of reports, be that the Developer report, which is the most detailed report, or a report that simply provides an Executive Summary, and of course there is a comprehensive list of compliance reports to choose from, including OWASP Top 10, PCI DSS, ISO 27001, HIPAA, and others. We’ll be generating an Affected Items Report for this example.

As we discussed earlier, reports are great for communicating vulnerability management progress. However, when it comes to remediation, which is the most important step in the vulnerability management process, Acunetix provides us with a number of tools to help us even further. Before we can do anything with the vulnerability data we have, it’s important that we’re able to slice and dice it to obtain the results we are after. By using “Filters”, we can fine-tune any view to reduce the data we are presented with to fit a complex search query. For example, we might want to see vulnerabilities that are of “High” and “Medium” Severity, that exist in Targets with a Business Criticality of “Critical” and “High”, and that have a status of “Open” and are therefore not fixed yet. And also, let’s narrow this down to Targets that are externally facing and also running in production.

In some cases, it’s not practical or possible to fix a vulnerability there and then. At the same time, it is not acceptable to leave known vulnerabilities ripe for exploitation. Web Application Firewalls, or WAFs, are useful tools in this space, since they allow you to temporarily block malicious requests and give you enough breathing room to fix vulnerabilities. Acunetix supports virtual patching on the most popular Web Application Firewalls. Now, while virtual patching reduces your risk temporarily, there is no better protection than to actually fix the vulnerability, and so Acunetix integrates closely with issue trackers, allowing you to open vulnerabilities as issues in Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS) without leaving Acunetix’s user interface.

That brings this deep-dive to a close. If you have any further questions, please feel free to reach our Support Team at [email protected]. Thank you for your attention.
