Review: Acunetix Web Vulnerability Scanner

By | April 17, 2006

More companies than ever are using web applications for their business, yet only a small percentage of websites are tested for vulnerabilities. Through web application vulnerabilities, hackers can gain access to sensitive data such as customers’ details and corporate data: a Gartner study reveals that 75% of cyber attacks are launched on shopping carts, forms, login pages etc., and 8 out of 10 websites have at least one serious vulnerability.

Any defense at the network security layer guarantees no protection against web attacks, since they are launched over port 80 – which has to remain open. In addition, web application security auditing is often done from the developer’s perspective – checking the source code for possible security issues – which can leave gaps in the application’s security.

To create a web application that is both secure and reliable, you need to combine the developer’s approach with the hacker’s approach – checking for security issues after the code leaves the development environment. To provide continuous protection for your web application, this task needs to be done automatically and regularly – which is what Acunetix Web Vulnerability Scanner provides.

Acunetix Web Vulnerability Scanner lets you view your web application’s security problems from the hacker’s perspective – it doesn’t check the code, but can tell how one could circumvent your application’s security through Cross-Site Scripting, SQL Injection, server attacks etc.

To perform a scan, you simply click “New Scan” to start the Scan Wizard. You can perform a number of scan types. The first option scans a single web site. Acunetix provides a list of test websites to check the installation and learn more about the software’s features. The second option initiates a scan on a list of web sites read from a file. The last option locates and scans web applications on a range of IP addresses on a network.

Once you select a web site, you choose the scanning options: the profile to be used for scanning, how to crawl the web site and how to perform the scan. The scanner comes with many built-in scanning tests such as SQL injection, Cross-Site Scripting and more. The default option performs all tests. However, to speed up the scanning process, you can select only particular tests. You can also create custom profiles for your web applications.

The scan results appear in two nodes. The “Alerts” node provides you with a list of the security vulnerabilities detected during the scan. The “Site Structure” node displays the web pages discovered by the scanner’s crawler. You can click on a file or directory name to get further information, such as the file size and its path. The right pane contains detailed information about each security issue. This includes a description of the problem, its severity level, its impact on the web application, and references to online security advisories where you can get more information.

Acunetix Web Vulnerability Scanner also includes several additional tools:

Report Generation – Using the “Report Wizard” you can select the scan result(s) for which you want to generate a report. The wizard lets you customize the information to be included in the report. Each report will contain a scan summary (general information on the scan), an alerts summary and alert details.

Vulnerability Editor – The “Vulnerability Editor” allows you to create new vulnerability checks or edit existing ones.

From what I have experienced with Acunetix Web Vulnerability Scanner, I can definitely say that it is the best tool to audit your web application through the eyes of an attacker. The scanner focuses its attention on the web application and provides you with information on security issues that hackers can exploit. So, whether you are a web application developer or a security auditor, Acunetix Web Vulnerability Scanner is an essential tool to ensure the security of your web application. Click here to download a copy of Acunetix Web Vulnerability Scanner.