Acunetix Web Vulnerability Scanner. Manual. v5.0. By Acunetix Ltd.



Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Acunetix Ltd. Acunetix WVS is copyright of Acunetix Ltd. All rights reserved.

Document version 5.00. Last updated 4th June 2007.

Contents

1. Introduction to Acunetix Web Vulnerability Scanner
   1.1 Why You Need to Secure Your Web Applications
   1.2 Web Attack Examples
   1.3 The Acunetix Web Vulnerability Scanner
   1.4 Audited Vulnerabilities
   1.5 Supported Technologies
   1.6 Main Features
   1.7 Acunetix WVS Program Overview
   1.8 License Scheme
       1.8.1 Perpetual or Time Based Licenses
       1.8.2 Small Business Version - 1 Site/Server
       1.8.3 Enterprise Version - Unlimited Sites/Servers
       1.8.4 Consultant Version
       1.8.5 Purchasing Acunetix WVS
2. Installing Acunetix WVS
   2.1 System Requirements
   2.2 Installation Procedure
   2.3 Upgrade Procedure
   Configuring a Proxy Server
   Configuring Web Browser for HTTP Sniffer
   Password Protect WVS
   Limitations of the Evaluation Version
   Upgrading from an Evaluation to a Purchased Version
   Extending or Upgrading a Purchased Version
3. The User Interface
   Introduction
   The WVS Main Interface
       Layout
       Navigation Toolbar
       Tools Explorer
       Main Area
       Activity Window
       Status Bar
       Hiding Panels
       Context Menus
   The Settings Interface
       Saving Changes
   Error Handling
4. Getting Started: Scanning Your Website
   Starting a Scan
   Step 1: Select Target(s) to Scan
   Step 2: Confirm Targets and Technologies Detected
   Step 3: Specify Crawler Options
   Step 4: Specify Scanning Profile Options and Mode
   Step 5: Configure Login for Password Protected Areas
   Step 6: Configuring Custom 404 Error Pages
   Selecting the Files/Folders to Scan
   4.9 Analyzing the Scan Results
       Alerts Node
       Site Structure Node
   Saving the Scan Results
   Generating a Report from the Scan Results
   Google Hacking Vulnerabilities
5. Site Crawler Tool
   Introduction
   Analyzing a Website Structure
       Starting the Crawling Process
       Analyzing the Information Collected by the Crawler
       Info Tab
       Referrers Tab
       HTTP Headers Tab
       Inputs Tab
       View Source Tab
       View Page Tab
       HTML Analysis Tab
6. Target Finder Tool
   Introduction
   To Start a Scan
7. Subdomain Scanner Tool
   Introduction
   Starting a Subdomain Scan
8. HTTP Sniffer Tool
   Introduction
   Configuring the HTTP Sniffer
   Enabling the HTTP Sniffer
   Creating an HTTP Sniffer Trap Filter
   Analyzing and Responding to the Trapped Requests
       The Trap Form
   Editing an HTTP Request Without a Trap
9. Authentication Tester Tool
   Introduction
   Testing HTTP Authentication
       What is HTTP Authentication?
       Testing the Password Strength
   Testing HTML Form Authentication
       What is HTML Forms Authentication?
       Testing Password Strength
10. HTTP Editor Tool
   Introduction
   Editing a Request
   Fine-Tuning Requests and Analyzing Responses
       Response Headers and Response Data Tabs
       Text Only Tab
       View Page Tab
       HTML Structure Analysis Tab
11. HTTP Fuzzer Tool
   11.1 Introduction
   11.2 Creating a Rule to Automatically Test a Series of Inputs
12. Web Services Scanner
   Introduction
   Starting a Web Service Scan
   Analyzing Results
13. Web Services Editor
   Introduction
   Using the Web Services Editor
   HTTP Editor Export Feature
14. Compare Results Tool
   Introduction
   Comparing Results
   Analyzing the Results Comparison
   Modify/Delete Template Items
15. The Reporter
   Introduction to the Reporter
   Launching the Reporter
   Report Styles and Templates
   Generating a Report
   The Report View
   WVS Database
   The Reporter Settings
16. Command Line Support
   Introduction
   Locating the WVS Command Line Executable
   Command Line Parameters and Options
   Reporter Command Line
   Command Line Examples
17. Scheduler
   Introduction
   The Scheduler Management Console
   Creating a Schedule
18. Configuring Acunetix WVS
   Introduction
   Settings: Application Settings > General
   Settings: Application Settings > LAN Settings
   Settings: Application Settings > Database
   Settings: Application Settings > Certificates
   Settings: Application Settings > Logging
   Tool Settings > Site Crawler
   Tool Settings > Site Crawler > File Filters
   Tool Settings > Site Crawler > Directory Filters
   Tool Settings > Site Crawler > URL Rewrite
   Tool Settings > Site Crawler > Custom Cookies
   Tool Settings > HTTP Sniffer
   Tool Settings > Scanner
   Scanner Settings > Login Sequences
   Scanner Settings > HTML Forms
   Scanner Settings > Parameter Exclusions
   Scanner Settings > Custom Error Pages
   18.18 Scanner Settings > GHDB
19. Scanning Profiles
   Default Scanning Profiles
   Creating/Modifying Scan Profiles
20. Database Conversion Utility
   Introduction
   Obtaining the Database Conversion Utility
   Converting a Database
21. Vulnerability Editor
   Introduction
   Acunetix WVS Audit Modules
   Adding a Vulnerability Test
       Editing the Vulnerability Description
       Specifying When the Vulnerability Check is Applicable
       Specifying Test Variables
       Variables Explained
       Defining the Requests to be Made in the Test
       Analyzing the Response
   Adding a Vulnerability Item
   Example: Creating a Test Which Searches for a Particular File
       Step 1: Creating a Vulnerability
       Step 2: Adding a Vulnerability Item
       Step 3: Configuring the Test Properties
       Step 4: Save the Test and Re-Launch Acunetix WVS
22. WVS File Types
   WVS Tools File Types
   WVS Export File Types
23. Troubleshooting
   Introduction
   Request Support via Support Center
Credits
Index

1. Introduction to Acunetix Web Vulnerability Scanner

1.1 Why You Need to Secure Your Web Applications

Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority in any organization. Increasingly, hackers are concentrating their efforts on web-based applications to obtain access to, and misuse, sensitive data such as customer details, credit card numbers and proprietary corporate data. Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal attacks, Parameter Manipulation (e.g. of the URL, cookies, HTTP headers and HTML forms), Authentication attacks, Directory Enumeration and other exploits. Moreover, the hacker community is very close-knit; newly discovered web application intrusions are posted on a number of forums and websites known only to members of that exclusive group. Postings are updated daily and are used to propagate and facilitate further hacking.

Web applications (shopping carts, forms, login pages, dynamic content and other bespoke applications) are designed to allow your website visitors to retrieve and submit dynamic content, including varying levels of personal and sensitive data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.

Why does this happen? Websites and related web applications must be available 24 hours a day, 7 days a week to provide the required service to customers, employees, suppliers and other stakeholders. Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public. Web applications often have direct access to backend data such as customer databases and, hence, control valuable data and are much more difficult to secure.

Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack. Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.

Network security defenses provide no protection against web application attacks, since these are launched on port 80 (the default for websites), which has to remain open to allow regular operation of the business. For the most comprehensive security strategy, it is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.

The need for automated web application security scanning

Manual vulnerability auditing of all your web applications is complex and time-consuming. It also demands a high level of expertise and the ability to keep track of considerable volumes of code and of all the latest tricks of the hacker's trade. Automated vulnerability scanning allows you to focus on the more challenging issue of securing your web applications from any exploitable vulnerability that jeopardizes your data.

1.2 Web Attack Examples

Well-known sites that were open to web application attacks include:

- TJX, the owner of clothing retailers T.J. Maxx and Marshall's Inc., suffered the largest known data theft to date. Hackers invaded the TJX systems, resulting in at least 45.7 million credit and debit card numbers being stolen over an 18-month period, as well as other personal data, including the driver's license numbers of another 455,000 customers who returned merchandise without receipts. TJX first learned that there was suspicious software on its computer system on Dec. 18, 2006; however, the stolen data covered transactions dating as far back as December.
- In September 2006 hackers pilfered the personal data of nearly 19,000 DSL equipment customers through a vulnerability in AT&T's online store. In a statement, AT&T attributed the motive of the attack to a criminal market for illegally obtained personal information. In fact, the data also included customers' credit card details.
- In 2006, ChoicePoint, Inc. paid $10 million in civil penalties and $5 million in consumer redress after the personal financial records of more than 163,000 consumers in its database had been compromised.
- Last year, the University of Southern California spent more than $140,000 to notify affected students and also shut down the applications website for 10 days after a hacker gained online access to the admissions website.
- In June 2004, security analyst ZapTheDingbat pointed out that MasterCard, Natwest, Barclaycard, WorldPay, the GCHQ and various other sites had missed some basic gaps in their security, including the cross-site scripting vulnerability. This flaw, for example, allows hackers to send users to the legitimate site while displaying content and functionality of the hacker's choice.
- In June 2003 fashion label Guess and pet supply retailer PetCo.com were notoriously found to be vulnerable to the SQL injection vulnerability. This resulted in PetCo leaving as many as 500,000 credit card numbers open to anyone able to construct a specially-crafted URL.
- One hacker gained access to over five million credit card accounts in February 2003 through a web application attack.
- Similarly, in December 2002, a vulnerability at Tower Records' website laid bare the company's customer orders database.

1.3 The Acunetix Web Vulnerability Scanner

The Acunetix Web Vulnerability Scanner (WVS) broadens the scope of vulnerability scanning by introducing highly advanced heuristic and rigorous technologies designed to tackle the complexities of today's web-based environments. WVS is an automated web application security testing tool that audits your web applications by checking for vulnerabilities to SQL Injection, Cross Site Scripting and other exploitable hacking vulnerabilities. In general, the product scans any website or web application that is accessible via a web browser and that respects HTTP/HTTPS rules. Besides automatically scanning for exploitable vulnerabilities, WVS offers a strong and unique solution for analyzing off-the-shelf and custom web applications, including those relying on JavaScript (e.g. AJAX applications).

Acunetix WVS is suitable for small, medium-sized and large organizations with intranets, extranets and websites aimed at exchanging and/or delivering information with/to customers, vendors, employees and other stakeholders.

How WVS Works

Acunetix WVS has a vast array of automated features and manual tools and, in general, works in the following manner:

1. It crawls the entire website by following all the links on the site and in the robots.txt file (if available). WVS will then map out the website structure and display detailed information about every file.
2. After this discovery stage, or crawling process, WVS automatically launches a series of vulnerability attacks on each page found, in essence emulating a hacker. WVS analyzes each page for places where it can input data, and subsequently attempts all the different input combinations. This is the Automated Scan Stage.
3. As it finds vulnerabilities, Acunetix WVS reports these in the Alerts Node. Each alert contains information about the vulnerability and recommendations on how to fix it.
4. After a scan has been completed, it may be saved to file for later analysis and for comparison to previous scans. With the Reporter tool a professional report may be created summarizing the scan.

1.4 Audited Vulnerabilities

Acunetix WVS automatically checks for the following vulnerabilities:

Version Check
- Vulnerable Web Servers
- Vulnerable Web Server Technologies, such as PHP file disclosure and possible code execution

CGI Tester
- Checks for Web Server Problems: determines if dangerous HTTP methods are enabled on the web server (e.g. PUT, TRACE, DELETE)
- Verify Web Server Technologies

Parameter Manipulation
- Cross-Site Scripting (XSS)
- SQL Injection
- Code Execution
- Directory Traversal
- File Inclusion
- Script Source Code Disclosure
- CRLF Injection / HTTP Response Splitting
- Cross Frame Scripting (XFS)
- PHP Code Injection
- XPath Injection
- Full Path Disclosure
- LDAP Injection
- Cookie Manipulation
- URL Redirection
- Application Error Message

MultiRequest Parameter Manipulation
- Blind SQL / XPath Injection

File Checks
- Checks for Backup Files or Directories
- Looks for common files (such as logs, application traces, CVS web repositories)
- Cross Site Scripting in URI
- Checks for Script Errors

Directory Checks
- Looks for Common Files (such as logs, traces, CVS)
- Discover Sensitive Files/Directories
- Discovers Directories with Weak Permissions
- Cross Site Scripting in Path and PHPSESSID Session Fixation

Web Applications
- Large database of known vulnerabilities for specific web applications such as Forums, Web Portals, Collaboration Platforms, CMS Systems, E-Commerce Applications and PHP Libraries

Text Search
- Directory Listings
- Source Code Disclosure
- Check for Common Files
- Check for Addresses
- Microsoft Office Possible Sensitive Information
- Local Path Disclosure
- Error Messages

GHDB - Google Hacking Database
- Over 1400 GHDB Search Entries in the Database

Web Services Parameter Manipulation
- SQL Injection / Blind SQL Injection
- Directory Traversal
- Code Execution
- XPath Injection
- Application Error Messages

Other vulnerability tests may also be performed using the manual tools provided, including:
- Input Validation
- Authentication attacks
- Buffer overflows

1.5 Supported Technologies

Acunetix WVS is designed to use a web application as an exploitable frontend through which it can make contact with a database or web server. This approach ensures that WVS does not rely on specific compatible web servers for a scan to be executed. For scanning web applications, Acunetix WVS is designed around the following concept: if an application can be viewed in any browser without installing special plug-ins, over the HTTP and HTTPS protocols, then it will also be correctly crawled and scanned.

Tests carried out internally, and on public web applications, have confirmed that Acunetix WVS can efficiently crawl and scan the following technologies: ASP, ASP.NET, JavaScript, AJAX, PHP, FrontPage, PERL, JRun, Ruby, Flash, ColdFusion. Tested web applications were also hosted on a number of different web servers such as IIS, Apache, Sun Java and Lotus Domino.

1.6 Main Features

Compliance Reporting

The Reporter allows you to generate detailed compliance reports for OWASP, PCI, Sarbanes-Oxley, Web Application Security Consortium and HIPAA.

JavaScript / AJAX Support - Client Script Analyzer (CSA)

During the discovery stage, Acunetix WVS crawls for JavaScript and AJAX using the new Client Script Analyzer (CSA). This allows the crawler to build a comprehensive site structure upon which the automated scan will be launched. The CSA has been designed to be part of the crawling process to allow automated rather than manual crawls of websites that rely on JavaScript / AJAX. Rather than parsing the client code on the page, the CSA actually executes the JavaScript in real time, in similar fashion to a browser. It does this by building the Document Object Model (DOM) of each page on the website. These design features significantly reduce the time needed to scan websites containing JavaScript code while simplifying the whole scanning process for such sites.

Web Services Support

For complete web security analysis, Acunetix WVS features full support for Web Services vulnerability scanning and assessment. Web Services are now becoming a commonplace implementation for information availability and task processing over the internet, and the need to secure these systems from being exploited also brings about the need for the right tools to perform this task. The Web Services Scanner and Web Services Editor allow for full vulnerability scanning and WSDL analysis, with full reporting functionality.

Subdomain Scanner

The Subdomain Scanner allows fast and easy identification of active subdomains using various techniques and guessing of common subdomain names. The Subdomain Scanner can be configured to use the target's DNS server, or one specified by the user for added flexibility.

Scheduler Application

The Scheduler application ensures enhanced flexibility and automation when launching all types of scans, including concurrent and/or sequential scans of single or multiple websites. Schedule such tasks as automated web crawling and scanning at a time most convenient to you. Tasks may be run daily, weekly, monthly, at certain times and/or continuously within a queue. Scheduling runs as a service, with the related management console enabling users to fully and easily configure the scanning, crawling, logging and saving-of-results features. Relevant schedule logs provide users with detailed information on the scheduled queues.

Command Line

The command line support provides a command line interface that gives you the power of Acunetix WVS without the usual graphical user interface. It allows you to use WVS directly from the command prompt and from batch files and script languages, making it ideal for automating repetitive tasks. A comprehensive set of command line parameters gives you direct control over the WVS features. The WVS command line supports the normal tasks for automated scanning as well as tasks related to Web Services.

URL Rewrite Support

The idea behind URL rewriting (for example, mod_rewrite) is to use a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly. URL Rewrite configurations may be set up in Acunetix WVS to support the proper crawling of such websites. The configuration may be done manually by defining custom rulesets, and also by importing the rules directly from Apache httpd.conf or .htaccess files.

Detects Google Hacking Vulnerabilities

Google hacking is the term used to refer to a hacker trying to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, a hacker may still crawl your site and launch Google Hacking Database queries directly onto the crawled content. The Google hacking feature will launch all the queries found in the Google Hacking Database onto the crawled content of your website, thus finding any sensitive data or exploitable targets before a search engine hacker does. The Google hacking feature is a unique, industry first feature. The Google Hacking Database is located at and looks for the following information:

- Advisories and server vulnerabilities
- Error messages that contain too much information
- Files containing passwords
- Sensitive directories
- Pages containing logon portals
- Pages containing network or vulnerability data such as firewall logs

For further reference please visit:

Extend Attacks with the HTTP Editor and Sniffer

With the HTTP Editor, you may construct HTTP/HTTPS requests and analyze the related responses of the web server. The feature thus allows you to perform and test for custom SQL injection and cross site scripting attacks. With the HTTP Sniffer you can log, intercept and modify all HTTP/HTTPS traffic, giving you in-depth knowledge of the data sent by your web application.

In-Depth Testing with the HTTP Fuzzer

The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and input validation. With it, you can create rules to automatically test a range of variables. A simple example would be the following URL:

Using the HTTP Fuzzer you could create a rule which would automatically replace the last part of the URL with numbers between

Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries while significantly reducing the amount of manual input.

Login Sequence Recorder for Protected Areas

The recorder allows you to scan password-protected sections of your website. Simply use the login sequence tool to provide Acunetix WVS with single or multiple login details. In addition, you can provide the scanner with links it should not crawl, for example a logout link.

Automatic HTML Form-filler

When the crawler encounters an HTML form, it can be instructed to use certain input values when submitting this form. This way you can automatically test your website for different types of inputs.

Crawl Flash Files

Acunetix WVS analyzes Flash files looking for both links to follow and HTML code.

Test Password Strength of Login Pages

With the Authentication Tester, you can audit password-protected pages by launching a dictionary attack.

Vulnerability Editor

Create custom web attack checks or modify existing ones with the Vulnerability Editor.

Supports All Major Web Technologies

Acunetix WVS supports scanning for vulnerabilities in websites that use any of the major development technologies, including ASP, ASP.NET, PHP and CGI. In general, the product scans any website or web application that is accessible via a web browser and that respects HTTP/HTTPS rules.

Scanning Profiles

You can use different scanning profiles to scan different websites with different identity and scan options. This reduces scan times and allows for deeper analyses.

Report Generator

The Acunetix WVS V5 Reporting Application makes it quick and easy to generate different reports of your scan results, with the added functionality to export the report to a variety of file types. Designed as a stand-alone application, the Reporter connects directly to the WVS database and allows you to view results and generate different reports for vulnerabilities, compliance, statistics and parallel comparison of results. In-built search functionality allows you to search for specific alerts within a set of results. The Reporter is also fully configurable: you can configure the default report type for on-the-fly report generation, insert custom logos, headers and footers, or change page layout and size.

Compare Scans and Find Differences

Use the compare function to easily contrast recent and previous scans, thereby reflecting the changes made and identifying any resulting new vulnerabilities.

Easily Re-Audit Website Changes

Good security practice requires you to check your website after every change made to it. This can be done automatically with Acunetix WVS. Re-auditing a website has been further simplified with the Scheduler application, which allows you to automatically configure website scans according to your specific work and development schedules.
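The URL Rewrite support described above (importing mod_rewrite rules so the crawler can see the real script and parameter names behind a rewritten URL) is illustrated here by a small rule interpreter. This is an added example, not Acunetix code: the .htaccess fragment and the URLs are constructed for a hypothetical site, and only RewriteRule lines with the L, NC and QSA flags are handled (no RewriteCond, no external redirects).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed .htaccess fragment for a hypothetical site (not from the
# Acunetix manual or product). Only RewriteRule lines are interpreted;
# RewriteCond and external redirects are outside this example's scope.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteBase /
# Pretty product URLs
RewriteRule ^products/([0-9]+)\.html$ product.php?id=$1 [L,QSA]
# Category listing, optionally with a page number
RewriteRule ^category/([a-z-]+)/page-([0-9]+)/?$ category.php?name=$1&page=$2 [L]
RewriteRule ^category/([a-z-]+)/?$ category.php?name=$1 [L]
# Everything below /user/ is handled by one controller script
RewriteRule ^user/(.*)$ user.php?path=$1 [NC]
"""

RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$', re.I)


def parse_rules(text):
    """Return [(compiled_pattern, substitution, flags)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # RewriteEngine, RewriteBase, etc. are ignored here
        pattern, subst, flags = m.groups()
        flagset = {f.strip().upper() for f in (flags or '').split(',') if f.strip()}
        # [NC] makes the pattern case-insensitive, as in Apache
        compiled = re.compile(pattern, re.I if 'NC' in flagset else 0)
        rules.append((compiled, subst, flagset))
    return rules


def _expand(subst, match):
    # Replace $1..$9 back-references with the captured groups
    return re.sub(r'\$([1-9])', lambda g: match.group(int(g.group(1))) or '', subst)


def rewrite(url, rules, max_passes=10):
    """Rewrite a request URL the way mod_rewrite does in per-directory
    (.htaccess) context: rules are tried in order against the path with the
    leading slash removed; [L] ends the current pass; processing then
    restarts on the rewritten path until no rule matches."""
    parts = urlsplit(url)
    path, query = parts.path.lstrip('/'), parts.query
    for _ in range(max_passes):
        matched = False
        for pattern, subst, flags in rules:
            m = pattern.search(path)
            if not m:
                continue
            matched = True
            new = urlsplit(_expand(subst, m))
            path = new.path.lstrip('/')
            if new.query:
                # A substitution with its own query string replaces the
                # original one unless [QSA] asks for it to be appended
                query = new.query + ('&' + query if query and 'QSA' in flags else '')
            if 'L' in flags:
                break
        if not matched:
            break
    return '/' + path + ('?' + query if query else '')


def resolve(url, rules):
    """What a crawler wants to know: the real script and its parameter names."""
    final = urlsplit(rewrite(url, rules))
    return final.path, dict(parse_qsl(final.query, keep_blank_values=True))


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_HTACCESS)
    for u in ['/products/42.html?ref=mail', '/category/shoes/page-3',
              '/User/profile/edit', '/static/logo.png']:
        print(u, '->', resolve(u, rules))
```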

1.7 Acunetix WVS Program Overview

The following pages briefly explain the main WVS tools and features.

Web Scanner

Screenshot 1 - Acunetix Web Vulnerability Scanner

The Web Scanner is the most important component: it launches the automated security audit of a website. The automated scan consists of two phases:

1. Crawling - this discovery phase will automatically analyze the website and build a site structure.
2. Scanning - a vulnerability scan consists of a series of attacks launched against the crawled site structure, in effect emulating a hacker.

Screenshot 2 - Scan Results

The results of a scan are displayed in an Alert Node tree. Each Alert Node contains extensive details on all the vulnerabilities found within the website.

Site Crawler

Screenshot 3 - The Site Crawler

The Site Crawler tool crawls the entire target website and displays its structure together with detailed information on each file found.

HTTP Editor

Screenshot 4 - The HTTP Editor

The HTTP Editor allows you to create custom HTTP requests from scratch and debug HTTP requests/responses.

HTTP Sniffer

Screenshot 5 - The HTTP Sniffer

In contrast to the HTTP Editor (see above), the HTTP Sniffer helps you modify an HTTP request that is already being sent.

The HTTP Sniffer allows you to capture, examine and modify HTTP communications between an HTTP client and a web server. This tool is used to:

- Analyze how session IDs are stored. Session IDs are used by the application to uniquely identify a client browser. It is important that the session ID is unpredictable and that the application uses a strong method of generating random IDs.
- Analyze how inputs are sent back to the server.
- Alter any HTTP request being sent to the server before it actually gets sent.
- Navigate through parts of the website which cannot be crawled automatically because, for example, of certain JavaScript code.

To use this tool, all HTTP requests must pass through WVS; the software must therefore be set as the proxy server for your browser.

HTTP Fuzzer

Screenshot 6 - The HTTP Fuzzer

The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and input validation. With this tool you can easily create input rules for Acunetix WVS to test. A simple example would be the following URL:

Using the HTTP Fuzzer you can create a rule which would automatically replace the last part of the URL with numbers between

Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries while significantly reducing the amount of manual input.
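The session ID analysis listed above for the HTTP Sniffer (checking that the ID the application issues is unpredictable and comes from a strong random generator) can be automated over the Set-Cookie headers the sniffer logs. This is an added example, not Acunetix code: the two sets of headers are constructed for a hypothetical application, and the 64-bit floor is the minimum recommended by the OWASP Session Management Cheat Sheet.

```python
import math
import re

# Constructed Set-Cookie headers, as the HTTP Sniffer might log them from four
# consecutive responses of a hypothetical application (not real captured data).
WEAK_SESSION = [
    "Set-Cookie: SESSID=1000047; Path=/",
    "Set-Cookie: SESSID=1000048; Path=/",
    "Set-Cookie: SESSID=1000049; Path=/",
    "Set-Cookie: SESSID=1000050; Path=/",
]
STRONG_SESSION = [
    "Set-Cookie: sid=9f86d081884c7d659a2feaa0c55ad015; Path=/; Secure; HttpOnly",
    "Set-Cookie: sid=3c1e7b2a5d904f6e8a7b1c2d3e4f5a60; Path=/; Secure; HttpOnly",
    "Set-Cookie: sid=b71d2e8f4a0c4d3e9f1a2b3c4d5e6f70; Path=/; Secure; HttpOnly",
    "Set-Cookie: sid=0e5a9c4b7d2f4e1a8b3c6d9e2f5a8b1c; Path=/; Secure; HttpOnly",
]

SET_COOKIE_RE = re.compile(r'^Set-Cookie:\s*([^=;\s]+)=([^;]*)(.*)$', re.I)
MIN_BITS = 64                # OWASP Session Management Cheat Sheet minimum
MAX_SEQUENTIAL_STEP = 1000   # IDs closer than this are treated as a counter


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lower-case attribute names})."""
    m = SET_COOKIE_RE.match(header.strip())
    if not m:
        raise ValueError('not a Set-Cookie header: %r' % header)
    name, value, rest = m.groups()
    attrs = {a.strip().split('=', 1)[0].lower() for a in rest.split(';') if a.strip()}
    return name, value, attrs


def max_bits(value):
    """Upper bound on the entropy an ID of this shape can carry: its length
    times log2 of the alphabet it appears to be drawn from."""
    if value.isdigit():
        alphabet = 10
    elif re.fullmatch(r'[0-9a-fA-F]+', value):
        alphabet = 16
    elif re.fullmatch(r'[0-9A-Za-z+/=_-]+', value):
        alphabet = 64
    else:
        alphabet = max(len(set(value)), 1)   # conservative: distinct characters seen
    return len(value) * math.log2(alphabet)


def as_number(value):
    """Interpret the ID as an integer (decimal, else hex) so successive IDs can
    be compared; None when it is neither."""
    if value.isdigit():
        return int(value)
    if re.fullmatch(r'[0-9a-fA-F]+', value):
        return int(value, 16)
    return None


def assess_session_ids(headers):
    """Check a sequence of Set-Cookie headers for the session ID weaknesses
    described above. Returns a list of findings; an empty list means none."""
    parsed = [parse_set_cookie(h) for h in headers]
    name = parsed[0][0]
    cookies = [(v, attrs) for n, v, attrs in parsed if n == name]
    values = [v for v, _ in cookies]
    findings = []

    bits = min(max_bits(v) for v in values)
    if bits < MIN_BITS:
        findings.append('%s: at most %.0f bits of entropy, below the %d-bit minimum'
                        % (name, bits, MIN_BITS))

    # Predictability: IDs that decode to nearby or ever-increasing numbers come
    # from a counter or a clock, not from a strong random generator
    numbers = [as_number(v) for v in values]
    if len(numbers) > 1 and all(n is not None for n in numbers):
        steps = [b - a for a, b in zip(numbers, numbers[1:])]
        biggest = max(abs(s) for s in steps)
        if biggest <= MAX_SEQUENTIAL_STEP:
            findings.append('%s: consecutive IDs differ by at most %d (sequential)'
                            % (name, biggest))
        if all(s > 0 for s in steps):
            findings.append('%s: IDs increase monotonically (counter or timestamp)' % name)

    if len(set(values)) < len(values):
        findings.append('%s: the same session ID was issued more than once' % name)

    for attr, label in (('secure', 'Secure'), ('httponly', 'HttpOnly')):
        if any(attr not in attrs for _, attrs in cookies):
            findings.append('%s: cookie set without the %s attribute' % (name, label))
    return findings


if __name__ == '__main__':
    for label, sample in (('weak', WEAK_SESSION), ('strong', STRONG_SESSION)):
        print(label, assess_session_ids(sample) or ['no findings'])
```

With only a handful of captured IDs the entropy figure is an upper bound from the ID's shape, not a measurement; the sequential and monotonic checks are what catch a counter-based generator on a small sample.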

Authentication Tester

Screenshot 7 - The Authentication Tester

With the Authentication Tester tool you can perform a dictionary attack on login pages which use HTTP (NTLM) or HTML form authentication. This tool uses two predefined text files which contain an extensive list of common usernames and passwords. These text files may be easily modified to include your own combinations.

Vulnerability Editor

Screenshot 8 - The Vulnerability Editor

The Vulnerability Editor allows you to create custom security checks. You will also notice changes and additions to the Vulnerability Editor as updates to Acunetix WVS are installed. For more information on updating Acunetix WVS please refer to page 127 of this manual.

Reporter

The Reporter application allows you to present the scan results in a printable format, which you can send to your colleagues or customers. Various report templates are available, including summary and detailed reports and also compliance reporting. The Consultant Version of WVS allows further customization of the report headers.

Screenshot 9 - Typical WVS Report including Chart of Alerts

1.8 License Scheme

Acunetix Web Vulnerability Scanner (WVS) is available in 3 versions: Small Business, Enterprise and Consultant.

1.8.1 Perpetual or Time Based Licenses

Acunetix WVS is sold as a one-year or perpetual license. The 1-year license expires 1 year from the date of purchase. The perpetual license never expires. The Enterprise and Consultant versions are available as both a one-year and a perpetual license. The Small Business version is available as a perpetual license only.

A Maintenance Agreement, which entitles the end user to free support and version upgrades, is included for free in the one-year license for its full duration. Perpetual licenses include two months of free support and upgrades. To extend this period of support, a maintenance agreement should be purchased along with the perpetual license. A maintenance agreement can be purchased in yearly intervals and begins from the date of product purchase.

1.8.2 Small Business Version - 1 Site/Server

The Small Business Version license allows you to install one copy of Acunetix WVS on one computer and scan one nominated site or server; this site or server must be owned by yourself (or your company) and not by third parties. In the case of companies, you must obtain proper authorization to scan the website. The Acunetix Small Business version will leave a trail in the log files of the scanned server, and scanning of third-party sites is prohibited with this license. To scan multiple websites you would require the Enterprise unlimited license. To install copies on several computers, you need to purchase the necessary individual licenses.

1.8.3 Enterprise Version - Unlimited Sites/Servers

The Enterprise version license allows you to install one copy of Acunetix WVS on one computer and scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. In the case of companies, you must obtain proper authorization to scan the website. The Acunetix Enterprise version will leave a trail in the log files of the scanned server, and scanning of third-party sites is prohibited with this license. To install copies on several computers, you are required to purchase the necessary individual licenses.

1.8.4 Consultant Version

The Consultant version license allows you to install one copy of Acunetix on one computer and scan an unlimited number of sites or servers, including 3rd-party ones, provided that you have obtained permission from the respective site owners. This is the correct version to use if you are a consultant who provides web security testing services, or an ISP. The Consultant edition also includes the capability of modifying the reports to include your own company logo. Furthermore, this version does not leave any trail in the log files of the scanned server.

1.8.5 Purchasing Acunetix WVS

To purchase any of these licenses please visit: and contact one of the Channel Partners in your area. If there are no Channel Partners in your country, you may place your order online from . Pricing is available at .

2. Installing Acunetix WVS

2.1 System Requirements

- Microsoft Windows XP Professional or Home Edition, Windows 2000, Windows Server 2003 and Windows Vista.
- 128 MB of RAM (256 MB or higher recommended).
- 200 MB of available hard-disk space.
- Microsoft Internet Explorer 5.1 (or higher).
- Microsoft SQL Server / Access support if database is enabled (optional).

2.2 Installation Procedure

1. Double click on the webvulnscan5.exe file to launch the Acunetix WVS setup wizard and click Next.
2. Read and review the License agreement and, if you agree with the conditions laid out, select I accept the agreement. Click on Next to continue the installation.

Screenshot 10 - Setup Wizard Enter Details

3. Enter your Name, Company Name and License key. If you are evaluating the product, leave the license key edit box blank. Click Next.

If using the evaluation version, you will only be able to scan one of the Acunetix test websites:
- A test website with PHP technology
- A test website with ASP technology
- A test website with ASP.NET technology

Furthermore, you will not be able to save the scan results.

Screenshot 11 - Setup Wizard Confirm Details

4. Select the folder location where you want to install Acunetix Web Vulnerability Scanner and click Next.
5. Choose whether a program shortcut icon is to be created on the desktop. Click on Next to continue with your installation.

6. After Acunetix WVS has been installed, you will be prompted to launch the application. Check the tick box as appropriate and click Finish.

Screenshot 12 - Setup Wizard Finish

By default, Acunetix WVS is installed with Microsoft Access database support enabled. This is required to create reports using the Reporter. If you want to use a Microsoft SQL Server or MSDE database, you will need to enter the required credentials from the configuration screen under the Application Settings node. For more information on how to configure this feature, please refer to page 113 of this manual.

SQL Server/MSDE must be installed in mixed mode or SQL Server authentication mode. NT authentication only mode is NOT supported.

2.3 Upgrade Procedure

1. Double click on the webvulnscan5.exe file to launch the Acunetix WVS set-up wizard. The installer automatically detects any previously installed version and displays a dialog asking whether to continue or not.

Screenshot 13 - Setup Upgrade Confirmation Dialog

2. Click on Yes to proceed with the upgrade.
3. At this point the uninstaller is launched and it will verify again that you want to actually uninstall the previous version of Acunetix WVS. Click on Yes to proceed with the upgrade.

Screenshot 14 - Setup Uninstall Confirmation Dialog

4. The next step requires a careful choice: if you plan to keep your past scan results and use them in the new version or build of Acunetix WVS, you may select NO to keep the current database. If you plan to clear all your past scans and start from scratch with the new version or build, you may select YES to remove your current database.

Screenshot 15 - Setup Database Removal Dialog

5. At this stage the un-installation process starts; when it has finished, click on OK to proceed with the upgrade.
6. The installation steps that follow are the same as described in section 2.2 of this manual. The installation procedure will be identical to a standard installation from here on.

Screenshot 16 - First Run Previous Settings Import Dialog

7. After the installation is finished, run Acunetix WVS. The application will present a dialog to upgrade any previous settings from the previous build that was installed. Click on Yes to restore any previous configurations to the new version or build just installed.

2.4 Configuring a Proxy Server

Screenshot 17 - LAN HTTP Proxy Settings

If your machine is sitting behind a proxy server and you need Acunetix WVS to use this proxy, then you need to configure the proxy server settings. From the Tools Explorer panel on the far left-hand side of the user interface, select Configuration > Settings. Then select Application Settings > LAN Settings to access the configuration panel as shown above.

Acunetix WVS supports both HTTP and SOCKS proxy settings. You can set up the Acunetix Web Vulnerability Scanner to use both technologies concurrently.

HTTP Proxy Settings
- Use an HTTP proxy server - Tick the check box to make Acunetix WVS use an HTTP proxy server.
- Hostname and Port - Hostname (or IP address) and port number of the HTTP proxy server.
- Username and Password - Credentials used to access the proxy. If no authentication is required, leave these options empty.

SOCKS Proxy Settings
- Use a SOCKS proxy server - Tick the check box to make Acunetix WVS use a SOCKS proxy server.
- Hostname and Port - Hostname (or IP address) and port number of the SOCKS proxy server.
- Protocol - Select which SOCKS protocol to use. Both SOCKS v4 and v5 protocols are supported by Acunetix WVS.
- Username and Password - The credentials used to access this proxy. If no authentication is required, leave these options empty.

2.5 Configuring Web Browser for HTTP Sniffer

To sniff HTTP traffic, you must configure Acunetix WVS as a proxy server for the browser installed on your machine. This allows you to direct WVS to pages it either could not find automatically or could not access (because of JavaScript etc.), and thus be able to scan them.

To use the browser in this way you need to launch Acunetix WVS and enable the HTTP Sniffer. Therefore, it is advisable to install a second browser (either Internet Explorer or Firefox, depending on your default preference) and use it for sniffing traffic. You may then continue using your preferred browser for regular browsing.

Internet Explorer Configuration

To configure Internet Explorer to pass via the Acunetix WVS proxy:

1. Launch Internet Explorer and select Tools > Internet Options > Connections > LAN Settings.

Screenshot 18 - Internet Explorer Proxy Server setup

2. Enable Use a proxy server for your LAN and specify the IP address / name and port (default 8080) of the computer where Acunetix WVS is running. If the browser is running on the same computer as Acunetix WVS, you can use or localhost as the proxy server address.

Mozilla Firefox Configuration

To configure Mozilla Firefox to pass via the Acunetix WVS proxy:

1. Launch Firefox and select Tools > Options.

Screenshot 19 - Firefox proxy setup

2. Click on the Advanced icon at the top of the dialog. Then go to the Network tab and click on Settings.
3. Select Manual proxy configuration and specify the IP address/name and port (default 8080) of the computer running Acunetix WVS for both HTTP and SSL.
4. If you will be using the HTTP Sniffer to browse a local website hosted on the same machine as Acunetix WVS, also clear the No proxy for: textbox.
5. Click on the OK button to save the changes.

2.6 Password Protect WVS

To password protect the main interface of WVS together with all the supporting applications, including the Reporter, Vulnerability Editor and Scheduler, simply follow these steps:

1. Go to the Configuration > Settings > Application Settings > General node to access the password protection configuration settings.

Screenshot 20 - Password Protection Options

2. In the Password protection section of the page, enter the current password in the Current password textbox. If you are configuring a password for the first time, leave this field empty.
3. Enter the new password in both the New password and the Confirm new password textboxes.
4. Click on the Set Password button to save the settings.

Screenshot 21 - Password Protection Dialog

Once a password has been set in WVS, every subsequent time you launch the product or any of its supporting applications you will be presented with a password protection dialog. Simply enter the password you configured in WVS into this dialog to access the application normally. For more information on the password protection feature of WVS, please go to page

2.7 Limitations of the Evaluation Version

The evaluation version of WVS, which is downloadable from the Acunetix main website, is practically identical to the full version in functionality and in the set of tools that it presents, with the following limitations:
- Websites will be scanned for Cross Site Scripting (XSS) vulnerabilities only; only the Acunetix test websites will be scanned for all types of vulnerabilities.
- Only the default report can be generated, and it cannot be printed or exported.
- Scan results cannot be saved.

Screenshot 22 - Evaluation Limitations Dialog

To find out how to purchase Acunetix Web Vulnerability Scanner, select General > How to purchase.

2.8 Upgrading From an Evaluation to a Purchased Version

If you decide to purchase Acunetix WVS, you will need to upgrade the evaluation version to the purchased version. You will receive a new download location to obtain the unlocked, full version. After download, simply launch the setup file. Setup will ask whether it can remove the evaluation version and install the full version. Any settings you have already made will be retained. You will be able to enter the license key you received, after which you will install the full version and scan your website.

2.9 Extending or Upgrading a Purchased Version

If you have already installed the full version but only want to extend the license key or upgrade from an Enterprise to a Consultant version, you can enter your new license key under the General > Licensing node. Right-click on the General/Licensing node, select License Product and enter your new license key.


3. The User Interface

3.1 Introduction

Acunetix WVS consists of a comprehensive set of highly technical, complex and flexible tools. The product has an easy-to-use and intuitive Graphical User Interface (GUI) designed to ensure immediate use of the product without any particular level of technical expertise.

3.2 The WVS Main Interface

3.2.1 Layout

The following sections contain detailed descriptions of the different parts of the Acunetix Web Vulnerability Scanner.

Screenshot 23 - The Acunetix WVS Main Interface Layout

3.2.2 Navigation

The Main Interface includes all the main features needed to operate the application and conduct your audits. From this interface you can launch a new scan, access the individual tools of the application and configure all settings and options. Navigation in Acunetix WVS is performed through the Toolbar and the various nodes in the Tools Explorer panel.

3.2.3 Toolbar

Screenshot 24 - The Acunetix WVS Toolbar

Found below the menu bar at the top, the Toolbar contains quick access buttons (represented by a number of icons) that give quick access to the main tools of the application, to the settings and to the main operation of the product, that of starting a new scan. You will note the following icons/buttons on the toolbar:
- New Scan - Access the Scan Wizard to start a new scan.
- Web Scanner - Access the Web Scanner tool to launch a scan manually instead of using the Scan Wizard.
- Site Crawler - Access the Site Crawler tool.
- Target Finder - Access the Target Finder tool.
- Subdomain Scanner - Access the Subdomain Scanner tool.
- HTTP Editor - Access the HTTP Editor tool.
- HTTP Sniffer - Access the HTTP Sniffer tool.
- HTTP Fuzzer - Access the HTTP Fuzzer tool.
- Authentication Tester - Access the Authentication Tester tool.
- Compare Results - Access the Compare Results tool.
- Web Services Scanner - Access the Web Services Scanner tool.
- Web Services Editor - Access the Web Services Editor tool.
- Settings - Access the configuration settings area of the application.
- Scanning Profile - Access the Scanning Profiles configuration.
- Scheduler - Access the Acunetix WVS Scheduler application.
- Reporter - Access the Reporter application.

3.2.4 Tools Explorer

Screenshot 25 - The Tools Explorer

As will be seen throughout this manual, the Tools Explorer is central to navigating within Acunetix WVS. The Tools Explorer is laid out in a hierarchical tree of nodes (branches) and corresponding sub-nodes (sub-branches). Each sub-node has a parent node which categorizes the structure in sections. The convention used to denote a particular node and sub-node throughout this manual is: Node > Sub-Node. For example, the Settings sub-node is a child of the parent node Configuration. Hence, to denote the Settings node we use Configuration > Settings.

The tree structure has four main nodes:
- Tools - This node category contains all the tools available in the application.
- Web Services - This node category contains all the tools related to web services available in the application.
- Configuration - This node category contains the configuration settings of the application and also the Scanning Profiles configuration settings.
- General - This node category contains general application information and links to the support centre.

3.2.5 Main Area

Screenshot 26 - The Acunetix WVS Main Area

The Main Area of the application shows the current active screen depending on your selection from the toolbar or the Tools Explorer. It therefore varies according to the tool and feature you are using.

3.2.6 Activity Window

Screenshot 27 - The Activity Window

The Activity Window at the bottom shows the current activity of the application in real time. This section is subdivided into two tabs:

- Application Log tab - This tab includes real-time information on all tools and any informational messages.
- Error Log tab - This tab shows any errors occurring during the scan or the use of any of the tools.

3.2.7 Status Bar

Screenshot 28 - The Acunetix WVS Status Bar

The Status Bar found at the bottom of the Main Interface provides summary information on the currently running tool in the application. This information is shown throughout the operation of all tools, so that you always have an immediate overview of the current activity and status of the application.

3.2.8 Hiding Panels

The Tools Explorer and the Activity Window panels can be hidden in order to obtain more space in the main panel. This is extremely useful when working in low resolution modes. To hide a panel, simply click on the icon at the edge of the panel.

Screenshot 29 - Hide Panel Icon

This will trigger the panel's auto-hide mode. Moving the mouse to the main panel will auto-hide the panel, and moving the mouse to the edge where the panel was will bring it into focus again. To change the panel's behavior back to fixed mode, simply click on the icon again. The auto-hide panel mode is available for other panels throughout the application which have the icon.

3.2.9 Context Menus

Many of the nodes used in the Tools Explorer, and also in the tools themselves, contain useful Context Menus. Accessed directly by right-click, these menus are contextual in the sense that they allow access to specific actions tied to a particular node.

Screenshot 30 - The Web Scanner Context Menu

For example, the context menu of the Web Scanner node in the Tools Explorer contains several options regarding the scan results, and also an option to start a new scan or load saved scan results.

Screenshot 31 - The Site Crawler Context Menu

In this example, the context menu of the Site Crawler node contains options which let you save and load crawl results.

3.3 The Settings Interface

Screenshot 32 - The Acunetix WVS Settings Interface

The Settings Interface is accessed from the Configuration > Settings node in the Tools Explorer on the left of the main interface. The Settings Interface is also laid out in a tree structure to facilitate navigation across the various configuration nodes. The settings tree structure is categorized in the following sections:
- Application Settings - Contains the configuration screens related to the general application settings.
- Tools Settings - Contains the configuration screens related to the tools in the application.
- Scanner Settings - Contains the configuration screens related to the Scanner in the application.

3.3.1 Saving Changes

The Settings Interface provides two buttons at the bottom of each configuration screen to apply or discard the settings changed. To save the configuration changes you made, click the Apply button; otherwise your changes will not be saved.

Screenshot 33 - Changing the WVS Settings

After making changes on any of the configuration screens, the text "Settings have been changed!" will be shown next to these buttons.

3.4 Error Handling

If an error occurs in Acunetix WVS, the appropriate response in the form of a dialog box will be presented. Please refer to the Troubleshooting section on page 180 for guidelines on how to handle any problems in the application.

Screenshot 34 - The Acunetix WVS Error Handling Dialog

4. Getting Started: Scanning Your Website

4.1 Starting a Scan

DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION! The web server logs will show the scans and any attacks made by Acunetix WVS. If you are not the sole administrator of the website, please make sure you warn other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website.

Auditing the security of your website with Acunetix WVS is easy. The Scan Wizard allows you to quickly set up an automated crawl and scan of your website. An automated scan provides a comprehensive and deep understanding of the level of website security simply by reviewing the individual alerts returned. This chapter presents the process of launching a security audit of your website through the Scan Wizard.

4.2 Step 1: Select Target(s) to Scan

You will need to enter the IP or the URL of the website that you wish to scan. To begin a new scan:

1. Click on File > New Scan. The Scan Wizard will start up and offer you a number of steps to guide you through the process of launching a website audit.

Screenshot 35 - Scan Wizard Select Scan Type

2. Specify the target(s) to be scanned. The scan target options are:
- Scan single website - Scans a single website. Enter a URL, e.g. or
- Scan using saved crawling results - If you previously performed a crawl/scan on a website and saved the results, you can analyze these results directly without having to crawl the site again. Specify the saved crawler results file by clicking on the folder button.
- Scan list of websites - Scans a list of target websites specified in a plain text file (one target per line). Every target in the file is to be specified in the format: <URL> or <URL:port> or <IP> or <IP:port>. For example: . Ensure that the port is included in each line, even if it is a default port.
- Scan range of computers - This will scan a specific range of IPs (e.g. ) for target sites which are open on the specified ports (default 80, 81 and 443).

3. Click Next to continue.
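The target list file format from the Scan list of websites option, parsed by an added Python example (illustration code, not part of Acunetix WVS). It accepts the four line shapes named above, treats a missing port as an error rather than silently assuming a default (the manual requires the port on every line), and rejects malformed IP addresses. The hostnames and addresses in the sample file are constructed placeholders, and the rule that a bare host is HTTP unless the line says https:// is the example's own assumption.

```python
"""Parser for a scan-target list file: one target per line, each written as
<URL>, <URL:port>, <IP> or <IP:port>, with the port required on every line.
Added illustration; not Acunetix code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Target:
    scheme: str
    host: str
    port: int


class TargetListError(ValueError):
    """Raised for a line that does not follow the required format."""


def parse_target_line(line: str, line_no: int = 0) -> Target:
    """Normalize one line to (scheme, host, port).

    Assumption (not from the manual): a bare host or IP without a scheme is
    treated as HTTP; an explicit https:// URL is treated as HTTPS."""
    raw = line.strip()
    if "://" not in raw:
        raw = "http://" + raw              # urlsplit needs a scheme to find the netloc
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise TargetListError(f"line {line_no}: unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise TargetListError(f"line {line_no}: no host in {line.strip()!r}")
    try:
        port = parts.port                  # None when the line carries no port
    except ValueError as exc:              # non-numeric or out-of-range port
        raise TargetListError(f"line {line_no}: bad port in {line.strip()!r}") from exc
    if port is None:
        # The manual requires the port on every line, even a default one.
        raise TargetListError(f"line {line_no}: port missing in {line.strip()!r}")
    host = parts.hostname
    # Something that looks like a dotted-quad must be a valid address (e.g. not 192.0.2.300).
    if host.replace(".", "").isdigit():
        try:
            ipaddress.ip_address(host)
        except ValueError as exc:
            raise TargetListError(f"line {line_no}: invalid IP {host!r}") from exc
    return Target(parts.scheme, host, port)


def parse_target_list(text: str) -> tuple[list[Target], list[str]]:
    """Parse a whole file. Blank lines are skipped; bad lines are reported, not fatal,
    so one typo does not silently drop the rest of the list."""
    targets: list[Target] = []
    errors: list[str] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            targets.append(parse_target_line(line, n))
        except TargetListError as exc:
            errors.append(str(exc))
    return targets, errors


# Constructed sample file; hostnames and addresses are placeholders.
SAMPLE_TARGET_FILE = """\
http://www.example.test:80
https://www.example.test:443
192.0.2.10:8080
intranet.example.test
192.0.2.300:80
"""

if __name__ == "__main__":
    ok, bad = parse_target_list(SAMPLE_TARGET_FILE)
    for t in ok:
        print(f"{t.scheme}://{t.host}:{t.port}")
    for e in bad:
        print("rejected:", e)
```

Of the five constructed lines, the first three are accepted and the last two are rejected: one because its port is missing, the other because the address is not a valid IP.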

4.3 Step 2: Confirm Targets and Technologies Detected

Screenshot 36 - Scan Wizard Selecting Targets and Technologies

Acunetix WVS will automatically probe the target website(s) for basic details such as operating system, web server, web server technologies and whether a custom error page is used (for more details on custom error pages refer to page 47 of this manual). The web vulnerability scanner will optimize the scan for the selected technologies and use these details to reduce the number of tests performed which are not applicable (e.g. Acunetix WVS will not run IIS tests on a UNIX system). This will reduce scanning time.

If you already know what technologies the website is running, you can check whether Acunetix WVS identified them correctly. Click on the relevant field and change the setting from the provided check boxes as shown above. After you have confirmed the technologies, click Next to proceed.

4.4 Step 3: Specify Crawler Options

Screenshot 37 - Scan Wizard Crawling Options

1. In this dialog you can configure the crawling options.

Crawling Options

The Crawler traverses the entire website and identifies its structure. The following crawling options may be configured:
- Start HTTP Sniffer for manual crawling at the end of the scan process - This option will start the HTTP Sniffer automatically at the end of the crawl process, enabling you to browse (the browser must be set to use Acunetix WVS as proxy) parts of the site that the crawler could not reach or did not find. Frequently these pages are linked via JavaScript menus or other methods. Although Acunetix WVS handles JavaScript, there may be situations where a manual crawl is still required. The crawler will update the site structure with the newly discovered links and pages.
- Get first URL only - Scan only the index or first page.
- Do not fetch anything above start folder - Select this option to instruct the crawler not to follow any links above the start folder. For example, if you specify as a start URL, it will not traverse the links which point to a location above the base link, e.g. However, it will traverse all links to pages located in the /wvs/ folder or any of its subfolders.
- Fetch files below base folder - Select this option to also follow links which are contained outside the base folder. For example, if you specify as a start URL, it will traverse the links which point to a location below the base link, e.g.:
- Fetch directory indexes even if not linked - Select this option to instruct the crawler to request the directory index for every discovered directory, even if the directory index is not directly linked.

- Submit forms - With this option enabled, any forms encountered during the scan will be automatically submitted with test data. To instruct WVS to submit specific data in a particular form, navigate to the HTML Forms setting: Configuration > Settings (in the Tools Explorer) > Scanner Settings > HTML Forms (in the Settings Interface) node. (For full details on how to configure Acunetix WVS see Chapter 0 on page 126 of this manual.)
- Retrieve and process robots.txt, sitemap.xml - Select this option to have Acunetix WVS look for a robots.txt file and follow all the links in it.
- Case insensitive paths - Select this option to ignore any case difference in the links found on the website, e.g. /Admin will be considered the same as /admin.
- Analyze JavaScript - Select this option to activate the Client Script Analyzer (CSA) during crawling. This will execute JavaScript/AJAX code on the website to gather a more complete site structure.
- After crawling let me choose the files to scan - Select this option to present a window at the end of the crawling process which lets you select which files from the site structure to actually scan.

Click Next.

4.5 Step 4: Specify Scanning Profile Options and Mode

1. In this dialog you can configure the scanning profile and scan options, including the options for the scanning mode.

Scanning Profile

The Scanning Profile determines which tests are to be carried out on the target site. For example, if you only want to test your website(s) for SQL injection, you would select the sql_injection profile and no additional tests would be performed.
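The scope rules behind the Step 3 options Do not fetch anything above start folder and Case insensitive paths, as an added Python example (illustration code, not Acunetix's crawler). It resolves each discovered link against the start URL, normalizes ".." segments so a link cannot escape the start folder through a path such as /wvs/../admin/, folds case when asked so /Admin and /admin are queued once, and drops links to other hosts or to non-HTTP schemes. The start URL and links are constructed; the same-host check is the example's own assumption, since the manual does not say how WVS treats links to other hosts.

```python
"""Crawler scope filter for two Scan Wizard crawling options:
'Do not fetch anything above start folder' and 'Case insensitive paths'.
Added illustration; not Acunetix code."""
from __future__ import annotations

from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import urljoin, urlsplit


@dataclass
class CrawlOptions:
    stay_below_start_folder: bool = True   # "Do not fetch anything above start folder"
    case_insensitive_paths: bool = False   # "/Admin" treated the same as "/admin"


def start_folder(start_url: str) -> str:
    """Folder containing the start URL, always with a trailing slash:
    http://h/wvs/index.php -> /wvs/   http://h/wvs/ -> /wvs/   http://h -> /"""
    path = urlsplit(start_url).path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return path


def canonical_path(path: str, opts: CrawlOptions) -> str:
    """Collapse '.', '..' and repeated slashes so '/wvs/../admin/' is seen as the
    '/admin/' it really is, keep a trailing slash, then optionally fold case."""
    norm = normpath(path or "/")
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm.lower() if opts.case_insensitive_paths else norm


def in_scope(start_url: str, link: str, opts: CrawlOptions) -> bool:
    """Decide whether a discovered link should be crawled."""
    base = urlsplit(start_url)
    target = urlsplit(urljoin(start_url, link))       # resolve relative links
    if target.scheme not in ("http", "https"):
        return False                                  # mailto:, javascript:, ...
    if (target.hostname or "").lower() != (base.hostname or "").lower():
        return False                                  # assumption: never leave the target host
    if not opts.stay_below_start_folder:
        return True
    folder = canonical_path(start_folder(start_url), opts)
    return canonical_path(target.path or "/", opts).startswith(folder)


def filter_links(start_url: str, links: list[str], opts: CrawlOptions) -> list[str]:
    """Return the links the crawler may follow, deduplicated on the canonical
    path so that case variants of one page are queued only once."""
    seen: set[str] = set()
    kept: list[str] = []
    for link in links:
        if not in_scope(start_url, link, opts):
            continue
        key = canonical_path(urlsplit(urljoin(start_url, link)).path or "/", opts)
        if key not in seen:
            seen.add(key)
            kept.append(link)
    return kept


# Constructed sample: a start URL inside /wvs/ and links found on its pages.
START = "http://www.example.test/wvs/index.php"
FOUND_LINKS = [
    "login.php",                                   # /wvs/login.php: in scope
    "/wvs/admin/",                                 # subfolder: in scope
    "../",                                         # site root: above the start folder
    "/wvs/../admin/",                              # normalizes to /admin/: above
    "http://www.example.test/WVS/Login.php",       # case variant of login.php
    "http://other.example.test/wvs/",              # different host
    "mailto:webmaster@example.test",               # not an HTTP link
]

if __name__ == "__main__":
    for link in filter_links(START, FOUND_LINKS, CrawlOptions()):
        print(link)
```

With the defaults only login.php and /wvs/admin/ survive; switching on case_insensitive_paths admits the /WVS/Login.php variant but deduplicates it against login.php, and switching off stay_below_start_folder lets the crawler leave /wvs/ while still refusing the other host and the mailto: link.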

Refer to the Scanning Profiles section on page 153 for more information on how to customize existing profiles and create new scanning profiles.

Scan Options

From this section you can select the Scanning Mode which will be used during the scan. The scanning mode options are the following:
- Quick - In this mode the scanner will test for just the first value of every parameter.
- Heuristic - In this mode the scanner will try to automatically figure out for which parameters to test all values and for which not to.
- Extensive - In this mode the scanner will test all possible combinations for all parameters on the website. In some cases this can generate a huge number of requests and should be used with caution.

The other options which you can select are:
- Test known web application vulnerabilities on every directory - If this option is selected, the scanner will test for the known web application vulnerabilities on every directory instead of the default directory for each known vulnerability. This option will generate a lot of HTTP traffic and will extend the scanning time if the website being scanned is very large.
- Manipulate HTTP headers - With this option selected, the scanner will try to manipulate the HTTP headers which might be used by server side technologies.
- Check for stored XSS - Enabling this option instructs the scanner to make extra tests for XSS which may be stored in databases.

4.6 Step 5: Configure Login for Password Protected Areas

Your website may have password protected areas or pages behind an HTML feedback form (e.g. visitor registration required to download whitepapers, files etc.), using either HTTP authentication or HTML forms authentication. HTML forms authentication is not handled by the HTTP authentication mechanism, but rather via a web form which asks the user for a username and password. This information is sent back to the server for validation by a custom script. HTTP authentication is part of the HTTP specification. If a site uses HTTP authentication, then the browser will pop up a password dialog. The web server validates the logon against a database of users (in the case of IIS these are local Windows user accounts, and in the case of Apache these are stored in a file).

If you want Acunetix WVS to scan the pages contained within/behind the login page, then configure Acunetix WVS to authenticate to the password protected area or fill in the HTML form details.

Screenshot 38 - Login Details Options

To test an HTTP password protected area:
1. Tick the box Authenticate with this user name and password combination.
2. Enter the username and password.
3. Click Next.

When Acunetix WVS encounters an HTTP password dialog, it will use the details you entered.

To test an HTML form password protected area:
1. Click on Record new login sequence. The record login sequence window starts. The Login Sequence Recorder allows WVS to save and replicate all the events which were manually performed to access the area secured by the login page.
2. Browse to the HTML forms login page, enter the username and password and authenticate by clicking login. Note that on your website the names of the fields and the submit button might be different. Now click on the End login sequence button at the top of the dialog.

Screenshot 39 - Login Sequence Recording

Screenshot 40 - Login Sequence Recording Logout

3. After you have authenticated, you also need to identify the logout link; otherwise, Acunetix WVS will try to crawl the logout link and log out of the password protected area. Click on the logout link and select restricted link.

Screenshot 41 - Login Sequence Editing

4. You can review the login sequence that you recorded by clicking on the Edit login sequence button.
5. When you are done, click on the save icon and then click on the exit button to exit the login sequence editor. The wizard will save the login sequence.

Screenshot 42 - Login Sequences configuration

You can reuse the login sequence during future scans. Login sequences can be edited from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > Login sequences node in the Settings Interface, as shown.

Screenshot 43 - The Tools Explorer and Access to Application, Tool and Scanner Settings

You can choose to configure HTML form input directly, without the login sequence editor, from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > HTML Forms node. For more information see the chapter Configuring Acunetix WVS on page 126 of this manual.

4.7 Step 6: Configuring Custom 404 Error Pages

A 404 error page is the page which appears when an invalid URL is entered. In many cases, rather than displaying the standard 404 error, websites show a page formatted according to the look and feel of the website to inform the user that the page requested does not exist. Custom 404 error pages are not necessarily returned with a server 404 error (the status an invalid URL normally produces), and therefore Acunetix WVS must be able to automatically identify these pages to tell the difference between an invalid URL and a valid web page.

The Scan Wizard will automatically try to detect whether your site uses custom error pages. If your website does so, WVS will display the custom error page and will automatically attempt to locate the unique identifier of such an error page; in this case Error 404: Page Not Found.

To configure the custom error page:
1. Highlight the text that is unique to this page. This text should not be found on any other page on your website.

Screenshot 44 - Custom Error Page Configuration

2. Click on the Generate pattern button within the wizard window to generate a regular expression from the highlighted text. The highlighted text will be copied to the Error message pattern box and changed into a regular expression that Acunetix WVS can interpret.
3. Click on the Text pattern button to verify the generated pattern.
4. Click Next.

Once the custom error page is configured, it will be saved and may be accessed by selecting Configuration > Settings from the Tools Explorer and then selecting the Scanner Settings > Custom 404 Pages node.

Screenshot 45 - Scan Wizard - Finish window

6. If you want to save the scan results to a database, enable Save scan results to the database for report generation. Click on the Finish button to start the scan. It may take several hours to complete an automated scan of a large website!

4.8 Selecting the Files/Folders to Scan

If the option to choose the files to scan was selected in the crawling options, a window with the site structure will open up, from which a selection of files to scan and files to ignore can be made. By default, all the files and folders in the site structure shown will be selected. To exclude items from the scan, simply uncheck the tick box next to the item. For websites with a large number of items, the toolbar at the top of the window provides the following functionality:
- Filter - Show only the items partially matching the entered text.
- Check Selected - Select the highlighted items.
- Uncheck Selected - Deselect the highlighted items.
- Check All - Select ALL files in the site structure.
- Uncheck All - Deselect ALL files in the site structure.

Screenshot 46 - Choice of which files / folders to include in the scan

To change the selection of multiple items at once, without going through each item individually, use the CTRL and SHIFT key combinations.

4.9 Analyzing the Scan Results

After the scan is completed, the results can be expanded by clicking on the scan in the Scan results window. Two main nodes, Alerts and Site Structure, will be shown.

Screenshot 47 - Scan Result and Information window

4.9.1 Alerts Node

The Alerts node displays all vulnerabilities found and how to fix them. Alerts are sorted into four severity levels: High, Medium, Low and Informational. The number of vulnerabilities detected is displayed in brackets () next to each alert category.

Screenshot 48 - Scan Results Vulnerability information

By clicking on an alert category node, more information will be shown:
Vulnerability description - A description of the current vulnerability and the object affected.
The impact of this vulnerability - What impact this vulnerability may have.
Attack details - Detailed information about the current alert. For example, for an SQL injection alert the parameters used to test for this vulnerability will be displayed.
View HTTP headers - Display the HTTP headers of the request and response.
View HTML response - Display the HTML response as a frame in the current document.
Launch the attack with HTTP Editor - Load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, please refer to the HTTP Editor chapter.
How to fix this vulnerability - Recommendation on how to fix the problem.
Detailed information - This section provides extensive detailed information for certain high-risk vulnerabilities.
Web references - A list of references where you can gather more information about the current vulnerability and/or how to fix it.

For further investigation, click on Launch the attack with HTTP Editor at the bottom of the pane. This will load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, refer to the HTTP Editor chapter on page 79 of this manual.

Levels of Severity

There are four vulnerability severity levels:
High Risk Alert Level 3 - Vulnerabilities categorized as the most dangerous, which put a site at maximum risk of hacking and data theft.
Medium Risk Alert Level 2 - Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and directory intrusion.
Low Risk Alert Level 1 - Vulnerabilities derived from lack of encryption for data traffic, or directory path disclosures.
Informational Alert - Sites which are susceptible to revealing information through GHDB search strings, or addresses disclosure.

4.9.2 Site Structure Node

The Site Structure node displays the layout of the target site, including all files and directories discovered during the crawling process. For every item retrieved, more detailed information is available in the right information pane.

Screenshot 49 - Site Structure details

Summary information for a file or directory includes:
Filename - The name of this file/directory.
Page Title - The page title of this file/directory.
File path - The file/directory location.
URL - The file/directory URL location.
HTTP Result - The HTTP response code returned for a GET request of this file/directory.
Length - The file/directory size in bytes.
Input Variable Count - Number of inputs used for collecting and processing data, usually gathered within HTML forms.
Status - File status.

Grouping of Test Variants

When more than one instance of the same vulnerability is detected on a page, the scanner groups the variants of each exploit according to the parameter that was tested. This makes it easy to see how many exploits were detected in total and how many files were found to be vulnerable. This organization of vulnerability data makes the results easier to interpret and makes it easier to keep track of vulnerable pages and of which vulnerabilities need to be fixed. Vulnerability data can also be presented in a report with this grouping by selecting the Vulnerability Report template in the reporting application.

4.10 Saving the Scan Results

When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session, including alert information and site structure. To save the scan results go to File > Save Scan Results. To load the scan results go to File > Load Scan Results.

4.11 Generating a Report from the Scan Results

Creating a report when viewing the scan results is as easy as clicking a button. Simply click on the Report button on the toolbar at the top; this automatically starts the report generation process using the default report configuration. More information on how to configure the default report, which is generated when clicking on the Report button, can be found on page 112 of this manual.

Screenshot 50 - Report Button in Scan Results

Once the report is generated, the Acunetix WVS Reporter will automatically be launched and you will be presented with the vulnerability report configured as the default. From this screen you can print the report or export it to the various supported formats.

Screenshot 51 - Default Generated Report from Scan Results

To generate a report, a database must be configured (either MDB or SQL). This can be done from the Tools Explorer by selecting the Configuration > Settings node and, subsequently, Application Settings > Database.

4.12 Google Hacking Vulnerabilities

Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, a hacker may still crawl your site and launch Google Hacking Database queries directly against the crawled content. The Google hacking feature launches all the queries found in the Google Hacking Database against the crawled content of your website, thus finding any sensitive data or exploitable targets before a search engine hacker does. The Google hacking feature is a unique, industry first feature.

The Google Hacking Database is located at: and looks for the following information:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing logon portals
Pages containing network or vulnerability data such as firewall logs.
For further reference please visit:

Screenshot 52 - Scanner results with GHDB node

The GHDB vulnerability detection is performed as part of the automated scanning process. The results will be displayed as a separate node in the Scanner results.


5. Site Crawler Tool

5.1 Introduction

The Site Crawler tool traverses the target site and builds an internal representation of the site layout using the information (e.g. web pages and directories) collected. You can configure what the crawler fetches by selecting Configuration > Settings in the Tools Explorer and Tool Settings > Crawler from the Settings Interface. The site crawler tool is automatically launched by the web scanner. You can use the site crawler tool to analyze the structure of a website without automatically launching the attacks.

The Crawler tool interface consists of:

Screenshot 53 - The crawler tool interface

Toolbar - Here you can specify the URL and start a crawl.
Site structure window (left hand side) - Displays target site information fetched by the crawler, e.g. cookies, robots, and files.
Details window (right hand side) - Displays general information about a file selected in the site structure window (e.g. filename, file path). At the bottom of the details window there is a tabbed tool bar. Clicking on the Referrers, Headers, Inputs, View Page or HTML analysis tabs will show further information about the selected object.

5.2 Analyzing a Website Structure

5.2.1 Starting the crawling process

Enter the start URL of the target website from which the crawler should start the site traversal and click on the Start button. The crawl process for large sites might take considerable time (up to several hours for very large sites). The site structure will be displayed on the left hand side: for each directory found, a node will be created together with sub-nodes for each file. At the end of the scan, the site crawler will create a Cookies node which displays information about the cookies found.

5.2.2 Analyzing the information collected by the crawler

Clicking on any of the pages or items on the left hand side will display details about that object in the right hand pane. Since there is considerable information, the details pane has been split up into the Info, Referrers, HTTP headers, Inputs, View Page and HTML analysis tabs, as shown in the screenshot below.

5.2.3 Info Tab

Screenshot 54 - Info Page

The Info tab contains Filename, Page title, Path, URL and other information. It shows how many inputs the page can take in Input variable count.

5.2.4 Referrers Tab

Screenshot 55 - Referrers Page

This tab contains the list of files that link to the selected file.

5.2.5 HTTP Headers Tab

Screenshot 56 - HTTP Page

This tab contains the HTTP request for the selected file and the response received. From here you can check the content type, date, whether the file is cached and any relevant server information. You can edit the HTTP request in the HTTP Editor by clicking the Edit with HTTP Editor icon located on top of the HTTP request pane. This allows you to analyze how the application behaves when certain parameters are altered.

5.2.6 Inputs Tab

Screenshot 57 - Inputs Page

The Inputs tab lists the inputs that this page accepts. For every input, the name and type of the variable, the list of possible values and all the input combinations are listed. Although the web scanner will automatically attack these inputs, the Inputs tab is very useful for reviewing and analyzing input information.

5.2.7 View Source Tab

Screenshot 58 - View Source Page

5.2.8 View Page Tab

Screenshot 59 - Browser Page

This tab loads the page as a web browser would, but without any formatting data (e.g. CSS files and images). Client side scripts are disabled for security reasons.

5.2.9 HTML Analysis Tab

This tab displays the HTML structure of a selected file. The structure information is detailed in five separate sub-tabs: Simple URLs, Comments, Client side scripts, Input forms and Meta tags. The total number of links, comments, etc. is displayed within brackets ( ).

Simple URLs Sub-Tab

Screenshot 60 - Simple URLs tab

This sub-tab displays the links contained in the file. The sub-tag column shows the HTML tag, for example A for a page link, IMG for an image link and so on. Review this information for pages and links that might reveal sensitive information.

Comments Sub-Tab

Screenshot 61 - Comments tab

This sub-tab displays any comments present within the selected file. This information cannot be analyzed automatically but may still reveal interesting developer comments about the construction and coding of the site.

Client Script Sub-Tab

Screenshot 62 - Client side scripts tab

This sub-tab displays the scripts (JavaScript, VBScript etc.) and source code contained in the selected HTML file. These scripts will be executed by the client web browser. Review each script manually to see what it does; it might reveal information about the logic of the web application and what information is expected. In the course of a security audit, you might then try to give the application unexpected input to see how it behaves. Check all scripts for:
Input validation code, for example on onclick or onsubmit events. Client side input validation logic is not secure.
Any characters that might upset applications.
Code that reads to or from an HTML form field, i.e. getElementById, formname.fieldname.value and so on.

Input Forms Sub-Tab

Screenshot 63 - Input Forms page

This sub-tab displays any HTML forms present in the selected file:
The top window displays the list of all forms.
The middle window displays the list of fields in the selected form, e.g. buttons, entry fields, etc.
The bottom window displays the default values for a selected field.
Review this information carefully and check whether the HTML forms unnecessarily reveal any information about the web application.

META Tags Sub-Tab

Screenshot 64 - Meta Tags tab

META tags contain information about the web page, for example the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, they control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and on some servers may be translated to actual HTTP headers automatically or by a preprocessing tool.
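As an added example, written for this page and not the crawler's own code, the Python parser below extracts from one constructed HTML page the same five kinds of information the HTML analysis tab shows: simple URLs with their tag, comments, client-side scripts (including inline on* event handlers, the validation code the Client Script review asks about), input forms with their fields and default values, and META tags, separating the HTTP-EQUIV ones that act like headers. The prefilled_fields helper picks out the hidden and pre-filled defaults that the Input Forms review points at. The sample page and all function names are the example's own assumptions.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the manual) that exercises every sub-tab:
# a link, an image, a script block, an inline event handler, a developer
# comment, a form with a hidden default value, and two META tags.
SAMPLE_HTML = """<html><head>
<meta name="description" content="Example shop">
<meta http-equiv="refresh" content="30">
<script>function check() { return document.getElementById('q').value != ''; }</script>
</head><body>
<!-- TODO: remove debug endpoint /admin/debug before launch -->
<a href="/products.php?cat=1">Products</a>
<img src="/img/logo.png">
<form action="/login.php" method="post" onsubmit="return check()">
<input type="text" name="user" id="q" value="guest">
<input type="password" name="pass">
<input type="hidden" name="role" value="customer">
</form>
</body></html>"""


class StructureAnalyzer(HTMLParser):
    """Collects what the HTML analysis tab shows: simple URLs, comments,
    client-side scripts, input forms and META tags."""

    # tag -> attribute carrying a URL (the 'sub-tag' column of the tab)
    URL_ATTRS = {"a": "href", "img": "src", "script": "src",
                 "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []      # (TAG, url)
        self.comments = []   # comment text
        self.scripts = []    # script bodies and inline event handlers
        self.forms = []      # {"action", "method", "fields": [...]}
        self.meta = []       # attribute dicts of <meta> tags
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url_attr = self.URL_ATTRS.get(tag)
        if url_attr and a.get(url_attr):
            self.links.append((tag.upper(), a[url_attr]))
        if tag == "meta":
            self.meta.append(a)
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append({"name": a.get("name"),
                                             "type": a.get("type", tag),
                                             "value": a.get("value", "")})
        elif tag == "script":
            self._in_script = True
        # on* attributes are client-side script too (e.g. onsubmit validation)
        for name, value in attrs:
            if name.startswith("on"):
                self.scripts.append(f"{tag}@{name}: {value}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def analyze(html: str) -> StructureAnalyzer:
    parser = StructureAnalyzer()
    parser.feed(html)
    parser.close()
    return parser


def http_equiv_headers(meta_tags) -> dict:
    """META tags with HTTP-EQUIV behave like response headers; list them."""
    return {m["http-equiv"].lower(): m.get("content", "")
            for m in meta_tags if "http-equiv" in m}


def prefilled_fields(forms) -> list:
    """Hidden or pre-filled fields whose default values may leak application
    details, the thing the Input Forms sub-tab asks you to review."""
    return [(f["action"], fld["name"], fld["value"])
            for f in forms for fld in f["fields"]
            if fld["value"] and fld["type"] in ("hidden", "text")]


if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print("Simple URLs:", result.links)
    print("Comments:", result.comments)
    print("Client scripts:", result.scripts)
    print("Forms:", result.forms)
    print("HTTP-EQUIV as headers:", http_equiv_headers(result.meta))
    print("Pre-filled fields:", prefilled_fields(result.forms))
```

Note that the onsubmit handler shows up next to the script block: client-side validation is exactly the code a reviewer wants to read, because it documents what the server expects while enforcing nothing.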


6. Target Finder Tool

6.1 Introduction

The Target Finder is a port scanner which can be used to find websites on a given IP or within a range of IPs.

Screenshot 65 - Target Finder view

6.2 To Start A Scan

1. In the Acunetix WVS Tools Explorer select the Tools > Target Finder node.
2. In the toolbar, enter:
IP or range of IPs - specify the IP address of the target(s)
The list of ports - specify the ports to probe (e.g. 80,81,443).
3. Now click the Start button to start the scan.
4. After the scan is complete, the web server(s) found are displayed, including the respective server type. HTTPS web servers are identified by a padlock icon.
5. You can launch a scan on a target server by right clicking on the server(s) of choice and selecting Scan this server from the menu.


7. Subdomain Scanner Tool

7.1 Introduction

The Subdomain Scanner automatically scans a top-level domain to locate any subdomains configured in its hierarchy, by using the target domain's DNS server or one specified manually. Any subdomains discovered can be scanned for vulnerabilities from within the tool itself, or imported directly into the HTTP Editor for further analysis through custom requests.

Screenshot 66 - Subdomain Scanner Tool

While scanning, this tool will automatically identify and inform the user if the domain being scanned is using wildcards (*.somedomain.com).

7.2 Starting a Subdomain Scan

1. In the Acunetix WVS Tools Explorer select the Tools > Subdomain Scanner node.
2. In the toolbar, enter:
Top Level Domain Name - specify the target domain (e.g. acunetix.com)
Select DNS Server - use the target's DNS server, or specify a server manually
3. The default timeout is an optimal setting; increase it if slow responses are encountered.
4. Click the Start button to begin the scan.

5. Right-click the discovered subdomains to:
Launch a scan on the subdomain directly from the tool
Send custom requests using the HTTP Editor
Save the list of results as a text file to be imported into the scan wizard
Export the list of servers to a CSV file.

8. HTTP Sniffer Tool

8.1 Introduction

The HTTP Sniffer tool is actually a proxy server which can capture, edit and filter requests made between a web client (browser or other HTTP application) and a web server.

Screenshot 67 - The HTTP Sniffer

The HTTP Sniffer is an excellent tool for intercepting client requests and modifying them before they are sent to the server. Use it to:
Create a rule to trap particular POST or GET requests and change them manually.
Create a rule that automatically changes particular requests.
Create a rule to automatically log information in requests or responses.

8.2 Configuring the HTTP Sniffer

To use the HTTP Sniffer tool you must:
1. Configure the ports and interfaces on which the HTTP Sniffer internal proxy will listen for requests (from the Tools Explorer select Configuration > Settings and Tools Settings > HTTP Sniffer from the Settings Interface).
2. Configure your web client/browser to use the machine on which Acunetix WVS is running as its proxy server.

By default, the HTTP Sniffer internal proxy server listens on port 8080 of the machine it is running on, bound to the local interface only; this means that the default settings limit the internal proxy to web client applications running on the same machine. To let the Acunetix WVS HTTP Sniffer internal proxy server listen to and service requests from web clients installed on other machines, you will need to configure the HTTP Sniffer settings to listen on all interfaces (from the Tools Explorer select Configuration > Settings and Tools Settings > HTTP Sniffer from the Settings Interface). Note that the proxy will then accept connections from any host able to reach that port.

8.3 Enabling the HTTP Sniffer

Screenshot 68 - HTTP Sniffer toolbar with the proxy server started

Once you have configured your web client to pass through the HTTP Sniffer/proxy server, go to the HTTP Sniffer tool and click on the Start button in the toolbar. This will start the proxy server and thus the sniffing of connection requests. All connection requests and responses will be listed in the main window. To view the complete request, click on the request; more detailed information will be displayed in the lower pane.

8.4 Creating an HTTP Sniffer Trap Filter

You can configure the HTTP Sniffer to intercept an HTTP request BEFORE it is sent. You can make changes to this request and the sniffer will send the modified request to the server. You can do the same for HTTP responses: you can review and edit a particular response before it is sent to the client. You do this by creating HTTP proxy trap filters:

1. In the HTTP Sniffer toolbar, click on the Edit traps button to bring up the HTTP traps dialog.

Screenshot 69 - HTTP Sniffer Edit Trap window

2. You can select a rule trap template, e.g. trap requests, trap ASP or PHP requests. This will load a preconfigured trap which you can edit.
3. Alternatively you can create a new trap by entering a description, a rule type, the traffic it applies to and a regular expression. The following rule types are available:
Trap rules - Configure what requests/responses should be trapped for editing.
Don't trap rules - Configure what trapped requests/responses should be ignored.
Replace or change rules - Configure which requests should be automatically changed based on the given expression.
Logging rules - Configure which requests or responses should be logged in the Activity window.
5. You can now configure whether to apply the trap to the whole response, or just the request headers, request body and so on.
6. Enter a regular expression.
7. To add the trap to the list below, click Add. This will add the trap and automatically enable it. You can enable/disable traps by clicking on the tick box in front of the trap rule.

8. When you have created your trap rules, click the OK button to return to the HTTP Sniffer dialog.
9. Click on the Enable traps button to activate the traps.

8.5 Analyzing and Responding To the Trapped Requests

The Trap Form

After you have created your trap filters and enabled them, the sniffer follows the steps described below to decide which actions to take when handling a certain request or response:
1. Is it included in the log rules?
2. If yes, make a log entry.
3. Is it included in the auto change rules?
4. If yes, make the requested changes.
5. Is it included in the trapping rules?
6. If no, then go to Action 10.
7. Is it included in the exclusion rules for trapping?
8. If yes, then go to Action 10.
9. Trap the request or response by using the trap form.
10. Forward the request or the response.

Screenshot 70 - HTTP Sniffer Trap form

When a request or a response is trapped by the HTTP Sniffer, the HTTP trap window pops up to allow you to edit the request/reply. Similar to the HTTP Editor, the Trap Form editor allows you to edit cookies, query and post variables. When done, click OK to send the request/response to the server/client.

8.6 Editing an HTTP Request without a Trap

If you want to edit a request without setting up an HTTP trap, simply right click on a request or a response and select Edit with the HTTP Editor. Then click Start to send the request/response to the server.
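The ten-step decision procedure above is small enough to write down as code, which makes the precedence explicit: logging never blocks anything, automatic changes happen before trapping is decided, and a Don't trap rule overrides a matching Trap rule. The Python below is an added example (not the sniffer's implementation) that runs constructed requests through a constructed rule set of the four kinds named in 8.4; rule names, patterns and the sample requests are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    description: str
    kind: str          # "log", "replace", "trap" or "dont_trap"
    applies_to: str    # "request" or "response"
    pattern: str       # regular expression tested against the message text
    replacement: str = ""   # used only by "replace" rules


@dataclass
class Message:
    direction: str     # "request" or "response"
    text: str
    log: list = field(default_factory=list)
    trapped: bool = False


def matching(rules, msg, kind):
    """Rules of one kind that apply to this direction and match the text."""
    return [r for r in rules
            if r.kind == kind and r.applies_to == msg.direction
            and re.search(r.pattern, msg.text, re.MULTILINE)]


def process(msg: Message, rules) -> Message:
    """Run a message through the rule chain in the order the sniffer uses."""
    # Steps 1-2: logging rules never change the message, they only record it
    for r in matching(rules, msg, "log"):
        msg.log.append(r.description)
    # Steps 3-4: automatic change rules rewrite the text before trapping is decided
    for r in matching(rules, msg, "replace"):
        msg.text = re.sub(r.pattern, r.replacement, msg.text, flags=re.MULTILINE)
    # Steps 5-6: no trap rule matches -> forward as is (action 10)
    if not matching(rules, msg, "trap"):
        return msg
    # Steps 7-8: an exclusion ("don't trap") rule wins over a trap rule -> forward
    if matching(rules, msg, "dont_trap"):
        return msg
    # Step 9: hand the message to the trap form for manual editing
    msg.trapped = True
    return msg


# Constructed rule set (assumed names, not the tool's own templates).
RULES = [
    Rule("Log POST requests", "log", "request", r"^POST "),
    Rule("Mark audit traffic", "replace", "request",
         r"^User-Agent: [^\r\n]*", "User-Agent: WVS-Audit"),
    Rule("Trap all GET/POST requests", "trap", "request", r"^(GET|POST) "),
    Rule("Don't trap images", "dont_trap", "request", r"^GET \S+\.(png|gif|jpg)"),
]

# Constructed sample requests.
LOGIN_POST = ("POST /login.php HTTP/1.1\r\nHost: shop.example\r\n"
              "User-Agent: Mozilla/5.0\r\n\r\nuser=guest&pass=x")
LOGO_GET = "GET /img/logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INDEX_GET = "GET /index.php HTTP/1.1\r\nHost: shop.example\r\n\r\n"


def run(text: str) -> Message:
    """Process one client request against RULES."""
    return process(Message("request", text), RULES)


if __name__ == "__main__":
    for sample in (LOGIN_POST, LOGO_GET, INDEX_GET):
        m = run(sample)
        print(sample.splitlines()[0], "| logged:", m.log, "| trapped:", m.trapped)
```

The image request shows why exclusion rules exist: a broad trap rule is convenient, but without a Don't trap rule for static files every image and stylesheet would stop in the trap form.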

9. Authentication Tester Tool

9.1 Introduction

The Authentication Tester is a tool used to test the strength of passwords within HTTP or HTML forms authentication environments via a dictionary attack.

9.2 Testing HTTP Authentication

9.2.1 What is HTTP Authentication?

Screenshot 71 - HTTP authentication

HTTP authentication is part of the HTTP specification. If a site performs HTTP authentication, the browser displays a password pop-up dialog as shown above. With HTTP authentication, the web server validates the logon against a database of users (with IIS these are local Windows user accounts and with Apache they are stored in a file).

9.2.2 Testing the Password Strength

1. In the Tools Explorer, select the Tools > Authentication Tester node. In the Target URL to test edit box, specify the target URL.
2. Select HTTP as the authentication method to be used for the attack.

Screenshot 72 - HTTP based authentication

3. You can use the default dictionaries or specify your own Username and Password dictionaries. You have to specify the full path to a plain text file containing the list of usernames or passwords to attempt to log in with, e.g. C:\Program Files\Acunetix\Web Vulnerability Scanner 5\Data\General\userlist.txt.
4. Click Start to start the test. You do not need to change the Logon failed if field, since the server will return an HTTP response code of 401 for a failed login. However, if you have configured a custom error, you have to enter a different error code in the Logon failed if field.

9.3 Testing HTML Form Authentication

9.3.1 What is HTML Forms Authentication?

Screenshot 73 - HTML form login

A logon sequence that implements HTML forms authentication asks the user for a username and password via a web form, which is then validated on the server by a custom script rather than by the web server directly.

9.3.2 Testing Password Strength

1. Specify the target URL of the site to be tested for authentication vulnerabilities.

Screenshot 74 - HTML form based authentication

2. Select HTML form based as the authentication method.
3. Now you need to indicate the form fields that represent the Username and Password fields. Click on the Select button to bring up the form field parser. This will load the login page at the specified URL, parse it and display the available fields contained in the target page which can be used to input the username / password.

Screenshot 75 - Specifying HTML Form fields

4. If there are multiple forms on the page, select the form which contains the relevant authentication.
5. Select the username field from the list of available fields and click on the Username button at the bottom of the dialog.

6. Select the password field from the list of available fields and click on the Password button at the bottom of the dialog.

Screenshot 76 - A typical access denied page

7. Now you need to tell Acunetix WVS what constitutes a failed login, so that the application can recognize a successful login. To do this, attempt to log on to the page so as to generate a login error. Write down the text that appears after a failed logon. In the example in our screenshot, the text that indicates a failed logon would be Invalid Login!.

Screenshot 77 - HTML form based authentication Login has failed if

8. Now in the Login failed if field, select Result body contains and enter the login failed text. Note that you can also specify a regular expression using the Result contains Match regex option.
9. Click on the Start button to start the authentication testing process. If you get an error message 401 Unauthorized, then the authentication method is HTTP and not HTML forms.
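The dictionary attack described in this chapter looks, from the web server's side, like a burst of failed logins from one client, and the two failure signatures the chapter relies on (a 401 for HTTP authentication, a re-rendered form page for HTML forms authentication) are the same ones a defender can count. As an added example, not from the manual or the tool, the Python below runs those signatures over a constructed access log and flags clients whose failures inside a sliding window reach a threshold. The login path, the convention that a failed form POST returns 200 while a successful one redirects with 302, and the log lines themselves are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format access log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (not real traffic): one client failing HTTP auth
# six times in five seconds, one client failing the form login three times
# before succeeding, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2007:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.5 - - [04/Jun/2007:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.5 - - [04/Jun/2007:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.5 - - [04/Jun/2007:10:00:04 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.5 - - [04/Jun/2007:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.5 - - [04/Jun/2007:10:00:06 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.7 - - [04/Jun/2007:10:05:10 +0000] "POST /login.php HTTP/1.1" 200 1532
198.51.100.7 - - [04/Jun/2007:10:05:25 +0000] "POST /login.php HTTP/1.1" 200 1532
198.51.100.7 - - [04/Jun/2007:10:05:40 +0000] "POST /login.php HTTP/1.1" 200 1532
198.51.100.7 - - [04/Jun/2007:10:06:02 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.9 - - [04/Jun/2007:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 4120
"""

LOGIN_PATH = "/login.php"   # assumed location of the HTML login form


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def is_failed_login(rec) -> bool:
    """HTTP authentication failure is unambiguous: the server answers 401.
    For the form login the body text ('Invalid Login!') is not in the log,
    so the assumption here is that a failed POST re-renders the form (200)
    while a successful one redirects (302)."""
    if rec["status"] == 401:
        return True
    return rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] == 200


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each client whose failures inside some sliding window reach the
    threshold to the largest failure count seen in one window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("threshold 5 / 60 s:", detect_bruteforce(SAMPLE_LOG))
    print("threshold 3 / 60 s:", detect_bruteforce(SAMPLE_LOG, threshold=3))
```

The second run shows the tuning question every such rule raises: a threshold low enough to catch a slow dictionary run will also catch a user who mistypes a password three times, so the window and threshold have to be chosen against the site's normal failure rate.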

10. HTTP Editor Tool

10.1 Introduction

Screenshot 78 - The HTTP Editor

The HTTP Editor tool allows you to create or edit HTTP requests and analyze the server response. You can start the HTTP Editor from the Tools > HTTP Editor node within the Tools Explorer, as shown above. The HTTP Editor is organized into 2 panes: the top pane shows the HTTP request data and the bottom pane shows the server response data. The Activity Window is a separate pane and does not relate to the HTTP Editor.

10.2 Editing a Request

By editing the HTTP request of an existing web page, you can start directly from a valid HTTP request and then modify it according to your requirements.

1. Scan/crawl a website or load a previous crawl in the Web Scanner node (select Web Scanner from the Tools Explorer). Right click on the web page for which you want to edit the HTTP request and select Edit with HTTP Editor.

Screenshot 79 - HTTP Editor Headers

2. In the HTTP Editor toolbar, you can edit the following options:
Method - Any one of the standard methods supported by all web servers (e.g. GET, POST, HEAD, and PUT) or a custom method supported only by specific web servers (e.g. OPTIONS, TRACE, DELETE).
Protocol - The HTTP protocol version (HTTP/1.0 or HTTP/1.1) to be used for the request.
URL - Specify the fully qualified URL, including the hostname, of the target object that you want to request. You can also specify a relative URL without hostname and supply the hostname via the request headers.
3. The request tab shows the headers of the HTTP request. You can edit any of the headers by specifying the header name (e.g. Cookie or User-Agent) and assigning the header text (value) associated with it (e.g. ID=1).
4. To make a request that requires user data apart from the headers (e.g. a POST request with variables), enter the data in the request headers window. The variable data can be edited by the variable editor only if it is URL encoded.

Screenshot 80 - Variable Editor

Click on the Edit query variables button to edit variables in the URL using the variable editor. Query variables are separated from the URL by a ? and are encoded in the URL-encode standard. With the variable editor you can edit query variables, cookies and other request data. You can add, remove, URL-encode and URL-decode variables using the buttons in the small toolbar at the bottom of the variable editor window. Click OK when you have entered all the variables.

You can supply data other than URL encoded variables, such as XML documents for a PROPFIND request. Specify the content length and the content type through the appropriate (Content-Length and Content-Type) headers. If no content length or type is specified, the HTTP Editor will use application/x-www-form-urlencoded as the default content type, while the content length is calculated automatically.

5. Use the toolbar at the top of the request page to add and remove request headers, add cookie variables, open the encoder-decoder tool and/or specify any HTTP authentication which might be required by the target server receiving the request.
6. Click the icon to specify HTTP authentication details. Select the authentication type (NTLM or HTTP Basic) and enter the username and password.

Screenshot 81 - Encode/Decode tool

7. Click the encode/decode button to encode or decode any text data that you want to send with a request or that you got back in a response. This tool can currently use two encoding/decoding techniques to convert plain text data to send in a request: Base64 and URL-encoding.
8. After you have finished the request, click Start to request the URL.

10.3 Fine-Tuning Requests and Analyzing Responses

After you have successfully launched the request to the server you can analyze the server response in the bottom pane of the HTTP Editor. The server response is shown in the tabs Response headers, Response data, View Page, and HTML structure analysis.

Screenshot 82 - Response headers tab in the Response pane

Response Headers and Response Data Tabs

Screenshot 83 - Response data tab

The Response headers and Response data tabs show the headers and data of the response. To search for and highlight specific strings within the server response data:
1. Type the string to be searched for in the Look for entry box located in the toolbar on top of the response data window.
2. From the same toolbar, click the button labeled a to highlight in red the matching strings present within the response data on display.
3. Click the {Re} button to toggle between each matching string.
Cookie information sent by the server can be viewed by clicking on the cookie icon button located in the Last response toolbar.

Text Only Tab

Screenshot 84 - Text only tab

This tab displays the request and the last response received in plain text. You can make changes to the request by editing the text directly on display. To search for or highlight any specific strings within the request and response data, use the a and {Re} buttons and follow the same procedure described above.

View Page Tab

Screenshot 85 - Browser Page

The View page tab displays the web page without the relevant images or CSS. Clicking on any of the links will display the request of that link in the Request tab and allows you to easily analyze each request.

HTML Structure Analysis Tab

Using the HTML structure analysis tab you can edit and view links, comments, client scripts, HTML forms and META tags in the HTML document.

Screenshot 86 - Document Structure Page
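To make the variable editor's work concrete, here is an added Python example (not the HTTP Editor's own code) that splits a constructed raw request into method, URL path, headers, URL-decoded query variables and body variables, lets you change one variable, and rebuilds the request with the re-encoded body and a recomputed Content-Length, falling back to application/x-www-form-urlencoded as section 10.2 describes. One helper produces the HTTP Basic Authorization value, which is the Base64 encoding of user:password that the encode/decode tool handles, and another lists the cookie variables. The request text and all function names are assumptions of the example.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed request, in the form the editor shows it (not from the manual).
RAW_REQUEST = (
    "POST /products.php?cat=1&sort=name HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: ID=1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "user=guest&pass=a%26b"
)


def parse_request(raw: str) -> dict:
    """Split a raw request into the pieces the variable editor works on:
    method, path, protocol version, headers, URL-decoded query variables
    and URL-decoded body variables (as ordered (name, value) lists)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "version": version, "path": parts.path,
            "headers": headers,
            "query": parse_qsl(parts.query, keep_blank_values=True),
            "body_vars": parse_qsl(body, keep_blank_values=True)}


def set_var(variables, name, value):
    """Replace (or append) one variable in a list of (name, value) pairs."""
    out = [(n, value if n == name else v) for n, v in variables]
    if name not in [n for n, _ in variables]:
        out.append((name, value))
    return out


def build_request(req: dict) -> str:
    """Re-encode the variables and recompute Content-Length. When no content
    type is set, form-urlencoded is assumed, as the editor's default."""
    query = urlencode(req["query"])
    target = req["path"] + ("?" + query if query else "")
    body = urlencode(req["body_vars"])
    headers = dict(req["headers"])
    if body:
        headers.setdefault("Content-Type", "application/x-www-form-urlencoded")
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    else:
        headers.pop("Content-Length", None)
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def cookies(req: dict) -> dict:
    """Cookie variables from the Cookie header, as the editor lists them."""
    result = {}
    for part in req["headers"].get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            result[name] = value
    return result


def basic_auth_header(username: str, password: str) -> str:
    """Authorization value for HTTP Basic: Base64 of user:password. Base64 is
    an encoding, not encryption: anyone who sees the request can decode it,
    which is why Basic authentication needs HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print("query:", req["query"], "body:", req["body_vars"], "cookies:", cookies(req))
    req["query"] = set_var(req["query"], "cat", "2")
    req["body_vars"] = set_var(req["body_vars"], "pass", "a&b&c")
    print(build_request(req))
    print(basic_auth_header("admin", "secret"))
```

The round trip (parse, then build) reproduces the original request byte for byte, and changing a body variable changes the Content-Length automatically; a stale length is the most common reason a hand-edited request is rejected or truncated by the server.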

11. HTTP Fuzzer Tool

11.1 Introduction

Screenshot 87 - The HTTP Fuzzer

The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and input validation. With it, you can create rules to automatically test a range of variables. A simple example would be the following URL: Using the HTTP Fuzzer you could create a rule which would automatically replace the last part of the URL with a range of numbers. Only valid results will be reported. This degree of automation allows you to quickly test the results of 1000 queries while significantly reducing the amount of manual input.

11.2 Creating a Rule to Automatically Test a Series of Inputs

The utility of the HTTP Fuzzer is best explained with an example. We will create a rule to test the products section of the Acunetix test website using a range of values to find out what products are listed in the database. We will instruct the scanner to automatically replace the variable part of a URL with a series of values that we specify. In the URL, the last part ?cat=1 is the variable part.

The scanner already guesses the variable parts of a URL automatically and tries to extract valid values; this exercise only illustrates how easy it is to test a range of values yourself.

Gathering an HTTP Request

1. Load a Web Scanner or Site Crawler result from a previously scanned website.

Screenshot 88 - Copying an HTTP request to the HTTP Fuzzer

2. Right-click one of the files in the results tree and select Export to HTTP Fuzzer. If you already have an HTTP request, you can instead go to the Tools > HTTP Fuzzer node and type or paste a valid HTTP request directly into the Request area of the window.

Creating Data Generators

Once you have a valid HTTP request, decide which part of the request you will fuzz. That value will be replaced by a generator. To create a generator:

1. Click the add-generator icon on the right-hand part of the HTTP Fuzzer window.

Screenshot 89 - HTTP Fuzzer generator list

2. Select the appropriate generator from the drop-down list:

- Number generator: generates every number from a start value to a stop value, stepping by the specified increment.
- Character generator: generates every ASCII character between a start character and a stop character.
- File generator: feeds every string from a specified file, one value per line.
- String generator: generates every combination of the characters in a character set, at the specified length. Because it produces every combination, a set of k characters at length n yields k^n requests, so keep both small.
- Random string generator: generates a specified number of random strings built from a character set, at the specified length.
- Character repeater: repeats a specified character or string a given number of times (commonly used for buffer overflow testing).

Screenshot 90 - HTTP Fuzzer generators

3. Once you have selected a generator, its parameters are displayed in detail. Set them according to the test you want to perform.

Screenshot 91 - HTTP Fuzzer insert generator

4. After configuring the generator(s), place the text cursor at the point in the HTTP request where the generator should replace the static value, and select that static value (e.g. the 1 in /artists.php?artist=1).
5. Click the insert-generator icon to replace the static value with the generator variable (the result will be, for example, /artists.php?artist=${artists_id}).

Screenshot 92 - HTTP Fuzzer filters

6. Click the Fuzzer filters button at the top to open the filters dialog. To use a standard filter, select a predefined rule template from the drop-down list; otherwise, create your own filter by defining the following parameters:

- Rule description: a meaningful name for the rule.
- Rule type: an Include rule or an Exclude rule.
- Apply to: the part of the response in which to search for the matching expression.
- Regular expression: the regular expression or text that is searched for to match the rule.

Make sure the checkbox next to each filter you created is ticked to enable it. Click OK to save the settings and close the dialog.

7. Click the Start button to begin fuzzing.

Screenshot 93 - HTTP Fuzzer results

8. Acunetix WVS generates one HTTP request per generator value, sends each one, and shows the responses that pass the filters you created.
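To make the mechanics of the procedure above concrete, the following Python script is an added example (not Acunetix code) that reimplements the pieces in miniature: the generator types, substitution of a ${name} placeholder in a request template, and include/exclude filters applied to each response. The target server, its responses, the request template and the generator and filter names are constructed for offline use, and the precedence between Include and Exclude rules (at least one Include must match, no Exclude may match) is an assumption, since the manual does not define it.

```python
"""Added example, not part of Acunetix WVS: a miniature HTTP fuzzer that mirrors
the manual's workflow (generators -> ${placeholder} -> filters). The target, its
responses, the template and the rule semantics are all constructed."""
import itertools
import re


# --- Generators, one per WVS generator type; each yields strings ---
def number_generator(start, stop, increment=1):
    """All numbers from start to stop (inclusive), stepping by increment."""
    return (str(n) for n in range(start, stop + 1, increment))


def character_generator(start_char, stop_char):
    """All ASCII characters between start_char and stop_char (inclusive)."""
    return (chr(c) for c in range(ord(start_char), ord(stop_char) + 1))


def file_generator(lines):
    """Stand-in for a word list read from a file: one value per line."""
    return (line.strip() for line in lines if line.strip())


def string_generator(charset, length):
    """Every combination of charset at the given length (len(charset)**length values)."""
    return ("".join(p) for p in itertools.product(charset, repeat=length))


def character_repeater(value, count):
    """A single value: the string repeated count times (buffer-overflow probe)."""
    yield value * count


# --- Template substitution: ${name} is replaced by each generator value ---
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def expand(template, generators):
    """Yield one concrete request per combination of generator values."""
    names = list(dict.fromkeys(PLACEHOLDER.findall(template)))  # unique, in order
    pools = [list(generators[name]) for name in names]
    for combo in itertools.product(*pools):
        values = dict(zip(names, combo))
        yield PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


# --- Filters: Include/Exclude rules matched against one part of the response ---
class Filter:
    def __init__(self, description, include, apply_to, pattern):
        self.description = description
        self.include = include      # True = Include rule, False = Exclude rule
        self.apply_to = apply_to    # "status", "headers" or "body"
        self.regex = re.compile(pattern)

    def matches(self, response):
        return self.regex.search(response[self.apply_to]) is not None


def passes(response, filters):
    """Assumed semantics: reported if it matches an Include rule (when any
    exist) and matches no Exclude rule."""
    includes = [f for f in filters if f.include]
    excludes = [f for f in filters if not f.include]
    if includes and not any(f.matches(response) for f in includes):
        return False
    return not any(f.matches(response) for f in excludes)


# --- Constructed stand-in for the target web server ---
KNOWN_ARTISTS = {"1": "artist-one", "2": "artist-two", "3": "artist-three"}


def fake_target(raw_request):
    """Known id -> record; other digits -> 'no artist found'; anything else ->
    a server error (the input-validation flaw a fuzzer is looking for)."""
    request_line = raw_request.splitlines()[0]
    _method, path, _version = request_line.split(" ", 2)
    match = re.search(r"artist=([^&\s]*)$", path)
    artist_id = match.group(1) if match else ""
    headers = "Content-Type: text/html"
    if artist_id in KNOWN_ARTISTS:
        return {"status": "200", "headers": headers, "body": f"<h2>{KNOWN_ARTISTS[artist_id]}</h2>"}
    if artist_id.isdigit():
        return {"status": "200", "headers": headers, "body": "<p>No artist found</p>"}
    return {"status": "500", "headers": headers, "body": "Error: invalid artist id"}


def fuzz(template, generators, filters, send=fake_target):
    """Send every generated request and keep the responses that pass the filters."""
    reported = []
    for request in expand(template, generators):
        response = send(request)
        if passes(response, filters):
            reported.append((request, response))
    return reported


TEMPLATE = "GET /artists.php?artist=${artists_id} HTTP/1.1\r\nHost: example.test\r\n\r\n"


def enumerate_artists():
    """The manual's scenario: ids 1..1000, dropping the 'No artist found' pages."""
    generators = {"artists_id": number_generator(1, 1000)}
    filters = [Filter("drop empty pages", include=False, apply_to="body", pattern=r"No artist found")]
    return fuzz(TEMPLATE, generators, filters)


def overflow_probe():
    """Character repeater: one 5000-byte id, keeping only 5xx responses."""
    generators = {"artists_id": character_repeater("A", 5000)}
    filters = [Filter("server errors only", include=True, apply_to="status", pattern=r"^5\d\d$")]
    return fuzz(TEMPLATE, generators, filters)
```

Running enumerate_artists() sends 1000 requests to the stand-in and returns only the three that hit a real record, which is the "only valid results are reported" behaviour the manual describes; overflow_probe() shows the character repeater paired with an Include rule on the status line, so that only the error response is kept. Swapping fake_target for a real sender is the only change needed to point this at a test system you are authorized to scan.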

12. Web Services Scanner

12.1 Introduction

Many organizations implement a Web Services architecture to increase the availability of information and to run business processes over the internet. Web Services, like any other internet-facing system, present new attack possibilities and increase the need for security audits. The Web Services Scanner allows you to perform automated vulnerability scans of Web Services and to generate a detailed security report from the results.

12.2 Starting a Web Service Scan

The easiest way to start a scan is the Web Services Scan Wizard, which asks for the details and configuration to be used during the scan in a series of steps.

Screenshot 94 - Web Services Scan Wizard

1. In the Acunetix WVS Tools Explorer, select the Web Services > Web Services Scanner node to open the scanner.
2. Click the New Scan button in the toolbar to launch the Web Services Scan Wizard.
3. Select an online or local WSDL and choose a scanning profile. Click Next to proceed to the next step.

Screenshot 95 - Web Services Scan Wizard: Selection

4. Select the Web Services, port types and methods you would like to scan, using the tick boxes. Click Next to proceed to the next step.

Screenshot 96 - Web Services Scan Wizard: Values

5. Optionally, enter custom values for specific input types so that the scanner uses them during the scan. Click Next to proceed to the next step.

Screenshot 97 - Web Services Scan Wizard: Summary

6. This step shows a summary of the WSDL that will be scanned, together with all the options selected. Click Finish to launch the scan.

12.3 Analyzing Results

Once the Web Services scan is finished, the results are shown on screen as a tree of nodes and sub-nodes.

Screenshot 98 - Web Services Scan Results

In the scan results panel of WVS, the vulnerabilities are grouped by vulnerability class, and each class contains the pages found to be exploitable. Expanding a class reveals the vulnerable pages together with every variant of the attack that WVS tested. The activity window at the bottom of the screen shows a detailed, verbose log of the entire scan process, including any errors the Web Services scan encountered.

Screenshot 99 - Web Services Scan Result Details

Clicking a node shows further details of the vulnerability in the info panel on the right-hand side. Without using the Reporter you can read a description of the vulnerability and how it may be exploited on that page, the attack details (including the request and response exchanged between WVS and the server), and detailed remediation advice for securing the page.

Screenshot 100 - Web Services Scan Result: Report Button

The Web Services scanner lets you generate a report of the results quickly by clicking the Report button in the scanner toolbar. This launches the Reporter, which generates the default report automatically without further configuration. For more information about the Reporter, refer to page 105 of this manual.

Screenshot 101 - Web Services Scan Report

13. Web Services Editor

13.1 Introduction

The Web Services Editor allows you to import an online or local WSDL, edit the resulting requests, and execute the various web service operations over different port types, for in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting, so you can easily edit SOAP headers and craft your own manual attacks.

13.2 Using the Web Services Editor

Editing and sending Web Services SOAP messages is very similar to editing normal requests sent via the HTTP Editor.

Importing a WSDL and Sending a Request

1. In the Acunetix WVS Tools Explorer, select the Web Services > Web Services Editor node.
2. Enter the URL of the WSDL, or browse to the local file, and click Import.

Screenshot 102 - Web Services Editor

3. In the Editor tab, select the Service, the Port type and the operation to perform. When you have finished selecting the settings, click Send. The editor builds the SOAP request defined by the operation and displays the server response in a structured view or as raw XML.

Response Tab

This tab shows the web service response as raw XML, so you can inspect exactly what the server returned.

Screenshot 103 - Web Services Editor: Response Tab

Structured Data Tab

This tab presents the same XML as a hierarchy of nodes, showing the value of each element.

Screenshot 104 - Web Services Editor: Structured Data Tab

WSDL Structure Tab

This tab provides a detailed, structured view of the web service as described by the WSDL.

Screenshot 105 - Web Services Editor: WSDL Structure Tab

The WSDL information is presented as nodes and sub-nodes so that it is easy to understand and analyze. The main nodes of the tree are XML Schema and Services. The XML Schema node lists all the complex types and elements of the web service. The Services node lists all the web service ports and their operations, together with the details of the resource that serves the SOAP data.

Screenshot 106 - Web Services Editor: WSDL Structure Tab (detailed)

If needed, a more detailed WSDL structure can be shown by ticking "Show detailed WSDL structure" at the bottom of the screen. This adds extensive information for each sub-node of the Services node, such as input messages and parameters.

WSDL Tab

This tab shows the actual WSDL as XML. Using the toolbar at the bottom of the screen you can search for keywords or elements in the source and change the syntax highlighting if needed.

Screenshot 107 - Web Services Editor: WSDL Tab

13.3 HTTP Editor Export Feature

The Web Services Editor is very useful for editing and customizing SOAP requests, but it also lets you export a SOAP request to the HTTP Editor, where it is sent as an HTTP POST request.

1. In the Acunetix WVS Tools Explorer, select the Web Services > Web Services Editor node.
2. Enter the URL of the WSDL, or browse to the local file, and click Import.

Screenshot 108 - Web Services Editor: HTTP Editor Export

3. Once the WSDL is imported, click the HTTP Editor button in the Web Services Editor toolbar to export the SOAP request.

Screenshot 109 - Web Services Editor: HTTP Editor View

4. The HTTP Editor imports the data automatically; you can now customize the SOAP request and send it as an HTTP POST request by clicking the Start button.
5. Once the response comes back from the web server, the response data is presented in the HTTP Editor tabs for further analysis.

Screenshot 110 - Web Services Editor: HTTP Editor Response Data Tab
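As an added example (not Acunetix code) that serves both the Structured Data tab described in section 13.2 and the export to the HTTP Editor described here, the following Python builds a SOAP 1.1 request for a constructed operation, renders it as the raw HTTP POST that the HTTP Editor sends, and turns a constructed SOAP response into the element hierarchy that the Structured Data tab shows, refusing to do so when the server answers with a SOAP Fault. The service namespace, host, path, SOAPAction value and the sample messages are all assumptions.

```python
"""Added example, not part of Acunetix WVS: a SOAP 1.1 request built from an
operation, rendered as a raw HTTP POST, plus a structured view of the reply.
The service, namespace, endpoint and sample messages are constructed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)


def build_envelope(target_ns, operation, params):
    """Wrap an operation call and its parameters in a SOAP 1.1 envelope."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{target_ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{target_ns}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")


def build_http_post(host, path, soap_action, envelope):
    """Render the envelope as the raw HTTP POST the HTTP Editor would send."""
    body = envelope.encode("utf-8")
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: text/xml; charset=utf-8",
        f'SOAPAction: "{soap_action}"',    # SOAP 1.1 expects the action quoted
        f"Content-Length: {len(body)}",    # bytes of the encoded body, not characters
    ])
    return head.encode("ascii") + b"\r\n\r\n" + body


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def to_tree(element):
    """Structured Data view: a leaf becomes its text, anything else a dict of
    child name -> value; repeated child names are collected into a list."""
    children = list(element)
    if not children:
        return (element.text or "").strip()
    tree = {}
    for child in children:
        name, value = _local_name(child.tag), to_tree(child)
        if name in tree:
            if not isinstance(tree[name], list):
                tree[name] = [tree[name]]
            tree[name].append(value)
        else:
            tree[name] = value
    return tree


def parse_soap_response(xml_text):
    """Return the structured view of the SOAP Body; raise on a SOAP Fault."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if root.tag != f"{{{SOAP_NS}}}Envelope" or body is None:
        raise ValueError("response is not a SOAP 1.1 envelope")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(f"SOAP Fault {fault.findtext('faultcode')}: {fault.findtext('faultstring')}")
    return to_tree(body)


# Constructed sample messages (not captured from any real service).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetProductsResponse xmlns="http://example.test/catalog">
      <Product><Id>1</Id><Name>Widget</Name></Product>
      <Product><Id>2</Id><Name>Gadget</Name></Product>
    </GetProductsResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
  <faultstring>Invalid category id</faultstring></soap:Fault></soap:Body>
</soap:Envelope>"""


def demo_request():
    """The constructed GetProducts call for category 1, as raw HTTP bytes."""
    envelope = build_envelope("http://example.test/catalog", "GetProducts", {"CategoryId": 1})
    return build_http_post("example.test", "/catalog.asmx",
                           "http://example.test/catalog/GetProducts", envelope)
```

Two details are worth checking whenever you hand-edit an exported SOAP request in the HTTP Editor: the Content-Length must be recomputed from the encoded body after every change, and the SOAPAction header must still name the operation, since a SOAP 1.1 endpoint routes on it and will answer a Fault rather than the expected Body if it is wrong.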

14. Compare Results Tool

14.1 Introduction

The Compare Results tool allows you to analyze the differences between two scans performed at different dates. You can compare a full security scan or just the site crawler output. To compare results you must first save each scan's results to a scan file using the Save Scan Results function in the File menu.

14.2 Comparing Results

To compare scan results:

1. Go to the Tools > Compare Results node.

Screenshot 111 - Compare Results Toolbar

2. In the Compare Results toolbar, specify the file of the first scan's results in the first box and the second scan's results file in the other box. The two files must be of the same type, i.e. both scan results or both crawler results.

Screenshot - Compare settings dialog

3. Click the Compare button to launch the Compare Results wizard, then specify which items to compare by ticking or clearing the box next to each item.
4. You can save the list of items to compare as a template by entering a new template name and clicking Save.
5. Click Finish to start the comparison. For large websites, comparing the file structure may take a long time to complete.

14.3 Analyzing the Results Comparison

Screenshot - Comparison results display window

After the comparison has completed, the results are shown in a two-pane interface with a column down the middle. The left pane contains the contents of the original scan and the right pane contains the results of the more recent scan. The middle column shows an icon indicating the comparison result for the item on that line:

- No changes.
- This item was added in the new version.
- This item was deleted from the new version.
- This item was changed in the new version.

Screenshot - Comparison results details

Click the result icon in the middle column to display the comparison details. These show the changes detected between the two scans, such as the number of items present in each scan and the items that were added or deleted.

14.4 Modify/Delete Template Items

To modify a template of items to compare:

1. Open the Compare Results dialog by clicking the Compare button.
2. Select the template to modify from the drop-down list at the top of the dialog and make the necessary changes.
3. Click the Save button, to the right of the template name drop-down, to store the changes.

15. The Reporter

15.1 Introduction to the Reporter

The Reporter is a separate application with extensive reporting functionality. It can also be launched directly from Acunetix WVS once a scan is complete, to generate an on-the-fly report using the chosen default template. Different report templates categorize scan results by vulnerability class, affected pages, general summary, comparison or statistical analysis, and present the findings in the formats specified by several compliance standards. The Reporter also lets you view and manage the scan database and existing reports.

Screenshot 115 - The Reporter Application

15.2 Launching the Reporter

The Reporter may also be used as a stand-alone tool. When Acunetix WVS is installed, a desktop shortcut is created for the Reporter, so it can be launched without Acunetix WVS running. It can also be launched from within WVS by selecting Tools > Reporter or by clicking the Reporter icon on the Acunetix WVS toolbar.

Screenshot 116 - Reporter Icon on WVS Toolbar

15.3 Report Styles and Templates

Developer Report

The Developer report groups the scan results by affected page and file. This gives developers an easy workflow for quickly identifying and resolving the vulnerabilities detected on the site. It also includes detailed remediation examples and best-practice recommendations for securing the vulnerable items.

Screenshot 117 - Developer Report

Executive Report

The Executive report summarizes the total number of findings in each vulnerability class. This makes it ideal for management, who can review the results without unnecessary technical detail.

Screenshot 118 - Executive Report

Vulnerability Report

The Vulnerability report presents a technical summary of the scan results, grouping all findings by vulnerability class. Each class lists the affected pages, the attack headers and the specific test details.

Screenshot 119 - Vulnerability Report

Scan Comparison Report

The Scan Comparison report documents the changes between two sets of scan results: resolved, unchanged and new vulnerabilities. This report style makes it easy to track the effect of development changes on a web application over time.

Screenshot 120 - Comparison Report

Statistical Reports

This set of templates gathers vulnerability information from the results database and presents it as periodic vulnerability statistics. It suits both developers and management for tracking security changes and compiling trend analyses.

Screenshot 121 - Statistical Report

Compliance Reports

This group of report styles generates a report according to the specifications of a compliance standard. An easy-to-use wizard prioritizes and reports the relevant vulnerabilities in the format specified by the following standards: the Health Insurance Portability and Accountability Act (HIPAA), OWASP Top 10 2004, OWASP Top 10 2007, the Payment Card Industry (PCI) standards, the Sarbanes-Oxley Act of 2002, and the Web Application Security Consortium Threat Classification.

Screenshot 122 - Compliance Report

15.4 Generating a Report

It is fast and easy to create on-the-fly reports from your scan results using the one-click Report button on the Web Scanner toolbar. This instantly generates the configured default report type from the scan results (refer to section 1.7 for the default report settings).

Screenshot 123 - Generate Report Button

As a stand-alone tool, the Reporter offers extensive functionality for creating different reports. The packaged templates let you launch the wizard for a chosen report style and present your scan results in the desired format.

Single Scan Report Wizard

1. Click one of the Single Scan Template sub-nodes in the Tools Explorer panel to select the Developer, Executive Summary or Vulnerability report.

2. Click the Report Wizard button. This opens the Single Scan Report Wizard.
3. Configure the report filter to select specific results, or leave the default selection to include all scan results, and click Next.
4. Select the scan from the chronologically ordered list and click Next.
5. Select the desired report content properties and click Generate.

Comparison Wizard

1. Click the Scan Comparison sub-node under the Comparison Templates node in the Tools Explorer panel.
2. Click the Report Wizard button. This opens the Comparison Report Wizard.
3. Configure the report filter to select specific results, or leave the default selection to include all scan results, and click Next.
4. Select the first scan for the comparison from the chronologically ordered list and click Next.
5. Select the second scan, which will be compared with the first, from the chronologically ordered list and click Next.
6. Select the desired report content properties and click Generate.

Statistical Templates

1. Select one of the sub-nodes under the Statistical Templates node to choose the Yearly, Monthly or Weekly vulnerability statistics report.
2. Click the Report Wizard button. This opens the Report Properties for the selected statistical template.
3. Configure the time frame for the statistics by specifying the month and year for which you require them.
4. Click Generate to create the report.

Compliance Templates

1. Select the Compliance Report sub-node under the Compliance Templates node in the Tools Explorer.
2. Click the Report Wizard button. This opens the Compliance Report Wizard.
3. Select the compliance standard from the list. A detailed description of the selected standard is shown in the bottom part of the wizard. Click Next to proceed to the next step.

Screenshot 124 - Compliance Report Wizard

4. Configure the report filter to select specific results, or leave the default selection to include all scan results, and click Next.
5. Select the scan from the chronologically ordered list and click Next.
6. Click Generate to create the report.

15.5 The Report View

Once the selected report has been generated it can be viewed immediately within the Reporter. The report view provides further options to save, export and print the report, or to search for specific text within it.

Screenshot 125 - Reporter Toolbar

- Print: opens the print dialog, where you can select a printer and print the report currently in view.
- Open: opens a saved report file (report files have the .PRE extension).
- Save: saves the current report as an Acunetix report file (.PRE).
- Export: exports the report to one of the supported output formats: PDF, RTF, HTML, BMP or TXT.
- Document Map: shows or hides the document map panel.
- Find: searches for specific text within the report.
- Zoom Out / Zoom In: changes the magnification of the report view.

15.6 WVS Database

The Reporter can also be used to view the database of scan results. Through the Reporter's database view it is easy to select a specific scan and generate a report straight from the database. The database view can also be used to remove data that is no longer needed and so reduce the overall database size.

Screenshot 126 - Reporter Database View

15.7 The Reporter Settings

The Reporter settings allow you to configure the tool and the way it displays reports, through two settings groups: Report Options and Page Settings.

Report Options

This configuration screen consists of two sections for customizing the layout, titles and images in the headers of reports:

- General Settings: configure the default report style used when a report is generated directly from Acunetix WVS.
- Report Options: select custom icons, logos, headers and footers to customize the report. Use these settings to change the report layout to suit your needs and to brand reports for your own company; consultants commonly use them to rebrand reports generated from WVS scan results with their own logos and images.

These are general default settings and apply to all reports generated with the WVS Reporter.

Screenshot 127 - Reporter Settings: Report Options

Page Settings

The page settings configure the default page size, orientation and margins of your reports. These are general default settings and apply to all reports generated with the WVS Reporter.

Screenshot 128 - Reporter Settings: Page Settings

16. Command Line Support

16.1 Introduction

Command line support provides a command line interface that gives you the power of Acunetix WVS without the graphical user interface. It lets you drive WVS directly from a command prompt, and from batch files and scripting languages, so that repetitive tasks can be automated. A comprehensive set of command line parameters gives precise control over the most important features of Acunetix WVS. Scanning a website through the WVS command line is faster than going through the user interface, since the console application concentrates on performing the scan rather than displaying real-time scan results.

16.2 Locating the WVS Command Line Executable

The WVS command line executable is installed with Acunetix WVS and can be found in the application's default installation folder:

C:\Program Files\Acunetix\Web Vulnerability Scanner 5\wvs_console.exe

If the executable is run without parameters, usage information is displayed, with details of every parameter and option accepted by the console application, for quick reference.

Screenshot 129 - WVS Command Line Help

16.3 Command Line Parameters and Options

The Acunetix WVS command line supports many of the graphical user interface options and allows the same degree of customization and flexibility through a set of command line parameters and options.

The WVS command line supports the following usage parameters:

  /scan [url]              Scan a single website, where [url] is the full URL of the website to scan.
  /crawl [url]             Crawl a single website, where [url] is the full URL of the website to crawl.
  /scanfromcrawl [file]    Start a scan from the saved crawl [file].
  /scanlist [file]         Scan a group of websites, where [file] is the name of a text file containing the list of websites to scan.
  /scanwsdl [wsdlurl]      Start a web services scan from [wsdlurl].

A URL (or file) must be passed to the command line executable, so exactly one of the usage parameters must be used. Other parameters and options can be passed in addition.

The WVS command line supports the following parameters:

  /profile [profilename]    Use the specified scanning profile, where [profilename] is the name of a saved profile.
  /loginseq [filename]      Use the specified login sequence, where [filename] is the name of a saved login sequence.
  /save [filename]          Save the results to [filename].
  /exportxml [filename]     Export the results as XML to [filename].
  /exportavdl [filename]    Export the results as AVDL to [filename].
  /savetodatabase           Save the results to the database.
  /savelogs [filename]      Save the logs to [filename].
  /generatereport [dir]     Save the report of the scan directly to the directory [dir].
  /sendmail                 When the scan finishes, send an e-mail using the details configured in the Scheduler settings.
  /verbose                  Enable verbose mode.
  /usage                    Show usage information.

The WVS command line supports the following options; each boolean option is set to either true or false:

  --GetFirstOnly=[true|false]            Get only the first URL.
  --RestrictToBaseFolder=[true|false]    Do not fetch anything above the start folder.
  --FetchSubdirs=[true|false]            Fetch files below the base folder.
  --ForceFetchDirindex=[true|false]      Fetch directory indexes even if they are not linked.
  --UseHTTPAuthentication=[true|false]   Use HTTP authentication.
  --AuthUser=username                    HTTP authentication username, used for the NTLM login to the website.
  --AuthPass=password                    HTTP authentication password, used for the NTLM login to the website.
  --SubmitForms=[true|false]             Submit forms.
  --RobotsTxt=[true|false]               Retrieve and process robots.txt.
  --CaseInsensitivePaths=[true|false]    Use case-insensitive paths.
  --UseCSA=[true|false]                  Analyze JavaScript.

Apart from the usage parameter, all other parameters and options are optional and can be omitted. When optional parameters and options are not specified, the defaults configured in the graphical user interface are used. Note that a password passed with --AuthPass is visible to anyone who can list the running processes or read the batch file that contains it, so restrict access to any script that embeds one.

16.4 Reporter Command Line

Screenshot 130 - Reporter Command Line Help

16.5 Command Line Examples

Here are some examples of launching a scan from the command line, to help you understand how the console application works.

Example 1

The following command starts a scan of the website given as [url] and saves the results to the file output.wvs:

wvs_console.exe /scan [url] /save output.wvs

Example 2

In this example a scan of the website given as [url] is started with the default scanning profile; the scan results are saved to the file testasp.wvs and to the database, and the login sequence "testasp login" is used (the name is quoted because it contains a space). Verbose output is shown while the scan runs.

wvs_console.exe /scan [url] /save testasp.wvs /profile default /loginseq "testasp login" /verbose /savetodatabase

17. Scheduler

17.1 Introduction

The Scheduler provides flexibility and automation for launching all types of scans, including concurrent and sequential scans of single or multiple websites. Tasks such as automated crawling and scanning can be scheduled for the time most convenient to you, and run once, daily, weekly, monthly, at specific times, or continuously within a queue. Scheduling runs as a background service; the related management console lets you configure scanning, crawling, logging and saving of results, and the schedule logs give detailed information on the scheduled queues. Neither WVS nor the Scheduler management console needs to be running for scans to launch at the scheduled time, so no user intervention is required.

17.2 The Scheduler Management Console

You can open the Scheduler Management Console by clicking the Scheduler icon on the toolbar of the main program interface.

Screenshot 131 - The Main Toolbar

The Scheduler can also be launched directly, without starting Acunetix WVS, from the shortcut in the Acunetix folder of the Windows Start menu: Start > All Programs > Acunetix Web Vulnerability Scanner 5 > Acunetix Web Vulnerability Scanner Scheduler.

Screenshot 132 - Acunetix WVS Scheduler

The main console is divided horizontally into two panels:

- The top panel contains a tree of queues, each listing the websites to be scanned at the scheduled times. Each item in the tree can be configured separately.
- The bottom panel contains a detailed log of the scheduling service, with information on the service itself and on each queue that has been launched.

Scheduler Toolbar

Screenshot 133 - The Scheduler Toolbar

The Scheduler toolbar provides:

- Add a Scheduled Scan: opens the Add Scheduled Scan dialog.
- Settings: opens the Settings dialog, where you can choose to start the Scheduler Management Console when Windows starts and to minimize the console to the system tray (the default).
- Notifications: configures the notification sent when a scheduled scan finishes.
- Start/Stop Service: opens a drop-down menu used to start or stop the scheduler service running in the background.
- Service is Running / Service is Not Running: this text, on the toolbar of the top panel of the Management Console, indicates whether the scheduler service is started.

Scheduler Log Toolbar

Screenshot 134 - The Scheduler Log Toolbar

The log toolbar on the lower panel of the Management Console filters what is shown in the log pane:

- Show/Hide Debug Logs: show or hide debug information. Debug logs are usually needed only when investigating application errors.
- Show/Hide Info Logs: show or hide information logs, which report the progress of queues.
- Show/Hide Warn Logs: show or hide warning logs, which report warnings that occurred while queues were running.
- Show/Hide Error Logs: show or hide error logs, which report errors that occurred while queues were running.
- Show/Hide Timestamps: show or hide the timestamp column in the log pane.
- Filter Logs: show only the log entries containing the text typed in the adjacent field.
- Clear Logs: clear the logs. This is irreversible and erases all log data.
- Save Logs to File: save the current log to a file.

17.3 Creating a Schedule

1. Open the Scheduler Management Console.
2. Click on the Add Scheduled Scan button to open the Add Scheduled Scan dialogue.

Screenshot 135 - Scheduler Add Scan Dialogue

3. To create a queue, enter an appropriate name in the field next to the radio button Create a new queue named. Example: Test Queue 1 or Weekly Live Website Scan.
4. Select the scheduled recurrence of the queue: Once, Every Day, Every Week, Every Month or Continuous.
5. Select the specific time of the recurrence. (This option might not be fully customizable, depending on the type of recurrence configured.)
6. Configure the scan target in one of the following ways:
   - Entering the target application/web service URL
   - Selecting a text file with a pre-defined list of URLs
   - Importing a set of saved crawl results (*.cwl)
7. Select the scanning profile to be used for this queue. Scanning profiles can be customized from the WVS main interface. For more information on Scanning Profiles please refer to page 153 of this manual.
8. Choose any login sequences that you want to execute prior to the scan. Login sequences have to be recorded and saved from the WVS main interface.
9. If you wish to save the results to a scan results file, tick the option Save scan results to and type in the name of the file in which the scan results are to be saved.
10. Click on the OK button to save the scheduled queue.

To add the scan to an existing queue instead, tick the radio button Enqueue to an existing queue; a drop-down list appears with all the queues already created in the scheduler.

To set other advanced options for the scheduled queue, switch to the Advanced tab in the Add Scheduled Scan dialogue.

Screenshot 136 - Scheduler Add Scan Dialogue Advanced Settings

The options in this tab allow you to customize the crawling settings with the same flexibility as the WVS main interface. The option to save the logs for later reference is also available here.

18. Configuring Acunetix WVS

18.1 Introduction

Screenshot - Configuration Settings

Acunetix WVS may be configured to control options such as LAN settings, scanning profiles, the database backend to use, and more. By clicking on Configuration in the Tools Explorer you will see two main configuration nodes, called Settings and Scanning Profiles.

18.2 Settings: Application Settings > General

The Settings node allows you to configure general settings for Acunetix WVS such as update settings, HTTP general settings and HTTP request tuning. Click on Configuration > Settings in the Tools Explorer to display the Settings Interface with the set of configurable options described below.

Updates

Screenshot - General Application Options

Updates URL - The location from which new vulnerability definitions are downloaded.
Check for updates - Specify when to automatically check for new vulnerability definitions.

HTTP General

User agent string - Configure how Acunetix WVS identifies itself to the web server.
File size limit in kilobytes - Maximum file size accepted by the crawler. Files larger than this value will not be crawled.
HTTP request timeout in seconds - If no HTTP response is received within this interval, the request is cancelled and a timeout warning is displayed in the activity window.
Display custom HTTP status information - Display the full HTTP status line header and the corresponding status string.

HTTP Tuning

Maximum number of parallel connections - Sets the limit on the number of simultaneous connections made to a target site. If overloaded with parallel requests, some target servers might crash or return incorrect results.
HTTP request queue execution frame - Number of requests queued for execution.
Delay between consecutive requests group - Delay between two execution queues (in milliseconds).
Default schemes - Select a predefined scheme for Internet or Local Intranet. Several predefined HTTP tuning schemes are available (e.g. one for the Internet and one for a local intranet); selecting one of them modifies the values of the previous settings (Maximum number of parallel connections and the rest).

Changes to the HTTP Tuning section take effect only after Acunetix WVS is restarted. These settings control how the application sends requests to the server. Modify them carefully: aggressive values may flood the server with requests, which can crash the server or cause it to return incorrect results.

Password Protection

This section lets you configure a password that restricts access to the WVS main application and all the supporting WVS applications, including the Reporter, Vulnerability Editor and Scheduler. When a password is configured here, a password dialog is presented every time a WVS application is launched, and the password must be entered to access the application.

Screenshot - General Application Options - Password Protection

Once a password has been set in WVS, every subsequent launch of the product or any of its supporting applications presents the password protection dialog. Simply enter the password you configured in WVS into this dialog to access the application normally.

Screenshot 140 - Password Protection Dialog

Removing Password Protection

If a password is configured in WVS and you need to remove it, so that the applications can be accessed without the user entering a password, follow these steps:

1. Go to the Configuration > Settings > Application Settings > General node to access the password protection configuration settings.
2. In the Password protection section of the page, enter the current password in the Current password textbox.
3. Leave the New password and Confirm new password textboxes empty.
4. Click on the Set Password button to save the settings. A dialog will appear confirming that the password protection has been disabled.

Screenshot 141 - Password Protection Disabled Dialog

18.3 Settings: Application Settings > LAN Settings

The LAN Settings are explained in Chapter 2 on page 21 of this manual.

Screenshot 142 - LAN Settings Options window

18.4 Settings: Application Settings > Database

The Database Settings node allows you to configure the database in which scan results are saved for future reference. To configure which database to use (MS Access/MS SQL Server) for storing scan results:

Screenshot - Enable Database Support

1. Go to Configuration > Settings in the Tools Explorer and click Application Settings > Database in the Settings Interface.

Screenshot - MS SQL Server Database support setup

2. Select Enable Database Support and select the database backend type. If you select MS Access, you will also need to specify a location where the scan results are to be saved; the database will be created for you automatically. If you select MS SQL Server as the database backend you will also need to specify the following:
   - The hostname/IP of the SQL Server.
   - The login credentials used to access the server.
   - The name of the database to create on the SQL Server, where scan results will be stored.
3. Click on the Apply button to create the database. If you specify the name of a database that already exists, Acunetix WVS will check whether it has the required structure and, if so, use it. If the structure is different, it will ask you to either overwrite the existing database or specify a different database name.

18.5 Settings: Application Settings > Certificates

Some websites require client certificates to identify a client before access is granted. These certificates may be configured in Acunetix WVS, together with the URL for which they are to be used during a crawl or a scan. To configure a certificate:

Screenshot - MS SQL Server Database support setup

1. Go to Configuration > Settings in the Tools Explorer and click on the Application Settings > Certificates node in the Settings Interface.
2. Click on the browse folder button to browse for the certificate file.
3. Enter a password (if required) in the Password textbox.
4. Enter the URL which requires the certificate.
5. Click on the Import button to save the certificate details.
6. Click on the Apply button to save the changes.

18.6 Settings: Application Settings > Logging

This section provides the configuration for enabling general logging, including the individual logging of the various components of the application.

Screenshot 146 - Logging Configuration

18.7 Tool Settings > Site Crawler

In this node you can configure the default options for the site crawler. Defaults may be overridden on a scan-by-scan basis from File > New > Scan.

Crawling Options

Screenshot - Crawler global options setup

The Crawler traverses the entire website and identifies its structure. The following crawling options may be configured:

Start HTTP Sniffer for manual crawling at the end of the scan process - This option starts the HTTP Sniffer automatically at the end of the crawl process, enabling you to browse (the browser must be set to use Acunetix WVS as its proxy) parts of the site that the crawler could not reach or did not find. Frequently these pages are linked via JavaScript menus or other methods. Although Acunetix WVS handles JavaScript, there may be situations where a manual crawl is still required. The crawler will update the site structure with the newly discovered links and pages.

Get first URL only - Scan only the index or first page.

Do not fetch anything above start folder - Select this option to instruct the crawler not to follow any links above the start folder. For example, if the start URL is inside the /wvs/ folder, the crawler will not traverse links which point to a location above that folder; it will, however, traverse all links to pages located in the /wvs/ folder or any of its subfolders.

Fetch files below base folder - Select this option to also follow links which point outside the base folder, i.e. to a location below the base link.

Fetch directory indexes even if not linked - Select this option to instruct the crawler to request the directory index for every discovered directory, even if the directory index is not directly linked.

Retrieve and process robots.txt, sitemap.xml - Select this option to have Acunetix WVS look for a robots.txt file and follow all the links in it.

Case insensitive paths - Select this option to ignore any case difference in the links found on the website, e.g. /Admin will be considered the same as /admin.

Submit forms - Select this option to automatically fill in and submit HTML forms with the information that you have previously configured in the Configuration > Settings (in Tools Explorer) > Scanner Settings > HTML Forms node. (For full details on how to configure Acunetix WVS see Chapter 18 on page 126 of this manual.)

Analyze JavaScript - Select this option to activate the Client Script Analyzer (CSA) during crawling. This executes the JavaScript/AJAX code of the website to gather a more complete site structure.

Fetch External Scripts - This option is related to the Client Script Analyzer (CSA). If it is enabled, the CSA will read and analyze scripts located on other hosts.

Fetch default index files - If this option is enabled, the crawler will try to fetch common default index filenames (like index.php, Default.asp) for every folder, even if these files are not directly linked.

Try to prevent infinite directory recursion - There is a small probability that certain website structures will put the scanner in a loop, trying to fetch the same directory recursively (e.g. /images/images/images/images/). Enabling this setting instructs the scanner to try to prevent this situation by identifying repeated directory names in the recursion.

Keep site file data on disk - Select this option to instruct the crawler to store the crawling data directly on the hard drive instead of keeping it in memory. This option considerably reduces memory consumption but might reduce the responsiveness of the application at times.

Maximum number of variations - Specifies the maximum number of variations for a file.

Link Depth Limitation - Specifies the maximum link depth level.

Structure Depth Limitation - Specifies the maximum depth level for directories.

Authenticate with this username and password combination - Select this option to log into the target website if it requires HTTP authentication.
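The scope rules above (start folder restriction, case-insensitive paths, link and structure depth limits, and the repeated-directory check that guards against infinite recursion) as an added Python example; this is illustrative code written for this manual section, not Acunetix code, and the function, parameter and host names (scanme.example) are assumptions of the example.

```python
# Added example (not Acunetix code): the Site Crawler scope rules described
# above, implemented in Python for illustration. The option names follow
# the manual; the function and parameter names are this example's own.
from urllib.parse import urlsplit


def _folder_parts(url: str, case_insensitive: bool) -> list:
    """Directory components of a URL path. The last segment is dropped when
    the path does not end with '/', because it then names a file."""
    path = urlsplit(url).path
    if case_insensitive:            # "Case insensitive paths": /Admin == /admin
        path = path.lower()
    parts = [p for p in path.split("/") if p]
    if parts and not path.endswith("/"):
        parts = parts[:-1]
    return parts


def has_directory_recursion(url: str, max_repeats: int = 3) -> bool:
    """'Try to prevent infinite directory recursion': flag a path in which the
    same directory name repeats consecutively more than max_repeats times,
    e.g. /images/images/images/images/ (the threshold is this example's choice)."""
    parts = _folder_parts(url, case_insensitive=False)
    run = 1
    for prev, cur in zip(parts, parts[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_repeats:
            return True
    return False


def in_crawl_scope(url: str, start_url: str, link_depth: int, *,
                   fetch_above_start: bool = False,
                   case_insensitive_paths: bool = False,
                   max_link_depth: int = None,
                   max_structure_depth: int = None) -> tuple:
    """Decide whether the crawler should fetch `url`, found `link_depth`
    links away from `start_url`. Returns (allowed, reason)."""
    u, s = urlsplit(url), urlsplit(start_url)
    # Other hosts are governed by the Scanner's "List of hosts allowed"
    # setting, not by these crawler options, so they are simply refused here.
    if (u.scheme, (u.hostname or "").lower()) != (s.scheme, (s.hostname or "").lower()):
        return False, "different host"
    url_dirs = _folder_parts(url, case_insensitive_paths)
    start_dirs = _folder_parts(start_url, case_insensitive_paths)
    # "Do not fetch anything above start folder": the start folder must be
    # a prefix of the candidate's folder path.
    if not fetch_above_start and url_dirs[:len(start_dirs)] != start_dirs:
        return False, "above start folder"
    if max_link_depth is not None and link_depth > max_link_depth:
        return False, "link depth limit"
    if max_structure_depth is not None and len(url_dirs) > max_structure_depth:
        return False, "structure depth limit"
    if has_directory_recursion(url):
        return False, "directory recursion"
    return True, "ok"


# Constructed sample: the start URL lives in /wvs/, as in the manual's text.
START = "http://scanme.example/wvs/index.php"

if __name__ == "__main__":
    for candidate, depth in [
        ("http://scanme.example/wvs/admin/login.php", 1),
        ("http://scanme.example/docs/guide.html", 1),
        ("http://scanme.example/wvs/images/images/images/images/x.gif", 2),
    ]:
        print(candidate, in_crawl_scope(candidate, START, depth))
```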

18.8 Tool Settings > Site Crawler > File Filters

In this node you can configure which files are included in or excluded from the crawl. This is done by matching the file extensions against the wildcards shown below.

File Filters

Screenshot 148 - Site Crawler File Filters Options

Include List - Process all files which fit the wildcards specified in the list.
Exclude List - Ignore all files which fit the wildcards specified in the list.

Binary files (images, movies, archives etc.) are excluded by default by the crawler to avoid unnecessary traffic and the scanning of non-vulnerable files.

18.9 Tool Settings > Site Crawler > Directory Filters

In this node you may configure which directories will be ignored during a crawl.

Screenshot 149 - Site Crawler Directory Filters Options

To configure a directory filter:

1. Go to the Configuration > Settings > Tool Settings > Directory Filters node.
2. Click on the Add URL button.

18.10 Tool Settings > Site Crawler > URL Rewrite

This node defines a list of URL rewrite rulesets for websites using this technology. These rulesets are used by the crawler to navigate and understand the website better.

Screenshot 150 - Site Crawler URL Rewrite Options

To import the URL Rewrite configuration from an Apache web server, you need access to its httpd.conf or .htaccess file, which is then imported into the URL Rewrite configuration.

To import the Apache configuration:

1. Click on the Import Rule button to open the Import Rewrite Rules dialogue.

Screenshot 151 - URL Rewrite Import Configuration Dialogue

2. Enter the path to the Apache httpd.conf or .htaccess file.
3. Select the type of configuration to import (httpd.conf or .htaccess). If a .htaccess file is used, you also need to configure the hostname and the directory on the web server to which the URL rewrite configuration applies.
4. Click on the Next button.

To add a new ruleset:

1. Click on the Add ruleset button to open the URL Rewrite Editor window.

Screenshot 152 - URL Rewrite Editor

2. Click on the Add button to open the Add Rule dialogue.

Screenshot 153 - URL Rewrite Add Rule Dialogue

3. Select whether the ruleset is a general rule or a directory rule.
4. Enter the regular expression used to match the URL, and then enter the Replace With value that you have configured on your web server.
5. Click on the OK button to save the ruleset.
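What the crawler gets out of a ruleset: a rewritten ("pretty") URL mapped back to the script and parameters the server really executes, so that those parameters can be tested. The following Python reader for Apache RewriteRule lines and single-pass rewrite is an added example for this section, not Acunetix code; the sample .htaccess, the function names and the per-directory handling are assumptions of the example (RewriteCond and flags other than L and NC are not handled).

```python
# Added example (not Acunetix code): a small reader for Apache RewriteRule
# directives and the single-pass rewrite the crawler needs to map a
# rewritten URL onto the script and parameters it really reaches.
# Names are this example's own; RewriteCond and flags other than L/NC
# are ignored.
import re

RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.IGNORECASE)


def parse_rewrite_rules(config_text: str) -> list:
    """Extract RewriteRule lines from httpd.conf/.htaccess text.
    Returns [(compiled_pattern, substitution, flags_set), ...] in file order."""
    rules = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):      # comment line
            continue
        m = RULE_RE.match(line)
        if not m:                              # RewriteEngine, RewriteCond, ...
            continue
        pattern, subst, flag_text = m.groups()
        flags = {f.strip().upper() for f in (flag_text or "").split(",") if f.strip()}
        regex = re.compile(pattern, re.IGNORECASE if "NC" in flags else 0)
        rules.append((regex, subst, flags))
    return rules


def apply_rewrite_rules(path: str, rules: list, directory: str = "/") -> str:
    """Rewrite a URL path as the web server would. For a .htaccess the
    per-directory prefix is stripped before matching (Apache matches the
    path relative to that directory) and put back afterwards, unless the
    substitution is absolute. A rule carrying [L] ends processing."""
    rel = path[len(directory):] if path.startswith(directory) else path.lstrip("/")
    absolute = False
    for regex, subst, flags in rules:
        m = regex.search(rel)       # patterns are unanchored unless ^ is used
        if not m:
            continue
        if subst != "-":            # "-" means: leave the path, apply flags only
            # Apache back-references $0..$9 refer to the captured groups
            rel = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
            absolute = rel.startswith("/")
        if "L" in flags:
            break
    return rel if absolute else directory + rel


# Constructed sample .htaccess, as a site with "pretty" URLs might use.
SAMPLE_HTACCESS = """\
RewriteEngine On
# pretty product URLs
RewriteRule ^products/([0-9]+)/?$ product.php?id=$1 [L,NC]
RewriteRule ^blog/([a-z0-9-]+)$ /blog.php?slug=$1 [L]
"""
RULES = parse_rewrite_rules(SAMPLE_HTACCESS)

if __name__ == "__main__":
    for p in ["/products/42", "/blog/hello-world", "/about.html"]:
        print(p, "->", apply_rewrite_rules(p, RULES))
    print("/shop/products/7", "->", apply_rewrite_rules("/shop/products/7", RULES, "/shop/"))
```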

18.11 Tool Settings > Site Crawler > Custom Cookies

This configuration node allows you to define custom cookies, per URL, to be sent to the web server during a scan. To add a custom cookie:

Screenshot 154 - Site Crawler Custom Cookies Options

1. Click on the Add cookie button to add a new blank line to the list.
2. Click on the new empty line in the list.
3. Enter the URL to which the custom cookie is to be sent.
4. Enter the custom cookie string that you want to send for that URL.
5. Click on the Apply button to save your changes.

18.12 Tool Settings > HTTP Sniffer

The HTTP Sniffer tool is actually a proxy server which intercepts all requests from your browser to the target website, allowing you to analyze and modify the requests.

Screenshot - Internal Proxy Server Setup

You can configure the following options:

Listen on - Select the network interface to which Acunetix WVS will be bound. If you want the proxy server to accept connections from remote computers through the HTTP Sniffer, select All interfaces.
Port - Specify the TCP port on which the internal proxy server listens for requests.

18.13 Tool Settings > Scanner

This node allows you to configure the default options of the Web Scanner. You can override the defaults on a scan-by-scan basis from File > New > Scan on the main menu.

Scanning Options

Screenshot - Web Scanner Setup Window

Report internal server errors - Select this option to report internal server errors (HTTP status code 500).

Disable alerts generated by crawler - Select this option to ignore alerts generated by the crawler (broken links and file inputs).

Synchronize crawlers - Select this option to prevent Acunetix WVS from starting the vulnerability checks before the crawler has completed. This option applies to vulnerability scans on multiple targets in the same scan request (e.g. scanning a list of websites).

List of hosts allowed - By default, Acunetix WVS does not traverse links outside the URL you are scanning. However, some links point to related sites (for example, support.scanneddomain.com) which may need to be included in the scan. You can configure Acunetix WVS to include and follow these links through the List of hosts allowed field: enter the host name or IP address of the domain to be included in the vulnerability scan and click the + button to add the entry to the list of hosts to be scanned. Hostnames can be specified using wildcards, e.g. *.domain.com includes all websites with the suffix .domain.com (such as sales.domain.com and support.domain.com). A question mark, for example host?.domain.com, includes all websites with one character added to host (e.g. host1.domain.com and host2.domain.com).
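The same wildcard matching underlies the Site Crawler's file filter lists (section 18.8) and the list of hosts allowed above. The Python below is an added example of both, not Acunetix code; the function names, the sample filter lists and the rule that an exclude match wins over an include match are assumptions of the example.

```python
# Added example (not Acunetix code): the wildcard matching behind the
# Site Crawler file filters and the Scanner's "List of hosts allowed".
# Names and the exclude-wins rule are this example's own.
import re
from urllib.parse import urlsplit


def wildcard_to_regex(pattern: str):
    """Anchored regex for a filter wildcard: '*' matches any run of
    characters (including none), '?' exactly one character, everything
    else literally. Matching is case-insensitive."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def file_allowed(url: str, include: list, exclude: list) -> bool:
    """File filters: the file name of `url` must fit an include wildcard
    and no exclude wildcard (an exclude match wins, this example's choice)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if any(wildcard_to_regex(p).match(name) for p in exclude):
        return False
    return any(wildcard_to_regex(p).match(name) for p in include)


def host_allowed(url: str, target_host: str, allowed_hosts: list) -> bool:
    """List of hosts allowed: the scan target itself is always in scope;
    other hosts only when they fit one of the configured wildcards.
    Note that *.domain.com requires the dot, so domain.com itself
    is not covered by it."""
    host = (urlsplit(url).hostname or "").lower()
    if host == target_host.lower():
        return True
    return any(wildcard_to_regex(p).match(host) for p in allowed_hosts)


# Constructed sample configuration: crawl everything except binary files,
# and allow one related host pattern.
INCLUDE = ["*"]
EXCLUDE = ["*.jpg", "*.gif", "*.png", "*.zip", "*.avi"]
ALLOWED_HOSTS = ["*.domain.com"]

if __name__ == "__main__":
    print(file_allowed("http://www.domain.com/index.php", INCLUDE, EXCLUDE))
    print(file_allowed("http://www.domain.com/img/logo.JPG", INCLUDE, EXCLUDE))
    print(host_allowed("http://sales.domain.com/", "www.domain.com", ALLOWED_HOSTS))
    print(host_allowed("http://cdn.other.com/x", "www.domain.com", ALLOWED_HOSTS))
```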

18.14 Scanner Settings > Login Sequences

This configuration screen allows you to create and edit the login sequences used by Acunetix WVS to enter protected areas of a website or to submit information to HTML forms. Any login sequences previously recorded in the Scanning Wizard or other parts of Acunetix WVS are also listed here.

To create a new login sequence:

Screenshot 157 - Login sequences configuration

1. Go to the Configuration > Settings node in the Tools Explorer and select Scanner Settings > Login Sequences in the Settings Interface.

Screenshot 158 - Login sequence recording

2. Click on the record button to open the sequence recorder window. The Record Login Sequence window starts and you can record the login process.
3. Browse to the HTML form login page, enter the username and password and authenticate by clicking the login button. On your website the names of the fields and of the login button may differ from the examples used here.
4. Now click on the End login sequence button at the top of the dialog.

Screenshot 159 - Login sequence recording - logout

5. After authenticating, you also need to identify the logout link; otherwise the logout link will be crawled and the scanner will be logged out of the password-protected area. Click on the logout link and select Restricted link.
6. You can review the login sequence that you recorded by clicking on the Edit login sequence button.

Screenshot 160 - Login sequence edit

7. When you are done, click on the Save icon and exit the login sequence editor. The login sequence is saved and shown in the login sequences dialog.

18.15 Scanner Settings > HTML Forms

In this node you can configure the custom values that are sent to specific HTML forms on a website. These values are submitted by the Scanner during an automated scan when it reaches parts of the website which are only accessible when specific input is given. For example, a download links page may only be reachable if a valid email address is submitted to a download details form.

Screenshot 161 - HTML Forms configuration

To configure an HTML form:

1. Go to the Configuration > Settings node.
2. Select the HTML Forms subnode of the Scanner Settings node in the Settings Interface.
3. In the HTML Forms section, enter the URL of the page containing the form to which the custom parameters are to be passed and click on the Parse from URL button. The resulting list is automatically completed with the form fields found at the given URL.
4. Enter the values for the required fields in the list by clicking in the Value column for each field (as shown in the screenshot above).
6. Click on the Apply button to save the changes.

Example: Testing a Signup Form

The signup page of the Acunetix test website is used as an example. The page that follows the submission of the signup details is only reachable if valid input is given, for example a valid email address or phone number. To configure this HTML form:

Screenshot 162 - HTML Forms example

1. Go to the Configuration > Settings node in the Tools Explorer and select Scanner Settings > Login Sequences in the Settings Interface.
2. In the HTML Forms section enter the URL, then click on the Parse from URL button. The list in the panel below is completed with the details of the form and the inputs found.
3. In the list, enter some valid alphanumeric text for the uuname, upass, upass2, urname, ucc, uphone and uaddress input parameters, as shown in the screenshot above.
4. Enter your email address as the value of the email address input parameter. By using your own email address you will later receive an email confirming that this form was actually submitted with the details entered here.
5. Uncheck the searchfor input parameter, since no search is required in this example.
6. Click on the Apply button to save the changes.

To edit a parameter value quickly, click on the value part of the parameter row (as shown in the previous screenshot) and press the F2 shortcut key.

To test the HTML form details:

Screenshot 163 - HTML Forms example results

1. Go to Tools > Site Crawler in the Tools Explorer.
2. Enter the URL in the Start URL textbox and click the Start button.
3. After the crawl has completed, find in the middle panel the subnode with the file newuser.php under the folder node secured and click on the + of the subnode to reveal the HTML form parameters sent.
4. You can then view all the submission details and the resulting page in the section on the right.

18.16 Scanner Settings > Parameter Exclusions

In this node you can configure the parameters that you want to exclude from a scan. Some parameters cannot be manipulated without affecting the user session; the parameters configured in this section are not manipulated during a scan.

To configure a parameter exclusion:

1. Go to the Configuration > Settings node.
2. Select the Parameter Exclusions subnode of the Scanner Settings node.

Screenshot 164 - Scanner Settings - Parameter Exclusions

3. Select the type of the parameter to exclude from the drop-down list. The available options are GET, POST, Cookie or Any.
4. Type the name of the parameter to exclude in the Name textbox.
5. Click on the Add exclusion button to add the parameter details to the list.
6. Click on the Apply button to save the changes.

18.17 Scanner Settings > Custom Error Pages

To configure a custom error page:

1. Go to the Configuration > Settings node in the Tools Explorer.
2. Select the Custom 404 Pages subnode of the Scanner Settings node in the Settings Interface.

Screenshot - Configuring a custom 404 error page

3. Click on the Add icon to open the Custom 404 Page dialog window.

Screenshot - Configuring a custom 404 website

4. In the URL textbox, enter the address of the website with the custom error page and click the Autodetect button. This extends the current window to show the custom error page as seen by a web browser.

Screenshot - Configuring a custom 404 pattern

5. Highlight the text that is unique to this custom error page, for example: Sorry, the page you have requested cannot be found. This text should not appear on any other page of the website.
6. Click on the Generate pattern button to generate a regular expression from the highlighted text. The highlighted text is copied to the Pattern textbox and converted into a regular expression that Acunetix WVS can understand.
7. Click on the Test pattern button to verify the generated pattern.
8. Click Add to save this custom error page configuration.

18.18 Scanner Settings > GHDB

By default, all GHDB entries (1450+) are tested for. You can also limit the set of GHDB queries to scan for.

Screenshot 168 - Configuring GHDB entries

To select specific GHDB entries:

1. Go to the Configuration > Settings node in the Tools Explorer.
2. Select the GHDB subnode of the Scanner Settings node in the Settings Interface.
3. Click on the Uncheck Visible button to unselect all the entries.

Screenshot - Configuring GHDB entries by filtering

4. In the Filter GHDB textbox enter a keyword to filter the list of entries (e.g. sql). The list refreshes automatically as you type.
5. Click on the Check only visible button to select the entries shown in the list. This also unselects all the entries which are not visible.
6. Unselect any entries that you do not wish to be scanned for.
7. Click on the Apply button to save the changes.

18.19 Scanning Profiles

Scanning profiles may be used to test a website for specific vulnerabilities. For example, the SQL injection profile only checks for SQL injection vulnerabilities. You can create your own profiles. When launching a scan, select the profile to use from the profile drop-down list in the toolbar.

Screenshot 170 - The Scanning Profiles Toolbar

Default Scanning Profiles

Acunetix WVS is installed with the following default profiles:

default - This profile includes all vulnerability checks, excluding only the web services related tests.

cgi_tester - The CGI tester scanning profile only searches for common CGI scripts and common sensitive files. This script detects all HTTP methods supported by the targeted web server (for example GET, PUT, DELETE etc.) and its functionality is similar to that of a CGI scanner. However, WVS does include a highly configurable XML interface.

dir_file_checks - This scanning profile scans the structure of a target website for directories and files. For example, when scanning PHP-based websites, this profile would search for files such as phpinfo.php, which contains all information about the PHP configuration of that server.

empty - This profile does not perform any tests. It may be used as a clean base when you want to create other profiles, and also when you want to perform a scan without any tests (i.e. just the standard checks performed by the crawler, such as broken links).

parameter_manipulation - This scanning profile launches all parameter manipulation attacks, for example SQL injection, XSS (cross-site scripting) and command execution.

text_search - The text search scanning profile scans files and filenames for remarks and text. These could contain sensitive information.

version_check - The version_check scanning profile determines the version of the web server (e.g. Apache) and of the different technologies in use (e.g. PHP, mod_ssl, etc.) and compares them to a list of vulnerable versions. If you have a version with known vulnerabilities, you will be advised to patch your web server.

blind_injection - This profile includes only the MultiRequest parameter manipulation section with the Blind SQL / XPath Injection tests.

ghdb - Only the GHDB will be checked. For a more granular selection of the GHDB tests, go to the configuration options.

18.20 Creating/Modifying Scan Profiles

To create a new scan profile:

Screenshot 171 - Creating a scanning profile

1. Go to the Configuration > Scanning Profiles node.
2. Click on the New Scanning Profile button at the top of the middle panel (to the right of the profile drop-down box).
3. Type a name for your new profile.
4. Select the scanning tests to be performed.
5. Click on the Save button to the right of the profile name.

To modify a profile, simply check/uncheck the tests (test modules) you want in an existing profile. Save the changes to the current profile or to a new profile by clicking the Save button.

158 19. Database Conversion Utility 19.1 Introduction The database structure of Acunetix WVS v5 is improved and optimized to retain a low file size and store results more efficiently. Since the database structure is different, earlier v4 databases cannot be used by v5. Acunetix provides this database conversion utility which extracts the data from a WVS v4 database and creates a new database with the WVS v5 structure with the same data extracted. The source and destination databases can be a mix of both MDB files and SQL Server schemas. This utility is designed for users of WVS v4 who wish to upgrade to WVS v5 while keeping the scan results already done with WVS v4. This utility was designed to make the upgrade transition quick and easy Obtaining the Database Conversion Utility To obtain the conversion tool you can visit the Acunetix website or contact support on support@acunetix.com Converting a Database 1. Launch the conversion utility by double-clicking on WVSv5DBConvert.exe file that you downloaded and click Next. Screenshot 172 Database Conversion Utility 2. Select the source WVS v4 database by pointing the conversion utility to the MDB file s location. You can click on the icon to browse for the file. 156 Database Conversion Utility Acunetix Web Vulnerability Scanner

159 Screenshot 173 Database Conversion Utility Source Selection MDB If the source database is stored on an SQL Server, change the database type to MS SQL Server and enter the required details and credentials to connect to the database. Screenshot 174 Database Conversion Utility Source Selection SQL Server Click on the Next button to proceed to the next step. 3. Leave the database type selection to MS Access if you want the destination database to be an MDB file. If you want to add the scan results from the source database to an already created MDB file with the WVS v5 structure, you can click on the icon to locate the MDB file. If you want to create a new MDB file with the new structure you can click on the icon to browse to a folder and specify the name of the new file which will hold the database containg the new structure. 157 Database Conversion Utility Database Conversion Utility 157

Screenshot 175: Database Conversion Utility Destination Selection (MDB)

If you wish to convert the data of the source database to an MS SQL Server, change the database type to MS SQL Server and enter the details and credentials required to connect to the database.

Screenshot 176: Database Conversion Utility Destination Selection (SQL Server)

Click on the Next button to proceed to the next step.

4. During this step the conversion utility processes all the scan results in the selected source and creates the scan results with the new structure in the selected destination. The number of scan results found in the source database and the progress of the conversion are shown during this step.

Screenshot 177: Database Conversion Utility Processing

The conversion may take a considerable amount of time on large WVS v4 databases. The time a conversion takes also depends on the hardware performing the operation: a faster processor will usually give a shorter conversion time.

5. At the end of the conversion process, a summary page shows the number of scan results converted and the time taken to process the data.

Screenshot 178: Database Conversion Utility Finished Summary

Clicking on the Finish button closes the conversion tool and completes the conversion process.


20. Vulnerability Editor

20.1 Introduction

Screenshot 179: The vulnerability editor

The Vulnerability Editor allows you to edit the database which contains the definitions of all the vulnerability tests that can be performed during an audit. You can create new vulnerabilities or edit existing ones. You can start the Vulnerability Editor from the Acunetix program group in the Start Menu or by clicking Tools > Vulnerability Editor on the menu within the Acunetix WVS user interface.

Be careful when editing the tests: they are core to Acunetix WVS, and mistakes can corrupt the Acunetix WVS installation.

All tests are organized into 6 main nodes, each node being the module that performs the actual audit tests. Below each node you can create Vulnerabilities and vulnerability parameters. Vulnerabilities are stored in a modified version of the VulnXML format, a web vulnerability standard defined by the OWASP group.

20.2 Acunetix WVS audit modules

Acunetix includes the following auditing modules:

Version Check - TM_Version_Check.dll
This module analyses the server banners to determine web server versions (e.g., Apache) and the technologies used (e.g., PHP, mod_ssl, etc.). The version is then compared to the database of vulnerable versions of that particular software. With the version check module you can create checks for more recent versions or for other types of software, so that a check can be made regardless of which vulnerable version is installed.

CGI Tester - TM_CGI_Tester.dll
The CGI tester module searches for common CGI scripts. It can also be used to determine both the presence of sensitive files on the web server (e.g., the Apache manual directory) and the methods allowed on the web server (e.g., GET, PUT, DELETE etc.). It is similar to a CGI scanner but with a configurable XML interface.

Parameter Manipulation - TM_parameter_manipulation.dll
This module tries to manipulate the inputs of a file (such as a server-side script) to test for common vulnerabilities, e.g. SQL injection, XSS (cross-site scripting) and command execution.

File Checks - TM_Backup_Files.dll
This module analyses "interesting" files within the web structure (e.g. files with input parameters and probable scripts) and tries to manipulate their names in the HTTP requests. For example, if WVS finds a file login.php, the module will look for files such as login.php.bak, login.bak, login.zip etc. You can add new file parameters and different extensions using the Vulnerability Editor.

Directory Checks - TM_Common_Files.dll
This module scans for common files left in directories of the site. It looks at the structure of the website and tries to request files and directories that should not be there. For example, a common file present on PHP-based websites is phpinfo.php, which displays information about the PHP configuration on that server.

Text Search - TM_Text_Search.dll
The text search looks for certain text within the files/filenames retrieved from the web server. It searches for remarks left by the web administrator, including username and password information.

20.3 Adding a Vulnerability Test

To add a new Vulnerability check:

1. Right-click on an existing module or Vulnerability and select Add Vulnerability.

Screenshot: New Group details

2. Specify the name of the Vulnerability, a short description and the name of the VulnXML file where the test parameters will be stored.

3. Specify whether the test is based on VulnXML or not:
Based on Default VulnXML - uses the default/built-in VulnXML test parameters.
Based on existing VulnXML - copies the test parameters from an existing VulnXML file.
No VulnXML is required - used if the test does not perform any HTTP requests but only specifies the condition which makes it successful. (E.g. tests in the Version Checks module only specify a VersionRegex parameter; the test is successful if the VersionRegex value matches the target web server banner.)

4. Click on the Add button to create the new Vulnerability.

Screenshot: Vulnerability Properties

5. Now click on the created Vulnerability to bring up its details in the Vulnerability properties page (the right-hand pane), which contains the Vulnerability Properties, Parameters and VulnXML sections. The properties are the ones you already set when creating the new vulnerability.

6. You can now set the following parameters in the Parameters section:
Affects - identifies the object which is affected by this test, for example a Web Server (if the vulnerability affects the web server), a file, or an object which is identified by the module (when set_by_module is specified). This parameter depends on the type of test being carried out. You can leave the Affects parameter at its default in most cases.
BindAlertToFile - set this to 1 to allow the test to add any newly discovered files to the crawler directory structure for use in future scans.

7. You can edit the test parameters in the VulnXML section of the dialog. This section is organized into 5 subsections, each represented by a tab and each described below:
Test Description tab - edit generic information.
References tab - specify links to additional information about the vulnerability.
ApplicableTo tab - specify for which operating systems, web servers or technologies you want this test to be performed.
Variables tab - create/edit variables to be used by the test.
Connection tab - specify what HTTP requests should be made, what response to look for and what defines success or failure of the test.

Editing the Vulnerability Description

In the Test Description tab you can edit generic information:
Name - The name of the vulnerability (e.g. it could be the same as the name given to the VulnXML file).
Version - Test version number.
Released - Date when this Test/Vulnerability was created (yyyy/mm/dd).
Updated - Date when this Test/Vulnerability was last updated (yyyy/mm/dd).
Protocol - Defines the protocol that this test uses for sending requests to a target during a scan (i.e. HTTP).
May Proxy - Defines whether this test may be performed through a proxy server. If Acunetix WVS is configured to use a proxy server, set this option to true to execute the test.
Affects - Defines which components of the target site structure will be tested.
Severity - Defines the vulnerability level of a target should this test fail (i.e. High severity indicates that if this test generates failures, the target being scanned has a severe vulnerability).
Alert - Defines whether the alert is triggered on success or failure of the test.
Description - Contains the description of what the test does.
Impact - Contains information on the effect that the vulnerability detected by this test has on your target site.
Recommendation - Contains information on what you should do to eliminate the vulnerability detected by this test.

Screenshot: References tab page

In the References tab you can specify links to additional information about the vulnerability (e.g. cause and related fix):
Link Title - Specify the heading/title of the article/information.
URL - Contains the URL.
You can add additional references by right-clicking and selecting Add reference.

Specifying When the Vulnerability Check is Applicable

Screenshot: Applicable to tab

In the ApplicableTo tab you can specify for which operating systems, web servers or technologies you want this test to be performed. The test will only be performed if all of the conditions are true.
Operating System - Defines the operating systems. You can choose Windows, Unix/Linux or all.
Web Server - Defines which web server types must be checked by this test, for example Apache, IIS etc.
Technology - Defines which technologies (e.g. ASP/PHP) must be checked by this test.
You can add additional conditions by right-clicking and selecting Add applicable to.

Specifying Test Variables

Screenshot: Variables page

In the Variables tab you can create/edit variables to be used by the test. The types of variable that you can create depend on which module is performing the test. For example, if you create a vulnerability check within the CGI Tester node, only the File variable is available. The following is a list of the variables that each module supports:

Version Check: no variables.

CGI Tester: no variables.

Parameter Manipulation:
file - the site file to be tested (e.g. /dir/a.asp).
test - specifies that the check should be performed for each parameter created under Vulnerability parameters.
combinations - contains all the combinations of parameter values, for example ?param1=${test}&param2=1,?param1=1&param2=${test}.
Path - the actual URL for the test, for example ${file}${combinations}.
post - same as combinations but for POST variables.
filename - same as file but without the path, only the filename, for example a.asp.

File Checks:
file - the site file to be tested (e.g. /dir/a.asp).
test - specifies that the check should be performed for each parameter created under Vulnerability parameters.
Path - the actual URL for the test, for example ${file}${test}.

Directory Checks:
file - the site file to be tested (e.g. /dir/a.asp).
test - specifies that the check should be performed for each parameter created under Vulnerability parameters.
Path - the actual URL for the test, for example ${directory}${test}.

Text Search: no variables.

Variables Explained

Defining the variables is the hardest part of creating a vulnerability check and is best explained using an example, such as a SQL injection check. Let's say we have a website with one file: /dir1/a.asp. For that file, we want to create HTTP requests that place a ' (single quote) and a 1 character in its parameters. We would set up this vulnerability check with these variables:
File: /dir1/a.asp
Test: ' (a single quote)

Combinations: ?param1=${test}&param2=1,?param1=1&param2=${test}
Path: ${file}${combinations}
Post: <empty>
Filename: a.asp

With these variables, the vulnerability will be executed with the following request: ${scheme}://${host}:${port}${path}
scheme, host and port are default variables that contain the values of the website currently being scanned, e.g. scheme=http, host=testwebsite.com, port=80.
path is defined as ${file}${combinations}, so it is evaluated as /dir1/a.asp${combinations}.
${combinations} is ?param1=${test}&param2=1 and ${test} is '.
So, in the end we will have 2 requests:
/dir1/a.asp?param1='&param2=1
/dir1/a.asp?param1=1&param2='

You can edit the existing variables or add new ones. To create a new variable, right-click on the Variables page and select Add Variable. To delete a user-created variable, right-click on the variable name and select Delete. Default module variables cannot be deleted.

Screenshot: Connection tab sub-tabs

In the Connection tab you can specify what HTTP requests should be made, what response to look for and what defines success or failure of the test. These parameters are set via the Connection, Request, Response and TestCriteria sub-tabs. It is usually not necessary to modify the Connection sub-tab, since the test automatically uses the scheme, hostname and port

of the active scan. However, you can choose to specify a custom connection scheme (HTTP/HTTPS), host name and port for the test.

Defining the Requests to be Made in the Test

Screenshot: Request sub-tab page

In the Request sub-tab you must specify the exact HTTP request to be made:
Message header - Method - define the HTTP request method, e.g. GET, POST, HEAD or PUT.
Message header - URI - define the destination of the request. The URI parameter is by default set to path, since this variable holds the value of the variables $file$test. This means that the path variable will be set to the various combinations of $file and $test according to the request and the target website being scanned.
Message header - Version - define the HTTP protocol version to be used for the request, e.g. HTTP/1.0 or HTTP/1.1.
Message body - Separator - specify the separator.
Message body - Text - specify the text for the body.

The URI is not necessarily a URL. For more information on the subject, please refer to

Analyzing the Response

Screenshot: Response sub-tab page

In the Response sub-tab you can edit/create the response variables that the test should look for:
Name - Variable name.
Type - Variable type.
Description - Variable description.
Source - Specify where to apply the regular expression (on the status code, the response headers or the response body).
Value - Specify the regular expression used to extract the variable value from the source.

Defining the Test Criteria/Conditions

Screenshot 188: Test Criteria sub-tab page

The last step is to define which conditions cause the success or failure of the test. You can add failure or success conditions: if a failure condition evaluates to true, the test fails; if a success condition evaluates to true, the test passes. You can create multiple success or failure conditions: if any of the failure conditions evaluates to true, independent of the other conditions, the test fails; if you add a success condition, that success condition must evaluate to true for the test to pass. You can use the equal, not equal, contains, not contains, lower than and greater than operators in a condition.

To create a new test criterion, right-click and select Add test criteria success to create a success condition or Add test criteria failure to create a failure condition.

After you have created the vulnerability, click on the Save button in the toolbar to save the test information. Now close Acunetix WVS, including the Vulnerability Editor, and launch it again to perform the test. You will need to enable the test first in one of the scanning profiles. You can do this from the Configuring > Scanning Profiles node.

20.4 Adding a Vulnerability Item

Vulnerability items are additional parameters which Vulnerabilities require during a scan. Vulnerability items are kept within the relevant Vulnerability and can be created as follows:

1. Right-click on the Vulnerability where you want to create the new Vulnerability parameter and select Add Vulnerability item.

Screenshot: Vulnerability parameter parameters

2. In the Item Properties, define the Name (i.e. the item name) and Value (e.g. a file name) that will be attributed to this parameter.

3. Click on the Save button in the toolbar at the top of the Vulnerability Editor window. This saves the new Vulnerability item, which will be referenced by the test variable.

20.5 Example: Creating a Test Which Searches for a Particular File

In this section we present a walk-through of the process of creating a new vulnerability check, in this case one looking for a file called passwords.txt.

Step 1: Creating a Vulnerability

Create a new Vulnerability. We will call it Look for Passwords.txt file.

Screenshot: Vulnerability Editor Modules

1. Launch the Vulnerability Editor from Acunetix WVS.

2. Since we are looking for a file in any of the site's directories, we will use the Directory Checks module. Click on the Directory Checks node, right-click and select Add vulnerability.

Screenshot: New group properties window

3. In the New vulnerability dialog, specify the following details:
Name: Look for a Passwords.txt file
Description: This test will scan the target site and look for a file called passwords.txt
VulnXML: Leave the default suggested filename
VulnXML support: Based on Default VulnXML
Click on the Add button to create the new Vulnerability. It will be listed under the Directory Checks node.

Step 2: Adding a Vulnerability Item

Now that we have created the test, we need to define the parameters of the test. This is done by creating a Vulnerability item. In this example, we need to create a Vulnerability parameter which contains the name of the file to be searched for (i.e. passwords.txt):

1. Right-click on the Look for Passwords.txt Vulnerability and select Add vulnerability item.

Screenshot: Creating an item

2. In the Item properties section, specify the following information:
Name: Password.txt
Value: /Passwords.txt

The web scanner will now look for a file called Passwords.txt in all the directories it finds. For example, assume that the crawler finds 2 directories, /secured and /, after scanning a target site. Based on the value of the ${path} variable (in the VulnXML file properties) and the corresponding Vulnerability parameter value, it will look for:
/passwords.txt
/secured/passwords.txt

3. Click on the Save button to save the new Vulnerability parameter.

Step 3: Configuring the Test Properties

Now we need to configure the test properties:

1. Click on the Look for the Passwords.txt Vulnerability.

2. In the Parameters section, leave Affects and BindAlertToFile at their defaults (i.e. set_by_module and 1 respectively).

Screenshot: Specifying the test description

3. In the VulnXML section, specify the following details for these fields in the Test Description tab:
Name: Look for Passwords.txt file
Affects: File
Severity: High
Alert: Success (i.e. an alert is generated if the file is found)
Description: Search for passwords.txt file

Impact: Contains sensitive information
Recommendation: Delete the file

4. Optionally, in the References tab, specify any references on the web to the vulnerability:
Database: Link title
URL: Full URL to the reference

5. In the Applicable To tab, leave the settings at their defaults, since checking for the file is independent of the web server, operating system or technology used.

6. In the Variables tab specify the variables of the test. The Directory Checks module makes use of three variables called File, Test and Path. The File variable value is automatically set by the scanner for every directory it finds. The Test variable is retrieved from the Vulnerability parameter created previously. In our example, the Test variable will contain /Passwords.txt, which is the value specified when adding the new Vulnerability parameter (i.e. in our example the Vulnerability parameter is called The Pword file to be searched and is the sub-node that we added to the Look for passwords.txt file Vulnerability). The Path variable value is set by combining the values of $file$test as explained above. However, since we have already created the vulnerability item which is referenced by the Test variable, there is no need to make any changes in this dialog.

7. In the Connection tab specify the HTTP requests that this test will make and the success/fail criteria. Since there is no need to make any specific HTTP requests in this example, leave the values of the Connection tab at their defaults.

Step 4: Save the Test and Re-Launch Acunetix WVS

8. Click on the Save button to save the Vulnerability check, then close the Vulnerability Editor as well as Acunetix WVS.

Screenshot: Scanning Profiles (the arrow shows the new Vulnerability that has been added)

9. Launch Acunetix WVS again and check that the new Vulnerability has been added to the scanning profiles by clicking on Scanning Profiles in the Configuration node.

10. Tick the box to the left of the new test to enable it for the next scan. Click on the Web Scanner node, specify a target and start a scan so that you can check the new test.

11. If the test identifies the file, it will be displayed in the Alerts node during a scan.
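As an added example (not Acunetix code), the following Python models the three mechanisms described in this chapter: the expansion of ${file}${combinations} into the two single-quote requests of the Variables Explained section, the Directory Checks expansion of ${directory}${test} for the passwords.txt walk-through, and the TestCriteria rule for success and failure conditions. The lower-case variable names, the assumption that ${directory} carries no trailing slash, the response-variable definitions and the sample responses are all constructed for the example.

```python
import re

# Added example, not Acunetix code: a small model of how the Vulnerability
# Editor's variables expand into request paths and how the TestCriteria decide
# whether a test passes. Variable names are lower-cased here; "combinations"
# is a comma-separated list of alternatives, exactly as shown in the manual.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def expand(template, variables):
    """Substitute ${name} placeholders repeatedly (combinations may contain ${test})."""
    for _ in range(10):  # bounded, so a self-referencing variable cannot loop forever
        new = PLACEHOLDER.sub(lambda m: variables.get(m.group(1), m.group(0)), template)
        if new == template:
            return new
        template = new
    return template


def build_requests(variables):
    """Parameter Manipulation: one request path per alternative in 'combinations'."""
    alternatives = variables.get("combinations", "").split(",")
    return [expand(variables["path"], dict(variables, combinations=alt)) for alt in alternatives]


def directory_check_requests(directories, item_value):
    """Directory Checks: ${directory} is set per crawled directory (assumed here to
    carry no trailing slash) and ${test} is the vulnerability item's value."""
    return [expand("${directory}${test}", {"directory": d, "test": item_value}) for d in directories]


def extract_response_variables(response, definitions):
    """Response sub-tab: each (name, source, regex) pulls a value from the status
    code, the headers or the body; group 1 is used when the regex has one."""
    sources = {"status": str(response["status"]), "headers": response["headers"], "body": response["body"]}
    values = {}
    for name, source, regex in definitions:
        match = re.search(regex, sources[source])
        values[name] = "" if match is None else (match.group(1) if match.groups() else match.group(0))
    return values


def _num(text):
    try:
        return float(text)
    except ValueError:
        return float("nan")  # comparisons with NaN are always False


OPERATORS = {
    "equal": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "not contains": lambda a, b: b not in a,
    "lower than": lambda a, b: _num(a) < _num(b),
    "greater than": lambda a, b: _num(a) > _num(b),
}


def evaluate_test(criteria, values):
    """The manual's rule: any failure condition that is true fails the test; otherwise
    every success condition must be true. criteria: (kind, variable, operator, value)."""
    for kind, var, op, expected in criteria:
        if kind == "failure" and OPERATORS[op](values.get(var, ""), expected):
            return False
    return all(OPERATORS[op](values.get(var, ""), expected)
               for kind, var, op, expected in criteria if kind == "success")


# The SQL injection example from the Variables Explained section.
SQLI_VARIABLES = {
    "file": "/dir1/a.asp", "test": "'", "post": "", "filename": "a.asp",
    "combinations": "?param1=${test}&param2=1,?param1=1&param2=${test}",
    "path": "${file}${combinations}",
}

# The passwords.txt walk-through, with a failure condition added so that a custom
# 404 page that answers 200 does not produce a false alert (constructed criteria).
PASSWORDS_TXT_DEFINITIONS = [("status_code", "status", r"\d+"), ("body", "body", r"(?s).*")]
PASSWORDS_TXT_CRITERIA = [
    ("success", "status_code", "equal", "200"),
    ("failure", "body", "contains", "Page not found"),
]
# Constructed sample responses: a real hit, and a custom 404 page returning 200.
SAMPLE_HIT = {"status": 200, "headers": "Content-Type: text/plain", "body": "alice:changeme"}
SAMPLE_CUSTOM_404 = {"status": 200, "headers": "Content-Type: text/html", "body": "<h1>Page not found</h1>"}


def passwords_txt_check(response):
    """Run the walk-through's test against one constructed response."""
    values = extract_response_variables(response, PASSWORDS_TXT_DEFINITIONS)
    return evaluate_test(PASSWORDS_TXT_CRITERIA, values)


if __name__ == "__main__":
    print(build_requests(SQLI_VARIABLES))
    print(directory_check_requests(["", "/secured"], "/Passwords.txt"))
    print(passwords_txt_check(SAMPLE_HIT), passwords_txt_check(SAMPLE_CUSTOM_404))
```

The second sample shows why a success condition on the status code alone is not enough: a site with a custom 404 page that answers 200 (see the custom error page step of the scan wizard) would trigger the alert for every directory unless a failure condition on the body rules it out.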

21. WVS File Types

21.1 WVS Tools File Types

The following are the various file types which Acunetix generates, and the tools which use them:
WVS - The results file saved from the Web Scanner
WSS - The results file saved from the Web Services Scanner
CWL - The directory structure saved from the Site Crawler
PRE - The Prepared Reports file generated by the Reporter
SLG - The log file saved from the HTTP Sniffer
FZS - The Session file saved from the HTTP Fuzzer
CSV - The files used to store the logging data of requests and responses sent during a scan

21.2 WVS Export File Types

The following are the files which are exported from Acunetix WVS and its tools:
PDF - Reporter files may be exported as Portable Document Format files
PRN - Reporter files may be exported in Portable Dot-Matrix Printer Format
HTML - Reporter files may be exported as Hypertext Markup Language files
RTF - Reporter files may be exported in MS Word format
BMP - Reporter files may be exported as Bitmap files
AVDL - Web Scanner results may be exported as Application Vulnerability Description Language files
XML - Web Scanner results may be exported as Extensible Markup Language files

22. Troubleshooting

22.1 Introduction

The troubleshooting guide explains how to go about resolving issues that may arise. The main sources of information available to users are:
The Manual - most issues can be solved by reading the manual.
Support - Contact the Acunetix support department by e-mail at support@acunetix.com.
The Acunetix Support Center

22.2 Request Support Via E-mail

If you have problems that you cannot resolve, please contact the Acunetix support department. The best way to do this is via e-mail, since you can include vital information that enables us to solve your issues more quickly. The Troubleshooter included in the program group automatically generates a number of files needed for Acunetix to provide technical support. These files include the configuration settings etc. To generate these files, start the Troubleshooter and follow the instructions in the application. In addition to collecting all the information, the Troubleshooter will also ask you several questions. Answer these questions accurately, as without proper information it will not be possible to diagnose your problem. Then go to the support directory, located under the main program directory, ZIP the files and send the generated files to support@acunetix.com. We will answer your query within 24 hours or less, depending on your time zone, and strive to resolve the issue as quickly as possible.

22.3 Support Center

The Acunetix Support Center contains a knowledge base of articles on the most common problems experienced by Acunetix WVS customers. From the Support Center you can also open a support ticket, the status of which can be tracked online.

Screenshot 196: The Acunetix Support Center Website


More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1 Users Help Manual Lepide Event Log Manager Lepide Software Private Limited. Page 1 Users Help Manual for Lepide Event Log Manager Lepide Software Private Limited, All Rights Reserved This User Guide and

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies,

More information

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015 QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Migrating helpdesk to a new server

Migrating helpdesk to a new server Migrating helpdesk to a new server Table of Contents 1. Helpdesk Migration... 2 Configure Virtual Web on IIS 6 Windows 2003 Server:... 2 Role Services required on IIS 7 Windows 2008 / 2012 Server:... 2

More information

Migrating TimeForce To A New Server

Migrating TimeForce To A New Server Rev. 4/28/14 Migrating TimeForce To A New Server Table of Contents 1. Installation Prerequisites... 2 Required... 2 Recommended... 3 2. Update to a Migration Compatible Version... 3 Determine the Database

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

End User Guide The guide for email/ftp account owner

End User Guide The guide for email/ftp account owner End User Guide The guide for email/ftp account owner ServerDirector Version 3.7 Table Of Contents Introduction...1 Logging In...1 Logging Out...3 Installing SSL License...3 System Requirements...4 Navigating...4

More information

HP WebInspect Tutorial

HP WebInspect Tutorial HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

Desktop Surveillance Help

Desktop Surveillance Help Desktop Surveillance Help Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating from Desktop Surveillance 2.6 to Desktop Surveillance 3.2... 13 Program Structure... 14 Getting

More information

Installation and Deployment

Installation and Deployment Installation and Deployment Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc. Installation and Deployment SmarterStats

More information

User Manual. 3CX VOIP client / Soft phone Version 6.0

User Manual. 3CX VOIP client / Soft phone Version 6.0 User Manual 3CX VOIP client / Soft phone Version 6.0 Copyright 2006-2008, 3CX ltd. http:// E-mail: info@3cx.com Information in this document is subject to change without notice. Companies names and data

More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual

2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual 2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual 2X VirtualDesktopServer Contents 1 2X VirtualDesktopServer Contents 2 URL: www.2x.com E-mail: info@2x.com Information in this document

More information

Administrators Help Manual

Administrators Help Manual Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service

More information

Vector Asset Management User Manual

Vector Asset Management User Manual Vector Asset Management User Manual This manual describes how to set up Vector Asset Management 6.0. It describes how to use the: Vector AM Console Vector AM Client Hardware Inventory Software Inventory

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2 HYPERION SYSTEM 9 MASTER DATA MANAGEMENT RELEASE 9.2 N-TIER INSTALLATION GUIDE P/N: DM90192000 Copyright 2005-2006 Hyperion Solutions Corporation. All rights reserved. Hyperion, the Hyperion logo, and

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip Load testing with WAPT: Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. A brief insight is provided

More information

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces

More information

ilaw Installation Procedure

ilaw Installation Procedure ilaw Installation Procedure This guide will provide a reference for a full installation of ilaw Case Management Software. Contents ilaw Overview How ilaw works Installing ilaw Server on a PC Installing

More information

MadCap Software. Upgrading Guide. Pulse

MadCap Software. Upgrading Guide. Pulse MadCap Software Upgrading Guide Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished

More information

Virtual CD v10. Network Management Server Manual. H+H Software GmbH

Virtual CD v10. Network Management Server Manual. H+H Software GmbH Virtual CD v10 Network Management Server Manual H+H Software GmbH Table of Contents Table of Contents Introduction 1 Legal Notices... 2 What Virtual CD NMS can do for you... 3 New Features in Virtual

More information

SysPatrol - Server Security Monitor

SysPatrol - Server Security Monitor SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or

More information

SAS Business Data Network 3.1

SAS Business Data Network 3.1 SAS Business Data Network 3.1 User s Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2014. SAS Business Data Network 3.1: User's Guide. Cary,

More information

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008 BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008 BUILDER 3.0 1 Table of Contents Chapter 1: Installation Overview... 3 Introduction... 3 Minimum Requirements...

More information

Sage HRMS 2014 Sage Employee Self Service

Sage HRMS 2014 Sage Employee Self Service Sage HRMS 2014 Sage Employee Self Service Pre-Installation Guide October 2013 This is a publication of Sage Software, Inc. Document version: October 17, 2013 Copyright 2013. Sage Software, Inc. All rights

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

MGC WebCommander Web Server Manager

MGC WebCommander Web Server Manager MGC WebCommander Web Server Manager Installation and Configuration Guide Version 8.0 Copyright 2006 Polycom, Inc. All Rights Reserved Catalog No. DOC2138B Version 8.0 Proprietary and Confidential The information

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

BusinessObjects Enterprise InfoView User's Guide

BusinessObjects Enterprise InfoView User's Guide BusinessObjects Enterprise InfoView User's Guide BusinessObjects Enterprise XI 3.1 Copyright 2009 SAP BusinessObjects. All rights reserved. SAP BusinessObjects and its logos, BusinessObjects, Crystal Reports,

More information

Apache Server Implementation Guide

Apache Server Implementation Guide Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042

More information

Advanced Event Viewer Manual

Advanced Event Viewer Manual Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

How To Backup Your Computer With A Remote Drive Client On A Pc Or Macbook Or Macintosh (For Macintosh) On A Macbook (For Pc Or Ipa) On An Uniden (For Ipa Or Mac Macbook) On

How To Backup Your Computer With A Remote Drive Client On A Pc Or Macbook Or Macintosh (For Macintosh) On A Macbook (For Pc Or Ipa) On An Uniden (For Ipa Or Mac Macbook) On Remote Drive PC Client software User Guide -Page 1 of 27- PRIVACY, SECURITY AND PROPRIETARY RIGHTS NOTICE: The Remote Drive PC Client software is third party software that you can use to upload your files

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Load testing with. WAPT Cloud. Quick Start Guide

Load testing with. WAPT Cloud. Quick Start Guide Load testing with WAPT Cloud Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. 2007-2015 SoftLogica

More information

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc. nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances The information contained in this document represents the current view of Microsoft Corporation on the issues discussed

More information

GFI Product Manual. ReportPack Manual

GFI Product Manual. ReportPack Manual GFI Product Manual ReportPack Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of

More information

Getting Started - The Control Panel

Getting Started - The Control Panel Table of Contents 1. Getting Started - the Control Panel Login Navigation Bar Domain Limits Domain User Account Properties Session Management 2. FTP Management Creating and Editing Users Accessing FTP

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Aspera Connect User Guide

Aspera Connect User Guide Aspera Connect User Guide Windows XP/2003/Vista/2008/7 Browser: Firefox 2+, IE 6+ Version 2.3.1 Chapter 1 Chapter 2 Introduction Setting Up 2.1 Installation 2.2 Configure the Network Environment 2.3 Connect

More information

PerleVIEW Device Management System User s Guide

PerleVIEW Device Management System User s Guide PerleVIEW Device Management System User s Guide Version 1.2 Part #5500320-12 May 2013 PerleVIEW V1.2 Copyright Statement This document must not be reproduced in any way whatsoever, either printed or electronically,

More information

User Guide for Paros v2.x

User Guide for Paros v2.x Table of Contents 1 Introduction...1 1.1 Paros Overview...1 1.2 History...1 2 Copyright...2 3 Installation...3 4 Configuration...4 5 Functions...6 5.1 Spider...6 5.2 Scanner...6 5.3 Filter...7 5.4 Trapping

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Installation Instruction STATISTICA Enterprise Server

Installation Instruction STATISTICA Enterprise Server Installation Instruction STATISTICA Enterprise Server Notes: ❶ The installation of STATISTICA Enterprise Server entails two parts: a) a server installation, and b) workstation installations on each of

More information

Personal Call Manager User Guide. BCM Business Communications Manager

Personal Call Manager User Guide. BCM Business Communications Manager Personal Call Manager User Guide BCM Business Communications Manager Document Status: Standard Document Version: 04.01 Document Number: NN40010-104 Date: August 2008 Copyright Nortel Networks 2005 2008

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Ajera 7 Installation Guide

Ajera 7 Installation Guide Ajera 7 Installation Guide Ajera 7 Installation Guide NOTICE This documentation and the Axium software programs may only be used in accordance with the accompanying Axium Software License and Services

More information

2X SecureRemoteDesktop. Version 1.1

2X SecureRemoteDesktop. Version 1.1 2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

NETWRIX USER ACTIVITY VIDEO REPORTER

NETWRIX USER ACTIVITY VIDEO REPORTER NETWRIX USER ACTIVITY VIDEO REPORTER ADMINISTRATOR S GUIDE Product Version: 1.0 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

SINGLE SIGN-ON FOR MTWEB

SINGLE SIGN-ON FOR MTWEB SINGLE SIGN-ON FOR MTWEB FOR MASSTRANSIT ENTERPRISE WINDOWS SERVERS WITH DIRECTORY SERVICES INTEGRATION Group Logic, Inc. November 26, 2008 Version 1.1 CONTENTS Revision History...3 Feature Highlights...4

More information

Crystal Reports Installation Guide

Crystal Reports Installation Guide Crystal Reports Installation Guide Version XI Infor Global Solutions, Inc. Copyright 2006 Infor IP Holdings C.V. and/or its affiliates or licensors. All rights reserved. The Infor word and design marks

More information

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0 Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

v6.1 Websense Enterprise Reporting Administrator s Guide

v6.1 Websense Enterprise Reporting Administrator s Guide v6.1 Websense Enterprise Reporting Administrator s Guide Websense Enterprise Reporting Administrator s Guide 1996 2005, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121,

More information

Vector HelpDesk - Administrator s Guide

Vector HelpDesk - Administrator s Guide Vector HelpDesk - Administrator s Guide Vector HelpDesk - Administrator s Guide Configuring and Maintaining Vector HelpDesk version 5.6 Vector HelpDesk - Administrator s Guide Copyright Vector Networks

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

TAC Vista. Vista FM. Installation Manual. TAC Pangaea WorkStation

TAC Vista. Vista FM. Installation Manual. TAC Pangaea WorkStation TAC Vista TAC Pangaea WorkStation Vista FM Installation Manual TAC Vista Vista FM Installation Manual Copyright 2006-2010 Schneider Electric Buildings AB. All rights reserved. This document, as well as

More information

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide. Product version: 3.6 Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies,

More information

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious

More information

How To Install An Aneka Cloud On A Windows 7 Computer (For Free)

How To Install An Aneka Cloud On A Windows 7 Computer (For Free) MANJRASOFT PTY LTD Aneka 3.0 Manjrasoft 5/13/2013 This document describes in detail the steps involved in installing and configuring an Aneka Cloud. It covers the prerequisites for the installation, the

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information