Acunetix Web Vulnerability Scanner 5 Review

After the LANguard NSS 8 review, I thought I should repeat the experience of testing an industry-grade vulnerability scanner, enterprise edition of course: the brand new Acunetix Web Vulnerability Scanner v5.

Note: This is not a sponsored review.


So I presented my plan to Tamara Borg @ Acunetix and she was kind enough to provide me with an enterprise edition license of Acunetix WVS 5. Sweet. I’m glad I tested this software, as it was a nice surprise to see all the features you would expect from a web application security scanner packed into an easy-to-use, sharply designed application.

For my tests I used a VMware install of PACMS: Personal AJAX CMS (heavy JavaScript usage), because I was really curious about the new JavaScript interpreter deployed in Acunetix 5.

The Scan
So without further ado, I fired up Acunetix WVS and began to work on my assessment. There is a scanning wizard available in case you want a canned scan, or you can take matters into your own hands and define the targets and the scanning profile. You can choose one of the predefined scanning profiles (CGI tester, parameter manipulation (XSS, SQL, CRLF, etc.), file checks, known web applications, etc.) or you can define your own profile.

I chose the default profile, and 40 minutes and 37,616 HTTP requests later the scan was finished and the results were ready for analysis. It’s worth noting that during a scan you can manually verify any vulnerability using the built-in HTTP Editor. Besides the scan results, which are automatically saved in a database (SQL Server or MS Access), you can save the whole scan session for further investigation. Pretty handy for short on-site assessments when you want to grab as much data as possible for later crunching.

The Reports
Acunetix WVS provides a separate report generator, and it’s very easy to generate a report based on any scan stored in the database. You can customize the report with your own logo and captions, as well as choose which information to include. I preferred to use the default template and chose to generate 3 reports for my assessment, all of them available as PDF for download.

The Custom Vulnerability Checks
Acunetix WVS offers the option to define custom checks, which are merged into the main body of vulnerabilities, and one can easily integrate these checks into the scanning profiles. A very useful feature for internal QA assessments, I must say.

The Tools
Undoubtedly, automatic scanning does a great job at discovering application vulnerabilities such as Cross-Site Scripting, SQL injection, CSRF and XPath injection. However, manual security analysis requires powerful additional tools, and Acunetix WVS provides the penetration tester with a well-structured collection of such tools (a.k.a. the web security Swiss army knife):

  • Site Crawler
  • Target Finder
  • Subdomain Scanner
  • HTTP Editor
  • HTTP Sniffer
  • HTTP Fuzzer
  • Authentication Tester

The Extras
As if that wasn’t enough, here are just a few features that truly make Acunetix WVS 5 stand out from the crowd:

  • Command line support – good for scripting and automated tasks
  • Scanning Scheduler – define the scan once, schedule it and forget about it; you can always run differential reports later to check the status of vulnerabilities.
  • JavaScript / AJAX Support – Client Script Analyzer (CSA): parsing JavaScript is so yesterday; welcome to real-time Document Object Model (DOM) reconstruction.
  • Web Service Support – got WSDL?
  • Flash Files Support – what’s behind that flashy animation?
  • Google Hacking Database Support – find out what Google might reveal about your site, because you don’t want to be known as a googledork!
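The differential reports mentioned under the Scanning Scheduler come down to a set comparison between two scan runs: which findings are new, which have been fixed, which persist, and which merely changed severity. As an added illustration (not part of the original post and not Acunetix’s own code or export format), here is a small Python script that does that comparison on a constructed record format and flags regressions, which is the pass/fail condition you would want a scheduled scan job to report on:

```python
"""Differential report between two web-vulnerability scan runs.

Added example; the Finding record and the sample data below are
constructed for this illustration and are not the Acunetix export format.
"""
from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    vuln_type: str   # e.g. "Cross Site Scripting"
    url: str         # affected URL path
    parameter: str   # affected parameter, "" when not applicable
    severity: str    # one of SEVERITY_RANK

    def key(self):
        # Identity of a finding across scans. Severity is deliberately left
        # out so that a re-rated finding is matched, not reported as new+fixed.
        return (self.vuln_type.lower(), self.url.lower(), self.parameter.lower())


def differential(baseline: Iterable[Finding], current: Iterable[Finding]) -> dict:
    """Classify findings as new, fixed, persistent or re-rated."""
    base = {f.key(): f for f in baseline}
    curr = {f.key(): f for f in current}
    shared = sorted(base.keys() & curr.keys())
    return {
        "new": [curr[k] for k in sorted(curr.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - curr.keys())],
        "persistent": [curr[k] for k in shared],
        "rerated": [(base[k], curr[k]) for k in shared
                    if base[k].severity != curr[k].severity],
    }


def has_regression(diff: dict, threshold: str = "high") -> bool:
    """True when any *new* finding is at or above the severity threshold.

    Only new findings count: a persistent high is already known and tracked.
    """
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f.severity] >= limit for f in diff["new"])


def report(diff: dict) -> str:
    """Render the differential as plain text, one section per status."""
    lines = []
    for status in ("new", "fixed", "persistent"):
        lines.append(f"{status.upper()} ({len(diff[status])})")
        for f in diff[status]:
            lines.append(f"  [{f.severity}] {f.vuln_type} at {f.url} param={f.parameter or '-'}")
    for old, new in diff["rerated"]:
        lines.append(f"RE-RATED {old.vuln_type} at {old.url}: {old.severity} -> {new.severity}")
    return "\n".join(lines)


# Constructed sample data: last week's scan (baseline) and today's scan (current).
BASELINE = [
    Finding("Cross Site Scripting", "/search.php", "q", "high"),
    Finding("SQL Injection", "/login.php", "user", "high"),
    Finding("Directory Listing", "/backup/", "", "low"),
]
CURRENT = [
    Finding("Cross Site Scripting", "/search.php", "q", "medium"),  # re-rated
    Finding("Directory Listing", "/backup/", "", "low"),            # persistent
    Finding("CRLF Injection", "/redirect.php", "url", "medium"),    # new
]


if __name__ == "__main__":
    d = differential(BASELINE, CURRENT)
    print(report(d))
    # Non-zero exit lets a scheduler or CI job notice a new high-severity finding.
    raise SystemExit(1 if has_regression(d, "high") else 0)
```

The matching key intentionally ignores severity, otherwise a finding that was merely re-rated between runs would show up as one fixed and one new issue and the trend would be misleading. The exit status is keyed to new findings only, since a persistent high should already be in the tracker from the earlier run.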

The Conclusion
Acunetix Web Vulnerability Scanner 5 is definitely a most valuable ally in the battle against web security risks. This versatile software has successfully tackled the 80/20 problem of advanced software applications: it delivers good value for the money even if you use just 20 percent of its features, whereas in the hands of a web application security professional it reveals the remaining 80 percent of raw power.

I love it !

Download Acunetix WVS 5 and use it for the full 100 percent!




7 Responses to “Acunetix Web Vulnerability Scanner 5 Review”

  • 1
    anonymous
    October 22nd, 2007 04:34

    Version 5.0 sucks. Locked features.
    What’s the point if you can’t try before buying it?

  • 2
    Steve
    November 7th, 2007 12:14

    Yeah that’s right, that’s the reason I prefer Maui Security Scanner (http://www.elanize.com).

  • 3
    vulnerability scanner
    March 12th, 2008 04:33

    I have checked Beyond Security Vulnerability Scanner and was impressed.
    It is very easy to use, very friendly interface, and I have a feeling that it has many more vulnerabilities tested. In any case, new vulnerabilities are discovered every day, and the best company is the one that is up to date.

  • 4
    didier
    February 17th, 2009 07:33

    Attackers are well-aware of the valuable information accessible through Web applications, and their attempts to get at it are often unwittingly assisted by several important factors. Conscientious organizations carefully protect their perimeters with intrusion detection systems and firewalls, but these firewalls must keep ports 80 and 443 (SSL) open to conduct online business. These ports represent open doors to attackers, who have figured out thousands of ways to penetrate Web applications.

    The standard security measures for protecting network traffic, network firewalls and Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), do not offer a solution to application level threats. Network firewalls are designed to secure the internal network perimeter, leaving organizations vulnerable to various application attacks. Intrusion Prevention and Detection Systems (IDS/IPS) do not provide thorough analysis of packet contents. Applications without an added layer of protection increase the risk of harmful attacks and extreme vulnerabilities.

    Web Application Level Attacks are the Achilles’ heel. In the past, security breaches occurred at the network level of the corporate systems. Today, hackers are manipulating web applications inside the corporate firewall. This entry enables them to access sensitive corporate and customer data. An experienced hacker can break into most commercial websites with even the smallest hole in a company’s website application code. These sophisticated attacks have become increasingly threatening to organizations.

    I recommend a service called GamaSec (http://www.gamasec.com), a remote online web vulnerability-assessment service that tests web servers, web-interfaced systems and web-based applications against thousands of known vulnerabilities with dynamic testing, and by simulating web-application attacks during online scanning. The service identifies security vulnerabilities and produces recommended solutions that can fix, or provide a viable workaround to, the identified vulnerabilities.

    http://www.gamasec.com

    A vulnerability scanner does an automated search for security weaknesses in web applications and their services and reports in detail on possible vulnerabilities and probable defenses or ways to prevent them.

  • 5
    Dragos Lungu
    February 17th, 2009 08:17

    @didier

    Thanks for your comment, even though it sounds like a commercial presentation of Gamasec services 🙂 I will apply for a free Gamasec trial and I will post the results of my assessment.

  • 6
    M
    May 21st, 2009 05:41

    @Dragos

    Try Powerfuzzer (http://www.powerfuzzer.com) as well. I had very good results with the Online scanning service.

  • 7
    Dragos Lungu
    May 26th, 2009 11:02

    Thanks! I will definitely try powerfuzzer.com

