Acunetix Web Vulnerability Scanner 5 Review
After the LANguard NSS 8 review, I thought I should repeat the experience of testing an industry-grade vulnerability scanner (enterprise edition, of course): the brand new Acunetix Web Vulnerability Scanner v5.
Note: This is not a sponsored review.
So I presented my plan to Tamara Borg @ Acunetix and she was kind enough to provide me with an enterprise edition license of Acunetix WVS 5. Sweet. I’m glad I tested this software, as it was a nice surprise to see all the features you would expect from a web application security scanner packed into an easy-to-use, sharply designed application.
For my tests I used a VMware install of PACMS: Personal AJAX CMS (heavy JavaScript usage), because I was really curious about the new JavaScript interpreter deployed in Acunetix 5.
The Scan
So without further ado, I fired up Acunetix WVS and began to work on my assessment. There is a scanning wizard available in case you want a canned scan, or you can take matters into your own hands and define the targets and the scanning profile yourself. You can choose one of the predefined scanning profiles (CGI tester, parameter manipulation (XSS, SQL, CRLF, etc.), file checks, known web applications, etc.) or you can define your own profile.
I chose the default profile, and 40 minutes and 37,616 HTTP requests later the scan was finished and the results were ready for analysis. It’s worth noting that during a scan you can manually verify any vulnerability using a built-in HTTP Editor. Although the scan results are automatically saved in a database (SQL Server or MS Access), you can also save the whole scan session for further investigation. Pretty handy for short on-site assessments when you want to grab as much data as possible for further crunching later.
The Reports
Acunetix WVS provides a separate report generator, and it’s very easy to generate a report based on any scan stored in the database. You can customize the report with your own logo and captions, as well as choose which information to include in the report. I preferred to use the default template and chose to generate 3 reports for my assessment, all of them available as PDF for download.
The Custom Vulnerability Checks
Acunetix WVS offers the option to define custom checks, which are merged into the main body of vulnerabilities, and one can easily integrate these checks into the scanning profiles. A very useful feature for internal QA assessments, I must say.
The Tools
Undoubtedly, automatic scanning does a great job at discovering application vulnerabilities such as Cross Site Scripting, SQL injection, CSRF and XPath injection. However, manual security analysis requires powerful additional tools, and Acunetix WVS provides the penetration tester with a well-structured collection of such tools (a.k.a. the web security Swiss Army knife).
The Extras
As if that wasn’t enough, here are just a few features that truly make Acunetix WVS 5 stand out from the crowd:
- Command line support – good for scripting and automated tasks.
- Scanning Scheduler – define the scan once, schedule it and forget about it; you can always run differential reports later to check the status of vulnerabilities.
- JavaScript / AJAX Support – Client Script Analyzer (CSA): parsing JavaScript is so yesterday; welcome to Document Object Model (DOM) real-time reconstruction.
- WebService Support – got WSDL?
- Flash Files Support – what’s behind that flashy animation?
- Google Hacking Database Support – find out what Google might reveal about your site, because you don’t want to be known as a googledork!
The Conclusion
Acunetix Web Vulnerability Scanner 5 is definitely a most valuable ally in the battle against web security risks. This versatile software has successfully tackled the 80 / 20 problem of advanced software applications: it delivers good value for the money even if you use just 20 percent of its features, whereas in the hands of a web application security professional it reveals the 80 percent reserve of raw power.
I love it!
Download Acunetix WVS 5 and use it for the full 100 percent!
This entry was posted on Thursday, June 21st, 2007.
October 22nd, 2007 04:34
Version 5.0 sucks. Locked features.
What’s the point if you can’t try before buying it?
November 7th, 2007 12:14
Yeah, that’s right, that’s the reason I prefer Maui Security Scanner (http://www.elanize.com).
March 12th, 2008 04:33
I have checked Beyond Security Vulnerability Scanner and was impressed.
It is very easy to use, has a very friendly interface, and I have a feeling that it tests for many more vulnerabilities. In any case, new vulnerabilities are discovered every day, and the best company is the one that is up to date.
February 17th, 2009 07:33
Attackers are well aware of the valuable information accessible through Web applications, and their attempts to get at it are often unwittingly assisted by several important factors. Conscientious organizations carefully protect their perimeters with intrusion detection systems and firewalls, but these firewalls must keep ports 80 and 443 (SSL) open to conduct online business. These ports represent open doors to attackers, who have figured out thousands of ways to penetrate Web applications.

The standard security measures for protecting network traffic, network firewalls and Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), do not offer a solution to application-level threats. Network firewalls are designed to secure the internal network perimeter, leaving organizations vulnerable to various application attacks. Intrusion Prevention and Detection Systems (IDS/IPS) do not provide thorough analysis of packet contents. Applications without an added layer of protection increase the risk of harmful attacks and extreme vulnerabilities.

Web application level attacks are the Achilles’ heel. In the past, security breaches occurred at the network level of the corporate systems. Today, hackers are manipulating web applications inside the corporate firewall. This entry enables them to access sensitive corporate and customer data. An experienced hacker can break into most commercial websites with even the smallest hole in a company’s website application code. These sophisticated attacks have become increasingly threatening to organizations.

I recommend a service called GamaSec (http://www.gamasec.com), a remote online web vulnerability-assessment service that tests web servers, web-interfaced systems and web-based applications against thousands of known vulnerabilities with dynamic testing, and by simulating web-application attacks during online scanning. The service identifies security vulnerabilities and produces recommended solutions that can fix, or provide a viable workaround to, the identified vulnerabilities.

A vulnerability scanner performs an automated search for security weaknesses in web applications and their services and reports in detail on possible vulnerabilities and probable defenses or ways to prevent them.
February 17th, 2009 08:17
@didier
Thanks for your comment, even though it sounds like a commercial presentation of GamaSec services.
I will apply for a free GamaSec trial and I will post the results of my assessment.
May 21st, 2009 05:41
@Dragos
Try Powerfuzzer (http://www.powerfuzzer.com) as well. I had very good results with the Online scanning service.
May 26th, 2009 11:02
Thanks! I will definitely try powerfuzzer.com.