Acunetix Web Vulnerability Scanner 5 Review

After the LANguard NSS 8 review, I thought I should repeat the experience of testing an industry-grade vulnerability scanner, enterprise edition, of course: the brand new Acunetix Web Vulnerability Scanner v.5.

Note: This is not a sponsored review.


So I presented my plan to Tamara Borg @ Acunetix and she was kind enough to provide me an enterprise edition license of Acunetix WVS 5. Sweet. I’m glad I tested this software, as it was a nice surprise to see all the features you would expect from a web application security scanner packed in an easy-to-use, sharply designed application.

For my tests I used a VMware install of PACMS: Personal AJAX CMS (heavy JavaScript usage) because I was really curious about the new JavaScript interpreter deployed in Acunetix 5.

The Scan
So without further ado, I fired up Acunetix WVS and began to work on my assessment. There is a scanning wizard available in case you want a canned scan, or you could take matters into your own hands and define the targets and the scanning profile. You can choose one of the predefined scanning profiles: CGI tester, parameter manipulation (XSS, SQL, CRLF, etc.), file checks, known web applications, etc., or you can define your own profile.

I chose the default profile and 40 minutes and 37,616 HTTP requests later the scan was finished and the results were ready for analysis. It’s worth noting that during a scan you can manually verify any vulnerability using a built-in HTTP Editor. Although the scan results are automatically saved in a database (SQL Server or MS Access), you can save the whole scan session for further investigation. Pretty handy for short on-site assessments when you want to grab as much data as possible for further crunching.

The Reports
Acunetix WVS provides a separate report generator and it’s very easy to generate a report based on any scan stored in the database. You can customize the report with your own logo and captions as well as which information to include in the report. I preferred to use the default template and I chose to generate 3 reports for my assessment, all of them available as PDF for download.

The Custom Vulnerability Checks
Acunetix WVS offers the option to define custom checks which are merged into the main body of vulnerabilities and one can easily integrate these checks into the scanning profiles. Very useful feature for internal QA assessments, I must say.

The Tools
Undoubtedly, automatic scanning does a great job at discovering application vulnerabilities such as Cross Site Scripting, SQL injection, CSRF, XPath. However, manual security analysis requires powerful additional tools and Acunetix WVS provides the penetration tester with a well structured collection of such tools (a.k.a. web security Swiss knife):

  • Site Crawler
  • Target Finder
  • Subdomain Scanner
  • HTTP Editor
  • HTTP Sniffer
  • HTTP Fuzzer
  • Authentication Tester

The Extras
As if it wasn’t enough, here are just a few features that truly make Acunetix WVS 5 stand out from the crowd:

The Conclusion
Acunetix Web Vulnerability Scanner 5 is definitely a most valuable ally in the battle against web security risks. This versatile software has successfully tackled the 80 / 20 problem of advanced software applications. It delivers good value for the money even if you use just 20 percent of its features, whereas in the hands of a web application security professional it reveals the 80 percent reserve of raw power.

I love it!

Download Acunetix WVS 5 and use it for the full 100 percent!


3 Responses to “Acunetix Web Vulnerability Scanner 5 Review”

  1. anonymous Says:

    Version 5.0 sucks. Locked features.
    What’s the point if you can’t try before buying it?

  2. Steve Says:

    Yeah, that’s right, that’s the reason I prefer Maui Security Scanner (http://www.elanize.com).

  3. vulnerability scanner Says:

    I have checked Beyond Security Vulnerability Scanner and was impressed.
    It is very easy to use, very friendly interface, and I have a feeling that it has much more vulnerabilities tested. In any case, new vulnerabilities are discovered every day, and the best company is the one that is up to date.
