Acunetix Standard and Premium User Guide
- June 6, 2024
- Acunetix
Acunetix Quick Start Guide
LEARNING THE BASICS
Congratulations on joining Acunetix!
Web security might seem like a daunting concept. But with Acunetix, you can
start scanning target web applications immediately.
Acunetix is an automated, yet configurable, web application security scanner.
It enables you to scan websites, web applications and web services in order to
detect vulnerabilities and other issues that may be useful to malicious
hackers.
First, we recommend that you read the Acunetix Introduction.
INFORMATION
Acunetix provides, in many cases, proof that discovered vulnerabilities are real, significantly reducing false positives. Together with the speed of the Acunetix scanning engine (the fastest on the market), this means you avoid wasting time on manual verifications. This enables you to spend time fixing vulnerabilities instead.
WEB APPLICATION SECURITY THE SCAN PLAN
A good way to bring security to your web applications is to follow a simple
6-point plan.
- Understand your web application’s underlying technologies and structure
- Prepare and configure targets
- Scan your web application
- Resolve issues
- Retest fixed issues
- Generate reports
Getting Started with Acunetix
INSTALLATION
There are two ways to use Acunetix:
- Acunetix Online is a cloud-based web application security scanner. You can simply log in by using the Account Administrator credentials you were supplied.
- Alternatively, you can download and install the Acunetix on-premises edition.
- First check the Installing Acunetix guide to confirm that your system meets the minimum system requirements.
- Proceed with installing Acunetix. Once it is installed and you have created your administrator user account, you can start using the application immediately.
ACTIVATING YOUR ACUNETIX INSTALLATION
After the installation, Acunetix needs to be activated using your license
key. Log into the Acunetix web UI and navigate to the profile page of your
account, where you will need to update your contact details. Insert your
license key and proceed with product activation. With the on-premises
edition, you can also choose to register your installation with the
AcuMonitor service. Acunetix Online users automatically make use of
AcuMonitor. More details about License Activation can be found here.
INFORMATION
AcuMonitor is used to detect certain types of vulnerabilities, such as Blind XSS, SSRF, XXE and other out-of-band vulnerabilities which can only be detected using an intermediary service. More information on AcuMonitor can be found here.
ADDING TARGET WEBSITE APPLICATIONS
Now that you have installed Acunetix, you are almost ready to start scanning.
Before you begin, it is important you understand how to add a target website,
and, equally important, how to define the target to correctly match your
website. Adding your target website before starting to scan is necessary so
Acunetix knows which sites you want to scan, and how best to perform the scan
to take a better snapshot of the web application’s attack surface.
WARNING
Each target scanned counts towards your license; you cannot switch this site
out for a different site you need to scan. To see a more complete description
of how targets are counted towards your license,
Acunetix Online users need to verify the ownership of their websites prior to
scanning. For more details on this,
Click the “Save” button.
VERIFYING WEBSITE OWNERSHIP
(Acunetix Online only)
You can Verify Ownership of a website by uploading a verification file into
the root of the Target’s URL. For Network scanning, there will be a one-time
verification process where you may need to be contacted by Acunetix.
You can obtain more details about the verification process in Configuring
Targets.
AUTHENTICATION SETTINGS
Authentication settings are very important for a web application scan. Most
web applications require a legitimate user to log in before allowing the user
access to parts of the web application that are reserved to logged-in users.
To scan these reserved parts of the web application, this authentication step
must be configured within your Target settings so the scanner can reach these
components.
Authentication may be configured in one of two ways. The first option is to
use the Acunetix
Auto-Login feature; for most web applications using a simple login/logout
mechanism, this will be sufficient. More complex login mechanisms will require
additional configuration, which can be done using the Acunetix Login Sequence
Recorder. For more details on this, see Configuring Targets.
Default configuration will allow you to use Acunetix for black-box scanning; this means that the scanning engine uses a large set of techniques to efficiently and effectively scan the target web application even without having “insider” knowledge of the server-side scripting engine being used. The engine will scan the web application, using multiple mechanisms to attempt to find flaws and vulnerabilities, much the same way as a malicious hacker would. The modern-day term for this is DAST, or Dynamic Application Security Testing.
INFORMATION
AcuSensor gets additional information from the server back end, at the time when Acunetix is scanning the web application. This additional information gives us a number of benefits:
- Line of code or stack trace indicating where vulnerability is created
- Greater precision and increased confidence in vulnerabilities detected
- Full web application coverage
A more advanced strategy we can use is IAST, or Interactive Application Security Testing, where Acunetix creates an AcuSensor agent file that can be deployed into a web application for some types of server-side scripting languages (Java, PHP, and .NET). Once AcuSensor is deployed, it works in tandem with the external Acunetix scanning engine, returning feedback in real-time for a much wider range of tests that can now be performed thanks to the synergy between the external scanner and the AcuSensor within the application.
You can get more detailed information about deploying the AcuSensor for PHP, Java, and .NET.
GROUPING YOUR TARGETS
If you are managing a large number of web sites or applications, it will benefit you to organize these websites or applications into logical groups for ease of management; you can later on assign a whole group of websites to a particular security staff member.
LAUNCHING A SCAN
Now that your targets are configured, you are ready to launch a scan. There are two ways to do this. You can either use the default settings, or you can configure them for an optimized and faster scan.
USING THE DEFAULT SETTINGS
Acunetix is an easy to use, automated web application security scanner. Depending on whether you want to check your web application for all vulnerabilities, or just for a subset of vulnerabilities, Acunetix provides a number of default scanning profiles, including:
- Full Scan
- High Risk Vulnerabilities
- Cross-site Scripting Vulnerabilities
- SQL Injection Vulnerabilities
- Weak Passwords
- Crawl Only
- Full Web and Network Scan
- Network Scan
…as well as the option to create a custom profile that runs only the specific
classes of tests you wish to perform.
The built-in Scan Profiles make it easy to get started quickly. To understand
the scan settings in more detail, start with Creating a New Scan.
INFORMATION
Remember that scan duration may vary depending on the size of the web application, the response time of the web application, and the security checks enabled in the Scan Profile you select.
REVIEWING SCAN RESULTS
Now that the scan has been launched, it’s time to look into the generated
results. In fact, the Scan page shows its findings even while the scan is in
progress, exposing a list of all the vulnerabilities found so far, a
hierarchical model of the structure of the web application discovered during
the initial crawling stage of the scan, and a dashboard with a summary of the
key pieces of information relevant to the scan.
Each vulnerability is listed, classified according to type, and described for
eventual resolution by the development team – complete with the HTTP request
made to the web server to identify the vulnerability, and the response
received that contains the vulnerability.
As you go through your first few scans of your web application, you can:
- Learn about vulnerability severity levels
- Gain an overview of the security state
- Check the scan summary and impacts
- Review the issues and remedies
- Fix the vulnerabilities and retest
- Update the status of the issues
In this section, we will discuss how vulnerabilities are categorized, how to
interpret ongoing and completed scan results, and what to do once an issue has
been identified and fixed.
Now is a good time to read up about Vulnerability Severity Levels and other
classification nomenclature.
WHAT IS GOING ON DURING SCANNING?
During the scan phase, Acunetix is crawling and attacking discovered pages.
The Scan summary page shows the results for a single website during the scan,
and also after completion.
If you are managing a suite of web applications, the Dashboard provides an overview of your web inventory, showing:
- statistics for the different vulnerability classifications
- a ranking of the web applications from most-to-least vulnerable
- a shortlist of the most commonly found vulnerabilities within the inventory
- trend charts to expose the efficiency and effectiveness of the remediation process
In addition:
- The list of vulnerabilities can be filtered and sorted to give priority to the items that are most relevant to the situation.
- If an exposed vulnerability will take a long time to fix, it is possible to export vulnerabilities for import into top-tier Web Application Firewalls.
- Integration with Issue Trackers can be configured for easier tracking by developers.
- When a second or subsequent scan is performed, one can “Compare Scans” to identify which vulnerabilities are no longer present (fixed), and which still remain.
WHY DO WE NEED REPORTS?
Reports are important because:
- Developer teams need reports to work on discovered vulnerabilities
- Directors and Regulatory bodies need reports to show compliance
- Managers need reports to evaluate the impact on the running business and to prioritize remediation tasks
- Support staff need reports to react to customer requests for assistance
A number of built-in report formats are provided with Acunetix, including
Developer and Executive Summary reports and compliance reports, such as HIPAA,
OWASP Top 10, NIST SP800, PCI DSS, and others. You can get more information
about the availability of different Types of Reports.
SETTING UP YOUR USERS AND PERMISSIONS
Now that you have added your first target, you can configure your users and
access levels.
Setting up user permissions at the start ensures that users get access to the
features they need to work on the websites they are responsible for,
identifying and resolving security issues right away.
To set up your users and their access levels, go to Configuring Users. Each
user can have one of 3 roles: Tech Admin, Tester, and Auditor. If a Tech Admin
is assigned the “Access All Targets” right, that user can also add Targets to
the system. This table summarizes the functionality assigned to each role.
ABOUT ACUNETIX
Acunetix is a global web security leader. As the first company to build a fully dedicated and fully automated web vulnerability scanner, Acunetix carries unparalleled experience in the field. The Acunetix web vulnerability scanning platform has been recognized as a leading solution multiple times. It is also trusted by customers from the most demanding sectors, including many Fortune 500 companies.
Our mission is to provide you with a trustworthy web security solution that protects all your assets, aligns with all your policies, and fits perfectly into your development lifecycle. The Acunetix platform frees up your security team resources. It can detect vulnerabilities that other technologies would miss because it combines the best of dynamic and static scanning technologies and uses a separate monitoring agent. It is your platform of choice for comprehensive web vulnerability assessment and vulnerability management.
WHERE TO FIND US
Stay up to date with the latest web security news.
Website. www.acunetix.com
Acunetix Web Security Blog. acunetix.com/blog
Facebook. facebook.com/acunetix
Twitter. twitter.com/acunetix
CONTACT INFORMATION
Acunetix (Europe and ROW)
Tel. +44 (0) 330 202 0190
Fax. +44 (0) 30 202 0191
Email. sales@acunetix.com
Acunetix (USA)
Tel. (+1) 737 241 8773
Fax. (+1) 737 600 8810
Email. salesusa@acunetix.com