Acunetix Web Vulnerability Scanner
Updated: Jul 16
Acunetix Web Vulnerability Scanner is a suite of tools that allows you to secure your website in the most efficient manner. It consists of the following components:
The Web Scanner launches an automatic security audit of a website. A website security scan typically consists of two phases:
Crawling: The Crawler automatically analyzes and crawls the website and builds a site structure. The crawling process enumerates all files and is vital to ensure that all the files on your website are scanned.
Scanning: Acunetix Web Vulnerability Scanner launches a series of web vulnerability checks against each file in your web application – in effect, emulating a hacker. The results of a scan are displayed in the Alert Node tree and include comprehensive details on all the vulnerabilities found within the website.
AcuSensor Technology Agent
Acunetix AcuSensor Technology is a unique technology that allows you to identify more vulnerabilities than a traditional black box web security scanner, and is designed to further reduce false positives. It also indicates the code where the vulnerability was found. This increased accuracy is achieved by combining black box scanning techniques with dynamic code analysis whilst the source code is being executed. For Acunetix AcuSensor to work, an agent must be installed on your website to enable communication between Acunetix Web Vulnerability Scanner and AcuSensor. Acunetix AcuSensor can be used with PHP and .NET web applications.
The Port Scanner performs a port scan against the web server hosting the scanned website. When open ports are found, Acunetix Web Vulnerability Scanner will perform network level security checks against the network service running on that port, such as DNS Open Recursion tests, badly configured proxy server tests, weak SNMP community strings, and many other network level security checks.
The Target Finder is a scanner that allows you to locate web servers (generally on ports 80 and 443) within a given range of IP addresses. If a web server is found, the scanner will also display the response header of the server and the web server software. The port numbers to scan are configurable.
Using various techniques, the Subdomain Scanner allows fast and easy identification of active subdomains of a top-level domain. The Subdomain Scanner can be configured to use the target’s DNS server or any other DNS server specified by the user.
Blind SQL Injector
Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool with which you can make manual tests to further analyze SQL injections reported during a scan. The tool makes use of Blind SQL Injection techniques to enumerate databases, tables, dump data and also read specific files on the file system of the web server if an exploitable SQL injection is discovered. With the Blind SQL Injector tool, you can also run manual tests to check for different variants of SQL injection. Using this tool, you can also run custom SQL ‘Select’ queries against the database.
The HTTP Editor allows you to create, analyze, and edit client HTTP requests and server responses. It also includes an encoding and decoding tool to encode / decode text and URLs to MD5 hashes, UTF-7 formats and many other formats. You can start the HTTP Editor from the ‘Tools’ node within the Tools Explorer. The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers and data.
The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to capture traffic before it is sent to the web server or back to the web client. This tool is useful to:
Analyze how Session IDs are stored and how inputs are sent to the server.
Alter any HTTP requests being sent back to the server before they get sent.
Manual crawling; navigate through parts of the website which cannot be crawled automatically, and import the results into the scanner to include them in the automated scan.
The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application’s handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner.
Web Services Scanner and Web Services Editor
The Web Services Scanner allows you to launch automated vulnerability scans against WSDL based Web Services. Web Services are commonly used to exchange data, and generally vulnerabilities in Web Services can easily be used to leak sensitive information. The Web Services Editor allows you to import an online or local WSDL for custom editing and execution of various web service operations over different port types for an in-depth analysis of WSDL requests and responses. The editor also features syntax highlighting for all languages to easily edit SOAP headers and customize your own manual attacks.
Acunetix Web Vulnerability Scanner SDK
The Reporter allows you to generate reports of scan results in a printable format. Various report templates are available, including summary, detailed reports and compliance reporting. The Consultant Version of Acunetix Web Vulnerability Scanner allows customization of the generated report.
Acunetix Web Vulnerability Scanner Licensing
Acunetix Web Vulnerability Scanner is available in 5 editions:
The Small Business edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer, and scan one nominated site; this site must be owned by yourself (or your company) and not by third parties. Acunetix Small Business edition will leave a trail in the log files of the scanned server and scanning of third-party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations.
The Enterprise edition license allows you to install one copy of Acunetix Web Vulnerability Scanner on one computer to scan an unlimited number of sites or servers. The sites or servers must be owned by yourself (or your company) and not by third parties. Acunetix Enterprise edition will leave a trail in the log files of the scanned server and scanning of third-party sites is prohibited by the license agreement. Additional licenses are required for separate installs onto different workstations.
Enterprise x10 Instances
The ONLY difference between the Enterprise Edition and the Enterprise Edition x10 instances is that this edition of the Acunetix Web Vulnerability Scanner Enterprise allows you to run up to 10 instances of Acunetix Web Vulnerability Scanner on the same computer giving you the ability to scan up to 10 websites simultaneously.
The Consultant edition license allows you to install one copy of Acunetix on one computer to scan an unlimited number of sites or servers including 3rd party sites, provided that you have obtained permission from the respective site owners. This is the correct edition to use if you are a consultant who provides web security testing services, hosting provider or ISP. The consultant edition also includes the capability of modifying the reports to include your own company logo. This edition does not leave any trail in the log files of the scanned server. Additional licenses are required for separate installs onto different workstations.
Consultant x10 Instances
The ONLY difference between the Consultant Edition and the Consultant Edition x10 instances is that this edition of the Acunetix Web Vulnerability Scanner Consultant allows you to run up to 10 instances of Acunetix Web Vulnerability Scanner on the same computer giving you the ability to scan up to 10 websites simultaneously.