Acunetix Web Vulnerability Scanner

Manual
v5.0

By Acunetix Ltd.
Acunetix Ltd.
http://www.acunetix.com
E-mail: info@acunetix.com


Information in this document is subject to change without notice. Companies,
names, and data used in examples herein are fictitious unless otherwise
noted. No part of this document may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the
express written permission of Acunetix Ltd.

Acunetix WVS is copyright of Acunetix Ltd. 2004-2007.
Acunetix Ltd. All rights reserved.

Document version 5.00
Last updated 4th June 2007.

Acunetix Web Vulnerability Scanner Contents i
Contents
1. INTRODUCTION TO ACUNETIX WEB VULNERABILITY SCANNER __________________________________ 5
1.1 WHY YOU NEED TO SECURE YOUR WEB APPLICATIONS ____________________________________________ 5
1.2 WEB ATTACK EXAMPLES _________________________________________________________________ 6
1.3 THE ACUNETIX WEB VULNERABILITY SCANNER __________________________________________________ 7
1.4 AUDITED VULNERABILITIES _______________________________________________________________ 7
1.5 SUPPORTED TECHNOLOGIES _______________________________________________________________ 9
1.6 MAIN FEATURES ______________________________________________________________________ 9
1.7 ACUNETIX WVS PROGRAM OVERVIEW ______________________________________________________ 13
1.8 LICENSE SCHEME _____________________________________________________________________ 19
1.8.1 Perpetual or Time Based Licenses _________________________________________________ 19
1.8.2 Small Business Version 1 Site/Server _______________________________________________ 19
1.8.3 Enterprise Version Unlimited Sites/Servers __________________________________________ 19
1.8.4 Consultant Version _____________________________________________________________ 19
1.8.5 Purchasing Acunetix WVS ________________________________________________________ 20
2. INSTALLING ACUNETIX WVS _____________________________________________________________ 21
2.1 SYSTEM REQUIREMENTS ________________________________________________________________ 21
2.2 INSTALLATION PROCEDURE ______________________________________________________________ 21
2.3 UPGRADE PROCEDURE _________________________________________________________________ 23
2.4 CONFIGURING A PROXY SERVER ___________________________________________________________ 25
2.5 CONFIGURING WEB BROWSER FOR HTTP SNIFFER ______________________________________________ 26
2.6 PASSWORD PROTECT WVS ______________________________________________________________ 27
2.7 LIMITATIONS OF THE EVALUATION VERSION ___________________________________________________ 29
2.8 UPGRADING FROM AN EVALUATION TO A PURCHASED VERSION _____________________________________ 29
2.9 EXTENDING OR UPGRADING A PURCHASED VERSION _____________________________________________ 29
3. THE USER INTERFACE ___________________________________________________________________ 31
3.1 INTRODUCTION ______________________________________________________________________ 31
3.2 THE WVS MAIN INTERFACE _____________________________________________________________ 31
3.2.1 Layout _______________________________________________________________________ 31
3.2.2 Navigation ____________________________________________________________________ 31
3.2.3 Toolbar ______________________________________________________________________ 32
3.2.4 Tools Explorer _________________________________________________________________ 33
3.2.5 Main Area ____________________________________________________________________ 34
3.2.6 Activity Window _______________________________________________________________ 34
3.2.7 Status Bar ____________________________________________________________________ 35
3.2.8 Hiding Panels__________________________________________________________________ 35
3.2.9 Context Menus ________________________________________________________________ 35
3.3 THE SETTINGS INTERFACE _______________________________________________________________ 36
3.3.1 Saving Changes ________________________________________________________________ 37
3.4 ERROR HANDLING ____________________________________________________________________ 37
4. GETTING STARTED: SCANNING YOUR WEBSITE ______________________________________________ 38
4.1 STARTING A SCAN ____________________________________________________________________ 38
4.2 STEP 1: SELECT TARGET(S) TO SCAN ________________________________________________________ 39
4.3 STEP 2: CONFIRM TARGETS AND TECHNOLOGIES DETECTED ________________________________________ 40
4.4 STEP 3: SPECIFY CRAWLER OPTIONS ________________________________________________________ 41
4.5 STEP 4: SPECIFY SCANNING PROFILE OPTIONS AND MODE _________________________________________ 42
4.6 STEP 5: CONFIGURE LOGIN FOR PASSWORD PROTECTED AREAS______________________________________ 43
4.7 STEP 6: CONFIGURING CUSTOM 404 ERROR PAGES _____________________________________________ 47
4.8 SELECTING THE FILES/FOLDERS TO SCAN _____________________________________________________ 49
4.9 ANALYZING THE SCAN RESULTS ___________________________________________________________ 50
4.9.1 Alerts Node ___________________________________________________________________ 51
4.9.2 Site Structure Node _____________________________________________________________ 53
4.10 SAVING THE SCAN RESULTS ______________________________________________________________ 54
4.11 GENERATING A REPORT FROM THE SCAN RESULTS _______________________________________________ 54
4.12 GOOGLE HACKING VULNERABILITIES ________________________________________________________ 55
5. SITE CRAWLER TOOL ___________________________________________________________________ 57
5.1 INTRODUCTION ______________________________________________________________________ 57
5.2 ANALYZING A WEBSITE STRUCTURE _________________________________________________________ 58
5.2.1 Starting the crawling process _____________________________________________________ 58
5.2.2 Analyzing the information collected by the crawler ___________________________________ 58
5.2.3 Info Tab ______________________________________________________________________ 58
5.2.4 Referrers Tab __________________________________________________________________ 59
5.2.5 HTTP Headers Tab ______________________________________________________________ 59
5.2.6 Inputs Tab ____________________________________________________________________ 60
5.2.7 View Source Tab _______________________________________________________________ 60
5.2.8 View Page Tab _________________________________________________________________ 61
5.2.9 HTML Analysis Tab _____________________________________________________________ 62
6. TARGET FINDER TOOL __________________________________________________________________ 67
6.1 INTRODUCTION ______________________________________________________________________ 67
6.2 TO START A SCAN ____________________________________________________________________ 67
7. SUBDOMAIN SCANNER TOOL ____________________________________________________________ 69
7.1 INTRODUCTION ______________________________________________________________________ 69
7.2 STARTING A SUBDOMAIN SCAN ___________________________________________________________ 69
8. HTTP SNIFFER TOOL ____________________________________________________________________ 70
8.1 INTRODUCTION ______________________________________________________________________ 70
8.2 CONFIGURING THE HTTP SNIFFER _________________________________________________________ 71
8.3 ENABLING THE HTTP SNIFFER ____________________________________________________________ 71
8.4 CREATING AN HTTP SNIFFER TRAP FILTER ____________________________________________________ 72
8.5 ANALYZING AND RESPONDING TO THE TRAPPED REQUESTS ________________________________________ 73
8.5.1 The Trap Form _________________________________________________________________ 73
8.6 EDITING AN HTTP REQUEST WITHOUT A TRAP _________________________________________________ 74
9. AUTHENTICATION TESTER TOOL __________________________________________________________ 75
9.1 INTRODUCTION ______________________________________________________________________ 75
9.2 TESTING HTTP AUTHENTICATION __________________________________________________________ 75
9.2.1 What is HTTP Authentication? ____________________________________________________ 75
9.2.2 Testing the Password Strength ____________________________________________________ 76
9.3 TESTING HTML FORM AUTHENTICATION_____________________________________________________ 76
9.3.1 What is HTML Forms Authentication? ______________________________________________ 76
9.3.2 Testing Password Strength _______________________________________________________ 77
10. HTTP EDITOR TOOL ___________________________________________________________________ 79
10.1 INTRODUCTION ______________________________________________________________________ 79
10.2 EDITING A REQUEST ___________________________________________________________________ 80
10.3 FINE-TUNING REQUESTS AND ANALYZING RESPONSES ____________________________________________ 82
10.3.1 Response Headers and Response Data tabs _________________________________________ 83
10.3.2 Text Only Tab _________________________________________________________________ 83
10.3.3 View Page Tab _________________________________________________________________ 83
10.3.4 HTML Structure Analysis Tab _____________________________________________________ 84
11. HTTP FUZZER TOOL ___________________________________________________________________ 85
11.1 INTRODUCTION ______________________________________________________________________ 85
11.2 CREATING A RULE TO AUTOMATICALLY TEST A SERIES OF INPUTS _____________________________________ 85
12. WEB SERVICES SCANNER ______________________________________________________________ 90
12.1 INTRODUCTION ______________________________________________________________________ 90
12.2 STARTING A WEB SERVICE SCAN ___________________________________________________________ 90
12.3 ANALYZING RESULTS ___________________________________________________________________ 92
13. WEB SERVICES EDITOR ________________________________________________________________ 95
13.1 INTRODUCTION ______________________________________________________________________ 95
13.2 USING THE WEB SERVICES EDITOR _________________________________________________________ 95
13.3 HTTP EDITOR EXPORT FEATURE ___________________________________________________________ 99
14. COMPARE RESULTS TOOL ____________________________________________________________ 101
14.1 INTRODUCTION _____________________________________________________________________ 101
14.2 COMPARING RESULTS _________________________________________________________________ 101
14.3 ANALYZING THE RESULTS COMPARISON _____________________________________________________ 103
14.4 MODIFY/DELETE TEMPLATE ITEMS ________________________________________________________ 104
15. THE REPORTER _____________________________________________________________________ 105
15.1 INTRODUCTION TO THE REPORTER ________________________________________________________ 105
15.2 LAUNCHING THE REPORTER _____________________________________________________________ 105
15.3 REPORT STYLES AND TEMPLATES _________________________________________________________ 106
15.4 GENERATING A REPORT ________________________________________________________________ 109
15.5 THE REPORT VIEW ___________________________________________________________________ 111
15.6 WVS DATABASE ____________________________________________________________________ 112
15.7 THE REPORTER SETTINGS_______________________________________________________________ 112
16. COMMAND LINE SUPPORT ___________________________________________________________ 114
16.1 INTRODUCTION _____________________________________________________________________ 114
16.2 LOCATING THE WVS COMMAND LINE EXECUTABLE _____________________________________________ 115
16.3 COMMAND LINE PARAMETERS AND OPTIONS _________________________________________________ 116
16.4 REPORTER COMMAND LINE _____________________________________________________________ 118
16.5 COMMAND LINE EXAMPLES _____________________________________________________________ 118
17. SCHEDULER ________________________________________________________________________ 119
17.1 INTRODUCTION _____________________________________________________________________ 119
17.2 THE SCHEDULER MANAGEMENT CONSOLE ___________________________________________________ 120
17.3 CREATING A SCHEDULE ________________________________________________________________ 124
18. CONFIGURING ACUNETIX WVS ________________________________________________________ 126
18.1 INTRODUCTION _____________________________________________________________________ 126
18.2 SETTINGS: APPLICATION SETTINGS > GENERAL ________________________________________________ 127
18.3 SETTINGS: APPLICATION SETTINGS > LAN SETTINGS ____________________________________________ 129
18.4 SETTINGS: APPLICATION SETTINGS > DATABASE _______________________________________________ 130
18.5 SETTINGS: APPLICATION SETTINGS > CERTIFICATES _____________________________________________ 132
18.6 SETTINGS: APPLICATION SETTINGS > LOGGING ________________________________________________ 133
18.7 TOOL SETTINGS > SITE CRAWLER _________________________________________________________ 134
18.8 TOOL SETTINGS > SITE CRAWLER > FILE FILTERS _______________________________________________ 136
18.9 TOOL SETTINGS > SITE CRAWLER > DIRECTORY FILTERS __________________________________________ 137
18.10 TOOL SETTINGS > SITE CRAWLER > URL REWRITE ____________________________________________ 138
18.11 TOOL SETTINGS > SITE CRAWLER > CUSTOM COOKIES _________________________________________ 141
18.12 TOOL SETTINGS > HTTP SNIFFER _______________________________________________________ 142
18.13 TOOL SETTINGS > SCANNER ___________________________________________________________ 142
18.14 SCANNER SETTINGS > LOGIN SEQUENCES __________________________________________________ 144
18.15 SCANNER SETTINGS > HTML FORMS _____________________________________________________ 146
18.16 SCANNER SETTINGS > PARAMETER EXCLUSIONS _____________________________________________ 149
18.17 SCANNER SETTINGS > CUSTOM ERROR PAGES _______________________________________________ 150
18.18 SCANNER SETTINGS > GHDB __________________________________________________________ 152
18.19 SCANNING PROFILES ________________________________________________________________ 153
18.19.1 Default Scanning Profiles _____________________________________________________ 154
18.20 CREATING/MODIFYING SCAN PROFILES ___________________________________________________ 155
19. DATABASE CONVERSION UTILITY ______________________________________________________ 156
19.1 INTRODUCTION _____________________________________________________________________ 156
19.2 OBTAINING THE DATABASE CONVERSION UTILITY ______________________________________________ 156
19.3 CONVERTING A DATABASE ______________________________________________________________ 156
20. VULNERABILITY EDITOR ______________________________________________________________ 161
20.1 INTRODUCTION _____________________________________________________________________ 161
20.2 ACUNETIX WVS AUDIT MODULES _________________________________________________________ 162
20.3 ADDING A VULNERABILITY TEST __________________________________________________________ 163
20.3.1 Editing the Vulnerability Description ______________________________________________ 165
20.3.2 Specifying When the Vulnerability Check is Applicable ________________________________ 167
20.3.3 Specifying Test Variables _______________________________________________________ 167
20.3.4 Variables Explained ____________________________________________________________ 168
20.3.5 Defining the Requests to be Made in the Test _______________________________________ 170
20.3.6 Analyzing the Response ________________________________________________________ 171
20.4 ADDING A VULNERABILITY ITEM __________________________________________________________ 173
20.5 EXAMPLE: CREATING A TEST WHICH SEARCHES FOR A PARTICULAR FILE _______________________________ 174
20.5.1 Step 1: Creating a Vulnerability __________________________________________________ 174
20.5.2 Step 2: Adding a Vulnerability Item _______________________________________________ 175
20.5.3 Step 3: Configuring the Test Properties ____________________________________________ 176
20.5.4 Step 4: Save the Test and Re-Launch Acunetix WVS __________________________________ 178
21. WVS FILE TYPES ____________________________________________________________________ 179
21.1 WVS TOOLS FILE TYPES _______________________________________________________________ 179
21.2 WVS EXPORT FILE TYPES ______________________________________________________________ 179
22. TROUBLESHOOTING _________________________________________________________________ 180
22.1 INTRODUCTION _____________________________________________________________________ 180
22.2 REQUEST SUPPORT VIA E-MAIL __________________________________________________________ 180
22.3 SUPPORT CENTER ____________________________________________________________________ 181
23. CREDITS ___________________________________________________________________________ 183
24. INDEX_____________________________________________________________________________ 185



Introduction to Acunetix Web Vulnerability Scanner 5
1. Introduction to Acunetix Web Vulnerability Scanner
1.1 Why You Need To Secure Your Web Applications
Website security is possibly today's most overlooked aspect of securing the
enterprise and should be a priority in any organization.
Increasingly, hackers are concentrating their efforts on web-based
applications to obtain access to, and misuse, sensitive data such as customer
details, credit card numbers and proprietary corporate data.
Hackers already have a wide repertoire of attacks that they regularly launch
against organizations, including SQL Injection, Cross Site Scripting, Directory
Traversal Attacks, Parameter Manipulation (e.g. URL, Cookie, HTTP
headers, HTML Forms), Authentication Attacks, Directory Enumeration and
other exploits. Moreover, the hacker community is very close-knit; newly
discovered web application intrusions are posted on a number of forums and
websites known only to members of that exclusive group. Postings are
updated daily and are used to propagate and facilitate further hacking.
Web applications (shopping carts, forms, login pages, dynamic content and
other bespoke applications) are designed to allow your website visitors to
retrieve and submit dynamic content, including varying levels of personal and
sensitive data.
If these web applications are not secure, then your entire database of
sensitive information is at serious risk. A Gartner Group study reveals that
75% of cyber attacks are done at the web application level.
Why does this happen?
• Websites and related web applications must be available 24 hours a
day, 7 days a week to provide the required service to customers,
employees, suppliers and other stakeholders.
• Firewalls and SSL provide no protection against web application
hacking, simply because access to the website has to be made
public.
• Web applications often have direct access to backend data such as
customer databases and, hence, control valuable data and are much
more difficult to secure.
• Most web applications are custom-made and, therefore, involve a
lesser degree of testing than off-the-shelf software. Consequently,
custom applications are more susceptible to attack.
Various high-profile hacking attacks have proven that web application
security remains the most critical area. If your web applications are
compromised, hackers will have complete access to your backend data even
though your firewall is configured correctly and your operating system and
applications are patched repeatedly.

Network security defense provides no protection against web application
attacks since these are launched on port 80 (default for websites) which has
to remain open to allow regular operation of the business.
For the most comprehensive security strategy, it is therefore imperative that
you regularly and consistently audit your web applications for exploitable
vulnerabilities.
The need for automated web application security scanning
Manual vulnerability auditing of all your web applications is complex and
time-consuming. It also demands a high level of expertise and the ability to
keep track of considerable volumes of code and of all the latest tricks of the
hacker's trade.
Automated vulnerability scanning allows you to focus on the more
challenging issue of securing your web applications from any exploitable
vulnerability that jeopardizes your data.
1.2 Web Attack Examples
Well-known sites that were open to web application attacks include:
TJX, the owner of clothing retailers T.J. Maxx and Marshall's Inc., suffered the
largest known data theft to date. Hackers invaded the TJX systems, resulting
in at least 45.7 million credit and debit card numbers being stolen over an
18-month period, as well as personal data, including driver's license numbers,
of another 455,000 customers who returned merchandise without receipts.
TJX first learned that there was suspicious software on its computer system
on Dec. 18, 2006; however, the stolen data covered transactions dating as far
back as December 2002.
In September 2006 hackers pilfered the personal data of nearly 19,000 DSL
equipment customers through a vulnerability in AT&T's online store. In a
statement, AT&T attributed the motive of the attack to a criminal market for
illegally obtained personal information. In fact, the data also included
customers' credit card details.
In 2006, ChoicePoint, Inc. paid $10 million in civil penalties and $5 million in
consumer redress after the personal financial records of more than 163,000
consumers in its database had been compromised.
Last year, the University of Southern California spent more than $140,000 to
notify affected students and also shut down the applications website for 10
days after a hacker gained online access to the admissions website.
In June 2004, security analyst ZapTheDingbat pointed out that MasterCard,
Natwest, Barclaycard, WorldPay, the GCHQ, and various other sites had
missed some basic gaps in their security, including the cross-site scripting
vulnerability. This flaw, for example, allows hackers to send users to the
legitimate site while displaying content and functionality of the hacker's
choice.
In June 2003 fashion label Guess and pet supply retailer PetCo.com were
notoriously found to be vulnerable to SQL injection. This
resulted in PetCo leaving as many as 500,000 credit card numbers open to
anyone able to construct a specially crafted URL.
One hacker gained access to over five million credit card accounts in
February 2003 through a web application attack. Similarly, in December
2002, a vulnerability in Tower Records' website laid bare the company's
customer orders database.

1.3 The Acunetix Web Vulnerability Scanner
The Acunetix Web Vulnerability Scanner (WVS) broadens the scope of
vulnerability scanning by introducing highly advanced heuristic and rigorous
technologies designed to tackle the complexities of today's web-based
environments.
WVS is an automated web application security testing tool that audits your
web applications by checking for SQL Injection, Cross Site Scripting and
other exploitable vulnerabilities. In general, the product
scans any website or web application that is accessible via a web browser
and that respects HTTP/HTTPS rules.
Besides automatically scanning for exploitable vulnerabilities, WVS offers a
strong and unique solution for analyzing off-the-shelf and custom web
applications, including those relying on JavaScript (e.g. AJAX applications).
Acunetix WVS is suitable for small, medium-sized and large
organizations with intranets, extranets and websites aimed at exchanging
and/or delivering information with/to customers, vendors, employees and
other stakeholders.
How WVS Works
Acunetix WVS has a vast array of automated features and manual tools and,
in general, works in the following manner:
1. It crawls the entire website by following all the links on the site
and in the robots.txt file (if available). WVS will then map out the
website structure and display detailed information about every file.
2. After this discovery stage or crawling process, WVS automatically
launches a series of vulnerability attacks on each page found, in
essence emulating a hacker. WVS analyzes each page for places
where it can input data, and subsequently attempts all the different
input combinations. This is the Automated Scan Stage.
3. As it finds vulnerabilities, Acunetix WVS reports these in the Alerts
Node. Each alert contains information about the vulnerability and
recommendations on how to fix it.
4. After a scan has been completed, it may be saved to file for later
analysis and for comparison to previous scans. With the reporter tool
a professional report may be created summarizing the scan.

1.4 Audited Vulnerabilities
Acunetix WVS automatically checks for the following vulnerabilities:
• Version Check
  o Vulnerable Web Servers
  o Vulnerable Web Server Technologies, such as PHP 4.3.0 file
    disclosure and possible code execution.

• CGI Tester
  o Checks for Web Server Problems - Determines if dangerous
    HTTP methods are enabled on the web server (e.g. PUT, TRACE,
    DELETE)
  o Verify Web Server Technologies

• Parameter Manipulation
  o Cross-Site Scripting (XSS)
  o SQL Injection
  o Code Execution
  o Directory Traversal
  o File Inclusion
  o Script Source Code Disclosure
  o CRLF Injection / HTTP Response Splitting
  o Cross Frame Scripting (XFS)
  o PHP Code Injection
  o XPath Injection
  o Full Path Disclosure
  o LDAP Injection
  o Cookie Manipulation
  o URL Redirection
  o Application Error Message

• MultiRequest Parameter Manipulation
  o Blind SQL / XPath Injection

• File Checks
  o Checks for Backup Files or Directories - Looks for common files
    (such as logs, application traces, CVS web repositories)
  o Cross Site Scripting in URI
  o Checks for Script Errors

• Directory Checks
  o Looks for Common Files (such as logs, traces, CVS)
  o Discover Sensitive Files/Directories
  o Discovers Directories with Weak Permissions
  o Cross Site Scripting in Path and PHPSESSID Session Fixation.

• Web Applications - Large database of known vulnerabilities for specific
  web applications such as Forums, Web Portals, Collaboration Platforms,
  CMS Systems, E-Commerce Applications and PHP Libraries.

• Text Search
  o Directory Listings
  o Source Code Disclosure
  o Check for Common Files
  o Check for Email Addresses
  o Microsoft Office Possible Sensitive Information
  o Local Path Disclosure
  o Error Messages

• GHDB - Google Hacking Database
  o Over 1400 GHDB Search Entries in the Database

• Web Services Parameter Manipulation
  o SQL Injection / Blind SQL Injection
  o Directory Traversal
  o Code Execution
  o XPath Injection
  o Application Error Messages

Other vulnerability tests may also be performed using the manual tools
provided, including:
• Input Validation
• Authentication attacks
• Buffer overflows



1.5 Supported Technologies
Acunetix WVS is designed to use a web application as an exploitable front-end
through which it can make contact with a database or web server. This
approach ensures that WVS does not rely on specific compatible web
servers for a scan to be executed.
For scanning web applications, Acunetix WVS is designed around the
following concept: if an application can be viewed in any browser without
installing special plug-ins, over the HTTP and HTTPS protocols, then it will
also be correctly crawled and scanned. Tests carried out internally, and on
public web applications, have confirmed that Acunetix WVS can efficiently
crawl and scan the following technologies: ASP, ASP.NET, JavaScript,
AJAX, PHP, FrontPage, PERL, JRun, Ruby, Flash, ColdFusion. Tested web
applications were also hosted on a number of different web servers such as
IIS, Apache, Sun Java and Lotus Domino.

1.6 Main Features
Compliance Reporting
The reporter allows you to generate detailed compliance reports for OWASP,
PCI, Sarbanes-Oxley, Web Application Security Consortium and HIPAA.
JavaScript / AJAX Support - Client Script Analyzer (CSA)
During the discovery stage, Acunetix WVS crawls for JavaScript and AJAX
using the new Client Script Analyzer (CSA). This allows the crawler to build a
comprehensive site structure upon which the automated scan will be
launched.
The CSA has been designed to be part of the crawling process to allow
automated rather than manual crawls of websites that rely on JavaScript /
AJAX. Rather than parsing the client code on the page, the CSA actually
executes the JavaScript in real time, in a similar fashion to the browser.
It does this by building the Document Object Model (DOM) of each page
on the website.
These design features significantly reduce the time needed to scan websites
containing JavaScript code while simplifying the whole scanning process for
such sites.
Web Services Support
For complete web security analysis, Acunetix WVS features full support for
Web Services vulnerability scanning and assessment. Web Services are now
becoming a commonplace implementation for information availability and
task processing over the internet, and the need to secure these systems from
being exploited also brings about the need for the right tools to perform this
task. The Web Services Scanner and Web Services Editor allow for full
vulnerability scanning and WSDL analysis, with full reporting functionality.
Subdomain Scanner
The Subdomain Scanner allows fast and easy identification of active
subdomains using various techniques and guessing of common subdomain
names. The Subdomain Scanner can be configured to use the target's DNS
server, or one specified by the user for added flexibility.

Scheduler Application
The scheduler application ensures enhanced flexibility and automation when
launching all types of scans including concurrent and/or sequential scans of
single or multiple websites.
Schedule such tasks as automated web crawling and scanning at a time
most convenient to you. Tasks may be run daily, weekly, monthly, at certain
times and/or continuously within a queue.
Scheduling runs as a service, with the related management console enabling
users to fully and easily configure the scanning, crawling, logging and
result-saving features. The schedule logs provide users with detailed
information on the scheduled queues.
Command Line
The Command Line support provides a command line interface that gives
you the power of Acunetix WVS without the usual graphical user interface.
It allows you to use WVS directly from the command prompt and from batch
files and script languages, making it ideal for automating repetitive tasks. A
comprehensive set of command line parameters gives you direct control over
the WVS features.
The WVS Command Line supports the normal tasks for automated scanning
as well as support for tasks related to Web Services.
URL Rewrite Support
The idea behind URL rewriting (for example, mod_rewrite) is to use a
rule-based rewriting engine (built on a regular-expression parser) to rewrite
requested URLs on the fly. This matters for a scanner: without the rules, a
rewritten URL whose path segment is really a script parameter looks like a
static page, so that parameter is never attacked.
URL rewrite configurations may be set up in Acunetix WVS to support the
proper crawling of such websites. The configuration may be done manually
by defining custom rulesets, or by importing the rules directly from Apache
httpd.conf or .htaccess files.
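As an added example (not Acunetix code), this Python reads RewriteRule lines from an .htaccess-style fragment and maps a rewritten URL back to the script and parameters it actually reaches, which is what a crawler needs in order to know what to attack. The .htaccess text, the product/ and artist/ paths and the script names are constructed; only the testphp.acunetix.com host comes from the manual. It handles $1-style back-references and the QSA flag, and ignores other flags.

```python
# Added example, not Acunetix code: parse mod_rewrite rules and apply them to
# a crawled URL so the real script and its parameters become visible.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed .htaccess fragment for illustration.
HTACCESS = """
RewriteEngine On
RewriteRule ^product/([0-9]+)/?$ listproducts.php?cat=$1 [L,QSA]
RewriteRule ^artist/([^/]+)$ artists.php?artist=$1 [L]
"""


def parse_rewrite_rules(text):
    """Return [(compiled_pattern, substitution, flags)] for each RewriteRule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split(None, 3)  # keyword, pattern, substitution, [flags]
        if len(parts) < 3:
            continue
        flags = set()
        if len(parts) == 4 and parts[3].startswith("["):
            flags = {f.strip() for f in parts[3].strip("[]").split(",")}
        rules.append((re.compile(parts[1]), parts[2], flags))
    return rules


def apply_rewrite(url, rules):
    """Rewrite the URL's path through the first matching rule and return
    (target_script, {param: [values]}). If no rule matches, the original path
    and query are returned unchanged (path keeps its leading slash)."""
    split = urlsplit(url)
    path = split.path.lstrip("/")  # .htaccess rules match without the leading slash
    for pattern, subst, flags in rules:
        m = pattern.search(path)
        if not m:
            continue
        # $1..$9 in the substitution refer to the pattern's capture groups
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
        t = urlsplit(target)
        query = t.query
        if "QSA" in flags and split.query:  # QSA appends the original query string
            query = f"{query}&{split.query}" if query else split.query
        return t.path, parse_qs(query, keep_blank_values=True)
    return split.path, parse_qs(split.query, keep_blank_values=True)


if __name__ == "__main__":
    rules = parse_rewrite_rules(HTACCESS)
    for u in ("http://testphp.acunetix.com/product/7?sort=desc",
              "http://testphp.acunetix.com/artist/john"):
        print(u, "->", apply_rewrite(u, rules))
```

Once the crawler knows that /product/7 is listproducts.php with cat=7, the cat parameter can be fuzzed and injected exactly like a visible query parameter.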
Detects Google Hacking Vulnerabilities
Google hacking is the term for a hacker using search engines to find
exploitable targets and sensitive data. The Google Hacking Database
(GHDB) is a database of queries that identify such data. Although Google
blocks some of the better known Google hacking queries, a hacker may still
crawl your site and run the Google Hacking Database queries directly
against the crawled content.
The Google hacking feature runs all the queries found in the Google Hacking
Database against the crawled content of your website, finding any sensitive
data or exploitable targets before a search engine hacker does.
The Google hacking feature is a unique, industry-first feature.

The Google Hacking Database is located at http://johnny.ihackstuff.com and
looks for the following information:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing logon portals

Pages containing network or vulnerability data such as firewall logs.

For further reference please visit:
http://www.informit.com/articles/article.asp?p=170880&rl=1
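As an added example (not Acunetix code, and not entries copied from the GHDB), the following Python shows the idea of running Google-style queries offline against your own crawl results: a small evaluator for the intitle:, inurl:, intext:, filetype:/ext: operators, quoted phrases and "-" negation, applied to a constructed set of crawled pages. The queries are written in GHDB syntax for illustration only.

```python
# Added example, not Acunetix code: evaluate Google-style queries against
# crawled pages, the idea behind running GHDB entries on your own crawl.
import shlex
from urllib.parse import urlsplit

# Constructed crawl results; fields mirror what a crawler records per page.
CRAWLED = [
    {"url": "http://testphp.acunetix.com/admin/", "title": "Index of /admin",
     "body": "Parent Directory backup.sql users.txt"},
    {"url": "http://testphp.acunetix.com/logs/firewall.log", "title": "",
     "body": "DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10"},
    {"url": "http://testphp.acunetix.com/login.php", "title": "Login",
     "body": "Please enter your username and password"},
    {"url": "http://testphp.acunetix.com/index.php", "title": "Home",
     "body": "Welcome to the test site"},
]

# Constructed queries in GHDB syntax (not copied from the database).
QUERIES = {
    "directory listing": 'intitle:"index of" "parent directory"',
    "firewall log": "filetype:log inurl:firewall",
    "login portal": "intitle:login intext:password",
    "sql dump": "filetype:sql",
}


def _term_matches(term, page):
    """One query term: optional operator prefix, optional leading '-' negation."""
    negate = term.startswith("-")
    if negate:
        term = term[1:]
    op, _, value = term.partition(":")
    value_l = value.lower()
    url_l = page["url"].lower()
    path_l = urlsplit(page["url"]).path.lower()
    if op in ("intitle", "allintitle") and value:
        hit = value_l in page["title"].lower()
    elif op == "inurl" and value:
        hit = value_l in url_l
    elif op == "intext" and value:
        hit = value_l in page["body"].lower()
    elif op in ("filetype", "ext") and value:
        hit = path_l.endswith("." + value_l)
    else:  # plain word or phrase: anywhere in title, body or URL
        t = term.lower()
        hit = t in page["title"].lower() or t in page["body"].lower() or t in url_l
    return not hit if negate else hit


def run_query(query, pages):
    """Return URLs of pages for which every term in the query matches.
    shlex keeps quoted phrases such as intitle:"index of" as one term."""
    terms = shlex.split(query)
    return [p["url"] for p in pages if all(_term_matches(t, p) for t in terms)]


def run_ghdb(queries, pages):
    """Return {query_name: [matching urls]}; queries with no hits are dropped."""
    results = {}
    for name, q in queries.items():
        hits = run_query(q, pages)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, urls in run_ghdb(QUERIES, CRAWLED).items():
        print(name, "->", urls)
```

Running the queries against a local crawl finds the same exposures a search engine would index, but also pages Google has not (or has stopped) indexing, which is why the crawl-based approach is more complete than searching Google itself.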
Extend Attacks with the HTTP Editor and Sniffer
With the HTTP Editor you can construct HTTP/HTTPS requests and analyze
the web server's responses, which lets you hand-craft and test custom SQL
injection and cross-site scripting attacks.
With the HTTP Sniffer you can log, intercept and modify all HTTP/HTTPS
traffic, giving you in-depth knowledge of the data sent by your web
application.
In-Depth Testing with the HTTP Fuzzer
The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and
input validation. With it, you can create rules to automatically test a range of
variables.
A simple example would be the following URL:
http://testphp.acunetix.com/listproducts.php?cat=1
Using the HTTP Fuzzer you could create a rule which automatically replaces
the last part of the URL (the value 1) with every number between 1 and 999.
Only valid results are reported. This degree of automation lets you quickly
test the results of close to 1,000 queries while significantly reducing the
amount of manual input.
Login Sequence Recorder for Protected Areas
The recorder allows you to scan password-protected sections of your
website. Simply use the login sequence tool to provide Acunetix WVS with
single or multiple login details. In addition, you can provide the scanner with
links it should not crawl, for example, a logout link.
Automatic HTML Form-filler
When the crawler encounters an HTML form, it can be instructed to use
certain input values when submitting this form.
This way you can automatically test your website for different types of inputs.
Crawl Flash Files
Acunetix WVS analyzes flash files looking for both links to follow and HTML
code.
Test Password Strength of Login Pages
With the authentication tester, you can audit password protected pages by
launching a dictionary attack.
Vulnerability Editor
Create custom web attack checks or modify existing ones with the
Vulnerability editor.
Supports All Major Web Technologies
Acunetix WVS supports scanning for vulnerabilities in websites that use any
of the major development technologies, including ASP, ASP.NET, PHP and
CGI. In general, the product scans any website or web application that is
accessible via a web browser and that respects HTTP/HTTPS rules.
Scanning Profiles
You can use different scanning profiles to scan different websites with
different identity and scan options. This reduces scan times and allows for
deeper analyses.
Report Generator
The Acunetix WVS V5 Reporting Application makes it quick and easy to
generate different reports of your scan results, with the added functionality to
export the report to a variety of file types. Designed as a stand-alone
application, the Reporter connects directly to the WVS Database, and allows
you to view results and generate different reports for vulnerabilities,
compliance, statistics, and parallel comparison of results. In-built search
functionality allows you to search for specific alerts within a set of results. The
Reporter is also fully configurable. One can configure the default report-type
for on the fly report generation, insert custom logos, headers, and footers, or
change page layout and size.
Compare Scans and Find Differences
Use the compare function to easily contrast recent and previous scans
thereby reflecting the changes made and identifying any resulting new
vulnerabilities.
Easily Re-Audit Website Changes
Good security practice requires you to check your website after every
change made to it. This can be done automatically with Acunetix WVS.
Re-auditing a website is further simplified by the Scheduler application,
which lets you configure website scans to follow your specific work and
development schedules.



1.7 Acunetix WVS Program Overview
The following pages briefly explain the main WVS tools and features:
Web Scanner

Screenshot 1 - Acunetix Web Vulnerability Scanner
The Web Scanner is the most important component: it launches the
automated security audit of a website. The automated scan consists of two
phases:
1. Crawling - This discovery phase automatically analyzes the website and
builds a site structure.
2. Scanning - A vulnerability scan consists of a series of attacks launched
against the crawled site structure, in effect emulating a hacker.


Screenshot 2 - Scan Results
The results of a scan are displayed in an Alert Node tree. Each Alert Node
contains extensive details on all the vulnerabilities found within the website.
Site Crawler

Screenshot 3 - The Site Crawler
The Site Crawler tool crawls the entire target website and displays its
structure together with detailed information on each file found.

HTTP Editor

Screenshot 4 - The HTTP Editor
The HTTP Editor allows you to create custom HTTP requests from scratch
and debug HTTP requests/responses.
HTTP Sniffer

Screenshot 5 - The HTTP Sniffer
In contrast to the HTTP Editor (see above), which builds requests from
scratch, the HTTP Sniffer works on live browser traffic and lets you modify
an HTTP request while it is in transit.


The HTTP Sniffer allows you to capture, examine and modify HTTP
communications between an HTTP client and a web server. This tool is used
to:
Analyze how session IDs are stored - Session IDs are used by the
application to uniquely identify a client browser. It is important that the
session ID is unpredictable and that the application uses a strong method
of generating random IDs.
Analyze how inputs are sent back to the server.
Alter any HTTP request being sent to the server before it is actually sent.
Navigate through parts of the website which cannot be crawled
automatically because, for example, of certain JavaScript code.
To use this tool, all HTTP requests must pass through WVS, so the software
must be set as the proxy server for your browser.
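As an added example (not Acunetix code), the Python below applies two sanity checks to a set of session IDs collected through an intercepting proxy such as the HTTP Sniffer: whether the IDs form a counter-like sequence, and how much entropy per character the pooled IDs carry. The two sample sets are constructed, one deliberately weak and one random-looking. These are heuristics: a handful of IDs cannot prove randomness, but they can disprove it.

```python
# Added example, not Acunetix code: predictability checks on captured session IDs.
import math
from collections import Counter

# Constructed samples: a counter-style ID (weak) and a random-looking one.
WEAK_IDS = ["00001a2f", "00001a30", "00001a31", "00001a32", "00001a33", "00001a34"]
STRONG_IDS = ["9f3c1b7e2a4d5c60", "0b8e47d1c9a2f35e",
              "e61a0f9c3b7d248a", "4c2d9e71a0b5f3c8"]


def is_sequential(ids, base=16):
    """True if consecutive IDs differ by one constant step when read as base-N
    integers (a counter, or a counter plus a fixed offset). Non-numeric IDs or
    fewer than three samples give False, since nothing can be concluded."""
    try:
        values = [int(i, base) for i in ids]
    except ValueError:
        return False
    if len(values) < 3:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def shannon_entropy_per_char(ids):
    """Shannon entropy in bits per character over the pooled characters of all IDs."""
    pooled = "".join(ids)
    counts = Counter(pooled)
    n = len(pooled)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(ids, base=16):
    """Verdict dict: weak if the IDs are sequential or their per-character
    entropy is well below the maximum for the alphabet (log2(base))."""
    max_bits = math.log2(base)
    ent = shannon_entropy_per_char(ids)
    seq = is_sequential(ids, base)
    return {
        "sequential": seq,
        "entropy_bits_per_char": round(ent, 2),
        "weak": seq or ent < 0.75 * max_bits,
    }


if __name__ == "__main__":
    print("weak set:  ", assess(WEAK_IDS))
    print("strong set:", assess(STRONG_IDS))
```

The entropy figure is per character of the encoding, not per ID; an ID that passes both checks still needs enough total length (well over 64 bits of randomness) to resist guessing, and that is a design question the capture alone does not answer.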
HTTP Fuzzer

Screenshot 6 - The HTTP Fuzzer
The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and
input validation. With this tool you can easily create input rules for Acunetix
WVS to test.
A simple example would be the following URL:
http://testphp.acunetix.com/listproducts.php?cat=1
Using the HTTP Fuzzer you can create a rule which automatically replaces
the last part of the URL (the value 1) with every number between 1 and 999.
Only valid results are reported. This degree of automation lets you quickly
test the results of close to 1,000 queries while significantly reducing the
amount of manual input.
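As an added example (not Acunetix code) serving both this passage and the HTTP Fuzzer description in section 1.6, the Python below implements the rule described: substitute every integer in a range for the cat parameter of the manual's example URL and keep only the "valid" hits. What counts as valid is an assumption made here, a 200 response whose body differs from the response to an out-of-range baseline value; WVS's own result filtering is configured in the tool. The transport is pluggable, so the test exercises the logic against a constructed fake server without network access.

```python
# Added example, not Acunetix code: numeric-parameter fuzzing with a pluggable
# transport. Only the example URL comes from the manual.
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TARGET = "http://testphp.acunetix.com/listproducts.php?cat=1"  # URL from the manual


def set_query_param(url, name, value):
    """Return url with query parameter `name` set to `value`; other parameters
    are kept in their original order."""
    parts = urlsplit(url)
    q = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    q.append((name, str(value)))
    return urlunsplit(parts._replace(query=urlencode(q)))


def http_send(url, timeout=10):
    """Live transport: (status, body). HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def fuzz_numeric_param(url, name, lo, hi, send=http_send, baseline_value=-1):
    """Send one request per value in [lo, hi]. A hit is a 200 whose body differs
    from the response to `baseline_value`, an out-of-range value assumed to
    produce the application's 'nothing found' page. Returns [(value, body_len)]."""
    _, base_body = send(set_query_param(url, name, baseline_value))
    hits = []
    for value in range(lo, hi + 1):
        status, body = send(set_query_param(url, name, value))
        if status == 200 and body != base_body:
            hits.append((value, len(body)))
    return hits


if __name__ == "__main__":
    # Live run (needs network and authorisation): the rule from the manual.
    for value, length in fuzz_numeric_param(TARGET, "cat", 1, 999):
        print(f"cat={value}: {length} bytes")
```

Comparing against a baseline rather than only against the status code is what keeps the report short: applications that answer every value with 200 would otherwise flag all 999 requests as valid.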

Authentication Tester

Screenshot 7 - The Authentication Tester
With the Authentication Tester tool you can perform a dictionary attack on
login pages which use HTTP (NTLM) or HTML form authentication. The tool
uses two predefined text files containing an extensive list of common
usernames and passwords; these files may be edited to include your own
combinations. Note that a dictionary attack issues one login attempt per
combination and can therefore trigger account lockout on the target, so run
it only against accounts you are authorized to test.
Vulnerability Editor

Screenshot 8 - The Vulnerability Editor
The Vulnerability Editor allows you to create custom security checks.
You will also notice changes and additions to the Vulnerability Editor as
updates to the Acunetix WVS are installed. For more information on updating
the Acunetix WVS please refer to page 127 of this manual.

Reporter
The Reporter application allows you to present the scan results in a printable
format, which you can send to your colleagues or customers. Various report
templates are available, including summary, detailed reports and also
compliance reporting.
The Consultant Version of the WVS allows further customization of the report
headers.

Screenshot 9 - Typical WVS Report including Chart of alerts



1.8 License Scheme
Acunetix Web Vulnerability Scanner (WVS) is available in 3 versions: Small
Business, Enterprise and Consultant.
1.8.1 Perpetual or Time Based Licenses
Acunetix WVS is sold as a one-year or perpetual license. The 1 year license
expires 1 year from the date of purchase. The perpetual license never
expires.
The Enterprise and Consultant versions are available as both a one-year and
perpetual license. The Small Business version is available as a perpetual
license only.
A Maintenance Agreement, which entitles the end user to free support and
version upgrades, is included for free in the one-year license for the full
duration. Perpetual licenses include two months of free support and
upgrades. To extend this period of support a maintenance agreement should
be purchased along with the perpetual license. A maintenance agreement
can be purchased in yearly intervals and begins from the date of product
purchase.
1.8.2 Small Business Version - 1 Site/Server
The Small Business Version license allows you to install one copy of
Acunetix WVS on one computer, and scan one nominated site or server; this
site or server must be owned by yourself (or your company) and not by third
parties. In the case of companies, you must obtain proper authorization to
scan the website. Acunetix Small Business version will leave a trail in the log
files of the scanned server and scanning of third party sites is prohibited with
this license.
To scan multiple websites you would require the Enterprise unlimited license.
To install copies on several computers, you require purchasing the necessary
individual licenses.
1.8.3 Enterprise Version - Unlimited Sites/Servers
The Enterprise version license allows you to install one copy of Acunetix
WVS on one computer, and scan an unlimited number of sites or servers.
The sites or servers must be owned by yourself (or your company) and not by
third parties. In the case of companies, you must obtain proper authorization
to scan the website. Acunetix Enterprise version will leave a trail in the log
files of the scanned server and scanning of third party sites is prohibited with
this license.
To install copies on several computers, you are required to purchase the
necessary individual licenses.
1.8.4 Consultant Version
The Consultant version license allows you to install one copy of Acunetix on
one computer, and scan an unlimited number of sites or servers including
3rd party sites, provided that you have obtained permission from the
respective site owners. This is the correct version to use if you are a consultant who
provides web security testing services, or an ISP. The consultant edition also
includes the capability of modifying the reports to include your own company
logo. Furthermore this version does not leave any trail in the log files of the
scanned server.

1.8.5 Purchasing Acunetix WVS
To purchase any of these licenses please visit:
http://www.acunetix.com/ordering/ and contact one of the Channel Partners
in your area. If there are no Channel Partners in your country, you may place
your order online from http://www.acunetix.com/ordering/pricing.htm

Pricing is available at http://www.acunetix.com/ordering/pricing.htm


2. Installing Acunetix WVS
2.1 System Requirements
Microsoft Windows XP Professional or Home Edition, Windows 2000,
Windows Server 2003 and Windows Vista.
128 MB of RAM (256 MB or higher recommended).
200 MB of available hard-disk space.
Microsoft Internet Explorer 5.1 (or higher).
Microsoft SQL Server / Access support if database is enabled (optional)
2.2 Installation Procedure
1. Double click on webvulnscan5.exe file to launch Acunetix WVS setup
wizard and click Next.
2. Read and review the License agreement and, if you agree with the
conditions laid out, select I accept the agreement. Click on Next to
continue the installation.

Screenshot 10 - Setup Wizard - Enter Details
3. Enter your Name, Company Name and License key. If you are evaluating
the product, leave the license key edit box blank. Click Next.







Screenshot 11 - Setup Wizard - Confirm Details
4. Select the folder location where you want to install Acunetix Web
Vulnerability Scanner and click Next.
5. Choose whether a program shortcut icon is to be created on the desktop.
Click on Next to continue with your installation.
If using the evaluation version, you will only be able to scan one of the Acunetix test
websites:
http://testphp.acunetix.com - A test website with PHP technology
http://testasp.acunetix.com - A test website with ASP technology
http://testaspnet.acunetix.com - A test website with ASP.NET technology
Furthermore, you will not be able to save the scan results.


6. After Acunetix WVS has been installed, you will be prompted to launch the
application. Check the tick box as appropriate and click Finish.

Screenshot 12 - Setup Wizard - Finish



2.3 Upgrade Procedure
1. Double click on the webvulnscan5.exe file to launch the Acunetix WVS
set-up wizard. The installer automatically detects any previously installed
version and displays a dialog asking whether to continue.

Screenshot 13 - Setup Upgrade Confirmation Dialog

By default, Acunetix WVS is installed with Microsoft Access database support enabled.
This is required to create reports using the Reporter. If you want to use a Microsoft
SQL Server or MSDE database, you will need to enter the required credentials from
the configuration screen under the Application Settings node. For more information on
how to configure this feature, please refer to page 113 of this manual.
SQL Server/MSDE must be installed in mixed mode or SQL server authentication
mode. NT authentication only mode is NOT supported.

2. Click on Yes to proceed with the upgrade
3. At this point the uninstaller is launched and it will verify again that you want
to actually uninstall the previous version of Acunetix WVS. Click on Yes to
proceed with the upgrade.


Screenshot 14 - Setup Uninstall Confirmation Dialog

4. The next step requires a careful choice:
If you plan to keep your past scan results and use them in the new
version or build of Acunetix WVS, you may select NO to keep the
current database.
If you plan to clear all your past scans and start from scratch with
the new version or build, you may select YES to remove your
current database.


Screenshot 15 - Setup Database Removal Dialog

5. At this stage, the un-installation process starts and when finished click on
OK to proceed with the upgrade.
6. The installation steps that follow are the same as described in section 2.2
of this manual. The installation procedure will be identical to a standard
installation from here on.


Screenshot 16 - First Run Previous Settings Import Dialog

7. After the installation is finished, run Acunetix WVS. The application will
present a dialog to upgrade any previous settings from the previous build that
was installed. Click on Yes to restore any previous configurations to the new
version or build just installed.

2.4 Configuring a Proxy Server

Screenshot 17 - LAN HTTP Proxy Settings
If your machine is sitting behind a proxy server and you need Acunetix WVS
to use this proxy, then you need to configure the proxy server settings.
From the Tools Explorer panel on the far left-hand side of the user interface,
select Configuration > Settings, then Application Settings > LAN Settings
to access the configuration panel shown above.
Acunetix WVS supports both HTTP and SOCKS proxy settings. You can
setup the Acunetix Web Vulnerability Scanner to use both technologies
concurrently.
HTTP Proxy Settings
Use an HTTP proxy server - Tick the check box to make Acunetix WVS use
an HTTP proxy server.
Hostname and Port - Hostname (or IP address) and port number of the
HTTP proxy server.
Username and Password - Credentials used to access the proxy. If no
authentication is required, leave these options empty.
SOCKS Proxy Settings
Use a SOCKS proxy server - Tick the check box to make Acunetix WVS
use a SOCKS proxy server.
Hostname and Port - Hostname (or IP address) and port number of the
SOCKS proxy server.
Protocol - Select which SOCKS protocol to use. Both SOCKS v4 and v5
are supported by Acunetix WVS.
Username and Password - The credentials used to access this proxy. If no
authentication is required, leave these options empty.

2.5 Configuring Web Browser for HTTP Sniffer
To sniff HTTP traffic, you must configure Acunetix WVS as a proxy server for
the browser installed on your machine. This allows you to direct WVS to
pages it either could not find automatically or could not access (because of
JavaScript etc.) and thus be able to scan them.



Internet Explorer Configuration
To configure Internet Explorer to pass via the Acunetix WVS proxy:
1. Launch Internet Explorer and select Tools > Internet Options >
Connections > LAN Settings

Screenshot 18 - Internet Explorer Proxy Server setup
2. Enable Use a proxy server for your LAN and specify the IP address /
name and port (default 8080) of the computer where Acunetix WVS is
running. If the browser is running on the same computer as Acunetix WVS,
you can use 127.0.0.1 or localhost as the proxy server address.
The browser configured this way only works while Acunetix WVS is running with the HTTP
Sniffer enabled. It is therefore advisable to install a second browser (Internet Explorer
or Firefox, depending on your default preference) and use it only for sniffing traffic,
while you continue using your preferred browser for regular browsing.

Mozilla Firefox Configuration
To configure Mozilla Firefox 2.0.0+ to pass via the Acunetix WVS proxy:
1. Launch Firefox and select Tools > Options

Screenshot 19 - Firefox proxy setup
2. Click on the Advanced icon at the top of the dialog. Then go to the
Network tab and click on Settings
3. Select Manual proxy configuration and specify the IP address/Name
and port (default 8080) of the computer running Acunetix WVS for both HTTP
and SSL.
4. If you will be using the HTTP Sniffer to browse a local website hosted on
the same machine as Acunetix WVS, also clear the No proxy for: textbox.
5. Click on the OK button to save the changes.

2.6 Password Protect WVS
To password protect the main interface of WVS together with all the
supporting applications including the Reporter, Vulnerability Editor and
Scheduler, simply follow these steps:
1. Go to the Configuration > Settings > Application Settings > General
node to access the password protection configuration settings.


Screenshot 20 - Password Protection Options
2. In the Password protection section of the page, enter the current
password in the Current password textbox. If you are configuring a
password for the first time leave this field empty.
3. Enter the new password in both the New password and the Confirm
new password textboxes.
4. Click on the Set Password button to save the settings.


Screenshot 21 - Password Protection Dialog
Once a password has been set, every subsequent launch of WVS or of any of
its supporting applications presents a password dialog. Enter the password
you configured to access the application normally.
For more information on the password protection feature of WVS, please go
to page 128.



2.7 Limitations of the Evaluation Version
The evaluation version of WVS, downloadable from the Acunetix website, is
practically identical to the full version in functionality and in the set of tools
it presents, with the following limitations:
Websites are scanned for Cross Site Scripting (XSS) vulnerabilities only;
the Acunetix test websites are scanned for all types of vulnerabilities
Only the default report can be generated, and it cannot be printed or
exported
Scan results cannot be saved

Screenshot 22 - Evaluation Limitations Dialog



2.8 Upgrading From an Evaluation to a Purchased Version
If you decide to purchase Acunetix WVS, you will need to upgrade the
evaluation version to the purchased version. You will receive a new download
location to obtain the unlocked and full version.
After download, simply launch the setup file. Setup will ask whether it can
remove the evaluation version and install the full version. Any settings you
have already made will be retained.
You will be able to enter the License key you received, after which you will
install the full version and scan your website.
2.9 Extending or Upgrading a Purchased Version
If you have already installed the full version, but only want to extend the
license key or upgrade from an enterprise to a consultant version, you can
enter your new license key under the General > Licensing node. Right-click
on the General/Licensing Node, select License Product and enter your new
license key.
To find out on how to purchase Acunetix Web Vulnerability Scanner, select General >
How to purchase.


3. The User Interface
3.1 Introduction
Acunetix WVS consists of a comprehensive set of highly technical, complex
and flexible tools. The product has an easy-to-use and intuitive Graphical
User Interface (GUI) designed to ensure immediate use of the product
without any particular level of technical expertise.
3.2 The WVS Main Interface
The following sections contain detailed descriptions of the different parts of
the Acunetix Web Vulnerability Scanner.
3.2.1 Layout

Screenshot 23 - The Acunetix WVS Main Interface Layout
The Main Interface includes all the main features needed to operate the
application and conduct your audits. From this interface you can launch a
new scan, access the individual tools of the application and configure all
settings and options.
3.2.2 Navigation
Navigation in Acunetix WVS is performed through the Toolbar and the
various nodes in the Tools Explorer panel.


3.2.3 Toolbar

Screenshot 24 - The Acunetix WVS Toolbar
Found below the menu bar at the top, the Toolbar contains quick access
buttons (represented by icons) for the main tools of the application, for the
settings, and for the main operation of the product, starting a new scan.
You will note the following icons/buttons on the toolbar:

New Scan - Access the Scan Wizard to start a new scan.
Web Scanner - Access the Web Scanner tool to launch a scan manually
instead of using the Scan Wizard.
Site Crawler - Access the Site Crawler tool.
Target Finder - Access the Target Finder tool.
Subdomain Scanner - Access the Subdomain Scanner tool.
HTTP Editor - Access the HTTP Editor tool.
HTTP Sniffer - Access the HTTP Sniffer tool.
HTTP Fuzzer - Access the HTTP Fuzzer tool.
Authentication Tester - Access the Authentication Tester tool.
Compare Results - Access the Compare Results tool.
Web Services Scanner - Access the Web Services Scanner tool.
Web Services Editor - Access the Web Services Editor tool.
Settings - Access the configuration settings area of the application.
Scanning Profile - Access the Scanning Profiles configuration.
Scheduler - Access the Acunetix WVS Scheduler application.
Reporter - Access the Reporter application.


3.2.4 Tools Explorer

Screenshot 25 - The Tools Explorer
As will be seen throughout this manual, the Tools Explorer is central to
navigating within Acunetix WVS. The Tools Explorer is laid out in a
hierarchical tree of nodes (branches) and corresponding sub-nodes (sub-
branches). Each sub-node has a parent node which categorizes the structure
in sections.



The tree structure has four main nodes:
Tools - This node category contains all the tools available in the
application.
Web Services - This node category contains all the tools related
to web services available in the application.
Configuration - This node category contains the configuration
settings of the application and also the Scanning Profiles
configuration settings.
General - This node category contains general application
information and links to the support centre.




The convention used throughout this manual to denote a particular node and sub-node
is Node > Sub-Node. For example, the Settings sub-node is a child of the parent node
Configuration, so the Settings node is written as Configuration > Settings.


3.2.5 Main Area

Screenshot 26 - The Acunetix WVS Main Area
The Main Area of the application will show the current active screen
depending on your selection from the toolbar or the tools explorer. It,
therefore, varies according to the tool and feature you are using.

3.2.6 Activity Window

Screenshot 27 - The Activity Window
The Activity Window at the bottom will show the current activity of the
application in real time. This section is subdivided into two tabs:

Application Log Tab - This tab includes real-time information on all
tools and any informational messages.
Error Log Tab - This tab shows any errors occurring during the scan
or the use of any of the tools.
3.2.7 Status Bar

Screenshot 28 - The Acunetix WVS Status Bar
The Status Bar found at the bottom of the Main Interface provides summary
information of the current running tool in the application.
This information is shown entirely through the operation of all tools so that
you always have an immediate overview of the current activity and status of
the application.
3.2.8 Hiding Panels
The Tools Explorer and the Activity Window panels can be hidden in order to
obtain more space in the main panel. This is extremely useful when working
in low resolution modes.
To hide a panel simply click on the icon at the edge of the panel.

Screenshot 29 - Hide Panel Icon
This switches the panel to auto-hide mode. Moving the mouse to the main
panel hides the panel, and moving the mouse to the edge where the panel
was brings it back into focus. To return the panel to fixed mode, simply click
on the icon again.
Auto-hide mode is available for other panels throughout the application
which have the icon.
3.2.9 Context Menus
Many of the nodes used in the Tools Explorer and also in the tools
themselves contain useful Context Menus. Accessed directly by right-click,
these menus are contextual in the sense that they allow access to specific
actions tied to a particular node.



Screenshot 30 - The Web Scanner Context Menu
For example, the context menu of the Web Scanner node in the Tools
Explorer contains several options regarding the scan results and also an
option to start a new scan or load saved scan results.


Screenshot 31 - The Site Crawler Context Menu
In this example, the context menu of the Site Crawler node contains options
which let you save and load crawl results.
3.3 The Settings Interface

Screenshot 32 - The Acunetix WVS Settings Interface

The Settings Interface is accessed from the Configuration > Settings node
in the Tools Explorer on the left in the main interface.
The settings interface is also laid out in a tree structure to facilitate navigation
across the various configuration nodes. The settings tree structure is
categorized in the following sections:
Application Settings - Contains the configuration screens related
to the general application settings.
Tools Settings - Contains the configuration screens related to the
tools in the application.
Scanner Settings - Contains the configuration screens related to
the Scanner in the application.
3.3.1 Saving Changes
The settings interface provides two buttons at the bottom of each
configuration screen to apply or discard the settings effected. To save the
configuration changes you made, click the Apply button otherwise your
changes will not be saved.

Screenshot 33 - Changing the WVS Settings
After making changes on any of the configuration screens the text Settings
have been changed! will be shown next to these buttons.

3.4 Error Handling
If an error occurs in Acunetix WVS, the appropriate response in the form of a
dialogue box will be presented. Please refer to Troubleshooting section on
page 180 for guidelines on how to handle any problems in the application.


Screenshot 34 - The Acunetix WVS Error Handling Dialog




4. Getting Started: Scanning Your Website
4.1 Starting a Scan



Auditing the security of your website with Acunetix WVS is easy. The Scan
Wizard lets you quickly set up an automated crawl and scan of your
website. An automated scan gives a comprehensive, in-depth picture of the
website's security level: simply review the individual alerts returned.
This chapter presents the process of launching a security audit of your
website through the Scan Wizard.


DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION!
The web server logs will show the scans and any attacks made by Acunetix WVS. If
you are not the sole administrator of the website, make sure you warn the other
administrators before performing a scan.
Some scans might cause a website to crash, requiring a restart of the website.

4.2 Step 1: Select Target(s) to Scan
You will need to enter the IP or the URL of the website that you wish to scan. To begin a new scan:
1. Click on File > New Scan. The Scan Wizard will start up and offer you a number of steps to guide you through the process of launching a website audit.

Screenshot 35 - Scan Wizard: Select Scan Type
2. Specify the target(s) to be scanned. The scan target options are:
Scan single website - Scans a single website. Enter a URL, e.g. http://testphp.acunetix.com, https://www.testaspnet.acunetix.com or http://80.237.145.112.
Scan using saved crawling results - If you previously performed a crawl/scan on a website and saved the results, you can analyze these results directly without having to crawl the site again. Specify the saved crawler results file by clicking on the folder button.
Scan List of Websites - Scans a list of target websites specified in a plain text file (one target per line). Every target in the file is to be specified in the format:
<URL> or <URL:port> or <IP> or <IP:port>
For example http://80.237.145.112:80/. Ensure that the port is included in each line, even if it is a default port.
Scan Range of Computers - This will scan a specific range of IPs (e.g. 192.168.0.10-192.168.0.200) for target sites which are open on the specified ports (default 80, 81 and 443).
3. Click Next to continue.
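The target-list format described above, as an added example that is not part of this manual or of Acunetix's own code: a small Python routine (the names normalize_target and normalize_target_list are this example's own) that rewrites every line of a target file into the <scheme>://<host>:<port>/ form the wizard expects, fills in the default port where a line leaves it out, drops duplicates and reports lines that cannot be used as targets. The sample list is constructed from the hosts named in this chapter.

```python
import ipaddress
from urllib.parse import urlsplit

# Default ports filled in when a line omits the port. This example assumes a
# line without a scheme is plain HTTP; the manual itself asks for an explicit
# port on every line, which is exactly what the output guarantees.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _valid_host(host):
    """Accept an IPv4/IPv6 address or a plausible DNS name
    (dot-separated labels of letters, digits and hyphens)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return all(label and label.replace("-", "").isalnum() for label in labels)


def normalize_target(line):
    """Rewrite one target line as '<scheme>://<host>:<port>/...'.

    Accepts <URL>, <URL:port>, <IP> and <IP:port>. Returns None for blank
    lines and '#' comments; raises ValueError for anything that is not a
    usable HTTP/HTTPS target (bad scheme, bad host, non-numeric port).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:
        line = "http://" + line          # assumption: bare host/IP means HTTP
    parts = urlsplit(line)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in target {line!r}")
    host = parts.hostname
    if not host or not _valid_host(host):
        raise ValueError(f"no usable host in target {line!r}")
    port = parts.port                    # ValueError if not a number in 0-65535
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if ":" in host:                      # IPv6 literal must be bracketed again
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}{parts.path or '/'}"


def normalize_target_list(text):
    """Normalise a whole target file.

    Returns (targets, rejected): the de-duplicated targets in file order, and
    a list of (line number, line, reason) for lines that were rejected.
    """
    targets, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            target = normalize_target(raw)
        except ValueError as exc:
            rejected.append((lineno, raw.strip(), str(exc)))
            continue
        if target is not None and target not in seen:
            seen.add(target)
            targets.append(target)
    return targets, rejected


# Constructed sample target file (the last line is deliberately unusable).
SAMPLE_LIST = """\
# targets for the nightly scan (constructed sample)
http://testphp.acunetix.com
https://www.testaspnet.acunetix.com
80.237.145.112
http://80.237.145.112:80/
ftp://testphp.acunetix.com
"""

if __name__ == "__main__":
    targets, rejected = normalize_target_list(SAMPLE_LIST)
    for target in targets:
        print(target)
    for lineno, line, reason in rejected:
        print(f"line {lineno} rejected: {reason}")
```

Running the normaliser over a list before handing it to the wizard catches the two mistakes that silently shrink a scan: a missing port, and the same server listed twice under different spellings.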

4.3 Step 2: Confirm Targets and Technologies Detected

Screenshot 36 - Scan Wizard: Selecting Targets and Technologies
Acunetix WVS will automatically probe the target website(s) for basic details such as operating system, web server, web server technologies and whether a custom error page is used (for more details on custom error pages refer to page 47 of this manual).
The web vulnerability scanner will optimize the scan for the selected technologies and use these details to reduce the number of tests performed by skipping those which are not applicable (e.g. Acunetix WVS will not run IIS tests against a UNIX system). This reduces scanning time.
If you already know what technologies the website is running, you can check whether Acunetix WVS identified them correctly. Click on the relevant field and change the setting using the provided check boxes as shown above.
After you have confirmed the technologies, click Next to proceed.

4.4 Step 3: Specify Crawler Options

Screenshot 37 - Scan Wizard: Crawling Options
1. In this dialog you can configure the crawling options.
Crawling Options
The Crawler traverses the entire website and identifies its structure. The following crawling options may be configured:
Start HTTP Sniffer for manual crawling at the end of the scan process - This option will start the HTTP Sniffer automatically at the end of the crawl process, enabling you to browse (the browser must be set to use Acunetix WVS as proxy) parts of the site that the crawler could not reach or did not find. Frequently these pages are linked via JavaScript menus or other methods. Although Acunetix WVS handles JavaScript, there may be situations where a manual crawl is still required. The crawler will update the site structure with the newly discovered links and pages.
Get first URL only - Scan only the index or first page.
Do not fetch anything above start folder - Select this option to instruct the crawler not to follow any links above the start folder. For example, if you specify http://testphp.acunetix.com/wvs/ as a start URL it will not traverse the links which point to a location above the base link, e.g. http://testphp.acunetix.com/. However, it will traverse all links to pages located in the /wvs/ folder or any of its subfolders.
Fetch files below base folder - Select this option to also follow links which are contained outside the base folder. For example, if you specify http://testphp.acunetix.com/ as a start URL it will traverse the links which point to a location below the base link, e.g. http://testphp.acunetix.com/wvs/.
Fetch directory indexes even if not linked - Select this option to instruct the crawler to request the directory index for every discovered directory even if the directory index is not directly linked.
Submit forms - With this option enabled, any forms encountered during the scan will be automatically submitted with test data. To instruct WVS to submit specific data in a particular form you can navigate to the HTML Forms setting: Configuration > Settings (in the Tools Explorer) > Scanner Settings > HTML Forms (in the Settings Interface) node. (For full details on how to configure Acunetix WVS see the Configuring Acunetix WVS chapter on page 126 of this manual.)
Retrieve and process robots.txt, sitemap.xml - Select this option to have Acunetix WVS look for a robots.txt file and follow all the links in it.
Case insensitive paths - Select this option to ignore any case difference in the links found on the website, e.g. /Admin will be considered the same as /admin.
Analyze JavaScript - Select this option to activate the Client Script Analyzer (CSA) during crawling. This will execute JavaScript/AJAX code on the website to gather a more complete site structure.
After crawling let me choose the files to scan - Select this option to present a window at the end of the crawling process which lets you select which files from the site structure to actually scan.
Click Next.
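The scope rules behind three of the options above (Get first URL only, Do not fetch anything above start folder, Case insensitive paths), as an added example that is not part of this manual or of the product's crawler: a Python filter (the names CrawlOptions, in_scope and crawl_scope are this example's own) that resolves each link against the start URL and decides whether a crawler honouring those options would fetch it. It uses the /wvs/ start URL from the text and a constructed list of links, including a "../" link that escapes the start folder and a differently-cased duplicate.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit


@dataclass
class CrawlOptions:
    """The three scope-related switches from the Crawling Options dialog."""
    get_first_url_only: bool = False        # "Get first URL only"
    stay_below_start_folder: bool = False   # "Do not fetch anything above start folder"
    case_insensitive_paths: bool = False    # "Case insensitive paths"


def _key(url, case_insensitive):
    """Comparison key for a URL. Scheme and host are always case-folded;
    the path is folded only when the case-insensitive option is on."""
    p = urlsplit(url)
    path = p.path or "/"
    if case_insensitive:
        path = path.lower()
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, path, p.query)


def start_folder(start_url):
    """Folder part of the start URL: the path up to and including its last '/'.
    http://host/wvs/ -> /wvs/   http://host/a/b.php -> /a/   http://host -> /"""
    path = urlsplit(start_url).path or "/"
    return path[: path.rfind("/") + 1]


def in_scope(link, start_url, opts):
    """Decide whether a link found on a page should be fetched. The link is
    resolved against the start URL first, so '../' escapes are caught."""
    url = urljoin(start_url, link)
    p, s = urlsplit(url), urlsplit(start_url)
    if p.scheme.lower() not in ("http", "https"):
        return False                      # mailto:, javascript:, ftp: ...
    if (p.hostname or "").lower() != (s.hostname or "").lower() or p.port != s.port:
        return False                      # only the start host (and port) is crawled
    if opts.get_first_url_only:
        return _key(url, opts.case_insensitive_paths) == _key(start_url, opts.case_insensitive_paths)
    if opts.stay_below_start_folder:
        path, folder = p.path or "/", start_folder(start_url)
        if opts.case_insensitive_paths:
            path, folder = path.lower(), folder.lower()
        if not path.startswith(folder):
            return False
    return True


def crawl_scope(links, start_url, opts):
    """Absolute, in-scope, de-duplicated URLs in discovery order."""
    seen, out = set(), []
    for link in links:
        if not in_scope(link, start_url, opts):
            continue
        url = urljoin(start_url, link)
        key = _key(url, opts.case_insensitive_paths)
        if key not in seen:
            seen.add(key)
            out.append(url)
    return out


# Constructed sample: links as they might appear on a page under /wvs/.
START = "http://testphp.acunetix.com/wvs/"
SAMPLE_LINKS = [
    "index.php",
    "/wvs/index.php",                    # same page, absolute path
    "/WVS/Index.php",                    # same page, different case
    "sub/page.php",
    "../login.php",                      # resolves above the start folder
    "http://testphp.acunetix.com/",      # the site root, above /wvs/
    "http://other.example/wvs/",         # another host
    "mailto:info@acunetix.com",
]

if __name__ == "__main__":
    strict = CrawlOptions(stay_below_start_folder=True, case_insensitive_paths=True)
    for url in crawl_scope(SAMPLE_LINKS, START, strict):
        print(url)
```

With both options on, only the two distinct pages under /wvs/ survive; with both off, the "../" and root links are followed and the differently-cased copy is treated as a separate page, which is the behaviour the Case insensitive paths option exists to suppress on case-insensitive web servers.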

4.5 Step 4: Specify Scanning Profile Options and Mode

1. In this dialog you can configure the scanning profile and scan options, including the options for the scanning mode.
Scanning Profile
The Scanning Profile will determine which tests are to be carried out on the target site. For example, if you only want to test your website(s) for SQL injection, you would select the sql_injection profile and no additional tests would be performed.
Refer to the Scanning Profiles section on page 153 for more information on how to customize existing profiles and create new scanning profiles.
Scan Options
From this section you can select the Scanning Mode which will be used during the scan. The scanning mode options are the following:
Quick - In this mode the scanner will test only the first value of every parameter.
Heuristic - In this mode the scanner will try to work out automatically for which parameters to test all values and for which not to.
Extensive - In this mode the scanner will test all possible combinations for all parameters on the website. In some cases this can generate a huge number of requests and should be used with caution.
The other options which you can select are:
Test known web application vulnerabilities on every directory - If this option is selected, the scanner will test for the known web application vulnerabilities on every directory instead of only the default directory for each known vulnerability. This option will generate a lot of HTTP traffic and will extend the scanning time if the website being scanned is very large.
Manipulate HTTP headers - With this option selected, the scanner will try to manipulate the HTTP headers which might be used by server side technologies.
Check for stored XSS - Enabling this option instructs the scanner to make extra tests for XSS which may be stored in databases.


4.6 Step 5: Configure Login for Password Protected Areas
Your website may have password protected areas or pages behind an HTML feedback form (e.g. visitor registration required to download whitepapers, files etc.) using either HTTP authentication or HTML forms authentication.
HTML forms authentication is not handled via HTTP, but rather via a web form which asks the user for a username and password. This information is sent back to the server for validation by a custom script.
HTTP authentication is part of the HTTP specification. If a site uses HTTP authentication, then the browser will pop up a password dialog. The web server validates the logon against a database of users (in the case of IIS these are local Windows user accounts, and in the case of Apache these are stored in a file).
If you want Acunetix WVS to scan the pages contained within/behind the login page, then configure Acunetix WVS to authenticate to the password protected area or fill in the HTML form details.


Screenshot 38 - Login Details Options
To test an HTTP password protected area:
1. Tick the box Authenticate with this user name and password combination.
2. Enter the username and password.
3. Click Next. When Acunetix WVS encounters an HTTP password dialog, it will use the details you entered.

To test an HTML form password protected area:
1. Click on Record new login sequence. The record login sequence window starts. The Login Sequence Recorder allows WVS to save and replicate all the events which were manually performed to access the area secured by the login page.
2. Browse to the HTML forms login page, enter the username and password and authenticate by clicking login. Note that on your website the names of the fields and the submit button might be different. Now click on the End login sequence button at the top of the dialog.



Screenshot 39 - Login Sequence Recording


Screenshot 40 - Login Sequence Recording: Logout
3. After you have authenticated, you also need to identify the logout link; otherwise Acunetix WVS will try to crawl the logout link and log out of the password protected area. Click on the logout link and select Restricted link.


Screenshot 41 - Login Sequence Editing

4. You can review the login sequence that you recorded by clicking on the Edit login sequence button.
5. When you are done, click on the save icon and click on the exit button to exit the login sequence editor. The wizard will save the login sequence.


Screenshot 42 - Login Sequences Configuration
You can reuse the login sequence during future scans. Login sequences can be edited from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > Login sequences node in the Settings Interface as shown.
You can choose to configure HTML form input directly, without the login sequence editor, from the Tools Explorer by selecting Configuration > Settings and then selecting the appropriate Scanner Settings > HTML Forms node. For more information see the chapter Configuring Acunetix WVS on page 126 of this manual.


Screenshot 43 - The Tools Explorer and Access to Application, Tool and Scanner Settings

4.7 Step 6: Configuring Custom 404 Error Pages
A 404 error page is the page which appears when an invalid URL is entered. In many cases, rather than displaying the standard 404 error, websites show a page formatted according to the look and feel of the site to inform the user that the page requested does not exist. Custom 404 error pages are not necessarily served as a server 404 error (invalid URL), and therefore Acunetix WVS must be able to automatically identify these pages to distinguish an invalid URL from a valid web page.
The scan wizard will automatically try to detect whether your site uses custom error pages. If your website does so, WVS will display the custom error page and will automatically attempt to locate the unique identifier of such an error page; in this case "Error 404: Page Not Found".

To configure the custom error page:
1. Highlight the text that is unique to this page. This text should not be found on any other page on your website.


Screenshot 44 - Custom Error Page Configuration
2. Click on the Generate pattern button within the wizard window to generate a regular expression from the highlighted text. The highlighted text will be copied to the Error message pattern box and changed into a regular expression that Acunetix WVS can interpret.
3. Click on the Test pattern button to verify the generated pattern.
4. Click Next.

Once the custom error page is configured, it will be saved and may be accessed by selecting Configuration > Settings from the Tools Explorer and then selecting the Scanner Settings > Custom 404 Pages node.
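What the Generate pattern and Test pattern steps amount to, as an added example that is not part of this manual or of Acunetix's own implementation: a Python version (the names generate_pattern, verify_pattern and classify are this example's own) that turns highlighted text into a literal regular expression, checks that the pattern hits the custom error page and none of the real pages, and then goes one step further than the wizard by classifying a response as "not found" when a 200 reply carries the custom error text. The two sample pages are constructed; the error page uses the "Error 404: Page Not Found" identifier from the text above and is served with status 200, which is exactly the case a custom 404 pattern exists for.

```python
import re


def generate_pattern(unique_text):
    """Build a regular expression that matches the highlighted text literally.
    Each word is escaped and the words are joined with \\s+ so that line
    breaks or extra spaces inside the HTML do not break the match."""
    words = unique_text.split()
    if not words:
        raise ValueError("highlight some text first")
    return r"\s+".join(re.escape(word) for word in words)


def matches_pattern(body, pattern):
    return re.search(pattern, body, re.IGNORECASE) is not None


def verify_pattern(pattern, error_page, valid_pages):
    """Mimic the 'Test pattern' check. Returns (hits_error_page, false_hits)
    where false_hits names the valid pages the pattern wrongly matches; a
    good pattern gives (True, [])."""
    false_hits = [name for name, body in valid_pages.items() if matches_pattern(body, pattern)]
    return matches_pattern(error_page, pattern), false_hits


def classify(status, body, pattern):
    """Decide whether a response means the page exists. A 200 whose body
    matches the custom error pattern is a custom 404, not a real page."""
    if status == 404:
        return "not found"
    if status == 200 and pattern and matches_pattern(body, pattern):
        return "not found (custom error page)"
    if status == 200:
        return "found"
    return f"other ({status})"


# Constructed sample pages for a fictitious site. The error page is returned
# with HTTP 200 and wraps the identifier over two lines.
CUSTOM_404_PAGE = """<html><head><title>Acme Shop</title></head><body>
<div class="header">Acme Shop - constructed sample site</div>
<h1>Error 404:
   Page Not Found</h1>
<p>Sorry, the page you asked for does not exist.</p>
</body></html>"""

VALID_PAGE = """<html><head><title>Acme Shop</title></head><body>
<div class="header">Acme Shop - constructed sample site</div>
<h1>Catalogue</h1><p>Welcome to our catalogue.</p>
</body></html>"""

if __name__ == "__main__":
    good = generate_pattern("Error 404: Page Not Found")
    bad = generate_pattern("Acme Shop")      # appears on every page: a poor choice
    print(good, verify_pattern(good, CUSTOM_404_PAGE, {"index": VALID_PAGE}))
    print(bad, verify_pattern(bad, CUSTOM_404_PAGE, {"index": VALID_PAGE}))
    print(classify(200, CUSTOM_404_PAGE, good), "/", classify(200, VALID_PAGE, good))
```

The "bad" pattern shows why step 1 insists on text that appears on no other page: a pattern built from the site banner matches the error page but also every real page, so the scanner would treat the whole site as missing.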



Screenshot 45 - Scan Wizard: Finish window
6. If you want to save the scan results to a database, enable Save scan results to the database for report generation.
Click on the Finish button to start the scan.


4.8 Selecting the Files/Folders to Scan
If the option to choose the files to scan was selected in the crawling options, a window with the site structure will open up, from which a selection of files to scan and files to ignore can be made.
By default all the files and folders in the site structure shown will be selected. To exclude an item from the scan, simply uncheck the tick box next to the item.
For websites with a large number of items, the toolbar at the top of the window provides the following functionality:
Filter - Show only the items partially matching the entered text.
Check Selected - Select the highlighted items.
Uncheck Selected - Deselect the highlighted items.
Check All - Select ALL files in the site structure.
Uncheck All - Deselect ALL files in the site structure.
To change the selection of multiple items at the same time without having to go through each item individually, you can use the CTRL and SHIFT key combinations.
It may take several hours to complete an automated scan of a large website!


Screenshot 46 - Choice of which files / folders to include in the scan


4.9 Analyzing the Scan Results
After the scan is completed, the results can be expanded by clicking on the scan in the Scan Results window. Two main nodes, Alerts and Site Structure, will be shown.

Screenshot 47 - Scan Result and Information window


4.9.1 Alerts Node
The Alerts node displays all vulnerabilities found and how to fix them. Alerts are sorted into four severity levels: High, Medium, Low and Informational. The number of vulnerabilities detected is displayed in brackets () next to the alert categories.

Screenshot 48 - Scan Results: Vulnerability information
By clicking on an alert category node more information will be shown:
Vulnerability description - A description of the current vulnerability and the object affected.
The impact of this vulnerability - What impact this vulnerability may have.
Attack details - Detailed information about the current alert. For example, for an SQL injection alert the parameters used to test for this vulnerability will be displayed.
View HTTP headers - Display the HTTP headers for the request and response.
View HTML response - Display the HTML response as a frame in the current document.
Launch the attack with HTTP Editor - This will load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, please refer to the HTTP Editor chapter.
How to fix this vulnerability - Recommendation on how to fix the problem.
Detailed information - This section provides extensive detailed information for certain high risk vulnerabilities.
Web references - A list of references where you can gather more information about the current vulnerability and/or how to fix it.


Levels of Severity
There are four vulnerability severity levels:

High Risk Alert Level 3 - Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.

Medium Risk Alert Level 2 - Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and directory intrusion.

Low Risk Alert Level 1 - Vulnerabilities derived from lack of encryption for data traffic, or directory path disclosures.

Informational Alert - Sites which are susceptible to revealing information through GHDB search strings, or email address disclosure.


For further investigation, click on Launch the attack with HTTP Editor at the bottom of the pane. This will load the current HTTP request and response in the HTTP Editor for manual inspection. For more information, refer to the HTTP Editor chapter on page 79 of this manual.

4.9.2 Site Structure Node
The Site Structure node displays the layout of the target site including all files and directories discovered during the crawling process. For every item retrieved, more detailed information is available in the right information pane.

Screenshot 49 - Site Structure details
Summary information for a file or directory includes:
Filename - The name of this file/directory.
Page Title - The page title of this file/directory.
File path - The file/directory location.
URL - The file/directory URL location.
HTTP Result - The HTTP GET response code for the file/directory.
Length - The file/directory size in bytes.
Input Variable Count - Number of inputs used for collecting and processing data, usually gathered within HTML forms.
Status - File status.

Grouping of Test Variants
When more than a single instance of the same vulnerability is detected on any page, the scanner will group the variants of each exploit according to the parameter which was tested. This makes it easy to understand how many exploits were detected in total, and also how many files were found to be vulnerable.
This organization of vulnerability data makes the results easier to interpret, and also makes it easier to keep track of vulnerable pages and what vulnerabilities need to be fixed. Vulnerability data can also be presented in a report with this system of grouping, by selecting the Vulnerability Report template in the reporting application.

4.10 Saving the Scan Results
When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session, including alert information and site structure.
To save the scan results go to File > Save Scan Results.
To load the scan results go to File > Load Scan Results.
4.11 Generating a Report from the Scan Results
Creating a report when viewing the scan results is as easy as clicking a button. Simply click on the Report button on the toolbar at the top; this automatically starts the report generation process using the default report configuration.
More information on how to configure the default report, which is generated when clicking on the Report button, can be found on page 112 of this manual.

Screenshot 50 - Report Button in Scan Results
Once the report is generated, the Acunetix WVS Reporter will automatically be launched, and you will be presented with the vulnerability report which is configured as the default. From this screen you can print the report or export it to the various supported formats.

Screenshot 51 - Default Generated Report from Scan Results


To generate a report, a database must be configured (either MDB or SQL). This can be done from the Tools Explorer by selecting the Configuration > Settings node and, subsequently, Application Settings > Database.

4.12 Google Hacking Vulnerabilities
Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, a hacker may still crawl your site and launch Google Hacking Database queries directly against the crawled content.
The Google hacking feature will launch all the queries found in the Google Hacking Database against the crawled content of your website, thus finding any sensitive data or exploitable targets before a search engine hacker does. The Google hacking feature is a unique, industry first feature.
The Google Hacking Database is located at http://johnny.ihackstuff.com and looks for the following information:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing logon portals
Pages containing network or vulnerability data such as firewall logs.

For further reference please visit:
http://www.informit.com/articles/article.asp?p=170880&rl=1


Screenshot 52 - Scanner results with GHDB node
The GHDB vulnerability detection is performed as part of the automated scanning process. The results will be displayed as a separate node in the Scanner results.

5. Site Crawler Tool
5.1 Introduction
The Site Crawler tool traverses the target site and builds an internal representation of the site layout using the information (e.g. web pages and directories) collected. You can configure what the crawler fetches by selecting Configuration > Settings in the Tools Explorer and Tool Settings > Crawler from the Settings Interface.
The Site Crawler tool is automatically launched by the web scanner. You can use the Site Crawler tool to analyze the structure of a website without automatically launching the attacks.

Screenshot 53 - The crawler tool interface
The Crawler tool interface consists of:
Toolbar - Here you can specify the URL and start a crawl.
Site structure window (left hand side) - Displays target site information fetched by the crawler, e.g. cookies, robots and files.
Details window (right hand side) - Displays general information about a file selected in the site structure window (e.g. filename, file path). At the bottom of the details window there is a tabbed tool bar. Clicking on the Referrers, Headers, Inputs, View Page or HTML analysis tabs will show further information about the object selected.

5.2 Analyzing a Website Structure
5.2.1 Starting the crawling process
Enter the start URL of the target website from where the crawler should start the site traversal (e.g. http://testphp.acunetix.com/) and click on the Start button.



The site structure will be displayed on the left hand side: for each directory found, a node will be created together with sub-nodes for each file. At the end of the scan, the site crawler will create a Cookies node which displays information about the cookies found.
5.2.2 Analyzing the information collected by the crawler
Clicking on any of the pages or items on the left hand side will display details about that object in the right hand pane. Since there is considerable information, the details pane has been split up into the Info, Referrers, HTTP headers, Inputs, View Page and HTML analysis tabs as shown in the screenshot below.
5.2.3 Info Tab

Screenshot 54 - Info Page
The Info tab contains Filename, Page title, Path, URL and other information. It shows how many inputs the page can take in Input variable count.
The crawl process for large sites might take considerable time (up to several hours for very large sites).

5.2.4 Referrers Tab

Screenshot 55 - Referrers Page
This tab contains the list of files that link to the selected file.
5.2.5 HTTP Headers Tab

Screenshot 56 - HTTP Page
This tab contains the HTTP request for the selected file and the response received. From here you can check the content type, date, whether the file is cached and any relevant server information.
You can edit the HTTP request in the HTTP Editor by clicking the Edit with HTTP Editor icon located on top of the HTTP request pane. This allows you to analyze how the application will behave when certain parameters are altered.

5.2.6 Inputs Tab

Screenshot 57 - Inputs Page
The Inputs tab lists the inputs that this page accepts. For every input, the name and type of the variable, the list of possible values and all the input combinations are listed.
Although the web scanner will automatically attack these inputs, the Inputs tab proves very useful to review and analyze input information.

5.2.7 View Source Tab


Screenshot 58 - View Source Page


5.2.8 View Page Tab

Screenshot 59 - Browser Page
This tab loads the page as a web browser would, without, however, any formatting data (e.g. CSS files and images). Client side scripts are disabled for security reasons.



5.2.9 HTML Analysis Tab
This tab displays the HTML structure of a selected file. The structure information is detailed in five separate sub-tabs: Simple URLs, Comments, Client side scripts, Input forms and Meta tags. The total number of links, comments, etc. is displayed within brackets ( ).
Simple URLs Sub-Tab

Screenshot 60 - Simple URLs tab
This tab displays the links contained in the file. The sub-tag column shows the HTML tag, for example A for a page link, IMG for an image link and so on. Review this information for pages and links that might reveal sensitive information.

Comments Sub-Tab

Screenshot 61 - Comments tab
This sub-tab displays any comments present within the selected file structure. This information cannot be automatically analyzed but may still reveal interesting developer comments about the construction and coding of the site.
Client Script Sub-Tab

Screenshot 62 - Client side scripts tab
This sub-tab displays the scripts (JavaScript, VBScript etc.) and source code contained in the selected HTML file. These scripts will be executed by the client web browser. Review each script manually to see what it does; it might reveal information about the logic of the web application and what information is expected. In the course of a security audit, you might then try to give the application unexpected information to see how it behaves.
Check all scripts for:
Input validation code, for example on onclick or onsubmit events. Client side input validation logic is not secure.
Any characters that might upset applications.
Code that reads to or from an HTML form field, i.e. getElementById, formname.fieldname.value and so on.
Input Forms Sub-Tab

Screenshot 63 - Input Forms page
This sub-tab displays any HTML forms present in the selected file:
The top window displays the list of all forms.
The middle window displays the list of fields in the selected form, e.g. buttons, entry fields, etc.
The bottom window displays the default values for a selected field.
Review this information carefully and see whether the HTML forms unnecessarily reveal any information about the web application.

META Tags Sub-Tab

Screenshot 64 - Meta Tags tab
META tags contain information about the web page, for example the description and keywords META tags used by search engines.
META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, they control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP headers automatically or by a pre-processing tool.
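The five groups the HTML Analysis tab is built from (Simple URLs with their tag, comments, client scripts including event-handler attributes, input forms with field defaults, and META tags with their HTTP-EQUIV equivalents), as an added example that is not part of this manual or of the product's analyser: a Python parser on the standard library's html.parser (the class name HtmlAnalysis and the functions analyze, counts and http_equiv_headers are this example's own). The page it runs over is a constructed sample with one form, one developer comment and one HTTP-EQUIV tag, so every sub-tab has something to show.

```python
from html.parser import HTMLParser

# Tags whose attribute carries a URL; reported under "Simple URLs" with the tag name.
URL_ATTRS = {"a": "href", "img": "src", "script": "src", "link": "href",
             "iframe": "src", "form": "action"}
# Inline event handlers count as client-side script, as the text suggests checking.
EVENT_ATTRS = ("onclick", "onsubmit", "onload", "onchange", "onmouseover")
FIELD_TAGS = ("input", "select", "textarea", "button")


class HtmlAnalysis(HTMLParser):
    """Collect the five groups shown in the HTML Analysis tab from one file."""

    def __init__(self):
        super().__init__()
        self.urls = []        # (TAG, url)
        self.comments = []
        self.scripts = []     # inline script bodies and event-handler attributes
        self.forms = []       # {"action", "method", "fields": [...]}
        self.meta = []        # {"name" or "http-equiv", "content"}
        self._in_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # html.parser lower-cases names
        if tag in URL_ATTRS and a.get(URL_ATTRS[tag]):
            self.urls.append((tag.upper(), a[URL_ATTRS[tag]]))
        for event in EVENT_ATTRS:
            if event in a:
                self.scripts.append(f"{tag} {event}={a[event]!r}")
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            self.meta.append({k: v for k, v in a.items() if k in ("name", "http-equiv", "content")})
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag in FIELD_TAGS and self._form is not None:
            # default values are what the "bottom window" of the tab shows
            self._form["fields"].append({"tag": tag, "type": a.get("type", "text"),
                                         "name": a.get("name", ""), "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def counts(self):
        """The bracketed totals shown on each sub-tab."""
        return {"Simple URLs": len(self.urls), "Comments": len(self.comments),
                "Client side scripts": len(self.scripts), "Input forms": len(self.forms),
                "Meta tags": len(self.meta)}

    def http_equiv_headers(self):
        """META tags with HTTP-EQUIV, as the header name/value pairs they stand for."""
        return {m["http-equiv"]: m.get("content", "") for m in self.meta if "http-equiv" in m}


def analyze(html):
    parser = HtmlAnalysis()
    parser.feed(html)
    parser.close()
    return parser


# Constructed sample page.
SAMPLE_HTML = """<html><head>
<meta name="description" content="Constructed sample page">
<meta http-equiv="X-Frame-Options" content="DENY">
<script src="/js/menu.js"></script>
<script>function check(f){ return f.q.value.length > 0; }</script>
</head><body>
<!-- search form, validated on the client only -->
<a href="/wvs/index.php">Home</a>
<img src="/images/logo.gif">
<form action="/search.php" method="get" onsubmit="return check(this)">
<input type="text" name="q" value="">
<input type="hidden" name="mode" value="simple">
<input type="submit" value="Search">
</form>
</body></html>"""

if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print(result.counts())
    print(result.http_equiv_headers())
    print(result.comments, result.scripts, result.forms, sep="\n")
```

The sample illustrates the review points made above: the comment and the onsubmit handler together reveal that the search form relies on client-side validation only, and the hidden "mode" field is a default value the server will receive whether or not the user ever sees it.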

6. Target Finder Tool
6.1 Introduction
The Target Finder is a port scanner which can be used to find websites on a given IP or within a range of IPs.

Screenshot 65 - Target Finder view
6.2 To Start A Scan
1. In the Acunetix WVS Tools Explorer select the Tools > Target Finder node.
2. In the toolbar, enter:
IP or range of IPs - specify the IP address of the target(s) (e.g. 192.168.0.1-192.168.0.50).
The list of ports - specify the ports to probe (e.g. 80,81,443).
3. Now click the Start button to start the scan.
4. After the scan is complete, the web server(s) found are displayed, including the respective server type. HTTPS web servers are identified by a padlock icon.

5. You can launch a scan on a target server by right clicking on the server(s) of choice and selecting Scan this server from the menu.

7. Subdomain Scanner Tool
7.1 Introduction
The Subdomain Scanner automatically scans a top-level domain to locate any subdomains configured in its hierarchy, by using the target domain's DNS server or one specified manually. Any subdomains discovered can be scanned for vulnerabilities from within the tool itself, or imported directly into the HTTP Editor for further analysis through custom requests.

Screenshot 66 - Subdomain Scanner Tool
While scanning, this tool will automatically identify and inform the user if the domain being scanned is using wildcards (*.somedomain.com).
7.2 Starting a Subdomain Scan
1. In the Acunetix WVS Tools Explorer select the Tools > Subdomain Scanner node.
2. In the toolbar, enter:
Top Level Domain Name - specify the target domain (e.g. acunetix.com).
Select DNS Server - use the target's DNS server, or specify a server manually.
3. The default timeout is an optimal setting; increase it if slow responses are encountered.
4. Click the Start button to begin the scan.
5. Right-click the discovered subdomains to:
Launch a scan on the subdomain directly from the tool.
Send custom requests using the HTTP Editor.
Save the list of results as a text file to be imported into the scan wizard.
Export the list of servers to a CSV file.
8. HTTP Sniffer Tool
8.1 Introduction
The HTTP Sniffer tool is actually a proxy server which can capture, edit and filter requests made between a web client (browser or other HTTP application) and a web server.

Screenshot 67 - The HTTP Sniffer
The HTTP Sniffer is an excellent tool for intercepting client requests and modifying them before they are sent to the server.
Use it to:
Create a rule to trap particular POST or GET requests and change them manually.
Create a rule that automatically changes particular requests.
Create a rule to automatically log information in requests or responses.

8.2 Configuring the HTTP Sniffer
To use the HTTP Sniffer tool you must:
1. Configure the ports and interfaces that the HTTP Sniffer internal proxy will listen on for requests being made (from the Tools Explorer select Configuration > Settings and Tools Settings > HTTP Sniffer from the Settings Interface).
2. Configure your web client/browser to use the machine on which Acunetix WVS is running as its proxy server.



8.3 Enabling the HTTP Sniffer

Screenshot 68 - HTTP Sniffer toolbar with the proxy server started
Once you have configured your web client to pass through the HTTP Sniffer/proxy server, go to the HTTP Sniffer tool and click on the Start button in the toolbar. This will start the proxy server and thus the sniffing of connection requests.
All connection requests and responses will be listed in the main window. To view the complete request, click on the request; more detailed information will be displayed in the lower pane.

By default, the HTTP Sniffer internal proxy server will listen on port 8080 of the machine it is running on (bound to the local interface, i.e. 127.0.0.1); this means that the default settings make the internal proxy accessible only to web client applications running on the same machine.
To use the Acunetix WVS HTTP Sniffer internal proxy server to listen to and service requests from web clients installed on other machines, you will need to configure the HTTP Sniffer settings to listen on all interfaces (from the Tools Explorer select Configuration > Settings and Tools Settings > HTTP Sniffer from the Settings Interface).

8.4 Creating an HTTP Sniffer Trap Filter
You can configure the HTTP Sniffer to intercept an HTTP request before it is
sent. You can make changes to this request and the sniffer will
send the modified request to the server.
You can do the same for HTTP responses: you can review and edit a
particular response before it is sent to the client. You do this by creating
HTTP Proxy trap filters:
1. In the HTTP Sniffer toolbar, click on the Edit traps button to bring up the
HTTP traps dialog.

Screenshot 69 - HTTP Sniffer Edit Trap window
2. You can select a rule trap template, e.g. trap requests, trap ASP or PHP
requests. This will load up a preconfigured trap which you can edit.
3. Alternatively you can create a new trap by entering a description, rule type,
to what traffic it applies and a regular expression. The following rule types are
available:
Trap rules - Configure what requests/responses should be trapped for
editing.
Don't trap rules - Configure which trapped requests/responses should be
ignored.
Replace or change rules - Configure which requests should be
automatically changed based on the given expression.
Logging rules - Configure which requests or responses should be
logged in the Activity window.
5. You can now configure whether to apply the trap to all of the response, or
just the Request headers, request body and so on.
6. Enter a regular expression.
7. To add the trap to the list below, click Add. This will add the trap and
automatically enable it. You can enable/disable traps by clicking on the tick
box in front of the trap rule.

8. When you have created your trap rules, click the OK button to return to the
HTTP Sniffer dialog.
9. Click on the Enable traps button to activate the traps.
8.5 Analyzing and Responding To the Trapped Requests
After you have created your trap filters and enabled them, the sniffer will
follow the steps described below to decide which actions should be taken
when handling a certain request or response:
1. Is it included in the log rules?
2. If yes, make a log entry.
3. Is it included in auto change rules?
4. If yes make the requested changes.
5. Is it included in the trapping rules?
6. If no, go to Action 10.
7. Is it included in the exclusion rules for trapping?
8. If yes, go to Action 10.
9. Trap the request or response by using the trap form
10. Forward the request or the response.
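The decision sequence above, implemented as an added Python example (not Acunetix code): the four rule types of section 8.4 are modelled as regular-expression rules, and handle() reports whether a message would be logged, auto-changed, trapped for manual editing, or simply forwarded. The rule set, the apply_to values and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrapRule:
    """One HTTP Sniffer trap filter: rule type (section 8.4), the part of the
    traffic it applies to, its regular expression and its enabled tick box."""
    description: str
    rule_type: str         # "trap", "dont_trap", "change" or "log"
    apply_to: str          # "request", "request_headers", "request_body",
                           # "response", "response_headers", "response_body"
    pattern: str
    replacement: str = ""  # used by "change" rules only
    enabled: bool = True


@dataclass
class Message:
    kind: str              # "request" or "response"
    headers: str           # start line plus header lines, CRLF separated
    body: str = ""


@dataclass
class Outcome:
    logged: bool = False
    changed: bool = False
    trapped: bool = False  # True means the trap form would pop up
    message: Optional[Message] = None


def _sections(rule: TrapRule, msg: Message):
    """Message parts covered by the rule's 'apply to', or [] when the rule
    targets the other direction of traffic."""
    direction, _, part = rule.apply_to.partition("_")
    if direction != msg.kind:
        return []
    return [part] if part else ["headers", "body"]


def _matches(rule: TrapRule, msg: Message) -> bool:
    return rule.enabled and any(
        re.search(rule.pattern, getattr(msg, part)) for part in _sections(rule, msg))


def handle(msg: Message, rules) -> Outcome:
    """Run one request or response through the decision sequence of
    section 8.5 and report what the sniffer would do with it."""
    out = Outcome(message=msg)
    # Actions 1-2: logging rules never stop processing
    out.logged = any(r.rule_type == "log" and _matches(r, msg) for r in rules)
    # Actions 3-4: automatic change rules are applied before any trapping
    for rule in rules:
        if rule.rule_type == "change" and _matches(rule, msg):
            for part in _sections(rule, msg):
                setattr(msg, part, re.sub(rule.pattern, rule.replacement, getattr(msg, part)))
            out.changed = True
    # Actions 5-6: no trap rule matches, so forward (Action 10)
    if not any(r.rule_type == "trap" and _matches(r, msg) for r in rules):
        return out
    # Actions 7-8: a "don't trap" rule overrides the trap, so forward
    if any(r.rule_type == "dont_trap" and _matches(r, msg) for r in rules):
        return out
    # Action 9: hand the message to the trap form for manual editing
    out.trapped = True
    return out


# Constructed rule set mirroring the templates of section 8.4
RULES = [
    TrapRule("Trap requests", "trap", "request_headers", r"^(GET|POST) "),
    TrapRule("Ignore stylesheets", "dont_trap", "request_headers", r"^GET \S+\.css "),
    TrapRule("Rewrite User-Agent", "change", "request_headers",
             r"(?m)^User-Agent:[^\r\n]*", "User-Agent: WVS-Test"),
    TrapRule("Log PHP pages", "log", "request_headers", r"\.php"),
]
```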
8.5.1 The Trap Form

Screenshot 70 - HTTP Sniffer Trap form
When a request or a response is trapped by the HTTP Sniffer, the HTTP
trap window will pop up to allow you to edit the request/reply. Similar to the
HTTP Editor, the Trap Form editor allows you to edit cookies, query and post
variables.
When done, click OK to send the request/response to the server/client.
8.6 Editing an HTTP Request without a Trap
If you want to edit a request without setting up an HTTP trap, simply right
click on a request or a response and select Edit with the HTTP Editor. Then
click Start to send the request/response to the server.

9. Authentication Tester Tool
9.1 Introduction
The authentication tester is a tool used to test the strength of passwords
within HTTP or HTML forms authentication environments via a dictionary
attack.
9.2 Testing HTTP Authentication
9.2.1 What is HTTP Authentication?

Screenshot 71 - HTTP authentication
HTTP authentication is part of the HTTP specification. If a site performs
HTTP authentication, then the browser will display a password pop-up dialog
as shown above. With HTTP authentication, the web server validates the
logon against a database of users (with IIS these are local Windows user
accounts and with Apache these are stored in a file).


9.2.2 Testing the Password Strength
1. In the Tools Explorer, select the Tools > Authentication Tester node. In
the Target URL to test edit box, specify the target URL e.g.
www.test.com/login/
2. Select HTTP as the authentication method to be used for the attack.

Screenshot 72 - HTTP based authentication
3. You can use the default dictionaries or specify your own Username and
Password dictionaries. You have to specify the full path to a plain text file
containing the list of usernames or passwords to attempt to login with e.g.
C:\Program Files\Acunetix\Web Vulnerability Scanner 5\Data\General\userlist.txt.
4. Click Start to start the test.



9.3 Testing HTML Form Authentication
9.3.1 What is HTML Forms Authentication?

Screenshot 73 - HTML form login
A logon sequence that implements HTML forms authentication asks the user
for a username and password via a web form, which is then validated on the
server via a custom script, rather than by the web server directly.
You do not need to change the Logon failed if field since the server will return an
HTTP response value of 401 for a failed login. However, if you have configured a
custom error, then you have to enter a different error code in the Logon failed if field.

9.3.2 Testing Password Strength
1. Specify the target URL of the site to be tested for authentication
vulnerabilities e.g. www.test.com/login.php.

Screenshot 74 - HTML form based authentication
2. Select HTML form based as authentication method
3. Now you need to indicate the form fields that represent the Username and
Password fields. Click on the Select button to bring up the form field parser.
This will load the login page at the specified URL, parse it and display the
available fields contained in the target page which can be used to input the
user / passwords.

Screenshot 75 - Specifying HTML Form fields

4. If there are multiple forms on the page, select the form which contains the
relevant authentication.
5. Select the username field from the list of available fields and click on the
Username button at the bottom of the dialog.

6. Select the password field from the list of available fields and click on the
Password button at the bottom of the dialog.

Screenshot 76 - A typical access denied page
7. Now you need to tell Acunetix WVS what constitutes a failed login, so
that it can recognize a successful login. To do this, attempt to log on to the
page so as to generate a login error and write down the text that appears
after the failed logon. In the example in our screenshot, the text that
indicates a failed logon would be "Invalid Login!".

Screenshot 77 - HTML form based authentication - Login has failed if
8. Now in the Login failed if field, select Result body contains and enter the
login failed text. Note that you can also specify a regular expression using the
Result contains Match regex option.
9. Click on the Start button to start the authentication testing process.




If you get an error message 401 Unauthorized, then the authentication method is
HTTP and not HTML forms.

10. HTTP Editor Tool
10.1 Introduction

Screenshot 78 - The HTTP Editor
The HTTP Editor tool allows you to create or edit HTTP requests and analyze
the server response. You can start the HTTP Editor from the Tools > HTTP
Editor node within the Tools Explorer as shown above.
The HTTP Editor is organized into 2 panes: The top pane shows the HTTP
request data and the bottom pane shows the server response data. The
Activity Window is a separate pane and does not relate to the HTTP Editor.


10.2 Editing a Request
By editing the HTTP request of an existing web page, you may start directly
from a valid HTTP request and then modify the request according to your
requirements.
1. Scan/crawl a website or load up a previous crawl in Web Scanner node
(select Web Scanner from the Tools Explorer). Right click on the web page
for which you want to edit the HTTP request and select Edit with HTTP
Editor.

Screenshot 79 - HTTP Editor Headers
2. In the HTTP Editor toolbar, you can edit the following options:
Method - Any one of the standard methods supported by all web servers
(e.g. GET, POST, HEAD, and PUT) or a custom method supported only
by specific web servers (e.g. OPTIONS, TRACE, DELETE).
Protocol - The HTTP protocol version (HTTP/1.0 or HTTP/1.1) to be
used for the request.
URL - Specify the fully qualified URL, including the hostname, of the target
object that you want to request (e.g. http://192.168.0.28/). You can also
specify a relative URL without a hostname and supply the hostname via
the request headers.
3. The request tab shows the headers of the HTTP request. You can edit any
of the headers by specifying the Header name (e.g. Cookie or User-Agent)
and assigning the header text (value) associated to it (e.g. ID=1).
4. To make a request that requires user data apart from the headers (e.g. a
POST request with variables), enter the data in the request headers window.
The variable data can be edited by the variable editor only if it is URL
encoded.


Screenshot 80 - Variable Editor
Click on the Edit query variables button to edit variables in the URL using
the variable editor. Query variables are separated from the URL by a ? and
are encoded in the URL-Encode standard. With the variable editor you can
edit query variables, cookies and other request data. You can add, remove,
URL-encode and URL-decode variables using the buttons in the small toolbar
at the bottom of the variable editor window. Click OK when you have entered
all the variables.
You can supply data other than the URL encoded variables, such as XML
documents for PROPFIND request. Specify the content length and the
content type through the appropriate (content length and content type)
headers. In the case that no content length or type is specified, the HTTP
Editor will use application/x-www-form-urlencoded as the default content
type, whilst the content length is automatically calculated.
5. Use the toolbar at the top of the request page to add and remove request
headers, add cookie variables, open the encoder-decoder tool and/or specify
any HTTP authentication which might be required by the target server
receiving the request.
6. Click the icon to specify HTTP authentication details. Select the
authentication type (NTLM or HTTP Basic) and enter the username and a
password.

Screenshot 81 - Encode/Decode tool

7. Click the encode/decode button to encode-decode any text data that
you want to send with a request or that you got back in response. This tool
can currently make use of two encoding / decoding techniques to convert
plain text data to send in a request. These are Base64 and URL-encoding.
8. After you have finished the request, click Start to request the URL.
10.3 Fine-Tuning Requests and Analyzing Responses
After you have successfully launched the request to the server you can
analyze the server response in the bottom pane of the HTTP Editor. The
server response is shown in the tabs Response headers, Response data,
View Page, and HTML structure analysis.

Screenshot 82 - Response headers tab in the Response pane


10.3.1 Response Headers and Response Data tabs

Screenshot 83 - Response data tab
The Response headers and Response data tabs show the headers and data of
the response.
To search and highlight specific strings contained within the server response
data:
1. Type the string to be searched in the Look for entry point located in the
toolbar on top of the response data window.
2. From the same toolbar, click the button labeled as a to highlight in red the
matching strings present within the response data on display.
3. Click the {Re} button, to toggle between each matching string.
Cookies information sent by the server can be viewed by clicking on the
cookie icon button located in the Last response toolbar.
10.3.2 Text Only Tab

Screenshot 84 - Text only tab
This tab displays the request and the last response received in plain text. You
can make changes to the request by editing the text directly on display.
To search or highlight any specific strings within the request and response
data, use the a and {Re} buttons and follow the same procedure
previously described.
10.3.3 View Page Tab

Screenshot 85 - Browser Page

The view page tab displays the web page without relevant images or CSS.
Clicking on any of the links will display the request of that link in the Request
tab and allows you to easily analyze each request.
10.3.4 HTML Structure Analysis Tab
Using the HTML structure analysis tab you can edit and view links,
comments, client scripts, HTML forms and META tags in the HTML
document.

Screenshot 86 - Document Structure Page

11. HTTP Fuzzer Tool
11.1 Introduction

Screenshot 87 - The HTTP Fuzzer
The HTTP Fuzzer tool allows sophisticated testing for buffer overflows and
input validation. With it, you can create rules to automatically test a range of
variables.
A simple example would be the following URL:
http://testphp.acunetix.com/listproducts.php?cat=1
Using the HTTP Fuzzer you could create a rule which would automatically
replace the last part of the URL (1) with the numbers from 1 to 999. Only
valid results will be reported. This degree of automation allows you to quickly
test the results of 1000 queries while significantly reducing the amount of
manual input.
11.2 Creating a Rule to Automatically Test a Series of Inputs
The utility of HTTP Fuzzer is best explained by using an example. We will
create a rule to test the products section of the Acunetix test website using a
range of values to find out what products are listed in the database.
We will instruct the scanner to automatically replace the variable part of a
URL with a series of values that we specify. In the URL, the last part ?cat=1
is the variable part.
http://testphp.acunetix.com/listproducts.php?cat=1



Gathering an HTTP Request
1. Load a Web Scanner or Site Crawler result from a previously scanned
website.

Screenshot 88 - Copying an HTTP request to the HTTP Fuzzer
2. Right-Click on one of the files in the results tree and select Export to
HTTP Fuzzer. If you already have an HTTP Request, you can go to the
Tools > HTTP Fuzzer node and enter or paste a valid HTTP request into the
Request area of the window directly.

Creating Data Generators
Once you have a valid HTTP Request, you will need to determine the part of
the request that you will be fuzzing. This value will be replaced by a
generator.
To create a generator:
1. Click on the icon from the right part of the HTTP Fuzzer window.

Screenshot 89 - HTTP Fuzzer generator list
The scanner already automatically guesses variable sections of a URL and tries to
extract valid variables. However this exercise is done to illustrate how easy it is for the
scanner to test a range of values.

2. Select the appropriate generator from the drop-down list:
Number generator - This will generate the full range of numbers from a start
number variable to a stop number variable, using the specified increment.
Character generator - This will generate all the ASCII characters
contained between a Start character variable and a Stop character
variable.
File generator - This will feed all the strings from a specified file. In the
file, each variable string should be entered on a new line.
String generator - This will generate all the string combinations with the
characters from a Character set variable of the length specified.
Random string generator - This will generate a specified number of
random strings with the characters from a Character set variable of a
given length.
Character repeater - This will repeat a specified character/string for a
given number of times (commonly used for buffer overflow testing).

Screenshot 90 - HTTP Fuzzer generators
3. Once you selected a generator you will be presented with detailed
information on the generator parameters. You can set these parameters
according to the test you would like to make.


Screenshot 91 - HTTP Fuzzer insert generator
4. After configuring the generator(s), place the text cursor in the specific part
of the HTTP Request where the generator will replace the static value. Select
the static value (e.g. /artists.php?artist=1).
5. Click on the icon to replace the static value with the Generator variable
(e.g. result will be: /artists.php?artist=${artists_id})

Screenshot 92 - HTTP Fuzzer filters
6. Click on the Fuzzer filters button on top to open up the filters dialog. To
use a standard filter, select a predefined rule template from the dropdown list;
otherwise, you can create your own filters by defining the following
parameters:
Rule description - A meaningful name to describe the rule.
Rule Type - Select an Include type or Exclude type of rule.
Apply To - Indicates where to search for the matching expression.
Regular expression - This should contain the regular expression or text
which will be searched to match the rule.
Ensure that the relevant checkboxes are ticked to enable the created filters.
Click the OK button to save the settings and close the dialog.
7. Click on the Start button to initiate the HTTP Fuzzing.


Screenshot 93 - HTTP Fuzzer Results
8. Acunetix WVS will start generating the HTTP requests according to the
filter you created and show the response for each.
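An added Python example (not Acunetix code) of the mechanism this section describes: the six generator types, substitution of a ${name} placeholder into a raw request, the automatic Content-Length recalculation that the HTTP Editor performs (section 10.2), and the Include/Exclude result filters. The request templates, the filter semantics (no Exclude may match; at least one Include must match if any exist) and the /search.php path are assumptions made for this example.

```python
import itertools
import random
import re

# ---- Data generators, one per type listed in section 11.2 ----

def number_generator(start, stop, increment=1):
    """All numbers from start to stop (inclusive) using the given increment."""
    return (str(n) for n in range(start, stop + 1, increment))


def character_generator(start_char, stop_char):
    """Every ASCII character between the start and stop characters."""
    return (chr(c) for c in range(ord(start_char), ord(stop_char) + 1))


def file_generator(lines):
    """Each non-empty line of a wordlist (the file's lines are passed in)."""
    return (line.strip() for line in lines if line.strip())


def string_generator(charset, length):
    """Every string of the given length built from the character set."""
    return ("".join(p) for p in itertools.product(charset, repeat=length))


def random_string_generator(charset, length, count, seed=None):
    """`count` random strings of `length` characters from the character set."""
    rng = random.Random(seed)
    return ("".join(rng.choice(charset) for _ in range(length)) for _ in range(count))


def character_repeater(text, times):
    """A single value: `text` repeated `times` times (buffer-overflow style input)."""
    return iter([text * times])


# ---- Placing generators into the request and producing the fuzzed requests ----

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")   # the ${name} inserted in step 5


def fix_content_length(raw):
    """Recompute Content-Length from the actual body, as the HTTP Editor does
    automatically, so a fuzzed body is never truncated by a stale header."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep or not re.search(r"(?im)^Content-Length:", head):
        return raw
    head = re.sub(r"(?im)^Content-Length:[ \t]*\d*",
                  "Content-Length: %d" % len(body.encode("utf-8")), head)
    return head + sep + body


def expand_request(template, generators):
    """Yield one concrete request per combination of generator values."""
    names = list(dict.fromkeys(PLACEHOLDER.findall(template)))
    pools = [list(generators[name]) for name in names]
    for combo in itertools.product(*pools):
        values = dict(zip(names, combo))
        yield fix_content_length(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))


def passes_filters(response, filters):
    """Fuzzer filters of step 6. `response` maps "status", "headers" and "body"
    to text; only responses that pass would be listed in the results."""
    hits = [(f["type"], re.search(f["regex"], response.get(f["apply_to"], "")) is not None)
            for f in filters if f.get("enabled", True)]
    if any(kind == "exclude" and hit for kind, hit in hits):
        return False
    includes = [hit for kind, hit in hits if kind == "include"]
    return not includes or any(includes)


# Constructed samples: the GET from the manual's example URL, and a POST whose
# body is fuzzed with a character repeater (the /search.php path is made up).
GET_TEMPLATE = ("GET /listproducts.php?cat=${cat} HTTP/1.1\r\n"
                "Host: testphp.acunetix.com\r\n\r\n")
POST_TEMPLATE = ("POST /search.php HTTP/1.1\r\nHost: testphp.acunetix.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 0\r\n\r\nsearchFor=${term}")
FILTERS = [
    {"type": "include", "apply_to": "status", "regex": r"^200"},
    {"type": "exclude", "apply_to": "body", "regex": r"No products"},
]
```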



12. Web Services Scanner
12.1 Introduction
Many organizations are implementing the Web Services architecture to
increase the availability of information and to improve the execution of
processes over the internet. Web Services, like any other internet-dependent
system, present new exploit possibilities and increase the need for security
audits. The Web Services Scanner allows you to perform automated
vulnerability scans of Web Services and to generate a detailed security
report from the results.
12.2 Starting a Web Service Scan
The best way to start a scan is to use the Web Services Scan Wizard which
provides a series of steps to ask for the required details and configuration to
be used during the scan.

Screenshot 94 - Web Services Scan Wizard

1. In the Acunetix WVS Tools Explorer select the Web Services > Web
Services Scanner node to access the scanner.
2. Click the New Scan button in the toolbar to launch the Web Services
Scan Wizard.
3. Select an online or local WSDL and choose a scanning profile. Click on
Next to proceed to the next step.



Screenshot 95 - Web Services Scan Wizard Selection
4. Select the Web Services, Port Types and Methods you would like to scan.
This can be done by using the tick boxes for selection. Click on Next to
proceed to the next step.

Screenshot 96 - Web Services Scan Wizard Values
5. Enter specific input types for the scanner to use custom values during the
scan. Entering values at this stage is optional. Click on Next to proceed to
the next step.


Screenshot 97 - Web Services Scan Wizard Summary
6. This step shows a summary of the WSDL that will be scanned together
with all the options selected. Click Finish to launch the scan.

12.3 Analyzing Results
Once the Web Services Scan is finished, a set of results will be shown on
screen in the form of a tree structure with nodes and sub-nodes.

Screenshot 98 - Web Services Scan Results

In the scan results panel of WVS the vulnerabilities are grouped according to
their vulnerability class, with each class containing the pages which have
been discovered to be exploitable. Expanding a class reveals the
vulnerable pages with every variant of the exploit which WVS has tested.
The activity window at the bottom of the screen allows you to see a detailed
verbose log of the entire scan process and also any errors which the Web
Services scan might have encountered.


Screenshot 99 - Web Services Scan Result Details
Clicking on each node will allow further analysis of the vulnerability in the info
panel on the right hand side. Without using the Reporter it is possible to read
about the vulnerability and how it may be exploited on the page, the attack
details including the request and response exchanged between WVS and the
server, and also the detailed remediation techniques for securing the page.

Screenshot 100 - Web Services Scan Result Report Button
The Web Services scanner allows you to quickly generate a report of the
results by clicking the Report button in the scanner toolbar. This will launch
the Reporter, which will automatically generate the default report without
needing further configuration. For more information about the Reporter you
can refer to page 105 of this manual.


Screenshot 101 - Web Services Scan Report








13. Web Services Editor
13.1 Introduction
The Web Services Editor allows you to import an online or local WSDL for
custom editing and execution of various web service operations over different
port types, for an in-depth analysis of WSDL requests and responses. The
editor also features syntax highlighting for all languages to make it easy to edit
SOAP headers and customize your own manual attacks.

13.2 Using the Web Services Editor
Editing and sending Web Services SOAP messages is very similar to editing
normal requests sent via the HTTP Editor.
Importing a WSDL and Sending a Request
1. In the Acunetix WVS Tools Explorer select the Web Services > Web
Services Editor node.
2. Enter the URL of the WSDL or locate the local directory, and click Import.

Screenshot 102 - Web Services Editor
3. In the Editor Tab select the Service and Port types and the function which
will be used to perform the Operation. After you finish selecting the settings,
click Send.
The editor will build the SOAP request as defined by the operation, and
display the server response in a structured or XML view type.



Response Tab
This tab allows you to accurately view and analyze the web service response
data in the raw XML format.

Screenshot 103 - Web Services Editor: Response Tab

Structured Data Tab
This tab presents the XML data in a different way by showing the elements in
a hierarchy of nodes showing the value for each element.

Screenshot 104 - Web Services Editor: Structured Data Tab

WSDL Structure Tab
This tab provides a very detailed and structured view of the web service data
as provided by the WSDL Structure.


Screenshot 105 - Web Services Editor: WSDL Structure Tab
The WSDL information is structured in the form of nodes and sub-nodes so
that it is easy to understand and analyze the data. The main nodes of the tree
structure are XML Schema and Services.
The XML Schema node lists all the ComplexTypes and the Elements of the
web service. The Services node lists all the web service ports and their
respective operations together with the resource details of the source of the
SOAP data.

Screenshot 106 - Web Services Editor: WSDL Structure Tab Detailed
If needed, a more detailed WSDL structure can also be shown by ticking the
Show detailed WSDL structure box at the bottom of the screen. This will
provide extensive information for each sub-node of the Services node
structure, such as input messages and parameters.
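An added Python example (not Acunetix code) that builds the same XML Schema and Services tree the WSDL Structure tab shows, from a constructed sample WSDL: complex types and elements under XML Schema, and under Services each port's endpoint address and its operations with their input/output message parts. The service, namespace and endpoint in the sample are made up for this example.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"


def local(qname):
    """Strip a namespace prefix such as tns: from a QName attribute value."""
    return (qname or "").split(":", 1)[-1]


def wsdl_structure(wsdl_text):
    """Return the two top-level nodes of the WSDL Structure tab: "xml_schema"
    (complex types and elements) and "services" (ports with their operations)."""
    root = ET.fromstring(wsdl_text)
    schema = {"complex_types": [], "elements": []}
    for ct in root.iter(XSD + "complexType"):
        fields = [(e.get("name"), local(e.get("type"))) for e in ct.iter(XSD + "element")]
        schema["complex_types"].append({"name": ct.get("name"), "fields": fields})
    for el in root.findall(WSDL + "types/" + XSD + "schema/" + XSD + "element"):
        schema["elements"].append((el.get("name"), local(el.get("type"))))

    # message name -> [(part name, element or type)]
    messages = {m.get("name"): [(p.get("name"), local(p.get("element") or p.get("type")))
                                for p in m.findall(WSDL + "part")]
                for m in root.findall(WSDL + "message")}
    port_types = {}
    for pt in root.findall(WSDL + "portType"):
        ops = {}
        for op in pt.findall(WSDL + "operation"):
            inp, outp = op.find(WSDL + "input"), op.find(WSDL + "output")
            ops[op.get("name")] = {
                "input": messages.get(local(inp.get("message"))) if inp is not None else None,
                "output": messages.get(local(outp.get("message"))) if outp is not None else None,
            }
        port_types[pt.get("name")] = ops
    # a port references a binding, and the binding names the port type
    bindings = {b.get("name"): local(b.get("type")) for b in root.findall(WSDL + "binding")}
    services = []
    for svc in root.findall(WSDL + "service"):
        ports = []
        for port in svc.findall(WSDL + "port"):
            addr = port.find(SOAP + "address")
            ports.append({
                "name": port.get("name"),
                "location": addr.get("location") if addr is not None else None,
                "operations": port_types.get(bindings.get(local(port.get("binding"))), {}),
            })
        services.append({"name": svc.get("name"), "ports": ports})
    return {"xml_schema": schema, "services": services}


# Constructed sample WSDL (not a real service) with one document-style operation
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="ProductService" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.invalid/products"
    targetNamespace="http://example.invalid/products">
  <types>
    <xsd:schema targetNamespace="http://example.invalid/products">
      <xsd:complexType name="Product"><xsd:sequence>
        <xsd:element name="id" type="xsd:int"/>
        <xsd:element name="name" type="xsd:string"/>
      </xsd:sequence></xsd:complexType>
      <xsd:element name="GetProductRequest" type="xsd:int"/>
      <xsd:element name="GetProductResponse" type="tns:Product"/>
    </xsd:schema>
  </types>
  <message name="GetProductIn"><part name="body" element="tns:GetProductRequest"/></message>
  <message name="GetProductOut"><part name="body" element="tns:GetProductResponse"/></message>
  <portType name="ProductPortType">
    <operation name="GetProduct">
      <input message="tns:GetProductIn"/><output message="tns:GetProductOut"/>
    </operation>
  </portType>
  <binding name="ProductBinding" type="tns:ProductPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetProduct"><soap:operation soapAction="GetProduct"/></operation>
  </binding>
  <service name="ProductService">
    <port name="ProductPort" binding="tns:ProductBinding">
      <soap:address location="http://example.invalid/products/soap"/>
    </port>
  </service>
</definitions>"""
```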

WSDL Tab
This tab shows the actual WSDL data in the form of XML tags. Using the
toolbar provided at the bottom of the screen you can search for certain
keywords or elements in the source code and also change the syntax
highlighting if needed.

Screenshot 107 - Web Services Editor: WSDL Tab


13.3 HTTP Editor Export Feature
The Web Services Editor is very useful for editing and customizing SOAP
requests, however the tool also gives you the option to export a SOAP
request to the HTTP Editor for it to be sent as an HTTP Post request.
1. In the Acunetix WVS Tools Explorer select the Web Services > Web
Services Editor node
2. Enter the URL of the WSDL or locate the local directory, and click Import.

Screenshot 108 - Web Services Editor: HTTP Editor Export
3. Once the WSDL is imported, click the HTTP Editor button in the Web
Services Editor toolbar to export the SOAP request.

Screenshot 109 - Web Services Editor: HTTP Editor View


4. The HTTP Editor tool will automatically import the data and you can now
customize and send the SOAP request as an HTTP POST request by
clicking on the Start button.
5. Once the response comes back from the web server, the response data is
presented in the tabs, where it can be further analyzed.


Screenshot 110 - Web Services Editor: HTTP Editor Response Data Tab



14. Compare Results Tool
14.1 Introduction
The compare results tool allows you to analyze the differences between 2
scans performed at different dates. You can compare a full security scan or
just the site crawler output.
To compare results you need to save the scan results to a scan file using the
save scan results function in the file menu.
14.2 Comparing Results
To compare scan results:
1. Go to the Tools > Compare results node.

Screenshot 111 - Compare Results Toolbar
2. In the compare results toolbar, specify the file of the first scan results in the
first edit box and the other scan results file in the other edit box. The selected
files must both be of the same type i.e. must both contain scan results or
crawler results.

Screenshot 112 - Compare settings dialog

3. Click on the compare button, to launch the compare results wizard.
Now specify which items you want to compare by enabling/disabling the tick
box next to the relevant item.
4. You can save the list of items that you wish to compare by specifying a
new template name and clicking on the save button.
5. Click Finish to start the compare process.




For large websites, the file structure comparison process may take a long time to
complete.

14.3 Analyzing the Results Comparison

Screenshot 113 - Comparison results display window
After the comparison has completed, the results are shown in a two-pane
interface with a column down the middle. The left pane contains the contents
of the original scan while the right hand side pane contains the results of the
more recent scan. The middle column shows icons indicating the comparison
result of the items in that line. The possible comparison results are:
There are no changes.
This item was added in the new version.
This item was deleted from the new version.
This item was changed in the new version.

The column either shows that an item was added, deleted or changed. The
legend of possible comparison results is shown above.


Screenshot 114 - Comparison Results details
Click on the result icon in the middle column to display the comparison result
details. These details show the changes detected between the two scans
such as the number of items present in each scan and the items that have
been added or deleted.
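An added Python example (not Acunetix code) of the comparison logic of this section: two result sets keyed by item (paths for crawler output, vulnerability-class/page pairs for scan output, as section 14.2 allows either) are classified into the four legend outcomes, and a details view gives the item count of each scan and what was added, deleted or changed. The sample crawl and scan contents are constructed.

```python
import hashlib

# Legend outcomes of the middle column (section 14.3)
UNCHANGED, ADDED, DELETED, CHANGED = "unchanged", "added", "deleted", "changed"


def fingerprint(item):
    """Stable digest of an item's recorded attributes, so that "changed"
    means any recorded attribute differs between the two scans."""
    canonical = "|".join("%s=%s" % (k, item[k]) for k in sorted(item))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_results(original, recent):
    """Return {item key: legend outcome} for every item in either result set.
    Both sets must be of the same type (both crawls or both scans)."""
    outcome = {}
    for key in sorted(set(original) | set(recent)):
        if key not in original:
            outcome[key] = ADDED
        elif key not in recent:
            outcome[key] = DELETED
        elif fingerprint(original[key]) != fingerprint(recent[key]):
            outcome[key] = CHANGED
        else:
            outcome[key] = UNCHANGED
    return outcome


def comparison_details(original, recent):
    """The details view: items present in each scan and the added, deleted
    and changed lists. For scan results, "deleted" means a resolved finding."""
    verdicts = compare_results(original, recent)
    return {
        "items_in_original": len(original),
        "items_in_recent": len(recent),
        "added": [k for k, v in verdicts.items() if v == ADDED],
        "deleted": [k for k, v in verdicts.items() if v == DELETED],
        "changed": [k for k, v in verdicts.items() if v == CHANGED],
    }


# Constructed samples: crawler output keyed by path (status code and length),
# and scan output keyed by (vulnerability class, page).
CRAWL_MAY = {"/": {"status": 200, "length": 4120},
             "/login.php": {"status": 200, "length": 980},
             "/old.php": {"status": 200, "length": 300}}
CRAWL_JUNE = {"/": {"status": 200, "length": 4120},
              "/login.php": {"status": 200, "length": 1010},
              "/admin/": {"status": 403, "length": 210}}
SCAN_MAY = {("SQL injection", "/listproducts.php"): {"parameter": "cat"},
            ("Cross site scripting", "/search.php"): {"parameter": "q"}}
SCAN_JUNE = {("Cross site scripting", "/search.php"): {"parameter": "q"},
             ("Directory listing", "/images/"): {"parameter": ""}}
```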
14.4 Modify/Delete Template Items
To modify templates of items to compare:
1. Launch the compare results dialog by clicking on the compare button.
2. Select the template to be modified from the dropdown list at the top of the
dialog and make the necessary changes.
3. Click on the Save button, located on the right of the template
name/dropdown to store these changes.

15. The Reporter
15.1 Introduction to the Reporter
The Reporter Application is a separate application which provides
extensive functionality. It can also be launched directly from Acunetix WVS
once a scan is complete to generate on-the-fly reports according to the
chosen default template.
Different reporting templates can be used to categorize scan results
according to vulnerability-class, affected pages, general exploit summary,
comparison and statistical analysis, and to present exploit details as specified
by several compliance standards.
The Reporter Application also allows you to view and manage the scan
database and other existing reports.


Screenshot 115 - The Reporter Application
15.2 Launching the Reporter
The Reporter may also be used as a stand-alone tool. When installing
Acunetix WVS a desktop shortcut is created for the Reporting Application,
this allows the tool to be launched without requiring Acunetix WVS to be
running.
It is also possible to launch the Reporter as a stand-alone tool by selecting Tools
> Reporter in the application or from the Reporter icon on the Acunetix WVS
toolbar.


Screenshot 116 - Reporter Icon on WVS Toolbar
15.3 Report Styles and Templates
Developer Report
The developer report style groups the scan results according to the affected
pages and files. This creates an easy workflow for the developer to quickly
identify and resolve vulnerabilities detected on the site. This report style also
features detailed remediation examples and best-practice recommendations
for securing the vulnerable items.

Screenshot 117 - Developer Report

Executive Report
The Executive report creates a summary of the total number of exploits found
in every vulnerability class. This makes it ideal for management to review the
results without needing to include unnecessary technical detailing.


Screenshot 118 - Executive Report

Vulnerability Report
The Vulnerability report style presents a technical summary of the scan
results and groups all the exploits according to their vulnerability class. Each
vulnerability class contains information about the exposed pages, the attack
headers and the specific test details.

Screenshot 119 - Vulnerability Report

Scan Comparison Report
The Scan Comparison report template allows the user to document the
changes tracked between 2 sets of scan results. This report will document
resolved and unchanged exploits, and new vulnerability details. This report
style makes it easy to periodically track development changes for a web
application.

Screenshot 120 - Comparison Report
Statistical Reports
This set of reporting templates allows you to gather exploit information from
the results database and present the information for periodical vulnerability
statistics. This report style is particularly suitable for both developers and
management to track security changes and to compile trend analysis reports.

Screenshot 121 - Statistical Report
Compliance Reports
This group of report styles allows you to generate a report according to the
various compliance standard specifications. An easy to use wizard will
prioritize and report specific vulnerabilities and exploits according to the
standardized format as specified by the following compliance bodies:
the Health Insurance Portability and Accountability Act (HIPAA), OWASP
2004 Top 10, OWASP 2007 Top 10, Payment Card Industry (PCI) standards,
the Sarbanes-Oxley Act of 2002, and the Web Application Security Consortium
Threat Classification.

Screenshot 122 Compliance Report

15.4 Generating a Report
It is fast and easy to create on-the-fly reports from your scan results by using
the one-click Report button directly from the Web Scanner toolbar. This will
instantly generate the configured default report-type from the scan results.
(Refer to section 1.7 for default report settings)


Screenshot 123 Generate Report Button

As a stand-alone tool, the Reporter offers extensive functionality for creating
different reports. The packaged templates allow you to launch the specific
wizard for a selected report-style, and to quickly present your scan results
into the desired format.
Single Scan Report Wizard
1. Click on one of the Single Scan Template sub-nodes from the
Tools Explorer panel to select Developer, Executive Summary or
Vulnerability Report.

2. Click on the Report Wizard button. This opens up the Single Scan
Report Wizard.
3. Configure the report filter to identify specific results, or leave the
default selection to display all scan results and click Next.
4. Select the specific scan from the chronologically organized list
and click Next.
5. Select the desired report content properties, and click Generate.
Comparison Wizard
1. Click on the Scan Comparison sub-node under the Comparison
Templates node from the Tools Explorer panel.
2. Click on the Report Wizard button. This opens up the Comparison
Report Wizard.
3. Configure the report filter to identify specific results, or leave the
default selection to display all scan results and click Next.
4. Select the scan from the chronologically organized list to be used
for the comparison and click Next.
5. Select the second scan from the chronologically organized list, which
will be compared with the first scan previously selected, and click
Next.
6. Select the desired report content properties, and click Generate.
Statistical Templates
1. Select one of the statistical template sub-nodes under the
Statistical Templates node to choose Yearly, Monthly or Weekly
Vulnerability statistical reports.
2. Select the Report Wizard button. This opens up the Report
Properties for the selected statistical template.
3. Configure the time-frame for which you need the results to be
grouped by specifying the month and year for which you require the
statistics.
4. Click Generate to create the report.
Compliance Templates
1. Select Compliance Report sub-node under the Compliance
Templates node from the Tools Explorer.
2. Select the Report Wizard button. This opens up the Compliance
Report Wizard.
3. Select the specific compliance standard from the list. A detailed
description of the selected compliance is provided in the bottom part
of the wizard. Click Next to proceed to the next step.


Screenshot 124 Compliance Report Wizard

4. Configure the report filter to identify specific results, or leave the
default selection to display all scan results and click Next.
5. Select the scan from the chronologically organized list and click
Next.
6. Click Generate to create the specified report.

15.5 The Report View
Once the selected report is generated it can be immediately viewed from
within the Reporter.
The report view provides further options to save, export, and print the report,
or to search for specific data within the report.


Screenshot 125 Reporter Toolbar
Print - Brings up the printing dialog where you can select a printer and
print the current report in view.
Open - Opens a saved report file (report files have the PRE extension).
Save - Saves the current report in view as an Acunetix report file (PRE).
Export - Export your report to one of the supported output formats: PDF,
RTF, HTML, BMP or TXT.
Document Map - Shows/hides the document map panel.
Find - Search for specific text within the report.
Zoom Out
Zoom In
15.6 WVS Database
The Reporter can also be used to view the database of scan results. Through
the Reporter database view it is easy to select a specific scan, and generate
a report straight from the database.
The database view can also be used to remove unnecessary data and to
reduce the overall database size when necessary.

Screenshot 126 Reporter Database View

15.7 The Reporter Settings
The Reporter settings allow you to configure the tool and the way it displays
reports through two settings groups.
Report Options
This configuration screen consists of two sections which can be used to
customize the layout, titles and images in the headers of the report
General Settings - Configure the default report style when generating a
report directly from Acunetix WVS.
Report Options - Select custom icons, logos, headers and footers to
customize the report.
You can use these settings to change the report layout to suit your needs and
also to brand them for your own company. These customizations are mostly
used by consultants who would generate the reports from scan results done
by WVS to rebrand them with their own company logos and images.
These settings are general default settings and will be used for all the reports
generated with the WVS Reporter.


Screenshot 127 Reporter Settings: Report Options

Page Settings
The page settings allow you to configure the default page size, orientation
and border dimensions of your reports. These settings are general default
settings and will be used for all the reports generated with the WVS Reporter.


Screenshot 128 Reporter Settings: Page Settings

16. Command Line Support
16.1 Introduction
Command Line support provides a command line interface that gives you the
power of Acunetix WVS without accessing the usual graphical user interface.
It allows you to use WVS directly from a command prompt and through batch
files and script languages thereby allowing you to automate repetitive tasks.
A comprehensive set of command line parameters gives you precise control
over the most important features of Acunetix WVS.
Scanning a website through WVS Command Line is faster than going
through the user interface since the command line concentrates on
performing the scan rather than displaying real-time scan results.


16.2 Locating the WVS Command Line Executable
The WVS Command Line Executable is installed with Acunetix WVS and can
be accessed from the default installation folder of the application. The default
location is:
C:\Program Files\Acunetix\Web Vulnerability Scanner 5\wvs_console.exe
If the executable is run without parameters, usage information is presented
together with all the details of every parameter and option accepted by the
console application for your quick reference.

Screenshot 129 WVS Command Line Help


16.3 Command Line Parameters and Options
The Acunetix WVS Command Line supports many of the graphical user
interface options and allows the same degree of customization and flexibility
via a set of supported command line parameters and options.
WVS Command Line supports the following Usage Parameters:

Parameter - Description
/scan [url] - Scan a single website, where [url] is the full URL of the
website you want to scan.
/crawl [url] - Crawl a single website, where [url] is the full URL of the
website you want to crawl.
/scanfromcrawl [file] - Start a scan from a saved crawl [file].
/scanlist [file] - Scan a group of websites defined in a text file, where
[file] is the name of the text file containing the list of websites you
want to scan.
/scanwsdl [wsdlurl] - Start a web services scan from a [wsdlurl].



WVS Command Line supports the following Parameters:

Parameter - Description
/profile [profilename] - Use the specified profile during scanning, where
[profilename] is the name of the saved profile.
/loginseq [filename] - Use the specified login sequence, where [filename] is
the name of the saved login sequence.
/save [filename] - Save results to a file, where [filename] is the name of
the file to save the results as.
/exportxml [filename] - Export results as XML, where [filename] is the name
of the XML file to export to.
/exportavdl [filename] - Export results as AVDL, where [filename] is the
name of the file to export to.
/savetodatabase - Save results to the database.
/savelogs [filename] - Save logs to a file, where [filename] is the name of
the log file to save the logs to.
/generatereport [dir] - Save the report of a scan directly to the [dir] given.
/sendmail - When a scan finishes, an email will be sent using the details
configured in the scheduler settings.
/verbose - Enable verbose mode.
/usage - Show usage information.

A URL must be passed to the command line executable and therefore one of the
usage parameters must be used. Other parameters and options can be passed to the
WVS Command Line.

WVS Command Line supports the following Options:

Option - Description
--GetFirstOnly=[true|false] - Get only the first URL. This can be set to
either true or false.
--RestrictToBaseFolder=[true|false] - Do not fetch anything above the start
folder. This can be set to either true or false.
--FetchSubdirs=[true|false] - Fetch files below the base folder. This can
be set to either true or false.
--ForceFetchDirindex=[true|false] - Fetch directory indexes even if not
linked. This can be set to either true or false.
--UseHTTPAuthentication=[true|false] - Use HTTP authentication. This can be
set to either true or false.
--AuthUser=username - HTTP authentication username. The username passed
with this option will be used with an NTLM login on the website.
--AuthPass=password - HTTP authentication password. The password passed
with this option will be used with an NTLM login on the website.
--SubmitForms=[true|false] - Submit forms. This can be set to either true
or false.
--RobotsTxt=[true|false] - Retrieve and process robots.txt. This can be set
to either true or false.
--CaseInsensitivePaths=[true|false] - Use case insensitive paths. This can
be set to either true or false.
--UseCSA=[true|false] - Analyze JavaScript. This can be set to either true
or false.
Apart from the usage parameters, all other parameters and options are
optional and can be omitted when calling the command line executable.
When the optional parameters and options are not specified, the default
graphical user interface settings will be used.



16.4 Reporter Command Line


Screenshot 130 Reporter Command Line Help



16.5 Command Line Examples
Here are some examples on how to launch a scan via the command line to
help you understand better how this console application works.
Example 1
Here is a sample command which you can use to start a scan on the website
http://testphp.acunetix.com and save the results to the file output.wvs:
wvs_console.exe /scan http://testphp.acunetix.com /save output.wvs
Example 2
In this example a scan on the website http://testasp.acunetix.com is started
and the results of the crawl are saved to the file testasp.wvs and also saved
to the database. The login sequence testasp login will be used. While
performing the scan verbose and usage information will also be shown.
wvs_console.exe /scan http://testasp.acunetix.com /save testasp.wvs /profile default /loginseq testasp login /verbose /savetodatabase
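The examples above are typed by hand; when the console is driven from a script, it pays to validate the command line before launching it. The following is an added Python example (not code shipped with Acunetix WVS) that assembles a wvs_console.exe argument list from the parameters and options listed in section 16.3, enforces that exactly one usage parameter is present and that boolean options carry true/false, and reproduces Example 2 as an argv list. The executable path is the default from section 16.2, and passing the login sequence name "testasp login" as a single argument is an assumption about how the console parses its arguments.

```python
"""Assemble and validate a wvs_console.exe command line.

Added example for the Acunetix WVS 5 manual, section 16.3; it is not code
shipped with the product.  Parameter and option names come from the manual's
tables; the executable path is the default install location from section 16.2.
"""
import subprocess
from typing import Dict, List, Optional

WVS_CONSOLE = r"C:\Program Files\Acunetix\Web Vulnerability Scanner 5\wvs_console.exe"

# Usage parameters: exactly one is required, it supplies the URL or input file.
USAGE_PARAMS = {"scan", "crawl", "scanfromcrawl", "scanlist", "scanwsdl"}
# Parameters that take a value ("/save output.wvs").
VALUE_PARAMS = {"profile", "loginseq", "save", "exportxml", "exportavdl",
                "savelogs", "generatereport"}
# Parameters that take no value ("/verbose").
FLAG_PARAMS = {"savetodatabase", "sendmail", "verbose", "usage"}
# Crawler options written as --Name=true|false.
BOOL_OPTIONS = {"GetFirstOnly", "RestrictToBaseFolder", "FetchSubdirs",
                "ForceFetchDirindex", "UseHTTPAuthentication", "SubmitForms",
                "RobotsTxt", "CaseInsensitivePaths", "UseCSA"}
# Crawler options that carry free text.  --AuthPass places the HTTP password
# in the process command line, where other local users can read it; a saved
# login sequence (/loginseq) keeps the credential out of process listings.
TEXT_OPTIONS = {"AuthUser", "AuthPass"}


def build_command(usage: Dict[str, str],
                  params: Optional[Dict[str, Optional[str]]] = None,
                  options: Optional[Dict[str, object]] = None,
                  exe: str = WVS_CONSOLE) -> List[str]:
    """Return the argv list for wvs_console.exe; raise ValueError on misuse.

    Order: exe, usage parameter, parameters, options, matching the manual's
    own examples.  Dict insertion order is preserved (Python 3.7+).
    """
    params = params or {}
    options = options or {}
    if len(usage) != 1 or not USAGE_PARAMS.issuperset(usage):
        raise ValueError("exactly one usage parameter is required: "
                         + ", ".join("/" + p for p in sorted(USAGE_PARAMS)))
    argv = [exe]
    for name, value in usage.items():
        argv += ["/" + name, value]
    for name, value in params.items():
        if name in VALUE_PARAMS:
            if not value:
                raise ValueError(f"/{name} requires a value")
            # One argv element even when it contains spaces, e.g. the login
            # sequence "testasp login" (assumption about the console's parsing).
            argv += ["/" + name, value]
        elif name in FLAG_PARAMS:
            if value is not None:
                raise ValueError(f"/{name} takes no value")
            argv.append("/" + name)
        else:
            raise ValueError(f"unknown parameter /{name}")
    for name, value in options.items():
        if name in BOOL_OPTIONS:
            if not isinstance(value, bool):
                raise ValueError(f"--{name} must be True or False")
            argv.append(f"--{name}={'true' if value else 'false'}")
        elif name in TEXT_OPTIONS:
            argv.append(f"--{name}={value}")
        else:
            raise ValueError(f"unknown option --{name}")
    return argv


def validation_error(usage, params=None, options=None) -> Optional[str]:
    """Return the ValueError message build_command would raise, or None."""
    try:
        build_command(usage, params, options)
    except ValueError as exc:
        return str(exc)
    return None


def example_2() -> List[str]:
    """The manual's Example 2 from section 16.5, expressed as an argv list."""
    return build_command(
        {"scan": "http://testasp.acunetix.com"},
        {"save": "testasp.wvs", "profile": "default",
         "loginseq": "testasp login", "verbose": None, "savetodatabase": None},
    )


def run(argv: List[str], dry_run: bool = True):
    """Run the scan (Windows host with WVS installed) or echo argv when dry_run."""
    if dry_run:
        return " ".join(argv)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(run(example_2()))
    print(run(build_command({"scanlist": "sites.txt"},
                            {"exportxml": "results.xml"},
                            {"RestrictToBaseFolder": True, "RobotsTxt": False})))
```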







17. Scheduler
17.1 Introduction
The scheduler application ensures enhanced flexibility and automation when
launching all types of scans including concurrent and/or sequential scans of
single or multiple websites.
Schedule such tasks as automated web crawling and scanning at a time
most convenient to you. Tasks may be run daily, weekly, monthly, at certain
times and/or continuously within a queue.
Scheduling runs as a background service with the related management
console enabling users to fully and easily configure scanning, crawling,
logging and saving of results features. Relevant schedule logs provide users
with detailed information on the scheduled queues.
Neither the WVS nor the Scheduler management console need to be running
for the scans to launch at the scheduled time and, thus, no user intervention
would be required.


17.2 The Scheduler Management Console
You can access the Schedule Management Console by clicking on the
Scheduler Icon on the toolbar in the main program interface.


Screenshot 131 The Main Toolbar
The Scheduler may also be launched directly without having to start Acunetix
WVS through a shortcut found in the Acunetix Folder within the Windows
Program Manager:
Start > All Programs > Acunetix Web Vulnerability Scanner 5 > Acunetix
Web Vulnerability Scanner Scheduler

Screenshot 132 Acunetix WVS Scheduler
The main console is divided horizontally in two panels:
- The top panel contains a structured list or tree of queues containing the
websites to be scanned at specified scheduled times. Each item in the tree
can be configured separately.
- The bottom panel contains a detailed log of the scheduling service
containing information on the service itself and also on each of the launched
queues.

Scheduler Toolbar

Screenshot 133 The Scheduler Toolbar

The scheduler toolbar can be used to:
Add a Scheduled Scan - This is used to open the Add Scheduled Scan
dialogue.
Settings - This opens the Settings dialogue, which gives you the option to
start the Scheduler Management Console upon launching Windows and to
minimize the Console to the system tray (this is a default setting).

Email Notifications - This tab provides the configuration for email
notification to be used when a scheduled scan finishes.


Start/Stop Service - Clicking this button yields a dropdown menu used to
start or stop the scheduler service running in the background.

Service is Running/Service is Not Running - Found on the toolbar of the top
panel of the Management Console, this text indicates whether the scheduler
service is started or not.

Scheduler Log Toolbar

Screenshot 134 The Scheduler Log Toolbar
The log toolbar on the lower panel of the Management Console is used to
filter what is shown in the log pane.
Show/Hide Debug Logs - Show or hide any debug information from the log
pane. Debug logs are usually needed in case of any application errors.
Show/Hide Info Logs - Show or hide any information logs from the log pane.
Information logs are used to show the progress of queues.
Show/Hide Warn Logs - Show or hide any warning logs from the log pane.
Warning logs are used to show any warnings that occurred during the
progress of queues.
Show/Hide Error Logs - Show or hide any error logs from the log pane. Error
logs are used to show any errors that occurred during the progress of
queues.
Show/Hide Timestamps - Show or hide the Timestamps column in the log pane.
Filter Logs - Filter the logs to show only the log entries containing the
text typed in the adjacent field.
Clear Logs - Clear the logs. This is an irreversible operation which will
erase all the log data.
Save Logs to File - Save the current log to a file.


17.3 Creating a Schedule
1. Open the Scheduler Interface Console.
2. Click on the Add scheduled Scan button to open the Add Scheduled
Scan dialogue.


Screenshot 135 Scheduler Add Scan Dialogue
3. To create a queue, enter an appropriate name in the field provided
adjacent to the radio button Create a new queue named. Example: Test
Queue 1 or Weekly Live Website Scan.
4. Select the scheduled recurrence of the queue from: Once, Every Day,
Every Week, Every Month or Continuous.
5. Select the specific time of the recurrence. (This option might not be fully
customizable depending on the type of recurrence configured.)
6. A scan target may be configured by:
- Entering the target application/web service URL
- Selecting a text file with a pre-defined list of URLs
- Importing a set of saved crawl results (*.cwl)
7. Select the specific scanning profile that you want to be scanned for this
specific queue. Scanning profiles can be customized from the WVS main
interface. For more information on Scanning Profiles please refer to page 153
of this manual.
8. Choose any login sequences that you want to execute prior to the scan.
Login sequences have to be recorded and saved from the WVS main
interface.
9. If you wish to save the results to a scan results file you can tick the option
Save scan results to and type in the name of the file you want to save the
scan results to.

10. Click on the OK button to save the scheduled queue.
To add the scan to an existing queue, tick the radio button Enqueue to an
existing queue; a drop-down list then appears with all the queues already
created in the scheduler.
To set other advanced options to the scheduled queue, you can switch to the
Advanced tab in the Add scheduled scan dialogue.


Screenshot 136 Scheduler Add Scan Dialogue Advanced Settings

The options in this tab allow you to customize the crawling settings with the
same flexibility as the WVS main interface. The option to save the logs for
later reference is also available from here.



18. Configuring Acunetix WVS
18.1 Introduction

Screenshot 137 - Configuration Settings
The Acunetix WVS may be configured to control such options as LAN
settings, scanning profiles, database backend to use, and more.

By clicking on Configuration in the Tools Explorer you will see 2 main
configuration nodes called Settings and Scanning Profiles.


18.2 Settings: Application Settings > General
The Settings Node allows you to configure general settings for Acunetix
WVS such as Update settings, HTTP general settings and HTTP requests.
Click on Configuration > Settings in the Tools Explorer to display the
Settings Interface with a set of configurable options as seen below.

Screenshot 138 - General Application Options
Updates
Updates URL - The location for new vulnerability definitions.
Check for updates - Specify when to automatically check for new
vulnerability definitions.

HTTP General
User agent string - Configure how Acunetix WVS should identify itself to
the web server.
File size limit in kilobytes - Maximum file size accepted by the crawler.
Files larger than this value will not be crawled.
HTTP request timeout in seconds - If no HTTP response is received within
this interval, the request is cancelled and a timeout warning is displayed
in the activity window.
Display custom HTTP status information - Display the full HTTP status line
header and the corresponding status string.
HTTP Tuning
Maximum number of parallel connections - Sets the limit on the number of
simultaneous connections made to a target site. If overloaded with parallel
requests, some target servers might crash or return incorrect results.
HTTP request queue execution frame - Number of requests queued for
execution.
Delay between consecutive requests group - Delay between two execution
queues (in milliseconds).
Default schemes - Select one of the predefined HTTP tuning schemes (e.g.
there is one for the Internet and one for a local intranet). Selecting a
scheme modifies the values of the previous settings (Maximum number of
parallel connections and the rest).



Changes applied in the HTTP section are only enabled on the next restart of
Acunetix WVS.
These settings control how the application sends requests to the server.
Please modify them carefully because these settings may cause the
application to flood the server with requests and may even crash your
server or return incorrect results.

Password Protection
This section gives you the possibility to configure a password to restrict
access to the WVS main application and all the WVS applications including
the Reporter, Vulnerability Editor and Scheduler.
When a password is configured in this section, every time a WVS application
is launched, the password dialog is presented where you can enter the
password to access the application.


Screenshot 139 - General Application Options Password Protection

Once a password has been set in WVS, the next time and all subsequent times
that you launch the product or any of its supporting applications, you will
be presented with a password protection dialog. Simply enter the password
you configured in WVS into this dialog to access the application normally.


Screenshot 140- Password Protection Dialog

Removing Password Protection
If you have a password configured in WVS and you need to remove it so that
the application can be accessed without requiring the user to enter a
password, you can remove this protection by following these steps:
1. Go to the Configuration > Settings > Application Settings > General
node to access the password protection configuration settings.
2. In the Password protection section of the page, enter the current
password in the Current password textbox.
3. Leave the New password and the Confirm new password textboxes
empty.
4. Click on the Set Password button to save the settings. A dialog will
appear confirming that the password protection has been disabled.


Screenshot 141- Password Protection Disabled Dialog

18.3 Settings: Application Settings > LAN Settings
The LAN Settings are explained in Chapter 2 on page 21 of this manual.


Screenshot 142 LAN Settings Options window

18.4 Settings: Application Settings > Database
The Database Settings node allows you to configure the database within
which scan results are to be saved for future reference.
To configure which database to use (MS Access/MS SQL Server) for storing
scan results:

Screenshot 143 - Enable Database Support
1. Go to Configuration > Settings in the Tools Explorer and click
Application Settings > Database in the Settings Interface.


Screenshot 144 - MS SQL Server Database support setup
2. Select Enable Database Support and select the database backend type.
If you select MS Access, you will also need to specify a location where to
save the scan results. The database will be automatically created for you.
If you select MS SQL Server as a database backend you will also need to
specify the following:
- The hostname/IP of the SQL server.
- Login credentials to use to access the server.
- The name of the database to create on the SQL Server where scan results
will be stored.
3. Click on the Apply button to create the database.





If you specify the name of a database that already exists, Acunetix WVS will check if it
has the required structure and use that. If the structure is different it will ask you to
either overwrite the existing database or specify a different database name.

18.5 Settings: Application Settings > Certificates
Some websites require client certificates to identify a client before access is
granted. These certificates may be configured into Acunetix WVS by
specifying the URL to be used during a crawl or a scan.

Screenshot 145 - MS SQL Server Database support setup
To configure a certificate:
1. Go to Configuration > Settings in the Tools Explorer and click on the
Application Settings > Certificates node in the Settings Interface.
2. Click on the browse folder button to browse for the certificate file.
3. Enter a password (if required) in the Password textbox.
4. Enter the URL which requires the certificate.
5. Click on the Import button to save the certificate details.
6. Click on the Apply button to save the changes.



18.6 Settings: Application Settings > Logging
This section lets you enable general logging as well as the individual logs
kept by the various components of the application.


Screenshot 146 Logging Configuration



18.7 Tool Settings > Site Crawler
In this node you can configure the default options for the site crawler.
Defaults may be overridden on a scan-by-scan basis from File > New > Scan.

Screenshot 147 - Crawler global options setup
Crawling Options
The Crawler traverses the entire website and identifies its structure. The
following crawling options may be configured:
Start HTTP Sniffer for manual crawling at the end of the scan process - This option will start the HTTP Sniffer automatically at the end of the crawl process, enabling you to browse (the browser must be set to use Acunetix WVS as proxy) parts of the site that the crawler could not reach or did not find. Frequently these pages are linked via JavaScript menus or other methods. Although Acunetix WVS handles JavaScript, there may be situations where a manual crawl is still required. The crawler will update the site structure with the newly discovered links and pages.
Get first URL only - Scan only the index or first page.
Do not fetch anything above start folder - Select this option to instruct the crawler not to follow any links above the start folder. For example, if you specify http://testphp.acunetix.com/wvs/ as a start URL it will not traverse the links which point to a location above the base link, e.g. http://testphp.acunetix.com/. However it will traverse all links to pages located in the /wvs/ folder or any of its subfolders.
Fetch files below base folder - Select this option to also follow links which are contained outside the base folder. For example, if you specify http://testphp.acunetix.com/ as a start URL it will traverse the links which point to a location below the base link, e.g. http://testphp.acunetix.com/wvs/.
Fetch directory indexes even if not linked - Select this option to instruct the crawler to request the directory index for every discovered directory even if the directory index is not directly linked.
Retrieve and process robots.txt, sitemap.xml - Select this option to have Acunetix WVS look for a robots.txt file and follow all the links in it.
Case insensitive paths - Select this option to ignore any case difference in the links found on the website, e.g. /Admin will be considered the same as /admin.
Submit forms - Select this option to automatically fill in and submit HTML forms with information that you have previously configured in the Configuration > Settings (in Tools Explorer) > Scanner Settings > HTML Forms node. (For full details on how to configure Acunetix WVS see Chapter 0 on page 126 of this manual.)
Analyze JavaScript - Select this option to activate the Client Script Analyzer (CSA) during crawling. This will execute JavaScript/AJAX code on the website to gather a more complete site structure.
Fetch External Scripts - This option is related to the Client Script Analyzer (CSA). If this option is enabled, CSA will read and analyze scripts located on other hosts.
Fetch default index files - If this option is enabled, the crawler will try to fetch common default index filenames (like index.php, Default.asp) for every folder, even if these files are not directly linked.
Try to prevent infinite directory recursion - There is a small probability that certain website structures will put the scanner in a loop trying to fetch the same directory recursively (e.g. /images/images/images/images/). Enabling this setting will instruct the scanner to try to prevent this situation by identifying repeated directory names in recursion.
Keep site file data on disk - Select this option to instruct the crawler to store the crawling data directly to the hard drive instead of keeping it in memory. This option considerably reduces memory consumption but might reduce the application responsiveness at times.
Maximum number of variations - This option specifies the maximum number of variations for a file.
Link Depth Limitation - This option specifies the maximum link depth level.
Structure Depth Limitation - This option specifies the maximum depth level for directories.
Authenticate with this username and password combination - Select this option to log into the target website if it requires HTTP authentication.
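To make the scope options above concrete, here is an added Python example (not Acunetix code) that decides whether a discovered link is fetched under Do not fetch anything above start folder, Fetch files below base folder, Case insensitive paths and Try to prevent infinite directory recursion. The URLs are the manual's testphp.acunetix.com examples; the threshold of three identical consecutive directory names for the recursion check is an assumption, as is treating only adjacent repeats as recursion.

```python
"""Crawler scope decisions modelled on the Site Crawler options of section 18.7.

Added example, not Acunetix code: it shows how 'Do not fetch anything above
start folder', 'Fetch files below base folder', 'Case insensitive paths' and
'Try to prevent infinite directory recursion' decide whether a discovered
link is fetched.  The repeat threshold is a constructed value.
"""
import posixpath
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlsplit


@dataclass
class CrawlOptions:
    restrict_to_base_folder: bool = False  # Do not fetch anything above start folder
    fetch_subdirs: bool = True             # Fetch files below base folder
    case_insensitive_paths: bool = False   # treat /Admin and /admin as the same
    prevent_recursion: bool = True         # Try to prevent infinite directory recursion
    max_repeats: int = 3                   # consecutive identical directories (assumed)


def base_folder(start_url: str) -> str:
    """Folder of the start URL: .../wvs/index.php -> /wvs/, .../wvs/ -> /wvs/, host only -> /."""
    path = urlsplit(start_url).path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return path


def normalize(path: str, case_insensitive: bool) -> str:
    """Collapse ./ and ../ segments and drop the trailing slash so paths compare reliably."""
    norm = posixpath.normpath(path or "/")
    return norm.lower() if case_insensitive else norm


def looks_recursive(path: str, max_repeats: int) -> bool:
    """True when a directory name repeats max_repeats times in a row (/images/images/images/).

    Simplification of the manual's 'identifying repeated directory names in
    recursion': non-adjacent repeats such as /images/gallery/images/ pass."""
    segments = [s for s in path.split("/") if s]
    run = 1
    for previous, current in zip(segments, segments[1:]):
        run = run + 1 if current == previous else 1
        if run >= max_repeats:
            return True
    return False


def should_fetch(start_url: str, link: str, opts: CrawlOptions) -> Tuple[bool, str]:
    """Decide whether the crawler fetches `link`, returning the decision and its reason."""
    start, target = urlsplit(start_url), urlsplit(link)
    if (start.scheme, start.netloc.lower()) != (target.scheme, target.netloc.lower()):
        return False, "different host (governed by the hosts-allowed list, not modelled here)"
    ci = opts.case_insensitive_paths
    base_dir = normalize(base_folder(start_url), ci)  # e.g. "/wvs"
    path = normalize(target.path, ci)                 # e.g. "/wvs/sub/page.php"
    if opts.prevent_recursion and looks_recursive(path, opts.max_repeats):
        return False, "repeated directory names suggest infinite recursion"
    in_base = base_dir == "/" or path == base_dir or path.startswith(base_dir + "/")
    if not in_base:
        if opts.restrict_to_base_folder:
            return False, "outside the start folder (RestrictToBaseFolder)"
        return True, "outside the start folder, allowed"
    # A link ending in "/" is itself a directory; otherwise use the file's directory.
    link_dir = path if target.path.endswith("/") else posixpath.dirname(path)
    if link_dir != base_dir and not opts.fetch_subdirs:
        return False, "below the start folder (FetchSubdirs disabled)"
    return True, "within the start folder"


if __name__ == "__main__":
    start = "http://testphp.acunetix.com/wvs/"
    strict = CrawlOptions(restrict_to_base_folder=True)
    for link in ("http://testphp.acunetix.com/",
                 "http://testphp.acunetix.com/wvs/sub/page.php",
                 "http://testphp.acunetix.com/wvs/../index.php",
                 "http://testphp.acunetix.com/images/images/images/logo.gif"):
        print(link, should_fetch(start, link, strict))
```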


18.8 Tool Settings > Site Crawler > File Filters
In this node you can configure which files will be included or excluded from
the crawling. This is done by matching the respective extension of the files as
shown below.

Screenshot 148 Site Crawler File Filters Options
File Filters
Include List - Process all files which fit the wildcards specified in the list.
Exclude List - Ignore all files which fit the wildcards specified in the list.





Binary files (images, movies, archives etc) are excluded by default by the crawler to
avoid unnecessary traffic and scanning of non-vulnerable files.

18.9 Tool Settings > Site Crawler > Directory Filters
In this node you may configure which directories will be ignored during a
crawl.


Screenshot 149 Site Crawler Directory Filters Options
To configure a directory filter:
1. Go to the Configuration > Settings > Tool settings > Directory filters node.
2. Click on the Add URL button.



18.10 Tool Settings > Site Crawler > URL Rewrite
This node defines a list of URL rewrite rulesets for websites using this
technology. These rulesets will be used by the crawler to better navigate and
understand the website.

Screenshot 150 Site Crawler URL Rewrite Options
To import the URL Rewrite configuration from an Apache Webserver, you
need to have access to the http.conf or .htaccess file and import them to the
URL Rewrite configuration.

To import the Apache Configuration:
1. Click on the Import Rule button to open the Import Rewrite rules dialogue.

Screenshot 151 URL Rewrite Import Configuration Dialogue
2. Enter the path leading to the filename of the Apache http.conf file or
.htaccess file.
3. Select the type of configuration to import (http.conf or .htaccess). If
.htaccess is being used, you need to configure the hostname and the
directory in which the URL rewrite configuration is set on the web server.
4. Click on the Next button.

To add a new ruleset:
1. Click on Add ruleset button to open up the URL rewrite editor window.

Screenshot 152 URL Rewrite Editor

2. Click on button to open up the Add rule dialogue.

Screenshot 153 URL Rewrite Add Rule Dialogue
3. Select if the ruleset will be a general rule or a directory rule.
4. Enter the Regular Expression which will be used to match the URL and
then enter the Replace With value that you have configured on your web
server.
5. Click on the OK button to save the ruleset.


18.11 Tool Settings > Site Crawler > Custom Cookies
This configuration node allows you to define the custom cookies for each
URL to be sent to the web server during a scan.

Screenshot 154 Site Crawler Custom Cookies Options
To add a custom cookie:
1. Click on Add cookie button to add a new blank line to the list.
2. Click on the next empty line on the list.
3. Enter the URL where you want the custom cookie to be sent.
4. Enter the custom cookie string that you want to send for the particular
URL.
5. Click on the Apply button to save your changes.


18.12 Tool settings > HTTP Sniffer
The HTTP Sniffer tool is actually a proxy server, which intercepts all
requests from your browser to the target website, thereby allowing you to
analyze and modify requests.

Screenshot 155 - Internal Proxy Server Setup
You can configure the following options:
Listen on: Select the network interface to which the Acunetix WVS proxy
will be bound. If you want remote computers to pass their traffic through
the HTTP Sniffer, select All interfaces. Note that a proxy bound to all
interfaces is reachable by any host that can reach this machine, so restrict
it with a host firewall and enable it only while remote access is needed.
Port: Specify the TCP port on which the internal proxy server will listen
for requests.
18.13 Tool Settings > Scanner
This node allows you to configure the default options of the Web Scanner.
You can override defaults on a scan-by-scan basis from the File > New >
Scan on the main menu.


Screenshot 156 - Web Scanner Setup Window
Scanning Options
Report internal server errors - Select this option to report internal
server errors (HTTP status code 500).
Disable alerts generated by crawler - Select this option to ignore alerts
generated by the crawler (broken links and file inputs).
Synchronize crawlers - Select this option to prevent Acunetix WVS
starting the vulnerability checks before the crawler is complete.



List of hosts allowed - By default, Acunetix WVS will not traverse links
outside of the URL you are scanning. However, some links exist on
related sites (for example, support.scanneddomain.com) which may
require inclusion in the scan. You may configure Acunetix WVS to
include and follow these links in the List of hosts allowed field. Enter the
host name or IP address of the domain to be included in a vulnerability
scan and click the + button to add this entry to the list of hosts to be
scanned.



Hostnames can be specified using wildcards. For example, *.domain.com includes all
websites with the suffix .domain.com (such as sales.domain.com and
support.domain.com). A question mark, as in host?.domain.com, matches exactly one
character at that position (e.g., host1.domain.com and host2.domain.com). Keep
wildcards as narrow as possible: every host that matches will receive attack traffic, so
the pattern should cover only hosts you are authorized to test.
The Synchronize crawlers option applies to vulnerability scans on multiple targets in
the same scan request (e.g. scanning a list of websites).
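Added example, not from the manual and not the scanner's implementation: a scope check that turns allowed-host entries of the kind described above into anchored regular expressions. The point a practitioner should verify is that matching covers the whole hostname, so that www.domain.com.attacker.net is not pulled into a scan of *.domain.com. Host names are invented for the example; the bare domain.com is deliberately not matched by *.domain.com and would have to be listed explicitly.

```python
import re
from urllib.parse import urlsplit


def host_pattern_to_regex(pattern):
    """Translate an allowed-host entry into an anchored regular expression.

    '*' matches any run of hostname characters (dots included, so it can span
    several labels); '?' matches exactly one character. Everything else is
    literal, and the expression must match the complete hostname.
    """
    escaped = re.escape(pattern.lower())
    regex = escaped.replace(r"\*", r"[a-z0-9.-]*").replace(r"\?", r"[a-z0-9-]")
    return re.compile(r"^" + regex + r"$")


class ScanScope:
    """Decides whether a crawled link may be followed and attacked."""

    def __init__(self, start_url, allowed_hosts=()):
        self.start_host = urlsplit(start_url).hostname.lower()
        self.allowed = [host_pattern_to_regex(p) for p in allowed_hosts]

    def in_scope(self, url):
        host = urlsplit(url).hostname
        if host is None:  # relative link: it resolves against the start host
            return True
        host = host.lower()
        if host == self.start_host:
            return True
        return any(r.match(host) for r in self.allowed)


if __name__ == "__main__":
    # Constructed links; none of these hosts need exist for the demonstration.
    scope = ScanScope("http://www.domain.com/", ["*.domain.com", "host?.domain.com"])
    for link in ["http://sales.domain.com/a", "http://host1.domain.com/",
                 "http://www.domain.com.attacker.net/", "http://domain.com/", "/relative"]:
        print(link, scope.in_scope(link))
```

Without the ^ and $ anchors the suffix check degrades into a substring check, which is the classic way an allowed-host list ends up sending attack traffic to a third party.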


18.14 Scanner Settings > Login sequences
This configuration screen allows you to create and edit login sequences
which will be used by Acunetix WVS to enter protected areas of a website or
to submit information to HTML forms. Any login sequences previously
recorded in the Scanning Wizard or other parts of Acunetix WVS will also be
listed here.

Screenshot 157 Login sequences configuration
To create a new login sequence:
1. Go to the Configuration > Settings node in the Tools Explorer and select
Scanner Settings > Login Sequences in the Settings Interface.

Screenshot 158 Login sequence recording

2. Click on the record button to open up the sequence recorder window. The
Record login sequence window starts and you may record the login process.
3. Browse to the HTML form login page, enter the username and password and
authenticate by clicking the login button.



4. Now click on the End login sequence button at the top of the dialog.

Screenshot 159 Login sequence recording logout
5. After authentication you also need to identify the logout link; otherwise
the crawler will follow the logout link and log itself out of the password
protected area. Click on the logout link and select Restricted link.

On your website the names of the fields and the login button may be different from the
examples used here.

6. You can review the login sequence that you recorded by clicking on the
Edit login sequence button.

Screenshot 160 Login sequence edit
7. When you are done, click on the Save icon and exit the login sequence
editor. The login will be saved and shown in the login sequences dialog.
18.15 Scanner settings > HTML forms
In this node you can configure the custom values that are sent to specific
HTML forms on a website. These values will be submitted by the Scanner
during an automated scan when accessing certain parts of the websites
which are only accessible when a specific input is given.
For example, a download links page will only be accessible if a valid email
address is submitted to a download details form.

Screenshot 161 HTML Forms configuration

To configure an HTML Form:
1. Go to the Configuration > Settings node.
2. Select the HTML Forms subnode of the Scanner Settings node in the
Settings Interface.
3. In the section HTML Forms, enter the URL address of the page
containing the specific form to which custom parameters are to be passed
and click on Parse from URL button. The resulting list will then be
automatically completed with the form fields found on the given URL.
4. Enter the values for the required fields from the list by clicking in the Value
column for that field (as shown in the above screenshot).
5. Click on the Apply button to save the changes.

Example: Testing a Signup Form
The Acunetix test website signup page is used as an example. The page that
should follow after submitting the signup details will only be accessible if valid
input is given, for example, a valid email address or phone number.

Screenshot 162 HTML Forms example
To configure this HTML Form:
1. Go to the Configuration > Settings node in the Tools Explorer and select
Scanner Settings > HTML Forms in the Settings Interface.
2. In the section HTML Forms enter the URL address
http://testphp.acunetix.com/signup.php then click on the button Parse from
URL. The list in the panel below will be completed with the details of the
form and inputs found.
3. From the list, enter some valid alphanumeric text for the uuname, upass,
upass2, urname, ucc, uphone and uaddress input parameters, as shown
in the screenshot above.
4. Enter your email address as a value for the Email input parameter. By
using your email address you will later receive an email that will confirm that
this form was actually triggered with the details you have entered here.

5. Uncheck the searchFor input parameter since you do not require a search
in this example.
6. Click on the Apply button to save the changes.




Screenshot 163 HTML Forms example results
To test the HTML Form details:
1. Go to Tools > Site Crawler in the Tools Explorer.
2. Enter the URL http://testphp.acunetix.com/signup.php in the Start URL
textbox and click the Start button.
3. After the crawl is completed, in the middle panel, find the subnode with the
file newuser.php under the folder node secured and click on the + of the
subnode to reveal the HTML Form parameters sent.
4. You will then be able to view all the submission details and the resulting
page from the section on the right.

To easily edit the parameter values, click on the value part of a parameter value row
(as shown in the previous screenshot) and press the shortcut key F2 on the keyboard.

18.16 Scanner Settings > Parameter Exclusions
In this node you can configure the parameters that you want to exclude from
a scan.
Some parameters (a session identifier, for example) cannot be manipulated
without invalidating the user session and logging the scanner out. Parameters
listed in this section are sent unchanged during a scan.

To configure a parameter exclusion:
1. Go to the Configuration > Settings node.
2. Select the Parameter Exclusion subnode of the Scanner Settings node.

Screenshot 164 Scanner Settings Parameter Exclusions
3. Select the type of parameter from the dropdown list that you want to
exclude. The options available are GET, POST, Cookie or Any.
4. Type in the name of the parameter in the name textbox that you want to
exclude.
5. Click on Add exclusion button to add the parameter details to the list.
6. Click on Apply button to save the changes


18.17 Scanner settings > Custom Error Pages
Some websites answer a request for a non-existent page with a custom error
page and an HTTP status of 200 rather than 404. Without a way to recognise
that page, the scanner would treat every probed file as present. This node
lets you define a text pattern that identifies the custom error page.
To configure a custom error page:
1. Go to the Configuration > Settings node in Tools Explorer.
2. Select the Custom 404 pages subnode of the Scanner Settings node in
the Settings Interface.

Screenshot 165 - Configuring a custom 404 error page
3. Click on the icon to open the Custom 404 page dialog window.

Screenshot 166 - Configuring a custom 404 website

4. In the URL textbox enter the address of the website with the custom error
page and click the Autodetect button. This will extend the current window to
show the custom error page as seen by a web browser.

Screenshot 167 - Configuring a custom 404 pattern
5. Highlight the text that is unique to this custom error page, for example:
Sorry, the page you have requested cannot be found. This text should not
be found on any other page of the website.
6. Click on the Generate pattern button to generate a regular expression
from the highlighted text. The highlighted text will be copied to the Pattern
textbox and changed into a regular expression that Acunetix WVS can
understand.
7. Click on the Test pattern button to verify the generated pattern.
8. Click Add to save this custom error page configuration.


18.18 Scanner settings > GHDB
By default, all GHDB entries (1450+) are tested for. You can also limit the set
of GHDB queries to scan for.

Screenshot 168 Configuring GHDB entries

To select specific GHDB entries:
1. Go to the Configuration > Settings node in the Tools Explorer.
2. Select the GHDB subnode of the Scanner settings node in the Settings
Interface.
3. Click on the Uncheck Visible button to unselect all the entries.

Screenshot 169 - Configuring GHDB entries by filtering
4. In the Filter GHDB textbox enter a keyword to filter the view of the entries
list (e.g., sql). The list will automatically refresh as you type.
5. Click on the Check only visible button to select the entries that are shown
in the list. This will also unselect all the other entries which are not visible.
6. Unselect any entries that you do not wish to be scanned.
7. Click on the Apply button to save the changes.
18.19 Scanning Profiles
Scanning profiles may be used to test a website for specific vulnerabilities.
For example, the SQL injection profile will only check for SQL injection
vulnerabilities. You can create your own profiles.
When launching a scan, select the profile to use from the profile dropdown
list in the toolbar.

Screenshot 170 - The Scanning Profiles Toolbar


18.19.1 Default Scanning Profiles
Acunetix WVS is installed with the following default profiles:

Profile - Description

default - Includes all vulnerability checks, excluding only web services
related tests.

cgi_tester - Only searches for common CGI scripts and common sensitive files.
It also detects all HTTP methods supported by the target web server (for
example GET, PUT, DELETE etc.). Its functionality is similar to that of a CGI
scanner, but WVS adds a highly configurable XML interface.

dir_file_checks - Scans the structure of a target website for directories and
files. For example, when scanning PHP-based websites this profile searches
for files such as phpinfo.php, which discloses the PHP configuration of that
server.

empty - Performs no tests. Use it as a clean base when creating other
profiles, or to run a scan without performing any tests (i.e., only the
standard checks performed by the crawler, such as broken links).

parameter_manipulation - Launches all parameter manipulation attacks, for
example SQL injection, XSS (cross site scripting) and command execution.

text_search - Scans files and filenames for remarks and text that could
contain sensitive information.

version_check - Reads the version of the web server (e.g., Apache) and of
the different technologies in use (e.g., PHP, mod_ssl, etc.) and compares
them to a list of vulnerable versions. If a vulnerable version is found, you
are advised to patch your web server.

blind_injection - Includes only the MultiRequest parameter manipulation
section with the Blind SQL / XPath Injection tests.

ghdb - Only GHDB entries are checked. For a more granular selection of the
GHDB tests, go to the configuration options (section 18.18).



18.20 Creating/Modifying Scan Profiles

Screenshot 171 Creating a scanning profile
To create a new scan profile:
1. Go to the Configuration > Scanning Profiles node.
2. Click on the New Scanning profile button in the middle panel at the top (to
the right of the profile drop-down box).
3. Type a new name for your profile.
4. Select the scanning tests to be performed.
5. Click on the Save button to the right of the profile name.
To modify a profile simply check/uncheck the tests (test modules) you want
from an existing profile. Save the changes to the current profile or to a new
profile by clicking the Save button.


19. Database Conversion Utility
19.1 Introduction
The database structure of Acunetix WVS v5 is improved and optimized to
retain a low file size and store results more efficiently. Since the database
structure is different, earlier v4 databases cannot be used by v5.
Acunetix provides this database conversion utility which extracts the data
from a WVS v4 database and creates a new database with the WVS v5
structure with the same data extracted. The source and destination
databases can be a mix of both MDB files and SQL Server schemas.
This utility is designed for users of WVS v4 who wish to upgrade to WVS v5
while keeping the scan results already produced with WVS v4, making the
upgrade transition quick and easy.
19.2 Obtaining the Database Conversion Utility
To obtain the conversion tool you can visit the Acunetix website or contact
support on support@acunetix.com.

19.3 Converting a Database
1. Launch the conversion utility by double-clicking on WVSv5DBConvert.exe
file that you downloaded and click Next.

Screenshot 172 Database Conversion Utility

2. Select the source WVS v4 database by pointing the conversion utility to
the MDB file's location. You can click on the browse icon to locate the file.



Screenshot 173 Database Conversion Utility Source Selection MDB

If the source database is stored on an SQL Server, change the database
type to MS SQL Server and enter the required details and credentials to
connect to the database.


Screenshot 174 Database Conversion Utility Source Selection SQL Server

Click on the Next button to proceed to the next step.

3. Leave the database type selection at MS Access if you want the
destination database to be an MDB file. If you want to add the scan results
from the source database to an already created MDB file with the WVS v5
structure, click on the browse icon to locate that MDB file.
If you want to create a new MDB file with the new structure, click on the
browse icon, navigate to a folder and specify the name of the new file which
will hold the database containing the new structure.


Screenshot 175 Database Conversion Utility Destination Selection MDB

If you wish to convert the data of the source database to an MS SQL Server,
change the database type to MS SQL Server and enter the required details
and credentials to connect to the database.


Screenshot 176 Database Conversion Utility Destination Selection SQL Server

Click on the Next button to proceed to the next step.

4. During this step the conversion utility will process all the scan results in
the source selected and create the scan results with the new structure in the
destination selected.
The number of scan results found in the source database and the progress of
the conversion is shown during this step.



Screenshot 177 Database Conversion Utility Processing



5. At the end of the conversion process, a summary page allows you to view
the number of scan results converted and the time taken to process this data.

Screenshot 178 Database Conversion Utility Finished Summary

Clicking on the Finish button closes the conversion tool and completes the
conversion process.

The conversion process may take a considerable amount of time on large WVS v4
databases. The time a conversion takes also depends on the hardware performing the
operation; a faster processor will usually result in a shorter conversion time.

20. Vulnerability Editor
20.1 Introduction

Screenshot 179 The vulnerability editor
The Vulnerability Editor allows you to edit the database which contains the
definitions of all the vulnerability tests that can be performed during an audit.
You can create new or edit existing vulnerabilities. You can start the
Vulnerability Editor from the Acunetix program group in the Start Menu or by
clicking Tools > Vulnerability Editor on the file menu within the Acunetix
WVS user interface.

Be careful when editing the tests: these are core to Acunetix WVS and a mistake can
corrupt the Acunetix WVS installation. Back up the vulnerability database before
editing it.
All tests are organized into 6 main nodes, each node being the module that performs
the actual audit tests. Below each node one can create Vulnerabilities and
vulnerability parameters.
Vulnerabilities are stored in a modified version of the VulnXML format, a web
vulnerability description standard defined by the OWASP group.


20.2 Acunetix WVS audit modules
Acunetix includes the following auditing modules:
Version Check - TM_Version_Check.dll
This module analyses the server banners to determine web server versions
(e.g., Apache) and the different technologies used (e.g., PHP, mod_ssl, etc.).
The version is then compared to the database of vulnerable versions of that
particular software. With the Version Check module you can add checks for
more recent versions or for other types of software, so the version database
can be kept current with whichever vulnerable versions you need to flag.
CGI Tester TM_CGI_Tester.dll
The CGI tester module will search for common CGI scripts. It can also be
used to determine both the presence of sensitive files on the web server
(e.g., the Apache manual directory) and the methods allowed on the web
server (e.g., GET, PUT, DELETE etc.). It is similar to a CGI scanner but with
a configurable XML interface.
Parameter Manipulation -TM_parameter_manipulation.dll
This module will try to manipulate the inputs of a file (like server side script),
to test common vulnerabilities e.g. SQL injection, XSS Cross site scripting,
command execution.
File Checks - TM_Backup_Files.dll
This module analyses "interesting" files within the web structure (e.g. files
with input parameters and probable scripts) and tries to manipulate their
names in the HTTP requests. For example, if WVS finds a file login.php, the
module will look for files such as login.php.bak, login.bak, login.zip
etc. One can add new file parameters and different extensions using the
Vulnerability Editor.
Directory Checks TM_Common_Files.dll
This module scans for common files left in directories of the site. It will look at
the structure of the website and will try to request files and directories that
should not be there. For example, a common file present on PHP-based
websites would be phpinfo.php, which displays information about the PHP
configuration on that server.
Text Search - TM_Text_Search.dll
The text search will look for certain texts within the files/filenames retrieved
from the web server. It will search for remarks left by the web administrator,
including username and password information.


20.3 Adding a Vulnerability Test
To add a new Vulnerability check:
1. Right click on an existing module or Vulnerability and select Add
Vulnerability.

Screenshot 180 - New Group details
2. Specify the name of the Vulnerability, a short description and the name of
the VulnXML file where the test parameters will be stored.
3. Specify whether the test must be based on VulnXML or not:
Based on Default VulnXML - uses the default/built-in VulnXML test
parameters.
Based on existing VulnXML - copies the test parameters from an
existing VulnXML file.
No VulnXML is required - used if the test does not perform any HTTP
requests but only specifies the condition that makes it successful.
(E.g. tests in the Version Check module only specify a VersionRegex
parameter; the test is successful if the VersionRegex value matches the
target web server banner.)

4. Click on the Add button to create the new Vulnerability.

Screenshot 181 - Vulnerability Properties
5. Now click on the created Vulnerability to bring up the details in the
Vulnerability properties page (the right hand pane), which contains the
Vulnerability Properties, the Parameters and the VulnXML sections. The
properties are the ones already set when you created the new vulnerability.
6. You can now set the following parameters in the parameters section:
Affects - identifies the object affected by this test, for example the web
server (if the vulnerability affects the web server), a file, or an object
identified by the module (when set_by_module is specified). This parameter
depends on the type of test being carried out.
BindAlertToFile - set this to 1 to let the test add any newly discovered
files to the crawler directory structure for use in later scans.



You can leave the Affects parameter as default for most cases.

7. You can edit the test parameters in the VulnXML section of the dialog.

This section is organized into 5 subsections, each represented by a tab and
each described in the subsequent subsections:
Test Description Tab - edit generic information
References Tab - specify links to additional information about the
vulnerability
ApplicableTo Tab - specify for which operating systems, web servers or
technologies you want this test to be performed
Variables Tab - create/edit variables to be used by the test
Connection Tab - specify what HTTP requests should be made, what
response to look for and what defines success or failure of the test
20.3.1 Editing the Vulnerability Description
In the vulnerability Test Description tab you can edit generic information:
Name - The name of the vulnerability (e.g., it could be the same as the
name given to the VulnXML file).
Version - Test version number.
Released - Date showing when this Test/Vulnerability was created
(yyyy/mm/dd).
Updated - Date showing the last time that this Test/Vulnerability was
updated (yyyy/mm/dd).
Protocol - Defines the protocol that this test will use for sending requests
to a target during a scan (i.e. HTTP).
May Proxy - Defines whether this test may be performed through a proxy
server. If Acunetix WVS is configured to use a proxy server, set this
option to true to execute the test.
Affects - Defines which components of the target site structure will be
tested.
Severity - Defines the vulnerability level of a target should this test fail
(i.e. High Severity indicates that if this test generates failures, the target
being scanned has a severe vulnerability).
Alert - Defines whether the Alert is to be triggered on success or failure
of the test.
Description - Contains the test function description.
Impact - Contains information on the effect that the vulnerability detected
by this test has on your target site.
Recommendation - Contains information on what you should do to
eliminate the vulnerability detected by this test.


Screenshot 182 - References tab page
In the References tab you can specify links to additional information about
the vulnerability (e.g., cause and related fix).
Link Title - Specify the link heading/title of the article/information.
URL - Contains the URL.
You can add additional references by right clicking and selecting Add
reference.


20.3.2 Specifying When the Vulnerability Check is Applicable

Screenshot 183 - Applicable to tab
In the ApplicableTo tab you can specify for which operating systems, web
servers or technologies you want this test to be performed. The test will only
be performed if all of the conditions are true.
Operating System - Defines the operating systems. You can choose
Windows, Unix/Linux or all.
Web Server - Defines which web server types must be checked by this
test, for example Apache, IIS etc.
Technology - Defines which technologies (e.g. ASP/PHP) must be
checked by this test.
You can add additional conditions by right-clicking and selecting Add
applicable to.
20.3.3 Specifying Test Variables

Screenshot 184 - Variables page

In the Variables tab you can create/edit variables to be used by the test. The
type of variables that you can create are dependent on which module is
performing the test. For example, if creating a vulnerability check within the
CGI Tester node, only the File variable will be available. The following is a list
of variables that each module supports:
Version Check
no variables
CGI Tester
no variables
Parameter Manipulation
file - the site file to be tested (e.g. /dir/a.asp)
test - this specifies that it should perform the check for each parameter
created under Vulnerability parameters.
combinations - this will contain all the combinations of parameter values,
for example ?param1=${test}&param2=1, ?param1=1&param2=${test}.
Path - the actual URL for the test, for example ${file}${combinations}
post - same as combinations but for POST variables
filename - same as file however it does not include the path, only the
filename, for example a.asp.
File Checks
file - the site file to be tested (e.g. /dir/a.asp)
test - this specifies that it should perform the check for each parameter
created under Vulnerability parameters.
Path - the actual URL for the test, for example ${file}${test}

Directory Checks
file - the site file to be tested (e.g. /dir/a.asp)
test - this specifies that it should perform the check for each parameter
created under Vulnerability parameters.
Path - the actual URL for the test, for example ${directory}${test}
Text Search
no variables
20.3.4 Variables Explained
Defining the variables is the hardest part of creating a vulnerability check
and is best explained with an example, such as a SQL injection check. Let's say
we have a website with one file, /dir1/a.asp. Against that file we want to send
HTTP requests that place a single quote (') in one parameter while the other
parameter is set to 1. We would set up this vulnerability check with these
variables:
File: /dir1/a.asp
Test: ' (a single quote)

Combinations: ?param1=${test}&param2=1, ?param1=1&param2=${test}
Path: ${file}${combinations}
Post: <empty>
Filename: a.asp
With these variables, the vulnerability will be executed with the following
request:
${scheme}://${host}:${port}${path} - scheme, host and port are default variables
that contain the values of the website currently being scanned, e.g. scheme=http,
host=testwebsite.com, port=80.
path is defined as ${file}${combinations}, so it will be evaluated as
/dir1/a.asp${combinations}
${combinations} is ?param1=${test}&param2=1, ${test} is ', So, in the end we
will have 2 requests:
/dir1/a.asp?param1='&param2=1
/dir1/a.asp?param1=1&param2='
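The expansion described above, written out as an added example that is not the scanner's own code: expand substitutes ${name} references recursively, so ${path} resolves through ${file}${combinations} down to the literal test value, and build_requests enumerates one request per (combination, test item) pair. The same function also covers the File Checks module's ${file}${test} path from 20.3.3, producing the login.php.bak-style names described in 20.2. Host and file names are those of the example in the text; the backup suffixes are invented vulnerability items.

```python
import re
from itertools import product

VAR_REF = re.compile(r"\$\{(\w+)\}")


def expand(template, variables):
    """Substitute every ${name} in template, recursing into the substituted
    value so that ${path} -> ${file}${combinations} -> ... resolves fully.
    Names that are not defined are left untouched."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)
        return expand(variables[name], variables)
    return VAR_REF.sub(replace, template)


def build_requests(variables, combinations, tests):
    """Enumerate the full request URL for every (combination, test item) pair.

    The scanner repeats the request once per combination and once per test
    item, so ${combinations} and ${test} are bound afresh on each iteration.
    No URL-encoding is applied here; that belongs to the request layer.
    """
    urls = []
    for combo, test in product(combinations, tests):
        env = dict(variables, combinations=combo, test=test)
        urls.append(expand("${scheme}://${host}:${port}${path}", env))
    return urls


# Variables of the SQL injection example in the text (Parameter Manipulation).
PARAM_MANIPULATION = {
    "scheme": "http", "host": "testwebsite.com", "port": "80",
    "file": "/dir1/a.asp",
    "path": "${file}${combinations}",
}
COMBINATIONS = ["?param1=${test}&param2=1", "?param1=1&param2=${test}"]
TESTS = ["'"]  # the single quote

# The File Checks module uses ${file}${test} and has no combinations variable;
# the test items are the backup suffixes added as vulnerability items (invented).
FILE_CHECKS = dict(PARAM_MANIPULATION, path="${file}${test}")
BACKUP_SUFFIXES = [".bak", ".old"]

if __name__ == "__main__":
    for url in build_requests(PARAM_MANIPULATION, COMBINATIONS, TESTS):
        print(url)
    for url in build_requests(FILE_CHECKS, [""], BACKUP_SUFFIXES):
        print(url)
```

A variable that references itself would recurse without end, so when adding variables in the editor make sure each one ultimately resolves to literal text.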

You can edit the existing variables, or add new ones. To create a new
variable, right-click on the Variables page and select Add Variable. To delete
a user-created variable, right-click on the variable name and select Delete.

Default module variables cannot be deleted.

Screenshot 185 - Connection tab sub-tabs
In the Connection tab you can specify what HTTP requests should be made,
what response to look for and what defines success or failure of the test.
These parameters are set via the Connection, Request, Response and
TestCriteria sub-tabs. It is usually not necessary to modify the Connection
sub-tab, since the test will automatically use the scheme, hostname and port
of the active scan. However, you can choose to specify a custom connection
scheme (HTTP/HTTPS), host name and port for the test.
20.3.5 Defining the Requests to be Made in the Test

Screenshot 186 - Request sub-tab page
In the Request sub-tab, you must specify the exact HTTP request to be
made:
Message header - Method - the HTTP request method, e.g. GET,
POST, HEAD or PUT.
Message header - URI - the destination of the request. The URI is by
default set to ${path}, since this variable encloses the values of ${file}
and ${test}; the path variable is therefore expanded to the various
combinations of ${file} and ${test} according to the request and the
target website being scanned.
Message header - Version - the HTTP protocol version to be used for the
request, e.g. HTTP/1.0 or HTTP/1.1.
Message body - Separator - specify the separator for the message body.
Message body - Text - specify the text of the message body.




The URI is not necessarily a URL. For more information on the subject, please refer to
http://www.pierobon.org/iis/url.htm/.

20.3.6 Analyzing the Response

Screenshot 187 - Response sub-tab page
In the Response sub-tab you can create/edit the response variables that the
test extracts from the reply and later evaluates. For each variable you
define:
Name - Variable name.
Type - Variable type.
Description - Variable description.
Source - Where to apply the regular expression (on the status code,
on the response headers or on the response body).
Value - The regular expression used to extract the variable value
from the source.

20.3.7 Defining the Test Criteria/Conditions


Screenshot 188 Test Criteria sub-tab page
The last step is to define what conditions cause the success or failure of the
test. You can add failure or success conditions: If a failure condition
evaluates to true, then the test fails. If a success condition evaluates to true
then the test passes.
You can create multiple success or failure conditions: If any of the failure
conditions evaluates to true, independent of the other conditions, then the
test fails. If you add a success condition, then the success condition must
evaluate to true for the test to pass.
You can use equal, not equal, contains, not contains, lower than and greater
than operators in a condition.
To create a new test criteria, right click and select Add test criteria success
to create a success condition or Add test criteria failure to create a failure
condition.
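Added example, not the scanner's implementation: a minimal version of the response-variable extraction from the Response sub-tab and the test-criteria evaluation described above. The HTTP responses are constructed inline; the regular expressions, variable names and criteria are invented for the example. evaluate returns True when no failure condition holds and every success condition holds; which outcome raises an alert is the choice made in the Alert field of the test description.

```python
import re

# Constructed HTTP responses (not captured from any real server). They stand in
# for what the scanner receives after sending the request built in 20.3.5.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 (Unix) PHP/4.3.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Warning: mysql_fetch_array(): supplied argument is not a valid "
    "MySQL result resource in /var/www/a.asp on line 12</body></html>"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 (Unix) PHP/4.3.2\r\n"
    "\r\n"
    "<html><body>No products matched your query.</body></html>"
)
SERVER_ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/1.3.27 (Unix) PHP/4.3.2\r\n"
    "\r\n"
    "<html><body>Warning: mysql_fetch_array(): supplied argument is not a valid "
    "MySQL result resource</body></html>"
)


def split_response(raw):
    """Return (status code, header block, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = status_line.split(" ", 2)[1]
    return status, "\n".join(header_lines), body


# Response variable definitions: (name, source, regex). Invented for the example.
DEFINITIONS = [
    ("status", "status", r"^(\d{3})$"),
    ("server", "headers", r"^Server:\s*(.+)$"),
    ("sqlerror", "body", r"(mysql_fetch_array\(\)|You have an error in your SQL syntax)"),
]


def extract_variables(raw, definitions):
    """Apply each definition's regex to its source. Group 1 (or the whole
    match) becomes the variable value; an empty string when nothing matches."""
    status, headers, body = split_response(raw)
    sources = {"status": status, "headers": headers, "body": body}
    values = {}
    for name, source, regex in definitions:
        m = re.search(regex, sources[source], re.IGNORECASE | re.MULTILINE)
        if m is None:
            values[name] = ""
        else:
            values[name] = m.group(1) if m.lastindex else m.group(0)
    return values


def _num(x):
    try:
        return float(x)
    except (TypeError, ValueError):
        return None


OPERATORS = {
    "equal": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "not contains": lambda a, b: b not in a,
    "lower than": lambda a, b: None not in (_num(a), _num(b)) and _num(a) < _num(b),
    "greater than": lambda a, b: None not in (_num(a), _num(b)) and _num(a) > _num(b),
}

# Criteria: (variable, operator, expected value). Invented for the example:
# the test succeeds on a SQL error message, but never on a 404 or a 5xx reply.
SUCCESS = [("sqlerror", "not equal", "")]
FAILURE = [("status", "equal", "404"), ("status", "greater than", "499")]


def evaluate(values, success=(), failure=()):
    """Any failure condition that holds fails the test outright; otherwise every
    success condition must hold. A test with no success conditions passes."""
    def holds(cond):
        var, op, expected = cond
        return OPERATORS[op](values.get(var, ""), expected)
    if any(holds(c) for c in failure):
        return False
    return all(holds(c) for c in success)


if __name__ == "__main__":
    for label, raw in [("vulnerable", VULNERABLE_RESPONSE), ("clean", CLEAN_RESPONSE),
                       ("server error", SERVER_ERROR_RESPONSE)]:
        print(label, evaluate(extract_variables(raw, DEFINITIONS), SUCCESS, FAILURE))
```

The third response shows why failure conditions are evaluated first: it contains the same SQL error text as the vulnerable one, but the 500 status trips a failure condition, so the test does not report it as a hit.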
After you have created the vulnerability, click on the Save button in the
toolbar to save the test information. Now close Acunetix WVS, including the
Vulnerability Editor, and launch it again to perform the test. You will need to
enable the test first in one of the scanning profiles; you can do this from the
Configuration > Scanning Profiles node.


20.4 Adding a Vulnerability Item
Vulnerability items are additional parameters which Vulnerabilities require
during a scan. Vulnerability items are kept within their Vulnerability and
can be created as follows:
1. Right click on the Vulnerability where you want to create the new
Vulnerability parameter and select Add Vulnerability item.

Screenshot 189 - Vulnerability parameter parameters
2. In the Item Properties, define the Name (i.e. the Item name) and Value
(e.g. a file name) that will be attributed to this parameter.
3. Click on the save button in the Toolbar at the top of the Vulnerability
editor window. This will save the new Vulnerability item which will be
referenced by the test variable.


20.5 Example: Creating a Test Which Searches for a Particular File
In this section we walk through creating a new vulnerability check, in this case one that looks for a file called passwords.txt.
20.5.1 Step 1: Creating a Vulnerability
Create a new Vulnerability. We will call it Look for Passwords.txt file.

Screenshot 190 - Vulnerability Editor Modules
1. Launch the Vulnerability Editor from Acunetix WVS.
2. Since we are looking for a file in any of the site's directories, we will use the Directory Checks module. Right-click on the Directory Checks node and select Add vulnerability.

Screenshot 191 - New group properties window

3. In the New vulnerability dialog, specify the following details:
Name: Look for Passwords.txt file
Description: This test will scan the target site and look for a file called passwords.txt
VulnXML: Leave the default suggested filename
VulnXML support: Based on Default VulnXml
Click on the Add button to create the new Vulnerability. It will be listed under the Directory Checks node.
20.5.2 Step 2: Adding a Vulnerability Item
Now that the test exists, we need to define its parameters. This is done by creating a Vulnerability item.
In this example the Vulnerability item holds the name of the file to search for (i.e. passwords.txt):
1. Right-click on the Look for Passwords.txt file Vulnerability and select Add vulnerability item.

Screenshot 192 - Creating an item
Screenshot 193
2. In the Item properties section, specify the following information:
Name: Passwords.txt
Value: /Passwords.txt

The web scanner will now look for a file called Passwords.txt in every directory it finds. For example, assume that after crawling a target site the crawler has found two directories, / and /secured. The ${path} variable (in the VulnXML file properties) is built from each directory and the Vulnerability item value, so the scanner requests:
/Passwords.txt
/secured/Passwords.txt
The item value is used exactly as typed: on a case-sensitive web server /Passwords.txt and /passwords.txt are different files, so enter the name in the case you expect to find on the target.
3. Click on the save button to save the new Vulnerability item.
20.5.3 Step 3: Configuring the Test Properties
Now configure the test properties:
1. Click on the Look for Passwords.txt file Vulnerability.
2. In the parameters section, leave Affects and BindAlertToFile at their defaults (set_by_module and 1 respectively).

Screenshot 194 - Specifying the test description
3. In the VulnXML section, fill in the following fields in the Test description tab:
Name: Look for Passwords.txt file
Affects: File
Severity: High
Alert: Success (i.e. an alert is generated when the test succeeds, that is, when the file is found)
Description: Search for passwords.txt file
Impact: Contains sensitive information
Recommendation: Delete the file
4. Optionally, in the References tab, add links to web references for the vulnerability:
Database: Link title
URL: Full URL of the reference
5. In the Applicable To tab, leave the default settings: the check for the file does not depend on the web server, operating system or technology in use.
6. The Variables tab lists the variables of the test. The Directory Checks module uses three variables, File, Test and Path:
The File variable is set automatically by the scanner to each directory the crawler found.
The Test variable is taken from the Vulnerability item created in Step 2. In our example it contains /Passwords.txt, the value given to the Passwords.txt item that is the sub-node of the Look for Passwords.txt file Vulnerability.
The Path variable is the combination of the two, ${file}${test}, and is the location that is actually requested.
Since the Vulnerability item referenced by the Test variable already exists, nothing needs to be changed in this dialog.
7. In the Connection tab you would specify the HTTP requests the test makes and their success/failure criteria. This example needs no specific requests, so leave the Connection tab at its defaults.


20.5.4 Step 4: Save the Test and Re-Launch Acunetix WVS
8. Click on the save button to save the Vulnerability check and close the
Vulnerability Editor as well as Acunetix WVS.

Screenshot 195 - Scanning Profiles: Arrow shows the new Vulnerability that has been added
9. Launch Acunetix WVS again and confirm that the new Vulnerability has been added to the scanning profiles by clicking on Scanning Profiles under the Configuration node.
10. Tick the box to the left of the new test to enable it in the next scan. Then click on the Web Scanner node, specify a target and start a scan to try the new test.
11. If the test finds the file, the finding is displayed in the Alerts node during the scan.
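What the Directory Checks walk-through amounts to at run time, as an added Python example (not Acunetix code): the ${path} = ${file} + ${test} combination over the crawled directories, the "200 means found" decision, and the check a practitioner wants next to it, a per-directory not-found baseline that stops custom 404 pages served with status 200 from producing a false alert. The in-memory target site, the fetch stand-in and the baseline comparison are constructed for this example; the manual itself only describes the path combination and the alert on success.

```python
import random
import string
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]

# Constructed in-memory target (not a real host). Only /secured/passwords.txt exists; like
# many misconfigured servers, every unknown path gets a "not found" page with status 200.
FAKE_SITE: Dict[str, Response] = {
    "/": (200, "<html>welcome</html>"),
    "/secured/": (200, "<html>members area</html>"),
    "/secured/passwords.txt": (200, "admin:5f4dcc3b5aa765d61d8327deb882cf99\n"),
}
SOFT_404: Response = (200, "<html><title>Page not found</title></html>")


def fake_fetch(path: str) -> Response:
    """Stand-in for an HTTP GET against the target."""
    return FAKE_SITE.get(path, SOFT_404)


def build_paths(directories: List[str], item_value: str) -> List[str]:
    """${path} = ${file} + ${test}: join every crawled directory with the item value.

    Slashes are normalised so "/" + "/passwords.txt" does not become "//passwords.txt".
    The file name is used exactly as entered: on a case-sensitive server
    "/Passwords.txt" and "/passwords.txt" are different resources.
    """
    return [d.rstrip("/") + "/" + item_value.lstrip("/") for d in directories]


def naive_directory_check(directories: List[str], item_value: str,
                          fetch: Callable[[str], Response] = fake_fetch) -> List[str]:
    """Alert on any 200 response: what a check without a not-found baseline does."""
    return [p for p in build_paths(directories, item_value) if fetch(p)[0] == 200]


def directory_check(directories: List[str], item_value: str,
                    fetch: Callable[[str], Response] = fake_fetch) -> List[str]:
    """Alert only when the response differs from the directory's own not-found answer.

    Assumption of this example: requesting a random name in the same directory yields
    that directory's "not found" response, and a candidate whose status and body are
    identical to it is discarded as a false positive. Real scanners compare bodies
    more loosely (length or similarity), since not-found pages often embed the URL.
    """
    found = []
    for directory, path in zip(directories, build_paths(directories, item_value)):
        probe = "".join(random.choices(string.ascii_lowercase, k=16)) + ".txt"
        baseline = fetch(directory.rstrip("/") + "/" + probe)
        response = fetch(path)
        if response[0] == 200 and response != baseline:
            found.append(path)
    return found


if __name__ == "__main__":
    dirs = ["/", "/secured"]          # what the crawler found in the manual's example
    print("naive:", naive_directory_check(dirs, "/passwords.txt"))
    print("with baseline:", directory_check(dirs, "/passwords.txt"))
```

Against this target the naive check reports both /passwords.txt and /secured/passwords.txt, while only the second really exists; the baseline version reports just that one. Requesting /Passwords.txt with a capital P finds nothing here, which is the case-sensitivity point made in Step 2.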





21. WVS File Types
21.1 WVS Tools File Types
The following are the various file types which Acunetix WVS generates, and the tools which use them:
WVS - The results file saved from the Web Scanner
WSS - The results file saved from the Web Services Scanner
CWL - The directory structure saved from the Site Crawler
PRE - The Prepared Reports file generated by the Reporter
SLG - The log file saved from the HTTP Sniffer
FZS - The session file saved from the HTTP Fuzzer
CSV - The files used to store the logging data of requests and responses sent during a scan

21.2 WVS Export File Types
The following are the files which can be exported from Acunetix WVS and its tools:
PDF - Reporter files may be exported as Portable Document Format files
PRN - Reporter files may be exported in dot-matrix printer format
HTML - Reporter files may be exported as Hypertext Markup Language files
RTF - Reporter files may be exported as Rich Text Format files, which MS Word can open
BMP - Reporter files may be exported as Bitmap image files
AVDL - Web Scanner results may be exported as Application Vulnerability Description Language files
XML - Web Scanner results may be exported as Extensible Markup Language files





22. Troubleshooting
22.1 Introduction
This troubleshooting guide explains how to go about resolving issues you may encounter.
The main sources of information available to users are:
The Manual - most issues can be solved by reading the manual.
Email Support - contact the Acunetix support department by email at support@acunetix.com
The Acunetix Support Center - http://support.acunetix.com
22.2 Request Support Via E-Mail
If you have a problem that you cannot resolve, please contact the Acunetix support department. The best way to do this is by e-mail, since you can include the information we need to resolve the issue quickly.
The Troubleshooter, included in the program group, automatically generates a number of files that Acunetix needs in order to provide technical support; these include the configuration settings. To generate these files, start the Troubleshooter and follow the instructions in the application.
In addition to collecting this information, the Troubleshooter asks you several questions. Answer them accurately, since without the proper information it will not be possible to diagnose your problem.
Then go to the support directory, located under the main program directory, ZIP the generated files and send them to support@acunetix.com. Because the archive contains your configuration settings, review it for credentials (for example proxy or HTTP authentication passwords) before sending it.
We will answer your query within 24 hours or less, depending on your time zone, and strive to resolve the issue as quickly as possible.


22.3 Support Center
The Acunetix Support Center contains a knowledgebase of articles with the
most common problems experienced by Acunetix WVS customers. From this
Support Center you will also be able to open a support ticket the status of
which can be tracked online.

Screenshot 196 The Acunetix Support Center Website




23. Credits
Acunetix Web Vulnerability Scanner uses technology from the following
entities:

OpenSSL Project (http://www.openssl.org/). The product contains and
uses the unmodified version of OpenSSL 0.9.7c.
PCRE Wrapper for Delphi
(http://renatomancuso.com/software/dpcre/dpcre.htm) based on PCRE
(Perl Compatible Regular Expression) library.
Regular expression support is provided by the PCRE library package,
which is open source software written by Philip Hazel and copyright by
the University of Cambridge, England.
(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/)
Internet Component Suite developed by François Piette (http://www.overbyte.be/).
Virtual TreeView component developed by Mike Lischke
(http://www.delphi-gems.com/VirtualTreeview/VT.php).
GHDB (Google hacking database)
(http://johnny.ihackstuff.com/index.php?module=prodreviews).







24. Index
4
404 47, 48, 150, 151
A
Affects 164, 165, 176
AJAX 7, 9, 42, 135
alerts node 51, 53
APACHE 9
ASP 9, 11, 72, 167
ASP.NET 9, 11
Attack 6, 51
Authenticate 42, 135
Authentication 5, 8, 17, 32, 75, 76
AVDL 116, 179
B
Backup 8, 162
BindAlertToFile 164, 176
Blind SQL Injection 8
Buffer overflows 8
C
CGI Tester 162
Code Injection 8
ColdFusion 9
Command Line support 10, 114
Compare 12, 32, 101
compare results 102, 104
Compliance 9, 108, 109, 110, 111
configuration 10, 25, 27, 32, 33, 37, 46, 90, 94, 112, 121, 126, 133, 138, 139, 141, 144, 146, 151, 154, 162, 180
Cookie Manipulation 8
crawler 9, 11, 39, 41, 57, 58, 101, 127, 134, 135, 138, 143, 154, 164, 176
CRLF Injection 8
Cross Frame Scripting 8
Cross Site Scripting 5, 8
CSA 9, 42, 135
CSV 70, 179
D
database 5, 6, 8, 9, 10, 21, 24, 43, 49, 55, 75, 85, 105, 108, 112, 116, 118, 126, 130, 131, 156, 157, 158, 161, 162, 183
Default Scanning Profiles 154
developer 63, 106
Directory Checks 162
Directory Traversal 5, 8
DNS 9, 69
DNS server 69
Document Object Model 9
DOM 9
E
Editor 11, 15, 17, 32, 51, 59, 69, 70, 79, 80, 81, 82, 95, 96, 97, 98, 99, 100, 139, 161, 162, 174
Error 8, 10, 35, 37, 40, 47, 48, 55, 123, 150
Evaluation 29
export 12, 54, 99, 111, 116
extranets 7
F
Fetch files below base folder 41, 135
File Checks 162
File Inclusion 8
Firefox 27, 28, 29, 129
Firewalls 5
Flash 9, 11
FrontPage 9
Full Path Disclosure 8
Fuzzer 11, 16, 32, 85, 86, 87, 88, 89, 179
G
General Settings 127
GET 70, 80, 149, 154, 162, 170
GHDB 8, 10, 52, 55, 56, 152, 153, 154, 183
Google Hacking 8, 10, 55, 56
H
hacker 5, 6, 7, 10, 13, 55
heuristic 7
HIPAA 9
htaccess 10, 138, 139
HTTP 5, 7, 8, 9, 11, 12, 15, 16, 17, 25, 26, 27, 32, 41, 43, 44, 51, 53, 58, 59, 65, 69, 70, 71, 72, 73, 74, 75, 76, 79, 80, 81, 82, 85, 86, 87, 88, 89, 95, 99, 100, 117, 127, 128, 134, 135, 142, 143, 154, 163, 165, 168, 169, 170, 177, 179
HTTP Editor 32, 51, 59, 74, 79, 80
HTTP Fuzzer 32, 86
HTTP General 127
HTTP Sniffer 11, 15, 32, 41, 71, 134
HTTP Tuning 128
httpd.conf 10
HTTPS 7, 9, 11, 12, 67, 170
I
IIS 9, 40, 43, 75, 167
input 7, 11, 16, 60, 64, 77, 85, 91, 97, 146, 147, 148, 162
Internet Explorer 21, 26
intranet 128
intranets 7
J
Java 9
JavaScript 7, 9, 16, 41, 42, 63, 134, 135
JRun 9
L
LDAP Injection 8
license 6, 19, 21, 29
License key 29
Login 11, 43, 44, 45, 46, 78, 124, 131, 144, 145, 146, 147
Login Sequence Recorder 11, 44
logs 8, 10, 11, 55, 116, 119, 123, 125
Lotus Domino 9
M
May Proxy 165
mod_rewrite 10
Mode 42, 43
modules 155, 174
N
Navigation 31
NTLM 17, 81, 117
O
OWASP 9, 109
P
Parameter Manipulation 162
passwords 174
PCI 9, 109
PERL 9
PHP 7, 8, 9, 11, 72, 154, 162, 167
PHPSESSID 8
POST 70, 80, 100, 149, 168, 170
print 54, 111
proxy server 16, 25, 26, 70, 71, 142, 165
PUT 7, 80, 154, 162, 170
R
references 51
report 7, 12, 18, 49, 53, 54, 90, 93, 106, 107, 108, 109, 110, 111, 112, 116, 143
reporter 7, 9, 105
Response Splitting 8
robots.txt 7, 42, 117, 135
Ruby 9
S
Sarbanes-Oxley 9
save 27, 36, 37, 46, 49, 54, 88, 101, 102, 111, 116, 118, 124, 125, 131, 132, 140, 141, 147, 148, 149, 151, 153, 172, 173, 176, 178
Saving the Scan Results 54
Scan Range of Computers 39
Scanner i, 5, 7, 9, 13, 19, 22, 25, 32, 36, 37, 42, 46, 47, 48, 56, 69, 76, 80, 86, 90, 109, 115, 120, 135, 142, 143, 144, 146, 147, 149, 150, 152, 153, 178, 179, 183
Scanning Profiles 12, 32, 33, 43, 124, 126, 153, 155, 172, 178
Scheduler 10, 12, 32, 119, 120, 121, 123, 124, 125
Script Source Code Disclosure 8
Settings 24, 25, 26, 27, 32, 36, 37, 42, 46, 47, 48, 57, 71, 112, 113, 121, 125, 126, 127, 129, 130, 132, 133, 134, 135, 136, 137, 138, 141, 142, 144, 147, 149, 150, 153
Severity 165
Site Crawler 14, 32, 57, 86, 134, 136, 137, 138, 141, 148, 179
site structure 9, 13, 41, 42, 49, 54, 57, 58, 134, 135, 165
Site Structure Node 53
Sniffer 11, 15, 16, 26, 27, 32, 41, 70, 71, 72, 73, 134, 142, 179
SOAP 95, 97, 99, 100
SQL Injection 5, 7, 8
SSL 5, 27
Subdomain 9, 32, 69
Support 9, 10, 114, 130, 131, 180, 181
System requirements 21
T
technologies 7, 11, 25, 40, 162, 167
template 53, 72, 88, 102, 104, 105, 107, 110
Test Database Editor 161, 178
Test description 165
Test Group 163, 164, 165, 173, 174, 175, 176, 177, 178
Test Item 173, 175, 176, 177
Text Search 162
Toolbar 31, 32, 57, 101, 106, 111, 120, 121, 123, 173
TRACE 7, 80
Trap rules 72
U
updates 17, 127
Updates 127
URI 8, 170
URL Rewrite 10, 138, 139, 140
V
variables 74, 80, 81, 165, 168, 169, 170, 177
Version 7, 18, 19, 29, 162, 163, 165, 168, 170
Version Check 162
Vulnerability i, 5, 7, 11, 13, 17, 19, 22, 25, 51, 53, 55, 76, 107, 109, 110, 115, 120, 161, 162, 163, 164, 165, 167, 168, 173, 174, 175, 176, 177, 178, 179, 183
vulnerability editor 161, 172
W
web attack 11
Web Scanner 32, 80
Web Server 7, 164, 167
Web Services 8, 9, 10, 32, 33, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 179
Web Services Editor 9, 32, 95, 99
wizard 21, 23, 38, 46, 47, 48, 70, 102, 108, 109, 110
X
XFS 8
XML 81, 95, 96, 97, 98, 116, 154, 162, 179
XPath Injection 8
XSS 7, 43, 154, 162