Acunetix WVS User Certification Test – Outline of Topics

The following is an outline of the topics candidates are expected to be familiar with for the successful completion of the Acunetix WVS User Certification Test.

Fundamentals

  • Understanding of the purpose, function and role of Acunetix WVS and automated security testing
  • Understanding of the three fundamental stages in which Acunetix WVS operates
    • Crawling
    • Scanning
    • Reporting and Remediation

Crawler

  • Understanding of the function and importance of the crawler in the overall scanning process
  • Ability to run a crawl
  • Ability to verify a correctly crawled directory structure
  • Ability to verify a correctly represented input scheme on a page from a correctly crawled directory structure
  • Ability to perform a manual crawl with the external tools, import the proxy results and start a scan using the proxied results

Scanner

  • Understanding of the function and importance of the scanner in the overall scanning process
  • Ability to run a scan using the Scan Wizard
  • Ability to interpret scan results
  • Ability to differentiate between scanning modes
    • Quick
    • Heuristic
    • Extensive
  • Ability to include and exclude files and directories from a scan
  • Understanding of verified vulnerabilities
  • Understanding of how response time affects scan speed
  • Understanding of the purpose of Selenium IDE in the context of automated web security testing with Acunetix WVS

Login Sequence Recorder (LSR)

  • Understanding of the function and importance of a Login Sequence to the overall scanning process
  • Ability to create a Login Sequence
  • Ability to verify the correct operation of a Login Sequence
  • Ability to identify the need for Manual Intervention
  • Ability to configure the Login Sequence Recorder for authentication requiring Manual Intervention

Application Settings

  • Understanding of the purpose of Application Settings
  • Familiarity with Application Settings

Scan Settings

  • Understanding of the purpose of Scan Settings
  • Familiarity with Scan Settings

Scanning Profiles

  • Understanding of the purpose of Scanning Profiles
  • Ability to customize existing Scanning Profiles and create new ones

AcuSensor

  • Understanding of the function and importance of AcuSensor in the overall scanning process
  • Understanding of the benefits of an AcuSensor enabled scan
  • Installing/Uninstalling AcuSensor
  • Troubleshooting AcuSensor

AcuMonitor

  • Understanding of the function and importance of AcuMonitor in the overall scanning process
  • Understanding of the benefits of an AcuMonitor enabled scan
  • Ability to register with the AcuMonitor service
  • Ability to analyze a blind cross-site scripting (BXSS) alert issued by AcuMonitor

Manual tools

  • Familiarity with the HTTP Editor
  • Familiarity with the HTTP Sniffer
  • Familiarity with the HTTP Fuzzer
  • Ability to interpret and verify scan results using the appropriate manual tools

Web Service Scanning

  • Familiarity with the Web Services Scanner
  • Familiarity with WSDL, WCF, WADL, SOAP and REST terminology

Scheduling Scans

  • Ability to schedule a scan
  • Ability to configure Excluded Hours

Reporting

  • Understanding of the function and importance of reporting and the Acunetix Reporter
  • Ability to generate different types of reports

General

  • Understanding of what a web application vulnerability is, and its business impact
  • Understanding of the concept of HTTP requests and responses
  • Understanding of the concept of Server Sessions, Cookies and Session IDs
  • Understanding of web application security best practices
  • Understanding of the concept of SQL injection (SQLi) and proper mitigation practices
  • Understanding of the concept of cross-site scripting (XSS) and proper mitigation practices
  • Understanding of the concept of cross-site request forgery (CSRF) and proper mitigation practices
  • Understanding of the concept of file inclusion/directory traversal
  • Basic understanding of out-of-band (OOB) vulnerabilities
    • Blind Cross-site Scripting (BXSS)
    • XML External Entity Injection (XXE)
    • Server-side Request Forgery (SSRF)
    • Out-of-band SQL Injection (OOB SQLi)
    • Out-of-band Remote Code Execution (OOB RCE)
    • Host Header Injection
    • Email/SMTP Header Injection
  • Familiarity with vulnerability enumeration and classification standards supported by Acunetix WVS
    • CVE
    • CWE
    • CVSS v2
    • CVSS v3