Acunetix WVS displays vulnerability alerts and threats in real-time during the whole process of the scan. Before scanning a site, WVS first crawls the website to find all available input forms/links that can be manipulated later during the scanning stage. However, some of these web security alerts are also reported from the early stage of crawling.
During the crawling stage, the Crawler can find some threats of different severity, ranging from 'Info' to 'High', without even using the scanning engine - for instance, the crawler does not launch any parameter manipulation checks. While the target website is crawled, the Crawler sends a number of HTTP requests and connections to the website from which it tries to identify links, input forms, and information that might be revealed from comments, cookie data, or browser security settings. Moreover -- while crawling -- it can identify if the connection to the target server is secure or encrypted (HTTPS) when accessing sensitive data, etc.
Hence, the crawling stage can already detect several important threats without even doing any scanning, but by obtaining important information just by sending harmless (with no malicious content) connections/requests to the website.
If you do not wish the Crawler to inform you on any alerts generated during the crawling stage, you can disable the option Disable alerts generated by crawler from the Tools Explorer > Configuration > Scan Settings > Scanning Options node. Click Apply to save the changed option.
Below is a list of alerts which the crawler can detect and their severity:
|HTTPS connection is using SSL version 2||Medium|
|HTTPS connection with weak key length||Medium|
|Hidden form input named price was found||Low|
|User credentials are sent in clear text||Low|
|Password type input with autocomplete enabled||Info|
|Insecure transition from HTTP to HTTPS in form post||Medium|
|SQL Statement in comment||Low|
|Internet Explorer XSS Protection disabled on this page||Info|
|Content type is not specified||Info|
|Session token in URL||Low|
|Password field submitted using GET method||Low|
|Application error message||Medium|
|Sensitive page could be cached||Low|
|Unencrypted __VIEWSTATE parameter||Info|
|Session Cookie scoped to parent domain||Low|
|Session Cookie without HttpOnly flag set||Low|
|Session Cookie without Secure flag set||Low|
|HTML form without CSRF Protection||Medium|