FAQ: Which Web Security Alerts are Detected by the Acunetix Crawler?

Acunetix WVS displays vulnerability alerts in real time throughout a scan. Before scanning a site, WVS first crawls the website to find the input forms and links that the scanning engine will later manipulate. Some web security alerts, however, are already reported during this early crawling stage.

During the crawling stage, the Crawler can report threats of different severity, ranging from 'Info' to 'High', without using the scanning engine at all; in particular, the Crawler does not launch any parameter manipulation checks. While the target website is crawled, the Crawler sends a number of HTTP requests to the website and, from the responses, identifies links, input forms, and information that may be revealed in HTML comments, cookie data, or browser security settings. It also checks, while crawling, whether sensitive data such as user credentials is sent to the target server over an encrypted (HTTPS) connection.

Hence, the crawling stage can already detect several important threats without any active scanning: the information comes purely from harmless requests (carrying no malicious content) sent to the website and the responses it returns.

If you do not wish the Crawler to report alerts generated during the crawling stage, enable the option Disable alerts generated by crawler under the Tools Explorer > Configuration > Scan Settings > Scanning Options node, and click Apply to save the change.

Below is a list of alerts which the crawler can detect and their severity:

Title                                                    Severity
HTTPS connection is using SSL version 2                  Medium
HTTPS connection with weak key length                    Medium
Broken links                                             Info
Hidden form input named price was found                  Low
File upload                                              Low
User credentials are sent in clear text                  Low
Password type input with autocomplete enabled            Info
Insecure transition from HTTP to HTTPS in form post      Medium
Suspicious comment                                       Info
SQL Statement in comment                                 Low
Internet Explorer XSS Protection disabled on this page   Info
Content type is not specified                            Info
Session token in URL                                     Low
Password field submitted using GET method                Low
Application error message                                Medium
Sensitive page could be cached                           Low
Unencrypted __VIEWSTATE parameter                        Info
Session Cookie scoped to parent domain                   Low
Session Cookie without HttpOnly flag set                 Low
Session Cookie without Secure flag set                   Low
HTML form without CSRF Protection                        Medium
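To make concrete how alerts like these can be raised from the crawl alone, here is an added example (not Acunetix code, and not how WVS itself is implemented) of passive checks run over a single crawled response. It only inspects what a crawler already holds, the response headers and the HTML body, and raises a subset of the alerts from the table above with the same titles and severities. The URL, headers, cookie and HTML are constructed sample input; the list of session cookie and parameter names, and the "name contains csrf or token" heuristic for the CSRF check, are assumptions of this example, not the product's rules.

```python
"""Passive crawl-time checks over one HTTP response (added example, not Acunetix code).
The session name list and all sample input below are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}  # assumed list
SQL_IN_COMMENT = re.compile(r"\b(select|insert|update|delete)\b.+\b(from|into|set|where)\b", re.I)


class _Collector(HTMLParser):
    """Gathers forms (with their inputs), anchor hrefs and HTML comments from a page."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self.comments, self._form = [], [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}  # names arrive lower-cased; values lowered here
        if tag == "form":
            self._form = {"method": a.get("method", "get"), "action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data)


def check_response(url, headers, body):
    """Return [(title, severity)] alerts for one crawled page, titled as in the table above."""
    alerts, is_https = [], urlsplit(url).scheme == "https"
    if not any(k.lower() == "content-type" for k, _ in headers):
        alerts.append(("Content type is not specified", "Info"))
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name_value, *parts = value.split(";")
        attrs = dict(p.strip().lower().partition("=")[::2] for p in parts)  # {'path': '/', 'httponly': ''}
        if name_value.split("=", 1)[0].strip().lower() in SESSION_NAMES:
            if "httponly" not in attrs:
                alerts.append(("Session Cookie without HttpOnly flag set", "Low"))
            if is_https and "secure" not in attrs:
                alerts.append(("Session Cookie without Secure flag set", "Low"))
            if attrs.get("domain", "").startswith("."):
                alerts.append(("Session Cookie scoped to parent domain", "Low"))
    doc = _Collector()
    doc.feed(body)
    for form in doc.forms:
        inputs, action = form["inputs"], urlsplit(form["action"])
        passwords = [i for i in inputs if i.get("type") == "password"]
        if passwords:
            if form["method"] == "get":
                alerts.append(("Password field submitted using GET method", "Low"))
            if any(i.get("autocomplete", "on") != "off" for i in passwords):
                alerts.append(("Password type input with autocomplete enabled", "Info"))
            if action.scheme == "http" or (not action.scheme and not is_https):
                alerts.append(("User credentials are sent in clear text", "Low"))
            if action.scheme == "https" and not is_https:  # plain-HTTP page posting to HTTPS
                alerts.append(("Insecure transition from HTTP to HTTPS in form post", "Medium"))
        if any(i.get("type") == "hidden" and i.get("name") == "price" for i in inputs):
            alerts.append(("Hidden form input named price was found", "Low"))
        if any(i.get("type") == "file" for i in inputs):
            alerts.append(("File upload", "Low"))
        # Assumed heuristic: a POST form with no input whose name suggests an anti-CSRF token.
        if form["method"] == "post" and not any(
                "csrf" in i.get("name", "") or "token" in i.get("name", "") for i in inputs):
            alerts.append(("HTML form without CSRF Protection", "Medium"))
    for href in doc.links:
        if any(p in SESSION_NAMES for p in parse_qs(urlsplit(href).query)):
            alerts.append(("Session token in URL", "Low"))
    for comment in doc.comments:
        if SQL_IN_COMMENT.search(comment):
            alerts.append(("SQL Statement in comment", "Low"))
    return alerts


# Constructed sample: a plain-HTTP login page carrying several of the weaknesses above.
SAMPLE_URL = "http://shop.example.test/login"
SAMPLE_HEADERS = [("Server", "Apache"), ("Set-Cookie", "PHPSESSID=abc123; Path=/; Domain=.example.test")]
SAMPLE_BODY = """<html><body>
<!-- TODO remove debug query: SELECT * FROM users WHERE id=1 -->
<form method="get" action="/login"><input type="text" name="user"><input type="password" name="pass"></form>
<form method="post" action="/cart"><input type="hidden" name="price" value="9.99"><input type="submit"></form>
<a href="/account?PHPSESSID=abc123">My account</a>
</body></html>"""

if __name__ == "__main__":
    for title, severity in check_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{severity}] {title}")
```

Run stand-alone, the sample page yields ten alerts (missing content type, the two cookie findings, the four login-form findings, the hidden price field, the POST form without a token, the session ID in a link and the SQL in the comment). Note that the Secure-flag check is only raised for pages served over HTTPS, and the "insecure transition" alert fires for the opposite situation to the clear-text one: an HTTP page whose form posts to HTTPS, where the page itself could have been tampered with in transit.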
