FAQ: Which Web Security Alerts are Detected by the Acunetix Crawler?

Acunetix WVS displays vulnerability alerts and threats in real time throughout the scan. Before scanning a site, WVS first crawls the website to find all available input forms and links that can be manipulated later during the scanning stage. However, some web security alerts are already reported during this early crawling stage.

During the crawling stage, the Crawler can already find threats of different severity, ranging from ‘Info’ to ‘High’, without using the scanning engine at all: the crawler does not launch any parameter manipulation checks. While the target website is crawled, the Crawler sends a number of HTTP requests to the website and, from the responses, identifies links, input forms, and information that may be revealed by HTML comments, cookie data, or browser security settings. While crawling, it can also determine whether the connection to the target server is encrypted (HTTPS) at the points where sensitive data is transmitted.

Hence, the crawling stage can already detect several important threats without doing any scanning: it obtains this information simply by sending harmless requests (with no malicious content) to the website.

If you do not wish the Crawler to inform you of any alerts generated during the crawling stage, select the option Disable alerts generated by crawler under the Tools Explorer > Configuration > Scan Settings > Scanning Options node, then click Apply to save the changed option.

Below is a list of alerts which the crawler can detect, with their severity:

Title                                                    Severity
HTTPS connection is using SSL version 2                  Medium
HTTPS connection with weak key length                    Medium
Broken links                                             Info
Hidden form input named price was found                  Low
File upload                                              Low
User credentials are sent in clear text                  Low
Password type input with autocomplete enabled            Info
Insecure transition from HTTP to HTTPS in form post      Medium
Suspicious comment                                       Info
SQL Statement in comment                                 Low
Internet Explorer XSS Protection disabled on this page   Info
Content type is not specified                            Info
Session token in URL                                     Low
Password field submitted using GET method                Low
Application error message                                Medium
Sensitive page could be cached                           Low
Unencrypted __VIEWSTATE parameter                        Info
Session Cookie scoped to parent domain                   Low
Session Cookie without HttpOnly flag set                 Low
Session Cookie without Secure flag set                   Low
HTML form without CSRF Protection                        Medium
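As an added illustration (example code written for this page, not Acunetix's crawler), the Python below runs a handful of the passive checks from the table above over one crawled response, using only the request URL, the response headers and the HTML, with no parameter manipulation at all. The list of session-token names and the sample response are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}  # assumed names, not Acunetix's list

class FormParser(HTMLParser):
    # Collects each <form> (action, method) together with the attributes of its <input> tags.
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "method": a.get("method", "get").lower(), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)

def check_page(url, headers, body):
    # Passive checks over one crawled response (URL, header list, HTML); returns alert titles in detection order.
    page, alerts = urlsplit(url), []
    for raw in (v for k, v in headers if k.lower() == "set-cookie"):
        name, *rest = [p.strip() for p in raw.split(";")]
        if name.split("=", 1)[0].lower() not in SESSION_NAMES:
            continue
        attrs = {p.split("=", 1)[0].lower(): p.split("=", 1)[-1] for p in rest}
        alerts += [f"Session Cookie without {f} flag set" for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        domain = attrs.get("domain", "").lstrip(".")
        if domain != page.hostname and page.hostname.endswith("." + domain):
            alerts.append("Session Cookie scoped to parent domain")
    if not any(k.lower() == "content-type" for k, _ in headers):
        alerts.append("Content type is not specified")
    if SESSION_NAMES & {k.lower() for k in parse_qs(page.query)}:
        alerts.append("Session token in URL")
    parser = FormParser()
    parser.feed(body)
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme or page.scheme  # a relative action keeps the page's scheme
        pw = [i for i in form["inputs"] if i.get("type", "").lower() == "password"]
        if pw and scheme == "http":
            alerts.append("User credentials are sent in clear text")
        if page.scheme == "http" and scheme == "https":
            alerts.append("Insecure transition from HTTP to HTTPS in form post")
        if any(i.get("autocomplete", "on").lower() != "off" for i in pw):
            alerts.append("Password type input with autocomplete enabled")
    return alerts

# Constructed sample: an HTTP login page that sets a session cookie and omits the Content-Type header.
SAMPLE_URL = "http://shop.example.test/login?sessionid=abc123"
SAMPLE_HEADERS = [("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test")]
SAMPLE_BODY = '<form action="https://shop.example.test/login" method="post"><input type="password" name="pw"></form>'
```

Running `check_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)` yields seven of the table's alerts from a single response, which is the kind of finding the crawler reports before the scanner has sent any test payload.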
