Why did Acunetix WVS display a message window stating that URL rewrite was detected during a scan?

URL rewrite (e.g. mod_rewrite) is a common technology enabled on a web server to change the format of the requested URL on the fly, for search engine crawling purposes.

Common example:
http://testasp.vulnweb.com/showthread.asp?id=1

can be rewritten automatically into:
http://testasp.vulnweb.com/showthread.asp/id/1

?id=1 is a parameter input; however, with URL rewrite it can be rewritten to /id/1, which looks like a directory structure. Acunetix is designed to display this message when it detects a file which resides in a non-existent directory. When URL rewrite is enabled on the web server, Acunetix WVS must be configured with the ruleset which determines the rewrite structure; otherwise the crawler cannot correctly identify the site structure, and incorrect results will be reported.
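The following added example (not Acunetix code) shows why the crawler needs the ruleset: with a rule it recovers the id parameter from the rewritten URL, without one it sees only a path and no inputs. The rule in REWRITE_RULES is constructed from the example URLs above, and the function name resolve is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed ruleset in mod_rewrite style: (regex on the request path, substitution).
# Assumption for illustration; the real rules come from the site's
# .htaccess, httpd.conf or web.config.
REWRITE_RULES = [
    (r"^/showthread\.asp/id/(\d+)$", r"/showthread.asp?id=\1"),
]


def resolve(url, rules=REWRITE_RULES):
    """Map a crawled URL to (script path, input parameters, rule matched).

    If a rule matches, the pretty path is translated back to the real
    script and its query parameters. If no rule matches, the path is
    returned as-is together with whatever query string the URL carried.
    """
    parts = urlsplit(url)
    for pattern, substitution in rules:
        if re.match(pattern, parts.path):
            target = re.sub(pattern, substitution, parts.path)
            path, _, query = target.partition("?")
            return path, dict(parse_qsl(query)), True
    return parts.path, dict(parse_qsl(parts.query)), False


if __name__ == "__main__":
    rewritten = "http://testasp.vulnweb.com/showthread.asp/id/1"
    original = "http://testasp.vulnweb.com/showthread.asp?id=1"

    # With the ruleset: the scanner knows 'id' is an input to showthread.asp.
    print("with rules:   ", resolve(rewritten))
    # Without the ruleset: '/showthread.asp/id/' looks like a directory
    # holding a file named '1', and no input parameter is identified.
    print("without rules:", resolve(rewritten, rules=[]))
    # The un-rewritten form needs no rule at all.
    print("original URL: ", resolve(original))
```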

If you are using Apache web server, it is possible to import the .htaccess or httpd.conf files into the URL rewrite node of the product settings to define the ruleset accordingly. If you are using Microsoft IIS server, you can automatically import the URL rewrite rules from the web.config file.

If no URL rewrite is configured on your web server, you can turn off the message by un-ticking the option “Warn user if URL rewrite is detected” in the Site Crawler settings node.

See the section ‘Site Crawling Options > URL Rewrite’ in the Acunetix WVS user manual for more information about URL rewrite rules configuration. An example and detailed explanation of URL rewrite rules can also be found in the following FAQ: How can I write my own URL rewrite rules.
