How to scan for specific vulnerabilities

Acunetix provides a list of commonly used Scan Types which you can use to narrow the set of tests the scanner runs. If you do not need a full scan, you may choose a Scan Type to run against a Target, such as SQL Injection or Cross-Site Scripting tests only.

This is done by selecting one of the predefined Scan Types. Each Scan Type is a logical grouping of checks for a specific class of vulnerabilities.

Acunetix (on-premises)

The Scan Type may be set upon launching a new Scan. A single Target may be scanned with more than one Scan Type. Scan Types included with Acunetix (on-premises) are as follows.

  • Full Scan – Performs a thorough scan that runs all the checks required for high, medium and low severity vulnerabilities.
  • High Risk Vulnerabilities – Performs checks for what are considered high risk issues on your web application (vulnerabilities that can be exploited easily and have the highest impact).
  • Cross-Site Scripting Vulnerabilities – Checks specifically for XSS vulnerabilities.
  • SQL Injection Vulnerabilities – Scans for vulnerabilities that can potentially be exploited using SQL Injection.
  • Weak Passwords – Scans for weak or default passwords on web applications.
  • Crawl Only – Performs no vulnerability checks on the web application; it only finds all available links and buttons, producing a tree structure of the crawled web application.

Acunetix Online

In Acunetix Online, ‘Scan Types’ are referred to as ‘Scanning Profiles’. A Scanning Profile may be set upon launching a new Scan. A single Target may be scanned with more than one Scanning Profile. Scanning Profiles included with Acunetix Online are as follows.

  • Full web scan
  • CSRF web scan
  • High Risk Alerts web scan
  • SQL Injection web scan
  • Weak Passwords web scan
  • Cross Site Scripting (XSS) web scan

Two further options are provided for network scans:

  • Full network scan using safe checks
  • Full network scan that includes invasive checks

  • Your product was just used aggressively yesterday by Anonymous hackers to probe my website for attack vulnerabilities. I don’t know if you can control this in any way, but please think about it. Thank you for designing it to leave a record of its identity in the process.

  • Hi Christiaan X

    I am sorry about that. Unfortunately this is an issue which cannot be controlled, since certain individuals are using cracked versions of Acunetix WVS and scanning sites without permission.

    Version 7 scanner is sending these headers with every request:

    Acunetix-Product: WVS/7 (Acunetix Web Vulnerability Scanner – NORMAL)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

    and Version 8 scanner is sending these headers with every request:

    Acunetix-Product: WVS/8 (Acunetix Web Vulnerability Scanner – NORMAL)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

    You can change the version (WVS/*) in the Acunetix-Product header to the version of Acunetix you wish to block, such as WVS/6 or WVS/7 or WVS/8.

    If you have an application firewall like mod_security (http://www.modsecurity.org/) you are able to block these requests by defining some custom rules.

    Otherwise, you may block the attacker’s IP address.

    Here is the Apache documentation about access control (in case your web server is Apache):
    http://httpd.apache.org/docs/2.2/howto/access.html

    If you are using IIS, this document may help you to control access:
    http://www.hostmysite.com/support/dedicated/IIS/blockip/

    If you are using another web server software, consult its documentation for information on access control.

    Thank You
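The reply above describes how the scanner identifies itself through the Acunetix-Product header and suggests matching on it in an application firewall. As an added example that is not part of the original post or of Acunetix's own software, the following Python script shows the same check implemented on raw HTTP requests: it parses the header block, reads the WVS major version out of the Acunetix-Product value, and decides whether the request should be refused, either for any self-identified scanner or only for the versions you list. The function names, the request-parsing helper and the two sample requests are assumptions constructed for this example; only the header names and the "WVS/<n>" value format come from the comment.

```python
"""Identify requests carrying the Acunetix WVS identification headers.

Added example, not Acunetix's own code. The header names and the
"WVS/<n>" format come from the comment above; sample requests are
constructed, not captured traffic.
"""
import re
from typing import Dict, Optional, Set

# Header the scanner sends with every request (per the comment above).
PRODUCT_HEADER = "acunetix-product"
# Major version token inside the header value, e.g. "WVS/8 (...)".
VERSION_RE = re.compile(r"\bWVS/(\d+)\b")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into a lower-cased header map.

    Only the header block is parsed; anything after the blank line (the
    body) is ignored. Header names are compared case-insensitively, as
    HTTP requires, so "acunetix-product" and "Acunetix-Product" match.
    """
    head = raw_request.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def scanner_version(raw_request: str) -> Optional[int]:
    """Return the WVS major version advertised in Acunetix-Product, or None."""
    value = parse_headers(raw_request).get(PRODUCT_HEADER)
    if value is None:
        return None
    match = VERSION_RE.search(value)
    return int(match.group(1)) if match else None


def should_block(raw_request: str, blocked_versions: Optional[Set[int]] = None) -> bool:
    """Decide whether a request should be refused.

    With blocked_versions=None every request that identifies itself as the
    scanner is refused; otherwise only the listed major versions are, which
    mirrors editing the WVS/* token in a firewall rule.
    """
    version = scanner_version(raw_request)
    if version is None:
        return False
    return blocked_versions is None or version in blocked_versions


# Constructed sample requests (hypothetical host, not captured traffic).
SCANNER_REQUEST = (
    "GET /login.php?user=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Acunetix-Product: WVS/8 (Acunetix Web Vulnerability Scanner - NORMAL)\r\n"
    "Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED\r\n"
    "Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm\r\n"
    "\r\n"
)
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("scanner", SCANNER_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, scanner_version(req), should_block(req), should_block(req, {6, 7}))
```

The same match expressed as a ModSecurity rule would key on the REQUEST_HEADERS:Acunetix-Product variable. In either form the header is supplied by the client, so this identifies scanners that announce themselves; it is a convenience for logging and filtering, not a security boundary, and IP-based access control remains the fallback the reply points to.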

  • I’m using it only on my sites, not to attack someone else’s.
