Creating custom vulnerability checks for Acunetix WVS

Vulnerability checks in Acunetix Web Vulnerability Scanner consist of two files:

  • *.script - The actual vulnerability check written in JavaScript.  Such scripts are stored in the <C:\ProgramData\Acunetix WVS 8\Data\Scripts> directory.
  • *.xml - This file contains all the documentation related to the vulnerability, such as vulnerability details, remediation, severity level and other details.  These XML files use VulnXML format and are stored in the <C:\ProgramData\Acunetix WVS 8\Data\Scripts\XML> subdirectory in the Acunetix WVS installation directory.

Creating a new vulnerability check

1. Writing the Vulnerability check script

To write a new vulnerability check script, you can use any text editor of your choice, or the WVS Scripting tool, which is available for free.

The tool and the detailed Acunetix WVS scripting reference can be downloaded from the following URL: http://www.acunetix.com/download/tools/WVSSDK.zip.  Once downloaded, extract the tool into the same Acunetix WVS installation directory.  We recommend you use our tool since it is specifically designed to assist you in writing Acunetix WVS vulnerability checks.  It also includes a number of functions to help you test your scripts.

2. Writing the vulnerability XML file (VulnXML format)

To create a new XML file using VulnXML format, use the Acunetix WVS Vulnerability Editor, which is available from the Acunetix WVS Program Group.

Follow the procedure below to create a new VulnXML file for a custom vulnerability check:

  1. Right-click the VulnXML node and select ‘Add Vulnerability’.
  2. Specify the VulnXML filename and also specify if you want to use the default template.
  3. Specify all the required details to populate the VulnXML vulnerability file.  For a detailed description of all available fields, refer to the following list:
    1. Name - The name of the vulnerability (e.g., could be the same as the name given to the VulnXML file)
    2. Version - Test version number
    3. Released - Date when the test/vulnerability was created (yyyy/mm/dd)
    4. Updated - Date when this vulnerability was last updated (yyyy/mm/dd)
    5. Severity - Defines the vulnerability level, e.g. high severity indicates that if this test generates failures, the target being scanned has a severe vulnerability
    6. Alert - Defines if the alert is to be triggered on success or failure of the test
    7. Type - Select the type of vulnerability from the drop-down menu, e.g. parameter manipulation, canonicalization etc.
    8. Affects - Defines which components of the target are affected by the vulnerability, e.g. server, directory etc.
    9. Description - This field should contain a description of the vulnerability
    10. Impact - This field should contain information on the impact if the vulnerability is exploited
    11. Recommendation - This field should contain a number of recommendations to help the developer eliminate the reported vulnerability
    12. Detailed Information - This field should contain a detailed technical description of the reported vulnerability
    13. Tags - Tags related to the vulnerability

In the ‘References’ tab you can specify links to additional information about the vulnerability (e.g., cause and related fix).  You can add additional references by right-clicking and selecting ‘Add reference’.

  1. Database - Specify the Link heading/title of the article/information
  2. URL - Contains the URL.
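
A pre-entry lint for the fields and references listed above, given as an added example that is not part of the original post or of the Acunetix SDK. The object shape, the property names and the choice of which fields to treat as mandatory are assumptions; the code works on a plain JavaScript object and does not parse VulnXML.

```javascript
// Added example. The object shape, property names and REQUIRED set are assumptions
// mirroring the field list above; nothing here reads or writes VulnXML files.
const REQUIRED = ["name", "version", "released", "updated", "severity", "alert",
  "type", "affects", "description", "impact", "recommendation"];

// Parse a yyyy/mm/dd string; return a UTC timestamp, or null if it is not a real date.
function parseDate(text) {
  const m = /^(\d{4})\/(\d{2})\/(\d{2})$/.exec(String(text));
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls over impossible days (02/30), so compare the parts back.
  const real = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  return real ? dt.getTime() : null;
}

function lintCheck(meta) {
  const problems = [];
  for (const field of REQUIRED) {
    if (typeof meta[field] !== "string" || meta[field].trim() === "") {
      problems.push(`missing field: ${field}`);
    }
  }
  const released = parseDate(meta.released);
  const updated = parseDate(meta.updated);
  if (meta.released && released === null) problems.push("released is not a valid yyyy/mm/dd date");
  if (meta.updated && updated === null) problems.push("updated is not a valid yyyy/mm/dd date");
  if (released !== null && updated !== null && updated < released) {
    problems.push("updated is earlier than released");
  }
  // Each reference needs a title (the Database field) and an http(s) URL.
  (meta.references || []).forEach((ref, i) => {
    if (!ref.database || !ref.database.trim()) problems.push(`reference ${i + 1}: missing Database title`);
    let url = null;
    try { url = new URL(ref.url); } catch (e) { /* reported on the next line */ }
    if (!url || !/^https?:$/.test(url.protocol)) problems.push(`reference ${i + 1}: URL is not http(s)`);
  });
  return problems;
}

// Constructed sample record, not taken from any real check.
const sample = {
  name: "Example_Custom_Check", version: "1", released: "2012/03/05", updated: "2012/03/13",
  severity: "high", alert: "failure", type: "parameter manipulation", affects: "directory",
  description: "Constructed text.", impact: "Constructed text.", recommendation: "Constructed text.",
  references: [{ database: "Constructed reference title", url: "https://example.test/advisory" }],
};
console.log(lintCheck(sample));
```

An empty array means the record passed; each string in the result names one field to correct before saving the VulnXML file.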

Modifying Vulnerability check

Note: The built-in vulnerability checks cannot be modified.  Only their VulnXML files (vulnerability details) can be modified.

Modifying a custom vulnerability check

To modify a custom vulnerability check, open the script in the WVS Scripting tool and make the desired changes.  The WVS Scripting tool and detailed scripting reference are available from: http://www.acunetix.com/download/tools/WVSSDK.zip.

Modifying the vulnerability VulnXML file

To modify an existing vulnerability check, open the Acunetix Vulnerability Editor and select the script to edit from the VulnXML node.  Click on the section you would like to edit and make the text changes.  Once ready, click on the ‘Save’ icon (first icon) in the top left corner of the Vulnerability Editor.

To create a new XML file using VulnXML format, use the Acunetix WVS Vulnerability Editor, which is available from the Acunetix WVS Program Group.


  1. wu

    nice

    August 18, 2010 at 3:39 pm Reply
  3. rsibi

    When can we wait for the SDK for WVS8?

    March 5, 2012 at 5:31 pm Reply
    • Hi rsibi,

      We just updated the blog post with the Acunetix WVS version 8 SDK downloads.

      Stay secure!

      March 13, 2012 at 9:50 pm Reply
  4. Jensen

    The paper is WVS7. When can we wait for the paper for WVS8?

    March 28, 2012 at 4:35 pm Reply
    • Hi Jensen,

      The links in the blog post refer to the Acunetix WVS 8 SDK.

      March 28, 2012 at 4:39 pm Reply