FAQ: Can I scan a website that uses URL rewrite without specifying URL rewrite rules in Acunetix WVS?

Yes. Although it is not recommended, you can still scan a website that has URL rewrite enabled without specifying any URL rewrite rules in Acunetix Web Vulnerability Scanner. Unlike other scanners, Acunetix WVS will advise you once it detects that the target website has URL rewrite enabled (as shown in the screenshot below). The automatic notification can be switched off by un-ticking the option ‘Warn user if URL rewrite is detected’ in the Site Crawler settings node.

If you do not specify any URL rewrite rules in the URL Rewrite settings node, the scan results are likely to include a number of false positives, and some of the inputs on the target website will not be identified. The result is an incomplete and invalid scan.

If for some reason you do not want to, or cannot, import the URL rewrite rules into Acunetix WVS, disabling the following security checks will help reduce the number of reported false positives and avoid infinite scan loops during a scan:

Scripts\PerFile\Backup_File.script
Scripts\PerFolder\Possible_Sensitive_Directories.script
Scripts\PerFolder\Possible_Sensitive_Files.script

To disable the above security checks, navigate to the Configuration > Scanning Profiles node and un-tick these tests in the scanning profile of your choice, as highlighted in the screenshot below.
