Acunetix AcuSensor increases the efficiency of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET and PHP web applications.
Installing the AcuSensor Agent
NOTE: Installing the AcuSensor Agent is optional. Acunetix Web Vulnerability Scanner is still best in class as a “black box” scanner but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET and PHP web applications.
The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating fewer false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information.
Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.
Generating the AcuSensor files
First you will need to generate your unique AcuSensor files. Proceed as follows:
- If using Acunetix WVS, open Acunetix WVS and navigate to the ‘Configuration > Application Settings’ node. Click on the ‘AcuSensor Deployment’ node.
Screenshot – AcuSensor Deployment settings node
- If using Acunetix Online Vulnerability Scanner (OVS), you can generate the AcuSensor files from the Scan Target’s configuration. From Acunetix OVS, change to Scan Targets > List Scan Targets > Click on the Scan Target’s name. Skip to step 6.
- Enter a password or click on the padlock icon to randomly generate a password unique to the AcuSensor file.
- Select 'Also set password in currently selected settings template' to store the password specified in the scan settings template.
- Specify the path where you want the AcuSensor files to be generated.
- Select whether to generate files for a PHP website or a .NET website.
- Click on Generate AcuSensor Installation Files to generate the files.
- Depending on whether you are using an ASP .NET or a PHP website, use one of the following procedures to install the AcuSensor files.
Installing the AcuSensor agent for ASP .NET Websites
The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.
- Install Prerequisites on the server hosting the website: The AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.
- Copy the AcuSensor installation files to the server hosting the .NET website.
Screenshot – Acunetix .NET AcuSensor installation
- Double click AcuSensorInstaller.exe to install the Acunetix .NET AcuSensor agent and proceed through the installation wizard.
- You will be asked to insert the AcuSensor password. This should match the one that you used in the Acunetix settings.
- After the installation is complete, you will be prompted to launch the Acunetix .NET AcuSensor Manager.
Screenshot – Acunetix .NET AcuSensor Manager
- On start-up, the Acunetix .NET AcuSensor Manager will retrieve a list of .NET applications installed on your server. Select which applications you would like to enhance with the AcuSensor Technology and click Install Sensor to install the AcuSensor Technology sensor in the selected .NET applications. Once the sensor has been installed, close the confirmation window and also the AcuSensor manager.
Installing the AcuSensor agent for PHP websites
This section describes how to install AcuSensor in a PHP web application.
- Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.
- There are 2 methods to install the AcuSensor agent: one method can be used for Apache servers, and the other method can be used for both IIS and Apache servers.
Method 1: Apache .htaccess file
Create a .htaccess file in the website directory and add the following directive:
php_value auto_prepend_file "[path to acu_phpaspect.php file]"
Note: For Windows use "C:\sensor\acu_phpaspect.php" and for Linux use "/Sensor/acu_phpaspect.php" path declaration formats. If Apache does not execute .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.
Method 2: IIS and Apache php.ini
- Locate the file ‘php.ini’ on the server by using the phpinfo() function.
- Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file:
auto_prepend_file="[path to acu_phpaspect.php file]"
- Save all changes and restart the web server for the above changes to take effect.
Testing your AcuSensor Agent [WVS only]
To test if the AcuSensor agent is working properly on the target website, do the following:
- In the Tools Explorer, navigate to the ‘Configuration > Scan Settings’ node and select the AcuSensor node.
- Enter the password of the AcuSensor agent file which was copied to the target website.
- Click Test AcuSensor installation on a Specific URL. A dialog will prompt you to submit the URL of the target website where the AcuSensor Agent file is installed. Enter the desired URL and click OK.
Changing the AcuSensor Password [WVS only]
If you need to change the password used by the AcuSensor agent on your website, you will need to re-generate the AcuSensor Files and reinstall them on your website.
Perform the following if you are using a .NET website:
- Use the procedure in the next section to disable and uninstall the AcuSensor agent.
- Configure a new password.
This step can be omitted if you are using Acunetix Online Vulnerability Scanner, since a new unique and secure password is automatically generated each time the AcuSensor files are generated. The unique password is stored with the Scan Target’s settings.
- Click on Generate AcuSensor installation files.
- Proceed with installing the new AcuSensor files. If you are using a PHP web application, you will just need to overwrite the old acu_phpaspect.php with the new acu_phpaspect.php file.
Disabling and uninstalling AcuSensor
To disable and uninstall the sensor from your website:
AcuSensor for ASP .NET websites
- From Start > Programs, open the Acunetix .NET AcuSensor Manager
Screenshot - Select website and click Remove Sensor
- Select the website where the AcuSensor agent is installed and click Remove Sensor to remove the AcuSensor Agent from the site.
- Close the Acunetix .NET AcuSensor Manager.
- If needed, you can also uninstall the Acunetix .NET AcuSensor Manager from the Add/Remove Programs Control Panel.
AcuSensor for PHP
- If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive: php_value auto_prepend_file "[path to acu_phpaspect.php file]" from .htaccess.
- If method 2 was used to install the PHP AcuSensor, delete the directive: auto_prepend_file="[path to acu_phpaspect.php file]" from php.ini.
- Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.
Note: Although the Acunetix AcuSensor agent requires authentication, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
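A cleanup check for the PHP uninstall steps above, as an added example (not Acunetix code): it walks a directory tree and reports any remaining acu_phpaspect.php file and any active auto_prepend_file directive in .htaccess, httpd.conf or php.ini that still points to it. The function names and the sample tree built by demo() are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

SENSOR = "acu_phpaspect.php"  # agent file name given on this page
# Both patterns are anchored at line start, so commented-out lines never match.
# .htaccess / httpd.conf form: php_value auto_prepend_file "<path>"
APACHE_RE = re.compile(r"^\s*php_value\s+auto_prepend_file\s+(.+?)\s*$", re.I)
# php.ini form: auto_prepend_file="<path>"
INI_RE = re.compile(r"^\s*auto_prepend_file\s*=\s*(.*?)\s*$", re.I)
KINDS = {".htaccess": "apache", "httpd.conf": "apache", "php.ini": "ini"}


def prepend_target(line, kind):
    """Return the path an active auto_prepend_file directive loads, else None."""
    m = (INI_RE if kind == "ini" else APACHE_RE).match(line)
    return m.group(1).strip("\"'") if m else None


def audit(root):
    """Report leftover sensor files and directives that still load them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if name == SENSOR:
                findings.append(("sensor-file", rel, 0))
            kind = KINDS.get(name)
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines() if kind else []
            for lineno, line in enumerate(lines, 1):
                target = prepend_target(line, kind) or ""
                # Compare the file name only, for Windows and Linux path formats alike.
                if target.replace("\\", "/").rsplit("/", 1)[-1] == SENSOR:
                    findings.append(("directive", rel, lineno))
    return sorted(findings)


def demo():
    """Audit a constructed tree that mimics a half-finished uninstall."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real server configuration
            "Sensor/acu_phpaspect.php": "<?php /* placeholder, not the real agent */\n",
            "site/.htaccess": 'php_value auto_prepend_file "/Sensor/acu_phpaspect.php"\n',
            "php.ini": '; auto_prepend_file="C:\\sensor\\acu_phpaspect.php"\nauto_prepend_file=\n',
        }
        for rel, text in samples.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(text, encoding="utf-8")
        return audit(root)
```

Call audit() with the web root or configuration directory of the server; an empty list means neither the agent file nor a directive loading it was found under that path.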