Configuring Scan Targets
Scan Targets are the web and perimeter servers that you would like to scan using Acunetix OVS. These will need to be configured in Acunetix OVS before they can be scanned. Once configured, a scan target can be scanned repeatedly.
There are two types of Scan Targets that you can configure:
- Web Scan Targets – this is where your website and web applications are hosted. Both Network and Web Vulnerability scans can be launched against such scan targets.
- Perimeter Network Scan Targets – these are scan targets that host any other type of service exposed on the internet; such as your firewall, router, mail server, DNS server etc.
All scan targets can be configured from the 'Scan Targets' menu. The configuration of Network and Web Scan Targets is very similar and differs only in the information provided for authentication purposes. Proceed as follows to create a new scan target:
- From the ‘Scan Targets’ menu, select 'Add Scan Target'.
Screenshot - Add Scan Target option
- Provide a name that will allow you to easily identify this scan target. You also have the option to provide a description of the scan target.
Screenshot - Configure Scan Target Details
- Insert the URL of the website or web application, or the IP of the server you would like to scan.
- Configure Web and/or Network Specific options (explained in the next section).
- Click ‘Add Scan Target’ when complete.
Verifying Scan Target Ownership
Once you create a new scan target, you will be asked to verify ownership of the scan target. Scan target verification will depend on the type of scan that you intend to launch against the scan target.
In summary, web vulnerability scans require the unique verification file to be present in the root of the web server before a scan starts. This is required for all your scan targets against which you wish to run web scans.
Network vulnerability scans require that we verify your account details. This is a one-time process, and you may be contacted by a member of our support team to complete it.
Screenshot - Scan Target Verification required
Web Scan Verification
Web scan verification is a 3 step process.
- Download the unique verification file assigned to your new scan target.
- Upload the verification file to the root of the site (using FTP for example).
- From the configuration of the scan target in Acunetix OVS, click on 'Verify Ownership' to complete the verification process.
Note: The verification file needs to be kept in the root of the site, since Acunetix OVS will check for the verification file each time it scans the server. If a deployment or clean-up removes the file, subsequent scans of that scan target will fail verification until it is restored.
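Before clicking 'Verify Ownership', it is worth confirming from outside that the file is actually being served from the server root. The following Python script is an added example, not part of the Acunetix documentation and not an Acunetix tool: it reduces the scan target URL to the server root, fetches the verification file from there and only reports success when the response is a direct HTTP 200 carrying exactly the bytes of the downloaded file. A redirect to another page, a soft-404 page returned with status 200, a file uploaded under a sub-path instead of the root, or a file altered by a text-mode FTP transfer is therefore caught before the verification attempt fails. The file name acunetix-verify.txt, the target URL and the file contents used in the demo are constructed assumptions; substitute the ones assigned to your scan target.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def site_root(target_url: str) -> str:
    """Reduce a scan target URL to the server root.

    https://www.example.com/app/login.php -> https://www.example.com/
    The verification file must live at the root, not under the application path.
    """
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {target_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def fetch_with_urllib(url: str):
    """Default fetcher: returns (status, final_url, body), following redirects.

    Non-2xx responses are returned rather than raised so the caller can report
    the status code.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "verification-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.read()


def check_verification_file(target_url: str, filename: str, expected: bytes, fetch=fetch_with_urllib):
    """Return (ok, reason). ok is True only if the exact bytes are served at the root.

    `fetch` is injectable so the logic can be exercised offline with a stub.
    """
    url = site_root(target_url) + filename
    try:
        status, final_url, body = fetch(url)
    except Exception as exc:  # DNS failure, timeout, TLS error, connection refused ...
        return False, f"request to {url} failed: {exc}"
    if status != 200:
        return False, f"{url} returned HTTP {status}; is the file in the document root?"
    if final_url != url:
        # A redirect (e.g. to a landing page) means the root itself did not serve the file.
        return False, f"{url} redirected to {final_url}; the file must be served directly from the root"
    if body != expected:
        if body.strip() == expected.strip():
            return False, "content differs only in whitespace or line endings (text-mode FTP transfer?)"
        return False, "content differs from the downloaded verification file (soft 404 or wrong file?)"
    return True, f"{url} serves the expected verification file"


if __name__ == "__main__":
    # Constructed demo data; a stub fetcher stands in for the network so this runs offline.
    expected = b"acunetix-verification-token-example\n"

    def stub_fetch(url):
        return 200, url, expected

    print(check_verification_file("https://www.example.com/app/", "acunetix-verify.txt",
                                  expected, fetch=stub_fetch))
```

For a live check, read the downloaded file with `open(path, "rb").read()` as `expected` and omit the `fetch=` argument so the real HTTP fetcher is used. Because the scanner re-checks the file on every scan, the same function is a useful guard in a deployment pipeline that rewrites the document root.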
Network Scan Verification
- For network scans you will need to verify your account details and have them confirmed by an Acunetix representative.
- From within the configuration of your scan target, in the Network Scan Verification, click ‘Proceed to verify my details’, or you can go directly to Account Settings > Profile.
- Confirm that your account details are correct, and update as needed.
Screenshot - Verify account details
- From within the Account Verification section, you can request the verification of your account details.
- You will immediately receive an automated call to the phone number specified and will be given a one-time code. You will need to enter this code into Acunetix as part of the account verification process.
- An Acunetix representative may get in touch with you within 24 hours to complete the verification.
- Once your account details have been verified, you can launch network vulnerability scans on all your scan targets.
Contact us at email@example.com if you require help with the verification process.
Note: When listing the scan targets, the Status column will indicate the verification status of each scan target configured. This will allow you to easily identify the ones that still need to be verified.
Web Server Scan Settings
In the web server scan settings, you can configure any authentication settings required to access restricted areas within the website. You can also generate a unique AcuSensor agent for your scan target.
Configuring Web Site Authentication
If the new scan target is a web application or a website, you might need to scan restricted areas within the web application. The information used to access the restricted area can be configured from the Web Server Scan Settings within the scan target's configuration.
Screenshot - Form-based Authentication - Automated Login
In most cases, you can select 'Automated Login (for simple web applications)'. You simply need to provide the Username and Password used to access the restricted area. The scanner will automatically detect the login link, the logout link and the mechanism used to keep the session active.
Screenshot - Form-based Authentication using Login Sequence Recorder
For more complex web applications, which might use a more elaborate login mechanism, you will need to download and use the Login Sequence Recorder to create a Login Sequence file (*.loginseq). This can then be uploaded and saved with your Web Scan Target settings. Information on how to use the Login Sequence Recorder can be found at http://www.acunetix.com/blog/docs/acunetix-wvs-login-sequence-recorder/
Generating and Installing AcuSensor
AcuSensor improves the scan results provided by Acunetix OVS: it identifies all the pages on your website, provides more information about the vulnerabilities detected and decreases false positives.
NOTE: Installing the AcuSensor Agent is optional. Acunetix Vulnerability Scanner is still best in class as a “black box” scanner but the AcuSensor Agent improves accuracy and vulnerability results.
The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black box Web Application Scanner while generating fewer false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information.
Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for your website for security reasons.
Acunetix AcuSensor can be used with PHP and .NET web applications.
Generating the AcuSensor files
- From within the scan target’s settings, scroll down to Web Scan Settings.
Screenshot - Generate AcuSensor files
- In the AcuSensor section, select whether to generate AcuSensor for PHP or .NET.
- Click the Generate button. You will be prompted to save the AcuSensor files.
Once you have generated and downloaded the unique AcuSensor files for your web application, you can proceed with installing AcuSensor in your web application.
Network Server Scan Settings
You might also want to configure SSH credentials for your scan target. This will allow the Acunetix OVS network scanner to perform a more comprehensive network scan of the scan target. Use a dedicated, least-privilege account for this purpose rather than a shared administrative login.
Note: SSH credentials are optional. If no SSH credentials are provided, a full network scan can still be done using the same information that an external attacker would have.