Analyzing the Scan Results
The vulnerabilities discovered during the scan of a website are displayed in real-time in the Alerts node in the Scan Results window. A ‘Site Structure’ node is also shown listing the files and folders discovered.
Screenshot - Scan Results showing Alerts Summary
The Web Alerts node displays all vulnerabilities found on the target website. Web Alerts are categorized according to 4 severity levels:
- High Risk Alert Level 3 – Vulnerabilities categorized as the most dangerous, which put a site at maximum risk for hacking and data theft.
- Medium Risk Alert Level 2 – Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.
- Low Risk Alert Level 1 – Vulnerabilities derived from lack of encryption of data traffic, or directory path disclosures.
- Informational Alert – Items discovered during a scan which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or a match for a search string found in the Google Hacking Database.
More information about the vulnerability is shown when you click on an alert category node:
- Vulnerability description - A description of the discovered vulnerability. The AcuSensor logo is displayed in the Vulnerability Description for the vulnerabilities that are detected using the AcuSensor Technology.
- Affected items - The list of files vulnerable to the discovered vulnerability.
- The impact of this vulnerability – Level of impact on the website or web server if this vulnerability is exploited.
- Attack details - Details about the parameters and variables used to test for this vulnerability. E.g. for a Cross Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server (including the HTML response). The attack can be inspected and re-launched manually by clicking Launch the attack with HTTP Editor. For more information, please refer to http://www.acunetix.com/blog/docs/http-editor/.
- How to fix this vulnerability - Guidance on how to fix the vulnerability.
- Detailed information - More information about the reported vulnerability.
- Web references - A list of web links providing more information on the vulnerability to help you understand and fix it.
Marking an Alert as a False Positive
If you are certain that the vulnerability discovered is a false positive, you can flag the alert as a False Positive to avoid it being reported in subsequent scans of the same website. To do this, click on the ‘Mark alert as false positive’ link or right click on the alert and select the menu option.
You can remove an alert from the false positives list by navigating to the ‘Configuration > Application Settings’ node in the Tools Explorer and selecting the ‘False Positives’ node.
Screenshot - Network, Port Scanner and Knowledge base nodes
The Network Alerts node displays network level vulnerabilities discovered in scanned network services, such as DNS, FTP, SMTP and SSH servers. Network alerts are categorized into 4 severity levels (similar to web alerts). The number of vulnerabilities detected is displayed in brackets next to each alert category. Click an alert category node to view more information (similar to web alerts).
Note: You can disable network security checks by un-ticking the ‘Enable Port Scanning’ option in the Scan Wizard. Network Security Checks are only performed on open ports detected during the scan, thus disabling port scanning will effectively disable all the network security checks.
The Port Scanner node displays all the discovered open ports on the server. Network service banners can be viewed by clicking on an open port.
Note: Port Scanning of the target server can be enabled or disabled from Acunetix WVS > Configuration > Scan Settings > Scanning Options > Enable Port Scanning.
The knowledge base node is a high level report that displays:
- List of open TCP ports found on the server, including the port banner.
- List of Network Services running on the web server and their response.
- List of files with inputs found on the website. The number of inputs per file is also shown.
- List of links to external hosts found on the website. E.g. testphp.vulnweb.com contains a link to www.acunetix.com.
- List of Client and Server HTTP error responses together with the HTTP requests that generated them. An example would be the response code Server Internal Error – HTTP 500. Check the response for information exposure.
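The last item asks you to check each error response for information exposure. The following script, added here as an example and not part of the Acunetix documentation or product, shows what that check looks like in practice: it takes a list of error responses shaped like the knowledge base entries (status code, request line, response body) and flags the kinds of exposure the alert levels above mention, namely internal IP addresses, email addresses, server-side file paths, stack traces and database error messages. The sample responses, hostnames and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample entries, shaped like the knowledge base list of
# client/server error responses. Hosts, paths and addresses are made up.
SAMPLE_ERROR_RESPONSES: List[Dict] = [
    {
        "status": 500,
        "request": "GET /search.php?q=%27 HTTP/1.1",
        "body": (
            "<html><body><b>Warning</b>: mysql_fetch_array() expects parameter 1 "
            "to be resource in <b>/var/www/html/search.php</b> on line 42<br>"
            "Contact admin@example.internal, db host 10.0.3.17</body></html>"
        ),
    },
    {
        "status": 404,
        "request": "GET /old/page.html HTTP/1.1",
        "body": "<html><body><h1>Not Found</h1></body></html>",
    },
    {
        "status": 500,
        "request": "POST /api/order HTTP/1.1",
        "body": (
            "System.NullReferenceException: Object reference not set\r\n"
            "   at Shop.Orders.Create(OrderRequest req) in "
            "C:\\inetpub\\wwwroot\\shop\\Orders.cs:line 88"
        ),
    },
]

# One compiled pattern per kind of exposure; a match means the body leaks it.
EXPOSURE_PATTERNS = {
    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
    "internal_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Windows drive paths and common Unix web/system roots
    "server_path": re.compile(
        r"(?:[A-Za-z]:\\[^\s<>\"']+|/(?:var|home|usr|etc|opt)/[^\s<>\"']+)"
    ),
    # .NET/Java/Python style trace markers
    "stack_trace": re.compile(
        r"(?:Exception\b|Traceback \(most recent call last\)|^\s+at \S+\()",
        re.MULTILINE,
    ),
    "sql_error": re.compile(r"(?:mysql_\w+\(\)|SQL syntax|ORA-\d{5}|PG::|SQLSTATE)"),
}


@dataclass
class Finding:
    status: int
    request: str
    leaks: List[str] = field(default_factory=list)


def find_information_exposure(responses: List[Dict]) -> List[Finding]:
    """Return one Finding per 4xx/5xx response whose body matches at least
    one exposure pattern. Responses with clean bodies are omitted."""
    findings = []
    for entry in responses:
        if entry["status"] < 400:
            continue
        leaks = sorted(
            name for name, rx in EXPOSURE_PATTERNS.items() if rx.search(entry["body"])
        )
        if leaks:
            findings.append(Finding(entry["status"], entry["request"], leaks))
    return findings


if __name__ == "__main__":
    for f in find_information_exposure(SAMPLE_ERROR_RESPONSES):
        print(f"HTTP {f.status}  {f.request}  leaks: {', '.join(f.leaks)}")
```

Each hit is a candidate for a Low Risk or Informational alert of its own; the 404 with a plain "Not Found" body produces nothing, which is the expected outcome for a well-configured error page.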
The Site Structure Node displays the layout of the target website including all files and directories discovered during the crawling process.
Screenshot - Site Structure
In the Crawler results (Site Structure node), color codes are used to show different file statuses. The filename color coding is as follows:
- Green – These files will be tested with AcuSensor Technology, resulting in more advanced security checks and fewer false positive alerts. From the AcuSensor Data tab, the user can see what data related to these files is being returned by the AcuSensor. This information is useful for seeing which SQL queries were executed, or whether the selected file uses functions that are monitored by AcuSensor.
- Blue – File was detected during a vulnerability test and not by the crawler. Most probably such files are not linked from anywhere on the target website.
- Black – Files discovered by the crawler.
For every discovered item, more detailed information is available in the information pane on the right-hand side:
- Info - Generic information such as file name, page title, path, length, URL etc.
- Referrers – The files or pages that linked to the tested file.
- HTTP Headers - The HTTP headers of the request sent to the web server to retrieve the selected file, and the HTTP response headers received.
- Inputs – Possible input parameters and values for the file.
- View Source - The source HTML of the page.
- View Page - The page is displayed as it is shown in a web browser. Most client side scripts are disabled in this tab for security purposes to avoid launching vulnerabilities against the computer on which Acunetix Web Vulnerability Scanner is running.
- AcuSensor Data – Any AcuSensor Technology data returned.
- Alerts – A list of alerts for the selected file.
In addition, each item contains the HTML Structure Analysis, which includes:
- A list of links discovered in the file.
- Comments discovered in the selected page. The information contained in the comments cannot be automatically analyzed but may reveal interesting information about the construction and coding of the website.
- Any forms discovered in the selected object are shown in the top window. A list of parameters and their possible values is shown in the middle and bottom windows.
- A list of META tags discovered in the selected object. META tags contain information about the website, e.g. the description and keywords META tags used by search engines. META tags with an HTTP-EQUIV attribute are equivalent to HTTP headers. Typically, such META tags control the action of browsers and may be used to refine the information provided by the actual headers. Tags using this form should have an equivalent effect when specified as an HTTP header, and in some servers may be translated to actual HTTP headers automatically or by a pre-processing tool.
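To make the HTML Structure Analysis concrete, here is an added example (written for this page, not code from Acunetix) that performs the same four extractions on a page with Python's standard library parser: links, comments, forms with their input parameters, and META tags. It also implements the two observations from the list above: links are checked against the site's own host to find external hosts (the knowledge base item earlier on this page), and META tags with an HTTP-EQUIV attribute are mapped to the HTTP header they stand in for and compared with the headers actually sent. The sample page, its hostnames and the SAMPLE_HEADERS dictionary are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample page (not a real site) exercising every element the
# HTML Structure Analysis lists: links, comments, a form and META tags.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="description" content="Demo shop">
<meta name="keywords" content="shop,demo">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="X-Frame-Options" content="DENY">
<!-- TODO: remove debug endpoint /admin/debug.php before launch -->
</head><body>
<a href="/products.php?cat=1">Products</a>
<a href="http://www.example.test/partner">Partner</a>
<form action="/login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="next" value="/account">
  <button type="submit">Login</button>
</form>
<!-- generated by BuildTool 2.3 -->
</body></html>"""

# Constructed response headers the page was served with; none of the
# META http-equiv directives above is also present as a real header.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}


class StructureAnalyzer(HTMLParser):
    """Collect links, comments, forms (with inputs) and META tags."""

    def __init__(self):
        super().__init__()
        self.links: List[str] = []
        self.comments: List[str] = []
        self.forms: List[Dict] = []
        self.meta: List[Dict[str, str]] = []
        self._form: Optional[Dict] = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta":
            self.meta.append({k: v for k, v in a.items() if v is not None})
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "inputs": []}
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form["inputs"].append({"name": a["name"], "value": a.get("value", "")})

    def handle_startendtag(self, tag, attrs):
        # <input ... /> style void tags arrive here; treat them as start tags
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def analyze(html: str) -> StructureAnalyzer:
    p = StructureAnalyzer()
    p.feed(html)
    p.close()
    return p


def external_hosts(links: List[str], own_host: str) -> List[str]:
    """Hosts linked from the page other than the site itself (relative links have no host)."""
    hosts = {urlparse(link).hostname for link in links}
    return sorted(h for h in hosts if h and h.lower() != own_host.lower())


def http_equiv_headers(meta: List[Dict[str, str]]) -> Dict[str, str]:
    """Map META http-equiv tags to the HTTP header name/value they stand in for."""
    return {m["http-equiv"]: m.get("content", "") for m in meta if "http-equiv" in m}


def meta_only_headers(meta: List[Dict[str, str]], headers: Dict[str, str]) -> List[str]:
    """http-equiv directives that were NOT also sent as real response headers,
    i.e. ones that depend entirely on the browser honouring the META form."""
    sent = {h.lower() for h in headers}
    return sorted(n for n in http_equiv_headers(meta) if n.lower() not in sent)
```

The meta_only_headers result is worth reviewing during analysis: browsers do honour Content-Security-Policy delivered via META (with a reduced set of directives), but they ignore X-Frame-Options in META form, so a page that sets it only that way has no clickjacking protection in practice and the real header should be added on the server.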
Grouping of Vulnerabilities
Screenshot – Grouping of vulnerabilities
If the same type of vulnerability is detected on multiple pages, the scanner will group them under one alert node. Expanding the alert node will reveal all the vulnerable pages. Expand further to view the vulnerable parameters for the selected page.
Saving / Loading Scan Results
When a scan is completed you can save the scan results to an external file for analysis and comparison at a later stage. The saved file will contain all the scans from the current session including alert information and site structure.
- To save the scan results click the File menu and select Save Scan Results.
- To load the scan results click the File menu and select Load Scan Results.