Scanning a Website
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!
The web server logs will show your IP address and all the attacks made by Acunetix Web Vulnerability Scanner. If you are not the sole administrator of the website please make sure to warn other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website.
To scan a website, you first need to perform the following steps:
Step 1: Select Target(s) to Scan
- Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button at the top left of the Acunetix Web Vulnerability Scanner menu bar.
Screenshot - Scan Wizard: Select Scan Type
- Specify the scan options:
- Scan single website - Enter the URL of the target website, e.g. http://testphp.vulnweb.com.
- Scan using saved crawling results - If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.
- Click Next to continue.
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options
Screenshot - Scanning Profile and Scan Settings template
The Scanning Profile determines which tests are launched against the target website. For example, to test your website(s) only for SQL injection, select the sql_injection profile; no other tests will be performed. The Default scanning profile tests your website for all known web vulnerabilities. Refer to the ‘Scanning Profiles’ section for more information on customizing or creating scanning profiles.
Scan Settings template
The Scan Settings template determines which Crawler and Scanner settings are used during a scan. Refer to the ‘Scan Settings templates’ section for more information on customizing or creating Scan Settings templates.
Advanced Crawling Options
Tick the option Show advanced options in the scan wizard to proceed to the Advanced Crawl options, which allow you to pre-seed a crawl using Selenium scripts, Fiddler Session Archives, Burp saved files and Acunetix HTTP Sniffer log files. You can also configure Acunetix to show you the list of files identified by the Crawler, giving you the option to choose which files to scan.
Step 3: Confirm Targets and Technologies Detected
Screenshot - Scan Wizard: Selecting Targets and Technologies
Acunetix Web Vulnerability Scanner automatically fingerprints the target website for the server’s operating system, the web server software and the web technologies in use. The scanner reduces scan time by running only the checks relevant to the selected technologies. For example, it will not launch IIS security checks against a Linux system running an Apache web server.
Click on the relevant field and change the settings from the provided check boxes if you would like to add or remove scans for specific technologies.
Note: If a specific web technology is not listed under Optimize for the following technologies, it does not mean that it is unsupported by Web Vulnerability Scanner, only that there are no vulnerability tests exclusive to that technology.
Step 4: Configure Login for Password Protected Areas
Two types of Login mechanisms are commonly used on the web:
HTTP Authentication - This type of authentication is handled by the web server, which prompts the user with a password dialog. Scanning an HTTP password-protected area requires that you either enter the credentials while crawling your web application, or have the credentials pre-configured in Acunetix. This is covered in more detail here.
Forms Authentication - This type of authentication is handled by a web form rather than by the HTTP layer: the credentials are sent to the server and validated by a custom script. Websites using forms-based authentication are scanned with the help of the Login Sequence Recorder, which is covered in more detail here.
Step 5: Finalize Scan Options
Screenshot - Finalize Scan Options
Before the Scan is started, the Scan Wizard will report issues which might hinder the scan. The following is a list of actions which you might be presented with:
- If an error is encountered while connecting to the target server, the error will be shown.
- If Acunetix Web Vulnerability Scanner is unable to automatically detect a custom 404 error page pattern, you will have to configure a custom 404 error page rule by clicking the Customize button. Read more about configuring Acunetix to handle Custom 404 error pages.
- If the target server uses case-insensitive URLs, you must force case-insensitive crawling. This can be done from Configuration > Scan Settings > Crawling Options > Ignore CASE differences in paths.
- If AcuSensor Technology is enabled and the target server is running PHP or .NET, you will get an error if the AcuSensor agent is not detected. Click the Customize button to install AcuSensor on the target web application.
- If additional hosts are found to be linked to from the website being scanned, you can optionally select to scan these too. You must also have authorization to scan any hosts you select.
- If a smartphone-friendly version of the website is detected, you will be given the option to crawl and scan the site as a desktop browser or as a mobile browser.
- If you have made changes to the Scan Settings template, you will be asked whether you want to save the modifications to the existing template or to a new one.
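The custom 404 check in the list above exists because many sites answer HTTP 200 for pages that do not exist, which makes every probed path look present. The Python below is an added illustration (not Acunetix code) of how a scanner can detect such a page and derive a rule from it: it requests two random paths, keeps the longest line the responses share, and applies that rule afterwards. The two fake servers are constructed stand-ins for a live target, so it runs offline.

```python
import secrets
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

Response = Tuple[int, str]   # (status_code, body): keeps the logic offline


def probe_custom_404(fetch: Callable[[str], Response], base_url: str,
                     probes: int = 2) -> dict:
    """Request random paths that cannot exist and see how the server answers.

    A server that answers HTTP 200 for a non-existent path serves a custom
    'not found' page; unless the scanner learns to recognise it, every probed
    path looks present and gets reported (false positives).
    """
    statuses, bodies = [], []
    for _ in range(probes):
        path = "/" + secrets.token_hex(8) + ".html"   # constructed random path
        status, body = fetch(base_url.rstrip("/") + path)
        statuses.append(status)
        bodies.append(body)
    if all(s == 404 for s in statuses):
        return {"custom_404": False, "pattern": None}
    # Derive a rule: the longest line shared by all probe responses. Lines that
    # echo the random path differ between probes, so they drop out by themselves.
    common = set(bodies[0].splitlines())
    for b in bodies[1:]:
        common &= set(b.splitlines())
    pattern = max((ln.strip() for ln in common if ln.strip()), key=len, default=None)
    return {"custom_404": True, "pattern": pattern}


def looks_not_found(status: int, body: str, pattern: Optional[str]) -> bool:
    """Apply the learned rule: a real 404, or a 200 whose body carries the pattern."""
    return status == 404 or (pattern is not None and pattern in body)


# Constructed fake servers standing in for a live target (no network needed).
KNOWN_PAGES = {"/index.html": "<h1>Welcome</h1>", "/login.php": "<form></form>"}

def strict_server(url: str) -> Response:
    path = urlparse(url).path
    return (200, KNOWN_PAGES[path]) if path in KNOWN_PAGES else (404, "Not Found")

def soft_404_server(url: str) -> Response:
    path = urlparse(url).path
    if path in KNOWN_PAGES:
        return 200, KNOWN_PAGES[path]
    return 200, ("<html><body>\n<h1>Oops!</h1>\n<p>The page " + path + " is not here.</p>\n"
                 "<p>Sorry, we could not find that page.</p>\n</body></html>")
```

A real scanner would feed the derived pattern back into its crawler so that only paths failing `looks_not_found` are treated as existing.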
Step 6: Start the scan
Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site.
Depending on the size of the website, scanning profile selected, and the server’s response time, a scan may take several hours.