The Scheduler application allows you to schedule scans at a convenient time without requiring Acunetix Web Vulnerability Scanner or the Acunetix Web Vulnerability Scanner Scheduler Interface to be running.
Configuring the Scheduler service
The Acunetix Scheduler has a web-based interface that can be configured through the Acunetix Web Vulnerability Scanner application settings. To access the Scheduler service settings, navigate to the Configuration > Application Settings > Scheduler node.
Configuring the Scheduler web interface
Screenshot – Scheduler web interface configuration
By default, the Scheduler web interface is only accessible via localhost and on port 8181 (http://localhost:8181). If you would like the Scheduler web interface to be accessible from other remote computers, tick the Allow remote computers to connect option. When this option is enabled, you will be prompted to specify a username and password, and HTTPS will be enabled automatically. For security reasons, login credentials must always be defined when the Scheduler web interface is configured to be accessed remotely.
Note: After changing any of the Web Interface settings and clicking the ‘Apply’ button, restart the ‘Acunetix WVS Scheduler’ service from the Windows Services console.
Screenshot – Scheduler scan options
In the Scheduler Scan Options, you can specify the path where the Acunetix Web Vulnerability Scanner scan results should be saved. By default, the scan results are saved in the My Documents folder of the Windows Public user profile, in the Acunetix WVS subdirectory.
Scanning multiple websites
From this section you can also configure the number of parallel scans launched in Acunetix Web Vulnerability Scanner. For example, if you want to scan 4 websites and their scan schedules overlap, instead of the scans being queued, another instance of Acunetix Web Vulnerability Scanner is automatically started and the scans are launched in parallel. If you are scanning a large number of websites, it is suggested to increase the number of parallel scans so their schedule does not overlap. The maximum number of parallel scans is 10 if you have the x10 instances license.
Note: The maximum number of scheduled scans that can be configured in the Acunetix Web Vulnerability Scanner scheduler is 2000.
Configuring Email notifications
Screenshot – Scheduler email notifications
In this section you can specify the settings for email notifications, such as SMTP server IP or FQDN, port, SMTP server authentication (optional) and the email address where notifications will be sent.
Excluded hours templates
Screenshot – Excluded Hours Templates
In the ‘Excluded Hours Templates’ section you can specify a range of hours during which on-going scans are paused, for example if you do not want to scan your website during times of high traffic.
Screenshot – Excluded Hours Configuration
To add a new ‘Excluded Hours Template’ click on the Add button and then:
- Specify a name for the template in the Name input field.
- Highlight the hours of the day when scans should not run.
- Click OK to save the new template.
Note: If a scan is still running during the excluded hours, the scan will be automatically paused and resumed again when scanning is allowed.
Creating a Scheduled scan
- Access the Scheduler interface by clicking the Scheduler icon on the toolbar in the Acunetix Web Vulnerability Scanner interface, or browse to http://127.0.0.1:8181 using a web browser.
Screenshot – Acunetix Scheduler web interface
- Click on the New scan button to add a new scan. You can add as many scans as you wish. If the scan schedule overlaps, they will be scanned in parallel. You can increase or decrease the number of parallel scans from the Scheduler configuration in the Acunetix Web Vulnerability Scanner application settings.
- If you would like to import a number of scans (up to 2,000) using a CSV file, click on the Import CSV button. You can read more about this feature later in this chapter.
Scheduled Scan Basic Options
Screenshot – Acunetix Scheduler Basic options
The Basic Options allow you to specify which target/s to scan as well as the scan recursion. The recursion option lets you configure the Scheduler to run a scan Once, Every Day, Every Week, Every Month or Continuous. Set a specific day number if the schedule is set to weekly or monthly, e.g. 2nd day of the week or 21st day of the month.
Scheduled Scan Advanced Options
Screenshot – Acunetix Scheduler Advanced options
The Advanced Options allow you to configure:
- Scanning Profile
- Login Sequence
- Scan Settings template
- Scan Mode
- Excluded Hours Template
Scheduled scan results and reports
Screenshot – Acunetix Scheduler Scan results and Reports
In the Scan results and reports section, you can select to save the scan results to the reporting database, save the scan logs, and generate a report. You can also specify in which format you want the report to be generated and an email address where the scan results are sent. If no email address is specified, the email address configured in the scheduler settings is used.
In addition, the Report template field allows you to specify which report template to use. You can choose among four templates: Affected Items, Developer Report, Executive Summary and Quick Report.
Importing Scheduling Scans
You can also import scheduled scans from a CSV file. The format of the CSV file is described next.
CSV File Properties
Each line in the CSV file should only contain one scan. For each scan you should specify the following properties:
- URL – Specify the URL with or without protocol (http and https). If no protocol is specified, http is used. This entry is mandatory.
- Date – Specify the date when the scan should be launched. The date format is MMDDYYYY and should be a single string. E.g. if a scan is to be scheduled for the 5th of November 2014, the date should be 11052014. This entry is mandatory.
- Time – Specify the time when the scan should be launched. The time format is 24 hours and should be a single string of 4 digits. E.g. 10am should be 1000 and 10pm should be 2200. This entry is mandatory.
- Scanning Profile – Specify the name of an existing scanning profile to be used during the scan. If not specified, the default scanning profile will be used during the scan.
- Login Sequence – Specify the name of an existing login sequence if you want to use a login sequence during the scan. If nothing is specified, no login sequence will be used during the scan.
- Scan Settings – Specify the name of an existing scan settings template. If no scan settings template is specified, the default scan settings template will be used.
- Scan Mode – Specify the scan mode to be used during the scan. The options are quick, heuristic and extensive. If no scan mode is specified, the default scan mode will be used.
- Generate Report – Specify if a report should be generated after the scan. The options are yes or no. If nothing is specified, no report will be generated.
- Report Format – If you specified the generate report option, then you have to specify the report format as well. The options available are PDF, RTF, REP or HTML. If you do not specify any format, a PDF report will be generated.
- Notification Email Address – Specify the email address where the email should be sent upon completion of the scan. If an email address is not specified, the default email address configured in the Acunetix Web Vulnerability Scanner GUI will be used.
If you would like to omit an entry so the default value is used, simply leave a space between the commas. Some examples follow:
Example 1: To scan testphp.vulnweb.com on the 5th of November 2014 at 10pm using the default values, use the below line in the CSV file:
http://testphp.vulnweb.com,11052014,2200, , , , , , ,
Example 2: To scan testasp.vulnweb.com on the 5th of November 2014 at 3:15pm using the XSS (Cross-site scripting) scanning profile, without login sequence, default scan settings, using the extensive scanning mode, generate a PDF report and send the results to email@example.com, use the below example:
http://testasp.vulnweb.com,11052014,1515,XSS, , ,extensive,yes,PDF,firstname.lastname@example.org
Note: Scans imported from a CSV file will only be executed once. It is not possible to configure recurring scans using the CSV file import feature.
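A pre-import check for the CSV format described above, as an added example that is not part of the original documentation or of Acunetix itself: it validates each line against the rules listed under CSV File Properties and the 2,000-scan import limit. The case-insensitive matching of scan mode, report option and report format, and the minimal shape check on the email address, are assumptions; the sample rows are the page's two example lines plus one constructed bad line.

```python
import csv
import io
import re
from datetime import datetime

# Allowed values and the import limit, as listed on this page.
ALLOWED = {"scan mode": {"quick", "heuristic", "extensive"},
           "generate report": {"yes", "no"},
           "report format": {"pdf", "rtf", "rep", "html"}}
MAX_SCANS = 2000


def validate_row(fields):
    """Return the problems found in one CSV row (empty list means valid)."""
    if len(fields) != 10:  # the ten properties, in the order documented
        return [f"expected 10 fields, got {len(fields)}"]
    # A space between commas means "use the default", so strip every field.
    url, date, time, _, _, _, mode, report, fmt, email = (f.strip() for f in fields)
    problems = [] if url else ["URL is mandatory"]
    try:  # exactly 8 digits, and a real calendar date (no month 13, no 30 Feb)
        datetime.strptime(date if re.fullmatch(r"[0-9]{8}", date) else "", "%m%d%Y")
    except ValueError:
        problems.append(f"date {date!r} is not MMDDYYYY")
    if not re.fullmatch(r"([01][0-9]|2[0-3])[0-5][0-9]", time):
        problems.append(f"time {time!r} is not 24-hour HHMM")
    # Assumption: the optional keyword fields are matched case-insensitively.
    for (name, allowed), value in zip(ALLOWED.items(), (mode, report, fmt)):
        if value and value.lower() not in allowed:
            problems.append(f"{name} {value!r} not in {sorted(allowed)}")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+", email):
        problems.append(f"notification address {email!r} is malformed")
    return problems


def validate_csv(text):
    """Map 1-based line number to problems, for each invalid line of the file."""
    rows = [(n, r) for n, r in enumerate(csv.reader(io.StringIO(text)), 1) if r]
    errors = {n: p for n, r in rows if (p := validate_row(r))}
    if len(rows) > MAX_SCANS:
        errors[0] = [f"{len(rows)} scans exceed the import limit of {MAX_SCANS}"]
    return errors


# Constructed sample: the page's two example lines plus one deliberately bad line.
SAMPLE = """\
http://testphp.vulnweb.com,11052014,2200, , , , , , ,
http://testasp.vulnweb.com,11052014,1515,XSS, , ,extensive,yes,PDF,firstname.lastname@example.org
testphp.vulnweb.com,31122014,2500, , , ,fast,maybe,DOC,nobody
"""
```

Calling `validate_csv(SAMPLE)` reports only line 3; key 0 in the result is reserved for the file-level limit check.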