43
Getting Started: Scanning Your Website
Refer to the Scanning Profiles section on page 158 for more information on how to customize existing profiles and create new scanning profiles.
Scan Options
From this section you can select the Scanning Mode which will be used during the scan. The scanning mode options are the following:
Quick - In this mode the scanner will test only the first value of every parameter.
Heuristic - In this mode the scanner will try to automatically work out which parameters need all of their values tested and which do not.
Extensive - In this mode the scanner will test all possible combinations of all parameters on the website. In some cases this can generate a huge number of requests, so it should be used with caution.
The other options which you can select are:
Test known web application vulnerabilities on every directory - If this option is selected, the scanner will test for the known web application vulnerabilities on every directory instead of only the default directory for each known vulnerability. This option will generate a lot of HTTP traffic and will extend the scanning time if the website being scanned is very large.
Manipulate HTTP headers - With this option selected, the scanner will try to manipulate the HTTP headers which might be used by server side technologies.
Check for stored XSS - Enabling this option instructs the scanner to make extra tests for XSS which may be stored in databases.
4.6 Step 5: Configure Login for Password Protected Areas
Your website may have password protected areas or pages behind an HTML feedback form (e.g. visitor registration required to download whitepapers, files etc.) using either HTTP authentication or HTML forms authentication. HTML forms authentication is not handled via HTTP itself, but rather via a web form which asks the user for a username and password. This information is sent back to the server for validation by a custom script.
HTTP authentication is part of the HTTP specification. If a site uses HTTP authentication, the browser will pop up a password dialog. The web server validates the logon against a database of users (in the case of IIS these are local Windows user accounts, and in the case of Apache these are stored in a file).
If you want Acunetix WVS to scan the pages contained within/behind the login page, then configure Acunetix WVS to authenticate to the password protected area or fill in the HTML form details.
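As an added illustration (not part of the Acunetix manual or product), the Python below shows how the two login types described above look from the scanner's side: HTTP authentication arrives as a 401 challenge with a WWW-Authenticate header, while HTML forms authentication is an ordinary page containing a form with a password field whose inputs must be filled in. The two sample responses, the `classify_login` and `basic_auth_header` helpers and the `AuthRequirement` type are all constructed for this example.

```python
import base64
import re
from dataclasses import dataclass, field
# Constructed sample responses, not captured from any real server.
HTTP_AUTH_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Restricted"\r\n\r\n'
)
FORM_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><body><form action="/login.php" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    '<input type="hidden" name="next" value="/whitepapers">'
    "</form></body></html>"
)

@dataclass
class AuthRequirement:
    kind: str                     # "http", "form" or "none"
    scheme: str = ""              # HTTP auth scheme from WWW-Authenticate
    action: str = ""              # form action the credentials are posted to
    fields: dict = field(default_factory=dict)  # form inputs to fill in

def classify_login(raw: str) -> AuthRequirement:
    """Decide which kind of login a scanner must be configured with."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in
               (h.split(":", 1) for h in header_lines if ":" in h)}
    # HTTP authentication: the server itself challenges with 401 + WWW-Authenticate.
    if status_line.split()[1] == "401" and "www-authenticate" in headers:
        return AuthRequirement("http", scheme=headers["www-authenticate"].split()[0])
    # HTML forms authentication: a normal page whose form carries a password field.
    for form in re.finditer(r"<form[^>]*>.*?</form>", body, re.I | re.S):
        if not re.search(r'type="password"', form.group(0), re.I):
            continue
        action = re.search(r'action="([^"]*)"', form.group(0), re.I)
        fields = {}
        for inp in re.finditer(r"<input[^>]*>", form.group(0), re.I):
            name = re.search(r'name="([^"]*)"', inp.group(0), re.I)
            value = re.search(r'value="([^"]*)"', inp.group(0), re.I)
            if name:
                fields[name.group(1)] = value.group(1) if value else ""
        return AuthRequirement("form", action=action.group(1) if action else "", fields=fields)
    return AuthRequirement("none")

def basic_auth_header(user: str, password: str) -> str:
    """Authorization header the browser sends after the password dialog (Basic scheme)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

For the form case the returned `fields` are exactly the inputs (including hidden ones) that the scanner's HTML form login must supply, with hidden values kept as the server sent them.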