Acunetix User Certification Test – Outline of Topics

The following is an outline of the topics candidates are expected to be familiar with for the successful completion of the Acunetix User Certification Test.

Fundamentals

  • Understanding of the purpose, function and role of Acunetix and automated security testing
  • Understanding of the fundamental stages in which Acunetix operates
    • Creating and Configuring a Target
    • Crawling and Scanning
    • Reporting and Remediation
    • Management of Vulnerabilities

Configuring a Target

  • Create and Configure a Target
  • Understanding of the Target Settings
  • Ability to include and exclude files and directories from a scan
  • Familiarity with the Advanced Target Settings

Login Sequence Recorder (LSR)

  • Understanding of the function and importance of a Login Sequence to the overall scanning process
  • Ability to create a Login Sequence
  • Ability to verify the correct operation of a Login Sequence
  • Ability to identify the need for Manual Intervention
  • Ability to configure the Login Sequence Recorder for authentication requiring Manual Intervention

AcuSensor

  • Understanding of the function and importance of AcuSensor in the overall scanning process
  • Understanding the benefits of an AcuSensor enabled scan
  • Installing/Uninstalling AcuSensor
  • Troubleshooting AcuSensor

AcuMonitor

  • Understanding the importance of AcuMonitor in the detection of Out of Band Vulnerabilities
  • Ability to analyze a blind cross-site scripting (BXSS) alert issued by AcuMonitor

Starting Scans

  • Ability to start an Instant Scan
  • Ability to schedule a scan
  • Choosing the Right Scan Type

Crawler

  • Understanding of the function and importance of the crawler in the overall scanning process
  • Ability to run a crawl
  • Ability to verify a correctly crawled directory structure
  • Ability to perform a manual crawl with external tools, and import the proxy results for use when scanning the Target

Scanner

  • Understanding of the function and importance of the scanner in the overall scanning process
  • Ability to run a scan
  • Ability to interpret scan results
  • Ability to choose the correct Scan Type
  • Understanding of verified vulnerabilities
  • Understanding of how response time affects scan speed
  • Understanding of the purpose of Selenium IDE in the context of automated web security testing with Acunetix

Vulnerability Management

  • Understanding of the Vulnerability Details provided by Acunetix
  • Filtering and Grouping Vulnerabilities
  • Marking Vulnerabilities as False Positives, Fixed or Ignored
  • Retesting Vulnerabilities
  • Exporting Vulnerabilities to a supported Web Application Firewall (WAF)
  • Sending Vulnerabilities to a supported Issue Tracker

Reporting

  • Understanding of the function and importance of reporting and the Acunetix Reporter
  • Ability to generate different types of reports
  • Ability to differentiate between Target Reports, Scan Reports and Vulnerability Reports

General Settings

  • Scan Types (previously called Scanning Profiles)
    • Understanding of the purpose of Scan Types
    • Ability to customize existing, and create new Scan Types
  • User Management
  • Grouping Targets
  • Configuring Issue Trackers
  • Configuring Excluded Hours

Manual tools

  • Familiarity with the HTTP Editor
  • Familiarity with the HTTP Sniffer
  • Familiarity with the HTTP Fuzzer
  • Ability to interpret and verify scan results using the appropriate manual tools

Web Security Concepts

  • Understanding of what a web application vulnerability is, and its business impact
  • Understanding of the concept of HTTP requests and responses
  • Understanding of the concept of Server Sessions, Cookies and Session IDs
  • Understanding of web application security best practices
  • Understanding of the concept of SQL injection (SQLi) and proper mitigation practices
  • Understanding of the concept of cross-site scripting (XSS) and proper mitigation practices
  • Understanding of the concept of cross-site request forgery (CSRF) and proper mitigation practices
  • Understanding of the concept of file inclusion/directory traversal
  • Basic understanding of out-of-band (OOB) vulnerabilities
    • Blind Cross-site Scripting (BXSS)
    • XML External Entity Injection (XXE)
    • Server-side Request Forgery (SSRF)
    • Out-of-band SQL Injection (OOB SQLi)
    • Out-of-band Remote Code Execution (OOB RCE)
    • Host Header Injection
    • Email/SMTP Header Injection
  • Familiarity with vulnerability enumeration and classification standards supported by Acunetix WVS
    • Common Vulnerabilities and Exposures (CVE)
    • Common Weakness Enumeration (CWE)
    • Common Vulnerability Scoring System (CVSS)
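The SQL injection, cross-site scripting and directory traversal items above name the concepts and their mitigations without showing them. The following is an added illustration, not part of the Acunetix outline or product: each of the three is shown as the vulnerable handler a scanner would flag next to its hardened form. The table, user names, web root and payloads are constructed for the example; only the Python standard library is used.

```python
import html
import posixpath
import sqlite3


def make_db():
    """Constructed in-memory users table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


# --- SQL injection (SQLi) ---------------------------------------------------

def lookup_user_vulnerable(conn, username):
    # Vulnerable: the attacker-controlled value becomes part of the SQL text,
    # so a quote in the input changes the query's structure.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, username):
    # Mitigation: a parameterised query keeps the input as data; the same
    # payload is compared literally against the column and matches nothing.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# --- Cross-site scripting (XSS) ----------------------------------------------

def render_greeting_vulnerable(name):
    # Vulnerable: user input is written into the HTML body unencoded.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Mitigation: context-appropriate output encoding for an HTML text node
    # (quote=True also encodes ' and " so the value is safe in attributes).
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Directory traversal -----------------------------------------------------

def resolve_under_root(root, requested):
    """Lexically resolve `requested` under `root` (assumed web root).

    Returns the normalised absolute path, or None when the request would
    escape the root via '..' segments or an absolute path.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable SQLi lookup:", lookup_user_vulnerable(conn, payload))
    print("parameterised lookup:  ", lookup_user_safe(conn, payload))
    xss = "<script>alert(1)</script>"
    print("vulnerable render:", render_greeting_vulnerable(xss))
    print("encoded render:   ", render_greeting_safe(xss))
    print("traversal attempt:", resolve_under_root("/var/www", "../../etc/passwd"))
```

The vulnerable lookup returns every user for the tautology payload because the quote closes the string literal; the parameterised version returns an empty list for the same input. Verifying a scanner finding by hand with the HTTP Editor follows the same pattern: send the payload, compare the response to the baseline, and confirm the fixed handler no longer changes behaviour.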