Note: This articles refers to an older version of Acunetix. Click here to download the latest version. 

Nowadays, a lot of web applications are using URL rewriting. URL rewriting involves converting normal URLs to search engine friendly URLs. Usually the reason for doing this is to improve the rankings in search engines.

A search friendly URL looks like this:

Or like this:

However, these kinds of URLs are creating a lot of problems for web vulnerability scanners and their crawlers.

Below is the crawl result of a sample application that is uses the mod_rewrite module:

As seen above, the crawler is confused when dealing with such URLs, thinking that BuyProduct and Details are directories and handling them as such.  Also, the crawler did not find any inputs for this web application therefore cannot test it properly.

In order to handle this kind of situations, in the previous versions of Acunetix WVS we implemented a solution that allows defining rewrite rules through a graphical tool where the user can manually define the rewrite rules and these rules will be parsed by the crawler and the crawler will rewrite the URLs automatically. Another option was to import the file with the rewrite rules.

However, apart from the fact that this is a manual process, the user must manually define the rewrite rules and that’s not always an easy task,  sometimes it’s very complicated or even impossible.  In companies where freelance web developers are hired, usually the administrator auditing the site is only administering the server and is not responsible for the actual content of the site or not familiar with the source code of the site.

Because the AcuSensor Technology has inside information from the scanned application, it can provide information to the crawler about the actual filenames and about input parameters.  Therefore when AcuSensor Technology is enabled on the website, the crawler can correctly parse the site structure and the file inputs and able to properly test the web application.

As seen above, the crawl results for the same site when AcuSensor Technology is enabled, the real files appear in the crawl results: buy.php and details.php.

Also, now the crawler has information about the input parameters for these files (GET param id and the list of possible values). Therefore, the scanner can properly audit the web application.

Other files have been discovered in the application directory (database_connect.php, takeover.php, …).  One of these files also has an input parameter and can be tested even if this file is not directly linked from the website.  With a typical black box scanner such files are never audited.

The AcuSensor Technology is available in Acunetix WVS version 6 and has a number of advantages that will improve the quality of the scan results.

Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.