Acunetix displays vulnerability alerts and threats in real time throughout the scan. Before scanning a website or web application, Acunetix first crawls the site to find all available inputs and links that can be manipulated later during the scanning stage. However, some web security alerts are already reported during this early crawling stage.
During the crawling stage, the Crawler uses passive analysis to identify threats of varying severity, ranging from informational alerts to high-severity vulnerabilities, without invoking the scanner: for instance, the Crawler launches no parameter manipulation tests. While the target website is crawled, the Crawler sends a number of HTTP requests to the site and inspects the responses to identify links, input forms, and information that may be revealed through comments, cookie data, or browser security settings. It can also determine, while crawling, whether the connection to the target server is secure and encrypted (HTTPS) when sensitive data is accessed.
The following is a list of the alerts, together with their severity, that the Crawler detects using passive analysis:

| Alert | Severity |
|---|---|
| DOM-based Cross-site Scripting | High |
| HTTPS connection is using SSL version 2 | Medium |
| HTTPS connection with weak key length | Medium |
| Hidden form input named price was found | Low |
| User credentials are sent in clear text | Low |
| Password type input with autocomplete enabled | Info |
| Insecure transition from HTTP to HTTPS in form post | Medium |
| SQL Statement in comment | Low |
| Internet Explorer XSS Protection disabled on this page | Info |
| Content type is not specified | Info |
| Session token in URL | Low |
| Password field submitted using GET method | Low |
| Application error message | Medium |
| Sensitive page could be cached | Low |
| Unencrypted __VIEWSTATE parameter | Info |
| Session Cookie scoped to parent domain | Low |
| Session Cookie without HttpOnly flag set | Low |
| Session Cookie without Secure flag set | Low |
| HTML form without CSRF Protection | Medium |
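To make the idea of passive analysis concrete, here is an added example (not Acunetix code) of a checker that derives several of the alerts above from a single crawled response: the URL, the response headers and the HTML, with no further request sent. The session-cookie names, the `passive_checks` and `attrs` helpers and the detection criteria are my own assumptions, not the scanner's actual rules, and the sample response is constructed.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
FORM_RE = re.compile(r"<form([^>]*)>(.*?)</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input([^>]*)>", re.I)

# Constructed sample response (not scanner output): an HTTP login page leaking a session id in the URL
SAMPLE_URL = "http://shop.example/login?PHPSESSID=deadbeef"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=deadbeef; Path=/; Domain=.example"}
SAMPLE_HTML = """<form action="https://shop.example/auth" method="get">
  <input type="password" name="pw"><input type="hidden" name="price" value="9.99">
</form>"""

def attrs(tag_body):
    """Lower-cased attribute map for one tag's attribute string."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}

def passive_checks(url, headers, html):
    """Alert names one crawled response raises, judged without sending any further request."""
    page = urlparse(url)
    host = page.hostname or ""
    found = [
        (any(k.lower() in SESSION_NAMES for k in parse_qs(page.query)), "Session token in URL"),
        ("content-type" not in {k.lower() for k in headers}, "Content type is not specified"),
    ]
    jar = SimpleCookie(headers.get("Set-Cookie", ""))
    for name, m in jar.items():
        if name.lower() in SESSION_NAMES:  # only session cookies are judged here (assumed name list)
            dom = m["domain"].lstrip(".")
            found += [
                (not m["httponly"], "Session Cookie without HttpOnly flag set"),
                (not m["secure"], "Session Cookie without Secure flag set"),
                (host.endswith("." + dom) if dom else False, "Session Cookie scoped to parent domain"),
            ]
    for form_attrs, body in FORM_RE.findall(html):
        f = attrs(form_attrs)
        action, method = f.get("action", ""), f.get("method", "get").lower()
        target = action.split(":", 1)[0].lower() if "://" in action else page.scheme  # scheme submitted to
        inputs = [attrs(i) for i in INPUT_RE.findall(body)]
        pw = [i for i in inputs if i.get("type", "").lower() == "password"]
        found += [
            (any(i.get("type", "").lower() == "hidden" and i.get("name") == "price" for i in inputs), "Hidden form input named price was found"),
            (page.scheme == "http" and target == "https", "Insecure transition from HTTP to HTTPS in form post"),
            (bool(pw) and method == "get", "Password field submitted using GET method"),
            (bool(pw) and target == "http", "User credentials are sent in clear text"),
            (any(i.get("autocomplete", "on").lower() != "off" for i in pw), "Password type input with autocomplete enabled"),
        ]
    return {name for hit, name in found if hit}
```

Running `passive_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)` on the constructed response yields eight of the alerts listed above; a response that sets `Secure; HttpOnly` on its session cookie, is served over HTTPS and posts its password form with `autocomplete="off"` yields none.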