As an automated black-box web application security scanner, Acunetix performs a series of tasks to identify web application vulnerabilities as outlined below.

1 – Target identification

  1. Acunetix checks if the Target in question is reachable and running a web server, and therefore serving requests over the HTTP protocol.
  2. Acunetix fingerprints the web server to identify popular technologies that the web server might be using. This allows the scanner to identify the type of web server (e.g. Apache HTTP Server, Nginx, IIS…), the server-side language being used (e.g. PHP, ASP.NET, Java/J2EE, Python, NodeJS…) as well as the operating system the web server is running on. This information allows the scanner to automatically tune itself to the Target to be scanned – for example, certain vulnerabilities will only exist on Windows servers, or specific versions of PHP.

2 – Site crawling and structure mapping

  1. The index file is requested from the web server. This is determined by the start URL (e.g. will load index.html).
  2. Once a response is received, DeepScan is launched, executing any JavaScript present on the web page.
  3. The Crawler, hand-in-hand with DeepScan will follow links, map input fields and parameters. This contributes to building a list of directories and files within the site.

3 – Security analysis performed against the site structure

  1. Acunetix launches a number of security tests against the target website
  2. As Acunetix discovers vulnerabilities, alerts are reported in real-time. Each alert produces detailed information about the vulnerability, recommendations on how to fix it, as well as several links through which the user can learn more about the reported vulnerability and how to fix it.

After a scan is completed scan results may exported to an XML format, submitted to Issue Tracker, exported to a WAF for virtual patching, or generated into to a variety of reports.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • Hello , I have a doubt.
    So if the person disables the server header completely, which means that the header won’t contain the name of the server, how will you fingerprint the web server now? Or what if I change the server header to wrong ones, Example I change tomcat’s server header to nginx, Can you find the real name of the server then?

    • Hi,

      Acunetix does make use of banner information returned by the server as part of it’s fingerprinting. If you wish, you may also manually set the technology a Target is using from the Target’s ‘Advanced’ tab > Enable ‘Technologies’ and check the technologies you would like to manually optimize the scan for.

  • Hello, I want to invest further into Acunetix’s structure (like how it were made, how does it work,…). Is there any documents suitable for my case? Seems like I can’t find any on the main website. Thanks in advanced.

  • Hello,

    One of our customer’s scanned our application software and we know in fact we this feature that they are looking for (ie: Non-compliance to multiple ASC password requirements); and they are using your software and it is reported that we do not have this features.

    How do you determine as such as you have no access to our feature sets and your Vulnerability Scanner software report this.

    Now, our customer is forcing us to fix or patch our software for something that we already have.

  • Comments are closed.