WIVET stands for Web Input Extractor Teaser, and is a web application that is designed to test the crawling capabilities of web application scanners. WIVET has been used in web application scanner reviews, such as the reputable review by Shay Chen – The Web Application Vulnerability Scanners Benchmark.
WIVET includes a set of tests (21 at the time of writing), which test different methods that can be used to access a website. For each connection received, WIVET will create a session, which needs be maintained throughout the test. There are 2 ways that a session can be disconnected:
- Click on the Logout link (/logout.php)
- Browse to /pages/100.php
In this article, I will explain how to successfully crawl WIVET using Acunetix.
- Download WIVET from https://github.com/bedirhan/wivet
- Extract the contents of the zip file to your web server (e.g. htdocs\wivet for Apache)
- Browse to the WIVET site to ensure that it is working (e.g. http://127.0.0.1/wivet)
- Now configure Acunetix to exclude scanning the links which would void the WIVET session. Proceed as follows
- From Acunetix WVS, change to Scan Settings
- Ensure that the Default scan settings template is selected (since the Acunetix Site Crawler will always use the Default template)
- Change to Crawling options > Directory and File Filters
- Select the * URL (or create a new URL for your website)
- Click on Add Filter
- Select the new filter, and press F2
- Change the filter to “/pages/100.php” (without quotes)
- For the new entry, change the Regex to “Yes”. This can be done by clicking in the Regex column, and pressing F2
- Do the same to add “/logout.php”, Regex = Yes
- Click Apply to save your changes
- You are now ready to crawl your WIVET site. Change to Site Crawler, Enter the start URL (e.g. http://127.0.0.1/wivet/), and click Start. Wait for Acunetix to finish crawling the site.
- Change to the WIVET web interface, and click on Statistics. This will show the results for all the sessions that have been made to WIVET. The Acunetix session is expected to have over 100% coverage if AcuSensor is used, and over 94% coverage if AcuSensor is not used.
- In Statistics, WIVET will also show your session. These will generally have a coverage of 0%, unless you click on one of the tests on the side.
- If the Acunetix crawl generates 2 results for each crawl (e.g 64% and 32%), probably the Directory / File exclusions are not configured correctly, and the session is being invalidated half way. You can check this from the Crawl results, which should not show /logout.php or /pages/100.php.