Acunetix is once again confirmed as one of the leaders in web application scanning with a 100% detection accuracy and 0% false positives for Reflected Cross-Site Scripting and SQL Injection vulnerabilities, together with a leading WIVET assessment score.

In the 2013/2014 Web Application Vulnerability Scanners Benchmark, information security researcher, analyst, tool author and speaker Shay Chen, compared 63 different web application scanners.

The applications were tested against a collection of 1,413 vulnerable test cases for 6 different attack vectors, each test case simulating a different unique scenario that may exist in an application.

How did Acunetix Compare to Other Web Application Scanners?

Highest WIVET Score at 94%

Acunetix achieved the highest WIVET score of 94%. WIVET (Web Input Vector Extractor Teaser) is a project that measures how well a scanner is able to crawl an application, and how well can it locate input vectors by presenting a collection of challengers that contain links, parameters and input delivery methods that the crawling process should locate and extract.

The WIVET Score of Web Application Scanners

The WIVET Score of Web Application Scanners (source:

100% Detection Accuracy & 0% False Positives

As the charts below show, Acunetix Web Vulnerability Scanner also achieved a 100% detection accuracy and 0% false positives in the detection of Reflected XSS and SQLi vulnerabilities. The scanner had a 0% rate of false positives across all tests.

The Reflected XSS Detection Accuracy of Commercial/SAAS Scanners

The Reflected XSS Detection Accuracy of Commercial/SAAS Scanners (source:

The SQL Injection Detection Accuracy of Commercial/SAAS Scanners

The SQL Injection Detection Accuracy of Commercial/SAAS Scanners (source:

Highest Score for Detection Accuracy of Old/Backup/Unreferenced Files

Acunetix also achieved the highest score amongst commercial/SAAS scanners for the detection accuracy of Old, Backup and Unreferenced Files, “a very common exposure, that may lead to source code and configuration theft.”

This is a very important vector; it’s an exposure that the benchmark author himself, as a pentester, “personally abused to download the entire source code of banks, e-commerce web sites, and credit card companies, obtained connection strings and hard-coded credentials from obsolete source code fragments and configuration files, as well as located numerous hidden entry points that were vulnerable to exposures that the rest of the application was not prone to.”

The Old/Backup/Hidden File Detection Accuracy of Commercial/SAAS Scanners

The Old/Backup/Hidden File Detection Accuracy of Commercial/SAAS Scanners (source:

Authentication, Control and Connection Features

Acunetix Web Vulnerability Scanner v9 also performed very well in the Authentication and Usability Feature Comparison, a clear sign of the scanner’s ability to support a wide array of website and web application technologies.

Authentication, Control and Connection Features Comparison

Authentication, Control and Connection Features Comparison (source:

Other Tests

Other areas where Acunetix performed fairly well and which are being studies by our team for further development, include the detection of Path Traversal/LFI, RFI, Counting Audit Features and Scanner Adaptability.

What do these results mean for Acunetix users?

The crawling coverage capability of any web application scanner is extremely important in any scan. This is especially true in point-and-shoot scans where time or methodology restrictions are present, or when the user is not a security expert that knows how to properly use manual crawling with the scanner.

Acunetix Web Vulnerability Scanner prides itself in its ability to deeply crawl websites and web applications for various vulnerabilities, including HTML5 and JavaScript-based technologies.

Deep crawling allows a scanner to detect vulnerabilities that could be exploited by a hacker. However, a scanner needs to go further. A good web application security scanner needs to also identify 100% of vulnerabilities and at the same time report little or no false positives.

This allows web security experts to be more efficient and spend more time securing their websites and web applications rather than spending countless hours sifting through false positives.

Lessons learned and future improvements

All of us at Acunetix would like to sincerely thank Shay Chen for his tireless and professional work.

In the meantime, our teams are carefully studying those areas which can be improved upon so Acunetix continues to help organisations across the globe to secure their business-critical websites and web applications.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • There’s no web application pentesting without Acunetix, that’s for sure. Thanks for your amazing product!

  • can anyone pls help me to find the difference between web inspect and acunetix….

    • The benchmark linked to from this article provides an independent review of Acunetix and 3rd party scanners. If you have additional queries, you can reach out to our sales team who can help you further.

  • Comments are closed.