Web application security scanning flow

Launching an automated web application security scan is not enough on its own. Maintaining a secure web application is a broader and more challenging process. Thanks to Acunetix 360’s advanced technologies, discovering issues in a web application and fixing them is easier than ever.

Acunetix 360 will help you with default options and explanations. But you also need to gather some detailed information about your web applications. This topic will help you prepare, so that you can set the correct options for your Acunetix 360 scan.

Step 1. Knowing your web application

Before launching a scan, it's best to conduct a mental inventory. The answers will help you to optimize your Scan Policies.

Do you know the following about your website Technologies?

  • Which programming (or scripting) languages were used to develop the website?
  • Is the web application based on a framework or a CMS?
  • On which operating system does the application run?
  • Are there any databases connected to the application?
  • Are you aware of all your online collateral, web applications, and services?
  • The most vulnerable components of a web application could be the login forms and the input fields (which are reported in the Knowledge Base Tab once a scan has been completed). Have you checked your websites to determine if there are any web forms or input areas? You will need them for setting up form authentication or excluding them from the Scan Scope. Excluding components will be very useful in such cases.


Acunetix 360 carries out a large number of attacks that may negatively affect your web application if the parameters are not set properly. For instance, if there is a mail form on your web application, Acunetix 360 will send requests on that form and you may receive many unwanted emails.

For further information, see Before Using Acunetix 360, Application & Service Discovery Service, and Scanning Production Environments with Acunetix 360.

Step 2. Preparing and configuring scans

After learning which technologies and other elements exist on the web application, next you will start configuring the scan.

Acunetix 360 is a very user-friendly, automated web application security scanner. In most cases, it is enough to enter the target URL and start scanning. The scanner will automatically fine-tune itself. However, even though Acunetix 360 will discover the issues successfully, it may make extra and unnecessary security checks, keeping the target host needlessly busy, because the scan is not configured precisely. So, you can choose to configure the Scan Settings yourself.

The duration of a web application security scan depends on various factors. To keep the duration short, you can optimize a scan by configuring some of the settings. For even more accurate scan results, you should configure the scan further. You can configure the following options:

  • Crawling Options
  • Scan Scope
  • URL Rewrite Rules
  • Website Authentication
  • Scan Policy

Before scanning your website, the target host must be ready for the test. Ensure that the target host stays online during the scanning process. In addition, you can use the Pause and Stop features. To avoid any service breakdowns, you can use the Scan Time Window to set the time for Acunetix 360 to scan the target URL.

For further information, see Overview of Scan Policies and Scan Policy Optimizer.

Step 3. Scanning your web applications

Think of your web applications as an unsecured back door into your business. Modern web applications let users interact with the host’s network or server. Poor coding and defective hardening policies may negatively affect web application security. If the web application is not developed with the relevant security standards, it can be manipulated by exploiting vulnerabilities and misconfigurations.

Acunetix 360’s advanced Proof of Exploit feature makes it easy to identify SQL Injection, Cross-site Scripting (XSS) and thousands of other vulnerabilities in web applications. Acunetix 360 also can detect out-of-date web application technologies to help you keep your web application up-to-date.


The VDB (Vulnerability database) is updated every week.

Acunetix 360 can be easily integrated into your SDLC, DevOps, and other environments to help keep your web applications secure.

For further information, see What is Acunetix 360? and Integrating Acunetix 360 into Your Existing SDLC.

Step 4. Reviewing and comparing scan results with previous scans

If you have Acunetix 360, you probably have already performed a scan of your web application. Previous scans make you aware of the security development process. Please compare the old and new scan results, and review the newly discovered issues.

  • Acunetix 360 allows you to retest the issues found in a previous scan.
  • You can also choose the security test type for specific vulnerabilities.
  • Incremental scans help you save time. Instead of scanning the web application, you can just scan the new pages added since the last scan.

You can integrate an issue tracker with Acunetix 360 to help you manage and maintain a list of all the issues at each stage of the SDLC (Software Development Life Cycle).

For further information, see Creating a New Scan and Reviewing Scan Results and Imported Vulnerabilities.

Step 6. Fixing issues

Attackers use different methodologies to hack web applications. Every day brings the potential for a new attack. Scheduling and performing periodic security scans are vital. Each scan may discover new vulnerabilities in your web application. If vulnerabilities are detected, you need to fix them as quickly as possible and then re-test them with Acunetix 360. At this point, Acunetix 360 checks whether the issues are properly fixed. They are then marked as resolved. This process needs to be conducted continuously so that the security of your web applications is maintained.

For further information, see Updating the Status of an Issue in Acunetix 360.

Step 7. Retesting fixed issues

The main objective of a security scan is to detect issues and fix them. Acunetix 360 lets you retest the issues to check if they are fixed or not. Instead of starting a full scan, you can retest only the fixed issues.

Acunetix 360 automatically checks the issue. If it is fixed as intended, the issue will be marked as Fixed. If not, the issue will be assigned back to the Assignee. If you are sure that the issue is a false positive, you can mark it as a False Positive. You can also mark the issue as Accepted Risk if you are aware of its impact. And, finally, you can manually mark an issue as Fixed (Unconfirmed).

For further information, see How to Run a Retest in Acunetix 360.

Step 8. Generating reports

Reporting is the most important step in the web application security scanning process. Acunetix 360 can generate reports based on relevant regulations. If you want your web application to be compliant with ISO 27001, generate an ISO 27001 Compliance Report to check for specific vulnerabilities and apply the correct remedies.

Acunetix 360 Online also has a PCI compliance feature that enables you to automate most of the process and generate approved PCI compliance reports. When a PCI scan is completed, websites that meet the standard will receive an approved compliance report. If the website fails, you can fix the listed vulnerabilities and retest them.

Acunetix 360 also enables you to create custom reports (see Custom Report Policies). This means you can change the vulnerability details, classification numbers, actions to take or add the logo of your organization.

For further information, see Built-in Reports and Report Templates.


« Back to the Acunetix Support Page