Overview of Scan Policies
A Scan Policy is a list of web application security checks that are executed during an Acunetix 360 scan. Acunetix 360 users can choose from one of the predefined Scan Policies, or create a custom Scan Policy to scan for specific vulnerabilities.
The selected Scan Policy affects the duration of a scan. A scan using the Full Scan policy is more comprehensive, but it takes more time than, for example, a scan using the High Risk Vulnerabilities policy. If you need to run a quick scan for a specific vulnerability, it is better to create a custom Scan Policy.
The main advantages of having Scan Policies are:
- You are in full control of which web vulnerabilities Acunetix 360 scans for
- You can reduce the time of the scan, and the bandwidth used by the scan, by limiting the number of web vulnerability checks
- The built-in Scan Policies make it easy to check for common vulnerabilities
- Custom Scan Policies can be reused in future scans, rather than reconfiguring each time
- You can disable the web security checks that are irrelevant to your scenario
Built-In Scan Policies
The built-in Scan Policies check for common vulnerabilities or vulnerability groups. These built-in Scan Policies cannot be modified or deleted.
Acunetix 360 has the following built-in Scan Policies:
- Crawl Only is a scan policy that crawls the Target without running any vulnerability checks. It is often used to verify that Scan Profile settings, such as the login configuration, are correct, which you can assess by checking the locations identified in the site structure.
- Cross-site Scripting Vulnerabilities is a scan policy in which Acunetix 360 only scans for Cross-site Scripting (XSS) vulnerabilities.
- Full Scan is a scan policy in which Acunetix 360 conducts all security checks.
- High Risk Vulnerabilities is a scan policy in which Acunetix 360 checks only for high-risk vulnerabilities (see Vulnerability Severity Levels).
- SQL Injection Vulnerabilities is a scan policy in which Acunetix 360 only scans for SQL Injection vulnerabilities.
- Weak Passwords is a scan policy in which Acunetix 360 only scans for weak passwords, using a list of commonly used usernames and passwords.
How to Use Built-In Scan Policies in Acunetix 360
- Log in to Acunetix 360.
- From the sidebar, click Scans, then New Scan. The New Scan page is displayed.
- From the General tab, in the Scan Policy section, click the dropdown.
- Select the Scan Policy you want to use.