Creating a New Scan

Acunetix 360 enables you to begin scanning web applications immediately, by selecting the default scan settings.

However, there are multiple, customizable scan options available. Each option is explained in the following sections.

For further details, see Acunetix 360 Assistant, Overview of Scanning, Overview of Scan Policies, and Scheduling Scans.

Acunetix 360 New Scan Fields

This table lists and explains the fields in the New Scan window.

Field

Description

Target URL

This is the target URL of the website, including the path.

You can add a URL in the following formats:

Hostname: http://mysite.com/

IPv4: http://192.168.1.42/

IPv6: http://[fe80::8554:69c3:bb4:b28a]/

Scan Profile

This is the Scan Profile.

For further information, see Configuring Scan Profiles.

Acunetix 360 Scan Options Fields

This section lists and explains the fields in the Scan Options section.

General

In this tab, you can configure the basic scanning options.

Field

Description

Scan Policy

The Scan Policy defines the scan settings and which security tests will be performed.

For further information, see Overview of Scan Policies and Scan Policy Editor.

Agent Selection

This is the type of Agent that will run the scan.

The options are: Dedicated or Group. If you select Group, the Preferred Agent field (next) changes to Preferred Agent Group.

This field is only available in Acunetix 360 (On-Premises).

For further information, see Agents in Acunetix 360 On-Premises.

Preferred Agent/Preferred Agent Group

The Agent is a Windows service application that executes scans and informs the Acunetix 360 application.

Select an Agent or Agent Group.

This field is only available in Acunetix 360 (On-Premises).

For further information, see Agents in Acunetix 360 On-Premises.

Report Policy

The Report Policy defines how scan results will be reported.

For further information, see Custom Report Policies.

Custom Cookies

This contains any required cookies in the format cookiename=value.

The value must be URL encoded. Use semicolons (;) to separate multiple cookies.
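The two helper functions below are an added example, not part of the original page or of Acunetix 360 itself. They show why the value must be URL encoded: a raw "=" or ";" inside a cookie value would be misread as a name/value or cookie separator. The function names and the sample cookie values are constructed for the example.

```python
from urllib.parse import quote, unquote


def build_custom_cookies(cookies):
    """Serialise {name: raw value} into the Custom Cookies form
    'name=value; name2=value2', URL-encoding every value so that
    separator characters inside a value survive the round trip."""
    parts = []
    for name, value in cookies.items():
        # A cookie name may not contain the characters used as separators.
        if not name or any(c in name for c in ";=, \t"):
            raise ValueError(f"invalid cookie name: {name!r}")
        parts.append(f"{name}={quote(value, safe='')}")
    return "; ".join(parts)


def parse_custom_cookies(text):
    """Parse the Custom Cookies string back into a dict, decoding values.
    Mirrors what a scanner has to do with the field before sending the
    cookies with each request (constructed reading of the field format)."""
    result = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"cookie without '=': {item!r}")
        result[name.strip()] = unquote(value)
    return result


if __name__ == "__main__":
    # Constructed sample: the second value contains both separators.
    field = build_custom_cookies({"session": "abc123", "prefs": "a=1;b=2"})
    print(field)
    print(parse_custom_cookies(field))
```

Pasting the output of build_custom_cookies into the Custom Cookies field gives the scanner exactly the values you intended; without the encoding, "prefs" would be split into two cookies.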

Crawling

This indicates how the scan should crawl the Target URL.

The options are:

  • Find and Follow New Links
  • Enable Crawl & Attack at the Same Time

Max Scan Duration

This indicates the maximum length of the scan. Drag the slider as required.

If the scan is not completed within this time, it is automatically terminated.

In the New Group Scan and Scheduling Group Scan windows, there are checks to:

  • Customize Max Scan Duration – Enable this setting to configure the maximum scan duration in hours. If your scan isn't completed in this time, it will be automatically terminated.
  • Customize Scan Time Windows – Enable this setting to configure the time periods during which scanning is allowed. Scanning is paused during disallowed hours.

Comments

This option lets you add a comment to the scan when you launch it. The comment is displayed on the scan report.

Scan Scope

In this tab, you can configure the Scan Scope.

In addition, you can:

  • Enter a list of Regular Expressions to Exclude or Include URLs
  • Select whether the scanner should Include or Exclude the RegEx patterns
  • Specify Disallowed HTTP Methods

Field

Description

Entered Path and Below

This option restricts crawling and scanning to the entered path and everything below it.

If, for example, you enter http://example.com/testarea/, the scanner will not scan the following URLs:

Only Entered URL

This option scans only the supplied URL and the parameters on that page.

If, for example, you enter http://example.com/test.asp, the scanner will only scan URLs that start with http://example.com/test.asp, and will not scan the following:

Whole Domain

This option scans the entire domain, even if you only entered the URL of a page or a directory. If, for example, you enter http://example.com/test.asp, the scanner will start from the test.asp page and scan everything on the http://example.com domain.

Exclude URLs with RegEx

In this section, list and configure the URLs you want included or excluded.

Include/Exclude

If you choose Include, Acunetix 360 will only test URLs that match any of the given regular expressions. If you choose Exclude, Acunetix 360 will not visit or test URLs that match any of the given regular expressions.

New RegEx Pattern

This creates a new RegEx Pattern field.

Disallowed HTTP Methods

Select HTTP methods to disallow. Acunetix 360 won’t make HTTP requests for the selected methods.

For further information, see Configuring the Scan Scope.
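The function below is an added example, not code from the original page or from Acunetix 360, that models how the three scope options, the Include/Exclude RegEx patterns and the Disallowed HTTP Methods combine into a single "may the scanner request this URL?" decision. It goes slightly beyond the page by also showing that the IPv6 target format from the Target URL field compares correctly. The function name, the directory boundary used for Entered Path and Below, the choice to ignore the scheme when comparing hosts, and the treatment of an empty pattern list are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit


def _parts(url):
    """Return (host, port, path). urlsplit().hostname strips the IPv6
    brackets and lower-cases the host, so http://[FE80::1]/ and
    http://[fe80::1]/ compare equal. The scheme is deliberately not
    compared (assumption of this example)."""
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.port, u.path or "/"


def in_scope(candidate, target, scope, patterns=(), mode="Exclude",
             disallowed_methods=(), method="GET"):
    """Decide whether the scanner may request `candidate` with `method`.

    scope:   "Entered Path and Below", "Only Entered URL" or "Whole Domain"
    patterns: regular expressions searched against the full candidate URL
    mode:    "Exclude" drops matching URLs, "Include" keeps only matches
    """
    # Disallowed HTTP Methods are checked first: no request of that method is sent at all.
    if method.upper() in {m.upper() for m in disallowed_methods}:
        return False

    t_host, t_port, t_path = _parts(target)
    c_host, c_port, c_path = _parts(candidate)
    if (c_host, c_port) != (t_host, t_port):
        return False  # a different host belongs under Additional Websites, not this scope

    if scope == "Whole Domain":
        allowed = True
    elif scope == "Entered Path and Below":
        # Assumption: the directory containing the entered path is the boundary.
        base = t_path if t_path.endswith("/") else t_path.rsplit("/", 1)[0] + "/"
        allowed = c_path.startswith(base)
    elif scope == "Only Entered URL":
        # Same page with different query parameters is still "the entered URL".
        allowed = c_path == t_path
    else:
        raise ValueError(f"unknown scope: {scope!r}")
    if not allowed:
        return False

    if not patterns:
        return True  # assumption: no patterns means no regex filtering in either mode
    matched = any(re.search(p, candidate) for p in patterns)
    return matched if mode == "Include" else not matched


if __name__ == "__main__":
    # Constructed sample: keep a logout link out of a Whole Domain scan.
    print(in_scope("http://example.com/account/logout", "http://example.com/",
                   "Whole Domain", patterns=[r"/logout"], mode="Exclude"))
```

The order of the checks matters in practice: an Exclude pattern for the logout page is what keeps an authenticated scan from ending its own session, and a disallowed DELETE method is refused before any scope rule is consulted.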

Additional Websites

In this tab, you can add additional links to domains that need to be scanned, other than the domain of the target URL.

Field

Description

New

Click to add additional URLs. Two additional fields are displayed.

URL

This is the URL of the additional website.

Canonical

Enable to scan canonical URLs to prevent scanning duplicate pages.

For further information, see Configuring Additional Websites.

Imported Links

In this tab, you can add any pages that you also want to scan, that are not linked from anywhere on the target website.

Field

Description

Enter Links

Specify the pages that you want to scan.

Import Links

Select a file for importing links from the dropdown.

For further information, see Importing Links.

URL Rewrite

In this tab, you can configure URL Rewrite rules for the scan.

  • Heuristic mode, to detect URL rewrite rules automatically
  • Custom mode, to configure the URL Rewrite rules yourself for a faster scan

For further information, see URL Rewrite Rules.

Field

Description

Root Path Max Dynamic Signatures

If a URL block in the root path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Sub Path Dynamic Signatures

If a URL block in the sub path contains more items than this limit, it will be identified as a URL rewrite parameter. It must be between 1 and 10,000.

This field is displayed only in the Heuristic tab.

Block Separators

Enter separators to use to split the URL into blocks.

This field is displayed only in the Heuristic tab.

Analyzable Extensions

If the URL contains a file extension, it will be analyzed only if the respective extension is in this list.

This field is displayed only in the Heuristic tab.

Enable Heuristic URL Rewrite detection

Acunetix 360 will try to automatically detect other URL rewrite rules if this option is set.

This field is displayed only in the Custom tab.

Placeholder Pattern

This contains the relative path with placeholders for URL rewrite parameters.

This field is displayed only in the Custom tab.

RegEx Pattern

This is a regular expression used for matching the URL rewrite parameters.

This field is displayed only in the Custom tab.
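The code below is an added example, not the page's or Acunetix 360's own implementation, of the two ideas in this tab: a heuristic that splits crawled paths into blocks using the Block Separators, skips paths whose extension is not in Analyzable Extensions, and marks a block position as a rewrite parameter once it has seen more distinct values than the root or sub path limit; and a Custom-tab rule built from a Placeholder Pattern plus a RegEx Pattern per parameter. The exact grouping strategy (by the already-normalised prefix of each path), the "{param}" placeholder name, and the sample paths are constructed assumptions.

```python
import os
import re


def split_blocks(path, separators="/"):
    """Split a URL path into blocks on every character in `separators`."""
    return [b for b in re.split("[" + re.escape(separators) + "]+", path) if b]


def detect_rewrite_templates(paths, root_limit, sub_limit, separators="/",
                             analyzable_extensions=(".php", ".aspx", ".html")):
    """Heuristic mode: return placeholder templates inferred from crawled paths.

    Position 0 uses root_limit (Root Path Max Dynamic Signatures); deeper
    positions use sub_limit (Sub Path Dynamic Signatures). A block position is
    dynamic when, among paths sharing the same normalised prefix, more than
    the limit distinct values were seen there.
    """
    block_lists = []
    for p in paths:
        blocks = split_blocks(p, separators)
        if not blocks:
            continue
        ext = os.path.splitext(blocks[-1])[1].lower()
        if ext and ext not in analyzable_extensions:
            continue  # e.g. static images are not analysed
        block_lists.append(blocks)
    if not block_lists:
        return set()

    normalized = [[] for _ in block_lists]
    for i in range(max(len(b) for b in block_lists)):
        seen = {}
        for idx, blocks in enumerate(block_lists):
            if i < len(blocks):
                seen.setdefault(tuple(normalized[idx]), set()).add(blocks[i])
        limit = root_limit if i == 0 else sub_limit
        dynamic = {key for key, values in seen.items() if len(values) > limit}
        for idx, blocks in enumerate(block_lists):
            if i < len(blocks):
                key = tuple(normalized[idx])
                normalized[idx].append("{param}" if key in dynamic else blocks[i])
    # Assumption: "/" is used to render templates regardless of the separators.
    return {"/" + "/".join(n) for n in normalized}


def compile_custom_rule(placeholder_pattern, parameter_regexes):
    """Custom mode: turn '/products/{id}/view.php' plus {'id': r'\\d+'} into a
    compiled regular expression with one named group per placeholder."""
    out = []
    for chunk in re.split(r"(\{\w+\})", placeholder_pattern):
        if chunk.startswith("{") and chunk.endswith("}"):
            name = chunk[1:-1]
            out.append(f"(?P<{name}>{parameter_regexes[name]})")
        else:
            out.append(re.escape(chunk))
    return re.compile("^" + "".join(out) + "$")


# Constructed sample of crawled paths (not from a real scan).
CRAWLED_PATHS = [
    "/products/100/view.php", "/products/101/view.php", "/products/102/view.php",
    "/users/alice", "/users/bob", "/users/carol",
    "/about.php", "/static/logo.png",
]

if __name__ == "__main__":
    print(sorted(detect_rewrite_templates(CRAWLED_PATHS, root_limit=10, sub_limit=2)))
    rule = compile_custom_rule("/products/{id}/view.php", {"id": r"\d+"})
    print(rule.match("/products/100/view.php").group("id"))
```

Lowering the limits makes more positions dynamic: with root_limit=2 the three distinct root blocks in the sample are themselves collapsed into a parameter, which is why a limit that is too small produces templates that hide real pages while one that is too large leaves IDs to be scanned as separate pages.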

Form Authentication

In this tab, you can configure Form Authentication options.

Field

Description

Form Authentication

Select to enable Form Authentication.

Login Form URL

Enter the absolute URL of the login form, including the protocol (http or https).

Override Target URL with authenticated page

Select to enable the system to use the last page from the authentication process as the start URL, instead of the Target URL.

Detect Bearer Authentication Token

If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.

Active

Select to enable the system to log in using the supplied credentials.

Username

Enter the username for the login form.

Password

Enter the password for the login form.

OTP

Enter the One-time Password for the login form.

Custom Scripts

If automatic authentication does not work for your website, click New Script and enter a JavaScript script that the scanner will use to authenticate against the web application by completing the login form and clicking the Submit button.

You can add more than one script.

Basic NTLM/Kerberos

In this tab, you can configure NTLM/Kerberos, Basic or Digest authentication.

Field

Description

Basic, Digest, NTLM/Kerberos, Negotiate Authentication

Select to enable Basic, Digest, NTLM/Kerberos or Negotiate Authentication.

Type

Select the type of authentication.

The options are: Basic, NTLM, Kerberos, Digest, Negotiate

URL Prefix

Enter a prefix to specify the scope of the authentication method. For example: https://www.example.com/protected.

Username

Enter the username for the login popup.

Password

Enter the password for the login popup.

Domain

Enter the login form's URL.

This entry is optional; it is needed only when a domain is required in Windows environments.

Do not expect challenge (Basic Authentication)

Select to enable authentication, even if the server does not send an authentication challenge.

Header Authentication

In this tab, you can configure HTTP Header authentication.

Field

Description

Enabled

Select to enable Header Authentication. All listed HTTP headers will be added to all HTTP requests.

New Authentication Header

Click to add a new Authentication Header.

Name

Enter the name of the Header.

It must contain ASCII characters only.

Value

Enter the value of the header.

Client Certificate

In this tab, you can configure Client Certificate authentication.

Field

Description

Client Certificate

Select to enable a client certificate to be used to log in to the web application.

Browse

Click to browse and upload the certificate file.

Password

Enter the password for the certificate.

Scan Time Window

In this tab, you can configure the time periods in the week during which scanning is allowed and paused.

Field

Description

Enable Scan Time Window

Select to enable the configuration of scan time settings.

Weekends

Click to enable configuration of the Scan Time Window. The default start and stop time is 00:00 to 23:59 on Saturday and Sunday. Drag the slider and click Scan/Do Not Scan to alter.

Business Hours

This option enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00 from Monday to Friday. Drag the slider and click Scan/Do Not Scan to alter.

Non-business Hours

This option enables configuration of the Scan Time Window. The default start and stop time is 09:00 to 18:00. Drag the slider and click Scan/Do Not Scan to alter.

For further information, see Scan Time Window.

Notifications

In this tab, you can configure notifications to inform you immediately about the status of a web application security scan, or when specific vulnerabilities are detected. You can also manage notification priorities and test a notification.

Field

Description

Event

This is the Scan Event that triggers the Notification. The options are:

  • New Scan
  • Scan Cancelled
  • Scan Failed
  • Scan Completed
  • Scheduled Scan Launch Failed

Group

Select to group together notifications that occur within the specified period.

Scope

Notifications are sent when the scan relates to the selected website or website group. The options are:

  • Any Website
  • Website Group
  • Website

Email Recipients

This is a list of names and email addresses of the recipients that will receive an Email Notification.

SMS Recipients

This is a list of the names and phone numbers of the recipients that will receive an SMS Notification.

Excluded Recipients

This is a list of users who will no longer receive notifications.

Integration Endpoints

This is a list of configured integrations.

For more information, see Introduction to Notifications in Acunetix 360.

PCI Scan

In this tab, you can conduct a PCI Scan to receive approved PCI compliance reports for your public websites.

For further information, see PCI Scanning in Acunetix 360.

How to Scan a Website in Acunetix 360

Before scanning your first website in Acunetix 360, make sure you have added a website (Adding a Website in Acunetix 360).

  1. From the main menu, click Scans, then New Scan. The New Scan window is displayed.
  2. In the Target URL field, enter the URL.
  3. Complete the remainder of the fields, as described in Acunetix 360 New Scan Fields and Acunetix 360 Scan Options Fields.
  4. Click Launch.

How to Run a Group Scan in Acunetix 360

  1. From the main menu, click Scans, then New Group Scan. The New Website Group Scan window is displayed.
  2. From the Website Group dropdown, select the website group you want to scan.
  3. Complete the remainder of the fields, as described in How to Scan a Website in Acunetix 360.
  4. Click Launch.

You can also launch Group Scans from the Manage Groups window (click Scan).

How to Run an Incremental Scan in Acunetix 360

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the relevant scan, click Report. The Scan Summary window is displayed.
  3. From the Scan dropdown, select Incremental Scan. The Incremental Scan window is displayed.
  4. Click Launch.

How to Run an Incremental Group Scan in Acunetix 360

First, make sure you have already run a Group Scan.

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the Group Scan for which you want to run an incremental scan, click the Scan dropdown, and select Incremental Scan. The Incremental Scan window is displayed.
  3. If required, select the Customize Max Scan Duration checkbox and configure the settings.
  4. Click Launch.

How to Run a Retest in Acunetix 360

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the scan for which you want to run a Retest, click the Scan dropdown, and select Retest. The Retest Scan window is displayed.
  3. Click Launch.

How to Run Bulk Operations on a Scan

  1. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  2. Next to the scans for which you want to run a bulk operation, click the checkbox.
  3. Click the Bulk dropdown, and select the bulk operation you want.
  4. A dialog is displayed asking you to confirm your choice.
  5. Click Delete, Cancel or Pause as required.
