Custom Scripts for Security Checks in Acunetix 360

You can conduct your own attacks in Acunetix 360 and detect vulnerabilities during scans.

This topic explains how Acunetix 360 lets you add custom vulnerability detections to your scans.

Adding a custom security script in Acunetix 360 On-Demand? Please contact support@acunetix.com. Only a support engineer can add a custom script to your account.

  • Before you contact a support engineer to add a custom script to your account, decide what type of vulnerability the script will raise. You can specify the name of the vulnerability, its severity, and the text shown for it in Acunetix 360 and in reports (see Custom Report Policies).
  • Then, a support engineer will create a custom report policy and add your new vulnerability check to the custom report policy. After that, they will add your new custom security script to your account.

Using Acunetix 360 On-Premises? An account owner can let you write your own custom security check. To do this, the account owner selects Settings > General from the main menu, then selects the "Account can execute custom security checks" checkbox. This enables users to create their own custom report policies and add their custom security checks.

Executing a custom script on a web page

For Acunetix 360 to be able to find a vulnerability, it needs to scan your website. That is also the case for custom vulnerabilities. Scan your website first, and make sure the vulnerable page is listed in the Sitemap tree. You can then execute your custom script on the web page of your choice.

How to execute a custom script on a web page

  1. Log in to Acunetix 360.
  2. From the main menu, select Policies > Custom Scripts.
  3. Next to the relevant script, select View.
  4. From the Executive Custom Script panel, select or search for a website from the Websites drop-down.
  5. From the Recently Completed Scans drop-down, select a scan.
  6. From the Sitemap, select the web page on which the custom security check will be executed.
  7. Select Execute.

When Acunetix 360 executes the custom security check script, a message is displayed, informing you whether a vulnerability has been found during the execution.

Scanning a website with a custom security script

You can scan your website with a custom report policy and a custom scan policy that are based on your custom security script.

Prerequisites:

  1. A custom scan policy.
  2. A custom report policy.

For further information about custom scan policies, see Configuring Scan Policies.

How to scan a website with custom policies

  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > New Scan.
  3. In the Target URL field, enter the URL.
  4. From the Scan Policy drop-down, select your custom scan policy.
  5. From the Report Policy drop-down, select your custom report policy.
  6. Complete the remainder of the fields, as described in Acunetix 360 New Scan Fields, if necessary.
  7. Select Launch.

When the scan is completed, if a vulnerability is found (the one you have raised in your custom script code), it will be displayed in the report(s) and the Sitemap tree under the selected vulnerable page's node.

If no vulnerabilities have been found, check the script code you have written. Execute the script code as many times as you want until you see the vulnerability reported in the report(s) and the Sitemap tree.

 
