Pre-Request Scripts in Acunetix 360

Pre-Request Scripts allow you to manipulate requests easily before sending them to the target. This feature also helps the scanner achieve better scan coverage and provide better results.

You may need to manipulate a request by adding, changing, or computing some part of it before it is sent. Here are some typical scenarios:

  • To calculate Hash-based Message Authentication Code (HMAC) value
  • Meet double submitted cookie requirements for anti-Cross-Site Request Forgery (CSRF) mechanisms
  • To send random values
  • To abort a request for some situation



You can write your script in the Pre-Request Scripts tab. Alternatively, you can write it in any text editor and copy it in.

This feature is only available in Acunetix 360 On-Premises.

Pre-Request Script Fields

This table lists and describes the fields in the Pre-Request Scripts.




Select to enable Pre-Request Script. Once enabled, the Presets dropdown is activated.


This allows you to select the HMAC option and view the relevant script.

Test Script

This allows you to test the new script.

Writing a Pre-Request Script

Acunetix 360 can manipulate a request since it runs Pre-Request Scripts automatically before dispatching a request.

How to Write a Pre-Request Script in Acunetix 360 On-Premises
  1. Log in to Acunetix 360.
  2. From the main menu, click Scans, then New Scan. The New Scan window is displayed.
  3. From the Scan Options section, select Pre-Request Script. The Pre-Request Script section is displayed.
  4. Select the Enabled checkbox.

  1. You can now start to write your script using JavaScript.

Testing Pre-Request Scripts

Acunetix 360 can check the script syntactically to make sure that it does not contain any errors. When the scanner verifies that the script contains no errors, you can begin scanning.

How to Test a Pre-Request Script in Acunetix 360 On-Premises
  1. Write your script as explained in Writing a Pre-Request Script.

  1. Click Test Script.
  2. If Acunetix 360 finds no error in your script, a confirmation dialog is displayed.

  1. Click Start Scan.
  2. Once the scan has started, you can view the effect of the Pre-Request Scripts in the request sent by Acunetix 360.

Sample HMAC Code

Acunetix 360 can use a simple pre-request script such as the one below to compose the HMAC header. The scanner will add this header to all request headers.

You can write and save this script in an external file so that you can have a clearer Pre-request Scripts panel in Acunetix 360. Except for line 37, all this could be stored in a script file.

acunetix.setEnvironmentVariable('hmacAuthHeader', getAuthHeader(request['method'], request['uri'], request['body']));

Writing Pre-Request Scripts

To write a pre-request script, you need to specify the environment variables; facets, objects, and helpers; and the flow of the script (examples provided below). Even though the main goal remains the same, the implementation can vary according to your needs.

Let's examine the building blocks in turn.

Environment Variables

In any programming language, variables are very important for storing values and retrieving them later. You can use variables to change some part of a request dynamically. Acunetix 360's Pre-Request Scripts enable you to update placeholders at any place in a request.

The Building Blocks of Pre-Request Scripts: Facets, Objects, and Helpers

Facets, objects, and helpers are among the ingredients of the Pre-Request Scripts feature that you can use when writing scripts.

You can use the request object to access the current request Acunetix 360 is about to send. This object also allows you to modify the HTTP request.

This table lists and explains the method.




This returns the method (verb) of the HTTP request to which the Pre-Request Scripts will be applied.

If you need to know which HTTP verb (method) is used before manipulating a request, request.method can help you find out.

Sample Scenario

Because only POST and PUT requests can have a request body, if your pre-request script requires some changes in the request body, you have to first check whether the request method is one of those verbs. Otherwise, the request would not have a request body:

if(request.method == "POST")

request.body = request.body + "&debug=true";


The access to a request body is usually a vital part of the pre-request script. The request object has a method body that can be used as both a getter and a setter.


To get the URL of the request that Acunetix 360 is about to send, a request.uri property can be used.


This collection can be used for both the getter and the setter. It is possible to retrieve the value of a specific request header or set request's header with a new value. You can set a custom header using this collection.

Here is an example.

Let's say the target application requires you to send an x-auth header with a legitimate value.

request.headers["x-auth"] = calculateXAuth();


The object acunetix offers some properties and methods that can be useful while writing a pre-request script.

The most important one amongst them is the request method. It helps to initiate HTTP requests in a pre-request script. As shown, it is very useful when request chaining is a need.

var request = new Request('');

request.parameters.add(new Parameter('foo', 'bar', 1));

var res = acunetix.request(request);


Acunetix 360's Pre-Request Script feature can use the CryptoJS library. CryptoJS is a growing collection of standard and secure cryptographic algorithms implemented in JavaScript using best practices and patterns.

Here is an example:

// Hashing response body with SHA512

requestBody = request.body;


Manipulating Request Parameters

For adding parameters into anywhere in a request, you can use the request.parameters collection.

Here is an example for adding parameters such as following:


It takes only one class Parameter as parameter. Here is an example of an instance of the Parameter class:

var parameter = new Parameter(paramaterName, parameterValue, parameterType);

This table lists and explains some of the most common values of the parameter type.








Sent in request body

The purpose of the parameter name and parameter value are obvious. The enumeration type parameterType requires some clarification:

0 : Querystring

The value '0' means Querystring. With this type of parameter, you can add a query string parameter to the request being sent:

var parameter = new Parameter(paramaterName, parameterValue, parameterType);

Use Cases and Presets

Here are some examples that address common scenarios for those who want to scan web applications with Acunetix.

Real Time Computed Parameters - HMAC Tokens

In this example, in order to get hmacToken value, you can sign a string containing your token and timestamp value with your secret key.

var token = "TOKEN"

var secret = "MyTopSecret"

function signToken() {

    var dateTime = (new Date).getTime().toString()

    var stringToSign = `${token}-${dateTime}`;

    const hash = CryptoJS.HmacSHA512(stringToSign, secret)

    return CryptoJS.enc.Base64.stringify(hash);


var signedToken = signToken()

acunetix.setEnvironmentVariable("hmacAuthHeader", signedToken);

Now, you have to define the point in the request that the hmacAuthHeader value will be populated.

Chained Requests

You can chain requests using Acunetix 360's Pre-Request Scripting feature. First, you may be required to make a prior request in order to get a token for subsequent requests.

For example, the following script makes a request to get a JWT token for subsequent ones.

function getToken(){

        var request = new Request('');

        request.parameters.add(new Parameter('username', 'admin', 1));

        request.parameters.add(new Parameter('password', '4Really53cur3P455w0rd', 1));

        var res = acunetix.request(request);

        return res.body;


    acunetix.setVariable("JWT", getToken());    

Then from the Header tab of the Authentication section of the Scan Settings in the Start a New Website or Web Service Scan dialog, you can set Authorization header.

Double Submitted Cookies

You may want to use CSRF prevention mechanisms without depending on a persistent method. Modern web applications are mostly distributed nowadays. So you may not prefer to use old-school methods like storing CSRF tokens in session objects.

Some websites prefer sending CSRF tokens with a cookie like this:

HTTP/1.1 200 OK

Set-cookie: XSRF-Token=somerandomvalue

Then, it expects to see that the XSRF-Token cookie value and custom header X-CSRF-Token value are equal.

GET / HTTP/1.1

Cookie: XSRF-Token=somerandomvalue

X-CSRF-TOKEN: somerandomvalue

There are two limitations here that prevent attackers from being able to exploit potential CSRF issues:

  • Because of the Same Origin Policy, when a request is made to a cross-domain, a website (attacker's own site or attacker-controlled website) cannot set a custom header.
  • Even if attackers are able to add a custom header into a request, it's not possible to get the value of the CSRF cookie.

Here is an example of the code that could be used.

if ($_COOKIE["XSRF-Token"] == $_SERVER['HTTP_X_CSRF_TOKEN'])) {

         Do something

} else {

                throw("CSRF protection enabled.")


You do not need to store anything on the server-side to make this CSRF prevention mechanism work.

You can use a Pre-Request Script such as the following for double submitted cookie cases.

if(request.headers.Cookie) {        

var cookiePattern =  /XSRF-Token=([^;]+)/gm;        

var match = cookiePattern.exec(request.headers.Cookie);

             if (match && match[1]){           

           // 4 is request header parameter.  

                  request.Parameters.Add(new Parameter('X-CSRF-TOKEN', match[1], 4));



Request Abortions

Pre-Request Scripting allows you to abort some requests before arriving at the target.

For example, if a request parameter (action) has a delete value you have to stop the request before sending it to the target.

if(request.parameters["action"] == "delete") {



« Back to the Acunetix Support Page