Acunetix AcuSensor increases the accuracy of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET and PHP web applications.
Installing the AcuSensor Agent
NOTE: Installing the AcuSensor Agent is optional. Acunetix is still best in class as a black-box scanner, but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET and PHP web applications.
The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black-box Web Application Scanner while generating fewer false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and also reports debug information.
Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for each website for security reasons. From the configuration of each Target, change to the General tab, and toggle the AcuSensor option. From here, you can download the AcuSensor generated for the Target. Choose between the PHP or the .NET AcuSensor agent, depending on the web technology used on your site, and proceed with the installation steps below.
Installing the AcuSensor agent for ASP .NET Websites
The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.
- Install Prerequisites on the server hosting the website: The AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.
- Copy the AcuSensor installation files to the server hosting the .NET website.
Screenshot – Acunetix .NET AcuSensor installation
- Double-click AcuSensorInstaller.exe to install the Acunetix .NET AcuSensor agent and proceed through the installation wizard.
- You will be asked to insert the AcuSensor password. This should match the one that you used in the Acunetix settings.
- After the installation is complete, you will be prompted to launch the Acunetix .NET AcuSensor Manager.
Screenshot – Acunetix .NET AcuSensor Manager
- On start-up, the Acunetix .NET AcuSensor Manager will retrieve a list of .NET applications installed on your server. Select which applications you would like to enhance with the AcuSensor Technology and click Install Sensor to install the AcuSensor Technology sensor in the selected .NET applications. Once the sensor has been installed, close the confirmation window and also the AcuSensor manager.
Installing the AcuSensor agent for PHP websites
This section describes how to install AcuSensor in a PHP web application.
- Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.
- There are 2 methods to install the AcuSensor agent: one method can be used for the Apache web server only, and the other can be used for IIS, nginx and Apache web servers.
Method 1: Apache web Server - .htaccess file
Create a .htaccess file in the website directory and add the following directive:
php_value auto_prepend_file '[path to acu_phpaspect.php file]'
Note: For Windows use the 'C:\sensor\acu_phpaspect.php' path declaration format, and for Linux use '/Sensor/acu_phpaspect.php'. If the Apache web server does not process .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.
Method 2: IIS, Apache and nginx - php.ini
- Locate the php.ini file on the server by using the phpinfo() function.
- Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file:
- Save all changes and restart the web server for the above changes to take effect.
Disabling and uninstalling AcuSensor
To uninstall and disable the sensor from your web site:
AcuSensor for ASP .NET websites
- From Start > Programs, open the Acunetix .NET AcuSensor Manager
Screenshot - Select website and click Remove Sensor
- Select the website where the AcuSensor agent is installed and click Remove Sensor to remove the AcuSensor Agent from the site.
- Close the Acunetix .NET AcuSensor Manager.
- If needed, you can also uninstall the Acunetix .NET AcuSensor Manager from the Add/Remove Programs Control Panel.
AcuSensor for PHP
- If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive: php_value auto_prepend_file "/path/to/acu_phpaspect.php" from .htaccess.
- If method 2 was used to install the PHP AcuSensor, delete the directive: auto_prepend_file="/path/to/acu_phpaspect.php" from php.ini.
- Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.
Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
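Added example (not part of the Acunetix documentation or product): a Python check that lists every active auto_prepend_file directive naming acu_phpaspect.php, and every copy of the agent file, under a directory. It can confirm where the sensor is loaded after the PHP installation steps and that nothing is left behind after the uninstall steps. The function name audit_sensor and the set of configuration file names searched are assumptions of this example.

```python
import os
import re
import sys

# Assumption of this example: the directive lives in one of the files named
# by the two install methods (.htaccess / httpd.conf, or php.ini).
CONFIG_NAMES = {".htaccess", "httpd.conf", "php.ini"}
AGENT_NAME = "acu_phpaspect.php"

# Matches "php_value auto_prepend_file <path>" (Apache) and
# "auto_prepend_file = <path>" (php.ini).
DIRECTIVE = re.compile(
    r"^\s*(?:php_(?:admin_)?value\s+)?auto_prepend_file\s*[=\s]\s*(?P<path>.*)$",
    re.IGNORECASE,
)

def audit_sensor(root):
    """Walk root and return (directives, agent_files).

    directives: (config_path, line_no, prepended_path) for each active
    auto_prepend_file line that names the agent file.
    agent_files: paths of acu_phpaspect.php copies still on disk.
    """
    directives, agent_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == AGENT_NAME:
                agent_files.append(full)
            if name not in CONFIG_NAMES:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    # ';' comments out a php.ini line, '#' an Apache line
                    if line.lstrip().startswith((";", "#")):
                        continue
                    m = DIRECTIVE.match(line)
                    value = m.group("path").strip().strip("'\"") if m else ""
                    if value.lower().endswith(AGENT_NAME):
                        directives.append((full, no, value))
    return sorted(directives), sorted(agent_files)

if __name__ == "__main__":
    found, agents = audit_sensor(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, no, value in found:
        print(f"{path}:{no}: auto_prepend_file -> {value}")
    for path in agents:
        print(f"agent file present: {path}")
```

Run it against the web root and the directory holding php.ini; after uninstalling, both lists should be empty.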