After configuring your scan targets, you are ready to launch scans for web and network vulnerabilities. This can be done as follows:
- From Acunetix Online, click 'Launch Scan'.
- Select one or more scan targets that you would like to scan.
- Click 'Scan Now'. You can also schedule scans by selecting 'Schedule a Scan'.
Screenshot - Scan a Target
- You will then be asked to select the type of scan you want to perform.
For example, if you only require a network scan, select 'No web scan' in the 'Web Scanning Profile' list, and select one of the scanning profiles in the 'Network Scanning Profile' list. Check the Scanning Profiles section for more information.
- You can optionally have a report automatically generated after the scan is finished.
- Finally, click on the ‘Launch Scan’ button to have your scan(s) queued. You will be taken to the All Scans list, which allows you to monitor the progress of the scans requested.
- Scans can only be initiated against your scan targets after they have been verified. Check the Verifying Scan Target Ownership section in Configuring Scan Targets. We might need to contact you to perform further verification.
- It is recommended to launch both web and network scans against a website.
- Some scans, especially those performed on large websites may take a long time to complete. You will be notified by email when the scan has finished.
- All our scans are launched from ‘scanners.acunetix.com’. It is recommended that you whitelist this host on your firewall. If this is not done, your firewall might block all the connections made by Acunetix Online, invalidating the scans.
- If you launch multiple scans against the same scan target at the same time, Acunetix Online will queue the scans so that only one scan is executed at a time. This is done to prevent overloading the scanned server with requests.
A Scanning Profile is a logical grouping of checks that Acunetix Online performs to scan for a specific category of vulnerabilities (such as Cross-Site Scripting, SQL Injection, CSRF, etc.). Below is a list of scanning profiles with a short description about each:
Web Scanning Profiles
- Full Scan
Use the Full Scan profile to launch a scan using all the checks available in Acunetix Online.
- High Risk Alerts
The High Risk Alerts scanning profile will only check for the most dangerous web vulnerabilities.
- Cross-Site Scripting (XSS)
The XSS scanning profile will only check for Cross-Site Scripting vulnerabilities.
- SQL Injection
The SQL Injection scanning profile will only check for SQL Injection vulnerabilities.
- Weak Passwords
The Weak Passwords Scanning profile will identify forms which accept a username and password and will attack these forms.
- Cross-Site Request Forgery (CSRF)
The CSRF scanning profile will only check for Cross-Site Request Forgery vulnerabilities.
Network Scanning Profiles
- Full Scan (safe checks)
This scanning profile can be used for most network scans. It will perform a full scan, but avoids running invasive checks which might cause problems with the scanned server.
- Full Scan (incl. invasive checks)
Use this scanning profile to run a more comprehensive scan, including the invasive checks available in Acunetix Online. Ideally, execute scans using this scanning profile just before you put the server in production, or during off-peak hours.
Scans performed using this scanning profile can hinder the performance of the scan target, and might also cause it to go offline.
After running the initial scan, identifying and fixing the vulnerabilities detected, and making sure that your Scan Targets are safe, you need to ensure that they remain that way. Continuous Scanning allows you to keep your Scan Targets secure. Continuous Scanning can be enabled for your Scan Targets, so that you are notified of any new vulnerabilities that are introduced by the web developers, or new vulnerabilities that are detected by Acunetix.
Continuous Scanning performs a full web and network scan once a week. This scan is augmented by a daily rapid scan, which only scans for critical vulnerabilities. The scan results of the daily scans are not visible in the Scans List, since the daily scan results are stored with the results of the weekly scan. You will only be notified when new vulnerabilities are identified.