Targets are the websites and web applications that you would like to scan using Acunetix. In Acunetix Online, you can also configure Network assets as Targets. These will need to be configured in Acunetix before they can be scanned. Once configured, a Target can be scanned as often as required.
Go to the Targets page to configure a new website to scan:
- From the Targets dropdown in the sidebar, select 'Add Target'.
Screenshot - Add Target
- Provide the address of the asset to scan.
- Optionally, enter a short description that will allow you to easily identify this target.
- Click ‘Add Target’ when done.
- You will be taken to the Target’s options, where you can configure other options if needed.
Targets can be grouped for easier management. For example, from the Vulnerabilities page, you can filter for the vulnerabilities of one Target Group, or in the Scan page, you can filter for scans of a specific Target Group. User accounts are also given access to specific Target Groups.
You first need to create the Target Group, after which you can configure which Targets are members of it.
Verifying Scan Target Ownership (Acunetix Online only)
Once you create a new Target, you will be asked to verify ownership of the Target. Target verification will depend on the type of scans that you intend to launch against the Target.
In summary, web vulnerability scans require a unique verification file to be present in the root of the web server before a scan starts. This is required for all your Targets against which you wish to run web scans.
Network vulnerability scans require that we verify your account details; a one-time process where you may be contacted by an Acunetix representative.
Screenshot - Scan Target Verification required
Web Scan Verification
Web scan verification is a three-step process.
- Download the unique verification file assigned to your new Target.
- Upload the verification file to the root of the site (using FTP for example).
- From the configuration of the Target in Acunetix Online, click on 'Verify Scan Target' to complete the verification process.
Note: The verification file needs to be kept in the root of the site, since Acunetix Online will check the verification file each time it scans the server.
Network Scan Verification
- For network scans you will need to verify that your account details are correct, and request verification of your account by an Acunetix representative.
- From within the configuration of your scan target, in the Network Scan Verification section, click ‘Proceed to verify my details’, or go directly to Account Settings > Profile.
- Confirm that your account details are correct, and update as needed.
Screenshot - Verify account details
- From within the Account Verification section, you can request the verification of your account details.
- You will immediately receive an automatic call to the phone number specified, and will be given a one-time code. You will need to enter this code into Acunetix as part of the account verification process.
- An Acunetix representative may get in touch with you within 24 hours to complete the verification.
- Once your account details have been verified, you can launch network vulnerability scans on all your scan targets.
Contact us at firstname.lastname@example.org if you require help with the verification process.
Configuring Site Login
You may need to scan restricted areas within the web application configured as a Target in Acunetix. The information used to access the restricted area can be configured from the Site Login options found in the General Settings within the Target's configuration.
Screenshot - Form-based Authentication - Automated Login
In most cases, you can have Acunetix try to log in to the site automatically. This works for most web applications that use a simple login process. You need to provide the Username and Password to access the restricted area. The scanner will automatically detect the login link, the logout link and the mechanism used to keep the session active.
Screenshot - Form-based Authentication using Login Sequence Recorder
For more complex web applications, which might be using a more elaborate login mechanism, you would need to launch the Login Sequence Recorder and record a login sequence (*.lsr file), which can then be uploaded and saved with your Target settings. Information on how to use the Login Sequence Recorder can be found at http://www.acunetix.com/blog/docs/acunetix-wvs-login-sequence-recorder/
Generating and Installing AcuSensor
AcuSensor improves the scan results provided by Acunetix: it identifies all the pages on your website, increases the information about the vulnerabilities detected and decreases false positives. Check the previous section on how to install AcuSensor.
Other Advanced Options
For each Target, you can configure other options, including:
- Crawling options, such as using a custom User-Agent
- Paths to be excluded when scanning the specific target
- HTTP Authentication
- Client Certificates
- Custom Headers
- Custom Cookies
- List of Allowed hosts, which will be scanned when scanning the specific Target. Note that these need to be pre-configured as separate Targets beforehand.
- Excluded Hours profile