Authorization to Scan
Do NOT scan a website without proper authorization!
The web server logs will show your IP address and all the attacks made by Acunetix. If you are not the sole administrator of the website or web application, make sure to warn the other administrators before performing a scan. Some scans might cause a website to crash, requiring a restart of the website.
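Because an authorized scan leaves a dense trail of scanner requests in the web server logs, the operations or SOC team that reviews those logs needs a way to tell the announced scan apart from everything else, without blindly ignoring the scanner's address forever. The following added example (not Acunetix code, and not from this page) shows one defensive approach: parse Apache/Nginx "combined" log lines, keep only the requests that come from the declared scanner IP inside the announced scan window, and summarize their status codes so a spike in 5xx responses (the "site crash" risk mentioned above) is visible at a glance. The scanner IP, the window and the log lines are constructed sample values.

```python
"""Separate an authorized scanner's traffic from other traffic in a web server log.

Added example, not part of the Acunetix documentation. The IP addresses,
scan window and log lines below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address

# Prefix of the Apache/Nginx "combined" log format; referer and user-agent
# fields after the size are not needed here, so the regex stops early.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed values: 203.0.113.10 plays the Acunetix scanner, 198.51.100.7 an
# unrelated client. The scan was announced for 09:00-11:00 UTC on 1 May 2024.
SCANNER_IP = "203.0.113.10"
SCAN_WINDOW = (
    datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc),
)
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2024:09:15:02 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/May/2024:09:15:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2024:09:20:11 +0000] "GET /search?q=test HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [01/May/2024:10:40:59 +0000] "GET /search?q=test HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    # Same scanner address, but a day later: outside the announced window, so
    # it must NOT be written off as "just the scan".
    '203.0.113.10 - - [02/May/2024:03:00:00 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    "this line is not a valid log record",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def triage(lines, scanner_ip, window):
    """Split records into (scanner traffic inside the window, everything else).

    Scoping by time window matters: the same address outside the announced
    scan period is ordinary traffic and deserves the normal review.
    """
    scanner = ip_address(scanner_ip)
    start, end = window
    scan_traffic, other_traffic = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are dropped; a real pipeline would log them
        if ip_address(rec["ip"]) == scanner and start <= rec["ts"] <= end:
            scan_traffic.append(rec)
        else:
            other_traffic.append(rec)
    return scan_traffic, other_traffic


def status_summary(records):
    """Count responses per HTTP status code."""
    return dict(Counter(r["status"] for r in records))


def server_error_count(records):
    """Number of 5xx responses; a rising count during a scan hints at instability."""
    return sum(1 for r in records if 500 <= r["status"] < 600)


def run_sample():
    """Run the triage over the constructed log and return the pieces a reviewer wants."""
    scan_traffic, other_traffic = triage(SAMPLE_LOG, SCANNER_IP, SCAN_WINDOW)
    return {
        "scan_requests": len(scan_traffic),
        "other_requests": len(other_traffic),
        "scan_statuses": status_summary(scan_traffic),
        "scan_5xx": server_error_count(scan_traffic),
        "other_ips": sorted({r["ip"] for r in other_traffic}),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The window check is the important design choice: the scanner's address is only trusted for the announced period, so the out-of-window request from the same IP lands in the "other" bucket alongside the unrelated client and is reviewed normally. The 5xx count over the in-window scanner traffic gives a quick indicator of whether the scan is degrading the application.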
After configuring your Targets, you are ready to launch Scans and start identifying any vulnerabilities that exist in the web applications. There are multiple ways to start a Scan, which include:
- From the Targets list, select the Targets to scan, and click the Scan button
- From within the Scanning Options dialog, configure the options to be used for the scan, then click the "Create Scan" button
The Scanning Options dialog lets you configure the following:
- Scan Type - Choose between a Full Scan or a scanning profile that scans only for a specific category of vulnerabilities, such as High Risk Vulnerabilities. The Scan Types are described below.
- Report - You can request that a report is generated automatically after the scan is completed. Here is a description of all the Reports.
- Schedule - Select whether the scan should start immediately or be scheduled for a future date and time. You can also configure recurring scans.
Click the "Create Scan" button to launch the scan.
Interaction with a Scan in Progress
While most of the scanning procedure is fully automated, you may have configured a Login Sequence for a target that may require some Manual Intervention. Manual Intervention is typically required when a target employs more sophisticated mechanisms to protect the login process – some examples would be CAPTCHA, Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), and other one-time password (OTP) mechanisms.
When you are performing a scan for such a target, Acunetix will pause and prompt you for your Manual Intervention with a popup notification:
Click on the Bell (notifications) icon to expand the notifications list, and click on "Resolve this issue" in the Manual Intervention required notification.
The LSR (Login Sequence Recorder) will open and automatically perform all the recorded actions up to the point where Manual Intervention is required. Now you can perform the actions that need human interaction, then click the "Close" button at the bottom of the LSR window.
The LSR will continue to execute the remaining login actions, and the remainder of the scan can proceed automatically.
A Scan Type is a logical grouping of checks that Acunetix performs to scan for a specific category of vulnerabilities (such as Cross-Site Scripting, SQL Injection, etc.). Below is a list of the scanning types available in Acunetix, with a short description of each:
- Full Scan - Use the Full Scan profile to launch a scan using all the checks available in Acunetix.
- High Risk Vulnerabilities - The High Risk Alerts scanning profile will only check for the most dangerous web vulnerabilities.
- Cross-Site Scripting Vulnerabilities - The Cross-Site Scripting scanning profile will only check for Cross-Site Scripting vulnerabilities.
- SQL Injection Vulnerabilities - The SQL Injection scanning profile will only check for SQL Injection vulnerabilities.
- Weak Passwords - The Weak Passwords Scanning profile will identify forms which accept a username and password and will attack these forms.
- Crawl Only - The Crawl Only scan will only crawl the site and build its structure, without running any vulnerability checks.
- Network Scan - Use the Network Scan (Full and fast) profile to launch a scan using the OpenVAS engine inside your network to scan network services that are not available from the outside but still may be subject to internal threats.
- Malware Scan - Use the Malware Scan profile to launch a scan that will only check links and script files on the Target (or accessed by the Target) for malware, using the anti-virus engine (Windows Defender or ClamAV) on the Acunetix machine. Malware scanning is also performed when scanning a Target using a Full Scan. When installed on Windows, Acunetix automatically uses Windows Defender, which is pre-installed with Windows and does not require configuration. When installed on Linux, Acunetix uses ClamAV; you will need to install ClamAV separately, and Acunetix will automatically use it to scan for malware.
- New Web Vulnerabilities - If you have upgraded from a previous version of Acunetix, your new version may be able to detect new types of vulnerabilities which your previous version could not. This scan profile will scan for all the vulnerabilities that your previous version was not able to scan for.
After running the initial scan, identifying and fixing the vulnerabilities detected, and making sure that your Targets do not contain vulnerabilities, you need to ensure that they remain secure. Enable Continuous Scanning on a Target to have Acunetix scan the Target on a daily basis and report back any new vulnerabilities immediately. New vulnerabilities can be introduced by web developers making updates to the site or by administrators making changes to the web server’s configuration. In addition, Acunetix is often updated to detect new vulnerabilities.
Continuous Scanning performs a full scan once a week. This scan is augmented by a daily quick scan, which only checks for critical vulnerabilities. Continuous Scanning updates the vulnerabilities for the Target, and these can be accessed from the Vulnerabilities page. You will be notified by email and in the notification area when new vulnerabilities are identified.