Web Asset Discovery
This feature enables you to become aware of your enterprise's online collateral, web applications and services. This enables you to conduct a comprehensive security audit and better secure your online presence, continually reducing security threats.
This service works independently from the Acunetix product, and already has hundreds of millions of services on its database. It continually scans the entire internet.
- As soon as you activate your Acunetix license, the system begins the discovery process with the master user's email address, immediately suggesting websites that might also belong to you.
- Once you start adding targets, the system makes new suggestions based on those targets.
- Acunetix analyzes your configuration and data, then suggesting further websites that might also belong to you.
The Discovery List
As you use Acunetix, it builds a list of candidate websites which you might want to add to your list of targets. This list is updated every time you:
- add (or remove) a Target
- change one of the flags in the Discovery -> Settings page
- add an Inclusion to one of the inclusion lists (IP Addresses or Organizations or Second Level Domains)
- add an Exclusion to one of the exclusion lists (IP Addresses or Organizations or Top Level Domains or Second Level Domains)
This is the initial Discovery List after installing for master user "email@example.com":
🔍 Acunetix Web Asset Discovery - Update Interval
The list of Discovered websites is updated periodically, with a maximum delay of about 1 hour.
Adding or Removing a Target
When you add a Target, Web Asset Discovery will use the newly-added information to add possible candidates to the Discovery list. After adding "https://example.com" as a target, the Discovery list becomes much larger, as it lists all websites that the Web Asset Discovery function matches to the second level domain "example":
The Discovery Settings page allows you to customise the types of matches that the Web Asset Discovery function will make when building your Discovery list.
The Email Matching function will use the second level domain of your master account for matching websites. Disabling this will ignore the second level domain of your master account.
Website Matching will use the second level domain of any target you add to match any additional websites with the same second level domain. If you disable this function, then the Web Asset Discovery function will add or remove entries into your Discovery list when you add or remove a Target.
Only Registered Domains
By default, Web Asset Discovery will exclude any web services that do not have a publicly available DNS record. You can disable this option if you wish to widen your search to possible websites even if no DNS record for them exists.
Reverse IP Lookup
If your website is hosted on a shared hosting solution where other websites that do not belong to you are sharing the same IP Address, you can disable the Reverse IP Lookup option.
Organization Name Matching
By default, Web Asset Discovery will use the Organization Names extracted from SSL certificates of websites in your Discovery list to perform an additional search for other possible websites with a matching Organization Name in their SSL certificates.
The Inclusions page allows you to add search elements for Web Asset Discovery to find additional candidates, and add them to your Discovery list.
You can add IP Addresses in your inclusion list, and Web Asset Discovery will use this information to search in its database for candidate websites to add to your Discovery list:
You can add Organization Names in your inclusion list, and Web Asset Discovery will use this information to search in its database for candidate websites which match the Organization Names within their SSL certificate, and add them to your Discovery list:
Second Level Domains
You can add Second Level domains in your inclusion list, and Web Asset Discovery will use this information to search in its database for candidate websites with the specified Second Level domains to add to your Discovery list:
You can add Exclusions so that Web Asset Discovery will exclude websites from your Discovery list. You can specify the following type of Exclusions:
- IP Address - websites hosted on the specified IP Addresses will be excluded from the Discovery list
- Organization - websites with the specified Organization names in their SSL certificates will be excluded from the Discovery list
- Top Level Domain - websites with the specified Top Level domains in their hostname will be excluded from the Discovery list
- Second Level Domain - websites with the specified Second Level domains in their hostname will be excluded from the Discovery list
Quick Filtering from the Discovery List
The Discovery list provides a count icons for each Organization, IP Address, Second Level Domain, and Top Level Domain:
These count icons are clickable, and serve as a short-cut towards a filtered view, based on the chosen count icon. As an example, if you click on the count icon next to one of the "ch" Top Level domains, you will be taken to a filtered view of the Discovery list containing only items that match the "ch" Top Level domain:
Quickly Adding Targets from the Discovery List
Once Web Asset Discovery has provided you with a Discovery list containing potential websites, you can select items from the list and quickly create Targets directly from the Discovery list.
Simply enable the checkbox next to each of the websites you are interested in, and click the "Create Target" button.
Finally, add a description for each of the new Targets, and click on the "Save" button.