Can I scan a website that uses URL rewrite without specifying URL rewrite rules in Acunetix?

Although it is not recommended, yes, you can still scan a website that has URL rewrite enabled without specifying any URL rewrite rules in Acunetix Web Vulnerability Scanner. Unlike other scanners, Acunetix WVS will advise you once it detects that the target website has URL rewrite enabled (as shown in the screenshot below). The automatic notification can be switched off by un-ticking the option ‘Warn user if URL rewrite is detected’ in the Site Crawler settings node.

If you do not specify any URL rewrite rules in the URL Rewrite settings node, the scan results are likely to include a number of false positives, and some of the inputs on the target website will not be identified. The result is an incomplete and invalid scan.
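The following added example (not Acunetix code, and not from the original page) illustrates how a rewrite rule maps path segments to backend script parameters, which is the mapping a scanner has no way to see when no rules are supplied. The rules, the crawled paths and the names `resolve` and `summarize` are constructed assumptions in a mod_rewrite-like style.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed rules: (regex on the request path, backend target with backreferences).
REWRITE_RULES = [
    (r"^/products/([^/]+)/(\d+)/?$", r"/product.php?category=\1&id=\2"),
    (r"^/blog/(\d{4})/([^/]+)/?$", r"/post.php?year=\1&slug=\2"),
]

# Constructed crawl output: what the site looks like from the outside.
CRAWLED = ["/products/shoes/17", "/products/hats/42/", "/blog/2023/hello-world", "/about"]


def resolve(path, rules=REWRITE_RULES):
    """Return (backend_script, {param: value}) for a path, or None if no rule matches."""
    for pattern, target in rules:
        match = re.match(pattern, path)
        if match:
            parts = urlsplit(match.expand(target))
            return parts.path, dict(parse_qsl(parts.query))
    return None


def summarize(crawled_paths, rules=REWRITE_RULES):
    """Collapse crawled paths into backend scripts and their input names.

    Without rules, each path looks like its own directory or file; with rules,
    many paths collapse to a few scripts whose path segments are real inputs.
    """
    scripts, unmatched = {}, []
    for path in crawled_paths:
        hit = resolve(path, rules)
        if hit is None:
            unmatched.append(path)  # genuinely static, or not covered by any rule
            continue
        script, params = hit
        scripts.setdefault(script, set()).update(params)
    return {s: sorted(p) for s, p in scripts.items()}, unmatched


if __name__ == "__main__":
    inputs, static = summarize(CRAWLED)
    for script, names in inputs.items():
        print(f"{script}: inputs {names}")
    print("no rule matched:", static)
```

In this constructed crawl, three apparent directories collapse to two scripts with four inputs in total, and only `/about` is left as a plain path.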

If for some reason you do not want to, or cannot, import the URL rewrite rules into Acunetix WVS, disabling the following security checks will help reduce the number of reported false positives and avoid infinite scan loops during a scan:

CGI Tester: Possible sensitive content
File Checks: Backup files
Directory Checks: Common files
Directory Checks: Possible sensitive directories
Directory Checks: Possible sensitive files
Text search: Common files

To disable the above security checks, navigate to the Configuration > Scanning Profiles node and un-tick these tests in the scanning profile of your choice, as highlighted in the screenshot below.


