Introduction

Acunetix is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting and other exploitable vulnerabilities. In general, Acunetix scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol.

Acunetix offers a strong and unique solution for analyzing off-the-shelf and custom web applications including those utilizing JavaScript, AJAX and Web 2.0 web applications. Acunetix has an advanced crawler that can find almost any file.

Its functions and modules looks like Burp Suite, but not cross platform. However, compare to Burp Suite, Acunetix has higher detection rate and lower false positives. Besides, it use modern web based user interface, which is more easy to learn and convenient to use.

We can obtain Acunetix from its official website directly, it offers 14 day free trial. After submit trial form, you can get a download link from email. The download link is point to a EXE format file. Since it only provide Windows platform distribution, you need use virtual machine if working on other operating system or use the online scanner.

In this case, since I am working on macOS, I will use a Windows 10 Developer VM as backend to run Acunetix and show some usage examples.

Installment

First of all, we need install the trial version to our machine, it is very simple, just click the EXE file and follow the instructions.

During the install process, the setup wizard will ask for input a email and password for the administrator account. After install process, we can simply click the Acunetix icon in desktop or windows start menu to run Acunetix, it will automatic open system default web browser to localhost:13443 if you have not change the default port during the install process.

Configuration

When first open the web user interface, it will prompt a login form, just input the administrator account information we set before and we can sign in the dashboard. The data between the browser and the server, whether used directly on a computer running Acunetix or via the local network, is transferred via TLS/SSL. A unique certificate authority for your environment is generated during the installation procedure.

After sign in, it will show dashboard page. There are some statistical data about targets and scan tasks, we can obtain abstract status about this system. It rates vulnerabilities for high, medium and low severity level. And we can know which is most vulnerable target, that is very helpful when we evaluate a system which includes several sub-domains. Besides, we can gain valuable insights from the top vulnerabilities data after we scanned considerable targets. The interface is fast and responsive, with a strong focus on functionality.

To begin a scan task, we need add a target first. Click the“Targets”label in the left sidebar, then click“Add Target”button, it will prompt a modal form to let us input address and description information. The description is optional and just works like comment.

We can start our first scan task after add a target, I use my personal website here to conduct an authorized scan task since unauthorized scan may cause illegal risk.

Before begin a scan, we can explore the“Settings”page, just click the corresponding label in left sidebar. And Acunetix provides some very basic settings option. You can set proxy now if you do not want expose yourself. I recommend you launch a Tor onion proxy locally and pass all the scan traffic flow through it for anonymous demand. Moreover, you can set a SMTP server in“Notifications Settings”, then you can get notified when a task finished or other events occurred.

In addition, if you install Acunetix in a server and want to share with your teammates like a cloud service, you can just simply create different user and user group for easily management. It is also a good practice to isolate different penetrate projects.

Since scanner task normally cost sizable time and network resources, Acunetix provide“Excluded Hours”to let us manual schedule our background tasks peacefully.

Usage

Back to the“Targets”page, we can select one or multi target and click scan button to config a scan task. It provides 6 different scan type including Full Scan, High Rank Vulnerabilities, Cross-site Scripting Vulnerabilities, SQL Injection Vulnerabilities, Weak Passwords and Crawl Only. By default, Acunetix defaults work for most sites, so you can start the scan without any further customizing at all. In this case, I choose the Full Scan selection.

In this options model form, we can also set report type and schedule time. The report type does not matter at this time because we can generate any type after scan task done.

We will receive notification when our task done, and the report is waiting for us. In the summary part, the report marked threat level as HIGH.

Then we can inspect the whole report. In fact, we can assess website performance according to Avg. Response Time. In the target information, it will display some detected fingerprint to infer server software, os and web framework, etc. However, these information can only use as a reference since we can easily modify HTTP response header and some other feature to deceive the scanner.

In the bottom part of the summary page, it display latest discovered vulnerabilities and ordered by time, it use different colors to mark different alert level.

Besides, the scanner use crawler to follow links in website page, and list all of external domain in the hosts, we can straightforward add these hosts as target for further side-channel attack.

After complete scan, we can get a site structure tree generated by crawler, based on this site structure, we can dig in extra information, like find XSS or CSRF vulnerability or SQL injection point.

Furthermore, in this view it classified vulnerabilities by URL path, therefore we can research potential hidden danger in some path, it is extremely useful when target is a dynamic website.

Every vulnerabilities title is clickable, we can view the details about each vulnerability. In the detail page, we can know about the vulnerability description, it has explained the causes and particulars. Also we can evaluate the urgency of fix this vulnerability based on the impact of this vulnerability.

Fortunately, Acunetix provided recommend solution to fix each vulnerability. In most case, we can simply follow the instruction to done the fix works. In the bottom of this page, we can see CWE and CVSS classification and some references.

All reports can be downloaded in PDF and HTML formats, and if you want to customize your scanning to an even greater degree, just go into Settings > Scan types, and create a new preset by selecting items from a long list of vulnerability classes and subclasses.

Moreover, the issue tracking functionality is a nice addition and can be integrated with Microsoft Team Foundation Server, Atlassian’s JIRA, and GitHub, that can be involved in the software development cycle.

Conclusion

To sum up, Acunetix is very suitable for collaboration with tester and auditor, and it provide solid access control for different user. The web-based interface makes it run smoother, and also unlocks the potential of offering role-based access to multiple users within the organization.

Since it has web based user interface, it is feasible to build a private cloud vulnerabilities scanner service. This is a remarkable feature compare to Burp Suite and some other similar products.

During the testing phase, the most challenge occurred is to figure out differences between each scan types, we need know our true demand and then we can start a scan. Fortunately, Acunetix has provided detailed document and manual, therefore we can finally achieve our goals.

Also, if Acunetix can provide more customized option like Burp Suite, it will be more professional and works well in a variety of specific circumstances.

References

[1] https://www.acunetix.com/support/docs/introduction/
[2] https://www.helpnetsecurity.com/2017/07/10/acunetix-11-review/
[3] https://www.acunetix.com/resources/wvsmanual.pdf