Getting Started with Acunetix

Bởi An Le vào January 2016

Starting a Scan
The Scan Wizard allows you to quickly set-up an automated security scan of
your website. The security scan provides a comprehensive understanding of
the web vulnerabilities present in your website, and gives you the opportunity
to review the individual alerts returned.
This Getting Started Guide explains the process of launching a security audit
of your website through the Scan wizard.

IMPORTANT NOTES:

Step 1: Select Target to Scan
1. Click on ‘File > New > Website Scan’ to start the Scan Wizard or click on
‘New Scan’ button from the Acunetix WVS menu bar.
stp1
Screenshot 1 – Scan Wizard: Provide Website to Scan

2. Specify the website to be scanned. The scan target options are:

You can scan multiple websites simultaneously using the Acunetix WVS
Scheduler. For more information, please refer to ‘The Scheduler’ chapter in
the Acunetix WVS user manual.
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options
stp2
Screenshot 2 – Scan Wizard: Configure Scanning and Crawling options

Scanning Profile
Select a scanning profile (e.g. SQL Injection or XSS) to be used when
scanning the target website. A scanning profile defines which vulnerability
checks will be launched against your website. The Default scanning file will
test your website for all known web vulnerabilities. For more information,
please refer to ‘Scanning Profiles’ chapter in the Acunetix WVS user manual.

Scan Settings Template
The Scan Settings template will determine what Crawler (HTTP protocol,
advanced crawling) and scanner settings to be used during a scan. You can
customize the scan settings using the ‘Customize’ button. Any changes made
will affect only the current scan. If you wish to save the changes to be used
for future scans, you can select to save the template at the end of the Scan
Wizard. For more information, please refer to the ‘Scan Settings Template’
section in the user manual.

Crawling Options
If you want to manually select which files and directories should be scanned
after the crawl, select the After crawling let me choose the files to scan
option.
You can also select to have the crawler process URLs which might not be
linked from the main URL by using the Define list of URLs to be processed
by crawler at start option.

Step 3: Confirm Targets and Technologies Detected
stp3
Screenshot 3 – Scan Wizard: Confirm Targets and Technologies
Acunetix WVS will automatically fingerprint the target website for basic details
and will automatically determine if a custom 404 error-page is being used.
For more information, please refer to ‘Custom 404 Pages’ section in the user
manual.
The web vulnerability scanner will optimize and reduce the scan time for the
selected technologies by reducing the number of tests performed. Use the
checkboxes next to the web technologies to enable or disable scanning for
specific technologies. If a specific web technology is not listed, then that
technology is supported by there are no vulnerability tests exclusive to that
technology

Step 4: Configure Login for Password Protected Areas

stp4
Screenshot 4 – Scan Wizard: Login Details Options

Scanning a form based password protected area
1. Click ‘New Login Sequence’ to launch the Login Sequence Recorder. By
default the URL of the target website is automatically used. Click Next to
proceed.
stp5
Screenshot 5 – Login Sequence Recorder: Confirm URL
2. On the second page of the wizard, browse to the website’s login page
and submit the authentication credentials in the login form. Wait for the
page to fully load, indicating that you are logged in. Click Next to
proceed.
stp6
Screenshot 6 – Login Sequence Recorder: Record Login Actions

3. Once logged in, you also need to identify the logout link so the crawler
will ignore it to prevent ending the session. In the ‘Setup restricted links’
step of the wizard, click on the logout link. If the logout link is not in the
same page, click on ‘Pause’ in the top menu, navigate to a page where
the logout link is found, resume the session and click on the logout link.
Click ‘Next’ to proceed.
stp7
Screenshot 7 – Login Sequence Recorder: Specify restricted links

4. In this step, you can specify ‘In Session’ or ‘Out of Session’ detection
patterns. Session detection allows the crawler to detect that it is still
logged in. f the session expires during a crawl, the Crawler will
automatically login again. Click the Detect button so the Login Sequence
Recorder will try to automatically detect the pattern.
Note: if the automatic detection does not work, you would need to specify
the pattern manually. For more information, please refer to the ‘Scanning
a HTTP password protected area’ section in the user manual.
stp8
Screenshot 8- Login Sequence Recorder: Session Detection

5. In the last step of the wizard, you can review the recorded sequence.
One can change priority of URLs, edit requests and add or remove
requests. Click ‘Finish’ to finalize the login sequence recording.
For more information, please refer to the ‘Login Sequence Recorder’ section
in the Acunetix WVS user manual.

Step 5: Final wizard options
In the final step, the Scan Wizard will make an initial analysis of the web site
and you might be alerted to the following:

You will also be given the option to save the scan options to a new scanning
template, so that the same scan settings can be re-used for future scans.
stp9
Screenshot 9 – Scan Wizard – Final Scan Configuration options.

Step 6: Completing the scan
Click the Finish button to start the automated scan. Depending on the size of
the website, scanning profile chosen and the server response time, a scan
may take up to several hours. These factors cannot be controlled by Acunetix
WVS.

 http://www.acunetix.com/resources