Acunetix is available as Software (On Premise) Acunetix Web Vulnerability Scanner (WVS) or Online (Hosted) Acunetix Online Vulnerability Scanner (OVS). Since Acunetix Web Vulnerability Scanner (WVS) migrated over to web based architecture, both WVS and OVS is actually key different with one is cloud online hosted by Acunetix, and licensed by target; and On Premise is license by Standard/Pro/Enterprise/Multi Scan Engine with variety of concurrent scan instance and option for multiple users for Enterprise / Multi Scan Engine only.
Audit Your Website Security with Acunetix Web Vulnerability Scanner
With the uptake of cloud computing and the advancements in browser technology, web applications and web services have become a core component of many business processes, and therefore a lucrative target for attackers. Over 70% of websites and web applications however, contain vulnerabilities that could lead to the theft of sensitive corporate data, credit cards, customer information and Personally Identifiable Information (PII).
Firewalls, SSL and Hardened Networks Are Futile Against Web Application Hacking
Cyber criminals are focusing their efforts on exploiting weaknesses in web applications such as eCommerce platforms, blogs, login pages and other dynamic content. Insecure web applications and web services not only provide attackers access to backend databases but also allow them to perform illegal activities using compromised sites.
Web application attacks are carried out over HTTP and HTTPS; the same protocols that are used to deliver content to legitimate users. Yet web application attacks, both on free open-source software, such as WordPress, Drupal and Joomla!, as well as commercial or custom-built applications, can have repercussions that are the same, or worse than traditional network-based attacks.
The Technology Leaders in Automated Web Application Security
DeepScan Technology allows accurate crawling of AJAX-heavy client-side Single Page Applications (SPAs) that leverage complex technologies such as SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations.
Industry’s most advanced and robust SQL Injection and Cross-site Scripting testing, including advanced detection of DOM-based Cross-site Scripting.
AcuSensor Technology allows accurate scanning further reducing the false positive rate, by combining black box scanning techniques with feedback from its sensors placed inside the source code.
Fast, Accurate, Easy to Use
Multi-threaded, lightning fast crawler and scanner that can crawl hundreds of thousands of pages without interruptions.
Highest detection of WordPress vulnerabilities – scans WordPress installations for over 1200 known vulnerabilities in WordPress’ core, themes and plugins.
An easy to use Login Sequence Recorder that allows the automatic crawling and scanning of complex password protected areas including multi-step, Single Sign-On (SSO) and OAuth-based websites.
Easily generate a wide variety of technical and compliance reports aimed towards developers and business owners alike.
In-depth Crawl & Analysis
Accurately Crawl and Scan with DeepScan Technology
Acunetix Vulnerability Scanner includes Acunetix DeepScan Technology which allows the scanner to robustly test any application, no matter what web technology it’s written in.
At the heart of DeepScan, is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would. This allows Acunetix Vulnerability Scanner to test web application just as though it is running inside of a user’s browser, allowing the scanner to seamlesly interact with complex controls just as a user would, significantly increasing the scanner’s coverage of the web application.
DeepScan has been further optimized to analyze websites and web applications developed in Ruby on Rails and Java Frameworks including Java Server Faces (JSF), Spring and Struts.
Hassle-free Authenticated Web Application Testing
Testing authenticated areas of your websites and web applications is absolutely crucial to ensure full testing coverage. Acunetix Vulnerability Scanner can automatically test authenticated areas by recording a Login Sequence using the Login Sequence Recorder. The Login Sequence Recorder makes it quick and easy to record a series of actions the scanner can re-play to authenticate to a page. The Login Sequence Recorder can also record a series of Restrictions; making it trivial to granularly limit the scope of a scan in a few clicks.
Acunetix Login Sequence Recorder supports a large number of authentication mechanisms including
- Multi-step/Custom Authentication Schemes
- Single Sign-On Authentication
- Multi-factor Authentication
Malware URL Detection
Acunetix includes a malware detection service that detects URLs linking to external sites known to host malware or that are known to be used for phishing attacks.
Such links may indicate that the site being scanned has either been compromised, or that somehow an attacker has managed to inject URLs to the malicious site. It may also indicate that a legitimate site that your site links to has been compromised and is hosting malware.
Highest Detection Rate
Highest SQL Injection and XSS Detection Rate
Holistic and accurate vulnerability detection lies in the ability to detect anything from the most obvious to the most obscure SQL Injection, XSS and over 500 other types of web application vulnerabilities. Acunetix is the industry leader in detecting the largest variety of SQL Injection and XSS vulnerabilities, including Out-of-band SQL Injection and DOM-based XSS.
In-depth SQL Injection and Cross-Site Scripting (XSS) Vulnerability Testing
Acunetix Vulnerability Scanner rigorously tests for hundreds of web application vulnerabilities including SQL Injection and Cross-site Scripting. SQL Injection is one of the oldest and most prevalent of software bugs; it allows attackers to modify SQL queries in order to gain access to data in the database. Cross-Site scripting attacks allow attackers to execute malicious scripts inside your visitors’ browser; possibly leading to impersonation of that user.
When it comes to Dynamic Application Security Testing (DAST), while the number of tests a scanner can run is important, it is secondary to how well it can crawl an application – If you can’t crawl it, you can’t scan it! Acunetix Vulnerability Scanner’s DeepScan Technology has the ability to crawl complex client-side Single Page Applications (SPAs), guaranteeing the highest vulnerability detection rate even in client-side vulnerabilities such as DOM-based XSS vulnerabilities.
Advanced Automated DOM-based XSS Vulnerability Testing
DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client-side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
DOM-based XSS is often a client-side attack, and the attacker’s payload is never sent to the server. This makes it even more difficult to detect. Acunetix Vulnerability Scanner can scan for a wide range of advanced DOM-based XSS and also provide a stack-trace of the injected payload as it moves inside of the browser’s DOM.
Detection of Blind XSS, XXE, SSRF, Host Header Attacks and Email Header Injection
Traditional methods of detecting vulnerabilities fall short when attempting to detect second-order vulnerabilities; i.e. testing for vulnerabilities that do not provide a response to a scanner during testing. Detection of second-order vulnerabilities requires an intermediary service; Acunetix Vulnerability Scanner, combined with it’s built-in AcuMonitor Technology, makes automatic detection of such vulnerabilities possible and transparent to the user running the scan.
AcuMonitor allows the detection of vulnerabilities such as Blind XSS, XML External Entity Injection (XXE), Server Side Request Forgery (SSRF), Host Header Attacks, Email Header Injection and Password Reset Poisoning.
Lowest False Positives
Lowest False Positives Guarantees Effective Web Application Security
Acunetix’s unique AcuSensor Technology enhances a regular dynamic scan through an Interactive Application Security Testing (IAST) deployment of sensors inside the source code. AcuSensor will then relay feedback to the scanner during the source code’s execution. This combination of black-box and white-box testing (commonly referred to as gray-box testing) further enhances the scanner’s detection rate.
Interactive Security Testing with AcuSensor
Acunetix’s unique AcuSensor Technology enhances a regular dynamic scan through the deployment of sensors inside the source code. AcuSensor then relays the feedback to the scanner during the source code’s execution.
- Server-side component that enables the scanner to run a gray-box (IAST) scan.
- Inspects the source code of a web application whilst it is in execution.
- Crawls the application also on the back-end providing 100% crawl coverage.
- Find and test hidden inputs not discoverable during a black-box scan
Line of Code Visibility
AcuSensor indicates the vulnerable line of code for several high-severity vulnerabilities and reports additional debug information, This greatly increases remediation efficiency and makes the developer’s task of fixing the vulnerabilities easier.
- Indicates vulnerable line of code.
- Shows SQL queries for SQL Injection vulnerabilities.
- Enables quicker remediation.
- Pinpoints what needs to be fixed and where.
Lowest False Positive Rates
Detection of inexistent vulnerabilities are a nightmare to deal with. False positives reduce confidence in automated security testing and waste the developers’ time trying to find and fix vulnerabilities.
- Acunetix drives the industry’s lowest false positive and false negative rates even lower.
- Automatically verifies several high-severity vulnerabilities.
- Accurate scan results reduce the need to manually confirm detected vulnerabilities.
Vulnerability Management and Regulatory Compliance Reports
Vulnerability Management (VM) is the ongoing effort of discovering, measuring and remediating vulnerabilities. Organizations use vulnerability management to avert threats posed by the exploitation of applications and network infrastructure. Acunetix bakes advanced vulnerability management features right-into it’s core, making it easy to kick-start your vulnerability management program, as well as integrate the scanner’s results into other tools and platforms.
Your Vulnerability Management Program in One Consolidated View
It takes teamwork and collaboration to build and maintain a great security program. The Acunetix multi-user, multi-role features allow your Team to be flexible and productive while getting access only to resources they need. Vulnerability Management features allow your Team to easily maintain an integrated view of your security posture throughout your application portfolio by storing everything pertaining to your application security program into a single, central location.
Acunetix removes the need for managing your application security program in multiple PDFs, spreadsheets and other silos of information, and instead, allows you to continuously and automatically secure your application portfolio while managing risk exposure from one consolidated view.
Track Issues, not PDFs
Development Teams manage their work-load in Issue Trackers to fix bugs, track the progress of new features and manage deadlines. Going to developers with a “300-page PDF” full of security issues that need attention is counterproductive and creates a communication barrier.
- Integrates with Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS).
- Provides management with historical data, trending and prioritization tools.
- Reduces time and effort for remediation by integrating into the software development life-cycle.
Advanced Management and Compliance Reporting
Acunetix creates reports which allow you to share security findings internally with management and with regulatory bodies. Reports can focus either on a single Scan, on a specific Target or even on an arbitrary group of Scans or Targets.
- Easily generate detailed technical or management reports.
- Includes compliance reports such as PCI DSS, OWASP Top 10, ISO 27001 and HIPAA.
Concerned about WordPress Security? Enter Acunetix
With more than 24% of websites on the Internet running WordPress, WordPress security is becoming an increasingly important factor in an organization’s security posture. Unfortunately, thousands of WordPress plugins contain high-severity vulnerabilities which could allow attackers to gain access to the WordPress administrative interface.
Scan for Vulnerable WordPress Plugins
Acunetix identifies WordPress installations, and will launch security tests for WordPress plugins and WordPress core vulnerabilities. The WP plugins detected, are listed in the WordPress plugins Knowledge Base including a description, version number and latest version of plugin to update to.
- Scans for over 1200 vulnerable WordPress Plugins & Misconfigurations.
- Checks for weak WordPress admin passwords, WordPress username enumeration,
- Detects malware disguised as plugins and old versions of plugins.
WP Configuration File Disclosure and Username Enumeration
An administrator might sometimes need to alter certain settings from
wp-config.php directly as opposed to the WordPress interface. To do this, a backup of the known working configuration is created, before proceeding with manually altering the file. However, the backed up file then becomes available to whoever is able to guess the name of the backup file.
- Acunetix checks for a number of possible WordPress configurations.
- Runs tests for username enumeration of WordPress accounts.
- Detects use of weak passwords based on a password list and leetspeak.
Not just WordPress
Following WordPress, Joomla! and Drupal are among the most widely deployed Content Management Systems (CMSs) and have their own share of vulnerabilities and misconfigurations.
- Detects vulnerable versions Joomla! and Drupal installations.
- Tests Joomla! and Drupal web applications for known vulnerabilities and misconfigurations.
- Tips to prevent a WordPress hack.
Key Features of Acunetix Network Security Scanner
Comprehensive security audits require detailed inspection of the perimeter of your public-facing network assets. Acunetix has integrated the popular OpenVAS scanner within Acunetix Online Vulnerability Scanner to provide a comprehensive perimeter network security scan that integrates seamlessly with your web application security testing, all from an easy to use simple cloud-based service.
Scan Perimeter Network Services
Insecure perimeter networks are the cause of most data breaches. The perimeter is therefore one of the most important areas of your network to secure against vulnerabilities, misconfiguration and other security threats that could compromise security or availability of network services.
Acunetix Online Vulnerability Scanner extends your network’s visibility to outside threats and provides you with a perspective of your network’s perimeter just like an attacker would see it.
Every network scan will initially start with a port scan of the IP address the scanning target in order to discover open ports and running services. Open ports are then tested for over 35,000 known vulnerabilities and mis-configurations.
Testing for Network Vulnerabilities
Network vulnerability tests performed during a scan include assessing security testing of detected devices such as routers, firewalls, switches and load balancers; testing for weak passwords on common protocols such as FTP, IMAP, database servers, POP3, Socks, SSH and Telnet; Testing for DNS-related server vulnerabilities such as DNS zone transfer attacks, open recursive DNS attacks and DNS cache poisoning attacks; testing for badly configured Proxy Servers, weak SNMP community strings, weak TLS/SSL ciphers and many other security weaknesses.
The scan’s findings are then presented inside the Acunetix Online Vulnerability Scanner dashboard, from where a network security report can be easily generated.
Detecting Network Security Mis-configurations
Acunetix Online can detect a wide array of network security mis-configurations that could lead to sensitive data disclosure, denial of service or even compromise of hosts. The Online Scanner tests for:
- Anonymous FTP access and writable directories over FTP.
- Badly configured Proxy Servers.
- Weak SNMP community strings.
- Weak TLS/SSL ciphers.
Acunetix includes advanced tools for penetration testers to take web security testing further, while integrating both with external tools as well as tools to aid in testing business-logic web applications.
Take Automated Scanning Further
The manual penetration testing tools available to download for free allows veteran testers as well as up and coming security researchers, the ability to manually test web applications for logical flaws.
- Intercept, log and modify HTTP traffic on the fly.
- Fuzz test validation and handling of invalid or random data.
- Export Blind SQL Injection vulnerabilities and perform automated database data extractions.
- Import manual crawl data from Acunetix HTTP Editor, Telerik Fiddler, Portswigger BurpSuite and HAR (HTTP Archive) files.
Automatic Web Application Firewall (WAF) configuration
Acunetix integrates with popular WAFs to automatically create the appropriate Web Application Firewall rules to protect web applications against attacks targeting vulnerabilities that the scanner finds. This allows you to temporarily prevent exploitation of high-severity vulnerabilities until you are able to fix them. Acunetix integrates with:
- Imperva SecureSphere.
- F5 BIG-IP Application Security Manager.
- FortiWeb WAF.
Integration and Extensibility
Acunetix features a powerful RESTful Application Programming Interface (REST API). The REST API allows access and management of Scan Targets, Scans, Vulnerabilities, Reports and other resources within Acunetix in a simple, programmatic manner using conventional HTTP requests.
- Intuitive and powerful API endpoints.
- Easily retrieve results and execute actions.
- Seamlessly integrate Acunetix into complex, custom workflows and processes.
Please feel free to contact E-SPIN for your inquiry, so we can assist you on the exact requirement in the packaged solutions that you may required for your operation or project needs.