Acunetix Advanced Usage
Experienced users of Acunetix Web Vulnerability Scanner (WVS) will know that its spider (crawler) depends on detecting links, hidden ones included; only what it can reach that way gets correct and accurate application security testing. Remember, it can’t crawl what is not linked.
The key challenge remains with custom web applications and RESTful web services: the way such an application or service is structured often does not provide the crawler with links or references that would allow it to crawl the entire application.
For instance, if the page ‘/secret_admin’ (in a custom-developed web app) is not linked from anywhere in the site structure of the website or web application being crawled, it will never be picked up by the crawler, and what isn’t crawled can’t be scanned because the scanner simply does not know the page exists.
This is even more common when you test RESTful web services that do not use a WADL definition. A WADL definition is a description of the web service (as WSDL is for SOAP), and when supplied to Acunetix WVS it eliminates the need for crawling.
Acunetix WVS version 10 onward therefore introduces the ability to import results from its own HTTP Sniffer (.SLG) as well as from external tools such as PortSwigger Burp Suite (Burp Suite XML), Telerik Fiddler (.SAZ) and any tool that can export an HTTP Archive file (.HAR). This gives penetration testers in particular the option to extend their manual testing workflow and automate more of the advanced security testing process, leaving more time and focus for discovering logical vulnerabilities.
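The practical question behind the import feature is coverage: which endpoints did a manual or proxied session touch that a link-following crawl never reached? The script below is an added example, not E-SPIN's or Acunetix's code. It reads a HAR 1.2 file of the kind Acunetix WVS 10+ can import, lists the (method, path) endpoints it records for the target host, and reports the ones absent from a crawler's URL list. The HAR content, the host name app.example and the crawled-URL list are constructed sample data; the `/secret_admin` page is the unlinked example from the text above.

```python
"""Check scanner crawl coverage against an HTTP Archive (HAR) capture.

Added example (not E-SPIN's or Acunetix's code). It reads a HAR file of the
kind Acunetix WVS 10+ can import and lists the request endpoints it contains,
then reports which endpoints a crawler-only run missed. The HAR content and
the crawled-URL list below are constructed sample data.
"""
import json
from urllib.parse import urlsplit

# Constructed HAR capture: a browser/proxy session that visited the linked
# home page and an admin page reachable only by typing the URL directly.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {"request": {"method": "GET", "url": "https://app.example/"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://app.example/secret_admin"},
             "response": {"status": 200}},
            {"request": {"method": "POST", "url": "https://app.example/secret_admin/users?page=2"},
             "response": {"status": 302}},
            {"request": {"method": "GET", "url": "https://app.example/secret_admin"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://cdn.example/lib.js"},
             "response": {"status": 200}},
        ],
    }
})

# Constructed result of a link-following crawl of the same site: only the
# home page was linked, so only the home page was found.
CRAWLED_URLS = ["https://app.example/"]


def har_endpoints(har_text, host):
    """Return the set of (method, path) pairs recorded in a HAR for one host.

    The HAR 1.2 layout is log.entries[].request.{method,url}; query strings
    are dropped so the same resource with different parameters counts once,
    and duplicate requests collapse into a single endpoint.
    """
    har = json.loads(har_text)
    endpoints = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.netloc != host:
            continue  # third-party hosts are out of scope for the scan
        endpoints.add((req["method"].upper(), parts.path or "/"))
    return endpoints


def uncrawled_endpoints(har_text, crawled_urls, host):
    """Endpoints present in the HAR that the crawl never reached, sorted."""
    seen = {urlsplit(u).path or "/" for u in crawled_urls}
    return sorted(ep for ep in har_endpoints(har_text, host) if ep[1] not in seen)


if __name__ == "__main__":
    for method, path in uncrawled_endpoints(SAMPLE_HAR, CRAWLED_URLS, "app.example"):
        print(f"not reached by crawler: {method} {path}")
```

Run against a real capture by replacing `SAMPLE_HAR` with the file contents and `CRAWLED_URLS` with the scanner's site-structure export; anything the script prints is an endpoint the crawl alone would have left unscanned, which is exactly what importing the HAR into the scanner is meant to close.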
The same applies to business logic testing: you can crawl and scan complex business-logic-driven applications by importing Selenium IDE test cases and continuing the workflow inside Acunetix Web Vulnerability Scanner.
This third-party tool support and integration extends the reach of advanced users and opens up more manual application security testing possibilities.
Another key area is developing custom vulnerability tests for custom-built or in-house web applications or portal applications. This can be achieved using the Acunetix command line interface, XML export, Vulnerability Editor and Acunetix SDK to develop your own custom vulnerability tests.
About E-SPIN
E-SPIN has been actively promoting and supporting Acunetix since version 4. Over those years of support, E-SPIN has gained insightful first-hand experience from consulting work and from integration work for the SDLC and with third-party tools: scanning, vulnerability exploit testing, validation, WAF integration and so on. E-SPIN is pleased to conduct a special Acunetix Advanced hands-on workshop training for existing experienced Acunetix users, security professionals and penetration testers on how to extend it for advanced usage scenarios and contexts.
For more about the advanced training and its content, please follow the event link for details.