You can't secure what you don't acknowledge.SM

Thursday, March 5, 2009

Acunetix - a very good Web scanner that keeps getting better

OK, it didn't *just* get better...it's been out for several months - but I've just now gotten a chance to really sit down with it and take it for a spin and write a post about it. I'm talking about Acunetix Web Vulnerability Scanner version 6.

Note before I begin: I don't do formal "reviews" but you know how excited I get over cool tools. I found something in this one that I thought you may benefit from...

What started out as an overly-simplistic scanner a few years ago has really become a contender in the Web vulnerability scanner market - especially for the price. In addition to rooting out a lot of XSS (even more than other tools can find), the latest version of Acunetix WVS can also check for blind SQL injection (something that's pretty much impossible to do manually - at least within reason) and it also does a port scan of the Web system to check for other services that may be vulnerable.

In some scans I ran it found FTP, SSH, and Windows Terminal Services open. Good things to know, and things that are a *big* oversight in many Web security assessments. You can't just look at layer 7 alone and assume you've done enough.

The graphic below doesn't do it much justice but Acunetix WVS has a pretty nice interface and is as easy to use as any scanning tool I've come across.


I've always said that, in most situations, you get what you pay for and this tool supports my theory. It's way better than any open source or freeware tool out there and really can hold its own with some of the bigger players.

If you already own one of the higher-end scanners but want to look at your Web systems from yet another perspective, then this would be a good route to go: a limited investment, and based on what I've seen comparing it to some other popular tools, you're pretty much guaranteed to find new/different/bigger Web vulnerabilities. It worked for me. It won't find everything (none of them will) but it finds a lot.

Now that I've painted a rosy picture there are a few things about the program I'm not crazy about:
  1. You can't run multiple scans at once either within the same session or by starting up a new instance of the program (it won't let you).
  2. It flags certain issues I consider lower priority, such as SSL v2.0 being enabled, as higher-priority ones. Most scanners do this. I'm just saying that there are many more things to worry about than someone having the tools and expertise to decrypt Web data in transit, and then getting anything valuable out of it, as in the case of SSL v2.0 being used. Anyway, this is why you have to take your scan results with a grain of salt, do manual testing of your Web sites/apps, and find/fix what matters in your context and in your environment.
  3. You can't apply changes to the maximum number of parallel connections (scanner threads so you can speed up or slow down the scan) while a scan is running. :-(
  4. You can only keep the scanner from submitting form input during the crawl phase - not the scanning phase. This is a GREAT way to tick off a bunch of people who'll undoubtedly receive thousands of emails from forms not protected with CAPTCHA or another mechanism being submitted over and over again during the scan.
  5. There's no easy way to work interactively and load/view the vulnerabilities it finds within a browser. You have to click on each finding then click in another window, and then copy/paste the URL, etc. into your browser.
All of that said, Acunetix WVS is still a very good, relatively fast Web vulnerability scanning tool - especially for the price. Check it out or tell others in your company about it...After all, it's the Web - everyone has to check for vulnerabilities in some capacity these days...or at least they should be!

2 comments:

  1. Dear Kevin,

    I am very pleased to hear that you liked our web vulnerability scanner, since here at Acunetix Ltd. we put a lot of work in it.

    I would like to make some corrections of the negative points you have presented, to let users know of the not very well known features of our scanner.

    1. You can't run multiple scans at once either within the same session or by starting up a new instance (it won't let you).

    Running multiple instances of the application is indeed not possible, for several reasons. However, running multiple parallel scans is possible. You can either set up scans from URLs from a text file or even scan a range of IP addresses. Another possibility for scanning multiple sites is to set up hosts that are allowed to spawn scans themselves from a running scan, meaning that if on the primary target there is a link which leads to an allowed host, a new scan thread will be spawned automatically.

    2. You can only keep the scanner from submitting form input during the crawl phase - not the scanning phase. This is a GREAT way to tick off a bunch of people who'll undoubtedly receive thousands of emails from forms that aren't protected with CAPTCHA or other mechanism.

    This is only partially true. In fact, this is the most frequent problem of our customers. Of course WVS offers at least three different solutions for this. One is that you can exclude files from the scan, preventing WVS from submitting inputs to the excluded files. Another solution would be to set up a special cookie used by the scanner and patch your scripts not to send any emails if the special cookie is present. Yet another solution is to check for WVS's special headers to prevent your scripts from submitting hundreds of emails.

    3. There's no easy way to work interactively and load/view the vulnerabilities it finds within a browser. You have to click on each finding then click in another window, and then copy/paste the URL, etc. into your browser.

    In short, that is why I hate context menus :). For each node in the scanner tree there is a context menu by which you can do things for the selected node. One option for alerts is to open the HTTP request/response in the HTTP editor. From there you can easily reproduce the issue and even view it in a browser window. Also, most of the vulnerabilities are associated with URLs on the target. You can easily look up those in the scan tree (under the crawler node) and by right-clicking the node you can open the URL in your default browser. Context menus indeed are a bit harder to find for a user, but you should check them out because a lot of things can be done from there.

    All that said, I hope I managed to shed some light on some tweaks that are not very obvious.

    Thanks for the good review, and I hope we can address the other problems you have mentioned in a future version.

    Kind regards,
    Tibor Csonka
    Software Developer
    Acunetix Ltd. - http://www.acunetix.com
    Acunetix Web Vulnerability Scanner

  2. Thanks for the good feedback Tibor. I stand corrected. Here are some final thoughts regarding what you said.

    Regarding #1, I'm just used to other tools that allow you to start/stop scans on the fly and as needed without having to tell the scanner everything you want it to do at the very beginning.

    Regarding #2, I suppose these are viable technical solutions to the problem but when you have a large site or several sites to scan you may not have scoped an extra half day's worth of time to whittle down all the possible forms. Many site developers and admins couldn't tell you where all their forms are located even if you asked. Also, you may not be able to take the chance that you have overlooked a form or two as well. If you tell the scanner to not scan certain pages then the scanner may very well overlook vulnerabilities in those pages, which can defeat the purpose of the scan. Finally, looking at this from a consultant's/auditor's point of view, it's not easy to ask the customer to create custom cookies or check headers on their end when all they want is someone to assess the security of their site as-is.

    Regarding #3, you can open the page itself in the Web browser but that's not going to show you the actual vulnerability. Or, like I said, you can open the HTML editor and then see what it looks like in a browser window. However, doing this requires an extra step which really adds up when you have a lot of findings you need to review. An option to right-click on the vulnerability in the scan results pane and click "view in browser" would eliminate the need for this extra step. Even if you had to go over to the Vulnerability description/Attack details section and click "view in browser" from there it'd still be easier.

    I know it's a lot easier being on my end pointing out things than it is to be in your shoes. Keep up the good work.

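The "special cookie / special header" workaround that Tibor describes in comment 1, and that Kevin's reply pushes back on, comes down to a small server-side gate in each form handler: process the request normally, but skip the e-mail side-effect when an agreed scanner marker is present. The sketch below is an added illustration, not Acunetix's code nor anything from this blog; the header and cookie names, the secret value and the form fields are all constructed placeholders, since the comment never names the real ones. The one detail worth copying is that the marker carries a shared secret, so an ordinary visitor cannot silence notifications just by sending the header.

```python
import hmac
import logging
from dataclasses import dataclass, field

# Constructed placeholder names: the comment only says "special cookie" and
# "special headers", so these are assumptions, not the scanner's real identifiers.
SCANNER_HEADER = "X-Scanner-Marker"
SCANNER_COOKIE = "scanner_marker"
# Shared secret agreed between site owner and assessment team (constructed value).
SCANNER_SECRET = "example-secret-token"

log = logging.getLogger("contact_form")


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def is_scanner_request(req: Request) -> bool:
    """True only if a marker is present AND its value matches the agreed secret."""
    presented = req.headers.get(SCANNER_HEADER) or req.cookies.get(SCANNER_COOKIE)
    if presented is None:
        return False
    # Constant-time comparison so the check cannot leak the secret byte by byte.
    return hmac.compare_digest(presented, SCANNER_SECRET)


def send_email(to: str, subject: str, body: str) -> None:
    """Placeholder for the real mail call; intentionally a no-op here."""
    pass


def handle_contact_form(req: Request) -> dict:
    """Run the full handler (validation, logging) but gate only the e-mail side-effect."""
    name = req.form.get("name", "").strip()
    message = req.form.get("message", "").strip()
    if not name or not message:
        return {"status": "rejected", "emailed": False}
    if is_scanner_request(req):
        # Same code path as a real visitor up to this point, so the scanner still
        # exercises validation; only the notification is suppressed and logged.
        log.info("scanner marker present, suppressing notification e-mail")
        return {"status": "ok", "emailed": False}
    send_email("owner@example.invalid", f"Contact from {name}", message)
    return {"status": "ok", "emailed": True}
```

Excluding the handler from the scan entirely (the first option in the comment) avoids the patch but, as Kevin notes, also means the scanner never tests that page; the gate above keeps the page in scope.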