The team over at Acunetix have been working hard on version 7 for quite some time and released a new build with added features earlier this year in February. It also has an entirely new attack vector, DOM XSS.

If you are already familiar with WVS, it’ll feel on the surface much the same as the old version as the interface hasn’t changed drastically (which is a good thing).

Most of the improvements and major changes in version 7 are under the hood, but at first use you will notice the difference. The scanner is much faster and seems more intelligent (there were noticeably less false positives than I remember in version 6) and it has much better support for Web 2.0 and AJAX powered web applications. That is of course a huge area now and very important for a tool like this that focuses on Web Security to support well (the modules have been re-written to support technologies such as such as JSON, XML and more). It also helps that it uses new unique verification techniques so you don’t have to wade through all the false positives by hand.

The order and layout of the scan results is also clearer and easier to follow with better sections and more information about each alert.

The information given is also more complete with links to the original advisory and for application based flaws, it’s also extremely easy to see the full headers returned by the web server, relaunch the attack with the HTTP Editor, retest the alert or mark it as a false positive.

It also gives suggestions on how to fix the issue, these are usually quite general though rather than specific technical instructions. One thing I really like about WVS it’s a very well equipped scanner which can crawl, scan, do vulnerability checks and has a bunch of handy tools for comparing results and even fuzzing.

With the HTTP Fuzzer can define your own character sets, iterations, use files and much more. It’s a very neat tool and not only for fuzzing, you can also use it to validate query sets to create your own valid input rules for WVS to test.

Another useful tool to have built in to this kind of application is a local HTTP Proxy – which is labeled in WVS as HTTP Sniffer. The HTTP Sniffer acts as a proxy and allows you to capture, examine and modify HTTP traffic between an HTTP client and a web server. You can also enable, add or edit traps to trap traffic before it is sent to the web server or back to the web client.

It also has a tool called the Authentication Tester, which you can use to perform dictionary/brute-force attacks against login pages which use both HTTP (NTLM v1, NTLM v2, digest) or form based authentication. This tool uses two predefined text files (dictionaries) which contain a list of common user-names and passwords. You can add your own combinations to these text files. It’s a very easy to setup brute-forcing tool for form-based authentication testing.

For those of who do this for a living, the Compare Results tool is great for those clients you scan regularly – it even allows you compare site structure. With this and regular scans you can easily monitor if and when any vulnerabilities are introduced and keep things under control.

Overall this new version of WVS feels similar to version 6 but somehow tighter, faster and more efficient – if you liked WVS before, you’ll love it now.

As an addition for the more advanced users, you can actually write your own Acunetix WVS Vulnerability Checks now too. As the new Checks are JavaScript in WVS 7 – it’s faster, easier and more flexible to write completely new Checks or edit existing Checks.

You can get the tool and detailed scripting reference to develop your own Checks here:

Acunetix_SDK.zip

More details about that here:

Creating custom vulnerability checks for Acunetix WVS Version 7

Acunetix WVS Trial Edition

Download Acunetix Web Vulnerability Scanner v7 trial edition from here.

There are also some useful resources here:

• Getting started with Acunetix Web Vulnerability Scanner
• Getting Started Guide [PDF]
• Ordering Acunetix Web Vulnerability Scanner (WVS) & Pricing
• The Acunetix WVS FAQ

You may remember a while back we did a Review of Acunetix Web Vulnerability Scanner 6 – the very full featured web vulnerability scanning software.

Well the latest version has been released recently with some updates, bug fixes and improvements on the web application security front.

I’m hoping to try out the AcuSensor on a PHP install soon to see what kind of information it can give me.

A full review isn’t really need as the installation, interface and features are mostly the same as version 6.

One of the great new features is the Login Sequence Recorder (LSR), which can record the exact sequence needed to login to a site and replay it.

Combine this with the Session Auto Recognition module, which will identify when a logged in session is invalided or expired and will re-login automatically and you have a great tool for scanning authentication based web applications.

There is also a lot more support for JSP/Tomcat based application, I haven’t had chance to test this as I don’t deal with many Java based web applications.

Also included are some back-end and interface changes like the display of port scan & network alerts separately from the web alerts, which does make it easier to see where the issues are.

Backend stuff like cookie handling and Blind SQL Injection methods have been improved, you can also import your settings from Version 6 if you are currently using that.

You can read the press release here, or more on the blog here.

The pricing can be found here (in both Euros and USD).

If you want to know more about the features you can download the manual here:

Acunetix WVS 6.5 Manual [PDF]

As you might know if you’ve been reading for some time, I do occasionally review commercial software if it’s interesting and relevant – the last one I remember doing was back in 2007 “Outpost Security Suite PRO Review“.

This time it’s for a much more relevant piece of software IMHO, and one which I actually like using and have used in the past – Acunetix Web Vulnerability Scanner 6. Version 6 was recently released and has some quite exciting new features including the new more accurate Acusensor, Port Scanner and Network Alerts tool and actual Blind SQL Injection.

If you were previously using version 5 and you’re interesting in version 6 there are some good progressive changes. One good development is AcuSensor which goes much more in depth into web application security testing and code injection (it can find vulnerabilities that typical black box scanning wouldn’t). The new Port Scanning feature will perform some kind of Nessus like function and try and find vulnerabilities in network services, you can learn more about adding your own vulnerability scripts here.

Something important for me too is the additional of Pausing a scan, this is very useful especially on a long scan when you can only carry it out during off peak hours.

There are some other minor improvements like the ability to mark an alert as a false positive, improvements in the scheduler and general improvements in the searching and filtering features.

Installation

Installation is very easy, there are very few options to select and it’s just a next-next kind of install. There is the option of installing the BETA Firefox Plugin, which is pretty neat. No reboot is required during install, but you do need to Restart Firefox if you wish to utilize the Plugin.

Getting Started

Once you fire up the software it will let you know if there are any updates, it’s managed very well with no manual action needed by the user.

With the wizard it’s very easy to start a scan or any of the other tasks within WVS.

Once the target is selected it allows you to optimize the scan for various different technologies depending on the architecture of the site (PHP, ASP, Perl and so on).

Then the scanning options – it gives you 3 main options for scanning; Extensive, Heuristic and Quick.

It also offers you some variety in crawling options, how deep you want to go, should you scan above the root directory or only below and then after that it’s basically on auto-pilot (it does give you the option for HTTP Authentication if you need to scan something behind a login/password).

Features

The crawling and scanning is pretty comprehensive, whilst the scan is taking place it give you updates in terms of progress and in terms of anything it has found (categorised).

The progress section is quite detailed and shows which module is running, on which page of the site and generally what is happening (some scripts run concurrently).

As for anything it finds out of the ordinary, threats are categorised into 3 levels – High, Medium & Low. On top of that there is also info and knowledge base (such as which ports are open).

There are also other useful tools such as the HTTP Fuzzer and Sniffer which are good for examining HTTP traffic in detail and especially for exposing weak authentication schemes.

AcuSensor is interesting because it actually has a server side component, both for ASP.NET applications and PHP based web apps. This means that it can tell you exactly where in your code the flaw is – like this SQL Injection Vulnerability found in Mambo by AcuSensor.

There’s another example about backdoor code in web applications here, with the example this time being the WordPress 2.1.1 Vulnerability.

This is the first time I’ve encountered this kind of technology and I think it’s an excellent step forwards in automated code auditing and deeper web application security.

Surprisingly I also found some Legislation and Compliance reports inside the WVS, this was a welcome surprise (as I’ve been involved in many ISO27001 projects) something like this can really save time.

Conclusion

All in all it’s a well rounded tool with a pretty accurate scanning engine (You can find a list of vulnerabilities it checks for here including those for specific software), it’s come a long way since the earlier versions and is now quite strong in all areas of web application security testing.

The new AcuSensor also ensures more vulnerabilities are found and less false positives delivered – false positives are the bane of any vulnerability scanner. That’s where the consultant skill comes in, ascertaining which are real and which are not.

A good part is it’s quite usable by less technical people as it gives in-depth descriptions on both a conceptual and a technical level enabling people to understand the issue uncovered.

Darknet recommends Acunetix Web Vulnerability Scanner 6 highly, it could make a real difference to your work flow for the consultants and for the in-house guys it could help improve the security, stability and integrity of your web applications.

You can find more reviews about Acunetix WVS here and some Customer Testimonials here.

If you wish to read more about Acunetix WVS you can do so here and you can find the prices here (in both Euros and USD).

You can also check out WVS Free Edition.