As you might know if you’ve been reading for some time, I do occasionally review commercial software if it’s interesting and relevant; the last one I remember doing was back in 2007, the “Outpost Security Suite PRO Review”.
This time it’s for a much more relevant piece of software IMHO, and one which I actually like using and have used in the past: Acunetix Web Vulnerability Scanner 6. Version 6 was recently released and has some quite exciting new features, including the new, more accurate AcuSensor, the Port Scanner and Network Alerts tool, and genuine blind SQL injection detection.
If you were previously using version 5 and you’re interested in version 6, there are some good progressive changes. One good development is AcuSensor, which goes much deeper into web application security testing and code injection (it can find vulnerabilities that typical black box scanning wouldn’t). The new Port Scanning feature performs a Nessus-like function: it port-scans the target host and checks the network services it finds for known vulnerabilities. You can learn more about adding your own vulnerability scripts here.
Something important for me too is the addition of pausing a scan. This is very useful on a long scan that you can only run during off-peak hours.
There are some other minor improvements, like the ability to mark an alert as a false positive, improvements in the scheduler, and general improvements in the searching and filtering features.
Installation
Installation is very easy; there are very few options to select and it’s just a next-next kind of install. There is the option of installing the BETA Firefox plugin, which is pretty neat. No reboot is required during install, but you do need to restart Firefox if you wish to use the plugin.
Getting Started
Once you fire up the software it will let you know if there are any updates; this is managed very well, with no manual action needed by the user.
With the wizard it’s very easy to start a scan or any of the other tasks within WVS.
Once the target is selected it allows you to optimize the scan for various technologies depending on the architecture of the site (PHP, ASP, Perl and so on).
Then come the scanning options; it gives you three main profiles: Extensive, Heuristic and Quick.
It also offers you some variety in crawling options, such as how deep you want to go and whether to crawl above the starting directory or only below it. After that it’s basically on auto-pilot (it does give you the option of HTTP authentication if you need to scan something behind a login/password).
Features
The crawling and scanning is pretty comprehensive; while the scan is taking place it gives you updates in terms of progress and in terms of anything it has found (categorised).
The progress section is quite detailed and shows which module is running, on which page of the site, and generally what is happening (some scripts run concurrently).
As for anything it finds out of the ordinary, threats are categorised into three levels: High, Medium and Low. On top of that there are also informational alerts and a knowledge base section (such as which ports are open).
There are also other useful tools such as the HTTP Fuzzer and HTTP Sniffer, which are good for examining HTTP traffic in detail and especially for exposing weak authentication schemes.
AcuSensor is interesting because it actually has a server-side component, both for ASP.NET applications and PHP-based web apps. This means that it can tell you exactly where in your code the flaw is, like this SQL Injection Vulnerability found in Mambo by AcuSensor. The flip side is that the sensor has to be deployed on the server being tested, so it suits in-house or white box engagements rather than a pure black box test.
There’s another example about backdoor code in web applications here, with the example this time being the WordPress 2.1.1 Vulnerability.
This is the first time I’ve encountered this kind of technology and I think it’s an excellent step forwards in automated code auditing and deeper web application security.
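To make concrete what a boolean-based blind SQL injection check (the kind of detection version 6 adds) actually does, and why the hardened form of the same code produces no alert (the false-positive point comes up again in the conclusion), here is an added example. It is not Acunetix’s code and is not taken from Mambo or WordPress. It stands up a constructed in-memory SQLite “user lookup” page in two variants, one concatenating the parameter into the query and one binding it, and runs a small differential check against each. The page bodies, table contents and payload pairs are all assumptions made for the example.

```python
"""Boolean-based blind SQL injection check run against a constructed,
in-process target so that it works offline.  Everything here is an
illustration: the target pages, their data and the payloads are assumptions."""
import sqlite3
from typing import Callable

# Constructed in-memory "application database" (assumption, not a real site).
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?, ?)",
                [(1, "alice", "admin"), (2, "bob", "user")])


def vulnerable_page(username: str) -> str:
    """Vulnerable handler: concatenates the parameter straight into the query.
    SQL errors are swallowed, so no error text leaks; only the TRUE/FALSE
    difference in the page body gives the flaw away (hence "blind")."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    try:
        rows = _DB.execute(sql).fetchall()
    except sqlite3.Error:
        return "<p>error</p>"
    return "<p>user: %s (%s)</p>" % rows[0] if rows else "<p>no such user</p>"


def hardened_page(username: str) -> str:
    """Same logic with a bound parameter: any payload is just a literal name."""
    rows = _DB.execute("SELECT name, role FROM users WHERE name = ?",
                       (username,)).fetchall()
    return "<p>user: %s (%s)</p>" % rows[0] if rows else "<p>no such user</p>"


# (TRUE condition, FALSE condition) pairs.  The second pair re-confirms a hit
# so that a single lucky page difference is not reported as a vulnerability.
_PAIRS = [("1=1", "1=2"), ("2>1", "2<1")]
# "-- " (with a trailing space) comments out the rest of the line in SQLite,
# MySQL and PostgreSQL, discarding the closing quote the page would append.
_COMMENT = "-- "


def blind_sqli_check(fetch: Callable[[str], str], base: str) -> dict:
    """Boolean-based blind SQL injection check for one parameter.

    fetch(value) returns the page body for that parameter value.  For each
    injection context the parameter is flagged only if every TRUE payload
    reproduces the baseline page AND every FALSE payload changes it.
    """
    baseline = fetch(base)
    # Break-out prefix per context: close a string literal, or bare numeric.
    for context, prefix in (("string", base + "'"), ("numeric", base)):
        hit = True
        for true_cond, false_cond in _PAIRS:
            true_body = fetch(f"{prefix} AND {true_cond}{_COMMENT}")
            false_body = fetch(f"{prefix} AND {false_cond}{_COMMENT}")
            if not (true_body == baseline and false_body != baseline):
                hit = False
                break
        if hit:
            return {"vulnerable": True, "context": context,
                    "payload": f"{prefix} AND {_PAIRS[0][0]}{_COMMENT}"}
    return {"vulnerable": False, "context": None, "payload": None}


if __name__ == "__main__":
    for name, page in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(name, blind_sqli_check(page, "alice"))
```

The check deliberately requires both halves of the differential (the TRUE payload must reproduce the baseline page and the FALSE payload must change it) and a second condition pair has to agree before the parameter is flagged; that is what stops a page that merely varies between requests from being reported as injectable. It also shows the limit of the technique: with a baseline value that already returns “no such user” there is no visible difference to measure, which is where a scanner falls back to time-based payloads, or to something like AcuSensor’s server-side view of the query actually executed.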
I was also pleasantly surprised to find Legislation and Compliance reports inside WVS; having been involved in many ISO 27001 projects, I know something like this can really save time.
Conclusion
All in all it’s a well-rounded tool with a pretty accurate scanning engine (you can find a list of the vulnerabilities it checks for here, including those for specific software). It’s come a long way since the earlier versions and is now quite strong in all areas of web application security testing.
The new AcuSensor also ensures more vulnerabilities are found and fewer false positives delivered; false positives are the bane of any vulnerability scanner. That’s where the consultant’s skill comes in: ascertaining which are real and which are not.
Another good point is that it’s quite usable by less technical people, as it gives in-depth descriptions on both a conceptual and a technical level, enabling people to understand the issue uncovered.
Darknet recommends Acunetix Web Vulnerability Scanner 6 highly. It could make a real difference to the workflow of consultants, and for the in-house guys it could help improve the security, stability and integrity of your web applications.
You can find more reviews about Acunetix WVS here and some Customer Testimonials here.
If you wish to read more about Acunetix WVS you can do so here and you can find the prices here (in both Euros and USD).
You can also check out WVS Free Edition.
CoL_ShaD says
I personally think this is a great tool that every webmaster should have in order to keep things secured and running well. One of the features that I like is “Crawling Options.” This program gives you everything needed to discover weaknesses in code or any flaw.
Brooks says
I use this tool quite often for clients who want their web content examined and it is truly a wonderful application. A+ on the review and 2 huge thumbs up to Acunetix. Awesome work!
devturkler says
Thanks, Acunetix is a very nice scanner.
DJ Olson says
This is a nice tool and I agree some more new nice features. But for automated assessing of your web apps I would go with Cenzic. It has greater flexibility, a larger vuln library and is a whole lot more mature of a solution. I have used this for about a year and recommend it to those who want to move from manually doing the testing to automating it. They are a pretty cool bunch of people too. Small company that answers the phone. I tried their free tools but went up to their Pro version – more capabilities. They will let you test drive the Pro. I emailed their support and just asked.
ethicalhack3r says
I have also played around with AWVS in the past and found it to be a great tool; however, it is very noisy and would be useless at the beginning of a black box test. I suppose in a black box environment it could be used towards the end of the pen test, just to make sure you haven’t missed anything out while manually testing. I have also heard that in some cases it has produced DoSes.
Nico says
Thanks for the review.
The last time I used Acunetix (more than a year ago) it was clearly inferior to other application scanners like AppScan or HP WebInspect.
However, Acunetix is way cheaper (by a factor of 3 or 4).
Have you tested other scanners, and how do you rank them compared to Acunetix?