Acunetix OVS Review (Online Vulnerability Scanner)

Introduction

It’s been a while since we’ve looked at any Acunetix products in depth. They’ve always had a solid Web Vulnerability Scanner, as we found in our reviews of Acunetix WVS 6 and Acunetix WVS 7. Version 9.5 of the Web Vulnerability Scanner was released earlier this year, and late last year Acunetix also announced their Online Vulnerability Scanner, or OVS.

OVS is built leveraging the same state-of-the-art and proprietary Acunetix crawling and scanning technologies available in its on-premise solution.

Acunetix Online Vulnerability Scanner was officially launched in March this year and is responsive, scalable and centralised with unmatched deep crawling and scanning capabilities.

If you compare it to the on-premise solution, it’s simple to use, there’s no maintenance (as it’s cloud based) and it’s very competitively priced (the on-premise offering is understandably a fairly costly enterprise solution).

I’ve spent a few days checking out OVS and its features and workflow, including both the web scanning functionality and the network scan. So here is our Acunetix OVS review – enjoy.

Features

OVS is accessible via the web at https://ovs.acunetix.com/ – which for me is already a MAJOR benefit, as I can easily log in and check the status from anywhere. Previously, with something like Acunetix WVS, you were limited to using the machine that had the software installed and the licence activated – which sometimes limits your mobility.

Feature wise it has:

  • Complete vulnerability management through one holistic dashboard
  • Perimeter server scanning
  • Recurring and scheduled scans
  • Over 35,000 network and 600 web vulnerability checks
  • Easy to interpret and prioritised vulnerability alerts with further information to make remediation easier
  • Complete set of compliance reports including OWASP Top 10, PCI DSS, ISO 27001 and HIPAA
  • Fully supports HTML5, JavaScript, and thus the detection of DOM based XSS

Useful stuff if you are following any compliance regimes (PCI DSS is a pretty common one if you have anything to do with any kind of payment processing).

Also recently added to OVS are AcuSensor and AcuMonitor.

Acunetix AcuSensor Technology is a new security technology that allows you to identify more vulnerabilities than a traditional Web Application Scanner, whilst generating fewer false positives. In addition, it indicates exactly where in your code the vulnerability is and also reports debug information.

There’s AcuSensor support for both .NET and PHP; you basically add it into your app so the scanner can also work from the inside and indicate exactly where in your code the vulnerabilities occur. Install info can be found here.

Using OVS

Actually using OVS is pretty straightforward. After signing up you’ll have to do some basic account verification for a web scan. The domain you are scanning also has to be verified by means of a file in the web root (to prove it’s legitimately yours, or at least that you have access to it).

OVS Verification
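The web-root file check described above is the standard way a hosted scanner proves you control a domain before it will scan it: the service issues a random token, you publish it at a known path, and the service fetches that path and compares. The following is an added example of that verification protocol in Python, not Acunetix’s own code; the file name `scanner-verification.txt`, the `fetch` hook and the constructed responses are assumptions made for illustration.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import quote

# Assumed file name; the real OVS file name is not given on the page.
TOKEN_FILENAME = "scanner-verification.txt"


def issue_token() -> str:
    """Generate the unguessable token the user must publish in their web root."""
    return secrets.token_hex(16)  # 128 bits of randomness, hex-encoded


def is_plain_hostname(domain: str) -> bool:
    """Accept only a bare hostname so a user cannot steer the check
    at another path, port or host (e.g. 'victim.com/../' or 'a@b')."""
    if not domain or len(domain) > 253:
        return False
    labels = domain.rstrip(".").split(".")
    return all(
        0 < len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )


def verification_url(domain: str, filename: str = TOKEN_FILENAME) -> str:
    """Build the only URL the verifier is allowed to request for this domain."""
    if not is_plain_hostname(domain):
        raise ValueError("domain must be a bare hostname")
    return f"https://{domain}/{quote(filename, safe='')}"


def http_fetch(url: str, timeout: float = 10.0):
    """Default fetcher: return the body on HTTP 200, None otherwise."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            # Read a bounded amount; a token file is tiny.
            return resp.read(4096).decode("utf-8", "replace")
    except Exception:
        return None


def verify_domain(domain: str, expected_token: str, fetch=http_fetch) -> bool:
    """Return True only if the published file contains exactly the token.

    `fetch` is injectable so the check can be exercised without network access.
    """
    body = fetch(verification_url(domain))
    if body is None:
        return False
    # Constant-time comparison on bytes; the token is ASCII hex so this is safe.
    return hmac.compare_digest(body.strip().encode("utf-8"), expected_token.encode("utf-8"))


# Constructed responses standing in for a real web server.
_CONSTRUCTED_SITE = {
    "https://example.com/scanner-verification.txt": "0123456789abcdef0123456789abcdef\n",
}


def constructed_fetch(url: str):
    return _CONSTRUCTED_SITE.get(url)


if __name__ == "__main__":
    token = "0123456789abcdef0123456789abcdef"
    print("example.com verified:", verify_domain("example.com", token, fetch=constructed_fetch))
    print("wrong token accepted:", verify_domain("example.com", "f" * 32, fetch=constructed_fetch))
```

Two points matter for a defender here: the token must be generated by the service, not chosen by the user, and the verifier must only ever request the fixed path on the bare hostname it was given, otherwise the "verification" step becomes a way to make the scanner fetch arbitrary URLs.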

You also have various options when adding a target, including form-based authentication details; you can add a login sequence file, download the AcuSensor file and add SSH credentials.

OVS Target Options

Running a network scan takes a little deeper verification, requiring a phone call from Acunetix to confirm your contact number and some other details.

The interface isn’t the prettiest (it’s quite obviously Bootstrap), but it works just fine – starting a scan is easy as long as you’ve verified your domain. You can choose the type of web vulnerabilities you want to focus on and the type of network scan (including whether you want to run a safe or an invasive network scan).

OVS Scan Options

It’s also really easy to set up scheduled and repeating scans, which is especially useful for compliance requirements like PCI DSS, which requires quarterly scans.

OVS Scheduled Scans

When the scan has completed, you get a notification via e-mail and can check the results in the web app. The results are displayed in a fairly regular expanding tree format with the highest risk/impact vulnerabilities shown first. Each one has a title, and it expands to show what it affects, a description, attack details, impact, how to fix it and some web references if available.

OVS Scan Results

A feature I found really useful is the ability to generate reports from scan results in certain formats: the app can generate reports for you in terms of PCI 3.0 compliance, Sarbanes-Oxley, HIPAA and so on. If that’s part of your job it’s a great value add.

Report Generation

Conclusion

Overall I think it’s a great tool, and I’m glad to see a company like Acunetix, which has a great software scanner, moving more into a SaaS (Software-as-a-Service) style offering. It suits the mobile pen-testing consultant a lot more; especially with agile teams working together, the old method of generating reports with software on each engineer’s laptop was cumbersome and hard to scale.

Hence tools were developed just to do report management like Kvasir and MagicTree. With a tool like Acunetix OVS, such issues are a thing of the past.

I do hope they keep developing and improving it, adding more features and making it a more user friendly experience.

If you want to check it out you can do so here:

http://www.acunetix.com/online-vulnerability-scanner/

Remember that there’s a 14-day free trial, which offers 2 full network scans with full results and 2 web scans with overview reports on 2 targets.

Posted in: Advertorial, Countermeasures, Security Software
