It’s been a while since we’ve looked at any Acunetix products in depth. They’ve always had a solid Web Vulnerability Scanner, as we found in our reviews of Acunetix WVS 6 and Acunetix WVS 7. Version 9.5 of the Web Vulnerability Scanner was released earlier this year, and late last year Acunetix also announced their Online Vulnerability Scanner, or OVS.
OVS is built leveraging the same state-of-the-art and proprietary Acunetix crawling and scanning technologies available in its on-premise solution.
Compared to the on-premise solution, it’s simpler to use, there’s no maintenance (as it’s cloud based) and it’s very competitively priced (the on-premise offering is, understandably, a fairly costly enterprise product).
I’ve spent a few days checking out OVS and its features and flow, including both the web scanning functionality and the network scan. So here is our Acunetix OVS review – enjoy.
OVS is accessible via the web at https://ovs.acunetix.com/ – which for me is already a MAJOR benefit, as I can easily log in and check the status from anywhere. Previously, with something like Acunetix WVS, you were limited to using the machine that had the software installed and the licence activated – which sometimes limits your mobility.
Feature wise it has:
- Complete vulnerability management through one holistic dashboard
- Perimeter server scanning
- Recurring and scheduled scans
- Over 35,000 network and 600 web vulnerability checks
- Easy to interpret and prioritised vulnerability alerts with further information to make remediation easier
- Complete set of compliance reports including OWASP Top 10, PCI DSS, ISO 27001 and HIPAA
Useful stuff if you are subject to any compliance regime (PCI DSS is a pretty common one if you have anything to do with payment processing).
“Acunetix AcuSensor Technology is a new security technology that allows you to identify more vulnerabilities than a traditional Web Application Scanner, whilst generating fewer false positives. In addition it indicates exactly where in your code the vulnerability is and also reports debug information.”
There’s AcuSensor support for both .NET and PHP. You add it into your app so the scanner can also observe execution from the inside, which lets it point to exactly where in your code each vulnerability occurs; install info can be found here.
Actually using OVS is pretty straightforward. After signing up you’ll have to do some basic account verification before you can run a web scan. The domain you are scanning also has to be verified by placing a file in the web root (to prove it’s legitimately yours, or at least that you have write access to it).
You also have various options when adding a target: form-based authentication details, a login sequence file, the AcuSensor file to download, and SSH credentials.
The network scan requires a little deeper verification, including a phone call from Acunetix to confirm your contact number and some other details.
The interface isn’t the prettiest (it’s quite obviously Bootstrap), but it works just fine – starting a scan is easy as long as you’ve verified your domain. You can choose the type of Web Vulnerabilities you want to focus on and the type of Network scan, including whether you want to run a safe or an invasive network scan (invasive checks can disrupt fragile services, so schedule them outside production hours or point them at a staging host).
It’s also really easy to set up scheduled and repeating scans, which is especially useful for compliance requirements like PCI DSS, which calls for quarterly vulnerability scans.
When the scan has completed you get a notification via e-mail and can check the results in the web app. They are displayed in a conventional expandable tree, with the highest risk/impact vulnerabilities shown first. Each finding has a title and expands to show what it affects, a description, attack details, impact, how to fix it and web references where available.
A feature I found really useful is the ability to generate reports from scan results in specific formats: the app can produce reports for PCI DSS 3.0 compliance, Sarbanes-Oxley, HIPAA and so on. If that’s part of your job it’s a great value add.
Overall I think it’s a great tool, and I’m glad to see a company like Acunetix, who has a great software scanner, moving more into a SaaS (Software-as-a-Service) style offering. It suits the mobile pen-testing consultant a lot more; especially with agile teams working together, the old method of generating reports with software on each engineer’s laptop was cumbersome and hard to scale.
I do hope they keep developing and improving it, adding more features and making it a more user friendly experience.
If you want to check it out you can do so at https://ovs.acunetix.com/.
Remember that there’s a 14-day free trial, which offers 2 full network scans with full results and 2 web scans with overview reports on 2 targets.