Acunetix Scanner Download

Zareen Zapata

Aug 5, 2024, 1:44:08 PM8/5/24
to crusvaliro
Acunetix is not just a web vulnerability scanner. It is a complete web application security testing solution that can be used both standalone and as part of complex environments. It offers built-in vulnerability assessment and vulnerability management, as well as many options for integration with market-leading software development tools. By making Acunetix one of your security measures, you can significantly increase your cybersecurity stance and eliminate many security risks at a low resource cost.

To save resources, ease remediation, and avoid late patching, enterprises often aim to include web vulnerability tests as part of their SecDevOps processes. Acunetix is one of the best DAST tools for such a purpose due to its efficiency in both physical and virtual environments.


Acunetix is the first web security scanner on the market that is constantly being improved since 2005. It is a highly mature, specialized tool developed by web security testing experts. Such specialization made it possible to build a solution that is more effective than many bundled tools.


Acunetix is available in versions suited to different customer needs. It can be deployed locally on Linux, macOS, and Microsoft Windows operating systems. You can also use it as a cloud product to save your local resources.


Vulnerability scanning is the only automatic way to protect your website or web application from malicious hacker attacks. In addition, you should do manual penetration testing after a vulnerability scan. You should use web application firewalls only as temporary protection before you can fix vulnerabilities.


You should scan your website or web application every time that you change it. However, if you use ready-made web applications such as WordPress, some plugins may be updated automatically and you do not always know if someone else is introducing changes. Therefore, we recommend that you run a full scan every week and a quick scan (incremental scan and/or high severity scan) every day.


We believe that Acunetix is the best vulnerability scanner because it is the most automated, the most efficient, and the most accurate scanner on the market. If you want to find out for yourself, test it along with other scanners.


Get way more than just a vulnerability scanner (although our scanning is amazing). Acunetix is a complete application security solution that finds security vulnerabilities in every corner of every application and actually makes you safer with integrations and features to help you fix your issues fast!


Acunetix provides an automated mechanism that detects and handles standard login forms with the login data that you supply. However, in the case of more complex web applications, you might need to launch the Acunetix Login Sequence Recorder (LSR) and record a login sequence (*.lsr file), which can then be uploaded and saved with your target settings.


The restriction will be recorded and shown in the panel on the right. You may add as many restrictions as you need. Click on the Next button to proceed to the valid session detection phase.

Step 3. Identify Valid Authentication Session Parameters

In our example (the Acuart site), Acunetix is able to identify valid session parameters automatically. You can see a notification that confirms this:




In this step, the LSR tries to identify a valid session automatically. The session pattern is required so that the scanner will be able to know the difference between an invalid (logged out) and a valid (logged in) session. If the scanner is able to know that the session has been invalidated, it can replay the login sequence and validate the session again.


This is done by comparing the logged in and logged out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need either to configure it by navigating to pages and letting the LSR identify the pattern, or to configure it manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.




In many cases where immediate identification does not happen, you can still get Acunetix to identify a valid authentication session while navigating. You can do this by browsing to authenticated areas of the website that will return a different response depending on the user being logged in or logged out. For example, a response from the website will contain the text Logout if the user is logged in. If it is not found in the response, it means that the user is not logged in. When you have identified and configured the session pattern, you may verify it by clicking Check Pattern at the top of the right-hand-side panel.




The LSR will keep track of this. When you perform a scan, Acunetix will pause and prompt you for your manual intervention with a popup notification. When you complete manual intervention actions, make sure that any actions created by the LSR that are part of the manual intervention process are deleted by selecting each superfluous action and deleting it by clicking on the delete icon.


If Acunetix is still unable to identify a user session pattern, you will have to configure one manually. The important point is that the responses sent by the web server will differ between those of a logged-in user and those of a user that is not logged in. Your task is to identify a reliable difference that the scanner can use to verify whether or not it is logged into the site.


For the sake of this explanation, we will assume that you are testing the Juice Shop application. Just like in the case of the Acuart application, you need to complete the above stage 1 and then steps 1-2 of stage 2.


Option 2: Identify a difference in the HTTP response headers in the logged-in web pages compared to the not-logged-in version. You can check this with Google Chrome, for example, by using the Inspect feature. The Network tab will show a Response Headers section that could include a header such as X-Logged-In: true, but would be absent or have a different value such as X-Logged-In: false:

Now you can set the dropdown labelled "Session VALID if:" to "pattern is found in headers", with the identified header value:


Acunetix Online among other features, acts as an IP vulnerability scanner and can automatically test any Internet-facing website or web application for thousands of vulnerabilities. However, since automated security testing often needs to be done during the development process, or in a staging environment, those environments need to be made accessible via the Internet to Acunetix Online in order for the website or web application to be tested.


Most SMB routers with a graphical interface will have a web interface allowing them to be configured for port-forwarding. Port forwarding allows you to forward a network port from one network node to another. This technique would allow Acunetix Online to reach a port on a private IP address (inside a LAN) from the outside using a NAT-enabled router.


Something to keep in mind when using a dynamic DNS service is that this may need to be used in conjunction with firewall rules, as the firewall will have to allow inbound traffic to the selected port before the forwarding routing can take place.

Once an account is created and the Dynamic DNS service configured, the Acunetix OVS scan target can be set to , for example.


The Dynamic DNS provider will then resolve the scan target to the correct IP address by having the router itself directly configured to make use of a dynamic DNS service (most SMB routers have out-of-the-box dynamic DNS support).


Alternatively, if your SMB router does not support dynamic DNS out-of-the-box, most dynamic DNS services provide a small client to be installed onto the machine to be accessed. When installed, this client communicates with the dynamic DNS service and informs it of the current IP address of the machine.


A secure tunnel can be created through a variety of services such as ngrok, which uses a small command line based application. The application sends a request for a secure connection through the firewall over a randomly assigned port, which will in turn automatically allow traffic back in on that same port. The application then gets a response back from the ngrok server, which is when a secure encrypted tunnel is created.


After registering for an account, download and run the application. Next, simply run the following command to start ngrok on a port of your choice. In this example, the port chosen is 8080, but this can be changed to any other port you want to use.


If you are using Microsoft Azure to host your staging environment, you will need to configure inbound and outbound traffic security rules through a network security group, which controls the access restrictions on your staging environment, in order to allow scanners.acunetix.com access to the web application.


Once both rules are in place, you should have two security rules within the network security group, one for allowing traffic inbound (from Acunetix Online), the other for allowing traffic outbound (to Acunetix Online).


For further information about network security groups in Microsoft Azure, visit the official documentation. Further information about network security groups is also covered in this blog post by Microsoft.


If you are using Amazon Web Services (AWS) to host your staging environment, you will need to configure inbound and outbound traffic security rules through a network security group, which controls the access restrictions on your staging environment, in order to allow scanners.acunetix.com access to the web application.


Once in the main Amazon AWS EC2 dashboard, navigate to Network & Security > Security Groups from the left-hand-side menu. You should now be presented with a list of Security Groups you have set up. By default, Amazon AWS creates a Security Group for you called default. You may either choose to edit the Security Group, or create a new one.
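As an added illustration (not Acunetix's own code; the response dicts are constructed samples), the valid-session check the post describes: derive a session pattern from a logged-in and a logged-out response, test later responses against it using either the body text ("Logout") or a header value ("X-Logged-In: true"), and replay the login sequence when the session has been invalidated:

```python
# Added illustration, not Acunetix code: a model of the LSR valid-session check.
# A pattern is either text that must appear in the body (e.g. "Logout") or a
# header with a given value (e.g. "X-Logged-In: true"), as in the post above.
from typing import Callable, Dict, Optional, Tuple

# Constructed sample responses, modelled on the examples in the post.
LOGGED_IN = {"status": 200, "headers": {"X-Logged-In": "true"},
             "body": "Home Logout"}
LOGGED_OUT = {"status": 200, "headers": {"X-Logged-In": "false"},
              "body": "Home Login"}

def _headers(resp: dict) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before comparing.
    return {k.lower(): str(v).strip() for k, v in resp.get("headers", {}).items()}

def session_valid(resp: dict, kind: str, pattern: str) -> bool:
    """Return True when the response looks logged in under the given pattern."""
    if kind == "body":
        return pattern in str(resp.get("body", ""))
    name, _, value = pattern.partition(":")           # "X-Logged-In: true"
    return _headers(resp).get(name.strip().lower()) == value.strip()

def derive_pattern(logged_in: dict, logged_out: dict) -> Optional[Tuple[str, str]]:
    """Automatic detection: prefer a header whose value differs between the two
    states, else a body token present only when logged in. None means no
    reliable difference was found and the pattern must be configured by hand."""
    in_h, out_h = _headers(logged_in), _headers(logged_out)
    for name, value in in_h.items():
        if out_h.get(name) != value:
            return ("header", f"{name}: {value}")
    out_body = str(logged_out.get("body", ""))
    for token in str(logged_in.get("body", "")).split():
        if token not in out_body:
            return ("body", token)
    return None

def fetch_authenticated(fetch: Callable[[str], dict], login: Callable[[], None],
                        kind: str, pattern: str, url: str) -> Tuple[dict, int]:
    """Fetch url; if the session pattern is missing, replay the login sequence
    once and retry. Returns the response and how many re-logins were needed."""
    resp = fetch(url)
    relogins = 0
    if not session_valid(resp, kind, pattern):
        login()                                        # replay recorded login
        relogins = 1
        resp = fetch(url)
    return resp, relogins
```

When derive_pattern returns None, the two states are indistinguishable to the scanner and the manual configuration described under "Option 2" above is needed.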
