Acunetix Web Vulnerability Scanner Consultant Edition Full


Francis Caya

Jul 16, 2024, 3:26:49 PM
to sockgloucballro

Several times now a developer on our side has reported to us, from monitoring tools he manages, that people have scanned our critical applications with a freely available web application vulnerability scanner from Acunetix.

"About blocking the attack: I don't know exactly what edition was used to scan your website. Some of our editions send the following header with each request: Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED. Check if you can see this header and block based on that. However, if they are using a Consultant edition, this header is not sent."

Please let me know if, based on this information, you can create for us a method by which to fingerprint and (dynamically) filter traffic from this scanner in the future. Our current countermeasure, waking up our network engineers and having them manually add the source IP of the scanner (which varies with each attack), is time consuming...

The entire session should be blocked, not just a few packets, unless the remaining packets are part of a different session. Also, from your original post it seems like the patterns don't appear in the session in all the editions of their product. Can you confirm from a packet capture that the patterns (either a header or URI) are indeed present in the session?

You can build a custom vulnerability or app signature to identify this traffic. To match on patterns in HTTP request headers, you can use the http-req-headers context, and for matching patterns in the URL you can use the http-req-uri-path context.

The result was this: the Palo Alto firewall noticed the signature present in the first couple of packets and so blocked those packets. Subsequent packets (from the same source IP), which lacked these signatures, were not identified as part of the banned application and were allowed through.

The session vs. transaction option only matters when you have multiple conditions in the signature and you want all of those to be within a single transaction, or to allow them to occur across transactions in a session. Have you taken a packet capture of the session to check that the patterns are indeed exactly the same as the ones you used in the signature?

Pardon me for the late reply; yes, we took a packet capture and have uploaded it to our ticket (ticket #: 00149001). Please let me know if this will suffice for now, or if there is anything else we can provide to help you develop a filter to test against this scanner.
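The exchange above turns on one point: a match on the Acunetix-Scanning-agreement header only fires on the transaction that carries it, so a per-transaction block lets the rest of the scanner's TCP session through. The following is an added example, not code from the thread or from Palo Alto or Acunetix, that shows the difference between per-transaction and per-session blocking on constructed request metadata. The header name and value are the ones quoted by Acunetix support; the IPs, ports, paths and the dict-based request format are assumptions for the illustration. As the support quote notes, this only catches editions that send the header; a Consultant edition is not identified by it.

```python
"""Per-transaction vs. per-session blocking of Acunetix-style scanner traffic.

Constructed example: request metadata is a list of dicts, not a real capture.
Only the header name/value come from the thread; everything else is made up.
"""
from collections import namedtuple

# Header quoted by Acunetix support; names are case-insensitive in HTTP, so
# both are stored lower-cased and compared after normalising.
SCANNER_HEADER = "acunetix-scanning-agreement"
SCANNER_VALUE = "third party scanning prohibited"

# A "session" here is the TCP 4-tuple; several HTTP transactions can share one.
Session = namedtuple("Session", "src_ip src_port dst_ip dst_port")


def is_scanner_request(headers):
    """True if this one request carries the scanning-agreement header."""
    for name, value in headers.items():
        if name.lower() == SCANNER_HEADER and value.strip().lower() == SCANNER_VALUE:
            return True
    return False


def filter_per_transaction(requests):
    """Stateless: judge each HTTP transaction on its own.

    Only requests carrying the header are blocked; later requests in the same
    TCP session without it are allowed, which is the gap reported in the thread.
    """
    return ["block" if is_scanner_request(r["headers"]) else "allow" for r in requests]


def filter_per_session(requests):
    """Stateful: once any transaction in a session matches, block the rest of
    that session (same 4-tuple). Other sessions from the same IP are untouched."""
    flagged = set()
    decisions = []
    for r in requests:
        sess = Session(r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        if is_scanner_request(r["headers"]):
            flagged.add(sess)
        decisions.append("block" if sess in flagged else "allow")
    return decisions


# Constructed traffic (assumed addresses): one scanner session on 10.0.0.5:51000
# where only the first request carries the header, then an unrelated session
# from the same source IP on a different port.
SAMPLE_REQUESTS = [
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "192.0.2.10", "dst_port": 443,
     "path": "/",
     "headers": {"Host": "app.example",
                 "Acunetix-Scanning-agreement": "Third Party Scanning PROHIBITED"}},
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "192.0.2.10", "dst_port": 443,
     "path": "/login", "headers": {"Host": "app.example"}},
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "192.0.2.10", "dst_port": 443,
     "path": "/search?q=1", "headers": {"Host": "app.example"}},
    {"src_ip": "10.0.0.5", "src_port": 51001, "dst_ip": "192.0.2.10", "dst_port": 443,
     "path": "/", "headers": {"Host": "app.example", "User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    print("per transaction:", filter_per_transaction(SAMPLE_REQUESTS))
    print("per session:   ", filter_per_session(SAMPLE_REQUESTS))
```

Keying the block on the full 4-tuple rather than the source IP alone mirrors what the thread asks for (block the whole session, but not unrelated sessions from the same address), and avoids the manual source-IP blocks the original poster wanted to replace.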

Acunetix Web Vulnerability Scanner is one of the popular and widely used application security testing (AST) tools on the cyber security market. It performs dynamic application security testing (DAST) in both black-box and grey-box mode (grey-box with the AcuSensor agent deployed; Java, PHP and .NET platforms are supported), and also supports web application penetration testing with the Acunetix manual pentesting tools.

ConsultLite allows unlimited scans but caps each scan at 5 targets; it is a single-install licence, licensed per user. The minimum subscription is 1 year and the maximum is 3 years.

Consult+ has the ConsultLite feature set plus the compliance reporting feature set, which consultants find handy and time-saving for generating regulatory compliance reports for various industry standards, or for their customers. Single install, single user.

Consult+5 has all the features of Consult+ but allows the licence to roam across up to 5 different installations for a single user. ConsultLite and Consult+ are single-install only: once activated, the licence cannot be transferred to another machine, or it is voided for breaching the manufacturer's end user licence agreement (EULA).

Consult+5 addresses a common issue for consultant-type customers, who from time to time need to change machines, or whose customers require scanning to be conducted from the customer's own trusted machine. In that scenario Consult+5 allows installation on 5 different machines concurrently, so a consultant can run 5 client projects at once. ConsultLite and Consult+ do not have that feature; roaming across multiple sites would require multiple Consult+ licences, which makes Consult+5 the only viable option for that use case.

Acunetix is a web vulnerability scanner that automatically checks web applications for vulnerabilities such as SQL injection, cross-site scripting, arbitrary file creation/deletion, and weak password strength on authentication pages. It boasts a comfortable GUI, the ability to create professional security audit and compliance reports, and tools for advanced manual web app testing. For downloads and more information, visit the Acunetix homepage.

It took me ages to get this to work; it kept giving me an error that I was missing some .dll files, which was a rare experience while opening Acunetix. The one I downloaded afterwards worked. However, it is a great tool overall and I would recommend it to anyone.

I LOVE Acunetix. Hands down best scanner out there and I've literally used them all. Identifies sqli vulns undetected by burp and nessus. Great for beginners for obvious reasons, but you can actually learn a lot by using it.

My team used the Acunetix consultant version for quite some time and, compared to generic infrastructure VA tools like Nessus and Foundstone, we found the value in using a specialized web VA tool. It found more and specific issues with precise recommendations to fix them. I recommend it based on my experience. I haven't explored the IBM and HP counterparts yet... I understand that they are relatively costlier.

It is OK for point and shoot, but after using it a few times and then using BurpSuite, I just put it aside, except for those clients that demanded I use an automated commercial scanner. I would, on one condition: that I could also use BurpSuite. I always found more with Burp than I did with this tool.

I can schedule daily, weekly or monthly scans of targets that check for vulnerabilities in our cloud infrastructure from one control panel. The ability to send different types of reports to various parties, for example a 'Board level' report or a 'Developer' report, is handy for tailoring content to the audience.

It perhaps could be improved by adding a section for commenting on how a vulnerability was fixed and a link to a relevant URL to confirm this. Pricing is good for a small amount of targets, but quickly becomes expensive for multiple target locations.

Comments: Good thing for web application pentesting, can give you insight into the present vulnerabilities. Would recommend using it in tandem with an infrastructure scanner (like Nessus) to create a complete testing solution. Also, the presence of continuous scanning and a scheduler could be used for regular security assessments of your web applications.

Ease of use, good customer support, very insightful reports (especially the Developer report), good vulnerability management. Also, the continuous scanning option is an interesting thing for having continuous awareness of your vulnerability level. The login sequence recorder is an awesome tool as well.

Not a lot of scan options to configure, especially in comparison to Nessus: every check is done by default, you can't choose specifically which test is done in a selected scan, only the type of scan (full, high-risk vulnerabilities, XSS, SQLi, weak passwords, crawl only) or the technology in which the scanned web app is written.

Comments: Continuation of the cons section (number of chars was limited).

* Settings are sometimes unclear; an info icon with a popup would be nice. Example 1: In the "Site Structure" of a scan it is possible to press "exclude". Does it exclude the path from future scans? If so, why don't I see anything in the target settings? Or does "exclude" exclude vulnerabilities from the report? BTW, after pressing exclude I'm not able to "include" it again. Example 2: "scan speed", how many threads per setting are we talking about?

* Would definitely like to get some more feedback from scans directly in the interface: what is it doing, why did it fail, did all the "allowed hosts" get scanned, etc. I know you can debug a target, but this is not what I mean.

* As a pentester I absolutely miss a more flexible way to configure settings, like it was possible in v10. The interface is built as "point and shoot", idiot proof. Currently, if I want to configure things I need to change XML config files on the server and reload Acunetix...

* After the release of v12 we were called by a sales agent as we suddenly couldn't add targets anymore. The license model suddenly changed completely. The entire business model is now based on scanning applications continuously over the year. However, as a pentesting business we mostly scan apps just 1 time for our security assessments. It absolutely makes no sense to apply the same costs! Just like Netsparker, Acunetix should have plans for pentesters and consultants.

* Scanning an app that spans multiple domains always results in problems. Currently you have the "Allowed hosts" setting, which is crappy to set up. I need to set all (sub)domains as different targets. And of course, with the current business model you are charged per target, lol.

Comments: As a scanner it is quite good, with relevant and well-described findings, and so far no false positives. Following an initial trial and PoC with a couple of competitors, Acunetix had the best features, the most suitable licensing model and good support, so we purchased a three-year license. However, at some point it all changed. The license became based on other criteria, the testing and verification tools were removed, and there is no support or way of reverting to a previous version after you realise that the changes introduced are making the software unusable or insufficient. Overall, unless there are guarantees that it won't happen again, I will be very reluctant to renew.
