Pentest website using Acunetix (part 2) – All things in moderation

In the previous post I gave an overview of the Acunetix web vulnerability scanner; in this post I will show you how to scan (pentest) a website, with some tips and tricks for scanning effectively. OK, let's start:

Scanning a website with Acunetix (GUI)

Step 1: Select Target(s) to Scan

1. Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left of the Acunetix Web Vulnerability Scanner menu bar.

[screenshot: scan_type]

2. Specify the scan options:
   1. Scan single website - Enter the URL of the target website, e.g. http://testphp.vulnweb.com.
   2. Scan using saved crawling results - If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.
3. Click Next to continue.

Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options

[screenshot: options_scan]

Scanning Profile

The Scanning Profile will determine which tests are to be launched against the target website. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection. No additional tests will be performed. The Default scanning profile will test your website for all known web vulnerabilities. Refer to the ‘Scanning Profiles’ section for more information on how to customize or create scanning profiles.

Scan Settings template

The Scan Settings template will determine what Crawler and Scanner settings are to be used during a scan. Refer to the ‘Scan Settings templates’ section for more information on how to customize or create new Scan Settings templates.

Advanced Crawling Options

Tick the option Show advanced options in the scan wizard to proceed to the Advanced Crawl options, which allow you to pre-seed a crawl using Selenium scripts, Fiddler Session Archives, Burp saved files and Acunetix HTTP Sniffer log files. You can also configure Acunetix to show you the list of files identified by the Crawler, giving you the option to choose which files to scan.

Step 3: Confirm Targets and Technologies Detected

[screenshot: target_scan]

Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server and its web server technologies. The scanner reduces scan time by running only the checks relevant to the detected technologies; for example, it will not launch IIS security checks against a Linux system running an Apache web server. If you would like to add or remove checks for specific technologies, click on the relevant field and change the settings using the provided check boxes.

Step 4: Configure Login for Password Protected Areas

[screenshot: login_sequence]

Two types of login mechanisms are commonly used on the web:

HTTP Authentication - This type of authentication is handled by the web server, which prompts the user with a password dialog. Scanning an HTTP password-protected area requires that you either enter the credentials during the crawl of your web application, or have the credentials pre-configured in Acunetix.

Forms Authentication - This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script.
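To make the decisions in Step 3 and Step 4 concrete, here is an added example (written for this post, not Acunetix's own code) that parses constructed HTTP responses, fingerprints the server technology from the Server and X-Powered-By headers, derives which check families apply (so IIS checks are dropped for an Apache host), and tells HTTP authentication (a 401 with WWW-Authenticate) apart from forms authentication (a page carrying a password input). The header-to-technology mapping, the check-family names and the sample responses are all assumptions made for illustration.

```python
import re

# Constructed sample responses; none were captured from a real host.
SAMPLE_BASIC_AUTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    'WWW-Authenticate: Basic realm="Restricted"\r\n'
    "X-Powered-By: ASP.NET\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_FORM_AUTH = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form method="post" action="/login.php">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit"></form></body></html>'
)
SAMPLE_PUBLIC = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Welcome</h1></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


# Assumed fingerprints: (pattern, header to inspect) per technology.
TECH_SIGNATURES = {
    "iis": (re.compile(r"microsoft-iis", re.I), "server"),
    "apache": (re.compile(r"apache", re.I), "server"),
    "nginx": (re.compile(r"nginx", re.I), "server"),
    "asp.net": (re.compile(r"asp\.net", re.I), "x-powered-by"),
    "php": (re.compile(r"php", re.I), "x-powered-by"),
}
# Assumed check families that only make sense for a given technology.
CHECK_FAMILIES = {
    "iis": {"iis_checks"},
    "apache": {"apache_checks", "htaccess_checks"},
    "nginx": {"nginx_checks"},
    "asp.net": {"aspnet_checks"},
    "php": {"php_checks"},
}


def fingerprint(headers):
    """Return the set of technologies whose signature matches a header."""
    techs = set()
    for tech, (pattern, header) in TECH_SIGNATURES.items():
        if any(pattern.search(v) for v in headers.get(header, [])):
            techs.add(tech)
    return techs


def applicable_checks(techs):
    """Generic checks (SQLi, XSS, ...) always run; add technology-specific ones."""
    checks = {"generic_checks"}
    for tech in techs:
        checks |= CHECK_FAMILIES.get(tech, set())
    return checks


PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def classify_login(status, headers, body):
    """Return ("http", scheme), ("forms", None) or ("none", None)."""
    if status == 401 and "www-authenticate" in headers:
        scheme = headers["www-authenticate"][0].split(None, 1)[0]
        return "http", scheme
    if PASSWORD_INPUT.search(body):
        return "forms", None
    return "none", None


def analyse(raw):
    """Combine fingerprinting and login classification for one response."""
    status, headers, body = parse_response(raw)
    techs = fingerprint(headers)
    login, scheme = classify_login(status, headers, body)
    return {"status": status, "technologies": techs,
            "checks": applicable_checks(techs), "login": login, "scheme": scheme}


if __name__ == "__main__":
    for name, raw in [("basic", SAMPLE_BASIC_AUTH), ("form", SAMPLE_FORM_AUTH),
                      ("public", SAMPLE_PUBLIC)]:
        print(name, analyse(raw))
```

Against the IIS sample the scanner would keep the IIS check family and expect pre-configured HTTP credentials (scheme Basic); against the Apache/PHP sample it drops the IIS family and needs a recorded login sequence instead, because the credentials are validated by the site's own script rather than by the web server.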

Step 5: Finalize Scan Options

[screenshot: finish_scan]

Step 6: Start the scan

Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, the scanning profile selected and the server's response time, a scan may take several hours.
