In the previous post I gave you an overview of the Acunetix web vulnerability scanner; in this post I will show you how to scan (pentest) a website, with some tips and tricks for scanning effectively. OK, let's start:
Scanning website with Acunetix (GUI)
Step 1: Select Target(s) to Scan
- Click on File > New > New Website Scan to start the Scan Wizard, or click the New Scan button on the top left hand of the Acunetix Web Vulnerability Scanner menu bar.
- Specify the scan options:
- Scan single website: Enter the URL of the target website, e.g. http://testphp.vulnweb.com.
- Scan using saved crawling results: If you previously performed a crawl on a website, you can use the saved results to launch a scan instead of having to crawl the website again.
- Click Next to continue.
Step 2: Specify Scanning Profile, Scan Settings Template and Crawling Options
The Scanning Profile will determine which tests are to be launched against the target website. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection. No additional tests will be performed. The Default scanning profile will test your website for all known web vulnerabilities. Refer to the ‘Scanning Profiles’ section for more information on how to customize or create scanning profiles.
Scan Settings template
The Scan Settings template will determine what Crawler and Scanner settings are to be used during a scan. Refer to the ‘Scan Settings templates’ section for more information on how to customize or create new Scan Settings templates.
Advanced Crawling Options
Tick the option Show advanced options in the scan wizard to proceed to the Advanced Crawl options, allowing you to pre-seed a crawl using Selenium scripts, Fiddler Session Archives, Burp Saved files and Acunetix HTTP Sniffer log files. You can also configure Acunetix to show you the list of files identified by the Crawler, giving you the option to choose which files to scan.
Step 3: Confirm Targets and Technologies Detected
Acunetix Web Vulnerability Scanner will automatically fingerprint the target website for the server's operating system, the web server and its web server technologies. The web vulnerability scanner will reduce the scan time by scanning only for the selected web technologies. For example, Acunetix Web Vulnerability Scanner will not launch IIS security checks against a Linux system running an Apache web server. Click on the relevant field and change the settings from the provided check boxes if you would like to add or remove scans for specific technologies.
Step 4: Configure Login for Password Protected Areas
Two types of Login mechanisms are commonly used on the web:
HTTP Authentication: This type of authentication is handled by the web server, where the user is prompted with a password dialog. Scanning an HTTP password protected area requires that you either enter the credentials during the crawling of your web application, or you have the credentials preconfigured in Acunetix.
Forms Authentication: This type of authentication is handled via a web form and not via HTTP. The credentials are sent to the server for validation by a custom script.
Step 5: Finalize Scan Options
Step 6: Start the scan
Click on Finish to start the automated scan. If the option After crawling let me choose the files to scan was selected in the crawling options, you will be asked to select the files to scan after Acunetix Web Vulnerability Scanner has finished crawling the site. Depending on the size of the website, scanning profile selected, and the server's response time, a scan may take several hours.
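Steps 3 and 4 above hinge on two facts about the target: which web technologies it runs and which login mechanism protects its restricted area. The following Python script, an added example that is not part of this post or of Acunetix, shows how both can be read from a captured HTTP response before you fill in the wizard; the two responses are constructed samples and the header-to-technology table is my own assumption, not Acunetix's fingerprint database.

```python
import re

# Constructed sample responses (not real captures) for two protected pages:
# one served with HTTP Basic auth on Apache, one with an HTML login form on IIS.
HTTP_AUTH_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    'WWW-Authenticate: Basic realm="Admin Area"\r\n\r\n'
    "<html><body>Authorization required</body></html>"
)
FORM_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
    '<form method="post" action="/login.aspx">'
    '<input name="user"><input type="password" name="pass"></form>'
)

# Assumed header fingerprints mapped to the technology groups whose checks
# should stay enabled in Step 3 (e.g. keep IIS checks off for an Apache host).
TECH_SIGNATURES = {
    "iis": ("server", "microsoft-iis"),
    "apache": ("server", "apache"),
    "asp.net": ("x-powered-by", "asp.net"),
}

def parse_response(raw):
    """Split a raw HTTP response into (status_code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def detect_technologies(headers):
    """Return the technology groups whose scan checks apply (Step 3)."""
    return {tech for tech, (header, needle) in TECH_SIGNATURES.items()
            if needle in headers.get(header, "").lower()}

def detect_login_type(status, headers, body):
    """Classify the login mechanism for Step 4: 'http', 'form' or 'none'."""
    # A 401 with WWW-Authenticate is handled by the web server itself.
    if status == 401 and "www-authenticate" in headers:
        return "http"
    # A password input in the body means a custom form/script handles login.
    if re.search(r'<input[^>]+type="password"', body, re.I):
        return "form"
    return "none"
```

An "http" result means the credentials go into the crawl or are preconfigured in Acunetix, while "form" means a login sequence for the web form is needed instead.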