Acunetix is one of the biggest players in the web security arena. The European-based company released the first version of their product back in 2005, and thousands of clients around the globe use it to analyze the security of their web applications. They recently unveiled Acunetix version 11, so we’ve decided to take it for a spin.
Interface, users and roles
Before I start, it needs to be noted that I’ve tested the on-premise edition of Acunetix. The product is also available as an online system, and details on it can be found in the last part of the review.
One of the major changes in this version is a new interface that has been engineered from the ground up. Up until now, Acunetix was a Windows application, but with this release the user interface was moved into the browser. You can now use Acunetix by accessing its UI running on localhost:3443.
This switch provides a multi-user (and multi-role) environment where different members of the organization can access Acunetix fully, or just in limited capacity. The latter depends on a system of user roles assigned to Acunetix users. The default roles are Tech Admin, Tester, and Auditor.
The interface is fast and responsive, with a strong focus on functionality.
The data between the browser and the server, whether used directly on a computer running Acunetix or via the local network, is transferred via TLS/SSL. A unique certificate authority for your environment is generated during the installation procedure.
Target setup and scanning
Before starting the scanning process, you’ll need to create one or multiple targets. Back in the days of the first web application security scanners, target setup was straightforward – you would add a target address and the port on which the httpd is running. Nowadays the process is more complex, and setting up a target can involve the customization of some 20 or so parameters. The Acunetix defaults work for most sites, though, so you can start the scan without any further customization at all.
For starters, depending on the business criticality and performance of the target system, you can choose different impact levels and scan speeds. For sites with authentication, there are options covering both HTTP auth, as well as web app form logins. In the case of built-in form logins, the scanner will try to use the provided credentials to connect automatically. In some cases (e.g. custom applications) this won’t work, but there is a nifty add-on called Login Sequence Recorder, which gives you the ability to record your manual login process and Acunetix will successfully recreate it when the scan is started.
The built-in crawler can be modified with predefined sets of user agent data, or you can create one that will fit your needs. You can also import different data into the crawler. Accepted formats include text files with a list of URLs, HTTP Sniffer (part of Acunetix’ freeware pentest tools) logs, Fiddler .SAZ, BURP saved/state files and HAR (HTTP Archive) files. The “Advanced” tab of the target setup includes a couple of other options you can play with (e.g. writing your custom headers and/or cookies).
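When seeding the crawler from a proxy capture, the thing to watch is scope: a HAR recorded in a browser session usually contains requests to CDNs, analytics hosts and other third parties that were never authorised for testing. The script below is an added example (not Acunetix code and not from the review) that turns a HAR 1.2 file into the plain text list of URLs the crawler accepts, keeping only hosts you name and collapsing duplicates. The sample capture, the host names and the output path are constructed for illustration.

```python
"""Extract an in-scope, de-duplicated URL list from a HAR capture for crawler import.

Added example, not Acunetix code. The HAR layout follows the HTTP Archive 1.2
format (log.entries[].request.url); the sample capture below is constructed.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample HAR: a proxy session that also touched a CDN and a
# third-party analytics host, neither of which belongs to the scan scope.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"method": "GET", "url": "https://shop.example.test/"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://shop.example.test/catalog?page=2&sort=price"},
             "response": {"status": 200}},
            {"request": {"method": "POST", "url": "https://shop.example.test/cart/add"},
             "response": {"status": 302}},
            # Same page as above, only the fragment differs; must not appear twice.
            {"request": {"method": "GET", "url": "https://shop.example.test/catalog?page=2&sort=price#top"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://cdn.example-static.test/app.js"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://analytics.thirdparty.test/collect?id=42"},
             "response": {"status": 204}},
            {"request": {"method": "GET", "url": "https://shop.example.test/admin/"},
             "response": {"status": 403}},
        ],
    }
})


def normalize(url: str) -> str:
    """Drop the fragment (never sent to the server) and lowercase scheme and host."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, ""))


def in_scope(url: str, allowed_hosts: set) -> bool:
    """True when the URL's host is one of the hosts authorised for the scan."""
    return urlsplit(url).hostname in allowed_hosts


def har_to_url_list(har_text: str, allowed_hosts: set) -> list:
    """Return unique, in-scope request URLs in first-seen order.

    Only the URL is kept: a crawler seed list needs locations, not the recorded
    method or body. Out-of-scope hosts are dropped so the scanner does not hit
    a CDN or third party that was never part of the engagement.
    """
    har = json.loads(har_text)
    seen = {}  # dict preserves insertion order and de-duplicates
    for entry in har["log"]["entries"]:
        url = normalize(entry["request"]["url"])
        if in_scope(url, allowed_hosts):
            seen.setdefault(url, None)
    return list(seen)


def write_seed_file(urls: list, path: str) -> int:
    """Write one URL per line (the text-list format the crawler imports); return the count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(urls) + "\n")
    return len(urls)


if __name__ == "__main__":
    seeds = har_to_url_list(SAMPLE_HAR, {"shop.example.test"})
    print("\n".join(seeds))
    # write_seed_file(seeds, "shop-seeds.txt")  # hypothetical output path
```

The 403 on the admin path is kept on purpose: the crawler may reach it differently once a login sequence is in place, and the seed list is about locations, not about what the capturing browser was allowed to see.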
The issue tracking functionality is a nice addition and it currently supports Microsoft Team Foundation Server, Atlassian’s JIRA, and GitHub.
Every scan can be started immediately, scheduled for a specific moment in the future, or set as a recurring task. By default, every scan is set as a Full Scan, but you can also choose one of the predefined options, including:
- High Risk Vulnerabilities
- Cross-Site Scripting Vulnerabilities
- SQL Injection Vulnerabilities
- Weak Passwords
- Crawl Only
If you want to customize your scanning to an even greater degree, go into Settings > Scan types, and create a new preset by selecting items from a long list of vulnerability classes and sub-classes.
Introduced in version 6 of Acunetix back in 2008 – and heavily improved since – AcuSensor technology extends the reach of the black box scanning with data collected from a custom sensor. For each target, Acunetix generates an AcuSensor file that should be uploaded to the web site being tested. Installing AcuSensor in an ASP.NET web application takes just a couple of clicks, while for PHP-based sites you’ll need to modify the php.ini or .htaccess file with the location of the AcuSensor file.
AcuSensor gives you the “inside job” functionality. There is much you can achieve by scanning a web site from the outside, but combining this with real-time feedback and analysis from the inside offers much greater visibility. When I did test scans with AcuSensor enabled, the number of detected issues (of different severities) was, on average, 45 percent greater than when AcuSensor was not used.
Web application scanners build their list of things to test from two sources: crawled data (following links) and predefined lists of files found at common locations in different environments (whether or not those files turn out to be vulnerable). As AcuSensor has access from the inside, it can deliver a third list of potential targets – those files that are invisible from the outside, but can have security issues (e.g. remote shells, backed-up files with sensitive data, or potentially vulnerable apps/plugins saved into non-typical locations). Because of this scan structure (depicted above), AcuSensor can also report stack traces and affected SQL queries caused by the found vulnerabilities, as well as pinpoint the troublesome positions in the source code.
Sample scan data
I tested Acunetix against a number of different websites running open source, commercial, and custom web applications. As expected, the scanning speeds and results differed.
For testing, I set up a fresh instance of the latest Ubuntu server with the following specs: 8GB RAM, 4 CPUs and an 80 GB SSD disk. As a CMS of choice, I used WordPress 4.8 without the usual pre-installed plugins.
The scan ran for 1h 48m 30s, the average response time was 218ms and Acunetix generated 195,084 requests. From the payload perspective, the initially empty target system’s access.log now showed a size of 44MB.
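Those figures are also what the scan looks like from the target’s side: roughly 1,800 requests per minute from one source, a large share of them answered with 404 because the predefined file lists probe locations that do not exist. The script below is an added example (not part of the review and not Acunetix code) of the check a defender would run over access.log to separate a scan, authorised or not, from ordinary visitors: it parses combined-format lines, profiles each source by peak requests per minute and 4xx ratio, and flags the ones that exceed thresholds. The log lines, addresses, user agent string and thresholds are constructed for the sample.

```python
"""Spot scanner-like traffic in an Apache/nginx combined-format access log.

Added example, not part of the review or of Acunetix. It relies on the traces a
web application scan leaves behind: request volume and error ratio per source.
Log lines, addresses, user agent and thresholds below are constructed.
"""
import re
from collections import Counter

# Apache "combined" log format; nginx's default format is the same.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines: one ordinary visitor (203.0.113.7) reading a WordPress
# blog, and one source (198.51.100.23) sweeping common file locations.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
203.0.113.7 - - [12/Jun/2017:10:00:09 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 8710 "http://blog.example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
203.0.113.7 - - [12/Jun/2017:10:03:40 +0000] "GET /2017/06/hello-world/ HTTP/1.1" 200 6033 "http://blog.example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
198.51.100.23 - - [12/Jun/2017:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:00 +0000] "GET /backup.zip HTTP/1.1" 404 430 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:01 +0000] "GET /.git/config HTTP/1.1" 404 430 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 430 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 430 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:02 +0000] "GET /?s=%27 HTTP/1.1" 200 5140 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible; scanner-example)"
198.51.100.23 - - [12/Jun/2017:10:05:03 +0000] "GET /config.php.bak HTTP/1.1" 404 430 "-" "Mozilla/5.0 (compatible; scanner-example)"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # "12/Jun/2017:10:05" -> one bucket per minute
    return rec


def profile_sources(log_text: str) -> dict:
    """Aggregate per-source counters: requests, 4xx responses, distinct paths, per-minute volume."""
    profiles = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these too
        p = profiles.setdefault(rec["ip"], {
            "requests": 0, "errors": 0, "paths": set(), "per_minute": Counter(), "agents": set(),
        })
        p["requests"] += 1
        if 400 <= rec["status"] < 500:
            p["errors"] += 1
        p["paths"].add(rec["path"].split("?", 1)[0])
        p["per_minute"][rec["minute"]] += 1
        p["agents"].add(rec["ua"])
    return profiles


def flag_scanners(profiles: dict, min_requests: int = 5, max_rpm: int = 6,
                  max_error_ratio: float = 0.5) -> dict:
    """Return {ip: [reasons]} for sources whose volume or error ratio looks like a scan.

    Thresholds are constructed for this tiny sample; tune them to your traffic.
    Sources below min_requests are ignored so a single mistyped URL is not flagged.
    """
    flagged = {}
    for ip, p in profiles.items():
        if p["requests"] < min_requests:
            continue
        peak_rpm = max(p["per_minute"].values())
        error_ratio = p["errors"] / p["requests"]
        reasons = []
        if peak_rpm >= max_rpm:
            reasons.append(f"{peak_rpm} requests in one minute")
        if error_ratio >= max_error_ratio:
            reasons.append(f"{error_ratio:.0%} of responses were 4xx")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_scanners(profile_sources(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

At the rate reported in the review (195,084 requests in 1h 48m, about 1,800 per minute) any sane threshold fires on the first minute, so the practical value of such a check is less in catching an authorised scan than in confirming that an unexpected source is sweeping the site and in telling the two apart by address and time window.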
Below is a screenshot of the issues discovered, ranked from high-risk to informational:
As a comparison, I’ve tested the same WordPress setup but this time with AcuSensor enabled. This time the duration of the scan was 4 hours and 46 minutes, during which 397,545 requests were generated. This time, the scan found another potential high risk vulnerability (allow_url_fopen, which was on), 15 medium-risk vulnerabilities, 6 low-risk ones and 22 issues that were labeled as informational.
Acunetix delivers reports in two sections. One focuses on standard reports such as quick, developer, executive summary and list of affected items, while the other contains compliance reports. The latter are aimed at the following compliance bodies and standards:
- CWE/SANS Top 25 Most Dangerous Software Errors
- The Health Insurance Portability and Accountability Act (HIPAA)
- International Standard – ISO 27001
- NIST Special Publication 800-53
- OWASP Top 10 – 2013 (as a side note, OWASP announced that they plan to release the final OWASP Top 10 – 2017 in July/August this year)
- Payment Card Industry (PCI) DSS 3.2
- Sarbanes Oxley Act
- DISA STIG Web Security
- Web Application Security Consortium (WASC) Threat Classification
All reports can be downloaded in PDF and HTML formats, but the downloaded reports will always have the same generic name (e.g. Developer.pdf for a Developer report). So, if you’re downloading the same type of report for different targets, you’ll have to make the effort to change the name, lest you end up with many files that you can’t tell apart at first glance.
Acunetix hosts all of its documentation online, and the product manual is extensive. I also suggest perusing the “Docs & FAQs” section located under the Blog menu of the Acunetix website. There you’ll find some interesting posts on specific usage scenarios, third party product integrations, and more.
Let’s start with the on-premise edition. Acunetix is available as a one year or perpetual license in four different tiers, each depending on the number of concurrent scans and/or users. One year licenses vary from $2,495/yr to $6,995/yr, while perpetual licenses are approximately double that price.
Yearly subscriptions for the online edition start from $345 for 1 target (web or network) + 3 free Network targets and the amount rises depending on the number of targets you need. Detailed information on the pricing structure is available here.
I’ve used Acunetix a number of times over the last decade, and I like what I see in this latest version. The web-based interface makes it run smoother, and also unlocks the potential of offering role-based access to multiple users within the organization.
Every aspect of the product can be fully customized to optimize the scans. As far as I’m concerned, AcuSensor should be used by default, as it expands the reach of the analysis and can provide interesting and helpful findings.