Program cu ajutorul caruia
se poate verifica securitatea site-ului personal vizavi de atacuri din
Acunetix Web Vulnerability Scanner first
identifies web servers from a particular IP or IP range. After that, it
crawls the whole site, gathering information about every file it finds,
and displaying the entire website structure. After this discovery stage,
it performs an automatic audit for common security issues.Acunetix Web
Vulnerability Scanner is a software that automatically detects file
The Port Scanner and network alerts
allow you to perform a port scan against the web server where the
scanned website is running. When open ports are found, Acunetix WVS will
perform complex network level security checks against the network
service running on that port, such as DNS Open recursion tests, badly
configured proxy server tests, weak SNMP community strings and many
other network level security checks
is one of the many web attack mechanisms used by hackers to steal data
from organizations. It is perhaps one of the most common application
layer attack techniques used today. It is the type of attack that takes
advantage of improper coding of your web applications that allows hacker
to inject SQL commands into say a login form to allow them to gain
access to the data held within your database.
In essence, SQL
Injection arises because the fields available for user input allow SQL
statements to pass through and query the database directly.
applications allow legitimate website visitors to submit and retrieve
data to/from a database over the Internet using their preferred web
browser. Databases are central to modern websites – they store data
needed for websites to deliver specific content to visitors and render
information to customers, suppliers, employees and a host of
stakeholders. User credentials, financial and payment information,
company statistics may all be resident within a database and accessed by
legitimate users through off-the-shelf and custom web applications. Web
applications and databases allow you to regularly run your business.
Injection is the hacking technique which attempts to pass SQL commands
(statements) through a web application for execution by the backend
database. If not sanitized properly, web applications may result in SQL
Injection attacks that allow hackers to view information from the
database and/or even wipe it out.
Such features as login pages,
support and product request forms, feedback forms, search pages,
shopping carts and the general delivery of dynamic content, shape modern
websites and provide businesses with the means necessary to communicate
with prospects and customers. These website features are all examples
of web applications which may be either purchased off-the-shelf or
developed as bespoke programs.
These website features are all
susceptible to SQL Injection attacks which arise because the fields
available for user input allow SQL statements to pass through and query
the database directly.
Acunetix AcuSensor Technology
is a new security technology that allows you to identify more
vulnerabilities than a traditional Web Application Scanner, whilst
generating less false positives. In addition it indicates exactly where
in your code the vulnerability is. The increased accuracy is achieved by
combining black box scanning techniques with dynamic code analyzes
while the source code is executed
Advantages of using
Acunetix AcuSensor Technology:
· Allows you
to locate and fix the vulnerability faster because of the ability to
provide more information about the vulnerability, such as source code
line number, stack trace, affected SQL query.
· We can significantly
reduce false positives when scanning a website because we can
internally understand better the behaviour of the web application.
Can alert you of web application configuration problems which could
result in a vulnerable application or expose internal application
details. E.g. If ‘custom errors’ are enabled in .NET, this could expose
sensitive application details to a malicious user.
· Detect many
more SQL injection vulnerabilities. Previously SQL injection
vulnerabilities could only be found if database errors were reported or
via other common techniques.
· Ability to detect SQL Injection
vulnerabilities in all SQL statements, including in SQL INSERT
statements. With a black box scanner such SQL injections vulnerabilities
cannot be found.
· Ability to know about all the files present and
accessible though the web server. If an attacker will gain access to the
website and create a backdoor file in the application directory, the
file will be found and scanned when using the AcuSensor Technology and
you will be alerted.
· AcuSensor Technology is able to intercept all
web application inputs and builds a comprehensive list will all
possible inputs in the website and tests them.
· No need to write
URL rewrite rules when scanning web applications which use search engine
friendly URL’s! Using AcuSensor Technology the scanner is able to
rewrite SEO URL’s on the fly.
· Ability to test for arbitrary file
creating and deletion vulnerabilities. E.g. Through a vulnerable scripta
malicious user can create a file in the web application directory and
execute it to have privileged access, or delete sensitive web
· Ability to test for email injection. E.g. A
malicious user may append additional information such as a list or
recipients or additional information to the message body to a vulnerable
web form, to spam a large number of recipients anonymously.
Here are some key features of
"Acunetix Web Vulnerability Scanner":
Acunetix Web Vulnerability Scanner automatically detects the
following vulnerabilities in web applications:
· Cross site scripting
· SQL injection
· CRLF injection
· Code execution
· Directory traversal
· File inclusion
· Script source code disclosure
· Discovers files/directories that may contain sensitive information
· Looks for common files (such as logs, application traces, CVS web
repositories), back-up files or directories
· Finds directory listings
· Discovers directories with weak permissions
· Discovers available web server technologies (such as WebDAV,
· Determines if dangerous HTTP methods are enabled on the web server
(e.g. PUT, TRACE, DELETE)
· Inspects the HTTP version banners and looks for vulnerable products
· Tests password strength of applications.
· With Acunetix Web Vulnerability Scanner, you can construct HTTP/HTTPS
requests and analyze the responses using the HTTP editor.
· By enabling you to log, intercept and modify all HTTP/HTTPS traffic,
Acunetix Web Vulnerability Scanner gives you an in-depth insight into
what data your web application is sending.
Test password strength:
· To test the strength of your passwords, you can perform a dictionary
attack on basic HTTP, NTLM or form-based authentication.
Test database editor:
· Acunetix Web Vulnerability Scanner includes a text database editor
that permits you to add additional attacks to the test database
(Enterprise & Consultant versions only).
Supports all major web technologies:
· Applications utilizing CGI, PHP, ASP, ASP.NET can all be tested for
· Acunetix Web Vulnerability Scanner allows you to quickly scan sites
with different options and identities.
· You can save scan sessions to MS SQL Server/Access databases and
generate complex reports from previous scan sessions using information
stored in the database.
· 128 MB of RAM (256MB or higher recommended)
· 200 MB of available hard-disk space
Internet Explorer 5.1 (or higher
SQL Server / Access if database is enabled (optional)
· Nag screen
· Does not allow saving and generation of scan reports
New in This Release: [ read
full changelog ]
New security checks:
· 8.3 DOS filename source code disclosure
· Apache Tomcat Directory Host Appbase authentication bypass
· Apache Tomcat WAR File directory traversal vulnerability
· Apache stronghold-info enabled
· Apache stronghold-status enabled
· ColdFusion 9 Solr Service exposed
· Error page path disclosure
· Error page web server version disclosure
· File inclusion RFI list
· Checks for multiple vulnerabilities in XAMPP
· Server-Side Includes (SSI) injection on Unix
· Server-Side Includes (SSI) injection on Windows
· ASP.NET error messages when requesting URL like |.aspx
· Added more variants to FCKeditor arbitrary file upload
· Updated cross site scripting in path security checks
· Updated directory listing security checks
· Updated directory traversal on Unix security checks
· Updated file upload security checks
· Updated LDAP injection security checks
· Updated possible sensitive files security checks
· Updated XPath injection security checks ...