Description:
A program with which you can check the security of your own website against attacks from the outside. Acunetix Web Vulnerability Scanner first identifies web servers at a particular IP address or IP range. After that, it crawls the whole site, gathering information about every file it finds and displaying the entire website structure. After this discovery stage, it performs an automatic audit for common security issues. Acunetix Web Vulnerability Scanner also automatically detects file inclusion vulnerabilities.
The Port Scanner and network alerts
allow you to perform a port scan against the web server where the
scanned website is running. When open ports are found, Acunetix WVS will
perform network-level security checks against the network
service running on that port, such as DNS open recursion tests, badly
configured proxy server tests, weak SNMP community strings and many
other network-level security checks.
SQL Injection
is one of the many web attack mechanisms used by attackers to steal data
from organizations. It is perhaps one of the most common application
layer attack techniques in use today. It is a type of attack that takes
advantage of improper coding in your web applications, which allows an attacker
to inject SQL commands into, say, a login form in order to gain
access to the data held within your database.
In essence, SQL
Injection arises because the fields available for user input allow SQL
statements to pass through and query the database directly.
Web
applications allow legitimate website visitors to submit and retrieve
data to and from a database over the Internet using their preferred web
browser. Databases are central to modern websites: they store the data
needed for websites to deliver specific content to visitors and render
information to customers, suppliers, employees and a host of other
stakeholders. User credentials, financial and payment information and
company statistics may all reside in a database and be accessed by
legitimate users through off-the-shelf and custom web applications. Web
applications and their databases are what let you run your business day to day.
SQL
Injection is the hacking technique that attempts to pass SQL commands
(statements) through a web application for execution by the backend
database. If user input is not validated properly, web applications may be open to SQL
Injection attacks that allow attackers to read information from the
database, modify it, or even wipe it out.
Features such as login pages,
support and product request forms, feedback forms, search pages,
shopping carts and the general delivery of dynamic content shape modern
websites and give businesses the means to communicate
with prospects and customers. These website features are all examples
of web applications, whether purchased off-the-shelf or
developed as bespoke programs, and every one of them is
susceptible to SQL Injection attacks, which arise whenever the fields
available for user input allow SQL statements to pass through and query
the database directly.
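The login-form and search-page attacks described above, as an added example in Python against an in-memory SQLite database. This is illustrative code, not part of Acunetix or of the original page: the table names, rows and attack strings are constructed for the example, and the hardened versions use bound parameters, which is the standard fix.

```python
import sqlite3

# Added example: a login check and a product search, each written the
# vulnerable way (user input concatenated into the SQL text) and the safe
# way (bound parameters). All tables, rows and payloads are constructed.


def make_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.executemany("INSERT INTO products VALUES (?)", [("apple",), ("banana",)])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting: a quote in the input
    closes the literal and the rest of the input is parsed as SQL."""
    query = ("SELECT username FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values, so they are never
    interpreted as SQL no matter what characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def search_vulnerable(conn, term):
    """Same flaw on a search page: a UNION payload appends rows from any table,
    which is how an attacker reads data the page was never meant to show."""
    query = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, term):
    """The wildcard pattern is assembled in Python and passed as one parameter."""
    query = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(query, ("%" + term + "%",))]


# Constructed attack strings of the kind a scanner submits in form fields.
BYPASS_PASSWORD = "' OR '1'='1"          # turns the WHERE clause into "... OR true"
COMMENT_USERNAME = "alice' --"           # comments out the password check entirely
UNION_TERM = "zzz%' UNION SELECT username || ':' || password FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", BYPASS_PASSWORD))  # True: logged in without the password
    print(login_safe(conn, "alice", BYPASS_PASSWORD))        # False
    print(login_vulnerable(conn, COMMENT_USERNAME, "wrong"))  # True
    print(search_vulnerable(conn, UNION_TERM))               # ['alice:s3cret']
    print(search_safe(conn, UNION_TERM))                     # []
```

Note that `sqlite3` refuses to run more than one statement per `execute()` call, so a stacked `'; DROP TABLE users; --` payload fails here; on database drivers that allow stacked queries the same string-building flaw lets an attacker delete data, which is the "wipe it out" case mentioned above.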
Acunetix AcuSensor Technology
is a security technology that allows you to identify more
vulnerabilities than a traditional web application scanner, whilst
generating fewer false positives. In addition, it indicates exactly where
in your code the vulnerability is. The increased accuracy is achieved by
combining black box scanning techniques with dynamic code analysis
while the source code is executed.
Advantages of using
Acunetix AcuSensor Technology:
· Allows you
to locate and fix the vulnerability faster, because it can
provide more information about the vulnerability, such as the source code
line number, stack trace and affected SQL query.
· Significantly
reduces false positives when scanning a website, because it can
observe the behaviour of the web application from the inside.
·
Can alert you to web application configuration problems which could
result in a vulnerable application or expose internal application
details. E.g. if custom errors are turned off in ASP.NET, the detailed error pages could expose
sensitive application details to a malicious user.
· Detects many
more SQL injection vulnerabilities. Previously, SQL injection
vulnerabilities could only be found if database errors were reported or
via other common techniques.
· Ability to detect SQL Injection
vulnerabilities in all SQL statements, including SQL INSERT
statements. With a black box scanner such SQL injection vulnerabilities
are much harder to find, since the injected statement usually produces no visible output.
· Ability to know about all the files present and
accessible through the web server. If an attacker gains access to the
website and creates a backdoor file in the application directory, the
file will be found and scanned when using AcuSensor Technology and
you will be alerted.
· AcuSensor Technology is able to intercept all
web application inputs, build a comprehensive list of all
possible inputs in the website and test them.
· No need to write
URL rewrite rules when scanning web applications which use search engine
friendly URLs. Using AcuSensor Technology the scanner is able to
rewrite SEO URLs on the fly.
· Ability to test for arbitrary file
creation and deletion vulnerabilities. E.g. through a vulnerable script a
malicious user can create a file in the web application directory and
execute it to gain privileged access, or delete sensitive web
application files.
· Ability to test for email injection. E.g. a
malicious user may append additional information, such as a list of
recipients or extra message body content, to a vulnerable
web form in order to spam a large number of recipients anonymously.
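The email injection described in the last point, as an added Python example that is not part of Acunetix or of the original page. It builds a contact-form message the vulnerable way (user input concatenated into the header block), parses the result the way a mail server would read it, and shows the check that rejects the attack. SITE_FROM, SITE_TO and the payloads are assumed or constructed values; nothing is actually sent.

```python
# Added example: email header injection through a contact form. The
# addresses and inputs below are constructed; no mail is sent.

SITE_FROM = "contact@example.com"   # assumed fixed sender address
SITE_TO = "support@example.com"     # assumed fixed recipient of the form


def build_message_vulnerable(reply_to, subject, body):
    """Concatenates user input straight into the header block. A line break
    inside any field ends that header, so whatever follows it is read by the
    mail server as further headers (Bcc, Cc, To...) or as the message body."""
    headers = [
        "From: " + SITE_FROM,
        "To: " + SITE_TO,
        "Reply-To: " + reply_to,
        "Subject: " + subject,
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_message(raw):
    """Split a raw message into (headers, body) the way an MTA reads it:
    headers end at the first blank line; each header is 'Name: value'."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def is_clean_header_value(value):
    """True only if the value contains no CR or LF. Both are rejected because
    mail servers accept a bare LF as a line terminator as well as CRLF."""
    return "\r" not in value and "\n" not in value


def build_message_safe(reply_to, subject, body):
    """Refuses header values with line breaks instead of trying to strip them,
    so a smuggled header can never reach the mail server."""
    for field in (reply_to, subject):
        if not is_clean_header_value(field):
            raise ValueError("line break in header field")
    return build_message_vulnerable(reply_to, subject, body)


# Constructed payloads: the first smuggles a Bcc header through the Reply-To
# field, the second ends the headers early and replaces the message body.
BCC_PAYLOAD = "attacker@evil.example\r\nBcc: v1@example.org, v2@example.org"
BODY_PAYLOAD = "hello\r\n\r\nBuy now at http://spam.example/"

if __name__ == "__main__":
    headers, body = parse_message(build_message_vulnerable(BCC_PAYLOAD, "hi", "text"))
    print(headers.get("bcc"))   # ['v1@example.org, v2@example.org']
    headers, body = parse_message(build_message_vulnerable("a@b.example", BODY_PAYLOAD, "text"))
    print(body.split("\r\n")[0])  # 'Buy now at http://spam.example/'
    print(is_clean_header_value(BCC_PAYLOAD))   # False
```

The rejection is deliberate: silently stripping the line breaks and sending the rest hides the attack from the logs, whereas a refused request is something a scanner or a monitoring rule can pick up.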
Here are some key features of
"Acunetix Web Vulnerability Scanner":
Acunetix Web Vulnerability Scanner automatically detects the
following vulnerabilities in web applications:
· Cross site scripting
· SQL injection
· CRLF injection
· Code execution
· Directory traversal
· File inclusion
· Script source code disclosure
· Discovers files/directories that may contain sensitive information
· Looks for common files (such as logs, application traces, CVS web
repositories), back-up files or directories
· Finds directory listings
· Discovers directories with weak permissions
· Discovers available web server technologies (such as WebDAV,
FrontPage, etc.)
· Determines if dangerous HTTP methods are enabled on the web server
(e.g. PUT, TRACE, DELETE)
· Inspects the HTTP version banners and looks for vulnerable products
· Tests password strength of applications.
Extend attacks:
· With Acunetix Web Vulnerability Scanner, you can construct HTTP/HTTPS
requests and analyze the responses using the HTTP editor.
Connection spy:
· By enabling you to log, intercept and modify all HTTP/HTTPS traffic,
Acunetix Web Vulnerability Scanner gives you an in-depth insight into
what data your web application is sending.
Test password strength:
· To test the strength of your passwords, you can perform a dictionary
attack on basic HTTP, NTLM or form-based authentication.
Test database editor:
· Acunetix Web Vulnerability Scanner includes a text database editor
that permits you to add additional attacks to the test database
(Enterprise & Consultant versions only).
Supports all major web technologies:
· Applications utilizing CGI, PHP, ASP, ASP.NET can all be tested for
vulnerabilities.
Scanning profiles:
· Acunetix Web Vulnerability Scanner allows you to quickly scan sites
with different options and identities.
Reporting:
· You can save scan sessions to MS SQL Server/Access databases and
generate complex reports from previous scan sessions using information
stored in the database.
Requirements:
· 128 MB of RAM (256 MB or higher recommended)
· 200 MB of available hard-disk space
· Microsoft Internet Explorer 5.1 (or higher)
· Microsoft SQL Server / Access if the database is enabled (optional)
Limitations:
· Nag screen
· Does not allow saving and generation of scan reports
What's New in This Release:
New security checks:
· 8.3 DOS filename source code disclosure
· Apache Tomcat Directory Host Appbase authentication bypass
vulnerability
· Apache Tomcat WAR File directory traversal vulnerability
· Apache stronghold-info enabled
· Apache stronghold-status enabled
· ColdFusion 9 Solr Service exposed
· Error page path disclosure
· Error page web server version disclosure
· File inclusion RFI list
· Checks for multiple vulnerabilities in XAMPP
· Server-Side Includes (SSI) injection on Unix
· Server-Side Includes (SSI) injection on Windows
· ASP.NET error messages when requesting URL like |.aspx
Improvements:
· Added more variants to FCKeditor arbitrary file upload
· Updated cross site scripting in path security checks
· Updated directory listing security checks
· Updated directory traversal on Unix security checks
· Updated file upload security checks
· Updated LDAP injection security checks
· Updated possible sensitive files security checks
· Updated XPath injection security checks ...