Acunetix Web Vulnerability Scanner

    Getting Started

                            V6.5

                         By Acunetix Ltd.

1
Starting a Scan
          The Scan Wizard allows you to quickly set up an automated crawl and scan
          of your website. An automated scan provides a comprehensive and deep
          understanding of the level of website security simply by reviewing the
          individual alerts returned.
          This chapter explains the process of launching a security audit of your
          website through the Scan Wizard.
          NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION! The web
          server logs will show the scans and any attacks made by Acunetix WVS. If
          you are not the sole administrator of the website, please make sure you
          warn other administrators before performing a scan. Some scans might
          cause a website to crash, requiring a restart of the website.


Step 1: Select Target(s) to Scan
          1. Click on ‘File > New > New Website Scan’ to start the Scan Wizard, or click
          the ‘New Scan’ button at the top right of the Acunetix WVS user
          interface.




                         Screenshot 1 – Scan Wizard Select Scan Type

          2. Specify the target or targets to be scanned. The scan target options are:
          ·   Scan single website - Scans a single website. Enter a URL, e.g.
              http://testphp.acunetix.com, https://.testaspnet.acunetix.com.
          ·   Scan using saved crawling results - If you previously performed a
              crawl on a website and saved the results, you can analyze these results
              directly without having to crawl the site again. Specify the ‘Saved crawler
              results’ file by clicking on the folder button.
          ·   Scan List of Websites - Scans a list of target websites specified in a
              plain text file (one target per line). Every target in the file is to be specified
              in the format <URL>, or <URL:port> if the web server is listening on a
              non-default port. The maximum number of websites Acunetix WVS can scan
              at a time is between 20 and 30 sites, depending on the size of the
              websites.

          ·   Scan Range of Computers - This will scan a specific range of IPs (e.g.
              192.168.0.10-192.168.0.200) for target sites which are open on the
              specified ports (default 80, 81 and 443).
          3. Click ‘Next’ to continue.
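The target-list file format and the IP-range option described above can be validated before the wizard ever runs. The following is an added example (not Acunetix code): it parses a constructed "Scan List of Websites" file into normalised targets, expands an IP range across the default ports 80, 81 and 443, and then checks every target against an agreed scope so that nothing outside the authorised domains or networks reaches the scanner. Comment lines, blank lines and scheme-less hosts defaulting to http are assumptions of this example, not documented file features.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ports the "Scan Range of Computers" option probes by default (from the guide).
DEFAULT_PORTS = (80, 81, 443)

# Constructed sample of a "Scan List of Websites" file: one <URL> or <URL:port> per line.
# Comment and blank lines are an assumption of this example, not a documented feature.
SAMPLE_TARGET_FILE = """\
http://testphp.acunetix.com
https://shop.example.test:8443
# staging host, listening on a non-default port

intranet.example.test:8080
"""


def parse_target_line(line):
    """Normalise one target line to (scheme, host, port).

    Accepts "<URL>" or "<URL:port>"; a bare host[:port] without a scheme is
    assumed to mean http. Returns None for blank/comment lines and raises
    ValueError for anything the scanner could not use as a target.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:
        line = "http://" + line
    parts = urlsplit(line)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported target: {line}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def parse_target_file(text):
    """Parse the whole target file, reporting the offending line number on error."""
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            target = parse_target_line(raw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if target is not None:
            targets.append(target)
    return targets


RANGE_RE = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*")


def expand_ip_range(spec, ports=DEFAULT_PORTS):
    """Expand a range such as '192.168.0.10-192.168.0.200' into (scheme, ip, port)
    targets, one per address and port; 443 is treated as https, the rest as http."""
    match = RANGE_RE.fullmatch(spec)
    if not match:
        raise ValueError(f"bad IP range: {spec!r}")
    first = ipaddress.IPv4Address(match.group(1))
    last = ipaddress.IPv4Address(match.group(2))
    if last < first:
        raise ValueError("range end precedes range start")
    targets = []
    for n in range(int(first), int(last) + 1):
        ip = str(ipaddress.IPv4Address(n))
        for port in ports:
            targets.append(("https" if port == 443 else "http", ip, port))
    return targets


def split_by_scope(targets, allowed_domains, allowed_networks):
    """Split targets into (authorised, unauthorised) against an agreed scope:
    allowed_domains matches a host or any of its subdomains, allowed_networks
    is a list of CIDR strings for IP targets."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    authorised, unauthorised = [], []
    for target in targets:
        _, host, _ = target
        try:
            allowed = any(ipaddress.ip_address(host) in net for net in networks)
        except ValueError:  # not an IP literal: compare as a DNS name
            host = host.lower()
            allowed = any(host == d or host.endswith("." + d) for d in allowed_domains)
        (authorised if allowed else unauthorised).append(target)
    return authorised, unauthorised
```

Feed only the authorised list to the scanner; the unauthorised list is what to review with whoever owns the scope document.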


Step 2: Confirm Targets and Technologies Detected




              Screenshot 2 – Scan Wizard Selecting Targets and Technologies


          Acunetix WVS will automatically probe the target website(s) for basic details
          such as operating system, web server, web server technologies and whether
          a custom error page is used (for more details on custom error pages refer
          to the section ‘Settings > Scanner Settings > Custom 404 Pages’ in the user
          manual).
          The web vulnerability scanner will optimize the scan for the detected
          technologies and use these details to skip tests which are not applicable
          (e.g. Acunetix WVS will not run IIS tests against a UNIX system). This
          reduces scanning time.
          Click on the relevant field and change the settings from the provided check
          boxes if you would like to add or remove scans for specific technologies.




Step 3: Specify Crawler Options




                        Screenshot 3 – Scan Wizard Crawling Options

          In this dialog you can configure the crawling options.

     Crawling Options
          The Crawler traverses the entire website and identifies its structure. The
          following crawling options may be configured:
          ·   Start HTTP Sniffer for manual crawling at the end of the scan process.
          ·   Get first URL only.
          ·   Do not fetch anything above start folder.
          ·   Fetch files below base folder.
          ·   Fetch directory indexes even if not linked.
          ·   Submit forms.
          ·   Retrieve and process robots.txt, sitemap.xml.
          ·   Case insensitive paths.
          ·   Analyze JavaScript.
          ·   After crawling let me choose the files to scan.
          If the scan is from a saved crawl result, these options will be grayed out.
          Note: Using the default crawling options allows you to scan your websites
          without any problems. If you would like to tweak the crawling options, please
          refer to the ‘Configuring the Crawler’ section in the user manual.




Step 4: Specify Scanning Profile Options and Mode




                        Screenshot 4 – Scan Profile and Mode Options

           In this dialog you can configure the scanning profile and scan options,
           including the options for the scanning mode.

     Scanning Profile
           The Scanning Profile will determine which tests are to be carried out against
           the target site. For example, if you only want to test your website(s) for SQL
           injection, select the profile sql_injection and no additional tests would be
           performed.
           Refer to the ‘Scanning Profiles’ chapter in the user manual for more
           information on how to customize existing profiles and create new scanning
           profiles.

     Scan Options
           From this section you can select the Scanning Mode which will be used
           during the scan. The scanning mode options are the following:
               ·   Quick - In this mode the scanner will test for just the first value of
                   every parameter.
               ·   Heuristic - In this mode the scanner will try to automatically figure
                   out for which parameters to test all values and for which not to test all
                   values.
               ·   Extensive - In this mode the scanner will test all possible
                   combinations for all parameters on the website. In some cases, this
                   can generate a huge number of requests and should be used with
                   caution.
           The other options which you can select from this step of the wizard are:
               ·   Test known web application vulnerabilities on every directory - If
                   this option is selected, the scanner will test for known web application
                   vulnerabilities on every directory instead of the default directory only.

                    This option will generate a lot of HTTP traffic and will extend the
                    scanning time if the website being scanned is very large.
             ·   Manipulate HTTP headers - With this option selected, the scanner
                 will try to manipulate the HTTP headers which might be used by
                 server side technologies.
              ·   Enable Port Scanning - Tick this option to run the port scanner
                  against the web server during a website scan. For more details about
                  the Port Scanner refer to the section ‘Configuring the Port Scanner’.
             ·   Enable AcuSensor Technology - Tick this option to enable
                 AcuSensor Technology during the scan. Note that the AcuSensor
                 client has to be installed on the web server which is being scanned.
                 For more details about the AcuSensor Technology refer to the
                 ‘AcuSensor Technology’ section in the user manual.
              Note: If the scan is being launched from saved scan results, the drop-down
              menu in the Enable AcuSensor Technology section lets you choose to use
              the sensor data from the crawling results without revalidation, to
              revalidate the sensor data, or not to use the sensor data from the
              crawling results at all.


Step 5: Configure Login for Password Protected Areas
          Acunetix supports 2 types of Login pages:
             ·   HTTP Authentication - This type of authentication is handled by the
                 web server, where the user is prompted with a password dialog.
             ·   HTML Authentication - This type of authentication is handled via a
                 web form. The credentials are sent back to the server for validation
                 by a custom script.




                            Screenshot 5 - Login Details Options

     Scanning an HTTP password-protected area:
          Tick the box ‘Authenticate with this user name and password combination’
          and enter the username and password.


     Scanning an HTML password-protected area:
           1. Click on ‘Record new login sequence’, browse to the HTML form login
           page, and record the login sequence by entering the credentials and
           authenticating.
           2. Once authenticated, you also need to identify the logout link, so that the
           crawler does not follow it and log out the user session. Click on ‘Next’ to
           proceed to record the restricted link, then click on the link which logs out
           the user session. Click ‘Next’ to specify an ‘In Session’ or ‘Out of Session’
           pattern.
           3. Click on ‘Detect’ for the scanner to try to automatically detect a pattern
           that lets it recognize whether the session is still valid. If the scanner is
           unable to detect one automatically, specify a pattern manually in the Pattern
           input field. You can use regular expressions to specify the pattern. Also
           specify the pattern type. Click on ‘Check Pattern’ to verify the pattern.
           4. Click on Exit and save the login sequence. You can reuse the login
           sequence during future scans. Login sequences can be edited from the Tools
           Explorer by selecting the ‘Configuration > Scanner Settings > Login sequences’
           node in the Settings interface.
           Note: For further information about creating and editing login sequences
           refer to the section ‘Settings > Scanner Settings > Login Sequences’ in the
           user manual.
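The two pieces of the login sequence above, the In Session / Out of Session pattern and the excluded logout link, are small enough to model directly. The following is an added example (not Acunetix code) using constructed page bodies: it evaluates a pattern of either type against a response, reproduces what a ‘Check Pattern’ step has to verify (the pattern must classify both a logged-in and a logged-out sample correctly), and filters the recorded logout link out of the links a crawler would follow. The page bodies, pattern strings and the `/logout.php` path are all assumptions of the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed response bodies standing in for pages the crawler fetches.
LOGGED_IN_PAGE = """<html><body>
<p>Welcome back, alice</p>
<a href="/account">My account</a>
<a href="/orders">Orders</a>
<a href="/logout.php">Log out</a>
</body></html>"""

LOGIN_FORM_PAGE = """<html><body>
<form action="/login.php" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""

# A pattern is (pattern_type, regex); both types from the wizard are supported.
IN_SESSION = ("in_session", r"Welcome back, \w+")
OUT_OF_SESSION = ("out_of_session", r'<input[^>]+type="password"')


def session_is_valid(body, pattern):
    """Decide whether a response shows the crawler is still logged in.

    An in_session regex must match for the session to count as valid; an
    out_of_session regex must NOT match (a match means we were logged out).
    """
    kind, regex = pattern
    hit = re.search(regex, body, re.IGNORECASE) is not None
    if kind == "in_session":
        return hit
    if kind == "out_of_session":
        return not hit
    raise ValueError(f"unknown pattern type: {kind}")


def check_pattern(pattern, in_session_sample, out_of_session_sample):
    """What a 'Check Pattern' step has to establish: the pattern is only usable
    if it reports valid for the logged-in sample and invalid for the logged-out one.
    A pattern that matches both (e.g. a site-wide header) is rejected here."""
    return (session_is_valid(in_session_sample, pattern)
            and not session_is_valid(out_of_session_sample, pattern))


HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def crawlable_links(base_url, body, restricted_links):
    """Extract absolute links from a page, dropping the recorded logout
    (restricted) links so the crawler never terminates its own session."""
    restricted = {urlsplit(urljoin(base_url, r)).path for r in restricted_links}
    links = []
    for href in HREF_RE.findall(body):
        absolute = urljoin(base_url, href)
        if urlsplit(absolute).path in restricted:
            continue
        links.append(absolute)
    return links
```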


Step 6: Configure Custom 404 Error Pages
           A 404 error page is the page which appears when a requested page is not
           found. In many cases, rather than displaying the standard 404 error, websites
           show a page formatted according to the look and feel of the website to inform
           the user that the requested page does not exist. Custom 404 error pages are
           not necessarily served with a server 404 error (Page not found), and
           therefore Acunetix WVS must be able to identify these pages automatically in
           order to tell a non-existent URL apart from a valid web page.
           The scan wizard will automatically try to detect whether the site uses custom
           error pages. If it does, WVS will display the custom error page and will
           automatically attempt to locate the unique identifier of such an error page; in
           this case ‘Error 404: Page Not Found’. If it does not detect custom 404 error
           pages but the site uses them, then they have to be configured manually.
           Note: Typically, most websites return 404 errors when a requested URL is not
           found. If you need to configure a Custom 404 Error page, refer to the section
           ‘Settings > Scanner Settings > Custom 404 Pages’ in the user manual.
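The detection step above (probe for a custom error page, then locate its unique identifier) can be written out as a small algorithm. The following is an added example (not Acunetix code) run against a constructed fake site that answers unknown paths with HTTP 200 and a branded “Error 404: Page Not Found” page: it requests random non-existent URLs, keeps the text fragments shared by all the responses, discards those that also appear on known valid pages, and uses the longest remaining fragment to classify later responses. A site that returns a genuine 404 status needs no identifier, and a site where no fragment qualifies is the manual-configuration case. The site contents, paths and helper names are assumptions of the example.

```python
import random
import re
import string

# Constructed stand-in for a site that answers unknown paths with HTTP 200 and a
# branded "not found" page instead of a real 404 status (the custom 404 case).
SITE = {
    "/": (200, "<html><body><h1>Shop</h1><a href='/products'>Products</a></body></html>"),
    "/products": (200, "<html><body><h1>Shop</h1><ul><li>Widget</li></ul></body></html>"),
}
CUSTOM_404 = ("<html><body><h1>Shop</h1><p>Error 404: Page Not Found</p>"
              "<p>Sorry, the page {path} does not exist.</p></body></html>")


def fetch_soft_404(path):
    """Fake HTTP GET against the custom-404 site: returns (status, body)."""
    return SITE.get(path) or (200, CUSTOM_404.format(path=path))


def fetch_real_404(path):
    """Fake HTTP GET against a site that returns a genuine 404 status."""
    return SITE.get(path) or (404, "<html><body>Not Found</body></html>")


TEXT_NODE_RE = re.compile(r">\s*([^<>]+?)\s*<")


def text_nodes(body):
    """Text fragments between tags; fragments containing the random probe
    path differ per response and therefore never survive the intersection."""
    return set(TEXT_NODE_RE.findall(body))


def random_path(rng, length=12):
    return "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def detect_custom_404(fetch, known_valid_paths, probes=3, seed=0):
    """Return (uses_custom_404, identifier).

    Requests random, almost certainly non-existent URLs. A real 404 status means
    no custom page: (False, None). Otherwise the identifier is the longest text
    fragment present in every probe response but in none of the known valid
    pages; None if nothing qualifies, which is the "configure manually" case.
    """
    rng = random.Random(seed)
    shared = None
    for _ in range(probes):
        status, body = fetch(random_path(rng))
        if status == 404:
            return False, None
        nodes = text_nodes(body)
        shared = nodes if shared is None else shared & nodes
    valid_text = set()
    for path in known_valid_paths:
        valid_text |= text_nodes(fetch(path)[1])
    candidates = [t for t in (shared or set()) if t not in valid_text]
    return True, (max(candidates, key=len) if candidates else None)


def classify(fetch, path, identifier):
    """'not_found' on a 404 status or when the custom-404 identifier is present,
    otherwise 'valid'; this is the distinction the scanner needs per URL."""
    status, body = fetch(path)
    if status == 404 or (identifier is not None and identifier in body):
        return "not_found"
    return "valid"
```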


Step 7: Select the Files and directories to Scan
           If the option ‘After crawling let me choose the files to scan’ was ticked in the
           crawling options, a window with the site structure will open up, from which a
           selection of files to scan and ones to ignore can be made after the crawl
           process is finished.


Step 8: Completing the scan
           If you want to save the scan results to a database, enable ‘Save scan results
           to the database for report generation’. Now click ‘Finish’ to start the scan.
           Depending on the size of the website, a scan may take several hours!


Contenu connexe

En vedette

Bridge Portfolio
Bridge PortfolioBridge Portfolio
Bridge Portfolioblovelace
 
Sigorta Sektörü İçin İnteraktif Pazarlama Fikirleri
Sigorta Sektörü İçin İnteraktif Pazarlama FikirleriSigorta Sektörü İçin İnteraktif Pazarlama Fikirleri
Sigorta Sektörü İçin İnteraktif Pazarlama FikirleriMedyaTEQ
 
How to go weekly
How to go weeklyHow to go weekly
How to go weeklytevinallen
 
Module 3, topic 1 notes
Module 3, topic 1 notesModule 3, topic 1 notes
Module 3, topic 1 notesAnnie cox
 
Who wants to_be_a_millionaire_
Who wants to_be_a_millionaire_Who wants to_be_a_millionaire_
Who wants to_be_a_millionaire_junsew
 
常常喜樂
常常喜樂常常喜樂
常常喜樂moya1029
 
Prezentacjabb 052010
Prezentacjabb 052010Prezentacjabb 052010
Prezentacjabb 052010gueste6c5b1
 
Bai06 kiem tramodule-k-trpm@softtesting-nntu
Bai06 kiem tramodule-k-trpm@softtesting-nntuBai06 kiem tramodule-k-trpm@softtesting-nntu
Bai06 kiem tramodule-k-trpm@softtesting-nntuJenny Nguyen
 
Cuoc song tinh yeu tieng cuoi tech24.vn
Cuoc song tinh yeu tieng cuoi tech24.vnCuoc song tinh yeu tieng cuoi tech24.vn
Cuoc song tinh yeu tieng cuoi tech24.vnJenny Nguyen
 
Watershed Creation
Watershed CreationWatershed Creation
Watershed Creationpetercooney
 
Mother’s day
Mother’s dayMother’s day
Mother’s dayamylizzy83
 
Syllabus foundation
Syllabus foundationSyllabus foundation
Syllabus foundationJenny Nguyen
 
Module 5 topic 1
Module 5 topic 1Module 5 topic 1
Module 5 topic 1Annie cox
 
จดหมายข่าวเดือนกรกฎาคม
จดหมายข่าวเดือนกรกฎาคมจดหมายข่าวเดือนกรกฎาคม
จดหมายข่าวเดือนกรกฎาคมatscience
 
Module 5 topic 2 2nd
Module 5 topic 2   2ndModule 5 topic 2   2nd
Module 5 topic 2 2ndAnnie cox
 
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntu
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntuBai11 quan ly-kiemtra-ktrpm@softtesting-nntu
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntuJenny Nguyen
 

En vedette (20)

Bridge Portfolio
Bridge PortfolioBridge Portfolio
Bridge Portfolio
 
Salvador
SalvadorSalvador
Salvador
 
Sigorta Sektörü İçin İnteraktif Pazarlama Fikirleri
Sigorta Sektörü İçin İnteraktif Pazarlama FikirleriSigorta Sektörü İçin İnteraktif Pazarlama Fikirleri
Sigorta Sektörü İçin İnteraktif Pazarlama Fikirleri
 
How to go weekly
How to go weeklyHow to go weekly
How to go weekly
 
Module 3, topic 1 notes
Module 3, topic 1 notesModule 3, topic 1 notes
Module 3, topic 1 notes
 
Who wants to_be_a_millionaire_
Who wants to_be_a_millionaire_Who wants to_be_a_millionaire_
Who wants to_be_a_millionaire_
 
常常喜樂
常常喜樂常常喜樂
常常喜樂
 
Qtp tutorial
Qtp tutorialQtp tutorial
Qtp tutorial
 
Prezentacjabb 052010
Prezentacjabb 052010Prezentacjabb 052010
Prezentacjabb 052010
 
Bai06 kiem tramodule-k-trpm@softtesting-nntu
Bai06 kiem tramodule-k-trpm@softtesting-nntuBai06 kiem tramodule-k-trpm@softtesting-nntu
Bai06 kiem tramodule-k-trpm@softtesting-nntu
 
Cuoc song tinh yeu tieng cuoi tech24.vn
Cuoc song tinh yeu tieng cuoi tech24.vnCuoc song tinh yeu tieng cuoi tech24.vn
Cuoc song tinh yeu tieng cuoi tech24.vn
 
Watershed Creation
Watershed CreationWatershed Creation
Watershed Creation
 
1st Semester Quick Review
1st Semester Quick Review1st Semester Quick Review
1st Semester Quick Review
 
Mother’s day
Mother’s dayMother’s day
Mother’s day
 
Doubleside
DoublesideDoubleside
Doubleside
 
Syllabus foundation
Syllabus foundationSyllabus foundation
Syllabus foundation
 
Module 5 topic 1
Module 5 topic 1Module 5 topic 1
Module 5 topic 1
 
จดหมายข่าวเดือนกรกฎาคม
จดหมายข่าวเดือนกรกฎาคมจดหมายข่าวเดือนกรกฎาคม
จดหมายข่าวเดือนกรกฎาคม
 
Module 5 topic 2 2nd
Module 5 topic 2   2ndModule 5 topic 2   2nd
Module 5 topic 2 2nd
 
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntu
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntuBai11 quan ly-kiemtra-ktrpm@softtesting-nntu
Bai11 quan ly-kiemtra-ktrpm@softtesting-nntu
 

Similaire à Sudugtooltestbaomat

Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Wlad1m1r
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Qtp complete guide for all
Qtp complete guide for allQtp complete guide for all
Qtp complete guide for allRamu Palanki
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssistBryan Ferrario
 
Azure appservice
Azure appserviceAzure appservice
Azure appserviceRaju Kumar
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Load testing using_neoload by kc
Load testing using_neoload by kcLoad testing using_neoload by kc
Load testing using_neoload by kckrishna chaitanya
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
Cross-Browser Testing With Automation.pdf
Cross-Browser Testing With Automation.pdfCross-Browser Testing With Automation.pdf
Cross-Browser Testing With Automation.pdfRiley Claire
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 

Similaire à Sudugtooltestbaomat (20)

Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Qtp basics
Qtp basicsQtp basics
Qtp basics
 
Qtp complete guide for all
Qtp complete guide for allQtp complete guide for all
Qtp complete guide for all
 
Security testing
Security testingSecurity testing
Security testing
 
28791456 web-testing
28791456 web-testing28791456 web-testing
28791456 web-testing
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
 
Azure appservice
Azure appserviceAzure appservice
Azure appservice
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
VorlonJS
VorlonJSVorlonJS
VorlonJS
 
Load testing using_neoload by kc
Load testing using_neoload by kcLoad testing using_neoload by kc
Load testing using_neoload by kc
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
JCrawler
JCrawlerJCrawler
JCrawler
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
Cross-Browser Testing With Automation.pdf
Cross-Browser Testing With Automation.pdfCross-Browser Testing With Automation.pdf
Cross-Browser Testing With Automation.pdf
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Load Runner
Load RunnerLoad Runner
Load Runner
 
EVOLVE'13 | Enhance | Permission Sensitive Caching | Paul McMahon & Jason Rap...
EVOLVE'13 | Enhance | Permission Sensitive Caching | Paul McMahon & Jason Rap...EVOLVE'13 | Enhance | Permission Sensitive Caching | Paul McMahon & Jason Rap...
EVOLVE'13 | Enhance | Permission Sensitive Caching | Paul McMahon & Jason Rap...
 

Dernier

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 

Dernier (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Sudugtooltestbaomat

  • 1. Acunetix Web Vulnerability Scanner Getting Started V6.5 By Acunetix Ltd. 1
  • 2. Starting a Scan The Scan Wizard allows you to quickly set-up an automated crawl and scan of your website. An automated scan provides a comprehensive and deep understanding of the level website security by simply reviewing the individual alerts returned. This chapter explains the process of launching a security audit of your website through the Scan wizard. NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION! The web server logs will show the scans and any attacks made by Acunetix WVS. If you are not the sole administrator of the website please make sure to you warn other administrators before performing a scan. Some scans might cause a website to crash requiring a restart of the website. Step 1: Select Target(s) to Scan 1. Click on ‘File > New > New Website Scan’ to start the Scan Wizard or click on ‘New Scan’ button on the top right hand of the Acunetix WVS user interface. Screenshot 1 – Scan Wizard Select Scan Type 2. Specify the target or targets to be scanned. The scan target options are: · Scan single website - Scans a single website. E n t e r a URL, e.g. http://testphp.acunetix.com, https://.testaspnet.acunetix.com. · Scan using saved crawling results - If you previously performed a crawl on a website and saved the results, you can analyze these results directly without having to crawl the site again. Specify the ‘Saved crawler results’ file by clicking on the folder button. · Scan List of Websites - Scans a list of target websites specified in a plain text file (one target per line). Every target in the file is to be specified in the format <URL> or < URL:port> if the web server is listening on a non default port. The maximum number of websites Acunetix WVS can scan at 1 time is between 20 and 30 sites; depending on the size of the websites. 2 Acunetix Web Vulnerability Scanner
·   Scan Range of Computers - Scans a range of IP addresses (e.g. 192.168.0.10-192.168.0.200) for hosts with a web server listening on the specified ports (default 80, 81 and 443).

3. Click 'Next' to continue.

Step 2: Confirm Targets and Technologies Detected

          Screenshot 2 – Scan Wizard Selecting Targets and Technologies

Acunetix WVS will automatically probe the target website(s) for basic details such as the operating system, the web server, the web server technologies and whether a custom error page is used (for more details on custom error pages refer to the section 'Settings > Scanner Settings > Custom 404 Pages' in the user manual). The scanner optimizes the scan for the detected technologies and uses these details to skip tests which are not applicable (e.g. IIS-specific tests are not run against a UNIX system), which reduces scanning time. Click on the relevant field and change the settings from the provided check boxes if you would like to add or remove tests for specific technologies. If the detection looks doubtful, leave the extra technologies ticked: an unticked technology means its tests are never run.
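The 'Scan List of Websites' and 'Scan Range of Computers' options in Step 1 take, respectively, a text file of targets and an IP range probed on ports 80, 81 and 443. The following Python script is an added example (not part of the Acunetix guide or product) that does the preparatory work on your own side: it expands the wizard's range syntax, probes each address on the default ports, writes targets in the <URL> / <URL:port> form the list file expects, and splits them into files no larger than the 20-target limit quoted above. The scheme rule (443 is https, everything else http) and the file names targets-N.txt are assumptions for the example; the probe function is a real TCP connect, so point it only at hosts you are authorised to scan.

```python
import ipaddress
import socket
from typing import Callable, Iterator, List, Sequence

# Ports the wizard probes by default when scanning a range of computers.
DEFAULT_PORTS = (80, 81, 443)

# Upper bound on targets per list file (the guide quotes 20-30 depending on site size).
MAX_TARGETS_PER_LIST = 20


def expand_range(spec: str) -> Iterator[str]:
    """Expand the wizard's range syntax, e.g. '192.168.0.10-192.168.0.200',
    into individual IPv4 addresses (a single address is a range of one)."""
    first, _, last = spec.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip()) if last else start
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    for n in range(int(start), int(end) + 1):
        yield str(ipaddress.IPv4Address(n))


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real network probe: True if a TCP connect to host:port succeeds.
    Only run this against hosts you are authorised to scan."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def target_line(host: str, port: int) -> str:
    """One line of the 'Scan List of Websites' file: <URL>, or <URL:port> when the
    port is not the scheme default. Assumption: 443 is https, everything else http."""
    scheme = "https" if port == 443 else "http"
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" if port == default else f"{scheme}://{host}:{port}"


def discover_targets(spec: str, ports: Sequence[int] = DEFAULT_PORTS,
                     probe: Callable[[str, int], bool] = tcp_open) -> List[str]:
    """Probe every address in the range on every port; return target-list lines."""
    lines: List[str] = []
    for host in expand_range(spec):
        for port in ports:
            if probe(host, port):
                lines.append(target_line(host, port))
    return lines


def split_lists(lines: Sequence[str], size: int = MAX_TARGETS_PER_LIST) -> List[List[str]]:
    """Chunk the targets so no single list file exceeds the scanner's limit."""
    return [list(lines[i:i + size]) for i in range(0, len(lines), size)]


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10-192.168.0.20"
    for n, chunk in enumerate(split_lists(discover_targets(spec)), start=1):
        with open(f"targets-{n}.txt", "w") as fh:      # one file per wizard run (assumed name)
            fh.write("\n".join(chunk) + "\n")
        print(f"targets-{n}.txt: {len(chunk)} target(s)")
```

Run it as `python targets.py 192.168.0.10-192.168.0.200` and feed each targets-N.txt to a separate 'Scan List of Websites' run. The probe is injectable so the logic can be exercised without touching the network, which is how the assertions below drive it.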
Step 3: Specify Crawler Options

          Screenshot 3 – Scan Wizard Crawling Options

In this dialog you can configure the crawling options.

Crawling Options
The Crawler traverses the entire website and identifies its structure. The following crawling options may be configured:
·   Start HTTP Sniffer for manual crawling at the end of the scan process.
·   Get first URL only.
·   Do not fetch anything above start folder.
·   Fetch files below base folder.
·   Fetch directory indexes even if not linked.
·   Submit forms.
·   Retrieve and process robots.txt, sitemap.xml.
·   Case insensitive paths.
·   Analyze JavaScript.
·   After crawling let me choose the files to scan.
If the scan is started from a saved crawl result, these options are grayed out. Note that 'Submit forms' makes the crawler post data into every form it finds, so on a live site expect test records, e-mails or orders to be created.
Note: The default crawling options let you scan your websites without any problems. If you would like to tweak the crawling options, refer to the 'Configuring the Crawler' section in the user manual.
Step 4: Specify Scanning Profile Options and Mode

          Screenshot 4 – Scan Profile and Mode Options

In this dialog you can configure the scanning profile and the scan options, including the scanning mode.

Scanning Profile
The Scanning Profile determines which tests are carried out against the target site. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection and no other tests will be performed. Refer to the 'Scanning Profiles' chapter in the user manual for more information on how to customize existing profiles and create new scanning profiles.

Scan Options
From this section you can select the Scanning Mode which will be used during the scan. The scanning mode options are:
·   Quick - The scanner tests only the first value of every parameter.
·   Heuristic - The scanner tries to figure out automatically for which parameters to test all values and for which to test only the first.
·   Extensive - The scanner tests all possible combinations of all parameters on the website. In some cases this generates a huge number of requests and should be used with caution.
The other options which you can select from this step of the wizard are:
·   Test known web application vulnerabilities on every directory - If this option is selected, the scanner tests for known web application vulnerabilities on every directory instead of the default directory only.
    This option generates a lot of HTTP traffic and extends the scanning time if the website being scanned is very large.
·   Manipulate HTTP headers - With this option selected, the scanner tries to manipulate the HTTP headers which might be used by server side technologies.
·   Enable Port Scanning - Tick this option to run the port scanner against the web server during a website scan. For more details about the Port Scanner refer to the 'Configuring the Port Scanner' section in the user manual.
·   Enable AcuSensor Technology - Tick this option to enable AcuSensor Technology during the scan. Note that the AcuSensor client has to be installed on the web server which is being scanned. For more details refer to the 'AcuSensor Technology' section in the user manual.
Note: If the scan is launched from saved scan results, the drop-down menu in the Enable AcuSensor Technology section lets you choose between using the sensor data from the crawling results without revalidation, not using the sensor data from the crawling results, and revalidating the sensor data.

Step 5: Configure Login for Password Protected Areas

Acunetix supports 2 types of login pages:
·   HTTP Authentication - This type of authentication is handled by the web server, where the user is prompted with a password dialog.
·   HTML Authentication - This type of authentication is handled via a web form. The credentials are sent back to the server for validation by a custom script.
Use a dedicated test account for either type: the scanner submits attack payloads through every form and parameter reachable with the credentials you supply.

          Screenshot 5 - Login Details Options

Scanning an HTTP password protected area:
Tick the box 'Authenticate with this user name and password combination' and enter the username and password.
Scanning an HTML password protected area:
1. Click on 'Record new login sequence', browse to the HTML form login page, and record the login sequence by entering the credentials and authenticating.
2. Once authenticated, you also need to identify the logout link, so that the crawler does not follow it and log out the user session. Click on 'Next' to proceed to record the restricted link, then click on the link which logs out the user session. Record any other link that would invalidate the session (for example a password change page) as restricted too. Click 'Next' to specify an 'In Session' or 'Out of Session' pattern.
3. Click on 'Detect' for the scanner to try to automatically detect a pattern by which it can recognize whether the session is still valid. If the scanner is unable to detect one automatically, specify a pattern manually in the Pattern input field. You can use regular expressions to specify the pattern. Specify also the pattern type. Click on 'Check Pattern' to verify the pattern.
4. Click on exit and save the login sequence. You can reuse the login sequence during future scans. Login sequences can be edited from the Tools Explorer by selecting the 'Configuration > Scanner Settings > Login Sequences' node in the Settings interface.
Note: For further information about creating and editing login sequences refer to the section 'Settings > Scanner Settings > Login Sequences' in the user manual.

Step 6: Configure Custom 404 Error Pages

A 404 error page is the page which appears when a requested page is not found. In many cases, rather than displaying the standard 404 error, websites show a page formatted according to the look and feel of the website to inform the user that the requested page does not exist. Custom 404 error pages do not necessarily come with a server 404 status (Page not found), and therefore Acunetix WVS must be able to identify these pages automatically to tell a non-existent URL from a valid web page. Getting this wrong inflates the crawl and produces false positives from tests that infer the existence of files and directories from the response. The scan wizard will automatically try to detect whether the site uses custom error pages.
If it does, WVS displays the custom error page and automatically attempts to locate the unique identifier of such an error page; in this case Error 404: Page Not Found. If it does not detect custom 404 error pages but the site uses them, they have to be configured manually.
Note: Typically, most websites return a 404 status when a requested URL is not found. If you need to configure a custom 404 error page, refer to the section 'Settings > Scanner Settings > Custom 404 Pages' in the user manual.

Step 7: Select the Files and Directories to Scan

If the option 'After crawling let me choose the files to scan' was ticked in the crawling options, a window with the site structure opens once the crawl process is finished, from which you can select the files to scan and the ones to ignore.

Step 8: Completing the Scan

If you want to save the scan results to a database, enable 'Save scan results to the database for report generation'. Click on the 'Finish' button to start the scan. Depending on the size of the website a scan may take several hours!
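Step 5 describes three things the scanner needs for a form-based login: a recorded login sequence, the restricted (logout) link it must never follow, and an 'In Session' / 'Out of Session' regular expression that tells it whether a response still belongs to an authenticated session. The Python below is an added example (not Acunetix code) that implements that logic in a minimal authenticated crawler: detect_pattern does what the 'Detect' button has to do by finding a candidate expression that matches exactly one of the two states, is_restricted filters the logout link out of the crawl queue, and crawl replays the login whenever the pattern says the session has been lost. The FakeApp class and its pages are a constructed stand-in for a site whose session times out after a couple of requests; the URLs, page names and candidate expressions are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class SessionPattern:
    """The wizard's 'In Session' / 'Out of Session' pattern: a regular expression plus
    its type, which says whether a match means the session is alive or dead."""
    regex: str
    kind: str  # "in_session" or "out_of_session"

    def logged_in(self, body: str) -> bool:
        matched = re.search(self.regex, body, re.IGNORECASE) is not None
        return matched if self.kind == "in_session" else not matched


def detect_pattern(in_body: str, out_body: str,
                   candidates: Iterable[str]) -> Optional[SessionPattern]:
    """Find a candidate expression that matches exactly one of the two states.
    Returns None if nothing discriminates; the pattern must then be supplied by hand."""
    for rx in candidates:
        hit_in = re.search(rx, in_body, re.IGNORECASE) is not None
        hit_out = re.search(rx, out_body, re.IGNORECASE) is not None
        if hit_in and not hit_out:
            return SessionPattern(rx, "in_session")
        if hit_out and not hit_in:
            return SessionPattern(rx, "out_of_session")
    return None


def is_restricted(url: str, restricted: Iterable[str]) -> bool:
    """True if url is one of the recorded restricted (logout) links. Compared on
    path and query only, so the link is caught whether it appears relative or absolute."""
    def key(u: str) -> Tuple[str, str]:
        parts = urlsplit(u)
        return parts.path.rstrip("/") or "/", parts.query
    return any(key(r) == key(url) for r in restricted)


def crawl(start: str, fetch: Callable[[str], str], login: Callable[[], None],
          pattern: SessionPattern, restricted: Iterable[str],
          max_pages: int = 100) -> Tuple[List[str], int]:
    """Authenticated crawl: never follows restricted links, checks every response
    against the session pattern and replays the login sequence when it fails.
    Returns the visited URLs and how many re-logins were needed."""
    login()
    visited: List[str] = []
    queue = [start]
    relogins = 0
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        if url in visited or is_restricted(url, restricted):
            continue
        body = fetch(url)
        if not pattern.logged_in(body):          # session expired or was lost
            login()
            relogins += 1
            body = fetch(url)
            if not pattern.logged_in(body):
                raise RuntimeError(f"still out of session after re-login at {url}")
        visited.append(url)
        for href in re.findall(r'href="([^"]+)"', body):
            link = urljoin(url, href)
            if link not in visited and link not in queue:
                queue.append(link)
    return visited, relogins


# --- Constructed stand-in for a site with form login (not a real server) -------------
LOGIN_PAGE = ('<html><body><h2>Please sign in</h2><form action="/login.php" method="post">'
              '<input name="user"><input name="pass" type="password"></form></body></html>')
NAV = ('Logged in as admin <a href="/dashboard.php">Home</a> <a href="/profile.php">Profile</a> '
       '<a href="/orders.php">Orders</a> <a href="/logout.php">Logout</a>')
PAGES = {"/dashboard.php": "<h1>Dashboard</h1>", "/profile.php": "<h1>Profile</h1>",
         "/orders.php": "<h1>Orders</h1>"}


class FakeApp:
    """Session expires after `ttl` authenticated requests; /logout.php ends it at once."""
    def __init__(self, ttl: int = 2):
        self.ttl, self.logged_in, self.authed, self.logout_hits = ttl, False, 0, 0

    def login(self) -> None:                      # stands in for replaying the recorded sequence
        self.logged_in, self.authed = True, 0

    def fetch(self, url: str) -> str:
        path = urlsplit(url).path
        if path == "/logout.php":
            self.logged_in, self.logout_hits = False, self.logout_hits + 1
            return LOGIN_PAGE
        if not self.logged_in:
            return LOGIN_PAGE
        self.authed += 1
        if self.authed > self.ttl:                # simulated idle timeout
            self.logged_in = False
            return LOGIN_PAGE
        return f"<html><body>{NAV}{PAGES.get(path, '<h1>Not found</h1>')}</body></html>"


def demo() -> Tuple[SessionPattern, List[str], int]:
    """Detect a pattern from one logged-in and one logged-out response, then crawl."""
    app = FakeApp(ttl=2)
    app.login()
    in_body = app.fetch("http://example.test/dashboard.php")
    app.fetch("http://example.test/logout.php")
    out_body = app.fetch("http://example.test/dashboard.php")
    pattern = detect_pattern(in_body, out_body,
                             [r"logged in as \w+", r"logout", r"please sign in"])
    if pattern is None:
        raise RuntimeError("no candidate discriminates the two states; set the pattern by hand")
    visited, relogins = crawl("http://example.test/dashboard.php", app.fetch, app.login,
                              pattern, restricted=["http://example.test/logout.php"])
    return pattern, visited, relogins


if __name__ == "__main__":
    print(demo())
```

Two details are worth carrying over to the real wizard: the candidate list is tried in order, so put the most specific marker (a "Logged in as" banner) before generic ones such as "logout", and test the chosen pattern against a page that is genuinely out of session, since a pattern that matches both states silently turns the whole scan into an unauthenticated one.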
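Step 6 explains that a site may answer a non-existent URL with a 200 status and a branded error page, and that the scanner must find the unique identifier of that page (here Error 404: Page Not Found) to tell missing pages from real ones. The Python below is an added example (not Acunetix code) of how such a detector can be built: it requests two random paths and one page known to exist, keeps the response lines the two error pages share but the real page lacks, and uses the longest of them as the identifier; if the random paths return a real 404 status there is nothing to configure, and if no distinctive line exists the caller is told to configure the page by hand, which is the manual case the guide mentions. The three sample sites at the bottom are constructed in memory, and the line-based comparison is an assumption of the example rather than the product's own method.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, str]]   # fetch(path) -> (HTTP status, response body)


def random_path(length: int = 16) -> str:
    """A path no real site should serve, generated fresh for each probe."""
    return "/" + secrets.token_hex(length // 2) + ".html"


def distinctive_lines(probe_a: str, probe_b: str, known_good: str) -> List[str]:
    """Lines shared by both error probes but absent from a page that does exist.
    Shared template lines (header, footer) drop out through the known-good comparison;
    lines that embed the requested path differ between probes and drop out by themselves."""
    in_b = {line.strip() for line in probe_b.splitlines()}
    in_good = {line.strip() for line in known_good.splitlines()}
    out: List[str] = []
    for line in probe_a.splitlines():
        s = line.strip()
        if s and s in in_b and s not in in_good and s not in out:
            out.append(s)
    return out


class NotFoundDetector:
    """Fetch two random paths and a known page, then decide whether 'not found' is
    signalled by the status code, by a custom page with a recognisable identifier,
    or by nothing detectable (manual configuration needed)."""

    def __init__(self, fetch: Fetch, start_path: str = "/"):
        self.fetch = fetch
        self.start_path = start_path
        self.mode: Optional[str] = None        # "status", "custom" or None
        self.identifier: Optional[str] = None

    def calibrate(self) -> Optional[str]:
        p1, p2 = random_path(), random_path()
        status1, body1 = self.fetch(p1)
        status2, body2 = self.fetch(p2)
        if status1 == 404 and status2 == 404:
            self.mode = "status"                # standard server 404, nothing to configure
        elif status1 == status2 and 200 <= status1 < 300:
            _, good = self.fetch(self.start_path)
            lines = distinctive_lines(body1, body2, good)
            if lines:
                self.identifier = max(lines, key=len)   # longest distinctive line
                self.mode = "custom"
            else:
                self.mode = None                # soft 404 with no marker: configure by hand
        else:
            self.mode = None                    # inconsistent answers (e.g. redirects): configure by hand
        return self.mode

    def is_not_found(self, status: int, body: str) -> bool:
        if status == 404:
            return True
        if self.mode == "custom" and self.identifier is not None:
            return self.identifier in body
        return False


# --- Constructed sample sites (in memory, no network) ---------------------------------
HOME = "<html><head><title>Shop</title></head><body>\n<h1>Welcome</h1>\n</body></html>"
CUSTOM_404 = ("<html><head><title>Shop</title></head><body>\n"
              "<h1>Error 404: Page Not Found</h1>\n<p>The page {path} does not exist.</p>\n"
              "</body></html>")


def site_with_custom_404(path: str) -> Tuple[int, str]:
    """Answers 200 for everything; unknown paths get a branded error page."""
    return (200, HOME) if path == "/" else (200, CUSTOM_404.format(path=path))


def site_with_standard_404(path: str) -> Tuple[int, str]:
    return (200, HOME) if path == "/" else (404, "Not Found")


def site_with_silent_soft_404(path: str) -> Tuple[int, str]:
    """Serves the home page for every unknown path: no status and no marker to key on."""
    return (200, HOME)


def calibrate_all() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Run the detector against the three sample sites and report what it decided."""
    results = {}
    for name, site in [("custom", site_with_custom_404),
                       ("standard", site_with_standard_404),
                       ("silent", site_with_silent_soft_404)]:
        det = NotFoundDetector(site)
        results[name] = (det.calibrate(), det.identifier)
    return results


if __name__ == "__main__":
    for name, (mode, ident) in calibrate_all().items():
        print(f"{name:8s} mode={mode} identifier={ident!r}")
```

The "silent" site is the case the guide says must be configured manually: nothing in the response distinguishes a missing page from the home page, so any automatic detector will report every probed path as present. When the wizard shows you the identifier it found, confirm it is the error text and not a navigation bar or footer that every page shares, which is what the known-good comparison above guards against.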