We’ve previously talked about the importance of web vulnerability scanners. We’ve also touched on some of the services Acunetix offers. But how does Acunetix compares with other web vulnerability scanners out there? Here’s a closer look.

Sucuri

Sucuri is a free malware and security scanner. The website allows you to do a quick test for malware, blacklisting status, injected SPAM, etc. Just type in your website and Sucuri will list out any malware detections, injected scans, defacements, internal server errors, outdated backend for a website. It will also run the website through for any blacklistings including Google Safe Browsing, McAfee, Sucuri Labs, ESET, PhishTank, Tandex, Opera, etc.

If a user wishes for a complete scan, you can sign up on for the service on the website.

Qualys

This is an SSL Server Test. Qualys tests your website for any SSL/TLS misconfigurations and vulnerabilities. The service will offer you a detailed analysis including expiry day, overall rating, handshake simulation, protocol details, BEAST, cypher, etc.

Qualys also include a website vulnerability scanner. The Qualys free scanner includes issues such as OWASP web application auditing, missing software patches, and SCAP compliance.

Mozilla Observatory

Founded by the Mozilla Foundation, the Mozilla Observatory is an online vulnerability scanner. The tests under Mozilla Observatory are divided into 4 sections: HTTP Observatory, TLS Observatory, SSH Observatory, and Third-party tests. In other words, the tool validates against OWASP header security and best practices. Additionally, Mozilla Observatory performs third-party tests from High-Tech Bridge, SSL Labs, HSTS Preload, Security Headers, etc.

Detectify

Detectify essentially allows you to check with over 1,000 known vulnerabilities automatically. This will test your website against OWASP vulnerability tests and its built-in subdomain monitoring will analyse hostile attacks. Additionally, Detectifyenables you to integrate security scans with software like Zapier, Slack and Jira.

Detectify scans start with obtaining server information, then by crawling and fingerprinting. This is followed by exploitation tests and then the scan results afterwards.

Detectify comes in 3 pricing plans: Starter, Professional, and Enterprise. You can take up all 3 plans for a 14-day free trial, without having to use your credit card.

Intruder

The intruder is a cloud-based vulnerability scanner. This scanner offers bank and government-level security scanning engine. Intruder’s security checks cover missing patches, misconfigurations, SQL injection and XSS problems, CMS issues, etc.

Additionally, Intruder integrates with tools like Slack and Jira, and cloud providers AWS, GCP, Azure. The service is available for a 30-day free trial.

UpGuard

UpGuard includes a few types of tests,

1. Phishing and malware
2. Website risks
3. Network security
4. Email risks
5. Brand protection

The service is a free vulnerability scanner that tests against over 40 high severity security vulnerabilities and popular CVEs.UpGuard will scan for attacks such as man-in-the-middle attacks, cross-site attacks, email attacks, malware infections, domain hijacking attacks.

Probe.ly

This is a tool mainly built for developers and is meant to act as a virtual security specialist. Probe.ly is capable of operating OWASP Top 10 scans, check for PCI-DSS, ISO27001, HIPAA and even GDPR compliance.

Pentest-Tools

The service includes a comprehensive set of tools that covers information gathering, CMS testing, web application testing, infrastructure testing, and SSL testing.

Pentest-Tools will let you perform up to 2 free full scans. These reports include details about SQL inclusion, local file inclusion, XSS, and OS command injection vulnerabilities.

ScanMyServer

ScanMyServer is also a free tool that lets you search for common vulnerabilities. This will let you perform PHP code injection tests, check for XSS attacks, SQL and blind SQL injection attacks, HTTP header injection tests, etc.

To test this service, you would need to add an HTML badge on your website.

So what about Acunetix?

Hopefully, by now, you have a rough idea about the different types of web security scanner tools available. But what about Acunetix? What sets Acunetixapart from the rest? Here’s what you need to know.

In case you didn’t know already, Acunetix is an automated web application security testing tool. This allows you to audit web applications for a wide range of vulnerabilities.

How Acunetix works

AcunetixDeepScan performs an analysis across all links of a website. This includes links dynamically constructed via JavaScript, links found on robots.txt and sitemap.xml. The AcunetixAcuSensor Technology, on the other hand, will retrieve a list of files available in the web application directory. This will add the files not found by the crawler to the crawler output. AcuSensor also covers files that aren’t accessible from the internet such as web.config.

Once the crawling process completes, Acunetix essentially operates a series of vulnerability checks on each page. In other words, this attempts to emulate a hacker.

At the automated scan stage, Acunetix would analyse each page for areas that accept input data. Then, all possible input variations are tested.

Following the automated scan stage, the scan results are reported. This would include the list of vulnerabilities discovered. Each vulnerability result comes with details such as POST data used, affected item, HTTP response of the server, etc. If AcuSensor Technology is available, source code line number, stack trace/affected SQL query details are also listed out.

Of course, the scan results also include a recommendation on how to fix each of these vulnerabilities.

Acunetix also offers the option to generate various types of reports. These vary from Executive Summary report, Developer report, to various compliance reports such as PCI DSS/ISO 270001.

You can scan for specific vulnerabilities

Acunetix has over a few types of scans available. These include,

• Full scan: As implied, this performs a thorough, in-depth scan that would test for high, medium and low severity web application vulnerabilities
• High-risk vulnerabilities: Performs high impact, easily exploitable vulnerabilities
• XSS vulnerabilities: Tests against cross-site scripting vulnerabilities
• SQL Injection vulnerabilities: Tests against SQLi web application vulnerabilities
• Weak passwords: Performs test for weak or default web application passwords
• Crawl only: Performs a crawl. This locates links and inputs within a web application
• Malware scan: Checks the files processed for malware

Acunetix also comprises a network vulnerability scanning process. According to Acunetix, “As part of a website audit, the online version of Acunetix will execute a network security audit of the server hosting the website. This network security scan will identify any services running on the scanned server by running a port scan on the system. Acunetix will report the operating system and the software hosting the services detected. This process will also identify Trojans which might be lurking on the server.”

Regarding network scans, Acunetix includes a full network scan using safe checks and full network scan that includes invasive checks. Of course, you also have the option of performing custom scans.

There’s a lot more to it

Maybe you have been looking at web security for your enterprise for some time. Maybe you’re just keen on upgrading your current web security needs. Regardless, Acunetix is one tool that you would use to have in your toolkit.

If the above overview doesn’t convince you, then feel free to give us a buzz on info@c-yber.com or call us on (+372) 602 3532.

• Tags:
• Vulnerability