Acunetix - Easy to use Web Vulnerability Scanner

Summary

Acunetix is easy to use dynamic application security scanning tool to scan web applications and API's.

6 min read

Acunetix Scan Result

What is Acunetix?

Acunetix is one of the easiest web vulnerability scanning tools in the market.

We recommend Acunetix Premium to those who want to step up from “we are having security scans time to time” to the “Proactive Scanning” world.

Acunetix Dashboard

Your scans will be scheduled and integrated into your issue ticketing system, so developers will get issue tickets automatically.

 

In the meantime let's make no mistake, Acunetix is not the best for manual penetration testing, however, it has one useful feature: Business Logic Recorder.

Acunetix Business Logic Recorder

Dynamic application security tools are great at instant action and scaling up fast. But when it comes to action required steps in your applications, well we are not there yet.

 

Think about an e-commerce website purchase flow:

 

Product page -> Add to basket -> Shipping Info -> Payment details -> Thank you.

 

A dast tool can not crawl these action required steps by itself. It may try to access payment_details.php but it will not work because the application will require first adding a product to the basket.

 

You can use Business Logic Recorder to make your scan smarter and more complete.

 

It works exactly like Login Sequence Recorder and basically captures your actions on the website and generates a macro, so it can navigate through these forms by following your steps.

How popular Acunetix is?

We have looked around in LinkedIn jobs and found that there is 392 job position worldwide that demands prior Acunetix experience.

 

It makes Acunetix the 5th most popular DAST tool worldwide.

DAST ToolsUSAEUWorldwide
Burp Suite9411501072
HCL AppScan34343798
Fortify WebInspect36913616
OWASP ZAP23038392
Acunetix10936271

Is Acunetix fast?

Acunetix is developed in C++ and uses all the benefits of low-level programming for speed.

 

According to Acunetix ‘s own resources, an average scan takes between 2-4 hours.

Acunetix Scanning Speed

How often is Acunetix updated?

Acunetix has monthly updates on average and it can do it automatically. (Internet access) You can follow up on the build history here:

 

https://www.acunetix.com/support/build-history/

Acunetix Build History

How is Acunetix pricing work?

Acunetix licensing works based on the number of targets (FQDN) as pretty much DAST market standard.

 

You can buy minimum 5 target licenses to scan the targets below:

 

https://appsecsanta.com
https://api.appsecsanta.com
https://dev.appsecsanta.com
https://staging.appsecsanta.com
http://127.0.0.1/~appsecsanta/


It is a minimum two years subscription, and you can pay annually.

Acunetix Pricing

What integrations does Acunetix support?

Acunetix can integrate with most of the popular Issue trackers and WAF tools, and also offers a REST API for custom integrations.

 

Issue Trackers: Github, Gitlab, JIRA, Azure DevOps (TFS), Azure DevOps Services, BugZilla, Mantis

 

Web Application Firewalls: F5 Big-IP ASM (Application Security Manager), Imperva SecureSphere WAF, Fortinet Fortiweb, AWS Web Application Firewall, Citrix Web App Firewall, Generic XML

Acunetix Integrations

What kind of reports can Acunetix generate?

Acunetix can generate reports in 2 main templates:

 

Standard Reports: Affected Items, Comprehensive, Developer, Executive Summary and Quick.

 

Compliance Reports: CWE 2011, HIPAA, ISO 27001, NIST Special Publication 800-53, OWASP Top 10, PCI (not ASV), Sarbanes Oxley, STIG DISA, WASC Threat Classification

 

You can also export the found vulnerabilities in CSV, JSON and XML.

Anything I Missed?

Acunetix Reports

So these are my favourite features in Acunetix.

 

And now I’d like to hear from you:

 

Is there any other feature that you love… but didn’t see in this article?

 

Or maybe you have a question.

 

Either way, let me know by leaving a comment below right now.

On this page:

Leave a Reply

Your email address will not be published.