Acunetix is an easy-to-use dynamic application security scanning tool for web applications and APIs.
Acunetix is one of the easiest web vulnerability scanning tools on the market.
We recommend Acunetix Premium to those who want to step up from "we run security scans from time to time" to the "Proactive Scanning" world.
Your scans will be scheduled and integrated into your issue ticketing system, so developers will receive issue tickets automatically.
In the meantime, let's make no mistake: Acunetix is not the best tool for manual penetration testing. However, it has one useful feature: the Business Logic Recorder.
Dynamic application security testing tools are great at instant action and at scaling up fast. But when it comes to steps in your application that require user actions, well, we are not there yet.
Think about an e-commerce website purchase flow:
Product page -> Add to basket -> Shipping Info -> Payment details -> Thank you.
A DAST tool cannot crawl these action-required steps by itself. It may try to access payment_details.php directly, but that will not work because the application requires a product to be added to the basket first.
You can use the Business Logic Recorder to make your scan smarter and more complete.
It works exactly like the Login Sequence Recorder: it captures your actions on the website and generates a macro, so the scanner can navigate through these forms by following your steps.
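The purchase flow above, worked through as an added example (this is not Acunetix code, nor any real shop's code): a toy server that enforces the checkout order with a server-side state check, a naive crawl that requests each URL in a fresh session and gets redirected, and a replay of a recorded sequence that rebuilds the required state before each scan request. The page names, the `RECORDED_MACRO` step list and the test inputs are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed checkout flow (page names are assumptions, not from any real shop):
# each step is reachable only after the previous one was completed in the session.
FLOW = ["product.php", "add_to_basket.php", "shipping_info.php",
        "payment_details.php", "thank_you.php"]


@dataclass
class Session:
    """Server-side session state: index of the furthest step completed so far."""
    stage: int = -1
    basket: List[str] = field(default_factory=list)


class ToyShop:
    """Toy application that enforces the flow order, the behaviour the article
    says makes payment_details.php unreachable by a direct request."""

    def request(self, session: Session, page: str,
                data: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
        if page not in FLOW:
            return 404, "Not Found"
        idx = FLOW.index(page)
        # Only the next step (or an already completed one) is allowed;
        # anything further ahead is bounced back to the product page.
        if idx > session.stage + 1:
            return 302, "/" + FLOW[0]
        if page == "add_to_basket.php":
            if not data or "sku" not in data:
                return 400, "sku required"
            session.basket.append(data["sku"])
        session.stage = max(session.stage, idx)
        return 200, page


def naive_crawl(shop: ToyShop) -> Dict[str, int]:
    """A crawler that discovered every URL and requests each one in a fresh
    session: only the first step answers 200, the rest are redirected."""
    return {page: shop.request(Session(), page)[0] for page in FLOW}


# Constructed "recorded macro": the clicks the tester made while recording,
# stopping one step before the page that is to be scanned.
RECORDED_MACRO: List[Tuple[str, Optional[Dict[str, str]]]] = [
    ("product.php", None),
    ("add_to_basket.php", {"sku": "SANTA-HAT-001"}),
    ("shipping_info.php", None),
]


def replay_then_scan(shop: ToyShop, macro, target_page: str,
                     test_inputs: List[str]) -> List[Tuple[str, int]]:
    """Replay the recorded steps to rebuild the required state, then send the
    scanner's own request to the target page. A fresh session per test input
    keeps one test case's state from leaking into the next."""
    results = []
    for value in test_inputs:
        session = Session()
        for page, data in macro:
            status, _ = shop.request(session, page, data)
            if status != 200:
                raise RuntimeError(f"macro step {page} failed with HTTP {status}")
        status, _ = shop.request(session, target_page, {"card_holder": value})
        results.append((value, status))
    return results


if __name__ == "__main__":
    shop = ToyShop()
    print("direct crawl:", naive_crawl(shop))
    print("with macro:  ", replay_then_scan(shop, RECORDED_MACRO,
                                            "payment_details.php",
                                            ["test-input-1", "test-input-2"]))
```

Two practical points the toy makes visible: the recorded sequence has to stop one step short of the page under test, otherwise the macro itself consumes the request you wanted to scan; and each test case should start from a fresh session, because a step that changes state (adding to the basket) would otherwise make later cases depend on earlier ones. The ordering check in `ToyShop.request` is the server-side control that makes the scanner's naive crawl fail in the first place, and it should stay in place regardless of how the scan is configured.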
We looked around on LinkedIn Jobs and found that there are 392 job positions worldwide that demand prior Acunetix experience.
That makes Acunetix the 5th most popular DAST tool worldwide.
| DAST Tools | USA | EU | Worldwide |
|---|---|---|---|
| Burp Suite | 941 | 150 | 1072 |
| HCL AppScan | 343 | 43 | 798 |
| Fortify WebInspect | 369 | 13 | 616 |
| OWASP ZAP | 230 | 38 | 392 |
| Acunetix | 109 | 36 | 271 |
Acunetix is developed in C++ and takes full advantage of low-level programming for speed.
According to Acunetix's own resources, an average scan takes between 2 and 4 hours.
Acunetix releases updates roughly monthly, and it can apply them automatically (Internet access required). You can follow the build history here:
Acunetix licensing is based on the number of targets (FQDNs), which is pretty much the DAST market standard.
The minimum purchase is 5 target licenses, enough to scan, for example, the targets below:
https://appsecsanta.com
https://api.appsecsanta.com
https://dev.appsecsanta.com
https://staging.appsecsanta.com
http://127.0.0.1/~appsecsanta/
It is a minimum two-year subscription, and you can pay annually.
Acunetix can integrate with most of the popular issue trackers and WAF products, and it also offers a REST API for custom integrations.
Issue Trackers: Github, Gitlab, JIRA, Azure DevOps (TFS), Azure DevOps Services, BugZilla, Mantis
Web Application Firewalls: F5 Big-IP ASM (Application Security Manager), Imperva SecureSphere WAF, Fortinet Fortiweb, AWS Web Application Firewall, Citrix Web App Firewall, Generic XML
Acunetix can generate reports from 2 main groups of templates:
Standard Reports: Affected Items, Comprehensive, Developer, Executive Summary and Quick.
Compliance Reports: CWE 2011, HIPAA, ISO 27001, NIST Special Publication 800-53, OWASP Top 10, PCI (not ASV), Sarbanes Oxley, STIG DISA, WASC Threat Classification
You can also export the found vulnerabilities in CSV, JSON and XML.
Anything I Missed?
So these are my favourite features in Acunetix.
And now I’d like to hear from you:
Is there any other feature that you love… but didn’t see in this article?
Or maybe you have a question.
Either way, let me know by leaving a comment below right now.
appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.