
Acunetix v12

Is Your Website Hackable?

www.acunetix.com
– Founded in 2004
– Pioneer in web application security
– Fully automated Black-box, Gray-box, Client-side and Out-of-band web application scanner with one consolidated view
– Depended on by SMEs and Enterprises the world over
– Fortune 100, 500 and 1000 customers

Product and Service Offering
Acunetix On Premise (Standard and Enterprise) and Acunetix Online (Enterprise)

– Black-box, Gray-box, Out-of-band testing
– Highly accurate, wide test coverage (4500+ web application vulnerabilities)
– Vulnerability Management
– Issue Tracker integration and WAF Virtual Patching
– No dependencies, easy to set up
– Web-based console
– Extensible, highly scalable

How it works and what’s new in v12

– Crawler analyzes entire Target starting from a URL, mapping out entire structure.
– Scanner then tests pages found for vulnerabilities.
– Reports on vulnerabilities found and provides remediation.

New in v12

– Support for latest JavaScript
– Scan speed up to 2X faster
– AcuSensor technology for Java
– Pause / Resume functionality
– Exclusion of locations from crawl
– Password Policy feature

Support for latest JavaScript (New in v12)

– Supports ES6 and ES7.
– Updated Acunetix DeepScan and the Acunetix Login Sequence Recorder.
– Better analysis of SPAs.
– Ahead of industry curve.

Scan speed up to 2X faster (New in v12)

– Fastest scanner in the industry.
– 50% decrease in scan time.
– Combined with multi-engine: 1000s of sites scanned in shortest time.

AcuSensor Technology for Java (New in v12)

– AcuSensor Technology for .NET, PHP and now Java!
– Improves website coverage.
– Better detection of vulnerabilities.
– Fewer False Positives.
– Provides additional information on vulnerabilities found.

Pause and Resume (New in v12)

– Ability to Pause a Scan.
– Resume Scan at a later stage.
– Acunetix proceeds with scan from where it left off.
– Information about paused scan automatically retained in Acunetix.

Exclude Paths (New in v12)

– Exclusion of specific paths directly from the UI.
– Eliminates need for complex regular expressions.

Inbuilt Vulnerability Management features

– Easily re-scan all Targets (stored in Acunetix with individual settings).
– Prioritize vulnerabilities by Target’s business criticality.
– Consolidated reports are stored in the central interface.
– Select “Target reports”, “Scan reports” or “All Vulnerabilities” report.

– Mark vulnerabilities as Fixed.
– Vulnerability Rediscovery lets you know that “fixed” vulnerabilities have been rediscovered.
– Continuous Scanning automatically runs a Quick Scan every day on a Target, and a Full Scan once a week.

Out-of-the-box WAF Virtual Patching

Acunetix can export accurate scan results to automatically configure the following Web Application Firewalls (WAFs):

– Imperva SecureSphere
– F5 BIG-IP Application Security Manager
– FortiWeb WAF

Out-of-the-box Issue-Tracker Integration

Acunetix can send vulnerabilities as issues to the following Issue Trackers:

– Atlassian JIRA Software
– GitHub
– Microsoft Team Foundation

Reporting

– Web-based interface allows multiple user access from browser irrespective of OS used.
– Easily generate a wide variety of management and compliance reports.
– OWASP Top 10, PCI DSS, ISO27001, HIPAA
– Results can be exported to XML

Role-based multi-user system

– Create multiple user accounts.
– Assign users to particular groups of targets.
– User can create, scan, and report on the targets assigned, depending on privileges.

Role-based multi-user

Tester, auditor, developer and manager users can work together on consolidated result data in one vulnerability management system.

Password Policy (New in v12)

– 2-Factor-Authentication (2FA) support.
– Password Policies for user accounts.

Acunetix Flagship Technologies

Acunetix DeepScan

Acunetix DeepScan

– WebKit, the world’s most widely used browser engine
– Crawl and scan HTML5 web applications
– Execute JavaScript like a real browser
– Complex client-side web applications (AngularJS, ReactJS, EmberJS…)
– DOM-based Cross-site Scripting
– Malicious URLs
– Popular CMSs (WordPress, Drupal, Joomla!)
– CRUD requests, JSON, XML, GWT, AJAX
– WSDL/SOAP, WCF/SOAP and WADL/REST

Over 65% of Customers Scan Single-Page Apps
47% found DOM-based XSS vulnerabilities using DeepScan

Acunetix AcuMonitor

Acunetix AcuMonitor

– Automatic Out-of-band vulnerability detection
– Blind Cross-site Scripting (BXSS / Delayed XSS)
– XML External Entity Injection (XXE)
– Server Side Request Forgery (SSRF)
– Out-of-Band SQL Injection (OOB SQLi)
– Out-of-Band Remote Code Execution (OOB RCE)
– Host Header Injection
– Email Header Injection
– Password Reset Poisoning

Acunetix AcuMonitor

– Hunting for XXE in Uber using Acunetix AcuMonitor
– Blind Cross-site Scripting (BXSS / Delayed XSS), used to automatically:
– Crawled the REST API endpoint
– Figured out POST vs GET
– Submitted XML even though App returns JSON
– Tests Blind OOB XXE using AcuMonitor
– No separate HTTP server
– No manual sifting of logs
– 26 different Uber domains affected (found using Google Hacking)

https://www.acunetix.com/blog/articles/hunting-xxe-uber-using-acunetix-acumonitor/

Acunetix AcuSensor

Acunetix AcuSensor

– Enables the scanner to run a gray-box scan
– AcuSensor component inspects the source code of a web application whilst it is in execution
– Shows vulnerable source code line number
– Shows vulnerable source code stack trace
– Shows vulnerable SQL queries
– 100% backend crawl coverage
– 100% verification of 12+ high-severity vulnerabilities
– Analyze server configuration for vulnerabilities

Vulnerable SQL query example: mysqli_query($conn, $sql)

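As an added illustration (not code from the Acunetix deck or product), the query-construction pattern a gray-box sensor flags at the mysqli_query($conn, $sql) call, beside the prepared-statement form it would not flag. The table and column names (users, id, username) and the connection details are assumptions.

```php
<?php
// Added example (not from the Acunetix slides): the query pattern a gray-box
// sensor flags at the mysqli_query($conn, $sql) call, beside the prepared-
// statement form. Table and column names (users, id, username) are assumed.

// Vulnerable form: $sql is built by concatenation, so a tainted request value
// reaches mysqli_query() as part of the query text. A source-code sensor can
// report this exact line, the final query string and the stack trace to it.
function find_user_vulnerable(mysqli $conn, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $result = mysqli_query($conn, $sql);          // flagged: user data in $sql
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return $row ?: null;
}

// Fixed form: the statement is parsed with a placeholder before any data is
// bound, so the bound value can only ever be data, never query structure.
function find_user_fixed(mysqli $conn, string $username): ?array
{
    $stmt = mysqli_prepare($conn, "SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $username); // 's' = bind as string
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result === false ? null : $result->fetch_assoc();
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Usage; connection details are placeholders for a local test database.
$conn = mysqli_connect('127.0.0.1', 'app_user', 'app_password', 'appdb');
if ($conn === false) {
    exit('connect failed: ' . mysqli_connect_error());
}
var_dump(find_user_fixed($conn, $_GET['username'] ?? ''));
```

The only difference a sensor sees between the two functions is whether request data is part of the query text handed to the driver or bound separately after parsing.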
Acunetix AcuSensor (100% Verified)

– Arbitrary File Creation
– Arbitrary File Deletion
– Code Execution
– CRLF Injection
– Directory Traversal
– Email Injection
– File Inclusion
– File Tampering
– File Upload
– PHP Code Injection
– PHP SuperGlobals Overwrite
– PHP User Controlled Vulnerabilities
– Reflected and Stored XSS
– SQL Injection

AcuSensor is used by over 30% of Customers
Included as standard in Acunetix

Acunetix Partner Program

– Performance-based resale margin
– Access to free NFR & POCs
– Telephone & Email support
– Training videos, Documentation, Webinars, Blog
– Listing on the Acunetix partner page
– Access to leads
– Strong recurrent revenue opportunity

Acunetix Academy

Partners and Licensed Users can get Acunetix certified

– Win customer confidence
– Earn more from service revenue
– Get listed on the Acunetix website

Questions? Thank You
sales@acunetix.com
support@acunetix.com

Is Your Website Hackable?