1
Acunetix Web Vulnerability Scanner
Introduction to Acunetix and Web Security
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner.
2
Company Overview
- Founded 2004
- Pioneer in Web Application Security
- Unique Technology - AcuSensor
- OWASP Member
- Award Winning Software
- Fortune 500 Customers
- License Holder of IBM Patent # 6,584,569

Acunetix is a pioneer in the web application security business. Founded in 2004, its technology was developed by networking and web security experts. Acunetix was founded to combat website hacking, which is on the rise, with the number of victims and the cost increasing every day. The Acunetix development team consists of highly experienced security developers who have each spent years developing network security scanning software prior to starting development on Acunetix WVS. Acunetix is an OWASP partner and its Acunetix Web Application Security Scanner has won many comparative reviews, including reviews by <name>. As an industry pioneer, Acunetix is a license holder of IBM patent #. This is important for Fortune 500 customers in order to be protected from potential lawsuits. Some web app scanners do not have this license, and this leaves the scan license holder open to potential lawsuits from IBM.
Input owasp, hipaa, pci logos?
3
Government Customers
- FAA
- US Coast Guard
- US Department of Energy
- National Weather Service
- NASA
- WHO
- South Yorkshire Police
- National Health Service UK
- Queensland Government
- US Geological Survey
- Saudi Food & Drug Authority

Acunetix Clients: Leading organizations worldwide choose Acunetix as their web scanner of choice, including the US Air Force, the US Army, Barclays Bank, Adidas, Levis, IBM, France Telecom and more. Acunetix is chosen because of its cutting edge technology and industry leadership.
4
Military Customers
- US Army
- US Air Force
- The Pentagon
- Taiwan Ministry of National Defense
- Korean People’s Army Air Force
- Norwegian Armed Forces
5
IT & Telecom Customers
- British Telecom
- Samsung
- Panasonic
- T-Mobile
- Siemens
- Nokia
- France Telecom
- Fujitsu
- Telstra
- Turk Telecom
- Skype
- Telefonica
6
Financial Customers
- Credit Suisse
- PricewaterhouseCoopers
- HSBC
- Bank of China
- ING
- Deloitte
- American Express
- Deutsche Bank
- Barclays Bank
7
Educational Customers
- American Naval War College
- Penn State University
- Columbia University Medical Center
- Potsdam University
- The Hong Kong Polytechnic University
- The University of Adelaide
- The Ohio State University
- University of Reading
- Victoria University
8
Other Clients
- Danone
- CERN
- Adidas
- Air New Zealand
- Qatar Airways
- AXA
- Canon
- Betfair
- Travelex
- Nikon
- Carrefour
- Hilton
- Lonely Planet
- Avis
- Sony
9
Why Web Application Security?
- Hackers concentrating on web applications
- Shopping carts and login pages at risk
- Web apps are publicly available 24/7
- Web apps are often custom made and therefore less tested
- Firewalls/network level defense provide no protection!
You must audit your web applications!
10
Why Hackers Hack
- Gain access to sensitive data (credit card data)
- Run phishing sites
- Run botnets
- Distribute illegal content
- Improve ranking
11
The Cost of Being Hacked
- Loss of customer confidence and thus revenue
- Loss of ability to accept VISA, MC, AMEX and PayPal
- Significant website downtime
- Cost of rebuilding website and server
- Loss of customer data can result in court cases
12
Famous Website Hacks (www.acunetix.com/blog)
- 11th April – Barracuda Networks SQL injection vulnerability despite web app firewall
- 27th March 2011 – MySQL.com SQL injection attack
- 4th July 2010 – YouTube hacked, Cross-Site Scripting (XSS) vulnerability
- 6th February 2010 – Kaspersky SQL injection vulnerability

Hackers are finding security holes in websites every day. Some of the hacks lead to site defacement, some lead to customers’ records being stolen, and others give hackers access to and control of hardware. It is also well known that custom made or in-house developed websites or web applications are more susceptible to attacks, since usually a lesser degree of testing is done compared to off-the-shelf software. Web servers are usually connected to big networks, as in a web server farm scenario, or they are part of the DMZ in an enterprise network. If a website is hacked, the hacker is one step away from gaining access to the whole network, including other internal servers and other network attached devices and computers. This shows the importance of securing a website or web application and not just the network around it.
13
Why Choose Acunetix Web Vulnerability Scanner?
Key Features and Unique Selling Points
14
Industry Leading Crawler
- State-of-the-art crawler technology
- Client Script Analyzer (CSA)
- A good crawler reduces false positives
- Web 2.0, JavaScript, jQuery and Ajax supported with the CSA engine
15
Industry Leading Crawler
- Detection of custom 404 pages
- Able to traverse login areas using the logon recorder
- Can handle CAPTCHA forms
- Supports single sign-on and security token mechanisms
- Understands the scope of a page and can act accordingly
- AcuSensor technology can find unlinked files too and can deal with URL rewriting rules
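Custom 404 detection is the crawler feature on this slide that most often goes unexplained: many sites answer unknown paths with HTTP 200 and an error template, so a crawler that trusts status codes alone will "discover" and then scan an endless set of phantom pages. The following is an added, self-contained illustration of the technique (not Acunetix code, and not a description of how AcuSensor implements it): it probes a few random paths to learn what "not found" looks like on the target, then classifies later responses by similarity to that baseline. The `fetch()` function and the `PAGES` dictionary are a constructed stand-in for a target site.

```python
import difflib
import secrets
import string
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-in for a target site: two real pages, one path that
# answers with a genuine 404, and a catch-all "custom 404" that returns
# HTTP 200 with an error template for everything else.
PAGES = {
    "/": "<html><body><h1>Demo shop</h1><p>Welcome to the demo shop.</p>"
         "<a href='/cart'>Your cart</a> <a href='/about'>About us</a></body></html>",
    "/cart": "<html><body><h1>Your cart</h1><ul><li>Blue mug x1</li>"
             "<li>Green tea x2</li></ul><p>Total: 14.00</p></body></html>",
}
REAL_404 = "/old-admin"


def fetch(path: str) -> Response:
    """Simulated HTTP GET (assumption: a real crawler would use an HTTP client here)."""
    if path in PAGES:
        return Response(200, PAGES[path])
    if path == REAL_404:
        return Response(404, "Not Found")
    # The error template echoes the requested path, so two "not found" bodies
    # are never byte-identical: the crawler has to compare them by similarity.
    return Response(200, f"<html><body><h1>Oops</h1><p>No page at {path}</p>"
                         "</body></html>")


def random_path(length: int = 16) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


class NotFoundDetector:
    """Learns what 'not found' looks like on this site by probing random paths."""

    def __init__(self, probes: int = 3, margin: float = 0.1):
        samples = [fetch(random_path()) for _ in range(probes)]
        self.status = samples[0].status
        self.bodies = [s.body for s in samples]
        # The probes differ only in the echoed path, so their mutual similarity
        # is the baseline; anything at least (baseline - margin) alike is a 404.
        baseline = min(similarity(self.bodies[0], b) for b in self.bodies[1:])
        self.threshold = baseline - margin

    def is_not_found(self, resp: Response) -> bool:
        if resp.status == 404:
            return True                      # the server said so itself
        if resp.status != self.status:
            return False                     # not the status the probes produced
        return max(similarity(resp.body, b) for b in self.bodies) >= self.threshold


def classify(paths):
    """Label each path 'page' or 'missing' the way a crawler would before scanning it."""
    det = NotFoundDetector()
    return {p: ("missing" if det.is_not_found(fetch(p)) else "page") for p in paths}
```

The baseline is learned per target rather than hard-coded, because the amount of variable content in an error template (echoed path, timestamps, request ids) differs from site to site; the margin absorbs that variation without letting genuinely different pages through.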
16
Acunetix AcuSensor Technology
- Combines black box scanning & source code analysis
- Analyzes code whilst it is executed!
17
Acunetix AcuSensor Technology
- Detection of more vulnerabilities
- Less false positives
- Find configuration issues in the web server or run time environment
18
AcuSensor Reports Advanced Debug Information
- Reports the SQL query vulnerable to SQL Injection, the POST variable, stack trace
- Pinpoint the line of code with the security issue thanks to AcuSensor Technology

The amount of debug information AcuSensor Technology reports helps the developer understand and solve the issue much quicker. It also trains developers in writing more secure code. Once a SQL injection is found, AcuSensor reports the source file using this query, the vulnerable SQL query and also the stack trace information to help troubleshoot and solve the issue. If a cross-site scripting vulnerability or directory traversal attack is found, AcuSensor Technology reports the source file which is vulnerable, the line number of the source code which leads to the vulnerability and also all related variables and calls.
19
AcuSensor Reports Advanced Debug Information
Indicates where in your code the vulnerability is
20
Lower False Positives
- Includes advanced techniques to verify vulnerabilities
- Analyzes response and fine-tunes attack
- AcuSensor does not rely on application feedback only
- Analyzes what the app does during execution
- Results in significantly lower false positives
Saves security officers and developers time!
21
Advanced SQL Injection
- Best in class SQL Injection Detection
- Comparative review confirmed that Acunetix detected many more SQL Injection vulnerabilities than other scanners
- Can do Blind SQL Injection checking
- AcuSensor checks all SQL statements, including SQL INSERT

Acunetix SQL injection detection is best in class. Unlike anti-virus or network security scanning, it is important for a web application security scanner to be able to intelligently scan for SQL injection issues and try out security issues in an innovative manner. It should also be able to perform blind SQL injection security scanning. Cross-site scripting is another important area. It is important for customers to understand that web application security is unlike anti-virus: it is not important how many security vulnerabilities the scanner can detect, but how many variations of the leading security vulnerabilities, SQL injection and cross-site scripting, it can detect.
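Slides 16 to 21 describe the AcuSensor idea (black-box probes combined with a sensor inside the running application that reports the exact SQL statement, the request variable, the source line and the stack trace) and this slide adds that the sensor checks every SQL statement. The block below is an added example of that runtime-sensor principle, written for this page; it is not Acunetix code and does not reproduce how AcuSensor is built. It assumes a Python application using `sqlite3`, a constructed probe value `PROBE`, and two constructed request handlers, one that concatenates the request variable into the query and one that binds it as a parameter. The sensor flags a statement only when a request value appears verbatim inside the SQL text, which is exactly the condition a parameterised query never meets, so the finding is verified by what the application actually executed rather than inferred from its HTTP response.

```python
import sqlite3
import traceback
from dataclasses import dataclass, field

# Constructed probe value sent by the black-box side of the scan. The quote is
# what breaks a query that was built by string concatenation.
PROBE = "acu'probe"


@dataclass
class Finding:
    query: str          # the SQL statement exactly as the application ran it
    parameter: str      # the request variable whose value landed inside it
    source_file: str
    line: int
    function: str
    stack: list = field(default_factory=list)


class SensorConnection:
    """Runtime sensor: wraps the DB connection inside the application and records
    every statement in which a request variable appears verbatim in the SQL text.
    A parameterised query never trips it, because the value travels in `params`."""

    def __init__(self, conn: sqlite3.Connection, form: dict):
        self.conn = conn
        self.form = form
        self.findings = []

    def execute(self, sql: str, params=()):
        hits = [name for name, value in self.form.items() if value and value in sql]
        if hits:
            frames = traceback.extract_stack()[:-1]   # drop this execute() frame
            caller = frames[-1]                       # application code that built the query
            self.findings.append(Finding(
                query=sql, parameter=hits[0],
                source_file=caller.filename, line=caller.lineno, function=caller.name,
                stack=[f"{f.filename}:{f.lineno} in {f.name}" for f in frames],
            ))
        return self.conn.execute(sql, params)


# Two constructed request handlers; only the first concatenates user input.
def vulnerable_lookup(db: SensorConnection, form: dict):
    sql = "SELECT id FROM users WHERE name = '" + form["user"] + "'"
    return db.execute(sql).fetchall()


def safe_lookup(db: SensorConnection, form: dict):
    return db.execute("SELECT id FROM users WHERE name = ?", (form["user"],)).fetchall()


def scan(handler) -> list:
    """Drive one handler with the probe, as the scanner would over HTTP, and
    return what the sensor saw. A DB error from the broken query is expected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    form = {"user": PROBE}
    db = SensorConnection(conn, form)
    try:
        handler(db, form)
    except sqlite3.Error:
        pass                      # the concatenated query fails to parse; that is the symptom
    return db.findings
```

Because the sensor sits on the database call, it sees INSERT and UPDATE statements as readily as SELECTs, and it records the finding whether or not the broken query produced any visible difference in the page, which is what lets this approach cut false positives and false negatives at the same time.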
22
Advanced Cross-Site Scripting
- Detects more Cross-Site Scripting (XSS) vulnerabilities
- Analyzes if characters are encoded or filtered
- Adapts analysis based on application response
- Uses a heuristic approach that focuses on hacking methods
- Does not launch fire-and-forget checks, which other scanners do
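The second and third bullets describe the core of a reflection analysis: rather than firing a payload and grepping for it, the scanner sends a marker and inspects, character by character, whether the dangerous characters came back raw, HTML-encoded or stripped, and only then decides what the application is actually vulnerable to. The block below is an added, illustrative implementation of that classification, not Acunetix code; it assumes a probe bracketed by two alphanumeric markers (`START`/`END`, constructed here) so that the reflected region can be isolated from the surrounding page, and three constructed page handlers that echo a search term in different ways.

```python
import html
import re

# Constructed probe: alphanumeric markers bracket the three characters whose
# fate decides the verdict, so the reflected region can be cut out precisely.
START, END = "acuxss", "ssxuca"
SPECIALS = '<">'
PROBE = START + SPECIALS + END
ENCODINGS = {"<": ("&lt;",), ">": ("&gt;",), '"': ("&quot;", "&#34;", "&#x22;")}


def analyze_reflection(body: str) -> dict:
    """For each probe character, report whether it came back raw, encoded or removed.
    Returns an empty dict when the probe is not reflected at all."""
    s = body.find(START)
    e = body.find(END, s) if s >= 0 else -1
    if s < 0 or e < 0:
        return {}
    middle = body[s + len(START):e]
    result = {}
    for ch in SPECIALS:
        if ch in middle:
            result[ch] = "raw"
        elif any(enc in middle for enc in ENCODINGS[ch]):
            result[ch] = "encoded"
        else:
            result[ch] = "removed"
    return result


def verdict(body: str) -> str:
    """Collapse the per-character analysis into the decision a scanner acts on."""
    r = analyze_reflection(body)
    if not r:
        return "not_reflected"
    if all(v == "encoded" for v in r.values()):
        return "encoded"                    # output encoding is doing its job
    if all(v == "removed" for v in r.values()):
        return "filtered"                   # characters stripped; no injection possible here
    return "reflected_unencoded"            # at least one dangerous character survives


# Constructed sample handlers: the same page echoing a search term four ways.
def page_raw(q: str) -> str:
    return f"<p>Results for {q}</p>"


def page_escaped(q: str) -> str:
    return f"<p>Results for {html.escape(q)}</p>"


def page_stripped(q: str) -> str:
    cleaned = re.sub(r'[<>"]', "", q)
    return f"<p>Results for {cleaned}</p>"


def page_partial(q: str) -> str:
    cleaned = re.sub(r"[<>]", "", q)        # strips angle brackets but leaves quotes
    return f"<p>Results for {cleaned}</p>"
```

The per-character result is what makes the check adaptive: `page_partial` shows a site that defeats tag injection but still reflects a raw double quote, a case a simple "did my payload come back" check would misreport in one direction or the other. The fix in every raw case is the same and is the one `page_escaped` shows: context-appropriate output encoding at the point of rendering.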
23
User Friendly Interface
- All tools integrated in a single, easy to use GUI

Acunetix Web Vulnerability Scanner is built on cutting edge technology that allows both automated and manual audits. With the automated scan, one can start scanning a website in a matter of seconds. It also helps save time in the process of securing the website or web application. If you are a beginner in web security, the Acunetix WVS friendly wizard helps you get started. In addition, Acunetix WVS also includes a suite of manual tools for further manual testing. Having a user friendly interface, Acunetix WVS makes web security easy for everyone. In a matter of seconds an inexperienced user can launch a scan and start securing a web application.
24
Easy Configuration, Little Tuning
- Custom 404 detection
- Automatic detection of technologies used (PHP, ASP etc.)
- Point and click configuration of authenticated areas
- Easily configure how to traverse CAPTCHAs
- Manually scan a page and submit it to the scanner for analysis
25
Advanced Penetration Testing Tools
Includes advanced penetration testing tools:
- HTTP Editor
- HTTP Sniffer
- HTTP Fuzzer
- Authentication Tester
- Blind SQL Injector

This suite of advanced penetration testing tools is available to help penetration testers and security experts facilitate the manual audit process which takes place while securing a web application or website. An automated scanner does not always cover all security tests of a target website or web application; it depends on a lot of factors. Using this suite of tools, a penetration tester or security expert can run his own tests against the target, and also automate some of the manual audit procedures, thus saving valuable time.
HTTP Editor: The HTTP Editor tool allows you to create, analyze and edit client HTTP requests and server responses.
HTTP Sniffer: The HTTP Sniffer tool is a proxy server which allows you to capture, edit and filter requests made between a web client (browser or other HTTP application) and a web server, or vice versa. This can also be used to crawl parts of a website or web application manually.
HTTP Fuzzer: Using the HTTP Fuzzer, a rule can be created to automatically replace a part of a URL with a number, character or any other type of generator. Only valid results will be reported. This gives the advantage of quickly testing 1000 queries while significantly reducing the amount of time and manual input.
Blind SQL Injector: Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool. Using SQL injections found when scanning a website and importing them into this tool, one can see what a serious impact an SQL injection can have on the website.
Authentication Tester: The Authentication Tester is a tool used to test the strength of passwords within HTTP or HTML forms authentication environments via a dictionary attack. This helps in automating some processing where human intervention cannot be faster.
26
Powerful Reporting
For developers, managers or compliance
Legal and Compliance reports:
- PCI
- HIPAA
- Sarbanes-Oxley
Security Standards:
- OWASP Top 10
- CWE/SANS Top 25
- DISA
- NIST
- Web Application Security Consortium

The Reporter: For every vulnerability reported, an extensive amount of detail is presented to the user to help him understand what the vulnerability is, the impact of the vulnerability and what is leading to such a vulnerability. This also helps developers who are not familiar with web security to trace the vulnerability and fix it in the shortest time possible. Using AcuSensor technology, the report even shows which line in the code is vulnerable or the SQL query vulnerable to SQL injection, including the stack trace. From the selection of already available templates in the Reporter, one can generate any of the following report styles:
- Detailed scan report: all scan details including solution tips are in the report
- Developer report: a report targeted at developers to help them fix issues in the website or web application quickly
- Executive report: a report targeted at executives, giving them a summary of the status of their web application or website security
- Compliance report: from these report templates one can generate PCI, OWASP, WASC, HIPAA and other compliance reports
- Scan comparison report: use this report to compare 2 scans of the same target
- Monthly vulnerabilities report: use this report to see vulnerability trends by month and vulnerability group
Reports can also be exported to other formats to share with colleagues, such as PDF, Word document, HTML and more. The reports can also be modified to add a company logo and to change the page setup (available in the Consultant version only).
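The scan comparison and monthly vulnerabilities reports described above both hinge on one design decision: what makes a finding in one scan "the same" as a finding in another, so that it can be counted as new, fixed or persisting. The block below is an added example of that logic, written for this page and not taken from the Acunetix Reporter; the `Finding` fields and the two constructed scans are assumptions chosen to illustrate it.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    kind: str        # vulnerability class, e.g. "SQL injection"
    group: str       # reporting group, e.g. "High"
    url: str
    parameter: str

    def key(self):
        # Identity of a finding across scans of one target: the same class on the
        # same URL and parameter. Severity is deliberately left out so that a
        # re-rated finding still counts as persisting rather than new + fixed.
        return (self.kind, self.url, self.parameter)


def compare_scans(old, new) -> dict:
    """Scan comparison report: findings that are new, fixed, or still present."""
    old_by = {f.key(): f for f in old}
    new_by = {f.key(): f for f in new}
    return {
        "new": sorted(k for k in new_by if k not in old_by),
        "fixed": sorted(k for k in old_by if k not in new_by),
        "persisting": sorted(k for k in new_by if k in old_by),
    }


def monthly_trend(scans) -> dict:
    """Monthly vulnerabilities report: number of findings per (month, group)."""
    counts = Counter()
    for day, findings in scans:
        for f in findings:
            counts[(day.strftime("%Y-%m"), f.group)] += 1
    return dict(counts)


# Constructed sample scans of one target, one month apart.
SCAN_MARCH = (date(2011, 3, 1), [
    Finding("SQL injection", "High", "/login.php", "user"),
    Finding("Cross-site scripting", "High", "/search.php", "q"),
    Finding("Directory listing", "Low", "/images/", ""),
])
SCAN_APRIL = (date(2011, 4, 1), [
    Finding("Cross-site scripting", "Medium", "/search.php", "q"),   # re-rated, not new
    Finding("Directory listing", "Low", "/images/", ""),
    Finding("Cross-site scripting", "High", "/contact.php", "name"),
])
```

Keying on class, URL and parameter rather than on the full record is what keeps the comparison honest: a finding whose severity was reassessed between scans shows up as persisting, and only a genuinely new location or parameter counts as a regression.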
27
Detailed Vulnerability Fixing Suggestions
Includes detailed vulnerability fixing suggestions:
- Detailed description
- Links to articles
28
Competitive Pricing (http://www.acunetix.com/ordering/pricing.htm)
- Competitively priced
- Starting from only €995
- Available in 5 editions:
  - Small Business Edition: 1 nominated website
  - Enterprise Edition: Unlimited websites
  - Enterprise Edition x10 Instances: Unlimited websites
  - Consultant Edition: Unlimited websites
  - Consultant Edition x10 Instances: Unlimited websites

Acunetix is very competitively priced compared to competing products: because the company is able to sell volume, it is able to sell licenses at approximately 60 percent of the cost of comparable solutions. Pricing starts from €995 / $1445. Acunetix is available in 3 versions: a Small Business version which scans one designated website, an Enterprise edition which can scan an unlimited number of sites, and a Consultant version which allows you to scan sites for customers. Additional pricing information at
29
Thank You
- Acunetix Blog: http://www.acunetix.com/blog
- Acunetix Facebook Page
- List of Checks Run by Acunetix WVS
For more information and to download Acunetix, visit our website at acunetix.com
Thank you