OK, it didn’t *just* get better…it’s been out for several months – but I’ve just now gotten a chance to really sit down with it and take it for a spin and write a post about it. I’m talking about Acunetix Web Vulnerability Scanner version 6.
NOTE BEFORE I BEGIN: I don’t do formal “reviews” but you know how excited I get over cool tools. I found something in this one that I thought you may benefit from…
What started out as an overly-simplistic scanner a few years ago has really become a contender in the Web vulnerability scanner market – especially for the price. In addition to rooting out a lot of XSS (even more than other tools can find), the latest version of Acunetix WVS can also check for blind SQL injection (something that’s pretty much impossible to do manually – at least within reason) and it also does a port scan of the Web system to check for other services that may be vulnerable.
In some scans I ran it found FTP, SSH, and Windows Terminal Services open…Good things to know – things that are a *big* oversight in Web security assessments. You can’t just look at layer 7 alone and assume you’ve done enough.
The graphic below doesn’t do it much justice but Acunetix WVS has a pretty nice interface and is as easy to use as any scanning tool I’ve come across.
I’ve always said that, in most situations, you get what you pay for and this tool supports my theory. It’s way better than any open source or freeware tool out there and really can hold its own with some of the bigger players.
If you already own one of the higher-end scanners but want to look at your Web systems from yet another perspective, then this would be a good route to go…a limited investment, and based on what I’ve seen comparing it to some other popular tools, you’re pretty much guaranteed to find new/different/bigger Web vulnerabilities. It worked for me. It won’t find everything (none of them will) but it finds a lot.
Now that I’ve painted a rosy picture there are a few things about the program I’m not crazy about:
All of that said, Acunetix WVS is still a very good, relatively fast Web vulnerability scanning tool – especially for the price. Check it out or tell others in your company about it…After all, it’s the Web – everyone has to check for vulnerabilities in some capacity these days…or at least they should be!