I’ve always been a fan of Acunetix Web Vulnerability Scanner. It’s a lesser-known tool that packs a big punch. One of its most redeeming qualities is its password checking. As I mentioned in this post, Acunetix Web Vulnerability Scanner took what was going to be a basic assessment of an Outlook Web Access system with very few findings up many notches into a true penetration of the system…all thanks to the built-in password checks it does by default.
I’ve since had other scenarios where it has done the same thing and left me wondering why are other scanners finding these holes!?
The scanner not only checks for weak Web passwords but also weak FTP, POP3, SMTP, and telnet, and others as well.
I’m still waiting for some good brute-force checks built into these tools (a la Brutus) and – especially – better handling of login forms. If/when this occurs I honestly think we could eliminate a huge chunk of the directly-exploitable Web flaws out there. In fact, I’m really surprised that other scanners aren’t doing more in this area.
I’m confident that many – if not most – Web sites/apps that are deemed “secure” are just one weak password away from getting hacked…the weak passwords are there, they’re just being overlooked. Unless and until we start seeing better password-cracking capabilities built into all mainstream Web vulnerability scanners this flaw will remain and surface its ugly head in any given system. It’s just a matter of time.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”