Acunetix displays vulnerability alerts and threats in real time throughout the scan. Before scanning a website or web application, Acunetix first crawls the website to find all available inputs and links that can be manipulated later during the scanning stage. However, some of these web security alerts are already reported during the early crawling stage.

During the crawling stage, the Crawler uses passive analysis to identify some threats of different severity, ranging from informational alerts to high-severity vulnerabilities, without invoking the scanner. For instance, the Crawler does not launch any parameter manipulation tests. While the target website is crawled, the Crawler sends a number of HTTP requests to the website and, from the responses, tries to identify links, input forms, and information that might be revealed in comments, cookie data, or browser security settings. Moreover, while crawling, it can identify whether the connection to the target server is secure or encrypted (HTTPS) when accessing sensitive data.

The following is a list of alerts (together with their severity) which the Crawler detects using passive analysis:

| Title | Severity |
|---|---|
| DOM-based Cross-site Scripting | High |
| HTTPS connection is using SSL version 2 | Medium |
| HTTPS connection with weak key length | Medium |
| Broken links | Info |
| Hidden form input named price was found | Low |
| File upload | Low |
| User credentials are sent in clear text | Low |
| Password type input with autocomplete enabled | Info |
| Insecure transition from HTTP to HTTPS in form post | Medium |
| Suspicious comment | Info |
| SQL Statement in comment | Low |
| Internet Explorer XSS Protection disabled on this page | Info |
| Content type is not specified | Info |
| Session token in URL | Low |
| Password field submitted using GET method | Low |
| Application error message | Medium |
| Sensitive page could be cached | Low |
| Unencrypted __VIEWSTATE parameter | Info |
| Session Cookie scoped to parent domain | Low |
| Session Cookie without HttpOnly flag set | Low |
| Session Cookie without Secure flag set | Low |
| HTML form without CSRF Protection | Medium |
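
The kind of passive check described above, as an added Python sketch that is not Acunetix's code: it inspects one already-received response for a few of the listed alerts without sending any test input. The session cookie names, the sample response, and the exact condition behind each alert title are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: cookie names treated as session cookies in this sketch.
SESSION_COOKIES = {"phpsessid", "jsessionid", "asp.net_sessionid"}

class FormAuditor(HTMLParser):
    """Reads form markup only; nothing is submitted or modified."""
    def __init__(self):
        super().__init__()
        self.method = None      # method of the form currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.method = a.get("method", "get")   # HTML forms default to GET
        elif tag == "input" and a.get("type") == "password":
            if a.get("autocomplete") != "off":
                self.findings.append("Password type input with autocomplete enabled")
            if self.method == "get":
                self.findings.append("Password field submitted using GET method")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name") == "price":
            self.findings.append("Hidden form input named price was found")

    def handle_endtag(self, tag):
        if tag == "form":
            self.method = None

def passive_findings(headers, body):
    """Return alert titles derived from one already-received response."""
    findings = []
    if not any(k.lower() == "content-type" for k, _ in headers):
        findings.append("Content type is not specified")
    for k, v in headers:
        parts = [p.strip() for p in v.split(";")]
        if k.lower() != "set-cookie" or parts[0].split("=")[0].lower() not in SESSION_COOKIES:
            continue
        flags = {p.split("=")[0].lower() for p in parts[1:]}   # cookie attributes
        for flag, label in (("httponly", "HttpOnly"), ("secure", "Secure")):
            if flag not in flags:
                findings.append(f"Session Cookie without {label} flag set")
    auditor = FormAuditor()
    auditor.feed(body)
    return findings + auditor.findings

# Constructed sample response for illustration (not from a real site).
SAMPLE_HEADERS = [("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"), ("Set-Cookie", "theme=dark")]
SAMPLE_BODY = ('<form method="GET" action="/login"><input type="hidden" name="price" '
               'value="10"><input type="password" name="pw"></form>')
```

Calling `passive_findings(SAMPLE_HEADERS, SAMPLE_BODY)` returns the alert titles raised by the constructed response; every check works on data the server already sent, which is why such alerts can appear before the scanning stage begins.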

THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.