All-in-One Website Security Scanner Find and detect vulnerabilities at the earliest stage using Acunetix automated web vulnerability scannerFind vulnerabilities in your websites and web APIs Find vulnerabilities in your websites and web APIs Highest detection rating of over 4500 vulnerabilities in custom, commercial, and open source apps with nearly 0% false positives. AcuSensor (IAST) allows you to find and test hidden inputs not discovered during black-box scanning (DAST) Advanced Crawling & Authentication support gives you the ability to crawl JavaScript websites and SPAs

1. www.acunetix.com
Acunetix v12
Is Your Website Hackable?

2. – Founded in 2004
– Pioneer in web application security
– Fully automated Black-box, Gray-
box, Client-side and Out-of-band
web application scanner with one
consolidated view
– Depended on by SMEs and
Enterprises the world over
– Fortune 100, 500 and 1000 customers
www.acunetix.com

3. Product and Service Offering
Acunetix On Premise (Standard and Enterprise)
and Acunetix Online (Enterprise)
– Black-box, Gray-box, Out-of-band testing
– Highly accurate, wide test coverage (4500+ web
application vulnerabilities)
– Vulnerability Management
– Issue Tracker integration and WAF Virtual Patching
– No dependencies, easy to set-up
– Web-based console
– Extensible, highly scalable
www.acunetix.com

4. How it works and what’s
new in v12
www.acunetix.com

5. www.acunetix.com
– Crawler analyzes entire Target starting from
a URL, mapping out entire structure.
– Scanner then tests pages found for
vulnerabilities.
– Reports on vulnerabilities found and
provides remediation
New in v12
– Support for latest JavaScript
– Scan speed up to 2X faster
– AcuSensor technology for JAVA
– Pause / Resume functionality
– Exclusion of locations from crawl
– Password Policy feature

6. www.acunetix.com
Support for latest JavaScript
(New in v12)
– Supports ES6 and ES7.
– Updated Acunetix DeepScan
and the Acunetix Login
Sequence Recorder.
– Better analysis of SPAs.
– Ahead of industry curve.

7. www.acunetix.com
Scan speed up to 2X faster (new
in v12)
– Fastest scanner in the industry.
– 50% decrease in scan time.
– Combined with multi-engine –
1000s of sites scanned in
shortest time.

8. www.acunetix.com
AcuSensor Technology for Java
(new in v12)
– AcuSensor Technology for .NET,
PHP and now JAVA!
– Improves website coverage.
– Better detection of
vulnerabilities.
– Fewer False Positives.
– Provides additional information
on vulnerabilities found.

9. www.acunetix.com
Pause and Resume (New in v12)
– Ability to Pause a Scan.
– Resume Scan at a later stage.
– Acunetix proceeds with scan
from where it left off.
– Information about paused scan
automatically retained in
Acunetix.

10. www.acunetix.com
Exclude Paths (New in v12)
– Exclusion of specific paths
directly from the UI.
– Eliminates need for complex
regular expressions

11. www.acunetix.com
Inbuilt Vulnerability
Management features
– Easily re-scan all Targets (stored in
Acunetix with individual settings).
– Prioritize vulnerabilities by Target’s
business criticality.
– Consolidated reports are stored in the
central interface.
– Select “Target reports”, “Scan reports” or
“All Vulnerabilities” report.

12. www.acunetix.com
– Mark vulnerabilities as Fixed
– Vulnerability Rediscovery let’s you
know that “fixed” vulnerabilities have
been rediscovered
– Continuous Scanning automatically
runs a Quick Scan every day on a
Target, and a Full Scan once a week

13. www.acunetix.com
Out-of-the-box WAF Virtual Patching
Acunetix can export accurate scan results
to automatically configure the following
Web Application Firewalls (WAFs):
– Imperva SecureSphere,
– F5 BIG-IP Application Security Manager
– FortiWeb WAF

14. www.acunetix.com
Out-of-the-box Issue-Tracker
Integration
Acunetix can send vulnerabilities as issues
to the following Issue Trackers:
– Atlassian JIRA Software
– GitHub
– Microsoft Team Foundation

15. www.acunetix.com
Reporting
– Web-based interface allows multiple user
access from browser irrespective of OS
used.
– Easily generate a wide variety of
management and compliance reports.
– OWASP Top 10, PCI DSS, ISO27001, HIPAA
– Results can be exported to XML

16. www.acunetix.com
Role-based multi-user system
– Create multiple user accounts.
– Assign users to particular
groups of targets.
– User can create, scan, and
report on the targets assigned,
depending on privileges.

17. www.acunetix.com
Role-based multi-user
Tester, auditor, developer and manager users can work together on
consolidated result data in one vulnerability management system.

18. www.acunetix.com
Password Policy (New in v12)
– 2-Factor-Authentication (2FA)
support.
– Password Policies for user
accounts.

19. Acunetix Flagship Technologies
www.acunetix.com

20. Acunetix DeepScan
www.acunetix.com

21. Acunetix DeepScan
– WebKit, the world’s most widely used browser
engine
– Crawl and scan HTML5 web applications
– Execute JavaScript like a real browser
– Complex client-side web applications
(AngularJS, ReactJS, EmberJS…)
– DOM-based Cross-site Scripting
– Malicious URLs
– Popular CMSs (WordPress, Drupal, Joomla!)
– CRUD requests, JSON, XML, GWT, AJAX,
– WSDL/SOAP, WCF/SOAP and WADL/REST
www.acunetix.com

22. Over 65% of Customers
Scan Single-Page Apps
47% found DOM-based XSS vulnerabilities using DeepScan
www.acunetix.com

23. Acunetix AcuMonitor
www.acunetix.com

24. Acunetix AcuMonitor
– Automatic Out-of-band vulnerability detection
– Blind Cross-site Scripting (BXSS / Delayed XSS)
– XML External Entity Injection (XXE)
– Server Side Request Forgery (SSRF)
– Out-of-Band SQL Injection (OOB SQLi)
– Out-of-Band Remote Code Execution (OOB RCE)
– Host Header Injection
– Email Header Injection
– Password Reset Poisoning
www.acunetix.com

25. Acunetix AcuMonitor
– Hunting for XXE in Uber using Acunetix
AcuMonitor Blind Cross-site Scripting (BXSS / Delayed
XSS) to automatically
– Crawled the REST API endpoint
– Figured out POST vs GET
– Submitted XML even though App returns JSON
– Tests Blind OOB XXE using AcuMonitor
– No separate HTTP server
– No manual sifting of logs
– 26 different Uber domains affected (found using
Google Hacking)
www.acunetix.com
https://www.acunetix.com/blog/articles/hunting-xxe-uber-using-acunetix-acumonitor/

26. Acunetix AcuSensor
www.acunetix.com

27. Acunetix AcuSensor
– Enables the scanner to run a gray-box scan
– AcuSensor component inspects the source code
of a web application whilst it is in execution
– Shows vulnerable source code line number
– Shows vulnerable source code stack trace
– Shows vulnerable SQL queries
– 100% backend crawl coverage
– 100% verification of 12+ high-severity vulnerabilities
– Analyze server configuration for vulnerabilities
www.acunetix.com
mysqli_query($conn, $sql)

28. Acunetix AcuSensor (100% Verified)
– Arbitrary File Creation
– Arbitrary File Deletion
– Code Execution
– CRLF Injection
– Directory Traversal
– Email Injection
– File Inclusion
– File Tampering
– File Upload
– PHP Code Injection
– PHP SuperGlobals Overwrite
– PHP User Controlled Vulnerabilities
– Reflected and Stored XSS
– SQL Injection
www.acunetix.com

29. AcuSensor is used by
over 30% of Customers
Included as standard in Acunetix
www.acunetix.com

30. Acunetix Partner Program
– Performance-based resale margin
– Access to free NFR & POCs
– Telephone & Email support
– Training videos, Documentation, Webinars, Blog
– Listing on the Acunetix partner page
– Access to leads
– Strong recurrent revenue opportunity
www.acunetix.com

31. Acunetix Academy
Partners and Licensed Users can get
Acunetix certified
–Win customer confidence
–Earn more from service revenue
–Get listed on the Acunetix website
www.acunetix.com

32. www.acunetix.com
Thank You
Is Your Website Hackable?
Questions? sales@acunetix.com
support@acunetix.com