How To Use Acunetix WVS (Web Vulnerability Scanner) to scan websites? : Step-By-Step Tutorial
Vulnerability Scanning

How To Use Acunetix WVS (Web Vulnerability Scanner) to scan websites? : Step-By-Step Tutorial

Hello Hackers and Geeks , In this Article You are going to Know about one of the best Web Vulnerability Scanner i.e Acunetixso let’s go into it.


Acunetix Web Vulnerability Scanner is a robotized web application security testing instrument that reviews your web applications by checking for vulnerabilities like SQL Injection, Cross webpage scripting, and other exploitable vulnerabilities.

The should have the capacity to test applications inside and out and more remote than customary helplessness administration instruments do, has made a market with a few players in the Application Security space.

While Nessus/Nexpose are powerlessness administration (VM) instruments, Acunetix concentrates more on web application vulnerabilities and variations thereof, and improves work at recognition than customary VM devices.

It likewise gives moderation recommendations to the vulnerabilities – you can utilize that to build the security of the web application.

The scanner is super quick, it can slither a huge number of pages in only couple of minutes.


Site Crawler:

It gathers referrer pages, headers, and factors inside the pages.

On the off chance that the crawler is in the default mode, it will slither the entire site however you can confine the expansions on the off chance that you need.

Target Finder:

It is a port scanner that can discover sites running in a scope of given locations.

The scope of locations is not constrained and you can indicate which ports to look on keeping in mind the end goal to find sites on nonstandard ports.

It can likewise recognize the sort of the objective web server.

Subdomain Scanner:

It can recognize dynamic sub spaces of a top level area effectively.

It can be arranged to utilize the objective’s DNS server or whatever other DNS server determined by the client.

Daze SQL Injector:

This is a capable instrument that can identify databases and tables, dump information and furthermore read particular documents on the record arrangement of the web server if an exploitable SQL infusion is found.

It is a mechanized database information extraction apparatus, yet it additionally enables you to run custom SQL “Select” questions against the database.

HTTP Editor:

The HTTP Editor enables you to make, dissect, and alter customer HTTP solicitations and server reactions.

It additionally contains an encoding and unraveling instrument to encode/disentangle content and URL’s to MD5 hashes, UTF7 designs and numerous different arrangements.

HTTP Sniffer:

The HTTP Sniffer goes about as an intermediary and enables you to catch, inspect and change HTTP movement between a HTTP customer and a web server.

You can likewise empower, add or alter traps to catch activity before it is sent to the web server or back to the web customer.

It can enable you to break down how Session IDs are put away and how inputs are sent to the server, and modify any HTTP asks for being sent back to the server before they get sent.

It additionally enables you to explore through parts of the site which can’t be slithered consequently, and import the outcomes into the scanner to incorporate them in the mechanized sweep.

HTTP Fuzzer:

It empowers you to dispatch a progression of modern fluffing tests to review the web application’s treatment of invalid and sudden arbitrary information.

The HTTP Fuzzer additionally enables you to make include rules for additionally testing in Acunetix Web Vulnerability Scanner.

Verification Tester:

This is really a lexicon assault instrument that you can use to play out a word reference assault against login pages that utilization both HTTP (NTLM v1, NTLM v2, process) or frame based confirmation.

This instrument utilizes two predefined content documents containing a rundown of basic usernames and passwords.

You can add your own blends to these content records on the off chance that you need.

Web Services Scanner:

It enables you to dispatch computerized weakness checks against WSDL based Web Services.

Web Services Editor:

This instrument enables you to import an on the web or neighborhood WSDL for custom altering and execution of different web benefit operations over various port sorts for an indepth investigation of WSDL solicitations and reactions.

The supervisor likewise includes linguistic structure highlighting for all dialects to effortlessly alter SOAP headers and modify your own particular manual assaults.

 How to Use Acunetix

In the first place download and install Acunetix Web Vulnerability Scanner on your PC.


We initially need to reveal to Acunetix Web Vulnerability Scanner what webpage we’d get a kick out of the chance to examine

Acunetix WVS review 2

Next, we’ll have to choose a Scanning Profile. A Scanning Profile is a sensible gathering of tests that play out a particular gathering of tests.

This element enables you to redo what tests you need or don’t need Acunetix WVS to run.

You can look over the few implicit Scanning Profiles, or you can make custom Scanning Profiles that suit your particular necessities.

The Default Scanning Profile incorporates each test Acunetix Web Vulnerability Scanner can run.

Be that as it may, we should expect I’m just worried about high-hazard alarms, I can tweak the output to test for those vulnerabilities.

Acunetix WVS review 3

Filtering Profiles are by all account not the only approach to alter an output Scan Setting permits extremely granular control over your sweep.

Most clients won’t have to alter these settings since the defaults have been precisely chosen to provide food for by far most of sites and web applications.

In any case, since I happen to be associating with the web utilizing a HTTP intermediary, I’ll simply ahead and arrange that from here by tapping the Customize catch by the Scan Settings list box.

Acunetix WVS review 4

Should you require them, Acunetix WVS additionally has propelled alternatives you can use in the event that you require much more control over the pages you need the scanner creep and sweep.

You can choose which pages you need to prohibit from an output utilizing the After slithering let me pick the documents to examine choice, and even import comes about because of different apparatuses, for example, Portswigger’s BurpSuite and Telerik’s Fiddler, and obviously Acunetix WVS’ worked in HTTP Sniffer.

Acunetix WVS review 5

Being a discovery scanner, Acunetix WVS can examine any site or web application, paying little respect to the advances, or programming dialects it utilizes it basically tests a site or web application with no earlier information of how that webpage functions, much the same as a genuine assailant would.

Sweep Optimization:

Having said this, Acunetix Web Vulnerability Scanner has some shrewd traps up its sleeve to upgrade the output for a particular innovation.

Acunetix WVS will attempt to unique mark the web application with a specific end goal to distinguish the advances it is utilizing to eliminate the sweep time.

E.g. In case I’m trying a site fabricated utilizing PHP, there is no motivation to search for vulnerabilities that can just exist in ASP.NET applications.

Acunetix WVS review 6

Step by step instructions to Scan Password Protected Areas of a Website:

Since this site has a login page, we have to make a Login Sequence with a specific end goal to educate the scanner on the most proficient method to sign into the application.

This is a fundamental piece of the examining procedure, and something that is normally troublesome or dull to set-up legitimately with different scanners.

You can either endeavor to have the scanner sign in for you , or else you can make a Login Sequence physically.

Acunetix WVS review 7

Acunetix Web Vulnerability Scanner makes making a Login Sequence dead-simple, just experience your ordinary login procedure of marking into a record; you’ll see that your activities are being recorded.

The scanner will replay these activities to sign in amid the output.

Acunetix WVS review 8

You can likewise utilize the replay catch at the base left of the Login Sequence Recorder window to replay your activities just to ensure everything is working effectively.

When you click Next you have the alternative of choosing what joins you don’t need the scanner to tap on while signed in.

We clearly don’t need the scanner to get logged out of the session amid a creep or an output, so I’ll be tapping on the Logout interface keeping in mind the end goal to limit it, be that as it may you are allowed to set-up the same number of confinements as you like.

It’s additionally significant that the Login Sequence Recorder likewise has bolster for confining connections with nonces by utilizing special cases.

Acunetix WVS review 9

Once you’re finished confining connections, click Next. A Login Sequence alone is insufficient.

The scanner needs to comprehend when it is signed in and when it is logged out.

The Login Sequence Recorder needs what is known as a Session Pattern.

A Session Pattern is nothing more that something remarkable between a signed in and a logged-out condition of a web application.

The Login Sequence Recorder will recognize this example consequently for you;not withstanding, you’re allowed to alter this example in the event that you wish to do as such.

Acunetix WVS review 10

Clicking Finish, will request that you spare the Login Sequence you’ve recently made.

This can be utilized at a later date so you don’t have to experience the way toward making a Login Sequence each time you need to filter a similar site.

You will then be given the last screen of the Scan Wizard which gives you the alternative of sparing any Scan Settings you may have set.

Also, Acunetix WVS is sufficiently keen to distinguish if a site gives an alternate reaction to a portable User Agent string and it will inquire as to whether you’d jump at the chance to change your User Agent string to state that of an iPhone or an Android gadget convenient if your site is versatile agreeable.

WebSite Vulnerability Scan Results:

After the crawl and scan is finished, Acunetix WVS, will list a rundown of high-seriousness vulnerabilities that it recognized on the test site.

The minute you tap on a particular powerlessness (SQL Injection for this situation), Acunetix WVS uncovers which input parameter is defenseless as well as rundown varieties of an assault on that parameter.

Acunetix WVS Scan result

Acunetix WVS Scan result

Choosing one of the varieties of weakness clarifies the helplessness in extraordinary detail.

The scanner will initially give a rundown of the defenselessness, and after that it will continue to clarify what the effect of such weakness is and how to settle the powerlessness.

Acunetix WVS SQL Injection


So this is all about Acunetix and I hope this article helps you!!

Thank you for reading this.

Happy Hacking!!!


The following two tabs change content below.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.

Comment Now !