apache_maven

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

Acunetix  can detect some security vulnerabilities among others, click here for a list

Until now, Acunetix WVS does not support automated scanning via API's.  However, Acunetix WVS supports command line, which can provide similar functionality and is an easy way to integrate Acunetix WVS with other third party applications.

The example I am providing is using Maven, and start in phase “integration-test” Acunetix against your web application. Note that running Acunetix is a costly operation, it cost CPU, take a lot of time, stress your network, so I recommend you to run it at night (3 or 4AM) so developer can a receive a feedback the day after. I have also define a Maven profile “WebappSecurityTesting” so I can trigger the check in a new Build in Jetbrains TeamCity/Atlassian Bamboo/Java Hudson with -PWebappSecurityTesting in Maven goals list.

Trivial but worth mentioning:

  • You need in Maven phase “pre-integration-test” to deploy your web application to a running container: tomcat, jboss, weblogic, iis.. before running acunetix against it
  • You need to adapt values in red below to your runtime environment
  • the Ant task is run only if your OS match the string “Windows XP” so remove this or use the right OS's name  determined by the Java Virtual machine and set in the "os.name" system property.
<profiles>
    <profile>
        <id>WebappSecurityTesting</id>
        <activation>
            <activeByDefault>false</activeByDefault>
            <!-- automatic activation
                <file>
                <exists>C:\acunetix\wvs_console.exe</exists>
                </file>
            -->
        </activation>
        <build>
            <plugins>
                <plugin>
                    <artifactId>maven-antrun-plugin</artifactId>
                    <executions>
                        <execution>
                            <phase>integration-test</phase>
                            <configuration>
                                <tasks name="Run acunetix webscanner">
                                    <exec dir="C:\acunetix" executable="wvs_console.exe"
                                        os="Windows XP"
                                        output="${basedir}/target/acunetix/result.txt">
                                        <arg value="/Scan"/>
                                        <arg value="http://testphp.acunetix.com"/>
                                        <arg value="/Profile"/>
                                        <arg value="default"/>
                                        <arg value="/SaveToDatabase"/>
                                        <arg value="/GenerateReport"/>
                                        <arg value="${basedir}/target/acunetix"/>
                                        <arg value="/ReportFormat"/>
                                        <arg value="PDF"/>
                                        <arg value="/ReportExtraParams"/>
                                        <arg value="/r WVSComplianceReport.rep /k PCI12.xml"/>
                                        <arg value="--ScanningMode=Heuristic"/>
                                        <arg value="--UseAcuSensor=TRUE"/>
                                        <arg value="--EnablePortScanning=TRUE"/>
                                    </exec>
                                </tasks>
                            </configuration>
                            <goals>
                                <goal>run</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>

Explanation

Acunetix WVS console application can be run by running 'wvs_console.exe' from the Acunetix WVS installation directory.  An example of a typical Acunetix WVS scan command including explanation, can be found below:

/Scan http://testphp.acunetix.com: Instruct the scanner to launch a single site scan against http://testphp.acunetix.com.

/Profile default: Use default profile for scanning.

/SaveToDatabase: This parameter instructs the scanner to save scan results to reporting database.  If this parameter is not enabled, reports cannot be generated.

/GenerateReport "c:\reports\": Generate scan report in the path 'c:\reports'.

/ReportFormat PDF: Generate the report in PDF format.

/ReportExtraParams "/r WVSComplianceReport.rep /k PCI12.xml": Generate a PCI version1.2 compliance report (PCI12.xml) using the Compliance reporting template (WVSComplianceReport.rep).

--ScanningMode=Heuristic: This option is to instruct the scanner to use heuristic scanning mode against specified target.

--UseAcuSensor=TRUE: Use AcuSensor Technology during scan. The AcuSensor client files must be installed and configured on the target for AcuSensor Technology to function.

--EnablePortScanning=TRUE: Instruct the scanner to port scan the target as well, and run network security tests (Network Alerts) against the target.

References

comments powered by Disqus

You might like also

Fetching artifact programmatically through REST/API in Nexus 3.x
There is so many case where it is desirable to pull down artifact from Sonatype Nexus using REST API, unfortunately Nexus 3.x Rest API are still under development... Some use cases in Nexus 2.x: You have a script that uses REST call to pull down the LATEST maven artifacts every night from Nexus and deploys them. You make extensive use of the REST API in all your puppet modules You use the Atlassian Puppet module for Nexus for creating repository, …
719 Days ago
git-branch-renamer-maven-plugin
When working with many feature/release/bugix/hotfix branches, it is a bad idea to start changing the pom version as this will create merge conflicts using pull request. this plugin allow you to keep in ALL branches the same pom version for all your projects, for example MASTER-SNAPSHOT the version will be derived from branch name automagically :-) You may want to read more first these 2 short articles Update Maven pom version on GIT checkout in TeamCity maven-release-plugin with GIT git-branch-renamer-maven-plugin …
731 Days ago
Review: Getting Started with Apache Maven by Russell Gold
Some time ago I was asked if I would like to write a review about one of the new video courses from Packt Publishing. It was "Getting Started with Apache Maven" http://bit.ly/1fycmpP by Russell Gold and since I have been using Maven for some years now (since 2007) and did publish some articles myself, I thought it would be nice to help them promote Apache Maven. The course is organized in eight chapters, forty videos with a length between two …
1918 Days ago
Update Maven pom version on GIT checkout in TeamCity
Here is a solution to the following problems Deriving Maven artifact version from GIT branch, Update pom version on GIT checkout automatically, Add the ability to use Pull request with Apache Maven. You have a workflow requirement that require you to have the artifact version of a module externally defined from the current branch in GIT. For example You want to start working on a new feature branch “feature-memory-improvement”, so you branch from master a new branch named feature/feature-memory-improvement Having …
1923 Days ago
Easily Compress Web Application Resources with EhCache
Resources such as JavaScript and CSS files can be compressed before being sent to the browser, improving network efficiencies and application load time in certain case. If you are not using Apache with mod_deflate or nginx in front of your web application, you may need to implement resources compression yourself…. Wait! don’t start writing your own filter to compress files like CSS, html, txt, javascript it is way more difficult than you think to properly handle http response headers and …
2405 Days ago
Tomcat 7 and Apache Maven
Here is 3 different way to control the lifetime a local Tomcat 7 container using Apache Maven. A typical scenario would be to start a servlet container prior to running integration tests (Selenium, SAHI or using any other framework you can think of ) With the following examples, you will be able to start an instance of Tomcat 7 running your web application in the pre-integration-test phase and stop the instance in the post-integration-test phase. You can also decide to …
2405 Days ago
Apache Maven copy local file to a remote server server using SSH
I will show you in an Apache Maven configuration file how to copy files to server each time the package phase is executed. Solution with Ant SCP task This snippet of code is a ready to use code that make use of Apache Ant task scp, Just put this snippet of code in your Maven module where the assembly is executed or anywhere else to push all tar.gz files to a server just run a maven mvn package, you can …
2593 Days ago
Apache M2Eclipse: Get rid of Duplicate resources when opening resources and types
In this small post, I’ll show you how to remove duplicated resources in the Open Resource view of Eclipse Eclipse – M2Eclipse – Subversive …
2599 Days ago
Apache Maven 3 Cookbook
&160; First a big thanks to Packt Publishing for having sent me this book to review! I did enjoy going through this book, while I did not learn a lot of new stuff (I am using Apache Maven daily since 2006!), I found it to be concise and would recommend it anytime to any of my colleagues. But let’s go through my review of this cookbook of over 50 recipes towards optimal Java Software Engineering with Maven 3: Apache Maven
2741 Days ago
Apache Maven 3 Cookbook Review
Thanks to Packt Publishing for having sent me this book to review. I will publish a review in the next coming days Grasp the fundamentals and extend Apache Maven 3 to meet your needs Implement engineering practices in your application development process with Apache Maven Collaboration techniques for Agile teams with Apache Maven Use Apache Maven with Java, Enterprise Frameworks, and various other cutting-edge technologies Develop for Google Web Toolkit, Google App Engine, and Android Platforms using Apache Maven You …
2787 Days ago