
20. Vulnerability Editor

20.3 Adding a Vulnerability Test

To add a new Vulnerability check:

1. Right click on an existing module or Vulnerability and select Add Vulnerability.

Screenshot 180 - New Group details

2. Specify the name of the Vulnerability, a short description and the name of the VulnXML file where the test parameters will be stored.

3. Specify whether the test must be based on VulnXML or not:

Based on Default VulnXML – uses the default/built-in VulnXML test parameters.

Based on existing VulnXML – copies the test parameters from an existing VulnXML file.

No VulnXML is required – used if the test does not perform any HTTP requests but only specifies the condition which makes it successful. (E.g. tests in the 'Version Checks' module only specify a VersionRegex parameter; the test is successful if the VersionRegex value matches the target web server banner.)

4. Click on the Add button to create the new Vulnerability.

Screenshot 181 - Vulnerability Properties

5. Now click on the created Vulnerability to bring up its details in the Vulnerability properties page (the right hand pane), which contains the Vulnerability Properties, the Parameters and the VulnXML sections. The properties are the ones already set when you created the new vulnerability.

6. You can now set the following parameters in the Parameters section:

Affects – identifies the object which is affected by this test, for example details about a web server (e.g. if the vulnerability affects the web server), a file, or an object which is identified by the module (when set_by_module is specified). This parameter depends on the type of test being carried out.

BindAlertToFile – set this to 1 to enable the test to add any new discovered files to the crawler directory structure for use in future scans.

7. You can edit the test parameters in the VulnXML section of the dialog.

This section is organized into 5 subsections, each represented by a tab; each tab is described in the following subsections:

Test Description Tab - edit generic information

References Tab - specify links to additional information about the vulnerability

ApplicableTo Tab - specify for which operating systems, web servers or technologies you want this test to be performed

Variables Tab - create/edit variables to be used by the test

Connection Tab - specify what HTTP requests should be made, what response to look for and what defines success or failure of the test

20.3.1 Editing the Vulnerability Description

In the vulnerability Test Description tab you can edit generic information:

Name - The name of the vulnerability (e.g., could be the same as the name given to the VulnXML file.)

Version - Test version number.

Released - Date showing when this Test/Vulnerability was created (yyyy/mm/dd).

Updated - Date showing the last time that this Test/Vulnerability was updated (yyyy/mm/dd).

Protocol – Defines the protocol that this test will use for sending requests to a target during a scan (i.e. HTTP).

May Proxy - Defines whether this test may be performed through a proxy server. If Acunetix WVS is configured to use a proxy server, set this option to true to execute the test.

Affects - Defines which components of the target site structure will be tested.

Severity - Defines the vulnerability level of a target should this test fail (i.e. High Severity indicates that if this test generates failures, the target being scanned has a severe vulnerability).

Alert - Defines whether the Alert is to be triggered on success or failure of the test.

Description - Contains the test function description.

Impact - Contains information on the effect that the vulnerability detected by this test has on your target site.

Recommendation - Contains information on what you should do to eliminate the vulnerability detected by this test.

Screenshot 182 - References tab page

In the References tab you can specify links to additional information about the vulnerability (e.g., cause and related fix).

Link Title – Specify the heading/title of the linked article/information.

URL - Contains the URL.

You can add additional references by right clicking and selecting 'Add reference'.

20.3.2 Specifying When the Vulnerability Check is Applicable

Screenshot 183 - Applicable to tab

In the ApplicableTo tab you can specify for which operating systems, web servers or technologies you want this test to be performed. The test will only be performed if all of the conditions are true.

Operating System – Defines the operating systems the test applies to. You can choose Windows, Unix/Linux or all.

Web Server - Defines which web server types must be checked by this test, for example Apache, IIS etc.

Technology – Defines which technologies (e.g. ASP/PHP) must be checked by this test.

You can add additional conditions by right-clicking and selecting 'Add applicable to'.
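The following added example models how a test of the 'Version Checks' kind from step 3 is evaluated together with the ApplicableTo rule above: every ApplicableTo condition must hold before the test runs, and the VersionRegex is then matched against the target's server banner, raising the Alert on success or failure as configured. This is an illustrative Python model written for this section, not Acunetix code and not the VulnXML schema; the class names, field names and sample banners are constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of a "Version Checks"-style test: the ApplicableTo
# conditions must all hold, then VersionRegex is matched against the
# target's Server banner. Constructed for illustration; not the VulnXML schema.

@dataclass
class VulnTest:
    name: str
    version_regex: str
    severity: str
    alert_on: str = "success"          # raise the Alert on test success or failure
    applicable_to: dict = field(default_factory=dict)

@dataclass
class Target:
    operating_system: str
    web_server: str
    technologies: frozenset
    banner: str                        # Server header as returned by the target

def is_applicable(test, target):
    """Every ApplicableTo condition must be true, otherwise the test is skipped."""
    for key, wanted in test.applicable_to.items():
        if wanted == "all":
            continue
        if key == "technology":
            if wanted not in target.technologies:
                return False
        elif getattr(target, key) != wanted:
            return False
    return True

def run_test(test, target):
    """Return (ran, alert); ran=False means the test was skipped as not applicable."""
    if not is_applicable(test, target):
        return (False, False)
    matched = re.search(test.version_regex, target.banner) is not None
    alert = matched if test.alert_on == "success" else not matched
    return (True, alert)

# Constructed sample test and targets (not real scan findings).
OLD_APACHE = VulnTest("Outdated Apache 1.3 banner", r"Apache/1\.3\.\d+", "High",
                      applicable_to={"operating_system": "all", "web_server": "Apache"})
TARGET_OLD = Target("Unix/Linux", "Apache", frozenset({"PHP"}), "Apache/1.3.37 (Unix) PHP/4.4.4")
TARGET_NEW = Target("Unix/Linux", "Apache", frozenset({"PHP"}), "Apache/2.4.57 (Unix)")
TARGET_IIS = Target("Windows", "IIS", frozenset({"ASP"}), "Microsoft-IIS/6.0")

if __name__ == "__main__":
    for t in (TARGET_OLD, TARGET_NEW, TARGET_IIS):
        print(t.banner, "->", run_test(OLD_APACHE, t))
```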

20.3.3 Specifying Test Variables

In the Variables tab you can create/edit variables to be used by the test. The type of variables that you can create are dependent on which module is performing the test. For example, if creating a vulnerability check within the CGI Tester node, only the File variable will be available. The following is a list of variables that each module supports:

Version Check
