Acunetix Web Vulnerability Scanner (WVS)

Acunetix Web Vulnerability Scanner (WVS) is designed to audit web site security.

There is a free *nix based version as well as a Windows based version which ranges in price from a free trial to thousands of dollars.

// WVS contains a suite of tools designed to assist penetration testers in auditing web sites and also has the ability to output an easy to read summary for clients. What really sets this particular scanner apart from others is their proprietary AcuSensor Technology. By installing the AcuSensor Technology on the target system prior to scanning, one is able to decrease the number of false positives, identify more vulnerabilities, and accurately determine the vulnerable code. This works with closed source applications as well as open source. WVS will definitely work without AcuSensor, but, it is incredibly more accurate when this module is properly deployed on the target system.

// Composition of Acunetix Web Vulnerability Scanner:
Site Crawler - used to map a web site by following links and gathering information in a similar fashion to search engine web crawlers.
Target Finder - used to identify http/https servers from a given IP range.
Domain Scanner - used to enumerate additional sub-domains for use as potential targets.
Blind SQL Injector - automates the process of extracting database information through SQL injection.
HTTP Editor - for constructing custom HTTP/HTTPS requests in order to analyze responses.
HTTP Sniffer - HTTP proxy that allows logging, intercepting, and modifying HTTP/HTTPS traffic on the fly.
HTTP Fuzzer - allows fuzzing of request parameters or headers. Useful for determining buffer overflows or input validation errors.
Auth Tester - tool for performing dictionary based attacks against basic HTTP, NTLM, and form based authentication.

// WVS is capable of detecting a number of vulnerabilities including, but not limited to, the following:
Cross Site Scripting
Code Execution
SQL Injection
File Creation
Cookie Manipulation
CRLF Injection
Cross Frame Scripting
Directory Traversal
Email Injection
File Inclusion
Path Disclosure
PHP Code Injection
LDAP Injection
Remote XSL Inclusion
URL Redirection
XPath Injection
Source Code Disclosure

It also utilizes the GHDB (Google Hacking Database).

This is one of those very useful tools that penetration testers should seriously consider purchasing as it helps greatly when auditing web sites and servers and creating detailed reports for customers.