Thousands of website are hacked every day resulting business loss and reputational damage. Sophos Labs released a report in 2013, where it says 30,000 Websites are hacked a day.

That’s huge. There are multiple types of vulnerabilities in web application technology and keeping an eye on all of them manually is just impossible and prone to human error.

Did you know 46% of web applications scanned with Acunetix Online Vulnerability Scanner contained a high-risk vulnerability and 87% a medium risk vulnerability as per the 2015 Web App Vulnerability Report by Acunetix? You can download this report here.


That’s why it is important to run an automated scan for the detection of vulnerabilities in web applications, which gives actionable reports. In this article, I will talk about how to use Acunetix to perform a security scan for more than 500 vulnerabilities, PCI Compliance including top one as mentioned below.

  • XSS
  • SQL Injection
  • DOS
  • Host Header Attack
  • Directory Listing
  • XXE
  • SSRF

The good thing about this, you can scan multiple endpoints (listed below) with a single account. This eliminates the maintenance of having to use multiple software.

Web Scan – Scan any website, no matter what technologies are being used and form based authentication to scan password protected areas.

Network Scan – Scan detected devices such as a firewall, load balancer, routers, weak password for common protocols and much more.

So let’s get it started…

There are two ways you can use Acunetix Vulnerability Scanner.

  • Using Software – You can download for use on Windows OS
  • Over Cloud – You can create an online account and perform a scan.

Let’s get into creating an online account and explore.

  • Open Internet browser and access following link
  • Enter Name, Email, Password and click on Register


  • You will receive an email to confirm the account
  • Once confirmed, login to OVS (Online Vulnerability Scanner)
  • You will see Getting Started Wizard. Click on create scan target


  • Enter Name, Description, and IP/URL details. You may also select their test domain if you don’t want to perform scan against your URL yet. Click on Add Scan Target


  • You need to confirm the ownership of the target by uploading a verification file. This is necessary to prevent third parties from performing a scan on a web application which they don’t own.


  • You should see a green mark to “Create a Scan Target” once ownership is verified.


  • It’s time to launch a scan against the target. Let’s click on “Launch Scan” from the dashboard.


  • Click on Scan Now button for your target


  • You will have summary of the scan where you can customize the way you want to perform security scan


Web Vulnerability Scan:

  • Full Scan – Check against the entire vulnerabilities database
  • CSRF – Check if you could possibly have fallen victim of a Cross Site Request Forgery vulnerability
  • High Risk – Check against high-risk items only
  • SQL Injection – Check if your SQL call can be injected and made vulnerable
  • Weak Password – Check against weak password
  • XSS – Quick way to validate if vulnerable to XSS attack
  • No Scan – if you want to skip Web Scan and do the only network.

Based on your requirement, you can select any one of the above lists. For now, I will proceed with Full Scan.

Network Vulnerability Scan:

  • Full Scan – Marked, as safe checks and I will proceed with it in this article.
  • Full Scan inclusive invasive checks – May is not a good idea to do this during operational hour as it may impact performance or go offline if the load is unbearable.
  • No Scan – If you don’t want to include network scan at all.

Reports: you can select the type of report you want for this scan in either PDF or RTF format.

  • I have selected, Executive Summary report in PDF format.
  • Click on Launch Scan to begin


You will get a notification that your scan is in a queue and will receive an email notification once done.


It will take some time to complete. Meanwhile, you can wait for a completion notification email or click on “Refresh” to see the status. How about having coffee or explore my articles on Web Security until it’s complete.

Actually, it took almost 4 hours to complete. Well, it makes sense, as it has to validate against more than 500 vulnerabilities. This is how dashboard looks like after scan is completed.


Let’s take a look at reports now. If you remember, while setting up a scan I selected “Executive Summary” which is available to view now.

  • Go to Reports and click on Saved Reports


  • Here you can download the PDF and review the report.


Oh God, look at the report – I got many things to fix.



Well, the executive summary doesn’t give the detailed information so you got to generate a different type of report. To do so

  • Go to Reports and click Generate Reports
  • Select the target and click on Generate link


  • Select the type of reports and format and click on “Generate


  • It will take few seconds and will be ready to download at Saved Reports.


Now, it’s time to go through the report and fix the vulnerabilities finding. You can refer my Security & Hardening Guide for Apache or Nginx which should help to fix various findings.

I hope this gives you an idea how to use Acunetix to perform Vulnerability Scanner and keep your web applications safe and secure. If you like this article, why not share with your friends?